Interconnecting Cisco Networking Devices, Part 1
Volume 1
Version 2.0
Lab Guide
Part Number: 97-3244-01
Cisco has more than 200 offices worldwide. Addresses, phone numbers, and fax numbers are listed on the Cisco Website at
www.cisco.com/go/offices.
Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To
view a list of Cisco trademarks, go to this URL: www.cisco.com/go/trademarks. Third party trademarks mentioned are the property
of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other
company. (1110R)
DISCLAIMER WARRANTY: THIS CONTENT IS BEING PROVIDED AS IS. CISCO MAKES AND YOU RECEIVE NO
WARRANTIES IN CONNECTION WITH THE CONTENT PROVIDED HEREUNDER, EXPRESS, IMPLIED, STATUTORY OR IN
ANY OTHER PROVISION OF THIS CONTENT OR COMMUNICATION BETWEEN CISCO AND YOU. CISCO SPECIFICALLY
DISCLAIMS ALL IMPLIED WARRANTIES, INCLUDING WARRANTIES OF MERCHANTABILITY, NON-INFRINGEMENT AND
FITNESS FOR A PARTICULAR PURPOSE, OR ARISING FROM A COURSE OF DEALING, USAGE OR TRADE PRACTICE.
This learning product may contain early release content, and while Cisco believes it to be accurate, it falls subject to the
disclaimer above.
Task 2: Configure the Switch with a Hostname and an IP Address L8
Task 3: Explore Context-Sensitive Help L10
Task 4: Improve the Usability of the CLI L11
Lab 1-2: Troubleshooting Switch Media Issues L13
Visual Objective L14
Required Resources L14
Command List L15
Job Aids L15
Task 1: Lab Setup L16
Task 2: Troubleshoot Connectivity Between Computer PC1 and Switch SW1 L17
Task 3: Troubleshoot Connectivity Between Switch SW1 and the Branch Router L18
Lab 2-1: Performing Initial Router Setup and Configuration L19
Visual Objective L20
Job Aids L75
Task 1: Disable Unused Ports L77
Task 2: Configure Port Security on a Switch L78
Task 3: Disable Unused Services L81
Task 4: Configure NTP L83
Lab 3-3: Filtering Traffic with ACLs L85
Visual Objective L86
Required Resources L86
Command List L87
Job Aids L87
Task 1: Configure an ACL L88
Task 2: Lab Setup L95
Task 3: Troubleshoot an ACL L96
Lab 4-1: Configuring Expanded Switched Networks L111
Task 1: Enable IPv6 on the Router L150
Lab 5-2: Configure and Verify Stateless Autoconfiguration L153
Visual Objective L154
Required Resources L154
Command List L155
Job Aids L155
Task 1: Enable Stateless Autoconfiguration on the Router L156
Lab 5-3: Configure and Verify IPv6 Routing L161
Visual Objective L162
Required Resources L162
Command List L163
Job Aids L163
Task 1: Enable IPv6 Static Routing L164
Startup and Initial Configuration
Activity Overview
Objectives
In this activity, you will observe the switch boot procedure and perform basic switch configuration. After
you have completed this activity, you will be able to meet these objectives:
[Figure: lab topology with Branch, Server, HQ, PC1, PC2, SW1 and SW2; detail shows PC1 and SW1. 2013 Cisco Systems, Inc.]
Command List
The table describes the commands that are used in this activity. The commands are listed in alphabetical
order so that you can easily locate the information that you need. Refer to this list if you need configuration
command assistance during the lab activity.
Cisco IOS Switch Commands
Command                              Description
? or help                            In user EXEC mode, lists the subset of commands that are available at that level
configure terminal                   Activates the configuration mode from the terminal
copy running-config destination      Copies the switch running configuration file to another destination. A typical destination is the startup configuration.
history size number                  Sets the number of lines that are held in the history buffer for recall. Two separate buffers are used: one for EXEC mode commands and the other for configuration mode commands
hostname hostname                    Sets the system name, which forms part of the prompt
interface vlan 1                     Enters interface configuration mode for VLAN 1 to set the switch management IP address
ip address ip-address subnet-mask    Sets the IP address and mask of the interface
reload                               Restarts the switch and reloads the Cisco IOS operating system and configuration
show flash:                          Displays the layout and contents of a flash memory file system
show startup-config                  Displays the startup configuration settings that are saved in NVRAM
show version                         Displays the configuration of the switch hardware and the various software versions
Job Aids
These job aids are available to help you complete the lab activity.
The table shows the hardware that is used in the lab and the operating system that is running on the devices.
Device    Hardware                       Operating System
SW1       Catalyst 2960 Series Switch    c2960-lanbasek9-mz.150-1.SE3
There are no console or enable passwords set for the router and switch in the initial lab setup. The table
shows the username and password that are used to access PC1.
[Figure: PC1 (10.1.1.100) connected to SW1 (10.1.1.11) on Fa0/1]
The table shows the interface identification and IP addresses that are used in this lab setup.
connection
In this task, you will use the erase startup-config command to ensure that the switch has no prior
configuration in the startup-config file. You will then reload the switch software and observe the output that
is generated during the reload. Finally, you will investigate the properties of the switch.
Activity Procedure
Complete the following steps:
Step 1
Access the CLI of switch SW1 and enter user EXEC mode.
You will be provided with information about how to access the lab equipment.
To see the effect of entering a privileged-level command in user EXEC mode, enter the command erase
startup-config.
What was the result of issuing the command in an incorrect EXEC mode?
Step 3
Enter privileged EXEC mode.
How do you know if you are in privileged EXEC mode and not user EXEC mode?
Step 4
Erase the startup configuration. Because the switch also stores a small part of the configuration in the file,
vlan.dat, stored in flash memory, delete it before performing a reload. Observe the output during the reload.
Step 5
Press Enter when the switch boots and skip the initial configuration dialog. You will know when the switch
has finished booting when you see "Press RETURN to get started!" in the console output.
How do you know that the startup configuration has been erased?
Step 6
Using the appropriate show command, investigate the switch model number, software version, and amount
of RAM and flash memory.
Activity Verification
You have completed this task when you attain these results:
You performed a switch reload.
You verified that the switch is unconfigured.
Activity Procedure
Complete the following steps:
Step 1
Change the hostname of the switch to SW1.
Step 2
Assign an IP address to the VLAN 1 interface on switch SW1. Be sure that you assign the correct IP
address, as described in the Job Aids section in the beginning of the lab document.
Note Configuring the IP address on the switch is not mandatory to start the switch running, but it is necessary
for remote management access to the switch.
Step 3
Access PC1. Use the username and password that are described in the Job Aids section to log in.
Assign the IP address of PC1, as listed in the Job Aids section. Leave the default gateway empty.
Step 5
From PC1, ping the VLAN 1 IP address of SW1 to confirm Layer 3 connectivity.
Activity Verification
You have completed this task when you attain these results:
Activity Procedure
Complete the following steps:
Step 1
On switch SW1, enter privileged EXEC mode and enter ? (or help) to list the available commands.
Step 2
Using the ? command, set the clock on the switch to the current time and date.
Note Pressing the Tab key automatically completes the command if the characters that you have entered are
not ambiguous.
Step 3
Verify the current date and time using the appropriate show command.
Step 4
Type the following comment line at the prompt and then press Enter:
Note An exclamation point (!) at the beginning of the line indicates that you are entering a comment. The
comment will not be part of the switch configuration. Comments are a great help when you are working
Step 5
Press Ctrl-P or press the Up Arrow key to see the previous line. Use the editor commands Ctrl-A, Ctrl-F,
Ctrl-E, and Ctrl-B to move along the line, and use the Backspace key to delete unwanted characters.
Using the editing commands, correct the comment line to read:
Activity Verification
You have completed this task when you attain these results:
You used the system help and command-completion functions.
You used the built-in editor and the keystrokes for cursor navigation.
L10 Interconnecting Cisco Networking Devices, Part 1 2013 Cisco Systems, Inc.
Task 4: Improve the Usability of the CLI
In this task, you will enter commands to improve the usability of the CLI. You will increase the number of
lines in the history buffer, increase the inactivity timer on the console port, and stop the attempted name
resolution of mistyped commands.
Activity Procedure
Complete the following steps:
Step 1
Using the show terminal command, verify that history is enabled, and determine the current history size for
the console line.
Step 2
Change the history size to 100 for the console line and verify that the change has taken place.
Note Alternatively, you could use the begin keyword. You will see the output beginning from the first match.
Step 3
The no ip domain lookup command disables the resolution of symbolic names. If you mistype a command,
the system will not try to translate it into an IP address (an attempt that takes about 5 seconds to time out).
Disable IP domain lookup.
Step 4
The default console access EXEC timeout is set to 10 minutes. After 10 minutes of inactivity, the user is
disconnected from console access and is required to reconnect. Change this timer to 60 minutes.
Note Make sure that you are in console line configuration mode. To execute user EXEC or privileged EXEC
commands from global configuration mode or other configuration modes or submodes, use the do
command in any configuration mode.
Step 5
The logging synchronous command synchronizes unsolicited messages and debug output with the input
from the CLI. Without it, if you are in the middle of typing a command, status
messages will appear where you are typing. Enable synchronous logging on line console 0.
Step 6
Lab 1-2: Troubleshooting Switch Media Issues
Activity Overview
Objectives
In this activity, you will use troubleshooting guidelines to isolate and correct switch media issues. After
[Figure: lab topology with Branch, Server, HQ, PC1, PC2, SW1 and SW2, with Troubleshooting Task 1 and Troubleshooting Task 2 marked]
Required Resources
These are the resources and equipment that are required to complete this activity:
Successful completion of Lab 1-1: Performing Switch Startup and Initial Configuration
Command List
The table describes the commands that are used in this activity. The commands are listed in alphabetical
order so that you can easily locate the information that you need. Refer to this list if you need configuration
command assistance during the lab activity.
Commands
Command                               Description
configure terminal                    Enters global configuration mode
copy running-config startup-config    Saves the running configuration into NVRAM as the startup configuration
duplex full                           Enables full duplex on an interface
enable                                Enters the privileged EXEC mode command interpreter
interface FastEthernet 0/13           Specifies interface FastEthernet 0/13 and enters interface configuration mode
ping ip-address                       Uses ICMP echo requests and ICMP echo replies to determine whether a remote host is reachable
show interfaces FastEthernet 0/13     Displays information about interface FastEthernet 0/13
show ip interface brief               Displays a brief summary of the interfaces on a device, which is useful for quickly checking the status of the device
Job Aids
These job aids are available to help you complete the lab activity.
The table shows the hardware that is used in the lab and the operating system that is running on the devices.
There are no console or enable passwords set for the router and switch in the initial lab setup. The table
shows the username and password that are used to access PC1.
[Figure: Branch router Gi0/0 (10.1.1.1) connected to SW1 Fa0/13; PC1 (10.1.1.100) connected to SW1 (10.1.1.11) on Fa0/1]
The table shows the interface identification and IP addresses that are used in this lab setup.
Device Interface IP Address/Subnet Mask
In this setup task, you will load the configuration from the switch flash drive.
Activity Procedure
Complete these steps:
Step 1
You will be provided with information about accessing the lab equipment.
Step 2
Load the configuration file tshoot_media_issues_start.cfg from the flash drive of the switch.
At this point, you have loaded a configuration file that includes your trouble tickets, presented in Tasks 2
and 3.
Activity Verification
You have completed this task when you attain this result:
You loaded a configuration file from the switch flash drive.
Task 2: Troubleshoot Connectivity Between Computer PC1 and Switch SW1
In this task, you will troubleshoot connectivity problems between switch SW1 and computer PC1.
Activity Procedure
Complete the following steps:
Step 1
John calls you about an issue that he is experiencing while using PC1. He says that PC1 has no network
connectivity, and he insists that somebody unplugged his computer from the switch. The senior engineers
are out. You are the only one who can solve this problem right now. You have access only to switch SW1.
Determine whether or not you can ping PC1 from switch SW1. The IP address of PC1 is listed in the Job
Aids section of this document. Is there Layer 3 connectivity between the computer and the switch?
Step 2
What is the status of interface FastEthernet0/1 on switch SW1, which connects to PC1? What does this
status mean?
Note Use the ? command and the Tab key to help you with the command syntax.
Step 4
Save the configuration of switch SW1.
Why is it important at this stage to save the configuration?
Activity Verification
You have completed this task when you attain this result:
You identified and corrected the problem that was reported by the user on PC1.
Task 3: Troubleshoot Connectivity Between Switch SW1 and the Branch Router
In this task, you will troubleshoot connectivity problems between the Branch router and switch SW1. You
will correct the existing problem.
Activity Procedure
Complete the following steps:
Step 1
Your colleague informs you that switch SW1 is showing messages about duplex mismatch and they are
unable to prevent the messages. The senior engineers went out for lunch and left you alone to resolve this
issue. How do you solve the problem indicated by this message?
Using the appropriate show commands from the Command List section, identify the status of interface
FastEthernet0/13, which connects to the Branch router.
Step 2
Correct the issue that you identified. Do not forget to save the changes that you made.
Activity Verification
You have completed this task when you attain this result:
You identified and corrected the connectivity problem.
Lab 2-1: Performing Initial Router Setup and Configuration
Activity Overview
Objectives
In this activity, you will observe the router boot procedure and perform basic router configuration. After
completing this activity, you will be able to meet these objectives:
[Figure: lab topology with Branch, Server, HQ, PC1, PC2, SW1 and SW2]
Required Resources
No additional resources are required for this lab.
Command List
The table describes the commands that are used in this activity. The commands are listed in alphabetical
order so that you can easily locate the information that you need. Refer to this list if you need configuration
command assistance during the lab activity.
configure terminal                   Activates the configuration mode from the terminal.
copy running-config destination      Copies the running configuration file to another destination. A typical destination is the startup configuration.
description                          Adds a descriptive comment to the configuration of an interface.
enable                               Activates privileged EXEC mode. In privileged EXEC mode, more commands are available.
erase startup-config                 Erases the startup configuration that is stored in nonvolatile memory.
exec-timeout                         Sets the interval before the user session is disconnected when idle.
hostname hostname                    Sets the system name, which forms part of the prompt.
interface type module/slot/port      Specifies an interface and enters interface configuration mode.
ip address ip-address subnet-mask    Sets the IP address and mask of the interface.
logging synchronous                  Synchronizes the display of router output messages with the command-line prompt.
ping ip_address                      Uses ICMP echo requests and ICMP echo replies to determine
reload                               Restarts the router and reloads the Cisco IOS operating system.
show cdp neighbors [detail]          Displays brief information about discovered neighboring Cisco
show startup-config                  Displays the startup configuration settings that are saved in nonvolatile memory.
show version                         Displays the configuration of the router hardware and the various software versions.
Job Aids
These job aids are available to help you complete the lab activity.
There are no console or enable passwords set for the router and switch in the initial lab setup. The table
shows the username and password that are used to access PC1.
Device    Username         Password
PC1       Administrator    admin
Topology and IP Addressing
Devices are connected with Ethernet connections. The figure illustrates the interface identification and IP
addresses that are used in this lab setup.
[Figure: SW1 Fa0/13 uplink; PC1 (10.1.1.100) connected to SW1 (10.1.1.11) on Fa0/1]
The table shows the interface identification and IP addresses that are used in this lab setup.
Task 1: Inspect the Router Hardware and Software
In this task, you will first inspect the router hardware and software properties. You will verify that a startup
configuration exists and delete it. You will then reload the router and observe the output that is generated
during the reload.
Activity Procedure
Complete the following steps:
Step 1
Access the CLI of router Branch and enter privileged EXEC mode.
Step 2
Use the correct verification command to display hardware and software properties. Find and write down the
following information:
Router model
Serial number
RAM
Flash
Software version
Use the show version command in privileged EXEC mode on the Branch router to display information about
the currently loaded software, along with hardware and device information.
Router#show version
Cisco IOS Software, C2900 Software (C2900-UNIVERSALK9-M), Version 15.2(4)M1,
RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2012 by Cisco Systems, Inc.
Compiled Thu 26-Jul-12 20:54 by prod_rel_team
ROM: System Bootstrap, Version 15.0(1r)M15, RELEASE SOFTWARE (fc1)
Use the correct show command to verify that the router has a startup configuration. If it has, erase the
startup configuration by issuing the erase startup-config command.
Router#erase startup-config
Erasing the nvram filesystem will remove all configuration files! Continue?
[confirm]
[OK]
Erase of nvram: complete
Router#
After you have erased the startup configuration, verify that it no longer exists.
Router#show startup-config
startup-config is not present
Step 4
Reload the router and observe the console output during startup.
Router#reload
Proceed with reload? [confirm]
Activity Verification
You have completed this task when you attain these results:
You collected hardware and software device information.
You erased the startup configuration.
You reloaded the router and observed the startup output.
Activity Procedure
Complete the following steps:
Step 1
Skip the initial configuration dialog, terminate the autoinstall, and enter privileged EXEC mode.
Step 2
Set the router host name to Branch. The prompt will reflect the new hostname.
Step 3
Enable interface GigabitEthernet0/0 and set its description to Link to LAN Switch.
Step 4
Configure the IP address 10.1.1.1 on the interface. Use a subnet mask of 255.255.255.0.
Step 5
Return to privileged EXEC mode and verify GigabitEthernet0/0 interface status, interface
description, and correct IP address assignment by using a suitable verification command.
<output omitted>
Step 6
Activity Verification
You have completed this task when you attain these results:
Step 1
Branch#
You verified IP connectivity between router Branch and PC1 by using ICMP ping:
Branch#ping 10.1.1.100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.100, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/1/4 ms
The ping should be successful.
Note The ping might fail due to slow STP convergence on the SW1 switch. If the ping fails, try to issue another
ping after a few seconds.
Note The first ICMP packet could time out because ARP needs to obtain Layer 2 addressing before the
packet can be sent out of the interface.
Activity Procedure
Step 1
Change the EXEC timeout on the console line, which is set to 10 minutes by default, to a value of 60
minutes.
Step 2
Status: PSI Enabled, Ready, Active, Automore On
Capabilities: none
Modem state: Ready
RJ45 Console is in use
USB Console baud rate = 9600
Modem hardware state: CTS* noDSR DTR RTS
Special Chars: Escape Hold Stop Start Disconnect Activation
^^x none - - none
Timeouts: Idle EXEC Idle Session Modem Answer Session Dispatch
01:00:00 never none not set
Idle Session Disconnect Warning
never
Login-sequence User Response
00:00:30
Autoselect Initial Wait
not set
<output omitted>
Step 3
Improve the readability of the console access by synchronizing unsolicited messages and debug outputs
with the input from the CLI.
Step 4
Disable the resolution of symbolic names to prevent the system from attempting to translate a mistyped
command into an IP address.
Step 5
Activity Verification
You have completed this task when you attain these results:
You have set the inactivity timeout on the console line to 60 minutes.
You have enabled synchronous logging on the console line.
You have disabled resolution of symbolic names.
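The three console settings verified here (and in Task 4 of Lab 1-1, which also sets the history size) can be checked offline against a saved configuration. The following Python is an added example, not part of the lab guide; the sample configuration is constructed and the function names are assumptions of this example.

```python
import re

# Constructed running-config excerpt (not output captured from the lab equipment).
SAMPLE_CONFIG = """\
hostname Branch
!
no ip domain lookup
!
line con 0
 exec-timeout 60 0
 logging synchronous
 history size 100
line vty 0 4
 login
!
end
"""

# Console default stated in the guide: 10 minutes.
DEFAULT_EXEC_TIMEOUT_S = 10 * 60


def parse_sections(config_text):
    """Map each top-level config line to the list of its indented sub-commands."""
    sections, current = {}, None
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line == "!":
            continue
        if raw[0].isspace() and current is not None:
            sections[current].append(line)
        else:
            current = line
            sections.setdefault(current, [])
    return sections


def audit_console(config_text, want_timeout_min=60, want_history=None):
    """Report the console usability settings and whether they match the lab target."""
    sections = parse_sections(config_text)
    console = sections.get("line con 0", [])

    timeout_s = DEFAULT_EXEC_TIMEOUT_S  # used when no exec-timeout line is present
    history = None
    for cmd in console:
        m = re.fullmatch(r"exec-timeout (\d+)(?: (\d+))?", cmd)
        if m:
            timeout_s = int(m.group(1)) * 60 + int(m.group(2) or 0)
        m = re.fullmatch(r"history size (\d+)", cmd)
        if m:
            history = int(m.group(1))

    result = {
        "exec_timeout_s": timeout_s,  # 0 means the session never times out
        "logging_synchronous": "logging synchronous" in console,
        # Both spellings of the command are accepted.
        "domain_lookup_disabled": any(
            top in sections for top in ("no ip domain lookup", "no ip domain-lookup")
        ),
        "history_size": history,
    }
    result["compliant"] = (
        timeout_s == want_timeout_min * 60
        and result["logging_synchronous"]
        and result["domain_lookup_disabled"]
        and (want_history is None or history == want_history)
    )
    return result


if __name__ == "__main__":
    for key, value in audit_console(SAMPLE_CONFIG, want_history=100).items():
        print(f"{key}: {value}")
```

A 60-minute idle timeout on a console with no password is a lab convenience; the same audit can be pointed at a stricter target by changing want_timeout_min.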
Activity Procedure
Complete the following steps:
Step 1
On the Branch router, issue the show cdp command to verify that Cisco Discovery Protocol is enabled and
to display its global information.
Branch#show cdp
Global CDP information:
Sending CDP packets every 60 seconds
Sending a holdtime value of 180 seconds
Sending CDPv2 advertisements is enabled
Step 2
Enter the Cisco Discovery Protocol verification command to display all known neighboring Cisco devices.
Write down the information about the discovered neighbors in the table:
The information that you gather about the local and remote interfaces that are used reveals how neighboring
devices are physically interconnected.
On the Branch router, use the show cdp neighbors command to display all neighboring Cisco devices:
Use the Cisco Discovery Protocol verification command with the keyword detail to display additional
information about other Cisco devices. Write down the IP address of a neighboring switch, with exact
information about its platform and software version.
Lab 2-2: Connecting to the Internet
Activity Overview
Objectives
In this activity, you will establish Internet connectivity by enabling static routing, DHCP, and NAT. After
[Figure: lab topology with Branch, Server, HQ, PC1, PC2, SW1 and SW2; detail shows the Inside network (PC1, PC2, SW1), the Outside Internet and Server, and the label "Configure static and DHCP-obtained IP addresses."]
Required Resources
No additional resources are required for this lab.
Command List
The table describes the commands that are used in this activity. The commands are listed in alphabetical
order so that you can easily locate the information that you need. Refer to this list if you need configuration
command assistance during the lab activity.
Command                                                               Description
access-list acl_id permit network wildcard_mask                       Configures a standard ACL that permits a network
configure terminal                                                    Enters global configuration mode
debug ip icmp                                                         Enables debugging of ICMP packets
interface interface                                                   Enters interface configuration mode
ip address dhcp                                                       Configures an interface to obtain an IP address using DHCP
ip nat inside                                                         Configures an interface as NAT inside interface
ip nat inside source list acl_id pool pool_name                       Configures a dynamic source NAT rule that translates addresses into IP addresses defined in the pool
ip nat inside source list acl_id interface interface_name overload    Configures a dynamic source NAT or PAT rule that translates addresses into the IP address of an interface
netmask mask
Job Aids
These job aids are available to help you complete the lab activity.
The table shows the hardware that is used in the lab and the operating system that is running on the devices.
There are no console or enable passwords set for the routers and switches in the initial lab setup. The table
shows the username and password that are used to access PC1 and PC2.
Device    Username         Password
PC1       Administrator    admin
Topology and IP Addressing
Devices are connected with Ethernet links. The figure illustrates the interface identification and IP
addresses that are used in this lab setup.
[Figure: Branch Gi0/1 (209.165.201.1) to HQ Gi0/1 (209.165.201.2) across the Internet; Server 172.16.1.100 behind HQ; Branch Gi0/0 (10.1.1.1) to SW1 Fa0/13; SW1 VLAN 1: 10.1.1.11; PC1 (10.1.1.100) on SW1 Fa0/1; PC2 (10.1.1.101) on SW1 Fa0/3]
The table shows the interface identification and IP addresses that are used in this lab setup.
Device    Interface    IP Address/Subnet Mask
HQ        Gi0/1        209.165.201.2/27
HQ        Loopback0    172.16.1.100/24
Default Route
In this task, you will configure an IP address on the Internet-facing interface of the Branch router. You will
also configure a static default route on the Branch router to reach Internet networks. Then you will verify
connectivity between the Branch router, HQ router, and server.
Activity Procedure
Complete the following steps:
Step 1
Access the Branch router.
Step 2
You should see that only GigabitEthernet0/0 is up and configured with an IP address.
Step 3
Enable the GigabitEthernet0/1 interface. Manually assign the 209.165.201.1 IP address to the interface. Use
a mask of 255.255.255.224.
GigabitEthernet0/2 unassigned YES NVRAM administratively down down
Serial0/0/0 unassigned YES manual administratively down down
The GigabitEthernet0/1 interface should be up and it should have an IP address configured.
Step 5
From the Branch router, ping the HQ router at 209.165.201.2.
Branch#ping 209.165.201.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 209.165.201.2, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/1/4 m
The ping should be successful, because the destination IP address is in a directly connected network.
Step 6
From the Branch router, ping the server at 172.16.1.100, which is behind the HQ router.
Branch#ping 172.16.1.100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.1.100, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
The ping should not be successful. What is the reason for an unsuccessful ping?
Step 7
Branch#show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
+ - replicated route, % - next hop override
Gateway of last resort is not set
10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C 10.1.1.0/24 is directly connected, GigabitEthernet0/0
L 10.1.1.1/32 is directly connected, GigabitEthernet0/0
209.165.201.0/24 is variably subnetted, 2 subnets, 2 masks
C 209.165.201.0/27 is directly connected, GigabitEthernet0/1
L 209.165.201.1/32 is directly connected, GigabitEthernet0/1
On the Branch router, configure a static default route that points to the next-hop IP address 209.165.201.2.
Step 9
Step 10
Branch#ping 172.16.1.100
The ping should be successful because you configured a static default route.
Branch#show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
+ - replicated route, % - next hop override
Gateway of last resort is 209.165.201.2 to network 0.0.0.0
S* 0.0.0.0/0 [1/0] via 209.165.201.2
10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C 10.1.1.0/24 is directly connected, GigabitEthernet0/0
L 10.1.1.1/32 is directly connected, GigabitEthernet0/0
209.165.201.0/24 is variably subnetted, 2 subnets, 2 masks
C 209.165.201.0/27 is directly connected, GigabitEthernet0/1
L 209.165.201.1/32 is directly connected, GigabitEthernet0/1
The default route is designated with S and an asterisk (*).
Step 12
Remove the previously configured static default route from the Branch router to prepare the router for the
next task.
Step 13
Verify the routing table on the Branch router again to make sure that no default route is present on the
router.
Branch#show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
Activity Verification
No additional verification is needed in this task.
Activity Procedure
Complete the following steps:
Step 1
Access the Branch router.
Step 2
Step 3
Save the running configuration to the startup configuration.
Step 4
The GigabitEthernet0/1 interface should be up and it should have an IP address that was configured through
Branch#show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       + - replicated route, % - next hop override
Gateway of last resort is 209.165.201.2 to network 0.0.0.0
S*    0.0.0.0/0 [254/0] via 209.165.201.2
      10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        10.1.1.0/24 is directly connected, GigabitEthernet0/0
L        10.1.1.1/32 is directly connected, GigabitEthernet0/0
      209.165.201.0/24 is variably subnetted, 2 subnets, 2 masks
C        209.165.201.0/27 is directly connected, GigabitEthernet0/1
L        209.165.201.3/32 is directly connected, GigabitEthernet0/1
You should see a default route present in the table. Where did the default route come from?
Step 6
Branch#ping 209.165.201.2
Type escape sequence to abort.
Step 7
Branch#ping 172.16.1.100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.1.100, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms
The ping should be successful because the Branch router received knowledge of the default gateway from
the DHCP server. The Branch router set the default route automatically and it set the route next-hop IP
address to the IP address of the default gateway.
Step 8
Access PC1.
Step 9
From PC1, ping the Branch router at its public IP address, which was obtained through DHCP.
C:\>ping 209.165.201.1
Pinging 209.165.201.1 with 32 bytes of data:
Reply from 209.165.201.1: bytes=32 time=1ms TTL=255
Reply from 209.165.201.1: bytes=32 time<1ms TTL=255
Reply from 209.165.201.1: bytes=32 time<1ms TTL=255
Reply from 209.165.201.1: bytes=32 time<1ms TTL=255
Ping statistics for 209.165.201.1:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 1ms, Average = 0ms
C:\>ping 172.16.1.100
Pinging 172.16.1.100 with 32 bytes of data:
Request timed out.
The ping should not be successful. In the next step, you will examine why the ping is not successful.
Step 11
Return to the Branch router and establish a remote Telnet session to the HQ router at 209.165.201.2. Enable
debugging of ICMP packets using the debug ip icmp command. Direct the output of the debug messages to
the Telnet session using the terminal monitor command. Leave the console window open.
Branch#telnet 209.165.201.2
Trying 209.165.201.2 ... Open
HQ#debug ip icmp
ICMP packet debugging is on
HQ#terminal monitor
Step 12
Return to PC1 and ping the server at 172.16.1.100 again. Return to the HQ Telnet session and observe the
debugging messages.
HQ#
Sep 7 13:18:27.881: ICMP: echo reply sent, src 172.16.1.100, dst 10.1.1.100, topology BASE, dscp 0 topoid 0
HQ#
Sep 7 13:18:32.853: ICMP: echo reply sent, src 172.16.1.100, dst 10.1.1.100, topology BASE, dscp 0 topoid 0
HQ#
Sep 7 13:18:37.857: ICMP: echo reply sent, src 172.16.1.100, dst 10.1.1.100, topology BASE, dscp 0 topoid 0
HQ#
Sep 7 13:18:42.861: ICMP: echo reply sent, src 172.16.1.100, dst 10.1.1.100, topology BASE, dscp 0 topoid 0
You should see one debugging message for each ping packet coming from PC1. You can see that the pings
actually reach the HQ router and replies are sent back to PC1. However, the HQ router is not aware of the
network that PC1 is coming from and therefore discards the returning packets. You can verify this
What solution could be implemented on the Branch router to overcome this problem?
Step 13
Return to the HQ Telnet session. Disable debugging and exit the Telnet session.
HQ#undebug all
All possible debugging has been turned off
HQ#exit
[Connection to 209.165.201.2 closed by foreign host]
Branch#
Activity Verification
No additional verification is needed in this task.
Activity Procedure
Complete the following steps:
Step 1
Step 2
Configure a standard ACL that allows the 10.1.1.0/24 network. Use 1 as the ACL identifier. This ACL will
be used to define networks that are eligible for NAT translations.
Step 3
Create a NAT pool with the following parameters:
Pool name NAT_POOL
How many hosts that require NAT can you accommodate at the same time using this NAT pool?
Step 4
Note When you enable the interface as NAT inside, the router will block for approximately 1 minute. After that,
you will see a log message about the router creating NVI0 interface. This interface is used internally by
the router to perform NAT.
Step 5
Step 6
Configure a dynamic source NAT rule that will translate inside hosts into the IP addresses that were defined
in the previously configured NAT pool. Use the previously configured ACL to specify hosts that are
eligible for translations, and use the previously configured NAT pool.
Step 7
Step 1
Access PC1. Open PuTTY by double-clicking the PuTTY icon and establish a remote Telnet session to the
server at 172.16.1.100 by clicking the Telnet radio button and entering the IP address into the Host Name
input field.
Note Recall that the server is actually implemented as a loopback interface on the HQ router. Therefore, you will
actually establish a Telnet session to the HQ router for testing purposes.
Step 2
Verify the user connection to the server using the show users command. This command will display
management sessions to the router via console or via remote access.
HQ#show users
    Line       User       Host(s)              Idle       Location
   0 con 0                idle                 00:42:00
*514 vty 0                idle                 00:00:00 209.165.201.5
You should see that the Telnet session from PC1 is seen as originating from a translated IP address. The
translated IP address is the first free IP address from the NAT pool.
Note The session marked with an asterisk (*) is the one that is currently active and used.
Access PC2. Open PuTTY by double-clicking the PuTTY icon and establish a Telnet session to the server
at 172.16.1.100.
Step 4
Verify the user connection to the server using the show users command.
HQ#show users
Line User Host(s) Idle Location
514 vty 0 idle 00:00:29 209.165.201.5
*515 vty 1 idle 00:00:00 209.165.201.6
You should see that the Telnet session from PC2 is seen as originating from a translated IP address. The
translated IP address is the next free IP address from the NAT pool.
Step 5
Return to the Branch router. Verify that there are active NAT translations.
Notice that inside local IP addresses are translated into inside global IP addresses.
Step 6
Activity Procedure
Complete the following steps:
Step 1
Step 2
Configure a dynamic source NAT/PAT (NAT with overload) rule that will translate inside hosts into the IP
address of the router outside interface. Use the previously configured ACL to specify the hosts that are
eligible for translations.
How many hosts that require NAT can you accommodate at the same time by overloading the IP address of
the interface?
Step 4
Save the running configuration to the startup configuration.
Activity Verification
You have completed this task when you attain these results:
Step 1
Access PC1. Open PuTTY by double-clicking the PuTTY icon and establish a Telnet session to the server
at 172.16.1.100.
Step 2
Verify the user connection to the server using the show users command.
HQ#show users
Line User Host(s) Idle Location
*514 vty 0 idle 00:00:00 209.165.201.1
You should see that the Telnet session from PC1 is seen as originating from the IP address of the Branch
router outside interface.
Access PC2. Open PuTTY by double-clicking the PuTTY icon and establish a Telnet session to the server
at 172.16.1.100.
Step 4
Verify the user connection to the server using the show users command.
HQ#show users
Line User Host(s) Idle Location
514 vty 0 idle 00:01:05 209.165.201.1
*515 vty 1 idle 00:00:00 209.165.201.1
You should see that the Telnet session from PC2 is again seen as originating from the IP address of the
Branch router outside interface.
Step 5
Return to the Branch router. Verify that there are active NAT translations.
Notice that two inside local IP addresses are translated into the same inside global IP address, which is
configured on the Branch router outside interface. To provide two distinct translations, different source
Step 6
Lab 3-1: Enhancing the Security of the Initial Configuration
Activity Overview
Objectives
Securing administrative access to devices is crucial because you do not want unauthorized users to have
access to your network devices. In this lab, you will increase the security of the initial switch and router
configuration. After you have completed this activity, you will be able to meet these objectives:
Required Resources
There are no additional resources that are required for this lab.
Command List
The table describes the commands that are used in this activity. The commands are listed in alphabetical
order so that you can easily locate the information that you need. Refer to this list if you need configuration
command assistance during the lab activity.
Commands
Command                                             Description
access-class number direction                       Applies the ACL to the vty line. The direction argument can have the value of either in or out.
access-list number permit ip_address wildcard_mask  Creates a standard ACL that permits all traffic from or to a specified network.
banner login                                        Allows the configuration of a message that is displayed just before login.
copy running-config startup-config                  Copies the switch running configuration file to the startup configuration file that is held in local NVRAM.
crypto key generate rsa                             Generates the RSA key pairs to be used.
enable secret password                              Sets a password for entering privileged EXEC mode. The password is protected using strong MD5-type encryption.
ip domain-name name                                 Supplies an IP domain name that is required by the cryptographic key-generation process.
ip ssh version [1 | 2]                              Specifies the version of SSH to be run. To disable the version of SSH that was configured and to return to compatibility mode, use the no form of this command.
line vty start_number end_number                    Enters vty configuration mode. Vty lines allow access to the switch for
login local                                         Makes the login process on the console or vty lines rely on (or use)
show access-list                                    Displays all ACLs that are defined on the device.
ssh -l username ip_address                          Starts an encrypted session with a remote networking device using the current user ID. The IP address identifies the destination device.
transport input [telnet | ssh | all]                Specifies which protocols to use to connect to a specific line of the device.
username username secret password                   Creates a username and password pair that can then be used as a local authentication database.
Job Aids
These job aids are available to help you complete the lab activity.
The table shows the hardware that is used in the lab and the operating system that is running on the devices.
Branch  Cisco 2901 Integrated Services Router  c2900-universalk9-mz.SPA.152-4.M1
SW1     Catalyst 2960 Series Switch            c2960-lanbasek9-mz.150-1.SE3
PC1     Any PC                                 Microsoft Windows 7
There are no console or enable passwords that are set for the routers and switches in the initial lab setup.
The table shows the username and password that are used to access PC1 and PC2.
Devices are connected with Ethernet links. The figure illustrates the interface identification and IP
addresses that are used in this lab setup.
Topology and IP Addressing
[Figure: lab topology. Labels shown: Branch, Gi0/0, SW1, VLAN 1, Fa0/13, Fa0/1, PC1; addresses shown: 10.1.1.1, 10.1.1.11, 10.1.1.100.]
The table shows the interface identification and IP addresses that are used in this lab setup.
Device Interface IP Address/Subnet Mask
Following the initial configuration of the switch, where passwords have been configured for the vty lines,
two potential security holes exist. First, a security breach is possible when the vty lines have the login
process deactivated and the password is too simple. Second, security can be breached because the console
port initially is not protected by a password at all. In this task, you will secure console access and access to
privileged EXEC mode on a router and a switch.
Activity Procedure
Complete the following steps:
Step 1
Step 3
Exit to the console login screen by issuing the end and exit commands.
You will be asked for the password that you configured in the previous step.
Branch(config-line)# end
Branch# exit
Branch con0 is now available
Press RETURN to get started.
User Access Verification
Password:
Branch>
Step 4
Examine the running configuration and identify the password that was configured for the console line. Note
that the password is in cleartext.
line con 0
exec-timeout 60 0
password cisco
logging synchronous
login
Step 5
Create the username ccna and assign the secret password cisco to it. Look at the Command List section to
identify the correct command.
Then change the mode of authentication on the console line so that this user is authenticated using this
Step 6
Exit to the console login screen by issuing the end and exit commands.
You will be asked for a username and password. Enter the credentials that you created in the previous step.
Branch(config-line)# end
Branch# exit
Branch con0 is now available
Press RETURN to get started.
User Access Verification
Username: ccna
Password:
Branch>
Step 7
Examine the running configuration and identify the username and password that you created.
Note that the password is encrypted, not in cleartext. You could use the service password-encryption
command to encode the cleartext password, but this encryption type is weak.
Step 8
Secure vty lines 0 through 15. Users should be able to log in using the username ccna and password cisco
For security reasons, the passwords for console and vty access should be different. Also, in production
environments, you should use strong passwords (at least eight characters and a combination of letters,
numbers, and special characters). In the lab environment, we are using the same passwords for console and
vty access.
On PC1, open PuTTY and establish a Telnet session to the Branch router to verify that you configured vty
security correctly.
Step 10
On the Branch router, secure access to privileged EXEC mode with the password cisco. The password must
be encrypted with strong encryption.
Step 11
Step 12
Exit privileged EXEC mode and then re-enter it. When prompted, enter the password that you configured in
the previous step.
Branch# disable
Branch> enable
Password:
Branch#
Step 13
Examine the running configuration of the Branch router and identify the line where the password that
allows access to privileged EXEC mode is configured. Notice that the password is encrypted.
Access switch SW1. Configure it with the enable secret password cisco. Users should be able to log into the
console and vty lines by using the username ccna and the password cisco. Use strong encryption.
Step 15
Step 16
On the SW1 switch, go to the user EXEC mode by entering the end and exit commands. Log into the
SW1 switch console by using the previously configured username and password in order to verify console
protection.
SW1(config-line)# end
SW1# exit
SW1 con0 is now available
Press RETURN to get started.
User Access Verification
Username: ccna
Password:
SW1>
Step 17
On the SW1 switch, enter privileged EXEC mode by entering the previously configured password.
SW1> enable
Password:
SW1#
Step 18
Return to PC1, open PuTTY, and establish a Telnet session to the SW1 switch to verify that you configured
vty security correctly.
Previously, you protected passwords by using encryption. However, when remote management uses the
Telnet protocol, which sends all characters in cleartext, including passwords, the potential exists for packet
capture and exploitation of this information. In this task, you will configure SSH as an alternative to Telnet.
If it is possible in your environment, it would be best to replace Telnet with SSH.
Activity Procedure
Step 1
Use cisco.com as the domain name. The key length should be 1024 bits. Use SSH version 2 and make SSH
the only remote access that is allowed.
Step 2
Step 3
Use cisco.com as the domain name, specify a key length of 1024 bits, use SSH version 2, and make SSH
the only remote access that is allowed.
Step 4
Save the changes that you made on the SW1 switch.
Step 5
On PC1, open PuTTY and try to connect to the Branch router using Telnet. Your attempt will be
unsuccessful.
Now try to remotely connect from PC1 to the Branch router using SSH. Your attempt should be successful.
Step 7
On the Branch router, show the users that are logged into the system. Identify the user that is using the vty
line.
Return to PC1. Open another PuTTY session and use SSH to connect to the SW1 switch in order to verify the SSH
configuration on the switch. Your attempt should be successful.
Activity Verification
No additional verification is needed in this task.
Addresses
In this task, you will create an ACL on the SW1 switch and apply it to the vty lines. The ACL will permit
remote sessions from the Branch router but not from PC1.
Activity Procedure
Step 1
On the SW1 switch, define a standard ACL that will permit only the IP address of the Branch router.
Any attempts to establish remote sessions from unauthorized devices should be logged.
Step 2
Apply the defined ACL to all vty lines of the SW1 switch.
Step 3
Step 1
You should not be successful because the ACL that you defined allows only the Branch router to establish
sessions to the SW1 switch.
Step 2
SW1>
Step 3
On the SW1 switch, show the ACL that you defined for the vty lines.
Notice that the counters for both the permit and deny statements increased. If you did not define an explicit
deny statement, a remote session from PC1 would still be denied, but you would not be able to see counters
for denied remote session attempts.
SW1# show access-lists
Standard IP access list 1
    10 permit 10.1.1.1 (2 matches)
    20 deny any log (3 matches)
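The counter behaviour described in Step 3, modelled as an added example that is not code from the lab guide: a first-match standard ACL with wildcard masks, replayed once with the explicit deny any log entry and once without it. The class name, the replayed session list and the implicit_denies field are assumptions made for the illustration; IOS shows no counter for the implicit deny.

```python
import ipaddress


def _ip(text):
    """Dotted-quad string to a 32-bit integer."""
    return int(ipaddress.IPv4Address(text))


class StandardAcl:
    """First-match standard ACL with per-entry hit counters and an implicit deny."""

    def __init__(self, statements):
        self.entries = []
        self.implicit_denies = 0  # kept only for this illustration
        for index, text in enumerate(statements, start=1):
            action, *rest = text.split()
            rest = [token for token in rest if token != "log"]
            if action not in ("permit", "deny") or not rest:
                raise ValueError(f"unsupported ACL statement: {text!r}")
            if rest == ["any"]:
                addr, wildcard = 0, 0xFFFFFFFF
            elif rest[0] == "host":
                addr, wildcard = _ip(rest[1]), 0
            else:
                addr = _ip(rest[0])
                wildcard = _ip(rest[1]) if len(rest) > 1 else 0
            self.entries.append({"seq": index * 10, "text": text, "action": action,
                                 "addr": addr, "wildcard": wildcard, "matches": 0})

    def evaluate(self, source):
        """Return True if the source address is permitted; update the hit counters."""
        src = _ip(source)
        for entry in self.entries:
            care_bits = ~entry["wildcard"] & 0xFFFFFFFF  # wildcard 1-bits are ignored
            if (src ^ entry["addr"]) & care_bits == 0:
                entry["matches"] += 1
                return entry["action"] == "permit"
        self.implicit_denies += 1  # no entry matched: implicit deny, nothing to display
        return False

    def show(self):
        """Entries formatted like the show access-lists output above."""
        lines = []
        for entry in self.entries:
            count = entry["matches"]
            suffix = "" if count == 0 else f" ({count} match{'' if count == 1 else 'es'})"
            lines.append(f"{entry['seq']} {entry['text']}{suffix}")
        return lines


def replay(statements, sources):
    """Evaluate every source address against a fresh ACL built from statements."""
    acl = StandardAcl(statements)
    return acl, [acl.evaluate(source) for source in sources]


# Constructed session attempts: two from the Branch router, three from PC1.
ATTEMPTS = ["10.1.1.1", "10.1.1.1", "10.1.1.100", "10.1.1.100", "10.1.1.100"]

if __name__ == "__main__":
    for statements in (["permit 10.1.1.1", "deny any log"], ["permit 10.1.1.1"]):
        acl, decisions = replay(statements, ATTEMPTS)
        print(acl.show(), "implicit denies:", acl.implicit_denies, decisions)
```
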
Task 4: Configure a Login Banner
As part of any security policy, you must ensure that network resources are clearly identified as being off
limits to the casual visitor. Hackers have successfully used the fact that a welcome screen was presented
at login as their legal defense for forced entry into the network. Therefore, a message that clearly states that
access is restricted should be presented when a user is attempting to access a network device (switch, router,
and so on). The Cisco IOS banner command allows you to do so.
Activity Procedure
Complete the following steps:
Step 1
Configure the Branch router with the following login banner message:
***********************************************
Step 2
Step 3
Configure the SW1 switch with the same login banner that you used for the Branch router in the previous
step:
Activity Verification
You have completed this task when you attain these results:
Step 1
Access the Branch router. Log out of the Branch router and then log back in.
Notice the login banner that you were presented with as you logged in.
Branch# logout
Branch con0 is now available
Press RETURN to get started.
********** Warning *************
Access to this device is restricted to authorized persons only!
Unauthorized access is prohibited. Violators will be prosecuted.
***********************************************
User Access Verification
Username: ccna
Password:
Step 2
Access SW1. Log out of the SW1 switch console and then log back in.
Notice the login banner that you were presented with as you logged in.
SW1# logout
Username: ccna
Password:
Note When accessing network devices via the SSH protocol, some terminal clients such as PuTTY display the
login banner only after the username parameter is entered as input.
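An offline check for the settings this lab changes, given as an added example that is not part of the lab guide: it audits a saved configuration for cleartext or type 7 line passwords, a missing enable secret, lines that do not use login local, vty lines that still accept Telnet or lack an inbound access-class, and a missing login banner. Both sample configurations, the hash placeholders and the finding names are constructed for illustration.

```python
import re

# Constructed configurations (not taken from the lab devices): a switch before
# and after the steps of Lab 3-1. Hash strings are placeholders, not real secrets.
WEAK_CONFIG = """\
hostname SW1
enable password cisco
line con 0
 password cisco
 login
line vty 0 4
 password 7 CONSTRUCTED
 login
 transport input all
"""

HARDENED_CONFIG = """\
hostname SW1
enable secret 5 $1$CONSTRUCTED$placeholder
username ccna secret 5 $1$CONSTRUCTED$placeholder
ip domain-name cisco.com
ip ssh version 2
access-list 1 permit 10.1.1.1
access-list 1 deny any log
banner login ^C Access restricted to authorized persons ^C
line con 0
 login local
line vty 0 15
 access-class 1 in
 login local
 transport input ssh
"""


def parse(config):
    """Split a config into global commands and the sub-commands of each 'line' block."""
    global_cmds, line_blocks, current = [], {}, None
    for raw in config.splitlines():
        text = raw.strip()
        if not text or text == "!":
            continue
        if raw[0].isspace():  # indented: belongs to the block opened above
            if current is not None:
                line_blocks[current].append(text)
            continue
        global_cmds.append(text)
        current = text if text.startswith("line ") else None
        if current:
            line_blocks[current] = []
    return global_cmds, line_blocks


def audit(config):
    """Return (scope, finding) tuples for the weaknesses Lab 3-1 removes."""
    global_cmds, line_blocks = parse(config)

    def has(prefix):
        return any(cmd.startswith(prefix) for cmd in global_cmds)

    findings = []
    if has("enable password "):
        findings.append(("global", "enable-password-not-secret"))
    if not has("enable secret "):
        findings.append(("global", "enable-secret-missing"))
    if not any(re.match(r"username \S+ (privilege \d+ )?secret ", c) for c in global_cmds):
        findings.append(("global", "no-local-user-with-secret"))
    if "ip ssh version 2" not in global_cmds:
        findings.append(("global", "ssh-version-2-not-forced"))
    if not has("banner login"):
        findings.append(("global", "login-banner-missing"))
    for header, cmds in line_blocks.items():
        for cmd in cmds:
            match = re.match(r"password (?:(\d) )?\S+$", cmd)
            if match and match.group(1) in (None, "0"):
                findings.append((header, "cleartext-line-password"))
            elif match and match.group(1) == "7":  # service password-encryption output
                findings.append((header, "type-7-line-password"))
        if "login local" not in cmds:
            findings.append((header, "login-not-local"))
        if header.startswith("line vty"):
            if "transport input ssh" not in cmds:
                findings.append((header, "telnet-not-excluded"))
            if not any(re.match(r"access-class \S+ in$", c) for c in cmds):
                findings.append((header, "no-inbound-access-class"))
    return findings


if __name__ == "__main__":
    for name, config in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit(config))
```
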
Lab 3-2: Device Hardening
Activity Overview
Objectives
Device hardening is crucial to increasing security in the network. In this lab, you will perform security
device hardening on a router and switch. After you have completed this activity, you will be able to meet
these objectives:
Disable unused ports
[Figure: lab topology. Labels shown: PC1, SW1, Inside, Outside, Internet, Server, NTP server.]
Required Resources
No additional resources are required for this lab.
Command List
The table that follows describes the commands that are used in this activity. The commands are listed in
alphabetical order so that you can easily locate the information that you need. Refer to this list if you need
configuration command assistance during the lab activity.
Commands
Command                                           Description
[no] cdp enable                                   Enables or disables Cisco Discovery Protocol on an interface
configure terminal                                Enters configuration mode
ntp master [stratum]                              Configures Cisco IOS Software as an NTP master clock.
ntp server {ip-address}                           Allows the software clock to be synchronized by an NTP time server
ping dest_IP                                      Verifies connectivity between the source IP and destination IP
show cdp neighbors                                Displays detailed information about neighboring devices that are discovered by using Cisco Discovery Protocol
show interfaces                                   Displays statistics for all interfaces that are configured on the router
show port-security interface interface            Displays the port security settings that are defined for an interface
show port-security address                        Displays the secure MAC addresses for all ports
switchport port-security mac-address mac-address  Enters a secure MAC address for the interface
Job Aids
These job aids are available to help you complete the lab activity.
The table shows the hardware that is used in the lab and the operating system that is running on the devices.
The table shows usernames and passwords that are used to access the lab devices.
PC2 Administrator admin
Branch (enable password) / cisco
SW1 (console access) ccna cisco
Topology and IP Addressing
Devices are connected with Ethernet links. The figure illustrates the interface identification and IP
addresses that are used in this lab setup.
[Figure: Topology and IP Addressing. Labels shown: Branch, HQ, Server, Internet, SW1, PC1, PC2, Gi0/0, Gi0/1, VLAN 1, Fa0/1, Fa0/3, Fa0/13; addresses shown: 209.165.201.1, 209.165.201.2, 172.16.1.100, 10.1.1.1, 10.1.1.11, 10.1.1.100, 10.1.1.101.]
The table shows the interface identification and IP addresses that are used in this lab setup.
Device Interface IP Address/Subnet Mask
Unused ports on a switch can be a security risk. A hacker can plug a switch into an unused port and become
part of the network. In this task, you will disable unused ports on a network switch.
Activity Procedure
Complete the following steps:
Step 1
Step 2
Disable unused interfaces FastEthernet 0/14 to FastEthernet 0/24 with as few configuration steps as
possible.
Step 3
Step 4
Activity Procedure
Complete the following steps:
Step 1
Access the Branch router.
Step 2
Examine the MAC address of the Branch router interface GigabitEthernet 0/0, which faces the SW1 switch.
Write down the MAC address, which you will need to configure the port security feature.
Branch# show interfaces GigabitEthernet 0/0
GigabitEthernet0/0 is up, line protocol is up
Hardware is CN Gigabit Ethernet, address is f866.f231.7250 (bia f866.f231.7250)
Note Your MAC address might be different from the address that is shown in the output.
Step 3
Step 4
Configure interface FastEthernet0/13, which faces the Branch router, as a static access port.
Step 5
Enable the port security feature on interface FastEthernet0/13. Manually specify the secure MAC address
f866.f231.7251 (which is not the MAC address of the Branch router).
You will simulate a port security violation by misconfiguring the secure MAC address.
Step 6
Observe the switch output and verify the status of SW1 interface FastEthernet0/13. Make sure that a port
security violation occurred because of the misconfigured secure MAC address.
occurred, caused by MAC address f866.f231.7250 on port FastEthernet0/13.
Sep 28 11:16:19.318: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/13, changed state to down
Sep 28 11:16:20.317: %LINK-3-UPDOWN: Interface FastEthernet0/13, changed state to down
SW1# show interfaces FastEthernet 0/13
FastEthernet0/13 is down, line protocol is down (err-disabled)
  Hardware is Fast Ethernet, address is 001e.147c.6f0d (bia 001e.147c.6f0d)
SW1#show port-security interface FastEthernet 0/13
Port Security              : Enabled
Port Status                : Secure-shutdown
Violation Mode             : Shutdown
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 1
Total MAC Addresses        : 1
Configured MAC Addresses   : 1
Sticky MAC Addresses       : 0
Last Source Address:Vlan   : f866.f231.7250:1
A port security violation occurs due to management traffic (Cisco Discovery Protocol, for example) coming
from the router toward the switch.
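Triage logic for the violation logged in Step 6, added here as an example that is not from the lab guide: it extracts each port security violation from syslog text, checks whether the port also went link-down, and compares the offending MAC address with the secure address on record. Treating a one-digit difference as a probable typo is an assumption of this example, and the log, the Fa0/3 event and the SECURE_MACS table are constructed.

```python
import re

# Constructed log modelled on Step 6. The page's first line is cut off; the
# %PM-4-ERR_DISABLE and %PORT_SECURITY-2-PSECURE_VIOLATION prefixes are the
# usual IOS mnemonics, and the FastEthernet0/3 event is invented for contrast.
SAMPLE_LOG = """\
Sep 28 11:16:18.311: %PM-4-ERR_DISABLE: psecure-violation error detected on Fa0/13, putting Fa0/13 in err-disable state
Sep 28 11:16:18.311: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address f866.f231.7250 on port FastEthernet0/13.
Sep 28 11:16:19.318: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/13, changed state to down
Sep 28 11:16:20.317: %LINK-3-UPDOWN: Interface FastEthernet0/13, changed state to down
Sep 28 11:20:02.100: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0050.56aa.bb01 on port FastEthernet0/3.
"""

# Secure MAC on record per port: Fa0/13 is the value from Step 5, Fa0/3 is constructed.
SECURE_MACS = {
    "FastEthernet0/13": "f866.f231.7251",
    "FastEthernet0/3": "0021.70aa.0001",
}

VIOLATION = re.compile(
    r"^(?P<time>.+?): %PORT_SECURITY-2-PSECURE_VIOLATION: .*"
    r"caused by MAC address (?P<mac>[0-9a-fA-F.]{14}) on port (?P<port>\S+?)\.?$"
)
LINK_DOWN = re.compile(r"%LINK-3-UPDOWN: Interface (?P<port>\S+), changed state to down")


def hex_digits(mac):
    """Normalise dotted, colon or hyphen MAC notation to 12 lowercase hex digits."""
    return re.sub(r"[^0-9a-fA-F]", "", mac).lower()


def digit_distance(mac_a, mac_b):
    """Number of hex digit positions in which two MAC addresses differ."""
    return sum(x != y for x, y in zip(hex_digits(mac_a), hex_digits(mac_b)))


def triage(log, secure_macs):
    """Return one record per violation with a verdict and the port's link state."""
    lines = log.splitlines()
    # Ports for which the log contains a link-down event anywhere in the capture.
    down_ports = {m.group("port") for m in map(LINK_DOWN.search, lines) if m}
    records = []
    for line in lines:
        match = VIOLATION.match(line)
        if not match:
            continue
        port, mac = match.group("port"), match.group("mac").lower()
        configured = secure_macs.get(port)
        if configured is None:
            verdict = "no-secure-mac-on-record"
        elif digit_distance(mac, configured) <= 1:
            verdict = "probable-typo-in-secure-mac"  # heuristic assumed by this example
        else:
            verdict = "unknown-device"
        records.append({"time": match.group("time"), "port": port, "mac": mac,
                        "configured": configured, "verdict": verdict,
                        "port_shut": port in down_ports})
    return records


if __name__ == "__main__":
    for record in triage(SAMPLE_LOG, SECURE_MACS):
        print(record)
```
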
Step 7
Try to ping PC1 at 10.1.1.100 from the Branch router. Your attempt should fail because the switch port
connecting to the Branch router is error-disabled.
Step 8
Change the secure MAC address for port security on SW1 interface FastEthernet0/13 to the correct MAC
address, which you wrote down.
Note Your MAC address for the Branch router might be different from the address that was shown in the
output.
Step 10
Observe the switch output. Verify the status of the FastEthernet0/13 interface on SW1 and make sure that
the interface is operational again.
Sep 28 11:10:07.080: %LINK-3-UPDOWN: Interface FastEthernet0/13, changed state to up
Sep 28 11:10:08.087: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/13, changed state to up
SW1# show interfaces FastEthernet 0/13
FastEthernet0/13 is down, line protocol is up
  Hardware is Fast Ethernet, address is 001e.147c.6f0d (bia 001e.147c.6f0d)
Step 11
Try to ping PC1 at 10.1.1.100 from the Branch router. Your attempt should succeed now.
!!!!!
Step 12
(mins)
---- ----------- ---- ----- -------------
1 f866.f231.7250 SecureConfigured Fa0/13 -
--------------------------------------------------------------------------
Total Addresses in System (excluding one mac per port) : 1
Max Addresses limit in System (excluding one mac per port) : 8192
Step 13
Fa0/13 1 1 0 Shutdown
---------------------------------------------------------------------------
Total Addresses in System (excluding one mac per port) : 1
Max Addresses limit in System (excluding one mac per port) : 8192
Step 14
Disable the port security feature on interface FastEthernet 0/13.
Step 15
Save the running configuration to the startup configuration.
Activity Verification
No additional verification is needed in this task.
Activity Procedure
Complete the following steps:
Step 1
Step 2
Disable Cisco Discovery Protocol on the SW1 interface that is facing the Branch router.
Step 4
You should not see switch SW1 anymore as a neighbor device because you disabled Cisco Discovery
Protocol on the switch interface toward the router.
Branch# show cdp neighbors
or te
lea
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
S - Switch, H - Host, I - IGMP, r - Repeater, P - Phone,
D - Remote, C - CVTA, M - Two-port Mac Relay
Device ID Local Intrfce Holdtme Capability Platform Port ID
Note It may take up to 3 minutes for the neighbor to disappear from the output because of the holddown timer
that is set to 180 seconds.
Step 5
You should see no neighbor device because you disabled Cisco Discovery Protocol on the switch interface
toward the Branch router.
Step 6
Enable Cisco Discovery Protocol on the SW1 interface that faces the Branch router.
Step 7
Activity Verification
No additional verification is needed in this task.
Task 4: Configure NTP
Networks use NTP to synchronize the clocks of various devices across a network. Clock synchronization
within a network is critical for digital certificates and for correct interpretation of events within syslog data.
In this task, you will configure the Branch router as an NTP client of the server. The Branch router will also
act as an NTP server for SW1 at the same time. The server has been preconfigured as the NTP server with
stratum 3.
Activity Procedure
Complete the following steps:
Step 1
Configure the Branch router as an NTP client of the server at 172.16.1.100.
Step 2
Verify NTP associations on the Branch router.
You should see that the Branch router synchronized its clock with the server.
Note It may take several minutes in order to synchronize the clock with the NTP server.
Step 3
Step 4
Configure SW1 as an NTP client that will synchronize its time with the Branch router. Although the Branch
router is configured only with NTP client configuration, it will respond to time requests from other clients.
It will act as a server for switch SW1.
Step 6
Verify the NTP status and the NTP association status on the SW1 switch.
Clock is synchronized, stratum 5, reference is 10.1.1.1
nominal freq is 119.2092 Hz, actual freq is 119.2091 Hz, precision is 2**17
reference time is D46AEB16.D3639982 (09:59:50.825 UTC Thu Dec 6 2012)
clock offset is 58.8216 msec, root delay is 2.30 msec
root dispersion is 122.31 msec, peer dispersion is 8.38 msec
loopfilter state is 'CTRL' (Normal Controlled Loop), drift is 0.000001118 s/s
system poll interval is 128, last update was 862 sec ago.
SW1# show ntp associations
address ref clock st when poll reach delay offset disp
*~10.1.1.1 172.16.1.100 4 115 128 377 1.436 58.821 8.389
* sys.peer, # selected, + candidate, - outlyer, x falseticker, ~ configured
You should see that SW1 synchronized its clock with the Branch router.
Note It may take several minutes in order to synchronize the clock with the NTP server.
Step 7
Activity Verification
Lab 3-3: Filtering Traffic with ACLs
Activity Overview
Objectives
A common mechanism for filtering traffic is ACLs, which enable you to allow, limit, or restrict access to a
network resource. In this lab, you will configure traffic filtering using ACLs. After you have completed this
activity, you will be able to meet these objectives:
Configure extended, named ACLs
Troubleshoot ACLs
Visual Objective
The figure illustrates what you will accomplish in this activity.
[Figure: Lab 3-3 visual objective. Topology of Branch, HQ, Server, Internet, SW1, SW2, PC1, and PC2. Labels: Configure ACL; Troubleshoot ACL; Telnet Blocked; All Other Traffic Allowed.]
Required Resources
There are no additional required resources for this lab.
Command List
The table that follows describes the commands that are used in this activity. The commands are listed in
alphabetical order so that you can easily locate the information that you need. Refer to this list if you need
configuration command assistance during the lab activity.
Commands
Command                                              Description
configure terminal                                   Enters configuration mode
interface interface                                  Enters interface configuration mode
ip access-list extended ACL_name                     Defines an ACL and enters ACL configuration mode
{permit | deny} {test conditions}                    Creates ACL statements for a named ACL
show access-lists ACL_name                           Displays the contents of all IP ACLs
show ip interface interface-type interface number    Displays IP-specific information for an interface, including the ACLs that are applied on an interface
Job Aids
These job aids are available to help you complete the lab activity.
The table shows the hardware that is used in the lab and the operating system that is running on the devices.
The table shows usernames and passwords that are used to access the lab devices.
[Figure: lab topology. Labels: Branch (Gi0/0, VLAN 1: 10.1.1.1), Internet, HQ, Server (172.16.1.100), SW1 (10.1.1.11; Fa0/1, Fa0/3, Fa0/13), PC1 (10.1.1.100), PC2 (10.1.1.101).]
The table shows the interface identification and IP addresses that are used in this lab setup.
Activity Procedure
Complete the following steps:
Step 1
Access the Branch router. Use the credentials provided in the Job Aids section of the document in order to
log in.
Step 2
Configure an extended ACL named Telnet that will prevent a Telnet connection from PC2 to the server. All
other IP traffic should be permitted.
Step 3
Verify the content of the configured ACL.
Branch# show access-lists Telnet
Extended IP access list Telnet
10 deny tcp host 10.1.1.101 host 172.16.1.100 eq telnet
20 permit ip any any
Step 4
Apply the configured ACL to the GigabitEthernet0/0 interface in the correct direction.
Step 5
Verify that the configured ACL is applied to the GigabitEthernet0/0 interface in the correct direction.
Step 6
Access PC1. Open PuTTY by double-clicking the PuTTY icon and establish a Telnet session to the server
at 172.16.1.100.
You should be successful.
Step 8
Verify that the counter that was matched by the permit ACL statement increased.
Note The actual number of ACL hits may differ from the outputs that are provided in the lab guide.
Access PC2. Open PuTTY by double-clicking the PuTTY icon and establish a Telnet session to the server
at 172.16.1.100.
You should not be successful because the configured ACL blocks Telnet traffic from PC2 to the server.
Step 10
Verify that the counter that was matched by the deny ACL statement increased.
Access PC1. Open Internet Explorer and try to reach the HTTP server at IP address 172.16.1.100. Use the
credentials that are provided in the Job Aids section of the document in order to log in.
Step 12
Access PC2. Open Internet Explorer and try to reach the HTTP server at IP address 172.16.1.100. Use the
credentials that are provided in the Job Aids section of the document in order to log in.
Step 13
Verify that the counter that was matched by the permit ACL statement increased.
Activity Verification
No additional verification is needed in this task.
Step 1
Step 2
Copy the TSHOOT_Troubleshoot_ACLs_Branch.cfg file from the router flash memory into the router
running configuration.
Branch# copy flash:TSHOOT_Troubleshoot_ACLs_Branch.cfg running-config
3341 bytes copied in 3.490 secs (957 bytes/sec)
Activity Verification
No additional verification is needed in this task.
Activity Procedure
Complete the following steps:
Step 1
Access PC1. Open PuTTY by double-clicking the PuTTY icon and establish a Telnet session to the server
at 172.16.1.100.
Step 2
Access PC2. Open PuTTY by double-clicking the PuTTY icon and establish a Telnet session to the server
at 172.16.1.100.
Step 3
Access PC1. Open Internet Explorer and try to reach the HTTP server at IP address 172.16.1.100. Use the
credentials that are provided in the Job Aids section of the document in order to log in.
Access PC2. Open Internet Explorer and try to reach the HTTP server at IP address 172.16.1.100. Use the
credentials that are provided in the Job Aids section of the document in order to log in.
Step 5
Step 6
Verify that the configured ACL is applied to the GigabitEthernet0/0 interface in the correct direction.
MTU is 1500 bytes
Helper address is not set
Directed broadcast forwarding is disabled
Outgoing access list is Telnet
Inbound access list is not set
Proxy ARP is enabled
Local Proxy ARP is disabled
<...output omitted...>
Step 7
Apply the configured ACL to the GigabitEthernet0/0 interface in the correct direction.
Step 8
Step 9
Change the Telnet ACL so that it prevents Telnet connections from PC2 to the server. All other IP traffic
should be permitted.
Step 10
Access PC1. Open PuTTY by double-clicking the PuTTY icon and establish a Telnet session to the server
at 172.16.1.100.
You should be successful.
Access PC2. Open PuTTY by double-clicking the PuTTY icon and establish a Telnet session to the server
at 172.16.1.100.
You should not be successful because the configured ACL blocks Telnet traffic from PC2 to the server.
Access PC1. Open Internet Explorer and try to reach the HTTP server at IP address 172.16.1.100. Use the
credentials that are provided in the Job Aids section of the document in order to log in.
Step 14
Access PC2. Open Internet Explorer and try to reach the HTTP server at IP address 172.16.1.100. Use the
credentials that are provided in the Job Aids section of the document in order to log in.
Activity Verification
No additional verification is needed in this task.
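The first-match behavior that Task 1 verifies with hit counters, and the direction fault that the troubleshooting task uncovers, shown as an added Python example that is not part of the lab guide. It parses the show access-lists Telnet output from Task 1, replays the lab's four test flows, and goes slightly beyond the lab by flagging shadowed entries; the forwarded helper, the flow constants, and the misordered ACL are constructed for illustration.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# ACL as printed by "show access-lists Telnet" in Task 1, Step 3.
ACL_TEXT = """\
Extended IP access list Telnet
    10 deny tcp host 10.1.1.101 host 172.16.1.100 eq telnet
    20 permit ip any any
"""
# Constructed for illustration: the same entries in the wrong order.
MISORDERED = """\
Extended IP access list Telnet
    10 permit ip any any
    20 deny tcp host 10.1.1.101 host 172.16.1.100 eq telnet
"""
PORTS = {"telnet": 23, "www": 80}
SERVER = "172.16.1.100"
# The lab's four tests: (protocol, source, destination, destination port).
PC1_TELNET = ("tcp", "10.1.1.100", SERVER, 23)
PC2_TELNET = ("tcp", "10.1.1.101", SERVER, 23)
PC1_HTTP = ("tcp", "10.1.1.100", SERVER, 80)
PC2_HTTP = ("tcp", "10.1.1.101", SERVER, 80)

@dataclass
class Ace:
    seq: int
    action: str
    proto: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int] = None
    hits: int = 0

def _addr(tokens):
    """Consume 'any' or 'host A.B.C.D' (the only address forms this lab uses)."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    raise ValueError("unsupported address form: " + tok)

def parse_acl(text):
    """Parse numbered ACL entries into Ace objects, ordered by sequence number."""
    aces = []
    for line in text.splitlines():
        m = re.match(r"\s*(\d+)\s+(permit|deny)\s+(\S+)\s+(.*)", line)
        if not m:
            continue  # header or blank line
        tokens = m.group(4).split()
        src, dst = _addr(tokens), _addr(tokens)
        dport = None
        if tokens[:1] == ["eq"]:
            dport = PORTS[tokens[1]] if tokens[1] in PORTS else int(tokens[1])
        aces.append(Ace(int(m.group(1)), m.group(2), m.group(3), src, dst, dport))
    return sorted(aces, key=lambda a: a.seq)

def evaluate(aces, proto, src, dst, dport=None):
    """Return the action of the first matching entry and count the hit."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for ace in aces:
        if ace.proto not in ("ip", proto):
            continue
        if s not in ace.src or d not in ace.dst:
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        ace.hits += 1
        return ace.action
    return "deny"  # implicit deny at the end of every ACL

def forwarded(aces, applied, flow):
    """Client-to-server packets enter Branch Gi0/0, so only an 'in' ACL sees them."""
    return applied != "in" or evaluate(aces, *flow) == "permit"

def shadowed(aces):
    """Sequence numbers of entries that an earlier, broader entry always pre-empts."""
    result = []
    for i, ace in enumerate(aces):
        for prev in aces[:i]:
            if (prev.proto in ("ip", ace.proto)
                    and ace.src.subnet_of(prev.src)
                    and ace.dst.subnet_of(prev.dst)
                    and prev.dport in (None, ace.dport)):
                result.append(ace.seq)
                break
    return result

if __name__ == "__main__":
    acl = parse_acl(ACL_TEXT)
    for flow in (PC1_TELNET, PC2_TELNET, PC1_HTTP, PC2_HTTP):
        print(flow, "->", evaluate(acl, *flow))
    print("hits per entry:", [(a.seq, a.hits) for a in acl])
    print("shadowed when misordered:", shadowed(parse_acl(MISORDERED)))
```

With the ACL applied outbound on GigabitEthernet0/0, as in the faulty show ip interface output above, forwarded returns True for the PC2 Telnet flow, which is why the deny counter never moves in that state.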
Lab 4-1: Configuring Expanded Switched Networks
Activity Overview
Objectives
In this lab, you will configure two switches to meet specified VLAN requirements. After completing this
activity, you will be able to meet these objectives:
Configure VLANs
Configure trunking
[Figure: Lab 4-1 visual objective. Topology of Branch, HQ, Server, SW1, SW2, PC1, and PC2. Labels: proper VLAN; Configure a router with a trunk link; VLAN 10; Gi0/1; Fa0/13; Fa0/1.]
Required Resources
There are no additional resources required for this lab.
Command List
The table describes the commands that are used in this activity. The commands are listed in alphabetical
order so that you can easily locate the information that you need. Refer to this list if you need configuration
command assistance during the lab activity.
encapsulation dot1q vlan                     Enables IEEE 802.1Q encapsulation of traffic on a specified subinterface in VLANs. This command can be entered when you are in interface configuration mode.
interface interface_name interface_number    Enters interface configuration mode for the specified interface.
ip address ip_address network_mask           Sets an IP address, along with the subnet mask, on an interface. Enter interface configuration mode to issue this command.
show interfaces trunk                        Displays trunking information.
show vlans                                   When you configure a router on a stick, use this command to verify trunking and VLANs.
[no] shutdown                                Disables or enables an interface. Issue this command from interface configuration mode.
switchport access vlan vlan                  Assigns a port to a VLAN. Issue this command from interface configuration mode.
switchport mode mode                         Interface configuration mode command. There are four options. The two non-negotiating modes are trunk and access, and the two DTP negotiation modes are dynamic auto and dynamic desirable.
switchport trunk allowed vlan vlan_list      Specifies VLANs from which traffic is allowed over the trunk link.
vlan vlan_number                             Creates the VLAN that is specified. Issue this command from global configuration mode.
Job Aids
These job aids are available to help you complete the lab activity.
The table shows the hardware that is used in the lab and the operating system that is running on the devices.
PC2 Any PC Microsoft Windows 7
The table shows usernames and passwords that are used to access the lab devices.
Device Username Password
PC2 Administrator admin
[Figure: lab topology. Labels: Branch (Gi0/0, VLAN1: 10.1.1.1), Internet, HQ, Server (172.16.1.100), SW1 (10.1.1.11; Fa0/1, Fa0/3, Fa0/13), SW2 (10.1.1.12; Fa0/1, Fa0/3), PC1 (10.1.1.100), PC2 (10.1.1.101).]
The table shows the interface identification and IP addresses that are used in this lab setup.
SW1 VLAN1 10.1.1.11/24
SW2 VLAN1 10.1.1.12/24
PC2 Ethernet adapter local area connection 10.1.1.101/24
In this task, you will create VLANs and assign the ports that are specified to them.
Activity Procedure
Complete the following steps:
Step 1
For the purpose of management, configure the VLAN 1 interface with the IP address 10.1.1.12/24.
Access PC2.
Assign the IP address 10.1.1.101/24 to it. The default gateway should be set to the IP address of a Branch
router.
Step 3
The ping should be successful because ports on both PCs are access ports belonging to VLAN 1.
Step 4
Step 5
On SW1, assign the port to which PC1 connects (FastEthernet0/1) to VLAN 10.
On SW2, assign the port to which PC2 connects (FastEthernet0/1) to VLAN 20.
Step 6
Save the running configuration to the startup configuration on both switches.
Step 7
Change the IP address of PC1 to 10.1.10.100/24. Set the default gateway to 10.1.10.1, which you will later
configure on the Branch router.
This step provides PC1 addressing in accordance with its VLAN assignment.
Change the IP address of PC2 to 10.1.20.100/24. Set the default gateway to 10.1.20.1, which you will later
configure on the Branch router.
This step provides PC2 addressing in accordance with its VLAN assignment.
Activity Verification
You have completed this task when you attain these results:
Step 1
SW1 should have FastEthernet0/1 belonging to VLAN 10, and SW2 should have FastEthernet0/1 belonging
to VLAN 20.
1    default                          active    Fa0/2, Fa0/3, Fa0/4, Fa0/5
                                                Fa0/6, Fa0/7, Fa0/8, Fa0/9
                                                Fa0/10, Fa0/11, Fa0/12, Fa0/13
                                                Fa0/14, Fa0/15, Fa0/16, Fa0/17
                                                Fa0/18, Fa0/19, Fa0/20, Fa0/21
                                                Fa0/22, Fa0/23, Fa0/24, Gi0/1
                                                Gi0/2
10   VLAN0010                         active    Fa0/1
20   VLAN0020                         active
1002 fddi-default                     act/unsup
1003 token-ring-default               act/unsup
1004 fddinet-default                  act/unsup
1005 trnet-default                    act/unsup
SW2# show vlan
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/2, Fa0/3, Fa0/4, Fa0/5
                                                Fa0/6, Fa0/7, Fa0/8, Fa0/9
10   VLAN0010                         active
20   VLAN0020                         active    Fa0/1
1002 fddi-default                     act/unsup
At this point, PC1 belongs to VLAN 10, and PC2 belongs to VLAN 20.
The connectivity test should not be successful. You first need to configure a trunk between switches that
will carry traffic from both VLANs and then configure a Layer 3 device that will route between those two
VLANs.
C:\Users\Administrator> ping 10.1.20.100
Pinging 10.1.20.100 with 32 bytes of data:
Reply from 10.1.10.100: Destination host unreachable.
Reply from 10.1.10.100: Destination host unreachable.
Reply from 10.1.10.100: Destination host unreachable.
Reply from 10.1.10.100: Destination host unreachable.
Ping statistics for 10.1.20.100:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Activity Procedure
Complete the following steps:
Step 1
On switch SW1, configure the link toward switch SW2 (FastEthernet0/3) as a trunk. To follow the best
practice, allow only VLANs 1, 10, and 20 to cross the trunk. You can limit which VLANs are allowed to
traverse the trunk link with the switchport trunk allowed vlan command.
By default, ports are in DTP negotiation mode (dynamic auto). This mode presents a security risk, so the
best practice is to configure the ports manually to non-negotiation modes (access or trunk).
Step 2
Step 3
On switch SW1, verify that the link toward SW2 is trunking and that VLANs 1, 10, and 20 are the only
VLANs that are allowed.
Port Vlans allowed on trunk
Fa0/3 1,10,20
<output omitted>
On switch SW2, verify that the link toward SW1 is trunking and that VLANs 1, 10, and 20 are the only
VLANs that are allowed.
SW2# show interfaces trunk
Port Mode Encapsulation Status Native vlan
Fa0/3 on 802.1q trunking 1
Port Vlans allowed on trunk
Fa0/3 1,10,20
<output omitted>
Step 4
At this point, PC1 belongs to VLAN 10, and PC2 belongs to VLAN 20. The link between the two switches
is configured to carry more than one VLAN. It is a trunk.
The connectivity test will not be successful. You first need to configure a trunk between switches that will
carry traffic from both VLANs and then configure a Layer 3 device that will route between those two
VLANs.
Activity Verification
No additional verification is needed in this task.
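One way to check the two trunk hardening points from this task (no DTP-negotiated trunk, and only VLANs 1, 10, and 20 allowed) against show interfaces trunk output, as an added Python example that is not part of the lab guide. The SW2 output is the one shown above with column spacing restored; the weak sample and all function names are constructed for illustration.

```python
import re

EXPECTED_VLANS = {1, 10, 20}  # VLANs the lab allows across the trunk

# Output shown for SW2 in the lab guide (column spacing restored).
SW2_OUTPUT = """\
SW2# show interfaces trunk
Port        Mode             Encapsulation  Status        Native vlan
Fa0/3       on               802.1q         trunking      1
Port        Vlans allowed on trunk
Fa0/3       1,10,20
<output omitted>
"""
# Constructed for comparison: a trunk formed by DTP that carries every VLAN.
WEAK_OUTPUT = """\
Port        Mode             Encapsulation  Status        Native vlan
Fa0/3       auto             802.1q         trunking      1
Port        Vlans allowed on trunk
Fa0/3       1-4094
"""
PORT_RE = re.compile(r"^[A-Za-z]+\d+(/\d+)*$")


def expand_vlans(spec):
    """Turn '1,10,20' or '1-4094' into a set of VLAN IDs."""
    vlans = set()
    for part in spec.split(","):
        low, _, high = part.partition("-")
        vlans.update(range(int(low), int(high or low) + 1))
    return vlans


def parse_trunks(output):
    """Return {port: {'mode', 'status', 'native', 'allowed'}} from the command output."""
    trunks, section = {}, None
    for line in output.splitlines():
        fields = line.split()
        if not fields:
            continue
        if fields[0] == "Port":  # a table header starts a new section
            if "Mode" in fields:
                section = "mode"
            elif fields[1:5] == ["Vlans", "allowed", "on", "trunk"]:
                section = "allowed"
            else:
                section = None  # the other VLAN tables are not needed here
            continue
        if section is None or not PORT_RE.match(fields[0]):
            continue  # prompt line or "<output omitted>"
        entry = trunks.setdefault(
            fields[0], {"mode": None, "status": None, "native": None, "allowed": set()})
        if section == "mode" and len(fields) >= 5:
            entry.update(mode=fields[1], status=fields[3], native=int(fields[4]))
        elif section == "allowed" and len(fields) >= 2:
            entry["allowed"] = expand_vlans(fields[1])
    return trunks


def audit(trunks, expected=EXPECTED_VLANS):
    """List deviations from the lab's trunk policy; an empty list means compliant."""
    findings = []
    for port, t in sorted(trunks.items()):
        if t["mode"] in ("auto", "desirable"):
            findings.append(f"{port}: trunk formed by DTP negotiation (mode {t['mode']})")
        extra = t["allowed"] - expected
        if extra:
            findings.append(f"{port}: {len(extra)} VLANs allowed beyond {sorted(expected)}")
        missing = expected - t["allowed"]
        if missing:
            findings.append(f"{port}: expected VLANs not allowed: {sorted(missing)}")
    return findings


if __name__ == "__main__":
    print("SW2:", audit(parse_trunks(SW2_OUTPUT)) or "compliant")
    for finding in audit(parse_trunks(WEAK_OUTPUT)):
        print("weak sample:", finding)
```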
Step 1
On switch SW1, configure the link toward the Branch router (FastEthernet0/13) as a trunk.
Step 2
Save the running configuration to the startup configuration on the SW1 switch.
Step 3
On the Branch router, remove the IP address from the GigabitEthernet0/0 interface.
Step 4
On the Branch router, configure three subinterfaces. Subinterface GigabitEthernet0/0.1 should have an IP
address of 10.1.1.1/24 and belong to VLAN 1. Subinterface GigabitEthernet0/0.10 should have an IP
address of 10.1.10.1/24 and belong to VLAN 10. Subinterface GigabitEthernet0/0.20 should have an IP
address of 10.1.20.1/24 and belong to VLAN 20.
Step 5
Save the running configuration to the startup configuration on the Branch router.
Step 6
On the Branch router, verify that you have interface IP addresses that are configured in VLANs 1, 10, and
20.
This is configured as native Vlan for the following interface(s) :
GigabitEthernet0/0 Native-vlan Tx-type: Untagged
Protocols Configured: Address: Received: Transmitted:
IP 10.1.1.1 0 0
Other 0 2
2 packets, 518 bytes input
2 packets, 435 bytes output
Virtual LAN ID: 10 (IEEE 802.1Q Encapsulation)
vLAN Trunk Interface: GigabitEthernet0/0.10
Protocols Configured: Address: Received: Transmitted:
IP 10.1.10.1 0 0
Other 0 1
0 packets, 0 bytes input
1 packets, 46 bytes output
Virtual LAN ID: 20 (IEEE 802.1Q Encapsulation)
vLAN Trunk Interface: GigabitEthernet0/0.20
Protocols Configured: Address: Received: Transmitted:
IP 10.1.20.1 0 0
Other 0 1
0 packets, 0 bytes input
Activity Verification
You have completed this task when you attain these results:
Step 1
The attempt should be successful. The first ping or first few pings might fail due to the ARP process.
From PC1, use the traceroute (tracert command) utility to trace the path from PC1 to PC2.
1 4 ms 1 ms 1 ms 10.1.10.1
2 2 ms 1 ms 1 ms 10.1.20.100
Trace complete.
Lab 4-2: Configuring DHCP Server
Activity Overview
Objectives
In this lab, you will assign IP addresses to network devices using DHCP. After completing this activity, you
[Figure: Lab 4-2 visual objective. Labels: DHCP server; DHCP Server; Configure the DHCP relay agent; Configure DHCP clients; PC1; PC2; SW1; SW2.]
Required Resources
Command List
The table describes the commands that are used in this activity. The commands are listed in alphabetical
order so that you can easily locate the information that you need. Refer to this list if you need configuration
Cisco Commands
Command                                              Description
default-router address                               Specifies the IP address of the default router for a DHCP client.
dns-server address                                   Specifies the IP address of the DNS server that is available to a DHCP client.
ip dhcp excluded-address ip-address [last-ip-address]    Specifies the IP addresses that a DHCP server should not assign to a DHCP client.
ip dhcp pool name                                    Configures a DHCP address pool and enters DHCP configuration mode.
ip helper-address address                            Enables forwarding of broadcasts that are received on the interface to the specified IP address.
lease {days [hours] [minutes] | infinite}            Specifies the duration of the lease. The default is a one-day lease.
network network-number [mask | prefix-length]        Defines addresses in the DHCP pool. Optionally, defines the subnet mask or prefix length. Either of these parameters determines which portion of the specified network number refers to the network part.
show ip interface brief                              Displays a brief summary of the IP information and status of an interface.
Microsoft Windows Commands
Command                                              Description
ping ip_address                                      Issues a ping to the specified IP address.
ipconfig {/all}                                      Displays IP address information. Uses option /all to display all details.
ipconfig /renew                                      Renews all network adapters and initiates a DHCP discover message if DHCP is enabled on the interface.
Job Aids
These job aids are available to help you complete the lab activity.
The table shows the hardware that is used in the lab and the operating system that is running on the devices.
The table shows the usernames and passwords that are used to access the lab equipment.
[Figure: lab topology. Labels: Gi0/0.10 VLAN 10: 10.1.10.1; Gi0/0.20 VLAN 20: 10.1.20.1; Server (172.16.1.100); HQ; SW1 (10.1.1.11; Fa0/1, Fa0/3, Fa0/13); SW2 (10.1.1.12; Fa0/1, Fa0/3); PC1 (10.1.10.100); PC2 (10.1.20.100).]
The table shows the interface identification and IP addresses that are used in this lab setup.
HQ Gi0/1 209.165.201.2/27
HQ Loopback0 172.16.1.100/24
VLAN Setup
Three VLANs are configured on the switches. VLAN 1 is used for switch management, VLAN 10 is used
to connect PC1, and VLAN 20 is used to connect PC2. A trunk is enabled between the switches and
between the SW1 switch and the Branch router. The figure illustrates the trunk and VLAN setup.
[Figure: VLAN Setup. Labels: Branch, Trunk, SW1, SW2, PC1 (VLAN 10), PC2 (VLAN 20), VLAN 1.]
Task 1: Configure DHCP Pools
In this task, you will configure DHCP pools to enable the DHCP server implementation on a router.
Activity Procedure
Complete the following steps:
Step 1
Configure a DHCP pool named VLAN 10. The leased addresses should be part of network 10.1.10.0 /24.
Step 2
Determine the router interface IP address for VLAN 10 and configure it as a default gateway for DHCP
Step 4
Save the running configuration to the startup configuration on the Branch router.
Step 5
Access PC1.
Open the network adapter settings and edit the IPv4 settings. Set them to obtain an IP address and DNS
address automatically.
Step 6
Verify that PC1 has obtained an IP address dynamically by executing a DHCP verification command on the
Branch router.
Hardware address/
User name
10.1.10.2 0100.0c29.8fa8.a6 Oct 25 2012 12:18 PM Automatic
In addition, verify the IP address settings using the command prompt on PC1.
C:\Windows\system32> ipconfig /all
<output omitted>
Ethernet adapter LAB:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : VMware Accelerated AMD PCNet Adapter #2
Physical Address. . . . . . . . . : 00-0C-29-45-32-BE
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
Link-local IPv6 Address . . . . . : fe80::8c6e:3fe3:ca7e:c7c7%13(Preferred)
IPv4 Address. . . . . . . . . . . : 10.1.10.2(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Lease Obtained. . . . . . . . . . : Friday, October 19, 2012 2:39:34 PM
Step 7
The leased addresses should be part of network 10.1.20.0 /24. For the DNS server and default gateway, use
the router VLAN 20 interface (10.1.20.1). Set the lease time to 12 hours.
On the Branch router, verify the configured pools by using the show ip dhcp pool verification command.
Leased addresses : 1
Pending event : none
1 subnet is currently in the pool :
Current index IP address range Leased addresses
10.1.10.3 10.1.10.1 - 10.1.10.254 1
Pool VLAN20 :
Utilization mark (high/low) : 100 / 0
Subnet size (first/next) : 0 / 0
Total addresses : 254
Leased addresses : 0
Pending event : none
1 subnet is currently in the pool :
Current index IP address range Leased addresses
10.1.20.1 10.1.20.1 - 10.1.20.254 0
Step 9
Access PC2.
Open the network adapter settings and edit the IPv4 settings. Set them to obtain an IP address and DNS
address automatically.
Step 10
Check the DHCP address bindings on the router to verify that PC2 has obtained an IP address dynamically.
Activity Verification
You have completed this task when you attain these results:
Step 1
You verified that both PC1 and PC2 have dynamically assigned IP addresses.
Step 2
You have successfully verified connectivity between the PCs using the ping command:
Reply from 10.1.20.2: bytes=32 time=1ms TTL=127
Ping statistics for 10.1.20.2:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 1ms, Maximum = 30ms, Average = 8ms
Task 2: Exclude Specific IP Addresses from DHCP Pools
The configured DHCP server can assign any valid IP address from the pool to DHCP clients. Commonly,
certain IP addresses within the subnet that are assigned to the DHCP pool are configured manually on some
end hosts, such as servers or printers. In this task, you will configure DHCP to limit the valid IP addresses
within the pool to the desired uses.
Activity Procedure
Step 1
On the Branch router, change the configuration of the DHCP server to assign IP addresses to DHCP clients
Step 2
Save the running configuration to the startup configuration on the Branch router.
Step 3
To verify the DHCP configuration, connect to PC1, enter the command prompt, and release the existing
DHCP lease with the ipconfig /release command.
Step 4
Instruct PC1 to request a new DHCP lease by issuing the ipconfig /renew command.
Step 1
On the Branch router, verify that PC1 and PC2 have been assigned new IP addresses:
Hardware address/
User name
10.1.10.100 0100.0c29.4532.be Oct 19 2012 03:39 PM Automatic
10.1.20.100 0100.0c29.8807.34 Oct 20 2012 01:24 AM Automatic
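How exclusions change what a pool can hand out, as an added Python example that is not part of the lab guide. It reads IOS-style ip dhcp excluded-address and pool statements, reports the lowest address still assignable in each pool, and lists statically addressed hosts that the server could still lease; the excluded ranges are an assumption chosen to match the bindings shown above (10.1.10.100 and 10.1.20.100), and the printer entry is constructed.

```python
import ipaddress

# Constructed configuration. Pool networks and gateways follow the lab; the
# excluded ranges are an assumption consistent with the Task 2 bindings.
CONFIG = """\
ip dhcp excluded-address 10.1.10.1 10.1.10.99
ip dhcp excluded-address 10.1.20.1 10.1.20.99
ip dhcp pool VLAN10
 network 10.1.10.0 255.255.255.0
 default-router 10.1.10.1
ip dhcp pool VLAN20
 network 10.1.20.0 255.255.255.0
 default-router 10.1.20.1
"""

# Manually addressed hosts: the Branch subinterfaces are from the lab,
# the printer is constructed for illustration.
STATIC_HOSTS = {
    "Branch Gi0/0.10": "10.1.10.1",
    "Branch Gi0/0.20": "10.1.20.1",
    "printer (constructed)": "10.1.10.50",
}


def parse_dhcp_config(config):
    """Return (excluded ranges, {pool name: network}) from IOS-style config text."""
    excluded, pools, current = [], {}, None
    for line in config.splitlines():
        words = line.split()
        if words[:3] == ["ip", "dhcp", "excluded-address"]:
            low = ipaddress.ip_address(words[3])
            # The second address is optional; without it one address is excluded.
            high = ipaddress.ip_address(words[4]) if len(words) > 4 else low
            excluded.append((low, high))
        elif words[:3] == ["ip", "dhcp", "pool"]:
            current = words[3]
        elif words[:1] == ["network"] and current:
            pools[current] = ipaddress.ip_network(f"{words[1]}/{words[2]}")
    return excluded, pools


def is_excluded(addr, excluded):
    return any(low <= addr <= high for low, high in excluded)


def lowest_candidate(network, excluded):
    """Lowest host address in the pool that is not excluded, or None."""
    for host in network.hosts():
        if not is_excluded(host, excluded):
            return host
    return None


def exposed_static_hosts(static_hosts, pools, excluded):
    """Names of static hosts whose address lies in a pool and is not excluded."""
    exposed = []
    for name, addr in static_hosts.items():
        ip = ipaddress.ip_address(addr)
        if any(ip in net for net in pools.values()) and not is_excluded(ip, excluded):
            exposed.append(name)
    return sorted(exposed)


if __name__ == "__main__":
    excluded, pools = parse_dhcp_config(CONFIG)
    for name, net in pools.items():
        print(name, "lowest assignable address:", lowest_candidate(net, excluded))
    print("exposed with exclusions:", exposed_static_hosts(STATIC_HOSTS, pools, excluded))
    print("exposed without exclusions:", exposed_static_hosts(STATIC_HOSTS, pools, []))
```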
Task 3: Configure DHCP Relay Agent
In this task, you will reconfigure the Branch router to support a centralized DHCP server.
Activity Procedure
Complete the following steps:
Step 1
Access the Branch router and remove the DHCP server configuration.
Step 2
Verify that no DHCP server configuration is present on the Branch router by using a DHCP pool show
command.
Branch#
Step 3
Configure a DHCP relay agent on the Branch router to forward DHCP messages to a centralized DHCP
server with IP address 172.16.1.100. Configure the relay agent on both logical subinterfaces, which are part
of VLAN 10 and VLAN 20.
Step 4
Save the running configuration to the startup configuration on the Branch router.
Step 5
Step 6
Renew the DHCP lease using the ipconfig /renew command and verify that PC1 has dynamically obtained
an IP address from the 10.1.10.200-10.1.10.254 range.
C:\Windows\system32> ipconfig
Windows IP Configuration
Ethernet adapter LAB:
Connection-specific DNS Suffix . :
Link-local IPv6 Address . . . . . : fe80::1844:cd29:1d13:1905%13
IPv4 Address. . . . . . . . . . . : 10.1.10.200
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 10.1.10.1
<output omitted>
Step 7
Renew the DHCP lease using the ipconfig /renew command and verify that PC2 has dynamically obtained
an IP address from the 10.1.20.200-10.1.20.254 range.
C:\Windows\system32> ipconfig /all
<output omitted>
Ethernet adapter LAB:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : VMware Accelerated AMD PCNet Adapter #2
Activity Verification
Activity Procedure
Complete the following steps:
Access both PCs and edit the IPv4 network settings. Manually set the parameters according to the table.
IP Addressing
Device IP Address Subnet Mask Default Gateway
On PC1:
On PC2:
Step 2
To verify the manual settings, use the ping command to verify connectivity between PC1 and PC2.
Activity Verification
No additional verification is needed in this task.
Lab 4-3: Implementing OSPF
Activity Overview
Objectives
After completing this activity, you will be able to meet these objectives:
Configure a WAN interface
Configure OSPF
Visual Objective
The figure illustrates what you will accomplish in this activity.
[Figure: Lab 4-3 visual objective. Topology of Branch, HQ, Server, WAN, SW1, SW2, PC1, and PC2. Label: Configure OSPF.]
Required Resources
No additional resources are required for this lab.
Command List
The table describes the commands that are used in this activity. The commands are listed in alphabetical
order so that you can easily locate the information that you need. Refer to this list if you need configuration
command assistance during the lab activity.
Cisco Commands
Command Description
interface interface Enters interface configuration mode.
ip address ip_address network_mask Sets an IP address, along with the subnet mask, on an interface. Enter interface configuration mode to issue this command.
router ospf process_id Starts the OSPF routing process with the specified process ID. The process ID is of local significance, so two routers can have different process IDs and still become neighbors.
show ip interface brief Shows a brief version of the operational state and IP information of all interfaces.
Job Aids
These job aids are available to help you complete the lab activity.
The table shows the hardware that is used in the lab and the operating system that is running on the devices.
The table shows the usernames and passwords that are used to access the lab equipment.
SW1 (enable password) / cisco
Topology and IP Addressing
Devices are connected with Ethernet and serial connections. The figure illustrates the interface
identification and IP addresses that are used in this lab setup.
[Figure: Topology and IP Addressing. Labels: Branch, HQ, Server, WAN, PC1, SW1; interfaces Eth0/0, Eth0/1, Eth1/0; addresses 192.168.1.1, 192.168.1.2, 172.16.1.100, 10.1.10.100; VLAN 1 10.1.1.1, VLAN 10 10.1.10.1, VLAN 20 10.1.20.1]
The table shows the interface identification and IP addresses that are used in this lab setup.
VLAN Setup
Three VLANs are configured on the switch. VLAN 1 is used for switch management, and VLAN 10 is used to
connect PC1. VLAN 20 is used to connect PC2, which is not used in this lab exercise.
[Figure: VLAN Setup. Labels: Branch, Trunk, SW1, PC1, VLAN 1, VLAN 10]
In this task, you will disconnect the Branch router from the Internet by removing DHCP and NAT
configuration from the GigabitEthernet0/1 interface. You will use this link for WAN Ethernet connectivity
instead. You will configure the interface for WAN connectivity by setting a private IP address on the
interface. The Headquarters router has already been preconfigured for WAN connectivity.
Activity Procedure
Complete the following step:
Step 1
Step 2
Step 3
Configure IP address 192.168.1.1 with network mask 255.255.255.0 on the GigabitEthernet0/1 interface.
Activity Verification
You have completed this task when you attain these results:
On the Branch router, verify the operational state of interface GigabitEthernet0/1. Verify that the interface
is configured with the correct IP address.
GigabitEthernet0/0.1 10.1.1.1 YES manual up up
GigabitEthernet0/0.10 10.1.10.1 YES manual up up
GigabitEthernet0/0.20 10.1.20.1 YES manual up up
GigabitEthernet0/1 192.168.1.1 YES manual up up
Serial0/0/0 unassigned YES unset administratively down down
NVI0 unassigned NO unset up up
Step 2
Step 3
Your attempt should not be successful because the Headquarters router does not have a path back to the
10.1.10.0/24 network.
Activity Procedure
Complete the following steps:
Step 1
On the Branch router, enable single-area OSPF (area 0) and configure it so that it advertises networks
10.1.1.0/24, 10.1.10.0/24, 10.1.20.0/24, and 192.168.1.0/24.
The Headquarters router was already configured with OSPF by your colleague.
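As an added example (not part of the lab guide), the Python sketch below renders the four networks from Step 1 as OSPF network statements with wildcard masks and checks which interface addresses each statement matches. The GigabitEthernet0/2 address is a constructed value, used only to show that a catch-all statement also enables OSPF on an interface you did not intend to include.

```python
import ipaddress

# Networks that Step 1 asks the Branch router to advertise in area 0.
LAB_NETWORKS = ["10.1.1.0/24", "10.1.10.0/24", "10.1.20.0/24", "192.168.1.0/24"]

# Interface addresses as they appear in the lab's "show ip interface brief" output.
LAB_INTERFACES = {
    "GigabitEthernet0/0.1": "10.1.1.1",
    "GigabitEthernet0/0.10": "10.1.10.1",
    "GigabitEthernet0/0.20": "10.1.20.1",
    "GigabitEthernet0/1": "192.168.1.1",
}

# Constructed value (not from the lab): an extra interface outside the lab networks.
EXTRA_INTERFACE = {"GigabitEthernet0/2": "203.0.113.1"}


def network_statement(cidr, area=0):
    """Render a prefix as 'network <address> <wildcard> area <id>'.

    IPv4Network is strict by default, so a prefix with host bits set
    (for example 10.1.10.1/24) raises ValueError instead of being accepted.
    """
    net = ipaddress.IPv4Network(cidr)
    return f"network {net.network_address} {net.hostmask} area {area}"


def parse_statement(line):
    """Split a network statement into (address, wildcard, area)."""
    parts = line.split()
    if len(parts) != 5 or parts[0] != "network" or parts[3] != "area":
        raise ValueError(f"not an OSPF network statement: {line!r}")
    address = int(ipaddress.IPv4Address(parts[1]))
    wildcard = int(ipaddress.IPv4Address(parts[2]))
    return address, wildcard, parts[4]


def enabled_interfaces(statements, interfaces):
    """Return {interface: area} for every interface matched by a statement.

    An interface matches when its address equals the statement address in
    every bit position where the wildcard mask holds a 0 bit.
    Simplification of this example: the first matching statement wins.
    """
    parsed = [parse_statement(s) for s in statements]
    result = {}
    for name, addr in interfaces.items():
        ip = int(ipaddress.IPv4Address(addr))
        for address, wildcard, area in parsed:
            care = ~wildcard & 0xFFFFFFFF  # bits that must match
            if (ip & care) == (address & care):
                result[name] = area
                break
    return result


if __name__ == "__main__":
    statements = [network_statement(n) for n in LAB_NETWORKS]
    print("router ospf <process_id>")
    for s in statements:
        print(" " + s)

    everything = {**LAB_INTERFACES, **EXTRA_INTERFACE}
    print("specific statements enable:", sorted(enabled_interfaces(statements, everything)))
    catch_all = ["network 0.0.0.0 255.255.255.255 area 0"]
    print("catch-all statement enables:", sorted(enabled_interfaces(catch_all, everything)))
```

Per-network statements keep OSPF off any interface whose address falls outside the listed prefixes, which is the property the Step 2 verification checks for the four Branch interfaces.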
Activity Verification
You have completed this task when you attain these results:
Step 1
On the Branch router, determine whether you see the Headquarters router as a neighbor.
The Headquarters router is configured with the router ID of 1.1.1.1.
Branch# show ip ospf neighbor
Neighbor ID Pri State Dead Time Address Interface
1.1.1.1 1 FULL/BDR 00:00:35 192.168.1.2 GigabitEthernet0/1
Step 2
On the Branch router, verify that GigabitEthernet0/0.1, GigabitEthernet0/0.10, GigabitEthernet0/0.20, and
GigabitEthernet0/1 are enabled for the OSPF process.
On the Branch router, view the routing table. Note the entry for the 172.16.1.0/24 network that was
acquired via the OSPF routing process.
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
+ - replicated route, % - next hop override
Gateway of last resort is 0.0.0.0 to network 0.0.0.0
S* 0.0.0.0/0 is directly connected, GigabitEthernet0/1
10.0.0.0/8 is variably subnetted, 6 subnets, 2 masks
C 10.1.1.0/24 is directly connected, GigabitEthernet0/0.1
L 10.1.1.1/32 is directly connected, GigabitEthernet0/0.1
C 10.1.10.0/24 is directly connected, GigabitEthernet0/0.10
L 10.1.10.1/32 is directly connected, GigabitEthernet0/0.10
C 10.1.20.0/24 is directly connected, GigabitEthernet0/0.20
L 10.1.20.1/32 is directly connected, GigabitEthernet0/0.20
172.16.0.0/32 is subnetted, 1 subnets
O 172.16.1.100 [110/2] via 192.168.1.2, 00:07:00, GigabitEthernet0/1
192.168.1.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.1.0/24 is directly connected, GigabitEthernet0/1
L 192.168.1.1/32 is directly connected, GigabitEthernet0/1
Step 4
From PC1, ping the 172.16.1.100 server. Your attempt should be successful because the HQ router now
C:\Users\Administrator>ping 172.16.1.100
Pinging 172.16.1.100 with 32 bytes of data:
Reply from 172.16.1.100: bytes=32 time=44ms TTL=128
Reply from 172.16.1.100: bytes=32 time=41ms TTL=128
Reply from 172.16.1.100: bytes=32 time=36ms TTL=128
Reply from 172.16.1.100: bytes=32 time=36ms TTL=128
Lab 5-1: Configure and Verify Basic IPv6
Activity Overview
Objectives
In this activity, you will enable IPv6 globally and manually configure an IPv6 address on the interface.
After completing this lab activity, you will be able to meet this objective:
Enable IPv6 support on a router and perform basic configuration
Visual Objective
The figure illustrates what you will accomplish in this activity.
[Figure: lab topology. Labels: Branch, HQ, Server, PC1, SW1, PC2, SW2]
Required Resources
No additional resources are required for this lab.
Command List
The table describes the commands that are used in this activity. The commands are listed in alphabetical
order so that you can easily locate the information that you need. Refer to this list if you need configuration
or verification Cisco IOS command assistance during the lab activity.
Commands
Command Description
configure terminal Enters configuration mode
exit Exits from the Telnet session
ipv6 address ipv6_address/ipv6_mask Configures an IPv6 address on the interface
ping destination_address Pings the specified IP address
Job Aids
These job aids are available to help you complete the lab activity.
The table shows the hardware that is used in the lab and the operating system that is running on the devices.
The table shows the usernames and passwords that are used to access the lab equipment.
[Figure: Labels: Branch, HQ; address 2001:DB8:AC10:100::64]
The table shows the interface identification and IP addresses that are used in this lab setup.
Device Interface IP Address/Subnet Mask
HQ Gi0/1 2001:DB8:D1A5:C900::2/64
HQ Loopback0 2001:DB8:AC10:100::64/64
In this task, you will enable IPv6 globally and manually configure an IPv6 address on the interface.
The HQ router is already configured with an IPv6 address on the Gigabit Ethernet interface.
Activity Procedure
Complete the following steps:
Step 1
Step 2
Step 3
Activity Verification
You have completed this task when you attain this result:
Step 1
On the Branch router, verify IPv6 setup on the GigabitEthernet 0/1 interface.
No Virtual link-local address(es):
Description: Link to HQ
Global unicast address(es):
2001:DB8:D1A5:C900::1, subnet is 2001:DB8:D1A5:C900::/64
Joined group address(es):
FF02::1
FF02::2
FF02::1:FF00:1
FF02::1:FFE5:2599
MTU is 1500 bytes
ICMP error messages limited to one every 100 milliseconds
ICMP redirects are enabled
ICMP unreachables are sent
ND DAD is enabled, number of DAD attempts: 1
ND reachable time is 30000 milliseconds (using 30000)
ND advertised reachable time is 0 (unspecified)
ND advertised retransmit interval is 0 (unspecified)
ND router advertisements are sent every 200 seconds
ND router advertisements live for 1800 seconds
ND advertised default router preference is Medium
The GigabitEthernet0/1 interface is up and running. An IPv6 address is successfully enabled on the
interface.
Step 2
On the Branch router, ping the HQ router GigabitEthernet0/1 interface (2001:DB8:D1A5:C900::2). The
ping should be successful.
On the Branch router, trace route to the IPv6 address 2001:DB8:D1A5:C900::2. You should see a response
from the HQ router.
1 2001:DB8:D1A5:C900::2 0 msec 4 msec 0 msec
Step 4
From the Branch router, use Telnet to connect to IPv6 address 2001:DB8:D1A5:C900::2. You should see a
successful Telnet to the HQ router.
Branch# telnet 2001:db8:D1A5:C900::2
Trying 2001:DB8:D1A5:C900::2 ... Open
HQ#
Disconnect from the HQ router by performing the exit command.
HQ# exit
[Connection to 2001:db8:D1A5:C900::2 closed by foreign host]
Branch#
Lab 5-2: Configure and Verify Stateless Autoconfiguration
Activity Overview
Objectives
In this activity, you will enable stateless autoconfiguration. After completing this lab activity, you will be
[Figure: lab topology. Labels: Branch, HQ, Server, PC1, SW1, PC2, SW2]
Required Resources
No additional resources are required for this lab.
Command List
The table describes the commands that are used in this activity. The commands are listed in alphabetical
order so that you can easily locate the information that you need. Refer to this list if you need configuration
or verification Cisco IOS command assistance during the lab activity.
Commands
Command Description
configure terminal Enters configuration mode
exit Exits from the Telnet session
ipv6 address autoconfig Enables IPv6 autoconfiguration on the interface
show ipv6 interface interface Displays IPv6 status on the interface
The table shows the hardware that is used in the lab and the operating system that is running on the devices.
The table shows the usernames and passwords that are used to access the lab equipment.
[Figure: Labels: Branch, HQ; address 2001:DB8:AC10:100::64]
The table shows the interface identification and IP addresses that are used in this lab setup.
Device Interface IP Address/Subnet Mask
HQ Gi0/1 2001:DB8:D1A5:C900::2/64
HQ Loopback0 2001:DB8:AC10:100::64/64
the Router
In this task, you will first remove a configured IPv6 address from the interface and then configure stateless
autoconfiguration on the interface.
The HQ router is already configured with the IPv6 address on the Gigabit Ethernet interface.
Activity Procedure
Complete the following steps:
Step 1
ip address 209.165.201.1 255.255.255.224
duplex auto
speed auto
ipv6 address 2001:DB8:D1A5:C900::1/64
end
There is an IPv6 address that is configured on the interface.
Step 2
On the Branch router, remove the IPv6 address from the GigabitEthernet 0/1 interface.
Step 3
On the Branch router, configure stateless autoconfiguration on the GigabitEthernet 0/1 interface.
Activity Verification
You have completed this task when you attain these results:
On the Branch router, verify the IPv6 setup on the GigabitEthernet 0/1 interface.
Global unicast address(es):
2001:DB8:D1A5:C900:FE99:47FF:FEE5:2599, subnet is 2001:DB8:D1A5:C900::/64
[EUI/CAL/PRE]
valid lifetime 2591996 preferred lifetime 604796
Joined group address(es):
FF02::1
FF02::2
FF02::1:FFE5:2599
MTU is 1500 bytes
ICMP error messages limited to one every 100 milliseconds
ICMP redirects are enabled
ICMP unreachables are sent
ND DAD is enabled, number of DAD attempts: 1
ND reachable time is 30000 milliseconds (using 30000)
ND advertised reachable time is 0 (unspecified)
ND advertised retransmit interval is 0 (unspecified)
ND router advertisements are sent every 200 seconds
ND router advertisements live for 1800 seconds
ND advertised default router preference is Medium
Hosts use stateless autoconfig for addresses.
The GigabitEthernet 0/1 interface is up and running. The IPv6 address is successfully set on the interface.
The IPv6 prefix is the same as what is configured on the HQ router, and the host portion of the IPv6 address
is calculated from the GigabitEthernet 0/1 interface MAC address.
Step 2
On the Branch router, ping the HQ router GigabitEthernet0/1 interface (2001:DB8:D1A5:C900::2). The
ping should be successful.
Step 3
On the Branch router, trace route to the IPv6 address 2001:DB8:D1A5:C900::2. You should see a response
from the HQ router.
1 2001:DB8:D1A5:C900::2 0 msec 4 msec 0 msec
Lab 5-3: Configure and Verify IPv6 Routing
Activity Overview
Objectives
In this activity, you will configure and verify IPv6 routing by enabling static routing and OSPFv3. After
completing this lab activity, you will be able to meet these objectives:
Enable and verify static routing
Enable and verify OSPFv3
Visual Objective
The figure illustrates what you will accomplish in this activity.
[Figure: lab topology. Labels: Branch, HQ, Server, PC1, SW1, PC2, SW2]
Required Resources
No additional resources are required for this lab.
Command List
The table describes the commands that are used in this activity. The commands are listed in alphabetical
order so that you can easily locate the information that you need. Refer to this list if you need configuration
or verification Cisco IOS command assistance during the lab activity.
Commands
Command Description
configure terminal Enters configuration mode.
interface interface Enters interface configuration mode.
ipv6 ospf process_ID area area_ID Enables OSPFv3 routing on the interface.
[no] ipv6 route ::/0 interface next_hop Enables or disables the IPv6 default route.
ipv6 router ospf process_ID Enables OSPFv3 and enters routing process mode.
ping destination_address Pings the specified IP address.
router-id router-id Configures the OSPFv3 router ID. The router ID is a 32-bit value, written in the IPv4 form (x.x.x.x).
Job Aids
These job aids are available to help you complete the lab activity.
The table shows the hardware that is used in the lab and the operating system that is running on the devices.
The table shows the usernames and passwords that are used to access the lab equipment.
[Figure: Labels: Branch, HQ; address 2001:DB8:AC10:100::64]
The table shows the interface identification and IP addresses that are used in this lab setup.
Device Interface IP Address/Subnet Mask
HQ Gi0/1 2001:DB8:D1A5:C900::2/64
HQ Loopback0 2001:DB8:AC10:100::64/64
In this task, you will configure the IPv6 default route on the Branch router.
Activity Procedure
Complete the following steps:
Step 1
The ping is not successful because there is no valid route for network 2001:DB8:AC10:100::/64 in the
routing table.
Step 2
ND - Neighbor Discovery, l - LISP
O - OSPF Intra, OI - OSPF Inter, OE1 - OSPF ext 1, OE2 - OSPF ext 2
ON1 - OSPF NSSA ext 1, ON2 - OSPF NSSA ext 2
NDp 2001:DB8:D1A5:C900::/64 [2/0]
     via GigabitEthernet0/1, directly connected
L 2001:DB8:D1A5:C900:FE99:47FF:FEE5:2599/128 [0/0]
     via GigabitEthernet0/1, receive
L FF00::/8 [0/0]
     via Null0, receive
From the IPv6 routing table output, you can confirm there is no route for a desirable network.
Step 3
On the Branch router, configure a default IPv6 route pointing to the HQ router.
Activity Verification
You have completed this task when you attain these results:
Step 1
On the Branch router, ping the server at 2001:DB8:AC10:100::64. The ping should be successful.
ND - Neighbor Discovery, l - LISP
O - OSPF Intra, OI - OSPF Inter, OE1 - OSPF ext 1, OE2 - OSPF ext 2
ON1 - OSPF NSSA ext 1, ON2 - OSPF NSSA ext 2
S ::/0 [1/0]
     via 2001:DB8:D1A5:C900::2, GigabitEthernet0/1
NDp 2001:DB8:D1A5:C900::/64 [2/0]
     via GigabitEthernet0/1, directly connected
L 2001:DB8:D1A5:C900:FE99:47FF:FEE5:2599/128 [0/0]
     via GigabitEthernet0/1, receive
L FF00::/8 [0/0]
     via Null0, receive
There is still no route for network 2001:DB8:AC10:100::/64, but there is a static default route. The Branch
router uses the default route to reach IPv6 networks that are not present in the routing table.
In this task, you will first remove the default IPv6 route that is configured in the previous task, and you will
enable OSPFv3.
The HQ router is already configured with OSPFv3.
Activity Procedure
Complete the following steps:
Step 1
Step 2
On the Branch router, enable OSPFv3 with process ID 1 and router ID 0.0.0.2.
Step 3
Activity Verification
You have completed this task when you attain these results:
Step 1
The OSPFv3 adjacency between the Headquarters and Branch routers is established.
Step 2
Branch# show ipv6 ospf neighbor
Neighbor ID Pri State Dead Time Interface ID Interface
0.0.0.1 1 FULL/DR 00:00:39 4 GigabitEthernet0/1
The Branch router has an active OSPFv3 neighborship to the router with router ID 0.0.0.1. The HQ router is
using OSPFv3 router ID 0.0.0.1.
Step 3
The OSPFv3 on the Branch router is using process ID 1 and router ID 0.0.0.2.
ND - Neighbor Discovery, l - LISP
O - OSPF Intra, OI - OSPF Inter, OE1 - OSPF ext 1, OE2 - OSPF ext 2
ON1 - OSPF NSSA ext 1, ON2 - OSPF NSSA ext 2
O 2001:DB8:AC10:100::/64 [110/2]
     via FE80::FE99:47FF:FEE5:2551, GigabitEthernet0/1
NDp 2001:DB8:D1A5:C900::/64 [2/0]
     via GigabitEthernet0/1, directly connected
L 2001:DB8:D1A5:C900:FE99:47FF:FEE5:2599/128 [0/0]
     via GigabitEthernet0/1, receive
L FF00::/8 [0/0]
     via Null0, receive
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 0/0/4 ms
Lab S-1: ICND1 Superlab
Activity Overview
Objectives
In this activity, you will repeat what you have learned throughout the course. After completing this activity,
you will be able to meet these objectives:
Configure basic settings, VLANs, trunks, and port security on the Cisco switch
Configure inter-VLAN routing
[Figure: lab topology. Labels: Branch, HQ, Server, Internet/WAN, PC1, SW1, PC2, SW2, VLAN 10, VLAN 20; callouts: VLAN routing, Enable IPv6 connectivity, Configure Internet connectivity, Configure VLANs, trunk, and port security]
Required Resources
Command List
The table that follows describes the commands that are used in this activity. The commands are listed in
alphabetical order so that you can easily locate the information that you need. Refer to this list if you need
configuration command assistance during the lab activity.
Command Description
encapsulation dot1Q vlan [native] Sets the encapsulation type and VLAN on a subinterface on a router.
hostname hostname Sets the system name, which forms part of the prompt.
interface interface.subinterface Enters the subinterface configuration mode.
ip access-list extended acl_name Creates an extended, named ACL.
outbound direction.
ip address ip-address subnet-mask Sets the IP address and mask on an interface.
ip nat inside source list acl_id interface interface overload Configures dynamic NAT with PAT.
ip nat inside Configures an interface as NAT inside.
ip route network mask next_hop_ip_address Configures a static route (including a default route).
ipv6 address ipv6-address/prefix_length Sets the IPv6 address and prefix length on an interface.
ipv6 ospf process_id area area_id Enables an interface for OSPFv3 in an area.
line vty start_line end_line Enters the virtual lines configuration mode.
network network wildcard_mask area area_id Configures a router to advertise a network through OSPF.
reload Restarts the switch and reloads the Cisco IOS operating system and configuration.
show ip interface brief Displays the brief status of interfaces and their IP addresses.
show ip route Displays the routing table.
show ipv6 interface interface Displays IPv6 settings and status on an interface.
show ipv6 neighbors Displays the IPv6 neighbor discovery table.
show ipv6 route Displays the IPv6 routing table.
show ip nat translations Displays the NAT table.
switchport port-security violation protect Configures the port security violation to protect.
switchport port-security maximum number Specifies the maximum number of MAC addresses that can be seen on a port when port security is enabled.
switchport port-security mac-address mac_address Manually defines MAC addresses that are allowed on a switchport when port security is enabled.
switchport trunk allowed vlan vlans Specifies allowed VLANs on a trunk link.
transport input ssh telnet Allows Telnet and SSH on virtual lines.
username username password password Creates a user account in the local user database.
Job Aids
These job aids are available to help you complete the lab activity.
The table shows the hardware that is used in the lab and the operating system that is running on the devices.
Device Hardware Operating System
PC2 Any PC Microsoft Windows 7
Topology and IP Addressing
Devices are connected with Ethernet and serial connections. The figure illustrates the interface
identification and IP addresses that will be used in this lab.
[Figure: Topology and IP Addressing. Labels: Branch, HQ, Server, Internet, PC1, SW1, PC2, SW2; interfaces Gi0/0, Gi0/1, Fa0/1, Fa0/3, Fa0/13; addresses 209.165.201.1, 209.165.201.2, 192.168.1.1, 192.168.1.2, 172.16.1.100, 10.1.1.11, 10.1.1.12, 10.1.10.100, 10.1.20.100; VLAN 1 10.1.1.1, VLAN 10 10.1.10.1, VLAN 20 10.1.20.1]
The table shows the interface identification and IP addresses that will be used in this lab setup.
HQ Loopback0 172.16.1.100/24
IPv6 Addressing
The figure illustrates IPv6 addresses that will be used in this lab.
[Figure: IPv6 Addressing. Labels: Branch, HQ, Server, Internet, PC1, SW1, PC2, SW2, Gi0/1; addresses 2001:db8:D1A5:C900::1/64, 2001:db8:D1A5:C900::2/64, 2001:db8:C0A8:100::1/64, 2001:db8:C0A8:100::2/64, 2001:db8:AC10:100::64/64; VLAN 1 2001:db8:0A01:100::1/64, VLAN 10 2001:db8:0A01:A00::1/64, VLAN 20 2001:db8:0A01:1400::1/64]
The table shows the interface identification and IPv6 addresses that will be used in this lab.
Task 1: Configure Basic Settings, VLANs, Trunks, and Port Security on Switches
In this task, you will first delete the existing configuration from SW1 and SW2 switches and reload them.
Then you will configure basic settings on the switches and secure administrative access to the switches.
You will also configure VLANs and trunks on the switches and put both PCs into different VLANs. Finally,
you will enable port security on the switches to prevent unauthorized access to the LAN.
Activity Procedure
Complete the following steps:
Step 1
Access the SW1 and SW2 switches.
Step 2
Delete the startup configuration from the SW1 and SW2 switches. Delete the vlan.dat file from the flash
memory of the switches and delete the VLAN information. Reload the switches in order to boot the
switches with an empty configuration.
Step 3
Step 4
Configure IPv4 addresses on both switches for management purposes. Assign the IP address to the VLAN 1
interface. Use the Job Aids section of the document to determine the IP address for each switch. Enable the
VLAN 1 interface.
Step 5
Configure the enable password on the SW1 and SW2 switches. Use the command that will store the
configured password in encrypted form. Use cisco as a password.
Step 6
Secure console access to the switches by enabling the password on the console. Use cisco as a password.
Enable synchronous logging on the console to make the input of commands easier.
Step 7
Enable SSH version 2 remote access to the SW1 and SW2 switches. Use 1024-bit long RSA keys and
cisco.com as the domain name. Allow Telnet and SSH on the virtual lines.
Create a local user account on the switches that will be used to authenticate users accessing the switches via
SSH or Telnet. Use ccna as a username and cisco as a password. Configure the virtual lines for checking
the username and password.
Step 9
Create two additional VLANs on the switches. Use VLAN 10 and 20.
Step 10
Configure a trunk between SW1 and SW2 switches over the FastEthernet0/3 port. Allow only VLANs 1,
10, and 20 on the trunk link. Shut down the FastEthernet0/4 port on both switches.
Step 11
On SW1, configure the port connecting to PC1 (FastEthernet0/1) as the access port. Put the port into VLAN
10.
Step 12
On SW2, configure the port connecting to PC2 (FastEthernet0/1) as the access port. Put the port into VLAN
20.
Step 13
Access PC1. Use administrator as a username and admin as a password in order to log in. Set the
following IP settings on the LAB network adapter:
Access PC2. Use administrator as a username and admin as a password in order to log in. Set the
following IP settings on the LAB network adapter:
Step 15
From PC1, which is in VLAN 10, ping the management IP address of SW1 (10.1.1.11) in VLAN 1.
Reply from 10.1.10.100: Destination host unreachable.
Ping statistics for 10.1.1.11:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
The ping should be unsuccessful because routing between VLAN 1 and VLAN 10 has not been configured
yet.
Step 16
From PC2, which is in VLAN 20, ping the management IP address of SW1 (10.1.1.11) in VLAN 1.
C:\Windows\system32> ping 10.1.1.11
Pinging 10.1.1.11 with 32 bytes of data:
Reply from 10.1.20.100: Destination host unreachable.
Reply from 10.1.20.100: Destination host unreachable.
The ping should be unsuccessful because routing between VLAN 1 and VLAN 20 has not been configured
yet.
Step 17
Return to SW1 and verify the MAC address table. Note the MAC address of PC1 and write it down.
Step 18
Return to SW2 and verify the MAC address table. Note the MAC address of PC2 and write it down.
Mac Address Table
-------------------------------------------
Vlan Mac Address Type Ports
---- ----------- -------- -----
All 0100.0ccc.cccc STATIC CPU
All 0100.0ccc.cccd STATIC CPU
<output omitted>
1 001e.147c.6f03 DYNAMIC Fa0/3
10 000c.293b.709d DYNAMIC Fa0/3
20 000c.29a8.a05a DYNAMIC Fa0/1
20 000f.34f9.9183 DYNAMIC Fa0/1
Note: If there is more than one MAC address that is seen on the FastEthernet0/1 interface, go to the PC and
determine its MAC address using the ipconfig /all command.
Step 19
On the SW1 and SW2 switches, enable port security on the interfaces connecting to the PCs
(FastEthernet0/1) in order to allow only PCs to connect to the switches. You should first set up the
parameters and then enable port security; otherwise, the port will be shut down due to a port security
violation. Use the following port security parameters:
Activity Verification
Activity Procedure
Complete the following steps:
Step 1
Step 2
Delete the startup configuration from the Branch router. Reload the router in order to boot the router with an
empty configuration.
Step 3
Step 4
Configure the enable password on the Branch router. Use the command that will store the configured
password in secure encrypted form. Use cisco as a password.
Step 5
Secure console access to the router by enabling the password on the console. Use cisco as a password.
Enable synchronous logging on the console to make the input of commands easier.
Step 6
Secure Telnet access to the router by enabling the password on virtual lines. Use cisco as a password.
Step 7
Enable the GigabitEthernet0/0 interface on the Branch router. Create three subinterfaces on the interface
and configure them with the following parameters:
GigabitEthernet0/0.10 10 10.1.10.1/24
GigabitEthernet0/0.20 20 10.1.20.1/24
Step 8
Configure the FastEthernet 0/13 port on the switch as a trunk. Allow only VLANs 1, 10, and 20 on the
trunk link. This way, you will enable the switch to send traffic to or from all configured VLANs over the
same port toward the Branch router.
Activity Verification
You have completed this task when you attain this result:
Step 1
Verify the switchport status of the FastEthernet0/13 port on the SW1 switch:
SW1# show interfaces FastEthernet0/13 switchport
Name: Fa0/13
Switchport: Enabled
Administrative Mode: trunk
Operational Mode: trunk
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: dot1q
Negotiation of Trunking: On
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)
Administrative Native VLAN tagging: enabled
Voice VLAN: none
Step 2
Verify the switch port status of the FastEthernet0/3 port on the SW1 switch:
Step 3
Verify the trunking status of the FastEthernet0/3 port on the SW1 switch:
Port Vlans allowed and active in management domain
Fa0/3 1,10,20
Port Vlans in spanning tree forwarding state and not pruned
Fa0/3 1,10,20
You should see that the interface is in trunking mode, encapsulation is 802.1q, and VLANs 1, 10, and 20
are active and not pruned.
Step 4
Verify the trunking status of the FastEthernet0/3 port on the SW2 switch:
SW2# show interfaces FastEthernet0/3 trunk
Port Mode Encapsulation Status Native vlan
Fa0/3 on 802.1q trunking 1
You should see that the interface is in trunking mode, encapsulation is 802.1q, and VLANs 1, 10, and 20
are active and not pruned.
Step 5
You should see that the subinterfaces are configured with IP addresses and are operational.
Reply from 10.1.1.11: bytes=32 time=2ms TTL=254
Ping statistics for 10.1.1.11:
Packets: Sent = 4, Received = 3, Lost = 1 (25% loss),
Approximate round trip times in milli-seconds:
Minimum = 2ms, Maximum = 8ms, Average = 4ms
The ping should be successful.
Step 7
Step 8
On PC1, start PuTTY by double-clicking the PuTTY icon on the desktop. Establish an SSH session to the
SW1 management IP address at 10.1.1.11. Accept the fingerprint of the switches when asked. Use ccna as a
username and cisco as a password in order to log in. Enter the privileged EXEC mode using the cisco
password in order to verify that the enable password is properly configured.
SW1#
Verify port security information on the FastEthernet0/1 port on the SW1 switch. Use the previously
established SSH session to access SW1.
Violation Mode : Protect
Aging Time : 0 mins
Aging Type : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 1
Total MAC Addresses : 1
Configured MAC Addresses : 0
Sticky MAC Addresses : 0
Last Source Address:Vlan : 000c.293b.709d:10
Security Violation Count : 0
You should see that the port is protected, the security violation is set to protect, and the last seen MAC
address is PC1 in VLAN 10.
Step 10
On PC1, open another PuTTY window by double-clicking the PuTTY icon again. Establish a Telnet session
to the Branch router at 10.1.10.1. Use the cisco password to log in. Enter privileged EXEC mode using the
cisco password in order to verify if the enable password is properly configured.
Reply from 10.1.1.12: bytes=32 time=2ms TTL=254
Ping statistics for 10.1.1.12:
Packets: Sent = 4, Received = 3, Lost = 1 (25% loss),
Approximate round trip times in milli-seconds:
Minimum = 2ms, Maximum = 8ms, Average = 4ms
The ping should be successful.
Step 12
On PC2, start PuTTY by double-clicking the PuTTY icon on the desktop. Establish an SSH session to the
SW2 management IP address at 10.1.1.12. Accept the fingerprint of the switches when asked. Use ccna as a
username and cisco as a password in order to log in. Enter the privileged EXEC mode using the cisco
password in order to verify if the enable password is properly configured.
SW2#
Verify port security information on the FastEthernet0/1 port on the SW2 switch. Use the previously
established SSH session to access SW2.
Violation Mode : Protect
Aging Time : 0 mins
Aging Type : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 1
Total MAC Addresses : 1
Configured MAC Addresses : 1
Sticky MAC Addresses : 0
Last Source Address:Vlan : 000f.34f9.9183:20
Security Violation Count : 0
You should see that the port is protected, the security violation is set to protect, and the last seen MAC
address is PC2 in VLAN 20.
Step 14
IP addresses on an interface and default route. You will also configure NAT with PAT to hide internal
addressing from the Internet. Finally, you will configure an ACL that will protect the router and LAN from
Activity Procedure
Complete the following steps:
Step 1
Step 2
Configure an IP address on the Branch router on the interface connecting to the Internet
(GigabitEthernet0/1). Use 209.165.201.1/27 for the IP address. Enable the interface.
Step 3
Configure a default route on the Branch router that will point to the HQ router as the next hop.
Step 4
Create a standard ACL that will permit users on VLAN 10 and 20. This ACL will be used to specify IP
addresses that are eligible for NAT. Use 1 for the access list identifier.
Step 5
Configure NAT with PAT on the Branch router for all LAN users. This includes users on VLAN 10 and 20.
Refer to the previously configured ACL. Use the IP address on the GigabitEthernet0/1 interface for the
translated IP address.
Step 6
Configure a named extended ACL on the Branch router that will deny all TCP and UDP traffic coming
from a source port greater than 1024. Permit all other IP traffic. Apply the ACL to the GigabitEthernet0/1
interface in the inbound direction.
Note This ACL will effectively block all connection attempts from the Internet, while the returning traffic to the
LAN will be allowed. With a majority of well-known applications, you can expect that the source port of
traffic returning from a server will have a value that is lower than 1024. For example, returning traffic that
is coming from a Telnet server will have a source port with a value of 23. On the other hand, Telnet
traffic that originates from a host will have a source port greater than 1024.
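How the three entries of this ACL treat individual inbound packets, as an added example that is not part of the lab guide. The packets are constructed, and the model covers only protocol and source-port matching in first-match order.

```python
from dataclasses import dataclass
from typing import Optional

# Entries as listed later in the lab's "show access-lists" output:
# (sequence, action, protocol, lower bound for "gt" on the source port, or None)
ACL = [
    (10, "deny", "tcp", 1024),
    (20, "deny", "udp", 1024),
    (30, "permit", "ip", None),
]


@dataclass(frozen=True)
class Packet:
    proto: str              # "tcp", "udp" or "icmp"
    sport: Optional[int]    # None for protocols without ports
    label: str


def entry_matches(entry, pkt):
    """True when the packet satisfies the entry's protocol and port test."""
    _seq, _action, proto, gt = entry
    if proto != "ip" and proto != pkt.proto:
        return False
    if gt is not None:
        # "gt 1024" is a strict comparison: port 1024 itself does not match.
        return pkt.sport is not None and pkt.sport > gt
    return True


def evaluate(acl, pkt, hits):
    """First matching entry wins; every ACL ends with an implicit deny."""
    for entry in acl:
        if entry_matches(entry, pkt):
            hits[entry[0]] = hits.get(entry[0], 0) + 1
            return entry[1], entry[0]
    return "deny", None


def run(acl, packets):
    """Return the verdict per packet label and the match count per entry."""
    hits = {}
    verdicts = {p.label: evaluate(acl, p, hits) for p in packets}
    return verdicts, hits


# Constructed packets arriving inbound on GigabitEthernet0/1 (not captured traffic).
SAMPLE = [
    Packet("tcp", 23, "telnet reply from server"),
    Packet("udp", 53, "dns reply"),
    Packet("icmp", None, "echo reply"),
    Packet("tcp", 50000, "connection attempt from outside client"),
    Packet("udp", 40000, "udp datagram from outside client"),
    Packet("tcp", 8080, "reply from a service listening on 8080"),
    Packet("tcp", 1024, "segment with source port exactly 1024"),
]

if __name__ == "__main__":
    verdicts, hits = run(ACL, SAMPLE)
    for label, (action, seq) in verdicts.items():
        print(f"{action:6} seq={seq}  {label}")
    print("matches per entry:", hits)
```

The 8080 row shows the limit behind the Note's "majority of well-known applications": the filter looks only at the source port and keeps no record of which sessions the LAN opened, so return traffic from a service on a high port is dropped.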
Activity Verification
You have completed this task when you attain these results:
Step 1
You should see that the interface is operational and that it has an IP address configured.
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
+ - replicated route, % - next hop override
Gateway of last resort is 209.165.201.2 to network 0.0.0.0
S* 0.0.0.0/0 [1/0] via 209.165.201.2
You should see that the router has a default route that is configured, which points to the HQ router.
Step 3
Access PC1. Start PuTTY by double-clicking the PuTTY icon on the desktop. Establish a Telnet session to
the server at 172.16.1.100.
HQ#
Note Recall that the server is simulated as the loopback interface on the HQ router.
On the HQ router, verify the user connection to the server using the show users command. Use the
previously established Telnet session.
You should see that the Telnet session from PC1 is seen as originating from the translated IP address. The
translated IP address is the IP address of the GigabitEthernet0/1 interface on the Branch router.
Step 5
Access PC2. Start PuTTY by double-clicking the PuTTY icon on the desktop. Establish a Telnet session to
the server at 172.16.1.100.
HQ#
Step 6
On the HQ router, verify the user connection to the server using the show users command. Use the
previously established Telnet session.
*389 vty 1 idle 00:00:00 209.165.201.1
You should also see that the Telnet session from PC2 is seen as originating from the translated IP address.
The translated IP address is the IP address of the GigabitEthernet0/1 interface on the Branch router.
Step 7
Verify the translation table on the Branch router.
You should see two PAT translations. One translation is for PC1 at 10.1.10.100, and the second is for PC2
at 10.1.10.100. Both IP addresses translated to the same global IP address but with different source ports.
Step 8
Return to the Telnet session on PC1. Try to establish a Telnet session from the HQ router to the Branch
You should not be successful because the ACL denies connections that are initiated from the Internet.
Return to the Branch router console and verify the ACL hits.
10 deny tcp any gt 1024 any (3 matches)
20 deny udp any gt 1024 any
30 permit ip any any (122 matches)
You should see that the ACL denied three TCP packets coming from the TCP source port greater than 1024
to the Branch router.
Step 10
In this task, you will configure the Branch router with WAN connectivity to the HQ router. This activity
includes removing the NAT configuration from the GigabitEthernet0/1 interface and changing the IP
address on the interface. You will also configure single-area OSPF on the Branch router in order to
exchange routing information with the HQ router. The HQ router has been preconfigured with OSPF.
However, you will have to change the IP addressing on the HQ router as well.
Activity Procedure
Complete the following steps:
Step 1
Step 2
Step 3
Change the IP address on the GigabitEthernet0/1 interface on the HQ router to 192.168.1.2 with network
mask 255.255.255.0. Be careful not to mistype the IP address.
Note Changing the IP address on the HQ router will terminate your Telnet session. If the session freezes,
press Ctrl-Shift-6, followed by X. This action will pause the Telnet session, and you will return to the
Branch router console. At the Branch router prompt, enter Disconnect to disconnect the frozen Telnet
session permanently.
Step 4
On the Branch router, remove the NAT configuration from the GigabitEthernet0/1 interface.
Step 5
Configure the IP address on the Branch router on the GigabitEthernet0/1 interface. Use 192.168.1.1/24 for
the IP address.
Step 6
Configure a loopback interface on the Branch router. Use 10 as the interface ID and 10.100.100.100/32 as
the IP address.
Why is it recommended to configure a loopback interface when enabling an OSPF routing protocol?
Step 7
Create the OSPF routing process on the Branch router. Use 1 as the OSPF process ID.
Step 8
192.168.1.0/24
10.1.1.0/24
10.1.10.0/24
10.1.20.0/24
10.100.100.100/32
Activity Verification
You have completed this task when you attain these results:
The ping should be successful.
Step 2
Verify OSPF neighbors on the Branch router.
Branch# show ip ospf neighbor
Neighbor ID Pri State Dead Time Address Interface
1.1.1.1 1 FULL/DR 00:00:35 192.168.1.2 GigabitEthernet0/1
You should see the HQ router as the OSPF neighbor in FULL state.
Step 3
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
+ - replicated route, % - next hop override
Gateway of last resort is not set
10.0.0.0/8 is variably subnetted, 7 subnets, 2 masks
C 10.1.1.0/24 is directly connected, GigabitEthernet0/0.1
L 10.1.1.1/32 is directly connected, GigabitEthernet0/0.1
C 10.1.10.0/24 is directly connected, GigabitEthernet0/0.10
L 10.1.10.1/32 is directly connected, GigabitEthernet0/0.10
C 10.1.20.0/24 is directly connected, GigabitEthernet0/0.20
L 10.1.20.1/32 is directly connected, GigabitEthernet0/0.20
C 10.100.100.100/32 is directly connected, Loopback10
172.16.0.0/32 is subnetted, 1 subnets
O 172.16.1.100 [110/2] via 192.168.1.2, 00:02:10, GigabitEthernet0/1
192.168.1.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.1.0/24 is directly connected, GigabitEthernet0/1
L 192.168.1.1/32 is directly connected, GigabitEthernet0/1
You should see the 172.16.1.0/24 network as the OSPF route. The network should be accessible over the
GigabitEthernet0/1 interface.
Step 4
Access PC1. Open a command prompt and ping the server at 172.16.1.100.
On PC1, start PuTTY by double-clicking the PuTTY icon on the desktop. Establish a Telnet session to the
HQ router at 192.168.1.2.
HQ#
Step 6
On the HQ router, verify the routing table. Use the previously established Telnet session.
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
+ - replicated route, % - next hop override
Gateway of last resort is not set
10.0.0.0/8 is variably subnetted, 4 subnets, 2 masks
O 10.1.1.0/24 [110/2] via 192.168.1.1, 00:03:33, GigabitEthernet0/1
O 10.1.10.0/24 [110/2] via 192.168.1.1, 00:03:33, GigabitEthernet0/1
O 10.1.20.0/24 [110/2] via 192.168.1.1, 00:03:33, GigabitEthernet0/1
O 10.100.100.100/32
[110/2] via 192.168.1.1, 00:00:00, GigabitEthernet0/1
<output omitted>
You should see LAN networks accessible over the Serial0/0/0 interface, with the Branch router as the
next hop router.
Step 7
In this task, you will enable IPv6 connectivity in the LAN. This activity includes enabling IPv6 on the
Branch router and setting IPv6 addresses on the LAN subinterfaces of the router. On the PCs with
Microsoft Windows 7, IPv6 is enabled by default. Therefore, the PCs will obtain IPv6 addresses
automatically by using stateless autoconfiguration.
Activity Procedure
Step 1
Step 2
Configure subinterfaces on the GigabitEthernet0/0 interface with the following IPv6 addresses:
GigabitEthernet0/0.1 1 2001:db8:0A01:100::1/64
GigabitEthernet0/0.10 10 2001:db8:0A01:A00::1/64
GigabitEthernet0/0.20 20 2001:db8:0A01:1400::1/64
By configuring the IPv6 address on a router interface, the router starts sending router advertisements out of
the interface. This enables PCs that are connected to the interface to automatically configure the IPv6
address on a network adapter and to set a default gateway.
Activity Verification
You have completed this task when you attain these results:
Step 1
Joined group address(es):
FF02::1
FF02::2
FF02::1:FF00:1
FF02::1:FFE5:2700
MTU is 1500 bytes
ICMP error messages limited to one every 100 milliseconds
ICMP redirects are enabled
ICMP unreachables are sent
ND DAD is enabled, number of DAD attempts: 1
ND reachable time is 30000 milliseconds (using 30000)
ND advertised reachable time is 0 (unspecified)
ND advertised retransmit interval is 0 (unspecified)
ND router advertisements are sent every 200 seconds
ND router advertisements live for 1800 seconds
ND advertised default router preference is Medium
Hosts use stateless autoconfig for addresses.
Branch# show ipv6 interface GigabitEthernet0/0.10
GigabitEthernet0/0.10 is up, line protocol is up
IPv6 is enabled, link-local address is FE80::FE99:47FF:FEE5:2700
FF02::1:FF00:1
FF02::1:FFE5:2700
You should see all three subinterfaces that are enabled for IPv6. Each subinterface should have a link-local
IPv6 address and one global IPv6 address.
Note that the link-local IPv6 address is the same on all subinterfaces. Why is the link-local IPv6 address the
same on all subinterfaces?
Step 2
You should see that the PC is configured with one global IPv6 address, one temporary IPv6 address, the
link-local IPv6 address, and the default gateway.
You will see a percentage sign (%), followed by a number, at the end of the link-local IPv6 address and at
the end of the default gateway. The number following the percentage sign identifies an interface on the PC,
and it is not part of the IPv6 address and should be ignored when determining the IPv6 address of the
default gateway.
Which router IPv6 address is configured as the default gateway on the PC?
Step 3
From PC1, ping the default gateway. Use the link-local IPv6 address as the destination IPv6 address.
Reply from fe80::fe99:47ff:fee5:2700: time<1ms
Ping statistics for fe80::fe99:47ff:fee5:2700:
Packets: Sent = 4, Received = 3, Lost = 1 (25% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 3ms, Average = 1ms
The ping should be successful.
Step 4
From PC1, ping the directly connected interface of the Branch router. Use the global IPv6 address as the
destination IPv6 address.
On PC1, verify the neighbor discovery table to see mappings between IPv6 addresses and MAC addresses.
Examine entries for the LAB interface.
Internet Address Physical Address Type
-------------------------------------------- ----------------- -----------
2001:db8:a01:a00::1 fc-99-47-e5-27-00 Stale (Router)
fe80::19eb:7144:6b5d:3377 00-0c-29-a8-a0-5a Stale
fe80::fe99:47ff:fee5:2700 fc-99-47-e5-27-00 Stale (Router)
ff02::2 33-33-00-00-00-02 Permanent
ff02::16 33-33-00-00-00-16 Permanent
ff02::1:2 33-33-00-01-00-02 Permanent
ff02::1:3 33-33-00-01-00-03 Permanent
ff02::1:ff00:1 33-33-ff-00-00-01 Permanent
ff02::1:ff35:33c1 33-33-ff-35-33-c1 Permanent
ff02::1:ff7f:8c5c 33-33-ff-7f-8c-5c Permanent
ff02::1:ffe5:2700 33-33-ff-e5-27-00 Permanent
You should see neighbor discovery entries for link-local and global IPv6 addresses of the Branch router that
you pinged before.
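The entries in this table follow fixed derivation rules, shown here as an added example that is not part of the lab guide: the router's link-local address is built from its MAC address with modified EUI-64, every unicast address has a solicited-node multicast group, and every multicast group maps to a 33-33 Ethernet address. The rows are copied from the PC1 table above; the function names are this example's own.

```python
import ipaddress


def parse_mac(mac):
    """Accept fc-99-47-e5-27-00, fc:99:47:e5:27:00 or Cisco fc99.47e5.2700."""
    digits = mac.replace("-", "").replace(":", "").replace(".", "")
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return bytes.fromhex(digits)


def eui64_link_local(mac):
    """Link-local address built from a MAC with modified EUI-64."""
    b = bytearray(parse_mac(mac))
    b[0] ^= 0x02                                   # flip the universal/local bit
    iid = bytes(b[:3]) + b"\xff\xfe" + bytes(b[3:])  # insert FFFE in the middle
    return ipaddress.IPv6Address(b"\xfe\x80" + bytes(6) + iid)


def solicited_node(addr):
    """ff02::1:ffXX:XXXX, where XX:XXXX is the low 24 bits of the address."""
    low24 = ipaddress.IPv6Address(addr).packed[-3:]
    prefix = ipaddress.IPv6Address("ff02::1:ff00:0").packed[:13]
    return ipaddress.IPv6Address(prefix + low24)


def multicast_mac(group):
    """Ethernet address of an IPv6 multicast group: 33-33 plus its low 32 bits."""
    g = ipaddress.IPv6Address(group)
    if not g.is_multicast:
        raise ValueError(f"{group} is not a multicast address")
    return "33-33-" + "-".join(f"{x:02x}" for x in g.packed[-4:])


def audit(rows):
    """Classify each (ip, mac) row of a neighbor table."""
    result = {}
    for ip, mac in rows:
        addr = ipaddress.IPv6Address(ip)
        if addr.is_multicast:
            ok = multicast_mac(ip) == mac.lower()
            result[ip] = "multicast-ok" if ok else "multicast-mismatch"
        elif addr.is_link_local:
            derived = eui64_link_local(mac) == addr
            result[ip] = "eui64" if derived else "other-iid"
        else:
            result[ip] = "global"
    return result


# Rows copied from the PC1 neighbor table shown above.
PC1_TABLE = [
    ("2001:db8:a01:a00::1", "fc-99-47-e5-27-00"),
    ("fe80::19eb:7144:6b5d:3377", "00-0c-29-a8-a0-5a"),
    ("fe80::fe99:47ff:fee5:2700", "fc-99-47-e5-27-00"),
    ("ff02::2", "33-33-00-00-00-02"),
    ("ff02::16", "33-33-00-00-00-16"),
    ("ff02::1:2", "33-33-00-01-00-02"),
    ("ff02::1:3", "33-33-00-01-00-03"),
    ("ff02::1:ff00:1", "33-33-ff-00-00-01"),
    ("ff02::1:ff35:33c1", "33-33-ff-35-33-c1"),
    ("ff02::1:ff7f:8c5c", "33-33-ff-7f-8c-5c"),
    ("ff02::1:ffe5:2700", "33-33-ff-e5-27-00"),
]

if __name__ == "__main__":
    for ip, verdict in audit(PC1_TABLE).items():
        print(f"{ip:28} {verdict}")
    print("router solicited-node group:",
          solicited_node("fe80::fe99:47ff:fee5:2700"))
```

The second row is classified `other-iid`: that host's link-local address is not derived from its MAC address, so an EUI-64 check applies to the router entries only.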
Step 6
C:\Windows\system32> ipconfig
Windows IP Configuration
Ethernet adapter LAB:
10.1.20.1
You should see that the PC is configured with one global IPv6 address, one temporary IPv6 address, the
link-local IPv6 address and the default gateway.
You will see a percent sign (%), followed by a number, at the end of the link-local IPv6 address and at the
end of the default gateway. The number following the percent sign identifies an interface on the PC, and it
is not part of the IPv6 address and should be ignored when determining the IPv6 address of the default
gateway.
Which router IPv6 address is configured as the default gateway on the PC?
Step 7
From PC2, ping the default gateway. Use the link-local IPv6 address as the destination IPv6 address.
Reply from fe80::fe99:47ff:fee5:2700: time<1ms
Ping statistics for fe80::fe99:47ff:fee5:2700:
Packets: Sent = 4, Received = 3, Lost = 1 (25% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 4ms, Average = 1ms
The ping should be successful.
Step 8
From PC2, ping the directly connected interface of the Branch router. Use the global IPv6 address as the
destination IPv6 address.
On PC2, verify the neighbor discovery table to see mappings between IPv6 addresses and MAC addresses.
Examine entries for the LAB interface.
Internet Address Physical Address Type
-------------------------------------------- ----------------- -----------
2001:db8:a01:1400::1 fc-99-47-e5-27-00 Stale (Router)
fe80::15e4:2bea:367f:8c5c 00-0c-29-3b-70-9d Stale
fe80::fe99:47ff:fee5:2700 fc-99-47-e5-27-00 Stale (Router)
ff02::2 33-33-00-00-00-02 Permanent
ff02::16 33-33-00-00-00-16 Permanent
ff02::1:2 33-33-00-01-00-02 Permanent
ff02::1:3 33-33-00-01-00-03 Permanent
ff02::1:ff53:e7a0 33-33-ff-53-e7-a0 Permanent
ff02::1:ff5d:3377 33-33-ff-5d-33-77 Permanent
ff02::1:ff7f:8c5c 33-33-ff-7f-8c-5c Permanent
ff02::1:ffe5:2700 33-33-ff-e5-27-00 Permanent
ff02::1:fffd:b766 33-33-ff-fd-b7-66 Permanent
You should see neighbor discovery entries for the link-local and global IPv6 addresses of the Branch router
that you pinged before.
Step 10
You should see two entries for each PC. One entry is for the link-local IPv6 address, and the other is for the
global IPv6 address.
Activity Procedure
Complete the following steps:
Step 1
Step 2
From the Branch router, use Telnet to connect to the HQ router at 192.168.1.2 using IPv4.
Step 3
Remove the existing IPv6 address from the GigabitEthernet0/1 interface on the HQ router. Set the IPv6
address on the interface to 2001:db8:c0a8:100::2/64. Include the interface into the OSPFv3 routing protocol
with Process ID 1 and Area 0. Exit the Telnet session.
Step 4
On the Branch router, configure the GigabitEthernet0/1 interface with 2001:db8:c0a8:100::1/64 IPv6
address.
Step 5
From the Branch router, ping the HQ router at 2001:db8:c0a8:100::2 to verify IPv6 connectivity between
the routers.
Step 6
From the Branch router, use Telnet to connect to the HQ router at 2001:db8:c0a8:100::2.
interface Loopback0
ip address 172.16.1.100 255.255.255.0
ipv6 address 2001:DB8:AC10:100::64/64
ipv6 ospf network point-to-point
ipv6 ospf 1 area 0
!
<output omitted>
!
interface GigabitEthernet0/1
description Link to Branch
ip address 192.168.1.2 255.255.255.0
duplex auto
speed auto
ipv6 address 2001:DB8:C0A8:100::2/64
ipv6 ospf 1 area 0
!
<output omitted>
!
ipv6 router ospf 1
router-id 0.0.0.1
You should see that the OSPFv3 process is configured and that Loopback0 and GigabitEthernet0/1 are
enabled for OSPFv3.
Step 8
Step 9
Create an OSPFv3 process on the Branch router. Use 1 as the Process ID.
Step 10
GigabitEthernet0/0.20
Branch(config)# interface GigabitEthernet0/1
Branch(config-if)# ipv6 ospf 1 area 0
Branch(config-if)#
Branch(config)# interface GigabitEthernet0/0.1
Branch(config-subif)# ipv6 ospf 1 area 0
Branch(config-if)#
Branch(config-subif)# interface GigabitEthernet0/0.10
Branch(config-subif)# ipv6 ospf 1 area 0
Branch(config-if)#
Branch(config-subif)# interface GigabitEthernet0/0.20
Branch(config-subif)# ipv6 ospf 1 area 0
You should see that OSPFv3 adjacency went up immediately after you enabled OSPFv3 on the
GigabitEthernet0/1 interface:
Activity Verification
You have completed this task when you attain these results:
Step 1
Maximum wait time between two consecutive SPFs 10000 msecs
Minimum LSA interval 5 secs
Minimum LSA arrival 1000 msecs
LSA group pacing timer 240 secs
Interface flood pacing timer 33 msecs
Retransmission pacing timer 66 msecs
Number of external LSA 0. Checksum Sum 0x000000
Number of areas in this router is 1. 1 normal 0 stub 0 nssa
Graceful restart helper support enabled
Reference bandwidth unit is 100 mbps
Area BACKBONE(0)
Number of interfaces in this area is 4
SPF algorithm executed 3 times
Number of LSA 9. Checksum Sum 0x0523AD
Number of DCbitless LSA 0
Number of indication LSA 0
Number of DoNotAge LSA 0
Flood list length 0
You should see that OSPFv3 is enabled for four interfaces in Area 0.
Step 3
ND - ND Default, NDp - ND Prefix, DCE - Destination, NDr - Redirect
O - OSPF Intra, OI - OSPF Inter, OE1 - OSPF ext 1, OE2 - OSPF ext 2
ON1 - OSPF NSSA ext 1, ON2 - OSPF NSSA ext 2
C 2001:DB8:A01:100::/64 [0/0]
via GigabitEthernet0/0.1, directly connected
L 2001:DB8:A01:100::1/128 [0/0]
via GigabitEthernet0/0.1, receive
C 2001:DB8:A01:A00::/64 [0/0]
via GigabitEthernet0/0.10, directly connected
L 2001:DB8:A01:A00::1/128 [0/0]
via GigabitEthernet0/0.10, receive
C 2001:DB8:A01:1400::/64 [0/0]
via GigabitEthernet0/0.20, directly connected
L 2001:DB8:A01:1400::1/128 [0/0]
via GigabitEthernet0/0.20, receive
O 2001:DB8:AC10:100::/64 [110/2]
via FE80::FE99:47FF:FEDE:B4B9, GigabitEthernet0/1
C 2001:DB8:C0A8:100::/64 [0/0]
via GigabitEthernet0/1, directly connected
L 2001:DB8:C0A8:100::1/128 [0/0]
You should see the 2001:DB8:AC10:100::/64 network that is learned through OSPF and with the HQ router
as the next hop. This is the network where the server is located.
Step 4
Access PC1 and open a command prompt. Ping the server at 2001:db8:ac10:100::64.
On PC1, start PuTTY by double-clicking the PuTTY icon on the desktop. Establish a Telnet session to the
server at 2001:DB8:AC10:100::64.
HQ#
Note Recall that the server is simulated as the loopback interface on the HQ router.
Step 6
ND - ND Default, NDp - ND Prefix, DCE - Destination, NDr - Redirect
O - OSPF Intra, OI - OSPF Inter, OE1 - OSPF ext 1, OE2 - OSPF ext 2
ON1 - OSPF NSSA ext 1, ON2 - OSPF NSSA ext 2
O 2001:DB8:A01:100::/64 [110/2]
via FE80::6E20:56FF:FE17:B149, GigabitEthernet0/1
O 2001:DB8:A01:A00::/64 [110/2]
via FE80::6E20:56FF:FE17:B149, GigabitEthernet0/1
O 2001:DB8:A01:1400::/64 [110/2]
via FE80::6E20:56FF:FE17:B149, GigabitEthernet0/1
<output omitted>
You should see all three LANs that are learned through OSPFv3 with the Branch router as the next hop
router.
Lab Answer Keys
Lab 1-1: Performing Switch Startup and Initial
Configuration
Task 1: Perform a Reload and Verify that the Switch Is
Unconfigured
Step 2
Since the erase startup-config command is a privileged-level command, entering it in user EXEC mode
will have no effect on the system. You were informed that the command is invalid.
Switch>erase startup-config
^
% Invalid input detected at '^' marker.
Step 3
When you have a right arrow (>) symbol after the device hostname, you are in user EXEC mode. When you
issued the enable command, you moved into privileged EXEC mode, which is indicated by the pound sign
(#) after the hostname. Enter privileged EXEC mode by typing enable in user EXEC mode.
Switch>enable
Switch#
Step 4
When you enter the erase startup-config command within privileged EXEC mode, it is accepted and you
are prompted to press Enter to confirm this action.
SwitchX#delete vlan.dat
Delete filename [vlan.dat]?
Delete flash:/vlan.dat? [confirm]
Switch#erase startup-config
Erasing the nvram filesystem will remove all configuration files! Continue? [confirm]
[OK]
Erase of nvram: complete
When you enter the reload command within privileged EXEC mode, you are asked to confirm the reload.
Press Enter at that point.
Switch#reload
Proceed with reload? [confirm]
*Mar 1 00:16:18.229: %SYS-5-RELOAD: Reload requested by console. Reload Reason:
Reload command.
Boot Sector Filesystem (bs) installed, fsid: 2
Base ethernet MAC Address: 00:1e:14:7c:bd:00
Xmodem file system is available.
The password-recovery mechanism is enabled.
Initializing Flash...
flashfs[0]: 549 files, 19 directories
flashfs[0]: 0 orphaned files, 0 orphaned directories
flashfs[0]: Total bytes: 32514048
flashfs[0]: Bytes used: 14942208
flashfs[0]: Bytes available: 17571840
flashfs[0]: flashfs fsck took 11 seconds.
...done Initializing Flash.
done.
Loading "flash:/c2960-lanbasek9-mz.150-1.SE3/c2960-lanbasek9-mz.150-1.SE3.bin"...
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
< output omitted >
64K bytes of flash-simulated non-volatile configuration memory.
Base ethernet MAC Address : 00:1E:14:7C:BD:00
Motherboard assembly number : 73-10390-04
Version ID : V03
CLEI Code Number : COM3L00BRB
Hardware Board Revision Number : 0x01
Switch Ports Model SW Version SW Image
------ ----- ----- ---------- ----------
* 1 26 WS-C2960-24TT-L 15.0(1)SE3 C2960-LANBASEK9-M
Press RETURN to get started!
Step 5
Your results should resemble the output displayed here. You should have answered No to the question
(Would you like to enter the initial configuration dialog?).
--- System Configuration Dialog ---
Would you like to enter the initial configuration dialog? [yes/no]: no
Switch>
If you skipped the initial configuration dialog, there is no startup configuration present. Alternatively, you
can verify that there is no configuration present by entering privileged EXEC mode and issuing the show
startup-config command.
Switch>enable
Switch#show startup-config
startup-config is not present
Step 6
You can issue the show version command from either user or privileged EXEC mode. In the output here,
you see that the switch is a WS-C2960-24TT-L type, the software version is 15.0(1)SE3, and there is 65536
KB (or 64 MB) of RAM.
Note that your device may have different properties.
Switch#show version
Cisco IOS Software, C2960 Software (C2960-LANBASEK9-M), Version 15.0(1)SE3, RELEASE
SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2012 by Cisco Systems, Inc.
Compiled Wed 30-May-12 14:26 by prod_rel_team
ROM: Bootstrap program is C2960 boot loader
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.
A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
If you require further assistance please contact us by sending email to
export@cisco.com.
cisco WS-C2960-24TT-L (PowerPC405) processor (revision D0) with 65536K bytes of
memory.
< output omitted >
The show flash: command output here shows that the switch has 32514048 bytes (32 MB) of flash memory
and that 17569280 bytes of that memory is free (16.8 MB).
Note that your device may have different properties.
Step 1
Enter privileged EXEC mode and then global configuration mode. Issue the hostname command, as shown
in the following output. Notice the change in the hostname of the device in the last line of the output.
Switch#enable
Switch#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)#hostname SW1
SW1(config)#
Step 2
SW1(config)#
Then enter interface configuration mode for VLAN 1 and assign it the proper IP address and network mask.
SW1(config)#interface vlan 1
Step 5
On PC1, click the Start button, enter cmd, and click Enter. When you are presented with a command
prompt window, enter ping, followed by the IP address of the VLAN 1 interface on the switch. This Layer
3 test should succeed.
Task 3: Explore Context-Sensitive Help
Step 1
After you enter privileged EXEC mode and enter ?, you are presented with a list of available commands.
Each command is listed with a description.
SW1>enable
SW1#?
Exec commands:
access-enable Create a temporary Access-List entry
access-profile Apply user-profile to interface
access-template Create a temporary Access-List entry
archive manage archive files
re :
beep Blocks Extensible Exchange Protocol commands
or te
lea
< output omitted >
where List active connections
write Write running configuration to memory, network, or terminal
t f ica
Step 2
First, make sure that you are in privileged EXEC mode. Enter clock, followed by ?. Complete the
configuration as displayed here.
SW1#clock ?
set Set the time and date
SW1#clock set ?
hh:mm:ss Current Time
SW1#clock set 12:57:22 ?
<1-31> Day of the month
MONTH Month of the year
SW1#clock set 12:57:22 17 ?
% Unrecognized command
Lan_Switch_1#clock set 12:57:22 17 August ?
<1993-2035> Year
SW1#clock set 12:57:22 17 August 2012 ?
<cr>
SW1#clock set 12:57:22 17 August 2012
Step 3
When you are familiar only with how a command begins, you can get help by using the ? command. It will
list all commands that begin with the sequence of letters that you entered.
boot show boot attributes
buffers Buffer pool statistics
cable-diagnostics Show Cable Diagnostics Results
call-home Show command for call home
capability Capability Information
cca CCA information
cdp CDP information
cisp Shows CISP information
class-map Show CPL Class Map
clock Display the system clock
cluster Cluster information
cns CNS agents
configuration Contents of Non-Volatile memory
controllers Interface controller status
crypto Encryption module
SW1#show clock?
clock
SW1#show clock
13:01:24.145 UTC Fri Aug 17 2012
You can enter the show terminal command and then investigate the output to determine the current history
size. Alternatively, you can use the pipe (|) along with the include command and the keyword history size
to print out just the line with the information.
Step 2
SW1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
SW1(config)#line console 0
Change the history size to 100.
Issue the exit command twice to get back to privileged EXEC mode.
SW1(config-line)#exit
SW1(config)#exit
Verify that the history size is changed.
SW1#show terminal | i history size
History is enabled, history size is 100.
Step 3
You must be in global configuration mode before issuing the no ip domain lookup command.
SW1>enable
SW1#configure terminal
SW1(config)#no ip domain-lookup
Step 4
Issue the exec-timeout 60 command to set the console timeout expiration timer to one hour.
SW1(config-line)#exec-timeout 60
Verify that idle exec timeout is set to one hour. Use the verification command directly from console
configuration mode.
SW1(config-line)#exit
Step 5
Make sure that you are in global configuration mode and then enter line console 0 configuration mode. Last,
enable synchronous logging as shown in the output here.
SW1(config)#line console 0
SW1(config-line)#logging synchronous
SW1(config-line)#exit
SW1(config)#exit
This command copies the running configuration to the startup configuration. If you do not save the
configuration, you will lose it the next time the switch is restarted.
If you press Enter when asked for the destination filename, the running configuration is stored as the
startup configuration.
Destination filename [startup-config]?
Building configuration...
[OK]
Lab 1-2: Troubleshooting Switch Media Issues
Task 2: Troubleshoot Connectivity Between Computer PC1
and Switch SW1
Step 1
When you issue a ping from SW1 to PC1, your success rate is 0 percent, so there is no Layer 3 connectivity
SW1>ping 10.1.1.100
Type escape sequence to abort.
Step 2
The output of the show interfaces FastEthernet0/1 command tells you that the interface toward PC1 is
administratively down, which means that the interface was disabled by the administrator.
SW1>enable
SW1#show interfaces FastEthernet0/1
FastEthernet0/1 is administratively down, line protocol is down (disabled)
Hardware is Fast Ethernet, address is 001e.147c.bd01 (bia 001e.147c.bd01)
MTU 1500 bytes, BW 10000 Kbit/sec, DLY 1000 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation ARPA, loopback not set
Keepalive set (10 sec)
Auto-duplex, Auto-speed, media type is 10/100BaseTX
Step 3
SW1#configure terminal
Enter configuration commands, one per line. End with CTRL-Z.
Enter interface configuration mode for FastEthernet 0/1 and enable the interface with the no shutdown
command.
SW1(config)#interface FastEthernet 0/1
SW1(config-if)#no shutdown
Finally, verify Layer 3 connectivity between PC1 and SW1 by issuing a ping command. It should be
successful.
SW1#ping 10.1.1.100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.100, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/5/9 ms
Step 4
It is important to save the configuration of SW1 because the no shutdown command would disappear if the
switch is restarted. John would again be cut off from the network.
Because you have console logging enabled (which you can verify with the show logging command), the
switch is reporting. This message tells you that the interfaces of SW1 and Branch have different duplex
settings. It looks like the Branch router FastEthernet0/0 interface is configured for full duplex, while
interface FastEthernet0/13 on the switch is not configured for full duplex.
Use the show interfaces FastEthernet0/13 command to identify the duplex setting on the interface.
You can also use the show ip interface brief command to verify the status of all interfaces. It shows that
interface FastEthernet 0/13 is in an up/up state. This status means that even though the duplex settings are
mismatched on the link, it is still functional. The drawback is that the connection is not efficient. With
half-duplex operation, data cannot be sent and received at the same time.
SW1#show ip interface brief
Interface IP-Address OK? Method Status Protocol
< output omitted >
FastEthernet0/13 unassigned YES unset up up
<output omitted>
Step 2
Enter global configuration mode.
SW1#configure terminal
Enter configuration commands, one per line. End with CTRL-Z.
SW1(config-if)#duplex full
Save your changes by copying the running configuration to the startup configuration.
Lab 2-1: Performing Initial Router Setup and
Configuration
Task 1: Inspect the Router Hardware and Software
Step 1
Router>enable
Router#
Task 2: Create the Initial Router Configuration
Step 1
Answer No to the initial configuration dialog question and use the enable command to enter privileged
EXEC mode.
Would you like to enter the initial configuration dialog? [yes/no]: no
Would you like to terminate autoinstall? [yes]:
<output omitted>
Router>
Router>enable
Router#
Step 2
Router(config)#
Router(config)#hostname Branch
Branch(config)#
Step 3
Enter these commands on the Branch router to enter interface configuration mode, enable the interface, and
provide a description:
Step 6
Use this command on the Branch router:
Branch#copy running-config startup-config
Destination filename [startup-config]?
Building configuration...
[OK]
Branch#
Task 3: Improve the Usability of the CLI
Step 1
Branch#configure terminal
Branch(config)#line console 0
Branch(config-line)#exec-timeout 60 0
Step 3
Branch(config-line)#logging synchronous
Step 4
On the Branch router, use the command no ip domain lookup in global configuration mode to disable the
resolution of symbolic names.
Step 5
On the Branch router, use the command write memory to copy the configuration into NVRAM.
Branch#write memory
Lab 2-2: Connecting to the Internet
Task 1: Configure a Manual IP Address and Static Default
Route
Step 3
Enter the following commands on the Branch router:
Branch(config)#interface GigabitEthernet0/1
Branch(config-if)#no shutdown
Branch(config-if)#ip address 209.165.201.1 255.255.255.224
Step 6
The Branch router does not have a route to reach networks that are not directly connected.
Step 7
No, there is no route present for the IP address of the server.
Step 8
Branch#configure terminal
Step 9
Branch(config)#exit
Branch#copy running-config startup-config
Step 12
Branch(config-if)#interface GigabitEthernet0/1
Branch(config-if)#ip address dhcp
Step 3
Enter the following commands on the Branch router:
Branch(config-if)#exit
Branch(config)#exit
Branch#copy running-config startup-config
Step 5
The default route was set by the Branch router automatically. The Branch router received knowledge of the
default gateway from the DHCP server and it set the static route next-hop IP address to the IP address of the
default gateway.
Step 12
The solution that could be implemented on the Branch router to provide connectivity between PC1 and the
server is NAT. With NAT, the source IP address in a packet would be translated into the outside IP address
of the Branch router. The HQ router would then know how to send a returning packet back to the Branch
router, because the routers are directly connected. The destination IP address in the packet would then be
translated back to the IP address of PC1 and sent to PC1.
Step 2
Step 3
You can accommodate up to six hosts at the same time using the configured NAT pool.
Step 4
Branch(config)#interface GigabitEthernet0/0
Branch(config-if)#ip nat inside
Step 5
Branch(config)#interface GigabitEthernet0/1
Branch(config-if)#ip nat outside
Step 6
Step 7
Branch(config)#exit
Branch#copy running-config startup-config
Step 2
Step 3
Enter the following command on the Branch router (and then answer with yes):
Step 4
Branch(config)#exit
Branch#copy running-config startup-config
Lab 3-1: Enhancing the Security of the Initial
Configuration
Task 1: Add Password Protection
Step 2
Branch(config-line)# login
Step 5
Step 8
Step 10
Step 11
Step 14
Enter this sequence of commands on SW1:
SW1(config)# enable secret cisco
SW1(config)# username ccna secret cisco
SW1(config)# line console 0
SW1(config-line)# login local
SW1(config-line)# line vty 0 15
SW1(config-line)# login local
Step 15
Enter this command on the SW1 switch:
Step 2
How many bits in the modulus [512]: 1024
% Generating 1024 bit RSA keys, keys will be non-exportable...[OK]
SW1(config)# line vty 0 15
SW1(config-line)# transport input ssh
SW1(config-line)# ip ssh version 2
Step 4
Enter this command on the SW1 switch:
Step 1
Step 3
Step 2
Step 3
Enter the following command on the SW1 switch:
SW1(config)# banner login #********** Warning *************
Enter TEXT message. End with the character '#'.
Access to this device is restricted to authorized persons only!
Unauthorized access is prohibited. Violators will be prosecuted.
***********************************************#
Step 4
Enter this command on the SW1 switch:
Step 2
SW1(config-if-range)# shutdown
Step 4
Step 5
Enter this sequence of commands into the SW1 switch:
SW1(config-if)# switchport port-security mac-address f866.f231.7251
SW1(config-if)# switchport port-security
Step 8
Step 9
SW1(config-if)# shutdown
SW1(config-if)# no shutdown
Step 14
Step 15
Step 3
Step 6
Enter this sequence of commands into the switch.
SW1(config)# interface FastEthernet 0/13
SW1(config-if)# cdp enable
Step 7
Step 1
Step 3
Step 5
Step 6
Enter the following commands on the SW1 switch and Branch router:
Lab 3-3: Filtering Traffic with ACLs
Task 1: Configure an ACL
Step 2
Step 4
Step 6
Step 7
Step 9
Step 10
Enter the following command on the Branch router:
Branch# copy running-config startup-config
Lab 4-1: Configuring Expanded Switched
Networks
Task 1: Configure a VLAN
Step 1
Step 4
SW2(config)# interface FastEthernet0/1
SW2(config-if)# switchport access vlan 20
Step 6
Enter the following command on the SW1 switch.
Step 2
SW2# copy running-config startup-config
SW1(config)# interface FastEthernet 0/13
SW1(config-if)# switchport mode trunk
Step 2
Enter the following command on the SW1 switch.
SW1# copy running-config startup-config
Step 3
Enter the following commands on the Branch router.
Step 4
Step 5
Enter global configuration mode and enter this sequence of commands on the Branch router:
Branch(config)# ip dhcp pool VLAN10
Branch(dhcp-config)# network 10.1.10.0 /24
Step 2
Define the default gateway and DNS server for the configured DHCP pool, as indicated in the output.
Branch(config)# ip dhcp pool VLAN10
Branch(dhcp-config)# default-router 10.1.10.1
Branch(dhcp-config)# dns-server 10.1.10.1
Step 3
Branch(dhcp-config)# lease 0 2
Step 4
Step 7
Step 10
Use the show ip dhcp binding command to verify that PC2 has obtained an IP address dynamically.
Branch# show ip dhcp binding
Bindings from all pools not associated with VRF:
IP address Client-ID/ Lease expiration Type
Hardware address/
User name
10.1.10.2 0100.0c29.4532.be Oct 19 2012 03:39 PM Automatic
10.1.20.2 0100.0c29.8807.34 Oct 20 2012 01:24 AM Automatic
Step 1
To exclude specific IP addresses, use the ip dhcp excluded-address command, as indicated in the output.
Branch(config)# ip dhcp excluded-address 10.1.10.1 10.1.10.99
Branch(config)# ip dhcp excluded-address 10.1.10.150 10.1.10.254
Branch(config)# ip dhcp excluded-address 10.1.20.1 10.1.20.99
Branch(config)# ip dhcp excluded-address 10.1.20.150 10.1.20.254
Step 2
Enter the following command on the Branch router.
Step 3
Configure the DHCP relay agent using the ip helper-address command on both subinterfaces, as indicated
in the output:
Step 5
Release the current DHCP lease using the ipconfig /release command.
Lab 4-3: Implementing OSPF
Task 1: Connect the Router to the WAN
Step 2
Enter this sequence of commands on the Branch router:
Step 3
Step 1
Lab 5-1: Configure and Verify Basic IPv6
Task 1: Enable IPv6 on the Router
Step 1
Branch(config)# ipv6 unicast-routing
Step 2
Enter these commands on the Branch router:
Branch(config)# interface GigabitEthernet 0/1
Branch(config-if)# ipv6 address 2001:db8:D1A5:C900::1/64
Step 3
Enter the following command on the Branch router:
Step 2
Step 3
Step 3
Branch(config)# ipv6 route ::/0 Gi0/1 2001:DB8:D1A5:C900::2
Task 2: Enable OSPFv3
Step 1
Enter this command on the Branch router:
Step 3
Step 2
SW1# erase startup-config
SW1# delete vlan.dat
SW1# reload
Step 3
Enter the following commands on the SW1 switch:
Switch# configure terminal
Switch(config)# hostname SW1
Switch# configure terminal
Switch(config)# hostname SW2
Step 4
Step 5
Enter the following commands on the SW2 switch:
SW2(config-line)# password cisco
SW2(config-line)# login
SW2(config-line)# logging synchronous
Step 7
Step 8
Step 9
SW1(config)# vlan 10
SW1(config-vlan)# exit
SW1(config)# vlan 20
Enter the following commands on the SW2 switch:
SW2(config)# vlan 10
SW2(config-vlan)# exit
SW2(config)# vlan 20
Step 10
Step 11
Step 12
Step 19
SW1# configure terminal
SW1(config)# interface FastEthernet0/1
SW1(config-if)# switchport port-security violation protect
SW1(config-if)# switchport port-security maximum 1
SW1(config-if)# switchport port-security mac-address 000c.293b.709d
SW1(config-if)# switchport port-security
Enter the following commands on the SW2 switch:
SW2# configure terminal
SW2(config)# interface FastEthernet0/1
SW2(config-if)# switchport port-security violation protect
SW2(config-if)# switchport port-security maximum 1
SW2(config-if)# switchport port-security mac-address 000c.29a8.a05a
SW2(config-if)# switchport port-security
Step 2
Branch# reload
Step 3
Step 4
Step 5
Step 6
Enter the following commands on the Branch router:
Branch(config)# line vty 0 4
Branch(config-line)# password cisco
Branch(config-line)# login
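An added example, not part of the lab guide: a small Python audit of console and vty line settings that contrasts the shared-password login entered in this step with the per-user, SSH-only setup from Lab 3-1. The sample configurations are constructed from commands in this guide, and the function names are hypothetical.

```python
# Constructed sample configs, modelled on commands that appear in this guide.
HARDENED = """\
enable secret cisco
username ccna secret cisco
ip ssh version 2
line con 0
 login local
line vty 0 15
 login local
 transport input ssh
"""

WEAK = """\
line vty 0 4
 password cisco
 login
"""


def parse_config(config):
    """Split a config into global commands and per-line sections."""
    global_cmds, sections, current = [], {}, None
    for raw in config.splitlines():
        if not raw.strip() or raw.strip() == "!":
            continue
        if raw.startswith("line "):
            current = raw.strip()
            sections[current] = []
        elif raw[0].isspace() and current is not None:
            sections[current].append(raw.strip())
        else:
            current = None
            global_cmds.append(raw.strip())
    return global_cmds, sections


def audit(config):
    """Return sorted findings about console and vty access settings."""
    global_cmds, sections = parse_config(config)
    findings = []
    if not any(cmd.startswith("enable secret") for cmd in global_cmds):
        findings.append("global: no 'enable secret' set")
    has_vty = any(header.startswith("line vty") for header in sections)
    if has_vty and "ip ssh version 2" not in global_cmds:
        findings.append("global: 'ip ssh version 2' not configured")
    for header, cmds in sections.items():
        if "login local" not in cmds:
            shared = "login" in cmds and any(c.startswith("password ") for c in cmds)
            reason = "shared line password, no per-user login" if shared else "no 'login local'"
            findings.append(f"{header}: {reason}")
        if header.startswith("line vty"):
            transport = [c for c in cmds if c.startswith("transport input")]
            if transport != ["transport input ssh"]:
                findings.append(f"{header}: transport not restricted to SSH")
    return sorted(findings)


if __name__ == "__main__":
    for name, cfg in (("HARDENED", HARDENED), ("WEAK", WEAK)):
        print(name, audit(cfg) or "no findings")
```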
Step 7
Enter the following commands on the Branch router:
Branch(config)#
Branch(config-if)# interface GigabitEthernet0/0.1
Branch(config-subif)# encapsulation dot1Q 1 native
Branch(config-subif)# ip address 10.1.1.1 255.255.255.0
Branch(config)#
Branch(config)#
Branch(config-subif)# interface GigabitEthernet0/0.20
Branch(config-subif)# encapsulation dot1Q 20
Branch(config-subif)# ip address 10.1.20.1 255.255.255.0
Step 9
Step 3
Enter the following command on the Branch router:
Branch(config)# ip route 0.0.0.0 0.0.0.0 209.165.201.2
Step 4
Step 5
Step 6
Task 4: Configure WAN Connectivity and a Dynamic Routing
Protocol
Step 2
Trying 209.165.201.2 ... Open
HQ#
Step 3
Enter the following commands on the HQ router:
HQ# configure terminal
HQ(config)# interface GigabitEthernet0/1
HQ(config-if)# ip address 192.168.1.2 255.255.255.0
Step 4
Step 5
Step 6
Each router running OSPF requires a router ID. The router ID will be the highest IP address of the router on
a loopback interface, if configured, or the highest IP address on an interface, if a loopback interface is not
configured. Because loopback is a stable interface and cannot go down, it is recommended to configure the
loopback interface for the OSPF router ID.
Step 8
Enter the following commands on the Branch router:
Branch(config-router)# network 192.168.1.0 0.0.0.255 area 0
Branch(config-router)# network 10.1.1.0 0.0.0.255 area 0
Branch(config-router)# network 10.1.10.0 0.0.0.255 area 0
Branch(config-router)# network 10.1.20.0 0.0.0.255 area 0
Branch(config-router)# network 10.100.100.100 0.0.0.0 area 0
Task 5: Configure IPv6 Connectivity in the LAN
Step 2
Step 3
Step 1
The link-local IPv6 address is the same on all subinterfaces because the link-local IPv6 address is derived
from the MAC address, which is the same on all subinterfaces. All subinterfaces use the MAC address of
the physical interface.
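An added example, not part of the lab guide, showing why the subinterfaces end up with one link-local address. It assumes the address is formed with the modified EUI-64 method from the interface MAC; the MAC address and function names are constructed for illustration.

```python
import ipaddress


def mac_bytes(mac):
    """Parse a MAC in Cisco (0000.5e00.5301), colon or dash notation."""
    digits = "".join(ch for ch in mac if ch not in ".:-")
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return bytes.fromhex(digits)  # raises ValueError on non-hex input


def eui64_interface_id(mac):
    """Modified EUI-64: flip the universal/local bit and insert ff:fe."""
    b = mac_bytes(mac)
    return bytes([b[0] ^ 0x02]) + b[1:3] + b"\xff\xfe" + b[3:]


def link_local(mac):
    """Combine the fe80::/64 prefix with the EUI-64 interface identifier."""
    iid = int.from_bytes(eui64_interface_id(mac), "big")
    return ipaddress.IPv6Address((0xFE80 << 112) | iid)


def link_locals(interfaces):
    """Map each link-local address to the interfaces that share it."""
    shared = {}
    for name, mac in interfaces.items():
        shared.setdefault(str(link_local(mac)), []).append(name)
    return shared


# Constructed sample: every subinterface uses the physical interface's MAC.
PARENT_MAC = "0000.5e00.5301"
SUBINTERFACES = {
    "GigabitEthernet0/0.1": PARENT_MAC,
    "GigabitEthernet0/0.10": PARENT_MAC,
    "GigabitEthernet0/0.20": PARENT_MAC,
}

if __name__ == "__main__":
    for addr, names in link_locals(SUBINTERFACES).items():
        print(addr, "->", ", ".join(names))
```

Because the address is identical on every subinterface, a link-local next hop only identifies the router together with the interface or VLAN it was learned on.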
Step 2
The default gateway on the PC is the link-local IPv6 address of the router of the directly connected interface
(GigabitEthernet0/0.10).
Step 6
The default gateway on the PC is the link-local IPv6 address of the router of the directly connected interface
(GigabitEthernet0/0.20).
Step 2
Enter the following commands on the Branch router:
Step 4
Branch#configure terminal
Branch(config)#interface GigabitEthernet0/1
Branch(config-if)#ipv6 address 2001:db8:c0a8:100::1/64
Step 1
The HQ router ID is 0.0.0.1. OSPFv3 uses an IPv4 address-like format of the router ID.
The Branch router ID is 10.100.100.100, which is the IPv4 address on the Loopback0 interface. OSPFv3
uses the same mechanisms as OSPF to determine the router ID.