ICND1

Interconnecting Cisco
Networking Devices,
Part 1
Volume 1

Version 2.0

Lab Guide
Part Number: 97-3244-01

Americas Headquarters
Cisco Systems, Inc.
San Jose, CA

Asia Pacific Headquarters


Cisco Systems (USA) Pte. Ltd.
Singapore

Europe Headquarters
Cisco Systems International BV
Amsterdam,
The Netherlands

Cisco has more than 200 offices worldwide. Addresses, phone numbers, and fax numbers are listed on the Cisco Website at
www.cisco.com/go/offices.

Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To
view a list of Cisco trademarks, go to this URL: www.cisco.com/go/trademarks. Third party trademarks mentioned are the property
of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other
company. (1110R)
DISCLAIMER WARRANTY: THIS CONTENT IS BEING PROVIDED AS IS. CISCO MAKES AND YOU RECEIVE NO
WARRANTIES IN CONNECTION WITH THE CONTENT PROVIDED HEREUNDER, EXPRESS, IMPLIED, STATUTORY OR IN
ANY OTHER PROVISION OF THIS CONTENT OR COMMUNICATION BETWEEN CISCO AND YOU. CISCO SPECIFICALLY
DISCLAIMS ALL IMPLIED WARRANTIES, INCLUDING WARRANTIES OF MERCHANTABILITY, NON-INFRINGEMENT AND
FITNESS FOR A PARTICULAR PURPOSE, OR ARISING FROM A COURSE OF DEALING, USAGE OR TRADE PRACTICE.
This learning product may contain early release content, and while Cisco believes it to be accurate, it falls subject to the
disclaimer above.

2013 Cisco Systems, Inc.

Table of Contents

Lab 1-1: Performing Switch Startup and Initial Configuration
  Visual Objective
  Required Resources
  Command List
  Job Aids
  Task 1: Perform a Reload and Verify that the Switch Is Unconfigured
  Task 2: Configure the Switch with a Hostname and an IP Address
  Task 3: Explore Context-Sensitive Help
  Task 4: Improve the Usability of the CLI

Lab 1-2: Troubleshooting Switch Media Issues
  Visual Objective
  Required Resources
  Command List
  Job Aids
  Task 1: Lab Setup
  Task 2: Troubleshoot Connectivity Between Computer PC1 and Switch SW1
  Task 3: Troubleshoot Connectivity Between Switch SW1 and the Branch Router

Lab 2-1: Performing Initial Router Setup and Configuration
  Visual Objective
  Required Resources
  Command List
  Job Aids
  Task 1: Inspect the Router Hardware and Software
  Task 2: Create the Initial Router Configuration
  Task 3: Improve the Usability of the CLI
  Task 4: Discover Connected Neighbors with Cisco Discovery Protocol

Lab 2-2: Connecting to the Internet
  Visual Objective
  Required Resources
  Command List
  Job Aids
  Task 1: Configure a Manual IP Address and Static Default Route
  Task 2: Configure a DHCP-Obtained IP Address
  Task 3: Configure NAT
  Task 4: Configure NAT with PAT

Lab 3-1: Enhancing the Security of the Initial Configuration
  Visual Objective
  Required Resources
  Command List
  Job Aids
  Task 1: Add Password Protection
  Task 2: Enable SSH Remote Access
  Task 3: Limit Remote Access to Selected Network Addresses
  Task 4: Configure a Login Banner

Lab 3-2: Device Hardening
  Visual Objective
  Required Resources
  Command List
  Job Aids
  Task 1: Disable Unused Ports
  Task 2: Configure Port Security on a Switch
  Task 3: Disable Unused Services
  Task 4: Configure NTP

Lab 3-3: Filtering Traffic with ACLs
  Visual Objective
  Required Resources
  Command List
  Job Aids
  Task 1: Configure an ACL
  Task 2: Lab Setup
  Task 3: Troubleshoot an ACL

Lab 4-1: Configuring Expanded Switched Networks
  Visual Objective
  Required Resources
  Command List
  Job Aids
  Task 1: Configure a VLAN
  Task 2: Configure the Link Between Switches as a Trunk
  Task 3: Configure a Trunk Link on the Router

Lab 4-2: Configuring DHCP Server
  Visual Objective
  Required Resources
  Command List
  Job Aids
  Task 1: Configure DHCP Pools
  Task 2: Exclude Specific IP Addresses from DHCP Pools
  Task 3: Configure DHCP Relay Agent
  Task 4: Manually Assign IP Addresses

Lab 4-3: Implementing OSPF
  Visual Objective
  Required Resources
  Command List
  Job Aids
  Task 1: Connect the Router to the WAN
  Task 2: Configure OSPF

Lab 5-1: Configure and Verify Basic IPv6
  Visual Objective
  Required Resources
  Command List
  Job Aids
  Task 1: Enable IPv6 on the Router

Lab 5-2: Configure and Verify Stateless Autoconfiguration
  Visual Objective
  Required Resources
  Command List
  Job Aids
  Task 1: Enable Stateless Autoconfiguration on the Router

Lab 5-3: Configure and Verify IPv6 Routing
  Visual Objective
  Required Resources
  Command List
  Job Aids
  Task 1: Enable IPv6 Static Routing
  Task 2: Enable OSPFv3

Lab S-1: ICND1 Superlab
  Visual Objective
  Required Resources
  Command List
  Job Aids
  Task 1: Configure Basic Settings, VLANs, Trunks, and Port Security on Switches
  Task 2: Configure Inter-VLAN Routing
  Task 3: Configure Internet Connectivity
  Task 4: Configure WAN Connectivity and a Dynamic Routing Protocol
  Task 5: Configure IPv6 Connectivity in the LAN
  Task 6: Configure the OSPFv3 Routing Protocol

Lab Answer Keys
  Lab 1-1: Performing Switch Startup and Initial Configuration
  Lab 1-2: Troubleshooting Switch Media Issues
  Lab 2-1: Performing Initial Router Setup and Configuration
  Lab 2-2: Connecting to the Internet
  Lab 3-1: Enhancing the Security of the Initial Configuration
  Lab 3-2: Device Hardening
  Lab 3-3: Filtering Traffic with ACLs
  Lab 4-1: Configuring Expanded Switched Networks
  Lab 4-2: Configuring DHCP Server
  Lab 4-3: Implementing OSPF
  Lab 5-1: Configure and Verify Basic IPv6
  Lab 5-2: Configure and Verify Stateless Autoconfiguration
  Lab 5-3: Configure and Verify IPv6 Routing
  Lab S-1: ICND1 Superlab

Lab 1-1: Performing Switch Startup and Initial Configuration
Activity Overview
Objectives

In this activity, you will observe the switch boot procedure and perform basic switch configuration. After
you have completed this activity, you will be able to meet these objectives:
Restart the switch and verify the initial configuration messages
Complete the initial configuration of the Cisco Catalyst switch
Explore context-sensitive help

Improve the usability of the CLI

Visual Objective
The figure illustrates what you will accomplish in this activity.

[Figure: Visual Objective for Lab 1-1: Performing Switch Startup and Initial Configuration. Devices shown: Branch, Server, HQ, PC1, SW1, PC2, SW2.]

[Figure: Detailed Visual Objective. Devices shown: PC1, SW1. Callout: Perform switch startup and initial configuration.]

Required Resources
No additional resources are required for this lab.

Command List

The table describes the commands that are used in this activity. The commands are listed in alphabetical
order so that you can easily locate the information that you need. Refer to this list if you need configuration
command assistance during the lab activity.

Cisco IOS Switch Commands

| Command | Description |
| --- | --- |
| ? or help | In user EXEC mode, lists the subset of commands that are available at that level |
| clock set | Manages the system clock |
| configure terminal | Activates the configuration mode from the terminal |
| copy running-config destination | Copies the switch running configuration file to another destination. A typical destination is the startup configuration. |
| delete name | Deletes a file from flash memory |
| do command | Executes user EXEC or privileged EXEC commands from global configuration mode or other configuration modes or submodes, in any configuration mode |
| enable | Activates privileged EXEC mode. In privileged EXEC mode, more commands are available. This command requires you to enter the enable password if an enable password is configured. |
| end | Terminates configuration mode |
| erase startup-config | Erases the startup configuration that is stored in nonvolatile memory |
| exit | Exits the current configuration mode |
| history size number | Sets the number of lines that are held in the history buffer for recall. Two separate buffers are used: one for EXEC mode commands and the other for configuration mode commands |
| hostname hostname | Sets the system name, which forms part of the prompt |
| interface vlan 1 | Enters interface configuration mode for VLAN 1 to set the switch management IP address |
| ip address ip-address subnet-mask | Sets the IP address and mask of the interface |
| line console 0 | Enters line console configuration mode |
| logging synchronous | Synchronizes unsolicited messages and debugs privileged EXEC command output with solicited device output and prompts for a specific console port line or vty line |
| reload | Restarts the switch and reloads the Cisco IOS operating system and configuration |
| show clock | Displays the system clock |
| show flash: | Displays the layout and contents of a flash memory file system |
| show startup-config | Displays the startup configuration settings that are saved in NVRAM |
| show terminal | Displays the current settings for the terminal |
| show version | Displays the configuration of the switch hardware and the various software versions |

Job Aids

These job aids are available to help you complete the lab activity.

The table shows the hardware that is used in the lab and the operating system that is running on the devices.

| Device | Hardware | Operating System |
| --- | --- | --- |
| SW1 | Catalyst 2960 Series Switch | c2960-lanbasek9-mz.150-1.SE3 |
| PC1 | Any PC | Microsoft Windows 7 |

There are no console or enable passwords set for the router and switch in the initial lab setup. The table
shows the username and password that are used to access PC1.

| Device | Username | Password |
| --- | --- | --- |
| PC1 | Administrator | admin |

Topology and IP Addressing


Devices are connected by Ethernet connections. The figure illustrates the interface identification and IP
addresses that are used in this lab setup.

[Figure: Topology and IP Addressing. PC1 (10.1.1.100) is connected to SW1 (10.1.1.11) on interface Fa0/1.]

The table shows the interface identification and IP addresses that are used in this lab setup.

| Device | Interface | IP Address | Subnet Mask |
| --- | --- | --- | --- |
| SW1 | VLAN1 | 10.1.1.11 | 255.255.255.0 |
| PC1 | Ethernet adapter local area connection | 10.1.1.100 | 255.255.255.0 |

Setting the IP Address on a PC

On a PC, click Start and choose Control Panel. Click Change Adapter Settings and then right-click
Local Area Network. Choose Properties. When you are presented with the Local Area Connection
Properties dialog, click Internet Protocol version 4 (TCP/IPv4) and then click Properties. In the Internet
Protocol Version 4 (TCP/IPv4) Properties window, click the Use the Following IP Address radio button
and enter the appropriate IP address, subnet mask, and default gateway.

Task 1: Perform a Reload and Verify that the Switch Is Unconfigured

In this task, you will use the erase startup-config command to ensure that the switch has no prior
configuration in the startup-config file. You will then reload the switch software and observe the output that
is generated during the reload. Finally, you will investigate the properties of the switch.
Activity Procedure
Complete the following steps:
Step 1

Access the CLI of switch SW1 and enter user EXEC mode.

You will be provided with information about how to access the lab equipment.

Step 2
To see the effect of entering a privileged-level command in user EXEC mode, enter the command erase
startup-config.

What was the result of issuing the command in an incorrect EXEC mode?

Step 3

Enter privileged EXEC mode.

How do you know if you are in privileged EXEC mode and not user EXEC mode?

Step 4

Erase the startup configuration. Because the switch also stores a small part of the configuration in the file,
vlan.dat, stored in flash memory, delete it before performing a reload. Observe the output during the reload.
Step 5

Press Enter when the switch boots and skip the initial configuration dialog. You will know that the switch
has finished booting when you see "Press RETURN to get started!" in the console output.
How do you know that the startup configuration has been erased?

Step 6

Using the appropriate show command, investigate the switch model number, software version, and amount
of RAM and flash memory.
Activity Verification
You have completed this task when you attain these results:
You performed a switch reload.

You verified that the switch is unconfigured.

Task 2: Configure the Switch with a Hostname and an IP Address

In this task, you will configure the switch with a hostname and an IP address.
Activity Procedure
Complete the following steps:
Step 1

Change the hostname of the switch to SW1.


Step 2

Assign an IP address to the VLAN 1 interface on switch SW1. Be sure that you assign the correct IP
address, as described in the Job Aids section in the beginning of the lab document.
Note

Configuring the IP address on the switch is not mandatory to start the switch running, but it is necessary
for remote management access to the switch.

Step 3

Access PC1. Use the username and password that are described in the Job Aids section to log in.

Step 4

Assign the IP address of PC1, as listed in the Job Aids section. Leave the default gateway empty.

Step 5

From PC1, ping the VLAN 1 IP address of SW1 to confirm Layer 3 connectivity.
Activity Verification
You have completed this task when you attain these results:

You configured the switch with a hostname and a VLAN 1 IP address.


You configured PC1 with the correct IP address.

Your ping from PC1 to the VLAN 1 IP address of SW1 was successful.

Task 3: Explore Context-Sensitive Help


In this task, you will use context-sensitive help to locate commands and complete command syntax.
Activity Procedure
Complete the following steps:
Step 1

On switch SW1, enter privileged EXEC mode and enter ? (or help) to list the available commands.
Step 2

Using the ? command, set the clock on the switch to the current time and date.
Note

Pressing the Tab key automatically completes the command if the characters that you have entered are
not ambiguous.

Step 3

Verify the current date and time using the appropriate show command.
Step 4

Type the following comment line at the prompt and then press Enter:
!ths command changuw the clck sped for the swch
Note

An exclamation point (!) at the beginning of the line indicates that you are entering a comment. The
comment will not be part of the switch configuration. Comments are a great help when you are working
on a configuration in a text editor and plan to upload it to a device.

Step 5

Press Ctrl-P or press the Up Arrow key to see the previous line. Use the editor commands Ctrl-A, Ctrl-F,
Ctrl-E, and Ctrl-B to move along the line, and use the Backspace key to delete unwanted characters.
Using the editing commands, correct the comment line to read:
!This command changes the clock speed for the switch.

Activity Verification
You have completed this task when you attain these results:

You used the system help and command-completion functions.

You used the built-in editor and the keystrokes for cursor navigation.

Task 4: Improve the Usability of the CLI


In this task, you will enter commands to improve the usability of the CLI. You will increase the number of
lines in the history buffer, increase the inactivity timer on the console port, and stop the attempted name
resolution of mistyped commands.
Activity Procedure
Complete the following steps:

Step 1

Using the show terminal command, verify that history is enabled, and determine the current history size for
the console line.
Step 2

Change the history size to 100 for the console line and verify that the change has taken place.
Note

Alternatively, you could use the begin keyword. You will see the output beginning from the first match.

Step 3

The no ip domain lookup command disables the resolution of symbolic names. With lookup disabled, a
mistyped command is no longer treated as a hostname to be translated into an IP address, a lookup that
otherwise takes about 5 seconds to time out. Disable IP domain lookup.
Step 4

The default console access EXEC timeout is set to 10 minutes. After 10 minutes of inactivity, the user is
disconnected from console access and is required to reconnect. Change this timer to 60 minutes.
Note

Make sure that you are in console line configuration mode. To execute user EXEC or privileged EXEC
commands from global configuration mode or other configuration modes or submodes, use the do
command in any configuration mode.

Step 5

The logging synchronous command synchronizes unsolicited messages and debugs privileged EXEC
command output with the input from the CLI. Without it, status messages appear in the middle of a
command that you are typing. Enable synchronous logging on line console 0.
Step 6

Save your running configuration to the startup configuration.

Activity Verification
You have completed this task when you attain these results:
You changed the history buffer size.
You disabled resolution of symbolic names.
You set the inactivity timeout on the console line to 60 minutes.
You enabled synchronous logging on the console line.

You saved the running configuration to the startup configuration file.
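
The four configuration results listed above can be checked mechanically against a saved running configuration. The following Python sketch is an added example, not part of the Cisco lab guide; the two configuration excerpts are constructed samples, and they assume the usual running-config rendering (`line con 0`, `no ip domain-lookup`).

```python
import re

# Constructed running-config excerpt for SW1 after Task 4 (not device output).
RUNNING_CONFIG = """\
hostname SW1
!
no ip domain-lookup
!
interface Vlan1
 ip address 10.1.1.11 255.255.255.0
!
line con 0
 exec-timeout 60 0
 logging synchronous
 history size 100
line vty 0 4
 login
!
end
"""

# Constructed excerpt of an unconfigured switch: every check should fail.
DEFAULT_CONFIG = """\
hostname Switch
!
interface Vlan1
 no ip address
!
line con 0
line vty 0 4
 login
!
end
"""


def parse_sections(config):
    """Group an IOS config into {top-level line: [indented child lines]}."""
    sections, current = {}, None
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line or line.lstrip().startswith("!"):
            continue  # blank lines and "!" separators/comments carry no settings
        if line[0] == " ":
            if current is not None:
                sections[current].append(line.strip())
        else:
            current = line
            sections.setdefault(current, [])
    return sections


def console_settings(sections):
    """Return the child lines of the console line, however it is abbreviated."""
    for header, children in sections.items():
        if re.fullmatch(r"line con(sole)? 0", header):
            return children
    return []


def check_task4(config):
    """Evaluate the Task 4 verification items that are visible in a config."""
    sections = parse_sections(config)
    console = console_settings(sections)

    timeout = None  # absent means the 10-minute default is still in effect
    for child in console:
        m = re.fullmatch(r"exec-timeout (\d+)(?: (\d+))?", child)
        if m:
            timeout = int(m.group(1)) * 60 + int(m.group(2) or 0)

    history = next(
        (int(c.split()[-1]) for c in console
         if re.fullmatch(r"history size \d+", c)),
        None,
    )
    return {
        "history_size_100": history == 100,
        "domain_lookup_disabled": any(
            re.fullmatch(r"no ip domain[- ]lookup", h) for h in sections
        ),
        # "exec-timeout 0 0" (never time out) is reported as a mismatch, not a pass.
        "console_timeout_60_min": timeout == 3600,
        "console_logging_synchronous": "logging synchronous" in console,
    }


if __name__ == "__main__":
    for name, ok in check_task4(RUNNING_CONFIG).items():
        print(f"{name}: {'ok' if ok else 'MISSING'}")
```

The fifth result, saving to the startup configuration, cannot be read from the running configuration alone; compare it with the output of show startup-config.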

Lab 1-2: Troubleshooting Switch Media Issues
Activity Overview
Objectives

In this activity, you will use troubleshooting guidelines to isolate and correct switch media issues. After
completing this activity, you will be able to meet these objectives:
Follow troubleshooting guidelines to determine the source of connectivity problems between a
computer and a switch, and fix them

Follow troubleshooting guidelines to determine the source of connectivity problems between a router
and a switch, and fix them

Visual Objective
The figure illustrates what you will accomplish in this activity.

[Figure: Visual Objective for Lab 1-2: Troubleshooting Switch Media Issues. Devices shown: Branch, Server, HQ, PC1, SW1, PC2, SW2.]

[Figure: Detailed Visual Objective. Devices shown: Branch, PC1, SW1. Callouts: Troubleshooting Task 1, Troubleshooting Task 2.]

Required Resources

These are the resources and equipment that are required to complete this activity:

Successful completion of Lab 1-1: Performing Switch Startup and Initial Configuration

Command List
The table describes the commands that are used in this activity. The commands are listed in alphabetical
order so that you can easily locate the information that you need. Refer to this list if you need configuration
command assistance during the lab activity.

Commands

| Command | Description |
| --- | --- |
| configure terminal | Enters global configuration mode |
| copy running-config startup-config | Saves the running configuration into NVRAM as the startup configuration |
| duplex full | Enables full duplex on an interface |
| enable | Enters the privileged EXEC mode command interpreter |
| interface FastEthernet 0/13 | Specifies interface FastEthernet 0/13 and enters interface configuration mode |
| shutdown/no shutdown | Disables or enables an interface |
| ping ip-address | Uses ICMP echo requests and ICMP echo replies to determine whether a remote host is reachable |
| show interfaces FastEthernet 0/13 | Displays information about interface FastEthernet 0/13 |
| show ip interface brief | Displays a brief summary of the interfaces on a device, which is useful for quickly checking the status of the device |

Job Aids

These job aids are available to help you complete the lab activity.

The table shows the hardware that is used in the lab and the operating system that is running on the devices.

| Device | Hardware | Operating System |
| --- | --- | --- |
| Branch | Cisco 2901 Integrated Services Router | c2900-universalk9-mz.SPA.152-4.M1 |
| SW1 | Catalyst 2960 Series Switch | c2960-lanbasek9-mz.150-1.SE3 |
| PC1 | Any PC | Microsoft Windows 7 |

There are no console or enable passwords set for the router and switch in the initial lab setup. The table
shows the username and password that are used to access PC1.

| Device | Username | Password |
| --- | --- | --- |
| PC1 | Administrator | admin |

Topology and IP Addressing

Devices are connected with Ethernet connections. The figure illustrates the interface identification and IP
addresses that are used in this lab setup.

[Figure: Topology and IP Addressing. Branch interface Gi0/0 (10.1.1.1) is connected to SW1 interface Fa0/13; PC1 (10.1.1.100) is connected to SW1 interface Fa0/1; SW1 is 10.1.1.11.]

The table shows the interface identification and IP addresses that are used in this lab setup.

| Device | Interface | IP Address/Subnet Mask |
| --- | --- | --- |
| Branch | Gi0/0 | 10.1.1.1/24 |
| SW1 | VLAN1 | 10.1.1.11/24 |
| PC1 | Ethernet adapter local area connection | 10.1.1.100/24 |

Task 1: Lab Setup

In this setup task, you will load the configuration from the switch flash drive.
Activity Procedure
Complete these steps:
Step 1

Access the CLI of switch SW1.

You will be provided with information about accessing the lab equipment.

Step 2
Load the configuration file tshoot_media_issues_start.cfg from the flash drive of the switch.
SW1#copy flash:tshoot_sw_media.cfg run

At this point, you have loaded a configuration file that includes your trouble tickets, presented in Tasks 2
and 3.
Activity Verification
You have completed this task when you attain this result:

You loaded a configuration file from the switch flash drive.

Task 2: Troubleshoot Connectivity Between Computer PC1 and Switch SW1

In this task, you will troubleshoot connectivity problems between switch SW1 and computer PC1.
Activity Procedure
Complete the following steps:
Step 1

John calls you about an issue that he is experiencing while using PC1. He says that PC1 has no network
connectivity, and he insists that somebody unplugged his computer from the switch. The senior engineers
are out. You are the only one who can solve this problem right now. You have access only to switch SW1.
Determine whether or not you can ping PC1 from switch SW1. The IP address of PC1 is listed in the Job
Aids section of this document. Is there Layer 3 connectivity between the computer and the switch?

Step 2

What is the status of interface FastEthernet0/1 on switch SW1, which connects to the PC1? What does this
status mean?

Note

Use the ? command and the Tab key to help you with the command syntax.

Step 3
Correct the issue so that John can continue his work.
Do not forget to verify Layer 3 connectivity between PC1 and SW1.

Step 4
Save the configuration of switch SW1.

Why is it important at this stage to save the configuration?

Activity Verification
You have completed this task when you attain this result:

You identified and corrected the problem that was reported by the user on PC1.

Task 3: Troubleshoot Connectivity Between Switch SW1 and the Branch Router

In this task, you will troubleshoot connectivity problems between the Branch router and switch SW1. You
will correct the existing problem.
Activity Procedure
Complete the following steps:
Step 1

Your colleague informs you that switch SW1 is showing messages about duplex mismatch and they are
unable to prevent the messages. The senior engineers went out for lunch and left you alone to resolve this
issue. How do you solve the problem indicated by this message?
Using the appropriate show commands from the Command List section, identify the status of interface
FastEthernet0/13, which connects to the Branch router.
Step 2

Correct the issue that you identified. Do not forget to save the changes that you made.
Activity Verification
You have completed this task when you attain this result:

You identified and corrected the connectivity problem.

Lab 2-1: Performing Initial Router Setup and Configuration
Activity Overview
Objectives

In this activity, you will observe the router boot procedure and perform basic router configuration. After
completing this activity, you will be able to meet these objectives:
Inspect router hardware and software
Perform initial router configuration
Improve the usability of the CLI

Use Cisco Discovery Protocol to discover how devices are interconnected

Visual Objective
The figure illustrates what you will accomplish in this activity.

[Figure: Visual Objective for Lab 2-1: Performing Initial Router Setup and Configuration. Devices shown: Branch, Server, HQ, PC1, SW1, PC2, SW2.]

[Figure: Detailed Visual Objective. Devices shown: Branch, PC1, SW1. Callouts: Verify the router and its settings. Perform router initial configuration. Use Cisco Discovery Protocol to discover how devices are interconnected.]

Required Resources

No additional resources are required for this lab.

Command List
The table describes the commands that are used in this activity. The commands are listed in alphabetical
order so that you can easily locate the information that you need. Refer to this list if you need configuration
command assistance during the lab activity.

Cisco IOS Router Commands

| Command | Description |
| --- | --- |
| configure terminal | Activates the configuration mode from the terminal. |
| copy running-config destination | Copies the running configuration file to another destination. A typical destination is the startup configuration. |
| description | Adds a descriptive comment to the configuration of an interface. |
| enable | Activates privileged EXEC mode. In privileged EXEC mode, more commands are available. |
| erase startup-config | Erases the startup configuration that is stored in nonvolatile memory. |
| exec-timeout | Sets the interval before the user session is disconnected when idle. |
| hostname hostname | Sets the system name, which forms part of the prompt. |
| interface type module/slot/port | Specifies an interface and enters interface configuration mode. |
| ip address ip-address subnet-mask | Sets the IP address and mask of the interface. |
| [no] ip domain lookup | Enables or disables DNS resolution of symbolic names. |
| line console 0 | Enters line console configuration mode. |
| logging synchronous | Synchronizes the display of router output messages with the command-line prompt. |
| ping ip_address | Uses ICMP echo requests and ICMP echo replies to determine whether a remote host is reachable. |
| reload | Restarts the router and reloads the Cisco IOS operating system. |
| show cdp | Displays global Cisco Discovery Protocol information. |
| show cdp neighbors [detail] | Displays brief information about discovered neighboring Cisco devices. If the keyword detail is used, detailed information about discovered devices is displayed. |
| show interfaces | Displays information about all of the device interfaces. |
| show startup-config | Displays the startup configuration settings that are saved in nonvolatile memory. |
| show version | Displays the configuration of the router hardware and the various software versions. |
| [no] shutdown | Disables or enables an interface. |

Job Aids

These job aids are available to help you complete the lab activity.

The table shows the hardware that is used in the lab and the operating system that is running on the devices.

| Device | Hardware | Operating System |
| --- | --- | --- |
| Branch | Cisco 2901 Integrated Services Router | c2900-universalk9-mz.SPA.152-4.M1 |
| SW1 | Catalyst 2960 Series Switch | c2960-lanbasek9-mz.150-1.SE3 |
| PC1 | Any PC | Microsoft Windows 7 |

There are no console or enable passwords set for the router and switch in the initial lab setup. The table
shows the username and password that are used to access PC1.

| Device | Username | Password |
| --- | --- | --- |
| PC1 | Administrator | admin |

Topology and IP Addressing

Devices are connected with Ethernet connections. The figure illustrates the interface identification and IP
addresses that are used in this lab setup.

[Figure: Topology and IP Addressing. Branch interface Gi0/0 (10.1.1.1) is connected to SW1 interface Fa0/13; PC1 (10.1.1.100) is connected to SW1 interface Fa0/1; SW1 is 10.1.1.11.]

The table shows the interface identification and IP addresses that are used in this lab setup.

| Device | Interface | IP Address/Subnet Mask |
| --- | --- | --- |
| Branch | Gi0/0 | 10.1.1.1/24 |
| SW1 | VLAN1 | 10.1.1.11/24 |
| PC1 | Ethernet adapter local area connection | 10.1.1.100/24 |

Task 1: Inspect the Router Hardware and Software

In this task, you will first inspect the router hardware and software properties. You will verify that a startup
configuration exists and delete it. You will then reload the router and observe the output that is generated
during the reload.

Activity Procedure
Complete the following steps:
Step 1

Access the CLI of router Branch and enter privileged EXEC mode.
Step 2

Use the correct verification command to display hardware and software properties. Find and write down the
following information:
Router model

Serial number
RAM

Flash

Software version

Use the show version command in privileged EXEC mode on the Branch router to display information about
the currently loaded software, along with hardware and device information.
Router#show version
Cisco IOS Software, C2900 Software (C2900-UNIVERSALK9-M), Version 15.2(4)M1,
RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2012 by Cisco Systems, Inc.
Compiled Thu 26-Jul-12 20:54 by prod_rel_team
ROM: System Bootstrap, Version 15.0(1r)M15, RELEASE SOFTWARE (fc1)
Router uptime is 15 minutes
System returned to ROM by reload at 17:06:50 UTC Thu Nov 22 2012
System restarted at 17:09:24 UTC Thu Nov 22 2012
System image file is "flash0:c2900-universalk9-mz.SPA.152-4.M1.bin"
Last reload type: Normal Reload
Last reload reason: Reload Command
<output omitted>
Cisco CISCO2901/K9 (revision 1.0) with 483328K/40960K bytes of memory.
Processor board ID FCZ1642C5XJ
2 Gigabit Ethernet interfaces
1 Serial(sync/async) interface
1 terminal line
DRAM configuration is 64 bits wide with parity enabled.
255K bytes of non-volatile configuration memory.
250880K bytes of ATA System CompactFlash 0 (Read/Write)
<output omitted>

Step 3
Use the correct show command to verify that the router has a startup configuration. If it has, erase the
startup configuration by issuing the erase startup-config command.

Router#erase startup-config
Erasing the nvram filesystem will remove all configuration files! Continue?
[confirm]
[OK]
Erase of nvram: complete
Router#

After you have erased the startup configuration, verify that it no longer exists.
Router#show startup-config
startup-config is not present

Step 4

Reload the router and observe the console output during startup.

Router#reload
Proceed with reload? [confirm]
Sep 11 11:31:16.663: %SYS-5-RELOAD: Reload requested by console. Reload Reason:
Reload Command.
System Bootstrap, Version 15.0(1r)M1, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 2009 by cisco Systems, Inc.
Total memory size = 512 MB - On-board = 512 MB, DIMM0 = 0 MB
CISCO2901/K9 platform with 524288 Kbytes of main memory
Main memory is configured to 72/-1(On-board/DIMM0) bit mode with ECC enabled
Readonly ROMMON initialized
program load complete, entry point: 0x80803000, size: 0x1b340
program load complete, entry point: 0x80803000, size: 0x1b340
IOS Image Load Test
<output omitted>

Activity Verification
You have completed this task when you attain these results:

You collected hardware and software device information.


You erased the startup configuration.

You reloaded the router and observed the startup output.

Task 2: Create the Initial Router Configuration

In this task, you will skip the initial configuration dialog and proceed with manual configuration. You will
configure system parameters and router interfaces. You will then verify connectivity.

Activity Procedure
Complete the following steps:
Step 1
Skip the initial configuration dialog, terminate the autoinstall, and enter privileged EXEC mode.

Step 2
Set the router host name to Branch. The prompt will reflect the new hostname.
Step 3

Enable interface GigabitEthernet0/0 and set its description to Link to LAN Switch.
Step 4

Configure the IP address 10.1.1.1 on the interface. Use a subnet mask of 255.255.255.0.
Step 5

Return to privileged EXEC mode and verify the GigabitEthernet0/0 interface status, interface
description, and correct IP address assignment by using a suitable verification command.

Branch#show interfaces GigabitEthernet 0/0


GigabitEthernet0/0 is up, line protocol is up
Hardware is CN Gigabit Ethernet, address is 5475.d08e.9ad8 (bia 5475.d08e.9ad8)
Description: Link to LAN Switch
Internet address is 10.1.1.1/24
MTU 1500 bytes, BW 100000 Kbit/sec, DLY 100 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation ARPA, loopback not set
Keepalive set (10 sec)
Full Duplex, 100Mbps, media type is RJ45
<output omitted>

Step 6

Save the current configuration on the Branch router.

Activity Verification
You have completed this task when you attain these results:
Step 1

The console prompt shows the configured hostname:


Branch#

Step 2
You verified IP connectivity between router Branch and PC1 by using ICMP ping:

Branch#ping 10.1.1.100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.100, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/1/4 ms

The ping should be successful.


Note

The ping might fail due to slow STP convergence on the SW1 switch. If the ping fails, try to issue another
ping after a few seconds.

Note

The first ICMP packet could time out because ARP needs to obtain Layer 2 addressing before the
packet can be sent out of the interface.

Task 3: Improve the Usability of the CLI

In this task, you will improve the CLI experience by increasing the inactivity timer on the console line and
by disabling the resolution of symbolic names.
Activity Procedure
Complete the following steps:
Step 1

Change the EXEC timeout on the console line, which is set to 10 minutes by default, to a value of 60
minutes.

Step 2
Verify the EXEC timeout value on the Branch router:

Branch#show line console 0
   Tty Line Typ     Tx/Rx    A Modem  Roty AccO AccI  Uses  Noise Overruns  Int
*     0    0 CTY                                          0      0      0/0
Line 0, Location: "", Type: ""
Length: 24 lines, Width: 80 columns
Status: PSI Enabled, Ready, Active, Automore On
Capabilities: none
Modem state: Ready
RJ45 Console is in use
USB Console baud rate = 9600
Modem hardware state: CTS* noDSR DTR RTS
Special Chars: Escape  Hold  Stop  Start  Disconnect  Activation
                ^^x    none                none
Timeouts:      Idle EXEC    Idle Session   Modem Answer  Session   Dispatch
               01:00:00     never                        none      not set
                            Idle Session Disconnect Warning
                              never
                            Login-sequence User Response
                             00:00:30
                            Autoselect Initial Wait
                              not set
<output omitted>

Step 3

Improve the readability of the console access by synchronizing unsolicited messages and debug outputs
with the input from the CLI.
Step 4

Disable the resolution of symbolic names to prevent the system from attempting to translate a mistyped
command into an IP address.
Step 5

Save the configured changes to the startup configuration.

Activity Verification
You have completed this task when you attain these results:

You have set the inactivity timeout on the console line to 60 minutes.
You have enabled synchronous logging on the console line.
You have disabled resolution of symbolic names.

Task 4: Discover Connected Neighbors with Cisco Discovery Protocol
In this task, you will use Cisco Discovery Protocol to obtain information about directly connected Cisco
devices. You will gather information about neighbor capabilities and IP addresses and discover how devices
are interconnected.

Activity Procedure
Complete the following steps:
Step 1

On the Branch router, issue the show cdp command to verify that Cisco Discovery Protocol is enabled and
to display its global information.
Branch#show cdp
Global CDP information:
Sending CDP packets every 60 seconds
Sending a holdtime value of 180 seconds
Sending CDPv2 advertisements is enabled

Step 2
Enter the Cisco Discovery Protocol verification command to display all known neighboring Cisco devices.
Write down the information about the discovered neighbors in the table:
Device ID    Platform    Local Interface    Remote Interface (Port ID)
#
#

The information that you gather about the local and remote interfaces that are used reveals how neighboring
devices are physically interconnected.
On the Branch router, use the show cdp neighbors command to display all neighboring Cisco devices:
Branch#show cdp neighbors
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
                  S - Switch, H - Host, I - IGMP, r - Repeater, P - Phone,
                  D - Remote, C - CVTA, M - Two-port Mac Relay
Device ID        Local Intrfce     Holdtme    Capability  Platform  Port ID
SW1              Gig 0/0           158              S I   WS-C2960- Fas 0/13

Use the Cisco Discovery Protocol verification command with the keyword detail to display additional
information about other Cisco devices. Write down the IP address of a neighboring switch, with exact
information about its platform and software version.

Branch#show cdp neighbors detail


------------------------
Device ID: SW1
Entry address(es):
IP address: 10.1.1.11
Platform: cisco WS-C2960-24TT-L, Capabilities: Switch IGMP
Interface: GigabitEthernet0/0, Port ID (outgoing port): FastEthernet0/13
Holdtime : 146 sec
Version :
Cisco IOS Software, C2960 Software (C2960-LANBASEK9-M), Version 15.0(1)SE3, RELEASE
SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2012 by Cisco Systems, Inc.
Compiled Wed 30-May-12 14:26 by prod_rel_team
advertisement version: 2
Protocol Hello: OUI=0x00000C, Protocol ID=0x0112; payload len=27,
value=00000000FFFFFFFF010221FF000000000000001E147CBD00FF0000
VTP Management Domain: 'rlab'
Native VLAN: 1
Duplex: full
Branch#

Activity Verification
You have completed this task when you attain these results:
You observed Cisco Discovery Protocol output for directly attached Cisco neighbors.

You gathered detailed information about a neighbor switch.
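
Added example (not part of the original lab guide): a Python script that parses the show cdp neighbors detail output from Task 4 and checks each discovered link against the documented topology, so an undocumented or miscabled neighbor stands out. The function names and the DOCUMENTED_LINKS map are assumptions made for this example.

```python
import re

# Abridged from the "show cdp neighbors detail" listing in this lab.
SAMPLE_OUTPUT = """\
-------------------------
Device ID: SW1
Entry address(es):
  IP address: 10.1.1.11
Platform: cisco WS-C2960-24TT-L,  Capabilities: Switch IGMP
Interface: GigabitEthernet0/0,  Port ID (outgoing port): FastEthernet0/13
Holdtime : 146 sec

Version :
Cisco IOS Software, C2960 Software (C2960-LANBASEK9-M), Version 15.0(1)SE3, RELEASE SOFTWARE (fc1)
Compiled Wed 30-May-12 14:26 by prod_rel_team

advertisement version: 2
VTP Management Domain: 'rlab'
Native VLAN: 1
Duplex: full
"""

# One pattern per item that the neighbor advertises about itself.
FIELD_PATTERNS = {
    "device_id": r"^Device ID:\s*(\S+)",
    "ip_address": r"^\s*IP address:\s*(\S+)",
    "platform": r"^Platform:\s*(.+?),\s*Capabilities:",
    "capabilities": r"Capabilities:\s*(.+?)\s*$",
    "local_interface": r"^Interface:\s*(\S+?),",
    "remote_port": r"Port ID \(outgoing port\):\s*(\S+)",
    "holdtime_sec": r"^Holdtime\s*:\s*(\d+)",
    "ios_version": r"^Cisco IOS Software.*?Version\s+([^,\s]+)",
    "vtp_domain": r"^VTP Management Domain:\s*'([^']*)'",
    "native_vlan": r"^Native VLAN:\s*(\d+)",
    "duplex": r"^Duplex:\s*(\S+)",
}

# Documented link from the lab topology: local interface -> (neighbor, neighbor port).
DOCUMENTED_LINKS = {"GigabitEthernet0/0": ("SW1", "FastEthernet0/13")}


def parse_cdp_detail(text):
    """Split the output on the dashed separators and extract one dict per neighbor."""
    entries = []
    for block in re.split(r"-{5,}\s*", text):
        if "Device ID:" not in block:
            continue
        entry = {}
        for name, pattern in FIELD_PATTERNS.items():
            match = re.search(pattern, block, flags=re.M)
            if match:
                entry[name] = match.group(1).strip()
        entries.append(entry)
    return entries


def check_topology(entries, documented):
    """Return findings where discovered neighbors differ from the documented links."""
    findings = []
    seen = set()
    for entry in entries:
        local = entry.get("local_interface")
        seen.add(local)
        found = (entry.get("device_id"), entry.get("remote_port"))
        wanted = documented.get(local)
        if wanted is None:
            findings.append(f"{local}: undocumented neighbor {found[0]} on {found[1]}")
        elif wanted != found:
            findings.append(
                f"{local}: documented {wanted[0]} {wanted[1]}, "
                f"discovered {found[0]} {found[1]}"
            )
    for local in sorted(set(documented) - seen):
        findings.append(f"{local}: documented neighbor {documented[local][0]} not seen")
    return findings


if __name__ == "__main__":
    neighbors = parse_cdp_detail(SAMPLE_OUTPUT)
    for neighbor in neighbors:
        print(neighbor)
    print(check_topology(neighbors, DOCUMENTED_LINKS) or "all links match the documentation")
```
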

Lab 2-2: Connecting to the Internet
Activity Overview
Objectives

In this activity, you will establish Internet connectivity by enabling static routing, DHCP, and NAT. After
completing this activity, you will be able to meet these objectives:
Configure a static default route
Enable DHCP on a public interface
Configure NAT using a pool
Configure NAT with PAT

Visual Objective
The figure illustrates what you will accomplish in this activity.

[Figure: Visual Objective for Lab 2-2: Connecting to the Internet. Devices shown: Branch, HQ, Server, SW1, SW2, PC1, PC2.]

[Figure: Detailed Visual Objective. Devices shown: Branch, HQ, Server, SW1, PC1, PC2, with Inside and Outside marked toward the Internet. Callouts: "Configure NAT with PAT." and "Configure static and DHCP-obtained IP addresses."]

Required Resources

No additional resources are required for this lab.

Command List
The table describes the commands that are used in this activity. The commands are listed in alphabetical
order so that you can easily locate the information that you need. Refer to this list if you need configuration
command assistance during the lab activity.
Command                                                             Description
access-list acl_id permit network wildcard_mask                     Configures a standard ACL that permits a network
configure terminal                                                  Enters global configuration mode
debug ip icmp                                                       Enables debugging of ICMP packets
interface interface                                                 Enters interface configuration mode
ip address dhcp                                                     Configures an interface to obtain an IP address using DHCP
ip address ip_address network_mask                                  Configures an IP address manually on an interface
ip nat inside                                                       Configures an interface as a NAT inside interface
ip nat inside source list acl_id pool pool_name                     Configures a dynamic source NAT rule that translates addresses into IP addresses defined in the pool
ip nat inside source list acl_id interface interface_name overload  Configures a dynamic source NAT or PAT rule that translates addresses into the IP address of an interface
ip nat outside                                                      Configures an interface as a NAT outside interface
ip nat pool pool_name start_IP end_IP netmask mask                  Configures a NAT pool
ip route network network_mask next_hop_address                      Configures a static route
ping ip_address                                                     Pings an IP address
show ip interface brief                                             Displays the status and IP addresses of interfaces
show ip nat translations                                            Displays active NAT translations
show ip route                                                       Displays the routing table
show users                                                          Displays information about the active lines on a router
shutdown                                                            Disables an interface
telnet ip_address                                                   Establishes a Telnet session to an IP address
terminal monitor                                                    Redirects debugging output to a Telnet session
undebug all                                                         Disables all debugging

Job Aids

These job aids are available to help you complete the lab activity.

The table shows the hardware that is used in the lab and the operating system that is running on the devices.

Device   Hardware                                Operating System
Branch   Cisco 2901 Integrated Services Router   c2900-universalk9-mz.SPA.152-4.M1
HQ       Cisco 2901 Integrated Services Router   c2900-universalk9-mz.SPA.152-4.M1
SW1      Catalyst 2960 Series Switch             c2960-lanbasek9-mz.150-1.SE3
PC1      Any PC                                  Microsoft Windows 7
PC2      Any PC                                  Microsoft Windows 7

There are no console or enable passwords set for the routers and switches in the initial lab setup. The table
shows the username and password that are used to access PC1 and PC2.
Device   Username        Password
PC1      Administrator   admin
PC2      Administrator   admin

Topology and IP Addressing

Devices are connected with Ethernet links. The figure illustrates the interface identification and IP
addresses that are used in this lab setup.

[Figure: Topology and IP Addressing. Labels: Branch, Gi0/1 209.165.201.1, Gi0/0, VLAN 1: 10.1.1.1; HQ, Gi0/1 209.165.201.2; Internet; Server 172.16.1.100; SW1 10.1.1.11, Fa0/13, Fa0/1, Fa0/3; PC1 10.1.1.100; PC2 10.1.1.101.]

The table shows the interface identification and IP addresses that are used in this lab setup.
Device   Interface                                IP Address/Subnet Mask
Branch   Gi0/1                                    209.165.201.1/27
Branch   Gi0/0                                    10.1.1.1/24
HQ       Gi0/1                                    209.165.201.2/27
HQ       Loopback0                                172.16.1.100/24
SW1      VLAN1                                    10.1.1.11/24
PC1      Ethernet adapter local area connection   10.1.1.100/24
PC2      Ethernet adapter local area connection   10.1.1.101/24

Task 1: Configure a Manual IP Address and Static Default Route
In this task, you will configure an IP address on the Internet-facing interface of the Branch router. You will
also configure a static default route on the Branch router to reach Internet networks. Then you will verify
connectivity between the Branch router, HQ router, and server.
Activity Procedure
Complete the following steps:
Step 1

Access the Branch router.


Step 2

Verify interface status and IP address on the Branch router.


Branch#show ip interface brief
Interface                  IP-Address      OK? Method Status                Protocol
Embedded-Service-Engine0/0 unassigned      YES NVRAM  administratively down down
GigabitEthernet0/0         10.1.1.1        YES manual up                    up
GigabitEthernet0/1         unassigned      YES NVRAM  administratively down down
GigabitEthernet0/2         unassigned      YES NVRAM  administratively down down

You should see that only GigabitEthernet0/0 is up and configured with an IP address.
Step 3

Enable the GigabitEthernet0/1 interface. Manually assign the 209.165.201.1 IP address to the interface. Use
a mask of 255.255.255.224.

Step 4
Verify interface status and IP address on the Branch router again.

Branch#show ip interface brief
Interface                  IP-Address      OK? Method Status                Protocol
Embedded-Service-Engine0/0 unassigned      YES NVRAM  administratively down down
GigabitEthernet0/0         10.1.1.1        YES manual up                    up
GigabitEthernet0/1         209.165.201.1   YES manual up                    up
GigabitEthernet0/2         unassigned      YES NVRAM  administratively down down
Serial0/0/0                unassigned      YES manual administratively down down
The GigabitEthernet0/1 interface should be up and it should have an IP address configured.


Step 5

From the Branch router, ping the HQ router at 209.165.201.2.

Branch#ping 209.165.201.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 209.165.201.2, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/1/4 m

The ping should be successful, because the destination IP address is in a directly connected network.
Step 6

From the Branch router, ping the server at 172.16.1.100, which is behind the HQ router.
Branch#ping 172.16.1.100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.1.100, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

The ping should not be successful. What is the reason for an unsuccessful ping?

Step 7
Verify the routing table on the Branch router.

Branch#show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
+ - replicated route, % - next hop override
Gateway of last resort is not set
      10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        10.1.1.0/24 is directly connected, GigabitEthernet0/0
L        10.1.1.1/32 is directly connected, GigabitEthernet0/0
      209.165.201.0/24 is variably subnetted, 2 subnets, 2 masks
C        209.165.201.0/27 is directly connected, GigabitEthernet0/1
L        209.165.201.1/32 is directly connected, GigabitEthernet0/1

Is there a route present for the IP address of the server?


Step 8

On the Branch router, configure a static default route that points to the next-hop IP address 209.165.201.2.
Step 9

Save the running configuration to the startup configuration.


Step 10

From the Branch router, ping the server at 172.16.1.100 again.

Branch#ping 172.16.1.100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.1.100, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms

The ping should be successful because you configured a static default route.

Step 11
Verify the routing table on the Branch router.

Branch#show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
+ - replicated route, % - next hop override
Gateway of last resort is 209.165.201.2 to network 0.0.0.0
S*    0.0.0.0/0 [1/0] via 209.165.201.2
      10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        10.1.1.0/24 is directly connected, GigabitEthernet0/0
L        10.1.1.1/32 is directly connected, GigabitEthernet0/0
      209.165.201.0/24 is variably subnetted, 2 subnets, 2 masks
C        209.165.201.0/27 is directly connected, GigabitEthernet0/1
L        209.165.201.1/32 is directly connected, GigabitEthernet0/1

The default route is designated with S and an asterisk (*).


Step 12

Remove the previously configured static default route from the Branch router to prepare the router for the
next task.
Step 13

Verify the routing table on the Branch router again to make sure that no default route is present on the
router.
Branch#show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
+ - replicated route, % - next hop override
Gateway of last resort is not set
      10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        10.1.1.0/24 is directly connected, GigabitEthernet0/0
L        10.1.1.1/32 is directly connected, GigabitEthernet0/0
      209.165.201.0/24 is variably subnetted, 2 subnets, 2 masks
C        209.165.201.0/27 is directly connected, GigabitEthernet0/1
L        209.165.201.1/32 is directly connected, GigabitEthernet0/1

Activity Verification
No additional verification is needed in this task.

Task 2: Configure a DHCP-Obtained IP Address

In this task, you will configure the Branch router to obtain an IP address using DHCP from the HQ router.
The HQ router has been preconfigured as a DHCP server. You will also verify connectivity between the
Branch router, HQ router, and server.
Activity Procedure
Complete the following steps:
Step 1

Access the Branch router.


Step 2

Configure the GigabitEthernet0/1 interface to obtain an IP address using DHCP.


Step 3

Save the running configuration to the startup configuration.


Step 4

Verify interface status and IP address on the Branch router.


Branch#show ip interface brief
Interface                  IP-Address      OK? Method Status                Protocol
Embedded-Service-Engine0/0 unassigned      YES NVRAM  administratively down down
GigabitEthernet0/0         10.1.1.1        YES manual up                    up
GigabitEthernet0/1         209.165.201.1   YES DHCP   up                    up

The GigabitEthernet0/1 interface should be up and it should have an IP address that was configured through
DHCP. Write down the IP address in the space that is provided.

Step 5
Verify the routing table on the Branch router.

Branch#show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
+ - replicated route, % - next hop override
Gateway of last resort is 209.165.201.2 to network 0.0.0.0
S*    0.0.0.0/0 [254/0] via 209.165.201.2
      10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        10.1.1.0/24 is directly connected, GigabitEthernet0/0
L        10.1.1.1/32 is directly connected, GigabitEthernet0/0
      209.165.201.0/24 is variably subnetted, 2 subnets, 2 masks
C        209.165.201.0/27 is directly connected, GigabitEthernet0/1
L        209.165.201.3/32 is directly connected, GigabitEthernet0/1

You should see a default route present in the table. Where did the default route come from?
Step 6

From the Branch router, ping the HQ router at 209.165.201.2.

Branch#ping 209.165.201.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 209.165.201.2, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/1/4 m

The ping should be successful.


Step 7

From the Branch router, ping the server at 172.16.1.100.

Branch#ping 172.16.1.100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.1.100, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms

The ping should be successful because the Branch router received knowledge of the default gateway from
the DHCP server. The Branch router set the default route automatically and it set the route next-hop IP
address to the IP address of the default gateway.

Step 8
Access PC1.
Step 9

From PC1, ping the Branch router at its public IP address, which was obtained through DHCP.
C:\>ping 209.165.201.1
Pinging 209.165.201.1 with 32 bytes of data:
Reply from 209.165.201.1: bytes=32 time=1ms TTL=255
Reply from 209.165.201.1: bytes=32 time<1ms TTL=255
Reply from 209.165.201.1: bytes=32 time<1ms TTL=255
Reply from 209.165.201.1: bytes=32 time<1ms TTL=255
Ping statistics for 209.165.201.1:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 1ms, Average = 0ms

The ping should be successful.


Step 10

From PC1, ping the server at 172.16.1.100.

C:\>ping 172.16.1.100
Pinging 172.16.1.100 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Ping statistics for 172.16.1.100:
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

The ping should not be successful. In the next step, you will examine why the ping is not successful.
Step 11

Return to the Branch router and establish a remote Telnet session to the HQ router at 209.165.201.2. Enable
debugging of ICMP packets using the debug ip icmp command. Direct the output of the debug messages to
the Telnet session using the terminal monitor command. Leave the console window open.
Branch#telnet 209.165.201.2
Trying 209.165.201.2 ... Open
HQ#debug ip icmp
ICMP packet debugging is on
HQ#terminal monitor

Note

Establishing remote Telnet sessions and redirecting output of the debug messages to a remote session
has not been discussed so far. In this task, it is needed only to verify that packets from PC1 actually
reach the HQ router.

Step 12

Return to PC1 and ping the server at 172.16.1.100 again. Return to the HQ Telnet session and observe the
debugging messages.
HQ#
Sep 7 13:18:27.881: ICMP: echo reply sent, src 172.16.1.100, dst 10.1.1.100,
topology BASE, dscp 0 topoid 0
HQ#
Sep 7 13:18:32.853: ICMP: echo reply sent, src 172.16.1.100, dst 10.1.1.100,
topology BASE, dscp 0 topoid 0
HQ#
Sep 7 13:18:37.857: ICMP: echo reply sent, src 172.16.1.100, dst 10.1.1.100,
topology BASE, dscp 0 topoid 0
HQ#
Sep 7 13:18:42.861: ICMP: echo reply sent, src 172.16.1.100, dst 10.1.1.100,
topology BASE, dscp 0 topoid 0

You should see one debugging message for each ping packet coming from PC1. You can see that the pings
actually reach the HQ router and replies are sent back to PC1. However, the HQ router is not aware of the
network that PC1 is coming from and therefore discards the returning packets. You can verify this
conclusion by verifying the routing table on the HQ router.
What solution could be implemented on the Branch router to overcome this problem?
Step 13

Return to the HQ Telnet session. Disable debugging and exit the Telnet session.
HQ#undebug all
All possible debugging has been turned off
HQ#exit
[Connection to 209.165.201.2 closed by foreign host]
Branch#

Activity Verification
No additional verification is needed in this task.
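
Added example (not part of the original lab guide): a Python model of the longest-prefix-match lookup behind the routing-table checks in Task 1 and the failed PC1 ping in Task 2, Step 12. The Branch tables use the values shown in Task 1; the HQ table is an assumption built from the addressing table, because this lab does not show it, and the function names are hypothetical.

```python
import ipaddress
import re

# Branch routing table from Task 1, Step 11, in the normal IOS layout.
BRANCH_WITH_DEFAULT = """\
S*    0.0.0.0/0 [1/0] via 209.165.201.2
      10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        10.1.1.0/24 is directly connected, GigabitEthernet0/0
L        10.1.1.1/32 is directly connected, GigabitEthernet0/0
      209.165.201.0/24 is variably subnetted, 2 subnets, 2 masks
C        209.165.201.0/27 is directly connected, GigabitEthernet0/1
L        209.165.201.1/32 is directly connected, GigabitEthernet0/1
"""
# The same table without the first line: the state in Task 1, Steps 7 and 13.
BRANCH_NO_DEFAULT = "\n".join(BRANCH_WITH_DEFAULT.splitlines()[1:])

# ASSUMED HQ table: only the connected networks from the addressing table.
HQ_ASSUMED = """\
C        172.16.1.0/24 is directly connected, Loopback0
L        172.16.1.100/32 is directly connected, Loopback0
C        209.165.201.0/27 is directly connected, GigabitEthernet0/1
L        209.165.201.2/32 is directly connected, GigabitEthernet0/1
"""

ROUTE_LINE = re.compile(
    r"^(?P<code>\S+)\s+(?P<prefix>\d+\.\d+\.\d+\.\d+/\d+)\s+"
    r"(?:is directly connected,\s*(?P<interface>\S+)"
    r"|\[\d+/\d+\]\s+via\s+(?P<next_hop>\S+))"
)


def parse_routes(text):
    """Return (network, code, egress) per route line; summary lines are skipped."""
    routes = []
    for line in text.splitlines():
        match = ROUTE_LINE.match(line.strip())
        if match:
            egress = match["interface"] or match["next_hop"]
            routes.append((ipaddress.ip_network(match["prefix"]), match["code"], egress))
    return routes


def lookup(routes, destination):
    """Longest-prefix match; None means the router has no route and drops the packet."""
    address = ipaddress.ip_address(destination)
    candidates = [route for route in routes if address in route[0]]
    return max(candidates, key=lambda route: route[0].prefixlen, default=None)


def trace_ping(near_routes, far_routes, source, destination):
    """Check the echo request at the near router and the echo reply at the far router."""
    if lookup(near_routes, destination) is None:
        return "request dropped: near router has no route to destination"
    if lookup(far_routes, source) is None:
        return "reply dropped: far router has no route back to source"
    return "success"


if __name__ == "__main__":
    no_default = parse_routes(BRANCH_NO_DEFAULT)
    with_default = parse_routes(BRANCH_WITH_DEFAULT)
    hq = parse_routes(HQ_ASSUMED)
    cases = [
        ("Branch to server, no default route", no_default, "209.165.201.1"),
        ("Branch to server, default route set", with_default, "209.165.201.1"),
        ("PC1 to server, untranslated source", with_default, "10.1.1.100"),
        ("PC1 to server, source from 209.165.201.0/27", with_default, "209.165.201.5"),
    ]
    for label, table, source in cases:
        print(f"{label}: {trace_ping(table, hq, source, '172.16.1.100')}")
```
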

Task 3: Configure NAT

In this task, you will configure dynamic NAT on the Branch router to translate the IP addresses of inside
hosts to public IP addresses. Then, you will verify the NAT configuration and connectivity from PC1 and
PC2 to the server.

Activity Procedure
Complete the following steps:
Step 1
Access the Branch router.

Step 2
Configure a standard ACL that allows the 10.1.1.0/24 network. Use 1 as the ACL identifier. This ACL will
be used to define networks that are eligible for NAT translations.
Step 3

Create a NAT pool with the following parameters:


Pool name             NAT_POOL
Starting IP address   209.165.201.5
Ending IP address     209.165.201.10
Network mask          255.255.255.224

How many hosts that require NAT can you accommodate at the same time using this NAT pool?
Step 4

Configure the GigabitEthernet0/0 interface as the NAT inside interface.


Note

When you enable the interface as NAT inside, the router will block for approximately 1 minute. After that,
you will see a log message about the router creating the NVI0 interface. This interface is used internally by
the router to perform NAT.

Step 5

Configure the GigabitEthernet0/1 interface as the NAT outside interface.


Step 6

Configure a dynamic source NAT rule that will translate inside hosts into the IP addresses that were defined
in the previously configured NAT pool. Use the previously configured ACL to specify hosts that are
eligible for translations, and use the previously configured NAT pool.
Step 7

Save the running configuration to the startup configuration.

Activity Verification
You have completed this task when you attain these results:
Step 1

Access PC1. Open PuTTY by double-clicking the PuTTY icon and establish a remote Telnet session to the
server at 172.16.1.100 by clicking the Telnet radio button and entering the IP address into the Host Name
input field.

You should be successful.


Note

Recall that the server is actually implemented as a loopback interface on the HQ router. Therefore, you will
actually establish a Telnet session to the HQ router for testing purposes.

Step 2
Verify the user connection to the server using the show users command. This command will display
management sessions to the router via console or via remote access.

HQ#show users
    Line       User       Host(s)              Idle       Location
   0 con 0                idle                 00:42:00
*514 vty 0                idle                 00:00:00 209.165.201.5

You should see that the Telnet session from PC1 is seen as originating from a translated IP address. The
translated IP address is the first free IP address from the NAT pool.
Note

The session marked with an asterisk (*) is the one that is currently active and used.

Step 3
Access PC2. Open PuTTY by double-clicking the PuTTY icon and establish a Telnet session to the server
at 172.16.1.100.

If PC2 is not configured with an IP address, assign it an IP address of 10.1.1.101/24.

You should be successful.

Step 4
Verify the user connection to the server using the show users command.

HQ#show users
    Line       User       Host(s)              Idle       Location
 514 vty 0                idle                 00:00:29 209.165.201.5
*515 vty 1                idle                 00:00:00 209.165.201.6

You should see that the Telnet session from PC2 is seen as originating from a translated IP address. The
translated IP address is the next free IP address from the NAT pool.
Step 5

Return to the Branch router. Verify that there are active NAT translations.
Branch#show ip nat translations
Pro Inside global        Inside local       Outside local      Outside global
tcp 209.165.201.5:1035   10.1.1.100:1035    172.16.1.100:23    172.16.1.100:23
--- 209.165.201.5        10.1.1.100         ---                ---
tcp 209.165.201.6:1030   10.1.1.101:1030    172.16.1.100:23    172.16.1.100:23
--- 209.165.201.6        10.1.1.101         ---                ---

Notice that inside local IP addresses are translated into inside global IP addresses.
Step 6

Close the Telnet session on PC1 and PC2.

Task 4: Configure NAT with PAT

In this task, you will configure dynamic NAT with PAT on the Branch router to translate the IP addresses
of inside hosts to the public IP address of the Branch router. Then you will verify the NAT configuration
and connectivity from PC1 and PC2 to the server.
Activity Procedure
Complete the following steps:
Step 1

Return to the Branch router.


Step 2

Remove the previously configured dynamic NAT rule.


Step 3
Configure a dynamic source NAT/PAT (NAT with overload) rule that will translate inside hosts into the IP
address of the router outside interface. Use the previously configured ACL to specify the hosts that are
eligible for translations.

How many hosts that require NAT can you accommodate at the same time by overloading the IP address of
the interface?

Step 4
Save the running configuration to the startup configuration.

Activity Verification
You have completed this task when you attain these results:


Step 1


Access PC1. Open PuTTY by double-clicking the PuTTY icon and establish a Telnet session to the server
at 172.16.1.100.

You should be successful.


Step 2

Verify the user connection to the server using the show users command.
HQ#show users
    Line       User       Host(s)              Idle       Location
*514 vty 0                idle                 00:00:00 209.165.201.1

You should see that the Telnet session from PC1 is seen as originating from the IP address of the Branch
router outside interface.


Step 3


Access PC2. Open PuTTY by double-clicking the PuTTY icon and establish a Telnet session to the server
at 172.16.1.100.

You should be successful.


Step 4
Verify the user connection to the server using the show users command.

HQ#show users
    Line       User       Host(s)              Idle       Location
 514 vty 0                idle                 00:01:05 209.165.201.1
*515 vty 1                idle                 00:00:00 209.165.201.1

You should see that the Telnet session from PC2 is again seen as originating from the IP address of the
Branch router outside interface.
Step 5

Return to the Branch router. Verify that there are active NAT translations.
Branch#show ip nat translations
Pro Inside global         Inside local       Outside local      Outside global
tcp 209.165.201.1:1042    10.1.1.100:1042    172.16.1.100:23    172.16.1.100:23
tcp 209.165.201.1:1036    10.1.1.101:1036    172.16.1.100:23    172.16.1.100:23

Notice that two inside local IP addresses are translated into the same inside global IP address, which is
configured on the Branch router outside interface. To provide two distinct translations, different source
ports are used.
Step 6

Close the Telnet session on PC1 and PC2.
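
With PAT, the address that HQ records in show users (209.165.201.1) is shared by PC1 and PC2, so tying a session back to an inside host needs the translated source port and the Branch translation table. The Python code below is an added example, not part of the lab guide; it parses the show ip nat translations outputs from Task 3 and Task 4, and the function names are assumptions made for illustration.

```python
# Outputs of "show ip nat translations" as shown in Task 3 (dynamic NAT)
# and Task 4 (PAT) of this lab, with the columns realigned.
DYNAMIC_NAT = """\
Pro Inside global         Inside local       Outside local      Outside global
tcp 209.165.201.5:1035    10.1.1.100:1035    172.16.1.100:23    172.16.1.100:23
--- 209.165.201.5         10.1.1.100         ---                ---
tcp 209.165.201.6:1030    10.1.1.101:1030    172.16.1.100:23    172.16.1.100:23
--- 209.165.201.6         10.1.1.101         ---                ---
"""

PAT = """\
Pro Inside global         Inside local       Outside local      Outside global
tcp 209.165.201.1:1042    10.1.1.100:1042    172.16.1.100:23    172.16.1.100:23
tcp 209.165.201.1:1036    10.1.1.101:1036    172.16.1.100:23    172.16.1.100:23
"""


def split_endpoint(field):
    """'10.1.1.100:1035' -> ('10.1.1.100', 1035); '10.1.1.100' -> (ip, None)."""
    if field == "---":
        return None
    ip, _, port = field.partition(":")
    return ip, int(port) if port else None


def parse_translations(output):
    """Parse the table into dicts; the header line is skipped by field count."""
    keys = ("inside_global", "inside_local", "outside_local", "outside_global")
    rows = []
    for line in output.splitlines():
        fields = line.split()
        if len(fields) != 5:  # the header splits into 9 words, data rows into 5
            continue
        proto, *endpoints = fields
        row = dict(zip(keys, map(split_endpoint, endpoints)))
        row["proto"] = None if proto == "---" else proto
        rows.append(row)
    return rows


def inside_hosts(rows, seen_ip, seen_port=None):
    """Inside local addresses that could be behind a source seen by the server.

    seen_ip and seen_port are the source address and port as observed on the
    outside (the inside global values). Without a port, every inside host
    that shares the address is a candidate.
    """
    hosts = set()
    for row in rows:
        ip, port = row["inside_global"]
        if ip != seen_ip:
            continue
        if seen_port is not None and port != seen_port:
            continue
        hosts.add(row["inside_local"][0])
    return hosts


if __name__ == "__main__":
    pat_rows = parse_translations(PAT)
    print("address only:", sorted(inside_hosts(pat_rows, "209.165.201.1")))
    print("address+port:", sorted(inside_hosts(pat_rows, "209.165.201.1", 1036)))
```

The address alone identifies one host under dynamic NAT but two under PAT, so server-side logs that record only the source address cannot distinguish PC1 from PC2.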


Lab 3-1: Enhancing the Security of the Initial Configuration

Activity Overview
Objectives

Securing administrative access to devices is crucial because you do not want unauthorized users to have
access to your network devices. In this lab, you will increase the security of the initial switch and router
configuration. After you have completed this activity, you will be able to meet these objectives:
Configure passwords on a router and switch
Configure and limit remote access to SSH
Configure an ACL to limit remote access
Configure the login banner

Visual Objective
The figure illustrates what you will accomplish in this activity.

[Figure: Visual Objective for Lab 3-1: Enhancing the Security of the Initial Configuration. Branch: add password protection, enable SSH, configure a login banner. SW1: add password protection, enable SSH, limit access with an ACL, configure a login banner.]

Required Resources

There are no additional resources that are required for this lab.


Command List
The table describes the commands that are used in this activity. The commands are listed in alphabetical
order so that you can easily locate the information that you need. Refer to this list if you need configuration
command assistance during the lab activity.

Command                                             Description
access-class number direction                       Applies the ACL to the vty line. The direction argument can have the value of either in or out.
access-list number permit ip_address wildcard_mask  Creates a standard ACL that permits all traffic from or to a specified network.
banner login                                        Allows the configuration of a message that is displayed just before login.
copy running-config startup-config                  Copies the switch running configuration file to the startup configuration file that is held in local NVRAM.
crypto key generate rsa                             Generates the RSA key pairs to be used.
enable secret password                              Sets a password for entering privileged EXEC mode. The password is protected using strong MD5-type encryption.
end                                                 Terminates configuration mode.
ip domain-name name                                 Supplies an IP domain name that is required by the cryptographic key-generation process.
ip ssh version [1 | 2]                              Specifies the version of SSH to be run. To disable the version of SSH that was configured and to return to compatibility mode, use the no form of this command.
line console 0                                      Enters line console 0 configuration mode.
line vty start_number end_number                    Enters vty configuration mode. Vty lines allow access to the switch for remote network management. The number of vty lines available is dependent on the Cisco IOS Software version. Typical values are 0-4 and 0-15 (inclusive).
login                                               Activates the login process on the console or vty lines.
login local                                         Makes the login process on the console or vty lines rely on (or use) the local authentication database.
logout                                              Exits EXEC mode and requires reauthentication (if enabled).
password                                            Assigns a password to the console or vty lines.
show access-list                                    Displays all ACLs that are defined on the device.
show running-config                                 Displays the active configuration.
show users                                          Displays information about the active lines.
ssh -l username ip_address                          Starts an encrypted session with a remote networking device using the current user ID. The IP address identifies the destination device.
transport input [telnet | ssh | all]                Specifies which protocols to use to connect to a specific line of the device.
username username secret password                   Creates a username and password pair that can then be used as a local authentication database.

Job Aids


These job aids are available to help you complete the lab activity.

The table shows the hardware that is used in the lab and the operating system that is running on the devices.
Device        Hardware                               Operating System
Branch        Cisco 2901 Integrated Services Router  c2900-universalk9-mz.SPA.152-4.M1
Headquarters  Cisco 2901 Integrated Services Router  c2900-universalk9-mz.SPA.152-4.M1
SW1           Catalyst 2960 Series Switch            c2960-lanbasek9-mz.150-1.SE3
PC1           Any PC                                 Microsoft Windows 7
PC2           Any PC                                 Microsoft Windows 7

There are no console or enable passwords that are set for the routers and switches in the initial lab setup.
The table shows the username and password that are used to access PC1 and PC2.
Device  Username       Password
PC1     Administrator  admin
PC2     Administrator  admin

Topology and IP Addressing

Devices are connected with Ethernet links. The figure illustrates the interface identification and IP
addresses that are used in this lab setup.

[Figure: Topology and IP Addressing, showing Branch (Gi0/0), SW1 (Fa0/13, Fa0/1) and PC1; the addresses are listed in the table below.]


The table shows the interface identification and IP addresses that are used in this lab setup.
Device        Interface                               IP Address/Subnet Mask
Branch        Gi0/1                                   209.165.201.1/27
Branch        Gi0/0                                   10.1.1.1/24
Headquarters  Gi0/1                                   209.165.201.2/27
Headquarters  Loopback0                               172.16.1.100/24
SW1           VLAN1                                   10.1.1.11/24
PC1           Ethernet adapter local area connection  10.1.1.100/24
PC2           Ethernet adapter local area connection  10.1.1.101/24

Task 1: Add Password Protection

Following the initial configuration of the switch, where passwords have been configured for the vty lines,
two potential security holes exist. First, a security breach is possible when the vty lines have the login
process deactivated and the password is too simple. Second, security can be breached because the console
port initially is not protected by a password at all. In this task, you will secure console access and access to
privileged EXEC mode on a router and a switch.
Activity Procedure
Complete the following steps:
Step 1

Access the Branch router.


Step 2
Secure the console line with the password cisco.
Step 3


Exit to the console login screen by issuing the end and exit commands.
You will be asked for the password that you configured in the previous step.
Branch(config-line)# end
Branch# exit
Branch con0 is now available
Press RETURN to get started.
User Access Verification
Password:
Branch>

Step 4

Examine the running configuration and identify the password that was configured for the console line. Note
that the password is in cleartext.
Branch# show running-config | section line con
line con 0
 exec-timeout 60 0
 password cisco
 logging synchronous
 login

Step 5

Create the username ccna and assign the secret password cisco to it. Look at the Command List section to
identify the correct command.
Then change the mode of authentication on the console line so that this user is authenticated using this
username and password.


Step 6
Exit to the console login screen by issuing the end and exit commands.
You will be asked for a username and password. Enter the credentials that you created in the previous step.


Branch(config-line)# end
Branch# exit
Branch con0 is now available
Press RETURN to get started.
User Access Verification
Username: ccna
Password:
Branch>

Step 7

Examine the running configuration and identify the username and password that you created.

Note that the password is encrypted, not in cleartext. You could use the service password-encryption
command to encode the cleartext password, but this encryption type is weak.
Branch# show running-config | section username
username ccna secret 4 tnhtc92DXBhelxjYk8LWJrPV36S2i4ntXrpb4RFmfqY

Step 8

Secure vty lines 0 through 15. Users should be able to log in using the username ccna and password cisco
that you previously defined.

For security reasons, the passwords for console and vty access should be different. Also, in production
environments, you should use strong passwords (at least eight characters and a combination of letters,
numbers, and special characters). In the lab environment, we are using the same passwords for console and
vty access.


Step 9


On PC1, open PuTTY and establish a Telnet session to the Branch router to verify that you configured vty
security correctly.

Enter the appropriate credentials to log into the Branch router.


Step 10

On the Branch router, secure access to privileged EXEC mode with the password cisco. The password must
be encrypted with strong encryption.
Step 11

Save the changes that you made on the Branch router.


Step 12

Exit privileged EXEC mode and then re-enter it. When prompted, enter the password that you configured in
the previous step.
Branch# disable
Branch> enable
Password:
Branch#

Step 13

Examine the running configuration of the Branch router and identify the line where the password that
allows access to privileged EXEC mode is configured. Notice that the password is encrypted.
Branch# show running-config | section enable
enable secret 4 tnhtc92DXBhelxjYk8LWJrPV36S2i4ntXrpb4RFmfqY


Step 14
Access switch SW1. Configure it with the enable secret password cisco. Users should be able to log into the
console and vty lines by using the username ccna and the password cisco. Use strong encryption.
Step 15


Save the changes that you made on the SW1 switch.


Step 16

On the SW1 switch, go to the user EXEC mode by entering the end and exit commands. Log into the SW1
switch console by using the previously configured username and password in order to verify console
protection.
SW1(config-line)# end
SW1# exit
SW1 con0 is now available
Press RETURN to get started.
User Access Verification
Username: ccna
Password:
SW1>

Step 17

On the SW1 switch, enter the privileged EXEC mode by entering the previously configured password.
SW1> enable
Password:
SW1#


Step 18


Return to PC1, open PuTTY, and establish a Telnet session to the SW1 switch to verify that you configured
vty security correctly.

Enter the appropriate credentials to log into the switch.


Activity Verification
No additional verification is needed in this task.

Task 2: Enable SSH Remote Access

Previously, you protected passwords by using encryption. However, when remote management uses the
Telnet protocol, which sends all characters in cleartext, including passwords, the potential exists for packet
capture and exploitation of this information. In this task, you will configure SSH as an alternative to Telnet.
If it is possible in your environment, it would be best to replace Telnet with SSH.
Activity Procedure
Complete the following steps:
Step 1

Configure the Branch router for SSH access.

Use cisco.com as the domain name. The key length should be 1024 bits. Use SSH version 2 and make SSH
the only remote access that is allowed.
Step 2

Save the changes that you made on the Branch router.


Step 3
Configure the SW1 switch for SSH access.
Use cisco.com as the domain name, specify a key length of 1024 bits, use SSH version 2, and make SSH
the only remote access that is allowed.


Step 4

Save the changes that you made on the SW1 switch.


Step 5

On PC1, open PuTTY and try to connect to the Branch router using Telnet. Your attempt will be
unsuccessful.


Step 6
Now try to remotely connect from PC1 to the Branch router using SSH. Your attempt should be successful.


Leave the connection open for the next step.


Step 7

On the Branch router, show the users that are logged into the system. Identify the user that is using the vty
line.
Branch# show users
    Line       User       Host(s)              Idle       Location
*  0 con 0     ccna       idle                 00:00:00
 514 vty 0     ccna       idle                 00:00:27 10.1.1.100

  Interface    User               Mode         Idle     Peer Address

Step 8


Return to PC1. Open another PuTTY window and establish an SSH session to the SW1 switch in order to
verify the SSH configuration on the switch. Your attempt should be successful.


Activity Verification
No additional verification is needed in this task.

Task 3: Limit Remote Access to Selected Network Addresses

In this task, you will create an ACL on the SW1 switch and apply it to the vty lines. The ACL will permit
remote sessions from the Branch router but not from PC1.
Activity Procedure
Complete the following steps:
Step 1

On the SW1 switch, define a standard ACL that will permit only the IP address of the Branch router.
Any attempts to establish remote sessions from unauthorized devices should be logged.
Step 2

Apply the defined ACL to all vty lines of the SW1 switch.
SW1(config)# line vty 0 15
SW1(config-line)# access-class 1 in

Step 3

Save the changes that you made on the SW1 switch.


Activity Verification
You have completed this task when you attain this result:
Step 1
Try to establish an SSH remote session from PC1 to SW1 at 10.1.1.11.

You should not be successful because the ACL that you defined allows only the Branch router to establish
sessions to the SW1 switch.

Step 2
Try to establish an SSH remote session from the Branch router.

You should be successful.

Branch# ssh -l ccna 10.1.1.11

Password:
SW1>


Step 3
On the SW1 switch, show the ACL that you defined for the vty lines.


Notice that the counters for both the permit and deny statements increased. If you did not define an explicit
deny statement, a remote session from PC1 would still be denied, but you would not be able to see counters
for denied remote session attempts.
SW1# show access-lists
Standard IP access list 1
    10 permit 10.1.1.1 (2 matches)
    20 deny   any log (3 matches)

Task 4: Configure a Login Banner

As part of any security policy, you must ensure that network resources are clearly identified as being off
limits to the casual visitor. Hackers have successfully used the fact that a welcome screen was presented
at login as their legal defense for forced entry into the network. Therefore, a message that clearly states that
access is restricted should be presented when a user is attempting to access a network device (switch, router,
and so on). The Cisco IOS banner command allows you to do so.
Activity Procedure
Complete the following steps:
Step 1

Configure the Branch router with the following login banner message:
********** Warning *************
Access to this device is restricted to authorized persons only!
Unauthorized access is prohibited. Violators will be prosecuted.
***********************************************
Step 2

Save the changes that you made on the Branch router.


Step 3

Configure the SW1 switch with the same login banner that you used for the Branch router in the previous
step:
********** Warning *************
Access to this device is restricted to authorized persons only!
Unauthorized access is prohibited. Violators will be prosecuted.
***********************************************


Step 4
Save the changes that you made on the SW1 switch.

Activity Verification
You have completed this task when you attain these results:
Step 1
Access the Branch router. Log out of the Branch router and then log back in.
Notice the login banner that you were presented with as you logged in.

Branch# logout
Branch con0 is now available
Press RETURN to get started.
********** Warning *************
Access to this device is restricted to authorized persons only!
Unauthorized access is prohibited. Violators will be prosecuted.
***********************************************
User Access Verification
Username: ccna
Password:

Step 2

Access SW1. Log out of the SW1 switch console and then log back in.
Notice the login banner that you were presented with as you logged in.

SW1# logout
SW1 con0 is now available
Press RETURN to get started.
********** Warning *************
Access to this device is restricted to authorized persons only!
Unauthorized access is prohibited. Violators will be prosecuted.
***********************************************
User Access Verification
Username: ccna
Password:

Note

When accessing network devices via the SSH protocol, some terminal clients such as PuTTY display the
login banner only after the username parameter is entered as input.
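
The end state this lab builds toward (local user authentication on the console and vty lines, SSH as the only remote access, an inbound ACL on the vty lines that logs denied attempts, an enable secret, and a login banner) can be checked mechanically against a saved configuration. The Python script below is an added example, not part of the lab guide; its function names and both sample configurations are constructed for illustration, and <HASH> is a placeholder rather than a real secret hash.

```python
import re

# Constructed sample: console and vty lines as they stand early in Task 1,
# with a cleartext line password and Telnet still accepted.
WEAK_CONFIG = """\
hostname Branch
!
line con 0
 exec-timeout 60 0
 password cisco
 logging synchronous
 login
line vty 0 4
 password cisco
 login
 transport input telnet
"""

# Constructed sample: the state Lab 3-1 aims for on SW1 after Task 4.
# <HASH> is a placeholder, not a real secret hash.
HARDENED_CONFIG = """\
hostname SW1
!
enable secret 4 <HASH>
username ccna secret 4 <HASH>
ip domain-name cisco.com
ip ssh version 2
access-list 1 permit 10.1.1.1
access-list 1 deny   any log
banner login ^C Access to this device is restricted ^C
!
line con 0
 login local
line vty 0 4
 access-class 1 in
 login local
 transport input ssh
line vty 5 15
 access-class 1 in
 login local
 transport input ssh
"""


def parse_sections(config_text):
    """Group indented sub-commands under the top-level command above them."""
    sections = []
    for raw in config_text.splitlines():
        if not raw.strip() or raw.strip() == "!":
            continue
        if raw.startswith(" ") and sections:
            sections[-1][1].append(raw.strip())
        else:
            sections.append((raw.strip(), []))
    return sections


def audit(config_text):
    """Return findings for the hardening steps covered in Lab 3-1."""
    sections = parse_sections(config_text)
    top = [header for header, _ in sections]
    findings = []

    if not any(h.startswith("enable secret ") for h in top):
        findings.append("global: no enable secret")
    if "ip ssh version 2" not in top:
        findings.append("global: SSH version 2 not enforced")
    if not any(h.startswith("banner login") for h in top):
        findings.append("global: no login banner")

    for header, subs in sections:
        if not header.startswith(("line con", "line vty")):
            continue
        if any(s.startswith("password ") for s in subs):
            findings.append(f"{header}: line password present in config")
        if "login local" not in subs:
            findings.append(f"{header}: not using the local user database")
        if not header.startswith("line vty"):
            continue

        # Remote lines: SSH only, plus an inbound ACL that logs denials.
        transports = [s.split()[2:] for s in subs if s.startswith("transport input ")]
        if transports != [["ssh"]]:
            findings.append(f"{header}: transport input is not ssh only")
        acl = next((m.group(1) for s in subs
                    if (m := re.fullmatch(r"access-class (\S+) in", s))), None)
        if acl is None:
            findings.append(f"{header}: no inbound access-class")
        elif not any(re.fullmatch(rf"access-list {re.escape(acl)} deny\s+any log", h)
                     for h in top):
            findings.append(f"{header}: ACL {acl} does not log denied attempts")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit(cfg) or "no findings")
```

The parser relies on the single-space indentation that show running-config uses for sub-commands, so it should be fed the saved configuration text rather than a reflowed copy.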


Lab 3-2: Device Hardening


Activity Overview
Objectives

Device hardening is crucial to increasing security in the network. In this lab, you will perform security
device hardening on a router and switch. After you have completed this activity, you will be able to meet
these objectives:
Disable unused ports

Configure port security on a switch


Disable unused services
Configure NTP

Visual Objective
The figure illustrates what you will accomplish in this activity.

[Figure: Visual Objective for Lab 3-2: Device Hardening. Labels: Branch, HQ, Server (NTP server), Internet, PC1, SW1, inside and outside networks. Callouts: configure NTP client and server; on SW1, disable unused ports, configure port security, disable Cisco Discovery Protocol, and configure NTP client.]

Required Resources

No additional resources are required for this lab.


Command List
The table that follows describes the commands that are used in this activity. The commands are listed in
alphabetical order so that you can easily locate the information that you need. Refer to this list if you need
configuration command assistance during the lab activity.

Command                                           Description
[no] cdp enable                                   Enables or disables Cisco Discovery Protocol on an interface
configure terminal                                Enters configuration mode
interface interface                               Enters interface configuration mode
ntp master [stratum]                              Configures Cisco IOS Software as an NTP master clock.
ntp server {ip-address}                           Allows the software clock to be synchronized by an NTP time server
ping dest_IP                                      Verifies connectivity between the source IP and destination IP
show cdp neighbors                                Displays detailed information about neighboring devices that are discovered by using Cisco Discovery Protocol
show interfaces                                   Displays statistics for all interfaces that are configured on the router
show interfaces status                            Displays the status of interfaces
show port-security interface interface            Displays the port security settings that are defined for an interface
show ntp associations                             Displays the status of NTP associations
show ntp status                                   Displays the status of NTP
show port-security address                        Displays the secure MAC addresses for all ports
[no] shutdown                                     Enables or disables an interface on the router
switchport mode access                            Configures a switchport as an access port
switchport port-security                          Enables the port security feature on the interface
switchport port-security mac-address mac-address  Enters a secure MAC address for the interface

Job Aids

These job aids are available to help you complete the lab activity.

The table shows the hardware that is used in the lab and the operating system that is running on the devices.
Device        Hardware                               Operating System
Branch        Cisco 2901 Integrated Services Router  c2900-universalk9-mz.SPA.152-4.M1
Headquarters  Cisco 2901 Integrated Services Router  c2900-universalk9-mz.SPA.152-4.M1
SW1           Catalyst 2960 Series Switch            c2960-lanbasek9-mz.150-1.SE3
PC1           Any PC                                 Microsoft Windows 7
PC2           Any PC                                 Microsoft Windows 7

The table shows usernames and passwords that are used to access the lab devices.
Device                    Username       Password
PC1                       Administrator  admin
PC2                       Administrator  admin
Branch (console access)   ccna           cisco
Branch (enable password)                 cisco
SW1 (console access)      ccna           cisco
SW1 (enable password)                    cisco

Topology and IP Addressing

Devices are connected with Ethernet links. The figure illustrates the interface identification and IP
addresses that are used in this lab setup.

[Figure: Topology and IP Addressing, showing Branch, HQ, Server, the Internet, SW1, PC1 and PC2; the interfaces and addresses are listed in the table below.]


The table shows the interface identification and IP addresses that are used in this lab setup.
Device        Interface                               IP Address/Subnet Mask
Branch        Gi0/1                                   209.165.201.1/27
Branch        Gi0/0                                   10.1.1.1/24
Headquarters  Gi0/1                                   209.165.201.2/27
Headquarters  Loopback0                               172.16.1.100/24
SW1           VLAN1                                   10.1.1.11/24
PC1           Ethernet adapter local area connection  10.1.1.100/24
PC2           Ethernet adapter local area connection  10.1.1.101/24


Task 1: Disable Unused Ports

Unused ports on a switch can be a security risk. A hacker can plug a switch into an unused port and become
part of the network. In this task, you will disable unused ports on a network switch.
Activity Procedure
Complete the following steps:
Step 1

Access the SW1 switch.


Step 2

Disable unused interfaces FastEthernet 0/14 to FastEthernet 0/24 with as few configuration steps as
possible.
Step 3

Examine the status of interfaces FastEthernet 0/14 to FastEthernet 0/24.

You should see interfaces FastEthernet 0/14 to FastEthernet 0/24 as disabled.


SW1# show interfaces status
Port      Name               Status       Vlan       Duplex  Speed Type
<output omitted>
Fa0/13                       connected    1          a-full  a-100 10/100BaseTX
Fa0/14                       disabled     1            auto   auto 10/100BaseTX
Fa0/15                       disabled     1            auto   auto 10/100BaseTX
Fa0/16                       disabled     1            auto   auto 10/100BaseTX
Fa0/17                       disabled     1            auto   auto 10/100BaseTX
Fa0/18                       disabled     1            auto   auto 10/100BaseTX
Fa0/19                       disabled     1            auto   auto 10/100BaseTX
Fa0/20                       disabled     1            auto   auto 10/100BaseTX
Fa0/21                       disabled     1            auto   auto 10/100BaseTX
Fa0/22                       disabled     1            auto   auto 10/100BaseTX
Fa0/23                       disabled     1            auto   auto 10/100BaseTX
Fa0/24                       disabled     1            auto   auto 10/100BaseTX

Step 4

Save the running configuration to the startup configuration.


Activity Verification
No additional verification is needed in this task.

Task 2: Configure Port Security on a Switch


Port security is a feature that is supported on Cisco Catalyst switches that restricts a switch port to a specific
set or number of MAC addresses. In this task, you will configure port security on the switch interface that
faces the router. You will also demonstrate a port security violation.
Activity Procedure
Complete the following steps:
Step 1

Access the Branch router.


Step 2

Examine the MAC address of the Branch router interface GigabitEthernet 0/0, which faces the SW1 switch.
Write down the MAC address, which you will need to configure the port security feature.

Branch# show interfaces GigabitEthernet 0/0


GigabitEthernet0/0 is up, line protocol is up
Hardware is CN Gigabit Ethernet, address is f866.f231.7250 (bia f866.f231.7250)

Note

Your MAC address might be different from the address that is shown in the output.

Step 3

Access the SW1 switch.


Step 4

Configure interface FastEthernet0/13, which faces the Branch router, as a static access port.
Step 5

Enable the port security feature on interface FastEthernet0/13. Manually specify the secure MAC address
f866.f231.7251 (which is not the MAC address of the Branch router).
You will simulate a port security violation by misconfiguring the secure MAC address.


Step 6
Observe the switch output and verify the status of SW1 interface FastEthernet0/13. Make sure that a port
security violation occurred because of the misconfigured secure MAC address.


Sep 28 11:16:18.312: %PM-4-ERR_DISABLE: psecure-violation error detected on Fa0/13, putting Fa0/13 in err-disable state
Sep 28 11:16:18.312: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address f866.f231.7250 on port FastEthernet0/13.
Sep 28 11:16:19.318: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/13, changed state to down
Sep 28 11:16:20.317: %LINK-3-UPDOWN: Interface FastEthernet0/13, changed state to down
SW1# show interfaces FastEthernet 0/13
FastEthernet0/13 is down, line protocol is down (err-disabled)
  Hardware is Fast Ethernet, address is 001e.147c.6f0d (bia 001e.147c.6f0d)
SW1#show port-security interface FastEthernet 0/13
Port Security              : Enabled
Port Status                : Secure-shutdown
Violation Mode             : Shutdown
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 1
Total MAC Addresses        : 1
Configured MAC Addresses   : 1
Sticky MAC Addresses       : 0
Last Source Address:Vlan   : f866.f231.7250:1
Security Violation Count   : 1

A port security violation occurs due to management traffic (Cisco Discovery Protocol, for example) coming
from the router toward the switch.
Step 7

Try to ping PC1 at 10.1.1.100 from the Branch router. Your attempt should fail because the switch port
connecting to the Branch router is error-disabled.
Branch# ping 10.1.1.100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.100, timeout is 2 seconds:
U.U.U
Success rate is 0 percent (0/5)

Step 8

Change the port security of the secure MAC address on SW1 interface FastEthernet0/13 to the correct MAC
address, which you wrote down.
Note

Your MAC address for the Branch router might be different from the address that was shown in the
output.


Step 9
Make the FastEthernet0/13 interface on SW1 operational again.
Step 10


Observe the switch output. Verify the status of the FastEthernet0/13 interface on SW1 and make sure that
the interface is operational again.

Sep 28 11:10:07.080: %LINK-3-UPDOWN: Interface FastEthernet0/13, changed state to up
Sep 28 11:10:08.087: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/13, changed state to up
SW1# show interfaces FastEthernet 0/13
FastEthernet0/13 is down, line protocol is up
  Hardware is Fast Ethernet, address is 001e.147c.6f0d (bia 001e.147c.6f0d)

Step 11

Try to ping PC1 at 10.1.1.100 from the Branch router. Your attempt should succeed now.
Branch# ping 10.1.1.100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.100, timeout is 2 seconds:
!!!!!

Step 12

Display the secure MAC addresses for interface FastEthernet0/13.

SW1# show port-security address
               Secure Mac Address Table
-----------------------------------------------------------------------------
Vlan    Mac Address       Type                  Ports     Remaining Age
                                                             (mins)
----    -----------       ----                  -----     -------------
   1    f866.f231.7250    SecureConfigured      Fa0/13
-----------------------------------------------------------------------------
Total Addresses in System (excluding one mac per port)     : 1
Max Addresses limit in System (excluding one mac per port) : 8192


Step 13
Display the port security settings for the SW1 switch.

SW1# show port-security
Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
                (Count)       (Count)         (Count)
---------------------------------------------------------------------------
     Fa0/13        1             1               0          Shutdown
---------------------------------------------------------------------------
Total Addresses in System (excluding one mac per port)     : 1
Max Addresses limit in System (excluding one mac per port) : 8192

Step 14

Disable the port security feature on interface FastEthernet 0/13.


Step 15

Save the running configuration to the startup configuration.


Activity Verification
No additional verification is needed in this task.

Task 3: Disable Unused Services

Some services may not be needed on the router and therefore can be disabled. You will disable Cisco
Discovery Protocol on the switch interface toward the router.
Activity Procedure
Complete the following steps:
Step 1

Access the Branch router.


Step 2

Examine the neighbor devices of the Branch router.

You should see the SW1 switch as the neighbor device.

Branch# show cdp neighbors
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
                  S - Switch, H - Host, I - IGMP, r - Repeater, P - Phone,
                  D - Remote, C - CVTA, M - Two-port Mac Relay

Device ID        Local Intrfce     Holdtme    Capability  Platform   Port ID
SW1              Gig 0/0           135        S I         WS-C2960-  Fas 0/13


Step 3
Disable Cisco Discovery Protocol on the SW1 interface that is facing the Branch router.
Step 4

Examine the neighbor devices of the Branch router.


You should not see switch SW1 anymore as a neighbor device because you disabled Cisco Discovery
Protocol on the switch interface toward the router.
Branch# show cdp neighbors
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
                  S - Switch, H - Host, I - IGMP, r - Repeater, P - Phone,
                  D - Remote, C - CVTA, M - Two-port Mac Relay

Device ID        Local Intrfce     Holdtme    Capability  Platform   Port ID

Note

It may take up to 3 minutes for the neighbor to disappear from the output because of the holddown timer
that is set to 180 seconds.

Step 5

Examine the neighbor devices of the SW1 switch.

You should see no neighbor device because you disabled Cisco Discovery Protocol on the switch interface
toward the Branch router.
SW1# show cdp neighbors
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
                  S - Switch, H - Host, I - IGMP, r - Repeater, P - Phone,
                  D - Remote, C - CVTA, M - Two-port Mac Relay

Device ID        Local Intrfce     Holdtme    Capability  Platform   Port ID

Step 6

Enable Cisco Discovery Protocol on the SW1 interface that faces the Branch router.
Step 7

Save the running configuration to the startup configuration.


Activity Verification
No additional verification is needed in this task.


Task 4: Configure NTP


Networks use NTP to synchronize the clocks of various devices across a network. Clock synchronization
within a network is critical for digital certificates and for correct interpretation of events within syslog data.
In this task, you will configure the Branch router as an NTP client of the server. The Branch router will also
act as an NTP server for SW1 at the same time. The server has been preconfigured as the NTP server with
stratum 3.

Activity Procedure
Complete the following steps:
Step 1

Configure the Branch router as an NTP client of the server at 172.16.1.100.


Step 2

Verify NTP associations on the Branch router.

Branch# show ntp associations
  address         ref clock       st   when   poll  reach  delay   offset   disp
*~172.16.1.100    127.127.1.1      3     58    128     77  1.067   36.634  0.968
 * sys.peer, # selected, + candidate, - outlyer, x falseticker, ~ configured

You should see that the Branch router synchronized its clock with the server.
Note

It may take several minutes in order to synchronize the clock with the NTP server.

Step 3

Verify the NTP status on the Branch router.

Branch# show ntp status


Clock is synchronized, stratum 4, reference is 172.16.1.100
nominal freq is 250.0000 Hz, actual freq is 249.9989 Hz, precision is 2**21
ntp uptime is 139700 (1/100 of seconds), resolution is 4016
reference time is D46AE7E9.B6A4139E (09:46:17.713 UTC Thu Dec 6 2012)
clock offset is 35.7065 msec, root delay is 0.87 msec
root dispersion is 40.23 msec, peer dispersion is 1.88 msec
loopfilter state is 'CTRL' (Normal Controlled Loop), drift is 0.000004366 s/s
system poll interval is 128, last update was 121 sec ago.

What is the stratum of the clock on the Branch router?


Step 4

Access the SW1 switch.


Step 5

Configure SW1 as an NTP client that will synchronize its time with the Branch router. Although the Branch
router is configured only with NTP client configuration, it will respond to time requests from other clients.
It will act as a server for switch SW1.

Step 6

Verify the NTP status and the NTP association status on the SW1 switch.

SW1# show ntp status


Clock is synchronized, stratum 5, reference is 10.1.1.1
nominal freq is 119.2092 Hz, actual freq is 119.2091 Hz, precision is 2**17
reference time is D46AEB16.D3639982 (09:59:50.825 UTC Thu Dec 6 2012)
clock offset is 58.8216 msec, root delay is 2.30 msec
root dispersion is 122.31 msec, peer dispersion is 8.38 msec
loopfilter state is 'CTRL' (Normal Controlled Loop), drift is 0.000001118 s/s
system poll interval is 128, last update was 862 sec ago.
SW1# show ntp associations
  address         ref clock       st   when   poll  reach  delay   offset   disp
*~10.1.1.1        172.16.1.100     4    115    128    377  1.436   58.821  8.389
 * sys.peer, # selected, + candidate, - outlyer, x falseticker, ~ configured

You should see that SW1 synchronized its clock with the Branch router.
What is the stratum of the clock on the SW1 switch?
Note

It may take several minutes in order to synchronize the clock with the NTP server.

Step 7

Save the running configuration to the startup configuration.


Activity Verification
No additional verification is needed in this task.

Lab 3-3: Filtering Traffic with ACLs
Activity Overview
Objectives

A common mechanism for filtering traffic is ACLs, which enable you to allow, limit, or restrict access to a
network resource. In this lab, you will configure traffic filtering using ACLs. After you have completed this
activity, you will be able to meet these objectives:
Configure extended, named ACLs
Troubleshoot ACLs

Visual Objective
The figure illustrates what you will accomplish in this activity.

[Figure: Visual Objective for Lab 3-3: Filtering Traffic with ACLs. Devices shown: Branch, HQ, Server, SW1, SW2, PC1, PC2.]

[Figure: Detailed Visual Objective. Labels: "Configure ACL", "Troubleshoot ACL", "Telnet Allowed", "Telnet Blocked", "All Other Traffic Allowed". Devices shown: Branch, HQ, Server, Internet, SW1, PC1, PC2.]

Required Resources

There are no additional required resources for this lab.


Command List
The table that follows describes the commands that are used in this activity. The commands are listed in
alphabetical order so that you can easily locate the information that you need. Refer to this list if you need
configuration command assistance during the lab activity.

Commands

Command                                            Description
configure terminal                                 Enters configuration mode
interface interface                                Enters interface configuration mode
ip access-group ACL_name {in | out}                Enables an IP ACL on an interface
ip access-list extended ACL_name                   Defines an ACL and enters ACL configuration mode
{permit | deny} {test conditions}                  Creates ACL statements for a named ACL
show access-lists ACL_name                         Displays the contents of all IP ACLs
show ip interface interface-type interface number  Displays IP-specific information for an interface, including the ACLs that are applied on an interface

Job Aids

These job aids are available to help you complete the lab activity.

The table shows the hardware that is used in the lab and the operating system that is running on the devices.
Device         Hardware                                Operating System
Branch         Cisco 2901 Integrated Services Router   c2900-universalk9-mz.SPA.152-4.M1
Headquarters   Cisco 2901 Integrated Services Router   c2900-universalk9-mz.SPA.152-4.M1
SW1            Catalyst 2960 Series Switch             c2960-lanbasek9-mz.150-1.SE3
PC1            Any PC                                  Microsoft Windows 7
PC2            Any PC                                  Microsoft Windows 7

The table shows usernames and passwords that are used to access the lab devices.
Device                     Username        Password
PC1                        Administrator   admin
PC2                        Administrator   admin
Branch (console access)    ccna            cisco
Branch (enable password)                   cisco
SW1 (console access)       ccna            cisco
SW1 (enable password)                      cisco
Server (HTTP)              ccna            cisco


Topology and IP Addressing


Devices are connected with Ethernet links. The figure illustrates the interface identification and IP
addresses that are used in this lab setup.

[Figure: Topology and IP Addressing. Devices shown: Branch, HQ, Server, Internet, SW1, PC1, PC2; switch ports Fa0/1, Fa0/3, Fa0/13.]

The table shows the interface identification and IP addresses that are used in this lab setup.
Device         Interface                                 IP Address/Subnet Mask
Branch         Gi0/1                                     209.165.201.1/27
Branch         Gi0/0                                     10.1.1.1/24
Headquarters   Gi0/1                                     209.165.201.2/27
Headquarters   Loopback0                                 172.16.1.100/24
SW1            VLAN1                                     10.1.1.11/24
PC1            Ethernet adapter local area connection    10.1.1.100/24
PC2            Ethernet adapter local area connection    10.1.1.101/24

Task 1: Configure an ACL

ACLs enable you to control access to network resources based on Layer 3 packet-header information. In
this task, you will configure an ACL that will prevent a Telnet connection from PC2 to the server. All other
IP traffic will be permitted.
Activity Procedure
Complete the following steps:


Step 1
Access the Branch router. Use the credentials provided in the Job Aids section of the document in order to
log in.
Step 2

Configure an extended ACL named Telnet that will prevent a Telnet connection from PC2 to the server. All
other IP traffic should be permitted.
Step 3

Verify the content of the configured ACL.

Branch# show access-lists Telnet


Extended IP access list Telnet
10 deny tcp host 10.1.1.101 host 172.16.1.100 eq telnet
20 permit ip any any

Step 4

Apply the configured ACL to the GigabitEthernet0/0 interface in the correct direction.
Step 5

Verify that the configured ACL is applied to the GigabitEthernet0/0 interface in the correct direction.
Branch# show ip interface GigabitEthernet 0/0
GigabitEthernet0/0 is up, line protocol is up
Internet address is 10.1.1.1/24
Broadcast address is 255.255.255.255
Address determined by setup command
MTU is 1500 bytes
Helper address is not set
Directed broadcast forwarding is disabled
Outgoing access list is not set
Inbound access list is Telnet
Proxy ARP is enabled
Local Proxy ARP is disabled
<...output omitted...>

Step 6

Save the running configuration to the startup configuration.


Step 7

Access PC1. Open PuTTY by double-clicking the PuTTY icon and establish a Telnet session to the server
at 172.16.1.100.

You should be successful.


Step 8

Verify that the counter that was matched by the permit ACL statement increased.
Branch# show access-lists Telnet
Extended IP access list Telnet
10 deny tcp host 10.1.1.101 host 172.16.1.100 eq telnet
20 permit ip any any (10 matches)

Note

The actual number of ACL hits may differ from the outputs that are provided in the lab guide.


Step 9

Access PC2. Open PuTTY by double-clicking the PuTTY icon and establish a Telnet session to the server
at 172.16.1.100.

You should not be successful because the configured ACL blocks Telnet traffic from PC2 to the server.
Step 10

Verify that the counter that was matched by the deny ACL statement increased.

Branch# show access-lists Telnet


Extended IP access list Telnet
10 deny tcp host 10.1.1.101 host 172.16.1.100 eq telnet (9 matches)
20 permit ip any any (10 matches)


Step 11

Access PC1. Open Internet Explorer and try to reach the HTTP server at IP address 172.16.1.100. Use the
credentials that are provided in the Job Aids section of the document in order to log in.

You should be successful.


Step 12

Access PC2. Open Internet Explorer and try to reach the HTTP server at IP address 172.16.1.100. Use the
credentials that are provided in the Job Aids section of the document in order to log in.

You should be successful.


Step 13

Verify that the counter that was matched by the permit ACL statement increased.

Branch# show access-lists Telnet


Extended IP access list Telnet
10 deny tcp host 10.1.1.101 host 172.16.1.100 eq telnet (9 matches)
20 permit ip any any (274 matches)

Activity Verification
No additional verification is needed in this task.

Task 2: Lab Setup

In this lab setup procedure, you will load a configuration to the Branch router to create a trouble ticket. You
will resolve this ticket in the next task.


Activity Procedure
Complete the following steps:
Step 1
Access the Branch router.

Step 2
Copy the TSHOOT_Troubleshoot_ACLs_Branch.cfg file from the router flash memory into the router
running configuration.
Branch# copy flash:TSHOOT_Troubleshoot_ACLs_Branch.cfg running-config
3341 bytes copied in 3.490 secs (957 bytes/sec)

Activity Verification
No additional verification is needed in this task.

Task 3: Troubleshoot an ACL

It is very important to be able to analyze the behavior of configured ACLs and to troubleshoot them. In this
task, you will troubleshoot the previously loaded trouble ticket. You should change the configuration so that
a Telnet connection from PC2 to the server is not permitted, while all other IP traffic to the server is
allowed.
Activity Procedure
Complete the following steps:


Step 1

Access PC1. Open PuTTY by double-clicking the PuTTY icon and establish a Telnet session to the server
at 172.16.1.100.

You should be successful.


Step 2

Access PC2. Open PuTTY by double-clicking the PuTTY icon and establish a Telnet session to the server
at 172.16.1.100.

You will be successful, although Telnet traffic from PC2 to the server should be blocked.


Step 3

Access PC1. Open Internet Explorer and try to reach the HTTP server at IP address 172.16.1.100. Use the
credentials that are provided in the Job Aids section of the document in order to log in.

You should be successful.


Step 4

Access PC2. Open Internet Explorer and try to reach the HTTP server at IP address 172.16.1.100. Use the
credentials that are provided in the Job Aids section of the document in order to log in.

You should be successful.


Step 5

Access the Branch router.


Step 6
Verify that the configured ACL is applied to the GigabitEthernet0/0 interface in the correct direction.

Branch# show ip interface GigabitEthernet 0/0


GigabitEthernet0/0 is up, line protocol is up
Internet address is 10.1.1.1/24
Broadcast address is 255.255.255.255
Address determined by setup command
MTU is 1500 bytes
Helper address is not set
Directed broadcast forwarding is disabled
Outgoing access list is Telnet
Inbound access list is not set
Proxy ARP is enabled
Local Proxy ARP is disabled
<...output omitted...>

Step 7

Apply the configured ACL to the GigabitEthernet0/0 interface in the correct direction.
Step 8

Verify the contents of the configured ACL.

Branch# show access-lists Telnet


Extended IP access list Telnet
10 permit ip any any (338 matches)
20 deny ip any any
30 deny tcp host 10.1.1.101 host 172.16.1.100 eq telnet

Step 9

Change the Telnet ACL so that it prevents Telnet connections from PC2 to the server. All other IP traffic
should be permitted.
Step 10

Save the running configuration to the startup configuration.


Step 11

Access PC1. Open PuTTY by double-clicking the PuTTY icon and establish a Telnet session to the server
at 172.16.1.100.

You should be successful.


Step 12

Access PC2. Open PuTTY by double-clicking the PuTTY icon and establish a Telnet session to the server
at 172.16.1.100.

You should not be successful because the configured ACL blocks Telnet traffic from PC2 to the server.


Step 13

Access PC1. Open Internet Explorer and try to reach the HTTP server at IP address 172.16.1.100. Use the
credentials that are provided in the Job Aids section of the document in order to log in.

You should be successful.


Step 14

Access PC2. Open Internet Explorer and try to reach the HTTP server at IP address 172.16.1.100. Use the
credentials that are provided in the Job Aids section of the document in order to log in.

You should be successful.

Activity Verification
No additional verification is needed in this task.
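
The first-match behavior behind Task 3, as an added example that is not part of the lab guide: a small Python evaluator run over the two "show access-lists Telnet" outputs shown in this lab. The function names, the two-entry port keyword table, and the in/out model of GigabitEthernet0/0 are assumptions made for the illustration.

```python
import ipaddress
import re
from collections import namedtuple

# Assumed names for this illustration; not Cisco IOS code.
Packet = namedtuple("Packet", "proto src dst dport")
Entry = namedtuple("Entry", "seq action proto src dst dport")
PORT_NAMES = {"telnet": 23, "www": 80}  # subset of the IOS port keywords

def ip_int(text):
    return int(ipaddress.IPv4Address(text))

def take_addr(tokens):
    """Consume 'any', 'host A' or 'A wildcard'; return (base, wildcard) integers."""
    first = tokens.pop(0)
    if first == "any":
        return (0, 0xFFFFFFFF)
    if first == "host":
        return (ip_int(tokens.pop(0)), 0)
    return (ip_int(first), ip_int(tokens.pop(0)))

def parse_acl(text):
    """Parse the entry lines of 'show access-lists' output, in sequence order."""
    entries = []
    for line in text.strip().splitlines():
        tokens = re.sub(r"\(\d+ match(es)?\)", "", line).split()
        if not tokens or not tokens[0].isdigit():
            continue  # "Extended IP access list ..." header, not an entry
        seq, action, proto, rest = int(tokens[0]), tokens[1], tokens[2], tokens[3:]
        src, dst = take_addr(rest), take_addr(rest)
        dport = None
        if rest[:1] == ["eq"]:
            dport = PORT_NAMES[rest[1]] if rest[1] in PORT_NAMES else int(rest[1])
        entries.append(Entry(seq, action, proto, src, dst, dport))
    return sorted(entries, key=lambda e: e.seq)

def addr_match(spec, ip):
    base, wildcard = spec
    care = ~wildcard & 0xFFFFFFFF  # a wildcard bit of 1 means "ignore this bit"
    return (ip_int(ip) & care) == (base & care)

def evaluate(entries, pkt):
    """First matching entry wins; no match falls through to the implicit deny."""
    for e in entries:
        if (e.proto in ("ip", pkt.proto)
                and addr_match(e.src, pkt.src) and addr_match(e.dst, pkt.dst)
                and e.dport in (None, pkt.dport)):
            return e.action, e.seq
    return "deny", None

def forward(entries, applied, crossing, pkt):
    """An ACL applied 'in' or 'out' only inspects packets crossing that way."""
    if applied != crossing:
        return "permit"  # the ACL is never consulted for this packet
    return evaluate(entries, pkt)[0]

def covers(a, b):
    """True if address spec a matches every address that spec b matches."""
    care_a, care_b = ~a[1] & 0xFFFFFFFF, ~b[1] & 0xFFFFFFFF
    return (care_a & ~care_b) == 0 and (a[0] & care_a) == (b[0] & care_a)

def shadowed(entries):
    """Return (seq, earlier seq) for each entry an earlier entry makes unreachable."""
    found = []
    for i, later in enumerate(entries):
        for earlier in entries[:i]:
            if (earlier.proto in ("ip", later.proto)
                    and covers(earlier.src, later.src)
                    and covers(earlier.dst, later.dst)
                    and earlier.dport in (None, later.dport)):
                found.append((later.seq, earlier.seq))
                break
    return found

# Entries copied from the two 'show access-lists Telnet' outputs in this lab.
TASK1_ACL = """
Extended IP access list Telnet
    10 deny tcp host 10.1.1.101 host 172.16.1.100 eq telnet
    20 permit ip any any
"""
TICKET_ACL = """
Extended IP access list Telnet
    10 permit ip any any (338 matches)
    20 deny ip any any
    30 deny tcp host 10.1.1.101 host 172.16.1.100 eq telnet
"""
PC1_TELNET = Packet("tcp", "10.1.1.100", "172.16.1.100", 23)
PC2_TELNET = Packet("tcp", "10.1.1.101", "172.16.1.100", 23)
PC2_HTTP = Packet("tcp", "10.1.1.101", "172.16.1.100", 80)

if __name__ == "__main__":
    good, ticket = parse_acl(TASK1_ACL), parse_acl(TICKET_ACL)
    # PC2 -> server traffic enters GigabitEthernet0/0, so it crosses it "in".
    print("ticket ACL, applied out:", forward(ticket, "out", "in", PC2_TELNET))
    print("ticket ACL, applied in :", evaluate(ticket, PC2_TELNET))
    print("ticket ACL shadowing   :", shadowed(ticket))
    print("Task 1 ACL, applied in :", evaluate(good, PC2_TELNET))
```

Correcting only the direction still leaves the Telnet session from PC2 permitted by entry 10, which is why the task checks both the direction and the order of the entries.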

Lab 4-1: Configuring Expanded Switched Networks
Activity Overview
Objectives

In this lab, you will configure two switches to meet specified VLAN requirements. After completing this
activity, you will be able to meet these objectives:
Configure VLANs

Configure trunking

Configure router with a trunk link

Visual Objective
The figure illustrates what you will accomplish in this activity.

[Figure: Visual Objective for Lab 4-1: Configuring Expanded Switched Networks. Devices shown: Branch, HQ, Server, SW1, SW2, PC1, PC2.]

[Figure: Detailed Visual Objective. Labels: "Configure VLANs and assign user ports to the proper VLAN", "Configure trunking", "Configure a router with a trunk link", "VLAN 10", "VLAN 20". Devices shown: Branch, SW1, SW2, PC1, PC2; ports Gi0/1, Fa0/1, Fa0/3, Fa0/13.]

Required Resources

There are no additional resources required for this lab.


Command List
The table describes the commands that are used in this activity. The commands are listed in alphabetical
order so that you can easily locate the information that you need. Refer to this list if you need configuration
command assistance during the lab activity.

Cisco IOS Commands

Command                                     Description
encapsulation dot1q vlan                    Enables IEEE 802.1Q encapsulation of traffic on a specified subinterface in VLANs. This command can be entered when you are in interface configuration mode.
interface interface_name interface_number   Enters interface configuration mode for the specified interface.
ip address ip_address network_mask          Sets an IP address, along with the subnet mask, on an interface. Enter interface configuration mode to issue this command.
show interfaces trunk                       Displays trunking information.
show vlan                                   Displays VLAN information.
show vlans                                  When you configure a router on a stick, use this command to verify trunking and VLANs.
[no] shutdown                               Disables or enables an interface. Issue this command from interface configuration mode.
switchport access vlan vlan                 Assigns a port to a VLAN. Issue this command from interface configuration mode.
switchport mode mode                        Interface configuration mode command. There are four options. The two non-negotiating modes are trunk and switch, and the two DTP negotiation modes are dynamic auto and dynamic desirable.
switchport trunk allowed vlan vlan_list     Specifies VLANs from which traffic is allowed over the trunk link.
vlan vlan_number                            Creates the VLAN that is specified. Issue this command from global configuration mode.

Microsoft Windows Commands

Command               Description
ping ip_address       Issues a ping to the specified IP address
tracert ip_address    Issues a traceroute to the specified IP address

Job Aids

These job aids are available to help you complete the lab activity.

The table shows the hardware that is used in the lab and the operating system that is running on the devices.


Device         Hardware                                Operating System
Branch         Cisco 2901 Integrated Services Router   c2900-universalk9-mz.SPA.152-4.M1
Headquarters   Cisco 2901 Integrated Services Router   c2900-universalk9-mz.SPA.152-4.M1
SW1            Catalyst 2960 Series Switch             c2960-lanbasek9-mz.150-1.SE3
SW2            Catalyst 2960 Series Switch             c2960-lanlitek9-mz.150-1.SE3
PC1            Any PC                                  Microsoft Windows 7
PC2            Any PC                                  Microsoft Windows 7

The table shows usernames and passwords that are used to access the lab devices.
Device                     Username        Password
PC1                        Administrator   admin
PC2                        Administrator   admin
Branch (console access)    ccna            cisco
Branch (enable password)                   cisco
SW1 (console access)       ccna            cisco
SW1 (enable password)                      cisco
Server (HTTP)              ccna            cisco

Topology and IP Addressing

Devices are connected with Ethernet links. The figure illustrates the interface identification and IP
addresses that will be used in this lab.

[Figure: Topology and IP Addressing. Devices shown: Branch, HQ, Server, Internet, SW1, SW2, PC1, PC2; switch ports Fa0/1, Fa0/3, Fa0/13.]

The table shows the interface identification and IP addresses that are used in this lab setup.
Device         Interface                                 IP Address/Subnet Mask
Branch         Gi0/1                                     209.165.201.1/27
Branch         Gi0/0                                     10.1.1.1/24
Headquarters   Gi0/1                                     209.165.201.2/27
Headquarters   Loopback0                                 172.16.1.100/24
SW1            VLAN1                                     10.1.1.11/24
SW2            VLAN1                                     10.1.1.12/24
PC1            Ethernet adapter local area connection    10.1.1.100/24
PC2            Ethernet adapter local area connection    10.1.1.101/24

Task 1: Configure a VLAN

In this task, you will create VLANs and assign the ports that are specified to them.
Activity Procedure
Complete the following steps:
Step 1

Access switch SW2.

For the purpose of management, configure the VLAN 1 interface with the IP address 10.1.1.12/24.


Step 2
Access PC2.

Assign the IP address 10.1.1.101/24 to it. The default gateway should be set to the IP address of the Branch
router.

Step 3

Access PC1 and ping PC2 (10.1.1.101).

The ping should be successful because ports on both PCs are access ports belonging to VLAN 1.
C:\Users\Administrator> ping 10.1.1.101
Pinging 10.1.1.101 with 32 bytes of data:
Reply from 10.1.1.101: bytes=32 time<3ms TTL=128
Reply from 10.1.1.101: bytes=32 time<3ms TTL=128
Reply from 10.1.1.101: bytes=32 time<2ms TTL=128
Reply from 10.1.1.101: bytes=32 time<2ms TTL=128
Ping statistics for 10.1.1.101:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 2ms, Maximum = 3ms, Average = 3ms


Step 4
On both switches, SW1 and SW2, create VLANs 10 and 20.
Step 5

On SW1, assign the port to which PC1 connects (FastEthernet0/1) to VLAN 10.
On SW2, assign the port to which PC2 connects (FastEthernet0/1) to VLAN 20.
Step 6

Save the running configuration to the startup configuration on both switches.


Step 7

Change the IP address of PC1 to 10.1.10.100/24. Set the default gateway to 10.1.10.1, which you will later
configure on the Branch router.
This step provides PC1 addressing in accordance with its VLAN assignment.


Step 8
Change the IP address of PC2 to 10.1.20.100/24. Set the default gateway to 10.1.20.1, which you will later
configure on the Branch router.

This step provides PC2 addressing in accordance with its VLAN assignment.

Activity Verification
You have completed this task when you attain these results:


Step 1
On SW1 and SW2, verify that VLANs 10 and 20 are present.
SW1 should have FastEthernet0/1 belonging to VLAN 10, and SW2 should have FastEthernet0/1 belonging
to VLAN 20.
SW1# show vlan
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/2, Fa0/3, Fa0/4, Fa0/5
                                                Fa0/6, Fa0/7, Fa0/8, Fa0/9
                                                Fa0/10, Fa0/11, Fa0/12, Fa0/13
                                                Fa0/14, Fa0/15, Fa0/16, Fa0/17
                                                Fa0/18, Fa0/19, Fa0/20, Fa0/21
                                                Fa0/22, Fa0/23, Fa0/24, Gi0/1
                                                Gi0/2
10   VLAN0010                         active    Fa0/1
20   VLAN0020                         active
1002 fddi-default                     act/unsup
1003 token-ring-default               act/unsup
1004 fddinet-default                  act/unsup
1005 trnet-default                    act/unsup

SW2# show vlan
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/2, Fa0/3, Fa0/4, Fa0/5
                                                Fa0/6, Fa0/7, Fa0/8, Fa0/9
                                                Fa0/10, Fa0/11, Fa0/12, Fa0/13
                                                Fa0/14, Fa0/15, Fa0/16, Fa0/17
                                                Fa0/18, Fa0/19, Fa0/20, Fa0/21
                                                Fa0/22, Fa0/23, Fa0/24, Gi0/1
                                                Gi0/2
10   VLAN0010                         active
20   VLAN0020                         active    Fa0/1
1002 fddi-default                     act/unsup
1003 token-ring-default               act/unsup
1004 fddinet-default                  act/unsup
1005 trnet-default                    act/unsup
<output omitted>


Step 2
At this point, PC1 belongs to VLAN 10, and PC2 belongs to VLAN 20.
From PC1, ping PC2 (10.1.20.100).

The connectivity test should not be successful. You first need to configure a trunk between switches that
will carry traffic from both VLANs and then configure a Layer 3 device that will route between those two
VLANs.
C:\Users\Administrator> ping 10.1.20.100
Pinging 10.1.20.100 with 32 bytes of data:
Reply from 10.1.10.100: Destination host unreachable.
Reply from 10.1.10.100: Destination host unreachable.
Reply from 10.1.10.100: Destination host unreachable.
Reply from 10.1.10.100: Destination host unreachable.
Ping statistics for 10.1.20.100:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),

Task 2: Configure the Link Between Switches as a Trunk

In this task, you will configure the link between two switches as a trunk. This configuration will enable the
link to carry traffic from multiple VLANs.
Activity Procedure
Complete the following steps:
Step 1

On switch SW1, configure the link toward switch SW2 (FastEthernet0/3) as a trunk. To follow the best
practice, allow only VLANs 1, 10, and 20 to cross the trunk. You can limit which VLANs are allowed to
traverse the trunk link with the switchport trunk allowed vlan command.

By default, ports are in DTP negotiation mode (dynamic auto). This mode presents a security risk, so the
best practice is to configure the ports manually to non-negotiation modes (access or trunk).
Repeat the same procedure on SW2.
Step 2

Save the running configuration to the startup configuration on both switches.


Step 3
On switch SW1, verify that the link toward SW2 is trunking and that VLANs 1, 10, and 20 are the only
VLANs that are allowed.

SW1# show interfaces trunk
Port        Mode         Encapsulation  Status        Native vlan
Fa0/3       on           802.1q         trunking      1

Port        Vlans allowed on trunk
Fa0/3       1,10,20
<output omitted>

On switch SW2, verify that the link toward SW1 is trunking and that VLANs 1, 10, and 20 are the only
VLANs that are allowed.
SW2# show interfaces trunk
Port        Mode         Encapsulation  Status        Native vlan
Fa0/3       on           802.1q         trunking      1

Port        Vlans allowed on trunk
Fa0/3       1,10,20
<output omitted>

Step 4

At this point, PC1 belongs to VLAN 10, and PC2 belongs to VLAN 20. The link between the two switches
is configured to carry more than one VLAN. It is a trunk.
From PC1, ping PC2 (10.1.20.100).

The connectivity test will not be successful. You first need to configure a trunk between switches that will
carry traffic from both VLANs and then configure a Layer 3 device that will route between those two
VLANs.
C:\Users\Administrator> ping 10.1.20.100
Pinging 10.1.20.100 with 32 bytes of data:
Reply from 10.1.20.100: Destination host unreachable.
Reply from 10.1.20.100: Destination host unreachable.
Reply from 10.1.20.100: Destination host unreachable.
Reply from 10.1.20.100: Destination host unreachable.
Ping statistics for 10.1.20.100:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),

Activity Verification
No additional verification is needed in this task.
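
The following Python check is an added example, not part of the lab guide. It audits switch configuration text for the two trunk risks that Step 1 addresses: ports left in a DTP negotiation mode and trunks that carry VLANs beyond 1, 10, and 20. The sample configuration is constructed, and the code assumes that an unconfigured port appears as an empty interface block.

```python
import re

EXPECTED_TRUNK_VLANS = {1, 10, 20}  # allowed list required by Step 1

# Constructed sample in `show running-config` form (not captured from the lab):
# Fa0/3 is hardened as in Step 1, Fa0/5 is at factory defaults, and Fa0/13 is
# a trunk with no allowed-VLAN list.
SAMPLE_CONFIG = """\
interface FastEthernet0/1
 switchport access vlan 10
 switchport mode access
!
interface FastEthernet0/3
 switchport trunk allowed vlan 1,10,20
 switchport mode trunk
!
interface FastEthernet0/5
!
interface FastEthernet0/13
 switchport mode trunk
!
interface Vlan1
 ip address 10.1.1.11 255.255.255.0
!
"""


def parse_vlan_list(text):
    """Expand an IOS VLAN list such as '1,10-12,20' into a set of ints."""
    vlans = set()
    for part in text.split(","):
        part = part.strip()
        if "-" in part:
            low, high = part.split("-", 1)
            vlans.update(range(int(low), int(high) + 1))
        elif part:
            vlans.add(int(part))
    return vlans


def parse_interfaces(config):
    """Return {interface name: [sub-commands]} for every interface block."""
    blocks, current = {}, None
    for line in config.splitlines():
        match = re.match(r"^interface (\S+)", line)
        if match:
            current = match.group(1)
            blocks[current] = []
        elif line.startswith(" ") and current:
            blocks[current].append(line.strip())
        else:
            current = None  # '!' or a global command ends the block
    return blocks


def audit_switchports(config, expected=EXPECTED_TRUNK_VLANS):
    """Return (interface, finding, detail) tuples for risky Layer 2 ports."""
    findings = []
    for name, cmds in parse_interfaces(config).items():
        if not re.match(r"(Fast|Gigabit)Ethernet", name):
            continue  # skip SVIs such as Vlan1
        mode, allowed = None, None
        for cmd in cmds:
            match = re.match(r"switchport mode (.+)$", cmd)
            if match:
                mode = match.group(1)
            match = re.match(r"switchport trunk allowed vlan (add )?([\d,-]+)$", cmd)
            if match:
                vlans = parse_vlan_list(match.group(2))
                if match.group(1):  # "add" extends the existing list
                    allowed = (allowed or set()) | vlans
                else:
                    allowed = vlans
        if mode is None:
            # No explicit mode: the port stays in its default DTP mode.
            findings.append((name, "dtp-default", "no explicit switchport mode"))
        elif mode.startswith("dynamic"):
            findings.append((name, "dtp-dynamic", "switchport mode " + mode))
        elif mode == "trunk":
            if allowed is None:
                findings.append((name, "trunk-all-vlans", "no allowed vlan list"))
            elif allowed - expected:
                extra = ",".join(str(v) for v in sorted(allowed - expected))
                findings.append((name, "trunk-extra-vlans", extra))
    return findings


if __name__ == "__main__":
    for interface, finding, detail in audit_switchports(SAMPLE_CONFIG):
        print("%-20s %-18s %s" % (interface, finding, detail))
```
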

Task 3: Configure a Trunk Link on the Router

In this task, you will configure a trunk link on the Branch router. It will serve as a Layer 3 device that will
route between the two VLANs.


Activity Procedure
Complete the following steps:
Step 1
On switch SW1, configure the link toward the Branch router (FastEthernet0/13) as a trunk.


Step 2
Save the running configuration to the startup configuration on the SW1 switch.
Step 3

On the Branch router, remove the IP address from the GigabitEthernet0/0 interface.
Step 4

On the Branch router, configure three subinterfaces. Subinterface GigabitEthernet0/0.1 should have an IP
address of 10.1.1.1/24 and belong to VLAN 1. Subinterface GigabitEthernet0/0.10 should have an IP
address of 10.1.10.1/24 and belong to VLAN 10. Subinterface GigabitEthernet0/0.20 should have an IP
address of 10.1.20.1/24 and belong to VLAN 20.
Step 5

Save the running configuration to the startup configuration on the Branch router.


Step 6
On the Branch router, verify that you have interface IP addresses that are configured in VLANs 1, 10, and
20.

Branch# show vlans
Virtual LAN ID: 1 (IEEE 802.1Q Encapsulation)
   vLAN Trunk Interface:   GigabitEthernet0/0.1
 This is configured as native Vlan for the following interface(s)
GigabitEthernet0/0   Native-vlan Tx-type: Untagged
   Protocols Configured:   Address:       Received:   Transmitted:
           IP              10.1.1.1       0           0
        Other                             0           2
   2 packets, 518 bytes input
   2 packets, 435 bytes output
Virtual LAN ID: 10 (IEEE 802.1Q Encapsulation)
   vLAN Trunk Interface:   GigabitEthernet0/0.10
   Protocols Configured:   Address:       Received:   Transmitted:
           IP              10.1.10.1      0           0
        Other                             0           1
   0 packets, 0 bytes input
   1 packets, 46 bytes output
Virtual LAN ID: 20 (IEEE 802.1Q Encapsulation)
   vLAN Trunk Interface:   GigabitEthernet0/0.20
   Protocols Configured:   Address:       Received:   Transmitted:
           IP              10.1.20.1      0           0
        Other                             0           1
   0 packets, 0 bytes input
   1 packets, 46 bytes output

Activity Verification
You have completed this task when you attain these results:
Step 1

Access PC1. Issue a ping command from PC1 to PC2 (10.1.20.100).

The attempt should be successful. The first ping or first few pings might fail due to the ARP process.
C:\Users\Administrator> ping 10.1.20.100
Pinging 10.1.20.100 with 32 bytes of data:
Reply from 10.1.20.100: bytes=32 time<3ms TTL=128
Reply from 10.1.20.100: bytes=32 time<3ms TTL=128
Reply from 10.1.20.100: bytes=32 time<2ms TTL=128
Reply from 10.1.20.100: bytes=32 time<2ms TTL=128
Ping statistics for 10.1.20.100:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 2ms, Maximum = 3ms, Average = 3ms


Step 2
From PC1, use the traceroute (tracert command) utility to trace the path from PC1 to PC2.
Notice that the traffic goes through the Branch router.

C:\Users\Administrator> tracert 10.1.20.100
Tracing route to 10.1.20.100 over a maximum of 30 hops
  1     4 ms     1 ms     1 ms  10.1.10.1
  2     2 ms     1 ms     1 ms  10.1.20.100
Trace complete.


Lab 4-2: Configuring DHCP Server
Activity Overview
Objectives

In this lab, you will assign IP addresses to network devices using DHCP. After completing this activity, you
will be able to meet these objectives:
Configure a DHCP server

Exclude specific IP addresses from DHCP pools


Configure a DHCP relay agent

Visual Objective
The figure illustrates what you will accomplish in this activity.

[Figure: Visual Objective for Lab 4-2: Configuring DHCP Server. Devices shown: Branch, DHCP Server, SW1, SW2, PC1, PC2. Callouts: Configure the DHCP server; Configure the DHCP relay agent; Configure DHCP clients.]

Required Resources

No additional resources are required for this lab.

Command List

The table describes the commands that are used in this activity. The commands are listed in alphabetical
order so that you can easily locate the information that you need. Refer to this list if you need configuration
command assistance during the lab activity.

Cisco Commands

Command                                     Description
default-router address                      Specifies the IP address of the default router for a DHCP client.
dns-server address                          Specifies the IP address of the DNS server that is available to a DHCP client.
ip dhcp excluded-address ip-address
  [last-ip-address]                         Specifies the IP addresses that a DHCP server should not assign to a DHCP client.
ip dhcp pool name                           Configures a DHCP address pool and enters DHCP configuration mode.
ip helper-address address                   Enables forwarding of broadcasts that are received on the interface to the specified IP address.
lease {days [hours] [minutes] | infinite}   Specifies the duration of the lease. The default is a one-day lease.
network network-number [mask |
  prefix-length]                            Defines addresses in the DHCP pool. Optionally, defines the subnet mask or prefix length. Either of these parameters determines which portion of the specified network number refers to the network part.
show ip dhcp binding                        Displays a list of all DHCP address bindings.
show ip interface brief                     Displays a brief summary of the IP information and status of an interface.
show running-config                         Displays the running configuration.

Microsoft Windows Commands

Command                                     Description
ping ip_address                             Issues a ping to the specified IP address.
ipconfig {/all}                             Displays IP address information. Uses option /all to display all details.
ipconfig /release                           Releases the DHCP leases.
ipconfig /renew                             Renews all network adapters and initiates a DHCP discover message if DHCP is enabled on the interface.

Job Aids

These job aids are available to help you complete the lab activity.

The table shows the hardware that is used in the lab and the operating system that is running on the devices.
Device         Hardware                                Operating System
Branch         Cisco 2901 Integrated Services Router   c2900-universalk9-mz.SPA.152-4.M1
Headquarters   Cisco 2901 Integrated Services Router   c2900-universalk9-mz.SPA.152-4.M1
SW1            Catalyst 2960 Series Switch             c2960-lanbasek9-mz.150-1.SE3
SW2            Catalyst 2960 Series Switch             c2960-lanlitek9-mz.150-1.SE3
PC1            Any PC                                  Microsoft Windows 7
PC2            Any PC                                  Microsoft Windows 7

The table shows the usernames and passwords that are used to access the lab equipment.
Device                     Username        Password
PC1                        Administrator   admin
PC2                        Administrator   admin
Branch (console access)    ccna            cisco
Branch (enable password)                   cisco
SW1 (console access)       ccna            cisco
SW1 (enable password)                      cisco

Topology and IP Addressing


Devices are connected with Ethernet links. The figure illustrates the interface identification and IP
addresses that are used in this lab setup.

[Figure: Topology and IP Addressing, showing Branch, HQ with the DHCP server, SW1, SW2, PC1, and PC2 with their interface and IP address labels.]

The table shows the interface identification and IP addresses that are used in this lab setup.
Device   Interface                                IP Address/Subnet Mask
Branch   Gi0/1                                    209.165.201.1/27
Branch   Gi0/0.1                                  10.1.1.1/24
Branch   Gi0/0.10                                 10.1.10.1/24
Branch   Gi0/0.20                                 10.1.20.1/24
HQ       Gi0/1                                    209.165.201.2/27
HQ       Loopback0                                172.16.1.100/24
SW1      VLAN1                                    10.1.1.11/24
SW2      VLAN1                                    10.1.1.12/24
PC1      Ethernet adapter local area connection   10.1.10.100/24
PC2      Ethernet adapter local area connection   10.1.20.100/24

VLAN Setup

Three VLANs are configured on the switches. VLAN 1 is used for switch management, VLAN 10 is used
to connect PC1, and VLAN 20 is used to connect PC2. A trunk is enabled between the switches and
between the SW1 switch and the Branch router. The figure illustrates the trunk and VLAN setup.

[Figure: VLAN Setup, showing Branch, SW1, SW2, PC1, and PC2 with the trunk links and VLANs 1, 10, and 20.]

Task 1: Configure DHCP Pools

In this task, you will configure DHCP pools to enable the DHCP server implementation on a router.
Activity Procedure
Complete the following steps:
Step 1

Access the Branch router.

Configure a DHCP pool named VLAN 10. The leased addresses should be part of network 10.1.10.0 /24.
Step 2

Determine the router interface IP address for VLAN 10 and configure it as a default gateway for DHCP
clients. Configure the same IP address for the DNS server.

Branch# show ip interface brief
Any interface listed with OK? value "NO" does not have a valid configuration
Interface                   IP-Address      OK? Method Status                Protocol
Embedded-Service-Engine0/0  unassigned      YES unset  administratively down down
GigabitEthernet0/0          10.1.1.1        YES DHCP   up                    up
GigabitEthernet0/0.10       10.1.10.1       YES manual up                    up
GigabitEthernet0/0.20       10.1.20.1       YES manual up                    up
GigabitEthernet0/1          209.165.201.1   YES unset  administratively down down
GigabitEthernet0/2          unassigned      YES unset  administratively down down
NVI0                        unassigned      NO  unset  up                    up
Branch#

Step 3
Change the default lease time to 2 hours.
Step 4

Save the running configuration to the startup configuration on the Branch router.
Step 5

Access PC1.

Open the network adapter settings and edit the IPv4 settings. Set them to obtain an IP address and DNS
address automatically.

Step 6
Verify that PC1 has obtained an IP address dynamically by executing a DHCP verification command on the
Branch router.

Branch# show ip dhcp binding
Bindings from all pools not associated with VRF:
IP address          Client-ID/              Lease expiration        Type
                    Hardware address/
                    User name
10.1.10.2           0100.0c29.8fa8.a6       Oct 25 2012 12:18 PM    Automatic

In addition, verify the IP address settings using the command prompt on PC1.
C:\Windows\system32> ipconfig /all
<output omitted>
Ethernet adapter LAB:
   Connection-specific DNS Suffix . :
   Description . . . . . . . . . . . : VMware Accelerated AMD PCNet Adapter #2
   Physical Address. . . . . . . . . : 00-0C-29-45-32-BE
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::8c6e:3fe3:ca7e:c7c7%13(Preferred)
   IPv4 Address. . . . . . . . . . . : 10.1.10.2(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Lease Obtained. . . . . . . . . . : Friday, October 19, 2012 2:39:34 PM
   Lease Expires . . . . . . . . . . : Friday, October 19, 2012 4:39:34 PM
   Default Gateway . . . . . . . . . : 10.1.10.1
   DHCP Server . . . . . . . . . . . : 10.1.10.1
   DHCPv6 IAID . . . . . . . . . . . : 285215785
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-13-3B-A1-51-00-0C-29-87-5C-B5
   DNS Servers . . . . . . . . . . . : 10.1.10.1
   NetBIOS over Tcpip. . . . . . . . : Disabled

Step 7

Configure a DHCP pool for VLAN 20.

The leased addresses should be part of network 10.1.20.0 /24. For the DNS server and default gateway, use
the router VLAN 20 interface (10.1.20.1). Set the lease time to 12 hours.


Step 8
On the Branch router, verify the configured pools by using the show ip dhcp pool verification command.

Branch# show ip dhcp pool
Pool VLAN10 :
 Utilization mark (high/low)    : 100 / 0
 Subnet size (first/next)       : 0 / 0
 Total addresses                : 254
 Leased addresses               : 1
 Pending event                  : none
 1 subnet is currently in the pool :
 Current index        IP address range                    Leased addresses
 10.1.10.3            10.1.10.1 - 10.1.10.254             1
Pool VLAN20 :
 Utilization mark (high/low)    : 100 / 0
 Subnet size (first/next)       : 0 / 0
 Total addresses                : 254
 Leased addresses               : 0
 Pending event                  : none
 1 subnet is currently in the pool :
 Current index        IP address range                    Leased addresses
 10.1.20.1            10.1.20.1 - 10.1.20.254             0

Step 9

Access PC2.

Open the network adapter settings and edit the IPv4 settings. Set them to obtain an IP address and DNS
address automatically.
Step 10

Check the DHCP address bindings on the router to verify that PC2 has obtained an IP address dynamically.
Activity Verification
You have completed this task when you attain these results:
Step 1

You verified that both PC1 and PC2 have dynamically assigned IP addresses.


Step 2
You have successfully verified connectivity between the PCs using the ping command:


C:\Windows\system32> ping 10.1.20.2


Pinging 10.1.20.2 with 32 bytes of data:
Reply from 10.1.20.2: bytes=32 time=30ms TTL=127
Reply from 10.1.20.2: bytes=32 time=1ms TTL=127
Reply from 10.1.20.2: bytes=32 time=1ms TTL=127
Reply from 10.1.20.2: bytes=32 time=1ms TTL=127
Ping statistics for 10.1.20.2:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 1ms, Maximum = 30ms, Average = 8ms

Task 2: Exclude Specific IP Addresses from DHCP Pools

The configured DHCP server can assign any valid IP address from the pool to DHCP clients. Commonly,
certain IP addresses within the subnet that are assigned to the DHCP pool are configured manually on some
end hosts, such as servers or printers. In this task, you will configure DHCP to limit the valid IP addresses
within the pool to the desired uses.
Activity Procedure
Complete the following steps:
Step 1

On the Branch router, change the configuration of the DHCP server to assign IP addresses to DHCP clients
only from x.x.x.100 to x.x.x.150 within the configured pools.
Step 2

Save the running configuration to the startup configuration on the Branch router.
Step 3

To verify the DHCP configuration, connect to PC1, enter the command prompt, and release the existing
DHCP lease with the ipconfig /release command.
Repeat this step on PC2.
Step 4

Instruct PC1 to request a new DHCP lease by issuing the ipconfig /renew command.
Repeat this step on PC2.


Activity Verification
You have completed this task when you have attained this result:
Step 1
On the Branch router, verify that PC1 and PC2 have been assigned new IP addresses:

Branch# show ip dhcp binding
Bindings from all pools not associated with VRF:
IP address          Client-ID/              Lease expiration        Type
                    Hardware address/
                    User name
10.1.10.100         0100.0c29.4532.be       Oct 19 2012 03:39 PM    Automatic
10.1.20.100         0100.0c29.8807.34       Oct 20 2012 01:24 AM    Automatic
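
The following Python helper is an added example, not part of the lab guide. It derives the ip dhcp excluded-address ranges that leave only x.x.x.100 to x.x.x.150 leasable in each pool, and it checks show ip dhcp binding rows against that window so that a lease handed out before the exclusion (or from an unexpected pool) stands out. The binding rows are copied from the outputs shown in Tasks 1 and 2 and combined here as constructed test input; the function names are hypothetical.

```python
import ipaddress
import re

# Lease window from Task 2, Step 1: host offsets 100 through 150 in each pool.
POOLS = {"10.1.10.0/24": (100, 150), "10.1.20.0/24": (100, 150)}

# Constructed input: the two Task 2 bindings plus the Task 1 binding
# (10.1.10.2) that was leased before any exclusion was configured.
BINDINGS = """\
IP address          Client-ID/              Lease expiration        Type
10.1.10.100         0100.0c29.4532.be       Oct 19 2012 03:39 PM    Automatic
10.1.20.100         0100.0c29.8807.34       Oct 20 2012 01:24 AM    Automatic
10.1.10.2           0100.0c29.8fa8.a6       Oct 25 2012 12:18 PM    Automatic
"""


def excluded_ranges(network, first_host, last_host):
    """Return (low, high) address pairs that must be excluded so that only
    host offsets first_host..last_host of `network` remain leasable."""
    net = ipaddress.ip_network(network)
    low = net.network_address + first_host
    high = net.network_address + last_host
    usable_first = net.network_address + 1
    usable_last = net.broadcast_address - 1
    if not (usable_first <= low <= high <= usable_last):
        raise ValueError("lease window is outside the usable host range")
    ranges = []
    if low > usable_first:
        # The lower block also covers the router's own interface address.
        ranges.append((usable_first, low - 1))
    if high < usable_last:
        ranges.append((high + 1, usable_last))
    return ranges


def ios_commands(network, first_host, last_host):
    """Render the exclusions as global configuration commands."""
    commands = []
    for low, high in excluded_ranges(network, first_host, last_host):
        if low == high:
            commands.append("ip dhcp excluded-address %s" % low)
        else:
            commands.append("ip dhcp excluded-address %s %s" % (low, high))
    return commands


def leases_outside_window(binding_output, pools):
    """Return leased addresses that fall outside every pool's lease window."""
    outside = []
    for line in binding_output.splitlines():
        match = re.match(r"^(\d+\.\d+\.\d+\.\d+)\s", line)
        if not match:
            continue  # header or continuation line
        addr = ipaddress.ip_address(match.group(1))
        for network, (first, last) in pools.items():
            net = ipaddress.ip_network(network)
            if addr in net:
                offset = int(addr) - int(net.network_address)
                if not first <= offset <= last:
                    outside.append(str(addr))
                break
        else:
            outside.append(str(addr))  # lease from a subnet with no known pool
    return outside


if __name__ == "__main__":
    for network, (first, last) in POOLS.items():
        for command in ios_commands(network, first, last):
            print(command)
    print("Leases outside the window:", leases_outside_window(BINDINGS, POOLS))
```
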

Task 3: Configure DHCP Relay Agent

In this task, you will reconfigure the Branch router to support a centralized DHCP server.
Activity Procedure
Complete the following steps:
Step 1

Access the Branch router and remove the DHCP server configuration.
Step 2

Verify that no DHCP server configuration is present on the Branch router by using a DHCP pool show
command.
Branch# show ip dhcp pool
Branch#

Step 3

Configure a DHCP relay agent on the Branch router to forward DHCP messages to a centralized DHCP
server with IP address 172.16.1.100. Configure the relay agent on both logical subinterfaces, which are part
of VLAN 10 and VLAN 20.
Step 4

Save the running configuration to the startup configuration on the Branch router.
Step 5

Access PC1 and release the current DHCP lease.


Step 6
Renew the DHCP lease using the ipconfig /renew command and verify that PC1 has dynamically obtained
an IP address from the 10.1.10.200 to 10.1.10.254 range.

C:\Windows\system32> ipconfig
Windows IP Configuration
Ethernet adapter LAB:
   Connection-specific DNS Suffix . :
   Link-local IPv6 Address . . . . . : fe80::1844:cd29:1d13:1905%13
   IPv4 Address. . . . . . . . . . . : 10.1.10.200
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 10.1.10.1
<output omitted>

Step 7

Renew the DHCP lease using the ipconfig /renew command and verify that PC2 has dynamically obtained
an IP address from the 10.1.20.200 to 10.1.20.254 range.
C:\Windows\system32> ipconfig /all
<output omitted>
Ethernet adapter LAB:
   Connection-specific DNS Suffix . :
   Description . . . . . . . . . . . : VMware Accelerated AMD PCNet Adapter #2
   Physical Address. . . . . . . . . : 00-0C-29-50-EB-9D
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::b423:4279:f330:b1f5%13(Preferred)
   IPv4 Address. . . . . . . . . . . : 10.1.20.200
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Lease Obtained. . . . . . . . . . : Tuesday, October 23, 2012 11:04:21 AM
   Lease Expires . . . . . . . . . . : Tuesday, October 23, 2012 11:04:21 PM
   Default Gateway . . . . . . . . . : 10.1.20.1
   DHCP Server . . . . . . . . . . . : 209.165.201.2
<output omitted>

Activity Verification
No additional verification is needed in this task.

Task 4: Manually Assign IP Addresses


In this task, you will manually assign IP addresses on both PCs.
Activity Procedure
Complete the following steps:


Step 1
Access both PCs and edit the IPv4 network settings. Manually set the parameters according to the table.

IP Addressing

Device   IP Address    Subnet Mask     Default Gateway
PC1      10.1.10.100   255.255.255.0   10.1.10.1
PC2      10.1.20.100   255.255.255.0   10.1.20.1

[Screenshots: IPv4 settings on PC1 and on PC2]

Step 2

To verify the manual settings, use the ping command to verify connectivity between PC1 and PC2.
C:\Windows\system32> ping 10.1.20.100
Pinging 10.1.20.100 with 32 bytes of data:
Reply from 10.1.20.100: bytes=32 time=12ms TTL=127
Reply from 10.1.20.100: bytes=32 time=1ms TTL=127
Reply from 10.1.20.100: bytes=32 time=1ms TTL=127
Reply from 10.1.20.100: bytes=32 time=1ms TTL=127
Ping statistics for 10.1.20.100:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 1ms, Maximum = 12ms, Average = 3ms

Activity Verification
No additional verification is needed in this task.


Lab 4-3: Implementing OSPF


Activity Overview
Objectives

After completing this activity, you will be able to meet these objectives:
Configure a WAN interface
Configure OSPF

Visual Objective
The figure illustrates what you will accomplish in this activity.

[Figure: Visual Objective for Lab 4-3: Implementing OSPF. Devices shown: Branch, HQ, Server, SW1, SW2, PC1, PC2.]

[Figure: Detailed Visual Objective. Devices shown: Branch, WAN, HQ, Server, SW1, PC1. Callouts: Change IP addressing; Configure OSPF.]

Required Resources

No additional resources are required for this lab.


Command List
The table describes the commands that are used in this activity. The commands are listed in alphabetical
order so that you can easily locate the information that you need. Refer to this list if you need configuration
command assistance during the lab activity.

Cisco Commands

Command                               Description
interface interface                   Enters interface configuration mode.
ip address ip_address network_mask    Sets an IP address, along with the subnet mask, on an interface. Enter interface configuration mode to issue this command.
router ospf process_id                Starts the OSPF routing process with the specified process ID. The process ID is of local significance, so two routers can have different process IDs and still become neighbors.
show ip interface brief               Shows a brief version of the operational state and IP information of all interfaces.
show ip ospf interface                Displays interface information that is related to OSPF.
show ip ospf neighbor                 Shows all OSPF neighbors of the router.
show ip route                         Displays the IP route table.

Microsoft Windows Commands

Command                               Description
ping ip_address                       Issues a ping to the specified IP address.

Job Aids

These job aids are available to help you complete the lab activity.

The table shows the hardware that is used in the lab and the operating system that is running on the devices.
Device         Hardware                                Operating System
Branch         Cisco 2901 Integrated Services Router   c2900-universalk9-mz.SPA.152-4.M1
Headquarters   Cisco 2901 Integrated Services Router   c2900-universalk9-mz.SPA.152-4.M1
SW1            Catalyst 2960 Series Switch             c2960-lanbasek9-mz.150-1.SE3
SW2            Catalyst 2960 Series Switch             c2960-lanlitek9-mz.150-1.SE3
PC1            Any PC                                  Microsoft Windows 7
PC2            Any PC                                  Microsoft Windows 7

The table shows the usernames and passwords that are used to access the lab equipment.

Device                     Username        Password
PC1                        Administrator   admin
PC2                        Administrator   admin
Branch (console access)    ccna            cisco
Branch (enable password)                   cisco
SW1 (console access)       ccna            cisco
SW1 (enable password)                      cisco

Topology and IP Addressing

Devices are connected with Ethernet and serial connections. The figure illustrates the interface
identification and IP addresses that are used in this lab setup.

[Figure: Topology and IP Addressing, showing Branch, the WAN link to HQ, the server, SW1, and PC1 with their interface and IP address labels.]

The table shows the interface identification and IP addresses that are used in this lab setup.
Device         Interface                                IP Address/Subnet Mask
Branch         Gi0/1                                    192.168.1.1/24
Branch         Gi0/0.1                                  10.1.1.1/24
Branch         Gi0/0.10                                 10.1.10.1/24
Branch         Gi0/0.20                                 10.1.20.1/24
Headquarters   Gi0/1                                    192.168.1.2/24
Headquarters   Loopback0                                172.16.1.100/24
SW1            VLAN1                                    10.1.1.11/24
PC1            Ethernet adapter local area connection   10.1.10.100/24

VLAN Setup
Three VLANs are configured on the switch. VLAN 1 is used for switch management, and VLAN 10 is used to
connect PC1. VLAN 20 is used to connect PC2, which is not used in this lab exercise.

[Figure: VLAN Setup, showing Branch, SW1, and PC1 with the trunk link and VLANs 1 and 10.]

Task 1: Connect the Router to the WAN

In this task, you will disconnect the Branch router from the Internet by removing DHCP and NAT
configuration from the GigabitEthernet0/1 interface. You will use this link for WAN Ethernet connectivity
instead. You will configure the interface for WAN connectivity by setting a private IP address on the
interface. The Headquarters router has been already preconfigured for WAN connectivity.
Activity Procedure
Complete the following steps:
Step 1

Access the Branch router.


Step 2

Remove DHCP and NAT configuration from the GigabitEthernet0/1 interface.


Step 3

Configure IP address 192.168.1.1 with network mask 255.255.255.0 on the GigabitEthernet0/1 interface.
Activity Verification
You have completed this task when you attain these results:


Step 1
On the Branch router, verify the operational state of interface GigabitEthernet0/1. Verify that the interface
is configured with the correct IP address.

Branch# show ip interface brief
Any interface listed with OK? value "NO" does not have a valid configuration
Interface                   IP-Address      OK? Method Status                Protocol
Embedded-Service-Engine0/0  unassigned      YES unset  administratively down down
GigabitEthernet0/0          unassigned      YES unset  up                    up
GigabitEthernet0/0.1        10.1.1.1        YES manual up                    up
GigabitEthernet0/0.10       10.1.10.1       YES manual up                    up
GigabitEthernet0/0.20       10.1.20.1       YES manual up                    up
GigabitEthernet0/1          192.168.1.1     YES manual up                    up
Serial0/0/0                 unassigned      YES unset  administratively down down
NVI0                        unassigned      NO  unset  up                    up

Step 2

From the Branch router, ping the Headquarters router at 192.168.1.2.

Your attempt should be successful.

Branch# ping 192.168.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 56/56/56 ms

Step 3

From PC1, ping the server with the 172.16.1.100 IP address.

Your attempt should not be successful because the Headquarters router does not have a path back to the
10.1.10.0/24 network.
C:\Users\Administrator> ping 172.16.1.100
Pinging 172.16.1.100 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Ping statistics for 172.16.1.100:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),

Task 2: Configure OSPF

The Headquarters router was configured with OSPF by your coworker. In this task, you will configure
OSPF on the Branch router. The two routers will then become neighbors and exchange routing information.
Activity Procedure
Complete the following steps:


Step 1
On the Branch router, enable single-area OSPF (area 0) and configure it so that it advertises networks
10.1.1.0/24, 10.1.10.0/24, 10.1.20.0/24, and 192.168.1.0/24.
The Headquarters router was already configured with OSPF by your colleague.


Activity Verification
You have completed this task when you attain these results:
Step 1

On the Branch router, determine whether you see the Headquarters router as a neighbor.
The Headquarters router is configured with the router ID of 1.1.1.1.
Branch# show ip ospf neighbor
Neighbor ID     Pri   State           Dead Time   Address         Interface
1.1.1.1           1   FULL/BDR        00:00:35    192.168.1.2     GigabitEthernet0/1

Step 2

On the Branch router, verify that GigabitEthernet0/0.1, GigabitEthernet0/0.10, GigabitEthernet0/0.20, and
GigabitEthernet0/1 are enabled for the OSPF process.
Branch# show ip ospf interface brief
Interface    PID   Area   IP Address/Mask    Cost  State Nbrs F/C
Gi0/1        100   0      192.168.1.1/24     1     DR    1/1
Gi0/0.20     100   0      10.1.20.1/24       1     DR    0/0
Gi0/0.10     100   0      10.1.10.1/24       1     DR    0/0
Gi0/0.1      100   0      10.1.1.1/24        1     DR    0/0

Step 3
On the Branch router, view the routing table. Note the entry for the 172.16.1.0/24 network that was
acquired via the OSPF routing process.

Branch# show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       + - replicated route, % - next hop override
Gateway of last resort is 0.0.0.0 to network 0.0.0.0
S*    0.0.0.0/0 is directly connected, GigabitEthernet0/1
      10.0.0.0/8 is variably subnetted, 6 subnets, 2 masks
C        10.1.1.0/24 is directly connected, GigabitEthernet0/0.1
L        10.1.1.1/32 is directly connected, GigabitEthernet0/0.1
C        10.1.10.0/24 is directly connected, GigabitEthernet0/0.10
L        10.1.10.1/32 is directly connected, GigabitEthernet0/0.10
C        10.1.20.0/24 is directly connected, GigabitEthernet0/0.20
L        10.1.20.1/32 is directly connected, GigabitEthernet0/0.20
      172.16.0.0/32 is subnetted, 1 subnets
O        172.16.1.100 [110/2] via 192.168.1.2, 00:07:00, GigabitEthernet0/1
      192.168.1.0/24 is variably subnetted, 2 subnets, 2 masks
C        192.168.1.0/24 is directly connected, GigabitEthernet0/1
L        192.168.1.1/32 is directly connected, GigabitEthernet0/1

Step 4

From PC1, ping the 172.16.1.100 server. Your attempt should be successful because the HQ router now
knows how to get back to the 10.1.10.0/24 network.
C:\Users\Administrator>ping 172.16.1.100
Pinging 172.16.1.100 with 32 bytes of data:
Reply from 172.16.1.100: bytes=32 time=44ms TTL=128
Reply from 172.16.1.100: bytes=32 time=41ms TTL=128
Reply from 172.16.1.100: bytes=32 time=36ms TTL=128
Reply from 172.16.1.100: bytes=32 time=36ms TTL=128
Ping statistics for 172.16.1.100:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 36ms, Maximum = 44ms, Average = 39ms


Lab 5-1: Configure and Verify Basic IPv6
Activity Overview
Objectives

In this activity, you will enable IPv6 globally and manually configure an IPv6 address on the interface.
After completing this lab activity, you will be able to meet this objective:
Enable IPv6 support on a router and perform basic configuration

Visual Objective
The figure illustrates what you will accomplish in this activity.

[Figure: Visual Objective for Lab 5-1: Configure and Verify Basic IPv6. Devices shown: Branch, HQ, Server, SW1, SW2, PC1, PC2.]

[Figure: Detailed Visual Objective. Devices shown: Branch, HQ. Callout: Configure and verify basic IPv6.]

Required Resources

No additional resources are required for this lab.


Command List
The table describes the commands that are used in this activity. The commands are listed in alphabetical
order so that you can easily locate the information that you need. Refer to this list if you need configuration
or verification Cisco IOS command assistance during the lab activity.

Commands

Command                               Description
configure terminal                    Enters configuration mode
exit                                  Exits from the Telnet session
interface interface                   Enters interface configuration mode
ipv6 address ipv6_address/ipv6_mask   Configures IPv6 address to the interface
ipv6 unicast-routing                  Enables IPv6 forwarding support on the router
ping destination_address              Pings the specified IP address
show ipv6 interface interface         Displays IPv6 status on the interface
telnet ip_address                     Uses Telnet to connect to the specified IP address
traceroute ip_address                 Traces to the specified IP address

Job Aids

These job aids are available to help you complete the lab activity.

The table shows the hardware that is used in the lab and the operating system that is running on the devices.
Device   Hardware                                Operating System
Branch   Cisco 2901 Integrated Services Router   c2900-universalk9-mz.SPA.152-4.M1
HQ       Cisco 2901 Integrated Services Router   c2900-universalk9-mz.SPA.152-4.M1

The table shows the usernames and passwords that are used to access the lab equipment.
Device

Username

Password

Branch (console access)

ccna

cisco

Branch (enable password)

cisco

Topology and IP Addressing

Devices are connected with an Ethernet connection. The figure illustrates IP addresses that are used in this
lab setup.

[Figure: Topology and IP Addressing. Branch (2001:DB8:D1A5:C900::1) and HQ (2001:DB8:D1A5:C900::2) are connected across the Internet; the server behind HQ is 2001:DB8:AC10:100::64.]

The table shows the interface identification and IP addresses that are used in this lab setup.

Device   Interface   IP Address/Subnet Mask
Branch   Gi0/1       2001:DB8:D1A5:C900::1/64
HQ       Gi0/1       2001:DB8:D1A5:C900::2/64
HQ       Loopback0   2001:DB8:AC10:100::64/64

Task 1: Enable IPv6 on the Router

In this task, you will enable IPv6 globally and manually configure an IPv6 address on the interface.
The HQ router is already configured with an IPv6 address on the Gigabit Ethernet interface.
Activity Procedure
Complete the following steps:
Step 1

On the Branch router, enable IPv6 unicast routing.


Step 2

On the Branch router, configure an IPv6 address on the GigabitEthernet0/1 interface.


Step 3

Save the running configuration to the startup configuration.


Activity Verification
You have completed this task when you attain this result:
Step 1
On the Branch router, verify IPv6 setup on the GigabitEthernet 0/1 interface.


Branch# show ipv6 interface GigabitEthernet 0/1


GigabitEthernet0/1 is up, line protocol is up
IPv6 is enabled, link-local address is FE80::FE99:47FF:FEE5:2599
No Virtual link-local address(es):
Description: Link to HQ
Global unicast address(es):
2001:DB8:D1A5:C900::1, subnet is 2001:DB8:D1A5:C900::/64
Joined group address(es):
FF02::1
FF02::2
FF02::1:FF00:1
FF02::1:FFE5:2599
MTU is 1500 bytes
ICMP error messages limited to one every 100 milliseconds
ICMP redirects are enabled
ICMP unreachables are sent
ND DAD is enabled, number of DAD attempts: 1
ND reachable time is 30000 milliseconds (using 30000)
ND advertised reachable time is 0 (unspecified)
ND advertised retransmit interval is 0 (unspecified)
ND router advertisements are sent every 200 seconds
ND router advertisements live for 1800 seconds
ND advertised default router preference is Medium
Hosts use stateless autoconfig for addresses.

The GigabitEthernet0/1 interface is up and running. An IPv6 address is successfully enabled on the
interface.
Step 2

On the Branch router, ping the HQ router GigabitEthernet0/1 interface (2001:DB8:D1A5:C900::2). The
ping should be successful.
Branch# ping 2001:db8:D1A5:C900::2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2001:DB8:D1A5:C900::2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 0/1/4 ms

Step 3
On the Branch router, trace the route to the IPv6 address 2001:DB8:D1A5:C900::2. You should see a response
from the HQ router.

Branch# traceroute 2001:db8:D1A5:C900::2
Type escape sequence to abort.
Tracing the route to 2001:DB8:D1A5:C900::2
1 2001:DB8:D1A5:C900::2 0 msec 4 msec 0 msec

Step 4
From the Branch router, use Telnet to connect to IPv6 address 2001:DB8:D1A5:C900::2. You should see a
successful Telnet to the HQ router.
Branch# telnet 2001:db8:D1A5:C900::2
Trying 2001:DB8:D1A5:C900::2 ... Open
HQ#

Disconnect from the HQ router by entering the exit command.

HQ# exit
[Connection to 2001:db8:D1A5:C900::2 closed by foreign host]
Branch#


Lab 5-2: Configure and Verify Stateless Autoconfiguration
Activity Overview
Objectives

In this activity, you will enable stateless autoconfiguration. After completing this lab activity, you will be
able to meet this objective:
Configure and verify stateless autoconfiguration

Visual Objective
The figure illustrates what you will accomplish in this activity.

[Figure: Visual Objective for Lab 5-2: Configure and Verify Stateless Autoconfiguration. Topology with Branch, HQ, Server, SW1, SW2, PC1 and PC2; the detailed visual objective is to enable and verify IPv6 stateless autoconfiguration on Branch and HQ.]

Required Resources

No additional resources are required for this lab.


Command List
The table describes the commands that are used in this activity. The commands are listed in alphabetical
order so that you can easily locate the information that you need. Refer to this list if you need configuration
or verification Cisco IOS command assistance during the lab activity.

Command                               Description
configure terminal                    Enters configuration mode
exit                                  Exits from the Telnet session
interface interface                   Enters interface configuration mode
ipv6 address autoconfig               Enables IPv6 autoconfiguration on the interface
ping destination_address              Pings the specified IP address
show ipv6 interface interface         Displays IPv6 status on the interface
telnet ip_address                     Uses Telnet to connect to the specified IP address
traceroute ip_address                 Traces to the specified IP address

Job Aids

These job aids are available to help you complete the lab activity.

The table shows the hardware that is used in the lab and the operating system that is running on the devices.
Device   Hardware                                Operating System
Branch   Cisco 2901 Integrated Services Router   c2900-universalk9-mz.SPA.152-4.M1
HQ       Cisco 2901 Integrated Services Router   c2900-universalk9-mz.SPA.152-4.M1

The table shows the usernames and passwords that are used to access the lab equipment.

Device                     Username   Password
Branch (console access)    ccna       cisco
Branch (enable password)              cisco

Topology and IP Addressing

Devices are connected with an Ethernet connection. The figure illustrates IP addresses that are used in this
lab setup.

[Figure: Topology and IP Addressing. Branch (2001:DB8:D1A5:C900::1) and HQ (2001:DB8:D1A5:C900::2) are connected across the Internet; the server behind HQ is 2001:DB8:AC10:100::64.]

The table shows the interface identification and IP addresses that are used in this lab setup.

Device   Interface   IP Address/Subnet Mask
Branch   Gi0/1       2001:DB8:D1A5:C900::1/64
HQ       Gi0/1       2001:DB8:D1A5:C900::2/64
HQ       Loopback0   2001:DB8:AC10:100::64/64

Task 1: Enable Stateless Autoconfiguration on the Router

In this task, you will first remove a configured IPv6 address from the interface and then configure stateless
autoconfiguration on the interface.
The HQ router is already configured with the IPv6 address on the Gigabit Ethernet interface.
Activity Procedure
Complete the following steps:


Step 1
On the Branch router, verify the current GigabitEthernet 0/1 configuration.


Branch# show running-config interface GigabitEthernet 0/1


Building configuration...
Current configuration : 166 bytes
!
interface GigabitEthernet0/1
description Link to HQ
ip address 209.165.201.1 255.255.255.224
duplex auto
speed auto
ipv6 address 2001:DB8:D1A5:C900::1/64
end

There is an IPv6 address that is configured on the interface.


Step 2

On the Branch router, remove the IPv6 address from the GigabitEthernet 0/1 interface.
Step 3

On the Branch router, configure stateless autoconfiguration on the GigabitEthernet 0/1 interface.
Activity Verification
You have completed this task when you attain these results:


Step 1
On the Branch router, verify the IPv6 setup on the GigabitEthernet 0/1 interface.


Branch# show ipv6 interface GigabitEthernet 0/1


GigabitEthernet0/1 is up, line protocol is up
IPv6 is enabled, link-local address is FE80::FE99:47FF:FEE5:2599
No Virtual link-local address(es):
Description: Link to HQ
Stateless address autoconfig enabled
Global unicast address(es):
2001:DB8:D1A5:C900:FE99:47FF:FEE5:2599, subnet is 2001:DB8:D1A5:C900::/64
[EUI/CAL/PRE]
valid lifetime 2591996 preferred lifetime 604796
Joined group address(es):
FF02::1
FF02::2
FF02::1:FFE5:2599
MTU is 1500 bytes
ICMP error messages limited to one every 100 milliseconds
ICMP redirects are enabled
ICMP unreachables are sent
ND DAD is enabled, number of DAD attempts: 1
ND reachable time is 30000 milliseconds (using 30000)
ND advertised reachable time is 0 (unspecified)
ND advertised retransmit interval is 0 (unspecified)
ND router advertisements are sent every 200 seconds
ND router advertisements live for 1800 seconds
ND advertised default router preference is Medium
Hosts use stateless autoconfig for addresses.

The GigabitEthernet 0/1 interface is up and running. The IPv6 address is successfully set on the interface.
The IPv6 prefix is the same as what is configured on the HQ router, and the host portion of the IPv6 address
is calculated from the GigabitEthernet 0/1 interface MAC address.
Step 2

On the Branch router, ping the HQ router GigabitEthernet0/1 interface (2001:DB8:D1A5:C900::2). The
ping should be successful.
Branch# ping 2001:db8:D1A5:C900::2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2001:DB8:D1A5:C900::2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 0/1/4 ms


Step 3
On the Branch router, trace route to the IPv6 address 2001:DB8:D1A5:C900::2. You should see a response
from the HQ router.


Branch# traceroute 2001:db8:D1A5:C900::2


Type escape sequence to abort.
Tracing the route to 2001:DB8:D1A5:C900::2
1 2001:DB8:D1A5:C900::2 0 msec 4 msec 0 msec
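
The interface ID of the autoconfigured address in Step 1 is the modified EUI-64 form of the interface MAC address, and the FF02::1:FF... groups in the `show ipv6 interface` outputs of Labs 5-1 and 5-2 are solicited-node addresses built from the low 24 bits of each unicast address. The following Python sketch is an added example, not part of the Cisco lab guide; it reproduces both derivations and also reverses the first, which shows that an EUI-64 address discloses the hardware address to every peer that sees it. The MAC fc99.47e5.2599 is an assumption inferred from the link-local address in the output (the page never prints it), and the function names are hypothetical.

```python
import ipaddress
from typing import Optional

IID_MASK = (1 << 64) - 1  # low 64 bits of an IPv6 address: the interface ID


def mac_to_eui64_iid(mac: str) -> int:
    """Build the modified EUI-64 interface ID (RFC 4291, Appendix A) from a MAC."""
    digits = "".join(ch for ch in mac if ch not in ".:-")
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    raw = bytes.fromhex(digits)
    eui = bytearray(raw[:3] + b"\xff\xfe" + raw[3:])  # insert FFFE in the middle
    eui[0] ^= 0x02                                    # invert the universal/local bit
    return int.from_bytes(eui, "big")


def slaac_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Combine an advertised /64 prefix with the EUI-64 interface ID."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("EUI-64 autoconfiguration needs a /64 prefix")
    return ipaddress.IPv6Address(int(net.network_address) | mac_to_eui64_iid(mac))


def eui64_to_mac(address: str) -> Optional[str]:
    """Recover the MAC embedded in an EUI-64 address, or None if there is none.

    Heuristic: FFFE in the middle of the interface ID marks EUI-64; a random
    interface ID can match by chance, so treat a hit as a strong hint only.
    """
    iid = int(ipaddress.IPv6Address(address)) & IID_MASK
    octets = bytearray(iid.to_bytes(8, "big"))
    if octets[3:5] != b"\xff\xfe":
        return None  # manually assigned or randomized interface ID
    octets[0] ^= 0x02  # undo the universal/local bit inversion
    return ":".join(f"{b:02x}" for b in octets[:3] + octets[5:])


def solicited_node(address: str) -> ipaddress.IPv6Address:
    """Solicited-node multicast group: FF02::1:FF00:0/104 plus the low 24 bits."""
    low24 = int(ipaddress.IPv6Address(address)) & 0xFFFFFF
    base = int(ipaddress.IPv6Address("ff02::1:ff00:0"))
    return ipaddress.IPv6Address(base | low24)


if __name__ == "__main__":
    mac = "fc99.47e5.2599"                    # assumed, inferred from the lab output
    prefix = "2001:DB8:D1A5:C900::/64"        # prefix advertised by HQ in the lab
    auto = slaac_address(prefix, mac)
    print("autoconfigured address:", auto)
    print("MAC recovered from it :", eui64_to_mac(str(auto)))
    print("manual ::1 address    :", eui64_to_mac("2001:DB8:D1A5:C900::1"))
    for addr in ("2001:DB8:D1A5:C900::1", "FE80::FE99:47FF:FEE5:2599"):
        print(f"solicited-node group for {addr}: {solicited_node(addr)}")
```

The manually configured ::1 address from Lab 5-1 yields no MAC, while the autoconfigured one gives it back in full.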


Lab 5-3: Configure and Verify IPv6 Routing
Activity Overview
Objectives

In this activity, you will configure and verify IPv6 routing by enabling static routing and OSPFv3. After
completing this lab activity, you will be able to meet these objectives:
Enable and verify static routing
Enable and verify OSPFv3

Visual Objective
The figure illustrates what you will accomplish in this activity.

[Figure: Visual Objective for Lab 5-3: Configure and Verify IPv6 Routing. Topology with Branch, HQ, Server, SW1, SW2, PC1 and PC2; the detailed visual objective is to configure an IPv6 default route and enable OSPFv3 between Branch, HQ and the Server.]

Required Resources

No additional resources are required for this lab.


Command List
The table describes the commands that are used in this activity. The commands are listed in alphabetical
order so that you can easily locate the information that you need. Refer to this list if you need configuration
or verification Cisco IOS command assistance during the lab activity.

Command                                   Description
configure terminal                        Enters configuration mode.
interface interface                       Enters interface configuration mode.
ipv6 ospf process_ID area area_ID         Enables OSPFv3 routing on the interface.
[no] ipv6 route ::/0 interface next_hop   Enables or disables the IPv6 default route.
ipv6 router ospf process_ID               Enables OSPFv3 and enters routing process mode.
ping destination_address                  Pings the specified IP address.
router-id router-id                       Configures the OSPFv3 router ID. The router ID is a 32-bit value, written
                                          in the IPv4 form (x.x.x.x).
show ipv6 ospf                            Displays OSPFv3 settings.
show ipv6 ospf neighbor                   Displays OSPFv3 neighbors.
show ipv6 route                           Displays the IPv6 routing table.

Job Aids

These job aids are available to help you complete the lab activity.

The table shows the hardware that is used in the lab and the operating system that is running on the devices.
Device   Hardware                                Operating System
Branch   Cisco 2901 Integrated Services Router   c2900-universalk9-mz.SPA.152-4.M1
HQ       Cisco 2901 Integrated Services Router   c2900-universalk9-mz.SPA.152-4.M1

The table shows the usernames and passwords that are used to access the lab equipment.

Device                     Username   Password
Branch (console access)    ccna       cisco
Branch (enable password)              cisco

Topology and IP Addressing

Devices are connected with an Ethernet connection. The figure illustrates IP addresses that are used in this
lab setup.

[Figure: Topology and IP Addressing. Branch (2001:DB8:D1A5:C900::1) and HQ (2001:DB8:D1A5:C900::2) are connected across the Internet; the server behind HQ is 2001:DB8:AC10:100::64.]

The table shows the interface identification and IP addresses that are used in this lab setup.

Device   Interface   IP Address/Subnet Mask
Branch   Gi0/1       2001:DB8:D1A5:C900::1/64
HQ       Gi0/1       2001:DB8:D1A5:C900::2/64
HQ       Loopback0   2001:DB8:AC10:100::64/64

Task 1: Enable IPv6 Static Routing

In this task, you will configure the IPv6 default route on the Branch router.
Activity Procedure
Complete the following steps:
Step 1

On the Branch router, verify IPv6 connectivity to the server at 2001:DB8:AC10:100::64.

Branch# ping 2001:DB8:AC10:100::64


Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2001:DB8:AC10:100::64, timeout is 2 seconds:
% No valid source address for destination
Success rate is 0 percent (0/1)

The ping is not successful because there is no valid route for network 2001:DB8:AC10:100::/64 in the
routing table.


Step 2
On the Branch router, verify the IPv6 routing table.


Branch# show ipv6 route


IPv6 Routing Table - default - 3 entries
Codes: C - Connected, L - Local, S - Static, U - Per-user Static route
       B - BGP, R - RIP, I1 - ISIS L1, I2 - ISIS L2
       IA - ISIS interarea, IS - ISIS summary, D - EIGRP, EX - EIGRP external
       ND - Neighbor Discovery, l - LISP
       O - OSPF Intra, OI - OSPF Inter, OE1 - OSPF ext 1, OE2 - OSPF ext 2
       ON1 - OSPF NSSA ext 1, ON2 - OSPF NSSA ext 2
NDp 2001:DB8:D1A5:C900::/64 [2/0]
     via GigabitEthernet0/1, directly connected
L   2001:DB8:D1A5:C900:FE99:47FF:FEE5:2599/128 [0/0]
     via GigabitEthernet0/1, receive
L   FF00::/8 [0/0]
     via Null0, receive

From the IPv6 routing table output, you can confirm that there is no route for the desired network.
Step 3

On the Branch router, configure a default IPv6 route pointing to the HQ router.
Activity Verification
You have completed this task when you attain these results:
Step 1

On the Branch router, ping the server at 2001:DB8:AC10:100::64. The ping should be successful.

Branch# ping 2001:DB8:AC10:100::64


Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2001:DB8:AC10:100::64, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 0/1/8 ms


Step 2
On the Branch router, verify the IPv6 routing table.


Branch# show ipv6 route


IPv6 Routing Table - default - 4 entries
Codes: C - Connected, L - Local, S - Static, U - Per-user Static route
       B - BGP, R - RIP, I1 - ISIS L1, I2 - ISIS L2
       IA - ISIS interarea, IS - ISIS summary, D - EIGRP, EX - EIGRP external
       ND - Neighbor Discovery, l - LISP
       O - OSPF Intra, OI - OSPF Inter, OE1 - OSPF ext 1, OE2 - OSPF ext 2
       ON1 - OSPF NSSA ext 1, ON2 - OSPF NSSA ext 2
S   ::/0 [1/0]
     via 2001:DB8:D1A5:C900::2, GigabitEthernet0/1
NDp 2001:DB8:D1A5:C900::/64 [2/0]
     via GigabitEthernet0/1, directly connected
L   2001:DB8:D1A5:C900:FE99:47FF:FEE5:2599/128 [0/0]
     via GigabitEthernet0/1, receive
L   FF00::/8 [0/0]
     via Null0, receive

There is still no route for network 2001:DB8:AC10:100::/64, but there is a static default route. The Branch
router uses the default route to reach IPv6 networks that are not present in the routing table.

Task 2: Enable OSPFv3

In this task, you will first remove the default IPv6 route that was configured in the previous task, and then
you will enable OSPFv3.
The HQ router is already configured with OSPFv3.
Activity Procedure
Complete the following steps:
Step 1

On the Branch router, remove the static IPv6 default route.


Step 2

On the Branch router, enable OSPFv3 with process ID 1 and router ID 0.0.0.2.
Step 3

On the Branch router, enable OSPFv3 area 0 on the GigabitEthernet0/1 interface.


Activity Verification
You have completed this task when you attain these results:


Step 1
On the Branch router, observe the output on the console.
Nov 14 10:13:05.399: %OSPFv3-5-ADJCHG: Process 1, Nbr 0.0.0.1 on GigabitEthernet0/1
from LOADING to FULL, Loading Done


The OSPFv3 adjacency between the Headquarters and Branch routers is established.
Step 2

On the Branch router, display the OSPFv3 neighbor.


Branch# show ipv6 ospf neighbor
Neighbor ID     Pri   State           Dead Time   Interface ID    Interface
0.0.0.1           1   FULL/DR         00:00:39    4               GigabitEthernet0/1

The Branch router has an active OSPFv3 neighborship to the router with router ID 0.0.0.1. The HQ router is
using OSPFv3 router ID 0.0.0.1.
Step 3

On the Branch router, display the OSPFv3 setup.

Branch# show ipv6 ospf


Routing Process "ospfv3 1" with ID 0.0.0.2
Event-log enabled, Maximum number of events: 1000, Mode: cyclic
< output omitted >

The OSPFv3 on the Branch router is using process ID 1 and router ID 0.0.0.2.


Step 4
On the Branch router, display the IPv6 routing table.


Branch# show ipv6 route


IPv6 Routing Table - default - 4 entries
Codes: C - Connected, L - Local, S - Static, U - Per-user Static route
       B - BGP, R - RIP, I1 - ISIS L1, I2 - ISIS L2
       IA - ISIS interarea, IS - ISIS summary, D - EIGRP, EX - EIGRP external
       ND - Neighbor Discovery, l - LISP
       O - OSPF Intra, OI - OSPF Inter, OE1 - OSPF ext 1, OE2 - OSPF ext 2
       ON1 - OSPF NSSA ext 1, ON2 - OSPF NSSA ext 2
O   2001:DB8:AC10:100::/64 [110/2]
     via FE80::FE99:47FF:FEE5:2551, GigabitEthernet0/1
NDp 2001:DB8:D1A5:C900::/64 [2/0]
     via GigabitEthernet0/1, directly connected
L   2001:DB8:D1A5:C900:FE99:47FF:FEE5:2599/128 [0/0]
     via GigabitEthernet0/1, receive
L   FF00::/8 [0/0]
     via Null0, receive

Observe the OSPFv3 route to network 2001:DB8:AC10:100::/64.


Step 5

On the Branch router, verify connectivity to IPv6 address 2001:DB8:AC10:100::64.

Branch# ping 2001:DB8:AC10:100::64


Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2001:DB8:AC10:100::64, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 0/0/4 ms

The ping is successful.
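
The three routing tables in this lab decide the fate of the same ping by longest-prefix match: no matching entry, then the static ::/0, then the more specific OSPFv3 route. The following Python sketch is an added example, not part of the Cisco lab guide; it parses the route entries from the lab's `show ipv6 route` outputs (re-typed inline, legend omitted) and looks up the server address in each table. The names parse_routes and lookup are hypothetical helpers.

```python
import ipaddress
import re
from typing import List, NamedTuple, Optional

# Route entries re-typed from the lab's three "show ipv6 route" outputs.
BEFORE = """\
NDp 2001:DB8:D1A5:C900::/64 [2/0]
     via GigabitEthernet0/1, directly connected
L   2001:DB8:D1A5:C900:FE99:47FF:FEE5:2599/128 [0/0]
     via GigabitEthernet0/1, receive
L   FF00::/8 [0/0]
     via Null0, receive
"""
WITH_STATIC = (
    "S   ::/0 [1/0]\n"
    "     via 2001:DB8:D1A5:C900::2, GigabitEthernet0/1\n" + BEFORE
)
WITH_OSPF = (
    "O   2001:DB8:AC10:100::/64 [110/2]\n"
    "     via FE80::FE99:47FF:FEE5:2551, GigabitEthernet0/1\n" + BEFORE
)


class Route(NamedTuple):
    code: str                      # S, O, L, NDp, ...
    prefix: ipaddress.IPv6Network
    distance: int                  # administrative distance
    metric: int
    via: str                       # next hop and/or outgoing interface


# "<code> <prefix>/<len> [<distance>/<metric>]" starting in column 0
ROUTE_RE = re.compile(
    r"^(?P<code>[A-Za-z0-9]+)\s+(?P<prefix>[0-9A-Fa-f:]+/\d+)\s+"
    r"\[(?P<ad>\d+)/(?P<metric>\d+)\]\s*$"
)


def parse_routes(text: str) -> List[Route]:
    """Pair each route line with the 'via' line that follows it."""
    routes: List[Route] = []
    pending = None
    for line in text.splitlines():
        match = ROUTE_RE.match(line)
        if match:
            pending = match
            continue
        stripped = line.strip()
        if pending and stripped.startswith("via "):
            routes.append(Route(
                pending["code"],
                ipaddress.IPv6Network(pending["prefix"]),
                int(pending["ad"]),
                int(pending["metric"]),
                stripped[4:],
            ))
            pending = None
    return routes


def lookup(routes: List[Route], destination: str) -> Optional[Route]:
    """Return the longest-prefix match for destination, or None if no route."""
    dst = ipaddress.IPv6Address(destination)
    candidates = [r for r in routes if dst in r.prefix]
    return max(candidates, key=lambda r: r.prefix.prefixlen, default=None)


if __name__ == "__main__":
    server = "2001:DB8:AC10:100::64"
    for label, table in (("before", BEFORE), ("static default", WITH_STATIC),
                         ("OSPFv3", WITH_OSPF)):
        hit = lookup(parse_routes(table), server)
        if hit is None:
            print(f"{label:15} no route to {server}")
        else:
            print(f"{label:15} {hit.code} {hit.prefix} via {hit.via}")
```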


Lab S-1: ICND1 Superlab


Activity Overview
Objectives

In this activity, you will repeat what you have learned throughout the course. After completing this activity,
you will be able to meet these objectives:
Configure basic settings, VLANs, trunks, and port security on the Cisco switch
Configure inter-VLAN routing

Configure Internet connectivity

Configure WAN connectivity and dynamic routing protocol


Configure IPv6 connectivity in a LAN

Configure the OSPFv3 routing protocol

Visual Objective
The figure illustrates what you will accomplish in this activity.

[Figure: Visual Objective for Lab S-1: ICND1 Superlab. Topology with Branch, HQ, Server, Internet/WAN, SW1, SW2, PC1 (VLAN 10) and PC2 (VLAN 20). Callouts: configure basic settings and inter-VLAN routing; configure Internet connectivity; configure WAN connectivity; enable IPv6 connectivity; configure VLANs, trunk, and port security (SW1 and SW2).]

Required Resources

These resources and equipment are required to complete this activity:

A PC that is connected to the on-site lab or a PC with Internet connectivity to access the remote lab

Command List

The table that follows describes the commands that are used in this activity. The commands are listed in
alphabetical order so that you can easily locate the information that you need. Refer to this list if you need
configuration command assistance during the lab activity.
Command                                       Description
access-list acl_id permit network             Creates a numbered access list entry.
configure terminal                            Activates the configuration mode from the terminal.
crypto key generate rsa                       Generates an RSA crypto key pair.
delete name                                   Deletes a file from flash memory.
deny ip|tcp|udp source_network wildcard       Creates a deny access list entry.
  mask dst_network wildcard mask
enable                                        Activates privileged EXEC mode. In privileged EXEC mode, more
                                              commands are available. This command requires you to enter the
                                              enable password if an enable password is configured.
enable secret password                        Configures the enable password in encrypted form.
encapsulation dot1Q vlan [native]             Sets the encapsulation type and VLAN on a subinterface on a router.
erase startup-config                          Erases the startup configuration that is stored in nonvolatile memory.
hostname hostname                             Sets the system name, which forms part of the prompt.
interface interface                           Enters the interface configuration mode.
interface interface.subinterface              Enters the subinterface configuration mode.
ip access-list extended acl_name              Creates an extended, named ACL.
ip access-group acl_name in|out               Applies an extended ACL to an interface in the inbound or
                                              outbound direction.
ip address ip-address subnet-mask             Sets the IP address and mask on an interface.
ip domain-name domain                         Sets a domain name.
ip nat inside source list acl_id interface    Configures dynamic NAT with PAT.
  interface overload
ip nat inside                                 Configures an interface as NAT inside.
ip nat outside                                Configures an interface as NAT outside.
ip route network mask next_hop_ip_address     Configures a static route (including a default route).
ip ssh version 2                              Enables SSH version 2.
ipv6 address ipv6-address/prefix_length       Sets the IPv6 address and prefix length on an interface.
ipv6 ospf process_id area area_id             Enables an interface for OSPFv3 in an area.
ipv6 router ospf process_id                   Creates the OSPFv3 process.
ipv6 unicast-routing                          Enables IPv6 routing on a router.
line console 0                                Enters the line console configuration mode.
line vty start_line end_line                  Enters the virtual lines configuration mode.
logging synchronous                           Enables synchronous logging on a line.
login                                         Enables verification of a password on a line.
login local                                   Enables verification of a username and password on a line.
network network wildcard_mask area area_id    Configures a router to advertise a network through OSPF.
password                                      Sets the password on a line.
permit ip|tcp|udp source_network wildcard     Creates a permit access list entry.
  mask dst_network wildcard mask
ping ip_address                               Pings a destination IP address.
reload                                        Restarts the switch and reloads the Cisco IOS operating system
                                              and configuration.
router ospf process_id                        Creates the OSPF process.
show interfaces interface                     Displays the status of an interface.
show interfaces interface switchport          Displays the switchport status of a port.
show interfaces interface trunk               Displays the trunking status of a port.
show ip access-lists                          Displays configured access lists and hit counts.
show ip interface brief                       Displays the brief status of interfaces and their IP addresses.
show ip route                                 Displays the routing table.
show ipv6 interface interface                 Displays IPv6 settings and status on an interface.
show ipv6 ospf                                Displays OSPFv3 settings on a router.
show ipv6 neighbors                           Displays the IPv6 neighbor discovery table.
show ipv6 route                               Displays the IPv6 routing table.
show ip nat translations                      Displays the NAT table.
show ip ospf neighbor                         Displays OSPF neighbors.
show ipv6 ospf neighbor                       Displays OSPFv3 neighbors.
show mac address-table                        Displays the MAC address table on a switch.
show users                                    Displays users that are currently logged in to a router.
show port-security interface interface        Displays port security information on an interface.
shutdown                                      Shuts down an interface. Use the no version of the command to
                                              enable the interface.
switchport access vlan vlan                   Specifies an access VLAN on a switchport.
switchport mode access | trunk                Configures a switchport as an access or trunk port.
switchport port-security                      Enables port security on a switchport.
switchport port-security violation protect    Configures the port security violation to protect.
switchport port-security maximum number       Specifies the maximum number of MAC addresses that can be
                                              seen on a port when port security is enabled.
switchport port-security mac-address          Manually defines MAC addresses that are allowed on a switchport
  mac_address                                 when port security is enabled.
switchport trunk allowed vlan vlans           Specifies allowed VLANs on a trunk link.
telnet ip_address                             Uses Telnet to connect to a destination IP address.
transport input ssh telnet                    Allows Telnet and SSH on virtual lines.
username username password password           Creates a user account in the local user database.
vlan vlan_id                                  Creates a VLAN on a switch.

Job Aids

These job aids are available to help you complete the lab activity.

The table shows the hardware that is used in the lab and the operating system that is running on the devices.

Device   Hardware                                Operating System
Branch   Cisco 2901 Integrated Services Router   c2900-universalk9-mz.SPA.152-4.M1
HQ       Cisco 2901 Integrated Services Router   c2900-universalk9-mz.SPA.152-4.M1
SW1      Catalyst 2960 Series Switch             c2960-lanbasek9-mz.150-1.SE3
SW2      Catalyst 2960 Series Switch             c2960-lanlitek9-mz.150-1.SE3
PC1      Any PC                                  Microsoft Windows 7
PC2      Any PC                                  Microsoft Windows 7

Topology and IP Addressing

Devices are connected with Ethernet and serial connections. The figure illustrates the interface
identification and IP addresses that will be used in this lab.

[Figure: Topology and IP Addressing. Shows Branch, HQ, Server, Internet, SW1, SW2, PC1 and PC2 with interface labels (Gi0/0, Gi0/1, Fa0/1, Fa0/3, Fa0/13) and the IPv4 addresses listed in the table below.]

The table shows the interface identification and IP addresses that will be used in this lab setup.

Device   Interface                                IP Address or Subnet Mask
Branch   Loopback10                               10.100.100.100/32
Branch   Gi0/0.1 (VLAN1)                          10.1.1.1/24
Branch   Gi0/0.10 (VLAN10)                        10.1.10.1/24
Branch   Gi0/0.20 (VLAN20)                        10.1.20.1/24
Branch   Gi0/1                                    209.165.201.1/27, 192.168.1.1/24
HQ       Gi0/1                                    209.165.201.2/27, 192.168.1.2/24
HQ       Loopback0                                172.16.1.100/24
SW1      VLAN1                                    10.1.1.11/24
SW2      VLAN1                                    10.1.1.12/24
PC1      Ethernet adapter local area connection   10.1.10.100/24
PC2      Ethernet adapter local area connection   10.1.20.100/24

IPv6 Addressing

The figure illustrates IPv6 addresses that will be used in this lab.

[Figure: IPv6 Addressing. Shows Branch, HQ, Server, Internet, SW1, SW2, PC1 and PC2 with the interface IPv6 addresses listed in the table that follows.]

The table shows the interface identification and IPv6 addresses that will be used in this lab.
Device   Interface           IP Address or Subnet Mask
Branch   Gi0/0.1 (VLAN1)     2001:db8:0A01:100::1/64
Branch   Gi0/0.10 (VLAN10)   2001:db8:0A01:A00::1/64
Branch   Gi0/0.20 (VLAN20)   2001:db8:0A01:1400::1/64
Branch   Gi0/1               2001:db8:D1A5:C900::1/64, 2001:db8:C0A8:100::1/64
HQ       Gi0/1               2001:db8:D1A5:C900::2/64, 2001:db8:C0A8:100::2/64
HQ       Loopback0           2001:db8:AC10:100::64/64

Task 1: Configure Basic Settings, VLANs, Trunks, and Port Security on Switches
In this task, you will first delete the existing configuration from SW1 and SW2 switches and reload them.
Then you will configure basic settings on the switches and secure administrative access to the switches.
You will also configure VLANs and trunks on the switches and put both PCs into different VLANs. Finally,
you will enable port security on the switches to prevent unauthorized access to the LAN.


Activity Procedure
Complete the following steps:
Step 1

Access the SW1 and SW2 switches.


Step 2

Delete the startup configuration from the SW1 and SW2 switches. Delete the vlan.dat file from the flash
memory of the switches and delete the VLAN information. Reload the switches in order to boot the
switches with an empty configuration.
Step 3

Configure a hostname (SW1, SW2) on the switches.


Step 4

Configure IPv4 addresses on both switches for management purposes. Assign the IP address to the VLAN 1
interface. Use the Job Aids section of the document to determine the IP address for each switch. Enable the
VLAN 1 interface.
Step 5

Configure the enable password on the SW1 and SW2 switches. Use the command that will store the
configured password in encrypted form. Use cisco as a password.
Step 6

Secure console access to the switches by enabling the password on the console. Use cisco as a password.
Enable synchronous logging on the console to make the input of commands easier.
Step 7

Enable SSH version 2 remote access to the SW1 and SW2 switches. Use 1024-bit long RSA keys and
cisco.com as the domain name. Allow Telnet and SSH on the virtual lines.

Step 8

Create a local user account on the switches that will be used to authenticate users accessing the switches via
SSH or Telnet. Use ccna as a username and cisco as a password. Configure the virtual lines for checking
the username and password.
Step 9

Create two additional VLANs on the switches. Use VLAN 10 and 20.
Step 10

Configure a trunk between SW1 and SW2 switches over the FastEthernet0/3 port. Allow only VLANs 1,
10, and 20 on the trunk link. Shut down the FastEthernet0/4 port on both switches.
Step 11

On SW1, configure the port connecting to PC1 (FastEthernet0/1) as the access port. Put the port into VLAN
10.
Step 12

On SW2, configure the port connecting to PC2 (FastEthernet0/1) as the access port. Put the port into VLAN
20.

Step 13
Access PC1. Use administrator as a username and admin as a password in order to log in. Set the
following IP settings on the LAB network adapter:
IP Address       Mask             Default Gateway
10.1.10.100      255.255.255.0    10.1.10.1

Step 14
Access PC2. Use administrator as a username and admin as a password in order to log in. Set the
following IP settings on the LAB network adapter:
IP Address       Mask             Default Gateway
10.1.20.100      255.255.255.0    10.1.20.1

Step 15
From PC1, which is in VLAN 10, ping the management IP address of SW1 (10.1.1.11) in VLAN 1.

C:\Windows\system32> ping 10.1.1.11


Pinging 10.1.1.11 with 32 bytes of data:
Reply from 10.1.10.100: Destination host unreachable.
Reply from 10.1.10.100: Destination host unreachable.
Reply from 10.1.10.100: Destination host unreachable.
Reply from 10.1.10.100: Destination host unreachable.
Ping statistics for 10.1.1.11:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),

The ping should be unsuccessful because routing between VLAN 1 and VLAN 10 has not been configured
yet.
Step 16

From PC2, which is in VLAN 20, ping the management IP address of SW1 (10.1.1.11) in VLAN 1.
C:\Windows\system32> ping 10.1.1.11
Pinging 10.1.1.11 with 32 bytes of data:
Reply from 10.1.20.100: Destination host unreachable.
Reply from 10.1.20.100: Destination host unreachable.
Reply from 10.1.20.100: Destination host unreachable.
Reply from 10.1.20.100: Destination host unreachable.
Ping statistics for 10.1.1.11:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),

The ping should be unsuccessful because routing between VLAN 1 and VLAN 20 has not been configured
yet.
Step 17

Return to SW1 and verify the MAC address table. Note the MAC address of PC1 and write it down.
SW1# show mac address-table
          Mac Address Table
-------------------------------------------
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
 All    0100.0ccc.cccc    STATIC      CPU
 All    0100.0ccc.cccd    STATIC      CPU
<output omitted>
   1    001e.145e.4983    DYNAMIC     Fa0/3
   1    fc99.47e5.2700    DYNAMIC     Fa0/13
  10    000c.293b.709d    DYNAMIC     Fa0/1
  10    000f.34f9.9181    DYNAMIC     Fa0/1

Note

If there is more than one MAC address that is seen on the FastEthernet0/1 interface, go to the PC and
determine its MAC address using the ipconfig /all command.

Step 18
Return to SW2 and verify the MAC address table. Note the MAC address of PC2 and write it down.

SW1# show mac address-table
          Mac Address Table
-------------------------------------------
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
 All    0100.0ccc.cccc    STATIC      CPU
 All    0100.0ccc.cccd    STATIC      CPU
<output omitted>
   1    001e.147c.6f03    DYNAMIC     Fa0/3
  10    000c.293b.709d    DYNAMIC     Fa0/3
  20    000c.29a8.a05a    DYNAMIC     Fa0/1
  20    000f.34f9.9183    DYNAMIC     Fa0/1

Note

If there is more than one MAC address that is seen on the FastEthernet0/1 interface, go to the PC and
determine its MAC address using the ipconfig /all command.

Step 19

On the SW1 and SW2 switches, enable port security on the interfaces connecting to the PCs
(FastEthernet0/1) in order to allow only PCs to connect to the switches. You should first set up the
parameters and then enable port security; otherwise, the port will be shut down due to a port security
violation. Use the following port security parameters:
Violation action: Protect

Maximum MAC addresses: 1

MAC address: PC1 on SW1, PC2 on SW2

Activity Verification
Verification of this task will be done after configuration of inter-VLAN routing.

Task 2: Configure Inter-VLAN Routing

In this task, you will first delete the existing configuration from the Branch router and reload it. You will
then secure administrative access to the router and configure inter-VLAN routing among VLAN 1, 10, and
20. This way, you will enable connectivity among PC1, PC2, and management IP addresses on the
switches. You will implement inter-VLAN routing on the Branch router by establishing a trunk link
between the router and SW1 switch.
Activity Procedure
Complete the following steps:

Step 1
Access the Branch router.
Step 2

Delete the startup configuration from the Branch router. Reload the router in order to boot the router with an
empty configuration.
Step 3

Configure the hostname on the Branch router.


Step 4

Configure the enable password on the Branch router. Use the command that will store the configured
password in secure encrypted form. Use cisco as a password.
Step 5

Secure console access to the router by enabling the password on the console. Use cisco as a password.
Enable synchronous logging on the console to make the input of commands easier.
Step 6

Secure Telnet access to the router by enabling the password on virtual lines. Use cisco as a password.
Step 7

Enable the GigabitEthernet0/0 interface on the Branch router. Create three subinterfaces on the interface
and configure them with the following parameters:
Subinterface Identifier    VLAN Identifier    IP Address/Mask
GigabitEthernet0/0.1       1 (native VLAN)    10.1.1.1/24
GigabitEthernet0/0.10      10                 10.1.10.1/24
GigabitEthernet0/0.20      20                 10.1.20.1/24

Step 8

Access the SW1 switch.

Step 9
Configure the FastEthernet 0/13 port on the switch as a trunk. Allow only VLANs 1, 10, and 20 on the
trunk link. This way, you will enable the switch to send traffic to or from all configured VLANs over the
same port toward the Branch router.

Activity Verification
You have completed this task when you attain this result:
Step 1

Verify the switchport status of the FastEthernet0/13 port on the SW1 switch:
SW1# show interfaces FastEthernet0/13 switchport
Name: Fa0/13
Switchport: Enabled
Administrative Mode: trunk
Operational Mode: trunk
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: dot1q
Negotiation of Trunking: On
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)
Administrative Native VLAN tagging: enabled
Voice VLAN: none

You should see that the interface is in trunking mode.


Step 2

Verify the switch port status of the FastEthernet0/3 port on the SW1 switch:
SW1# show interfaces FastEthernet0/3 switchport
Name: Fa0/3
Switchport: Enabled
Administrative Mode: trunk
Operational Mode: trunk
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: dot1q
Negotiation of Trunking: On
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)
Administrative Native VLAN tagging: enabled
Voice VLAN: none

You should see that the interface is in trunking mode.

Step 3
Verify the trunking status of the FastEthernet0/3 port on the SW1 switch:

SW1# show interfaces FastEthernet0/3 trunk


Port        Mode         Encapsulation  Status        Native vlan
Fa0/3       on           802.1q         trunking      1
Port        Vlans allowed on trunk
Fa0/3       1,10,20
Port        Vlans allowed and active in management domain
Fa0/3       1,10,20
Port        Vlans in spanning tree forwarding state and not pruned
Fa0/3       1,10,20

You should see that the interface is in trunking mode, encapsulation is 802.1q, and VLANs 1, 10, and 20
are active and not pruned.
Step 4

Verify the trunking status of the FastEthernet0/3 port on the SW2 switch:

SW2# show interfaces FastEthernet0/3 trunk


Port        Mode         Encapsulation  Status        Native vlan
Fa0/3       on           802.1q         trunking      1
Port        Vlans allowed on trunk
Fa0/3       1,10,20
Port        Vlans allowed and active in management domain
Fa0/3       1,10,20
Port        Vlans in spanning tree forwarding state and not pruned
Fa0/3       1,10,20

You should see that the interface is in trunking mode, encapsulation is 802.1q, and VLANs 1, 10, and 20
are active and not pruned.
Step 5

On the Branch router, verify the state of configured subinterfaces:


Branch# show ip interface brief
Interface                  IP-Address      OK? Method Status                Protocol
Embedded-Service-Engine0/0 unassigned      YES unset  administratively down down
GigabitEthernet0/0         unassigned      YES unset  up                    up
GigabitEthernet0/0.1       10.1.1.1        YES manual up                    up
GigabitEthernet0/0.10      10.1.10.1       YES manual up                    up
GigabitEthernet0/0.20      10.1.20.1       YES manual up                    up
<output omitted>

You should see that the subinterfaces are configured with IP addresses and are operational.

Step 6
Access PC1. Ping the SW1 management IP address at 10.1.1.11.

C:\Windows\system32> ping 10.1.1.11


Pinging 10.1.1.11 with 32 bytes of data:
Request timed out.
Reply from 10.1.1.11: bytes=32 time=8ms TTL=254
Reply from 10.1.1.11: bytes=32 time=2ms TTL=254
Reply from 10.1.1.11: bytes=32 time=2ms TTL=254
Ping statistics for 10.1.1.11:
Packets: Sent = 4, Received = 3, Lost = 1 (25% loss),
Approximate round trip times in milli-seconds:
Minimum = 2ms, Maximum = 8ms, Average = 4ms

The ping should be successful.


Step 7

Ping PC2 at 10.1.20.100 from PC1.

C:\Windows\system32> ping 10.1.20.100


Pinging 10.1.20.100 with 32 bytes of data:
Reply from 10.1.20.100: bytes=32 time=15ms TTL=127
Reply from 10.1.20.100: bytes=32 time=1ms TTL=127
Reply from 10.1.20.100: bytes=32 time=1ms TTL=127
Reply from 10.1.20.100: bytes=32 time=1ms TTL=127
Ping statistics for 10.1.20.100:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 1ms, Maximum = 15ms, Average = 4ms

The ping should be successful.

Step 8

On PC1, start PuTTY by double-clicking the PuTTY icon on the desktop. Establish an SSH session to the
SW1 management IP address at 10.1.1.11. Accept the fingerprint of the switches when asked. Use ccna as a
username and cisco as a password in order to log in. Enter the privileged EXEC mode using the cisco
password in order to verify that the enable password is properly configured.

login as: ccna


Using keyboard-interactive authentication.
Password: cisco
SW1> enable
Password: cisco
SW1#

Establishment of the SSH session should be successful.

Step 9
Verify port security information on the FastEthernet0/1 port on the SW1 switch. Use the previously
established SSH session to access SW1.

SW1# show port-security interface FastEthernet0/1


Port Security              : Enabled
Port Status                : Secure-up
Violation Mode             : Protect
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 1
Total MAC Addresses        : 1
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 0
Last Source Address:Vlan   : 000c.293b.709d:10
Security Violation Count   : 0

You should see that the port is protected, the security violation is set to protect, and the last seen MAC
address is PC1 in VLAN 10.

Step 10

On PC1, open another PuTTY window by double-clicking the PuTTY icon again. Establish a Telnet session
to the Branch router at 10.1.10.1. Use the cisco password to log in. Enter privileged EXEC mode using the
cisco password in order to verify if the enable password is properly configured.

User Access Verification


Password:cisco
Branch>enable
Password:cisco
Branch#

Establishment of the Telnet session should be successful.

Step 11
Access PC2. Ping the SW2 management IP address at 10.1.1.12.

C:\Windows\system32> ping 10.1.1.12


Pinging 10.1.1.12 with 32 bytes of data:
Request timed out.
Reply from 10.1.1.12: bytes=32 time=8ms TTL=254
Reply from 10.1.1.12: bytes=32 time=2ms TTL=254
Reply from 10.1.1.12: bytes=32 time=2ms TTL=254
Ping statistics for 10.1.1.12:
Packets: Sent = 4, Received = 3, Lost = 1 (25% loss),
Approximate round trip times in milli-seconds:
Minimum = 2ms, Maximum = 8ms, Average = 4ms

The ping should be successful.

Step 12

On PC2, start PuTTY by double-clicking the PuTTY icon on the desktop. Establish an SSH session to the
SW2 management IP address at 10.1.1.12. Accept the fingerprint of the switches when asked. Use ccna as a
username and cisco as a password in order to log in. Enter the privileged EXEC mode using the cisco
password in order to verify if the enable password is properly configured.

login as: ccna


Using keyboard-interactive authentication.
Password: cisco
SW2> enable
Password: cisco
SW2#

Establishment of the SSH session should be successful.

Step 13
Verify port security information on the FastEthernet0/1 port on the SW2 switch. Use the previously
established SSH session to access SW2.

SW2# show port-security interface FastEthernet0/1


Port Security              : Enabled
Port Status                : Secure-up
Violation Mode             : Protect
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 1
Total MAC Addresses        : 1
Configured MAC Addresses   : 1
Sticky MAC Addresses       : 0
Last Source Address:Vlan   : 000f.34f9.9183:20
Security Violation Count   : 0

You should see that the port is protected, the security violation is set to protect, and the last seen MAC
address is PC2 in VLAN 20.
Step 14

Close all SSH and Telnet sessions on PC1 and PC2.
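
A check over the port security verification in Steps 9 and 13, as an added example (not part of the lab guide and not Cisco tooling): it parses the two show port-security interface outputs printed in this task and compares them with the Step 19 parameters. The function names, and the reading of Step 19 as requiring a statically configured address, are assumptions of this example.

```python
"""Audit 'show port-security interface' output against the lab's parameters."""
import re

# Outputs from this lab's verification steps for FastEthernet0/1.
SW1_OUTPUT = """\
Port Security              : Enabled
Port Status                : Secure-up
Violation Mode             : Protect
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 1
Total MAC Addresses        : 1
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 0
Last Source Address:Vlan   : 000c.293b.709d:10
Security Violation Count   : 0
"""
SW2_OUTPUT = """\
Port Security              : Enabled
Port Status                : Secure-up
Violation Mode             : Protect
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 1
Total MAC Addresses        : 1
Configured MAC Addresses   : 1
Sticky MAC Addresses       : 0
Last Source Address:Vlan   : 000f.34f9.9183:20
Security Violation Count   : 0
"""

# "<name> : <value>". The separator needs whitespace before the colon, so the
# colon inside "Last Source Address:Vlan" stays part of the field name.
FIELD = re.compile(r"^\s*(.+?)\s+:\s+(.*?)\s*$")


def parse(output):
    """Return the fields of one 'show port-security interface' block as a dict."""
    fields = {}
    for line in output.splitlines():
        match = FIELD.match(line)
        if match:
            fields[match.group(1)] = match.group(2)
    return fields


def last_source(fields):
    """Split the 'Last Source Address:Vlan' value into (mac, vlan)."""
    mac, vlan = fields["Last Source Address:Vlan"].rsplit(":", 1)
    return mac, int(vlan)


def audit(fields, mode="Protect", maximum=1):
    """List deviations from the Step 19 parameters; an empty list means none."""
    findings = []

    def number(name):
        value = fields.get(name, "")
        return int(value) if value.isdigit() else None

    if fields.get("Port Security") != "Enabled":
        findings.append("port security is not enabled")
    if fields.get("Port Status") != "Secure-up":
        findings.append(f"port status is {fields.get('Port Status')!r}")
    if fields.get("Violation Mode") != mode:
        findings.append(f"violation mode is {fields.get('Violation Mode')!r}, expected {mode!r}")
    if number("Maximum MAC Addresses") != maximum:
        findings.append(f"maximum MAC addresses is not {maximum}")
    total = number("Total MAC Addresses")
    if total is None or total > maximum:
        findings.append("total MAC addresses is missing or above the maximum")
    # Assumption: Step 19 wants the PC's address configured, not only learned.
    if not number("Configured MAC Addresses"):
        findings.append("no statically configured secure MAC address")
    return findings


if __name__ == "__main__":
    for name, output in (("SW1", SW1_OUTPUT), ("SW2", SW2_OUTPUT)):
        fields = parse(output)
        print(name, last_source(fields), audit(fields) or "no deviations")
```

Against the outputs printed in this lab, SW2 comes back clean while SW1 reports that its one secure address was learned rather than configured. In Protect mode the switch drops frames from unknown sources without incrementing the violation counter, so a count of 0 is not by itself evidence that nothing was dropped.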

Task 3: Configure Internet Connectivity

In this task, you will configure the Branch router to provide Internet connectivity. This includes configuring
IP addresses on an interface and default route. You will also configure NAT with PAT to hide internal
addressing from the Internet. Finally, you will configure an ACL that will protect the router and LAN from
traffic on the Internet.
Activity Procedure
Complete the following steps:
Step 1

Access the Branch router.


Step 2

Configure an IP address on the Branch router on the interface connecting to the Internet
(GigabitEthernet0/1). Use 209.165.201.1/27 for the IP address. Enable the interface.
Step 3

Configure a default route on the Branch router that will point to the HQ router as the next hop.

Step 4
Create a standard ACL that will permit users on VLAN 10 and 20. This ACL will be used to specify IP
addresses that are eligible for NAT. Use 1 for the access list identifier.
Step 5

Configure NAT with PAT on the Branch router for all LAN users. This includes users on VLAN 10 and 20.
Refer to the previously configured ACL. Use the IP address on the GigabitEthernet0/1 interface for the
translated IP address.
Step 6

Configure a named extended ACL on the Branch router that will deny all TCP and UDP traffic coming
from a source port greater than 1024. Permit all other IP traffic. Apply the ACL to the GigabitEthernet0/1
interface in the inbound direction.
Note

This ACL will effectively block all connection attempts from the Internet, while the returning traffic to the
LAN will be allowed. With a majority of well-known applications, you can expect that the source port of
traffic returning from a server will have a value that is lower than 1024. For example, returning traffic that
is coming from a Telnet server will have a source port with a value of 23. On the other hand, Telnet
traffic that originates from a host will have a source port greater than 1024.
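
The first-match logic of the ACL from Step 6, modelled in Python as an added example (not part of the lab guide and not Cisco code). The three entries mirror the OUTSIDE list shown in this lab's show ip access-lists output; the class names and the sample packets are constructed for illustration.

```python
"""First-match evaluation of the lab's inbound ACL on GigabitEthernet0/1."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    proto: str                       # "tcp", "udp", "icmp", ...
    src_port: Optional[int] = None   # None for protocols without ports


@dataclass(frozen=True)
class Ace:
    seq: int
    action: str                         # "permit" or "deny"
    proto: str                          # "ip" matches every IP protocol
    src_port_gt: Optional[int] = None   # models the "gt <port>" source operator

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "ip" and self.proto != pkt.proto:
            return False
        if self.src_port_gt is not None:
            # "gt" is strictly greater than: port 1024 itself does not match.
            return pkt.src_port is not None and pkt.src_port > self.src_port_gt
        return True


# deny tcp any gt 1024 any / deny udp any gt 1024 any / permit ip any any
OUTSIDE = [
    Ace(10, "deny", "tcp", src_port_gt=1024),
    Ace(20, "deny", "udp", src_port_gt=1024),
    Ace(30, "permit", "ip"),
]


def evaluate(acl, pkt):
    """Return (action, seq) of the first matching entry.

    A packet that matches no entry falls to the implicit deny at the end
    of every ACL, reported here as ("deny", None).
    """
    for ace in acl:
        if ace.matches(pkt):
            return ace.action, ace.seq
    return "deny", None


# Constructed sample packets arriving inbound on GigabitEthernet0/1.
SAMPLES = [
    ("Telnet reply from the server (source port 23)", Packet("tcp", 23)),
    ("Telnet attempt from outside (ephemeral source port)", Packet("tcp", 50112)),
    ("TCP with source port exactly 1024", Packet("tcp", 1024)),
    ("UDP reply from a DNS server (source port 53)", Packet("udp", 53)),
    ("UDP from a high source port", Packet("udp", 33434)),
    ("ICMP echo reply", Packet("icmp")),
    ("Reply from a service listening on TCP 8080", Packet("tcp", 8080)),
    ("TCP segment with source port 80, no LAN session behind it", Packet("tcp", 80)),
]


def report(acl=OUTSIDE, samples=SAMPLES):
    """Evaluate every sample and return (description, action, seq) rows."""
    return [(text, *evaluate(acl, pkt)) for text, pkt in samples]


if __name__ == "__main__":
    for text, action, seq in report():
        print(f"{action:6} (entry {seq}): {text}")
```

The last two constructed rows show the cost of matching on source port alone: replies from a service on a port above 1024 are dropped, and a segment with a low source port is permitted whether or not a LAN host opened the session.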

Activity Verification
You have completed this task when you attain these results:
Step 1

Verify the status of the GigabitEthernet0/1 interface on the Branch router.

Branch# show interfaces GigabitEthernet0/1


GigabitEthernet0/1 is up, line protocol is up
Hardware is CN Gigabit Ethernet, address is fc99.47e5.2701 (bia fc99.47e5.2701)
Internet address is 209.165.201.1/27
MTU 1500 bytes, BW 100000 Kbit/sec, DLY 100 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation ARPA, loopback not set
Keepalive set (10 sec)
Full Duplex, 100Mbps, media type is RJ45

You should see that the interface is operational and that it has an IP address configured.

Step 2
Verify the routing table on the Branch router.

Branch# show ip route


Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
+ - replicated route, % - next hop override
Gateway of last resort is 209.165.201.2 to network 0.0.0.0
S*   0.0.0.0/0 [1/0] via 209.165.201.2

You should see that the router has a default route that is configured, which points to the HQ router.

Step 3

Access PC1. Start PuTTY by double-clicking the PuTTY icon on the desktop. Establish a Telnet session to
the server at 172.16.1.100.

HQ#

Establishment of the Telnet session should be successful.


Note

Recall that the server is simulated as the loopback interface on the HQ router.

Step 4
On the HQ router, verify the user connection to the server using the show users command. Use the
previously established Telnet session.

HQ# show users
    Line       User       Host(s)              Idle       Location
*388 vty 0                idle                 00:00:00 209.165.201.1

You should see that the Telnet session from PC1 is seen as originating from the translated IP address. The
translated IP address is the IP address of the GigabitEthernet0/1 interface on the Branch router.
Step 5

Access PC2. Start PuTTY by double-clicking the PuTTY icon on the desktop. Establish a Telnet session to
the server at 172.16.1.100.

HQ#

Establishment of the Telnet session should be successful.

Step 6
On the HQ router, verify the user connection to the server using the show users command. Use the
previously established Telnet session.

HQ# show users
    Line       User       Host(s)              Idle       Location
 388 vty 0                idle                 00:01:02 209.165.201.1
*389 vty 1                idle                 00:00:00 209.165.201.1

You should also see that the Telnet session from PC2 is seen as originating from the translated IP address.
The translated IP address is the IP address of the GigabitEthernet0/1 interface on the Branch router.
Step 7

Verify the translation table on the Branch router.

Branch# show ip nat translations


Pro Inside global          Inside local         Outside local        Outside global
tcp 209.165.201.1:1037     10.1.10.100:1037     172.16.1.100:23      172.16.1.100:23
tcp 209.165.201.1:1033     10.1.20.100:1033     172.16.1.100:23      172.16.1.100:23

You should see two PAT translations. One translation is for PC1 at 10.1.10.100, and the second is for PC2
at 10.1.10.100. Both IP addresses translated to the same global IP address but with different source ports.
Step 8

Return to the Telnet session on PC1. Try to establish a Telnet session from the HQ router to the Branch
router twice or three times.
HQ# telnet 209.165.201.1
Trying 209.165.201.1 ...
% Destination unreachable; gateway or host down
HQ# telnet 209.165.201.1
Trying 209.165.201.1 ...
% Destination unreachable; gateway or host down
HQ# telnet 209.165.201.1
Trying 209.165.201.1 ...
% Destination unreachable; gateway or host down

You should not be successful because the ACL denies connections that are initiated from the Internet.

Step 9
Return to the Branch router console and verify the ACL hits.

Branch# show ip access-lists


Standard IP access list 1
10 permit 10.1.10.0, wildcard bits 0.0.0.255 (4 matches)
20 permit 10.1.20.0, wildcard bits 0.0.0.255 (1 match)
Extended IP access list OUTSIDE
10 deny tcp any gt 1024 any (3 matches)
20 deny udp any gt 1024 any
30 permit ip any any (122 matches)

You should see that the ACL denied three TCP packets coming from the TCP source port greater than 1024
to the Branch router.
Step 10

Close all Telnet sessions on PC1 and PC2.

Task 4: Configure WAN Connectivity and a Dynamic Routing Protocol

In this task, you will configure the Branch router with WAN connectivity to the HQ router. This activity
includes removing the NAT configuration from the GigabitEthernet0/1 interface and changing the IP
address on the interface. You will also configure single-area OSPF on the Branch router in order to
exchange routing information with the HQ router. The HQ router has been preconfigured with OSPF.
However, you will have to change the IP addressing on the HQ router as well.
Activity Procedure
Complete the following steps:
Step 1

Access the Branch router.


Step 2

From the Branch router, use Telnet to connect to the HQ router.


Step 3

Change the IP address on the GigabitEthernet0/1 interface on the HQ router to 192.168.1.2 with network
mask 255.255.255.0. Be careful not to mistype the IP address.

Note

Changing the IP address on the HQ router will terminate your Telnet session. If the session freezes,
press Ctrl-Shift-6, followed by X. This action will pause the Telnet session, and you will return to the
Branch router console. At the Branch router prompt, enter Disconnect to disconnect the frozen Telnet
session permanently.

Step 4

On the Branch router, remove the NAT configuration from the GigabitEthernet0/1 interface.
Step 5

Configure the IP address on the Branch router on the GigabitEthernet0/1 interface. Use 192.168.1.1/24 for
the IP address.
Step 6

Configure a loopback interface on the Branch router. Use 10 as the interface ID and 10.100.100.100/32 as
the IP address.
Why is it recommended to configure a loopback interface when enabling an OSPF routing protocol?
Step 7

Create the OSPF routing process on the Branch router. Use 1 as the OSPF process ID.
Step 8

Enable OSPF routing in Area 0 for the following networks:


192.168.1.0/24
10.1.1.0/24

10.1.10.0/24
10.1.20.0/24

10.100.100.100/32

Activity Verification
You have completed this task when you attain these results:

Step 1
From the Branch router, ping the HQ router at 192.168.1.2.

Branch# ping 192.168.1.2


Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms

The ping should be successful.


Step 2

Verify OSPF neighbors on the Branch router.


Branch# show ip ospf neighbor
Neighbor ID     Pri   State           Dead Time   Address         Interface
1.1.1.1           1   FULL/DR         00:00:35    192.168.1.2     GigabitEthernet0/1

You should see the HQ router as the OSPF neighbor in FULL state.

Step 3
Verify the routing table on the Branch router.

Branch# show ip route


Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
+ - replicated route, % - next hop override
Gateway of last resort is not set
10.0.0.0/8 is variably subnetted, 7 subnets, 2 masks
C    10.1.1.0/24 is directly connected, GigabitEthernet0/0.1
L    10.1.1.1/32 is directly connected, GigabitEthernet0/0.1
C    10.1.10.0/24 is directly connected, GigabitEthernet0/0.10
L    10.1.10.1/32 is directly connected, GigabitEthernet0/0.10
C    10.1.20.0/24 is directly connected, GigabitEthernet0/0.20
L    10.1.20.1/32 is directly connected, GigabitEthernet0/0.20
C    10.100.100.100/32 is directly connected, Loopback10
172.16.0.0/32 is subnetted, 1 subnets
O    172.16.1.100 [110/2] via 192.168.1.2, 00:02:10, GigabitEthernet0/1
192.168.1.0/24 is variably subnetted, 2 subnets, 2 masks
C    192.168.1.0/24 is directly connected, GigabitEthernet0/1
L    192.168.1.1/32 is directly connected, GigabitEthernet0/1

You should see the 172.16.1.0/24 network as the OSPF route. The network should be accessible over the
GigabitEthernet0/1 interface.
Step 4

Access PC1. Open a command prompt and ping the server at 172.16.1.100.
C:\Windows\system32> ping 172.16.1.100
Pinging 172.16.1.100 with 32 bytes of data:
Reply from 172.16.1.100: bytes=32 time=42ms TTL=254
Reply from 172.16.1.100: bytes=32 time=36ms TTL=254
Reply from 172.16.1.100: bytes=32 time=35ms TTL=254
Reply from 172.16.1.100: bytes=32 time=36ms TTL=254
Ping statistics for 172.16.1.100:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 35ms, Maximum = 42ms, Average = 37ms

The ping should be successful.

Step 5

On PC1, start PuTTY by double-clicking the PuTTY icon on the desktop. Establish a Telnet session to the
HQ router at 192.168.1.2.

HQ#

Establishment of the Telnet session should be successful.

Step 6
On the HQ router, verify the routing table. Use the previously established Telnet session.

HQ# show ip route


Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
+ - replicated route, % - next hop override
Gateway of last resort is not set
10.0.0.0/8 is variably subnetted, 4 subnets, 2 masks
O    10.1.1.0/24 [110/2] via 192.168.1.1, 00:03:33, GigabitEthernet0/1
O    10.1.10.0/24 [110/2] via 192.168.1.1, 00:03:33, GigabitEthernet0/1
O    10.1.20.0/24 [110/2] via 192.168.1.1, 00:03:33, GigabitEthernet0/1
O    10.100.100.100/32
       [110/2] via 192.168.1.1, 00:00:00, GigabitEthernet0/1
<output omitted>

You should see LAN networks accessible over the Serial0/0/0 interface, with the Branch router as the
next hop router.
Step 7

Close the Telnet sessions on PC1.

Task 5: Configure IPv6 Connectivity in the LAN

In this task, you will enable IPv6 connectivity in the LAN. This activity includes enabling IPv6 on the
Branch router and setting IPv6 addresses on the LAN subinterfaces of the router. On the PCs with
Microsoft Windows 7, IPv6 is enabled by default. Therefore, the PCs will obtain IPv6 addresses
automatically by using stateless autoconfiguration.
Activity Procedure
Complete the following steps:
Step 1

Access the Branch router.


Step 2

Enable IPv6 forwarding on the Branch router.

Step 3
Configure subinterfaces on the GigabitEthernet0/0 interface with the following IPv6 addresses:
Subinterface Identifier    VLAN Identifier    IPv6 Address/Mask
GigabitEthernet0/0.1                          2001:db8:0A01:100::1/64
GigabitEthernet0/0.10      10                 2001:db8:0A01:A00::1/64
GigabitEthernet0/0.20      20                 2001:db8:0A01:1400::1/64

By configuring the IPv6 address on a router interface, the router starts sending router advertisements out of
the interface. This enables PCs that are connected to the interface to automatically configure the IPv6
address on a network adapter and to set a default gateway.
Activity Verification
You have completed this task when you attain these results:

Step 1
Verify IPv6 settings and the status on all subinterfaces:

Branch# show ipv6 interface GigabitEthernet0/0.1


GigabitEthernet0/0.1 is up, line protocol is up
IPv6 is enabled, link-local address is FE80::FE99:47FF:FEE5:2700
No Virtual link-local address(es):
Global unicast address(es):
2001:DB8:A01:100::1, subnet is 2001:DB8:A01:100::/64
Joined group address(es):
FF02::1
FF02::2
FF02::1:FF00:1
FF02::1:FFE5:2700
MTU is 1500 bytes
ICMP error messages limited to one every 100 milliseconds
ICMP redirects are enabled
ICMP unreachables are sent
ND DAD is enabled, number of DAD attempts: 1
ND reachable time is 30000 milliseconds (using 30000)
ND advertised reachable time is 0 (unspecified)
ND advertised retransmit interval is 0 (unspecified)
ND router advertisements are sent every 200 seconds
ND router advertisements live for 1800 seconds
ND advertised default router preference is Medium
Hosts use stateless autoconfig for addresses.
Branch# show ipv6 interface GigabitEthernet0/0.10
GigabitEthernet0/0.10 is up, line protocol is up
IPv6 is enabled, link-local address is FE80::FE99:47FF:FEE5:2700
No Virtual link-local address(es):
Global unicast address(es):
2001:DB8:A01:A00::1, subnet is 2001:DB8:A01:A00::/64
Joined group address(es):
FF02::1
FF02::2
FF02::1:FF00:1
FF02::1:FFE5:2700
MTU is 1500 bytes
ICMP error messages limited to one every 100 milliseconds
ICMP redirects are enabled
ICMP unreachables are sent
ND DAD is enabled, number of DAD attempts: 1
ND reachable time is 30000 milliseconds (using 30000)
ND advertised reachable time is 0 (unspecified)
ND advertised retransmit interval is 0 (unspecified)
ND router advertisements are sent every 200 seconds
ND router advertisements live for 1800 seconds
ND advertised default router preference is Medium
Hosts use stateless autoconfig for addresses.
Branch# show ipv6 interface GigabitEthernet0/0.20
GigabitEthernet0/0.20 is up, line protocol is up
IPv6 is enabled, link-local address is FE80::FE99:47FF:FEE5:2700
No Virtual link-local address(es):
Global unicast address(es):
2001:DB8:A01:1400::1, subnet is 2001:DB8:A01:1400::/64
Joined group address(es):
FF02::1
FF02::2
FF02::1:FF00:1
FF02::1:FFE5:2700

MTU is 1500 bytes


ICMP error messages limited to one every 100 milliseconds
ICMP redirects are enabled
ICMP unreachables are sent
ND DAD is enabled, number of DAD attempts: 1
ND reachable time is 30000 milliseconds (using 30000)
ND advertised reachable time is 0 (unspecified)
ND advertised retransmit interval is 0 (unspecified)
ND router advertisements are sent every 200 seconds
ND router advertisements live for 1800 seconds
ND advertised default router preference is Medium
Hosts use stateless autoconfig for addresses.

You should see all three subinterfaces that are enabled for IPv6. Each subinterface should have a link-local
IPv6 address and one global IPv6 address.

Note that the link-local IPv6 address is the same on all subinterfaces. Why is the link-local IPv6 address the
same on all subinterfaces?
Step 2

Access PC1. Open a command prompt and verify the IP settings.


C:\Windows\system32> ipconfig
Windows IP Configuration
Ethernet adapter LAB:
   Connection-specific DNS Suffix  . :
   IPv6 Address. . . . . . . . . . . : 2001:db8:a01:a00:15e4:2bea:367f:8c5c
   Temporary IPv6 Address. . . . . . : 2001:db8:a01:a00:191b:d8a9:e435:33c1
   Link-local IPv6 Address . . . . . : fe80::15e4:2bea:367f:8c5c%13
   IPv4 Address. . . . . . . . . . . : 10.1.10.100
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : fe80::fe99:47ff:fee5:2700%13
                                       10.1.10.1

You should see that the PC is configured with one global IPv6 address, one temporary IPv6 address, the
link-local IPv6 address, and the default gateway.

You will see a percentage sign (%), followed by a number, at the end of the link-local IPv6 address and at
the end of the default gateway. The number following the percentage sign identifies an interface on the PC;
it is not part of the IPv6 address and should be ignored when determining the IPv6 address of the
default gateway.
Which router IPv6 address is configured as the default gateway on the PC?


Step 3
From PC1, ping the default gateway. Use the link-local IPv6 address as the destination IPv6 address.


C:\Windows\system32> ping fe80::fe99:47ff:fee5:2700


Pinging fe80::fe99:47ff:fee5:2700 with 32 bytes of data:
Destination host unreachable.
Reply from fe80::fe99:47ff:fee5:2700: time=3ms
Reply from fe80::fe99:47ff:fee5:2700: time<1ms
Reply from fe80::fe99:47ff:fee5:2700: time<1ms
Ping statistics for fe80::fe99:47ff:fee5:2700:
Packets: Sent = 4, Received = 3, Lost = 1 (25% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 3ms, Average = 1ms

The ping should be successful.


Step 4

From PC1, ping the directly connected interface of the Branch router. Use the global IPv6 address as the
destination IPv6 address.
C:\Windows\system32> ping 2001:DB8:A01:A00::1
Pinging 2001:db8:a01:a00::1 with 32 bytes of data:
Reply from 2001:db8:a01:a00::1: time=5ms
Reply from 2001:db8:a01:a00::1: time<1ms
Reply from 2001:db8:a01:a00::1: time<1ms
Reply from 2001:db8:a01:a00::1: time<1ms
Ping statistics for 2001:db8:a01:a00::1:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 5ms, Average = 1ms

The ping should be successful.


Step 5
On PC1, verify the neighbor discovery table to see mappings between IPv6 addresses and MAC addresses.
Examine entries for the LAB interface.


C:\Windows\system32> netsh interface ipv6 show neighbors
<output omitted>
Interface 13: LAB
Internet Address                              Physical Address   Type
--------------------------------------------  -----------------  -----------
2001:db8:a01:a00::1                           fc-99-47-e5-27-00  Stale (Router)
fe80::19eb:7144:6b5d:3377                     00-0c-29-a8-a0-5a  Stale
fe80::fe99:47ff:fee5:2700                     fc-99-47-e5-27-00  Stale (Router)
ff02::2                                       33-33-00-00-00-02  Permanent
ff02::16                                      33-33-00-00-00-16  Permanent
ff02::1:2                                     33-33-00-01-00-02  Permanent
ff02::1:3                                     33-33-00-01-00-03  Permanent
ff02::1:ff00:1                                33-33-ff-00-00-01  Permanent
ff02::1:ff35:33c1                             33-33-ff-35-33-c1  Permanent
ff02::1:ff7f:8c5c                             33-33-ff-7f-8c-5c  Permanent
ff02::1:ffe5:2700                             33-33-ff-e5-27-00  Permanent

You should see neighbor discovery entries for link-local and global IPv6 addresses of the Branch router that
you pinged before.
Step 6

Access PC2. Open a command prompt and verify the IP settings.


C:\Windows\system32> ipconfig
Windows IP Configuration
Ethernet adapter LAB:
   Connection-specific DNS Suffix  . :
   IPv6 Address. . . . . . . . . . . : 2001:db8:a01:1400:19eb:7144:6b5d:3377
   Temporary IPv6 Address. . . . . . : 2001:db8:a01:1400:78bd:f560:d1fd:b766
   Link-local IPv6 Address . . . . . : fe80::19eb:7144:6b5d:3377%13
   IPv4 Address. . . . . . . . . . . : 10.1.20.100
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : fe80::fe99:47ff:fee5:2700%13
                                       10.1.20.1

You should see that the PC is configured with one global IPv6 address, one temporary IPv6 address, the
link-local IPv6 address and the default gateway.

You will see a percent sign (%), followed by a number, at the end of the link-local IPv6 address and at the
end of the default gateway. The number following the percent sign identifies an interface on the PC, and it
is not part of the IPv6 address and should be ignored when determining the IPv6 address of the default
gateway.
Which router IPv6 address is configured as the default gateway on the PC?


Step 7
From PC2, ping the default gateway. Use the link-local IPv6 address as the destination IPv6 address.


C:\Windows\system32> ping fe80::fe99:47ff:fee5:2700


Pinging fe80::fe99:47ff:fee5:2700 with 32 bytes of data:
Destination host unreachable.
Reply from fe80::fe99:47ff:fee5:2700: time=4ms
Reply from fe80::fe99:47ff:fee5:2700: time<1ms
Reply from fe80::fe99:47ff:fee5:2700: time<1ms
Ping statistics for fe80::fe99:47ff:fee5:2700:
Packets: Sent = 4, Received = 3, Lost = 1 (25% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 4ms, Average = 1ms

The ping should be successful.


Step 8

From PC2, ping the directly connected interface of the Branch router. Use the global IPv6 address as the
destination IPv6 address.
C:\Windows\system32> ping 2001:DB8:A01:A00::1
Pinging 2001:db8:a01:a00::1 with 32 bytes of data:
Reply from 2001:db8:a01:a00::1: time=9ms
Reply from 2001:db8:a01:a00::1: time<1ms
Reply from 2001:db8:a01:a00::1: time<1ms
Reply from 2001:db8:a01:a00::1: time<1ms
Ping statistics for 2001:db8:a01:a00::1:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 9ms, Average = 2ms

The ping should be successful.


Step 9
On PC2, verify the neighbor discovery table to see mappings between IPv6 addresses and MAC addresses.
Examine entries for the LAB interface.


C:\Windows\system32> netsh interface ipv6 show neighbors
<output omitted>
Interface 13: LAB
Internet Address                              Physical Address   Type
--------------------------------------------  -----------------  -----------
2001:db8:a01:1400::1                          fc-99-47-e5-27-00  Stale (Router)
fe80::15e4:2bea:367f:8c5c                     00-0c-29-3b-70-9d  Stale
fe80::fe99:47ff:fee5:2700                     fc-99-47-e5-27-00  Stale (Router)
ff02::2                                       33-33-00-00-00-02  Permanent
ff02::16                                      33-33-00-00-00-16  Permanent
ff02::1:2                                     33-33-00-01-00-02  Permanent
ff02::1:3                                     33-33-00-01-00-03  Permanent
ff02::1:ff53:e7a0                             33-33-ff-53-e7-a0  Permanent
ff02::1:ff5d:3377                             33-33-ff-5d-33-77  Permanent
ff02::1:ff7f:8c5c                             33-33-ff-7f-8c-5c  Permanent
ff02::1:ffe5:2700                             33-33-ff-e5-27-00  Permanent
ff02::1:fffd:b766                             33-33-ff-fd-b7-66  Permanent

You should see neighbor discovery entries for the link-local and global IPv6 addresses of the Branch router
that you pinged before.
Step 10

Return to the Branch router. Verify the neighbor discovery table.


Branch# show ipv6 neighbors
IPv6 Address                              Age Link-layer Addr State Interface
FE80::19EB:7144:6B5D:3377                   3 000c.29a8.a05a  STALE Gi0/0.20
FE80::15E4:2BEA:367F:8C5C                  11 000c.293b.709d  STALE Gi0/0.10
2001:DB8:A01:1400:78BD:F560:D1FD:B766       4 000c.29a8.a05a  STALE Gi0/0.20
2001:DB8:A01:A00:191B:D8A9:E435:33C1        8 000c.293b.709d  STALE Gi0/0.10

You should see two entries for each PC. One entry is for the link-local IPv6 address, and the other is for the
global IPv6 address.
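
The address relationships visible in Steps 1 through 10 can be checked mechanically. The following Python is an added example, not part of the lab guide: it derives the Branch router link-local address from its MAC address by modified EUI-64 (the subinterfaces share one MAC address, hence one link-local address), derives solicited-node groups and their 33-33 Ethernet addresses, and flags neighbor entries that disagree. The function names and the SPOOFED table are constructed for illustration; the PC1_NEIGHBORS rows are the PC1 output shown in Step 5.

```python
import ipaddress


def mac_bytes(mac):
    """Accept fc-99-47-e5-27-00, fc:99:47:e5:27:00 or Cisco fc99.47e5.2700."""
    digits = "".join(c for c in mac if c in "0123456789abcdefABCDEF")
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return bytes.fromhex(digits)


def eui64_link_local(mac):
    """Modified EUI-64: flip the universal/local bit, insert ff:fe in the middle."""
    m = mac_bytes(mac)
    iid = bytes([m[0] ^ 0x02]) + m[1:3] + b"\xff\xfe" + m[3:]
    return ipaddress.IPv6Address(b"\xfe\x80" + bytes(6) + iid)


def solicited_node(addr):
    """ff02::1:ff00:0/104 plus the low 24 bits of the unicast address."""
    low24 = ipaddress.IPv6Address(addr.split("%")[0]).packed[-3:]
    return ipaddress.IPv6Address(bytes.fromhex("ff02" + "00" * 9 + "01ff") + low24)


def multicast_mac(group):
    """An IPv6 multicast group maps to 33-33 plus the low 32 bits of the group."""
    g = ipaddress.IPv6Address(group)
    if not g.is_multicast:
        raise ValueError(f"{group} is not a multicast address")
    return "-".join(f"{b:02x}" for b in b"\x33\x33" + g.packed[-4:])


def audit_neighbors(rows, router_mac):
    """Return findings for rows of (address, MAC, type) that break the expected mappings.

    Assumption: the default gateway uses an EUI-64 link-local address, as in this lab.
    """
    expected = mac_bytes(router_mac)
    router_ll = eui64_link_local(router_mac)
    findings = []
    for addr, mac, kind in rows:
        ip = ipaddress.IPv6Address(addr.split("%")[0])
        if ip.is_multicast:
            if mac_bytes(mac) != mac_bytes(multicast_mac(str(ip))):
                findings.append(f"{addr}: {mac} does not follow the 33-33 mapping")
        elif ("Router" in kind or ip == router_ll) and mac_bytes(mac) != expected:
            findings.append(f"{addr}: router entry resolves to unexpected MAC {mac}")
    return findings


ROUTER_MAC = "fc-99-47-e5-27-00"  # Branch router MAC as seen from PC1 and PC2

# Rows from the PC1 neighbor table in Step 5.
PC1_NEIGHBORS = [
    ("2001:db8:a01:a00::1", "fc-99-47-e5-27-00", "Stale (Router)"),
    ("fe80::19eb:7144:6b5d:3377", "00-0c-29-a8-a0-5a", "Stale"),
    ("fe80::fe99:47ff:fee5:2700", "fc-99-47-e5-27-00", "Stale (Router)"),
    ("ff02::2", "33-33-00-00-00-02", "Permanent"),
    ("ff02::16", "33-33-00-00-00-16", "Permanent"),
    ("ff02::1:2", "33-33-00-01-00-02", "Permanent"),
    ("ff02::1:3", "33-33-00-01-00-03", "Permanent"),
    ("ff02::1:ff00:1", "33-33-ff-00-00-01", "Permanent"),
    ("ff02::1:ff35:33c1", "33-33-ff-35-33-c1", "Permanent"),
    ("ff02::1:ff7f:8c5c", "33-33-ff-7f-8c-5c", "Permanent"),
    ("ff02::1:ffe5:2700", "33-33-ff-e5-27-00", "Permanent"),
]

# Constructed table (not lab output): the gateway entry points at a different MAC.
SPOOFED = [
    (a, "02-00-00-00-00-99", t) if a == "fe80::fe99:47ff:fee5:2700" else (a, m, t)
    for a, m, t in PC1_NEIGHBORS
]

if __name__ == "__main__":
    print("router link-local:", eui64_link_local(ROUTER_MAC))
    print("PC1 findings:", audit_neighbors(PC1_NEIGHBORS, ROUTER_MAC))
    print("constructed findings:", audit_neighbors(SPOOFED, ROUTER_MAC))
```
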

Task 6: Configure the OSPFv3 Routing Protocol

In this task, you will enable the OSPFv3 routing protocol to route for IPv6 between the Branch and HQ
routers. The HQ router has been preconfigured.
Activity Procedure
Complete the following steps:


Step 1
Access the Branch router.
Step 2


From the Branch router, use Telnet to connect to the HQ router at 192.168.1.2 using IPv4.
Step 3

Remove the existing IPv6 address from the GigabitEthernet0/1 interface on the HQ router. Set the IPv6
address on the interface to 2001:db8:c0a8:100::2/64. Enable OSPFv3 on the interface with Process ID 1
in Area 0. Exit the Telnet session.
Step 4

On the Branch router, configure the GigabitEthernet0/1 interface with the IPv6 address
2001:db8:c0a8:100::1/64.
Step 5

From the Branch router, ping the HQ router at 2001:db8:c0a8:100::2 to verify IPv6 connectivity between
the routers.
Branch# ping 2001:db8:c0a8:100::2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2001:DB8:C0A8:100::2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 52/54/56 ms

The ping should be successful.


Step 6

From the Branch router, use Telnet to connect to the HQ router at 2001:db8:c0a8:100::2.
Branch# telnet 2001:db8:c0a8:100::2
Trying 2001:DB8:C0A8:100::2 ... Open
HQ#

The Telnet should be successful.


Step 7
Verify the existing OSPFv3 configuration on the HQ router.


interface Loopback0
 ip address 172.16.1.100 255.255.255.0
 ipv6 address 2001:DB8:AC10:100::64/64
 ipv6 ospf network point-to-point
 ipv6 ospf 1 area 0
!
<output omitted>
!
interface GigabitEthernet0/1
 description Link to Branch
 ip address 192.168.1.2 255.255.255.0
 duplex auto
 speed auto
 ipv6 address 2001:DB8:C0A8:100::2/64
 ipv6 ospf 1 area 0
!
<output omitted>
!
ipv6 router ospf 1
 router-id 0.0.0.1

You should see that the OSPFv3 process is configured and that Loopback0 and GigabitEthernet0/1 are
enabled for OSPFv3.
Step 8

Close the Telnet session.


Step 9

Create an OSPFv3 process on the Branch router. Use 1 as the Process ID.
Branch(config)# ipv6 router ospf 1


Step 10
Enable the following interfaces for OSPFv3 in Area 0:
GigabitEthernet0/1
GigabitEthernet0/0.1
GigabitEthernet0/0.10
GigabitEthernet0/0.20

Branch(config)# interface GigabitEthernet0/1


Branch(config-if)# ipv6 ospf 1 area 0
Branch(config-if)#
Branch(config)# interface GigabitEthernet0/0.1
Branch(config-subif)# ipv6 ospf 1 area 0
Branch(config-if)#
Branch(config-subif)# interface GigabitEthernet0/0.10
Branch(config-subif)# ipv6 ospf 1 area 0
Branch(config-if)#
Branch(config-subif)# interface GigabitEthernet0/0.20
Branch(config-subif)# ipv6 ospf 1 area 0

You should see that OSPFv3 adjacency went up immediately after you enabled OSPFv3 on the
GigabitEthernet0/1 interface:
*Dec 7 13:59:21.815: %OSPFv3-5-ADJCHG: Process 1, Nbr 0.0.0.1 on
GigabitEthernet0/1 from LOADING to FULL, Loading Done

Activity Verification
You have completed this task when you attain these results:
Step 1

Verify OSPFv3 neighbors on the Branch router.

Branch# show ipv6 ospf neighbor
OSPFv3 Router with ID (10.100.100.100) (Process ID 1)
Neighbor ID     Pri   State           Dead Time   Interface ID    Interface
0.0.0.1           1   FULL/DR         00:00:30    4               GigabitEthernet0/1

You should see the HQ router as the OSPFv3 neighbor.


What is the HQ router ID?


Step 2
Verify OSPFv3 settings on the Branch router.


Branch# show ipv6 ospf


Routing Process "ospfv3 1" with ID 10.100.100.100
Event-log enabled, Maximum number of events: 1000, Mode: cyclic
Initial SPF schedule delay 5000 msecs
Minimum hold time between two consecutive SPFs 10000 msecs
Maximum wait time between two consecutive SPFs 10000 msecs
Minimum LSA interval 5 secs
Minimum LSA arrival 1000 msecs
LSA group pacing timer 240 secs
Interface flood pacing timer 33 msecs
Retransmission pacing timer 66 msecs
Number of external LSA 0. Checksum Sum 0x000000
Number of areas in this router is 1. 1 normal 0 stub 0 nssa
Graceful restart helper support enabled
Reference bandwidth unit is 100 mbps
Area BACKBONE(0)
Number of interfaces in this area is 4
SPF algorithm executed 3 times
Number of LSA 9. Checksum Sum 0x0523AD
Number of DCbitless LSA 0
Number of indication LSA 0
Number of DoNotAge LSA 0
Flood list length 0

You should see that OSPFv3 is enabled for four interfaces in Area 0.
What is the Branch router ID?


Step 3
Verify the IPv6 routing table on the Branch router.


Branch# show ipv6 route
IPv6 Routing Table - default - 10 entries
Codes: C - Connected, L - Local, S - Static, U - Per-user Static route
       B - BGP, R - RIP, I1 - ISIS L1, I2 - ISIS L2
       IA - ISIS interarea, IS - ISIS summary, D - EIGRP, EX - EIGRP external
       ND - ND Default, NDp - ND Prefix, DCE - Destination, NDr - Redirect
       O - OSPF Intra, OI - OSPF Inter, OE1 - OSPF ext 1, OE2 - OSPF ext 2
       ON1 - OSPF NSSA ext 1, ON2 - OSPF NSSA ext 2
C   2001:DB8:A01:100::/64 [0/0]
     via GigabitEthernet0/0.1, directly connected
L   2001:DB8:A01:100::1/128 [0/0]
     via GigabitEthernet0/0.1, receive
C   2001:DB8:A01:A00::/64 [0/0]
     via GigabitEthernet0/0.10, directly connected
L   2001:DB8:A01:A00::1/128 [0/0]
     via GigabitEthernet0/0.10, receive
C   2001:DB8:A01:1400::/64 [0/0]
     via GigabitEthernet0/0.20, directly connected
L   2001:DB8:A01:1400::1/128 [0/0]
     via GigabitEthernet0/0.20, receive
O   2001:DB8:AC10:100::/64 [110/2]
     via FE80::FE99:47FF:FEDE:B4B9, GigabitEthernet0/1
C   2001:DB8:C0A8:100::/64 [0/0]
     via GigabitEthernet0/1, directly connected
L   2001:DB8:C0A8:100::1/128 [0/0]
     via GigabitEthernet0/1, receive
L   FF00::/8 [0/0]
     via Null0, receive

You should see the 2001:DB8:AC10:100::/64 network that is learned through OSPF and with the HQ router
as the next hop. This is the network where the server is located.
Step 4

Access PC1 and open a command prompt. Ping the server at 2001:db8:ac10:100::64.
C:\Windows\system32> ping 2001:db8:ac10:100::64
Pinging 2001:db8:ac10:100::64 with 32 bytes of data:
Reply from 2001:db8:ac10:100::64: time=56ms
Reply from 2001:db8:ac10:100::64: time=45ms
Reply from 2001:db8:ac10:100::64: time=46ms
Reply from 2001:db8:ac10:100::64: time=46ms
Ping statistics for 2001:db8:ac10:100::64:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 45ms, Maximum = 56ms, Average = 48ms

The ping should be successful.


Step 5

On PC1, start PuTTY by double-clicking the PuTTY icon on the desktop. Establish a Telnet session to the
server at 2001:DB8:AC10:100::64.
HQ#

Establishment of the Telnet session should be successful.


Note

Recall that the server is simulated as the loopback interface on the HQ router.


Step 6
Verify the IPv6 routing table on the HQ router.


HQ# show ipv6 route
IPv6 Routing Table - default - 8 entries
Codes: C - Connected, L - Local, S - Static, U - Per-user Static route
       B - BGP, R - RIP, I1 - ISIS L1, I2 - ISIS L2
       IA - ISIS interarea, IS - ISIS summary, D - EIGRP, EX - EIGRP external
       ND - ND Default, NDp - ND Prefix, DCE - Destination, NDr - Redirect
       O - OSPF Intra, OI - OSPF Inter, OE1 - OSPF ext 1, OE2 - OSPF ext 2
       ON1 - OSPF NSSA ext 1, ON2 - OSPF NSSA ext 2
O   2001:DB8:A01:100::/64 [110/2]
     via FE80::6E20:56FF:FE17:B149, GigabitEthernet0/1
O   2001:DB8:A01:A00::/64 [110/2]
     via FE80::6E20:56FF:FE17:B149, GigabitEthernet0/1
O   2001:DB8:A01:1400::/64 [110/2]
     via FE80::6E20:56FF:FE17:B149, GigabitEthernet0/1
<output omitted>

You should see all three LANs that are learned through OSPFv3 with the Branch router as the next hop
router.
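
The routing-table checks in Steps 3 and 6 can also be run as a script. The following Python is an added example, not part of the lab guide: it parses show ipv6 route output and reports OSPF routes whose next hop is not a link-local address or that were learned on an interface where no OSPFv3 neighbor is expected. It assumes that in this topology the only adjacency is on GigabitEthernet0/1; the function names and the UNEXPECTED_ROUTE entry are constructed for illustration.

```python
import ipaddress
import re

# Branch routing table from Step 3 of the activity verification, one route per entry.
BRANCH_TABLE = """\
C   2001:DB8:A01:100::/64 [0/0]
     via GigabitEthernet0/0.1, directly connected
L   2001:DB8:A01:100::1/128 [0/0]
     via GigabitEthernet0/0.1, receive
C   2001:DB8:A01:A00::/64 [0/0]
     via GigabitEthernet0/0.10, directly connected
L   2001:DB8:A01:A00::1/128 [0/0]
     via GigabitEthernet0/0.10, receive
C   2001:DB8:A01:1400::/64 [0/0]
     via GigabitEthernet0/0.20, directly connected
L   2001:DB8:A01:1400::1/128 [0/0]
     via GigabitEthernet0/0.20, receive
O   2001:DB8:AC10:100::/64 [110/2]
     via FE80::FE99:47FF:FEDE:B4B9, GigabitEthernet0/1
C   2001:DB8:C0A8:100::/64 [0/0]
     via GigabitEthernet0/1, directly connected
L   2001:DB8:C0A8:100::1/128 [0/0]
     via GigabitEthernet0/1, receive
L   FF00::/8 [0/0]
     via Null0, receive
"""

# Constructed entry (not lab output): an OSPF route learned on a host-facing subinterface.
UNEXPECTED_ROUTE = """\
O   2001:DB8:FFFF:1::/64 [110/2]
     via FE80::1, GigabitEthernet0/0.10
"""

# "<code> <prefix>/<len> [<distance>/<metric>]"
ROUTE_RE = re.compile(r"^([A-Z][A-Za-z0-9]*)\s+(\S+/\d+)\s+\[(\d+)/(\d+)\]$")
# "via [<next hop>, ]<interface>[, ...]"; connected and local routes have no next hop.
VIA_RE = re.compile(r"^via\s+(?:([0-9A-Fa-f:]+),\s*)?([A-Za-z][\w/.]*)")


def parse_routes(text):
    """Return one dict per route; header and legend lines are ignored."""
    routes = []
    for raw in text.splitlines():
        line = raw.strip()
        head = ROUTE_RE.match(line)
        if head:
            code, prefix, distance, metric = head.groups()
            routes.append({
                "code": code,
                "prefix": str(ipaddress.ip_network(prefix)),
                "distance": int(distance),
                "metric": int(metric),
                "paths": [],
            })
            continue
        via = VIA_RE.match(line)
        if via and routes:
            next_hop, iface = via.groups()
            hop = ipaddress.IPv6Address(next_hop) if next_hop else None
            routes[-1]["paths"].append((hop, iface))
    return routes


def audit_ospf(routes, adjacency_ifaces):
    """Flag OSPF routes (codes O, OI, OE1, ...) that arrive from an unexpected place."""
    findings = []
    for route in routes:
        if not route["code"].startswith("O"):
            continue
        for next_hop, iface in route["paths"]:
            if next_hop is None or not next_hop.is_link_local:
                findings.append(f"{route['prefix']}: next hop {next_hop} is not link-local")
            if iface not in adjacency_ifaces:
                findings.append(f"{route['prefix']}: learned on {iface}, no neighbor expected there")
    return findings


if __name__ == "__main__":
    expected = {"GigabitEthernet0/1"}  # assumption: the only router-to-router link
    print(audit_ospf(parse_routes(BRANCH_TABLE), expected))
    print(audit_ospf(parse_routes(BRANCH_TABLE + UNEXPECTED_ROUTE), expected))
```
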


Lab Answer Keys

Lab 1-1: Performing Switch Startup and Initial Configuration

Task 1: Perform a Reload and Verify that the Switch Is Unconfigured
Step 2

Since the erase startup-config command is a privileged-level command, entering it in user EXEC mode
will have no effect on the system. You were informed that the command is invalid.
Switch>erase startup-config
^
% Invalid input detected at '^' marker.

Step 3

When you have a right arrow (>) symbol after the device hostname, you are in user EXEC mode. When you
issued the enable command, you moved into privileged EXEC mode, which is indicated by the pound sign
(#) after the hostname. Enter privileged EXEC mode by typing enable in user EXEC mode.
Switch>enable
Switch#

Step 4

When you enter the erase startup-config command within privileged EXEC mode, it is accepted and you
are prompted to press Enter to confirm this action.

SwitchX#delete vlan.dat
Delete filename [vlan.dat]?
Delete flash:/vlan.dat? [confirm]
Switch#erase startup-config
Erasing the nvram filesystem will remove all configuration files! Continue? [confirm]
[OK]
Erase of nvram: complete


When you enter the reload command within privileged EXEC mode, you are asked to confirm the reload.
Press Enter at that point.
Switch#reload
Proceed with reload? [confirm]
*Mar 1 00:16:18.229: %SYS-5-RELOAD: Reload requested by console. Reload Reason:
Reload command.
Boot Sector Filesystem (bs) installed, fsid: 2
Base ethernet MAC Address: 00:1e:14:7c:bd:00
Xmodem file system is available.
The password-recovery mechanism is enabled.
Initializing Flash...
flashfs[0]: 549 files, 19 directories
flashfs[0]: 0 orphaned files, 0 orphaned directories
flashfs[0]: Total bytes: 32514048
flashfs[0]: Bytes used: 14942208
flashfs[0]: Bytes available: 17571840
flashfs[0]: flashfs fsck took 11 seconds.
...done Initializing Flash.
done.
Loading "flash:/c2960-lanbasek9-mz.150-1.SE3/c2960-lanbasek9-mz.150-1.SE3.bin"...
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
< output omitted >
64K bytes of flash-simulated non-volatile configuration memory.
Base ethernet MAC Address       : 00:1E:14:7C:BD:00
Motherboard assembly number     : 73-10390-04
Power supply part number        : 341-0097-02
Motherboard serial number       : FOC114131RV
Power supply serial number      : AZS113600YM
Model revision number           : D0
Motherboard revision number     : A0
Model number                    : WS-C2960-24TT-L
System serial number            : FOC1141Z8W9
Top Assembly Part Number        : 800-27221-03
Top Assembly Revision Number    : B0
Version ID                      : V03
CLEI Code Number                : COM3L00BRB
Hardware Board Revision Number  : 0x01
Switch Ports Model              SW Version            SW Image
------ ----- -----              ----------            ----------
*    1 26    WS-C2960-24TT-L    15.0(1)SE3            C2960-LANBASEK9-M
Press RETURN to get started!

Step 5

Your results should resemble the output displayed here. You should have answered No to the question
(Would you like to enter the initial configuration dialog?).


--- System Configuration Dialog ---
Would you like to enter the initial configuration dialog? [yes/no]: no
Switch>

If you skipped the initial configuration dialog, there is no startup configuration present. Alternatively, you
can verify that there is no configuration present by entering privileged EXEC mode and issuing the show
startup-config command.


Switch>enable
Switch#show startup-config
startup-config is not present

Step 6

You can issue the show version command from either user or privileged EXEC mode. In the output here,
you see that the switch is a WS-C2960-24TT-L type, the software version is 15.0(1)SE3, and there is 65536
KB (or 64 MB) of RAM.
Note that your device may have different properties.
Switch#show version
Cisco IOS Software, C2960 Software (C2960-LANBASEK9-M), Version 15.0(1)SE3, RELEASE
SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2012 by Cisco Systems, Inc.
Compiled Wed 30-May-12 14:26 by prod_rel_team
ROM: Bootstrap program is C2960 boot loader
BOOTLDR: C2960 Boot Loader (C2960-HBOOT-M) Version 12.2(44)SE6, RELEASE SOFTWARE
(fc1)
Switch1 uptime is 4 hours, 31 minutes
System returned to ROM by power-on
System restarted at 09:25:53 UTC Fri Aug 17 2012
System image file is "flash:/c2960-lanbasek9-mz.150-1.SE3/c2960-lanbasek9-mz.
150-1.SE3.bin"
This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.
A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
If you require further assistance please contact us by sending email to
export@cisco.com.
cisco WS-C2960-24TT-L (PowerPC405) processor (revision D0) with 65536K bytes of
memory.
< output omitted >

The show flash: command output here shows that the switch has 32514048 bytes (32 MB) of flash memory
and that 17569280 bytes of that memory is free (16.8 MB).
Note that your device may have different properties.


Switch#show flash
Directory of flash:/
    2  drwx         256   Aug 8 2012 12:23:45 +00:00  c2960-lanbasek9-mz.150-1.SE3
  567  -rwx         556  Nov 21 2012 08:17:08 +00:00  vlan.dat
  568  -rwx        2072  Nov 21 2012 11:05:33 +00:00  multiple-fs
32514048 bytes total (17573376 bytes free)

Task 2: Configure the Switch with a Hostname and an IP Address

Step 1

Enter privileged EXEC mode and then global configuration mode. Issue the hostname command, as shown
in the following output. Notice the change in the hostname of the device in the last line of the output.
Switch#enable
Switch#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Switch(config)#hostname SW1
SW1(config)#

Step 2

First, make sure that you are in global configuration mode.


SW1(config)#

Then enter interface configuration mode for VLAN 1 and assign it the proper IP address and network mask.
SW1(config)#interface vlan 1
SW1(config-if)#ip address 10.1.1.11 255.255.255.0

Step 5

On PC1, click the Start button, enter cmd, and press Enter. When you are presented with a command
prompt window, enter ping, followed by the IP address of the VLAN 1 interface on the switch. This Layer
3 test should succeed.


Task 3: Explore Context-Sensitive Help


Step 1
After you enter privileged EXEC mode and enter ?, you are presented with a list of available commands.
Each command is listed with a description.


SW1>enable
SW1#?
Exec commands:
  access-enable    Create a temporary Access-List entry
  access-profile   Apply user-profile to interface
  access-template  Create a temporary Access-List entry
  archive          manage archive files
  beep             Blocks Extensible Exchange Protocol commands
< output omitted >
  where            List active connections
  write            Write running configuration to memory, network, or terminal

Step 2

First, make sure that you are in privileged EXEC mode. Enter clock, followed by ?. Complete the
configuration as displayed here.
SW1#clock ?
set Set the time and date
SW1#clock set ?
hh:mm:ss Current Time
SW1#clock set 12:57:22 ?
<1-31> Day of the month
MONTH  Month of the year
SW1#clock set 12:57:22 17 ?
MONTH Month of the year
SW1#clock set 12:57:22 17 8 ?
% Unrecognized command
Lan_Switch_1#clock set 12:57:22 17 August ?
<1993-2035> Year
SW1#clock set 12:57:22 17 August 2012 ?
<cr>
SW1#clock set 12:57:22 17 August 2012

Step 3

When you are familiar only with how a command begins, you can get help by using the ? command. It will
list all commands that begin with the sequence of letters that you entered.

SW1#sh?
shell  show
SW1#show ?
  aaa                Show AAA values
  access-lists       List access lists
  aliases            Display alias commands
  archive            Archive functions
  arp                ARP table
  authentication     Shows Auth Manager registrations or sessions
  auto               Show Automation Template
  beep               Show BEEP information
  boot               show boot attributes
  buffers            Buffer pool statistics
  cable-diagnostics  Show Cable Diagnostics Results
  call-home          Show command for call home
  capability         Capability Information
  cca                CCA information
  cdp                CDP information
  cisp               Shows CISP information
  class-map          Show CPL Class Map
  clock              Display the system clock
  cluster            Cluster information
  cns                CNS agents
  configuration      Contents of Non-Volatile memory
  controllers        Interface controller status
  crypto             Encryption module
SW1#show clock?
clock
SW1#show clock
13:01:24.145 UTC Fri Aug 17 2012

Task 4: Improve the Usability of the CLI


Step 1

You can enter the show terminal command and then investigate the output to determine the current history
size. Alternatively, you can use the pipe (|) along with the include command and the keyword history size
to print out just the line with the information.
SW1>show terminal | include history size
History is enabled, history size is 20.

Step 2

Enter global configuration mode.

SW1#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.

Enter line console 0 configuration mode.


SW1(config)#line console 0


Change the history size to 100.


SW1(config-line)#history size 100

Issue the exit command twice to get back to privileged EXEC mode.


SW1(config-line)#exit
SW1(config)#exit

Verify that the history size is changed.

SW1#show terminal | i history size


History is enabled, history size is 100.

Step 3

You must be in global configuration mode before issuing the no ip domain lookup command.
SW1>enable
SW1#configure terminal
SW1(config)#no ip domain-lookup

Step 4

Issue the exec-timeout 60 command to set the console timeout expiration timer to one hour.
SW1(config-line)#exec-timeout 60

Verify that idle exec timeout is set to one hour. Use the verification command directly from console
configuration mode.
SW1(config-line)#do show terminal | begin Timeouts
Timeouts:      Idle EXEC    Idle Session   Modem Answer  Session   Dispatch
               01:00:00     never                        none      not set
<output omitted>
SW1(config-line)#exit

Step 5

Make sure that you are in global configuration mode and then enter line console 0 configuration mode. Last,
enable synchronous logging as shown in the output here.
SW1(config)#line console 0
SW1(config-line)#logging synchronous
SW1(config-line)#exit
SW1(config)#exit


Step 6
This command copies the running configuration to the startup configuration. If you do not save the
configuration, you will lose it the next time the switch is restarted.
SW1#copy running-config startup-config


If you press Enter when asked for the destination filename, the running configuration is stored as the
startup configuration.
Destination filename [startup-config]?
Building configuration...
[OK]

Lab 1-2: Troubleshooting Switch Media Issues

Task 2: Troubleshoot Connectivity Between Computer PC1 and Switch SW1
Step 1

When you issue a ping from SW1 to PC1, your success rate is 0 percent, so there is no Layer 3 connectivity
between the two devices.
SW1>ping 10.1.1.100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.11, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

Step 2

The output of the show interfaces FastEthernet0/1 command tells you that the interface toward PC1 is
administratively down, which means that the interface was disabled by the administrator.
SW1>enable
SW1#show interfaces FastEthernet0/1
FastEthernet0/1 is administratively down, line protocol is down (disabled)
Hardware is Fast Ethernet, address is 001e.147c.bd01 (bia 001e.147c.bd01)
MTU 1500 bytes, BW 10000 Kbit/sec, DLY 1000 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation ARPA, loopback not set
Keepalive set (10 sec)
Auto-duplex, Auto-speed, media type is 10/100BaseTX


Step 3
Enter global configuration mode.
SW1#configure terminal
Enter configuration commands, one per line.  End with CTRL-Z.

Enter interface configuration mode for FastEthernet 0/1 and enable the interface with the no shutdown
command.
SW1(config)#interface FastEthernet 0/1
SW1(config-if)#no shutdown

Finally, verify Layer 3 connectivity between PC1 and SW1 by issuing a ping command. It should be
successful.
SW1#ping 10.1.1.100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.100, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/5/9 ms

Step 4

It is important to save the configuration of SW1 because the no shutdown command would disappear if the
switch is restarted. John would again be cut off from the network.
SW1#copy running-config startup-config

Task 3: Troubleshoot Connectivity Between Switch SW1 and the Branch Router
Step 1

Because you have console logging enabled (which you can verify with the show logging command), the
switch reports a duplex mismatch message on the console. This message tells you that the interfaces of
SW1 and Branch have different duplex settings. It looks like the Branch router FastEthernet0/0 interface is
configured for full duplex, while interface FastEthernet0/13 on the switch is not configured for full duplex.
Aug 21 14:39:52.112: %CDP-4-DUPLEX_MISMATCH: duplex mismatch discovered on
FastEthernet0/13 (not full duplex), with Branch FastEthernet0/0 (full duplex).

Use the show interfaces FastEthernet 0/13 command to identify the duplex setting on the interface.


SW1#show interfaces FastEthernet 0/13


FastEthernet 0/13 is up, line protocol is up (connected)
Hardware is Fast Ethernet, address is 001e.147c.bd0d (bia 001e.147c.bd0d)
MTU 1500 bytes, BW 100000 Kbit/sec, DLY 100 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation ARPA, loopback not set
Keepalive set (10 sec)
Half-duplex, 100Mb/s, media type is 10/100BaseTX
input flow-control is off, output flow-control is unsupported
< output omitted >

You can also use the show ip interface brief command to verify status of all interfaces. It shows that
interface FastEthernet 0/13 is in an up/up state. This status means that even though the duplex settings are
mismatched on the link, it is still functional. The drawback is that the connection is not efficient. With half-duplex operation, data cannot be sent and received at the same time.
SW1#show ip interface brief
Interface              IP-Address      OK? Method Status                Protocol
< output omitted >
FastEthernet0/13       unassigned      YES unset  up                    up
<output omitted>

Step 2

Enter global configuration mode.

SW1#configure terminal
Enter configuration commands, one per line. End with CTRL-Z.

Enter interface configuration mode.

SW1(config)#interface FastEthernet 0/13

Change the duplex setting to full.

SW1(config-if)#duplex full

Save your changes by copying the running configuration to the startup configuration.
SW1(config)#interface FastEthernet 0/13
SW1(config-if)#end
SW1#copy run start
Destination filename [startup-config]?
Building configuration...
[OK]

Lab 2-1: Performing Initial Router Setup and Configuration
Task 1: Inspect the Router Hardware and Software
Step 1

Enter this command on the Branch router:


Router>enable
Router#

Task 2: Create the Initial Router Configuration


Step 1

Answer No to the initial configuration dialog question and use the enable command to enter privileged
EXEC mode.
Would you like to enter the initial configuration dialog? [yes/no]: no
Would you like to terminate autoinstall? [yes]:
<output omitted>
Router>
Router>enable
Router#

Step 2

Use the command hostname to set the hostname.


Router(config)#
Router(config)#hostname Branch
Branch(config)#

Step 3

Enter these commands on the Branch router to enter interface configuration mode, enable the interface, and
provide a description:
Branch(config)#interface GigabitEthernet 0/0
Branch(config-if)#no shutdown
%LINK-3-UPDOWN: Interface GigabitEthernet0/0, changed state to down
%LINK-3-UPDOWN: Interface GigabitEthernet0/0, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/0, changed state
to up
Branch(config-if)#description Link to LAN Switch

Step 4
Enter this command on the Branch router:

Branch(config-if)#ip address 10.1.1.1 255.255.255.0

Step 6

Use this command on the Branch router:

Branch#copy running-config startup-config
Destination filename [startup-config]?
Building configuration...
[OK]
Branch#

Task 3: Improve the Usability of the CLI


Step 1

Enter these commands on the Branch router:

Branch#configure terminal
Branch(config)#line console 0
Branch(config-line)#exec-timeout 60 0

Step 3

Use the logging synchronous command on the Branch router:


Branch(config-line)#logging synchronous

Step 4

On the Branch router, use the command no ip domain lookup in global configuration mode to disable the
resolution of symbolic names.
Branch(config)#no ip domain lookup

Step 5

On the Branch router, use the command write memory to copy the configuration into NVRAM.
Branch#write memory

Lab 2-2: Connecting to the Internet


Task 1: Configure a Manual IP Address and Static Default Route

Step 3
Enter the following commands on the Branch router:

Branch(config)#interface GigabitEthernet0/1
Branch(config-if)#no shutdown
Branch(config-if)#ip address 209.165.201.1 255.255.255.224

Step 6

The Branch router does not have a route to reach networks that are not directly connected.
Step 7

No, there is no route present for the IP address of the server.


Step 8

Enter the following command on the Branch router:

Branch#configure terminal
Branch(config)#ip route 0.0.0.0 0.0.0.0 209.165.201.2

Step 9

Enter the following commands on the Branch router:

Branch(config)#exit
Branch#copy running-config startup-config

Step 12

Enter the following command on the Branch router:

Branch(config)#no ip route 0.0.0.0 0.0.0.0 209.165.201.2

Task 2: Configure a DHCP-Obtained IP Address

Step 2
Enter the following commands on the Branch router:

Branch(config-if)#interface GigabitEthernet0/1
Branch(config-if)#ip address dhcp

Step 3

Enter the following commands on the Branch router:

Branch(config-if)#exit
Branch(config)#exit
Branch#copy running-config startup-config

Step 5

The default route was set by the Branch router automatically. The Branch router received knowledge of the
default gateway from the DHCP server and it set the static route next-hop IP address to the IP address of the
default gateway.
Step 12

The solution that could be implemented on the Branch router to provide connectivity between PC1 and the
server is NAT. With NAT, the source IP address in a packet would be translated into the outside IP address
of the Branch router. The HQ router would then know how to send a returning packet back to the Branch
router, because the routers are directly connected. The destination IP address in the packet would be then
translated back to the IP address of PC1 and sent to PC1.

Task 3: Configure NAT


Step 2

Enter the following command on the Branch router:

Branch(config)#access-list 1 permit 10.1.1.0 0.0.0.255

Step 3

Enter the following commands on the Branch router:

Branch(config)#ip nat pool NAT_POOL 209.165.201.5 209.165.201.10 netmask 255.255.255.224

You can accommodate up to six hosts at the same time using the configured NAT pool.
Step 4
Enter the following commands on the Branch router:

Branch(config)#interface GigabitEthernet0/0
Branch(config-if)#ip nat inside

Step 5

Enter the following commands on the Branch router:

Branch(config)#interface GigabitEthernet0/1
Branch(config-if)#ip nat outside

Step 6

Enter the following command on the Branch router:

Branch(config)#ip nat inside source list 1 pool NAT_POOL

Step 7

Enter the following commands on the Branch router:

Branch(config)#exit
Branch#copy running-config startup-config

Task 4: Configure NAT with PAT


Step 2

Enter the following command on the Branch router:

Branch(config)#no ip nat inside source list 1 pool NAT_POOL
Dynamic mapping in use, do you want to delete all entries? [no]: yes

Step 3

Enter the following command on the Branch router (and then answer with yes):

Branch(config)#ip nat inside source list 1 interface GigabitEthernet0/1 overload

You can accommodate approximately 64,000 hosts by overloading one IP address.


Step 4
Enter the following commands on the Branch router:

Branch(config)#exit
Branch#copy running-config startup-config

Lab 3-1: Enhancing the Security of the Initial Configuration
Task 1: Add Password Protection
Step 2

Enter this sequence of commands into the Branch router:


Branch> enable
Branch# configure terminal
Branch(config)# line console 0
Branch(config-line)# password cisco
Branch(config-line)# login

Step 5

Enter the following command sequence into the Branch router:


Branch(config)# username ccna secret cisco
Branch(config)# line console 0
Branch(config-line)# login local

Step 8

Enter this sequence of commands into the Branch router:


Branch(config)# line vty 0 15
Branch(config-line)# login local

Step 10

Enter this command on the Branch router:

Branch(config)# enable secret cisco

Step 11
Enter this command on the Branch router:
Branch# copy running-config startup-config

Step 14

Enter this sequence of commands on SW1:

SW1(config)# enable secret cisco
SW1(config)# username ccna secret cisco
SW1(config)# line console 0
SW1(config-line)# login local
SW1(config-line)# line vty 0 15
SW1(config-line)# login local

Step 15

Enter this command on the SW1 switch:

SW1# copy running-config startup-config

Task 2: Enable SSH Remote Access


Step 1

Enter this sequence of commands on the Branch router:

Branch(config)# ip domain-name cisco.com
Branch(config)# crypto key generate rsa
The name for the keys will be: Branch.cisco.com
Choose the size of the key modulus in the range of 360 to 2048 for your General
Purpose Keys. Choosing a key modulus greater than 512 may take a few minutes.
How many bits in the modulus [512]: 1024
% Generating 1024 bit RSA keys, keys will be non-exportable...[OK]
Branch(config)# line vty 0 15
Branch(config-line)# transport input ssh
Branch(config-line)# exit
Branch(config)# ip ssh version 2

Step 2

Enter this command on the Branch router:

Branch# copy running-config startup-config

Step 3
Enter this sequence of commands on the SW1 switch:

SW1(config)# ip domain-name cisco.com
SW1(config)# crypto key generate rsa
The name for the keys will be: SW1.cisco.com
Choose the size of the key modulus in the range of 360 to 2048 for your General
Purpose Keys. Choosing a key modulus greater than 512 may take a few minutes.
How many bits in the modulus [512]: 1024
% Generating 1024 bit RSA keys, keys will be non-exportable...[OK]
SW1(config)# line vty 0 15
SW1(config-line)# transport input ssh
SW1(config-line)# ip ssh version 2

Step 4

Enter this command on the SW1 switch:

SW1# copy running-config startup-config

Task 3: Limit Remote Access to Selected Network Addresses


Step 1

Enter this sequence of commands on the SW1 switch:

SW1(config)# access-list 1 permit host 10.1.1.1
SW1(config)# access-list 1 deny any log

Step 3

Enter this command on the SW1 switch:

SW1# copy running-config startup-config

Task 4: Configure a Login Banner


Step 1

Enter the following command on the Branch router:

Branch(config)# banner login #********** Warning *************
Enter TEXT message. End with the character '#'.
Access to this device is restricted to authorized persons only!
Unauthorized access is prohibited. Violators will be prosecuted.
***********************************************#

Step 2
Enter this command on the Branch router:
Branch# copy running-config startup-config

Step 3

Enter the following command on the SW1 switch:

SW1(config)# banner login #********** Warning *************
Enter TEXT message. End with the character '#'.
Access to this device is restricted to authorized persons only!
Unauthorized access is prohibited. Violators will be prosecuted.
***********************************************#

Step 4

Enter this command on the SW1 switch:

SW1# copy running-config startup-config
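
The settings applied in Lab 3-1 can be checked against a saved configuration. The Python audit below is an added example, not part of the Cisco lab guide: both configuration excerpts are constructed, the hash values are placeholders, and the `access-class 1 in` line is an assumption, because the step that applies ACL 1 to the vty lines is not shown in these answers.

```python
import re

# Constructed running-config excerpts (not captured from a device).
# HARDENED follows Lab 3-1; "access-class 1 in" is an assumption (see lead-in).
HARDENED = """\
enable secret 5 <placeholder-hash>
username ccna secret 5 <placeholder-hash>
ip domain-name cisco.com
ip ssh version 2
access-list 1 permit host 10.1.1.1
access-list 1 deny any log
banner login # Access to this device is restricted to authorized persons only! #
line con 0
 login local
line vty 0 15
 access-class 1 in
 login local
 transport input ssh
"""

# SUPERLAB follows Steps 6 to 8 of Lab S-1, Task 1.
SUPERLAB = """\
enable secret 5 <placeholder-hash>
username ccna password 0 cisco
ip domain-name cisco.com
ip ssh version 2
line con 0
 password cisco
 logging synchronous
 login
line vty 0 4
 login local
 transport input ssh telnet
"""


def parse_sections(config):
    """Return (top-level lines, {section header: [indented child lines]})."""
    top, sections, current = [], {}, None
    for raw in config.splitlines():
        if not raw.strip() or raw.strip() == "!":
            continue
        if raw.startswith(" "):            # child line of the open section
            if current is not None:
                sections[current].append(raw.strip())
            continue
        line = raw.strip()
        top.append(line)
        current = line if line.startswith("line ") else None
        if current is not None:
            sections[current] = []
    return top, sections


def audit(config):
    """List the Lab 3-1 hardening items that the configuration is missing."""
    top, sections = parse_sections(config)
    findings = []
    if not any(l.startswith("enable secret ") for l in top):
        findings.append("global: no enable secret")
    for l in top:
        m = re.match(r"username (\S+) password\b", l)
        if m:
            findings.append(f"global: username {m.group(1)} uses 'password', not 'secret'")
    if "ip ssh version 2" not in top:
        findings.append("global: SSH version 2 not enforced")
    if not any(l.startswith("banner login") for l in top):
        findings.append("global: no login banner")
    for header, body in sections.items():
        if "login local" not in body:
            findings.append(f"{header}: does not authenticate against local users")
        if header.startswith("line vty"):
            transports = [b.split()[2:] for b in body if b.startswith("transport input")]
            if transports != [["ssh"]]:    # absent, or anything besides SSH only
                findings.append(f"{header}: remote access not restricted to SSH")
            if not any(re.fullmatch(r"access-class \S+ in", b) for b in body):
                findings.append(f"{header}: no access-class limiting source addresses")
    return findings


if __name__ == "__main__":
    for name, cfg in (("HARDENED", HARDENED), ("SUPERLAB", SUPERLAB)):
        print(name, audit(cfg) or "no findings")
```

The parser expects a single-line banner, as in the constructed samples; a multi-line banner from a real device would need its text lines skipped first.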

Lab 3-2: Device Hardening


Task 1: Disable Unused Ports
Step 2

Enter this sequence of commands into the SW1 switch:

SW1(config)# interface range FastEthernet 0/14 - 24
SW1(config-if-range)# shutdown

Step 4

Enter the following commands on the SW1 switch:


SW1# copy running-config startup-config

Task 2: Configure Port Security on a Switch

Step 4
Enter these commands on the SW1 switch:

SW1(config)# interface FastEthernet 0/13
SW1(config-if)# switchport mode access

Step 5

Enter this sequence of commands into the SW1 switch:

SW1(config-if)# switchport port-security mac-address f866.f231.7251
SW1(config-if)# switchport port-security

Step 8

Enter this sequence of commands into the SW1 switch:

SW1(config-if)# no switchport port-security mac-address f866.f231.7251
SW1(config-if)# switchport port-security mac-address f866.f231.7250

Step 9

Enter this sequence of commands into the SW1 switch:


SW1(config-if)# shutdown
SW1(config-if)# no shutdown

Step 14

Enter this command into the SW1 switch:

SW1(config-if)# no switchport port-security

Step 15

Enter the following command on the SW1 switch:

SW1# copy running-config startup-config

Task 3: Disable Unused Services

Step 3
Enter this sequence of commands into the switch.

SW1(config)# interface FastEthernet 0/13
SW1(config-if)# no cdp enable

Step 6

Enter this sequence of commands into the switch.

SW1(config)# interface FastEthernet 0/13
SW1(config-if)# cdp enable

Step 7

Enter the following command on the SW1 switch:

SW1# copy running-config startup-config

Task 4: Configure NTP


Step 1

Enter the following command on the Branch router:


Branch(config)# ntp server 172.16.1.100

Step 3

The stratum of the clock on the Branch router is 4.


Step 5

Enter the following command on the SW1 switch:


SW1(config)# ntp server 10.1.1.1

Step 6

The stratum of the clock on the SW1 switch is 5.

Step 7
Enter the following commands on the SW1 switch and Branch router:
SW1# copy running-config startup-config

Branch# copy running-config startup-config

Lab 3-3: Filtering Traffic with ACLs


Task 1: Configure an ACL
Step 2

Enter this sequence of commands into the Branch router:

Branch(config)# ip access-list extended Telnet
Branch(config-ext-nacl)# deny tcp host 10.1.1.101 host 172.16.1.100 eq telnet
Branch(config-ext-nacl)# permit ip any any

Step 4

Enter this sequence of commands into the Branch router:

Branch(config)# interface GigabitEthernet 0/0
Branch(config-if)# ip access-group Telnet in

Step 6

Enter the following command on the Branch router:

Branch# copy running-config startup-config
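
The Telnet ACL above is evaluated top down, the first matching entry decides, and a packet that matches no entry is dropped by the implicit deny. The Python model below is an added example, not part of the Cisco lab guide: it handles only the entry forms used on this page (any, host, address with wildcard, eq, gt), also covers the OUTSIDE list from the Superlab answers, and all test packets are constructed.

```python
import ipaddress

PORT_NAMES = {"telnet": 23}           # only the port keyword used on this page
ANY = (0, 0xFFFFFFFF)                 # every address bit is "don't care"

# ACL entries copied from this page (Lab 3-3 Task 1 and Lab S-1 Task 3).
TELNET_ACL = [
    "deny tcp host 10.1.1.101 host 172.16.1.100 eq telnet",
    "permit ip any any",
]
OUTSIDE_ACL = [
    "deny tcp any gt 1024 any",
    "deny udp any gt 1024 any",
    "permit ip any any",
]


def ip_int(text):
    return int(ipaddress.IPv4Address(text))


def take_addr(tokens):
    """Consume 'any', 'host A' or 'A WILDCARD'; return (base, wildcard)."""
    first = tokens.pop(0)
    if first == "any":
        return ANY
    if first == "host":
        return (ip_int(tokens.pop(0)), 0)
    return (ip_int(first), ip_int(tokens.pop(0)))


def take_port(tokens):
    """Consume an optional 'eq P' or 'gt P' test; return (op, port) or None."""
    if tokens and tokens[0] in ("eq", "gt"):
        op, value = tokens.pop(0), tokens.pop(0)
        return (op, PORT_NAMES[value] if value in PORT_NAMES else int(value))
    return None


def parse_ace(line):
    tokens = line.split()
    ace = {"action": tokens.pop(0), "proto": tokens.pop(0)}
    ace["src"], ace["sport"] = take_addr(tokens), take_port(tokens)
    ace["dst"], ace["dport"] = take_addr(tokens), take_port(tokens)
    return ace


def addr_match(addr, spec):
    base, wildcard = spec
    # Bits set in the wildcard are ignored; all other bits must equal the base.
    return ((ip_int(addr) ^ base) & ~wildcard & 0xFFFFFFFF) == 0


def port_match(port, test):
    if test is None:
        return True                    # entry does not test this port
    if port is None:
        return False                   # packet has no port (for example ICMP)
    op, value = test
    return port == value if op == "eq" else port > value


def evaluate(acl, pkt):
    """Return (action, deciding line); the first matching entry wins."""
    for line in acl:
        ace = parse_ace(line)
        if (ace["proto"] in ("ip", pkt["proto"])
                and addr_match(pkt["src"], ace["src"])
                and port_match(pkt.get("sport"), ace["sport"])
                and addr_match(pkt["dst"], ace["dst"])
                and port_match(pkt.get("dport"), ace["dport"])):
            return ace["action"], line
    return "deny", "implicit deny"


# Constructed test packets.
PC_TELNET = {"proto": "tcp", "src": "10.1.1.101", "sport": 50000,
             "dst": "172.16.1.100", "dport": 23}
PC_WEB = dict(PC_TELNET, dport=80)
REPLY_FROM_SERVER = {"proto": "tcp", "src": "172.16.1.100", "sport": 80,
                     "dst": "209.165.201.1", "dport": 50000}
NEW_INBOUND = dict(REPLY_FROM_SERVER, sport=50001, dport=23)

if __name__ == "__main__":
    for acl, pkt in ((TELNET_ACL, PC_TELNET), (TELNET_ACL, PC_WEB),
                     (TELNET_ACL[:1], PC_WEB),
                     (OUTSIDE_ACL, REPLY_FROM_SERVER), (OUTSIDE_ACL, NEW_INBOUND)):
        print(evaluate(acl, pkt))
```

Dropping the final `permit ip any any` from the Telnet list turns every other flow into an implicit deny, which is why the answer key always ends the list with it.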

Task 3: Troubleshoot an ACL


Step 7

Enter this sequence of commands into the Branch router:

Branch(config)# interface GigabitEthernet 0/0
Branch(config-if)# no ip access-group out
Branch(config-if)# ip access-group in

Step 9
Enter this sequence of commands into the Branch router:

Branch(config)# ip access-list extended Telnet
Branch(config-ext-nacl)# no 10
Branch(config-ext-nacl)# no 20
Branch(config-ext-nacl)# 40 permit ip any any

Step 10

Enter the following command on the Branch router:

Branch# copy running-config startup-config

Lab 4-1: Configuring Expanded Switched Networks
Task 1: Configure a VLAN
Step 1

Enter this sequence of commands on SW1:

SW2# configure terminal
SW2(config)# interface vlan 1
SW2(config-if)# ip address 10.1.1.12 255.255.255.0

Step 4

Enter this sequence of commands on SW1:


SW1# configure terminal
SW1(config)# vlan 10
SW1(config-vlan)# vlan 20

Enter this sequence of commands on SW2:


SW2# configure terminal
SW2(config)# vlan 10
SW2(config-vlan)# vlan 20

Step 5
Enter this sequence of commands on SW1:
SW1(config)# interface FastEthernet0/1
SW1(config-if)# switchport access vlan 10

Enter this sequence of commands on SW2:

SW2(config)# interface FastEthernet0/1
SW2(config-if)# switchport access vlan 20

Step 6

Enter the following command on the SW1 switch.

SW1# copy running-config startup-config

Enter the following command on the SW2 switch.

SW2# copy running-config startup-config

Task 2: Configure the Link Between Switches as a Trunk


Step 1

Enter this sequence of commands on the SW1 switch:

SW1(config)# interface FastEthernet 0/3
SW1(config-if)# switchport mode trunk
SW1(config-if)# switchport trunk allowed vlan 1,10,20

Enter this sequence of commands on the SW2 switch:

SW2(config)# interface FastEthernet 0/3
SW2(config-if)# switchport mode trunk
SW2(config-if)# switchport trunk allowed vlan 1,10,20

Step 2

Enter the following command on the SW1 switch.

SW1# copy running-config startup-config

Enter the following command on the SW2 switch.

SW2# copy running-config startup-config

Task 3: Configure a Trunk Link on the Router


Step 1

Enter this sequence of commands on the SW1 switch:


SW1(config)# interface FastEthernet 0/13
SW1(config-if)# switchport mode trunk

Step 2

Enter the following command on the SW1 switch.

SW1# copy running-config startup-config

Step 3

Enter the following commands on the Branch router.

Branch# configure terminal
Branch(config)# interface GigabitEthernet0/0
Branch(config-if)# no ip address

Step 4

Enter the following commands on the Branch router.

Branch(config)# interface GigabitEthernet 0/0.1
Branch(config-if)# encapsulation dot1q 1
Branch(config-if)# ip address 10.1.1.1 255.255.255.0
Branch(config-if)# exit
Branch(config)# interface GigabitEthernet 0/0.10
Branch(config-if)# encapsulation dot1q 10
Branch(config-if)# ip address 10.1.10.1 255.255.255.0
Branch(config-if)# exit
Branch(config)# interface GigabitEthernet 0/0.20
Branch(config-if)# encapsulation dot1q 20
Branch(config-if)# ip address 10.1.20.1 255.255.255.0

Step 5

Enter the following command on the Branch router.

Branch# copy running-config startup-config

Lab 4-2: Configuring DHCP Server


Task 1: Configure DHCP Pools
Step 1

Enter global configuration mode and enter this sequence of commands on the Branch router:
Branch(config)# ip dhcp pool VLAN10
Branch(dhcp-config)# network 10.1.10.0 /24

Step 2

Define the default gateway and DNS server for the configured DHCP pool, as indicated in the output.
Branch(config)# ip dhcp pool VLAN10
Branch(dhcp-config)# default-router 10.1.10.1
Branch(dhcp-config)# dns-server 10.1.10.1

Step 3

Enter this command on the router:

Branch(dhcp-config)# lease 0 2

Step 4

Enter the following command on the Branch router.

Branch# copy running-config startup-config

Step 7

Enter this sequence of commands on the Branch router:

Branch(config)# ip dhcp pool VLAN20
Branch(dhcp-config)# network 10.1.20.0 /24
Branch(dhcp-config)# default-router 10.1.20.1
Branch(dhcp-config)# dns-server 10.1.20.1
Branch(dhcp-config)# lease 0 12

Step 10

Use the show ip dhcp binding command to verify that PC2 has obtained an IP address dynamically.

Branch# show ip dhcp binding
Bindings from all pools not associated with VRF:
IP address      Client-ID/              Lease expiration        Type
                Hardware address/
                User name
10.1.10.2       0100.0c29.4532.be       Oct 19 2012 03:39 PM    Automatic
10.1.20.2       0100.0c29.8807.34       Oct 20 2012 01:24 AM    Automatic

Task 2: Exclude Specific IP Addresses from DHCP Pools


Step 1

To exclude specific IP addresses, use the ip dhcp excluded-address command, as indicated in the output.
Branch(config)# ip dhcp excluded-address 10.1.10.1 10.1.10.99
Branch(config)# ip dhcp excluded-address 10.1.10.150 10.1.10.254
Branch(config)# ip dhcp excluded-address 10.1.20.1 10.1.20.99
Branch(config)# ip dhcp excluded-address 10.1.20.150 10.1.20.254

Step 2

Enter the following command on the Branch router.

Branch# copy running-config startup-config

Task 3: Configure DHCP Relay Agent


Step 1

Use the following commands to remove the DHCP pool configuration:


Branch(config)# no ip dhcp pool VLAN10
Branch(config)# no ip dhcp pool VLAN20

Step 3

Configure the DHCP relay agent using the ip helper-address command on both subinterfaces, as indicated
in the output:
Branch(config)# interface GigabitEthernet 0/0.10
Branch(config-subif)# ip helper-address 172.16.1.100
Branch(config-subif)# exit
Branch(config)# interface GigabitEthernet 0/0.20
Branch(config-subif)# ip helper-address 172.16.1.100

Step 4
Enter the following commands on the Branch router.

Branch# copy running-config startup-config

Step 5

Release the current DHCP lease using the ipconfig /release command.

Lab 4-3: Implementing OSPF

Task 1: Connect the Router to the WAN


Step 2

Enter this sequence of commands on the Branch router:

Branch# configure terminal
Branch(config)# interface GigabitEthernet0/1
Branch(config-if)# no ip nat outside
Branch(config-if)# no ip address dhcp

Step 3

Enter this command on the Branch router:

Branch(config-if)# ip address 192.168.1.1 255.255.255.0

Task 2: Configure OSPF


Step 1

Enter this sequence of commands on the Branch router:


Branch(config)# router ospf 100
Branch(config-router)# network 10.1.1.0 0.0.0.255 area 0
Branch(config-router)# network 10.1.10.0 0.0.0.255 area 0
Branch(config-router)# network 10.1.20.0 0.0.0.255 area 0
Branch(config-router)# network 192.168.1.0 0.0.0.255 area 0

Lab 5-1: Configure and Verify Basic IPv6


Task 1: Enable IPv6 on the Router
Step 1

Enter this command on the Branch router:


Branch(config)# ipv6 unicast-routing

Step 2

Enter these commands on the Branch router:

Branch(config)# interface GigabitEthernet 0/1
Branch(config-if)# ipv6 address 2001:db8:D1A5:C900::1/64

Step 3

Enter the following command on the Branch router:

Branch# copy running-config startup-config

Lab 5-2: Configure and Verify Stateless Autoconfiguration

Task 1: Enable Stateless Autoconfiguration on the Router


Step 2

Enter these commands on the Branch router:

Branch(config)# interface GigabitEthernet 0/1
Branch(config-if)# no ipv6 address 2001:DB8:D1A5:C900::1/64

Step 3

Enter these commands on the Branch router:

Branch(config)# interface GigabitEthernet 0/1
Branch(config-if)# ipv6 address autoconfig

Lab 5-3: Configure and Verify IPv6 Routing


Task 1: Enable IPv6 Static Routing
Step 3

Enter this command on the Branch router:


Branch(config)# ipv6 route ::/0 Gi0/1 2001:DB8:D1A5:C900::2

Task 2: Enable OSPFv3


Step 1

Enter this command on the Branch router:

Branch(config)# no ipv6 route ::/0 Gi0/1 2001:DB8:D1A5:C900::2

Step 2

Enter these commands on the Branch router:

Branch(config)# ipv6 router ospf 1
Branch(config-rtr)# router-id 0.0.0.2

Step 3

Enter these commands on the Branch router:

Branch(config)# interface GigabitEthernet 0/1
Branch(config-if)# ipv6 ospf 1 area 0

Lab S-1: ICND1 Superlab

Task 1: Configure Basic Settings, VLANs, Trunks, and Port Security on Switches
Step 2

Enter the following commands on the SW1 and SW2 switches:

SW1# erase startup-config
SW1# delete vlan.dat
SW1# reload

SW2# erase startup-config
SW2# delete vlan.dat
SW2# reload

Step 3

Enter the following commands on the SW1 switch:


Switch# configure terminal
Switch(config)# hostname SW1

Enter the following commands on the SW2 switch:


Switch# configure terminal
Switch(config)# hostname SW2

Step 4

Enter the following commands on the SW1 switch:

SW1(config-if)# interface vlan 1
SW1(config-if)# ip address 10.1.1.11 255.255.255.0
SW1(config-if)# no shutdown

Enter the following commands on the SW2 switch:

SW2(config-if)# interface vlan 1
SW2(config-if)# ip address 10.1.1.12 255.255.255.0
SW2(config-if)# no shutdown

Step 5

Enter the following commands on the SW1 switch:


SW1(config)# enable secret cisco

Enter the following commands on the SW2 switch:


SW2(config)# enable secret cisco

Step 6
Enter the following commands on the SW1 switch:

SW1(config)# line con 0
SW1(config-line)# password cisco
SW1(config-line)# login
SW1(config-line)# logging synchronous

Enter the following commands on the SW2 switch:

SW2(config)# line con 0
SW2(config-line)# password cisco
SW2(config-line)# login
SW2(config-line)# logging synchronous

Step 7

Enter the following commands on the SW1 switch:

SW1(config)# ip domain-name cisco.com
SW1(config)# crypto key generate rsa
SW1(config)# ip ssh version 2
SW1(config)# line vty 0 4
SW1(config-line)# transport input ssh telnet

Enter the following commands on the SW2 switch:

SW2(config)# ip domain-name cisco.com
SW2(config)# crypto key generate rsa
SW2(config)# ip ssh version 2
SW2(config)# line vty 0 4
SW2(config-line)# transport input ssh telnet

Step 8

Enter the following commands on the SW1 switch:

SW1(config)# username ccna password cisco
SW1(config)# line vty 0 4
SW1(config-line)# login local

Enter the following commands on the SW2 switch:

SW2(config)# username ccna password cisco
SW2(config)# line vty 0 4
SW2(config-line)# login local

Step 9
Enter the following commands on the SW1 switch:

SW1(config)# vlan 10
SW1(config-vlan)# exit
SW1(config)# vlan 20

Enter the following commands on the SW2 switch:


SW2(config)# vlan 10
SW2(config-vlan)# exit
SW2(config)# vlan 20

Step 10

Enter the following commands on the SW1 switch:

SW1(config)# interface FastEthernet0/3
SW1(config-if)# switchport mode trunk
SW1(config-if)# switchport trunk allowed vlan 1,10,20
SW1(config)#
SW1(config)# interface FastEthernet0/4
SW1(config-if)# shutdown

Enter the following commands on the SW2 switch:

SW2(config)# interface FastEthernet0/3
SW2(config-if)# switchport mode trunk
SW2(config-if)# switchport trunk allowed vlan 1,10,20
SW2(config)#
SW2(config)# interface FastEthernet0/4
SW2(config-if)# shutdown

Step 11

Enter the following commands on the SW1 switch:

SW1(config)# interface FastEthernet0/1
SW1(config-if)# switchport mode access
SW1(config-if)# switchport access vlan 10

Step 12

Enter the following commands on the SW1 switch:

SW2(config)# interface FastEthernet0/1
SW2(config-if)# switchport mode access
SW2(config-if)# switchport access vlan 20

Step 19

Enter the following commands on the SW1 switch:


SW1# configure terminal
SW1(config)# interface FastEthernet0/1
SW1(config-if)# switchport port-security violation protect
SW1(config-if)# switchport port-security maximum 1
SW1(config-if)# switchport port-security mac-address 000c.293b.709d
SW1(config-if)# switchport port-security

Enter the following commands on the SW2 switch:

SW2# configure terminal
SW2(config)# interface FastEthernet0/1
SW2(config-if)# switchport port-security violation protect
SW2(config-if)# switchport port-security maximum 1
SW2(config-if)# switchport port-security mac-address 000c.29a8.a05a
SW2(config-if)# switchport port-security

Task 2: Configure Inter-VLAN Routing


Step 2

Enter the following commands on the Branch router:


Branch# erase startup-config
Branch# reload

Step 3

Enter the following commands on the Branch router:


Router# configure terminal
Router(config)# hostname Branch

Step 4

Enter the following command on the Branch router:


Branch(config)# enable secret cisco

Step 5
Enter the following commands on the Branch router:

Branch(config)# line con 0
Branch(config-line)# password cisco
Branch(config-line)# login
Branch(config-line)# logging synchronous

Step 6

Enter the following commands on the Branch router:


Branch(config)# line vty 0 4
Branch(config-line)# password cisco
Branch(config-line)# login

Step 7

Enter the following commands on the Branch router:

Branch(config)# interface GigabitEthernet0/0
Branch(config-if)# no shutdown
Branch(config)#
Branch(config-if)# interface GigabitEthernet0/0.1
Branch(config-subif)# encapsulation dot1Q 1 native
Branch(config-subif)# ip address 10.1.1.1 255.255.255.0
Branch(config)#
Branch(config-subif)# interface GigabitEthernet0/0.10
Branch(config-subif)# encapsulation dot1Q 10
Branch(config-subif)# ip address 10.1.10.1 255.255.255.0
Branch(config)#
Branch(config-subif)# interface GigabitEthernet0/0.20
Branch(config-subif)# encapsulation dot1Q 20
Branch(config-subif)# ip address 10.1.20.1 255.255.255.0

Step 9

Enter the following commands on the SW1 switch:

SW1# configure terminal
SW1(config)# interface FastEthernet0/13
SW1(config-if)# switchport mode trunk
SW1(config-if)# switchport trunk allowed vlan 1,10,20

Task 3: Configure Internet Connectivity

Step 2
Enter the following commands on the Branch router:

Branch# configure terminal
Branch(config)# interface GigabitEthernet0/1
Branch(config-if)# ip address 209.165.201.1 255.255.255.224
Branch(config-if)# no shutdown

Step 3

Enter the following command on the Branch router:

Branch(config)# ip route 0.0.0.0 0.0.0.0 209.165.201.2

Step 4

Enter the following commands on the Branch router:

Branch(config)# access-list 1 permit 10.1.10.0 0.0.0.255
Branch(config)# access-list 1 permit 10.1.20.0 0.0.0.255

Step 5

Enter the following commands on the Branch router:

Branch(config)# ip nat inside source list 1 interface GigabitEthernet0/1 overload
Branch(config)# interface GigabitEthernet0/1
Branch(config-if)# ip nat outside
Branch(config-subif)#
Branch(config-if)# interface GigabitEthernet0/0.10
Branch(config-subif)# ip nat inside
Branch(config-subif)#
Branch(config-subif)# interface GigabitEthernet0/0.20
Branch(config-subif)# ip nat inside

Step 6

Enter the following commands on the Branch router:

Branch(config)# ip access-list extended OUTSIDE
Branch(config-ext-nacl)# deny tcp any gt 1024 any
Branch(config-ext-nacl)# deny udp any gt 1024 any
Branch(config-ext-nacl)# permit ip any any
Branch(config)#
Branch(config)# interface GigabitEthernet0/1
Branch(config-if)# ip access-group OUTSIDE in

Task 4: Configure WAN Connectivity and a Dynamic Routing Protocol
Step 2
Enter the following commands on the Branch router:

Branch# telnet 209.165.201.2
Trying 209.165.201.2 ... Open
HQ#

Step 3

Enter the following commands on the HQ router:

HQ# configure terminal
HQ(config)# interface GigabitEthernet0/1
HQ(config-if)# ip address 192.168.1.2 255.255.255.0

Step 4

Enter the following commands on the Branch router:

Branch# configure terminal
Branch(config)# interface GigabitEthernet0/1
Branch(config-if)# no ip nat outside

Step 5

Enter the following commands on the Branch router:

Branch# configure terminal
Branch(config)# interface GigabitEthernet0/1
Branch(config-if)# ip address 192.168.1.1 255.255.255.0

Step 6

Enter the following commands on the Branch router:

Branch(config)# interface Loopback10
Branch(config-if)# ip address 10.100.100.100 255.255.255.255

Each router running OSPF requires a router ID. The router ID is the highest IP address on a loopback
interface, if one is configured, or otherwise the highest IP address on any interface. Because a loopback
interface is stable and cannot go down, configuring a loopback interface to supply the OSPF router ID is
recommended.

Step 7

Enter the following command on the Branch router:

Branch(config)# router ospf 1

Step 8

Enter the following commands on the Branch router:

Branch(config-router)# network 192.168.1.0 0.0.0.255 area 0
Branch(config-router)# network 10.1.1.0 0.0.0.255 area 0
Branch(config-router)# network 10.1.10.0 0.0.0.255 area 0
Branch(config-router)# network 10.1.20.0 0.0.0.255 area 0
Branch(config-router)# network 10.100.100.100 0.0.0.0 area 0

Task 5: Configure IPv6 Connectivity in the LAN


Step 2

Enter the following commands on the Branch router:


Branch# configure terminal
Branch(config)# ipv6 unicast-routing

Step 3

Enter the following commands on the Branch router:

Branch(config-if)# interface GigabitEthernet0/0.1
Branch(config-subif)# ipv6 address 2001:db8:0A01:100::1/64
Branch(config-subif)# interface GigabitEthernet0/0.10
Branch(config-subif)# ipv6 address 2001:db8:0A01:A00::1/64
Branch(config-subif)# interface GigabitEthernet0/0.20
Branch(config-subif)# ipv6 address 2001:db8:0A01:1400::1/64

Step 1

The link-local IPv6 address is the same on all subinterfaces because the link-local IPv6 address is derived
from the MAC address, which is the same on all subinterfaces. All subinterfaces use the MAC address of
the physical interface.
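
Added example, not part of the original lab guide: the derivation behind this answer, assuming the modified EUI-64 method of RFC 4291 for building the interface identifier from the MAC address. The MAC address is a constructed sample value; the global prefixes are the ones configured in Task 5.

```python
import ipaddress

# Constructed sample MAC of the physical interface GigabitEthernet0/0.
PHYSICAL_MAC = "0011.2233.4455"

# Global addresses configured on the subinterfaces in Task 5.
SUBINTERFACES = {
    "GigabitEthernet0/0.1": "2001:db8:0A01:100::1/64",
    "GigabitEthernet0/0.10": "2001:db8:0A01:A00::1/64",
    "GigabitEthernet0/0.20": "2001:db8:0A01:1400::1/64",
}

def mac_to_bytes(mac: str) -> bytes:
    """Accept aa:bb:cc:dd:ee:ff, aa-bb-cc-dd-ee-ff or Cisco aabb.ccdd.eeff."""
    digits = "".join(c for c in mac if c not in ":-.")
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return bytes.fromhex(digits)

def eui64_interface_id(mac: str) -> bytes:
    """Modified EUI-64: flip the universal/local bit, insert ff:fe in the middle."""
    raw = mac_to_bytes(mac)
    return bytes([raw[0] ^ 0x02]) + raw[1:3] + b"\xff\xfe" + raw[3:6]

def link_local(mac: str) -> ipaddress.IPv6Address:
    """fe80::/64 prefix followed by the 64-bit interface identifier."""
    prefix = bytes.fromhex("fe80") + bytes(6)
    return ipaddress.IPv6Address(prefix + eui64_interface_id(mac))

def subinterface_addresses(mac: str, subifs: dict) -> dict:
    """Map each subinterface to (global address, link-local address).

    Every subinterface inherits the MAC of the physical interface, so the
    link-local address is computed from the same input each time.
    """
    return {
        name: (ipaddress.IPv6Interface(addr), link_local(mac))
        for name, addr in subifs.items()
    }

if __name__ == "__main__":
    for name, (glob, ll) in subinterface_addresses(PHYSICAL_MAC, SUBINTERFACES).items():
        print(f"{name:<24} global={glob}  link-local={ll}")
```
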

Step 2
The default gateway on the PC is the link-local IPv6 address of the router's directly connected interface
(GigabitEthernet0/0.10).
Step 6
The default gateway on the PC is the link-local IPv6 address of the router's directly connected interface
(GigabitEthernet0/0.20).

Task 6: Configure the OSPFv3 Routing Protocol


Step 2

Enter the following commands on the Branch router:


Branch# telnet 192.168.1.2
Trying 192.168.1.2 ... Open
HQ#

Step 3

Enter the following commands on the HQ router:

HQ# configure terminal
HQ(config)# interface GigabitEthernet0/1
HQ(config-if)# no ipv6 address 2001:DB8:D1A5:C900::2/64
HQ(config-if)# ipv6 address 2001:db8:c0a8:100::2/64
HQ(config-if)# ipv6 ospf 1 area 0
HQ(config-if)# end
HQ# exit

Step 4

Enter the following commands on the Branch router:

Branch# configure terminal
Branch(config)# interface GigabitEthernet0/1
Branch(config-if)# ipv6 address 2001:db8:c0a8:100::1/64

Step 1

The HQ router ID is 0.0.0.1. OSPFv3 uses an IPv4 address-like format for the router ID.

Step 2

The Branch router ID is 10.100.100.100, which is the IPv4 address on the Loopback0 interface. OSPFv3
uses the same mechanisms as OSPF to determine the router ID.
