10.4.2 Lab: Secure Access to a Switch
The 10.4.2 Lab: Secure Access to a Switch is a foundational hands-on exercise in the Cisco Networking Academy curriculum designed to teach students how to protect network infrastructure by hardening switch configurations. In an era where a single network breach can compromise an entire organization, understanding how to secure access to switches is not optional; it is essential. This lab walks learners through configuring a Cisco switch to prevent unauthorized access, encrypt passwords, enable secure remote management, and disable vulnerable services.
Introduction
Network switches are critical devices that operate at Layer 2 of the OSI model, forwarding traffic between devices within a local area network (LAN). Because switches form the backbone of network communication, an attacker who gains access to a switch can intercept, redirect, or disrupt traffic across the entire network. The 10.4.2 lab addresses this risk by guiding students through a series of configuration tasks that significantly reduce the attack surface of a managed switch.
This lab is typically performed using Cisco Packet Tracer or physical Cisco switches running IOS (Internetwork Operating System). Students configure a switch from a nearly default state into a hardened device with encrypted passwords, SSH access, disabled unused ports, and legal banners.
Lab Objectives
By the end of this lab, students will be able to:
- Secure privileged EXEC mode with an encrypted enable secret password
- Encrypt all plaintext passwords using the service password-encryption command
- Configure a login banner to display legal warnings to unauthorized users
- Secure console and VTY (virtual terminal) lines with passwords
- Enable SSH for secure remote management and disable insecure Telnet
- Disable unused switch ports to prevent unauthorized physical access
- Verify the security configuration using appropriate show commands
Network Topology
The lab typically uses a simple topology consisting of:
- One Cisco switch (e.g., Cisco 2960 series)
- One PC connected to the switch via a console cable for initial configuration
- Optionally, a second PC or device for testing SSH/Telnet remote access
The PC is connected to a switch port (e.g., FastEthernet 0/1) and communicates with the switch through a terminal emulation program such as PuTTY or the built-in CLI in Cisco Packet Tracer.
Step-by-Step Configuration
Step 1: Access the Switch CLI
Connect the PC to the switch console port using a console cable. Open a terminal emulation program and access the CLI (Command Line Interface). You will begin in user EXEC mode.
Switch> enable
Switch# configure terminal
Step 2: Assign a Hostname
The first step in any secure configuration is to rename the device from the default generic hostname to something identifiable.
Switch(config)# hostname S1
Step 3: Secure the Enable Secret Password
The enable secret command sets a password for accessing privileged EXEC mode (also called enable mode). Unlike the older enable password command, which stores the password in a recoverable form, enable secret stores only an MD5 hash of the password in the running configuration.
S1(config)# enable secret class
Important: Always use enable secret instead of enable password. If both are configured, the enable secret takes precedence.
Step 4: Encrypt All Plaintext Passwords
By default, passwords configured on console and VTY lines are stored in plaintext in the configuration file. This means anyone who views the running config can read them. Use the following command to encrypt all plaintext passwords:
S1(config)# service password-encryption
This command applies Type 7 encoding to all current and future line passwords. Type 7 is reversible and is not considered secure by modern standards; it only provides a basic layer of obfuscation against casual observers of the configuration, which is why the lab later moves remote access to local user accounts with hashed secrets.
Step 5: Secure the Console Line
The console port provides physical, out-of-band management access. Secure it with a password and enable login.
S1(config)# line console 0
S1(config-line)# password cisco
S1(config-line)# login
S1(config-line)# logging synchronous
S1(config-line)# exec-timeout 5 0
- password cisco: sets the console password
- login: requires the password at login
- logging synchronous: prevents console messages from interrupting command entry
- exec-timeout 5 0: sets the idle timeout to 5 minutes (the second value represents seconds)
Step 6: Secure the VTY Lines
VTY lines (Virtual Terminal Lines) handle remote access via Telnet or SSH. A Cisco switch may have up to 16 VTY lines (numbered 0 through 15). Secure all of them.
S1(config)# line vty 0 15
S1(config-line)# password cisco
S1(config-line)# login
S1(config-line)# transport input ssh
The transport input ssh command is critical. It disables Telnet and allows only SSH connections, ensuring that all remote management sessions are encrypted.
Step 7: Configure the IP Domain Name and Generate RSA Keys
SSH requires an IP domain name and RSA cryptographic keys to function.
S1(config)# ip domain-name example.com
S1(config)# crypto key generate rsa
When prompted, select a modulus size of 1024 bits or higher. The larger the modulus, the stronger the key, though generating and using it requires more processing power.
Step 8: Create a Local User Account
Rather than relying solely on shared line passwords, create a local user account so that remote logins are authenticated per user.
S1(config)# username admin secret S3cur3P@ss
Then update the VTY line configuration to use local authentication:
S1(config)# line vty 0 15
S1(config-line)# login local
Remove the previous password command from the VTY lines since login local will authenticate against the local username database.
Step 9: Configure a Login Banner
A Message of the Day (MOTD) banner warns unauthorized users that access is restricted and monitored. This is important from both a security and legal perspective.
S1(config)# banner motd #Authorized Access Only! Violators will be prosecuted. #
The # character serves as the delimiter — it marks the beginning and end of the banner text. You can use any character as a delimiter as long as it does not appear in the banner message itself.
Step 10: Disable Unused Ports
Any switch port that is not actively in use should be shut down to prevent unauthorized devices from connecting to the network.
S1(config)# interface range fa0/1 - fa0/8
S1(config-if-range)# shutdown
S1(config-if-range)# exit
This command sequence shuts down unused Fast Ethernet interfaces (0/1 to 0/8), preventing physical port access. Always verify connectivity before shutting down ports.
Step 11: Enable Port Security
To prevent unauthorized device connections, enable port security on critical ports:
S1(config)# interface fa0/9
S1(config-if)# switchport mode access
S1(config-if)# switchport port-security
S1(config-if)# switchport port-security mac-address sticky
S1(config-if)# switchport port-security maximum 1
S1(config-if)# exit
This configures dynamic MAC address learning (`sticky`) and limits the port to one connected device. Repeat for other trusted ports.
Step 12: Verify Configuration
Ensure all settings are active:
S1# show running-config
S1# show line vty 0 15
S1# show users
S1# show port-security interface fa0/9
Check for correct line passwords, local user authentication, SSH enforcement, and port security status.
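The show commands above leave the reader to check each setting by eye. As an added example (this is not part of the Cisco lab or its materials), the Python script below audits saved show running-config output for the settings configured in Steps 3 through 11: enable secret, service password-encryption, a domain name for SSH, a local user with a hashed secret, a MOTD banner, login on every line, SSH-only VTY transport, and unused ports either shut down or protected by port security. The configuration text embedded in it is constructed for the example; the hash strings and the Type 7 value are placeholders, not real credential material, and the "active port without port security" check is a heuristic, since the script cannot know which ports are intentionally in use.

```python
"""Audit saved Cisco IOS switch configuration text for the lab's hardening steps."""
import re
from typing import Dict, List

# Constructed sample of "show running-config" output (not captured from a real switch).
# Hashes and the Type 7 string are placeholders only.
SAMPLE_CONFIG = """\
hostname S1
!
service password-encryption
!
enable secret 5 $1$PLCH$placeholderEnableHash
!
username admin secret 5 $1$PLCH$placeholderUserHash
!
ip domain-name example.com
!
banner motd ^C
Authorized Access Only! Violators will be prosecuted.
^C
!
interface FastEthernet0/1
 shutdown
!
interface FastEthernet0/9
 switchport mode access
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address sticky
!
interface FastEthernet0/10
!
line con 0
 password 7 PLACEHOLDER7
 login
 exec-timeout 5 0
 logging synchronous
line vty 0 4
 login local
 transport input ssh
line vty 5 15
 login local
 transport input telnet ssh
!
"""


def parse_sections(config: str) -> Dict[str, List[str]]:
    """Group IOS config into {top-level line: [indented child lines]}.

    A line with no leading whitespace starts a new section; indented lines belong
    to the most recent section. '!' separators end a section. Multi-line banners
    (banner motd ^C ... ^C) are skipped so their text is not parsed as config.
    """
    sections: Dict[str, List[str]] = {}
    current = None
    in_banner = None  # delimiter character while inside a banner body
    for raw in config.splitlines():
        if in_banner:
            if in_banner in raw:
                in_banner = None
            continue
        if not raw.strip() or raw.strip() == "!":
            current = None
            continue
        if raw[0].isspace():
            if current is not None:
                sections[current].append(raw.strip())
            continue
        current = raw.strip()
        sections.setdefault(current, [])
        m = re.match(r"banner \w+ (\S)", current)
        if m and current.count(m.group(1)) < 2:  # delimiter not closed on this line
            in_banner = m.group(1)
    return sections


def audit_switch_config(config: str) -> List[str]:
    """Return a list of findings; an empty list means every check passed."""
    s = parse_sections(config)
    top = set(s)
    findings: List[str] = []
    # Step 3: privileged EXEC protected by a hashed enable secret, not enable password
    if not any(k.startswith("enable secret") for k in top):
        findings.append("no enable secret configured")
    if any(k.startswith("enable password") for k in top):
        findings.append("enable password present; use enable secret only")
    # Step 4
    if "service password-encryption" not in top:
        findings.append("service password-encryption not enabled")
    # Steps 7 and 8: SSH prerequisites and a local user with a hashed secret
    if not any(k.startswith("ip domain-name") for k in top):
        findings.append("ip domain-name missing (required before crypto key generate rsa)")
    if not any(k.startswith("username ") and " secret " in k for k in top):
        findings.append("no local user with a hashed (secret) password")
    # Step 9
    if not any(k.startswith("banner motd") for k in top):
        findings.append("no MOTD login banner")
    # Steps 5 and 6: console and VTY lines
    for header, body in s.items():
        if not header.startswith("line "):
            continue
        if not any(e in ("login", "login local") for e in body):
            findings.append(f"{header}: no login required")
        for entry in body:
            if entry.startswith("password 7 "):
                findings.append(f"{header}: Type 7 (reversible) line password; prefer login local")
            elif entry.startswith("password "):
                findings.append(f"{header}: plaintext line password")
        if header.startswith("line vty"):
            transport = [e for e in body if e.startswith("transport input")]
            if transport != ["transport input ssh"]:
                findings.append(f"{header}: transport input is not restricted to ssh")
        if header.startswith("line con") and not any(e.startswith("exec-timeout") for e in body):
            findings.append(f"{header}: no exec-timeout configured")
    # Steps 10 and 11 (heuristic): every interface is shut down or has port security
    for header, body in s.items():
        if header.startswith("interface ") and "shutdown" not in body:
            if not any(e.startswith("switchport port-security") for e in body):
                findings.append(f"{header.split(None, 1)[1]}: active port without port security (shut down if unused)")
    return findings


if __name__ == "__main__":
    for finding in audit_switch_config(SAMPLE_CONFIG):
        print("FINDING:", finding)
```

Run against the sample, the script reports three findings: the console line still uses a Type 7 password, VTY lines 5 through 15 still accept Telnet, and FastEthernet0/10 is neither shut down nor protected by port security. Feed it the output of show running-config saved from a terminal session to check a real lab switch the same way.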
Step 13: Update Firmware and Enable SNMPv3
Regularly update the switch firmware to patch vulnerabilities. For monitoring, configure SNMPv3 (secure SNMP) instead of community-string based SNMPv1/v2c:
S1(config)# snmp-server view all iso included
S1(config)# snmp-server group RO-ONLYv3 v3 priv read all
S1(config)# snmp-server user monitor RO-ONLYv3 v3 auth sha mysecret priv aes 128 mysecret
This creates a read-only view, a group that requires both authentication and privacy (encryption), and a user bound to that group with SHA authentication and AES-128 privacy.
Conclusion
By implementing these steps, you’ve hardened the Cisco switch against unauthorized access, encrypted remote management, and restricted physical/network ports. Regular audits, firmware updates, and user training are essential to maintain security. Always document changes and test configurations in a staging environment before deployment. A secure network starts with foundational device hardening—prioritize these practices to safeguard your infrastructure.