CBT IT Certification Training


Cisco IOS Login Block

Lab 2 


Lab Objective:

The objective of this lab exercise is for you to learn and understand how to implement the Cisco IOS Login Block feature.

Lab Purpose:

The Cisco IOS Login Enhancements (Login Block) feature lets you improve the security of a router by configuring options that automatically block further login attempts when a possible Denial-of-Service (DoS) attack is detected.

Lab Difficulty:

This lab has a difficulty rating of 8/10.

Readiness Assessment:

When you are ready for your certification exam, you should complete this lab in no more than 15 minutes. 

Lab Topology:

Please use the following topology to complete this lab exercise:

[Lab 2 topology diagram]

Lab 2 Configuration Tasks 

Task 1:

Configure the hostnames and IP addresses on R1 and R2 as illustrated in the network diagram. Configure R2 to send R1 clocking information at a rate of 512Kbps. Ping between R1 and R2 to verify your configuration and ensure that the two routers have IP connectivity. 

Task 2:

Configure the following interfaces on R2:

Interface     Address/Mask
Loopback10    10.10.10.2/26
Loopback20    20.20.20.2/28

Task 3:

Configure a static default route on R1 via Serial0/0. Ping R1 from the Loopback10 and Loopback20 interfaces of R2 and validate IP connectivity.

Task 4:

Configure Cisco IOS Login Block on R1 as follows:

  • If there are more than 2 failed login attempts within 20 seconds of each other, the router should block login access for a period of 40 seconds.
  • However, during the blocking time, the router should allow only TELNET connections from the Loopback20 subnet on R2 to attempt to log in.
  • In addition to this, the router should log every single successful and failed login attempt.

Task 5:

Configure a user with the username ccna and password security on R1. This user should have Level 15 privileges. In addition, configure R1 to allow Telnet access while authenticating users based on the local router database. Finally, configure R1 to log ALL messages to the buffer.

Task 6:

Test your login configuration as follows:

  • Telnet to R1 from the Loopback10 interface of R2, purposely using an incorrect password for user ccna (for example, security1). Repeat this at least two times within 20 seconds. If your configuration is correct, the router should enter the quiet period and a subsequent connection attempt to R1 should be refused. Validate this.
  • Telnet to R1 from the Loopback20 interface of R2 while the router is in the quiet period. Despite the quiet period, the exception configured in Task 4 should allow user ccna to log in using the correct password. Verify that this is the case.
  • Issue the show log command on R1. You should observe SYSLOG messages for every failed and successful login attempt on the router.

Lab 2 Configuration and Verification

Task 1:

Router(config)#hostname R1
R1(config)#interface serial0/0
R1(config-if)#no shutdown
R1(config-if)#ip address 10.1.1.1 255.255.255.252
R1(config-if)#end
R1#

Router(config)#hostname R2
R2(config)#interface serial0/0
R2(config-if)#no shutdown
R2(config-if)#clock rate 512000
R2(config-if)#ip address 10.1.1.2 255.255.255.252
R2(config-if)#exit
R2(config)#exit
R2#
R2#ping 10.1.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/8 ms

Task 2:

R2(config)#interface loopback 10
R2(config-if)#ip address 10.10.10.2 255.255.255.192
R2(config-if)#exit
R2(config)#interface loopback 20
R2(config-if)#ip address 20.20.20.2 255.255.255.240
R2(config-if)#exit
R2(config)#exit
R2#

Task 3:

R1(config)#ip route 0.0.0.0 0.0.0.0 serial0/0
R1(config)#exit
R1#
R1#ping 10.10.10.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.10.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/8 ms
R1#
R1#ping 20.20.20.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 20.20.20.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/6/8 ms

Task 4:

R1(config)#login block-for 40 attempts 2 within 20
R1(config)#ip access-list extended R2-LPBK-20-TELNET
R1(config-ext-nacl)#permit tcp 20.20.20.0 0.0.0.15 any eq telnet
R1(config-ext-nacl)#exit
R1(config)#login quiet-mode access-class R2-LPBK-20-TELNET
R1(config)#login on-success log every 1
R1(config)#login on-failure log every 1
R1(config)#exit
R1#
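To make the Task 4 parameters concrete, here is an added Python model (not Cisco code and not part of the original lab) of how `login block-for 40 attempts 2 within 20` and the quiet-mode ACL interact; it replays the Task 6 test sequence. The class and method names, the plain-second timestamps, and the rule that the quiet period starts once the failure count inside the watch window reaches `attempts` are assumptions of this model, not taken from IOS.

```python
from ipaddress import ip_address, ip_network


class LoginBlock:
    """Simplified model of 'login block-for B attempts A within W' plus
    'login quiet-mode access-class ACL'. Added illustration, not IOS code.
    Times are plain seconds; quiet mode starts when A failures fall inside
    the W-second watch window (an assumption about the trigger rule)."""

    def __init__(self, block_for, attempts, within, quiet_acl):
        self.block_for = block_for              # length of the quiet period (s)
        self.attempts = attempts                # failures that trigger it
        self.within = within                    # watch window for failures (s)
        self.quiet_acl = ip_network(quiet_acl)  # sources still allowed in quiet mode
        self.failures = []                      # timestamps of recent failures
        self.quiet_until = None                 # end of the current quiet period
        self.log = []                           # constructed syslog-like records

    def in_quiet_mode(self, now):
        if self.quiet_until is not None and now >= self.quiet_until:
            self.quiet_until = None
            self.log.append(f"{now}: QUIET_MODE_OFF, block period timed out")
        return self.quiet_until is not None

    def connect(self, now, src):
        """TCP connect to a vty: refused in quiet mode unless the source
        matches the quiet-mode ACL (the Loopback20 subnet in this lab)."""
        if self.in_quiet_mode(now) and ip_address(src) not in self.quiet_acl:
            return "refused"
        return "open"

    def login(self, now, src, password_ok):
        """One authentication attempt; failures are counted per watch window."""
        if self.connect(now, src) == "refused":
            return "refused"
        if password_ok:
            self.log.append(f"{now}: LOGIN_SUCCESS src={src}")
            return "success"
        self.log.append(f"{now}: LOGIN_FAILED src={src}")
        # drop failures that have aged out of the watch window, then add this one
        self.failures = [t for t in self.failures if now - t <= self.within]
        self.failures.append(now)
        if len(self.failures) >= self.attempts and not self.in_quiet_mode(now):
            self.quiet_until = now + self.block_for
            self.failures = []
            self.log.append(f"{now}: QUIET_MODE_ON for {self.block_for}s, ACL {self.quiet_acl}")
        return "failed"


def lab_scenario():
    """Replays the Task 6 test against the Task 4 parameters."""
    r1 = LoginBlock(block_for=40, attempts=2, within=20, quiet_acl="20.20.20.0/28")
    return [
        r1.login(10, "10.1.1.2", False),    # first bad password from Serial0/0
        r1.login(14, "10.1.1.2", False),    # second within 20 s: quiet mode until t=54
        r1.connect(16, "10.1.1.2"),         # refused during the quiet period
        r1.connect(18, "10.10.10.2"),       # Loopback10 source: also refused
        r1.login(30, "20.20.20.2", True),   # Loopback20 source: permitted by the ACL
        r1.connect(55, "10.1.1.2"),         # quiet period has expired
    ]
```

Two failures more than 20 seconds apart never trigger the quiet period in this model, which is the point of the `within` value.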

Task 5:

R1(config)#username ccna privilege 15 secret security
R1(config)#line vty 0 4
R1(config-line)#login local
R1(config-line)#exit
R1(config)#exit
R1#

Task 6:

R2#telnet 10.1.1.1
Trying 10.1.1.1 ... Open

User Access Verification

Username: ccna
Password:
% Login invalid

Username: ccna
Password:
% Login invalid

[Connection to 10.1.1.1 closed by foreign host]

R2#telnet 10.1.1.1
Trying 10.1.1.1 ...
% Connection refused by remote host

The following messages should be visible on R1 when this happens:

R1#show log
Syslog logging: enabled (1 messages dropped, 0 messages rate-limited,
                0 flushes, 0 overruns, xml disabled, filtering disabled)

No Active Message Discriminator.

No Inactive Message Discriminator.

    Console logging: disabled
    Monitor logging: level debugging, 0 messages logged, xml disabled,
                     filtering disabled
    Buffer logging:  level debugging, 5 messages logged, xml disabled,
                     filtering disabled
    Logging Exception size (4096 bytes)
    Count and timestamp logging messages: disabled
    Persistent logging: disabled
    Trap logging: level informational, 32 message lines logged

Log Buffer (4096 bytes):

*Mar  1 00:20:02.078: %SYS-5-CONFIG_I: Configured from console by ccna on vty0 (10.1.1.2)
*Mar  1 00:20:10.300: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: ccna] [Source: 10.1.1.2] [localport: 23] [Reason: Login Authentication Failed - BadPassword] at 00:20:10 UTC Fri Mar 1 2002
*Mar  1 00:20:14.422: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: ccna] [Source: 10.1.1.2] [localport: 23] [Reason: Login Authentication Failed - BadPassword] at 00:20:14 UTC Fri Mar 1 2002
*Mar  1 00:20:14.422: %SEC_LOGIN-1-QUIET_MODE_ON: Still timeleft for watching failures is 6 secs, [user: ccna] [Source: 10.1.1.2] [localport: 23] [Reason: Login Authentication Failed - BadPassword] [ACL: R2-LPBK-20-TELNET] at 00:20:14 UTC Fri Mar 1 2002
*Mar  1 00:20:54.424: %SEC_LOGIN-5-QUIET_MODE_OFF: Quiet Mode is OFF, because block period timed out at 00:20:54 UTC Fri Mar 1 2002

To validate the second requirement of Task 4, Telnet to R1 during the quiet period: only the connection sourced from the Loopback20 subnet of R2 should be permitted.

R2#telnet 10.1.1.1
Trying 10.1.1.1 ...
% Connection refused by remote host

R2#telnet 10.1.1.1 /source loopback 10
Trying 10.1.1.1 ...
% Connection refused by remote host

R2#telnet 10.1.1.1 /source loopback 20
Trying 10.1.1.1 ... Open

User Access Verification

Username: ccna
Password:
R1#

Because every login attempt is being logged, you should see quite a few log messages. Make sure that buffered logging is enabled on R1 with the logging buffered command; otherwise show log will have nothing to display.

R1#show log
Syslog logging: enabled (1 messages dropped, 0 messages rate-limited,
                0 flushes, 0 overruns, xml disabled, filtering disabled)

No Active Message Discriminator.

No Inactive Message Discriminator.

    Console logging: disabled
    Monitor logging: level debugging, 0 messages logged, xml disabled,
                     filtering disabled
    Buffer logging:  level debugging, 14 messages logged, xml disabled,
                     filtering disabled
    Logging Exception size (4096 bytes)
    Count and timestamp logging messages: disabled
    Persistent logging: disabled
    Trap logging: level informational, 41 message lines logged

Log Buffer (4096 bytes):

*Mar  1 00:20:02.078: %SYS-5-CONFIG_I: Configured from console by ccna on vty0 (10.1.1.2)
*Mar  1 00:20:10.300: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: ccna] [Source: 10.1.1.2] [localport: 23] [Reason: Login Authentication Failed - BadPassword] at 00:20:10 UTC Fri Mar 1 2002
*Mar  1 00:20:14.422: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: ccna] [Source: 10.1.1.2] [localport: 23] [Reason: Login Authentication Failed - BadPassword] at 00:20:14 UTC Fri Mar 1 2002
*Mar  1 00:20:14.422: %SEC_LOGIN-1-QUIET_MODE_ON: Still timeleft for watching failures is 6 secs, [user: ccna] [Source: 10.1.1.2] [localport: 23] [Reason: Login Authentication Failed - BadPassword] [ACL: R2-LPBK-20-TELNET] at 00:20:14 UTC Fri Mar 1 2002
*Mar  1 00:20:54.424: %SEC_LOGIN-5-QUIET_MODE_OFF: Quiet Mode is OFF, because block period timed out at 00:20:54 UTC Fri Mar 1 2002
*Mar  1 00:23:49.663: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: ccns] [Source: 10.1.1.2] [localport: 23] [Reason: Login Authentication Failed - BadUser] at 00:23:49 UTC Fri Mar 1 2002
*Mar  1 00:23:54.062: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: ccna] [Source: 10.1.1.2] [localport: 23] [Reason: Login Authentication Failed - BadPassword] at 00:23:54 UTC Fri Mar 1 2002
*Mar  1 00:23:54.062: %SEC_LOGIN-1-QUIET_MODE_ON: Still timeleft for watching failures is 0 secs, [user: ccna] [Source: 10.1.1.2] [localport: 23] [Reason: Login Authentication Failed - BadPassword] [ACL: R2-LPBK-20-TELNET] at 00:23:54 UTC Fri Mar 1 2002
*Mar  1 00:24:10.409: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: ccna] [Source: 20.20.20.2] [localport: 23] [Reason: Login Authentication Failed - BadPassword] at 00:24:10 UTC Fri Mar 1 2002
*Mar  1 00:24:10.409: %SEC_LOGIN-1-QUIET_MODE_ON: Still timeleft for watching failures is 0 secs, [user: ccna] [Source: 20.20.20.2] [localport: 23] [Reason: Login Authentication Failed - BadPassword] [ACL: R2-LPBK-20-TELNET] at 00:24:10 UTC Fri Mar 1 2002
*Mar  1 00:24:21.411: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: ccna] [Source: 20.20.20.2] [localport: 23] [Reason: Login Authentication Failed - BadPassword] at 00:24:21 UTC Fri Mar 1 2002
*Mar  1 00:24:21.411: %SEC_LOGIN-1-QUIET_MODE_ON: Still timeleft for watching failures is 0 secs, [user: ccna] [Source: 20.20.20.2] [localport: 23] [Reason: Login Authentication Failed - BadPassword] [ACL: R2-LPBK-20-TELNET] at 00:24:21 UTC Fri Mar 1 2002
*Mar  1 00:24:41.897: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: ccna] [Source: 20.20.20.2] [localport: 23] at 00:24:41 UTC Fri Mar 1 2002
*Mar  1 00:25:01.413: %SEC_LOGIN-5-QUIET_MODE_OFF: Quiet Mode is OFF, because block period timed out at 00:25:01 UTC Fri Mar 1 2002
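As an added example that is not part of the lab, the following Python parses %SEC_LOGIN messages in the format shown above and checks that the only successful login during quiet mode came from the ACL-permitted Loopback20 subnet, which is what a defender would want to confirm from the buffer. The sample lines are constructed to mirror the lab output (with a plain hyphen in the Reason field, as IOS prints it), and the function names are this example's own.

```python
import re
from collections import Counter

# Constructed sample lines in the %SEC_LOGIN format used by the lab's show log output.
SAMPLE_LOG = """\
*Mar  1 00:23:49.663: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: ccns] [Source: 10.1.1.2] [localport: 23] [Reason: Login Authentication Failed - BadUser] at 00:23:49 UTC Fri Mar 1 2002
*Mar  1 00:23:54.062: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: ccna] [Source: 10.1.1.2] [localport: 23] [Reason: Login Authentication Failed - BadPassword] at 00:23:54 UTC Fri Mar 1 2002
*Mar  1 00:23:54.062: %SEC_LOGIN-1-QUIET_MODE_ON: Still timeleft for watching failures is 0 secs, [user: ccna] [Source: 10.1.1.2] [localport: 23] [Reason: Login Authentication Failed - BadPassword] [ACL: R2-LPBK-20-TELNET] at 00:23:54 UTC Fri Mar 1 2002
*Mar  1 00:24:10.409: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: ccna] [Source: 20.20.20.2] [localport: 23] [Reason: Login Authentication Failed - BadPassword] at 00:24:10 UTC Fri Mar 1 2002
*Mar  1 00:24:41.897: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: ccna] [Source: 20.20.20.2] [localport: 23] at 00:24:41 UTC Fri Mar 1 2002
*Mar  1 00:25:01.413: %SEC_LOGIN-5-QUIET_MODE_OFF: Quiet Mode is OFF, because block period timed out at 00:25:01 UTC Fri Mar 1 2002
"""

# "*Mar  1 00:23:49.663: %SEC_LOGIN-4-LOGIN_FAILED: <body>"
LINE_RE = re.compile(r"^\*(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d\.\d+): "
                     r"%SEC_LOGIN-(?P<sev>\d)-(?P<mnemonic>\w+): (?P<body>.*)$")
FIELD_RE = re.compile(r"\[(\w+): ([^\]]*)\]")   # "[Source: 10.1.1.2]" style fields


def parse(text):
    """Turn %SEC_LOGIN lines into dicts; other syslog lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rec = {"ts": m["ts"], "severity": int(m["sev"]), "mnemonic": m["mnemonic"]}
        rec.update({k.lower(): v for k, v in FIELD_RE.findall(m["body"])})
        records.append(rec)
    return records


def summarize(records):
    """Failure counts plus the sources that logged in while quiet mode was on:
    with the Task 4 ACL those must all be in the Loopback20 subnet."""
    failed = [r for r in records if r["mnemonic"] == "LOGIN_FAILED"]
    quiet, success_during_quiet = False, []
    for r in records:
        if r["mnemonic"] == "QUIET_MODE_ON":
            quiet = True
        elif r["mnemonic"] == "QUIET_MODE_OFF":
            quiet = False
        elif r["mnemonic"] == "LOGIN_SUCCESS" and quiet:
            success_during_quiet.append(r["source"])
    return {
        "failures_by_source": dict(Counter(r["source"] for r in failed)),
        "failure_reasons": dict(Counter(r["reason"].rsplit(" - ", 1)[-1] for r in failed)),
        "success_during_quiet": success_during_quiet,
    }
```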

Lab 2 Configurations

R1 Configuration

R1#show run
Building configuration...

Current configuration : 1077 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
logging buffered 4096
no logging console
!
no aaa new-model
no network-clock-participate slot 1
no network-clock-participate wic 0
ip cef
!
login block-for 40 attempts 2 within 20
login quiet-mode access-class R2-LPBK-20-TELNET
login on-failure log
login on-success log
!
multilink bundle-name authenticated
!
username ccna privilege 15 secret 5 $1$LlaJ$13RVZPlzHe1KOhx6nYq9s1
archive
 log config
  hidekeys
!
interface FastEthernet0/0
 ip address 172.16.1.1 255.255.255.0
 duplex auto
 speed auto
!
interface Serial0/0
 ip address 10.1.1.1 255.255.255.252
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Serial0/0
!
ip http server
no ip http secure-server
!
ip access-list extended R2-LPBK-20-TELNET
 permit tcp 20.20.20.0 0.0.0.15 any eq telnet
!
control-plane
!
line con 0
line aux 0
line vty 0 4
 password cisco
 login local
!
end

R2 Configuration

R2#show run
Building configuration...

Current configuration : 919 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R2
!
boot-start-marker
boot-end-marker
!
no logging console
!
no aaa new-model
no network-clock-participate slot 1
no network-clock-participate wic 0
ip cef
!
no ip domain lookup
!
multilink bundle-name authenticated
!
archive
 log config
  hidekeys
!
interface Loopback10
 ip address 10.10.10.2 255.255.255.192
!
interface Loopback20
 ip address 20.20.20.2 255.255.255.240
!
interface FastEthernet0/0
 ip address 172.16.1.2 255.255.255.0
 duplex auto
 speed auto
!
interface Serial0/0
 ip address 10.1.1.2 255.255.255.252
 clock rate 512000
!
ip forward-protocol nd
!
ip http server
ip http authentication local
no ip http secure-server
!
control-plane
!
line con 0
line aux 0
line vty 0 4
 password cisco
 login
!
end

 
