ICND120LG

ICND1
Interconnecting Cisco Networking Devices, Part 1

Version 2.0
Lab Guide
Part Number: 97-3244-01
Americas Headquarters Cisco Systems, Inc. San Jose, CA
Asia Pacific Headquarters Cisco Systems (USA) Pte. Ltd. Singapore
Europe Headquarters Cisco Systems International BV Amsterdam, The Netherlands
Cisco has more than 200 offices worldwide. Addresses, phone numbers, and fax numbers are listed on the Cisco Website at www.cisco.com/go/offices. Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: www.cisco.com/go/trademarks. Third party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1110R) DISCLAIMER WARRANTY: THIS CONTENT IS BEING PROVIDED AS IS. CISCO MAKES AND YOU RECEIVE NO WARRANTIES IN CONNECTION WITH THE CONTENT PROVIDED HEREUNDER, EXPRESS, IMPLIED, STATUTORY OR IN ANY OTHER PROVISION OF THIS CONTENT OR COMMUNICATION BETWEEN CISCO AND YOU. CISCO SPECIFICALLY DISCLAIMS ALL IMPLIED WARRANTIES, INCLUDING WARRANTIES OF MERCHANTABILITY, NON-INFRINGEMENT AND FITNESS FOR A PARTICULAR PURPOSE, OR ARISING FROM A COURSE OF DEALING, USAGE OR TRADE PRACTICE. This learning product may contain early release content, and while Cisco believes it to be accurate, it falls subject to the disclaimer above.
2013 Cisco Systems, Inc.
Table of Contents
Lab 1-1: Performing Switch Startup and Initial Configuration
Visual Objective Required Resources Command List Job Aids Task 1: Perform a Reload and Verify that the Switch Is Unconfigured Task 2: Configure the Switch with a Hostname and an IP Address Task 3: Explore Context-Sensitive Help Task 4: Improve the Usability of the CLI
L-1
L-2 L-3 L-3 L-4 L-6 L-8 L-10 L-11
Lab 1-2: Troubleshooting Switch Media Issues

Visual Objective Required Resources Command List Job Aids Task 1: Lab Setup Task 2: Troubleshoot Connectivity Between Computer PC1 and Switch SW1 Task 3: Troubleshoot Connectivity Between Switch SW1 and the Branch Router
L-13
L-14 L-14 L-15 L-15 L-16 L-17 L-18
Lab 2-1: Performing Initial Router Setup and Configuration

Visual Objective Required Resources Command List Job Aids Task 1: Inspect the Router Hardware and Software Task 2: Create the Initial Router Configuration Task 3: Improve the Usability of the CLI Task 4: Discover Connected Neighbors with Cisco Discovery Protocol
L-19
L-20 L-20 L-21 L-21 L-23 L-24 L-26 L-28
Lab 2-2: Connecting to the Internet

Visual Objective Required Resources Command List Job Aids Task 1: Configure a Manual IP Address and Static Default Route Task 2: Configure a DHCP-Obtained IP Address Task 3: Configure NAT Task 4: Configure NAT with PAT
L-31
L-32 L-32 L-33 L-33 L-35 L-39 L-42 L-47
Lab 3-1: Enhancing the Security of the Initial Configuration

Visual Objective Required Resources Command List Job Aids
L-53
L-54 L-54 L-55 L-56
Task 1: Add Password Protection Task 2: Enable SSH Remote Access Task 3: Limit Remote Access to Selected Network Addresses Task 4: Configure a Login Banner
L-57 L-64 L-69 L-71
Lab 3-2: Device Hardening

Visual Objective Required Resources Command List Job Aids Task 1: Disable Unused Ports Task 2: Configure Port Security on a Switch Task 3: Disable Unused Services Task 4: Configure NTP
L-73
L-74 L-74 L-75 L-75 L-77 L-78 L-81 L-83
Lab 3-3: Filtering Traffic with ACLs

Visual Objective Required Resources Command List Job Aids Task 1: Configure an ACL Task 2: Lab Setup Task 3: Troubleshoot an ACL
L-85
L-86 L-86 L-87 L-87 L-88 L-95 L-96
Lab 4-1: Configuring Expanded Switched Networks

Visual Objective Required Resources Command List Job Aids Task 1: Configure a VLAN Task 2: Configure the Link Between Switches as a Trunk Task 3: Configure a Trunk Link on the Router
L-111
L-112 L-112 L-113 L-113 L-115 L-120 L-121
Lab 4-2: Configuring DHCP Server

Visual Objective Required Resources Command List Job Aids Task 1: Configure DHCP Pools Task 2: Exclude Specific IP Addresses from DHCP Pools Task 3: Configure DHCP Relay Agent Task 4: Manually Assign IP Addresses
L-125
L-126 L-126 L-126 L-127 L-129 L-133 L-134 L-135
Lab 4-3: Implementing OSPF

Visual Objective Required Resources Command List
L-139
L-140 L-140 L-141
ii
Job Aids Task 1: Connect the Router to the WAN Task 2: Configure OSPF
L-141 L-143 L-144
Lab 5-1: Configure and Verify Basic IPv6

Visual Objective Required Resources Command List Job Aids Task 1: Enable IPv6 on the Router
L-147
L-148 L-148 L-149 L-149 L-150
Lab 5-2: Configure and Verify Stateless Autoconfiguration

Visual Objective Required Resources Command List Job Aids Task 1: Enable Stateless Autoconfiguration on the Router
L-153
L-154 L-154 L-155 L-155 L-156
Lab 5-3: Configure and Verify IPv6 Routing

Visual Objective Required Resources Command List Job Aids Task 1: Enable IPv6 Static Routing Task 2: Enable OSPFv3
L-161
L-162 L-162 L-163 L-163 L-164 L-166
Lab S-1: ICND1 Superlab

Visual Objective Required Resources Command List Job Aids Task 1: Configure Basic Settings, VLANs, Trunks, and Port Security on Switches Task 2: Configure Inter-VLAN Routing Task 3: Configure Internet Connectivity Task 4: Configure WAN Connectivity and a Dynamic Routing Protocol Task 5: Configure IPv6 Connectivity in the LAN Task 6: Configure the OSPFv3 Routing Protocol
L-169
L-170 L-170 L-170 L-172 L-175 L-180 L-190 L-196 L-201 L-208
Lab Answer Keys

Lab 1-1: Performing Switch Startup and Initial Configuration Lab 1-2: Troubleshooting Switch Media Issues Lab 2-1: Performing Initial Router Setup and Configuration Lab 2-2: Connecting to the Internet Lab 3-1: Enhancing the Security of the Initial Configuration Lab 3-2: Device Hardening Lab 3-3: Filtering Traffic with ACLs Lab 4-1: Configuring Expanded Switched Networks
L-217
L-217 L-224 L-227 L-229 L-232 L-235 L-238 L-239
Lab Guide
iii
Lab 4-2: Configuring DHCP Server Lab 4-3: Implementing OSPF Lab 5-1: Configure and Verify Basic IPv6 Lab 5-2: Configure and Verify Stateless Autoconfiguration Lab 5-3: Configure and Verify IPv6 Routing Lab S-1: ICND1 Superlab
L-242 L-244 L-245 L-245 L-246 L-246
iv

Activity Overview
Objectives
In this activity, you will observe the switch boot procedure and perform basic switch configuration. After you have completed this activity, you will be able to meet these objectives: Restart the switch and verify the initial configuration messages Complete the initial configuration of the Cisco Catalyst switch Explore context-sensitive help Improve the usability of the CLI
Visual Objective
The figure illustrates what you will accomplish in this activity.
Visual Objective for Lab 1-1: Performing Switch Startup and Initial Configuration
Branch HQ Server
PC1
SW1
PC2
SW2
Detailed Visual Objective

Perform switch startup and initial configuration.
PC1
SW1
L-2
Required Resources
No additional resources are required for this lab.
Command List
The table describes the commands that are used in this activity. The commands are listed in alphabetical order so that you can easily locate the information that you need. Refer to this list if you need configuration command assistance during the lab activity.
Cisco IOS Switch Commands

Command ? or help clock set configure terminal copy running-config destination delete name do command Description In user EXEC mode, lists the subset of commands that are available at that level Manages the system clock Activates the configuration mode from the terminal Copies the switch running configuration file to another destination. A typical destination is the startup configuration. Deletes a file from flash memory Executes user EXEC or privileged EXEC commands from global configuration mode or other configuration modes or submodes, in any configuration mode Activates privileged EXEC mode. In privileged EXEC mode, more commands are available. This command requires you to enter the enable password if an enable password is configured. Terminates configuration mode Erases the startup configuration that is stored in nonvolatile memory Exits the current configuration mode Sets the number of lines that are held in the history buffer for recall. Two separate buffers are used: one for EXEC mode commands and the other for configuration mode commands Sets the system name, which forms part of the prompt Enters interface configuration mode for VLAN 1 to set the switch management IP address Sets the IP address and mask of the interface Enters line console configuration mode Synchronizes unsolicited messages and debugs privileged EXEC command output with solicited device output and prompts for a specific console port line or vty line Restarts the switch and reloads the Cisco IOS operating system and configuration Displays the system clock
enable
end erase startup-config exit history size number
hostname hostname interface vlan 1 ip address ip-address subnet-mask line console 0 logging synchronous
reload show clock
Lab Guide
L-3
Command show flash: show startup-config show terminal show version
Description Displays the layout and contents of a flash memory file system Displays the startup configuration settings that are saved in NVRAM Displays the current settings for the terminal Displays the configuration of the switch hardware and the various software versions
Job Aids
These job aids are available to help you complete the lab activity. The table shows the hardware that is used in the lab and the operating system that is running on the devices.
Device SW1 PC1 Hardware Catalyst 2960 Series Switch Any PC Operating System c2960-lanbasek9-mz.150-1.SE3 Microsoft Windows 7
There are no console or enable passwords set for the router and switch in the initial lab setup. The table shows the username and password that are used to access PC1.
Device PC1 Username Administrator Password admin
L-4
Topology and IP Addressing Devices are connected by Ethernet connections. The figure illustrates the interface identification and IP addresses that are used in this lab setup.
Topology and IP Addressing

PC1 Fa0/1 SW1
10.1.1.100
10.1.1.11
The table shows the interface identification and IP addresses that are used in this lab setup.
Device SW1 PC1 Interface VLAN1 Ethernet adapter local area connection IP Address 10.1.1.11 10.1.1.100 Subnet Mask 255.255.255.0 255.255.255.0
Lab Guide
L-5
Setting the IP Address on a PC On a PC, click Start and choose Control Panel. Click Change Adapter Settings and then right-click Local Area Network. Choose Properties. When you are presented with the Local Area Connection Properties dialog, click Internet Protocol version 4 (TCP/IPv4) and then click Properties. In the Internet Protocol Version 4 (TCP/IPv4) Properties window, click the Use the Following IP Address radio button and enter the appropriate IP address, subnet mask, and default gateway.
Task 1: Perform a Reload and Verify that the Switch Is Unconfigured

In this task, you will use the erase startup-config command to ensure that the switch has no prior configuration in the startup-config file. You will then reload the switch software and observe the output that is generated during the reload. Finally, you will investigate the properties of the switch. Activity Procedure Complete the following steps: Step 1 Access the CLI of switch SW1 and enter user EXEC mode. You will be provided with information about how to access the lab equipment.
L-6
Step 2 To see the effect of entering a privileged-level command in user EXEC mode, enter the command erase startup-config. What was the result of issuing the command in an incorrect EXEC mode?
Step 3 Enter privileged EXEC mode. How do you know if you are in privileged EXEC mode and not user EXEC mode?
Step 4 Erase the startup configuration. Because the switch also stores a small part of the configuration in the file, vlan.dat, stored in flash memory, delete it before performing a reload. Observe the output during the reload. Step 5 Press Enter when the switch boots and skip the initial configuration dialog. You will know when the switch has finished booting when you see "Press RETURN to get started!" in the console output. How do you know that the startup configuration has been erased?
Step 6 Using the appropriate show command, investigate the switch model number, software version, and amount of RAM and flash memory. Activity Verification You have completed this task when you attain these results: You performed a switch reload. You verified that the switch is unconfigured.
Lab Guide
L-7
Task 2: Configure the Switch with a Hostname and an IP Address

In this task, you will configure the switch with a hostname and an IP address. Activity Procedure Complete the following steps: Step 1 Change the hostname of the switch to SW1. Step 2 Assign an IP address to the VLAN 1 interface on switch SW1. Be sure that you assign the correct IP address, as described in the Job Aids section in the beginning of the lab document. Step 3 Access the PC1. Use the username and password that is described in the Job Aids section in order to log in.
L-8
Step 4 Assign the IP address of PC1, as listed in the Job Aids section. Leave the default gateway empty.
Step 5 From PC1, ping the VLAN 1 IP address of SW1 to confirm Layer 3 connectivity. Activity Verification You have completed this task when you attain these results: You configured the switch with a hostname and a VLAN 1 IP address. You configured PC1 with the correct IP address. Your ping from PC1 to the VLAN 1 IP address of SW1 was successful.
Lab Guide
L-9
Note
Configuring the IP address on the switch is not mandatory to start the switch running, but it is necessary for remote management access to the switch.
Task 3: Explore Context-Sensitive Help

In this task, you will use context-sensitive help to locate commands and complete command syntax. Activity Procedure Complete the following steps: Step 1 On switch SW1, enter privileged EXEC mode and enter ? (or help) to list the available commands. Step 2 Using the ? command, set the clock on the switch to the current time and date.
Note Pressing the Tab key automatically completes the command if the characters that you have entered are not ambiguous.
Step 3 Verify the current date and time using the appropriate show command. Step 4 Type the following comment line at the prompt and then press Enter: !ths command changuw the clck sped for the swch
Note An exclamation point (!) at the beginning of the line indicates that you are entering a comment. The comment will not be part of the switch configuration. Comments are a great help when you are working on a configuration in a text editor and plan to upload it to a device.
Step 5 Press Ctrl-P or press the Up Arrow key to see the previous line. Use the editor commands Ctrl-A, Ctrl-F, Ctrl-E, and Ctrl-B to move along the line, and use the Backspace key to delete unwanted characters. Using the editing commands, correct the comment line to read: !This command changes the clock speed for the switch. Activity Verification You have completed this task when you attain these results: You used the system help and command-completion functions.
L-10 Interconnecting Cisco Networking Devices, Part 1
You used the built-in editor and the keystrokes for cursor navigation.
Task 4: Improve the Usability of the CLI

In this task, you will enter commands to improve the usability of the CLI. You will increase the number of lines in the history buffer, increase the inactivity timer on the console port, and stop the attempted name resolution of mistyped commands. Activity Procedure Complete the following steps: Step 1 Using the show terminal command, verify that history is enabled, and determine the current history size for the console line. Step 2 Change the history size to 100 for the console line and verify that the change has taken place.
Note Alternatively, you could use the begin keyword. You will see the output beginning from the first match.
Step 3 The no ip domain lookup command disables the resolution of symbolic names. If you mistype a command, the system will not try to translate it into an IP address (it will take about 5 seconds to time out). Disable IP domain lookup. Step 4 The default console access EXEC timeout is set to 10 minutes. After 10 minutes of inactivity, the user is disconnected from console access and is required to reconnect. Change this timer to 60 minutes.
Note Make sure that you are in console line configuration mode. To execute user EXEC or privileged EXEC commands from global configuration mode or other configuration modes or submodes, use the do command in any configuration mode.
Step 5 The logging synchronous command synchronizes unsolicited messages and debugs privileged EXEC command output with the input from the CLI. If you are in the middle of typing a command, status messages will appear where you are typing. Enable synchronous logging on line console 0. Step 6 Save your running configuration to the startup configuration.
Lab Guide
L-11
Activity Verification You have completed this task when you attain these results: You changed the history buffer size. You disabled resolution of symbolic names. You set the inactivity timeout on the console line to 60 minutes. You enabled synchronous logging on the console line. You saved the running configuration to the startup configuration file.

Activity Overview
Objectives
In this activity, you will use troubleshooting guidelines to isolate and correct switch media issues. After completing this activity, you will be able to meet these objectives: Follow troubleshooting guidelines to determine the source of connectivity problems between a computer and a switch, and fix them Follow troubleshooting guidelines to determine the source of connectivity problems between a router and a switch, and fix them
Visual Objective
Visual Objective for Lab 1-2: Troubleshooting Switch Media Issues

Branch HQ Server
PC1
SW1
PC2
SW2

Branch
Troubleshooting Task 2 Troubleshooting Task 1
PC1
SW1
Required Resources
These are the resources and equipment that are required to complete this activity: Successful completion of Lab 1-1: Performing Switch Startup and Initial Configuration
Command List
Commands
Command configure terminal copy running-config startup-config duplex full enable interface FastEthernet 0/13 shutdown/no shutdown ping ip-address show interfaces FastEthernet 0/13 show ip interface brief Description Enters global configuration mode Saves the running configuration into NVRAM as the startup configuration Enables full duplex on an interface Enters the privileged EXEC mode command interpreter Specifies interface FastEthernet 0/13 and enters interface configuration mode Disables or enables an interface Uses ICMP echo requests and ICMP echo replies to determine whether a remote host is reachable Displays information about interface FastEthernet 0/13 Displays a brief summary of the interfaces on a device, which is useful for quickly checking the status of the device
Job Aids
Device Branch SW1 PC1 Hardware Cisco 2901 Integrated Services Router Catalyst 2960 Series Switch Any PC Operating System c2900-universalk9-mz.SPA.152-4.M1 c2960-lanbasek9-mz.150-1.SE3 Microsoft Windows 7
Topology and IP Addressing Devices are connected with Ethernet connections. The figure illustrates the interface identification and IP addresses that are used in this lab setup.
Lab Guide
L-15

Gi0/0 10.1.1.1
Fa0/13
PC1
Fa0/1 10.1.1.100 10.1.1.11
SW1
Device Branch SW1 PC1 Interface Gi0/0 VLAN1 Ethernet adapter local area connection IP Address/Subnet Mask 10.1.1.1/24 10.1.1.11/24 10.1.1.100/24
Task 1: Lab Setup

In this setup task, you will load the configuration from the switch flash drive. Activity Procedure Complete these steps: Step 1 Access the CLI of switch SW1. You will be provided with information about accessing the lab equipment.
Step 2 Load the configuration file tshoot_media_issues_start.cfg from the flash drive of the switch.
SW1#copy flash:tshoot_sw_media.cfg run
At this point, you have loaded a configuration file that includes your trouble tickets, presented in Tasks 2 and 3. Activity Verification You have completed this task when you attain this result: You loaded a configuration file from the switch flash drive.
Task 2: Troubleshoot Connectivity Between Computer PC1 and Switch SW1

In this task, you will troubleshoot connectivity problems between switch SW1 and computer PC1. Activity Procedure Complete the following steps: Step 1 John calls you about an issue that he is experiencing while using PC1. He says that PC1 has no network connectivity, and he insists that somebody unplugged his computer from the switch. The senior engineers are out. You are the only one who can solve this problem right now. You have access only to switch SW1. Determine whether or not you can ping PC1 from switch SW1. The IP address of PC1 is listed in the Job Aids section of this document. Is there Layer 3 connectivity between the computer and the switch?
Step 2 What is the status of interface FastEthernet0/1 on switch SW1, which connects to the PC1? What does this status mean?
Note
Use the ? command and the Tab key to help you with the command syntax.
Lab Guide
L-17
Step 3 Correct the issue so that John can continue his work. Do not forget to verify Layer 3 connectivity between PC1 and SW1. Step 4 Save the configuration of switch SW1. Why is it important at this stage to save the configuration?
Activity Verification You have completed this task when you attain this result: You identified and corrected the problem that was reported by the user on PC1.
Task 3: Troubleshoot Connectivity Between Switch SW1 and the Branch Router
In this task, you will troubleshoot connectivity problems between the Branch router and switch SW1. You will correct the existing problem. Activity Procedure Complete the following steps: Step 1 Your colleague informs you that switch SW1 is showing messages about duplex mismatch and they are unable to prevent the messages. The senior engineers went out for lunch and left you alone to resolve this issue. How do you solve the problem indicated by this message? Using the appropriate show commands from the Command List section, identify the status of interface FastEthernet0/13, which connects to the Branch router. Step 2 Correct the issue that you identified. Do not forget to save the changes that you made. Activity Verification You have completed this task when you attain this result: You identified and corrected the connectivity problem.

Activity Overview
Objectives
In this activity, you will observe the router boot procedure and perform basic router configuration. After completing this activity, you will be able to meet these objectives: Inspect router hardware and software Perform initial router configuration Improve the usability of the CLI Use Cisco Discovery Protocol to discover how devices are interconnected
Visual Objective
Visual Objective for Lab 2-1: Performing Initial Router Setup and Configuration
Branch HQ Server
PC1
SW1
PC2
SW2

Verify the router and its settings. Branch Perform router initial configuration.
Use Cisco Discovery Protocol to discover how devices are interconnected. PC1 SW1
Required Resources
Command List
Cisco IOS Router Commands

Command configure terminal copy running-config destination description enable erase startup-config exec-timeout hostname hostname interface type module/slot/port ip address ip-address subnet-mask [no] ip domain lookup line console 0 logging synchronous ping ip_address reload show cdp show cdp neighbors [detail] Description Activates the configuration mode from the terminal Copies the running configuration file to another destination. A typical destination is the startup configuration. Adds a descriptive comment to the configuration of an interface Activates privileged EXEC mode. In privileged EXEC mode, more commands are available. Erases the startup configuration that is stored in nonvolatile memory Sets the interval before the user session is disconnected when idle Sets the system name, which forms part of the prompt Specifies an interface and enters interface configuration mode Sets the IP address and mask of the interface Enables or disables DNS resolution of symbolic names Enters line console configuration mode Synchronizes the display of router output messages with the command-line prompt Uses ICMP echo requests and ICMP echo replies to determine whether a remote host is reachable Restarts the router and reloads the Cisco IOS operating system Displays global Cisco Discovery Protocol information Displays brief information about discovered neighboring Cisco devices. If the keyword detail is used, detailed information about discovered devices is displayed. Displays information about all of the device interfaces Displays the startup configuration settings that are saved in nonvolatile memory Displays the configuration of the router hardware and the various software versions Disables or enables an interface
show interfaces show startup-config show version [no] shutdown
Job Aids
These job aids are available to help you complete the lab activity.
Lab Guide
L-21
The table shows the hardware that is used in the lab and the operating system that is running on the devices.
Device Branch SW1 PC1 Hardware Cisco 2901 Integrated Services Router Catalyst 2960 Series Switch Any PC Operating System c2900-universalk9-mz.SPA.152-4.M1 c2960-lanbasek9-mz.150-1.SE3 Microsoft Windows 7
Topology and IP Addressing Devices are connected with Ethernet connections. The figure illustrates the interface identification and IP addresses that are used in this lab setup.

Gi0/0 10.1.1.1
Fa0/13
PC1
Fa0/1 10.1.1.100 10.1.1.11
SW1
Device Branch SW1 PC1 Interface Gi0/0 VLAN1 Ethernet adapter local area connection IP Address/Subnet Mask 10.1.1.1/24 10.1.1.11/24 10.1.1.100/24
Task 1: Inspect the Router Hardware and Software

In this task, you will first inspect the router hardware and software properties. You will verify that a startup configuration exists and delete it. You will then reload the router and observe the output that is generated during the reload. Activity Procedure Complete the following steps: Step 1 Access the CLI of router Branch and enter privileged EXEC mode. Step 2 Use the correct verification command to display hardware and software properties. Find and write down the following information:
Router model Serial number RAM Flash Software version
Use command show version in privileged EXEC mode on the Branch router to display information about the currently loaded software, along with hardware and device information.
Router#show version Cisco IOS Software, C2900 Software (C2900-UNIVERSALK9-M), Version 15.2(4)M1, RELEASE SOFTWARE (fc1) Technical Support: http://www.cisco.com/techsupport Copyright (c) 1986-2012 by Cisco Systems, Inc. Compiled Thu 26-Jul-12 20:54 by prod_rel_team ROM: System Bootstrap, Version 15.0(1r)M15, RELEASE SOFTWARE (fc1) Router uptime is 15 minutes System returned to ROM by reload at 17:06:50 UTC Thu Nov 22 2012 System restarted at 17:09:24 UTC Thu Nov 22 2012 System image file is "flash0:c2900-universalk9-mz.SPA.152-4.M1.bin" Last reload type: Normal Reload Last reload reason: Reload Command <output omitted> Cisco CISCO2901/K9 (revision 1.0) with 483328K/40960K bytes of memory. Processor board ID FCZ1642C5XJ 2 Gigabit Ethernet interfaces 1 Serial(sync/async) interface 1 terminal line DRAM configuration is 64 bits wide with parity enabled. 255K bytes of non-volatile configuration memory. 250880K bytes of ATA System CompactFlash 0 (Read/Write) <output omitted>
Lab Guide
L-23
Step 3 Use the correct show command to verify that the router has a startup configuration. If it has, erase the startup configuration by issuing the erase startup-config command.
Router#erase startup-config Erasing the nvram filesystem will remove all configuration files! Continue? [confirm] [OK] Erase of nvram: complete Router#
After you have erased the startup configuration, verify that it no longer exists.
Router#show startup-config startup-config is not present
Step 4 Reload the router and observe the console output during startup.
Router#reload Proceed with reload? [confirm] Sep 11 11:31:16.663: %SYS-5-RELOAD: Reload requested by console. Reload Reason: Reload Command. System Bootstrap, Version 15.0(1r)M1, RELEASE SOFTWARE (fc1) Technical Support: http://www.cisco.com/techsupport Copyright (c) 2009 by cisco Systems, Inc. Total memory size = 512 MB - On-board = 512 MB, DIMM0 = 0 MB CISCO2901/K9 platform with 524288 Kbytes of main memory Main memory is configured to 72/-1(On-board/DIMM0) bit mode with ECC enabled Readonly ROMMON initialized program load complete, entry point: 0x80803000, size: 0x1b340 program load complete, entry point: 0x80803000, size: 0x1b340 IOS Image Load Test <output omitted>
Activity Verification You have completed this task when you attain these results: You collected hardware and software device information. You erased the startup configuration. You reloaded the router and observed the startup output.
Task 2: Create the Initial Router Configuration

In this task, you will skip the initial configuration dialog and proceed with manual configuration. You will configure system parameters and router interfaces. You will then verify connectivity.
Activity Procedure Complete the following steps: Step 1 Skip the initial configuration dialog, terminate the autoinstall, and enter privileged EXEC mode. Step 2 Set the router host name to Branch. The prompt will reflect the new hostname. Step 3 Enable interface GigabitEthernet0/0 and set its description to Link to LAN Switch. Step 4 Configure the IP address 10.1.1.1 on the interface. Use subnet mask of 255.255.255.0. Step 5 Return to the privileged EXEC command and verify GigabitEthernet0/0 interface status, interface description, and correct IP address assignment by using a suitable verification command.
Branch#show interfaces GigabitEthernet 0/0 GigabitEthernet0/0 is up, line protocol is up Hardware is CN Gigabit Ethernet, address is 5475.d08e.9ad8 (bia 5475.d08e.9ad8) Description: Link to LAN Switch Internet address is 10.1.1.1/24 MTU 1500 bytes, BW 100000 Kbit/sec, DLY 100 usec, reliability 255/255, txload 1/255, rxload 1/255 Encapsulation ARPA, loopback not set Keepalive set (10 sec) Full Duplex, 100Mbps, media type is RJ45 <output omitted>
Step 6 Save the current configuration on the Branch router. Activity Verification You have completed this task when you attain these results: Step 1 The console prompt shows the configured hostname:
Branch#
Lab Guide
L-25
Step 2 You verified IP connectivity between router Branch and PC1 by using ICMP ping:
Branch#ping 10.1.1.100 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 10.1.1.100, timeout is 2 seconds: .!!!! Success rate is 80 percent (4/5), round-trip min/avg/max = 1/1/4 ms
The ping should be successful.

Note The ping might fail due to slow STP convergence on the SW1 switch. If the ping fails, try to issue another ping after a few seconds. The first ICMP packet could time out because ARP needs to obtain Layer 2 addressing before the packet can be sent out of the interface.
Note

In this task, you will improve the CLI experience by increasing the inactivity timer on the console line and by disabling the resolution of symbolic names. Activity Procedure Complete the following steps: Step 1 Change the EXEC timeout on the console line, which is set to 10 minutes by default, to a value of 60 minutes.
Step 2 Verify the EXEC timeout value on the Branch router:

Branch#show line console 0 Tty Line Typ Tx/Rx A Modem Roty AccO AccI Uses Noise Overruns Int * 0 0 CTY 0 0 0/0 Line 0, Location: "", Type: "" Length: 24 lines, Width: 80 columns Status: PSI Enabled, Ready, Active, Automore On Capabilities: none Modem state: Ready RJ45 Console is in use USB Console baud rate = 9600 Modem hardware state: CTS* noDSR DTR RTS Special Chars: Escape Hold Stop Start Disconnect Activation ^^x none none Timeouts: Idle EXEC Idle Session Modem Answer Session Dispatch 01:00:00 never none not set Idle Session Disconnect Warning never Login-sequence User Response 00:00:30 Autoselect Initial Wait not set <output omitted>
Step 3 Improve the readability of the console access by synchronizing unsolicited messages and debug outputs with the input from the CLI. Step 4 Disable the resolution of symbolic names to prevent the system from attempting to translate a mistyped command into an IP address. Step 5 Save the configured changes to the startup configuration. Activity Verification You have completed this task when you attain these results: You have set the inactivity timeout on the console line to 60 minutes. You have enabled synchronous logging on the console line. You have disabled resolution of symbolic names.
Lab Guide
L-27
Task 4: Discover Connected Neighbors with Cisco Discovery Protocol

In this task, you will use Cisco Discovery Protocol to obtain information about directly connected Cisco devices. You will gather information about neighbor capabilities and IP addresses and discover how devices are interconnected. Activity Procedure Complete the following steps: Step 1 On the Branch router, issue the show cdp command to verify that Cisco Discovery Protocol is enabled and to display its global information.
Branch#show cdp Global CDP information: Sending CDP packets every 60 seconds Sending a holdtime value of 180 seconds Sending CDPv2 advertisements is enabled
Step 2 Enter the Cisco Discovery Protocol verification command to display all known neighboring Cisco devices. Write down the information about the discovered neighbors in the table:
Device ID # # Platform Local Interface Remote Interface (Port ID)
The information that you gather about the local and remote interfaces that are used reveals how neighboring devices are physically interconnected. On the Branch router, use the show cdp neighbors command to display all neighboring Cisco devices:
Branch#show cdp neighbors Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge S - Switch, H - Host, I - IGMP, r - Repeater, P - Phone, D - Remote, C - CVTA, M - Two-port Mac Relay Device ID Local Intrfce Holdtme Capability Platform Port ID SW1 Gig 0/0 158 S I WS-C2960- Fas 0/13
Use the Cisco Discovery Protocol verification command with the keyword detail to display additional information about other Cisco devices. Write down the IP address of a neighboring switch, with exact information about its platform and software version.
Branch#show cdp neighbors detail ------------------------Device ID: SW1 Entry address(es): IP address: 10.1.1.11 Platform: cisco WS-C2960-24TT-L, Capabilities: Switch IGMP Interface: GigabitEthernet0/0, Port ID (outgoing port): FastEthernet0/13 Holdtime : 146 sec Version : Cisco IOS Software, C2960 Software (C2960-LANBASEK9-M), Version 15.0(1)SE3, RELEASE SOFTWARE (fc1) Technical Support: http://www.cisco.com/techsupport Copyright (c) 1986-2012 by Cisco Systems, Inc. Compiled Wed 30-May-12 14:26 by prod_rel_team advertisement version: 2 Protocol Hello: OUI=0x00000C, Protocol ID=0x0112; payload len=27, value=00000000FFFFFFFF010221FF000000000000001E147CBD00FF0000 VTP Management Domain: 'rlab' Native VLAN: 1 Duplex: full Branch#
Lab Guide
L-29
Activity Verification You have completed this task when you attain these results: You observed Cisco Discovery Protocol output for directly attached Cisco neighbors. You gathered detailed information about a neighbor switch.

Activity Overview
Objectives
In this activity, you will establish Internet connectivity by enabling static routing, DHCP, and NAT. After completing this activity, you will be able to meet these objectives: Configure a static default route Enable DHCP on a public interface Configure NAT using a pool Configure NAT with PAT
Visual Objective
Visual Objective for Lab 2-2: Connecting to the Internet

Branch HQ Server
PC1
SW1
PC2
SW2

Configure NAT with PAT. Branch
Outside Inside
HQ Internet Server
Configure static and DHCPobtained IP addresses. SW1
PC1
PC2
Required Resources
Command List
Command access-list acl_id permit network wildcard_mask configure terminal debug ip icmp interface interface ip address dhcp ip address ip_address network_mask ip nat inside ip nat inside source list acl_id pool pool_name ip nat inside source list acl_id interface interface_name overload ip nat outside ip nat pool pool_name start_IP end_IP netmask mask ip route network network_mask next_hop_address ping ip_address show ip interface brief show ip nat translations show ip route show users shutdown telnet ip_address terminal monitor undebug all Description Configures a standard ACL that permits a network Enters global configuration mode Enables debugging of ICMP packets Enters interface configuration mode Configures an interface to obtain an IP address using DHCP Configures an IP address manually on an interface Configures an interface as NAT inside interface Configures a dynamic source NAT rule that translates addresses into IP addresses defined in the pool Configures a dynamic source NAT or PAT rule that translates addresses into the IP address of an interface Configures an interface as a NAT outside interface Configures a NAT pool Configures a static route Pings an IP address Displays the status and IP addresses of interfaces Displays active NAT translations Displays the routing table Displays information about the active lines on a router Disables an interface Establishes a Telnet session to an IP address Redirects debugging output to a Telnet session Disables all debugging
Job Aids
Lab Guide
L-33
Device Branch HQ SW1 PC1 PC2
Hardware Cisco 2901 Integrated Services Router Cisco 2901 Integrated Services Router Catalyst 2960 Series Switch Any PC Any PC
Operating System c2900-universalk9-mz.SPA.152-4.M1 c2900-universalk9-mz.SPA.152-4.M1 c2960-lanbasek9-mz.150-1.SE3 Microsoft Windows 7 Microsoft Windows 7
There are no console or enable passwords set for the routers and switches in the initial lab setup. The table shows the username and password that are used to access PC1 and PC2.
Device PC1 PC2 Username Administrator Administrator Password admin admin
Topology and IP Addressing Devices are connected with Ethernet links. The figure illustrates the interface identification and IP addresses that are used in this lab setup.

Gi0/1 209.165.201.1 Gi0/1 209.165.201.2
Branch Internet
VLAN 1: 10.1.1.1 Gi0/0 Fa0/13
Server
172.16.1.100
HQ
PC1
10.1.1.100
Fa0/1 0/3 Fa0/3
SW1
10.1.1.11
PC2
10.1.1.101
Device Branch Branch HQ Interface Gi0/1 Gi0/0 Gi0/1 IP Address/Subnet Mask 209.165.201.1/27 10.1.1.1/24 209.165.201.2/27
Device HQ SW1 PC1 PC2
Interface Loopback0 VLAN1 Ethernet adapter local area connection Ethernet adapter local area connection
IP Address/Subnet Mask 172.16.1.100/24 10.1.1.11/24 10.1.1.100/24 10.1.1.101/24
Task 1: Configure a Manual IP Address and Static Default Route

In this task, you will configure an IP address on the Internet-facing interface of the Branch router. You will also configure a static default route on the Branch router to reach Internet networks. Then you will verify connectivity between the Branch router, HQ router, and server. Activity Procedure Complete the following steps: Step 1 Access the Branch router. Step 2 Verify interface status and IP address on the Branch router.
Branch#show ip interface brief Interface IP-Address Embedded-Service-Engine0/0 unassigned GigabitEthernet0/0 10.1.1.1 GigabitEthernet0/1 unassigned GigabitEthernet0/2 unassigned
OK? YES YES YES YES
Method NVRAM manual NVRAM NVRAM
Status Protocol administratively down down up up administratively down down administratively down down
You should see that only GigabitEthernet0/0 is up and configured with an IP address. Step 3 Enable the GigabitEthernet0/1 interface. Manually assign the 209.165.201.1 IP address to the interface. Use a mask of 255.255.255.224.
Lab Guide
L-35
Step 4 Verify interface status and IP address on the Branch router again.
Branch#show ip interface brief Interface IP-Address Embedded-Service-Engine0/0 unassigned GigabitEthernet0/0 10.1.1.1 GigabitEthernet0/1 209.165.201.1 GigabitEthernet0/2 unassigned Serial0/0/0 unassigned
OK? YES YES YES YES YES
Method NVRAM manual manual NVRAM manual
Status Protocol administratively down down up up up up administratively down down administratively down down
The GigabitEthernet0/1 interface should be up and it should have an IP address configured. Step 5 From the Branch router, ping the HQ router at 209.165.201.2.
Branch#ping 209.165.201.2 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 209.165.201.2, timeout is 2 seconds: .!!!! Success rate is 80 percent (4/5), round-trip min/avg/max = 1/1/4 m
The ping should be successful, because the destination IP address is in a directly connected network. Step 6 From the Branch router, ping the server at 172.16.1.100, which is behind the HQ router.
Branch#ping 172.16.1.100 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 172.16.1.100, timeout is 2 seconds: ..... Success rate is 0 percent (0/5)
The ping should not be successful. What is the reason for an unsuccessful ping?
Step 7 Verify the routing table on the Branch router.

Branch#show ip route Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2 E1 - OSPF external type 1, E2 - OSPF external type 2 i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2 ia - IS-IS inter area, * - candidate default, U - per-user static route o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP + - replicated route, % - next hop override Gateway of last resort is not set 10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks C 10.1.1.0/24 is directly connected, GigabitEthernet0/0 L 10.1.1.1/32 is directly connected, GigabitEthernet0/0 209.165.201.0/24 is variably subnetted, 2 subnets, 2 masks C 209.165.201.0/27 is directly connected, GigabitEthernet0/1 L 209.165.201.1/32 is directly connected, GigabitEthernet0/1
Is there a route present for the IP address of the server? Step 8 On the Branch router, configure a static default route that points to the next-hop IP address 209.165.201.2. Step 9 Save the running configuration to the startup configuration. Step 10 From the Branch router, ping the server at 172.16.1.100 again.
Branch#ping 172.16.1.100 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 172.16.1.100, timeout is 2 seconds: !!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms
The ping should be successful because you configured a static default route.
Lab Guide
L-37

Branch#show ip route Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2 E1 - OSPF external type 1, E2 - OSPF external type 2 i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2 ia - IS-IS inter area, * - candidate default, U - per-user static route o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP + - replicated route, % - next hop override Gateway of last resort is 209.165.201.2 to network 0.0.0.0 S* 0.0.0.0/0 [1/0] via 209.165.201.2 10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks C 10.1.1.0/24 is directly connected, GigabitEthernet0/0 L 10.1.1.1/32 is directly connected, GigabitEthernet0/0 209.165.201.0/24 is variably subnetted, 2 subnets, 2 masks C 209.165.201.0/27 is directly connected, GigabitEthernet0/1 L 209.165.201.1/32 is directly connected, GigabitEthernet0/1
The default route is designated with S and an asterisk (*). Step 12 Remove the previously configured static default route from the Branch router to prepare the router for the next task. Step 13 Verify the routing table on the Branch router again to make sure that no default route is present on the router.
Branch#show ip route Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2 E1 - OSPF external type 1, E2 - OSPF external type 2 i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2 ia - IS-IS inter area, * - candidate default, U - per-user static route o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP + - replicated route, % - next hop override Gateway of last resort is not set 10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks C 10.1.1.0/24 is directly connected, GigabitEthernet0/0 L 10.1.1.1/32 is directly connected, GigabitEthernet0/0 209.165.201.0/24 is variably subnetted, 2 subnets, 2 masks C 209.165.201.0/27 is directly connected, GigabitEthernet0/1 L 209.165.201.1/32 is directly connected, GigabitEthernet0/1
Activity Verification No additional verification is needed in this task.
Task 2: Configure a DHCP-Obtained IP Address

In this task, you will configure the Branch router to obtain an IP address using DHCP from the HQ router. The HQ router has been preconfigured as a DHCP server. You will also verify connectivity between the Branch router, HQ router, and server. Activity Procedure Complete the following steps: Step 1 Access the Branch router. Step 2 Configure the GigabitEthernet0/1 interface to obtain an IP address using DHCP. Step 3 Save the running configuration to the startup configuration. Step 4 Verify interface status and IP address on the Branch router.
Branch#show ip interface brief Interface IP-Address Embedded-Service-Engine0/0 unassigned GigabitEthernet0/0 10.1.1.1 GigabitEthernet0/1 209.165.201.1
OK? YES YES YES
Method NVRAM manual DHCP
Status Protocol administratively down down up up up up
The GigabitEthernet0/1 interface should be up and it should have an IP address that was configured through DHCP. Write down the IP address in the space that is provided.
Lab Guide
L-39

Branch#show ip route Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2 E1 - OSPF external type 1, E2 - OSPF external type 2 i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2 ia - IS-IS inter area, * - candidate default, U - per-user static route o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP + - replicated route, % - next hop override Gateway of last resort is 209.165.201.2 to network 0.0.0.0 S* 0.0.0.0/0 [254/0] via 209.165.201.2 10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks C 10.1.1.0/24 is directly connected, GigabitEthernet0/0 L 10.1.1.1/32 is directly connected, GigabitEthernet0/0 209.165.201.0/24 is variably subnetted, 2 subnets, 2 masks C 209.165.201.0/27 is directly connected, GigabitEthernet0/1 L 209.165.201.3/32 is directly connected, GigabitEthernet0/1
You should see a default route present in the table. Where did the default route come from? Step 6 From the Branch router, ping the HQ router at 209.165.201.2.
Branch#ping 209.165.201.2 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 209.165.201.2, timeout is 2 seconds: .!!!! Success rate is 80 percent (4/5), round-trip min/avg/max = 1/1/4 m
The ping should be successful. Step 7 From the Branch router, ping the server at 172.16.1.100.
Branch#ping 172.16.1.100 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 172.16.1.100, timeout is 2 seconds: !!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms
The ping should be successful because the Branch router received knowledge of the default gateway from the DHCP server. The Branch router set the default route automatically and it set the route next-hop IP address to the IP address of the default gateway..
Step 8 Access PC1. Step 9 From PC1, ping the Branch router at its public IP address, which was obtained through DHCP.
C:\>ping 209.165.201.1 Pinging 209.165.201.1 with 32 bytes of data: Reply from 209.165.201.1: bytes=32 time=1ms TTL=255 Reply from 209.165.201.1: bytes=32 time<1ms TTL=255 Reply from 209.165.201.1: bytes=32 time<1ms TTL=255 Reply from 209.165.201.1: bytes=32 time<1ms TTL=255 Ping statistics for 209.165.201.1: Packets: Sent = 4, Received = 4, Lost = 0 (0% loss), Approximate round trip times in milli-seconds: Minimum = 0ms, Maximum = 1ms, Average = 0ms
The ping should be successful. Step 10 From PC1, ping the server at 172.16.1.100.
C:\>ping 172.16.1.100 Pinging 172.16.1.100 with 32 bytes of data: Request timed out. Request timed out. Request timed out. Request timed out. Ping statistics for 172.16.1.100: Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
The ping should not be successful. In the next step, you will examine why the ping is not successful. Step 11 Return to the Branch router and establish a remote Telnet session to the HQ router at 209.165.201.2. Enable debugging of ICMP packets using the debug ip icmp command. Direct the output of the debug messages to the Telnet session using the terminal monitor command. Leave the console window open.
Branch#telnet 209.165.201.2 Trying 209.165.201.2 ... Open HQ#debug ip icmp ICMP packet debugging is on HQ#terminal monitor
Lab Guide
L-41
Note
Establishing remote Telnet sessions and redirecting output of the debug messages to a remote session has not been discussed so far. In this task, it is needed only to verify that packets from PC1 actually reach the HQ router.
Step 12 Return to PC1 and ping the server at 172.16.1.100 again. Return to the HQ Telnet session and observe the debugging messages.
HQ# Sep 7 13:18:27.881: ICMP: echo topology BASE, dscp 0 topoid 0 HQ# Sep 7 13:18:32.853: ICMP: echo topology BASE, dscp 0 topoid 0 HQ# Sep 7 13:18:37.857: ICMP: echo topology BASE, dscp 0 topoid 0 HQ# Sep 7 13:18:42.861: ICMP: echo topology BASE, dscp 0 topoid 0
reply sent, src 172.16.1.100, dst 10.1.1.100, reply sent, src 172.16.1.100, dst 10.1.1.100, reply sent, src 172.16.1.100, dst 10.1.1.100, reply sent, src 172.16.1.100, dst 10.1.1.100,
You should see one debugging message for each ping packet coming from PC1. You can see that the pings actually reach the HQ router and replies are sent back to PC1. However, the HQ router is not aware of the network that PC1 is coming from and therefore discards the returning packets. You can verify this conclusion by verifying the routing table on the HQ router. What solution could be implemented on the Branch router to overcome this problem? Step 13 Return to the HQ Telnet session. Disable debugging and exit the Telnet session.
HQ#undebug all All possible debugging has been turned off HQ#exit [Connection to 209.165.201.2 closed by foreign host] Branch#
Task 3: Configure NAT

In this task, you will configure dynamic NAT on the Branch router to translate the IP addresses of inside hosts to public IP addresses. Then, you will verify the NAT configuration and connectivity from PC1 and PC2 to the server.
Activity Procedure Complete the following steps: Step 1 Access the Branch router. Step 2 Configure a standard ACL that allows the 10.1.1.0/24 network. Use 1 as the ACL identifier. This ACL will be used to define networks that are eligible for NAT translations. Step 3 Create a NAT pool with the following parameters:
Pool name Starting IP address Ending IP address Network mask NAT_POOL 209.165.201.5 209.165.201.10 255.255.255.224
How many hosts that require NAT can you accommodate at the same time using this NAT pool? Step 4 Configure the GigabitEthernet0/0 interface as the NAT inside interface.
Note When you enable the interface as NAT inside, the router will block for approximately 1 minute. After that, you will see a log message about the router creating NVI0 interface. This interface is used internally by the router to perform NAT.
Step 5 Configure the GigabitEthernet0/1 interface as the NAT outside interface. Step 6 Configure a dynamic source NAT rule that will translate inside hosts into the IP addresses that were defined in the previously configured NAT pool. Use the previously configured ACL to specify hosts that are eligible for translations, and use the previously configured NAT pool. Step 7 Save the running configuration to the startup configuration.
Lab Guide
L-43
Activity Verification You have completed this task when you attain these results: Step 1 Access PC1. Open PuTTY by double-clicking the PuTTY icon and establish a remote Telnet session to the server at 172.16.1.100 by clicking the Telnet radio button and entering the IP address into the Host Name input field.
You should be successful.

Note Recall that the server is actually implemented as loopback interface on the HQ router. Therefore, you will actually establish a Telnet session to the HQ router for testing purposes.
Step 2 Verify the user connection to the server using the show users command. This command will display management sessions to the router via console or via remote access.
HQ#show users Line 0 con 0 *514 vty 0
User
Host(s) idle idle
Idle 00:42:00 00:00:00
Location 209.165.201.5
You should see that the Telnet session from PC1 is seen as originating from a translated IP address. The translated IP address is the first free IP address from the NAT pool.
Note The session marked with an asterisk (*) is the one that is currently active and used.
Lab Guide
L-45
Step 3 Access PC2. Open PuTTY by double-clicking the PuTTY icon and establish a Telnet session to the server at 172.16.1.100. If PC2 is not configured with an IP address, assign it an IP address of 10.1.1.101/24.
Step 4 Verify the user connection to the server using the show users command.
HQ#show users Line 514 vty 0 *515 vty 1
User
Host(s) idle idle
Idle 00:00:29 00:00:00
Location 209.165.201.5 209.165.201.6
You should see that the Telnet session from PC2 is seen as originating from a translated IP address. The translated IP address is the next free IP address from the NAT pool. Step 5 Return to the Branch router. Verify that there are active NAT translations.
Branch#show ip nat translations Pro Inside global Inside local tcp 209.165.201.5:1035 10.1.1.100:1035 --- 209.165.201.5 10.1.1.100 tcp 209.165.201.6:1030 10.1.1.101:1030 --- 209.165.201.6 10.1.1.101
Outside local 172.16.1.100:23 --172.16.1.100:23 ---
Outside global 172.16.1.100:23 --172.16.1.100:23 ---
Notice that inside local IP addresses are translated into inside global IP addresses. Step 6 Close the Telnet session on PC1 and PC2.
Task 4: Configure NAT with PAT

In this task, you will configure dynamic NAT with PAT on the Branch router to translate the IP addresses of inside hosts to the public IP address of the Branch router. Then you will verify the NAT configuration and connectivity from PC1 and PC2 to the server. Activity Procedure Complete the following steps: Step 1 Return to the Branch router. Step 2 Remove the previously configured dynamic NAT rule.
Lab Guide
L-47
Step 3 Configure a dynamic source NAT/PAT (NAT with overload) rule that will translate inside hosts into the IP address of the router outside interface. Use the previously configured ACL to specify the hosts that are eligible for translations. How many hosts that require NAT can you accommodate at the same time by overloading the IP address of the interface? Step 4 Save the running configuration to the startup configuration. Activity Verification You have completed this task when you attain these results:
Step 1 Access PC1. Open PuTTY by double-clicking the PuTTY icon and establish a Telnet session to the server at 172.16.1.100.
You should be successful. Step 2 Verify the user connection to the server using the show users command.
HQ#show users Line *514 vty 0
User
Host(s) idle
Idle Location 00:00:00 209.165.201.1
You should see that the Telnet session from PC1 is seen as originating from the IP address of the Branch router outside interface.
Lab Guide
L-49
Step 4 Verify the user connection to the server using the show users command.
HQ#show users Line 514 vty 0 *515 vty 1
User
Host(s) idle idle
Idle Location 00:01:05 209.165.201.1 00:00:00 209.165.201.1
You should see that the Telnet session from PC2 is again seen as originating from the IP address of the Branch router outside interface. Step 5 Return to the Branch router. Verify that there are active NAT translations.
Branch#show ip nat translations Pro Inside global Inside local tcp 209.165.201.1:1042 10.1.1.100:1042 tcp 209.165.201.1:1036 10.1.1.101:1036
Outside local 172.16.1.100:23 172.16.1.100:23
Outside global 172.16.1.100:23 172.16.1.100:23
Notice that two inside local IP addresses are translated into the same inside global IP address, which is configured on the Branch router outside interface. To provide two distinct translations, different source ports are used. Step 6 Close the Telnet session on PC1 and PC2.
Lab Guide
L-51

Activity Overview
Objectives
Securing administrative access to devices is crucial because you do not want unauthorized users to have access to your network devices. In this lab, you will increase the security of the initial switch and router configuration. After you have completed this activity, you will be able to meet these objectives: Configure passwords on a router and switch Configure and limit remote access to SSH Configure an ACL to limit remote access Configure the login banner
Visual Objective
Visual Objective for Lab 3-1: Enhancing the Security of the Initial Configuration

Branch
Add password protection Enable SSH Con gure a login banner
Add password protection Enable SSH Limit access with an ACL Con gure a login banner
PC1
S W1
Required Resources
There are no additional resources that are required for this lab.
Command List
Commands
Command access-class number direction access-list number permit ip_address wildcard_mask banner login copy running-config startup-config crypto key generate rsa enable secret password end ip domain-name name ip ssh version [1 | 2] Description Applies the ACL to the vty line. The direction argument can have the value of either in or out. Creates a standard ACL that permits all traffic from or to a specified network Allows the configuration of a message that is displayed just before login Copies the switch running configuration file to the startup configuration file that is held in local NVRAM Generates the RSA key pairs to be used Sets a password for entering privileged EXEC mode. The password is protected using strong MD5-type encryption. Terminates configuration mode Supplies an IP domain name that is required by the cryptographic keygeneration process Specifies the version of SSH to be run. To disable the version of SSH that was configured and to return to compatibility mode, use the no form of this command. Enters line console 0 configuration mode Enters vty configuration mode. Vty lines allow access to the switch for remote network management. The number of vty lines available is dependent on the Cisco IOS Software version. Typical values are 0-4 and 0-15 (inclusive). Activates the login process on the console or vty lines Makes the login process on the console or vty lines rely on (or use) the local authentication database Exits EXEC mode and requires reauthentication (if enabled) Assigns a password to the console or vty lines Displays all ACLs that are defined on the device Displays the active configuration Displays information about the active lines Starts an encrypted session with a remote networking device using the current user ID. The IP address identifies the destination device.
line console 0 line vty start_number end_number
login login local logout password show access-list show running-config show users ssh l username ip_address
Lab Guide
L-55
Command transport input [telnet | ssh | all] username username secret password
Description Specifies which protocols to use to connect to a specific line of the device Creates a username and password pair that can then be used as a local authentication database
Job Aids
Device Branch Headquarter s SW1 PC1 PC2 Hardware Cisco 2901 Integrated Services Router Cisco 2901 Integrated Services Router Catalyst 2960 Series Switch Any PC Any PC Operating System c2900-universalk9-mz.SPA.152-4.M1 c2900-universalk9-mz.SPA.152-4.M1 c2960-lanbasek9-mz.150-1.SE3 Microsoft Windows 7 Microsoft Windows 7
There are no console or enable passwords that are set for the routers and switches in the initial lab setup. The table shows the username and password that are used to access PC1 and PC2.
Device PC1 PC2 Username Administrator Administrator Password admin admin

Branch
Gi0/0 VLAN 1: 10.1.1.1 Fa0/13
PC1
Fa0/1 10.1.1.100
SW1
10.1.1.11
Device Branch Branch Headquarters Headquarters SW1 PC1 PC2 Interface Gi0/1 Gi0/0 Gi0/1 Loopback0 VLAN1 Ethernet adapter local area connection Ethernet adapter local area connection IP Address/Subnet Mask 209.165.201.1/27 10.1.1.1/24 209.165.201.2/27 172.16.1.100/24 10.1.1.11/24 10.1.1.100/24 10.1.1.101/24
Task 1: Add Password Protection

Following the initial configuration of the switch, where passwords have been configured for the vty lines, two potential security holes exist. First, a security breach is possible when the vty lines have the login process deactivated and the password is too simple. Second, security can be breached because the console port initially is not protected by a password at all. In this task, you will secure console access and access to privileged EXEC mode on a router and a switch. Activity Procedure Complete the following steps: Step 1 Access the Branch router.
Lab Guide
L-57
Step 2 Secure the console line with the password cisco. Step 3 Exit to the console login screen by issuing the end and exit commands. You will be asked for the password that you configured in the previous step.
Branch(config-line)#end Branch#exit Branch con0 is now available Press RETURN to get started. User Access Verification Password: Branch>
Step 4 Examine the running configuration and identify the password that was configured for the console line. Note that the password is in cleartext.
Branch#show running-config | section line con line con 0 exec-timeout 60 0 password cisco logging synchronous login
Step 5 Create the username ccna and assign the secret password cisco to it. Look at the Command List section to identify the correct command. Then change the mode of authentication on the console line so that this user is authenticated using this username and password.
Step 6 Exit to the console login screen by issuing the end and exit commands. You will be asked for a username and password. Enter the credentials that you created in the previous step.
Branch(config-line)#end Branch#exit Branch con0 is now available Press RETURN to get started. User Access Verification Username: ccna Password: Branch>
Step 7 Examine the running configuration and identify the username and password that you created. Note that the password is encrypted, not in cleartext. You could use the service password-encryption command to encode the cleartext password, but this encryption type is weak.
Branch#show running-config | section username username ccna secret 4 tnhtc92DXBhelxjYk8LWJrPV36S2i4ntXrpb4RFmfqY
Step 8 Secure vty lines 0 through 15. Users should be able to log in using the username ccna and password cisco that you previously defined. For security reasons, the passwords for console and vty access should be different. Also, in production environments, you should use strong passwords (at least eight characters and a combination of letters, numbers, and special characters). In the lab environment, we are using the same passwords for console and vty access.
Lab Guide
L-59
Step 9 On PC1, open PuTTY and establish a Telnet session to the Branch router to verify that you configured vty security correctly.
Enter the appropriate credentials to log into the Branch router.
Step 10 On the Branch router, secure access to privileged EXEC mode with the password cisco. The password must be encrypted with strong encryption. Step 11 Save the changes that you made on the Branch router. Step 12 Exit privileged EXEC mode and then re-enter it. When prompted, enter the password that you configured in the previous step.
Branch#disable Branch>enable Password: Branch#
Step 13 Examine the running configuration of the Branch router and identify the line where the password that allows access to privileged EXEC mode is configured. Notice that the password is encrypted.
Branch#show running-config | section enable enable secret 4 tnhtc92DXBhelxjYk8LWJrPV36S2i4ntXrpb4RFmfqY
Lab Guide
L-61
Step 14 Access switch SW1. Configure it with the enable secret password cisco. Users should be able to log into the console and vty lines by using the username ccna and the password cisco. Use strong encryption. Step 15 Save the changes that you made on the SW1 switch. Step 16 On the SW switch, go to the user EXEC mode by entering the end and exit commands. Log into the switch SW console by using the previously configured username and password in order to verify console protection.
SW1(config-line)#end SW1#exit SW1 con0 is now available Press RETURN to get started. User Access Verification Username: ccna Password: SW1>
Step 17 On the SW switch, enter the privileged EXEC mode by entering the previously configured password.
SW1>enable Password: SW1#
Step 18 Return to PC1, open PuTTY, and establish a Telnet session to the SW1 switch to verify that you configured vty security correctly.
Enter the appropriate credentials to log into the switch.
Lab Guide
L-63
Task 2: Enable SSH Remote Access

Previously, you protected passwords by using encryption. However, when remote management uses the Telnet protocol, which sends all characters in cleartext, including passwords, the potential exists for packet capture and exploitation of this information. In this task, you will configure SSH as an alternative to Telnet. If it is possible in your environment, it would be best to replace Telnet with SSH. Activity Procedure Complete the following steps: Step 1 Configure the Branch router for SSH access. Use cisco.com as the domain name. The key length should be 1024 bits. Use SSH version 2 and make SSH the only remote access that is allowed. Step 2 Save the changes that you made on the Branch router.
Step 3 Configure the SW1 switch for SSH access. Use cisco.com as the domain name, specify a key length of 1024 bits, use SSH version 2, and make SSH the only remote access that is allowed. Step 4 Save the changes that you made on the SW1 switch. Step 5 On PC1, open PuTTY and try to connect to the Branch router using Telnet. Your attempt will be unsuccessful.
Lab Guide
L-65
Step 6 Now try to remotely connect from PC1 to the Branch router using SSH. Your attempt should be successful. Leave the connection open for the next step.
Step 7 On the Branch router, show the users that are logged into the system. Identify the user that is using the vty line.
Branch#show users Line User * 0 con 0 ccna 514 vty 0 ccna Interface User
Host(s) idle idle Mode
Idle Location 00:00:00 00:00:27 10.1.1.100 Idle Peer Address
Lab Guide
L-67
Step 8 Return to PC1. Open another PuTTY and apply SSH to the SW1 switch in order to verify the SSH configuration on the switch. Your attempt should be successful.
Task 3: Limit Remote Access to Selected Network Addresses

In this task, you will create an ACL on the SW1 switch and apply it to the vty lines. The ACL will permit remote sessions from the Branch router but not from PC1. Activity Procedure Complete the following steps: Step 1 On the SW1 switch, define a standard ACL that will permit only the IP address of the Branch router. Any attempts to establish remote sessions from unauthorized devices should be logged. Step 2 Apply the defined ACL to all vty lines of the SW1 switch.
SW1(config)#line vty 0 15 SW1(config-line)#access-class 1 in
Step 3 Save the changes that you made on the SW1 switch.
Lab Guide
L-69
Activity Verification You have completed this task when you attain this result: Step 1 Try to establish an SSH remote session from PC1 to SW1 at 10.1.1.11. You should not be successful because the ACL that you defined allows only the Branch router to establish sessions to the SW1 switch.
Step 2 Try to establish an SSH remote session from the Branch router. You should be successful.
Branch#ssh -l ccna 10.1.1.11 Password: SW1>
Step 3 On the SW1 switch, show the ACL that you defined for the vty lines. Notice that the counters for both the permit and deny statements increased. If you did not define an explicit deny statement, a remote session from PC1 would still be denied, but you would not be able to see counters for denied remote session attempts.
SW1#show access-lists Standard IP access list 1 10 permit 10.1.1.1 (2 matches) 20 deny any log (3 matches)
Task 4: Configure a Login Banner

As part of any security policy, you must ensure that network resources are clearly identified as being off limits to the casual visitor. Hackers have successfully used the fact that a welcome screen was presented at login as their legal defense for forced entry into the network. Therefore, a message that clearly states that access is restricted should be presented when a user is attempting to access a network device (switch, router, and so on). The Cisco IOS banner command allows you to do so. Activity Procedure Complete the following steps: Step 1 Configure the Branch router with the following login banner message: ********** Warning ************* Access to this device is restricted to authorized persons only! Unauthorized access is prohibited. Violators will be prosecuted. *********************************************** Step 2 Save the changes that you made on the Branch router. Step 3 Configure the SW1 switch with the same login banner that you used for the Branch router in the previous step: ********** Warning ************* Access to this device is restricted to authorized persons only! Unauthorized access is prohibited. Violators will be prosecuted. ***********************************************
Lab Guide
L-71
Step 4 Save the changes that you made on the SW1 switch. Activity Verification You have completed this task when you attain these results: Step 1 Access the Branch router. Log out of the Branch router and then log back in. Notice the login banner that you were presented with as you logged in.
Branch#logout Branch con0 is now available Press RETURN to get started. ********** Warning ************* Access to this device is restricted to authorized persons only! Unauthorized access is prohibited. Violators will be prosecuted. *********************************************** User Access Verification Username: ccna Password:
Step 2 Access SW1. Log out of the SW1 switch console and then log back in. Notice the login banner that you were presented with as you logged in.
SW1#logout SW1 con0 is now available Press RETURN to get started. ********** Warning ************* Access to this device is restricted to authorized persons only! Un-authorized access is prohibited. Violators will be prosecuted. *********************************************** User Access Verification Username: ccna Password:
Note
When accessing network devices via the SSH protocol, some terminal clients such as PuTTY display the login banner only after the username parameter is entered as input.

Activity Overview
Objectives
Device hardening is crucial to increasing security in the network. In this lab, you will perform security device hardening on a router and switch. After you have completed this activity, you will be able to meet these objectives: Disable unused ports Configure port security on a switch Disable unused services Configure NTP
Visual Objective
Visual Objective for Lab 3-2: Device Hardening

Configure NTP client and server Branch
Outside Inside
HQ Internet Server
NTP server PC1 SW1 Disable unused ports Configure port security Disable Cisco Discovery Protocol Configure NTP client
Required Resources
Command List
The table that follows describes the commands that are used in this activity. The commands are listed in alphabetical order so that you can easily locate the information that you need. Refer to this list if you need configuration command assistance during the lab activity.
Commands
Command [no] cdp enable configure terminal interface interface ntp master [stratum] ntp server {ip-address} ping dest_IP show cdp neighbors show interfaces show interfaces status show port-security interface interface show ntp associations show ntp status show port-security address [no] shutdown switchport mode access switchport port-security switchport port-security mac-address mac-address Description Enables or disables Cisco Discovery Protocol on an interface Enters configuration mode Enters interface configuration mode Configures Cisco IOS Software as an NTP master clock. Allows the software clock to be synchronized by an NTP time server Verifies connectivity between the source IP and destination IP Displays detailed information about neighboring devices that are discovered by using Cisco Discovery Protocol Displays statistics for all interfaces that are configured on the router Displays the status of interfaces Displays the port security settings that are defined for an interface Displays the status of NTP associations Displays the status of NTP Displays the secure MAC addresses for all ports Enables or disables an interface on the router Configures a switchport as an access port Enables the port security feature on the interface Enters a secure MAC address for the interface
Job Aids
Device Branch Headquarter s SW1 Hardware Cisco 2901 Integrated Services Router Cisco 2901 Integrated Services Router Catalyst 2960 Series Switch Operating System c2900-universalk9-mz.SPA.152-4.M1 c2900-universalk9-mz.SPA.152-4.M1 c2960-lanbasek9-mz.150-1.SE3
Lab Guide
L-75
Device PC1 PC2
Hardware Any PC Any PC
Operating System Microsoft Windows 7 Microsoft Windows 7
The table shows usernames and passwords that are used to access the lab devices.
Device PC1 PC2 Branch (console access) Branch (enable password) SW1 (console access) SW1 (enable password) Username Administrator Administrator ccna / ccna / Password admin admin cisco cisco cisco cisco

Gi0/1 209.165.201.1 Gi0/1 209.165.201.2
Branch Internet
VLAN 1: 10.1.1.1 Gi0/0 Fa0/13
Server
172.16.1.100
HQ
PC1
10.1.1.100
Fa0/1 0/3 Fa0/3
SW1
10.1.1.11
PC2
10.1.1.101
Device Branch Branch Headquarters Interface Gi0/1 Gi0/0 Gi0/1 IP Address/Subnet Mask 209.165.201.1/27 10.1.1.1/24 209.165.201.2/27
Device Headquarters SW1 PC1 PC2
Interface Loopback0 VLAN1 Ethernet adapter local area connection Ethernet adapter local area connection
IP Address/Subnet Mask 172.16.1.100/24 10.1.1.11/24 10.1.1.100/24 10.1.1.101/24
Task 1: Disable Unused Ports

Unused ports on a switch can be a security risk. A hacker can plug a switch into an unused port and become part of the network. In this task, you will disable unused ports on a network switch. Activity Procedure Complete the following steps: Step 1 Access the SW1 switch. Step 2 Disable unused interfaces FastEthernet 0/14 to FastEthernet 0/24 with as few configuration steps as possible. Step 3 Examine the status of interfaces FastEthernet 0/14 to FastEthernet 0/24. You should see interfaces FastEthernet 0/14 to FastEthernet 0/24 as disabled.
SW1#show interfaces status Port Name <output omitted> Fa0/13 Fa0/14 Fa0/15 Fa0/16 Fa0/17 Fa0/18 Fa0/19 Fa0/20 Fa0/21 Fa0/22 Fa0/23 Fa0/24
Status connected disabled disabled disabled disabled disabled disabled disabled disabled disabled disabled disabled
Vlan 1 1 1 1 1 1 1 1 1 1 1 1
Duplex a-full auto auto auto auto auto auto auto auto auto auto auto
Speed Type a-100 auto auto auto auto auto auto auto auto auto auto auto 10/100BaseTX 10/100BaseTX 10/100BaseTX 10/100BaseTX 10/100BaseTX 10/100BaseTX 10/100BaseTX 10/100BaseTX 10/100BaseTX 10/100BaseTX 10/100BaseTX 10/100BaseTX
Step 4 Save the running configuration to the startup configuration.
Lab Guide
L-77
Task 2: Configure Port Security on a Switch

Port security is a feature that is supported on Cisco Catalyst switches that restricts a switch port to a specific set or number of MAC addresses. In this task, you will configure port security on the switch interface that faces the router. You will also demonstrate a port security violation. Activity Procedure Complete the following steps: Step 1 Access the Branch router. Step 2 Examine the MAC address of the Branch router interface GigabitEthernet 0/0, which faces the SW1 switch. Write down the MAC address, which you will need to configure the port security feature.
Branch#show interfaces GigabitEthernet 0/0 GigabitEthernet0/0 is up, line protocol is up Hardware is CN Gigabit Ethernet, address is f866.f231.7250 (bia f866.f231.7250)
Note
Your MAC address might be different from the the address that is shown in the output.
Step 3 Access the SW1 switch. Step 4 Configure interface FastEthernet0/13, which faces the Branch router, as a static access port. Step 5 Enable the port security feature on interface FastEthernet0/13. Manually specify the secure MAC address f866.f231.7251 (which is not the MAC address of the Branch router). You will simulate a port security violation by misconfiguring the secure MAC address.
Step 6 Observe the switch output and verify the status of SW1 interface FastEthernet0/13. Make sure that a port security violation occurred because of the misconfigured secure MAC address.
Sep 28 11:16:18.312: %PM-4-ERR_DISABLE: psecure-violation error detected on Fa0/13, putting Fa0/13 in err-disable state Sep 28 11:16:18.312: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address f866.f231.7250 on port FastEthernet0/13. Sep 28 11:16:19.318: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/13, changed state to down Sep 28 11:16:20.317: %LINK-3-UPDOWN: Interface FastEthernet0/13, changed state to down SW1#show interfaces FastEthernet 0/13 FastEthernet0/13 is down, line protocol is down (err-disabled) Hardware is Fast Ethernet, address is 001e.147c.6f0d (bia 001e.147c.6f0d) SW1#show port-security interface FastEthernet 0/13 Port Security : Enabled Port Status : Secure-shutdown Violation Mode : Shutdown Aging Time : 0 mins Aging Type : Absolute SecureStatic Address Aging : Disabled Maximum MAC Addresses : 1 Total MAC Addresses : 1 Configured MAC Addresses : 1 Sticky MAC Addresses : 0 Last Source Address:Vlan : f866.f231.7250:1 Security Violation Count : 1
A port security violation occurs due to management traffic (Cisco Discovery Protocol, for example) coming from the router toward the switch. Step 7 Try to ping PC1 at 10.1.1.100 from the Branch router. Your attempt should fail because the switch port connecting to the Branch router is error-disabled.
Branch#ping 10.1.1.100 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 10.1.1.100, timeout is 2 seconds: U.U.U Success rate is 0 percent (0/5)
Step 8 Change the port security of the secure MAC address on SW1 interface FastEthernet0/13 to the correct MAC address, which you wrote down.
Note Your MAC address for the Branch router might be different from the address that was shown in the output.
Lab Guide
L-79
Step 9 Make the FastEthernet0/13 interface on SW1 operational again. Step 10 Observe the switch output. Verify the status of the FastEthernet0/13 interface on SW1 and make sure that the interface is operational again.
Sep 28 11:10:07.080: %LINK-3-UPDOWN: Interface FastEthernet0/13, changed state to up Sep 28 11:10:08.087: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/13, changed state to up SW1#show interfaces FastEthernet 0/13 FastEthernet0/13 is down, line protocol is up Hardware is Fast Ethernet, address is 001e.147c.6f0d (bia 001e.147c.6f0d)
Step 11 Try to ping PC1 at 10.1.1.100 from the Branch router. Your attempt should succeed now.
Branch#ping 10.1.1.100 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 10.1.1.100, timeout is 2 seconds: !!!!!
Step 12 Display the secure MAC addresses for interface FastEthernet0/13.
SW1#show port-security address Secure Mac Address Table -------------------------------------------------------------------------Vlan Mac Address Type Ports Remaining Age (mins) --------------------------------1 f866.f231.7250 SecureConfigured Fa0/13 -------------------------------------------------------------------------Total Addresses in System (excluding one mac per port) : 1 Max Addresses limit in System (excluding one mac per port) : 8192
Step 13 Display the port security settings for the SW1 switch.
SW1#show port-security Secure Port MaxSecureAddr CurrentAddr SecurityViolation Security Action (Count) (Count) (Count) --------------------------------------------------------------------------Fa0/13 1 1 0 Shutdown --------------------------------------------------------------------------Total Addresses in System (excluding one mac per port) : 1 Max Addresses limit in System (excluding one mac per port) : 8192
Step 14 Disable the port security feature on interface FastEthernet 0/13. Step 15 Save the running configuration to the startup configuration. Activity Verification No additional verification is needed in this task.
Task 3: Disable Unused Services

Some services may not be needed on the router and therefore can be disabled. You will disable Cisco Discovery Protocol on the switch interface toward the router. Activity Procedure Complete the following steps: Step 1 Access the Branch router. Step 2 Examine the neighbor devices of the Branch router. You should see the SW1 switch as the neighbor device.
Branch#show cdp neighbors Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge S - Switch, H - Host, I - IGMP, r - Repeater, P - Phone, D - Remote, C - CVTA, M - Two-port Mac Relay Device ID Local Intrfce Holdtme Capability Platform Port ID SW1 Gig 0/0 135 S I WS-C2960- Fas 0/13
Lab Guide
L-81
Step 3 Disable Cisco Discovery Protocol on the SW1 interface that is facing the Branch router. Step 4 Examine the neighbor devices of the Branch router. You should not see switch SW1 anymore as a neighbor device because you disabled Cisco Discovery Protocol on the switch interface toward the router.
Branch#show cdp neighbors Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge S - Switch, H - Host, I - IGMP, r - Repeater, P - Phone, D - Remote, C - CVTA, M - Two-port Mac Relay Device ID Local Intrfce Holdtme Capability Platform Port ID
Note
It may take up to 3 minutes for the neighbor to disappear from the output because of the holddown timer that is set to 180 seconds.
Step 5 Examine the neighbor devices of the SW1 switch. You should see no neighbor device because you disabled Cisco Discovery Protocol on the switch interface toward the Branch router.
SW1#show cdp neighbors Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge S - Switch, H - Host, I - IGMP, r - Repeater, P - Phone, D - Remote, C - CVTA, M - Two-port Mac Relay Device ID Local Intrfce Holdtme Capability Platform Port ID
Step 6 Enable Cisco Discovery Protocol on the SW1 interface that faces the Branch router. Step 7 Save the running configuration to the startup configuration. Activity Verification No additional verification is needed in this task.
Task 4: Configure NTP

Networks use NTP to synchronize the clocks of various devices across a network. Clock synchronization within a network is critical for digital certificates and for correct interpretation of events within syslog data. In this task, you will configure the Branch router as an NTP client of the server. The Branch router will also act as an NTP server for SW1 at the same time. The server has been preconfigured as the NTP server with stratum 3. Activity Procedure Complete the following steps: Step 1 Configure the Branch router as an NTP client of the server at 172.16.1.100. Step 2 Verify NTP associations on the Branch router.
Branch#show ntp associations address ref clock st when poll reach delay offset disp *~172.16.1.100 127.127.1.1 3 58 128 77 1.067 36.634 0.968 * sys.peer, #selected, + candidate, - outlyer, x falseticker, ~ configured
You should see that the Branch router synchronized its clock with the server.
Note It may take several minutes in order to synchronize the clock with the NTP server.
Step 3 Verify the NTP status on the Branch router.

Branch#show ntp status Clock is synchronized, stratum 4, reference is 172.16.1.100 nominal freq is 250.0000 Hz, actual freq is 249.9989 Hz, precision is 2**21 ntp uptime is 139700 (1/100 of seconds), resolution is 4016 reference time is D46AE7E9.B6A4139E (09:46:17.713 UTC Thu Dec 6 2012) clock offset is 35.7065 msec, root delay is 0.87 msec root dispersion is 40.23 msec, peer dispersion is 1.88 msec loopfilter state is 'CTRL' (Normal Controlled Loop), drift is 0.000004366 s/s system poll interval is 128, last update was 121 sec ago.
What is the stratum of the clock on the Branch router? Step 4 Access the SW1 switch.
Lab Guide
L-83
Step 5 Configure SW1 as an NTP client that will synchronize its time with the Branch router. Although the Branch router is configured only with NTP client configuration, it will respond to time requests from other clients. It will act as a server for switch SW1. Step 6 Verify the NTP status and the NTP association status on the SW1 switch.
SW1#show ntp status Clock is synchronized, stratum 5, reference is 10.1.1.1 nominal freq is 119.2092 Hz, actual freq is 119.2091 Hz, precision is 2**17 reference time is D46AEB16.D3639982 (09:59:50.825 UTC Thu Dec 6 2012) clock offset is 58.8216 msec, root delay is 2.30 msec root dispersion is 122.31 msec, peer dispersion is 8.38 msec loopfilter state is 'CTRL' (Normal Controlled Loop), drift is 0.000001118 s/s system poll interval is 128, last update was 862 sec ago. SW1#show ntp associations address ref clock st when poll reach delay offset disp *~10.1.1.1 172.16.1.100 4 115 128 377 1.436 58.821 8.389 * sys.peer, #selected, + candidate, - outlyer, x falseticker, ~ configured
You should see that SW1 synchronized its clock with the Branch router. What is the stratum of the clock on the SW1 switch?
Note It may take several minutes in order to synchronize the clock with the NTP server.
Step 7 Save the running configuration to the startup configuration. Activity Verification No additional verification is needed in this task.

Activity Overview
Objectives
A common mechanism for filtering traffic is the use of ACLs, which enable you to allow, limit, or restrict access to a network resource. In this lab, you will configure traffic filtering using ACLs. After you have completed this activity, you will be able to meet these objectives: Configure extended, named ACLs Troubleshoot ACLs
Visual Objective
Visual Objective for Lab 3-3: Filtering Traffic with ACLs

Branch HQ Server
PC1
SW1
PC2
SW2

All Other Traffic Allowed Telnet Allowed
Configure ACL Troubleshoot ACL Branch Internet HQ Server
Telnet Blocked
SW1 PC1
All Other Traffic Allowed
PC2
Required Resources
There are no additional required resources for this lab.
Command List
Commands
Command configure terminal interface interface ip access-group ACL_name {in | out} ip access-list extended ACL_name {permit | deny} {test conditions} show access-lists ACL_name show ip interface interface-type interface number Description Enters configuration mode Enters interface configuration mode Enables an IP ACL on an interface Defines an ACL and enters ACL configuration mode Creates ACL statements for a named ACL Displays the contents of all IP ACLs Displays IP-specific information for an interface, including the ACLs that are applied on an interface
Job Aids
Device Branch Headquarter s SW1 PC1 PC2 Hardware Cisco 2901 Integrated Services Router Cisco 2901 Integrated Services Router Catalyst 2960 Series Switch Any PC Any PC Operating System c2900-universalk9-mz.SPA.152-4.M1 c2900-universalk9-mz.SPA.152-4.M1 c2960-lanbasek9-mz.150-1.SE3 Microsoft Windows 7 Microsoft Windows 7
Device PC1 PC2 Branch (console access) Branch (enable password) SW1 (console access) SW1 (enable password) Server (HTTP) Username Administrator Administrator ccna / ccna / ccna Password admin admin cisco cisco cisco cisco cisco
Lab Guide
L-87

Gi0/1 209.165.201.1 Gi0/1 209.165.201.2
Branch Internet
VLAN 1: 10.1.1.1 Gi0/0 Fa0/13
Server
172.16.1.100
HQ
PC1
10.1.1.100
Fa0/1 0/3 Fa0/3
SW1
10.1.1.11
PC2
10.1.1.101
Device Branch Branch Headquarters Headquarters SW1 PC1 PC2 Interface Gi0/1 Gi0/0 Gi0/1 Loopback0 VLAN1 Ethernet adapter local area connection Ethernet adapter local area connection IP Address/Subnet Mask 209.165.201.1/27 10.1.1.1/24 209.165.201.2/27 172.16.1.100/24 10.1.1.11/24 10.1.1.100/24 10.1.1.101/24
Task 1: Configure an ACL

ACLs enable you to control access to network resources based on Layer 3 packet-header information. In this task, you will configure an ACL that will prevent a Telnet connection from PC2 to the server. All other IP traffic will be permitted. Activity Procedure Complete the following steps:
Step 1 Access the Branch router. Use the credentials provided in the Job Aids section of the document in order to log in. Step 2 Configure an extended ACL named Telnet that will prevent a Telnet connection from PC2 to the server. All other IP traffic should be permitted. Step 3 Verify the content of the configured ACL.
Branch#show access-lists Telnet Extended IP access list Telnet 10 deny tcp host 10.1.1.101 host 172.16.1.100 eq telnet 20 permit ip any any
Step 4 Apply the configured ACL to the GigabitEthernet0/0 interface in the correct direction. Step 5 Verify that the configured interface is applied to the GigabitEthernet0/0 interface in the correct direction.
Branch#show ip interface GigabitEthernet 0/0 GigabitEthernet0/0 is up, line protocol is up Internet address is 10.1.1.1/24 Broadcast address is 255.255.255.255 Address determined by setup command MTU is 1500 bytes Helper address is not set Directed broadcast forwarding is disabled Outgoing access list is not set Inbound access list is Telnet Proxy ARP is enabled Local Proxy ARP is disabled <...output omitted...>
Step 6 Save the running configuration to the startup configuration.
Lab Guide
L-89
You should be successful. Step 8 Verify that the counter that was matched by the permit ACL statement increased.
Branch#show access-lists Telnet Extended IP access list Telnet 10 deny tcp host 10.1.1.101 host 172.16.1.100 eq telnet 20 permit ip any any (10 matches)
Note
The actual number of ACL hits may differ from the outputs that are provided in the lab guide.
Lab Guide
L-91
You should not be successful because the configured ACL blocks Telnet traffic from PC2 to the server. Step 10 Verify that the counter that was matched by the deny ACL statement increased.
Branch#show access-lists Telnet Extended IP access list Telnet 10 deny tcp host 10.1.1.101 host 172.16.1.100 eq telnet (9 matches) 20 permit ip any any (10 matches)
Lab Guide
L-93
Step 11 Access PC1. Open Internet Explorer and try to reach the HTTP server at IP address 172.16.1.100. Use the credentials that are provided in the Job Aids section of the document in order to log in.
You should be successful. Step 13 Verify that the counter that was matched by the permit ACL statement increased.
Branch#show access-lists Telnet Extended IP access list Telnet 10 deny tcp host 10.1.1.101 host 172.16.1.100 eq telnet (9 matches) 20 permit ip any any (274 matches)
Task 2: Lab Setup

In this lab setup procedure, you will load a configuration to the Branch router to create a trouble ticket. You will resolve this ticket in the next task.
Lab Guide
L-95
Activity Procedure Complete the following steps: Step 1 Access the Branch router. Step 2 Copy the TSHOOT_Troubleshoot_ACLs_Branch.cfg file from the router flash memory into the router running configuration.
Branch#copy flash:TSHOOT_Troubleshoot_ACLs_Branch.cfg running-config 3341 bytes copied in 3.490 secs (957 bytes/sec)
Task 3: Troubleshoot an ACL

It is very important to be able to analyze the behavior of configured ACLs and to troubleshoot them. In this task, you will troubleshoot the previously loaded trouble ticket. You should change the configuration so that a Telnet connection from PC2 to the server is not permitted, while all other IP traffic to the server is allowed. Activity Procedure Complete the following steps:
Lab Guide
L-97
Lab Guide
L-99
You will be successful, although Telnet traffic from PC2 to the server should be blocked.
Lab Guide
L-101
You should be successful. Step 5 Access the Branch router.
Step 6 Verify that the configured ACL is applied to the GigabitEthernet0/0 interface in the correct direction.
Branch#show ip interface GigabitEthernet 0/0 GigabitEthernet0/0 is up, line protocol is up Internet address is 10.1.1.1/24 Broadcast address is 255.255.255.255 Address determined by setup command MTU is 1500 bytes Helper address is not set Directed broadcast forwarding is disabled Outgoing access list is Telnet Inbound access list is not set Proxy ARP is enabled Local Proxy ARP is disabled <...output omitted...>
Step 7 Apply the configured ACL to the GigabitEthernet0/0 interface in the correct direction. Step 8 Verify the contents of the configured ACL.
Branch#show access-lists Telnet Extended IP access list Telnet 10 permit ip any any (338 matches) 20 deny ip any any 30 deny tcp host 10.1.1.101 host 172.16.1.100 eq telnet
Step 9 Change the Telnet ACL so that it prevents Telnet connections from PC2 to the server. All other IP traffic should be permitted. Step 10 Save the running configuration to the startup configuration.
Lab Guide
L-103
Lab Guide
L-105
You should not be successful because the configured ACL blocks Telnet traffic from PC2 to the server.
Lab Guide
L-107
You should be successful. Activity Verification No additional verification is needed in this task.
Lab Guide
L-109

Activity Overview
Objectives
In this lab, you will configure two switches to meet specified VLAN requirements. After completing this activity, you will be able to meet these objectives: Configure VLANs Configure trunking Configure router with a trunk link
Visual Objective
Visual Objective for Lab 4-1: Configuring Expanded Switched Networks

Branch HQ Server
PC1
SW1
PC2
SW2

Configure VLANs and assign user ports to the proper VLAN
Gi0/1 PC1 VLAN 10 Fa0/3 PC2 VLAN 20 Fa0/3 Fa0/1 SW2 Fa0/13 Fa0/1 Branch
Configure a router with a trunk link

SW1
Configure trunking
Required Resources
There are no additional resources required for this lab.
Command List
Cisco IOS Commands

Command encapsulation dot1q vlan Description Enables IEEE 802.1Q encapsulation of traffic on a specified subinterface in VLANs. This command can be entered when you are in interface configuration mode. Enters interface configuration mode for the specified interface. Sets an IP address, along with the subnet mask, on an interface. Enter interface configuration mode to issue this command. Displays trunking information. Displays VLAN information. When you configure a router on a stick, use this command to verify trunking and VLANs. Disables or enables an interface. Issue this command from interface configuration mode. Assigns a port to a VLAN. Issue this command from interface configuration mode. Interface configuration mode command. There are four options. The two non-negotiating modes are trunk and switch, and the two DTP negotiation modes are dynamic auto and dynamic desirable. Specifies VLANs from which traffic is allowed over the trunk link. Creates the VLAN that is specified. Issue this command from global configuration mode.
interface interface_name interface_number ip address ip_address network_mask show interfaces trunk show vlan show vlans [no] shutdown switchport access vlan vlan switchport mode mode
switchport trunk allowed vlan vlan_list vlan vlan_number
Microsoft Windows Commands

Command ping ip_address tracert ip_address Description Issues a ping to the specified IP address Issues a traceroute to the specified IP address
Job Aids
Lab Guide
L-113
Device Branch Headquarter s SW1 SW2 PC1 PC2
Hardware Cisco 2901 Integrated Services Router Cisco 2901 Integrated Services Router Catalyst 2960 Series Switch Catalyst 2960 Series Switch Any PC Any PC
Operating System c2900-universalk9-mz.SPA.152-4.M1 c2900-universalk9-mz.SPA.152-4.M1 c2960-lanbasek9-mz.150-1.SE3 c2960-lanlitek9-mz.150-1.SE3 Microsoft Windows 7 Microsoft Windows 7
Device PC1 PC2 Branch (console access) Branch (enable password) SW1 (console access) SW1 (enable password) Server (HTTP) Username Administrator Administrator ccna / ccna / ccna Password admin admin cisco cisco cisco cisco cisco
Topology and IP Addressing Devices are connected with Ethernet links. The figure illustrates the interface identification and IP addresses that will be used in this lab.

Gi0/1 209.165.201.1 Gi0/1 209.165.201.2
Branch Internet
VLAN1:10.1.1.1 Gi0/0
Server
172.16.1.100
HQ
Fa0/13
PC1
Fa0/1 10.1.1.100 a0/3 Fa0/3
SW1
10.1.1.11
Fa0/3
PC2
Fa0/1 10.1.1.101 10.1.1.12
SW2
Device Branch Branch Headquarters Headquarters SW1 SW2 PC1 PC2 Interface Gi0/1 Gi0/0 Gi0/1 Loopback0 VLAN1 VLAN1 Ethernet adapter local area connection Ethernet adapter local area connection IP Address/Subnet Mask 209.165.201.1/27 10.1.1.1/24 209.165.201.2/27 172.16.1.100/24 10.1.1.11/24 10.1.1.12/24 10.1.1.100/24 10.1.1.101/24
Task 1: Configure a VLAN

In this task, you will create VLANs and assign the ports that are specified to them. Activity Procedure Complete the following steps: Step 1 Access switch SW2. For the purpose of management, configure the VLAN 1 interface with the IP address 10.1.1.12/24.
Lab Guide
L-115
Step 2 Access PC2. Assign the IP address 10.1.1.101/24 to it. The default gateway should be set to the IP address of a Branch router.
Step 3 Access PC1 and ping PC2 (10.1.1.101). The ping should be successful because ports on both PCs are access ports belonging to VLAN 1.
C:\Users\Administrator>ping 10.1.1.101 Pinging 10.1.1.101 with 32 bytes of data: Reply from 10.1.1.101: bytes=32 time<3ms TTL=128 Reply from 10.1.1.101: bytes=32 time<3ms TTL=128 Reply from 10.1.1.101: bytes=32 time<2ms TTL=128 Reply from 10.1.1.101: bytes=32 time<2ms TTL=128 Ping statistics for 10.1.1.101: Packets: Sent = 4, Received = 4, Lost = 0 (0% loss), Approximate round trip times in milli-seconds: Minimum = 2ms, Maximum = 3ms, Average = 3ms
Step 4 On both switches, SW1 and SW2, create VLANs 10 and 20. Step 5 On SW1, assign the port to which PC1 connects (FastEthernet0/1) to VLAN 10. On SW2, assign the port to which PC2 connects (FastEthernet0/1) to VLAN 20. Step 6 Save the running configuration to the startup configuration on both switches. Step 7 Change the IP address of PC1 to 10.1.10.100/24. Set the default gateway to 10.1.10.1, which you will later configure on the Branch router. This step provides PC1 addressing in accordance with its VLAN assignment.
Lab Guide
L-117
Step 8 Change the IP address of PC2 to 10.1.20.100/24. Set the default gateway to 10.1.20.1, which you will later configure on the Branch router. This step provides PC2 addressing in accordance with its VLAN assignment.
Activity Verification You have completed this task when you attain these results:
Step 1 On SW1 and SW2, verify that VLANs 10 and 20 are present. SW1 should have FastEthernet0/1 belonging to VLAN 10, and SW2 should have FastEthernet0/1 belonging to VLAN 20.
SW1#show vlan VLAN Name Status Ports ---- -------------------------------- --------- ------------------------------1 default active Fa0/2, Fa0/3, Fa0/4, Fa0/5 Fa0/6, Fa0/7, Fa0/8, Fa0/9 Fa0/10, Fa0/11, Fa0/12, Fa0/13 Fa0/14, Fa0/15, Fa0/16, Fa0/17 Fa0/18, Fa0/19, Fa0/20, Fa0/21 Fa0/22, Fa0/23, Fa0/24, Gi0/1 Gi0/2 10 VLAN0010 active Fa0/1 20 VLAN0020 active 1002 fddi-default act/unsup 1003 token-ring-default act/unsup 1004 fddinet-default act/unsup 1005 trnet-default act/unsup
SW2#show vlan VLAN Name Status Ports ---- -------------------------------- --------- ------------------------------1 default active Fa0/2, Fa0/3, Fa0/4, Fa0/5 Fa0/6, Fa0/7, Fa0/8, Fa0/9 Fa0/10, Fa0/11, Fa0/12, Fa0/13 Fa0/14, Fa0/15, Fa0/16, Fa0/17 Fa0/18, Fa0/19, Fa0/20, Fa0/21 Fa0/22, Fa0/23, Fa0/24, Gi0/1 Gi0/2 10 VLAN0010 active 20 VLAN0020 active Fa0/1 1002 fddi-default act/unsup 1003 token-ring-default act/unsup 1004 fddinet-default act/unsup 1005 trnet-default act/unsup <output omitted>
Lab Guide
L-119
Step 2 At this point, PC1 belongs to VLAN 10, and PC2 belongs to VLAN 20. From PC1, ping PC2 (10.1.20.100). The connectivity test should not be successful. You first need to configure a trunk between switches that will carry traffic from both VLANs and then configure a Layer 3 device that will route between those two VLANs.
C:\Users\Administrator> ping 10.1.20.100 Pinging 10.1.20.100 with 32 bytes of data: Reply from 10.1.10.100: Destination host unreachable. Reply from 10.1.10.100: Destination host unreachable. Reply from 10.1.10.100: Destination host unreachable. Reply from 10.1.10.100: Destination host unreachable. Ping statistics for 10.1.20.100: Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Task 2: Configure the Link Between Switches as a Trunk

In this task, you will configure the link between two switches as a trunk. This configuration will enable the link to carry traffic from multiple VLANs. Activity Procedure Complete the following steps: Step 1 On switch SW1, configure the link toward switch SW2 (FastEthernet0/3) as a trunk. To follow the best practice, allow only VLANs 1, 10, and 20 to cross the trunk. You can limit which VLANs are allowed to traverse the trunk link with the switchport trunk allowed vlan command. By default, ports are in DTP negotiation mode (dynamic auto). This mode presents a security risk, so the best practice is to configure the ports manually to non-negotiation modes (access or trunk). Repeat the same procedure on SW2. Step 2 Save the running configuration to the startup configuration on both switches.
Step 3 On switch SW1, verify that the link toward SW2 is trunking and that VLANs 1, 10, and 20 are the only VLANs that are allowed.
SW1#show interfaces trunk Port Mode Encapsulation Fa0/3 on 802.1q Port Vlans allowed on trunk Fa0/3 1,10,20 <output omitted>
Status trunking
Native vlan 1
On switch SW2, verify that the link toward SW1 is trunking and that VLANs 1, 10, and 20 are the only VLANs that are allowed.
SW2#show interfaces trunk Port Mode Encapsulation Fa0/3 on 802.1q Port Vlans allowed on trunk Fa0/3 1,10,20 <output omitted>
Status trunking
Native vlan 1
Step 4 At this point, PC1 belongs to VLAN 10, and PC2 belongs to VLAN 20. The link between the two switches is configured to carry more than one VLAN. It is a trunk. From PC1, ping PC2 (10.1.20.100). The connectivity test will not be successful. You first need to configure a trunk between switches that will carry traffic from both VLANs and then configure a Layer 3 device that will route between those two VLANs.
C:\Users\Administrator> ping 10.1.20.100 Pinging 10.1.20.100 with 32 bytes of data: Reply from 10.1.20.100: Destination host unreachable. Reply from 10.1.20.100: Destination host unreachable. Reply from 10.1.20.100: Destination host unreachable. Reply from 10.1.20.100: Destination host unreachable. Ping statistics for 10.1.20.100: Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Task 3: Configure a Trunk Link on the Router

In this task, you will configure a trunk link on the Branch router. It will serve as a Layer 3 device that will route between the two VLANs.
Lab Guide
L-121
Activity Procedure Complete the following steps: Step 1 On switch SW1, configure the link toward the Branch router (FastEthernet0/13) as a trunk. Step 2 Save the running configuration to the startup configuration on the SW1 switch. Step 3 On the Branch router, remove the IP address from the GigabitEthernet0/0 interface. Step 4 On the Branch router, configure three subinterfaces. Subinterface GigabitEthernet0/0.1 should have an IP address of 10.1.1.1/24 and belong to VLAN 1. Subinterface GigabitEthernet0/0.10 should have an IP address of 10.1.10.1/24 and belong to VLAN 10. Subinterface GigabitEthernet0/0.20 should have an IP address of 10.1.20.1/24 and belong to VLAN 20. Step 5 Save the running configuration to the startup configuration on the Branch router.
Step 6 On the Branch router, verify that you have interface IP addresses that are configured in VLANs 1, 10, and 20.
Branch#show vlans Virtual LAN ID: 1 (IEEE 802.1Q Encapsulation) vLAN Trunk Interface: GigabitEthernet0/0.1 This is configured as native Vlan for the following interface(s) GigabitEthernet0/0 Native-vlan Tx-type: Untagged Protocols Configured: Address: Received: IP 10.1.1.1 0 Other 0 2 packets, 518 bytes input 2 packets, 435 bytes output Virtual LAN ID: 10 (IEEE 802.1Q Encapsulation) vLAN Trunk Interface: GigabitEthernet0/0.10 Protocols Configured: Address: Received: IP 10.1.10.1 0 Other 0 0 packets, 0 bytes input 1 packets, 46 bytes output Virtual LAN ID: 20 (IEEE 802.1Q Encapsulation) vLAN Trunk Interface: GigabitEthernet0/0.20 Protocols Configured: Address: Received: IP 10.1.20.1 0 Other 0 0 packets, 0 bytes input 1 packets, 46 bytes output
: Transmitted: 0 2
Transmitted: 0 1
Transmitted: 0 1
Activity Verification You have completed this task when you attain these results: Step 1 Access PC1. Issue a ping command from PC1 to PC2 (10.1.20.100). The attempt should be successful. The first ping or first few pings might fail due to the ARP process.
C:\Users\Administrator> ping 10.1.20.100 Pinging 10.1.20.100 with 32 bytes of data: Reply from 10.1.20.100: bytes=32 time<3ms TTL=128 Reply from 10.1.20.100: bytes=32 time<3ms TTL=128 Reply from 10.1.20.100: bytes=32 time<2ms TTL=128 Reply from 10.1.20.100: bytes=32 time<2ms TTL=128 Ping statistics for 10.1.20.100: Packets: Sent = 4, Received = 4, Lost = 0 (0% loss), Approximate round trip times in milli-seconds: Minimum = 2ms, Maximum = 3ms, Average = 3ms
Lab Guide
L-123
Step 2 From PC1, use the traceroute (tracert command) utility to trace the path from PC1 to PC2. Notice that the traffic goes through the Branch router.
C:\Users\Administrator> tracert 10.1.20.100 Tracing route to 10.1.20.100 over a maximum of 30 hops 1 4 ms 1 ms 1 ms 10.1.10.1 2 2 ms 1 ms 1 ms 10.1.20.100 Trace complete.

Activity Overview
Objectives
In this lab, you will assign IP addresses to network devices using DHCP. After completing this activity, you will be able to meet these objectives: Configure a DHCP server Exclude specific IP addresses from DHCP pools Configure a DHCP relay agent
Visual Objective
Visual Objective for Lab 4-2: Configuring DHCP Server

Configure the DHCP server Branch DHCP Server Configure the DHCP relay agent SW1 Configure DHCP clients PC2 SW2
PC1
Required Resources
Command List
Cisco Commands
Command default-router address dns-server address ip dhcp excluded-address ip-address [last-ip-address] ip dhcp pool name ip helper-address address lease {days [hours] [minutes] | infinite} Description Specifies the IP address of the default router for a DHCP client. Specifies the IP address of the DNS server that is available to a DHCP client. Specifies the IP addresses that a DHCP server should not assign to a DHCP client. Configures a DHCP address pool and enters DCHP configuration mode. Enables forwarding of broadcasts that are received on the interface to the specified IP address. Specifies the duration of the lease. The default is a one-day lease.
Command network network-number [mask | prefix-length] show ip dhcp binding show ip interface brief show running-config
Description Defines addresses in the DHCP pool. Optionally, defines the subnet mask or prefix length. Either of these parameters determines which portion of the specified network number refers to the network part. Displays a list of all DHCP address bindings. Displays a brief summary of the IP information and status of an interface. Displays the running configuration.

Command ping ip_address ipconfig {/all} ipconfig /release ipconfig /renew Description Issues a ping to the specified IP address. Displays IP address information. Uses option /all to display all details. Releases the DHCP leases. Renews all network adapters and initiates a DHCP discover message if DHCP is enabled on the interface.
Job Aids
Device Branch Headquarter s SW1 SW2 PC1 PC2 Hardware Cisco 2901 Integrated Services Router Cisco 2901 Integrated Services Router Catalyst 2960 Series Switch Catalyst 2960 Series Switch Any PC Any PC Operating System c2900-universalk9-mz.SPA.152-4.M1 c2900-universalk9-mz.SPA.152-4.M1 c2960-lanbasek9-mz.150-1.SE3 c2960-lanlitek9-mz.150-1.SE3 Microsoft Windows 7 Microsoft Windows 7
The table shows the usernames and passwords that are used to access the lab equipment.
Device PC1 PC2 Branch (console access) Branch (enable password) SW1 (console access) SW1 (enable password) Username Administrator Administrator ccna / ccna / Password admin admin cisco cisco cisco cisco
Lab Guide
L-127

Gi0/1
Branch 209.165.201.1
Gi0/0VLAN 1:10.1.1.1 Gi0/0.10VLAN 10: 10.1.10.1 Gi0/0.20VLAN 20: 10.1.20.1
Gi0/1 209.165.201.2
DHCP Server
172.16.1.100
HQ
Fa0/13
PC1
10.1.10.100
Fa0/1 Fa0/3
SW1
10.1.1.11
Fa0/3
PC2
Fa0/1 10.1.20.100
SW2
10.1.1.12
Device Branch Branch Branch Branch HQ HQ SW1 SW2 PC1 PC2 Interface Gi0/1 Gi0/0.1 Gi0/0.10 Gi0/0.20 Gi0/1 Loopback0 VLAN1 VLAN1 Ethernet adapter local area connection Ethernet adapter local area connection IP Address/Subnet Mask 209.165.201.1/27 10.1.1.1/24 10.1.10.1/24 10.1.20.1/24 209.165.201.2/27 172.16.1.100/24 10.1.1.11/24 10.1.1.12/24 10.1.10.100/24 10.1.20.100/24
VLAN Setup Three VLANs are configured on the switches. VLAN 1 is used for switch management, VLAN 10 is used to connect PC1, and VLAN 20 is used to connect PC2. A trunk is enabled between the switches and between the SW1 switch and the Branch router. The figure illustrates the trunk and VLAN setup.
VLAN Setup
Branch
Trunk VLAN 10
PC1
SW1
VLAN 1
PC2
VLAN 20
SW2
Task 1: Configure DHCP Pools

In this task, you will configure DHCP pools to enable the DHCP server implementation on a router. Activity Procedure Complete the following steps: Step 1 Access the Branch router. Configure a DHCP pool named VLAN 10. The leased addresses should be part of network 10.1.10.0 /24. Step 2 Determine the router interface IP address for VLAN 10 and configure it as a default gateway for DHCP clients. Configure the same IP address for the DNS server.
Branch# show ip interface brief Any interface listed with OK? value "NO" does not have a valid configuration Interface IP-Address OK? Method Status Protocol Embedded-Service-Engine0/0 unassigned YES unset administratively down down GigabitEthernet0/0 10.1.1.1 YES DHCP up up GigabitEthernet0/0.10 10.1.10.1 YES manual up up GigabitEthernet0/0.20 10.1.20.1 YES manual up up GigabitEthernet0/1 209.165.201.1 YES unset administratively down down GigabitEthernet0/2 unassigned YES unset administratively down down NVI0 unassigned NO unset up up Branch#
Lab Guide
L-129
Step 3 Change the default lease time to 2 hours. Step 4 Save the running configuration to the startup configuration on the Branch router. Step 5 Access PC1. Open the network adapter settings and edit the IPv4 settings. Set them to obtain an IP address and DNS address automatically.
Step 6 Verify that PC1 has obtained an IP address dynamically by executing a DHCP verification command on the Branch router.
Branch# show ip dhcp binding Bindings from all pools not associated with VRF: IP address Client-ID/ Lease expiration Hardware address/ User name 10.1.10.2 0100.0c29.8fa8.a6 Oct 25 2012 12:18 PM
Type Automatic
In addition, verify the IP address settings using the command prompt on PC1.
C:\Windows\system32> ipconfig /all <output omitted> Ethernet adapter LAB: Connection-specific DNS Suffix Description . . . . . . . . . . Physical Address. . . . . . . . DHCP Enabled. . . . . . . . . . Autoconfiguration Enabled . . . Link-local IPv6 Address . . . . IPv4 Address. . . . . . . . . . Subnet Mask . . . . . . . . . . Lease Obtained. . . . . . . . . Lease Expires . . . . . . . . . Default Gateway . . . . . . . . DHCP Server . . . . . . . . . . DHCPv6 IAID . . . . . . . . . . DHCPv6 Client DUID. . . . . . . DNS Servers . . . . . . . . . . NetBIOS over Tcpip. . . . . . .
. . . . . . . . . . . . . . . .
: : : : : : : : : : : : : : : :
VMware Accelerated AMD PCNet Adapter #2 00-0C-29-45-32-BE Yes Yes fe80::8c6e:3fe3:ca7e:c7c7%13(Preferred) 10.1.10.2(Preferred) 255.255.255.0 Friday, October 19, 2012 2:39:34 PM Friday, October 19, 2012 4:39:34 PM 10.1.10.1 10.1.10.1 285215785 00-01-00-01-13-3B-A1-51-00-0C-29-87-5C-B5 10.1.10.1 Disabled
Step 7 Configure a DHCP pool for VLAN 20. The leased addresses should be part of network 10.1.20.0 /24. For the DNS server and default gateway, use the router VLAN 20 interface (10.1.20.1). Set the lease time to 12 hours.
Lab Guide
L-131
Step 8 On the Branch router, verify the configured pools by using the show ip dhcp pool verification command.
Branch# show ip dhcp pool Pool VLAN10 : Utilization mark (high/low) : 100 / 0 Subnet size (first/next) : 0 / 0 Total addresses : 254 Leased addresses : 1 Pending event : none 1 subnet is currently in the pool : Current index IP address range 10.1.10.3 10.1.10.1 - 10.1.10.254 Pool VLAN20 : Utilization mark (high/low) : 100 / 0 Subnet size (first/next) : 0 / 0 Total addresses : 254 Leased addresses : 0 Pending event : none 1 subnet is currently in the pool : Current index IP address range 10.1.20.1 - 10.1.20.254 10.1.20.1
Leased addresses 1
Leased addresses 0
Step 9 Access PC2. Open the network adapter settings and edit the IPv4 settings. Set them to obtain an IP address and DNS address automatically. Step 10 Check the DHCP address bindings on the router to verify that PC2 has obtained an IP address dynamically. Activity Verification You have completed this task when you attain these results: Step 1 You verified that both PC1 and PC2 have dynamically assigned IP addresses.
Step 2 You have successfully verified connectivity between the PCs using the ping command:
C:\Windows\system32> ping 10.1.20.2 Pinging 10.1.20.2 with 32 bytes of data: Reply from 10.1.20.2: bytes=32 time=30ms TTL=127 Reply from 10.1.20.2: bytes=32 time=1ms TTL=127 Reply from 10.1.20.2: bytes=32 time=1ms TTL=127 Reply from 10.1.20.2: bytes=32 time=1ms TTL=127 Ping statistics for 10.1.20.2: Packets: Sent = 4, Received = 4, Lost = 0 (0% loss), Approximate round trip times in milli-seconds: Minimum = 1ms, Maximum = 30ms, Average = 8ms
Task 2: Exclude Specific IP Addresses from DHCP Pools

The configured DHCP server can assign any valid IP address from the pool to DHCP clients. Commonly, certain IP addresses within the subnet that are assigned to the DCHP pool are configured manually on some end hosts, such as servers or printers. In this task, you will configure DHCP to limit the valid IP addresses within the pool to the desired uses. Activity Procedure Complete the following steps: Step 1 On the Branch router, change the configuration of the DHCP server to assign IP addresses to DHCP clients only from x.x.x.100 to x.x.x.150 within the configured pools. Step 2 Save the running configuration to the startup configuration on the Branch router. Step 3 To verify the DHCP configuration, connect to PC1, enter the command prompt, and release the existing DHCP lease with the ipconfig /release command. Repeat this step on PC2. Step 4 Instruct PC1 to request new a DCHP lease by issuing the ipconfig /renew command. Repeat this step on PC2.
Lab Guide
L-133
Activity Verification You have completed this task when you have attained this result: Step 1 On the Branch router, verify that PC1 and PC2 have been assigned new IP addresses:
Branch# show ip dhcp binding Bindings from all pools not associated with VRF: IP address Client-ID/ Lease expiration Hardware address/ User name 10.1.10.100 0100.0c29.4532.be Oct 19 2012 03:39 PM 10.1.20.100 0100.0c29.8807.34 Oct 20 2012 01:24 AM
Type Automatic Automatic
Task 3: Configure DHCP Relay Agent

In this task, you will reconfigure the Branch router to support a centralized DHCP server. Activity Procedure Complete the following steps: Step 1 Access the Branch router and remove the DHCP server configuration. Step 2 Verify that no DHCP server configuration is present on the Branch router by using a DHCP pool show command.
Branch# show ip dhcp pool Branch#
Step 3 Configure a DHCP relay agent on the Branch router to forward DHCP messages to a centralized DHCP server with IP address 172.16.1.100. Configure the relay agent on both logical subinterfaces, which are part of VLAN 10 and VLAN 20. Step 4 Save the running configuration to the startup configuration on the Branch router. Step 5 Access PC1 and release the current DHCP lease.
Step 6 Renew the DHCP lease using the ipconfig /renew command and verify that PC1 has dynamically obtained an IP address from the 10.1.10.20010.1.10.254 range.
C:\Windows\system32> ipconfig Windows IP Configuration Ethernet adapter LAB: Connection-specific DNS Suffix Link-local IPv6 Address . . . . IPv4 Address. . . . . . . . . . Subnet Mask . . . . . . . . . . Default Gateway . . . . . . . . <output omitted>
. . . . .
: : : : :
fe80::1844:cd29:1d13:1905%13 10.1.10.200 255.255.255.0 10.1.10.1
Step 7 Renew the DHCP lease using the ipconfig /renew command and verify that PC2 has dynamically obtained an IP address from the 10.1.20.20010.1.20.254 range.
C:\Windows\system32> ipconfig /all <output omitted> Ethernet adapter LAB: Connection-specific DNS Suffix Description . . . . . . . . . . Physical Address. . . . . . . . DHCP Enabled. . . . . . . . . . Autoconfiguration Enabled . . . Link-local IPv6 Address . . . . IPv4 Address. . . . . . . . . . Subnet Mask . . . . . . . . . . Lease Obtained. . . . . . . . . Lease Expires . . . . . . . . . Default Gateway . . . . . . . . DHCP Server . . . . . . . . . . <output omitted>
. . . . . . . . . . . .
: : : : : : : : : : : :
VMware Accelerated AMD PCNet Adapter #2 00-0C-29-50-EB-9D Yes Yes fe80::b423:4279:f330:b1f5%13(Preferred) 10.1.20.200 255.255.255.0 Tuesday, October 23, 2012 11:04:21 AM Tuesday, October 23, 2012 11:04:21 PM 10.1.20.1 209.165.201.2
Task 4: Manually Assign IP Addresses

In this task, you will manually assign IP addresses on both PCs. Activity Procedure Complete the following steps:
Lab Guide
L-135
Step 1 Access both PCs and edit the IPv4 network settings. Manually set the parameters according to the table.
IP Addressing
Device PC1 PC2 IP Address 10.1.10.100 10.1.20.100 Subnet Mask 255.255.255.0 255.255.255.0 Default Gateway 10.1.10.1 10.1.20.1
On PC1:
On PC2:
Step 2 To verify the manual settings, use the ping command to verify connectivity between PC1 and PC2.
Lab Guide
L-137

Activity Overview
Objectives
After completing this activity, you will be able to meet these objectives: Configure a WAN interface Configure OSPF
Visual Objective
Visual Objective for Lab 4-3: Implementing OSPF

Branch HQ Server
PC1
SW1
PC2
SW2

Change IP addressing
Branch
WAN HQ Configure OSPF
Server
PC1
SW1
Required Resources
Command List
Cisco Commands
Command interface interface ip address ip_address network_mask router ospf process_id Description Enters interface configuration mode. Sets an IP address, along with the subnet mask, on an interface. Enters interface configuration mode to issue this command. Starts the OSPF routing process with the specified process ID. The process ID is of local significance, so two routers can have different process IDs and still become neighbors. Shows a brief version of the operational state and IP information of all interfaces. Displays interface information that is related to OSPF. Shows all OSPF neighbors of the router. Displays the IP route table.
show ip interfaces brief show ip ospf interface show ip ospf neighbor show ip route

Command ping ip_address Description Issues a ping to the specified IP address.
Job Aids
Device Branch Headquarter s SW1 SW2 PC1 PC2 Hardware Cisco 2901 Integrated Services Router Cisco 2901 Integrated Services Router Catalyst 2960 Series Switch Catalyst 2960 Series Switch Any PC Any PC Operating System c2900-universalk9-mz.SPA.152-4.M1 c2900-universalk9-mz.SPA.152-4.M1 c2960-lanbasek9-mz.150-1.SE3 c2960-lanlitek9-mz.150-1.SE3 Microsoft Windows 7 Microsoft Windows 7
Lab Guide
L-141
Device PC1 PC2 Branch (console access) Branch (enable password) SW1 (console access) SW1 (enable password)
Username Administrator Administrator ccna / ccna /
Password admin admin cisco cisco cisco cisco
Topology and IP Addressing Devices are connected with Ethernet and serial connections. The figure illustrates the interface identification and IP addresses that are used in this lab setup.

Gi0/1 .1.1 192.168.1.1 Gi0/1 192 192.168.1.2
Branch
VLAN1 - 10.1.1.1 VLAN10 - 10.1.10.1 VLAN20 - 10.1.20.1 Gi0/0 Fa0/13
WAN HQ
Server
172.16.1.100
PC1
Fa0/1 10.1.10.100
SW1
Device Branch Branch Branch Branch Headquarters Headquarters SW1 PC1 Interface Gi0/1 Gi0/0.1 Gi0/0.10 Gi0/0.20 Gi0/1 Loopback0 VLAN1 Ethernet adapter local area connection IP Address/Subnet Mask 192.168.1.1/24 10.1.1.1/24 10.1.10.1/24 10.1.20.1/24 192.168.1.2/24 172.16.1.100/24 10.1.1.11/24 10.1.10.100/24
VLAN Setup Three VLANs are configured on the switch. VLAN 1 is used for switch management, VLAN 10 is used to connect PC1. VLAN 20 is used to connect PC2, which is not used in this lab exercise.
VLAN Setup
Branch
Trunk VLAN 10
PC1 SW1
VLAN 1
Task 1: Connect the Router to the WAN

In this task, you will disconnect the Branch router from the Internet by removing DHCP and NAT configuration from the GigabitEthernet0/1 interface. You will use this link for WAN Ethernet connectivity instead. You will configure the interface for WAN connectivity by setting a private IP address on the interface. The Headquarters router has been already preconfigured for WAN connectivity. Activity Procedure Complete the following step: Step 1 Access the Branch router. Step 2 Remove DHCP and NAT configuration from the GigabitEthernet0/1 interface. Step 3 Configure IP address 192.168.1.1 with network mask 255.255.255.0 on the GigabitEthernet0/1 interface. Activity Verification You have completed this task when you attain these results:
Lab Guide
L-143
Step 1 On the Branch router, verify the operational state of interface GigabitEthernet0/1. Verify that the interface is configured with the correct IP address.
Branch# show ip interfaces brief Any interface listed with OK? value "NO" does not have a valid configuration Interface IP-Address OK? Method Status Protocol Embedded-Service-Engine0/0 unassigned YES unset administratively down down GigabitEthernet0/0 unassigned YES unset up up GigabitEthernet0/0.1 10.1.1.1 YES manual up up GigabitEthernet0/0.10 10.1.10.1 YES manual up up GigabitEthernet0/0.20 10.1.20.1 YES manual up up GigabitEthernet0/1 192.168.1.1 YES manual up up Serial0/0/0 unassigned YES unset administratively down down NVI0 unassigned NO unset up up
Step 2 From the Branch router, ping the Headquarters router at 192.168.1.2. Your attempt should be successful.
Branch# ping 192.168.1.2 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 192.168.1.2, timeout is 2 seconds: !!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 56/56/56 ms
Step 3 From PC1, ping the server with the 172.16.1.100 IP address. Your attempt should not be successful because the Headquarters router does not have a path back to the 10.1.10.0/24 network.
C:\Users\Administrator> ping 172.16.1.100 Pinging 172.16.1.100 with 32 bytes of data: Request timed out. Request timed out. Request timed out. Request timed out. Ping statistics for 172.16.1.100: Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Task 2: Configure OSPF

The Headquarters router was configured with OSPF by your coworker. In this task, you will configure OSPF on the Branch router. The two routers will then become neighbors and exchange routing information. Activity Procedure Complete the following steps:
Step 1 On the Branch router, enable single-area OSPF (area 0) and configure it so that it advertises networks 10.1.1.0/24, 10.1.10.0/24, 10.1.20.0./24, and 192.168.1.0/24. The Headquarters router was already configured with OSPF by your colleague. Activity Verification You have completed this task when you attain these results: Step 1 On the Branch router, determine whether you see the Headquarters router as a neighbor. The Headquarters router is configured with the router ID of 1.1.1.1.
Branch# show ip ospf neighbor Neighbor ID Pri State 1.1.1.1 1 FULL/BDR
Dead Time 00:00:35
Address 192.168.1.2
Interface GigabitEthernet0/1
Step 2 On the Branch router, verify that GigabitEthernet0/0.1, GigabitEthernet0/0.10, GigabitEthernet0/0.20, and GigabitEthernet0/1 are enabled for the OSPF process.
Branch# show InterGice Gi0/1 Gi0/0.20 Gi0/0.10 Gi0/0.1 ip ospf interface brief PID Area IP Address/Mask 100 0 192.168.1.1/24 100 0 10.1.20.1/24 100 0 10.1.10.1/24 100 0 10.1.1.1/24
Cost 1 1 1 1
State DR DR DR DR
Nbrs F/C 1/1 0/0 0/0 0/0
Lab Guide
L-145
Step 3 On the Branch router, view the routing table. Note the entry for the 172.16.1.0/24 network that was acquired via the OSPF routing process.
Branch# show ip route Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2 E1 - OSPF external type 1, E2 - OSPF external type 2 i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2 ia - IS-IS inter area, * - candidate default, U - per-user static route o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP + - replicated route, % - next hop override Gateway of last resort is 0.0.0.0 to network 0.0.0.0 S* 0.0.0.0/0 is directly connected, GigabitEthernet0/1 10.0.0.0/8 is variably subnetted, 6 subnets, 2 masks C 10.1.1.0/24 is directly connected, GigabitEthernet0/0.1 L 10.1.1.1/32 is directly connected, GigabitEthernet0/0.1 C 10.1.10.0/24 is directly connected, GigabitEthernet0/0.10 L 10.1.10.1/32 is directly connected, GigabitEthernet0/0.10 C 10.1.20.0/24 is directly connected, GigabitEthernet0/0.20 L 10.1.20.1/32 is directly connected, GigabitEthernet0/0.20 172.16.0.0/32 is subnetted, 1 subnets O 172.16.1.100 [110/2] via 192.168.1.2, 00:07:00, GigabitEthernet0/1 192.168.1.0/24 is variably subnetted, 2 subnets, 2 masks C 192.168.1.0/24 is directly connected, GigabitEthernet0/1 L 192.168.1.1/32 is directly connected, GigabitEthernet0/1
Step 4 From PC1, ping the 172.16.1.100 server. Your attempt should be successful because the HQ router now knows how to get back to the 10.1.10.0/24 network.
C:\Users\Administrator>ping 172.16.1.100 Pinging 172.16.1.100 with 32 bytes of data: Reply from 172.16.1.100: bytes=32 time=44ms TTL=128 Reply from 172.16.1.100: bytes=32 time=41ms TTL=128 Reply from 172.16.1.100: bytes=32 time=36ms TTL=128 Reply from 172.16.1.100: bytes=32 time=36ms TTL=128 Ping statistics for 172.16.1.100: Packets: Sent = 4, Received = 4, Lost = 0 (0% loss), Approximate round trip times in milli-seconds: Minimum = 36ms, Maximum = 44ms, Average = 39ms

Activity Overview
Objectives
In this activity, you will enable IPv6 globally and manually configure an IPv6 address on the interface. After completing this lab activity, you will be able to meet this objective: Enable IPv6 support on a router and perform basic configuration
Visual Objective
Visual Objective for Lab 5-1: Configure and Verify Basic IPv6
Branch HQ Server
PC1
SW1
PC2
SW2

Configure and verify basic IPv6
Branch
HQ
Required Resources
Command List
The table describes the commands that are used in this activity. The commands are listed in alphabetical order so that you can easily locate the information that you need. Refer to this list if you need configuration or verification Cisco IOS command assistance during the lab activity.
Commands
Command configure terminal exit interface interface ipv6 address ipv6_address/ipv6_mask ipv6 unicast-routing ping destination_address show ipv6 interface interface telnet ip_address traceroute ip_address Description Enters configuration mode Exits from the Telnet session Enters interface configuration mode Configures IPv6 address to the interface Enables IPv6 forwarding support on the router Pings the specified IP address Displays IPv6 status on the interface Uses Telnet to connect to the specified IP address Traces to the specified IP address
Job Aids
Device Branch HQ Hardware Cisco 2901 Integrated Services Router Cisco 2901 Integrated Services Router Operating System c2900-universalk9-mz.SPA.152-4.M1 c2900-universalk9-mz.SPA.152-4.M1
Device Branch (console access) Branch (enable password) Username ccna / Password cisco cisco
Topology and IP Addressing Devices are connected with an Ethernet connection. The figure illustrates IP addresses that are used in this lab setup.
Lab Guide
L-149

Server Branch HQ
2001:DB8:AC10:100::64
2001:DB8:D1A5:C900::1
Internet
2001:DB8:D1A5:C900::2
Device Branch HQ HQ Interface Gi0/1 Gi0/1 Loopback0 IP Address/Subnet Mask 2001:DB8:D1A5:C900::1/64 2001:DB8:D1A5:C900::2/64 2001:DB8:AC10:100::64/64
Task 1: Enable IPv6 on the Router

In this task, you will enable IPv6 globally and manually configure an IPv6 address on the interface. The HQ router is already configured with an IPv6 address on the Gigabit Ethernet interface. Activity Procedure Complete the following steps: Step 1 On the Branch router, enable IPv6 unicast routing. Step 2 On the Branch router, configure an IPv6 address on the GigabitEthernet0/1 interface. Step 3 Save the running configuration to the startup configuration.
Activity Verification You have completed this task when you attain this result: Step 1 On the Branch router, verify IPv6 setup on the GigabitEthernet 0/1 interface.
Branch#show ipv6 interface GigabitEthernet 0/1 GigabitEthernet0/1 is up, line protocol is up IPv6 is enabled, link-local address is FE80::FE99:47FF:FEE5:2599 No Virtual link-local address(es): Description: Link to HQ Global unicast address(es): 2001:DB8:D1A5:C900::1, subnet is 2001:DB8:D1A5:C900::/64 Joined group address(es): FF02::1 FF02::2 FF02::1:FF00:1 FF02::1:FFE5:2599 MTU is 1500 bytes ICMP error messages limited to one every 100 milliseconds ICMP redirects are enabled ICMP unreachables are sent ND DAD is enabled, number of DAD attempts: 1 ND reachable time is 30000 milliseconds (using 30000) ND advertised reachable time is 0 (unspecified) ND advertised retransmit interval is 0 (unspecified) ND router advertisements are sent every 200 seconds ND router advertisements live for 1800 seconds ND advertised default router preference is Medium Hosts use stateless autoconfig for addresses.
The GigabitEthernet0/1 interface is up and running. An IPv6 address is successfully enabled on the interface. Step 2 On the Branch router, ping the HQ router GigabitEthernet0/1 interface (2001:DB8:D1A5:C900::2). The ping should be successful.
Branch#ping 2001:db8:D1A5:C900::2 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 2001:DB8:D1A5:C900::2, timeout is 2 seconds: !!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 0/1/4 ms
Lab Guide
L-151
Step 3 On the Branch router, trace route to the IPv6 address 2001:DB8:D1A5:C900::2. You should see a response from the HQ router.
Branch#traceroute 2001:db8:D1A5:C900::2 Type escape sequence to abort. Tracing the route to 2001:DB8:D1A5:C900::2 1 2001:DB8:D1A5:C900::2 0 msec 4 msec 0 msec
Step 4 From the Branch router, use Telnet to connect to IPv6 address 2001:DB8:D1A5:C900::2. You should see a successful Telnet to the HQ router.
Branch#telnet 2001:db8:D1A5:C900::2 Trying 2001:DB8:D1A5:C900::2 ... Open HQ#
Disconnect from the HQ router by performing the exit command.

HQ#exit [Connection to 2001:db8:D1A5:C900::2 closed by foreign host] Branch#

Activity Overview
Objectives
In this activity, you will enable stateless autoconfiguration. After completing this lab activity, you will be able to meet this objective: Configure and verify stateless autoconfiguration
Visual Objective
Visual Objective for Lab 5-2: Configure and Verify Stateless Autoconfiguration
Branch HQ Server
PC1
SW1
PC2
SW2

Enable and verify IPv6 stateless autoconfiguration
Branch
HQ
Required Resources
Command List
Commands
Command configure terminal exit interface interface ipv6 address autoconfig ping destination_address show ipv6 interface interface telnet ip_address traceroute ip_address Description Enters configuration mode Exits from the Telnet session Enters interface configuration mode Enables IPv6 autoconfiguration on the interface Pings the specified IP address Displays IPv6 status on the interface Uses Telnet to connect to the specified IP address Traces to the specified IP address
Job Aids
Lab Guide
L-155

Server Branch HQ
2001:DB8:AC10:100::64
2001:DB8:D1A5:C900::1
Internet
2001:DB8:D1A5:C900::2
Task 1: Enable Stateless Autoconfiguration on the Router

In this task, you will first remove a configured IPv6 address from the interface and then configure stateless autoconfiguration on the interface. The HQ router is already configured with the IPv6 address on the Gigabit Ethernet interface. Activity Procedure Complete the following steps:
Step 1 On the Branch router, verify the current GigabitEthernet 0/1 configuration.
Branch# show running-config interface GigabitEthernet 0/1 Building configuration... Current configuration : 166 bytes ! interface GigabitEthernet0/1 description Link to HQ ip address 209.165.201.1 255.255.255.224 duplex auto speed auto ipv6 address 2001:DB8:D1A5:C900::1/64 end
There is an IPv6 address that is configured on the interface. Step 2 On the Branch router, remove the IPv6 address from the GigabitEthernet 0/1 interface. Step 3 On the Branch router, configure stateless autoconfiguration on the GigabitEthernet 0/1 interface. Activity Verification You have completed this task when you attain these results:
Lab Guide
L-157
Step 1 On the Branch router, verify the IPv6 setup on the GigabitEthernet 0/1 interface.
Branch# show ipv6 interface GigabitEthernet 0/1 GigabitEthernet0/1 is up, line protocol is up IPv6 is enabled, link-local address is FE80::FE99:47FF:FEE5:2599 No Virtual link-local address(es): Description: Link to HQ Stateless address autoconfig enabled Global unicast address(es): 2001:DB8:D1A5:C900:FE99:47FF:FEE5:2599, subnet is 2001:DB8:D1A5:C900::/64 [EUI/CAL/PRE] valid lifetime 2591996 preferred lifetime 604796 Joined group address(es): FF02::1 FF02::2 FF02::1:FFE5:2599 MTU is 1500 bytes ICMP error messages limited to one every 100 milliseconds ICMP redirects are enabled ICMP unreachables are sent ND DAD is enabled, number of DAD attempts: 1 ND reachable time is 30000 milliseconds (using 30000) ND advertised reachable time is 0 (unspecified) ND advertised retransmit interval is 0 (unspecified) ND router advertisements are sent every 200 seconds ND router advertisements live for 1800 seconds ND advertised default router preference is Medium Hosts use stateless autoconfig for addresses.
The GigabitEthernet 0/1 interface is up and running. The IPv6 address is successfully set on the interface. The IPv6 prefix is the same as what is configured on the HQ router, and the host portion of the IPv6 address is calculated from the GigabitEthernet 0/1 interface MAC address. Step 2 On the Branch router, ping the HQ router GigabitEthernet0/1 interface (2001:DB8:D1A5:C900::2). The ping should be successful.
Branch# ping 2001:db8:D1A5:C900::2 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 2001:DB8:D1A5:C900::2, timeout is 2 seconds: !!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 0/1/4 ms
Step 3 On the Branch router, trace route to the IPv6 address 2001:DB8:D1A5:C900::2. You should see a response from the HQ router.
Branch# traceroute 2001:db8:D1A5:C900::2 Type escape sequence to abort. Tracing the route to 2001:DB8:D1A5:C900::2 1 2001:DB8:D1A5:C900::2 0 msec 4 msec 0 msec
Lab Guide
L-159

Activity Overview
Objectives
In this activity, you will configure and verify IPv6 routing by enabling static routing and OSPFv3. After completing this lab activity, you will be able to meet these objectives: Enable and verify static routing Enable and verify OSPFv3
Visual Objective
Visual Objective for Lab 5-3: Configure and Verify IPv6 Routing
Branch HQ Server
PC1
SW1
PC2
SW2

Configure IPv6 default route Enable OSPFv3
Server
Branch
HQ
Required Resources
Command List
Commands
Command configure terminal interface interface ipv6 ospf process_ID area area_ID [no] ipv6 route ::/0 interface next_hop ipv6 router ospf process_ID ping destination_address router-id router-id show ipv6 ospf show ipv6 ospf neighbor show ipv6 route Description Enters configuration mode. Enters interface configuration mode. Enables OSPFv3 routing on the interface. Enables or disables the IPv6 default route. Enables OSPFv3 and enters routing process mode. Pings the specified IP address. Configures the OSPFv3 router ID. The router ID is 32-bit value, written in the IPv4 form (x.x.x.x). Displays OSPFv3 settings. Displays OSPFv3 neighbors. Displays the IPv6 routing table.
Job Aids
Lab Guide
L-163

Server Branch HQ
2001:DB8:AC10:100::64
2001:DB8:D1A5:C900::1
Internet
2001:DB8:D1A5:C900::2
Task 1: Enable IPv6 Static Routing

In this task, you will configure the IPv6 default route on the Branch router. Activity Procedure Complete the following steps: Step 1 On the Branch router, verify IPv6 connectivity to the server at 2001:DB8:AC10:100::64.
Branch# ping 2001:DB8:AC10:100::64 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 2001:DB8:AC10:100::64, timeout is 2 seconds: % No valid source address for destination Success rate is 0 percent (0/1)
The ping is not successful because there is no valid route for network 2001:DB8:AC10:100::/64 in the routing table.
Step 2 On the Branch router, verify the IPv6 routing table.

Branch# show ipv6 route IPv6 Routing Table - default - 3 entries Codes: C - Connected, L - Local, S - Static, U - Per-user Static route B - BGP, R - RIP, I1 - ISIS L1, I2 - ISIS L2 IA - ISIS interarea, IS - ISIS summary, D - EIGRP, EX - EIGRP external ND - Neighbor Discovery, l - LISP O - OSPF Intra, OI - OSPF Inter, OE1 - OSPF ext 1, OE2 - OSPF ext 2 ON1 - OSPF NSSA ext 1, ON2 - OSPF NSSA ext 2 NDp 2001:DB8:D1A5:C900::/64 [2/0] via GigabitEthernet0/1, directly connected L 2001:DB8:D1A5:C900:FE99:47FF:FEE5:2599/128 [0/0] via GigabitEthernet0/1, receive L FF00::/8 [0/0] via Null0, receive
From the IPv6 routing table output, you can confirm there is no route for a desirable network. Step 3 On the Branch router, configure a default IPv6 route pointing to the HQ router. Activity Verification You have completed this task when you attain these results: Step 1 On the Branch router, ping the server at 2001:DB8:AC10:100::64. The ping should be successful.
Branch# ping 2001:DB8:AC10:100::64 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 2001:DB8:AC10:100::64, timeout is 2 seconds: !!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 0/1/8 ms
Lab Guide
L-165
Step 2 On the Branch router, verify the IPv6 routing table.

Branch# show ipv6 route IPv6 Routing Table - default - 4 entries Codes: C - Connected, L - Local, S - Static, U - Per-user Static route B - BGP, R - RIP, I1 - ISIS L1, I2 - ISIS L2 IA - ISIS interarea, IS - ISIS summary, D - EIGRP, EX - EIGRP external ND - Neighbor Discovery, l - LISP O - OSPF Intra, OI - OSPF Inter, OE1 - OSPF ext 1, OE2 - OSPF ext 2 ON1 - OSPF NSSA ext 1, ON2 - OSPF NSSA ext 2 S ::/0 [1/0] via 2001:DB8:D1A5:C900::2, GigabitEthernet0/1 NDp 2001:DB8:D1A5:C900::/64 [2/0] via GigabitEthernet0/1, directly connected L 2001:DB8:D1A5:C900:FE99:47FF:FEE5:2599/128 [0/0] via GigabitEthernet0/1, receive L FF00::/8 [0/0] via Null0, receive
There is still no route for network 2001:DB8:AC10:100::/64, but there is a static default route. The Branch router uses the default route to reach IPv6 networks that are not present in the routing table.
Task 2: Enable OSPFv3

In this task, you will first remove the default IPv6 route that is configured in the previous task, and you will enable OSPFv3. The HQ router is already configured with OSPFv3. Activity Procedure Complete the following steps: Step 1 On the Branch router, remove the static IPv6 default route. Step 2 On the Branch router, enable OSPFv3 with process ID 1 and router ID 0.0.0.2. Step 3 On the Branch router, enable OSPFv3 area 0 on the GigabitEthernet0/1 interface. Activity Verification You have completed this task when you attain these results:
Step 1 On the Branch router, observe the output on the console.

Nov 14 10:13:05.399: %OSPFv3-5-ADJCHG: Process 1, Nbr 0.0.0.1 on GigabitEthernet0/1 from LOADING to FULL, Loading Done
The OSPFv3 adjacency between the Headquarters and Branch routers is established. Step 2 On the Branch router, display the OSPFv3 neighbor.
Branch# show ipv6 ospf neighbor Neighbor ID Pri State 0.0.0.1 1 FULL/DR
Dead Time 00:00:39
Interface ID 4
The Branch router has an active OSPFv3 neighborship to the router with router ID 0.0.0.1. The HQ router is using OSPFv3 router ID 0.0.0.1. Step 3 On the Branch router, display the OSPFv3 setup.
Branch# show ipv6 ospf Routing Process "ospfv3 1" with ID 0.0.0.2 Event-log enabled, Maximum number of events: 1000, Mode: cyclic < output omitted >
The OSPFv3 on the Branch router is using process ID 1 and router ID 0.0.0.2.
Lab Guide
L-167
Step 4 On the Branch router, display the IPv6 routing table.

Branch# show ipv6 route IPv6 Routing Table - default - 4 entries Codes: C - Connected, L - Local, S - Static, U - Per-user Static route B - BGP, R - RIP, I1 - ISIS L1, I2 - ISIS L2 IA - ISIS interarea, IS - ISIS summary, D - EIGRP, EX - EIGRP external ND - Neighbor Discovery, l - LISP O - OSPF Intra, OI - OSPF Inter, OE1 - OSPF ext 1, OE2 - OSPF ext 2 ON1 - OSPF NSSA ext 1, ON2 - OSPF NSSA ext 2 O 2001:DB8:AC10:100::/64 [110/2] via FE80::FE99:47FF:FEE5:2551, GigabitEthernet0/1 NDp 2001:DB8:D1A5:C900::/64 [2/0] via GigabitEthernet0/1, directly connected L 2001:DB8:D1A5:C900:FE99:47FF:FEE5:2599/128 [0/0] via GigabitEthernet0/1, receive L FF00::/8 [0/0] via Null0, receive
Observe the OSPFv3 route to network 2001:DB8:AC10:100::/64. Step 5 On the Branch router, verify connectivity to IPv6 address 2001:DB8:AC10:100::64.
Branch# ping 2001:DB8:AC10:100::64 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 2001:DB8:AC10:100::64, timeout is 2 seconds: !!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 0/0/4 ms
The ping is successful.

Activity Overview
Objectives
In this activity, you will repeat what you have learned throughout the course. After completing this activity, you will be able to meet these objectives: Configure basic settings, VLANs, trunks, and port security on the Cisco switch Configure inter-VLAN routing Configure Internet connectivity Configure WAN connectivity and dynamic routing protocol Configure IPv6 connectivity in a LAN Configure the OSPFv3 routing protocol
Visual Objective
Visual Objective for Lab S-1: ICND1 Superlab

Configure basic settings and interVLAN routing Branch
Internet/WAN
Configure WAN connectivity
Server HQ
Enable IPv6 connectivity

VLAN 10
Configure Internet connectivity SW1
PC1
VLAN 20
Configure VLANs, trunk, and port security SW2
PC2
Configure VLANs, trunk, and port security
Required Resources
These resources and equipment are required to complete this activity: A PC that is connected to the on-site lab or a PC with Internet connectivity to access the remote lab
Command List
Command access-list acl_id permit network configure terminal crypto key generate rsa delete name deny ip|tcp|udp source_network wildcard mask dst_network wildcard mask enable Description Creates a numbered access list entry. Activates the configuration mode from the terminal. Generates an RSA crypto key pair. Deletes a file from flash memory. Creates a deny access list entry. Activates privileged EXEC mode. In privileged EXEC mode, more commands are available. This command requires you to enter the enable password if an enable password is configured. Configures the enable password in encrypted form.
enable secret password
Command encapsulation dot1Q vlan [native] erase startup-config hostname hostname interface interface interface interface.subinterface ip access-list extended acl_name ip access-group acl_name in|out ip address ip-address subnet-mask ip domain-name domain ip nat inside source list acl_id interface interface overload ip nat inside ip nat outside ip route network mask next_hop_ip_address ip ssh version 2 ipv6 address ipv6-address/prefix_length ipv6 ospf process_id area area_id ipv6 router ospf process_id ipv6 unicast-routing line console 0 line vty start_line end_line logging synchronous login login local network network wildcard_mask area area_id password permit ip|tcp|udp source_network wildcard mask dst_network wildcard mask ping ip_address reload router ospf process_id
Description Sets the encapsulation type and VLAN on a subinterface on a router. Erases the startup configuration that is stored in nonvolatile memory. Sets the system name, which forms part of the prompt. Enters the interface configuration mode. Enters the subinterface configuration mode. Creates an extended, named ACL. Applies an extended ACL to an interface in the inbound or outbound direction. Sets the IP address and mask on an interface. Sets a domain name. Configures dynamic NAT with PAT. Configures an interface as NAT inside. Configures an interface as NAT outside. Configures a static route (including a default route). Enables SSH version 2. Sets the IPv6 address and prefix length on an interface. Enables an interface for OSPFv3 in an area. Creates the OSPFv3 process. Enables IPv6 routing on a router. Enters the line console configuration mode. Enters the virtual lines configuration mode. Enables synchronous logging on a line. Enables verification of a password on a line. Enables verification of a username and password on a line. Configures a router to advertise a network through OSPF. Sets the password on a line. Creates a permit access list entry. Pings a destination IP address. Restarts the switch and reloads the Cisco IOS operating system and configuration. Creates the OSPF process.
Lab Guide
L-171
Command show interfaces interface show interfaces interface switchport show interfaces interface trunk show ip access-lists show ip interface brief show ip route show ipv6 interface interface show ipv6 ospf show ipv6 neighbors show ipv6 route show ip nat translations show ip ospf neighbors show ipv6 ospf neighbors show mac address-table show users show port-security interface interface shutdown switchport access vlan vlan switchport mode access | trunk switchport port-security switchport port-security violation protect switchport port-security maximum number switchport port-security mac-address mac_address switchport trunk allowed vlan vlans telnet ip_address transport input ssh telnet username username password password vlan vlan_id
Description Displays the status of an interface. Displays the switchport status of a port. Displays the trunking status of a port. Displays configured access lists and hit counts. Displays the brief status of interfaces and their IP addresses. Displays the routing table. Displays IPv6 settings and status on an interface. Displays OSPFv3 settings on a router. Displays the IPv6 neighbor discovery table. Displays the IPv6 routing table. Displays the NAT table. Displays OSPF neighbors. Displays OSPFv3 neighbors. Displays the MAC address table on a switch. Displays users that are currently logged to a router. Displays port security information on an interface. Shuts down an interface. Uses the no version of the command to enable the interface. Specifies an access VLAN on a switchport. Configures a switchport as an access or trunk. Enables port security on a switchport. Configures the port security violation to protect. Specifies the maximum number of MAC addresses that can be seen on a port when port security is enabled. Manually defines MAC addresses that are allowed on a switchport when port security is enabled. Specifies allowed VLANs on a trunk link. Uses Telnet to connect to a destination IP address. Allows Telnet and SSH on virtual lines. Creates a user account in the local user database. Creates a VLAN on a switch.
Job Aids
Device Branch HQ SW1 SW2 PC1 PC2
Hardware Cisco 2901 Integrated Services Router Cisco 2901 Integrated Services Router Catalyst 2960 Series Switch Catalyst 2960 Series Switch Any PC Any PC
Operating System c2900-universalk9-mz.SPA.152-4.M1 c2900-universalk9-mz.SPA.152-4.M1 c2960-lanbasek9-mz.150-1.SE3 c2960-lanlitek9-mz.150-1.SE3 Microsoft Windows 7 Microsoft Windows 7
Topology and IP Addressing Devices are connected with Ethernet and serial connections. The figure illustrates the interface identification and IP addresses that will be used in this lab.

Branch
VLAN 110.1.1.1 VLAN 1010.1.10.1 Gi0/0 VLAN 2010.1.20.1 Fa0/13 Gi0/1 209.165.201.1 192.168.1.1 Gi0/1 209.165.201.2 192.168.1.2
Server
172.16.1.100
Internet HQ
PC1
10.1.10.100
Fa0/1 Fa0/3
SW1
10.1.1.11
Fa0/3
PC2
Fa0/1 10.1.20.100
SW2
10.1.1.12
The table shows the interface identification and IP addresses that will be used in this lab setup.
Device Branch Branch Branch Branch Branch HQ HQ SW1 Interface Looback10 Gi0/0.1 (VLAN1) Gi0/0.10 (VLAN10) Gi0/0.20 (VLAN20) Gi0/1 Gi0/1 Loopback0 VLAN1 IP Address or Subnet Mask 10.100.100.100/32 10.1.1.1/24 10.1.10.1/24 10.1.20.1/24 209.165.201.1/27, 192.168.1.1/24 209.165.201.2/27, 192.168.1.2/24 172.16.1.100/24 10.1.1.11/24
Lab Guide
L-173
Device SW2 PC1 PC2
Interface VLAN1 Ethernet adapter local area connection Ethernet adapter local area connection
IP Address or Subnet Mask 10.1.1.12/24 10.1.10.100/24 10.1.20.100/24
IPv6 Addressing The figure illustrates IPv6 addresses that will be used in this lab.
IPv6 Addressing
Gi0/1 2001:db8 :D1A5:C900::2/64 2001:db8 :C0A8:100::2/64
Branch Internet
VLAN 12001:db8 :0A01:100::1/64 VLAN 102001:db8 :0A01:A00::1/64 VLAN 202001:db8 :0A01:1400::1/64 Gi0/1 2001:db8 :D1A5:C900::1/64 2001:db8 :C0A8:100::1/64
Server
2001:db8 :AC10:100::64/64
HQ
PC1
SW1
PC2
SW2
The table shows the interface identification and IPv6 addresses that will be used in this lab.
Device Branch Branch Branch Branch HQ HQ Interface Gi0/0.1 (VLAN1) Gi0/0.10 (VLAN10) Gi0/0.20 (VLAN20) Gi0/1 Gi0/1 Loopback0 IP Address or Subnet Mask 2001:db8 :0A01:100::1/64 2001:db8 :0A01:A00::1/64 2001:db8 :0A01:1400::1/64 2001:db8 :D1A5:C900::1/64, 2001:db8 :C0A8:100::1/64 2001:db8 :D1A5:C900::2/64, 2001:db8 :C0A8:100::2/64 2001:db8 :AC10:100::64/64
Task 1: Configure Basic Settings, VLANs, Trunks, and Port Security on Switches
In this task, you will first delete the existing configuration from SW1 and SW2 switches and reload them. Then you will configure basic settings on the switches and secure administrative access to the switches. You will also configure VLANs and trunks on the switches and put both PCs into different VLANs. Finally, you will enable port security on the switches to prevent unauthorized access to the LAN. Activity Procedure Complete the following steps: Step 1 Access the SW1 and SW2 switches. Step 2 Delete the startup configuration from the SW1 and SW2 switches. Delete the vlan.dat file from the flash memory of the switches and delete the VLAN information. Reload the switches in order to boot the switches with an empty configuration. Step 3 Configure a hostname (SW1, SW2) on the switches. Step 4 Configure IPv4 addresses on both switches for management purposes. Assign the IP address to the VLAN 1 interface. Use the Job Aids section of the document to determine the IP address for each switch. Enable the VLAN 1 interface. Step 5 Configure the enable password on the SW1 and SW2 switches. Use the command that will store the configured password in encrypted form. Use cisco as a password. Step 6 Secure console access to the switches by enabling the password on the console. Use cisco as a password. Enable synchronous logging on the console to make the input of commands easier. Step 7 Enable SSH version 2 remote access to the SW1 and SW2 switches. Use 1024-bit long RSA keys and cisco.com as the domain name. Allow Telnet and SSH on the virtual lines.
Lab Guide
L-175
Step 8 Create a local user account on the switches that will be used to authenticate users accessing the switches via SSH or Telnet. Use ccna as a username and cisco as a password. Configure the virtual lines for checking the username and password. Step 9 Create two additional VLANs on the switches. Use VLAN 10 and 20. Step 10 Configure a trunk between SW1 and SW2 switches over the FastEthernet0/3 port. Allow only VLANs 1, 10, and 20 on the trunk link. Shut down the FastEthernet0/4 port on both switches. Step 11 On SW1, configure the port connecting to PC1 (FastEthernet0/1) as the access port. Put the port into VLAN 10. Step 12 On SW2, configure the port connecting to PC2 (FastEthernet0/1) as the access port. Put the port into VLAN 20.
Step 13 Access PC1. Use administrator as a username and admin as a password in order to log in. Set the following IP settings on the LAB network adapter:
IP Address 10.1.10.100 Mask 255.255.255.0 Default Gateway 10.1.10.1
Lab Guide
L-177
Step 14 Access PC2. Use administrator as a username and admin as a password in order to log in. Set the following IP settings on the LAB network adapter:
IP Address 10.1.20.100 Mask 255.255.255.0 Default Gateway 10.1.20.1
Step 15 From PC1, which is in VLAN 10, ping the management IP address of SW1 (10.1.1.11) in VLAN 1.
C:\Windows\system32> ping 10.1.1.11 Pinging 10.1.1.11 with 32 bytes of data: Reply from 10.1.10.100: Destination host unreachable. Reply from 10.1.10.100: Destination host unreachable. Reply from 10.1.10.100: Destination host unreachable. Reply from 10.1.10.100: Destination host unreachable. Ping statistics for 10.1.1.11: Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
The ping should be unsuccessful because routing between VLAN 1 and VLAN 10 has not been configured yet. Step 16 From PC2, which is in VLAN 20, ping the management IP address of SW1 (10.1.1.11) in VLAN 1.
C:\Windows\system32> ping 10.1.1.11 Pinging 10.1.1.11 with 32 bytes of data: Reply from 10.1.20.100: Destination host unreachable. Reply from 10.1.20.100: Destination host unreachable. Reply from 10.1.20.100: Destination host unreachable. Reply from 10.1.20.100: Destination host unreachable. Ping statistics for 10.1.1.11: Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
The ping should be unsuccessful because routing between VLAN 1 and VLAN 20 has not been configured yet. Step 17 Return to SW1 and verify the MAC address table. Note the MAC address of PC1 and write it down.
SW1# show mac address-table Mac Address Table ------------------------------------------Vlan Mac Address Type Ports ------------------------All 0100.0ccc.cccc STATIC CPU All 0100.0ccc.cccd STATIC CPU <output omitted> 1 001e.145e.4983 DYNAMIC Fa0/3 1 fc99.47e5.2700 DYNAMIC Fa0/13 10 000c.293b.709d DYNAMIC Fa0/1 10 000f.34f9.9181 DYNAMIC Fa0/1
Lab Guide
L-179
Note
If there is more then one MAC address that is seen on the FastEthernet0/1 interface, go to the PC and determine its MAC address using the ipconfig /all command.
Step 18 Return to SW2 and verify the MAC address table. Note the MAC address of PC2 and write it down.
SW1# show mac address-table Mac Address Table ------------------------------------------Vlan Mac Address Type Ports ------------------------All 0100.0ccc.cccc STATIC CPU All 0100.0ccc.cccd STATIC CPU <output omitted> 1 001e.147c.6f03 DYNAMIC Fa0/3 10 000c.293b.709d DYNAMIC Fa0/3 20 000c.29a8.a05a DYNAMIC Fa0/1 20 000f.34f9.9183 DYNAMIC Fa0/1
Note
If there is more than one MAC address that is seen on the FastEthernet0/1 interface, go to the PC and determine its MAC address using the ipconfig /all command.
Step 19 On the SW1 and SW2 switches, enable port security on the interfaces connecting to the PCs (FastEthernet0/1) in order to allow only PCs to connect to the switches. You should first set up the parameters and then enable port security; otherwise, the port will be shut down due to a port security violation. Use the following port security parameters: Violation action: Protect Maximum MAC addresses: 1 MAC address: PC1 on SW1, PC2 on SW2 Activity Verification Verification of this task will be done after configuration of inter-VLAN routing.
Task 2: Configure Inter-VLAN Routing

In this task, you will first delete the existing configuration from the Branch router and reload it. You will then secure administrative access to the router and configure inter-VLAN routing among VLAN 1, 10, and 20. This way, you will enable connectivity among PC1, PC2, and management IP addresses on the switches. You will implement inter-VLAN routing on the Branch router by establishing a trunk link between the router and SW1 switch. Activity Procedure Complete the following steps:
Step 1 Access the Branch router. Step 2 Delete the startup configuration from the Branch router. Reload the router in order to boot the router with an empty configuration. Step 3 Configure the hostname on the Branch router. Step 4 Configure the enable password on the Branch router. Use the command that will store the configured password in secure encrypted form. Use cisco as a password. Step 5 Secure console access to the router by enabling the password on the console. Use cisco as a password. Enable synchronous logging on the console to make the input of commands easier. Step 6 Secure Telnet access to the router by enabling the password on virtual lines. Use cisco as a password. Step 7 Enable the GigabitEthernet0/0 interface on the Branch router. Create three subinterfaces on the interface and configure them with the following parameters:
Subinterface Identifier GigabitEthernet0/0.1 GigabitEthernet0/0.10 GigabitEthernet0/0.20 VLAN Identifier 1 (native VLAN) 10 20 IP Address/Mask 10.1.1.1/24 10.1.10.1/24 10.1.20.1/24
Step 8 Access the SW1 switch.
Lab Guide
L-181
Step 9 Configure the FastEthernet 0/13 port on the switch as a trunk. Allow only VLANs 1, 10, and 20 on the trunk link. This way, you will enable the switch to send traffic to or from all configured VLANs over the same port toward the Branch router. Activity Verification You have completed this task when you attain this result: Step 1 Verify the switchport status of the FastEthernet0/13 port on the SW1 switch:
SW1# show interfaces FastEthernet0/13 switchport Name: Fa0/13 Switchport: Enabled Administrative Mode: trunk Operational Mode: trunk Administrative Trunking Encapsulation: dot1q Operational Trunking Encapsulation: dot1q Negotiation of Trunking: On Access Mode VLAN: 1 (default) Trunking Native Mode VLAN: 1 (default) Administrative Native VLAN tagging: enabled Voice VLAN: none
You should see that the interface is in trunking mode. Step 2 Verify the switch port status of the FastEthernet0/3 port on the SW1 switch:
SW1# show interfaces FastEthernet0/3 switchport Name: Fa0/3 Switchport: Enabled Administrative Mode: trunk Operational Mode: trunk Administrative Trunking Encapsulation: dot1q Operational Trunking Encapsulation: dot1q Negotiation of Trunking: On Access Mode VLAN: 1 (default) Trunking Native Mode VLAN: 1 (default) Administrative Native VLAN tagging: enabled Voice VLAN: none
You should see that the interface is in trunking mode.
Step 3 Verify the trunking status of the FastEthernet0/3 port on the SW1 switch:
SW1# show interfaces FastEthernet0/3 trunk Port Mode Encapsulation Status Native vlan 802.1q trunking 1 Fa0/3 on Port Vlans allowed on trunk Fa0/3 1,10,20 Port Vlans allowed and active in management domain Fa0/3 1,10,20 Port Vlans in spanning tree forwarding state and not pruned Fa0/3 1,10,20
You should see that the interface is in trunking mode, encapsulation is 802.1q, and VLANs 1, 10, and 20 are active and not pruned. Step 4 Verify the trunking status of the FastEthernet0/3 port on the SW2 switch:
SW2# show interfaces FastEthernet0/3 trunk Port Mode Encapsulation Status Native vlan Fa0/3 on 802.1q trunking 1 Port Vlans allowed on trunk Fa0/3 1,10,20 Port Vlans allowed and active in management domain Fa0/3 1,10,20 Port Vlans in spanning tree forwarding state and not pruned Fa0/3 1,10,20
You should see that the interface is in trunking mode, encapsulation is 802.1q, and VLANs 1, 10, and 20 are active and not pruned. Step 5 On the Branch router, verify the state of configured subinterfaces:
Branch# show ip interface brief Interface IP-Address Embedded-Service-Engine0/0 unassigned GigabitEthernet0/0 unassigned GigabitEthernet0/0.1 10.1.1.1 GigabitEthernet0/0.10 10.1.10.1 GigabitEthernet0/0.20 10.1.20.1 <output omitted>
OK? YES YES YES YES YES
Method unset unset manual manual manual
Status Protocol administratively down down up up up up up up up up
You should see that the subinterfaces are configured with IP addresses and are operational.
Lab Guide
L-183
Step 6 Access PC1. Ping the SW1 management IP address at 10.1.1.11.

C:\Windows\system32> ping 10.1.1.11 Pinging 10.1.1.11 with 32 bytes of data: Request timed out. Reply from 10.1.1.11: bytes=32 time=8ms TTL=254 Reply from 10.1.1.11: bytes=32 time=2ms TTL=254 Reply from 10.1.1.11: bytes=32 time=2ms TTL=254 Ping statistics for 10.1.1.11: Packets: Sent = 4, Received = 3, Lost = 1 (25% loss), Approximate round trip times in milli-seconds: Minimum = 2ms, Maximum = 8ms, Average = 4ms
The ping should be successful. Step 7 Ping PC2 at 10.1.20.100 from PC1.
Step 8 On PC1, start PuTTY by double-clicking the PuTTY icon on the desktop. Establish an SSH session to the SW1 management IP address at 10.1.1.11. Accept the fingerprint of the switches when asked. Use ccna as a username and cisco as a password in order to log in. Enter the privileged EXEC mode using the cisco password in order to verify that the enable password is properly configured.
login as: ccna Using keyboard-interactive authentication. Password: cisco SW1> enable Password: cisco SW1#
Establishment of the SSH session should be successful.
Lab Guide
L-185
Step 9 Verify port security information on the FastEthernet0/1 port on the SW1 switch. Use the previously established SSH session to access SW1.
SW1# show port-security interface FastEthernet0/1 Port Security : Enabled Port Status : Secure-up Violation Mode : Protect Aging Time : 0 mins Aging Type : Absolute SecureStatic Address Aging : Disabled Maximum MAC Addresses : 1 Total MAC Addresses : 1 Configured MAC Addresses : 0 Sticky MAC Addresses : 0 Last Source Address:Vlan : 000c.293b.709d:10 Security Violation Count : 0
You should see that the port is protected, the security violation is set to protect, and the last seen MAC address is PC1 in VLAN 10.
Step 10 On PC1, open another PuTTY window by double-clicking the PuTTY icon again. Establish a Telnet session to the Branch router at 10.1.10.1. Use the cisco password to log in. Enter privileged EXEC mode using the cisco password in order to verify if the enable password is properly configured.
User Access Verification Password:cisco Branch>enable Password:cisco Branch#
Establishment of the Telnet session should be successful.
Lab Guide
L-187
Step 11 Access PC2. Ping the SW2 management IP address at 10.1.1.12.

C:\Windows\system32> ping 10.1.1.12 Pinging 10.1.1.12 with 32 bytes of data: Request timed out. Reply from 10.1.1.12: bytes=32 time=8ms TTL=254 Reply from 10.1.1.12: bytes=32 time=2ms TTL=254 Reply from 10.1.1.12: bytes=32 time=2ms TTL=254 Ping statistics for 10.1.1.12: Packets: Sent = 4, Received = 3, Lost = 1 (25% loss), Approximate round trip times in milli-seconds: Minimum = 2ms, Maximum = 8ms, Average = 4ms
Step 12 On PC2, start PuTTY by double-clicking the PuTTY icon on the desktop. Establish an SSH session to the SW2 management IP address at 10.1.1.12. Accept the fingerprint of the switches when asked. Use ccna as a username and cisco as a password in order to log in. Enter the privileged EXEC mode using the cisco password in order to verify if the enable password is properly configured.
login as: ccna Using keyboard-interactive authentication. Password: cisco SW2> enable Password: cisco SW2#
Establishment of the SSH session should be successful.
Lab Guide
L-189
Step 13 Verify port security information on the FastEthernet0/1 port on the SW2 switch. Use the previously established SSH session to access SW2.
SW2# show port-security interface FastEthernet0/1 Port Security : Enabled Port Status : Secure-up Violation Mode : Protect Aging Time : 0 mins Aging Type : Absolute SecureStatic Address Aging : Disabled Maximum MAC Addresses : 1 Total MAC Addresses : 1 Configured MAC Addresses : 1 Sticky MAC Addresses : 0 Last Source Address:Vlan : 000f.34f9.9183:20 Security Violation Count : 0
You should see that the port is protected, the security violation is set to protect, and the last seen MAC address is PC2 in VLAN 20. Step 14 Close all SSH and Telnet sessions on PC1 and PC2.
Task 3: Configure Internet Connectivity

In this task, you will configure the Branch router to provide Internet connectivity. This includes configuring IP addresses on an interface and default route. You will also configure NAT with PAT to hide internal addressing from the Internet. Finally, you will configure an ACL that will protect the router and LAN from traffic on the Internet. Activity Procedure Complete the following steps: Step 1 Access the Branch router. Step 2 Configure an IP address on the Branch router on the interface connecting to the Internet (GigabitEthernet0/1). Use 209.165.201.1/27 for the IP address. Enable the interface. Step 3 Configure a default route on the Branch router that will point to the HQ router as the next hop.
Step 4 Create a standard ACL that will permit users on VLAN 10 and 20. This ACL will be used to specify IP addresses that are eligible for NAT. Use 1 for the access list identifer. Step 5 Configure NAT with PAT on the Branch router for all LAN users. This includes users on VLAN 10 and 20. Refer to the previously configured ACL. Use the IP address on the GigabitEthernet0/1 interface for the translated IP address. Step 6 Configure a named extended ACL on the Branch router that will deny all TCP and UDP traffic coming from a source port greater than 1024. Permit all other IP traffic. Apply the ACL to the GigabitEthernet0/1 interface in the inbound direction.
Note This ACL will effectively block all connection attempts from the Internet, while the returning traffic to the LAN will be allowed. With a majority of well-known applications, you can expect that the source port of traffic returning from a server will have a value that is lower than 1024. For example, returning traffic that is coming from a Telnet server will have a source port with a value of 23. On the other hand, Telnet traffic that originates from a host will have a source port greater than 1024.
Activity Verification You have completed this task when you attain these results: Step 1 Verify the status of the GigabitEthernet0/1 interface on the Branch router.
Branch# show interfaces GigabitEthernet0/1 GigabitEthernet0/1 is up, line protocol is up Hardware is CN Gigabit Ethernet, address is fc99.47e5.2701 (bia fc99.47e5.2701) Internet address is 209.165.201.1/27 MTU 1500 bytes, BW 100000 Kbit/sec, DLY 100 usec, reliability 255/255, txload 1/255, rxload 1/255 Encapsulation ARPA, loopback not set Keepalive set (10 sec) Full Duplex, 100Mbps, media type is RJ45
You should see that the interface is operational and that it has an IP address configured.
Lab Guide
L-191

Branch# show ip route Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2 E1 - OSPF external type 1, E2 - OSPF external type 2 i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2 ia - IS-IS inter area, * - candidate default, U - per-user static route o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP + - replicated route, % - next hop override Gateway of last resort is 209.165.201.2 to network 0.0.0.0 S* 0.0.0.0/0 [1/0] via 209.165.201.2
You should see that the router has a default route that is configured, which points to the HQ router.
Step 3 Access PC1. Start PuTTY by double-clicking the PuTTY icon on the desktop. Establish a Telnet session to the server at 172.16.1.100.
HQ#

Note Recall that the server is simulated as the loopback interface on the HQ router.
Lab Guide
L-193
Step 4 On the HQ router, verify the user connection to the server using the show users command. Use the previously established Telnet session.
HQ# show users Line User *388 vty 0
Host(s) idle
Idle Location 00:00:00 209.165.201.1
You should see that the Telnet session from PC1 is seen as originating from the translated IP address. The translated IP address is the IP address of the GigabitEthernet0/1 interface on the Branch router. Step 5 Access PC2. Start PuTTY by double-clicking the PuTTY icon on the desktop. Establish a Telnet session to the server at 172.16.1.100.
HQ#
Step 6 On the HQ router, verify the user connection to the server using the show users command. Use the previously established Telnet session.
HQ# show users Line User 388 vty 0 *389 vty 1
Host(s) idle idle
Idle Location 00:01:02 209.165.201.1 00:00:00 209.165.201.1
You should also see that the Telnet session from PC2 is seen as originating from the translated IP address. The translated IP address is the IP address of the GigabitEthernet0/1 interface on the Branch router.. Step 7 Verify the translation table on the Branch router.
Branch# show ip nat translations Pro Inside global Inside local tcp 209.165.201.1:1037 10.1.10.100:1037 tcp 209.165.201.1:1033 10.1.20.100:1033
Outside local 172.16.1.100:23 172.16.1.100:23
Outside global 172.16.1.100:23 172.16.1.100:23
You should see two PAT translations. One translation is for PC1 at 10.1.10.100, and the second is for PC2 at 10.1.10.100. Both IP addresses translated to the same global IP address but with different source ports. Step 8 Return to the Telnet session on PC1. Try to establish a Telnet session from the HQ router to the Branch router twice or three times.
HQ# telnet 209.165.201.1 Trying 209.165.201.1 ... % Destination unreachable; gateway or host down HQ# telnet 209.165.201.1 Trying 209.165.201.1 ... % Destination unreachable; gateway or host down HQ# telnet 209.165.201.1 Trying 209.165.201.1 ... % Destination unreachable; gateway or host down
You should not be successful because the ACL denies connections that are initiated from the Internet.
Lab Guide
L-195
Step 9 Return to the Branch router console and verify the ACL hits.
Branch# show ip access-lists Standard IP access list 1 10 permit 10.1.10.0, wildcard bits 0.0.0.255 (4 matches) 20 permit 10.1.20.0, wildcard bits 0.0.0.255 (1 match) Extended IP access list OUTSIDE 10 deny tcp any gt 1024 any (3 matches) 20 deny udp any gt 1024 any 30 permit ip any any (122 matches)
You should see that the ACL denied three TCP packets coming from the TCP source port greater than 1024 to the Branch router. Step 10 Close all Telnet sessions on PC1 and PC2.
Task 4: Configure WAN Connectivity and a Dynamic Routing Protocol

In this task, you will configure the Branch router with WAN connectivity to the HQ router. This activity includes removing the NAT configuration from the GigabitEthernet0/1 interface and changing the IP address on the interface. You will also configure single-area OSPF on the Branch router in order to exchange routing information with the HQ router. The HQ router has been preconfigured with OSPF. However, you will have to change the IP addressing on the HQ router as well. Activity Procedure Complete the following steps: Step 1 Access the Branch router. Step 2 From the Branch router, use Telnet to connect to the HQ router. Step 3 Change the IP address on the GigabitEthernet0/1 interface on the HQ router to 192.168.1.2 with network mask 255.255.255.0. Be careful not to mistype the IP address.
Note
Changing the IP address on the HQ router will terminate your Telnet session. If the session freezes, press Ctrl-Shift-6, followed by X. This action will pause the Telnet session, and you will return to the Branch router console. At the Branch router prompt, enter Disconnect to disconnect the frozen Telnet session permanently.
Step 4 On the Branch router, remove the NAT configuration from the GigabitEthernet0/1 interface. Step 5 Configure the IP address on the Branch router on the GigabitEthernet0/1 interface. Use 192.168.1.1/24 for the IP address. Step 6 Configure a loopback interface on the Branch router. Use 10 as the interface ID and 10.100.100.100/32 as the IP address. Why is it recommended to configure a loopback interface when enabling an OSPF routing protocol? Step 7 Create the OSPF routing process on the Branch router. Use 1 as the OSPF process ID. Step 8 Enable OSPF routing in Area 0 for the following networks: 192.168.1.0/24 10.1.1.0/24 10.1.10.0/24 10.1.20.0/24 10.100.100.100/32 Activity Verification You have completed this task when you attain these results:
Lab Guide
L-197
Step 1 From the Branch router, ping the HQ router at 192.168.1.2.

Branch# ping 192.168.1.2 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 192.168.1.2, timeout is 2 seconds: !!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms
The ping should be successful. Step 2 Verify OSPF neighbors on the Branch router.
Branch# show ip ospf neighbor Neighbor ID Pri State 1.1.1.1 1 FULL/DR
Dead Time 00:00:35
Address 192.168.1.2
You should see the HQ router as the OSPF neighbor in FULL state.

Branch# show ip route Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2 E1 - OSPF external type 1, E2 - OSPF external type 2 i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2 ia - IS-IS inter area, * - candidate default, U - per-user static route o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP + - replicated route, % - next hop override Gateway of last resort is not set 10.0.0.0/8 is variably subnetted, 7 subnets, 2 masks C 10.1.1.0/24 is directly connected, GigabitEthernet0/0.1 L 10.1.1.1/32 is directly connected, GigabitEthernet0/0.1 C 10.1.10.0/24 is directly connected, GigabitEthernet0/0.10 L 10.1.10.1/32 is directly connected, GigabitEthernet0/0.10 C 10.1.20.0/24 is directly connected, GigabitEthernet0/0.20 L 10.1.20.1/32 is directly connected, GigabitEthernet0/0.20 C 10.100.100.100/32 is directly connected, Loopback10 172.16.0.0/32 is subnetted, 1 subnets O 172.16.1.100 [110/2] via 192.168.1.2, 00:02:10, GigabitEthernet0/1 192.168.1.0/24 is variably subnetted, 2 subnets, 2 masks C 192.168.1.0/24 is directly connected, GigabitEthernet0/1 L 192.168.1.1/32 is directly connected, GigabitEthernet0/1
You should see the 172.16.1.0/24 network as the OSPF route. The network should be accessible over the GigabitEthernet0/1 interface. Step 4 Access PC1. Open a command prompt and ping the server at 172.16.1.100.
Lab Guide
L-199
Step 5 On PC1, start PuTTY by double-clicking the PuTTY icon on the desktop. Establish a Telnet session to the HQ router at 192.168.1.2.
HQ#
Step 6 On the HQ router, verify the routing table. Use the previously established Telnet session.
HQ# show ip route Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2 E1 - OSPF external type 1, E2 - OSPF external type 2 i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2 ia - IS-IS inter area, * - candidate default, U - per-user static route o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP + - replicated route, % - next hop override Gateway of last resort is not set 10.0.0.0/8 is variably subnetted, 4 subnets, 2 masks O 10.1.1.0/24 [110/2] via 192.168.1.1, 00:03:33, GigabitEthernet0/1 O 10.1.10.0/24 [110/2] via 192.168.1.1, 00:03:33, GigabitEthernet0/1 O 10.1.20.0/24 [110/2] via 192.168.1.1, 00:03:33, GigabitEthernet0/1 O 10.100.100.100/32 [110/2] via 192.168.1.1, 00:00:00, GigabitEthernet0/1 <output omitted>
You should see LAN networks accessible over the the Serial0/0/0 interface, with the Branch router as the next hop router. Step 7 Close the Telnet sessions on PC1.
Task 5: Configure IPv6 Connectivity in the LAN

In this task, you will enable IPV6 connectivity in the LAN. This activity includes enabling IPv6 on the Branch router and setting IPv6 addresses on the LAN subinterfaces of the router. On the PCs with Microsoft Windows 7, IPv6 is enabled by default. Therefore, the PCs will obtain IPv6 addresses automatically by using stateless autoconfiguration. Activity Procedure Complete the following steps: Step 1 Access the Branch router. Step 2 Enable IPv6 forwarding on the Branch router.
Lab Guide
L-201
Step 3 Configure subinterfaces on the GigabitEthernet0/0 interface with the following IPv6 addresses:
Subinterface Identifier GigabitEthernet0/0.1 GigabitEthernet0/0.10 GigabitEthernet0/0.20 VLAN Identifier 1 10 20 IPv6 Address/Mask 2001:db8:0A01:100::1/64 2001:db8:0A01:A00::1/64 2001:db8:0A01:1400::1/64
By configuring the IPv6 address on a router interface, the router starts sending router advertisements out of the interface. This enables PCs that are connected to the interface to automatically configure the IPv6 address on a network adapter and to set a default gateway. Activity Verification You have completed this task when you attain these results:
Step 1 Verify IPv6 settings and the status on all subinterfaces:

Branch# show ipv6 interface GigabitEthernet0/0.1 GigabitEthernet0/0.1 is up, line protocol is up IPv6 is enabled, link-local address is FE80::FE99:47FF:FEE5:2700 No Virtual link-local address(es): Global unicast address(es): 2001:DB8:A01:100::1, subnet is 2001:DB8:A01:100::/64 Joined group address(es): FF02::1 FF02::2 FF02::1:FF00:1 FF02::1:FFE5:2700 MTU is 1500 bytes ICMP error messages limited to one every 100 milliseconds ICMP redirects are enabled ICMP unreachables are sent ND DAD is enabled, number of DAD attempts: 1 ND reachable time is 30000 milliseconds (using 30000) ND advertised reachable time is 0 (unspecified) ND advertised retransmit interval is 0 (unspecified) ND router advertisements are sent every 200 seconds ND router advertisements live for 1800 seconds ND advertised default router preference is Medium Hosts use stateless autoconfig for addresses. Branch# show ipv6 interface GigabitEthernet0/0.10 GigabitEthernet0/0.10 is up, line protocol is up IPv6 is enabled, link-local address is FE80::FE99:47FF:FEE5:2700 No Virtual link-local address(es): Global unicast address(es): 2001:DB8:A01:A00::1, subnet is 2001:DB8:A01:A00::/64 Joined group address(es): FF02::1 FF02::2 FF02::1:FF00:1 FF02::1:FFE5:2700 MTU is 1500 bytes ICMP error messages limited to one every 100 milliseconds ICMP redirects are enabled ICMP unreachables are sent ND DAD is enabled, number of DAD attempts: 1 ND reachable time is 30000 milliseconds (using 30000) ND advertised reachable time is 0 (unspecified) ND advertised retransmit interval is 0 (unspecified) ND router advertisements are sent every 200 seconds ND router advertisements live for 1800 seconds ND advertised default router preference is Medium Hosts use stateless autoconfig for addresses. Branch# show ipv6 interface GigabitEthernet0/0.20 GigabitEthernet0/0.20 is up, line protocol is up IPv6 is enabled, link-local address is FE80::FE99:47FF:FEE5:2700 No Virtual link-local address(es): Global unicast address(es): 2001:DB8:A01:1400::1, subnet is 2001:DB8:A01:1400::/64 Joined group address(es): FF02::1 FF02::2 FF02::1:FF00:1 FF02::1:FFE5:2700
Lab Guide
L-203
MTU is 1500 bytes ICMP error messages limited to one every 100 milliseconds ICMP redirects are enabled ICMP unreachables are sent ND DAD is enabled, number of DAD attempts: 1 ND reachable time is 30000 milliseconds (using 30000) ND advertised reachable time is 0 (unspecified) ND advertised retransmit interval is 0 (unspecified) ND router advertisements are sent every 200 seconds ND router advertisements live for 1800 seconds ND advertised default router preference is Medium Hosts use stateless autoconfig for addresses.
You should see all three subinterfaces that are enabled for IPv6. Each subinterface should have a link-local IPv6 address and one global IPv6 address. Note that the link-local IPv6 address is the same on all subinterfaces. Why is the link-local IPv6 address the same on all subinterfaces? Step 2 Access PC1. Open a command prompt and verify the IP settings.
C:\Windows\system32> ipconfig Windows IP Configuration Ethernet adapter LAB: Connection-specific DNS Suffix IPv6 Address. . . . . . . . . . Temporary IPv6 Address. . . . . Link-local IPv6 Address . . . . IPv4 Address. . . . . . . . . . Subnet Mask . . . . . . . . . . Default Gateway . . . . . . . .
. . . . . . .
: : : : : : :
2001:db8:a01:a00:15e4:2bea:367f:8c5c 2001:db8:a01:a00:191b:d8a9:e435:33c1 fe80::15e4:2bea:367f:8c5c%13 10.1.10.100 255.255.255.0 fe80::fe99:47ff:fee5:2700%13 10.1.10.1
You should see that the PC is configured with one global IPv6 address, one temporary IPv6 address, the link-local IPv6 address, and the default gateway. You will see a percentage sign (%), followed by a number, at the end of the link-local IPv6 address and at the end of the default gateway. The number following the percentage sign identifies an interface on the PC, and it is not part of the IPv6 address and should be ignored when determining the IPv6 address of the the default gateway. Which router IPv6 address is configured as the default gateway on the PC?
Step 3 From PC1, ping the default gateway. Use the link-local IPv6 address as the destination IPv6 address.
C:\Windows\system32> ping fe80::fe99:47ff:fee5:2700 Pinging fe80::fe99:47ff:fee5:2700 with 32 bytes of data: Destination host unreachable. Reply from fe80::fe99:47ff:fee5:2700: time=3ms Reply from fe80::fe99:47ff:fee5:2700: time<1ms Reply from fe80::fe99:47ff:fee5:2700: time<1ms Ping statistics for fe80::fe99:47ff:fee5:2700: Packets: Sent = 4, Received = 3, Lost = 1 (25% loss), Approximate round trip times in milli-seconds: Minimum = 0ms, Maximum = 3ms, Average = 1ms
The ping should be successful. Step 4 From PC1, ping the directly connected interface of the Branch router. Use the global IPv6 address as the destination IPv6 address.
C:\Windows\system32> ping 2001:DB8:A01:A00::1 Pinging 2001:db8:a01:a00::1 with 32 bytes of data: Reply from 2001:db8:a01:a00::1: time=5ms Reply from 2001:db8:a01:a00::1: time<1ms Reply from 2001:db8:a01:a00::1: time<1ms Reply from 2001:db8:a01:a00::1: time<1ms Ping statistics for 2001:db8:a01:a00::1: Packets: Sent = 4, Received = 4, Lost = 0 (0% loss), Approximate round trip times in milli-seconds: Minimum = 0ms, Maximum = 5ms, Average = 1ms
Lab Guide
L-205
Step 5 On PC1, verify the neighbor discovery table to see mappings between IPv6 addresses and MAC addresses. Examine entries for the LAB interface.
C:\Windows\system32> netsh interface ipv6 show neighbors <output omitted> Interface 13: LAB Internet Address Physical Address -------------------------------------------- ----------------2001:db8:a01:a00::1 fc-99-47-e5-27-00 fe80::19eb:7144:6b5d:3377 00-0c-29-a8-a0-5a fe80::fe99:47ff:fee5:2700 fc-99-47-e5-27-00 ff02::2 33-33-00-00-00-02 ff02::16 33-33-00-00-00-16 ff02::1:2 33-33-00-01-00-02 ff02::1:3 33-33-00-01-00-03 ff02::1:ff00:1 33-33-ff-00-00-01 ff02::1:ff35:33c1 33-33-ff-35-33-c1 ff02::1:ff7f:8c5c 33-33-ff-7f-8c-5c ff02::1:ffe5:2700 33-33-ff-e5-27-00
Type ----------Stale (Router) Stale Stale (Router) Permanent Permanent Permanent Permanent Permanent Permanent Permanent Permanent
You should see neighbor discovery entries for link-local and global IPv6 addresses of the Branch router that you pinged before. Step 6 Access PC2. Open a command prompt and verify the IP settings.
C:\Windows\system32> ipconfig Windows IP Configuration Ethernet adapter LAB: Connection-specific DNS Suffix IPv6 Address. . . . . . . . . . Temporary IPv6 Address. . . . . Link-local IPv6 Address . . . . IPv4 Address. . . . . . . . . . Subnet Mask . . . . . . . . . . Default Gateway . . . . . . . .
. . . . . . .
: : : : : : :
2001:db8:a01:1400:19eb:7144:6b5d:3377 2001:db8:a01:1400:78bd:f560:d1fd:b766 fe80::19eb:7144:6b5d:3377%13 10.1.20.100 255.255.255.0 fe80::fe99:47ff:fee5:2700%13 10.1.20.1
You should see that the PC is configured with one global IPv6 address, one temporary IPv6 address, the link-local IPv6 address and the default gateway. You will see a percent sign (%), followed by a number, at the end of the link-local IPv6 address and at the end of the default gateway. The number following the percent sign identifies an interface on the PC, and it is not part of the IPv6 address and should be ignored when determining the IPv6 address of the default gateway. Which router IPv6 address is configured as the default gateway on the PC?
Step 7 From PC2, ping the default gateway. Use the link-local IPv6 address as the destination IPv6 address.
C:\Windows\system32> ping fe80::fe99:47ff:fee5:2700 Pinging fe80::fe99:47ff:fee5:2700 with 32 bytes of data: Destination host unreachable. Reply from fe80::fe99:47ff:fee5:2700: time=4ms Reply from fe80::fe99:47ff:fee5:2700: time<1ms Reply from fe80::fe99:47ff:fee5:2700: time<1ms Ping statistics for fe80::fe99:47ff:fee5:2700: Packets: Sent = 4, Received = 3, Lost = 1 (25% loss), Approximate round trip times in milli-seconds: Minimum = 0ms, Maximum = 4ms, Average = 1ms
The ping should be successful. Step 8 From PC2, ping the directly connected interface of the Branch router. Use the global IPv6 address as the destination IPv6 address.
C:\Windows\system32> ping 2001:DB8:A01:A00::1 Pinging 2001:db8:a01:a00::1 with 32 bytes of data: Reply from 2001:db8:a01:a00::1: time=9ms Reply from 2001:db8:a01:a00::1: time<1ms Reply from 2001:db8:a01:a00::1: time<1ms Reply from 2001:db8:a01:a00::1: time<1ms Ping statistics for 2001:db8:a01:a00::1: Packets: Sent = 4, Received = 4, Lost = 0 (0% loss), Approximate round trip times in milli-seconds: Minimum = 0ms, Maximum = 9ms, Average = 2ms
Lab Guide
L-207
Step 9 On PC2, verify the neighbor discovery table to see mappings between IPv6 addresses and MAC addresses. Examine entries for the LAB interface.
C:\Windows\system32> netsh interface ipv6 show neighbors <output omitted> Interface 13: LAB Internet Address Physical Address -------------------------------------------- ----------------2001:db8:a01:1400::1 fc-99-47-e5-27-00 fe80::15e4:2bea:367f:8c5c 00-0c-29-3b-70-9d fe80::fe99:47ff:fee5:2700 fc-99-47-e5-27-00 ff02::2 33-33-00-00-00-02 ff02::16 33-33-00-00-00-16 ff02::1:2 33-33-00-01-00-02 ff02::1:3 33-33-00-01-00-03 ff02::1:ff53:e7a0 33-33-ff-53-e7-a0 ff02::1:ff5d:3377 33-33-ff-5d-33-77 ff02::1:ff7f:8c5c 33-33-ff-7f-8c-5c ff02::1:ffe5:2700 33-33-ff-e5-27-00 ff02::1:fffd:b766 33-33-ff-fd-b7-66
Type ----------Stale (Router) Stale Stale (Router) Permanent Permanent Permanent Permanent Permanent Permanent Permanent Permanent Permanent
You should see neighbor discovery entries for the link-local and global IPv6 addresses of the Branch router that you pinged before. Step 10 Return to the Branch router. Verify the neighbor discovery table.
Branch# show ipv6 neighbors IPv6 Address FE80::19EB:7144:6B5D:3377 FE80::15E4:2BEA:367F:8C5C 2001:DB8:A01:1400:78BD:F560:D1FD:B766 2001:DB8:A01:A00:191B:D8A9:E435:33C1
Age 3 11 4 8
Link-layer Addr 000c.29a8.a05a 000c.293b.709d 000c.29a8.a05a 000c.293b.709d
State STALE STALE STALE STALE
Interface Gi0/0.20 Gi0/0.10 Gi0/0.20 Gi0/0.10
You should see two entries for each PC. One entry is for the link-local IPv6 address, and the other is for the global IPv6 address.
Task 6: Configure the OSPFv3 Routing Protocol

In this task, you will enable the OSPFv3 routing protocol to route for IPv6 between the Branch and HQ routers. The HQ router has been preconfigured. Activity Procedure Complete the following steps:
Step 1 Access the Branch router. Step 2 From the Branch router, use Telnet to connect to the HQ router at 192.168.1.2 using IPv4. Step 3 Remove the existing IPv6 address from the GigabitEthernet0/1 interface on the HQ router. Set the IPv6 address on the interface to 2001:db8:c0a8:100::2/64. Include the interface into the OSPFv3 routing protocol with Process ID 1 and Area 0. Exit the Telnet session. Step 4 On the Branch router, configure the GigabitEthernet0/1 interface with 2001:db8:c0a8:100::1/64 IPv6 address. Step 5 From the Branch router, ping the HQ router at 2001:db8:c0a8:100::2 to verify IPv6 connectivity between the routers.
Branch# ping 2001:db8:c0a8:100::2 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 2001:DB8:C0A8:100::2, timeout is 2 seconds: !!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 52/54/56 ms
The ping should be successful. Step 6 From the Branch router, use Telnet to connect to the HQ router at 2001:db8:c0a8:100::2.
Branch# telnet 2001:db8:c0a8:100::2 Trying 2001:DB8:C0A8:100::2 ... Open HQ#
The Telnet should be successful.
Lab Guide
L-209
Step 7 Verify the existing OSPFv3 configuration on the HQ router.

interface Loopback0 ip address 172.16.1.100 255.255.255.0 ipv6 address 2001:DB8:AC10:100::64/64 ipv6 ospf network point-to-point ipv6 ospf 1 area 0 ! <output omitted> ! interface GigabitEthernet0/1 description Link to Branch ip address 192.168.1.2 255.255.255.0 duplex auto speed auto ipv6 address 2001:DB8:C0A8:100::2/64 ipv6 ospf 1 area 0 ! <output omitted> ! ipv6 router ospf 1 router-id 0.0.0.1
You should see that the OSPFv3 process is configured and that Loopback0 and GigabitEthernet0/1 are enabled for OSPFv3. Step 8 Close the Telnet session. Step 9 Create an OSPFv3 process on the Branch router. Use 1 as the Process ID.
Branch(config)# ipv6 router ospf 1
Step 10 Enable the following interfaces for OSPFv3 in Area 0: GigabitEthernet0/1 GigabitEthernet0/0.1 GigabitEthernet0/0.10 GigabitEthernet0/0.20
Branch(config)# interface GigabitEthernet0/1 Branch(config-if)# ipv6 ospf 1 area 0 Branch(config-if)# Branch(config)# interface GigabitEthernet0/0.1 Branch(config-subif)# ipv6 ospf 1 area 0 Branch(config-if)# Branch(config-subif)# interface GigabitEthernet0/0.10 Branch(config-subif)# ipv6 ospf 1 area 0 Branch(config-if)# Branch(config-subif)# interface GigabitEthernet0/0.20 Branch(config-subif)# ipv6 ospf 1 area 0
You should see that OSPFv3 adjacency went up immediately after you enabled OSPFv3 on the GigabitEthernet0/1 interface:
*Dec 7 13:59:21.815: %OSPFv3-5-ADJCHG: Process 1, Nbr 0.0.0.1 on GigabitEthernet0/1 from LOADING to FULL, Loading Done
Activity Verification You have completed this task when you attain these results: Step 1 Verify OSPFv3 neighbors on the Branch router.
Branch# show ipv6 ospf neighbor OSPFv3 Router with ID (10.100.100.100) (Process ID 1) Neighbor ID Pri State Dead Time Interface ID Interface 0.0.0.1 1 FULL/DR 00:00:30 4 GigabitEthernet0/1
You should see the HQ router as the OSPFv3 neighbor. What is the HQ router ID?
Lab Guide
L-211
Step 2 Verify OSPFv3 settings on the Branch router.

Branch# show ipv6 ospf Routing Process "ospfv3 1" with ID 10.100.100.100 Event-log enabled, Maximum number of events: 1000, Mode: cyclic Initial SPF schedule delay 5000 msecs Minimum hold time between two consecutive SPFs 10000 msecs Maximum wait time between two consecutive SPFs 10000 msecs Minimum LSA interval 5 secs Minimum LSA arrival 1000 msecs LSA group pacing timer 240 secs Interface flood pacing timer 33 msecs Retransmission pacing timer 66 msecs Number of external LSA 0. Checksum Sum 0x000000 Number of areas in this router is 1. 1 normal 0 stub 0 nssa Graceful restart helper support enabled Reference bandwidth unit is 100 mbps Area BACKBONE(0) Number of interfaces in this area is 4 SPF algorithm executed 3 times Number of LSA 9. Checksum Sum 0x0523AD Number of DCbitless LSA 0 Number of indication LSA 0 Number of DoNotAge LSA 0 Flood list length 0
You should see that OSPFv3 is enabled for four interfaces in Area 0. What is the Branch router ID?
Step 3 Verify the IPv6 routing table on the Branch router.

Branch# show ipv6 route IPv6 Routing Table - default - 10 entries Codes: C - Connected, L - Local, S - Static, U - Per-user Static route B - BGP, R - RIP, I1 - ISIS L1, I2 - ISIS L2 IA - ISIS interarea, IS - ISIS summary, D - EIGRP, EX - EIGRP external ND - ND Default, NDp - ND Prefix, DCE - Destination, NDr - Redirect O - OSPF Intra, OI - OSPF Inter, OE1 - OSPF ext 1, OE2 - OSPF ext 2 ON1 - OSPF NSSA ext 1, ON2 - OSPF NSSA ext 2 C 2001:DB8:A01:100::/64 [0/0] via GigabitEthernet0/0.1, directly connected L 2001:DB8:A01:100::1/128 [0/0] via GigabitEthernet0/0.1, receive C 2001:DB8:A01:A00::/64 [0/0] via GigabitEthernet0/0.10, directly connected L 2001:DB8:A01:A00::1/128 [0/0] via GigabitEthernet0/0.10, receive C 2001:DB8:A01:1400::/64 [0/0] via GigabitEthernet0/0.20, directly connected L 2001:DB8:A01:1400::1/128 [0/0] via GigabitEthernet0/0.20, receive O 2001:DB8:AC10:100::/64 [110/2] via FE80::FE99:47FF:FEDE:B4B9, GigabitEthernet0/1 C 2001:DB8:C0A8:100::/64 [0/0] via GigabitEthernet0/1, directly connected L 2001:DB8:C0A8:100::1/128 [0/0] via GigabitEthernet0/1, receive L FF00::/8 [0/0] via Null0, receive
You should see the 2001:DB8:AC10:100::/64 network that is learned through OSPF and with the HQ router as the next hop. This is the network where the server is located. Step 4 Access PC1 and open a command prompt. Ping the server at 2001:db8:ac10:100::64.
C:\Windows\system32> ping 2001:db8:ac10:100::64 Pinging 2001:db8:ac10:100::64 with 32 bytes of data: Reply from 2001:db8:ac10:100::64: time=56ms Reply from 2001:db8:ac10:100::64: time=45ms Reply from 2001:db8:ac10:100::64: time=46ms Reply from 2001:db8:ac10:100::64: time=46ms Ping statistics for 2001:db8:ac10:100::64: Packets: Sent = 4, Received = 4, Lost = 0 (0% loss), Approximate round trip times in milli-seconds: Minimum = 45ms, Maximum = 56ms, Average = 48ms
Lab Guide
L-213
Step 5 On PC1, start PuTTY by double-clicking the PuTTY icon on the desktop. Establish a Telnet session to the server at 2001:DB8:AC10:100::64.
HQ#

Note Recall that the server is simulated as the loopback interface on the HQ router.
Step 6 Verify the IPv6 routing table on the HQ router.

HQ# show ipv6 route IPv6 Routing Table - default - 8 entries Codes: C - Connected, L - Local, S - Static, U - Per-user Static route B - BGP, R - RIP, I1 - ISIS L1, I2 - ISIS L2 IA - ISIS interarea, IS - ISIS summary, D - EIGRP, EX - EIGRP external ND - ND Default, NDp - ND Prefix, DCE - Destination, NDr - Redirect O - OSPF Intra, OI - OSPF Inter, OE1 - OSPF ext 1, OE2 - OSPF ext 2 ON1 - OSPF NSSA ext 1, ON2 - OSPF NSSA ext 2 O 2001:DB8:A01:100::/64 [110/2] via FE80::6E20:56FF:FE17:B149, GigabitEthernet0/1 O 2001:DB8:A01:A00::/64 [110/2] via FE80::6E20:56FF:FE17:B149, GigabitEthernet0/1 O 2001:DB8:A01:1400::/64 [110/2] via FE80::6E20:56FF:FE17:B149, GigabitEthernet0/1 <output omitted>
You should see all three LANs that are learned through OSPFv3 with the Branch router as the next hop router.
Lab Guide
L-215
Lab Answer Keys

Task 1: Perform a Reload and Verify that the Switch Is Unconfigured
Step 2 Since the erase startup-config command is a privileged-level command, entering it in user EXEC mode will have no effect on the system. You were informed that the command is invalid.
Switch>erase startup-config ^ % Invalid input detected at '^' marker.
Step 3 When you have a right arrow (>) symbol after the device hostname, you are in user EXEC mode. When you issued the enable command, you moved into privileged EXEC mode, which is indicated by the pound sign (#) after the hostname. Enter privileged EXEC mode by typing enable in user EXEC mode.
Switch>enable Switch#
Step 4 When you enter the erase startup-config command within privileged EXEC mode, it is accepted and you are prompted to press Enter to confirm this action.
SwitchX#delete vlan.dat Delete filename [vlan.dat]? Delete flash:/vlan.dat? [confirm] Switch#erase startup-config Erasing the nvram filesystem will remove all configuration files! Continue? [confirm] [OK] Erase of nvram: complete
When you enter the reload command within privileged EXEC mode, you are asked to confirm the reload. Press Enter at that point.
Switch#reload Proceed with reload? [confirm] *Mar 1 00:16:18.229: %SYS-5-RELOAD: Reload requested by console. Reload Reason: Reload command. Boot Sector Filesystem (bs) installed, fsid: 2 Base ethernet MAC Address: 00:1e:14:7c:bd:00 Xmodem file system is available. The password-recovery mechanism is enabled. Initializing Flash... flashfs[0]: 549 files, 19 directories flashfs[0]: 0 orphaned files, 0 orphaned directories flashfs[0]: Total bytes: 32514048 flashfs[0]: Bytes used: 14942208 flashfs[0]: Bytes available: 17571840 flashfs[0]: flashfs fsck took 11 seconds. ...done Initializing Flash. done. Loading "flash:/c2960-lanbasek9-mz.150-1.SE3/c2960-lanbasek9-mz.150-1.SE3.bin"... @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ < output omitted > 64K bytes of flash-simulated non-volatile configuration memory. Base ethernet MAC Address : 00:1E:14:7C:BD:00 Motherboard assembly number : 73-10390-04 Power supply part number : 341-0097-02 Motherboard serial number : FOC114131RV Power supply serial number : AZS113600YM Model revision number : D0 Motherboard revision number : A0 Model number : WS-C2960-24TT-L System serial number : FOC1141Z8W9 Top Assembly Part Number : 800-27221-03 Top Assembly Revision Number : B0 Version ID : V03 CLEI Code Number : COM3L00BRB Hardware Board Revision Number : 0x01 Switch Ports Model SW Version SW Image ------ ----- ----------------------* 1 26 WS-C2960-24TT-L 15.0(1)SE3 C2960-LANBASEK9-M Press RETURN to get started!
Step 5 Your results should resemble the output displayed here. You should have answered No to the question (Would you like to enter the initial configuration dialog?).
--- System Configuration Dialog --Would you like to enter the initial configuration dialog? [yes/no]: no Switch>
If you skipped the initial configuration dialog, there is no startup configuration present. Alternatively, you can verify that there is no configuration present by entering privileged EXEC mode and issuing the show startup-config command.
Switch>enable Switch#show startup-config startup-config is not present
Step 6 You can issue the show version command from either user or privileged EXEC mode. In the output here, you see that the switch is a WS-C2960-24TT-L type, the software version is 15.0(1)SE3, and there is 65536 KB (or 64 MB) of RAM. Note that your device may have different properties.
Switch#show version Cisco IOS Software, C2960 Software (C2960-LANBASEK9-M), Version 15.0(1)SE3, RELEASE SOFTWARE (fc1) Technical Support: http://www.cisco.com/techsupport Copyright (c) 1986-2012 by Cisco Systems, Inc. Compiled Wed 30-May-12 14:26 by prod_rel_team ROM: Bootstrap program is C2960 boot loader BOOTLDR: C2960 Boot Loader (C2960-HBOOT-M) Version 12.2(44)SE6, RELEASE SOFTWARE (fc1) Switch1 uptime is 4 hours, 31 minutes System returned to ROM by power-on System restarted at 09:25:53 UTC Fri Aug 17 2012 System image file is "flash:/c2960-lanbasek9-mz.150-1.SE3/c2960-lanbasek9-mz. 150-1.SE3.bin" This product contains cryptographic features and is subject to United States and local country laws governing import, export, transfer and use. Delivery of Cisco cryptographic products does not imply third-party authority to import, export, distribute or use encryption. Importers, exporters, distributors and users are responsible for compliance with U.S. and local country laws. By using this product you agree to comply with applicable laws and regulations. If you are unable to comply with U.S. and local laws, return this product immediately. A summary of U.S. laws governing Cisco cryptographic products may be found at: http://www.cisco.com/wwl/export/crypto/tool/stqrg.html If you require further assistance please contact us by sending email to export@cisco.com. cisco WS-C2960-24TT-L (PowerPC405) processor (revision D0) with 65536K bytes of memory. < output omitted >
The show flash: command output here shows that the switch has 32514048 bytes (32 MB) of flash memory and that 17569280 bytes of that memory is free (16.8 MB). Note that your device may have different properties.
Lab Guide
L-219
Switch#show flash Directory of flash:/ 2 drwx 256 Aug 8 2012 567 -rwx 556 Nov 21 2012 568 -rwx 2072 Nov 21 2012 32514048 bytes total (17573376 bytes
12:23:45 +00:00 08:17:08 +00:00 11:05:33 +00:00 free)
c2960-lanbasek9-mz.150-1.SE3 vlan.dat multiple-fs
Task 2: Configure the Switch with a Hostname and an IP Address

Step 1 Enter privileged EXEC mode and then global configuration mode. Issue the hostname command, as shown in the following output. Notice the change in the hostname of the device in the last line of the output.
Switch#enable Switch#configure terminal Enter configuration commands, one per line. Switch(config)#hostname SW1 SW1(config)#
End with CNTL/Z.
Step 2 First, make sure that you are in global configuration mode.
SW1(config)#
Then enter interface configuration mode for VLAN 1 and assign it the proper IP address and network mask.
SW1(config)#interface vlan 1 SW1(config-if)#ip address 10.1.1.11 255.255.255.0
Step 5 On PC1, click the Start button, enter cmd, and click Enter. When you are presented with a command prompt window, enter ping, followed by the IP address of the VLAN 1 interface on the switch. This Layer 3 test should succeed.
Task 3: Explore Context-Sensitive Help

Step 1 After you enter privileged EXEC mode and enter ?, you are presented with a list of available commands. Each command is listed with a description.
SW1>enable SW1#? Exec commands: access-enable Create a temporary Access-List entry access-profile Apply user-profile to interface access-template Create a temporary Access-List entry archive manage archive files beep Blocks Extensible Exchange Protocol commands < output omitted > where List active connections write Write running configuration to memory, network, or terminal
Step 2 First, make sure that you are in privileged EXEC mode. Enter clock, followed by ?. Complete the configuration as displayed here.
SW1#clock ? set Set the time and date SW1#clock set ? hh:mm:ss Current Time SW1#clock set 12:57:22 ? <1-31> Day of the month MONTH Month of the year SW1#clock set 12:57:22 17 ? MONTH Month of the year SW1#clock set 12:57:22 17 8 ? % Unrecognized command Lan_Switch_1#clock set 12:57:22 17 August ? <1993-2035> Year SW1#clock set 12:57:22 17 August 2012 ? <cr> SW1#clock set 12:57:22 17 August 2012
Step 3 When you are familiar only with how a command begins, you can get help by using the ? command. It will list all commands that begin with the sequence of letters that you entered.
Lab Guide
L-221
SW1#sh? shell show SW1#show ? aaa access-lists aliases archive arp authentication auto beep boot buffers cable-diagnostics call-home capability cca cdp cisp class-map clock cluster cns configuration controllers crypto SW1#show clock? clock SW1#show clock 13:01:24.145 UTC Fri
Show AAA values List access lists Display alias commands Archive functions ARP table Shows Auth Manager registrations or sessions Show Automation Template Show BEEP information show boot attributes Buffer pool statistics Show Cable Diagnostics Results Show command for call home Capability Information CCA information CDP information Shows CISP information Show CPL Class Map Display the system clock Cluster information CNS agents Contents of Non-Volatile memory Interface controller status Encryption module
Aug 17 2012

Step 1 You can enter the show terminal command and then investigate the output to determine the current history size. Alternatively, you can use the pipe (|) along with the include command and the keyword history size to print out just the line with the information.
SW1>show terminal | include history size History is enabled, history size is 20.
Step 2 Enter global configuration mode.

SW1#configure terminal Enter configuration commands, one per line.
End with CNTL/Z.
Enter line console 0 configuration mode.

SW1(config)#line console 0
Change the history size to 100.

SW1(config-line)#history size 100
Issue the exit command twice to get back to privileged EXEC mode.
SW1(config-line)#exit SW1(config)#exit
Verify that the history size is changed.

SW1#show terminal | i history size History is enabled, history size is 100.
Step 3 You must be in global configuration mode before issuing the no ip domain lookup command.
SW1>enable SW1#configure terminal SW1(config)#no ip domain-lookup
Step 4 Issue the exec-timeout 60 command to set the console timeout expiration timer to one hour.
SW1(config-line)#exec-timeout 60
Verify that idle exec timeout is set to one hour. Use the verification command directly from console configuration mode.
SW1(config-line)#do show terminal | begin Timeouts Timeouts: Idle EXEC Idle Session Modem Answer 01:00:00 never <output omitted> SW1(config-line)#exit
Session none
Dispatch not set
Step 5 Make sure that you are in global configuration mode and then enter line console 0 configuration mode. Last, enable synchronous logging as shown in the output here.
SW1(config)#line console 0 SW1(config-line)#logging synchronous SW1(config-line)#exit SW1(config)#exit
Lab Guide
L-223
Step 6 This command copies the running configuration to the startup configuration. If you do not save the configuration, you will lose it the next time the switch is restarted.
SW1#copy running-config startup-config
If you press Enter when asked for the destination filename, the running configuration is stored as the startup configuration.
Destination filename [startup-config]? Building configuration... [OK]

Task 2: Troubleshoot Connectivity Between Computer PC1 and Switch SW1
Step 1 When you issue a ping from SW1 to PC1, your success rate is 0 percent, so there is no Layer 3 connectivity between the two devices.
SW1>ping 10.1.1.100 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 10.1.1.100, timeout is 2 seconds: ..... Success rate is 0 percent (0/5)
Step 2 The output of the show interfaces FastEthernet0/1 command tells you that the interface toward PC1 is administratively down, which means that the interface was disabled by the administrator.
SW1>enable SW1#show interfaces FastEthernet0/1 FastEthernet0/1 is administratively down, line protocol is down (disabled) Hardware is Fast Ethernet, address is 001e.147c.bd01 (bia 001e.147c.bd01) MTU 1500 bytes, BW 10000 Kbit/sec, DLY 1000 usec, reliability 255/255, txload 1/255, rxload 1/255 Encapsulation ARPA, loopback not set Keepalive set (10 sec) Auto-duplex, Auto-speed, media type is 10/100BaseTX

SW1#configure terminal Enter configuration commands, one per line.
End with CTRL-Z.
Enter interface configuration mode for FastEthernet 0/1 and enable the interface with the no shutdown command.
SW1(config)#interface FastEthernet 0/1 SW1(config-if)#no shutdown
Finally, verify Layer 3 connectivity between PC1 and SW1 by issuing a ping command. It should be successful.
SW1#ping 10.1.1.100 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 10.1.1.100, timeout is 2 seconds: !!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 1/5/9 ms
Step 4 It is important to save the configuration of SW1 because the no shutdown command would disappear if the switch is restarted. John would again be cut off from the network.
Task 3: Troubleshoot Connectivity Between Switch SW1 and the Branch Router
Step 1 Because you have console logging enabled (which you can verify with the show logging command), the switch is reporting. This message tells you that the interfaces of SW1 and Branch have different duplex settings. It looks like the Branch router FastEthernet0/0 interface is configured for full duplex, while interface FastEthernet0/13 on the switch is not configured for full duplex.
Aug 21 14:39:52.112: %CDP-4-DUPLEX_MISMATCH: duplex mismatch discovered on FastEthernet0/13 (not full duplex), with Branch FastEthernet0/0 (full duplex).
Use the show interfaces FastEthernet Fa0/13 command to identify the duplex setting on the interface.
Lab Guide
L-225
SW1#show interfaces FastEthernet 0/13 FastEthernet 0/13 is up, line protocol is up (connected) Hardware is Fast Ethernet, address is 001e.147c.bd0d (bia 001e.147c.bd0d) MTU 1500 bytes, BW 100000 Kbit/sec, DLY 100 usec, reliability 255/255, txload 1/255, rxload 1/255 Encapsulation ARPA, loopback not set Keepalive set (10 sec) Half-duplex, 100Mb/s, media type is 10/100BaseTX input flow-control is off, output flow-control is unsupported < output omitted >
You can also use the show ip interface brief command to verify status of all interfaces. It shows that interface FastEthernet 0/13 is in an up/up state. This status means that even though the duplex settings are mismatched on the link, it is still functional. The drawback is that the connection is not efficient. With halfduplex operation, data cannot be sent and received at the same time.
SW1#show ip interface brief Interface IP-Address < output omitted > FastEthernet0/13 unassigned <output omitted>
OK? Method Status YES unset up
Protocol up

SW1#configure terminal Enter configuration commands, one per line. End with CTRL-Z.
Enter interface configuration mode.

SW1(config)#interface FastEthernet 0/13
Change the duplex setting to full.

SW1(config-if)#duplex full
Save your changes by copying the running configuration to the startup configuration.
SW1(config)#interface FastEthernet 0/13 SW1(config-if)#end SW1#copy run start Destination filename [startup-config]? Building configuration... [OK]

Task 1: Inspect the Router Hardware and Software
Step 1 Enter this command on the Branch router:
Router>enable Router#
Task 2: Create the Initial Router Configuration

Step 1 Answer No to the initial configuration dialog question and use the enable command to enter privileged EXEC mode.
Would you like to enter the initial configuration dialog? [yes/no]: no Would you like to terminate autoinstall? [yes]: <output omitted> Router> Router>enable Router#
Step 2 Use the command hostname to set the hostname.

Router(config)# Router(config)#hostname Branch Branch(config)#
Step 3 Enter these commands on the Branch router to enter interface configuration mode, enable the interface, and provide a description:
Branch(config)#interface GigabitEthernet 0/0 Branch(config-if)#no shutdown %LINK-3-UPDOWN: Interface GigabitEthernet0/0, changed state to down %LINK-3-UPDOWN: Interface GigabitEthernet0/0, changed state to up %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/0, changed state to up Branch(config-if)#description Link to LAN Switch
Lab Guide
L-227

Branch(config-if)#ip address 10.1.1.1 255.255.255.0
Step 6 Use this command on the Branch router:

Branch#copy running-config startup-config Destination filename [startup-config]? Building configuration... [OK] Branch#

Step 1 Enter these commands on the Branch router:
Branch#configure terminal Branch(config)#line console 0 Branch(config-line)#exec-timeout 60 0
Step 3 Use the logging synchronous command on the Branch router:

Branch(config-line)#logging synchronous
Step 4 On the Branch router, use the command no ip domain lookup in global configuration mode to disable the resolution of symbolic names.
Branch(config)#no ip domain lookup
Step 5 On the Branch router, use the command write memory to copy the configuration into NVRAM.
Branch#write memory

Task 1: Configure a Manual IP Address and Static Default Route
Step 3 Enter the following commands on the Branch router:
Branch(config)#interface GigabitEthernet0/1 Branch(config-if)#no shutdown Branch(config-if)#ip address 209.165.201.1 255.255.255.224
Step 6 The Branch router does not have a route to reach networks that are not directly connected. Step 7 No, there is no route present for the IP address of the server. Step 8 Enter the following command on the Branch router:
Branch#configure terminal Branch(config)#ip route 0.0.0.0 0.0.0.0 209.165.201.2

Branch(config)#exit Branch#copy running-config startup-config
Step 12 Enter the following command on the Branch router:

Branch(config)#no ip route 0.0.0.0 0.0.0.0 209.165.201.2
Task 2: Configure a DHCP-Obtained IP Address
Lab Guide
L-229

Branch(config-if)#interface GigabitEthernet0/1 Branch(config-if)#ip address dhcp

Branch(config-if)#exit Branch(config)#exit Branch#copy running-config startup-config
Step 5 The default route was set by the Branch router automatically. The Branch router received knowledge of the default gateway from the DHCP server and it set the static route next-hop IP address to the IP address of the default gateway. Step 12 The solution that could be implemented on the Branch router to provide connectivity between PC1 and the server is NAT. With NAT, the source IP address in a packet would be translated into the outside IP address of the Branch router. The HQ router would then know how to send a returning packet back to the Branch router, because the routers are directly connected. The destination IP address in the packet would be then translated back to the IP address of PC1 and sent to PC1.
Task 3: Configure NAT

Branch(config)#access-list 1 permit 10.1.1.0 0.0.0.255

Branch(config)#ip nat pool NAT_POOL 209.165.201.5 209.165.201.10 netmask 255.255.255.224
You can accommodate up to six hosts at the same time using the configured NAT pool. Step 4 Enter the following commands on the Branch router:
Branch(config)#interface GigabitEthernet0/0 Branch(config-if)#ip nat inside

Branch(config)#interface GigabitEthernet0/1 Branch(config-if)#ip nat outside

Branch(config)#ip nat inside source list 1 pool NAT_POOL

Task 4: Configure NAT with PAT

Branch(config)#no ip nat inside source list 1 pool NAT_POOL Dynamic mapping in use, do you want to delete all entries? [no]: yes
Step 3 Enter the following command on the Branch router (and then answer with yes):
Branch(config)#ip nat inside source list 1 interface GigabitEthernet0/1 overload
Lab Guide
L-231
You can accommodate approximately 64,000 hosts by overloading one IP address. Step 4 Enter the following commands on the Branch router:

Task 1: Add Password Protection
Step 2 Enter this sequence of commands into the Branch router:
Branch>enable Branch#configure terminal Branch(config)#line console 0 Branch(config-line)#password cisco Branch(config-line)#login
Step 5 Enter the following command sequence into the Branch router:
Branch(config)#username ccna secret cisco Branch(config)#line console 0 Branch(config-line)#login local

Branch(config)#line vty 0 15 Branch(config-line)#login local

Branch(config)#enable secret cisco

Branch#copy running-config startup-config
Step 14 Enter this sequence of commands on SW1:

SW1(config)#enable secret cisco SW1(config)#username ccna secret cisco SW1(config)#line console 0 SW1(config-line)#login local SW1(config-line)#line vty 0 15 SW1(config-line)#login local
Step 15 Enter this command on the SW1 switch:

Task 2: Enable SSH Remote Access

Step 1 Enter this sequence of commands on the Branch router:
Branch(config)#ip domain-name cisco.com Branch(config)#crypto key generate rsa The name for the keys will be: Branch.cisco.com Choose the size of the key modulus in the range of 360 to 2048 for your General Purpose Keys. Choosing a key modulus greater than 512 may take a few minutes. How many bits in the modulus [512]: 1024 % Generating 1024 bit RSA keys, keys will be non-exportable...[OK] Branch(config)#line vty 0 15 Branch(config-line)#transport input ssh Branch(config-line)#exit Branch(config)#ip ssh version 2

Lab Guide
L-233
Step 3 Enter this sequence of commands on the SW1 switch:

SW1(config)#ip domain-name cisco.com SW1(config)#crypto key generate rsa The name for the keys will be: SW1.cisco.com Choose the size of the key modulus in the range of 360 to 2048 for your General Purpose Keys. Choosing a key modulus greater than 512 may take a few minutes. How many bits in the modulus [512]: 1024 % Generating 1024 bit RSA keys, keys will be non-exportable...[OK] SW1(config)#line vty 0 15 SW1(config-line)#transport input ssh SW1(config-line)#ip ssh version 2

Task 3: Limit Remote Access to Selected Network Addresses

SW1(config)#access-list 1 permit host 10.1.1.1 SW1(config)#access-list 1 deny any log

Task 4: Configure a Login Banner

Branch(config)#banner login #********** Warning ************* Enter TEXT message. End with the character '#'. Access to this device is restricted to authorized persons only! Unauthorized access is prohibited. Violators will be prosecuted. ***********************************************#

Step 3 Enter the following command on the SW1 switch:

SW1(config)#banner login #********** Warning ************* Enter TEXT message. End with the character '#'. Access to this device is restricted to authorized persons only! Unauthorized access is prohibited. Violators will be prosecuted. ***********************************************#


Task 1: Disable Unused Ports
Step 2 Enter this sequence of commands into the SW1 switch:
SW1(config)#interface range FastEthernet 0/14 - 24 SW1(config-if-range)#shutdown
Step 4 Enter the following commands on the SW1 switch:

Task 2: Configure Port Security on a Switch
Lab Guide
L-235
Step 4 Enter these commands on the SW1 switch:

SW1(config)#interface FastEthernet 0/13 SW1(config-if)#switchport mode access

SW1(config-if)#switchport port-security mac-address f866.f231.7251 SW1(config-if)#switchport port-security

SW1(config-if)#no switchport port-security mac-address f866.f231.7251 SW1(config-if)#switchport port-security mac-address f866.f231.7250

SW1(config-if)#shutdown SW1(config-if)#no shutdown
Step 14 Enter this command into the SW1 switch:

SW1(config-if)#no switchport port-security

Task 3: Disable Unused Services
Step 3 Enter this sequence of commands into the switch.

SW1(config)#interface FastEthernet 0/13 SW1(config-if)#no cdp enable
Step 6 Enter this sequence of commands into the switch.

SW1(config)#interface FastEthernet 0/13 SW1(config-if)#cdp enable

Task 4: Configure NTP

Branch(config)#ntp server 172.16.1.100
Step 3 The stratum of the clock on the Branch router is 4. Step 5 Enter the following command on the SW1 switch:
SW1(config)#ntp server 10.1.1.1
Step 6 The stratum of the clock on the SW1 switch is 5.
Lab Guide
L-237
Step 7 Enter the following commands on the SW1 switch and Branch router:

Task 1: Configure an ACL
Branch(config)#ip access-list extended Telnet Branch(config-ext-nacl)#deny tcp host 10.1.1.101 host 172.16.1.100 eq telnet Branch(config-ext-nacl)#permit ip any any

Branch(config)#interface GigabitEthernet 0/0 Branch(config-if)#ip access-group Telnet in

Task 3: Troubleshoot an ACL

Branch(config)#interface GigabitEthernet 0/0 Branch(config-if)#no ip access-group out Branch(config-if)#ip access-group in

Branch(config)#ip access-list extended Telnet Branch(config-ext-nacl)#no 10 Branch(config-ext-nacl)#no 20 Branch(config-ext-nacl)#40 permit ip any any


Task 1: Configure a VLAN
SW2#configure terminal SW2(config)#interface vlan 1 SW2(config-if)#ip address 10.1.1.12 255.255.255.0

SW1#configure terminal SW1(config)#vlan 10 SW1(config)-vlan)#vlan 20
Enter this sequence of commands on SW2:

SW2#configure terminal SW2(config)#vlan 10 SW2(config)-vlan)#vlan 20
Lab Guide
L-239

SW1(config)#interface FastEthernet0/1 SW1(config-if)#switchport access vlan 10
Enter this sequence of commands on SW2:

SW2(config)#interface FastEthernet0/1 SW2(config-if)#switchport access vlan 20
Step 6 Enter the following command on the SW1 switch.

Enter the following command on the SW2 switch.

Task 2: Configure the Link Between Switches as a Trunk

SW1(config)#interface FastEthernet 0/3 SW1(config-if)#switchport mode trunk SW1(config-if)#switchport trunk allowed vlan 1,10,20
Enter this sequence of commands on the SW2 switch:

SW2(config)#interface FastEthernet 0/3 SW2(config-if)#switchport mode trunk SW2(config-if)#switchport trunk allowed vlan 1,10,20

Enter the following command on the SW2 switch.
Task 3: Configure a Trunk Link on the Router

SW1(config)#interface FastEthernet 0/13 SW1(config-if)#switchport mode trunk

Step 3 Enter the following commands on the Branch router.

Branch#configure terminal Branch(config)#interface GigabitEthernet0/0 Branch(config-if)#no ip address

Branch(config)#interface GigabitEthernet 0/0.1 Branch(config-if)#encapsulation dot1q 1 Branch(config-if)#ip address 10.1.1.1 255.255.255.0 Branch(config-if)#exit Branch(config)#interface GigabitEthernet 0/0.10 Branch(config-if)#encapsulation dot1q 10 Branch(config-if)#ip address 10.1.10.1 255.255.255.0 Branch(config-if)#exit Branch(config)#interface GigabitEthernet 0/0.20 Branch(config-if)#encapsulation dot1q 20 Branch(config-if)#ip address 10.1.20.1 255.255.255.0
Step 5 Enter the following command on the Branch router.

Lab Guide
L-241

Task 1: Configure DHCP Pools
Step 1 Enter global configuration mode and enter this sequence of commands on the Branch router:
Branch(config)# ip dhcp pool VLAN10 Branch(dhcp-config)# network 10.1.10.0 /24
Step 2 Define the default gateway and DNS server for the configured DHCP pool, as indicated in the output.
Branch(config)# ip dhcp pool VLAN10 Branch(dhcp-config)# default-router 10.1.10.1 Branch(dhcp-config)# dns-server 10.1.10.1
Step 3 Enter this command on the router:

Branch(dhcp-config)# lease 0 2

Branch# copy running-config startup-config

Branch(config)# ip dhcp pool VLAN20 Branch(dhcp-config)# network 10.1.20.0 /24 Branch(dhcp-config)# default-router 10.1.20.1 Branch(dhcp-config)# dns-server 10.1.20.1 Branch(dhcp-config)# lease 0 12
Step 10 Use the show ip dhcp binding command to verify that PC2 has obtained an IP address dynamically.
Branch# show ip dhcp binding Bindings from all pools not associated with VRF: IP address Client-ID/ Lease expiration Hardware address/ User name 10.1.10.2 0100.0c29.4532.be Oct 19 2012 03:39 PM 10.1.20.2 0100.0c29.8807.34 Oct 20 2012 01:24 AM
Type Automatic Automatic
Task 2: Exclude Specific IP Addresses from DHCP Pools

Step 1 To exclude specific IP addresses, use the ip dhcp excluded-address command, as indicated in the output.
Branch(config)# Branch(config)# Branch(config)# Branch(config)# ip ip ip ip dhcp dhcp dhcp dhcp excluded-address excluded-address excluded-address excluded-address 10.1.10.1 10.1.10.99 10.1.10.150 10.1.10.254 10.1.20.1 10.1.20.99 10.1.20.150 10.1.20.254

Task 3: Configure DHCP Relay Agent

Step 1 Use the following commands to remove the DHCP pool configuration:
Branch(config)# no ip dhcp pool VLAN10 Branch(config)# no ip dhcp pool VLAN20
Step 3 Configure the DHCP relay agent using the ip helper-address command on both subinterfaces, as indicated in the output:
Branch(config)# interface GigabitEthernet 0/0.10 Branch(config-subif)# ip helper-address 172.16.1.100 Branch(config-subif)# exit Branch(config)# interface GigabitEthernet 0/0.20 Branch(config-subif)# ip helper-address 172.16.1.100
Lab Guide
L-243

Step 5 Release the current DHCP lease using the ipconfig /release command.

Task 1: Connect the Router to the WAN
Branch# configure terminal Branch(config)# interface GigabitEthernet0/1 Branch(config-if)# no ip nat outside Branch(config-if)# no ip address dhcp

Branch(config-if)# ip address 192.168.1.1 255.255.255.0
Task 2: Configure OSPF

Branch(config)# router Branch(config-router)# Branch(config-router)# Branch(config-router)# Branch(config-router)# ospf 100 network 10.1.1.0 0.0.0.255 area 0 network 10.1.10.0 0.0.0.255 area 0 network 10.1.20.0 0.0.0.255 area 0 network 192.168.1.0 0.0.0.255 area 0

Task 1: Enable IPv6 on the Router
Branch(config)#ipv6 unicast-routing

Branch(config)#interface GigabitEthernet 0/1 Branch(config-if)#ipv6 address 2001:db8:D1A5:C900::1/64


Task 1: Enable Stateless Autoconfiguration on the Router
Branch(config)# interface GigabitEthernet 0/1 Branch(config-if)# no ipv6 address 2001:DB8:D1A5:C900::1/64

Branch(config)# interface GigabitEthernet 0/1 Branch(config-if)# ipv6 address autoconfig
Lab Guide
L-245

Task 1: Enable IPv6 Static Routing
Branch(config)# ipv6 route ::/0 Gi0/1 2001:DB8:D1A5:C900::2
Task 2: Enable OSPFv3

Branch(config)# no ipv6 route ::/0 Gi0/1 2001:DB8:D1A5:C900::2

Branch(config)# ipv6 router ospf 1 Branch(config-rtr)# router-id 0.0.0.2

Branch(config)# interface GigabitEthernet 0/1 Branch(config-if)# ipv6 ospf 1 area 0

Task 1: Configure Basic Settings, VLANs, Trunks, and Port Security on Switches
Step 2 Enter the following commands on the SW1 and SW2 switches:
SW1# erase startup-config SW1# delete vlan.dat SW1# reload
SW2# erase startup-config SW2# delete vlan.dat SW2# reload

Switch# configure terminal Switch(config)# hostname SW1
Enter the following commands on the SW2 switch:

Switch# configure terminal Switch(config)# hostname SW2

SW1(config-if)# interface vlan 1 SW1(config-if)# ip address 10.1.1.11 255.255.255.0 SW1(config-if)# no shutdown

SW2(config-if)# interface vlan 1 SW2(config-if)# ip address 10.1.1.12 255.255.255.0 SW2(config-if)# no shutdown

SW1(config)# enable secret cisco

SW2(config)# enable secret cisco
Lab Guide
L-247

SW1(config)# line SW1(config-line)# SW1(config-line)# SW1(config-line)# con 0 password cisco login logging synchronous

SW2(config)# line SW2(config-line)# SW2(config-line)# SW2(config-line)# con 0 password cisco login logging synchronous

SW1(config)# ip domain-name cisco.com SW1(config)# crypto key generate rsa SW1(config)# ip ssh version 2 SW1(config)# line vty 0 4 SW1(config-line)# transport input ssh telnet

SW2(config)# ip domain-name cisco.com SW2(config)# crypto key generate rsa SW2(config)# ip ssh version 2 SW2(config)# line vty 0 4 SW2(config-line)# transport input ssh telnet

SW1(config)# username ccna password cisco SW1(config)# line vty 0 4 SW1(config-line)# login local

SW2(config)# username ccna password cisco SW2(config)# line vty 0 4 SW2(config-line)# login local

SW1(config)# vlan 10 SW1(config-vlan)# exit SW1(config)# vlan 20

SW2(config)# vlan 10 SW2(config-vlan)# exit SW2(config)# vlan 20

SW1(config)# interface FastEthernet0/3 SW1(config-if)# switchport mode trunk SW1(config-if)# switchport trunk allowed vlan 1,10,20 SW1(config)# SW1(config)# interface FastEthernet0/4 SW1(config-if)# shutdown

SW2(config)# interface FastEthernet0/3 SW2(config-if)# switchport mode trunk SW2(config-if)# switchport trunk allowed vlan 1,10,20 SW2(config)# SW2(config)# interface FastEthernet0/4 SW2(config-if)# shutdown

SW1(config)# interface FastEthernet0/1 SW1(config-if)# switchport mode access SW1(config-if)# switchport access vlan 10
Lab Guide
L-249
SW2(config)# interface FastEthernet0/1 SW2(config-if)# switchport mode access SW2(config-if)# switchport access vlan 20

SW1# configure terminal SW1(config)# interface FastEthernet0/1 SW1(config-if)# switchport port-security violation protect SW1(config-if)# switchport port-security maximum 1 SW1(config-if)# switchport port-security mac-address 000c.293b.709d SW1(config-if)# switchport port-security

SW2# configure terminal SW2(config)# interface FastEthernet0/1 SW2(config-if)# switchport port-security violation protect SW2(config-if)# switchport port-security maximum 1 SW2(config-if)# switchport port-security mac-address 000c.29a8.a05a SW2(config-if)# switchport port-security
Task 2: Configure Inter-VLAN Routing

Branch# erase startup-config Branch# reload

Router# configure terminal Router(config)# hostname Branch

Branch(config)# enable secret cisco

Branch(config)# line Branch(config-line)# Branch(config-line)# Branch(config-line)# con 0 password cisco login logging synchronous

Branch(config)# line vty 0 4 Branch(config-line)# password cisco Branch(config-line)# login

Branch(config)# interface GigabitEthernet0/0 Branch(config-if)# no shutdown Branch(config)# Branch(config-if)# interface GigabitEthernet0/0.1 Branch(config-subif)# encapsulation dot1Q 1 native Branch(config-subif)# ip address 10.1.1.1 255.255.255.0 Branch(config)# Branch(config-subif)# interface GigabitEthernet0/0.10 Branch(config-subif)# encapsulation dot1Q 10 Branch(config-subif)# ip address 10.1.10.1 255.255.255.0 Branch(config)# Branch(config-subif)# interface GigabitEthernet0/0.20 Branch(config-subif)# encapsulation dot1Q 20 Branch(config-subif)# ip address 10.1.20.1 255.255.255.0

SW1# configure terminal SW1(config)# interface FastEthernet0/13 SW1(config-if)# switchport mode trunk SW1(config-if)# switchport trunk allowed vlan 1,10,20
Task 3: Configure Internet Connectivity
Lab Guide
L-251

Branch# configure terminal Branch(config)# interface GigabitEthernet0/1 Branch(config-if)# ip address 209.165.201.1 255.255.255.224 Branch(config-if)# no shutdown

Branch(config)# ip route 0.0.0.0 0.0.0.0 209.165.201.2

Branch(config)# access-list 1 permit 10.1.10.0 0.0.0.255 Branch(config)# access-list 1 permit 10.1.20.0 0.0.0.255

Branch(config)# ip nat inside source list 1 interface GigabitEthernet0/1 overload Branch(config)# interface GigabitEthernet0/1 Branch(config-if)# ip nat outside Branch(config-subif)# Branch(config-if)# interface GigabitEthernet0/0.10 Branch(config-subif)# ip nat inside Branch(config-subif)# Branch(config-subif)# interface GigabitEthernet0/0.20 Branch(config-subif)# ip nat inside

Branch(config)# ip access-list extended OUTSIDE Branch(config-ext-nacl)# deny tcp any gt 1024 any Branch(config-ext-nacl)# deny udp any gt 1024 any Branch(config-ext-nacl)# permit ip any any Branch(config)# Branch(config)# interface GigabitEthernet0/1 Branch(config-if)# ip access-group OUTSIDE in
Task 4: Configure WAN Connectivity and a Dynamic Routing Protocol

Branch# telnet 209.165.201.2 Trying 209.165.201.2 ... Open HQ#
Step 3 Enter the following commands on the HQ router:

HQ# configure terminal HQ(config)# interface GigabitEthernet0/1 HQ(config-if)# ip address 192.168.1.2 255.255.255.0

Branch# configure terminal Branch(config)# interface GigabitEthernet0/1 Branch(config-if)# no ip nat outside

Branch# configure terminal Branch(config)# interface GigabitEthernet0/1 Branch(config-if)# ip address 192.168.1.1 255.255.255.0

Branch(config)# interface Loopback10 Branch(config-if)# ip address 10.100.100.100 255.255.255.255
Each router running OSPF requires a router ID. The router ID will be the highest IP address of the router on a loopback interface, if configured, or the highest IP address on an interface, if a loopback interface is not configured. Because loopback is a stable interface and cannot go down, it is recommended to configure the loopback interface for the OSPF router ID.
Lab Guide
L-253

Branch(config)# router ospf 1

Branch(config-router)# Branch(config-router)# Branch(config-router)# Branch(config-router)# Branch(config-router)# network network network network network 192.168.1.0 0.0.0.255 area 0 10.1.1.0 0.0.0.255 area 0 10.1.10.0 0.0.0.255 area 0 10.1.20.0 0.0.0.255 area 0 10.100.100.100 0.0.0.0 area 0
Task 5: Configure IPv6 Connectivity in the LAN

Branch# configure terminal Branch(config)# ipv6 unicast-routing

Branch(config-if)# interface GigabitEthernet0/0.1 Branch(config-subif)# ipv6 address 2001:db8:0A01:100::1/64 Branch(config)# Branch(config-subif)# interface GigabitEthernet0/0.10 Branch(config-subif)# ipv6 address 2001:db8:0A01:A00::1/64 Branch(config)# Branch(config-subif)# interface GigabitEthernet0/0.20 Branch(config-subif)# ipv6 address 2001:db8:0A01:1400::1/64
Step 1 The link-local IPv6 address is the same on all subinterfaces because the link-local IPv6 address is derived from the MAC address, which is the same on all subinterfaces. All subinterfaces use the MAC address of the physical interface.
Step 2 The default gateway on the PC is the link-local IPv6 address of the router of the directly connected interface (GigabitEthernet0/0.10). Step 6 The default gateway on the PC is the link-local IPv6 address of the router of the directly connected interface (GigabitEthernet0/0.20).
Task 6: Configure the OSPFv3 Routing Protocol

Branch# telnet 192.168.1.2 Trying 192.168.1.2 ... Open HQ#
Step 3 Enter the following commands on the HQ router:

HQ# configure terminal HQ(config)# interface GigabitEthernet0/1 HQ(config-if)# no ipv6 address 2001:DB8:D1A5:C900::2/64 HQ(config-if)# ipv6 address 2001:db8:c0a8:100::2/64 HQ(config-if)# ipv6 ospf 1 area 0 HQ(config-if)# end HQ# exit

Branch#configure terminal Branch(config)#interface GigabitEthernet0/1 Branch(config-if)#ipv6 address 2001:db8:c0a8:100::1/64
Step 1 The HQ router ID is 0.0.0.1. OSPFv3 uses an IPv4 address-like format of the router ID.
Lab Guide
L-255
Step 2 The Branch router ID is 10.100.100.100, which is the IPv4 address on the Loopback0 interface. OSPFv3 uses the same mechanisms as OSPF to determine the router ID.

ICND120LG

Enviado por

Dados do documento

Descrição original:

Direitos autorais

Formatos disponíveis

Compartilhar este documento

Compartilhar ou incorporar documento

Opções de compartilhamento

Você considera este documento útil?

Este conteúdo é inapropriado?

Direitos autorais:

Formatos disponíveis

ICND120LG

Enviado por

Direitos autorais:

Formatos disponíveis

ICND1

Interconnecting Cisco Networking Devices, Part 1

Americas Headquarters Cisco Systems, Inc. San Jose, CA

Asia Pacific Headquarters Cisco Systems (USA) Pte. Ltd. Singapore

Europe Headquarters Cisco Systems International BV Amsterdam, The Netherlands

2013 Cisco Systems, Inc.

Lab 1-2: Troubleshooting Switch Media Issues

Lab 2-1: Performing Initial Router Setup and Configuration

Lab 2-2: Connecting to the Internet

Lab 3-1: Enhancing the Security of the Initial Configuration

L-57 L-64 L-69 L-71

Lab 3-2: Device Hardening

Lab 3-3: Filtering Traffic with ACLs

Lab 4-1: Configuring Expanded Switched Networks

Lab 4-2: Configuring DHCP Server

Lab 4-3: Implementing OSPF

Interconnecting Cisco Networking Devices, Part 1

2013 Cisco Systems, Inc.

L-141 L-143 L-144

Lab 5-1: Configure and Verify Basic IPv6

Lab 5-2: Configure and Verify Stateless Autoconfiguration

Lab 5-3: Configure and Verify IPv6 Routing

Lab S-1: ICND1 Superlab

Lab Answer Keys

2013 Cisco Systems, Inc.

L-242 L-244 L-245 L-245 L-246 L-246

Interconnecting Cisco Networking Devices, Part 1

2013 Cisco Systems, Inc.

Lab 1-1: Performing Switch Startup and Initial Configuration

2013 Cisco Systems, Inc.

Detailed Visual Objective

2013 Cisco Systems, Inc.

Interconnecting Cisco Networking Devices, Part 1

2013 Cisco Systems, Inc.

Cisco IOS Switch Commands

end erase startup-config exit history size number

reload show clock

2013 Cisco Systems, Inc.

Command show flash: show startup-config show terminal show version

Interconnecting Cisco Networking Devices, Part 1

2013 Cisco Systems, Inc.

Topology and IP Addressing

2013 Cisco Systems, Inc.

2013 Cisco Systems, Inc.

Task 1: Perform a Reload and Verify that the Switch Is Unconfigured

Interconnecting Cisco Networking Devices, Part 1

2013 Cisco Systems, Inc.

2013 Cisco Systems, Inc.

Task 2: Configure the Switch with a Hostname and an IP Address

Interconnecting Cisco Networking Devices, Part 1

2013 Cisco Systems, Inc.

2013 Cisco Systems, Inc.

Task 3: Explore Context-Sensitive Help

L-10 Interconnecting Cisco Networking Devices, Part 1

2013 Cisco Systems, Inc.

Task 4: Improve the Usability of the CLI

2013 Cisco Systems, Inc.

L-12 Interconnecting Cisco Networking Devices, Part 1

2013 Cisco Systems, Inc.

Lab 1-2: Troubleshooting Switch Media Issues

Visual Objective for Lab 1-2: Troubleshooting Switch Media Issues

2013 Cisco Systems, Inc.

Detailed Visual Objective