Lab 2
Cisco IOS Login Block
Lab Objective:
The objective of this lab exercise is for you to learn and understand how to implement the Cisco IOS Login Block feature.
Lab Purpose:
The Cisco IOS Login Enhancements (Login Block) feature allows users to enhance the security of a router by configuring options to automatically block further login attempts when a possible Denial-of-Service (DoS) attack is detected.
Lab Difficulty:
This lab has a difficulty rating of 8/10.
Readiness Assessment:
When you are ready for your certification exam, you should complete this lab in no more than 15 minutes.
Lab Topology:
Please use the following topology to complete this lab exercise:
Lab 2 Configuration Tasks
Task 1:
Configure the hostnames and IP addresses on R1 and R2 as illustrated in the network diagram. Configure R2 to send R1 clocking information at a rate of 512Kbps. Ping between R1 and R2 to verify your configuration and ensure that the two routers have IP connectivity.
Task 2:
Configure the following interfaces on R2:
Interface    Address/Mask
Loopback10   10.10.10.2/26
Loopback20   20.20.20.2/28
Task 3:
Configure a static default route on R1 via Serial0/0. Ping R1 from the Loopback10 and Loopback20 interfaces of R2 and validate IP connectivity.
Task 4:
Configure Cisco IOS Login Block on R1 as follows:
- If there are more than 2 failed login attempts within 20 seconds of each other, the router should block login access for a period of 40 seconds.
- However, during the blocking time, the router should allow only TELNET connections from the Loopback20 subnet on R2 to attempt to log in.
- In addition to this, the router should log every single successful and failed login attempt.
Task 5:
Configure a user with the username ccna and password security on R1. This user should have Level 15 privileges. In addition, configure R1 to allow Telnet access while authenticating users based on the local router database. Finally, configure R1 to log ALL messages to the buffer.
Task 6:
Test your login configuration as follows:
- Telnet to R1 from the Loopback10 interface of R2, purposely using an incorrect password for user ccna (for example, the password security1). Repeat this at least two times within 20 seconds. If your configuration is correct, the router should activate the quiet period and a subsequent connection attempt to R1 should be refused. Validate this.
- Telnet to R1 from the Loopback20 interface of R2 while the router is in the quiet period. The exception configured in Task 4 should still allow user ccna to log in using the correct password. Verify that this is the case.
- Issue the show log command on R1. You should observe SYSLOG messages pertaining to all failed and successful login attempts on the router.
Lab 2 Configuration and Verification
Task 1:
Router(config)#hostname R1
R1(config)#interface serial0/0
R1(config-if)#no shutdown
R1(config-if)#ip address 10.1.1.1 255.255.255.252
R1(config-if)#end
R1#
Router(config)#hostname R2
R2(config)#interface serial0/0
R2(config-if)#no shutdown
R2(config-if)#clock rate 512000
R2(config-if)#ip address 10.1.1.2 255.255.255.252
R2(config-if)#exit
R2(config)#exit
R2#
R2#ping 10.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/8 ms
Task 2:
R2(config)#interface loopback 10
R2(config-if)#ip address 10.10.10.2 255.255.255.192
R2(config-if)#exit
R2(config)#interface loopback 20
R2(config-if)#ip address 20.20.20.2 255.255.255.240
R2(config-if)#exit
R2(config)#exit
R2#
Task 3:
R1(config)#ip route 0.0.0.0 0.0.0.0 serial0/0
R1(config)#exit
R1#
R1#ping 10.10.10.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.10.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/8 ms
R1#
R1#ping 20.20.20.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 20.20.20.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/6/8 ms
Task 4:
R1(config)#login block-for 40 attempts 2 within 20
R1(config)#ip access-list extended R2-LPBK-20-TELNET
R1(config-ext-nacl)#permit tcp 20.20.20.0 0.0.0.15 any eq telnet
R1(config-ext-nacl)#exit
R1(config)#login quiet-mode access-class R2-LPBK-20-TELNET
R1(config)#login on-success log every 1
R1(config)#login on-failure log every 1
R1(config)#exit
R1#
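The following Python model is an added example, not Cisco code and not part of the original lab. It simulates how the two Task 4 commands, login block-for 40 attempts 2 within 20 and login quiet-mode access-class R2-LPBK-20-TELNET, decide whether a vty connection is accepted, so that the behaviour expected in Task 6 can be reasoned about before touching a router. Timestamps are plain seconds, the ACL is reduced to its permitted source network 20.20.20.0/28 (wildcard 0.0.0.15 on the page), and the replayed event sequence is constructed to mirror Task 6. One detail is inferred from the page's own show log output: a failed login from the exempt subnet during quiet mode restarts the 40 second block timer, since QUIET_MODE_OFF appears exactly 40 seconds after the last failure rather than after the first.

```python
"""Model of the Login Block policy configured in Task 4 (added example)."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional


@dataclass
class LoginBlock:
    block_for: int = 40                 # quiet period length in seconds
    attempts: int = 2                   # failures inside the window that trigger it
    within: int = 20                    # watch window in seconds
    quiet_mode_acl: List[str] = field(default_factory=list)  # permitted networks
    failures: List[float] = field(default_factory=list)      # recent failure times
    quiet_until: Optional[float] = None
    events: List[str] = field(default_factory=list)          # syslog-like trail

    def in_quiet_mode(self, now: float) -> bool:
        """Expire a finished quiet period, then report the current state."""
        if self.quiet_until is None:
            return False
        if now >= self.quiet_until:
            self.events.append(f"{now:g}s QUIET_MODE_OFF (block period timed out)")
            self.quiet_until = None
            return False
        return True

    def connection_allowed(self, now: float, source: str) -> bool:
        """TCP connect to the vty: refused in quiet mode unless the ACL permits."""
        if not self.in_quiet_mode(now):
            return True
        src = ip_address(source)
        return any(src in ip_network(net) for net in self.quiet_mode_acl)

    def record_failure(self, now: float, source: str) -> None:
        """A bad username/password on an accepted connection."""
        self.events.append(f"{now:g}s LOGIN_FAILED source={source}")
        if self.in_quiet_mode(now):
            # Inferred from the page's log: a failure from an exempt host while
            # quiet restarts the block period instead of being ignored.
            self.quiet_until = now + self.block_for
            self.events.append(f"{now:g}s QUIET_MODE_ON until {self.quiet_until:g}s")
            return
        # keep only failures still inside the watch window, then count this one
        self.failures = [t for t in self.failures if now - t <= self.within]
        self.failures.append(now)
        if len(self.failures) >= self.attempts:
            self.quiet_until = now + self.block_for
            self.failures.clear()
            self.events.append(f"{now:g}s QUIET_MODE_ON until {self.quiet_until:g}s")

    def record_success(self, now: float, source: str) -> None:
        self.events.append(f"{now:g}s LOGIN_SUCCESS source={source}")


def replay_task6() -> Dict[str, object]:
    """Replay the Task 6 sequence against the Task 4 policy (constructed times)."""
    r1 = LoginBlock(quiet_mode_acl=["20.20.20.0/28"])
    out: Dict[str, object] = {}
    # two bad passwords from R2's Serial0/0 address, 4 s apart
    r1.record_failure(10, "10.1.1.2")
    r1.record_failure(14, "10.1.1.2")
    out["quiet_after_two_failures"] = r1.in_quiet_mode(15)                # True
    out["serial_allowed"] = r1.connection_allowed(20, "10.1.1.2")         # False
    out["loopback10_allowed"] = r1.connection_allowed(22, "10.10.10.2")   # False
    out["loopback20_allowed"] = r1.connection_allowed(25, "20.20.20.2")   # True
    # a bad password from the exempt subnet pushes the quiet period out
    r1.record_failure(30, "20.20.20.2")
    out["quiet_until"] = r1.quiet_until                                   # 70
    r1.record_success(45, "20.20.20.2")
    out["still_quiet_after_success"] = r1.in_quiet_mode(50)               # True
    out["serial_allowed_after_timeout"] = r1.connection_allowed(71, "10.1.1.2")  # True
    out["events"] = list(r1.events)
    return out


if __name__ == "__main__":
    for line in replay_task6()["events"]:
        print(line)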
Task 5:
R1(config)#username ccna privilege 15 secret security
R1(config)#line vty 0 4
R1(config-line)#login local
R1(config-line)#exit
R1(config)#logging buffered 4096
R1(config)#exit
R1#
Task 6:
R2#telnet 10.1.1.1
Trying 10.1.1.1 ... Open

User Access Verification

Username: ccna
Password:
% Login invalid

Username: ccna
Password:
% Login invalid

[Connection to 10.1.1.1 closed by foreign host]
R2#telnet 10.1.1.1
Trying 10.1.1.1 ...
% Connection refused by remote host
The following messages should be visible on R1 when this happens:
R1#show log
Syslog logging: enabled (1 messages dropped, 0 messages rate-limited, 0 flushes, 0 overruns, xml disabled, filtering disabled)

No Active Message Discriminator.

No Inactive Message Discriminator.

    Console logging: disabled
    Monitor logging: level debugging, 0 messages logged, xml disabled, filtering disabled
    Buffer logging: level debugging, 5 messages logged, xml disabled, filtering disabled
    Logging Exception size (4096 bytes)
    Count and timestamp logging messages: disabled
    Persistent logging: disabled
    Trap logging: level informational, 32 message lines logged

Log Buffer (4096 bytes):

*Mar 1 00:20:02.078: %SYS-5-CONFIG_I: Configured from console by ccna on vty0 (10.1.1.2)
*Mar 1 00:20:10.300: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: ccna] [Source: 10.1.1.2] [localport: 23] [Reason: Login Authentication Failed - BadPassword] at 00:20:10 UTC Fri Mar 1 2002
*Mar 1 00:20:14.422: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: ccna] [Source: 10.1.1.2] [localport: 23] [Reason: Login Authentication Failed - BadPassword] at 00:20:14 UTC Fri Mar 1 2002
*Mar 1 00:20:14.422: %SEC_LOGIN-1-QUIET_MODE_ON: Still timeleft for watching failures is 6 secs, [user: ccna] [Source: 10.1.1.2] [localport: 23] [Reason: Login Authentication Failed - BadPassword] [ACL: R2-LPBK-20-TELNET] at 00:20:14 UTC Fri Mar 1 2002
*Mar 1 00:20:54.424: %SEC_LOGIN-5-QUIET_MODE_OFF: Quiet Mode is OFF, because block period timed out at 00:20:54 UTC Fri Mar 1 2002
To validate the second requirement of Task 4, Telnet to R1 during the quiet period: only a connection sourced from the Loopback20 subnet of R2 should be accepted.
R2#telnet 10.1.1.1
Trying 10.1.1.1 ...
% Connection refused by remote host
R2#telnet 10.1.1.1 /source loopback 10
Trying 10.1.1.1 ...
% Connection refused by remote host
R2#telnet 10.1.1.1 /source loopback 20
Trying 10.1.1.1 ... Open

User Access Verification

Username: ccna
Password:
R1#
Because every login attempt is being logged, you should see quite a few log messages. Make sure that you have enabled buffered logging with the logging buffered command on R1.
R1#show log
Syslog logging: enabled (1 messages dropped, 0 messages rate-limited, 0 flushes, 0 overruns, xml disabled, filtering disabled)

No Active Message Discriminator.

No Inactive Message Discriminator.

    Console logging: disabled
    Monitor logging: level debugging, 0 messages logged, xml disabled, filtering disabled
    Buffer logging: level debugging, 14 messages logged, xml disabled, filtering disabled
    Logging Exception size (4096 bytes)
    Count and timestamp logging messages: disabled
    Persistent logging: disabled
    Trap logging: level informational, 41 message lines logged

Log Buffer (4096 bytes):

*Mar 1 00:20:02.078: %SYS-5-CONFIG_I: Configured from console by ccna on vty0 (10.1.1.2)
*Mar 1 00:20:10.300: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: ccna] [Source: 10.1.1.2] [localport: 23] [Reason: Login Authentication Failed - BadPassword] at 00:20:10 UTC Fri Mar 1 2002
*Mar 1 00:20:14.422: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: ccna] [Source: 10.1.1.2] [localport: 23] [Reason: Login Authentication Failed - BadPassword] at 00:20:14 UTC Fri Mar 1 2002
*Mar 1 00:20:14.422: %SEC_LOGIN-1-QUIET_MODE_ON: Still timeleft for watching failures is 6 secs, [user: ccna] [Source: 10.1.1.2] [localport: 23] [Reason: Login Authentication Failed - BadPassword] [ACL: R2-LPBK-20-TELNET] at 00:20:14 UTC Fri Mar 1 2002
*Mar 1 00:20:54.424: %SEC_LOGIN-5-QUIET_MODE_OFF: Quiet Mode is OFF, because block period timed out at 00:20:54 UTC Fri Mar 1 2002
*Mar 1 00:23:49.663: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: ccns] [Source: 10.1.1.2] [localport: 23] [Reason: Login Authentication Failed - BadUser] at 00:23:49 UTC Fri Mar 1 2002
*Mar 1 00:23:54.062: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: ccna] [Source: 10.1.1.2] [localport: 23] [Reason: Login Authentication Failed - BadPassword] at 00:23:54 UTC Fri Mar 1 2002
*Mar 1 00:23:54.062: %SEC_LOGIN-1-QUIET_MODE_ON: Still timeleft for watching failures is 0 secs, [user: ccna] [Source: 10.1.1.2] [localport: 23] [Reason: Login Authentication Failed - BadPassword] [ACL: R2-LPBK-20-TELNET] at 00:23:54 UTC Fri Mar 1 2002
*Mar 1 00:24:10.409: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: ccna] [Source: 20.20.20.2] [localport: 23] [Reason: Login Authentication Failed - BadPassword] at 00:24:10 UTC Fri Mar 1 2002
*Mar 1 00:24:10.409: %SEC_LOGIN-1-QUIET_MODE_ON: Still timeleft for watching failures is 0 secs, [user: ccna] [Source: 20.20.20.2] [localport: 23] [Reason: Login Authentication Failed - BadPassword] [ACL: R2-LPBK-20-TELNET] at 00:24:10 UTC Fri Mar 1 2002
*Mar 1 00:24:21.411: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: ccna] [Source: 20.20.20.2] [localport: 23] [Reason: Login Authentication Failed - BadPassword] at 00:24:21 UTC Fri Mar 1 2002
*Mar 1 00:24:21.411: %SEC_LOGIN-1-QUIET_MODE_ON: Still timeleft for watching failures is 0 secs, [user: ccna] [Source: 20.20.20.2] [localport: 23] [Reason: Login Authentication Failed - BadPassword] [ACL: R2-LPBK-20-TELNET] at 00:24:21 UTC Fri Mar 1 2002
*Mar 1 00:24:41.897: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: ccna] [Source: 20.20.20.2] [localport: 23] at 00:24:41 UTC Fri Mar 1 2002
*Mar 1 00:25:01.413: %SEC_LOGIN-5-QUIET_MODE_OFF: Quiet Mode is OFF, because block period timed out at 00:25:01 UTC Fri Mar 1 2002
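The log buffer above is what login on-failure log and login on-success log produce, and in practice it is exported to a syslog collector rather than read with show log. The following Python script is an added example, not Cisco code and not part of the lab: it parses %SEC_LOGIN messages in the format shown, counts failures per source address and per reason code, counts quiet-mode transitions, and flags any successful login from a source that had already failed (the event a defender reviews first, because it may be a guessed password rather than a typo). SAMPLE_LOG is constructed here in the page's message format; it is not a capture from a router.

```python
"""Summarize %SEC_LOGIN messages from a Cisco IOS log buffer (added example)."""
import re
from collections import Counter
from typing import Dict, List, Optional, Tuple

SEC_LOGIN_RE = re.compile(
    r"^\*(?P<ts>[A-Z][a-z]{2}\s+\d+ \d\d:\d\d:\d\d\.\d+): "
    r"%SEC_LOGIN-(?P<sev>\d)-(?P<mnemonic>[A-Z_]+): (?P<body>.*)$"
)
FIELD_RE = re.compile(r"\[(\w+): ([^\]]+)\]")   # [user: ccna] [Source: 10.1.1.2] ...

# Constructed sample in the page's message format (not a real capture).
SAMPLE_LOG = """\
*Mar 1 00:20:02.078: %SYS-5-CONFIG_I: Configured from console by ccna on vty0 (10.1.1.2)
*Mar 1 00:20:10.300: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: ccna] [Source: 10.1.1.2] [localport: 23] [Reason: Login Authentication Failed - BadPassword] at 00:20:10 UTC Fri Mar 1 2002
*Mar 1 00:20:14.422: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: ccna] [Source: 10.1.1.2] [localport: 23] [Reason: Login Authentication Failed - BadPassword] at 00:20:14 UTC Fri Mar 1 2002
*Mar 1 00:20:14.422: %SEC_LOGIN-1-QUIET_MODE_ON: Still timeleft for watching failures is 6 secs, [user: ccna] [Source: 10.1.1.2] [localport: 23] [Reason: Login Authentication Failed - BadPassword] [ACL: R2-LPBK-20-TELNET] at 00:20:14 UTC Fri Mar 1 2002
*Mar 1 00:20:54.424: %SEC_LOGIN-5-QUIET_MODE_OFF: Quiet Mode is OFF, because block period timed out at 00:20:54 UTC Fri Mar 1 2002
*Mar 1 00:23:49.663: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: ccns] [Source: 10.1.1.2] [localport: 23] [Reason: Login Authentication Failed - BadUser] at 00:23:49 UTC Fri Mar 1 2002
*Mar 1 00:24:10.409: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: ccna] [Source: 20.20.20.2] [localport: 23] [Reason: Login Authentication Failed - BadPassword] at 00:24:10 UTC Fri Mar 1 2002
*Mar 1 00:24:41.897: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: ccna] [Source: 20.20.20.2] [localport: 23] at 00:24:41 UTC Fri Mar 1 2002
"""


def parse_sec_login(line: str) -> Optional[Dict[str, str]]:
    """Return the fields of one %SEC_LOGIN message, or None for any other line."""
    m = SEC_LOGIN_RE.match(line)
    if not m:
        return None
    rec = {"ts": m["ts"], "severity": m["sev"], "mnemonic": m["mnemonic"]}
    # bracketed key/value pairs; keys are lower-cased so Source -> source
    rec.update({k.lower(): v.strip() for k, v in FIELD_RE.findall(m["body"])})
    if "reason" in rec:
        # "Login Authentication Failed - BadPassword" -> "BadPassword"
        rec["reason_code"] = rec["reason"].rsplit(" ", 1)[-1]
    return rec


def summarize(lines: List[str]) -> Dict[str, object]:
    """Counts and findings a defender would pull from the buffer."""
    by_source: Counter = Counter()
    by_reason: Counter = Counter()
    quiet_on = quiet_off = 0
    success_after_failures: List[Tuple[str, str, int]] = []
    for line in lines:
        rec = parse_sec_login(line)
        if rec is None:
            continue
        kind = rec["mnemonic"]
        if kind == "LOGIN_FAILED":
            by_source[rec["source"]] += 1
            by_reason[rec["reason_code"]] += 1
        elif kind == "LOGIN_SUCCESS":
            prior = by_source[rec["source"]]     # failures seen earlier from this host
            if prior:
                success_after_failures.append((rec["source"], rec["user"], prior))
        elif kind == "QUIET_MODE_ON":
            quiet_on += 1
        elif kind == "QUIET_MODE_OFF":
            quiet_off += 1
    return {
        "failures_by_source": dict(by_source),
        "failures_by_reason": dict(by_reason),
        "quiet_mode_on": quiet_on,
        "quiet_mode_off": quiet_off,
        "success_after_failures": success_after_failures,
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG.splitlines()).items():
        print(f"{key}: {value}")
```

Run it as-is to see the summary for the constructed sample, or replace SAMPLE_LOG with the lines from your own show log output. The reason code is taken from the tail of the Reason field, so BadPassword and BadUser are counted separately; a high BadUser count from one source is usually username enumeration rather than a mistyped password.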
Lab 2 Configurations
R1 Configuration
R1#show run
Building configuration...

Current configuration : 1077 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
logging buffered 4096
no logging console
!
no aaa new-model
no network-clock-participate slot 1
no network-clock-participate wic 0
ip cef
!
login block-for 40 attempts 2 within 20
login quiet-mode access-class R2-LPBK-20-TELNET
login on-failure log
login on-success log
!
multilink bundle-name authenticated
!
username ccna privilege 15 secret 5 $1$LlaJ$13RVZPlzHe1KOhx6nYq9s1
archive
 log config
  hidekeys
!
interface FastEthernet0/0
 ip address 172.16.1.1 255.255.255.0
 duplex auto
 speed auto
!
interface Serial0/0
 ip address 10.1.1.1 255.255.255.252
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Serial0/0
!
ip http server
no ip http secure-server
!
ip access-list extended R2-LPBK-20-TELNET
 permit tcp 20.20.20.0 0.0.0.15 any eq telnet
!
control-plane
!
line con 0
line aux 0
line vty 0 4
 password cisco
 login local
!
end
R2 Configuration
R2#show run
Building configuration...

Current configuration : 919 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R2
!
boot-start-marker
boot-end-marker
!
no logging console
!
no aaa new-model
no network-clock-participate slot 1
no network-clock-participate wic 0
ip cef
!
no ip domain lookup
!
multilink bundle-name authenticated
!
archive
 log config
  hidekeys
!
interface Loopback10
 ip address 10.10.10.2 255.255.255.192
!
interface Loopback20
 ip address 20.20.20.2 255.255.255.240
!
interface FastEthernet0/0
 ip address 172.16.1.2 255.255.255.0
 duplex auto
 speed auto
!
interface Serial0/0
 ip address 10.1.1.2 255.255.255.252
 clock rate 512000
!
ip forward-protocol nd
!
ip http server
ip http authentication local
no ip http secure-server
!
control-plane
!
line con 0
line aux 0
line vty 0 4
 password cisco
 login
!
end