Lab Guide
Part Number: 97-3244-01
Cisco has more than 200 offices worldwide. Addresses, phone numbers, and fax numbers are listed on the Cisco Website at www.cisco.com/go/offices. Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: www.cisco.com/go/trademarks. Third party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1110R) DISCLAIMER WARRANTY: THIS CONTENT IS BEING PROVIDED AS IS. CISCO MAKES AND YOU RECEIVE NO WARRANTIES IN CONNECTION WITH THE CONTENT PROVIDED HEREUNDER, EXPRESS, IMPLIED, STATUTORY OR IN ANY OTHER PROVISION OF THIS CONTENT OR COMMUNICATION BETWEEN CISCO AND YOU. CISCO SPECIFICALLY DISCLAIMS ALL IMPLIED WARRANTIES, INCLUDING WARRANTIES OF MERCHANTABILITY, NON-INFRINGEMENT AND FITNESS FOR A PARTICULAR PURPOSE, OR ARISING FROM A COURSE OF DEALING, USAGE OR TRADE PRACTICE. This learning product may contain early release content, and while Cisco believes it to be accurate, it falls subject to the disclaimer above.
Table of Contents

Lab 1-1: Performing Switch Startup and Initial Configuration  L-1
    Visual Objective  L-2
    Required Resources  L-3
    Command List  L-3
    Job Aids  L-4
    Task 1: Perform a Reload and Verify that the Switch Is Unconfigured  L-6
    Task 2: Configure the Switch with a Hostname and an IP Address  L-8
    Task 3: Explore Context-Sensitive Help  L-10
    Task 4: Improve the Usability of the CLI  L-11

    Task 1: Add Password Protection
    Task 2: Enable SSH Remote Access
    Task 3: Limit Remote Access to Selected Network Addresses
    Task 4: Configure a Login Banner

    Job Aids
    Task 1: Connect the Router to the WAN
    Task 2: Configure OSPF

Lab 4-2: Configuring DHCP Server
Lab 4-3: Implementing OSPF
Lab 5-1: Configure and Verify Basic IPv6
Lab 5-2: Configure and Verify Stateless Autoconfiguration
Lab 5-3: Configure and Verify IPv6 Routing
Lab S-1: ICND1 Superlab
Visual Objective
The figure illustrates what you will accomplish in this activity.
Visual Objective for Lab 1-1: Performing Switch Startup and Initial Configuration
(Figure: network topology showing Branch, HQ, Server, PC1, SW1, PC2, and SW2; this lab uses PC1 and SW1.)
Required Resources
No additional resources are required for this lab.
Command List
The table describes the commands that are used in this activity. The commands are listed in alphabetical order so that you can easily locate the information that you need. Refer to this list if you need configuration command assistance during the lab activity.

Command
    Description
enable
    Enters the privileged EXEC mode command interpreter
hostname hostname
    Sets the system hostname, which is shown in the prompt
interface vlan 1
    Enters interface configuration mode for VLAN 1, the switch management interface
ip address ip-address subnet-mask
    Assigns an IP address and subnet mask to the interface
line console 0
    Enters line configuration mode for the console port
logging synchronous
    Synchronizes unsolicited messages and debug output with the input from the CLI
show flash
    Displays the layout and contents of a flash memory file system
show startup-config
    Displays the startup configuration settings that are saved in NVRAM
show terminal
    Displays the current settings for the terminal
show version
    Displays the configuration of the switch hardware and the various software versions
Job Aids
These job aids are available to help you complete the lab activity. The table shows the hardware that is used in the lab and the operating system that is running on the devices.
Device   Hardware                       Operating System
SW1      Catalyst 2960 Series Switch    c2960-lanbasek9-mz.150-1.SE3
PC1      Any PC                         Microsoft Windows 7
There are no console or enable passwords set for the router and switch in the initial lab setup. The table shows the username and password that are used to access PC1.
Device   Username        Password
PC1      Administrator   admin
Topology and IP Addressing
Devices are connected by Ethernet connections. The figure illustrates the interface identification and IP addresses that are used in this lab setup.
(Figure: PC1 at 10.1.1.100 connected to SW1 at 10.1.1.11.)
The table shows the interface identification and IP addresses that are used in this lab setup.

Device   Interface                                  IP Address     Subnet Mask
SW1      VLAN1                                      10.1.1.11      255.255.255.0
PC1      Ethernet adapter local area connection     10.1.1.100     255.255.255.0
Setting the IP Address on a PC
On a PC, click Start and choose Control Panel. Click Change Adapter Settings and then right-click Local Area Connection. Choose Properties. When you are presented with the Local Area Connection Properties dialog, click Internet Protocol Version 4 (TCP/IPv4) and then click Properties. In the Internet Protocol Version 4 (TCP/IPv4) Properties window, click the Use the Following IP Address radio button and enter the appropriate IP address, subnet mask, and default gateway.
Step 2 To see the effect of entering a privileged-level command in user EXEC mode, enter the command erase startup-config. What was the result of issuing the command in an incorrect EXEC mode?
Step 3 Enter privileged EXEC mode. How do you know if you are in privileged EXEC mode and not user EXEC mode?
Step 4 Erase the startup configuration. Because the switch also stores a small part of the configuration in the file vlan.dat in flash memory, delete that file as well before performing a reload. Observe the output during the reload.
Step 5 Press Enter when the switch boots and skip the initial configuration dialog. You will know that the switch has finished booting when you see "Press RETURN to get started!" in the console output. How do you know that the startup configuration has been erased?
Step 6 Using the appropriate show command, investigate the switch model number, software version, and amount of RAM and flash memory.
Activity Verification
You have completed this task when you attain these results:
- You performed a switch reload.
- You verified that the switch is unconfigured.
Step 4 Assign the IP address of PC1, as listed in the Job Aids section. Leave the default gateway empty.
Step 5 From PC1, ping the VLAN 1 IP address of SW1 to confirm Layer 3 connectivity.
Activity Verification
You have completed this task when you attain these results:
- You configured the switch with a hostname and a VLAN 1 IP address.
- You configured PC1 with the correct IP address.
- Your ping from PC1 to the VLAN 1 IP address of SW1 was successful.
Note
Configuring the IP address on the switch is not mandatory to start the switch running, but it is necessary for remote management access to the switch.
Step 3 Verify the current date and time using the appropriate show command.
Step 4 Type the following comment line at the prompt and then press Enter:
!ths command changuw the clck sped for the swch
Note An exclamation point (!) at the beginning of the line indicates that you are entering a comment. The comment will not be part of the switch configuration. Comments are a great help when you are working on a configuration in a text editor and plan to upload it to a device.
Step 5 Press Ctrl-P or press the Up Arrow key to see the previous line. Use the editor commands Ctrl-A, Ctrl-F, Ctrl-E, and Ctrl-B to move along the line, and use the Backspace key to delete unwanted characters. Using the editing commands, correct the comment line to read:
!This command changes the clock speed for the switch.
Activity Verification
You have completed this task when you attain these results:
- You used the system help and command-completion functions.
- You used the built-in editor and the keystrokes for cursor navigation.
Step 3 The no ip domain lookup command disables the resolution of symbolic names. With lookup enabled, a mistyped command is treated as a hostname and the system tries to translate it into an IP address, which takes about 5 seconds to time out. Disable IP domain lookup.
Step 4 The default console access EXEC timeout is set to 10 minutes. After 10 minutes of inactivity, the user is disconnected from console access and is required to reconnect. Change this timer to 60 minutes.
Note Make sure that you are in console line configuration mode. To execute user EXEC or privileged EXEC commands from global configuration mode or other configuration modes or submodes, use the do command in any configuration mode.
Step 5 The logging synchronous command synchronizes unsolicited messages and debug privileged EXEC command output with the input from the CLI. Without it, status messages appear in the middle of a command that you are typing. Enable synchronous logging on line console 0.
Step 6 Save your running configuration to the startup configuration.
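The console-line settings that this task builds up, collected as one configuration fragment. This is an added example, not taken from the lab guide; the history size of 50 lines is an assumed value because the lab does not state one, and exec-timeout takes minutes followed by seconds. The same commands apply unchanged to the Branch router in the later console-access task.

```cisco
! Added example (not from the lab guide): console usability settings for SW1.
! Enter from global configuration mode; indentation shows the line submode.
no ip domain lookup
!
line console 0
 history size 50
 exec-timeout 60 0
 logging synchronous
!
end
!
! Verify the line settings and then save them to NVRAM:
! show running-config | section line con 0
! copy running-config startup-config
```

A 60-minute timeout keeps an unattended but authenticated console session open for that long, so treat it as a lab convenience rather than a production default.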
Activity Verification
You have completed this task when you attain these results:
- You changed the history buffer size.
- You disabled resolution of symbolic names.
- You set the inactivity timeout on the console line to 60 minutes.
- You enabled synchronous logging on the console line.
- You saved the running configuration to the startup configuration file.
Visual Objective
The figure illustrates what you will accomplish in this activity.
(Figure: network topology showing PC1, SW1, PC2, and SW2; this lab uses PC1 and SW1.)
Required Resources
These are the resources and equipment that are required to complete this activity:
- Successful completion of Lab 1-1: Performing Switch Startup and Initial Configuration
Command List
The table describes the commands that are used in this activity. The commands are listed in alphabetical order so that you can easily locate the information that you need. Refer to this list if you need configuration command assistance during the lab activity.
Command
    Description
configure terminal
    Enters global configuration mode
copy running-config startup-config
    Saves the running configuration into NVRAM as the startup configuration
duplex full
    Enables full duplex on an interface
enable
    Enters the privileged EXEC mode command interpreter
interface FastEthernet 0/13
    Specifies interface FastEthernet 0/13 and enters interface configuration mode
shutdown / no shutdown
    Disables or enables an interface
ping ip-address
    Uses ICMP echo requests and ICMP echo replies to determine whether a remote host is reachable
show interfaces FastEthernet 0/13
    Displays information about interface FastEthernet 0/13
show ip interface brief
    Displays a brief summary of the interfaces on a device, which is useful for quickly checking the status of the device
Job Aids
These job aids are available to help you complete the lab activity. The table shows the hardware that is used in the lab and the operating system that is running on the devices.
Device   Hardware                                   Operating System
Branch   Cisco 2901 Integrated Services Router      c2900-universalk9-mz.SPA.152-4.M1
SW1      Catalyst 2960 Series Switch                c2960-lanbasek9-mz.150-1.SE3
PC1      Any PC                                     Microsoft Windows 7
There are no console or enable passwords set for the router and switch in the initial lab setup. The table shows the username and password that are used to access PC1.
Device   Username        Password
PC1      Administrator   admin
Topology and IP Addressing
Devices are connected with Ethernet connections. The figure illustrates the interface identification and IP addresses that are used in this lab setup.
(Figure: PC1 at 10.1.1.100 connects to SW1 Fa0/1; SW1 at 10.1.1.11 connects to the Branch router through Fa0/13.)
The table shows the interface identification and IP addresses that are used in this lab setup.

Device   Interface                                  IP Address/Subnet Mask
Branch   Gi0/0                                      10.1.1.1/24
SW1      VLAN1                                      10.1.1.11/24
PC1      Ethernet adapter local area connection     10.1.1.100/24
Step 2 Load the configuration file tshoot_media_issues_start.cfg from the flash drive of the switch.
SW1#copy flash:tshoot_sw_media.cfg run
At this point, you have loaded a configuration file that includes your trouble tickets, presented in Tasks 2 and 3.
Activity Verification
You have completed this task when you attain this result:
- You loaded a configuration file from the switch flash drive.
Step 2 What is the status of interface FastEthernet0/1 on switch SW1, which connects to the PC1? What does this status mean?
Note
Use the ? command and the Tab key to help you with the command syntax.
Step 3 Correct the issue so that John can continue his work. Do not forget to verify Layer 3 connectivity between PC1 and SW1.
Step 4 Save the configuration of switch SW1. Why is it important at this stage to save the configuration?
Activity Verification
You have completed this task when you attain this result:
- You identified and corrected the problem that was reported by the user on PC1.
Task 3: Troubleshoot Connectivity Between Switch SW1 and the Branch Router
In this task, you will troubleshoot connectivity problems between the Branch router and switch SW1. You will correct the existing problem.
Activity Procedure
Complete the following steps:
Step 1 Your colleague informs you that switch SW1 is logging messages about a duplex mismatch and that they are unable to stop the messages. The senior engineers went out for lunch and left you alone to resolve this issue. How do you solve the problem indicated by this message? Using the appropriate show commands from the Command List section, identify the status of interface FastEthernet0/13, which connects to the Branch router.
Step 2 Correct the issue that you identified. Do not forget to save the changes that you made.
Activity Verification
You have completed this task when you attain this result:
- You identified and corrected the connectivity problem.
Visual Objective
The figure illustrates what you will accomplish in this activity.
Visual Objective for Lab 2-1: Performing Initial Router Setup and Configuration
(Figure: network topology showing Branch, HQ, Server, PC1, SW1, PC2, and SW2; this lab uses PC1, SW1, and the Branch router. Callout: Use Cisco Discovery Protocol to discover how devices are interconnected.)
Required Resources
No additional resources are required for this lab.
Command List
The table describes the commands that are used in this activity. The commands are listed in alphabetical order so that you can easily locate the information that you need. Refer to this list if you need configuration command assistance during the lab activity.
Job Aids
These job aids are available to help you complete the lab activity.
The table shows the hardware that is used in the lab and the operating system that is running on the devices.
Device   Hardware                                   Operating System
Branch   Cisco 2901 Integrated Services Router      c2900-universalk9-mz.SPA.152-4.M1
SW1      Catalyst 2960 Series Switch                c2960-lanbasek9-mz.150-1.SE3
PC1      Any PC                                     Microsoft Windows 7
There are no console or enable passwords set for the router and switch in the initial lab setup. The table shows the username and password that are used to access PC1.
Device   Username        Password
PC1      Administrator   admin

Topology and IP Addressing
Devices are connected with Ethernet connections. The figure illustrates the interface identification and IP addresses that are used in this lab setup.
(Figure: PC1 at 10.1.1.100 connects to SW1 Fa0/1; SW1 at 10.1.1.11 connects to the Branch router through Fa0/13.)
The table shows the interface identification and IP addresses that are used in this lab setup.

Device   Interface                                  IP Address/Subnet Mask
Branch   Gi0/0                                      10.1.1.1/24
SW1      VLAN1                                      10.1.1.11/24
PC1      Ethernet adapter local area connection     10.1.1.100/24
Use the show version command in privileged EXEC mode on the Branch router to display information about the currently loaded software, along with hardware and device information.

Router#show version
Cisco IOS Software, C2900 Software (C2900-UNIVERSALK9-M), Version 15.2(4)M1, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2012 by Cisco Systems, Inc.
Compiled Thu 26-Jul-12 20:54 by prod_rel_team

ROM: System Bootstrap, Version 15.0(1r)M15, RELEASE SOFTWARE (fc1)

Router uptime is 15 minutes
System returned to ROM by reload at 17:06:50 UTC Thu Nov 22 2012
System restarted at 17:09:24 UTC Thu Nov 22 2012
System image file is "flash0:c2900-universalk9-mz.SPA.152-4.M1.bin"
Last reload type: Normal Reload
Last reload reason: Reload Command
<output omitted>
Cisco CISCO2901/K9 (revision 1.0) with 483328K/40960K bytes of memory.
Processor board ID FCZ1642C5XJ
2 Gigabit Ethernet interfaces
1 Serial(sync/async) interface
1 terminal line
DRAM configuration is 64 bits wide with parity enabled.
255K bytes of non-volatile configuration memory.
250880K bytes of ATA System CompactFlash 0 (Read/Write)
<output omitted>
Step 3 Use the correct show command to verify that the router has a startup configuration. If it has, erase the startup configuration by issuing the erase startup-config command.
Router#erase startup-config
Erasing the nvram filesystem will remove all configuration files! Continue? [confirm]
[OK]
Erase of nvram: complete
Router#
After you have erased the startup configuration, verify that it no longer exists.
Router#show startup-config
startup-config is not present
Step 4 Reload the router and observe the console output during startup.
Router#reload
Proceed with reload? [confirm]
Sep 11 11:31:16.663: %SYS-5-RELOAD: Reload requested by console. Reload Reason: Reload Command.

System Bootstrap, Version 15.0(1r)M1, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 2009 by cisco Systems, Inc.
Total memory size = 512 MB - On-board = 512 MB, DIMM0 = 0 MB
CISCO2901/K9 platform with 524288 Kbytes of main memory
Main memory is configured to 72/-1(On-board/DIMM0) bit mode with ECC enabled

Readonly ROMMON initialized
program load complete, entry point: 0x80803000, size: 0x1b340
program load complete, entry point: 0x80803000, size: 0x1b340

IOS Image Load Test
<output omitted>

Activity Verification
You have completed this task when you attain these results:
- You collected hardware and software device information.
- You erased the startup configuration.
- You reloaded the router and observed the startup output.

Activity Procedure
Complete the following steps:
Step 1 Skip the initial configuration dialog, terminate the autoinstall, and enter privileged EXEC mode.
Step 2 Set the router hostname to Branch. The prompt will reflect the new hostname.
Step 3 Enable interface GigabitEthernet0/0 and set its description to Link to LAN Switch.
Step 4 Configure the IP address 10.1.1.1 on the interface. Use a subnet mask of 255.255.255.0.
Step 5 Return to privileged EXEC mode and verify the GigabitEthernet0/0 interface status, interface description, and IP address assignment by using a suitable verification command.
Branch#show interfaces GigabitEthernet 0/0
GigabitEthernet0/0 is up, line protocol is up
  Hardware is CN Gigabit Ethernet, address is 5475.d08e.9ad8 (bia 5475.d08e.9ad8)
  Description: Link to LAN Switch
  Internet address is 10.1.1.1/24
  MTU 1500 bytes, BW 100000 Kbit/sec, DLY 100 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Keepalive set (10 sec)
  Full Duplex, 100Mbps, media type is RJ45
<output omitted>

Step 6 Save the current configuration on the Branch router.
Activity Verification
You have completed this task when you attain these results:
Step 1 The console prompt shows the configured hostname:
Branch#
Step 2 You verified IP connectivity between router Branch and PC1 by using ICMP ping:

Branch#ping 10.1.1.100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.100, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/1/4 ms
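The Branch router baseline that this task builds, written as a configuration fragment with the verification commands that confirm each step. This is an added example, not the lab's own listing; it assumes PC1 already carries 10.1.1.100/24 from the earlier switch lab.

```cisco
! Added example (not from the lab guide): Branch router initial configuration.
hostname Branch
!
interface GigabitEthernet0/0
 description Link to LAN Switch
 ip address 10.1.1.1 255.255.255.0
 no shutdown
!
end
!
! Verification, from privileged EXEC mode:
! show ip interface brief            -> GigabitEthernet0/0  10.1.1.1  up  up
! show interfaces GigabitEthernet0/0 -> Description: Link to LAN Switch, Internet address is 10.1.1.1/24
! ping 10.1.1.100                    -> the first echo may time out while ARP resolves PC1
! copy running-config startup-config -> persists the baseline across a reload
```

The single dropped echo in the lab's own ping output above is the ARP resolution delay on the first packet, not a fault to troubleshoot.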
Step 3 Improve the readability of the console access by synchronizing unsolicited messages and debug outputs with the input from the CLI.
Step 4 Disable the resolution of symbolic names to prevent the system from attempting to translate a mistyped command into an IP address.
Step 5 Save the configured changes to the startup configuration.
Activity Verification
You have completed this task when you attain these results:
- You have set the inactivity timeout on the console line to 60 minutes.
- You have enabled synchronous logging on the console line.
- You have disabled resolution of symbolic names.
Step 2 Enter the Cisco Discovery Protocol verification command to display all known neighboring Cisco devices. Write down the information about the discovered neighbors in the table:

#   Device ID   Platform   Local Interface   Remote Interface (Port ID)
#
#
The information that you gather about the local and remote interfaces that are used reveals how neighboring devices are physically interconnected. On the Branch router, use the show cdp neighbors command to display all neighboring Cisco devices:
Branch#show cdp neighbors
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
                  S - Switch, H - Host, I - IGMP, r - Repeater, P - Phone,
                  D - Remote, C - CVTA, M - Two-port Mac Relay

Device ID        Local Intrfce     Holdtme    Capability  Platform  Port ID
SW1              Gig 0/0           158           S I       WS-C2960- Fas 0/13
Use the Cisco Discovery Protocol verification command with the keyword detail to display additional information about other Cisco devices. Write down the IP address of a neighboring switch, with exact information about its platform and software version.
Branch#show cdp neighbors detail
-------------------------
Device ID: SW1
Entry address(es):
  IP address: 10.1.1.11
Platform: cisco WS-C2960-24TT-L,  Capabilities: Switch IGMP
Interface: GigabitEthernet0/0,  Port ID (outgoing port): FastEthernet0/13
Holdtime : 146 sec

Version :
Cisco IOS Software, C2960 Software (C2960-LANBASEK9-M), Version 15.0(1)SE3, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2012 by Cisco Systems, Inc.
Compiled Wed 30-May-12 14:26 by prod_rel_team

advertisement version: 2
Protocol Hello:  OUI=0x00000C, Protocol ID=0x0112; payload len=27, value=00000000FFFFFFFF010221FF000000000000001E147CBD00FF0000
VTP Management Domain: 'rlab'
Native VLAN: 1
Duplex: full

Branch#

Activity Verification
You have completed this task when you attain these results:
- You observed Cisco Discovery Protocol output for directly attached Cisco neighbors.
- You gathered detailed information about a neighbor switch.
Visual Objective
The figure illustrates what you will accomplish in this activity.
(Figure: network topology showing PC1, SW1, PC2, SW2, HQ, the Internet, and the Server; this lab uses PC1 and PC2.)
Required Resources
No additional resources are required for this lab.
Command List
The table describes the commands that are used in this activity. The commands are listed in alphabetical order so that you can easily locate the information that you need. Refer to this list if you need configuration command assistance during the lab activity.
Command
    Description
access-list acl_id permit network wildcard_mask
    Configures a standard ACL that permits a network
configure terminal
    Enters global configuration mode
debug ip icmp
    Enables debugging of ICMP packets
interface interface
    Enters interface configuration mode
ip address dhcp
    Configures an interface to obtain an IP address using DHCP
ip address ip_address network_mask
    Configures an IP address manually on an interface
ip nat inside
    Configures an interface as a NAT inside interface
ip nat inside source list acl_id pool pool_name
    Configures a dynamic source NAT rule that translates addresses into the IP addresses defined in the pool
ip nat inside source list acl_id interface interface_name overload
    Configures a dynamic source NAT or PAT rule that translates addresses into the IP address of an interface
ip nat outside
    Configures an interface as a NAT outside interface
ip nat pool pool_name start_IP end_IP netmask mask
    Configures a NAT pool
ip route network network_mask next_hop_address
    Configures a static route
ping ip_address
    Pings an IP address
show ip interface brief
    Displays the status and IP addresses of interfaces
show ip nat translations
    Displays active NAT translations
show ip route
    Displays the routing table
show users
    Displays information about the active lines on a router
shutdown
    Disables an interface
telnet ip_address
    Establishes a Telnet session to an IP address
terminal monitor
    Redirects debugging output to a Telnet session
undebug all
    Disables all debugging
Job Aids
These job aids are available to help you complete the lab activity. The table shows the hardware that is used in the lab and the operating system that is running on the devices.
Device   Hardware
Branch   Cisco 2901 Integrated Services Router
HQ       Cisco 2901 Integrated Services Router
SW1      Catalyst 2960 Series Switch
PC1      Any PC
PC2      Any PC
There are no console or enable passwords set for the routers and switches in the initial lab setup. The table shows the username and password that are used to access PC1 and PC2.
Device   Username        Password
PC1      Administrator   admin
PC2      Administrator   admin
Topology and IP Addressing
Devices are connected with Ethernet links. The figure illustrates the interface identification and IP addresses that are used in this lab setup.
(Figure: Branch Gi0/0 (10.1.1.1, VLAN 1) connects to SW1 Fa0/13; SW1 (10.1.1.11) serves PC1 (10.1.1.100) and PC2 (10.1.1.101); Branch connects through the Internet to HQ, behind which sits the Server at 172.16.1.100.)
The table shows the interface identification and IP addresses that are used in this lab setup.

Device   Interface                                  IP Address/Subnet Mask
Branch   Gi0/1                                      209.165.201.1/27
Branch   Gi0/0                                      10.1.1.1/24
HQ       Gi0/1                                      209.165.201.2/27
HQ       Loopback0                                  172.16.1.100
SW1      VLAN1                                      10.1.1.11/24
PC1      Ethernet adapter local area connection     10.1.1.100/24
PC2      Ethernet adapter local area connection     10.1.1.101/24

Status                 Protocol
administratively down  down
up                     up
administratively down  down
administratively down  down

You should see that only GigabitEthernet0/0 is up and configured with an IP address.
Step 3 Enable the GigabitEthernet0/1 interface. Manually assign the 209.165.201.1 IP address to the interface. Use a mask of 255.255.255.224.
Step 4 Verify interface status and IP address on the Branch router again.
Branch#show ip interface brief
Interface                    IP-Address       Status                 Protocol
Embedded-Service-Engine0/0   unassigned       administratively down  down
GigabitEthernet0/0           10.1.1.1         up                     up
GigabitEthernet0/1           209.165.201.1    up                     up
GigabitEthernet0/2           unassigned       administratively down  down
Serial0/0/0                  unassigned       administratively down  down
The GigabitEthernet0/1 interface should be up and it should have an IP address configured.
Step 5 From the Branch router, ping the HQ router at 209.165.201.2.

Branch#ping 209.165.201.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 209.165.201.2, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/1/4 ms
The ping should be successful, because the destination IP address is in a directly connected network.
Step 6 From the Branch router, ping the server at 172.16.1.100, which is behind the HQ router.

Branch#ping 172.16.1.100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.1.100, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
The ping should not be successful. What is the reason for an unsuccessful ping?
Is there a route present for the IP address of the server?
Step 8 On the Branch router, configure a static default route that points to the next-hop IP address 209.165.201.2.
Step 9 Save the running configuration to the startup configuration.
Step 10 From the Branch router, ping the server at 172.16.1.100 again.

Branch#ping 172.16.1.100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.1.100, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms
The ping should be successful because you configured a static default route.
The default route is designated with S and an asterisk (*).
Step 12 Remove the previously configured static default route from the Branch router to prepare the router for the next task.
Step 13 Verify the routing table on the Branch router again to make sure that no default route is present on the router.

Branch#show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       + - replicated route, % - next hop override

Gateway of last resort is not set

      10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        10.1.1.0/24 is directly connected, GigabitEthernet0/0
L        10.1.1.1/32 is directly connected, GigabitEthernet0/0
      209.165.201.0/24 is variably subnetted, 2 subnets, 2 masks
C        209.165.201.0/27 is directly connected, GigabitEthernet0/1
L        209.165.201.1/32 is directly connected, GigabitEthernet0/1
The GigabitEthernet0/1 interface should be up and it should have an IP address that was configured through DHCP. Write down the IP address in the space that is provided.
You should see a default route present in the table. Where did the default route come from?
Step 6 From the Branch router, ping the HQ router at 209.165.201.2.

Branch#ping 209.165.201.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 209.165.201.2, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/1/4 ms
The ping should be successful.
Step 7 From the Branch router, ping the server at 172.16.1.100.

Branch#ping 172.16.1.100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.1.100, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms

The ping should be successful because the Branch router learned the default gateway from the DHCP server. The Branch router installed the default route automatically, with the IP address of the default gateway as the next hop.
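The two ways this lab addresses the Branch WAN interface, side by side: the static address with a manually configured default route from the previous task, and the DHCP-assigned address whose default route the router installs on its own, as the text above describes. This is an added example, not the lab's own listing; only one of the two variants is applied at a time, and the route-removal line is what the earlier Step 12 asks for before switching variants.

```cisco
! Added example (not from the lab guide): Branch WAN addressing, static versus DHCP.
!
! Variant 1: static address and static default route (first task).
interface GigabitEthernet0/1
 ip address 209.165.201.1 255.255.255.224
 no shutdown
!
ip route 0.0.0.0 0.0.0.0 209.165.201.2
! show ip route now lists:  S*   0.0.0.0/0 [1/0] via 209.165.201.2
!
! Step 12 of the first task: remove the static default route before the DHCP task.
no ip route 0.0.0.0 0.0.0.0 209.165.201.2
!
! Variant 2: address and default gateway learned from the DHCP server (second task).
interface GigabitEthernet0/1
 ip address dhcp
 no shutdown
! show ip route now lists a DHCP-learned default, still flagged S*, whose next hop
! is whatever gateway the upstream DHCP server handed out.
!
end
```

With the DHCP variant, the upstream DHCP server decides the Branch router's path to every network it has no other route for, so confirm the learned gateway with show ip route and show ip interface brief rather than assuming it.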
Step 8 Access PC1.
Step 9 From PC1, ping the Branch router at its public IP address, which was obtained through DHCP.

C:\>ping 209.165.201.1

Pinging 209.165.201.1 with 32 bytes of data:
Reply from 209.165.201.1: bytes=32 time=1ms TTL=255
Reply from 209.165.201.1: bytes=32 time<1ms TTL=255
Reply from 209.165.201.1: bytes=32 time<1ms TTL=255
Reply from 209.165.201.1: bytes=32 time<1ms TTL=255

Ping statistics for 209.165.201.1:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 1ms, Average = 0ms
The ping should be successful.
Step 10 From PC1, ping the server at 172.16.1.100.

C:\>ping 172.16.1.100

Pinging 172.16.1.100 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.

Ping statistics for 172.16.1.100:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
The ping should not be successful. In the next step, you will examine why the ping is not successful.
Step 11 Return to the Branch router and establish a remote Telnet session to the HQ router at 209.165.201.2. Enable debugging of ICMP packets using the debug ip icmp command. Direct the output of the debug messages to the Telnet session using the terminal monitor command. Leave the console window open.

Branch#telnet 209.165.201.2
Trying 209.165.201.2 ... Open

HQ#debug ip icmp
ICMP packet debugging is on
HQ#terminal monitor
Note
Establishing remote Telnet sessions and redirecting the output of debug messages to a remote session have not been discussed so far. In this task, they are needed only to verify that packets from PC1 actually reach the HQ router.
Step 12 Return to PC1 and ping the server at 172.16.1.100 again. Return to the HQ Telnet session and observe the debugging messages.

HQ#
Sep 7 13:18:27.881: ICMP: echo reply sent, src 172.16.1.100, dst 10.1.1.100, topology BASE, dscp 0 topoid 0
HQ#
Sep 7 13:18:32.853: ICMP: echo reply sent, src 172.16.1.100, dst 10.1.1.100, topology BASE, dscp 0 topoid 0
HQ#
Sep 7 13:18:37.857: ICMP: echo reply sent, src 172.16.1.100, dst 10.1.1.100, topology BASE, dscp 0 topoid 0
HQ#
Sep 7 13:18:42.861: ICMP: echo reply sent, src 172.16.1.100, dst 10.1.1.100, topology BASE, dscp 0 topoid 0
You should see one debugging message for each ping packet coming from PC1. You can see that the pings actually reach the HQ router and replies are sent back to PC1. However, the HQ router is not aware of the network that PC1 is coming from and therefore discards the returning packets. You can verify this conclusion by examining the routing table on the HQ router.

What solution could be implemented on the Branch router to overcome this problem?

Step 13 Return to the HQ Telnet session. Disable debugging and exit the Telnet session.
HQ#undebug all
All possible debugging has been turned off
HQ#exit

[Connection to 209.165.201.2 closed by foreign host]
Branch#
Activity Procedure

Complete the following steps:

Step 1 Access the Branch router.

Step 2 Configure a standard ACL that allows the 10.1.1.0/24 network. Use 1 as the ACL identifier. This ACL will be used to define networks that are eligible for NAT translations.

Step 3 Create a NAT pool with the following parameters:
Pool name    Starting IP address    Ending IP address    Network mask
NAT_POOL     209.165.201.5          209.165.201.10       255.255.255.224
How many hosts that require NAT can you accommodate at the same time using this NAT pool?

Step 4 Configure the GigabitEthernet0/0 interface as the NAT inside interface.
Note

When you enable the interface as NAT inside, the router will block for approximately 1 minute. After that, you will see a log message about the router creating the NVI0 interface. This interface is used internally by the router to perform NAT.
Step 5 Configure the GigabitEthernet0/1 interface as the NAT outside interface.

Step 6 Configure a dynamic source NAT rule that will translate inside hosts into the IP addresses that were defined in the previously configured NAT pool. Use the previously configured ACL to specify hosts that are eligible for translations, and use the previously configured NAT pool.

Step 7 Save the running configuration to the startup configuration.
Activity Verification

You have completed this task when you attain these results:

Step 1 Access PC1. Open PuTTY by double-clicking the PuTTY icon and establish a remote Telnet session to the server at 172.16.1.100 by clicking the Telnet radio button and entering the IP address into the Host Name input field.
Step 2 Verify the user connection to the server using the show users command. This command will display management sessions to the router via console or via remote access.
HQ#show users
    Line       User       Location
   0 con 0
*514 vty 0                209.165.201.5
You should see that the Telnet session from PC1 is seen as originating from a translated IP address. The translated IP address is the first free IP address from the NAT pool.
Note

The session marked with an asterisk (*) is the one that is currently active and used.
Step 3 Access PC2. Open PuTTY by double-clicking the PuTTY icon and establish a Telnet session to the server at 172.16.1.100. If PC2 is not configured with an IP address, assign it an IP address of 10.1.1.101/24.
Step 4 Verify the user connection to the server using the show users command.
HQ#show users
    Line       User
 514 vty 0
*515 vty 1
You should see that the Telnet session from PC2 is seen as originating from a translated IP address. The translated IP address is the next free IP address from the NAT pool.

Step 5 Return to the Branch router. Verify that there are active NAT translations.
Branch#show ip nat translations
Pro Inside global          Inside local
tcp 209.165.201.5:1035     10.1.1.100:1035
--- 209.165.201.5          10.1.1.100
tcp 209.165.201.6:1030     10.1.1.101:1030
--- 209.165.201.6          10.1.1.101
Notice that inside local IP addresses are translated into inside global IP addresses.

Step 6 Close the Telnet session on PC1 and PC2.
Step 3 Configure a dynamic source NAT/PAT (NAT with overload) rule that will translate inside hosts into the IP address of the router outside interface. Use the previously configured ACL to specify the hosts that are eligible for translations.

How many hosts that require NAT can you accommodate at the same time by overloading the IP address of the interface?

Step 4 Save the running configuration to the startup configuration.

Activity Verification

You have completed this task when you attain these results:
Step 1 Access PC1. Open PuTTY by double-clicking the PuTTY icon and establish a Telnet session to the server at 172.16.1.100.
You should be successful.

Step 2 Verify the user connection to the server using the show users command.
HQ#show users
    Line       User       Host(s)
*514 vty 0                idle
You should see that the Telnet session from PC1 is seen as originating from the IP address of the Branch router outside interface.
Step 3 Access PC2. Open PuTTY by double-clicking the PuTTY icon and establish a Telnet session to the server at 172.16.1.100.
Step 4 Verify the user connection to the server using the show users command.
HQ#show users
    Line       User
 514 vty 0
*515 vty 1
You should see that the Telnet session from PC2 is again seen as originating from the IP address of the Branch router outside interface.

Step 5 Return to the Branch router. Verify that there are active NAT translations.
Branch#show ip nat translations
Pro Inside global          Inside local
tcp 209.165.201.1:1042     10.1.1.100:1042
tcp 209.165.201.1:1036     10.1.1.101:1036
Notice that two inside local IP addresses are translated into the same inside global IP address, which is configured on the Branch router outside interface. To provide two distinct translations, different source ports are used.

Step 6 Close the Telnet session on PC1 and PC2.
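The two behaviours verified in this lab, a fixed-size pool (NAT_POOL, six addresses) and interface overload that tells hosts apart by source port, as a small Python model. This is an added example, not part of the lab guide and not Cisco's NAT implementation; the ACL, pool range and interface address are the lab's values, while the port-selection rule (keep the inside source port if it is free, otherwise the next unused port from 1024 upward) is a simplifying assumption of the model.

```python
import ipaddress

# Lab values: ACL 1 permits 10.1.1.0/24, NAT_POOL is 209.165.201.5 through
# 209.165.201.10 (mask 255.255.255.224), Branch Gi0/1 is 209.165.201.1.
INSIDE_NETWORK = ipaddress.ip_network("10.1.1.0/24")
POOL_START, POOL_END = "209.165.201.5", "209.165.201.10"
OUTSIDE_IF_IP = "209.165.201.1"


def pool_size(start: str, end: str) -> int:
    """Inside-global addresses available in an inclusive pool range."""
    return int(ipaddress.ip_address(end)) - int(ipaddress.ip_address(start)) + 1


class NatRouter:
    """Simplified dynamic source NAT on the Branch router.

    overload=False: each permitted inside host is bound to one pool address
                    until the pool is empty; further hosts get no translation.
    overload=True:  every host shares the outside-interface address and is
                    told apart by source port (PAT). Port choice is an
                    assumption of this model: keep the inside port if free,
                    otherwise the next unused port from 1024 upward.
    """

    def __init__(self, overload: bool = False):
        self.overload = overload
        self.host_map = {}        # inside_local -> inside_global (pool mode)
        self.table = {}           # (inside_local, port) -> (inside_global, port)
        self.used_ports = set()   # inside-global ports in use (overload mode)
        first = int(ipaddress.ip_address(POOL_START))
        self.free_pool = [str(ipaddress.ip_address(first + i))
                          for i in range(pool_size(POOL_START, POOL_END))]

    def translate(self, inside_local: str, port: int):
        """Return (inside_global, port), or None if no translation can be made."""
        if ipaddress.ip_address(inside_local) not in INSIDE_NETWORK:
            return None                           # not permitted by ACL 1
        key = (inside_local, port)
        if key in self.table:
            return self.table[key]                # existing entry is reused
        if self.overload:
            global_ip = OUTSIDE_IF_IP
            global_port = port if port not in self.used_ports else self._next_free_port()
            self.used_ports.add(global_port)
        else:
            if inside_local not in self.host_map:
                if not self.free_pool:
                    return None                   # pool exhausted: packet is dropped
                self.host_map[inside_local] = self.free_pool.pop(0)
            global_ip, global_port = self.host_map[inside_local], port
        self.table[key] = (global_ip, global_port)
        return self.table[key]

    def _next_free_port(self) -> int:
        port = 1024
        while port in self.used_ports:
            port += 1
        return port

    def show_translations(self) -> list:
        """Rows in the spirit of 'show ip nat translations': (Pro, Inside global, Inside local)."""
        return [("tcp", f"{g}:{gp}", f"{l}:{lp}") for (l, lp), (g, gp) in self.table.items()]


def hosts_translated(overload: bool) -> int:
    """Count distinct inside hosts that obtain a translation, one TCP flow each.

    Pool mode stops at the pool size; overload mode serves every host the ACL
    permits (254 in 10.1.1.0/24) because the real ceiling is free source ports.
    """
    router = NatRouter(overload=overload)
    count = 0
    for host in INSIDE_NETWORK.hosts():
        if router.translate(str(host), 1030 + count) is None:
            break
        count += 1
    return count


if __name__ == "__main__":
    pat = NatRouter(overload=True)
    pat.translate("10.1.1.100", 1042)
    pat.translate("10.1.1.101", 1036)
    for row in pat.show_translations():
        print(*row)
```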
Visual Objective

The figure illustrates what you will accomplish in this activity.

Figure: Visual Objective for Lab 3-1: Enhancing the Security of the Initial Configuration. Devices shown: PC1 and SW1. Tasks: add password protection, enable SSH, limit access with an ACL, configure a login banner.
Required Resources
There are no additional resources that are required for this lab.
Command List
The table describes the commands that are used in this activity. The commands are listed in alphabetical order so that you can easily locate the information that you need. Refer to this list if you need configuration command assistance during the lab activity.
Commands
access-class number direction
    Applies the ACL to the vty line. The direction argument can have the value of either in or out.
access-list number permit ip_address wildcard_mask
    Creates a standard ACL that permits all traffic from or to a specified network
banner login
    Allows the configuration of a message that is displayed just before login
copy running-config startup-config
    Copies the switch running configuration file to the startup configuration file that is held in local NVRAM
crypto key generate rsa
    Generates the RSA key pairs to be used
enable secret password
    Sets a password for entering privileged EXEC mode. The password is protected using strong MD5-type encryption.
end
    Terminates configuration mode
ip domain-name name
    Supplies an IP domain name that is required by the cryptographic key-generation process
ip ssh version [1 | 2]
    Specifies the version of SSH to be run. To disable the version of SSH that was configured and to return to compatibility mode, use the no form of this command.
line console 0
    Enters line console 0 configuration mode
line vty 0 15
    Enters vty configuration mode. Vty lines allow access to the switch for remote network management. The number of vty lines available is dependent on the Cisco IOS Software version. Typical values are 0-4 and 0-15 (inclusive).
login
    Activates the login process on the console or vty lines
login local
    Makes the login process on the console or vty lines rely on (or use) the local authentication database
logout
    Exits EXEC mode and requires reauthentication (if enabled)
password
    Assigns a password to the console or vty lines
show access-list
    Displays all ACLs that are defined on the device
show running-config
    Displays the active configuration
show users
    Displays information about the active lines
ssh -l username ip_address
    Starts an encrypted session with a remote networking device using the current user ID. The IP address identifies the destination device.
transport input [telnet | ssh | all]
    Specifies which protocols to use to connect to a specific line of the device
username username secret password
    Creates a username and password pair that can then be used as a local authentication database
Job Aids
These job aids are available to help you complete the lab activity. The table shows the hardware that is used in the lab and the operating system that is running on the devices.
Device          Hardware                                 Operating System
Branch          Cisco 2901 Integrated Services Router    c2900-universalk9-mz.SPA.152-4.M1
Headquarters    Cisco 2901 Integrated Services Router    c2900-universalk9-mz.SPA.152-4.M1
SW1             Catalyst 2960 Series Switch              c2960-lanbasek9-mz.150-1.SE3
PC1             Any PC                                   Microsoft Windows 7
PC2             Any PC                                   Microsoft Windows 7
There are no console or enable passwords that are set for the routers and switches in the initial lab setup. The table shows the username and password that are used to access PC1 and PC2.
Device    Username         Password
PC1       Administrator    admin
PC2       Administrator    admin
Topology and IP Addressing

Devices are connected with Ethernet links. The figure illustrates the interface identification and IP addresses that are used in this lab setup.

Figure: lab topology. Labels visible: PC1, Fa0/1, 10.1.1.100, SW1, 10.1.1.11.
The table shows the interface identification and IP addresses that are used in this lab setup.
Device          Interface                                 IP Address/Subnet Mask
Branch          Gi0/1                                     209.165.201.1/27
Branch          Gi0/0                                     10.1.1.1/24
Headquarters    Gi0/1                                     209.165.201.2/27
Headquarters    Loopback0                                 172.16.1.100/24
SW1             VLAN1                                     10.1.1.11/24
PC1             Ethernet adapter local area connection    10.1.1.100/24
PC2             Ethernet adapter local area connection    10.1.1.101/24
Step 2 Secure the console line with the password cisco.

Step 3 Exit to the console login screen by issuing the end and exit commands. You will be asked for the password that you configured in the previous step.
Branch(config-line)#end
Branch#exit

Branch con0 is now available

Press RETURN to get started.

User Access Verification

Password:
Branch>
Step 4 Examine the running configuration and identify the password that was configured for the console line. Note that the password is in cleartext.
Branch#show running-config | section line con
line con 0
 exec-timeout 60 0
 password cisco
 logging synchronous
 login
Step 5 Create the username ccna and assign the secret password cisco to it. Look at the Command List section to identify the correct command. Then change the mode of authentication on the console line so that this user is authenticated using this username and password.
Step 6 Exit to the console login screen by issuing the end and exit commands. You will be asked for a username and password. Enter the credentials that you created in the previous step.
Branch(config-line)#end
Branch#exit

Branch con0 is now available

Press RETURN to get started.

User Access Verification

Username: ccna
Password:
Branch>
Step 7 Examine the running configuration and identify the username and password that you created. Note that the password is encrypted, not in cleartext. You could use the service password-encryption command to encode the cleartext password, but this encryption type is weak.
Branch#show running-config | section username
username ccna secret 4 tnhtc92DXBhelxjYk8LWJrPV36S2i4ntXrpb4RFmfqY
Step 8 Secure vty lines 0 through 15. Users should be able to log in using the username ccna and password cisco that you previously defined. For security reasons, the passwords for console and vty access should be different. Also, in production environments, you should use strong passwords (at least eight characters and a combination of letters, numbers, and special characters). In the lab environment, we are using the same passwords for console and vty access.
Step 9 On PC1, open PuTTY and establish a Telnet session to the Branch router to verify that you configured vty security correctly.
Step 10 On the Branch router, secure access to privileged EXEC mode with the password cisco. The password must be encrypted with strong encryption.

Step 11 Save the changes that you made on the Branch router.

Step 12 Exit privileged EXEC mode and then re-enter it. When prompted, enter the password that you configured in the previous step.
Branch#disable
Branch>enable
Password:
Branch#
Step 13 Examine the running configuration of the Branch router and identify the line where the password that allows access to privileged EXEC mode is configured. Notice that the password is encrypted.
Branch#show running-config | section enable
enable secret 4 tnhtc92DXBhelxjYk8LWJrPV36S2i4ntXrpb4RFmfqY
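A defender-side check for the credential forms this task walks through (a cleartext line password, a type 7 string as written by service password-encryption, and type 4 secrets), as an added Python example that is not part of the lab guide. The running-config it scans is constructed to mirror the Branch router; the user backup and its type 7 string are invented for illustration. The rating table also marks type 4 as deprecated, because Cisco later replaced it with types 8 and 9.

```python
import re

# Constructed running-config excerpt mirroring the states seen in this task:
# a cleartext console password, a type 7 string as produced by
# 'service password-encryption' (user 'backup' and its string are invented),
# and type 4 secrets for the local user and for enable.
SAMPLE_CONFIG = """\
hostname Branch
service password-encryption
enable secret 4 tnhtc92DXBhelxjYk8LWJrPV36S2i4ntXrpb4RFmfqY
username ccna secret 4 tnhtc92DXBhelxjYk8LWJrPV36S2i4ntXrpb4RFmfqY
username backup password 7 094F471A1A0A
line con 0
 password cisco
 login
line vty 0 15
 password cisco
 login local
 transport input ssh
"""

# Hardening view of each IOS credential type. Type 7 is reversible obfuscation,
# type 5 is salted MD5, type 4 was later deprecated by Cisco in favour of
# type 8 (PBKDF2-SHA256) and type 9 (scrypt).
RATING = {
    "0": "cleartext",
    "7": "reversible",
    "5": "hash (md5)",
    "4": "hash (type 4, deprecated; migrate to 8 or 9)",
    "8": "hash (pbkdf2)",
    "9": "hash (scrypt)",
}

LINE_RE = re.compile(r"^(line (?:con|vty|aux) .+)$")
CRED_RE = re.compile(r"^\s*(username \S+ |enable )?(password|secret)(?: (\d))? (\S+)$")


def audit_credentials(config: str) -> list:
    """Return (context, command, type, rating) for every credential in the config.

    Context is 'global' or the line section (e.g. 'line con 0') the entry sits in;
    a bare 'password x' with no type digit is treated as type 0 (cleartext).
    """
    findings = []
    context = "global"
    for raw in config.splitlines():
        if not raw.startswith(" "):               # top-level command: leaves any line section
            context = "global"
            m = LINE_RE.match(raw)
            if m:
                context = m.group(1)
                continue
        m = CRED_RE.match(raw)
        if not m:
            continue
        prefix, kind, ptype, _value = m.groups()
        ptype = ptype or "0"
        command = f"{(prefix or '').strip() or 'line'} {kind}"
        findings.append((context, command, ptype, RATING.get(ptype, "unknown")))
    return findings


def weak_credentials(config: str) -> list:
    """Findings to act on: cleartext or reversible (type 0 / 7) credentials."""
    return [f for f in audit_credentials(config) if f[2] in ("0", "7")]


if __name__ == "__main__":
    for finding in audit_credentials(SAMPLE_CONFIG):
        print(*finding)
```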
Step 14 Access switch SW1. Configure it with the enable secret password cisco. Users should be able to log into the console and vty lines by using the username ccna and the password cisco. Use strong encryption.

Step 15 Save the changes that you made on the SW1 switch.

Step 16 On the SW1 switch, go to user EXEC mode by entering the end and exit commands. Log into the SW1 console by using the previously configured username and password in order to verify console protection.
SW1(config-line)#end
SW1#exit

SW1 con0 is now available

Press RETURN to get started.

User Access Verification

Username: ccna
Password:
SW1>
Step 17 On the SW1 switch, enter privileged EXEC mode by entering the previously configured password.
SW1>enable
Password:
SW1#
Step 18 Return to PC1, open PuTTY, and establish a Telnet session to the SW1 switch to verify that you configured vty security correctly.
Step 3 Configure the SW1 switch for SSH access. Use cisco.com as the domain name, specify a key length of 1024 bits, use SSH version 2, and make SSH the only remote access method that is allowed.

Step 4 Save the changes that you made on the SW1 switch.

Step 5 On PC1, open PuTTY and try to connect to the Branch router using Telnet. Your attempt will be unsuccessful.
Step 6 Now try to remotely connect from PC1 to the Branch router using SSH. Your attempt should be successful. Leave the connection open for the next step.
Step 7 On the Branch router, show the users that are logged into the system. Identify the user that is using the vty line.
Branch#show users
    Line       User
*  0 con 0     ccna
 514 vty 0     ccna

  Interface    User
Step 8 Return to PC1. Open another PuTTY session and connect to the SW1 switch using SSH in order to verify the SSH configuration on the switch. Your attempt should be successful.
Step 3 Save the changes that you made on the SW1 switch.
Activity Verification

You have completed this task when you attain this result:

Step 1 Try to establish an SSH remote session from PC1 to SW1 at 10.1.1.11. You should not be successful because the ACL that you defined allows only the Branch router to establish sessions to the SW1 switch.
Step 2 Try to establish an SSH remote session from the Branch router. You should be successful.
Branch#ssh -l ccna 10.1.1.11
Password:
SW1>
Step 3 On the SW1 switch, show the ACL that you defined for the vty lines. Notice that the counters for both the permit and deny statements increased. If you did not define an explicit deny statement, a remote session from PC1 would still be denied, but you would not be able to see counters for denied remote session attempts.
SW1#show access-lists
Standard IP access list 1
    10 permit 10.1.1.1 (2 matches)
    20 deny   any log (3 matches)
Step 4 Save the changes that you made on the SW1 switch.

Activity Verification

You have completed this task when you attain these results:

Step 1 Access the Branch router. Log out of the Branch router and then log back in. Notice the login banner that you were presented with as you logged in.
Branch#logout

Branch con0 is now available

Press RETURN to get started.

********** Warning *************
Access to this device is restricted to authorized persons only!
Unauthorized access is prohibited. Violators will be prosecuted.
***********************************************

User Access Verification

Username: ccna
Password:
Step 2 Access SW1. Log out of the SW1 switch console and then log back in. Notice the login banner that you were presented with as you logged in.
SW1#logout

SW1 con0 is now available

Press RETURN to get started.

********** Warning *************
Access to this device is restricted to authorized persons only!
Un-authorized access is prohibited. Violators will be prosecuted.
***********************************************

User Access Verification

Username: ccna
Password:
Note
When accessing network devices via the SSH protocol, some terminal clients such as PuTTY display the login banner only after the username parameter is entered as input.
Visual Objective

The figure illustrates what you will accomplish in this activity.

Figure: lab topology with HQ, Internet, Server, NTP server, PC1 and SW1. Tasks: disable unused ports, configure port security, disable Cisco Discovery Protocol, configure NTP client.
Required Resources
No additional resources are required for this lab.
Command List
The table that follows describes the commands that are used in this activity. The commands are listed in alphabetical order so that you can easily locate the information that you need. Refer to this list if you need configuration command assistance during the lab activity.
Commands
[no] cdp enable
    Enables or disables Cisco Discovery Protocol on an interface
configure terminal
    Enters configuration mode
interface interface
    Enters interface configuration mode
ntp master [stratum]
    Configures Cisco IOS Software as an NTP master clock.
ntp server {ip-address}
    Allows the software clock to be synchronized by an NTP time server
ping dest_IP
    Verifies connectivity between the source IP and destination IP
show cdp neighbors
    Displays detailed information about neighboring devices that are discovered by using Cisco Discovery Protocol
show interfaces
    Displays statistics for all interfaces that are configured on the router
show interfaces status
    Displays the status of interfaces
show port-security interface interface
    Displays the port security settings that are defined for an interface
show ntp associations
    Displays the status of NTP associations
show ntp status
    Displays the status of NTP
show port-security address
    Displays the secure MAC addresses for all ports
[no] shutdown
    Enables or disables an interface on the router
switchport mode access
    Configures a switchport as an access port
switchport port-security
    Enables the port security feature on the interface
switchport port-security mac-address mac-address
    Enters a secure MAC address for the interface
Job Aids
These job aids are available to help you complete the lab activity. The table shows the hardware that is used in the lab and the operating system that is running on the devices.
Device          Hardware                                 Operating System
Branch          Cisco 2901 Integrated Services Router    c2900-universalk9-mz.SPA.152-4.M1
Headquarters    Cisco 2901 Integrated Services Router    c2900-universalk9-mz.SPA.152-4.M1
SW1             Catalyst 2960 Series Switch              c2960-lanbasek9-mz.150-1.SE3
The table shows usernames and passwords that are used to access the lab devices.
Device                      Username         Password
PC1                         Administrator    admin
PC2                         Administrator    admin
Branch (console access)     ccna             cisco
Branch (enable password)    /                cisco
SW1 (console access)        ccna             cisco
SW1 (enable password)       /                cisco
Topology and IP Addressing

Devices are connected with Ethernet links. The figure illustrates the interface identification and IP addresses that are used in this lab setup.

Figure: lab topology. Labels visible: Branch, Internet, VLAN 1: 10.1.1.1, Gi0/0, Fa0/13, Server 172.16.1.100, HQ, PC1 10.1.1.100, SW1 10.1.1.11, PC2 10.1.1.101.
The table shows the interface identification and IP addresses that are used in this lab setup.
Device          Interface                                 IP Address/Subnet Mask
Branch          Gi0/1                                     209.165.201.1/27
Branch          Gi0/0                                     10.1.1.1/24
Headquarters    Gi0/1                                     209.165.201.2/27
Headquarters    Loopback0                                 172.16.1.100/24
SW1             VLAN1                                     10.1.1.11/24
PC1             Ethernet adapter local area connection    10.1.1.100/24
PC2             Ethernet adapter local area connection    10.1.1.101/24
Output of show interfaces status on SW1 (Port column not shown): one port connected (Vlan 1, Duplex a-full, Speed a-100, Type 10/100BaseTX) and eleven ports disabled (Vlan 1, Duplex auto, Speed auto, Type 10/100BaseTX).
Note
Your MAC address might be different from the address that is shown in the output.
Step 3 Access the SW1 switch.

Step 4 Configure interface FastEthernet0/13, which faces the Branch router, as a static access port.

Step 5 Enable the port security feature on interface FastEthernet0/13. Manually specify the secure MAC address f866.f231.7251 (which is not the MAC address of the Branch router). You will simulate a port security violation by misconfiguring the secure MAC address.
Step 6 Observe the switch output and verify the status of SW1 interface FastEthernet0/13. Make sure that a port security violation occurred because of the misconfigured secure MAC address.
Sep 28 11:16:18.312: %PM-4-ERR_DISABLE: psecure-violation error detected on Fa0/13, putting Fa0/13 in err-disable state
Sep 28 11:16:18.312: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address f866.f231.7250 on port FastEthernet0/13.
Sep 28 11:16:19.318: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/13, changed state to down
Sep 28 11:16:20.317: %LINK-3-UPDOWN: Interface FastEthernet0/13, changed state to down

SW1#show interfaces FastEthernet 0/13
FastEthernet0/13 is down, line protocol is down (err-disabled)
  Hardware is Fast Ethernet, address is 001e.147c.6f0d (bia 001e.147c.6f0d)

SW1#show port-security interface FastEthernet 0/13
Port Security              : Enabled
Port Status                : Secure-shutdown
Violation Mode             : Shutdown
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 1
Total MAC Addresses        : 1
Configured MAC Addresses   : 1
Sticky MAC Addresses       : 0
Last Source Address:Vlan   : f866.f231.7250:1
Security Violation Count   : 1
A port security violation occurs due to management traffic (Cisco Discovery Protocol, for example) coming from the router toward the switch.

Step 7 Try to ping PC1 at 10.1.1.100 from the Branch router. Your attempt should fail because the switch port connecting to the Branch router is error-disabled.
Branch#ping 10.1.1.100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.100, timeout is 2 seconds:
U.U.U
Success rate is 0 percent (0/5)
Step 8 Change the port security of the secure MAC address on SW1 interface FastEthernet0/13 to the correct MAC address, which you wrote down.
Note

Your MAC address for the Branch router might be different from the address that was shown in the output.
Step 9 Make the FastEthernet0/13 interface on SW1 operational again.

Step 10 Observe the switch output. Verify the status of the FastEthernet0/13 interface on SW1 and make sure that the interface is operational again.
Sep 28 11:10:07.080: %LINK-3-UPDOWN: Interface FastEthernet0/13, changed state to up
Sep 28 11:10:08.087: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/13, changed state to up

SW1#show interfaces FastEthernet 0/13
FastEthernet0/13 is down, line protocol is up
  Hardware is Fast Ethernet, address is 001e.147c.6f0d (bia 001e.147c.6f0d)
Step 11 Try to ping PC1 at 10.1.1.100 from the Branch router. Your attempt should succeed now.
Branch#ping 10.1.1.100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.100, timeout is 2 seconds:
!!!!!
SW1#show port-security address
               Secure Mac Address Table
-----------------------------------------------------------------------------
Vlan    Mac Address       Type                          Ports   Remaining Age
                                                                   (mins)
----    -----------       ----                          -----   -------------
   1    f866.f231.7250    SecureConfigured              Fa0/13
-----------------------------------------------------------------------------
Total Addresses in System (excluding one mac per port)     : 1
Max Addresses limit in System (excluding one mac per port) : 8192
Step 13 Display the port security settings for the SW1 switch.
SW1#show port-security
Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
                 (Count)       (Count)          (Count)
---------------------------------------------------------------------------
      Fa0/13             1            1                  0         Shutdown
---------------------------------------------------------------------------
Total Addresses in System (excluding one mac per port)     : 1
Max Addresses limit in System (excluding one mac per port) : 8192
Step 14 Disable the port security feature on interface FastEthernet 0/13.

Step 15 Save the running configuration to the startup configuration.

Activity Verification

No additional verification is needed in this task.
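The violation in Step 6 of this task is exactly what a switch log monitor should catch. The following is an added Python example, not part of the lab guide, that parses the two syslog messages from that step and checks the offending MAC against an assumed inventory of which MAC belongs on each secured port; the inventory and the extra link-state line in the sample are constructed.

```python
import re

# Constructed syslog excerpt: the two messages from Step 6 of this task plus one
# unrelated link-state message the parser must ignore.
SAMPLE_LOG = """\
Sep 28 11:16:18.312: %PM-4-ERR_DISABLE: psecure-violation error detected on Fa0/13, putting Fa0/13 in err-disable state
Sep 28 11:16:18.312: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address f866.f231.7250 on port FastEthernet0/13.
Sep 28 11:16:19.318: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/13, changed state to down
"""

# Assumed inventory: the MAC that belongs on each secured port. In this lab it is
# the Branch router address written down in an earlier step.
EXPECTED_MAC = {"FastEthernet0/13": "f866.f231.7250"}

TS = r"(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d\.\d+)"
MAC = r"(?P<mac>[0-9a-fA-F]{4}\.[0-9a-fA-F]{4}\.[0-9a-fA-F]{4})"
VIOLATION_RE = re.compile(
    TS + r": %PORT_SECURITY-2-PSECURE_VIOLATION: .*caused by MAC address "
    + MAC + r" on port (?P<port>\S+)\.$")
ERRDISABLE_RE = re.compile(
    TS + r": %PM-4-ERR_DISABLE: (?P<reason>\S+) error detected on (?P<port>\S+),")

SHORT_NAMES = {"Fa": "FastEthernet", "Gi": "GigabitEthernet"}


def expand_ifname(name: str) -> str:
    """Fa0/13 -> FastEthernet0/13 so both message formats key on the same port name."""
    for short, full in SHORT_NAMES.items():
        if name.startswith(short) and not name.startswith(full):
            return full + name[len(short):]
    return name


def parse_port_security_events(log: str) -> list:
    """Extract (timestamp, kind, port, detail) from IOS syslog text.

    kind is 'violation' (detail = offending MAC, lower-cased) or
    'err-disable' (detail = err-disable reason).
    """
    events = []
    for line in log.splitlines():
        m = VIOLATION_RE.match(line)
        if m:
            events.append((m["ts"], "violation", expand_ifname(m["port"]), m["mac"].lower()))
            continue
        m = ERRDISABLE_RE.match(line)
        if m:
            events.append((m["ts"], "err-disable", expand_ifname(m["port"]), m["reason"]))
    return events


def triage(events: list, expected: dict) -> list:
    """Label each violation for the on-call engineer.

    If the offending MAC is the device that belongs on the port, the configured
    secure MAC is most likely mistyped (the situation in this task); otherwise
    an unexpected device has appeared on a secured port.
    """
    out = []
    for _ts, kind, port, detail in events:
        if kind != "violation":
            continue
        if expected.get(port, "").lower() == detail:
            out.append((port, detail, "known device; verify the configured secure MAC"))
        else:
            out.append((port, detail, "unknown device on secured port"))
    return out


if __name__ == "__main__":
    for item in triage(parse_port_security_events(SAMPLE_LOG), EXPECTED_MAC):
        print(*item)
```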
Step 3 Disable Cisco Discovery Protocol on the SW1 interface that is facing the Branch router.

Step 4 Examine the neighbor devices of the Branch router. You should not see switch SW1 anymore as a neighbor device because you disabled Cisco Discovery Protocol on the switch interface toward the router.
Branch#show cdp neighbors
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
                  S - Switch, H - Host, I - IGMP, r - Repeater, P - Phone,
                  D - Remote, C - CVTA, M - Two-port Mac Relay

Device ID        Local Intrfce     Holdtme    Capability  Platform  Port ID
Note
It may take up to 3 minutes for the neighbor to disappear from the output because the CDP holdtime is set to 180 seconds.
Step 5 Examine the neighbor devices of the SW1 switch. You should see no neighbor device because you disabled Cisco Discovery Protocol on the switch interface toward the Branch router.
SW1#show cdp neighbors
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
                  S - Switch, H - Host, I - IGMP, r - Repeater, P - Phone,
                  D - Remote, C - CVTA, M - Two-port Mac Relay

Device ID        Local Intrfce     Holdtme    Capability  Platform  Port ID
Step 6 Enable Cisco Discovery Protocol on the SW1 interface that faces the Branch router.

Step 7 Save the running configuration to the startup configuration.

Activity Verification

No additional verification is needed in this task.
You should see that the Branch router synchronized its clock with the server.
Note

It may take several minutes in order to synchronize the clock with the NTP server.
What is the stratum of the clock on the Branch router?

Step 4 Access the SW1 switch.
Step 5 Configure SW1 as an NTP client that will synchronize its time with the Branch router. Although the Branch router is configured only with NTP client configuration, it will respond to time requests from other clients. It will act as a server for switch SW1.

Step 6 Verify the NTP status and the NTP association status on the SW1 switch.
SW1#show ntp status
Clock is synchronized, stratum 5, reference is 10.1.1.1
nominal freq is 119.2092 Hz, actual freq is 119.2091 Hz, precision is 2**17
reference time is D46AEB16.D3639982 (09:59:50.825 UTC Thu Dec 6 2012)
clock offset is 58.8216 msec, root delay is 2.30 msec
root dispersion is 122.31 msec, peer dispersion is 8.38 msec
loopfilter state is 'CTRL' (Normal Controlled Loop), drift is 0.000001118 s/s
system poll interval is 128, last update was 862 sec ago.

SW1#show ntp associations

  address         ref clock       st   when   poll reach  delay  offset   disp
*~10.1.1.1        172.16.1.100     4    115    128   377  1.436  58.821  8.389
 * sys.peer, # selected, + candidate, - outlyer, x falseticker, ~ configured
You should see that SW1 synchronized its clock with the Branch router. What is the stratum of the clock on the SW1 switch?
Note

It may take several minutes in order to synchronize the clock with the NTP server.
Step 7 Save the running configuration to the startup configuration.

Activity Verification

No additional verification is needed in this task.
Visual Objective

The figure illustrates what you will accomplish in this activity.

Figure: lab topology with PC1, SW1, PC2 and SW2; Telnet from PC2 is shown as blocked.
Required Resources
There are no additional required resources for this lab.
Command List
The table that follows describes the commands that are used in this activity. The commands are listed in alphabetical order so that you can easily locate the information that you need. Refer to this list if you need configuration command assistance during the lab activity.
Commands
configure terminal
    Enters configuration mode
interface interface
    Enters interface configuration mode
ip access-group ACL_name {in | out}
    Enables an IP ACL on an interface
ip access-list extended ACL_name
    Defines an ACL and enters ACL configuration mode
{permit | deny} {test conditions}
    Creates ACL statements for a named ACL
show access-lists ACL_name
    Displays the contents of all IP ACLs
show ip interface interface-type interface number
    Displays IP-specific information for an interface, including the ACLs that are applied on an interface
Job Aids
These job aids are available to help you complete the lab activity. The table shows the hardware that is used in the lab and the operating system that is running on the devices.
Device          Hardware                                 Operating System
Branch          Cisco 2901 Integrated Services Router    c2900-universalk9-mz.SPA.152-4.M1
Headquarters    Cisco 2901 Integrated Services Router    c2900-universalk9-mz.SPA.152-4.M1
SW1             Catalyst 2960 Series Switch              c2960-lanbasek9-mz.150-1.SE3
PC1             Any PC                                   Microsoft Windows 7
PC2             Any PC                                   Microsoft Windows 7
The table shows usernames and passwords that are used to access the lab devices.
Device                      Username         Password
PC1                         Administrator    admin
PC2                         Administrator    admin
Branch (console access)     ccna             cisco
Branch (enable password)    /                cisco
SW1 (console access)        ccna             cisco
SW1 (enable password)       /                cisco
Server (HTTP)               ccna             cisco
Topology and IP Addressing

Devices are connected with Ethernet links. The figure illustrates the interface identification and IP addresses that are used in this lab setup.

Figure: lab topology. Labels visible: Branch, Internet, VLAN 1: 10.1.1.1, Gi0/0, Fa0/13, Server 172.16.1.100, HQ, PC1 10.1.1.100, SW1 10.1.1.11, PC2 10.1.1.101.
The table shows the interface identification and IP addresses that are used in this lab setup.
Device          Interface                                 IP Address/Subnet Mask
Branch          Gi0/1                                     209.165.201.1/27
Branch          Gi0/0                                     10.1.1.1/24
Headquarters    Gi0/1                                     209.165.201.2/27
Headquarters    Loopback0                                 172.16.1.100/24
SW1             VLAN1                                     10.1.1.11/24
PC1             Ethernet adapter local area connection    10.1.1.100/24
PC2             Ethernet adapter local area connection    10.1.1.101/24
Step 1 Access the Branch router. Use the credentials provided in the Job Aids section of the document in order to log in.

Step 2 Configure an extended ACL named Telnet that will prevent a Telnet connection from PC2 to the server. All other IP traffic should be permitted.

Step 3 Verify the content of the configured ACL.
Branch#show access-lists Telnet
Extended IP access list Telnet
    10 deny tcp host 10.1.1.101 host 172.16.1.100 eq telnet
    20 permit ip any any
Step 4 Apply the configured ACL to the GigabitEthernet0/0 interface in the correct direction.

Step 5 Verify that the configured ACL is applied to the GigabitEthernet0/0 interface in the correct direction.
Branch#show ip interface GigabitEthernet 0/0
GigabitEthernet0/0 is up, line protocol is up
  Internet address is 10.1.1.1/24
  Broadcast address is 255.255.255.255
  Address determined by setup command
  MTU is 1500 bytes
  Helper address is not set
  Directed broadcast forwarding is disabled
  Outgoing access list is not set
  Inbound  access list is Telnet
  Proxy ARP is enabled
  Local Proxy ARP is disabled
<...output omitted...>
Step 7 Access PC1. Open PuTTY by double-clicking the PuTTY icon and establish a Telnet session to the server at 172.16.1.100.
You should be successful.

Step 8 Verify that the counter that was matched by the permit ACL statement increased.
Branch#show access-lists Telnet
Extended IP access list Telnet
    10 deny tcp host 10.1.1.101 host 172.16.1.100 eq telnet
    20 permit ip any any (10 matches)
Note
The actual number of ACL hits may differ from the outputs that are provided in the lab guide.
Step 9 Access PC2. Open PuTTY by double-clicking the PuTTY icon and establish a Telnet session to the server at 172.16.1.100.
You should not be successful because the configured ACL blocks Telnet traffic from PC2 to the server.
Step 10 Verify that the counter that was matched by the deny ACL statement increased.

Branch#show access-lists Telnet
Extended IP access list Telnet
    10 deny tcp host 10.1.1.101 host 172.16.1.100 eq telnet (9 matches)
    20 permit ip any any (10 matches)
Step 11 Access PC1. Open Internet Explorer and try to reach the HTTP server at IP address 172.16.1.100. Use the credentials that are provided in the Job Aids section of the document in order to log in.
Step 12 Access PC2. Open Internet Explorer and try to reach the HTTP server at IP address 172.16.1.100. Use the credentials that are provided in the Job Aids section of the document in order to log in.
You should be successful.
Step 13 Verify that the counter that was matched by the permit ACL statement increased.

Branch#show access-lists Telnet
Extended IP access list Telnet
    10 deny tcp host 10.1.1.101 host 172.16.1.100 eq telnet (9 matches)
    20 permit ip any any (274 matches)
Activity Procedure
Complete the following steps:
Step 1 Access the Branch router.
Step 2 Copy the TSHOOT_Troubleshoot_ACLs_Branch.cfg file from the router flash memory into the router running configuration.

Branch#copy flash:TSHOOT_Troubleshoot_ACLs_Branch.cfg running-config
3341 bytes copied in 3.490 secs (957 bytes/sec)
Step 1 Access PC1. Open PuTTY by double-clicking the PuTTY icon and establish a Telnet session to the server at 172.16.1.100.
Step 2 Access PC2. Open PuTTY by double-clicking the PuTTY icon and establish a Telnet session to the server at 172.16.1.100.
You will be successful, although Telnet traffic from PC2 to the server should be blocked.
Step 3 Access PC1. Open Internet Explorer and try to reach the HTTP server at IP address 172.16.1.100. Use the credentials that are provided in the Job Aids section of the document in order to log in.
Step 4 Access PC2. Open Internet Explorer and try to reach the HTTP server at IP address 172.16.1.100. Use the credentials that are provided in the Job Aids section of the document in order to log in.
Step 6 Verify that the configured ACL is applied to the GigabitEthernet0/0 interface in the correct direction.
Branch#show ip interface GigabitEthernet 0/0
GigabitEthernet0/0 is up, line protocol is up
  Internet address is 10.1.1.1/24
  Broadcast address is 255.255.255.255
  Address determined by setup command
  MTU is 1500 bytes
  Helper address is not set
  Directed broadcast forwarding is disabled
  Outgoing access list is Telnet
  Inbound  access list is not set
  Proxy ARP is enabled
  Local Proxy ARP is disabled
<...output omitted...>

Step 7 Apply the configured ACL to the GigabitEthernet0/0 interface in the correct direction.
Step 8 Verify the contents of the configured ACL.

Branch#show access-lists Telnet
Extended IP access list Telnet
    10 permit ip any any (338 matches)
    20 deny ip any any
    30 deny tcp host 10.1.1.101 host 172.16.1.100 eq telnet

Step 9 Change the Telnet ACL so that it prevents Telnet connections from PC2 to the server. All other IP traffic should be permitted.
Step 10 Save the running configuration to the startup configuration.
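Added example (not Cisco's code and not part of the lab guide): a small Python model of the extended ACL, built with the lab's addresses, that shows the two faults this troubleshooting task exercises. First, an ACL is evaluated top-down and the first matching entry wins, so the list found in Step 8 ("permit ip any any" at sequence 10) never reaches its deny entries, whereas the correctly ordered list from the first task blocks PC2's Telnet and nothing else. Second, an ACL applied outbound on GigabitEthernet0/0 only sees traffic leaving the router toward the 10.1.1.0/24 LAN, so PC2's Telnet toward the server is never evaluated by it; the list has to be inbound. Packet, Ace, Acl, Interface and scenario are hypothetical helper names.

```python
from __future__ import annotations
import ipaddress
from dataclasses import dataclass, field

TELNET, HTTP = 23, 80
PC1, PC2, SERVER = "10.1.1.100", "10.1.1.101", "172.16.1.100"   # addresses from the lab tables


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str            # "tcp", "udp" or "icmp"
    dport: int = 0        # destination port (tcp/udp only)


def _in(addr: str, spec: str) -> bool:
    """Address selector as IOS writes it: 'any', 'host A.B.C.D', or a CIDR prefix
    (the CIDR form stands in for the IOS address/wildcard pair)."""
    if spec == "any":
        return True
    if spec.startswith("host "):
        return addr == spec.split()[1]
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


@dataclass
class Ace:
    seq: int
    action: str           # "permit" or "deny"
    proto: str            # "ip" matches every protocol
    src: str
    dst: str
    dport: int | None = None
    matches: int = 0      # the "(N matches)" counter shown by show access-lists

    def hit(self, p: Packet) -> bool:
        return (self.proto in ("ip", p.proto)
                and _in(p.src, self.src) and _in(p.dst, self.dst)
                and (self.dport is None or self.dport == p.dport))


@dataclass
class Acl:
    name: str
    entries: list[Ace] = field(default_factory=list)

    def decide(self, p: Packet) -> str:
        # First match wins; the implicit "deny ip any any" at the end is never displayed.
        for ace in sorted(self.entries, key=lambda a: a.seq):
            if ace.hit(p):
                ace.matches += 1
                return ace.action
        return "deny"


@dataclass
class Interface:
    network: str                  # subnet attached to the interface, e.g. 10.1.1.0/24
    inbound: Acl | None = None
    outbound: Acl | None = None

    def forward(self, p: Packet) -> str:
        """An inbound list filters packets arriving from the attached subnet; an outbound
        list filters packets leaving toward it. Anything else passes untouched."""
        if self.inbound and _in(p.src, self.network):
            return self.inbound.decide(p)
        if self.outbound and _in(p.dst, self.network):
            return self.outbound.decide(p)
        return "permit"


def correct_acl() -> Acl:
    return Acl("Telnet", [Ace(10, "deny", "tcp", f"host {PC2}", f"host {SERVER}", TELNET),
                          Ace(20, "permit", "ip", "any", "any")])


def broken_acl() -> Acl:
    # The misordered list from Step 8: the permit at 10 shadows everything after it.
    return Acl("Telnet", [Ace(10, "permit", "ip", "any", "any"),
                          Ace(20, "deny", "ip", "any", "any"),
                          Ace(30, "deny", "tcp", f"host {PC2}", f"host {SERVER}", TELNET)])


def scenario(acl: Acl, direction: str) -> dict[str, str]:
    """Applies acl 'inbound' or 'outbound' on Gi0/0 and runs the lab's three test flows."""
    gi00 = Interface("10.1.1.0/24", **{direction: acl})
    flows = {
        "pc2_telnet": Packet(PC2, SERVER, "tcp", TELNET),
        "pc1_telnet": Packet(PC1, SERVER, "tcp", TELNET),
        "pc2_http": Packet(PC2, SERVER, "tcp", HTTP),
    }
    return {name: gi00.forward(p) for name, p in flows.items()}


if __name__ == "__main__":
    print("correct, inbound :", scenario(correct_acl(), "inbound"))
    print("broken, inbound  :", scenario(broken_acl(), "inbound"))
    print("correct, outbound:", scenario(correct_acl(), "outbound"))
```

Running the block prints the decision for each flow under the three combinations; only the correctly ordered list applied inbound yields deny for PC2's Telnet and permit for everything else, which is what Steps 11 to 14 verify by hand.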
Step 11 Access PC1. Open PuTTY by double-clicking the PuTTY icon and establish a Telnet session to the server at 172.16.1.100.
Step 12 Access PC2. Open PuTTY by double-clicking the PuTTY icon and establish a Telnet session to the server at 172.16.1.100.
You should not be successful because the configured ACL blocks Telnet traffic from PC2 to the server.
Step 13 Access PC1. Open Internet Explorer and try to reach the HTTP server at IP address 172.16.1.100. Use the credentials that are provided in the Job Aids section of the document in order to log in.
Step 14 Access PC2. Open Internet Explorer and try to reach the HTTP server at IP address 172.16.1.100. Use the credentials that are provided in the Job Aids section of the document in order to log in.
You should be successful.
Activity Verification
No additional verification is needed in this task.
Visual Objective
The figure illustrates what you will accomplish in this activity.
[Figure: PC1 on SW1, PC2 on SW2; configure trunking between SW1 and SW2.]
Required Resources
There are no additional resources required for this lab.
Command List
The table describes the commands that are used in this activity. The commands are listed in alphabetical order so that you can easily locate the information that you need. Refer to this list if you need configuration command assistance during the lab activity.
interface interface_name interface_number
ip address ip_address network_mask
show interfaces trunk
show vlan
show vlans
[no] shutdown
switchport access vlan vlan
switchport mode mode
Job Aids
These job aids are available to help you complete the lab activity. The table shows the hardware that is used in the lab and the operating system that is running on the devices.
Hardware                                Operating System
Cisco 2901 Integrated Services Router   c2900-universalk9-mz.SPA.152-4.M1
Cisco 2901 Integrated Services Router   c2900-universalk9-mz.SPA.152-4.M1
Catalyst 2960 Series Switch             c2960-lanbasek9-mz.150-1.SE3
Catalyst 2960 Series Switch             c2960-lanlitek9-mz.150-1.SE3
Any PC                                  Microsoft Windows 7
Any PC                                  Microsoft Windows 7
The table shows usernames and passwords that are used to access the lab devices.
Device                     Username        Password
PC1                        Administrator   admin
PC2                        Administrator   admin
Branch (console access)    ccna            cisco
Branch (enable password)   /               cisco
SW1 (console access)       ccna            cisco
SW1 (enable password)      /               cisco
Server (HTTP)              ccna            cisco
Topology and IP Addressing
Devices are connected with Ethernet links. The figure illustrates the interface identification and IP addresses that will be used in this lab.

[Figure: Topology. Branch Gi0/0 (VLAN1: 10.1.1.1) connects to SW1 Fa0/13; SW1 (10.1.1.11) Fa0/3 connects to SW2 (10.1.1.12) Fa0/3; PC1 (10.1.1.100) on SW1 Fa0/1; PC2 (10.1.1.101) on SW2 Fa0/1; Branch reaches HQ and the Server (172.16.1.100) across the Internet.]
The table shows the interface identification and IP addresses that are used in this lab setup.

Device         Interface                                IP Address/Subnet Mask
Branch         Gi0/1                                    209.165.201.1/27
Branch         Gi0/0                                    10.1.1.1/24
Headquarters   Gi0/1                                    209.165.201.2/27
Headquarters   Loopback0                                172.16.1.100/24
SW1            VLAN1                                    10.1.1.11/24
SW2            VLAN1                                    10.1.1.12/24
PC1            Ethernet adapter local area connection   10.1.1.100/24
PC2            Ethernet adapter local area connection   10.1.1.101/24
Step 2 Access PC2. Assign the IP address 10.1.1.101/24 to it. The default gateway should be set to the IP address of the Branch router.
Step 3 Access PC1 and ping PC2 (10.1.1.101). The ping should be successful because the ports on both PCs are access ports belonging to VLAN 1.

C:\Users\Administrator>ping 10.1.1.101

Pinging 10.1.1.101 with 32 bytes of data:
Reply from 10.1.1.101: bytes=32 time<3ms TTL=128
Reply from 10.1.1.101: bytes=32 time<3ms TTL=128
Reply from 10.1.1.101: bytes=32 time<2ms TTL=128
Reply from 10.1.1.101: bytes=32 time<2ms TTL=128

Ping statistics for 10.1.1.101:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 2ms, Maximum = 3ms, Average = 3ms

Step 4 On both switches, SW1 and SW2, create VLANs 10 and 20.
Step 5 On SW1, assign the port to which PC1 connects (FastEthernet0/1) to VLAN 10. On SW2, assign the port to which PC2 connects (FastEthernet0/1) to VLAN 20.
Step 6 Save the running configuration to the startup configuration on both switches.
Step 7 Change the IP address of PC1 to 10.1.10.100/24. Set the default gateway to 10.1.10.1, which you will later configure on the Branch router. This step provides PC1 addressing in accordance with its VLAN assignment.
Step 8 Change the IP address of PC2 to 10.1.20.100/24. Set the default gateway to 10.1.20.1, which you will later configure on the Branch router. This step provides PC2 addressing in accordance with its VLAN assignment.
Activity Verification
You have completed this task when you attain these results:
Step 1 On SW1 and SW2, verify that VLANs 10 and 20 are present. SW1 should have FastEthernet0/1 belonging to VLAN 10, and SW2 should have FastEthernet0/1 belonging to VLAN 20.
SW1#show vlan

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/2, Fa0/3, Fa0/4, Fa0/5
                                                Fa0/6, Fa0/7, Fa0/8, Fa0/9
                                                Fa0/10, Fa0/11, Fa0/12, Fa0/13
                                                Fa0/14, Fa0/15, Fa0/16, Fa0/17
                                                Fa0/18, Fa0/19, Fa0/20, Fa0/21
                                                Fa0/22, Fa0/23, Fa0/24, Gi0/1
                                                Gi0/2
10   VLAN0010                         active    Fa0/1
20   VLAN0020                         active
1002 fddi-default                     act/unsup
1003 token-ring-default               act/unsup
1004 fddinet-default                  act/unsup
1005 trnet-default                    act/unsup

SW2#show vlan

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/2, Fa0/3, Fa0/4, Fa0/5
                                                Fa0/6, Fa0/7, Fa0/8, Fa0/9
                                                Fa0/10, Fa0/11, Fa0/12, Fa0/13
                                                Fa0/14, Fa0/15, Fa0/16, Fa0/17
                                                Fa0/18, Fa0/19, Fa0/20, Fa0/21
                                                Fa0/22, Fa0/23, Fa0/24, Gi0/1
                                                Gi0/2
10   VLAN0010                         active
20   VLAN0020                         active    Fa0/1
1002 fddi-default                     act/unsup
1003 token-ring-default               act/unsup
1004 fddinet-default                  act/unsup
1005 trnet-default                    act/unsup
<output omitted>
Step 2 At this point, PC1 belongs to VLAN 10, and PC2 belongs to VLAN 20. From PC1, ping PC2 (10.1.20.100). The connectivity test should not be successful. You first need to configure a trunk between switches that will carry traffic from both VLANs and then configure a Layer 3 device that will route between those two VLANs.
C:\Users\Administrator> ping 10.1.20.100

Pinging 10.1.20.100 with 32 bytes of data:
Reply from 10.1.10.100: Destination host unreachable.
Reply from 10.1.10.100: Destination host unreachable.
Reply from 10.1.10.100: Destination host unreachable.
Reply from 10.1.10.100: Destination host unreachable.

Ping statistics for 10.1.20.100:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Step 3 On switch SW1, verify that the link toward SW2 is trunking and that VLANs 1, 10, and 20 are the only VLANs that are allowed.
SW1#show interfaces trunk

Port        Mode         Encapsulation  Status        Native vlan
Fa0/3       on           802.1q         trunking      1

Port        Vlans allowed on trunk
Fa0/3       1,10,20
<output omitted>
On switch SW2, verify that the link toward SW1 is trunking and that VLANs 1, 10, and 20 are the only VLANs that are allowed.
SW2#show interfaces trunk

Port        Mode         Encapsulation  Status        Native vlan
Fa0/3       on           802.1q         trunking      1

Port        Vlans allowed on trunk
Fa0/3       1,10,20
<output omitted>
Step 4 At this point, PC1 belongs to VLAN 10, and PC2 belongs to VLAN 20. The link between the two switches is configured to carry more than one VLAN: it is a trunk. From PC1, ping PC2 (10.1.20.100). The connectivity test will still not be successful: the trunk now carries traffic from both VLANs, but you still need to configure a Layer 3 device that will route between those two VLANs.

C:\Users\Administrator> ping 10.1.20.100

Pinging 10.1.20.100 with 32 bytes of data:
Reply from 10.1.20.100: Destination host unreachable.
Reply from 10.1.20.100: Destination host unreachable.
Reply from 10.1.20.100: Destination host unreachable.
Reply from 10.1.20.100: Destination host unreachable.

Ping statistics for 10.1.20.100:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Activity Procedure
Complete the following steps:
Step 1 On switch SW1, configure the link toward the Branch router (FastEthernet0/13) as a trunk.
Step 2 Save the running configuration to the startup configuration on the SW1 switch.
Step 3 On the Branch router, remove the IP address from the GigabitEthernet0/0 interface.
Step 4 On the Branch router, configure three subinterfaces. Subinterface GigabitEthernet0/0.1 should have an IP address of 10.1.1.1/24 and belong to VLAN 1. Subinterface GigabitEthernet0/0.10 should have an IP address of 10.1.10.1/24 and belong to VLAN 10. Subinterface GigabitEthernet0/0.20 should have an IP address of 10.1.20.1/24 and belong to VLAN 20.
Step 5 Save the running configuration to the startup configuration on the Branch router.
Step 6 On the Branch router, verify that you have interface IP addresses that are configured in VLANs 1, 10, and 20.
Branch#show vlans

Virtual LAN ID:  1 (IEEE 802.1Q Encapsulation)

   vLAN Trunk Interface:   GigabitEthernet0/0.1

 This is configured as native Vlan for the following interface(s) :
GigabitEthernet0/0        Native-vlan Tx-type: Untagged

   Protocols Configured:   Address:              Received:        Transmitted:
           IP              10.1.1.1                     0                0
        Other                                           0                2

   2 packets, 518 bytes input
   2 packets, 435 bytes output

Virtual LAN ID:  10 (IEEE 802.1Q Encapsulation)

   vLAN Trunk Interface:   GigabitEthernet0/0.10

   Protocols Configured:   Address:              Received:        Transmitted:
           IP              10.1.10.1                    0                0
        Other                                           0                1

   0 packets, 0 bytes input
   1 packets, 46 bytes output

Virtual LAN ID:  20 (IEEE 802.1Q Encapsulation)

   vLAN Trunk Interface:   GigabitEthernet0/0.20

   Protocols Configured:   Address:              Received:        Transmitted:
           IP              10.1.20.1                    0                0
        Other                                           0                1

   0 packets, 0 bytes input
   1 packets, 46 bytes output
Activity Verification
You have completed this task when you attain these results:
Step 1 Access PC1. Issue a ping command from PC1 to PC2 (10.1.20.100). The attempt should be successful. The first ping or first few pings might fail due to the ARP process.

C:\Users\Administrator> ping 10.1.20.100

Pinging 10.1.20.100 with 32 bytes of data:
Reply from 10.1.20.100: bytes=32 time<3ms TTL=128
Reply from 10.1.20.100: bytes=32 time<3ms TTL=128
Reply from 10.1.20.100: bytes=32 time<2ms TTL=128
Reply from 10.1.20.100: bytes=32 time<2ms TTL=128

Ping statistics for 10.1.20.100:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 2ms, Maximum = 3ms, Average = 3ms
Step 2 From PC1, use the traceroute (tracert command) utility to trace the path from PC1 to PC2. Notice that the traffic goes through the Branch router.
C:\Users\Administrator> tracert 10.1.20.100

Tracing route to 10.1.20.100 over a maximum of 30 hops

  1     4 ms     1 ms     1 ms  10.1.10.1
  2     2 ms     1 ms     1 ms  10.1.20.100

Trace complete.
Visual Objective
The figure illustrates what you will accomplish in this activity.
Required Resources
No additional resources are required for this lab.
Command List
The table describes the commands that are used in this activity. The commands are listed in alphabetical order so that you can easily locate the information that you need. Refer to this list if you need configuration command assistance during the lab activity.
Cisco Commands
default-router address
    Specifies the IP address of the default router for a DHCP client.
dns-server address
    Specifies the IP address of the DNS server that is available to a DHCP client.
ip dhcp excluded-address ip-address [last-ip-address]
    Specifies the IP addresses that a DHCP server should not assign to a DHCP client.
ip dhcp pool name
    Configures a DHCP address pool and enters DHCP configuration mode.
ip helper-address address
    Enables forwarding of broadcasts that are received on the interface to the specified IP address.
lease {days [hours] [minutes] | infinite}
    Specifies the duration of the lease. The default is a one-day lease.
network network-number [mask | prefix-length]
    Defines addresses in the DHCP pool. Optionally, defines the subnet mask or prefix length. Either of these parameters determines which portion of the specified network number refers to the network part.
show ip dhcp binding
    Displays a list of all DHCP address bindings.
show ip interface brief
    Displays a brief summary of the IP information and status of an interface.
show running-config
    Displays the running configuration.
Job Aids
These job aids are available to help you complete the lab activity. The table shows the hardware that is used in the lab and the operating system that is running on the devices.
Device         Hardware                                Operating System
Branch         Cisco 2901 Integrated Services Router   c2900-universalk9-mz.SPA.152-4.M1
Headquarters   Cisco 2901 Integrated Services Router   c2900-universalk9-mz.SPA.152-4.M1
SW1            Catalyst 2960 Series Switch             c2960-lanbasek9-mz.150-1.SE3
SW2            Catalyst 2960 Series Switch             c2960-lanlitek9-mz.150-1.SE3
PC1            Any PC                                  Microsoft Windows 7
PC2            Any PC                                  Microsoft Windows 7
The table shows the usernames and passwords that are used to access the lab equipment.
Device                     Username        Password
PC1                        Administrator   admin
PC2                        Administrator   admin
Branch (console access)    ccna            cisco
Branch (enable password)   /               cisco
SW1 (console access)       ccna            cisco
SW1 (enable password)      /               cisco
Topology and IP Addressing
Devices are connected with Ethernet links. The figure illustrates the interface identification and IP addresses that are used in this lab setup.

[Figure: Topology. Branch Gi0/0 (VLAN 1: 10.1.1.1), Gi0/0.10 (VLAN 10: 10.1.10.1), Gi0/0.20 (VLAN 20: 10.1.20.1) connects to SW1 Fa0/13; Branch Gi0/1 209.165.201.1 connects to HQ 209.165.201.2; DHCP Server 172.16.1.100 behind HQ; SW1 (10.1.1.11) Fa0/3 connects to SW2 (10.1.1.12) Fa0/3; PC1 (10.1.10.100) on SW1 Fa0/1; PC2 (10.1.20.100) on SW2 Fa0/1.]
The table shows the interface identification and IP addresses that are used in this lab setup.

Device   Interface                                IP Address/Subnet Mask
Branch   Gi0/1                                    209.165.201.1/27
Branch   Gi0/0.1                                  10.1.1.1/24
Branch   Gi0/0.10                                 10.1.10.1/24
Branch   Gi0/0.20                                 10.1.20.1/24
HQ       Gi0/1                                    209.165.201.2/27
HQ       Loopback0                                172.16.1.100/24
SW1      VLAN1                                    10.1.1.11/24
SW2      VLAN1                                    10.1.1.12/24
PC1      Ethernet adapter local area connection   10.1.10.100/24
PC2      Ethernet adapter local area connection   10.1.20.100/24
VLAN Setup
Three VLANs are configured on the switches. VLAN 1 is used for switch management, VLAN 10 is used to connect PC1, and VLAN 20 is used to connect PC2. A trunk is enabled between the switches and between the SW1 switch and the Branch router. The figure illustrates the trunk and VLAN setup.

[Figure: VLAN Setup. Trunk from Branch to SW1 and from SW1 to SW2; VLAN 1 for management, VLAN 10 for PC1 on SW1, VLAN 20 for PC2 on SW2.]
Step 3 Change the default lease time to 2 hours.
Step 4 Save the running configuration to the startup configuration on the Branch router.
Step 5 Access PC1. Open the network adapter settings and edit the IPv4 settings. Set them to obtain an IP address and DNS address automatically.
Step 6 Verify that PC1 has obtained an IP address dynamically by executing a DHCP verification command on the Branch router.
Branch# show ip dhcp binding
Bindings from all pools not associated with VRF:
IP address      Client-ID/              Lease expiration        Type
                Hardware address/
                User name
10.1.10.2       0100.0c29.8fa8.a6       Oct 25 2012 12:18 PM    Automatic
In addition, verify the IP address settings using the command prompt on PC1.
C:\Windows\system32> ipconfig /all
<output omitted>
Ethernet adapter LAB:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : VMware Accelerated AMD PCNet Adapter #2
   Physical Address. . . . . . . . . : 00-0C-29-45-32-BE
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::8c6e:3fe3:ca7e:c7c7%13(Preferred)
   IPv4 Address. . . . . . . . . . . : 10.1.10.2(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Lease Obtained. . . . . . . . . . : Friday, October 19, 2012 2:39:34 PM
   Lease Expires . . . . . . . . . . : Friday, October 19, 2012 4:39:34 PM
   Default Gateway . . . . . . . . . : 10.1.10.1
   DHCP Server . . . . . . . . . . . : 10.1.10.1
   DHCPv6 IAID . . . . . . . . . . . : 285215785
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-13-3B-A1-51-00-0C-29-87-5C-B5
   DNS Servers . . . . . . . . . . . : 10.1.10.1
   NetBIOS over Tcpip. . . . . . . . : Disabled
Step 7 Configure a DHCP pool for VLAN 20. The leased addresses should be part of network 10.1.20.0 /24. For the DNS server and default gateway, use the router VLAN 20 interface (10.1.20.1). Set the lease time to 12 hours.
Step 8 On the Branch router, verify the configured pools by using the show ip dhcp pool verification command.
Branch# show ip dhcp pool

Pool VLAN10 :
 Utilization mark (high/low)    : 100 / 0
 Subnet size (first/next)       : 0 / 0
 Total addresses                : 254
 Leased addresses               : 1
 Pending event                  : none
 1 subnet is currently in the pool :
 Current index        IP address range                    Leased addresses
 10.1.10.3            10.1.10.1        - 10.1.10.254       1

Pool VLAN20 :
 Utilization mark (high/low)    : 100 / 0
 Subnet size (first/next)       : 0 / 0
 Total addresses                : 254
 Leased addresses               : 0
 Pending event                  : none
 1 subnet is currently in the pool :
 Current index        IP address range                    Leased addresses
 10.1.20.1            10.1.20.1        - 10.1.20.254       0
Step 9 Access PC2. Open the network adapter settings and edit the IPv4 settings. Set them to obtain an IP address and DNS address automatically.
Step 10 Check the DHCP address bindings on the router to verify that PC2 has obtained an IP address dynamically.
Activity Verification
You have completed this task when you attain these results:
Step 1 You verified that both PC1 and PC2 have dynamically assigned IP addresses.
Step 2 You have successfully verified connectivity between the PCs using the ping command:

C:\Windows\system32> ping 10.1.20.2

Pinging 10.1.20.2 with 32 bytes of data:
Reply from 10.1.20.2: bytes=32 time=30ms TTL=127
Reply from 10.1.20.2: bytes=32 time=1ms TTL=127
Reply from 10.1.20.2: bytes=32 time=1ms TTL=127
Reply from 10.1.20.2: bytes=32 time=1ms TTL=127

Ping statistics for 10.1.20.2:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 1ms, Maximum = 30ms, Average = 8ms
Activity Verification
You have completed this task when you have attained this result:
Step 1 On the Branch router, verify that PC1 and PC2 have been assigned new IP addresses:

Branch# show ip dhcp binding
Bindings from all pools not associated with VRF:
IP address      Client-ID/              Lease expiration
                Hardware address/
                User name
10.1.10.100     0100.0c29.4532.be       Oct 19 2012 03:39 PM
10.1.20.100     0100.0c29.8807.34       Oct 20 2012 01:24 AM

Step 3 Configure a DHCP relay agent on the Branch router to forward DHCP messages to a centralized DHCP server with IP address 172.16.1.100. Configure the relay agent on both logical subinterfaces, which are part of VLAN 10 and VLAN 20.
Step 4 Save the running configuration to the startup configuration on the Branch router.
Step 5 Access PC1 and release the current DHCP lease.
Step 6 Renew the DHCP lease using the ipconfig /renew command and verify that PC1 has dynamically obtained an IP address from the 10.1.10.200-10.1.10.254 range.
C:\Windows\system32> ipconfig

Windows IP Configuration

Ethernet adapter LAB:

   Connection-specific DNS Suffix  . :
   Link-local IPv6 Address . . . . . :
   IPv4 Address. . . . . . . . . . . :
   Subnet Mask . . . . . . . . . . . :
   Default Gateway . . . . . . . . . :
<output omitted>
Step 7 Renew the DHCP lease using the ipconfig /renew command and verify that PC2 has dynamically obtained an IP address from the 10.1.20.200-10.1.20.254 range.

C:\Windows\system32> ipconfig /all
<output omitted>
Ethernet adapter LAB:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : VMware Accelerated AMD PCNet Adapter #2
   Physical Address. . . . . . . . . : 00-0C-29-50-EB-9D
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::b423:4279:f330:b1f5%13(Preferred)
   IPv4 Address. . . . . . . . . . . : 10.1.20.200
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Lease Obtained. . . . . . . . . . : Tuesday, October 23, 2012 11:04:21 AM
   Lease Expires . . . . . . . . . . : Tuesday, October 23, 2012 11:04:21 PM
   Default Gateway . . . . . . . . . : 10.1.20.1
   DHCP Server . . . . . . . . . . . : 209.165.201.2
<output omitted>
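Added example (not Cisco's code and not part of the lab guide): a Python model of the two DHCP setups in this lab, the router-local pools from Steps 1 to 10 and the relayed central server from Steps 3 to 7 above. It shows how IOS derives the Client-ID column of show ip dhcp binding from a client MAC (hardware type 01 followed by the MAC, so 00-0C-29-45-32-BE appears as 0100.0c29.4532.be), how ip dhcp excluded-address ranges steer which address a scope hands out first (the central server excludes .1 to .199, which is why the renewed leases land in the .200 to .254 range), and why the relay agent matters: the server selects the scope from the giaddr that the Branch subinterface stamps on the forwarded request. Pool, client_id_from_mac, next_free, offer and relay are hypothetical helper names; the MAC addresses are the ones in the lab outputs, and the exclusion ranges on the central server are an assumption consistent with the ranges the steps describe.

```python
from __future__ import annotations
import ipaddress
from dataclasses import dataclass, field


def client_id_from_mac(mac: str) -> str:
    """IOS lists Ethernet clients as hardware type 01 followed by the MAC, in dotted groups
    of four hex digits: 00-0C-29-45-32-BE becomes 0100.0c29.4532.be (PC1 in the lab outputs)."""
    raw = "01" + mac.replace("-", "").replace(":", "").lower()
    return ".".join(raw[i:i + 4] for i in range(0, len(raw), 4))


@dataclass
class Pool:
    """One 'ip dhcp pool' scope together with its global 'ip dhcp excluded-address' ranges."""
    name: str
    network: str                 # e.g. 10.1.10.0/24
    default_router: str
    dns_server: str
    lease_hours: int
    excluded: list[tuple[str, str]] = field(default_factory=list)
    bindings: dict[str, str] = field(default_factory=dict)      # leased ip -> client-id

    def exclude(self, first: str, last: str | None = None) -> None:
        self.excluded.append((first, last or first))

    def _is_excluded(self, ip: ipaddress.IPv4Address) -> bool:
        return any(ipaddress.ip_address(a) <= ip <= ipaddress.ip_address(b)
                   for a, b in self.excluded)

    def next_free(self) -> str | None:
        """Lowest host address that is neither excluded nor leased (the 'Current index' column)."""
        for ip in ipaddress.ip_network(self.network).hosts():
            if not self._is_excluded(ip) and str(ip) not in self.bindings:
                return str(ip)
        return None

    def offer(self, mac: str) -> str:
        """A renewal keeps the existing lease; otherwise the next free address is bound."""
        cid = client_id_from_mac(mac)
        for ip, bound in self.bindings.items():
            if bound == cid:
                return ip
        ip = self.next_free()
        if ip is None:
            raise RuntimeError(f"pool {self.name} exhausted")
        self.bindings[ip] = cid
        return ip

    def config(self) -> list[str]:
        """The IOS lines equivalent to this scope (lease given as 'lease days hours')."""
        net = ipaddress.ip_network(self.network)
        lines = [f"ip dhcp excluded-address {a}" + ("" if a == b else f" {b}")
                 for a, b in self.excluded]
        lines += [f"ip dhcp pool {self.name}",
                  f" network {net.network_address} {net.netmask}",
                  f" default-router {self.default_router}",
                  f" dns-server {self.dns_server}",
                  f" lease 0 {self.lease_hours}"]
        return lines


def relay(pools: list[Pool], giaddr: str, mac: str) -> tuple[str, str]:
    """A relayed DISCOVER carries giaddr = the address of the subinterface that heard the
    broadcast (what 'ip helper-address' makes the router insert); the server selects the
    scope containing giaddr and offers from it. Returns (offered ip, scope name)."""
    for pool in pools:
        if ipaddress.ip_address(giaddr) in ipaddress.ip_network(pool.network):
            return pool.offer(mac), pool.name
    raise LookupError(f"no scope for relay address {giaddr}")


if __name__ == "__main__":
    # Router-local scope for VLAN 10: the router's own address is excluded, so the
    # first client gets 10.1.10.2 and the index moves on to 10.1.10.3, as in show ip dhcp pool.
    local = Pool("VLAN10", "10.1.10.0/24", "10.1.10.1", "10.1.10.1", 2)
    local.exclude("10.1.10.1")
    print(local.offer("00-0C-29-8F-A8-A6"), local.next_free())
    # Central server (assumed exclusions): relayed requests from VLAN 20 land in .200-.254.
    central = Pool("VLAN20", "10.1.20.0/24", "10.1.20.1", "172.16.1.100", 12)
    central.exclude("10.1.20.1", "10.1.20.199")
    print(relay([central], "10.1.20.1", "00-0C-29-50-EB-9D"))
    print("\n".join(central.config()))
```

The relay function is the reason Step 3 configures ip helper-address on both subinterfaces rather than once: each subinterface stamps its own address as giaddr, and that is the only information the central server has for choosing between the VLAN 10 and VLAN 20 scopes.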
Step 1 Access both PCs and edit the IPv4 network settings. Manually set the parameters according to the table.
IP Addressing

Device   IP Address    Subnet Mask     Default Gateway
PC1      10.1.10.100   255.255.255.0   10.1.10.1
PC2      10.1.20.100   255.255.255.0   10.1.20.1
On PC1:
On PC2:
Step 2 To verify the manual settings, use the ping command to verify connectivity between PC1 and PC2.
C:\Windows\system32> ping 10.1.20.100

Pinging 10.1.20.100 with 32 bytes of data:
Reply from 10.1.20.100: bytes=32 time=12ms TTL=127
Reply from 10.1.20.100: bytes=32 time=1ms TTL=127
Reply from 10.1.20.100: bytes=32 time=1ms TTL=127
Reply from 10.1.20.100: bytes=32 time=1ms TTL=127

Ping statistics for 10.1.20.100:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 1ms, Maximum = 12ms, Average = 3ms
Visual Objective
The figure illustrates what you will accomplish in this activity.
[Figure: PC1 on SW1 and PC2 on SW2 behind the Branch router, with the Server on the far side.]
Required Resources
No additional resources are required for this lab.
Command List
The table describes the commands that are used in this activity. The commands are listed in alphabetical order so that you can easily locate the information that you need. Refer to this list if you need configuration command assistance during the lab activity.
Cisco Commands
interface interface
    Enters interface configuration mode.
ip address ip_address network_mask
    Sets an IP address, along with the subnet mask, on an interface. Enters interface configuration mode to issue this command.
router ospf process_id
    Starts the OSPF routing process with the specified process ID. The process ID is of local significance, so two routers can have different process IDs and still become neighbors.
show ip interfaces brief
    Shows a brief version of the operational state and IP information of all interfaces.
show ip ospf interface
    Displays interface information that is related to OSPF.
show ip ospf neighbor
    Shows all OSPF neighbors of the router.
show ip route
    Displays the IP route table.
Job Aids
These job aids are available to help you complete the lab activity. The table shows the hardware that is used in the lab and the operating system that is running on the devices.
Device         Hardware                                Operating System
Branch         Cisco 2901 Integrated Services Router   c2900-universalk9-mz.SPA.152-4.M1
Headquarters   Cisco 2901 Integrated Services Router   c2900-universalk9-mz.SPA.152-4.M1
SW1            Catalyst 2960 Series Switch             c2960-lanbasek9-mz.150-1.SE3
SW2            Catalyst 2960 Series Switch             c2960-lanlitek9-mz.150-1.SE3
PC1            Any PC                                  Microsoft Windows 7
PC2            Any PC                                  Microsoft Windows 7
The table shows the usernames and passwords that are used to access the lab equipment.
Device
PC1
PC2
Branch (console access)
Branch (enable password)
SW1 (console access)
SW1 (enable password)
Topology and IP Addressing
Devices are connected with Ethernet and serial connections. The figure illustrates the interface identification and IP addresses that are used in this lab setup.

[Figure: Topology. Branch Gi0/0 (VLAN1 - 10.1.1.1, VLAN10 - 10.1.10.1, VLAN20 - 10.1.20.1) connects to SW1 Fa0/13; PC1 (10.1.10.100) on SW1 Fa0/1; Branch connects across the WAN to HQ, with the Server (172.16.1.100) behind HQ.]
The table shows the interface identification and IP addresses that are used in this lab setup.

Device         Interface                                IP Address/Subnet Mask
Branch         Gi0/1                                    192.168.1.1/24
Branch         Gi0/0.1                                  10.1.1.1/24
Branch         Gi0/0.10                                 10.1.10.1/24
Branch         Gi0/0.20                                 10.1.20.1/24
Headquarters   Gi0/1                                    192.168.1.2/24
Headquarters   Loopback0                                172.16.1.100/24
SW1            VLAN1                                    10.1.1.11/24
PC1            Ethernet adapter local area connection   10.1.10.100/24
VLAN Setup
Three VLANs are configured on the switch. VLAN 1 is used for switch management, and VLAN 10 is used to connect PC1. VLAN 20 is used to connect PC2, which is not used in this lab exercise.

[Figure: VLAN Setup. Trunk from Branch to SW1; VLAN 1 for management, VLAN 10 for PC1 on SW1.]
Step 1 On the Branch router, verify the operational state of interface GigabitEthernet0/1. Verify that the interface is configured with the correct IP address.
Branch# show ip interfaces brief
Any interface listed with OK? value "NO" does not have a valid configuration

Interface                  IP-Address      OK? Method Status                Protocol
Embedded-Service-Engine0/0 unassigned      YES unset  administratively down down
GigabitEthernet0/0         unassigned      YES unset  up                    up
GigabitEthernet0/0.1       10.1.1.1        YES manual up                    up
GigabitEthernet0/0.10      10.1.10.1       YES manual up                    up
GigabitEthernet0/0.20      10.1.20.1       YES manual up                    up
GigabitEthernet0/1         192.168.1.1     YES manual up                    up
Serial0/0/0                unassigned      YES unset  administratively down down
NVI0                       unassigned      NO  unset  up                    up
Step 2 From the Branch router, ping the Headquarters router at 192.168.1.2. Your attempt should be successful.
Branch# ping 192.168.1.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 56/56/56 ms
Step 3 From PC1, ping the server with the 172.16.1.100 IP address. Your attempt should not be successful because the Headquarters router does not have a path back to the 10.1.10.0/24 network.
C:\Users\Administrator> ping 172.16.1.100

Pinging 172.16.1.100 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.

Ping statistics for 172.16.1.100:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),

Step 1 On the Branch router, enable single-area OSPF (area 0) and configure it so that it advertises networks 10.1.1.0/24, 10.1.10.0/24, 10.1.20.0/24, and 192.168.1.0/24. The Headquarters router was already configured with OSPF by your colleague.
Activity Verification
You have completed this task when you attain these results:
Step 1 On the Branch router, determine whether you see the Headquarters router as a neighbor. The Headquarters router is configured with the router ID of 1.1.1.1.

Branch# show ip ospf neighbor

Neighbor ID     Pri   State           Address         Interface
1.1.1.1           1   FULL/BDR        192.168.1.2     GigabitEthernet0/1
Step 2 On the Branch router, verify that GigabitEthernet0/0.1, GigabitEthernet0/0.10, GigabitEthernet0/0.20, and GigabitEthernet0/1 are enabled for the OSPF process.
Branch# show ip ospf interface brief
Interface    PID   Area            IP Address/Mask    Cost  State
Gi0/1        100   0               192.168.1.1/24     1     DR
Gi0/0.20     100   0               10.1.20.1/24       1     DR
Gi0/0.10     100   0               10.1.10.1/24       1     DR
Gi0/0.1      100   0               10.1.1.1/24        1     DR
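Added example (not Cisco's code and not part of the lab guide): Python helpers that build the OSPF network statements for the four prefixes in Step 1 and then check, from a list of interface addresses, which interfaces those statements enable, which is what show ip ospf interface brief confirms above. An IOS network statement takes a wildcard mask (the inverse of the subnet mask) and enables OSPF on every interface whose address agrees with the statement on all bits that are 0 in the wildcard; when several statements match, IOS applies the most specific one. The block also shows the generalization that a single 10.0.0.0 0.255.255.255 statement would cover the three subinterfaces but not GigabitEthernet0/1. The process ID 100 and the interface table come from the lab outputs; wildcard, ospf_config, covered and ospf_enabled_interfaces are hypothetical helper names.

```python
from __future__ import annotations
import ipaddress


def wildcard(prefix_len: int) -> str:
    """IOS 'network' statements take a wildcard mask, the bitwise inverse of the subnet mask."""
    mask = int(ipaddress.ip_network(f"0.0.0.0/{prefix_len}").netmask)
    return str(ipaddress.ip_address(mask ^ 0xFFFFFFFF))


def ospf_config(process_id: int, prefixes: list[str], area: int = 0) -> list[str]:
    """Builds the 'router ospf' block that advertises the given prefixes into one area."""
    lines = [f"router ospf {process_id}"]
    for p in prefixes:
        net = ipaddress.ip_network(p)
        lines.append(f" network {net.network_address} {wildcard(net.prefixlen)} area {area}")
    return lines


def covered(ifaddr: str, netaddr: str, wc: str) -> bool:
    """A network statement matches an interface when every bit that is 0 in the wildcard agrees."""
    care = int(ipaddress.ip_address(wc)) ^ 0xFFFFFFFF
    return int(ipaddress.ip_address(ifaddr)) & care == int(ipaddress.ip_address(netaddr)) & care


def ospf_enabled_interfaces(interfaces: dict[str, str], config: list[str]) -> dict[str, int]:
    """Returns {interface: area} for every interface whose address is covered by a network
    statement in config; if several match, the most specific (fewest wildcard bits) wins."""
    enabled: dict[str, int] = {}
    for name, cidr in interfaces.items():
        addr = cidr.split("/")[0]
        candidates = []
        for line in config:
            parts = line.split()
            if len(parts) == 5 and parts[0] == "network" and parts[3] == "area":
                net, wc, area = parts[1], parts[2], int(parts[4])
                if covered(addr, net, wc):
                    candidates.append((bin(int(ipaddress.ip_address(wc))).count("1"), area))
        if candidates:
            enabled[name] = min(candidates)[1]
    return enabled


# Constructed from the Branch router's show ip interfaces brief output in this lab.
BRANCH_INTERFACES = {
    "Gi0/0.1": "10.1.1.1/24",
    "Gi0/0.10": "10.1.10.1/24",
    "Gi0/0.20": "10.1.20.1/24",
    "Gi0/1": "192.168.1.1/24",
}

if __name__ == "__main__":
    cfg = ospf_config(100, ["10.1.1.0/24", "10.1.10.0/24", "10.1.20.0/24", "192.168.1.0/24"])
    print("\n".join(cfg))
    print(ospf_enabled_interfaces(BRANCH_INTERFACES, cfg))
    print(ospf_enabled_interfaces(BRANCH_INTERFACES, [" network 10.0.0.0 0.255.255.255 area 0"]))
```

Checking the enabled set against the interface table before committing the configuration is the same check Step 2 performs on the router, and it catches the usual mistake of writing a subnet mask where the wildcard belongs: network 10.1.1.0 255.255.255.0 would match only addresses whose first octet is 10 and leave the rest of the address unconstrained.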
Step 3 On the Branch router, view the routing table. Note the entry for the 172.16.1.0/24 network that was acquired via the OSPF routing process.
Branch# show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       + - replicated route, % - next hop override

Gateway of last resort is 0.0.0.0 to network 0.0.0.0

S*    0.0.0.0/0 is directly connected, GigabitEthernet0/1
      10.0.0.0/8 is variably subnetted, 6 subnets, 2 masks
C        10.1.1.0/24 is directly connected, GigabitEthernet0/0.1
L        10.1.1.1/32 is directly connected, GigabitEthernet0/0.1
C        10.1.10.0/24 is directly connected, GigabitEthernet0/0.10
L        10.1.10.1/32 is directly connected, GigabitEthernet0/0.10
C        10.1.20.0/24 is directly connected, GigabitEthernet0/0.20
L        10.1.20.1/32 is directly connected, GigabitEthernet0/0.20
      172.16.0.0/32 is subnetted, 1 subnets
O        172.16.1.100 [110/2] via 192.168.1.2, 00:07:00, GigabitEthernet0/1
      192.168.1.0/24 is variably subnetted, 2 subnets, 2 masks
C        192.168.1.0/24 is directly connected, GigabitEthernet0/1
L        192.168.1.1/32 is directly connected, GigabitEthernet0/1
Step 4 From PC1, ping the 172.16.1.100 server. Your attempt should be successful because the HQ router now knows how to get back to the 10.1.10.0/24 network.
C:\Users\Administrator>ping 172.16.1.100

Pinging 172.16.1.100 with 32 bytes of data:
Reply from 172.16.1.100: bytes=32 time=44ms TTL=128
Reply from 172.16.1.100: bytes=32 time=41ms TTL=128
Reply from 172.16.1.100: bytes=32 time=36ms TTL=128
Reply from 172.16.1.100: bytes=32 time=36ms TTL=128

Ping statistics for 172.16.1.100:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 36ms, Maximum = 44ms, Average = 39ms
Visual Objective
The figure illustrates what you will accomplish in this activity.
Figure: Visual Objective for Lab 5-1: Configure and Verify Basic IPv6 (devices shown: Branch, HQ, Server, PC1, SW1, PC2, SW2)
Required Resources
No additional resources are required for this lab.
Command List
The table describes the commands that are used in this activity. The commands are listed in alphabetical order so that you can easily locate the information that you need. Refer to this list if you need configuration or verification Cisco IOS command assistance during the lab activity.
Commands
Command                                  Description
configure terminal                       Enters configuration mode
exit                                     Exits from the Telnet session
interface interface                      Enters interface configuration mode
ipv6 address ipv6_address/ipv6_mask      Configures an IPv6 address on the interface
ipv6 unicast-routing                     Enables IPv6 forwarding support on the router
ping destination_address                 Pings the specified IP address
show ipv6 interface interface            Displays IPv6 status on the interface
telnet ip_address                        Uses Telnet to connect to the specified IP address
traceroute ip_address                    Traces to the specified IP address
Job Aids
These job aids are available to help you complete the lab activity. The table shows the hardware that is used in the lab and the operating system that is running on the devices.
Device    Hardware                                 Operating System
Branch    Cisco 2901 Integrated Services Router    c2900-universalk9-mz.SPA.152-4.M1
HQ        Cisco 2901 Integrated Services Router    c2900-universalk9-mz.SPA.152-4.M1
The table shows the usernames and passwords that are used to access the lab equipment.
Device                      Username / Password
Branch (console access)     ccna / cisco
Branch (enable password)    cisco
Topology and IP Addressing

Devices are connected with an Ethernet connection. The figure illustrates IP addresses that are used in this lab setup.
Lab Guide
L-149
Figure: Branch Gi0/1 2001:DB8:D1A5:C900::1 -- Internet -- HQ Gi0/1 2001:DB8:D1A5:C900::2
The table shows the interface identification and IP addresses that are used in this lab setup.
Device    Interface    IP Address/Subnet Mask
Branch    Gi0/1        2001:DB8:D1A5:C900::1/64
HQ        Gi0/1        2001:DB8:D1A5:C900::2/64
HQ        Loopback0    2001:DB8:AC10:100::64/64
Activity Verification

You have completed this task when you attain this result:

Step 1 On the Branch router, verify IPv6 setup on the GigabitEthernet 0/1 interface.
Branch#show ipv6 interface GigabitEthernet 0/1
GigabitEthernet0/1 is up, line protocol is up
  IPv6 is enabled, link-local address is FE80::FE99:47FF:FEE5:2599
  No Virtual link-local address(es):
  Description: Link to HQ
  Global unicast address(es):
    2001:DB8:D1A5:C900::1, subnet is 2001:DB8:D1A5:C900::/64
  Joined group address(es):
    FF02::1
    FF02::2
    FF02::1:FF00:1
    FF02::1:FFE5:2599
  MTU is 1500 bytes
  ICMP error messages limited to one every 100 milliseconds
  ICMP redirects are enabled
  ICMP unreachables are sent
  ND DAD is enabled, number of DAD attempts: 1
  ND reachable time is 30000 milliseconds (using 30000)
  ND advertised reachable time is 0 (unspecified)
  ND advertised retransmit interval is 0 (unspecified)
  ND router advertisements are sent every 200 seconds
  ND router advertisements live for 1800 seconds
  ND advertised default router preference is Medium
  Hosts use stateless autoconfig for addresses.
The GigabitEthernet0/1 interface is up and running. An IPv6 address is successfully enabled on the interface.

Step 2 On the Branch router, ping the HQ router GigabitEthernet0/1 interface (2001:DB8:D1A5:C900::2). The ping should be successful.
Branch#ping 2001:db8:D1A5:C900::2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2001:DB8:D1A5:C900::2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 0/1/4 ms
Step 3 On the Branch router, trace route to the IPv6 address 2001:DB8:D1A5:C900::2. You should see a response from the HQ router.
Branch#traceroute 2001:db8:D1A5:C900::2
Type escape sequence to abort.
Tracing the route to 2001:DB8:D1A5:C900::2

  1 2001:DB8:D1A5:C900::2 0 msec 4 msec 0 msec
Step 4 From the Branch router, use Telnet to connect to IPv6 address 2001:DB8:D1A5:C900::2. You should see a successful Telnet to the HQ router.
Branch#telnet 2001:db8:D1A5:C900::2
Trying 2001:DB8:D1A5:C900::2 ... Open

HQ#
Visual Objective
The figure illustrates what you will accomplish in this activity.
Figure: Visual Objective for Lab 5-2: Configure and Verify Stateless Autoconfiguration (devices shown: Branch, HQ, Server, PC1, SW1, PC2, SW2)
Required Resources
No additional resources are required for this lab.
Command List
The table describes the commands that are used in this activity. The commands are listed in alphabetical order so that you can easily locate the information that you need. Refer to this list if you need configuration or verification Cisco IOS command assistance during the lab activity.
Commands
Command                            Description
configure terminal                 Enters configuration mode
exit                               Exits from the Telnet session
interface interface                Enters interface configuration mode
ipv6 address autoconfig            Enables IPv6 autoconfiguration on the interface
ping destination_address           Pings the specified IP address
show ipv6 interface interface      Displays IPv6 status on the interface
telnet ip_address                  Uses Telnet to connect to the specified IP address
traceroute ip_address              Traces to the specified IP address
Job Aids
These job aids are available to help you complete the lab activity. The table shows the hardware that is used in the lab and the operating system that is running on the devices.
Device    Hardware                                 Operating System
Branch    Cisco 2901 Integrated Services Router    c2900-universalk9-mz.SPA.152-4.M1
HQ        Cisco 2901 Integrated Services Router    c2900-universalk9-mz.SPA.152-4.M1
The table shows the usernames and passwords that are used to access the lab equipment.
Device                      Username / Password
Branch (console access)     ccna / cisco
Branch (enable password)    cisco
Topology and IP Addressing

Devices are connected with an Ethernet connection. The figure illustrates IP addresses that are used in this lab setup.
Figure: Branch Gi0/1 2001:DB8:D1A5:C900::1 -- Internet -- HQ Gi0/1 2001:DB8:D1A5:C900::2
The table shows the interface identification and IP addresses that are used in this lab setup.
Device    Interface    IP Address/Subnet Mask
Branch    Gi0/1        2001:DB8:D1A5:C900::1/64
HQ        Gi0/1        2001:DB8:D1A5:C900::2/64
HQ        Loopback0    2001:DB8:AC10:100::64/64
Step 1 On the Branch router, verify the current GigabitEthernet 0/1 configuration.
Branch# show running-config interface GigabitEthernet 0/1
Building configuration...

Current configuration : 166 bytes
!
interface GigabitEthernet0/1
 description Link to HQ
 ip address 209.165.201.1 255.255.255.224
 duplex auto
 speed auto
 ipv6 address 2001:DB8:D1A5:C900::1/64
end
There is an IPv6 address that is configured on the interface.

Step 2 On the Branch router, remove the IPv6 address from the GigabitEthernet 0/1 interface.

Step 3 On the Branch router, configure stateless autoconfiguration on the GigabitEthernet 0/1 interface.

Activity Verification

You have completed this task when you attain these results:
Step 1 On the Branch router, verify the IPv6 setup on the GigabitEthernet 0/1 interface.
Branch# show ipv6 interface GigabitEthernet 0/1
GigabitEthernet0/1 is up, line protocol is up
  IPv6 is enabled, link-local address is FE80::FE99:47FF:FEE5:2599
  No Virtual link-local address(es):
  Description: Link to HQ
  Stateless address autoconfig enabled
  Global unicast address(es):
    2001:DB8:D1A5:C900:FE99:47FF:FEE5:2599, subnet is 2001:DB8:D1A5:C900::/64 [EUI/CAL/PRE]
      valid lifetime 2591996 preferred lifetime 604796
  Joined group address(es):
    FF02::1
    FF02::2
    FF02::1:FFE5:2599
  MTU is 1500 bytes
  ICMP error messages limited to one every 100 milliseconds
  ICMP redirects are enabled
  ICMP unreachables are sent
  ND DAD is enabled, number of DAD attempts: 1
  ND reachable time is 30000 milliseconds (using 30000)
  ND advertised reachable time is 0 (unspecified)
  ND advertised retransmit interval is 0 (unspecified)
  ND router advertisements are sent every 200 seconds
  ND router advertisements live for 1800 seconds
  ND advertised default router preference is Medium
  Hosts use stateless autoconfig for addresses.
The GigabitEthernet 0/1 interface is up and running. The IPv6 address is successfully set on the interface. The IPv6 prefix is the same as what is configured on the HQ router, and the host portion of the IPv6 address is calculated from the GigabitEthernet 0/1 interface MAC address.

Step 2 On the Branch router, ping the HQ router GigabitEthernet0/1 interface (2001:DB8:D1A5:C900::2). The ping should be successful.
Branch# ping 2001:db8:D1A5:C900::2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2001:DB8:D1A5:C900::2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 0/1/4 ms
Step 3 On the Branch router, trace route to the IPv6 address 2001:DB8:D1A5:C900::2. You should see a response from the HQ router.
Branch# traceroute 2001:db8:D1A5:C900::2
Type escape sequence to abort.
Tracing the route to 2001:DB8:D1A5:C900::2

  1 2001:DB8:D1A5:C900::2 0 msec 4 msec 0 msec
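The host portion that step 1 of this verification says is "calculated from the GigabitEthernet 0/1 interface MAC address" is the modified EUI-64 interface identifier. The following Python is an added example, not part of the lab guide: it builds the identifier from a MAC, derives the link-local and the SLAAC global address for the lab's 2001:DB8:D1A5:C900::/64 prefix, computes the solicited-node multicast groups the interface joins, and reverses an EUI-64 address back to its MAC. The MAC fc99.47e5.2599 is an assumption inferred by reversing the link-local address shown in the output; the function names are mine.

```python
import ipaddress
import re


def mac_to_eui64(mac: str) -> bytes:
    """Return the 8-byte modified EUI-64 interface identifier for a 48-bit MAC.

    Accepts Cisco dotted (fc99.47e5.2599), colon or dash notation.
    """
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", mac)
    if len(hexdigits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    octets = bytearray.fromhex(hexdigits)
    # Insert FF:FE between the OUI half and the device half ...
    eui = octets[:3] + b"\xff\xfe" + octets[3:]
    # ... and invert the universal/local bit (0x02) of the first octet.
    eui[0] ^= 0x02
    return bytes(eui)


def eui64_to_mac(addr: str) -> str:
    """Recover the MAC (Cisco dotted form) from an EUI-64 derived IPv6 address.

    Useful when correlating an IPv6 host seen in logs with a switch MAC table.
    """
    iid = bytearray(int(ipaddress.IPv6Address(addr)).to_bytes(16, "big")[8:])
    if iid[3:5] != b"\xff\xfe":
        raise ValueError("interface identifier is not modified EUI-64")
    iid[0] ^= 0x02
    octets = (iid[:3] + iid[5:]).hex()
    return ".".join(octets[i:i + 4] for i in (0, 4, 8))


def slaac_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Combine a /64 prefix (as advertised in a router advertisement) with the EUI-64."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("EUI-64 autoconfiguration requires a /64 prefix")
    iid = int.from_bytes(mac_to_eui64(mac), "big")
    return ipaddress.IPv6Address(int(net.network_address) | iid)


def link_local_address(mac: str) -> ipaddress.IPv6Address:
    return slaac_address("fe80::/64", mac)


def solicited_node_multicast(addr: str) -> ipaddress.IPv6Address:
    """FF02::1:FFxx:xxxx, where xx:xxxx are the low 24 bits of the unicast address."""
    low24 = int(ipaddress.IPv6Address(addr)) & 0xFFFFFF
    return ipaddress.IPv6Address(int(ipaddress.IPv6Address("ff02::1:ff00:0")) | low24)


if __name__ == "__main__":
    mac = "fc99.47e5.2599"  # assumption: Branch Gi0/1 MAC inferred from the link-local shown
    ll = link_local_address(mac)
    ga = slaac_address("2001:DB8:D1A5:C900::/64", mac)
    print("link-local      :", ll)
    print("global (SLAAC)  :", ga)
    print("solicited-node  :", solicited_node_multicast(ga))
    print("static ::1 group:", solicited_node_multicast("2001:DB8:D1A5:C900::1"))
    print("MAC recovered   :", eui64_to_mac(ga))
```

Because the identifier embeds the MAC, the same host keeps the same low 64 bits on every prefix it visits and its hardware address is visible to anyone who sees the IPv6 address; that is why client operating systems default to randomized or privacy identifiers instead, and why an EUI-64 address in a log can be mapped straight back to a switch port with eui64_to_mac.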
Visual Objective
The figure illustrates what you will accomplish in this activity.
Visual Objective for Lab 5-3: Configure and Verify IPv6 Routing
Figure: Visual Objective for Lab 5-3: Configure and Verify IPv6 Routing (devices shown: Branch, HQ, Server, PC1, SW1, PC2, SW2)
Required Resources
No additional resources are required for this lab.
Command List
The table describes the commands that are used in this activity. The commands are listed in alphabetical order so that you can easily locate the information that you need. Refer to this list if you need configuration or verification Cisco IOS command assistance during the lab activity.
Commands
Command                                     Description
configure terminal                          Enters configuration mode.
interface interface                         Enters interface configuration mode.
ipv6 ospf process_ID area area_ID           Enables OSPFv3 routing on the interface.
[no] ipv6 route ::/0 interface next_hop     Enables or disables the IPv6 default route.
ipv6 router ospf process_ID                 Enables OSPFv3 and enters routing process mode.
ping destination_address                    Pings the specified IP address.
router-id router-id                         Configures the OSPFv3 router ID. The router ID is a 32-bit value, written in the IPv4 form (x.x.x.x).
show ipv6 ospf                              Displays OSPFv3 settings.
show ipv6 ospf neighbor                     Displays OSPFv3 neighbors.
show ipv6 route                             Displays the IPv6 routing table.
Job Aids
These job aids are available to help you complete the lab activity. The table shows the hardware that is used in the lab and the operating system that is running on the devices.
Device    Hardware                                 Operating System
Branch    Cisco 2901 Integrated Services Router    c2900-universalk9-mz.SPA.152-4.M1
HQ        Cisco 2901 Integrated Services Router    c2900-universalk9-mz.SPA.152-4.M1
The table shows the usernames and passwords that are used to access the lab equipment.
Device                      Username / Password
Branch (console access)     ccna / cisco
Branch (enable password)    cisco
Topology and IP Addressing

Devices are connected with an Ethernet connection. The figure illustrates IP addresses that are used in this lab setup.
Figure: Branch Gi0/1 2001:DB8:D1A5:C900::1 -- Internet -- HQ Gi0/1 2001:DB8:D1A5:C900::2
The table shows the interface identification and IP addresses that are used in this lab setup.
Device    Interface    IP Address/Subnet Mask
Branch    Gi0/1        2001:DB8:D1A5:C900::1/64
HQ        Gi0/1        2001:DB8:D1A5:C900::2/64
HQ        Loopback0    2001:DB8:AC10:100::64/64
The ping is not successful because there is no valid route for network 2001:DB8:AC10:100::/64 in the routing table.
From the IPv6 routing table output, you can confirm there is no route for the desired network.

Step 3 On the Branch router, configure a default IPv6 route pointing to the HQ router.

Activity Verification

You have completed this task when you attain these results:

Step 1 On the Branch router, ping the server at 2001:DB8:AC10:100::64. The ping should be successful.
Branch# ping 2001:DB8:AC10:100::64
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2001:DB8:AC10:100::64, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 0/1/8 ms
There is still no route for network 2001:DB8:AC10:100::/64, but there is a static default route. The Branch router uses the default route to reach IPv6 networks that are not present in the routing table.
The OSPFv3 adjacency between the Headquarters and Branch routers is established.

Step 2 On the Branch router, display the OSPFv3 neighbor.
Branch# show ipv6 ospf neighbor

Neighbor ID     Pri   State           Interface ID    Interface
0.0.0.1           1   FULL/DR         4               GigabitEthernet0/1
The Branch router has an active OSPFv3 neighborship to the router with router ID 0.0.0.1. The HQ router is using OSPFv3 router ID 0.0.0.1.

Step 3 On the Branch router, display the OSPFv3 setup.
Branch# show ipv6 ospf
 Routing Process "ospfv3 1" with ID 0.0.0.2
 Event-log enabled, Maximum number of events: 1000, Mode: cyclic
< output omitted >
The OSPFv3 on the Branch router is using process ID 1 and router ID 0.0.0.2.
Observe the OSPFv3 route to network 2001:DB8:AC10:100::/64.

Step 5 On the Branch router, verify connectivity to IPv6 address 2001:DB8:AC10:100::64.
Branch# ping 2001:DB8:AC10:100::64
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2001:DB8:AC10:100::64, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 0/0/4 ms
Visual Objective
The figure illustrates what you will accomplish in this activity.
Figure: Visual Objective (devices shown: Server, HQ, PC1, PC2 in VLAN 20)
Required Resources
These resources and equipment are required to complete this activity: A PC that is connected to the on-site lab or a PC with Internet connectivity to access the remote lab
Command List
The table that follows describes the commands that are used in this activity. The commands are listed in alphabetical order so that you can easily locate the information that you need. Refer to this list if you need configuration command assistance during the lab activity.
Command                                                                   Description
access-list acl_id permit network                                         Creates a numbered access list entry.
configure terminal                                                        Activates the configuration mode from the terminal.
crypto key generate rsa                                                   Generates an RSA crypto key pair.
delete name                                                               Deletes a file from flash memory.
deny ip|tcp|udp source_network wildcard mask dst_network wildcard mask    Creates a deny access list entry.
enable                                                                    Activates privileged EXEC mode. In privileged EXEC mode, more commands are available. This command requires you to enter the enable password if an enable password is configured.
enable secret password                                                    Configures the enable password in encrypted form.
Command                                                                     Description
encapsulation dot1Q vlan [native]                                           Sets the encapsulation type and VLAN on a subinterface on a router.
erase startup-config                                                        Erases the startup configuration that is stored in nonvolatile memory.
hostname hostname                                                           Sets the system name, which forms part of the prompt.
interface interface                                                         Enters the interface configuration mode.
interface interface.subinterface                                            Enters the subinterface configuration mode.
ip access-list extended acl_name                                            Creates an extended, named ACL.
ip access-group acl_name in|out                                             Applies an extended ACL to an interface in the inbound or outbound direction.
ip address ip-address subnet-mask                                           Sets the IP address and mask on an interface.
ip domain-name domain                                                       Sets a domain name.
ip nat inside source list acl_id interface interface overload               Configures dynamic NAT with PAT.
ip nat inside                                                               Configures an interface as NAT inside.
ip nat outside                                                              Configures an interface as NAT outside.
ip route network mask next_hop_ip_address                                   Configures a static route (including a default route).
ip ssh version 2                                                            Enables SSH version 2.
ipv6 address ipv6-address/prefix_length                                     Sets the IPv6 address and prefix length on an interface.
ipv6 ospf process_id area area_id                                           Enables an interface for OSPFv3 in an area.
ipv6 router ospf process_id                                                 Creates the OSPFv3 process.
ipv6 unicast-routing                                                        Enables IPv6 routing on a router.
line console 0                                                              Enters the line console configuration mode.
line vty start_line end_line                                                Enters the virtual lines configuration mode.
logging synchronous                                                         Enables synchronous logging on a line.
login                                                                       Enables verification of a password on a line.
login local                                                                 Enables verification of a username and password on a line.
network network wildcard_mask area area_id                                  Configures a router to advertise a network through OSPF.
password                                                                    Sets the password on a line.
permit ip|tcp|udp source_network wildcard mask dst_network wildcard mask    Creates a permit access list entry.
ping ip_address                                                             Pings a destination IP address.
reload                                                                      Restarts the switch and reloads the Cisco IOS operating system and configuration.
router ospf process_id                                                      Creates the OSPF process.
Command                                                   Description
show interfaces interface                                 Displays the status of an interface.
show interfaces interface switchport                      Displays the switchport status of a port.
show interfaces interface trunk                           Displays the trunking status of a port.
show ip access-lists                                      Displays configured access lists and hit counts.
show ip interface brief                                   Displays the brief status of interfaces and their IP addresses.
show ip route                                             Displays the routing table.
show ipv6 interface interface                             Displays IPv6 settings and status on an interface.
show ipv6 ospf                                            Displays OSPFv3 settings on a router.
show ipv6 neighbors                                       Displays the IPv6 neighbor discovery table.
show ipv6 route                                           Displays the IPv6 routing table.
show ip nat translations                                  Displays the NAT table.
show ip ospf neighbors                                    Displays OSPF neighbors.
show ipv6 ospf neighbors                                  Displays OSPFv3 neighbors.
show mac address-table                                    Displays the MAC address table on a switch.
show users                                                Displays users that are currently logged in to a router.
show port-security interface interface                    Displays port security information on an interface.
shutdown                                                  Shuts down an interface. Use the no form of the command to enable the interface.
switchport access vlan vlan                               Specifies an access VLAN on a switchport.
switchport mode access | trunk                            Configures a switchport as an access or trunk port.
switchport port-security                                  Enables port security on a switchport.
switchport port-security violation protect                Configures the port security violation action to protect.
switchport port-security maximum number                   Specifies the maximum number of MAC addresses that can be seen on a port when port security is enabled.
switchport port-security mac-address mac_address          Manually defines MAC addresses that are allowed on a switchport when port security is enabled.
switchport trunk allowed vlan vlans                       Specifies allowed VLANs on a trunk link.
telnet ip_address                                         Uses Telnet to connect to a destination IP address.
transport input ssh telnet                                Allows Telnet and SSH on virtual lines.
username username password password                       Creates a user account in the local user database.
vlan vlan_id                                              Creates a VLAN on a switch.
Job Aids
These job aids are available to help you complete the lab activity. The table shows the hardware that is used in the lab and the operating system that is running on the devices.
Hardware                                 Operating System
Cisco 2901 Integrated Services Router    c2900-universalk9-mz.SPA.152-4.M1
Cisco 2901 Integrated Services Router    c2900-universalk9-mz.SPA.152-4.M1
Catalyst 2960 Series Switch              c2960-lanbasek9-mz.150-1.SE3
Catalyst 2960 Series Switch              c2960-lanlitek9-mz.150-1.SE3
Any PC                                   Microsoft Windows 7
Any PC                                   Microsoft Windows 7
Topology and IP Addressing

Devices are connected with Ethernet and serial connections. The figure illustrates the interface identification and IP addresses that will be used in this lab.
Figure: Topology and IP Addressing. Server 172.16.1.100 -- Internet -- HQ -- Branch; PC1 10.1.10.100 on SW1 Fa0/1; SW1 10.1.1.11, trunk on Fa0/3; PC2 10.1.20.100 on SW2 Fa0/1; SW2 10.1.1.12, trunk on Fa0/3.
The table shows the interface identification and IP addresses that will be used in this lab setup.
Device    Interface                                 IP Address or Subnet Mask
Branch    Loopback10                                10.100.100.100/32
Branch    Gi0/0.1 (VLAN1)                           10.1.1.1/24
Branch    Gi0/0.10 (VLAN10)                         10.1.10.1/24
Branch    Gi0/0.20 (VLAN20)                         10.1.20.1/24
Branch    Gi0/1                                     209.165.201.1/27, 192.168.1.1/24
HQ        Gi0/1                                     209.165.201.2/27, 192.168.1.2/24
HQ        Loopback0                                 172.16.1.100/24
SW1       VLAN1                                     10.1.1.11/24
SW2       VLAN1                                     10.1.1.12/24
PC1       Ethernet adapter local area connection    10.1.10.100/24
PC2       Ethernet adapter local area connection    10.1.20.100/24
IPv6 Addressing

The figure illustrates IPv6 addresses that will be used in this lab.
Figure: IPv6 Addressing. Branch: VLAN 1 2001:db8:0A01:100::1/64, VLAN 10 2001:db8:0A01:A00::1/64, VLAN 20 2001:db8:0A01:1400::1/64, Gi0/1 2001:db8:D1A5:C900::1/64 and 2001:db8:C0A8:100::1/64 -- Internet -- HQ Gi0/1 2001:db8:D1A5:C900::2/64 and 2001:db8:C0A8:100::2/64; Server 2001:db8:AC10:100::64/64; PC1, SW1, PC2, SW2.
The table shows the interface identification and IPv6 addresses that will be used in this lab.
Device    Interface            IP Address or Subnet Mask
Branch    Gi0/0.1 (VLAN1)      2001:db8:0A01:100::1/64
Branch    Gi0/0.10 (VLAN10)    2001:db8:0A01:A00::1/64
Branch    Gi0/0.20 (VLAN20)    2001:db8:0A01:1400::1/64
Branch    Gi0/1                2001:db8:D1A5:C900::1/64, 2001:db8:C0A8:100::1/64
HQ        Gi0/1                2001:db8:D1A5:C900::2/64, 2001:db8:C0A8:100::2/64
HQ        Loopback0            2001:db8:AC10:100::64/64
Task 1: Configure Basic Settings, VLANs, Trunks, and Port Security on Switches
In this task, you will first delete the existing configuration from the SW1 and SW2 switches and reload them. Then you will configure basic settings on the switches and secure administrative access to them. You will also configure VLANs and trunks on the switches and put the two PCs into different VLANs. Finally, you will enable port security on the switches to prevent unauthorized access to the LAN.

Activity Procedure

Complete the following steps:

Step 1 Access the SW1 and SW2 switches.

Step 2 Delete the startup configuration from the SW1 and SW2 switches. Delete the vlan.dat file from the flash memory of the switches to remove the VLAN information. Reload the switches so that they boot with an empty configuration.

Step 3 Configure a hostname (SW1, SW2) on the switches.

Step 4 Configure IPv4 addresses on both switches for management purposes. Assign the IP address to the VLAN 1 interface. Use the Job Aids section of the document to determine the IP address for each switch. Enable the VLAN 1 interface.

Step 5 Configure the enable password on the SW1 and SW2 switches. Use the command that will store the configured password in encrypted form. Use cisco as the password.

Step 6 Secure console access to the switches by enabling the password on the console. Use cisco as the password. Enable synchronous logging on the console to make the input of commands easier.

Step 7 Enable SSH version 2 remote access to the SW1 and SW2 switches. Use 1024-bit RSA keys and cisco.com as the domain name. Allow Telnet and SSH on the virtual lines.
Step 8 Create a local user account on the switches that will be used to authenticate users accessing the switches via SSH or Telnet. Use ccna as the username and cisco as the password. Configure the virtual lines to check the username and password.

Step 9 Create two additional VLANs on the switches. Use VLAN 10 and 20.

Step 10 Configure a trunk between the SW1 and SW2 switches over the FastEthernet0/3 port. Allow only VLANs 1, 10, and 20 on the trunk link. Shut down the FastEthernet0/4 port on both switches.

Step 11 On SW1, configure the port connecting to PC1 (FastEthernet0/1) as an access port. Put the port into VLAN 10.

Step 12 On SW2, configure the port connecting to PC2 (FastEthernet0/1) as an access port. Put the port into VLAN 20.
Step 13 Access PC1. Use administrator as a username and admin as a password in order to log in. Set the following IP settings on the LAB network adapter:
IP Address         10.1.10.100
Mask               255.255.255.0
Default Gateway    10.1.10.1
Step 14 Access PC2. Use administrator as a username and admin as a password in order to log in. Set the following IP settings on the LAB network adapter:
IP Address         10.1.20.100
Mask               255.255.255.0
Default Gateway    10.1.20.1
Step 15 From PC1, which is in VLAN 10, ping the management IP address of SW1 (10.1.1.11) in VLAN 1.
C:\Windows\system32> ping 10.1.1.11

Pinging 10.1.1.11 with 32 bytes of data:
Reply from 10.1.10.100: Destination host unreachable.
Reply from 10.1.10.100: Destination host unreachable.
Reply from 10.1.10.100: Destination host unreachable.
Reply from 10.1.10.100: Destination host unreachable.

Ping statistics for 10.1.1.11:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
The ping should be unsuccessful because routing between VLAN 1 and VLAN 10 has not been configured yet.

Step 16 From PC2, which is in VLAN 20, ping the management IP address of SW1 (10.1.1.11) in VLAN 1.
C:\Windows\system32> ping 10.1.1.11

Pinging 10.1.1.11 with 32 bytes of data:
Reply from 10.1.20.100: Destination host unreachable.
Reply from 10.1.20.100: Destination host unreachable.
Reply from 10.1.20.100: Destination host unreachable.
Reply from 10.1.20.100: Destination host unreachable.

Ping statistics for 10.1.1.11:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
The ping should be unsuccessful because routing between VLAN 1 and VLAN 20 has not been configured yet.

Step 17 Return to SW1 and verify the MAC address table. Note the MAC address of PC1 and write it down.
SW1# show mac address-table
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
 All    0100.0ccc.cccc    STATIC      CPU
 All    0100.0ccc.cccd    STATIC      CPU
<output omitted>
   1    001e.145e.4983    DYNAMIC     Fa0/3
   1    fc99.47e5.2700    DYNAMIC     Fa0/13
  10    000c.293b.709d    DYNAMIC     Fa0/1
  10    000f.34f9.9181    DYNAMIC     Fa0/1
Note
If there is more than one MAC address that is seen on the FastEthernet0/1 interface, go to the PC and determine its MAC address using the ipconfig /all command.
Step 18 Return to SW2 and verify the MAC address table. Note the MAC address of PC2 and write it down.
SW2# show mac address-table
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
 All    0100.0ccc.cccc    STATIC      CPU
 All    0100.0ccc.cccd    STATIC      CPU
<output omitted>
   1    001e.147c.6f03    DYNAMIC     Fa0/3
  10    000c.293b.709d    DYNAMIC     Fa0/3
  20    000c.29a8.a05a    DYNAMIC     Fa0/1
  20    000f.34f9.9183    DYNAMIC     Fa0/1
Note
If there is more than one MAC address that is seen on the FastEthernet0/1 interface, go to the PC and determine its MAC address using the ipconfig /all command.
Step 19 On the SW1 and SW2 switches, enable port security on the interfaces connecting to the PCs (FastEthernet0/1) in order to allow only the PCs to connect to the switches. You should first set up the parameters and then enable port security; otherwise, the port will be shut down due to a port security violation. Use the following port security parameters:

Violation action: Protect
Maximum MAC addresses: 1
MAC address: PC1 on SW1, PC2 on SW2

Activity Verification

Verification of this task will be done after configuration of inter-VLAN routing.
Step 1 Access the Branch router.

Step 2 Delete the startup configuration from the Branch router. Reload the router so that it boots with an empty configuration.

Step 3 Configure the hostname on the Branch router.

Step 4 Configure the enable password on the Branch router. Use the command that will store the configured password in secure encrypted form. Use cisco as the password.

Step 5 Secure console access to the router by enabling the password on the console. Use cisco as the password. Enable synchronous logging on the console to make the input of commands easier.

Step 6 Secure Telnet access to the router by enabling the password on the virtual lines. Use cisco as the password.

Step 7 Enable the GigabitEthernet0/0 interface on the Branch router. Create three subinterfaces on the interface and configure them with the following parameters:
Subinterface Identifier    VLAN Identifier     IP Address/Mask
GigabitEthernet0/0.1       1 (native VLAN)     10.1.1.1/24
GigabitEthernet0/0.10      10                  10.1.10.1/24
GigabitEthernet0/0.20      20                  10.1.20.1/24
Step 9 Configure the FastEthernet 0/13 port on the switch as a trunk. Allow only VLANs 1, 10, and 20 on the trunk link. This way, you will enable the switch to send traffic to or from all configured VLANs over the same port toward the Branch router.

Activity Verification

You have completed this task when you attain this result:

Step 1 Verify the switchport status of the FastEthernet0/13 port on the SW1 switch:
SW1# show interfaces FastEthernet0/13 switchport
Name: Fa0/13
Switchport: Enabled
Administrative Mode: trunk
Operational Mode: trunk
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: dot1q
Negotiation of Trunking: On
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)
Administrative Native VLAN tagging: enabled
Voice VLAN: none
You should see that the interface is in trunking mode.

Step 2 Verify the switchport status of the FastEthernet0/3 port on the SW1 switch:
SW1# show interfaces FastEthernet0/3 switchport
Name: Fa0/3
Switchport: Enabled
Administrative Mode: trunk
Operational Mode: trunk
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: dot1q
Negotiation of Trunking: On
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)
Administrative Native VLAN tagging: enabled
Voice VLAN: none
Step 3 Verify the trunking status of the FastEthernet0/3 port on the SW1 switch:
SW1# show interfaces FastEthernet0/3 trunk

Port        Mode             Encapsulation  Status        Native vlan
Fa0/3       on               802.1q         trunking      1

Port        Vlans allowed on trunk
Fa0/3       1,10,20

Port        Vlans allowed and active in management domain
Fa0/3       1,10,20

Port        Vlans in spanning tree forwarding state and not pruned
Fa0/3       1,10,20
You should see that the interface is in trunking mode, encapsulation is 802.1q, and VLANs 1, 10, and 20 are active and not pruned.

Step 4 Verify the trunking status of the FastEthernet0/3 port on the SW2 switch:
SW2# show interfaces FastEthernet0/3 trunk

Port        Mode             Encapsulation  Status        Native vlan
Fa0/3       on               802.1q         trunking      1

Port        Vlans allowed on trunk
Fa0/3       1,10,20

Port        Vlans allowed and active in management domain
Fa0/3       1,10,20

Port        Vlans in spanning tree forwarding state and not pruned
Fa0/3       1,10,20
You should see that the interface is in trunking mode, encapsulation is 802.1q, and VLANs 1, 10, and 20 are active and not pruned.

Step 5 On the Branch router, verify the state of the configured subinterfaces:
Branch# show ip interface brief
Interface                   IP-Address
Embedded-Service-Engine0/0  unassigned
GigabitEthernet0/0          unassigned
GigabitEthernet0/0.1        10.1.1.1
GigabitEthernet0/0.10       10.1.10.1
GigabitEthernet0/0.20       10.1.20.1
<output omitted>
You should see that the subinterfaces are configured with IP addresses and are operational.
The ping should be successful.

Step 7 Ping PC2 at 10.1.20.100 from PC1.
C:\Windows\system32> ping 10.1.20.100

Pinging 10.1.20.100 with 32 bytes of data:
Reply from 10.1.20.100: bytes=32 time=15ms TTL=127
Reply from 10.1.20.100: bytes=32 time=1ms TTL=127
Reply from 10.1.20.100: bytes=32 time=1ms TTL=127
Reply from 10.1.20.100: bytes=32 time=1ms TTL=127

Ping statistics for 10.1.20.100:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 1ms, Maximum = 15ms, Average = 4ms
Step 8 On PC1, start PuTTY by double-clicking the PuTTY icon on the desktop. Establish an SSH session to the SW1 management IP address at 10.1.1.11. Accept the fingerprint of the switches when asked. Use ccna as a username and cisco as a password in order to log in. Enter the privileged EXEC mode using the cisco password in order to verify that the enable password is properly configured.
login as: ccna
Using keyboard-interactive authentication.
Password: cisco
SW1> enable
Password: cisco
SW1#
Step 9 Verify port security information on the FastEthernet0/1 port on the SW1 switch. Use the previously established SSH session to access SW1.
SW1# show port-security interface FastEthernet0/1
Port Security              : Enabled
Port Status                : Secure-up
Violation Mode             : Protect
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 1
Total MAC Addresses        : 1
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 0
Last Source Address:Vlan   : 000c.293b.709d:10
Security Violation Count   : 0
You should see that the port is protected, the security violation is set to protect, and the last seen MAC address is PC1 in VLAN 10.
Step 10 On PC1, open another PuTTY window by double-clicking the PuTTY icon again. Establish a Telnet session to the Branch router at 10.1.10.1. Use the cisco password to log in. Enter privileged EXEC mode using the cisco password in order to verify if the enable password is properly configured.
Step 12 On PC2, start PuTTY by double-clicking the PuTTY icon on the desktop. Establish an SSH session to the SW2 management IP address at 10.1.1.12. Accept the fingerprint of the switches when asked. Use ccna as a username and cisco as a password in order to log in. Enter the privileged EXEC mode using the cisco password in order to verify if the enable password is properly configured.
login as: ccna
Using keyboard-interactive authentication.
Password: cisco
SW2> enable
Password: cisco
SW2#
Step 13 Verify port security information on the FastEthernet0/1 port on the SW2 switch. Use the previously established SSH session to access SW2.
SW2# show port-security interface FastEthernet0/1
Port Security              : Enabled
Port Status                : Secure-up
Violation Mode             : Protect
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 1
Total MAC Addresses        : 1
Configured MAC Addresses   : 1
Sticky MAC Addresses       : 0
Last Source Address:Vlan   : 000f.34f9.9183:20
Security Violation Count   : 0
You should see that port security is enabled on the port, that the violation mode is set to protect, and that the last seen MAC address is that of PC2 in VLAN 20.
Step 14 Close all SSH and Telnet sessions on PC1 and PC2.
Step 4 Create a standard ACL that will permit users on VLAN 10 and 20. This ACL will be used to specify the IP addresses that are eligible for NAT. Use 1 for the access list identifier.
Step 5 Configure NAT with PAT on the Branch router for all LAN users, which includes users on VLAN 10 and 20. Refer to the previously configured ACL. Use the IP address of the GigabitEthernet0/1 interface as the translated IP address.
Step 6 Configure a named extended ACL on the Branch router that denies all TCP and UDP traffic coming from a source port greater than 1024 and permits all other IP traffic. Apply the ACL to the GigabitEthernet0/1 interface in the inbound direction.
Note This ACL will effectively block all connection attempts from the Internet, while the returning traffic to the LAN will be allowed. With a majority of well-known applications, you can expect that the source port of traffic returning from a server will have a value that is lower than 1024. For example, returning traffic that is coming from a Telnet server will have a source port with a value of 23. On the other hand, Telnet traffic that originates from a host will have a source port greater than 1024.
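The following Python script is an added example and is not part of the lab guide. It models the three entries of the OUTSIDE ACL exactly as the student configures them (first match wins, implicit deny at the end) and evaluates constructed inbound packets against them, keeping match counters the way show ip access-lists does. The packet names and port numbers are constructed for illustration; the Telnet reply reuses the source port 1037 seen later in the translation table.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    """Minimal view of an IP packet: only the fields the lab ACL looks at."""
    proto: str          # "tcp", "udp" or "icmp"
    src_port: int = 0   # 0 for protocols without ports
    dst_port: int = 0


@dataclass(frozen=True)
class Ace:
    seq: int
    action: str                      # "permit" or "deny"
    text: str                        # IOS-style entry, kept for the hit report
    match: Callable[[Packet], bool]


# The guide's named extended ACL "OUTSIDE", in the order the student enters it.
# IOS evaluates top-down, first match wins, with an implicit deny at the end.
OUTSIDE_ACL: List[Ace] = [
    Ace(10, "deny", "deny tcp any gt 1024 any",
        lambda p: p.proto == "tcp" and p.src_port > 1024),
    Ace(20, "deny", "deny udp any gt 1024 any",
        lambda p: p.proto == "udp" and p.src_port > 1024),
    Ace(30, "permit", "permit ip any any", lambda p: True),
]


def evaluate(acl: List[Ace], pkt: Packet, hits: Dict[int, int]) -> Tuple[str, Optional[int]]:
    """Return (action, sequence number of the matching entry).

    A packet matching no entry falls to the implicit deny, reported as (deny, None).
    The hits dictionary plays the role of the match counters in show ip access-lists."""
    for ace in acl:
        if ace.match(pkt):
            hits[ace.seq] = hits.get(ace.seq, 0) + 1
            return ace.action, ace.seq
    return "deny", None


# Constructed inbound packets, as they would arrive on GigabitEthernet0/1.
INBOUND_SAMPLES: Dict[str, Packet] = {
    # HQ's Telnet client uses an ephemeral source port to open a session to Branch
    "telnet_attempt_from_hq": Packet("tcp", src_port=38012, dst_port=23),
    # The Telnet server at 172.16.1.100 answering PC1's session (source port 23)
    "telnet_reply_to_pc1": Packet("tcp", src_port=23, dst_port=1037),
    # A DNS server answering a query from the LAN (source port 53)
    "dns_reply": Packet("udp", src_port=53, dst_port=51234),
    # A legitimate reply from a server that listens on a high port (8080):
    # the filter cannot tell it from a connection attempt and drops it
    "reply_from_high_port_server": Packet("tcp", src_port=8080, dst_port=1040),
    # ICMP echo reply to a ping from the LAN: no ports, so only entry 30 can match
    "ping_reply": Packet("icmp"),
}


def run_samples() -> Tuple[Dict[str, str], Dict[int, int]]:
    """Evaluate every sample packet; return per-packet actions and the hit counters."""
    hits: Dict[int, int] = {}
    actions = {name: evaluate(OUTSIDE_ACL, pkt, hits)[0]
               for name, pkt in INBOUND_SAMPLES.items()}
    return actions, hits


def hit_report(hits: Dict[int, int]) -> List[str]:
    """Render the counters in the style of show ip access-lists."""
    return [f"{ace.seq} {ace.text} ({hits.get(ace.seq, 0)} matches)" for ace in OUTSIDE_ACL]


if __name__ == "__main__":
    actions, hits = run_samples()
    for name, action in actions.items():
        print(f"{name:32s} {action}")
    print("Extended IP access list OUTSIDE")
    for line in hit_report(hits):
        print("   ", line)
```

The fourth sample shows the limit of the approach taken in this lab: the ACL infers direction from the source port alone, so a reply from a server that listens above 1024 is dropped along with genuine connection attempts. The filter is a teaching approximation of a stateful firewall; in production the same goal is met with stateful inspection (for example, a zone-based firewall), which admits only packets belonging to connections initiated from the LAN.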
Activity Verification
You have completed this task when you attain these results:
Step 1 Verify the status of the GigabitEthernet0/1 interface on the Branch router.
Branch# show interfaces GigabitEthernet0/1
GigabitEthernet0/1 is up, line protocol is up
  Hardware is CN Gigabit Ethernet, address is fc99.47e5.2701 (bia fc99.47e5.2701)
  Internet address is 209.165.201.1/27
  MTU 1500 bytes, BW 100000 Kbit/sec, DLY 100 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Keepalive set (10 sec)
  Full Duplex, 100Mbps, media type is RJ45
You should see that the interface is operational and that it has an IP address configured.
You should see that the router has a default route that is configured, which points to the HQ router.
Step 3 Access PC1. Start PuTTY by double-clicking the PuTTY icon on the desktop. Establish a Telnet session to the server at 172.16.1.100.
HQ#
Step 4 On the HQ router, verify the user connection to the server using the show users command. Use the previously established Telnet session.
HQ# show users
    Line       User       Host(s)
*388 vty 0                idle
You should see that the Telnet session from PC1 is seen as originating from the translated IP address. The translated IP address is the IP address of the GigabitEthernet0/1 interface on the Branch router.
Step 5 Access PC2. Start PuTTY by double-clicking the PuTTY icon on the desktop. Establish a Telnet session to the server at 172.16.1.100.
HQ#
Step 6 On the HQ router, verify the user connection to the server using the show users command. Use the previously established Telnet session.
HQ# show users
    Line       User
 388 vty 0
*389 vty 1
You should also see that the Telnet session from PC2 is seen as originating from the translated IP address. The translated IP address is the IP address of the GigabitEthernet0/1 interface on the Branch router.
Step 7 Verify the translation table on the Branch router.
Branch# show ip nat translations
Pro Inside global         Inside local
tcp 209.165.201.1:1037    10.1.10.100:1037
tcp 209.165.201.1:1033    10.1.20.100:1033
You should see two PAT translations. One translation is for PC1 at 10.1.10.100, and the second is for PC2 at 10.1.20.100. Both IP addresses are translated to the same global IP address but with different source ports.
Step 8 Return to the Telnet session on PC1. Try to establish a Telnet session from the HQ router to the Branch router two or three times.
HQ# telnet 209.165.201.1
Trying 209.165.201.1 ...
% Destination unreachable; gateway or host down
HQ# telnet 209.165.201.1
Trying 209.165.201.1 ...
% Destination unreachable; gateway or host down
HQ# telnet 209.165.201.1
Trying 209.165.201.1 ...
% Destination unreachable; gateway or host down
You should not be successful because the ACL denies connections that are initiated from the Internet.
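The following Python class is an added example, not part of the lab guide, that models the PAT table shown in Step 7: one outside address (209.165.201.1) shared by every LAN host, source ports preserved when free and remapped on a collision, and returning packets mapped back by looking up the inside global socket. The third outbound flow (PC2 reusing port 1037) and the fallback port range are constructed to show the collision case; the first two replay the translations from the guide.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

Socket = Tuple[str, int]            # (IP address, port)
Key = Tuple[str, Socket]            # (protocol, inside global socket)


@dataclass
class PatTable:
    """Simplified PAT (NAT overload) table for one shared outside address.

    Outbound flows keep their source port when it is free on the outside
    address and are remapped to another port otherwise, which is the default
    IOS behaviour. Returning traffic is looked up by its inside global socket,
    so a packet with no matching entry has nowhere to go and is dropped."""
    inside_global_ip: str
    next_fallback_port: int = 1024          # constructed starting point for remapped ports
    table: Dict[Key, Socket] = field(default_factory=dict)

    def _pick_port(self, proto: str, wanted: int) -> int:
        if (proto, (self.inside_global_ip, wanted)) not in self.table:
            return wanted
        while (proto, (self.inside_global_ip, self.next_fallback_port)) in self.table:
            self.next_fallback_port += 1
        port = self.next_fallback_port
        self.next_fallback_port += 1
        return port

    def outbound(self, proto: str, inside_local: Socket) -> Socket:
        """Translate a LAN source socket, reusing an existing entry for the same flow."""
        for (p, inside_global), local in self.table.items():
            if p == proto and local == inside_local:
                return inside_global
        inside_global = (self.inside_global_ip, self._pick_port(proto, inside_local[1]))
        self.table[(proto, inside_global)] = inside_local
        return inside_global

    def inbound(self, proto: str, inside_global: Socket) -> Optional[Socket]:
        """Reverse-translate a returning packet; None means no entry, i.e. dropped."""
        return self.table.get((proto, inside_global))

    def show(self) -> List[str]:
        """Render the table in the layout of show ip nat translations."""
        rows = ["Pro Inside global        Inside local"]
        for (p, (gip, gport)), (lip, lport) in self.table.items():
            rows.append(f"{p:<3} {gip}:{gport:<14} {lip}:{lport}")
        return rows


def lab_scenario() -> PatTable:
    """Replay the two Telnet sessions from the lab, then a constructed port collision."""
    pat = PatTable("209.165.201.1")
    pat.outbound("tcp", ("10.1.10.100", 1037))   # PC1 to the server, port kept
    pat.outbound("tcp", ("10.1.20.100", 1033))   # PC2 to the server, port kept
    pat.outbound("tcp", ("10.1.20.100", 1037))   # constructed: PC2 reuses PC1's port number
    return pat


if __name__ == "__main__":
    pat = lab_scenario()
    print("\n".join(pat.show()))
    # A connection attempt aimed at the outside address itself has no table entry
    print(pat.inbound("tcp", ("209.165.201.1", 23)))
```

The last lookup illustrates why Step 8 fails even before the ACL is considered from the LAN's point of view: the HQ router's Telnet attempt is addressed to 209.165.201.1:23, which is the Branch router itself, not an inside host, so NAT never translates it. PAT hides the LAN hosts behind one address, but it does not filter traffic aimed at the router's own services; the inbound ACL from Step 6 is what actually denies that attempt.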
Step 9 Return to the Branch router console and verify the ACL hits.
Branch# show ip access-lists
Standard IP access list 1
    10 permit 10.1.10.0, wildcard bits 0.0.0.255 (4 matches)
    20 permit 10.1.20.0, wildcard bits 0.0.0.255 (1 match)
Extended IP access list OUTSIDE
    10 deny tcp any gt 1024 any (3 matches)
    20 deny udp any gt 1024 any
    30 permit ip any any (122 matches)
You should see that the ACL denied three TCP packets that came from a TCP source port greater than 1024 to the Branch router.
Step 10 Close all Telnet sessions on PC1 and PC2.
Note Changing the IP address on the HQ router will terminate your Telnet session. If the session freezes, press Ctrl-Shift-6, followed by X. This action suspends the Telnet session and returns you to the Branch router console. At the Branch router prompt, enter the disconnect command to close the frozen Telnet session permanently.
Step 4 On the Branch router, remove the NAT configuration from the GigabitEthernet0/1 interface.
Step 5 Configure the IP address on the GigabitEthernet0/1 interface of the Branch router. Use 192.168.1.1/24 for the IP address.
Step 6 Configure a loopback interface on the Branch router. Use 10 as the interface ID and 10.100.100.100/32 as the IP address. Why is it recommended to configure a loopback interface when enabling an OSPF routing protocol?
Step 7 Create the OSPF routing process on the Branch router. Use 1 as the OSPF process ID.
Step 8 Enable OSPF routing in Area 0 for the following networks:
192.168.1.0/24
10.1.1.0/24
10.1.10.0/24
10.1.20.0/24
10.100.100.100/32
Activity Verification
You have completed this task when you attain these results:
The ping should be successful.
Step 2 Verify OSPF neighbors on the Branch router.
Branch# show ip ospf neighbor
Neighbor ID     Pri   State       Address         Interface
1.1.1.1           1   FULL/DR     192.168.1.2     GigabitEthernet0/1
You should see the HQ router as the OSPF neighbor in FULL state.
You should see the 172.16.1.0/24 network as the OSPF route. The network should be accessible over the GigabitEthernet0/1 interface.
Step 4 Access PC1. Open a command prompt and ping the server at 172.16.1.100.
C:\Windows\system32> ping 172.16.1.100

Pinging 172.16.1.100 with 32 bytes of data:
Reply from 172.16.1.100: bytes=32 time=42ms TTL=254
Reply from 172.16.1.100: bytes=32 time=36ms TTL=254
Reply from 172.16.1.100: bytes=32 time=35ms TTL=254
Reply from 172.16.1.100: bytes=32 time=36ms TTL=254

Ping statistics for 172.16.1.100:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 35ms, Maximum = 42ms, Average = 37ms
Step 5 On PC1, start PuTTY by double-clicking the PuTTY icon on the desktop. Establish a Telnet session to the HQ router at 192.168.1.2.
HQ#
Step 6 On the HQ router, verify the routing table. Use the previously established Telnet session.
HQ# show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       + - replicated route, % - next hop override

Gateway of last resort is not set

      10.0.0.0/8 is variably subnetted, 4 subnets, 2 masks
O        10.1.1.0/24 [110/2] via 192.168.1.1, 00:03:33, GigabitEthernet0/1
O        10.1.10.0/24 [110/2] via 192.168.1.1, 00:03:33, GigabitEthernet0/1
O        10.1.20.0/24 [110/2] via 192.168.1.1, 00:03:33, GigabitEthernet0/1
O        10.100.100.100/32 [110/2] via 192.168.1.1, 00:00:00, GigabitEthernet0/1
<output omitted>
You should see the LAN networks accessible over the GigabitEthernet0/1 interface, with the Branch router as the next-hop router.
Step 7 Close the Telnet sessions on PC1.
Step 3 Configure subinterfaces on the GigabitEthernet0/0 interface with the following IPv6 addresses:
Subinterface Identifier   VLAN Identifier   IPv6 Address/Mask
GigabitEthernet0/0.1      1                 2001:db8:0A01:100::1/64
GigabitEthernet0/0.10     10                2001:db8:0A01:A00::1/64
GigabitEthernet0/0.20     20                2001:db8:0A01:1400::1/64
By configuring the IPv6 address on a router interface, the router starts sending router advertisements out of the interface. This enables PCs that are connected to the interface to automatically configure the IPv6 address on a network adapter and to set a default gateway.
Activity Verification
You have completed this task when you attain these results:
  MTU is 1500 bytes
  ICMP error messages limited to one every 100 milliseconds
  ICMP redirects are enabled
  ICMP unreachables are sent
  ND DAD is enabled, number of DAD attempts: 1
  ND reachable time is 30000 milliseconds (using 30000)
  ND advertised reachable time is 0 (unspecified)
  ND advertised retransmit interval is 0 (unspecified)
  ND router advertisements are sent every 200 seconds
  ND router advertisements live for 1800 seconds
  ND advertised default router preference is Medium
  Hosts use stateless autoconfig for addresses.
You should see all three subinterfaces that are enabled for IPv6. Each subinterface should have a link-local IPv6 address and one global IPv6 address. Note that the link-local IPv6 address is the same on all subinterfaces. Why is the link-local IPv6 address the same on all subinterfaces?
Step 2 Access PC1. Open a command prompt and verify the IP settings.
C:\Windows\system32> ipconfig

Windows IP Configuration

Ethernet adapter LAB:

   Connection-specific DNS Suffix  . :
   IPv6 Address. . . . . . . . . . . :
   Temporary IPv6 Address. . . . . . :
   Link-local IPv6 Address . . . . . :
   IPv4 Address. . . . . . . . . . . :
   Subnet Mask . . . . . . . . . . . :
   Default Gateway . . . . . . . . . :
You should see that the PC is configured with one global IPv6 address, one temporary IPv6 address, the link-local IPv6 address, and the default gateway. You will see a percent sign (%), followed by a number, at the end of the link-local IPv6 address and at the end of the default gateway. The number following the percent sign identifies an interface on the PC; it is not part of the IPv6 address and should be ignored when determining the IPv6 address of the default gateway. Which router IPv6 address is configured as the default gateway on the PC?
Step 3 From PC1, ping the default gateway. Use the link-local IPv6 address as the destination IPv6 address.
C:\Windows\system32> ping fe80::fe99:47ff:fee5:2700

Pinging fe80::fe99:47ff:fee5:2700 with 32 bytes of data:
Destination host unreachable.
Reply from fe80::fe99:47ff:fee5:2700: time=3ms
Reply from fe80::fe99:47ff:fee5:2700: time<1ms
Reply from fe80::fe99:47ff:fee5:2700: time<1ms

Ping statistics for fe80::fe99:47ff:fee5:2700:
    Packets: Sent = 4, Received = 3, Lost = 1 (25% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 3ms, Average = 1ms
The ping should be successful.
Step 4 From PC1, ping the directly connected interface of the Branch router. Use the global IPv6 address as the destination IPv6 address.
C:\Windows\system32> ping 2001:DB8:A01:A00::1

Pinging 2001:db8:a01:a00::1 with 32 bytes of data:
Reply from 2001:db8:a01:a00::1: time=5ms
Reply from 2001:db8:a01:a00::1: time<1ms
Reply from 2001:db8:a01:a00::1: time<1ms
Reply from 2001:db8:a01:a00::1: time<1ms

Ping statistics for 2001:db8:a01:a00::1:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 5ms, Average = 1ms
Step 5 On PC1, verify the neighbor discovery table to see mappings between IPv6 addresses and MAC addresses. Examine entries for the LAB interface.
C:\Windows\system32> netsh interface ipv6 show neighbors
<output omitted>
Interface 13: LAB

Internet Address                              Physical Address   Type
--------------------------------------------  -----------------  -----------
2001:db8:a01:a00::1                           fc-99-47-e5-27-00  Stale (Router)
fe80::19eb:7144:6b5d:3377                     00-0c-29-a8-a0-5a  Stale
fe80::fe99:47ff:fee5:2700                     fc-99-47-e5-27-00  Stale (Router)
ff02::2                                       33-33-00-00-00-02  Permanent
ff02::16                                      33-33-00-00-00-16  Permanent
ff02::1:2                                     33-33-00-01-00-02  Permanent
ff02::1:3                                     33-33-00-01-00-03  Permanent
ff02::1:ff00:1                                33-33-ff-00-00-01  Permanent
ff02::1:ff35:33c1                             33-33-ff-35-33-c1  Permanent
ff02::1:ff7f:8c5c                             33-33-ff-7f-8c-5c  Permanent
ff02::1:ffe5:2700                             33-33-ff-e5-27-00  Permanent
You should see neighbor discovery entries for the link-local and global IPv6 addresses of the Branch router that you pinged before.
Step 6 Access PC2. Open a command prompt and verify the IP settings.
C:\Windows\system32> ipconfig

Windows IP Configuration

Ethernet adapter LAB:

   Connection-specific DNS Suffix  . :
   IPv6 Address. . . . . . . . . . . :
   Temporary IPv6 Address. . . . . . :
   Link-local IPv6 Address . . . . . :
   IPv4 Address. . . . . . . . . . . :
   Subnet Mask . . . . . . . . . . . :
   Default Gateway . . . . . . . . . :
You should see that the PC is configured with one global IPv6 address, one temporary IPv6 address, the link-local IPv6 address, and the default gateway. You will see a percent sign (%), followed by a number, at the end of the link-local IPv6 address and at the end of the default gateway. The number following the percent sign identifies an interface on the PC; it is not part of the IPv6 address and should be ignored when determining the IPv6 address of the default gateway. Which router IPv6 address is configured as the default gateway on the PC?
Step 7 From PC2, ping the default gateway. Use the link-local IPv6 address as the destination IPv6 address.
C:\Windows\system32> ping fe80::fe99:47ff:fee5:2700

Pinging fe80::fe99:47ff:fee5:2700 with 32 bytes of data:
Destination host unreachable.
Reply from fe80::fe99:47ff:fee5:2700: time=4ms
Reply from fe80::fe99:47ff:fee5:2700: time<1ms
Reply from fe80::fe99:47ff:fee5:2700: time<1ms

Ping statistics for fe80::fe99:47ff:fee5:2700:
    Packets: Sent = 4, Received = 3, Lost = 1 (25% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 4ms, Average = 1ms
The ping should be successful.
Step 8 From PC2, ping the directly connected interface of the Branch router. Use the global IPv6 address as the destination IPv6 address.
C:\Windows\system32> ping 2001:DB8:A01:A00::1

Pinging 2001:db8:a01:a00::1 with 32 bytes of data:
Reply from 2001:db8:a01:a00::1: time=9ms
Reply from 2001:db8:a01:a00::1: time<1ms
Reply from 2001:db8:a01:a00::1: time<1ms
Reply from 2001:db8:a01:a00::1: time<1ms

Ping statistics for 2001:db8:a01:a00::1:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 9ms, Average = 2ms
Step 9 On PC2, verify the neighbor discovery table to see mappings between IPv6 addresses and MAC addresses. Examine entries for the LAB interface.
C:\Windows\system32> netsh interface ipv6 show neighbors
<output omitted>
Interface 13: LAB

Internet Address                              Physical Address   Type
--------------------------------------------  -----------------  -----------
2001:db8:a01:1400::1                          fc-99-47-e5-27-00  Stale (Router)
fe80::15e4:2bea:367f:8c5c                     00-0c-29-3b-70-9d  Stale
fe80::fe99:47ff:fee5:2700                     fc-99-47-e5-27-00  Stale (Router)
ff02::2                                       33-33-00-00-00-02  Permanent
ff02::16                                      33-33-00-00-00-16  Permanent
ff02::1:2                                     33-33-00-01-00-02  Permanent
ff02::1:3                                     33-33-00-01-00-03  Permanent
ff02::1:ff53:e7a0                             33-33-ff-53-e7-a0  Permanent
ff02::1:ff5d:3377                             33-33-ff-5d-33-77  Permanent
ff02::1:ff7f:8c5c                             33-33-ff-7f-8c-5c  Permanent
ff02::1:ffe5:2700                             33-33-ff-e5-27-00  Permanent
ff02::1:fffd:b766                             33-33-ff-fd-b7-66  Permanent
You should see neighbor discovery entries for the link-local and global IPv6 addresses of the Branch router that you pinged before.
Step 10 Return to the Branch router. Verify the neighbor discovery table.
Branch# show ipv6 neighbors
IPv6 Address                                Age
FE80::19EB:7144:6B5D:3377                     3
FE80::15E4:2BEA:367F:8C5C                    11
2001:DB8:A01:1400:78BD:F560:D1FD:B766         4
2001:DB8:A01:A00:191B:D8A9:E435:33C1          8
You should see two entries for each PC. One entry is for the link-local IPv6 address, and the other is for the global IPv6 address.
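The following Python functions are an added example and are not part of the lab guide. They work out by hand the addresses that appear in the neighbor tables of this task: the router's link-local address fe80::fe99:47ff:fee5:2700 is the modified EUI-64 form of the physical interface MAC fc99.47e5.2700, which is why all three subinterfaces (they share that MAC) show the same link-local address; the ff02::1:ffXX:XXXX entries are the solicited-node multicast groups for each unicast address; and the 33-33-... physical addresses are the Ethernet mapping of those IPv6 multicast groups. The functions also show that the PCs' link-local addresses are not EUI-64 based, because Windows uses randomized interface identifiers by default. The slaac_address function is a generalization not shown on the page (the lab router uses ::1, not an EUI-64 interface ID, for its global addresses).

```python
import ipaddress
import re


def parse_mac(mac: str) -> bytes:
    """Accept Cisco (fc99.47e5.2700), Windows (fc-99-47-e5-27-00) or colon notation."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac)
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return bytes.fromhex(digits)


def eui64_interface_id(mac: str) -> bytes:
    """Modified EUI-64: split the MAC, insert ff:fe, flip the U/L bit (0x02) of octet 0."""
    m = parse_mac(mac)
    return bytes([m[0] ^ 0x02]) + m[1:3] + b"\xff\xfe" + m[3:6]


def link_local_from_mac(mac: str) -> ipaddress.IPv6Address:
    """fe80::/64 followed by the modified EUI-64 interface identifier."""
    return ipaddress.IPv6Address(b"\xfe\x80" + b"\x00" * 6 + eui64_interface_id(mac))


def slaac_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """A /64 prefix learned from a router advertisement plus the EUI-64 interface ID."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("SLAAC needs a /64 prefix")
    return ipaddress.IPv6Address(net.network_address.packed[:8] + eui64_interface_id(mac))


def matches_eui64(addr: str, mac: str) -> bool:
    """True when the interface ID of addr is the modified EUI-64 of mac."""
    return ipaddress.IPv6Address(addr).packed[8:] == eui64_interface_id(mac)


def solicited_node(addr: str) -> ipaddress.IPv6Address:
    """ff02::1:ff00:0/104 with the low 24 bits of the unicast address appended."""
    low24 = ipaddress.IPv6Address(addr).packed[-3:]
    return ipaddress.IPv6Address(b"\xff\x02" + b"\x00" * 9 + b"\x01\xff" + low24)


def multicast_mac(group: str) -> str:
    """Ethernet destination for an IPv6 multicast group: 33-33 plus its low 32 bits."""
    low32 = ipaddress.IPv6Address(group).packed[-4:]
    return "-".join(f"{b:02x}" for b in b"\x33\x33" + low32)


if __name__ == "__main__":
    router_mac = "fc99.47e5.2700"           # Branch GigabitEthernet0/0, from the lab
    ll = link_local_from_mac(router_mac)
    print("router link-local      ", ll)
    print("solicited-node (LL)    ", solicited_node(str(ll)), multicast_mac(str(solicited_node(str(ll)))))
    print("solicited-node (global)", solicited_node("2001:db8:a01:a00::1"))
    print("PC1 link-local is EUI-64?",
          matches_eui64("fe80::19eb:7144:6b5d:3377", "00-0c-29-a8-a0-5a"))
```

Every solicited-node group a host joins shows up as a Permanent entry in the Windows neighbor table, so the ff02::1:ff... rows let you recover the low 24 bits of each unicast address the PC holds, including the temporary addresses that ipconfig lists.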
Step 1 Access the Branch router.
Step 2 From the Branch router, use Telnet to connect to the HQ router at 192.168.1.2 using IPv4.
Step 3 Remove the existing IPv6 address from the GigabitEthernet0/1 interface on the HQ router. Set the IPv6 address on the interface to 2001:db8:c0a8:100::2/64. Include the interface in the OSPFv3 routing protocol with Process ID 1 and Area 0. Exit the Telnet session.
Step 4 On the Branch router, configure the GigabitEthernet0/1 interface with the IPv6 address 2001:db8:c0a8:100::1/64.
Step 5 From the Branch router, ping the HQ router at 2001:db8:c0a8:100::2 to verify IPv6 connectivity between the routers.
Branch# ping 2001:db8:c0a8:100::2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2001:DB8:C0A8:100::2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 52/54/56 ms
The ping should be successful.
Step 6 From the Branch router, use Telnet to connect to the HQ router at 2001:db8:c0a8:100::2.
Branch# telnet 2001:db8:c0a8:100::2
Trying 2001:DB8:C0A8:100::2 ... Open
HQ#
You should see that the OSPFv3 process is configured and that Loopback0 and GigabitEthernet0/1 are enabled for OSPFv3.
Step 8 Close the Telnet session.
Step 9 Create an OSPFv3 process on the Branch router. Use 1 as the Process ID.
Branch(config)# ipv6 router ospf 1
Step 10 Enable the following interfaces for OSPFv3 in Area 0:
GigabitEthernet0/1
GigabitEthernet0/0.1
GigabitEthernet0/0.10
GigabitEthernet0/0.20
Branch(config)# interface GigabitEthernet0/1
Branch(config-if)# ipv6 ospf 1 area 0
Branch(config-if)#
Branch(config)# interface GigabitEthernet0/0.1
Branch(config-subif)# ipv6 ospf 1 area 0
Branch(config-if)#
Branch(config-subif)# interface GigabitEthernet0/0.10
Branch(config-subif)# ipv6 ospf 1 area 0
Branch(config-if)#
Branch(config-subif)# interface GigabitEthernet0/0.20
Branch(config-subif)# ipv6 ospf 1 area 0
You should see that OSPFv3 adjacency went up immediately after you enabled OSPFv3 on the GigabitEthernet0/1 interface:
*Dec 7 13:59:21.815: %OSPFv3-5-ADJCHG: Process 1, Nbr 0.0.0.1 on GigabitEthernet0/1 from LOADING to FULL, Loading Done
Activity Verification
You have completed this task when you attain these results:
Step 1 Verify OSPFv3 neighbors on the Branch router.
Branch# show ipv6 ospf neighbor

            OSPFv3 Router with ID (10.100.100.100) (Process ID 1)

Neighbor ID     Pri   State           Dead Time   Interface ID    Interface
0.0.0.1           1   FULL/DR         00:00:30    4               GigabitEthernet0/1
You should see the HQ router as the OSPFv3 neighbor. What is the HQ router ID?
You should see that OSPFv3 is enabled for four interfaces in Area 0. What is the Branch router ID?
You should see the 2001:DB8:AC10:100::/64 network that is learned through OSPF and with the HQ router as the next hop. This is the network where the server is located.
Step 4 Access PC1 and open a command prompt. Ping the server at 2001:db8:ac10:100::64.
C:\Windows\system32> ping 2001:db8:ac10:100::64

Pinging 2001:db8:ac10:100::64 with 32 bytes of data:
Reply from 2001:db8:ac10:100::64: time=56ms
Reply from 2001:db8:ac10:100::64: time=45ms
Reply from 2001:db8:ac10:100::64: time=46ms
Reply from 2001:db8:ac10:100::64: time=46ms

Ping statistics for 2001:db8:ac10:100::64:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 45ms, Maximum = 56ms, Average = 48ms
Step 5 On PC1, start PuTTY by double-clicking the PuTTY icon on the desktop. Establish a Telnet session to the server at 2001:DB8:AC10:100::64.
HQ#
You should see all three LANs that are learned through OSPFv3 with the Branch router as the next hop router.
Step 3 When you have a right arrow (>) symbol after the device hostname, you are in user EXEC mode. When you issued the enable command, you moved into privileged EXEC mode, which is indicated by the pound sign (#) after the hostname. Enter privileged EXEC mode by typing enable in user EXEC mode.
Switch>enable
Switch#
Step 4 When you enter the erase startup-config command within privileged EXEC mode, it is accepted and you are prompted to press Enter to confirm this action.
SwitchX#delete vlan.dat
Delete filename [vlan.dat]?
Delete flash:/vlan.dat? [confirm]
Switch#erase startup-config
Erasing the nvram filesystem will remove all configuration files! Continue? [confirm]
[OK]
Erase of nvram: complete
When you enter the reload command within privileged EXEC mode, you are asked to confirm the reload. Press Enter at that point.
Switch#reload
Proceed with reload? [confirm]
*Mar  1 00:16:18.229: %SYS-5-RELOAD: Reload requested by console. Reload Reason: Reload command.
Boot Sector Filesystem (bs) installed, fsid: 2
Base ethernet MAC Address: 00:1e:14:7c:bd:00
Xmodem file system is available.
The password-recovery mechanism is enabled.
Initializing Flash...
flashfs[0]: 549 files, 19 directories
flashfs[0]: 0 orphaned files, 0 orphaned directories
flashfs[0]: Total bytes: 32514048
flashfs[0]: Bytes used: 14942208
flashfs[0]: Bytes available: 17571840
flashfs[0]: flashfs fsck took 11 seconds.
...done Initializing Flash.
done.
Loading "flash:/c2960-lanbasek9-mz.150-1.SE3/c2960-lanbasek9-mz.150-1.SE3.bin"...
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
< output omitted >
64K bytes of flash-simulated non-volatile configuration memory.
Base ethernet MAC Address       : 00:1E:14:7C:BD:00
Motherboard assembly number     : 73-10390-04
Power supply part number        : 341-0097-02
Motherboard serial number       : FOC114131RV
Power supply serial number      : AZS113600YM
Model revision number           : D0
Motherboard revision number     : A0
Model number                    : WS-C2960-24TT-L
System serial number            : FOC1141Z8W9
Top Assembly Part Number        : 800-27221-03
Top Assembly Revision Number    : B0
Version ID                      : V03
CLEI Code Number                : COM3L00BRB
Hardware Board Revision Number  : 0x01

Switch Ports Model              SW Version            SW Image
------ ----- -----              ----------            ----------
*    1 26    WS-C2960-24TT-L    15.0(1)SE3            C2960-LANBASEK9-M

Press RETURN to get started!
Step 5 Your results should resemble the output displayed here. You should have answered No to the question (Would you like to enter the initial configuration dialog?).
--- System Configuration Dialog ---

Would you like to enter the initial configuration dialog? [yes/no]: no

Switch>
If you skipped the initial configuration dialog, there is no startup configuration present. Alternatively, you can verify that there is no configuration present by entering privileged EXEC mode and issuing the show startup-config command.
Switch>enable
Switch#show startup-config
startup-config is not present
Step 6 You can issue the show version command from either user or privileged EXEC mode. In the output here, you see that the switch is a WS-C2960-24TT-L type, the software version is 15.0(1)SE3, and there is 65536 KB (or 64 MB) of RAM. Note that your device may have different properties.
Switch#show version
Cisco IOS Software, C2960 Software (C2960-LANBASEK9-M), Version 15.0(1)SE3, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2012 by Cisco Systems, Inc.
Compiled Wed 30-May-12 14:26 by prod_rel_team

ROM: Bootstrap program is C2960 boot loader
BOOTLDR: C2960 Boot Loader (C2960-HBOOT-M) Version 12.2(44)SE6, RELEASE SOFTWARE (fc1)

Switch1 uptime is 4 hours, 31 minutes
System returned to ROM by power-on
System restarted at 09:25:53 UTC Fri Aug 17 2012
System image file is "flash:/c2960-lanbasek9-mz.150-1.SE3/c2960-lanbasek9-mz.150-1.SE3.bin"

This product contains cryptographic features and is subject to United States and local country laws governing import, export, transfer and use. Delivery of Cisco cryptographic products does not imply third-party authority to import, export, distribute or use encryption. Importers, exporters, distributors and users are responsible for compliance with U.S. and local country laws. By using this product you agree to comply with applicable laws and regulations. If you are unable to comply with U.S. and local laws, return this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

If you require further assistance please contact us by sending email to export@cisco.com.

cisco WS-C2960-24TT-L (PowerPC405) processor (revision D0) with 65536K bytes of memory.
< output omitted >
The show flash: command output here shows that the switch has 32514048 bytes (32 MB) of flash memory and that 17569280 bytes of that memory is free (16.8 MB). Note that your device may have different properties.
Switch#show flash
Directory of flash:/
    2  drwx         256   Aug 8 2012
  567  -rwx         556   Nov 21 2012
  568  -rwx        2072   Nov 21 2012

32514048 bytes total (17573376 bytes free)
Step 2 First, make sure that you are in global configuration mode.
SW1(config)#
Then enter interface configuration mode for VLAN 1 and assign it the proper IP address and network mask.
SW1(config)#interface vlan 1
SW1(config-if)#ip address 10.1.1.11 255.255.255.0
Step 5 On PC1, click the Start button, enter cmd, and press Enter. When you are presented with a command prompt window, enter ping, followed by the IP address of the VLAN 1 interface on the switch. This Layer 3 test should succeed.
Step 2 First, make sure that you are in privileged EXEC mode. Enter clock, followed by ?. Complete the configuration as displayed here.
SW1#clock ?
  set  Set the time and date
SW1#clock set ?
  hh:mm:ss  Current Time
SW1#clock set 12:57:22 ?
  <1-31>  Day of the month
  MONTH   Month of the year
SW1#clock set 12:57:22 17 ?
  MONTH  Month of the year
SW1#clock set 12:57:22 17 8 ?
% Unrecognized command
Lan_Switch_1#clock set 12:57:22 17 August ?
  <1993-2035>  Year
SW1#clock set 12:57:22 17 August 2012 ?
  <cr>
SW1#clock set 12:57:22 17 August 2012
Step 3 When you are familiar only with how a command begins, you can get help by using the ? command. It will list all commands that begin with the sequence of letters that you entered.
SW1#sh?
shell  show
SW1#show ?
  aaa                Show AAA values
  access-lists       List access lists
  aliases            Display alias commands
  archive            Archive functions
  arp                ARP table
  authentication     Shows Auth Manager registrations or sessions
  auto               Show Automation Template
  beep               Show BEEP information
  boot               show boot attributes
  buffers            Buffer pool statistics
  cable-diagnostics  Show Cable Diagnostics Results
  call-home          Show command for call home
  capability         Capability Information
  cca                CCA information
  cdp                CDP information
  cisp               Shows CISP information
  class-map          Show CPL Class Map
  clock              Display the system clock
  cluster            Cluster information
  cns                CNS agents
  configuration      Contents of Non-Volatile memory
  controllers        Interface controller status
  crypto             Encryption module
SW1#show clock?
clock
SW1#show clock
13:01:24.145 UTC Fri Aug 17 2012
Issue the exit command twice to get back to privileged EXEC mode.
SW1(config-line)#exit
SW1(config)#exit
Step 3 You must be in global configuration mode before issuing the no ip domain lookup command.
SW1>enable
SW1#configure terminal
SW1(config)#no ip domain-lookup
Step 4 Issue the exec-timeout 60 command to set the console timeout expiration timer to one hour.
SW1(config-line)#exec-timeout 60
Verify that the idle EXEC timeout is set to one hour. Use the verification command directly from line configuration mode.
SW1(config-line)#do show terminal | begin Timeouts
Timeouts:      Idle EXEC    Idle Session   Modem Answer  Session
               01:00:00        never                     none
<output omitted>
SW1(config-line)#exit
Step 5 Make sure that you are in global configuration mode and then enter line console 0 configuration mode. Last, enable synchronous logging as shown in the output here.
SW1(config)#line console 0
SW1(config-line)#logging synchronous
SW1(config-line)#exit
SW1(config)#exit
Step 6 This command copies the running configuration to the startup configuration. If you do not save the configuration, you will lose it the next time the switch is restarted.
SW1#copy running-config startup-config
If you press Enter when asked for the destination filename, the running configuration is stored as the startup configuration.
Destination filename [startup-config]?
Building configuration...
[OK]
Step 2 The output of the show interfaces FastEthernet0/1 command tells you that the interface toward PC1 is administratively down, which means that the interface was disabled by the administrator.
SW1>enable
SW1#show interfaces FastEthernet0/1
FastEthernet0/1 is administratively down, line protocol is down (disabled)
  Hardware is Fast Ethernet, address is 001e.147c.bd01 (bia 001e.147c.bd01)
  MTU 1500 bytes, BW 10000 Kbit/sec, DLY 1000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Keepalive set (10 sec)
  Auto-duplex, Auto-speed, media type is 10/100BaseTX
Enter interface configuration mode for FastEthernet 0/1 and enable the interface with the no shutdown command.
SW1(config)#interface FastEthernet 0/1
SW1(config-if)#no shutdown
Finally, verify Layer 3 connectivity between PC1 and SW1 by issuing a ping command. It should be successful.
SW1#ping 10.1.1.100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.100, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/5/9 ms
Step 4 It is important to save the configuration of SW1, because the effect of the no shutdown command would be lost if the switch were restarted, and John would again be cut off from the network.
SW1#copy running-config startup-config
Task 3: Troubleshoot Connectivity Between Switch SW1 and the Branch Router
Step 1 Because you have console logging enabled (which you can verify with the show logging command), the switch reports the message shown here. The message tells you that the interfaces of SW1 and Branch have different duplex settings: the Branch router FastEthernet0/0 interface is configured for full duplex, while interface FastEthernet0/13 on the switch is not.
Aug 21 14:39:52.112: %CDP-4-DUPLEX_MISMATCH: duplex mismatch discovered on FastEthernet0/13 (not full duplex), with Branch FastEthernet0/0 (full duplex).
Use the show interfaces FastEthernet 0/13 command to identify the duplex setting on the interface.
SW1#show interfaces FastEthernet 0/13
FastEthernet 0/13 is up, line protocol is up (connected)
  Hardware is Fast Ethernet, address is 001e.147c.bd0d (bia 001e.147c.bd0d)
  MTU 1500 bytes, BW 100000 Kbit/sec, DLY 100 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Keepalive set (10 sec)
  Half-duplex, 100Mb/s, media type is 10/100BaseTX
  input flow-control is off, output flow-control is unsupported
< output omitted >
You can also use the show ip interface brief command to verify the status of all interfaces. It shows that interface FastEthernet 0/13 is in an up/up state. This status means that even though the duplex settings are mismatched on the link, the link is still functional. The drawback is that the connection is not efficient: with half-duplex operation, data cannot be sent and received at the same time, and every collision forces a retransmission.
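When console or syslog output is forwarded to a collector, a mismatch like this can be caught without reading the console. The following added example (not from the lab guide) extracts duplex mismatch records from a constructed log sample; the sample lines, the second mismatch and the remediation helper are assumptions for illustration.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample console log, modelled on the %CDP-4-DUPLEX_MISMATCH line SW1
# reports in Step 1. Only the first line reproduces the lab message; the rest is made up.
SAMPLE_LOG = """\
Aug 21 14:39:52.112: %CDP-4-DUPLEX_MISMATCH: duplex mismatch discovered on FastEthernet0/13 (not full duplex), with Branch FastEthernet0/0 (full duplex).
Aug 21 14:40:01.500: %LINK-3-UPDOWN: Interface FastEthernet0/1, changed state to up
Aug 21 14:41:10.003: %CDP-4-DUPLEX_MISMATCH: duplex mismatch discovered on FastEthernet0/2 (not half duplex), with LabSW FastEthernet0/24 (half duplex).
"""

MISMATCH_RE = re.compile(
    r"%CDP-4-DUPLEX_MISMATCH: duplex mismatch discovered on (?P<local_if>\S+) "
    r"\((?P<local_state>[^)]*)\), with (?P<neighbor>\S+) (?P<remote_if>\S+) "
    r"\((?P<remote_state>[^)]*)\)"
)

@dataclass(frozen=True)
class DuplexMismatch:
    local_if: str
    local_duplex: str
    neighbor: str
    remote_if: str
    remote_duplex: str

def infer_local_duplex(local_state: str, remote_state: str) -> str:
    """IOS describes the local side as 'not full duplex' / 'not half duplex';
    the local setting is therefore the opposite of the neighbor's."""
    remote = remote_state.replace(" duplex", "").strip()
    if local_state.startswith("not "):
        return "half" if remote == "full" else "full"
    return local_state.replace(" duplex", "").strip()

def find_duplex_mismatches(log_text: str) -> List[DuplexMismatch]:
    """Return one record per %CDP-4-DUPLEX_MISMATCH line; other messages are ignored."""
    found = []
    for line in log_text.splitlines():
        m = MISMATCH_RE.search(line)
        if not m:
            continue
        found.append(DuplexMismatch(
            local_if=m["local_if"],
            local_duplex=infer_local_duplex(m["local_state"], m["remote_state"]),
            neighbor=m["neighbor"],
            remote_if=m["remote_if"],
            remote_duplex=m["remote_state"].replace(" duplex", "").strip(),
        ))
    return found

def remediation_command(mm: DuplexMismatch) -> str:
    """IOS interface commands that align the local port with the neighbor (assumed fix)."""
    return f"interface {mm.local_if}\n duplex {mm.remote_duplex}"
```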
SW1#show ip interface brief
Interface            IP-Address      < output omitted >    Protocol
FastEthernet0/13     unassigned      <output omitted>      up
Save your changes by copying the running configuration to the startup configuration.
SW1(config)#interface FastEthernet 0/13
SW1(config-if)#end
SW1#copy run start
Destination filename [startup-config]?
Building configuration...
[OK]
Step 3 Enter these commands on the Branch router to enter interface configuration mode, enable the interface, and provide a description:
Branch(config)#interface GigabitEthernet 0/0
Branch(config-if)#no shutdown
%LINK-3-UPDOWN: Interface GigabitEthernet0/0, changed state to down
%LINK-3-UPDOWN: Interface GigabitEthernet0/0, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/0, changed state to up
Branch(config-if)#description Link to LAN Switch
Step 4 On the Branch router, use the command no ip domain lookup in global configuration mode to disable the resolution of symbolic names.
Branch(config)#no ip domain lookup
Step 5 On the Branch router, use the command write memory to copy the configuration into NVRAM.
Branch#write memory
Step 6 The Branch router does not have a route to reach networks that are not directly connected.
Step 7 No, there is no route present for the IP address of the server.
Step 8 Enter the following command on the Branch router:
Branch#configure terminal
Branch(config)#ip route 0.0.0.0 0.0.0.0 209.165.201.2
Step 5 The default route was set by the Branch router automatically. The Branch router learned the default gateway from the DHCP server and set the next-hop IP address of the static default route to the IP address of that gateway.
Step 12 The solution that could be implemented on the Branch router to provide connectivity between PC1 and the server is NAT. With NAT, the source IP address in a packet from PC1 would be translated into the outside IP address of the Branch router. The HQ router would then know how to send a returning packet back to the Branch router, because the routers are directly connected. The destination IP address in the returning packet would then be translated back to the IP address of PC1 and the packet delivered to PC1.
You can accommodate up to six hosts at the same time using the configured NAT pool.
Step 4 Enter the following commands on the Branch router:
Branch(config)#interface GigabitEthernet0/0
Branch(config-if)#ip nat inside
Step 3 Enter the following command on the Branch router (and then answer with yes):
Branch(config)#ip nat inside source list 1 interface GigabitEthernet0/1 overload
You can accommodate approximately 64,000 hosts by overloading one IP address.
Step 4 Enter the following commands on the Branch router:
Branch(config)#exit
Branch#copy running-config startup-config
Step 5 Enter the following command sequence into the Branch router:
Branch(config)#username ccna secret cisco
Branch(config)#line console 0
Branch(config-line)#login local
Step 3 The stratum of the clock on the Branch router is 4.
Step 5 Enter the following command on the SW1 switch:
SW1(config)#ntp server 10.1.1.1
Step 7 Enter the following commands on the SW1 switch and Branch router:
SW1#copy running-config startup-config
Step 2 Define the default gateway and DNS server for the configured DHCP pool, as indicated in the output.
Branch(config)# ip dhcp pool VLAN10
Branch(dhcp-config)# default-router 10.1.10.1
Branch(dhcp-config)# dns-server 10.1.10.1
Step 10 Use the show ip dhcp binding command to verify that PC2 has obtained an IP address dynamically.
Branch# show ip dhcp binding
Bindings from all pools not associated with VRF:
IP address      Client-ID/              Lease expiration
                Hardware address/
                User name
10.1.10.2       0100.0c29.4532.be       Oct 19 2012 03:39 PM
10.1.20.2       0100.0c29.8807.34       Oct 20 2012 01:24 AM
Step 3 Configure the DHCP relay agent using the ip helper-address command on both subinterfaces, as indicated in the output:
Branch(config)# interface GigabitEthernet 0/0.10
Branch(config-subif)# ip helper-address 172.16.1.100
Branch(config-subif)# exit
Branch(config)# interface GigabitEthernet 0/0.20
Branch(config-subif)# ip helper-address 172.16.1.100
Step 5 Release the current DHCP lease using the ipconfig /release command.
SW2(config)# interface FastEthernet0/1
SW2(config-if)# switchport mode access
SW2(config-if)# switchport access vlan 20
Each router running OSPF requires a router ID. The router ID is the highest IP address configured on a loopback interface, if one exists, or otherwise the highest IP address on any other interface. Because a loopback interface is a logical interface that does not go down when a physical link fails, it is recommended to configure a loopback interface so that it supplies the OSPF router ID.
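The selection rule above, as an added example that is not part of the lab guide: the interface table is constructed (only the Loopback0 address comes from the answer key), and the comparison and the "what if this interface were gone" check are written to show why a loopback gives a stable ID.

```python
from ipaddress import IPv4Address
from typing import Dict, Optional

# Constructed interface table for the Branch router (not taken from the lab): the
# Loopback0 address is the router ID the answer key reports; the others are assumed.
BRANCH_INTERFACES: Dict[str, Optional[str]] = {
    "GigabitEthernet0/0": "10.1.10.1",
    "GigabitEthernet0/1": "209.165.201.1",
    "Loopback0": "10.100.100.100",
}

def ospf_router_id(interfaces: Dict[str, Optional[str]]) -> IPv4Address:
    """Elect the router ID by the rule described above: the highest IPv4 address on
    a loopback interface wins; if no loopback is addressed, the highest address on
    any other interface wins. Interfaces with no address (None) are ignored.
    IOS evaluates this once, when the OSPF process starts."""
    addressed = {name: IPv4Address(ip) for name, ip in interfaces.items() if ip}
    if not addressed:
        raise ValueError("no IPv4 address configured; OSPF cannot elect a router ID")
    loopbacks = [ip for name, ip in addressed.items()
                 if name.lower().startswith("loopback")]
    # "Highest" is a numeric comparison of the 32-bit address, which IPv4Address provides;
    # 209.165.201.1 therefore outranks 10.100.100.100 when no loopback is present.
    return max(loopbacks) if loopbacks else max(addressed.values())

def router_id_without(interfaces: Dict[str, Optional[str]], iface: str) -> IPv4Address:
    """Router ID the process would elect if `iface` were absent or unaddressed at start.
    With a loopback present the answer does not change when a physical interface is lost."""
    remaining = {name: ip for name, ip in interfaces.items() if name != iface}
    return ospf_router_id(remaining)
```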
Step 1 The link-local IPv6 address is the same on all subinterfaces because the link-local IPv6 address is derived from the MAC address, which is the same on all subinterfaces. All subinterfaces use the MAC address of the physical interface.
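How the router derives that link-local address from the MAC (modified EUI-64), as an added example that is not from the lab guide. It reuses the MAC shown for SW1's FastEthernet0/1 earlier in this lab purely as sample input; the subinterface names are assumed.

```python
from ipaddress import IPv6Address
from typing import Dict, Iterable

# Sample input: the MAC from the show interfaces FastEthernet0/1 output earlier in this
# lab. The subinterface names are assumed for the illustration.
SAMPLE_MAC = "001e.147c.bd01"
SUBINTERFACES = ["GigabitEthernet0/0.10", "GigabitEthernet0/0.20"]

def mac_to_link_local(mac: str) -> IPv6Address:
    """Build the modified EUI-64 link-local address (fe80::/64) from a 48-bit MAC.
    Accepts Cisco dotted (001e.147c.bd01), colon and dash notations."""
    digits = mac.lower().replace(":", "").replace("-", "").replace(".", "")
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    octets = bytes.fromhex(digits)
    # 1. split the MAC into its OUI and device halves,
    # 2. insert ff:fe between them to reach 64 bits,
    # 3. invert the universal/local bit (bit 1 of the first octet).
    first = octets[0] ^ 0x02
    iid = bytes([first]) + octets[1:3] + b"\xff\xfe" + octets[3:6]
    return IPv6Address(b"\xfe\x80" + b"\x00" * 6 + iid)

def subinterface_link_locals(physical_mac: str, subinterfaces: Iterable[str]) -> Dict[str, IPv6Address]:
    """Every subinterface inherits the physical interface's MAC, so each entry
    resolves to the same link-local address (the point made in Step 1)."""
    return {name: mac_to_link_local(physical_mac) for name in subinterfaces}
```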
Step 2 The default gateway on the PC is the link-local IPv6 address of the router on the directly connected interface (GigabitEthernet0/0.10).
Step 6 The default gateway on the PC is the link-local IPv6 address of the router on the directly connected interface (GigabitEthernet0/0.20).
Step 1 The HQ router ID is 0.0.0.1. OSPFv3 uses an IPv4 address-like format of the router ID.
Step 2 The Branch router ID is 10.100.100.100, which is the IPv4 address on the Loopback0 interface. OSPFv3 uses the same mechanisms as OSPF to determine the router ID.