Icnd110 LG Secured

ICND1
Interconnecting Cisco
Networking Devices
Part 1
Version 1.0

Lab Guide

Editorial, Production, and Web Services: 07.25.07

The PDF files and any printed representation for this material are the property of Cisco Systems, Inc.,
for the sole use by Cisco employees for personal study. The files or printed representations may not be
used in commercial training, and may not be distributed for purposes other than individual self-study.

DISCLAIMER WARRANTY: THIS CONTENT IS BEING PROVIDED AS IS. CISCO MAKES AND YOU RECEIVE NO WARRANTIES IN
CONNECTION WITH THE CONTENT PROVIDED HEREUNDER, EXPRESS, IMPLIED, STATUTORY OR IN ANY OTHER PROVISION OF
THIS CONTENT OR COMMUNICATION BETWEEN CISCO AND YOU. CISCO SPECIFICALLY DISCLAIMS ALL IMPLIED
WARRANTIES, INCLUDING WARRANTIES OF MERCHANTABILITY, NON-INFRINGEMENT AND FITNESS FOR A PARTICULAR
PURPOSE, OR ARISING FROM A COURSE OF DEALING, USAGE OR TRADE PRACTICE. This learning product may contain early release
content, and while Cisco believes it to be accurate, it falls subject to the disclaimer above.

Table of Contents
Lab Guide 1
Overview 1
Outline 1
Lab 1-1: Using Windows Applications as Network Tools 3
Activity Objective 3
Visual Objective 3
Required Resources 3
Command List 4
Job Aids 4
Task 1: Obtain the Current IP Address Information 4
Task 2: View the Network Properties of the PC Ethernet Adapter 6
Task 3: Test Connectivity to the Default Gateway Router 8
Task 4: View the ARP Bindings of IP Address to MAC Address 9
Lab 1-2: Observing the TCP Three-Way Handshake 10
Visual Objective 10
Command List 11
Job Aids 11
Task 1: Prepare the Sniffer Software to Capture a TCP Flow 11
Task 2: Generate the TCP Flow to Be Captured 13
Task 3: Inspect the TCP Initialization Sequence 16
Lab 1-3: Observing Extended PC Network Information 19
Visual Objective 19
Command List 20
Job Aids 20
Task 1: Obtain the Full Current IP Addressing Information 20
Task 2: Test Connectivity to the DNS Server 21
Task 3: Tracing Connectivity to the DNS Server 22
Lab 2-1: Connecting to Remote Lab Equipment 24
Visual Objective 24
Command List 25
Job Aid 25
Task 1: Connect to Remote Console Server 26
Task 2: Connect to Remote VPN Router 30
Lab 2-2: Performing Switch Startup and Initial Configuration 34
Visual Objective 34
Command List 34
Job Aids 35
Task 1: Connect to Your Assigned Workgroup Switch 36
Task 2: Verify That Switch Is Unconfigured and Reload 37
Task 3: Use System Configuration Dialog to Produce an Initial Configuration 41
Task 4: Add Default Gateway to Initial Configuration 45
Lab 2-3: Enhancing the Security of Initial Switch Configuration 46
Visual Objective 46
Command List 47
Job Aids 49
Task 1: Add Password Protection to Console Port and Vty Lines 49
Task 2: Activate Password Encryption Service 51
Task 3: Apply a Login Banner 52
ii Interconnecting Cisco Networking Devices Part 1 (ICND1) v1.0 2007 Cisco Systems, Inc.
Task 4: Enable SSH Protocol for Remote Management 53
Task 5: Configure Port Security on a Switch 56
Task 6: Disable Unused Ports and Place All Ports in Access Mode 60
Lab 2-4: Operating and Configuring a Cisco IOS Device 62
Visual Objective 62
Command List 63
Job Aids 64
Task 1: Explore Context-Sensitive Help 64
Task 2: Edit an Incorrect Command 65
Task 3: Improve the Usability of the CLI 66
Lab 4-1: Converting Decimal to Binary and Binary to Decimal 68
Visual Objective 68
Command List 68
Job Aids 68
Activity Preparation 69
Task 1: Convert from Decimal Notation to Binary Format 69
Task 2: Convert from Binary Notation to Decimal Format 69
Lab 4-2: Classifying Network Addressing 70
Visual Objective 70
Command List 70
Job Aids 70
Task 1: Convert from Decimal IP Address to Binary Format 71
Task 2: Convert from Binary Format to Decimal IP Address 72
Task 3: Identify IP Address Classes 73
Task 4: Identify Valid and Invalid Host IP Addresses 73
Lab 4-3: Computing Usable Subnetworks and Hosts 74
Visual Objective 74
Command List 74
Job Aids 74
Task 1: Determine the Number of Bits Required to Subnet a Class C Network 75
Task 2: Determine the Number of Bits Required to Subnet a Class B Network 75
Task 3: Determine the Number of Bits Required to Subnet a Class A Network 76
Lab 4-4: Calculating Subnet Masks 77
Visual Objective 77
Command List 77
Job Aids 78
Task 1: Determine the Number of Possible Network Addresses 78
Task 2: Given a Network Address, Define Subnets 78
Task 3: Given Another Network Address, Define Subnets 79
Task 4: Given a Network Address and Classful Address, Define Subnets 80
Task 5: Given a Network Block and Classful Address, Define Subnets 81
Lab 4-5: Performing Initial Router Startup 85
Visual Objective 85
Command List 85
2007 Cisco Systems, Inc. Interconnecting Cisco Networking Devices Part 1 (ICND1) v1.0 iii
Job Aids 86
Task 1: Remove Any Residual Configuration from Your Router 86
Task 2: Reload the Router and Observe the Startup Output 87
Lab 4-6: Performing Initial Router Configuration 90
Visual Objective 90
Command List 90
Job Aids 91
Task 1: Enter the Initial Configuration Using the setup Command 91
Task 2: Validate the Router Configuration 95
Lab 4-7: Enhancing the Security of Initial Router Configuration 96
Visual Objective 96
Command List 97
Job Aids 98
Task 1: Add Password Protection to Console Port 98
Task 2: Activate Password Encryption Service 100
Task 3: Apply a Login Banner 101
Task 4: Enable SSH Protocol for Remote Management 102
Lab 4-8: Using Cisco SDM to Configure DHCP Server Function 105
Visual Objective 105
Command List 106
Job Aids 106
Task 1: Configuring the Router to Support Web-Based Applications, a User with Privilege 15,
and Telnet and SSH 107
Task 2: Use Cisco SDM to Configure a DHCP Pool 108
Task 2: Using Tools to Correlate Network Information 112
Lab 4-9: Managing Remote Access Sessions 114
Command List 114
Job Aids 115
Task 1: Improve the Usability of the Router CLI 115
Task 2: Connect to Your Remote Workgroup via VPN Tunnel 117
Task 3: Using the Cisco IOS CLI Commands to Control Telnet and SSH Sessions 118
Lab 5-1: Connecting to the Internet 123
Command List 124
Job Aids 124
Task 1: Use Cisco SDM to Configure the Ethernet Connection to the Internet 124
Task 2: Use the CLI to Verify and Observe the Operation of PAT on Your Workgroup Router 130
Lab 5-2: Connecting to the Main Office 133
Command List 134
Job Aids 134
Task 1: Configure Your Workgroup Router Serial 0/0/0 135
Task 2: Test Connectivity to Your Assigned Remote Network 136
Task 3: Add a Static Route Entry for Your Remote Network 137
iv Interconnecting Cisco Networking Devices Part 1 (ICND1) v1.0 2007 Cisco Systems, Inc.
Lab 5-3: Enabling Dynamic Routing to the Main Office 139
Command List 140
Job Aids 140
Task 1: Configure RIP Routing Protocol on Your Workgroup Router 140
Task 2: Replace the Existing Static Route and Test Connectivity 142
Lab 6-1: Using Cisco Discovery Protocol 144
Command List 145
Job Aids 145
Task 1: Use and Control Cisco Discovery Protocol on Your Workgroup Router 145
Task 2: Use and Control Cisco Discovery Protocol on Your Workgroup Switch 148
Lab 6-2: Managing Router Startup Options 150
Command List 151
Job Aids 151
Task 1: Modify the Configuration Register 151
Task 2: Observe the Flash File System and Add Boot System Commands 154
Lab 6-3: Managing Cisco Devices 157
Command List 158
Job Aids 159
Task 1: Copy Configuration Files 159
Task 2: Use debug Commands 162
Lab 6-4: Confirming the Reconfiguration of the Branch Network 165
Command Lists 166
Job Aids 166
Task 1: Connect to the Remote Lab 170
Task 2: Prepare to Verify Your Configuration 170
Task 3: Verify Your Configuration 171
Answer Key 173
Lab 2-2 Answer Key: Performing Switch Startup and Initial Configuration 173
Lab 2-3 Answer Key: Enhancing the Security of Initial Switch Configuration 175
Lab 2-4 Answer Key: Operating and Configuring a Cisco IOS Device 179
Lab 4-1 Answer Key: Converting Decimal to Binary and Binary to Decimal 183
Task 1: Convert from Decimal Notation to Binary Format 183
Task 2: Convert from Binary Notation to Decimal Format 183
Lab 4-2 Answer Key: Classifying Network Addressing 184
Task 1: Convert from Decimal IP Address to Binary Format 184
Task 2: Convert from Binary Format to Decimal IP Address 185
Task 3: Identify IP Address Classes 186
Task 4: Identify Valid and Invalid Host IP Addresses 186
Lab 4-3 Answer Key: Computing Usable Subnetworks and Hosts 187
Task 1: Determine the Number of Bits Required to Subnet a Class C Network 187
Task 2: Determine the Number of Bits Required to Subnet a Class B Network 187
Task 3: Determine the Number of Bits Required to Subnet a Class A Network 187
Lab 4-4: Answer Key 188
Task 1: Determine the Number of Possible Network Addresses 188
Task 2: Given a Network Block, Define Subnets 188
2007 Cisco Systems, Inc. Interconnecting Cisco Networking Devices Part 1 (ICND1) v1.0 v
Task 3: Given Another Network Block, Define Subnets 189
Lab 4-5 Answer Key: Performing Initial Router Startup 194
Lab 4-6 Answer Key: Performing Initial Router Configuration 197
Lab 4-7 Answer Key: Enhancing the Security of Initial Router Configuration 199
Lab 4-8 Answer Key: Using Cisco SDM to Configure DHCP Server Function 201
Lab 4-9 Answer Key: Managing Remote Access Sessions 204
Lab 5-1 Answer Key: Connecting to the Internet 207
Lab 5-2 Answer Key: Connecting to the Main Office 210
Lab 5-3 Answer Key: Enabling Dynamic Routing to the Main Office 213
Lab 6-1 Answer Key: Using Cisco Discovery Protocol 216
Lab 6-2 Answer Key: Managing Router Startup Options 223
Lab 6-3 Answer Key: Managing Cisco Devices 226
Lab 6-4 Answer Key: Confirming the Reconfiguration of the Branch Network 227

vi Interconnecting Cisco Networking Devices Part 1 (ICND1) v1.0 2007 Cisco Systems, Inc.

ICND1
Lab Guide
Overview
This guide presents instructions and other information concerning the lab activities for this
course. You can find the solutions in the lab activity Answer Key.
Outline
This guide includes these activities:
Lab 1-1: Using Windows Applications as Network Tools
Lab 1-2: Observing the TCP Three-Way Handshake
Lab 1-3: Observing Extended PC Network Information
Lab 2-1: Connecting to Remote Lab Equipment
Lab 2-2: Performing Switch Startup and Initial Configuration
Lab 2-3: Enhancing the Security of Initial Switch Configuration
Lab 2-4: Operating and Configuring a Cisco IOS Device
Lab 4-1: Converting Decimal to Binary and Binary to Decimal
Lab 4-2: Classifying Network Addressing
Lab 4-3: Computing Usable Subnetworks and Hosts
Lab 4-4: Calculating Subnet Masks
Lab 4-5: Performing Initial Router Startup
Lab 4-6: Performing Initial Router Configuration
Lab 4-7: Enhancing the Security of Initial Router Configuration
Lab 4-8: Using Cisco SDM to Configure DHCP Server Function
Lab 4-9: Managing Remote Access Sessions
Lab 5-1: Connecting to the Internet
Lab 5-2: Connecting to the Main Office
Lab 5-3: Enabling Dynamic Routing to the Main Office
2 Interconnecting Cisco Networking Devices Part 1 (ICND1) v1.0 2007 Cisco Systems, Inc.
Lab 6-1: Using Cisco Discovery Protocol
Lab 6-2: Managing Router Startup Options
Lab 6-3: Managing Cisco Devices
Lab 6-4: Confirming the Reconfiguration of the Branch Network
Answer Key
2007 Cisco Systems, Inc. Lab Guide 3
Lab 1-1: Using Windows Applications as Network
Tools
Complete this lab activity to practice what you learned in the related module.
Activity Objective
In this activity, you will be able to use Windows applications and commands to investigate the
IP configuration of your PC, and your local network. After completing this activity, you will be
able to meet these objectives:
Using the Windows command ipconfig, determine the current network addressing
information of a PC.
Using the Windows command ping, determine test connectivity to the default gateway
router.
Using the Windows command arp a, view the ARP table of the local PC and determine
the association between the IP address and the MAC address of the default-gateway
Visual Objective
The figure illustrates what you will accomplish in this activity.
2007 Cisco Systems, Inc. All rights reserved. ICND1 v1.03
Visual Objective for Lab 1-1
Using Windows Applications as Network Tools

Required Resources
These are the resources and equipment that are required to complete this activity:
A PC connected to a functioning network, with connectivity to the Internet
Command List
The table describes the commands that are used in this activity.
Windows Commands
Command Description
arp -a This command with the a parameter obtains the output of
the ARP table. It should be remembered that the entries to
the ARP table are removed after 5 minutes of inactivity.
ipconfig This command outputs the current IP address, network
mask, and default gateway IP address.
ping ping (-t)
Job Aids
These job aids are available to help you complete the lab activity.
There are no job aids for this lab.
Task 1: Obtain the Current IP Address Information
In order to obtain the current IP address information, it is necessary to use the Windows
ipconfig command. To access Windows commands it is necessary to open a Command
window.
Activity Procedure
Complete these steps:
Step 1 From the Windows desktop, click start.
Step 2 Choose run, and enter cmd in the Run window dialog box. Click OK to continue.
Step 3 From the Command window prompt, enter ipconfig. It is not necessary to capitalize
the command.
Step 4 Your output should resemble one of the four examples below.

Nonworking example 1: The output indicates no connectivity; probably the Ethernet cable is
not physically connected.

C:\Documents and Settings>ipconfig

Windows IP Configuration

Ethernet adapter Local Area Connection:

Media State . . . . . . . . . . . : Media disconnected

Nonworking example 2: The output indicates the PC is waiting to obtain its IP address
information automatically. This will be a transient output; it will either successfully get an
address or retry the ipconfig command periodically until it changes to one of the remaining
examples below.




Connection-specific DNS Suffix . :
IP Address. . . . . . . . . . . . : 0.0.0.0
Subnet Mask . . . . . . . . . . . : 0.0.0.0
Default Gateway . . . . . . . . . :

Nonworking example 3: The output indicates the PC network adapter was unable to obtain an
IP address automatically, so the PC will use a generated link local address. Getting an address
may seem like success, but it really indicates that there is no connectivity to an IP address
server. This address will not be useful for network connectivity. If you see an IP address
beginning with 169.254.x.x, you do not have a valid address.




Connection-specific DNS Suffix . :
Autoconfiguration IP Address. . . : 169.254.249.221
Subnet Mask . . . . . . . . . . . : 255.255.0.0
Default Gateway . . . . . . . . . :

Working example 1: The output indicates that the PC either has a preconfigured IP address or
it successfully obtained its IP address automatically. Your IP address, subnet mask, or default
gateway will most likely be different than what is shown.




Connection-specific DNS Suffix . : cisco.com
IP Address. . . . . . . . . . . . : 192.168.1.105
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.1.1

Step 1 If you have a problem, ask your instructor for assistance. Continue only if you have
a valid IP address.
Step 2 Write the values you obtained from the ipconfig command in the spaces below, as
you will be using them in later tasks:
PC IP address
IP default gateway address

Activity Verification
You have completed this task when you attain this result:
You obtained valid IP address information from the ipconfig command.
Task 2: View the Network Properties of the PC Ethernet
Adapter
Use the Windows operating system Network Properties dialog window. In this task you will
only view the configuration, but the same process would be followed should it be necessary to
modify or supply new IP network address values.
Activity Procedure
Step 1 From the Windows desktop, click the Local Area Connection shortcut on your
desktop.

Step 2 From the Local Area Connection status window, click the Properties button.

Step 3 At the Local Area Connection Properties window scroll down to the bottom and left-
click the Internet Protocol(TCP/IP) to highlight it. Then click the Properties
button.

Step 4 At the Internet Protocol (TCP/IP) Properties window, you might find the Obtain an
IP Address Automatically radio button already set, with all the fields blank, as
shown below.

Step 5 Alternatively, you might see the Use the Following IP Address radio button chosen,
and the fields configured with IP address information matching the output you
obtained from the ipconfig command.
Note Below is an example only. Do not change your settings.

Step 6 Close all the dialog boxes and return to the Windows desktop.
You have completed this task when you attain these results:
You used the Windows TCP/IP properties to view the current configuration for the local
area connection.
The values set in the TCP/IP properties were consistent with the information you obtained
using the ipconfig command.
Task 3: Test Connectivity to the Default Gateway Router
Using the Windows command ping allows you to test the connectivity of the network. Its
output demonstrates success or failure and gives an indication of the round-trip time taken.
Activity Procedure
Step 1 From the Command window prompt, enter ping followed by the address of your
default gateway that you obtained in Task 1.
Step 2 The first example below is an unsuccessful ping. Should you get this output you
should ask your instructor for assistance.
Nonworking example: The output indicates that no reply was received from the target IP
address.
C:\Documents and Settings>ping 192.168.1.1

Pinging 192.168.1.1 with 32 bytes of data:

Request timed out.
Request timed out.
Request timed out.
Request timed out.

Ping statistics for 192.168.1.1:
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

Working example: This indicates successful receipt of replies from the target IP address.


Reply from 192.168.1.1: bytes=32 time<1ms TTL=255

Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms

Step 3 Notice that by default the Windows command sends four ping packets (ICMP echo
requests).
You used the Windows ping command to test the connectivity to your default gateway
router.
The round trip time should be very low.
Task 4: View the ARP Bindings of IP Address to MAC Address
The Windows command arp a allows you to view the binding of the logical IP address and
the physical MAC address.
Activity Procedure
Step 1 From the Command window prompt, enter arp a. It is necessary to use the a
parameter to get the output of the ARP table.
C:\Documents and Settings>arp -a

Interface: 192.168.1.125 --- 0x2
Internet Address Physical Address Type
192.168.1.1 00-00-0c-07-ac-04 dynamic

Step 2 Your output should resemble the output in Step 1. If you did not get any values, it
may be that the ARP table has timed-out the entry and you need to repeat Step 1 of
the previous task.
Step 3 Close your open Command window by typing exit at the prompt.
You were able to view the binding of the IP address to the MAC address.
Lab 1-2: Observing the TCP Three-Way
Handshake
Activity Objective
In this activity, you will use a packet sniffer software application to view the TCP initial
three-way handshake. After completing this activity, you will be able to meet these objectives:
Start the packet sniffer software application, to monitor the appropriate Ethernet interface
for recording the packet flow
Generate a TCP connection using a web browser
Observe the initial packets of the TCP flow, especially the SYN packet, SYN ACK packet,
and finally the ACK packet
Visual Objective
Observing the TCP Three-Way Handshake

Required Resources
A PC with access to the Internet
The Wireshark packet sniffer Windows application
Student Guide Module 1, Lesson 1
Command List
The table describes the applications that are used in this activity.
PC Applications
Windows Application Description
Internet Explorer Web browser, provides access to rich media content.
Wireshark A packet sniffer application.

Caution Installing and or using a packet sniffer application may be considered a breach of an
organizations security policy, leading to serious legal and financial consequences. It is
recommended that before downloading, installing, or running such an application, you obtain
permission to do so.
Job Aids
Task 1: Prepare the Sniffer Software to Capture a TCP Flow
In this task you will open the Wireshark application and apply the packet capture to your active
Ethernet interface.
Activity Procedure
Step 1 Open the Wireshark application by double-clicking its icon, which should be visible on your
desktop.

Step 2 Choose Capture, then choose Interfaces from the drop-down menu.

Step 3 Choose your local network Ethernet interface adapter. If this process is unclear, ask your
instructor for assistance. Click the Start button associated with the chosen interface. Make a
note of the IP address associated with your chosen Ethernet adapter, because it will be the
source IP address you will look for when examining captured packets.
Note your IP address here: _______________________________

Step 4 The capture windows will now be active.

Step 5 You will look more closely at the capture windows after you have captured the TCP flow.
Step 6 You may see some packets filling up the uppermost window. This will depend on the level of
background activity on the network you are attached to.
You have an open packet-capture window, associated with the Ethernet interface connected
to your default router.
Task 2: Generate the TCP Flow to Be Captured
You will use a web browser (Internet Explorer) to connect to a web server. The actual web
server chosen is not really important. The HTTP data that is used to carry web page text and
graphics uses TCP transport for reliability. The alternative best-effort protocol, you will recall,
would be UDP. All you are interested in is the initial exchange done by TCP to set up the
connection.
Activity Procedure
Step 1 At the PC desktop double-click the Internet Explorer icon to launch the web
browser.
Step 2 Enter the destination name or address. Your instructor may provide you with a name
or address different from www.cisco.com. If so, write down this information in
the space provided: ___________________________________________________

Step 3 Return to the already open Wireshark application and choose Capture > Stop from
the drop-down menu.

Step 4 If you have many TCP packets that are unrelated to your TCP connection, you may
need to use the filter capability of Wireshark.
Step 5 To use a preconfigured filter, click the Analyze tab. Then click Display Filters.
Step 6 In the Wireshark: Display Filter window, click TCP only then click the OK
button.

Step 7 In the top window of the Wireshark application, use the scroll bar to place the first
captured TCP packet at the top of the window. This should be the first packet in the
flow.

Step 8 Observe the Info column of the captured packets in the top window; look for three
packets similar to those shown below. Two groups of three packets are shown
highlighted as an example.

Step 9 Note the first packet number in the sequence you have identified in your capture
window. There is no need to find more than one sequence of packets. In the example
above, packet 1 and packet 12 both begin a sequence. You will observe the contents
of these packets in detail in the next task.
Write down the packet number of first packet in TCP sequence in the space provided:
________________________________________________________________________

Step 10 If necessary, return to Step 4 in this task.
You have identified that you have captured the packet sequence described in Step 8.
You have noted the first packet in the sequence to be inspected in detail.
Task 3: Inspect the TCP Initialization Sequence
You will use the Packet Details window of the Wireshark application to view the TCP
parameters exchanged during the initial startup sequence, often referred to as the three-way
handshake.
Activity Procedure
Step 1 In the top window of the Wireshark application click (anywhere) on the line
containing the first packet identified in the previous task. This will highlight the line
and make the two lower windows fill with the decoded information from that packet.
Step 2 In the example that follows. the Wireshark windows were adjusted to allow the
information to be viewed in a compact size. The middle window contains the
detailed decoding of the packet.
Step 3 Clicking the + icon on the left side will expand the view of the TCP information.
The view can be contracted by clicking the icon.

Step 4 Notice in this example that the (forward) sequence number is set to zero, and the
SYN bit is 1 (set) in the Flags field.
Step 5 Click the next packet in the sequence (top window) and the detailed information will
change to match the new values.

Step 6 Notice in the reply packet that the (backward) sequence number is set to 0, and that
the acknowledgment number appears and is set to 1. Also in the Flags field, the
acknowledgment bit and the SYN bit are 1 (set).
Step 7 Click the next packet in the sequence (top window) and the detailed information will
change to match the new values.

Step 8 In the third and final packet in the exchange, notice that the (forward) sequence
number is now set to 1, the acknowledgment number is set to 1, and in the Flags
field, only the acknowledgment bit is 1 (set). At this point, the TCP connection is
said to be established, as both ends have synchronized their sequence and
acknowledgment numbers, as well as other parameters not discussed.
Step 9 Close the Wireshark application and all other open windows.
You have selected and decoded your three identified captured packets, and the values
match those shown and discussed in the examples within the task.

Lab 1-3: Observing Extended PC Network
Information
Activity Objective
In this activity, you will use PC tools to gather network-related information. After completing
this activity, you will be able to meet these objectives:
Using the Windows command ipconfig /all, determine IP addresses of the DNS servers
available to your PC
Using the IP address of one of the DNS servers from Task 1, test connectivity to the DNS
servers using the Windows ping command
Using the Windows command tracert /d, obtain the IP addresses of the routers traversed to
reach the DNS server tested in Task 2
Visual Objective
Observing Extended PC Network Information

Required Resources
A PC connected to a functioning network, with connectivity to the Internet
Command List
Windows Commands
Command Description
ipconfig /all This command outputs all the current IP network
information.
ping ping (-t)
tracert /d <ip Address> Displays the IP address of the router at each hop as a
packet traverses the network towards the destination IP
address.
Job Aids
Task 1: Obtain the Full Current IP Addressing Information
In order to obtain the full current IP address information on your PC, it is necessary to use the
Windows ipconfig /all command. To access Windows commands it is necessary to open a
Command window.
Activity Procedure
Step 1 From the Windows desktop, click start.
Step 2 Choose run, and enter cmd in the run window dialog box; click OK to continue.
Step 3 From the Command window prompt, enter ipconfig /all. It is necessary to add the
/all to get the full output.

Step 4 You will see from your own output that some extra, useful information is now
visible.
Step 5 Note the IP address of the first DNS server from the output of the prior step in the
space provided.
_________________________________________________________________
You have obtained the IP address of a DNS server from the output of the ipconfig /all
command on your PC.
Task 2: Test Connectivity to the DNS Server
In this task you will use the ping command to test the connectivity that you noted in the
previous task.
Activity Procedure
Step 1 From the Command window prompt, enter ping <DNS IP Address>. Your output
should be similar to the example below (which uses a fictitious IP address).

Step 2 A successful ping indicates both that the packets are being received and that the
return packets are being routed back to your PC successfully.
Step 3 The implications of an unsuccessful ping sequence require more investigation. If
you assume the ping attempts were unsuccessful, then the next step would be to try
to see where in the network the problem was occurring.
You have used the Windows ping command to successfully test connectivity to the IP
address of the DNS server you noted in Task 1.
Task 3: Tracing Connectivity to the DNS Server
In this task you will use the tracert /d command to trace the path to your DNS server that you
noted in the previous task. The /d parameter in the command stops the attempt to use DNS to
look up the IP addresses discovered along the path and put them in the output. In this scenario,
DNS is not working, so attempting a lookup would waste time. You will use tracert without /d
to see what the output would look like when DNS is able to resolve the some or all of the IP
addresses.
Activity Procedure
Step 1 Below is an example of an unsuccessful trace attempt to the DNS server. The
sequence would have continued until 30 hops had been tried. You will see that ^C
<ctrl-C> was used to terminate the command earlier than the default number.

Step 2 From the Command window prompt, enter tracert /d <DNS IP Address>. Your
output should be similar to the example below (which uses fictitious IP addresses).

Step 3 Now that you have seen that the route to the DNS server is working, use the
command without the /d parameter to see what the output looks like when symbolic
names are available. Your output should be similar to the example below (which
uses fictitious IP addresses).

Step 4 Close the Command window by clicking the X button in the top right corner.
You have used the tracert /d command on your PC to suppress DNS lookup during the
trace to the destination address.
You have used the tracert command without the /d parameter on your PC to display the
symbolic names associated with specific IP addresses discovered during the trace to the
destination address.

Lab 2-1: Connecting to Remote Lab Equipment
Complete this lab activity to test the connectivity in your pod and to practice the methods for
both connection to the console server and connecting using the VPN client.
Activity Objective
In this activity, you will begin preparations for subsequent labs by testing and practicing the
connectivity for your assigned workgroup equipment, which you will use for the remaining lab
practice exercises in the course. After completing this activity, you will be able to meet these
objectives:
Connect to your assigned workgroup equipment using a console (terminal) server so that
switches and routers may be configured via the console ports.
Connect to your assigned workgroup equipment using the VPN client software so your PC
will be connected through an interface on your workgroup switch. This will allow the
configuration of your workgroup router using Cisco Router and Security Device Manager
(SDM).
Visual Objective
The figures illustrate what you will accomplish in this activity.
Connecting to Remote Lab Equipment

Your lab equipment is located remotely and will be accessed in two distinct ways.
The first method is by connecting using SSH connectivity. This provides access to a console
server (also known as a terminal server). The console server has serial connections to the
console ports of the Cisco switches and routers used in the labs. This first method sends packets
across the Internet. In these packets, the data is individually protected by encryption.
The second method is by connecting using a VPN. This provides access via a VPN router to the
same network that your workgroup switch is connected to. This second method sends packets
via an encrypted tunnel across the Internet.
Required Resources
These are the resources and equipment required to complete this activity:
Lab topology configured for the this course
Student pod consisting of one Cisco Catalyst 2960 switch and one Cisco 2811 router (or
functionally equivalent Cisco devices)
Classroom reference materials as follows:
Lab Guide
Student PC or workstation with SSH and VPN client access to workstation pod devices
Command List
The table describes the applications and command used in this activity.
PC Application
Windows Applications Description
Putty SSH Client Terminal emulation application which supports SSH protocol
Cisco VPN Client VPN client software application
Windows Command
ipconfig /all Command that outputs all the current IP network information
Job Aid
This job aid is available to help you complete the lab activity:
Fill in this table of class-dependent network and connection information, using the values
provided by your instructor.
Table 1: Network and Connection Information
Information Instructor-Assigned Value
Your assigned workgroup (letter)
IP address of the console server
Username and password for SSH
IP address of the VPN-RTR (if different from above)
VPN Client Connection Entry name
Username and Password for VPN (if different from
SSH)

SSH terminal emulation application

Table 2: TFTP Server IP Address Information
Workgroup TFTP Server IP
Address
Address
A 10.2.2.1 E 10.6.6.1
B 10.3.3.1 F 10.7.7.1
C 10.4.4.1 G 10.8.8.1
D 10.5.5.1 H 10.9.9.1
Task 1: Connect to Remote Console Server
In this task you will use an SSH-capable terminal emulation application. This terminal emulator
will enable you to configure and control the Cisco remote network devices via their console
port.

Activity Procedure
Step 1 From the desktop of your PC, double-click the icon of the terminal emulator. In the
example, PuTTY is being used.
Step 2 Ensure that the SSH radio button is selected. Enter the IP address of the console
server in the Host Name field and click Open.

Step 3 Enter the SSH login name and password at the prompts, using those you have noted
in Table 1. You may see a PuTTY security warning if PuTTY does not have the host
key cached; answer Yes to proceed.

Step 4 A banner message followed by a table showing item numbers used to connect to the
workgroups is displayed. Read the information regarding the escape sequence used
to return from a switch or router connection to the menus. To do this, press the
following keys simultaneously: Ctrl-Shift-6. Then release them and press x
(lowercase).

Step 5 Select your workgroup by entering its associated item number.

Step 6 You are now at the Workgroup menu. Your choices are to choose 1 to connect to the
router, 2 to connect to the switch type, or exit to return to the previous menu. Type
exit to return to the previous menu. Type exit followed by the Enter key.

Step 7 Now type exit followed by the Enter key to end the SSH session.

Step 8 Depending on the terminal emulator used, the window may close, go blank, or
appear unchanged. However, the session has ended, and any keystrokes will be
ignored.
Step 9 Close the terminal emulation application, if it did not close automatically.
You were able to access the remote console server using the information provided in Table
1.
You were able to access the Workgroup menu of your assigned pod.
You were able to navigate back to the main menu, end the terminal session, and close the
application.
Task 2: Connect to Remote VPN Router
In this task you will use the Cisco VPN client software to access the remote lab. Once there you
will observe the changes to your local PC IP addressing and discuss the changes to the packet
forwarding behavior.
Activity Procedure
Step 1 From your PC desktop, open the Cisco VPN client by clicking the VPN Client icon.

Step 2 Choose the connection entry associated with your assigned workgroup.

Step 3 Click the Connect icon on top left of the application window.

Step 4 The Connect icon changes and a User Authentication window opens.
Step 5 Type the VPN username and password you recorded in Table 1, and press Enter.
After a momentary pause, the VPN windows close. A small Padlock icon that was
placed in the system tray at the bottom right side of the screen goes from an open
padlock to a closed padlock. If the window does NOT close, manually minimize it.

Step 6 In order to view the changes to the IP addressing of the PC, it is necessary to open a
Command window and use the IPCONFIG command.

Step 7 When you do this you will observe that a second Ethernet adapter now has an IP
address and mask. Your output may be different, however this address and mask is
specific to the workgroup addressing used in the labs which follow. The VPN
adapter does NOT have a default gateway specified, as the packet forwarding
behavior has been modified such that networks that have been configured on the
VPN router will be forwarded through the tunnel. This will occur automatically, and
any not matching will be sent to the configured default gateway associated with the
other Ethernet adapter.
Step 8 You should be able to ping successfully the address 10.x.x.1, where x = 2 for WG A,
3 for WG B, and so forth, with x = 9 for WG H. If you are unsuccessful, you should
ask your instructor for assistance. Your output should be similar to the example
below.


Reply from 10.10.10.1: bytes=32 time=9ms TTL=127

Approximate round trip times in milli-seconds:
Minimum = 8ms, Maximum = 9ms, Average = 8ms

Step 9 In later labs you will use the VPN tunnel to allow the connection of a browser to
your workgroup router.
Step 10 In order to terminate your VPN connection, double-click the system tray Padlock
icon, which will open the VPN application window. You can also right-click the
padlock icon and choose Disconnect.

Step 11 Click the Disconnect icon in the top right of the VPN application window. This will
close the tunnel connection and remove the IP addressing changes to the PC.
Step 12 Close the VPN application window.
Step 13 Confirm that the PC has its original network IP address by using the IPCONFIG
command in the Command window.

Step 14 Having confirmed that the connection information has been removed, close any
remaining Windows applications.
You were able to access the remote lab network, using the VPN client application and the
information recorded in Table 1.
You were able to confirm access using ping and web connectivity.

Lab 2-2: Performing Switch Startup and Initial
Configuration
Activity Objective
In this activity, you will connect to your workgroup switch and complete the initial device
configuration. After completing this activity, you will be able to meet these objectives:
Restart the switch and verify the initial configuration messages
Complete the initial configuration of the Cisco Catalyst switch
Visual Objective
10.9.9.11
10.8.8.11
10.7.7.11
10.6.6.11
10.5.5.11
10.4.4.11
10.3.3.11
10.2.2.11
Switch IP
Address
255.255.255.0 SwitchH
255.255.255.0 SwitchG
255.255.255.0 SwitchF
255.255.255.0 SwitchE
255.255.255.0 SwitchD
255.255.255.0 SwitchC
255.255.255.0 SwitchB
255.255.255.0 SwitchA
Subnet Mask
Workgroup
Hostname
Visual Objective for Lab 2-2 Performing
Switch Startup and Initial Configuration

Required Resources
These resources and equipment are required to complete this activity:
PC with connectivity to the remote lab
An SSH-capable terminal emulation application
Your assigned pod information from Lab 2-1
Command List
Switch Cisco IOS Commands
Command Description
configure terminal Activates the configuration mode from the terminal.
copy running-config
destination
Copies the switch running configuration file to another
destination. A typical destination is the startup
configuration.
enable Activates the privileged EXEC mode. In privileged EXEC
mode, more commands are available. This command
requires you to enter the enable password if an enable
password is configured.
enable password password The enable password protects access to the enable mode.
However this password is stored in cleartext in the
configuration.
enable secret secret_password The encrypted enable password protects access to the
enable mode. An enable secret password overrides the
cleartext enable password, should both be configured.
end This configuration command terminates the configuration
mode.
erase startup-config Erases the startup configuration stored in nonvolatile
memory.
hostname hostname Sets the system name, which forms part of the prompt.
interface vlan 1 Enters the interface configuration mode for VLAN 1 to set
the switch management IP address.
ip address ip-address mask Sets the IP address and mask of the interface.
ip default-gateway ip-address Sets the default gateway of the switch. The default
gateway is the router, which will forward IP packets that are
not destined for the local network.
line vty 0 15 Enters the virtual terminal line configuration mode. Vty lines
allow access to the switch for remote network
management. The number of vty line available is
dependant on the Cisco IOS Software version. Typical
values are 0-4 and 0-15 (inclusive).
login This configuration line command applies a login process
requiring a username and password for access.
password line password Assigns a password to the console or vty ports.
reload Restarts the switch and reloads the Cisco IOS operating
system and configuration.
show interface vlan 1 Displays the switch IP address information (Cisco Catalyst
2950).
[no] shutdown Use the shutdown interface configuration command to
disable an interface. Use the no form of this command to
restart a disabled interface.
Job Aids
These job aids are available to help you complete the lab activity. The table contains the
required information to be entered during initial switch configuration.
Table 1: Password Information
Configuration Parameter Value
Enable password cisco
Enable secret password sanfran
Hostname Refer to Table 2
IP address and subnet mask Refer to Table 2
IP default gateway 10.x.x.3 (where x.x is your workgroups second- and third-
octet address)
vty password sanjose
Table 2: Switch IP Address Information
Workgroup Hostname Switch IP Address Mask
A SwitchA 10.2.2.11 255.255.255.0
B SwitchB 10.3.3.11 255.255.255.0
C SwitchC 10.4.4.11 255.255.255.0
D SwitchD 10.5.5.11 255.255.255.0
E SwitchE 10.6.6.11 255.255.255.0
F SwitchF 10.7.7.11 255.255.255.0
G SwitchG 10.8.8.11 255.255.255.0
H SwitchH 10.9.9.11 255.255.255.0
Task 1: Connect to Your Assigned Workgroup Switch
In this task you will connect to your assigned workgroup using the information and procedure
from Lab 2-1.
Activity Procedure
Step 1 Connect via SSH to your workgroup switch using the information from Lab 2-1.
Step 2 At the first menu enter the item number that corresponds to your assigned
workgroup. This will be a number from between 1 and 8.
Step 3 At the workgroup menu, enter cls2. When you are prompted to confirm, press the
Enter key. This clears any previous open connection; you may need to do this in
later labs if your connection is terminated unexpectedly. Your display should be
similar to the example below.
************************ ICND WG_Z **************************
************************ MENU **************************
To exit ssh session and return to the menu press
<CTRL>+<SHFT>+<6> then <X>. To clear a connection to begin
a new console session type cls# (where # = the menu item number)
Type "exit" to return to main menu.
*****************************************************************
ITEM# DEVICE NAME
-----------------------------------------------------------------

1 WorkGroup Z Router

2 WorkGroup Z Switch

exit Return to main menu

Please enter selection: cls2
[confirm]<ENTER>
[OK]

Step 4 Connect to your workgroup switch by entering the menu number 2 and then pressing
Enter. Your display should be similar to this example.
************************ ICND WG_Z **************************
************************ MENU **************************
To exit ssh session and return to the menu press
<CTRL>+<SHFT>+<6> then <X>. To clear a connection to begin
a new console session type cls# (where # = the menu item number)
Type "exit" to return to main menu.
*****************************************************************
ITEM# DEVICE NAME
-----------------------------------------------------------------

1 WorkGroup Z Router

2 WorkGroup Z Switch

exit Return to main menu

Please enter selection: 2
Trying swa (10.10.10.12, 2067)... Open

You were able to access your assigned workgroup switch on the remote lab network, using
the SSH client application and the information recorded in Table 1 of Lab 2-1.
Task 2: Verify That Switch Is Unconfigured and Reload
In this task, you will use the erase startup-config command to ensure that the switch has no
prior configuration saved to the startup-config file stored in NVRAM (nonvolatile memory).
You will then reload the switch software and observe the output generated during the reload.
Activity Procedure
Step 1 You will need to press Enter several times to get the switch to display the prompt. If
you see the output Switch> proceed to Step 3. If not, proceed to Step 2.
Step 2 If your output resembles that displayed below, answer Yes to the question shown.
Press Enter twice.

Would you like to terminate autoinstall? [yes]: yes

--- System Configuration Dialog ---

Would you like to enter the initial configuration dialog? [yes/no]: no

Switch>
Switch>

Step 3 You are currently in the user mode. To see the effect of entering a privileged
command in the user mode, enter the command erase startup-config. Your display
should be similar to the example below.
Switch>erase startup-config
^
% Invalid input detected at '^' marker.

Step 4 The output is the response to entering a privileged EXEC command when in user
mode. Enter the command enable. Your display should be similar to the example
below.

Switch>enable
Switch#

Step 5 Notice that the switch prompt changed from Switch> to Switch#. This indicates that
you are in enable EXEC mode. When you now enter the erase startup-config
command, it is accepted. Press the Enter key to confirm and press Enter again to get
the switch prompt. Your display should be similar to the example below.
Switch#erase startup-config
Erasing the nvram filesystem will remove all configuration files! Continue?
[confirm]<ENTER>
[OK]
Erase of nvram: complete
00:18:46: %SYS-7-NV_BLOCK_INIT: Initalized the geometry of nvram <ENTER>
Switch#
Step 6 Enter the reload command. The switch will prompt for confirmation. Confirm that
you want to proceed with the reload. You will then be presented with a lot of output,
giving the status of the switch during the reload process. Your display should be
similar to the example below. Some repeating text has been omitted to reduce the
output length.
Switch#reload
Proceed with reload? [confirm]<ENTER>

00:21:00: %SYS-5-RELOAD: Reload requested by console. Reload Reason: Reload Command.

Base ethernet MAC Address: 00:1a:6d:44:6c:80
Xmodem file system is available.
The password-recovery mechanism is enabled.
Initializing Flash...
flashfs[0]: 597 files, 19 directories
flashfs[0]: 0 orphaned files, 0 orphaned directories
flashfs[0]: Total bytes: 32514048
flashfs[0]: Bytes used: 8208384
flashfs[0]: Bytes available: 24305664
flashfs[0]: flashfs fsck took 9 seconds.
...done Initializing Flash.
Boot Sector Filesystem (bs) installed, fsid: 3
done.
Loading "flash:c2960-lanbasek9-mz.122-25.SEE2/c2960-lanbasek9-mz.122-
25.SEE2.bin"...@@@@@@@@@@@@@@@@
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
..
.. text omitted
..
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
File "flash:c2960-lanbasek9-mz.122-25.SEE2/c2960-lanbasek9-mz.122-25.SEE2.bin"
uncompressed and installed, entry point: 0x3000
executing...

Restricted Rights Legend

Use, duplication, or disclosure by the Government is
subject to restrictions as set forth in subparagraph
(c) of the Commercial Computer Software - Restricted
Rights clause at FAR sec. 52.227-19 and subparagraph
(c) (1) (ii) of the Rights in Technical Data and Computer
Software clause at DFARS sec. 252.227-7013.

cisco Systems, Inc.
170 West Tasman Drive
San Jose, California 95134-1706

Cisco IOS Software, C2960 Software (C2960-LANBASEK9-M), Version 12.2(25)SEE2, RELEASE
SOFTWARE (fc1)
Copyright (c) 1986-2006 by Cisco Systems, Inc.
Compiled Fri 28-Jul-06 11:57 by yenanh
Image text-base: 0x00003000, data-base: 0x00BB7944

Initializing flashfs...

flashfs[1]: 597 files, 19 directories
flashfs[1]: 0 orphaned files, 0 orphaned directories
flashfs[1]: Total bytes: 32514048
flashfs[1]: Bytes used: 8208384
flashfs[1]: Bytes available: 24305664
flashfs[1]: flashfs fsck took 1 seconds.
flashfs[1]: Initialization complete....done Initializing flashfs.

POST: CPU MIC register Tests : Begin
POST: CPU MIC register Tests : End, Status Passed

POST: PortASIC Memory Tests : Begin
POST: PortASIC Memory Tests : End, Status Passed

POST: CPU MIC PortASIC interface Loopback Tests : Begin
POST: CPU MIC PortASIC interface Loopback Tests : End, Status Passed

POST: PortASIC RingLoopback Tests : Begin
POST: PortASIC RingLoopback Tests : End, Status Passed

POST: PortASIC CAM Subsystem Tests : Begin
POST: PortASIC CAM Subsystem Tests : End, Status Passed

POST: PortASIC Port Loopback Tests : Begin
POST: PortASIC Port Loopback Tests : End, Status Passed

Waiting for Port download...Complete

This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

If you require further assistance please contact us by sending email to
export@cisco.com.

cisco WS-C2960-24TT-L (PowerPC405) processor (revision B0) with 61440K/4088K bytes of
memory.
Processor board ID FOC1048ZE27
Last reset from power-on
1 Virtual Ethernet interface
24 FastEthernet interfaces
2 Gigabit Ethernet interfaces
The password-recovery mechanism is enabled.

64K bytes of flash-simulated non-volatile configuration memory.
Base ethernet MAC Address : 00:1A:6D:44:6C:80
Motherboard assembly number : 73-10390-03
Power supply part number : 341-0097-02
Motherboard serial number : FOC10483A1C
Power supply serial number : DCA104382KM
Model revision number : B0
Motherboard revision number : C0
Model number : WS-C2960-24TT-L
System serial number : FOC1048ZE27
Top Assembly Part Number : 800-27221-02
Top Assembly Revision Number : C0
Version ID : V02
CLEI Code Number : COM3L00BRA
Hardware Board Revision Number : 0x01

Switch Ports Model SW Version SW Image
------ ----- ----- ---------- ----------
* 1 26 WS-C2960-24TT-L 12.2(25)SEE2 C2960-LANBASEK9-M

Press RETURN to get started!

00:00:39: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan1, changed state to down
00:00:40: %SPANTREE-5-EXTENDED_SYSID: Extended SysId enabled for type vlan
00:01:01: %SYS-5-RESTART: System restarted --
Cisco IOS Software, C2960 Software (C2960-LANBASEK9-M), Version 12.2(25)SEE2, RELEASE
SOFTWARE (fc1)
00:01:03: %LINK-3-UPDOWN: Interface FastEthernet0/1, changed state to up
00:01:04: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state
to up
to up
to up
to up
00:01:33: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan1, changed state to up

Step 7 At the prompt, to terminate AutoInstall, press Enter to accept the default, which is
yesyou do want to terminate AutoInstall.
Would you like to terminate autoinstall? [yes]:<ENTER>
Step 8 Now you are at the prompt to enter the initial configuration dialog. At this point you
have completed this task. Note that you will answer the question in Step 1 of next task.

Would you like to enter the initial configuration dialog? [yes/no]:

You were able to erase any existing configuration.
You were able to obtain the output similar that that given in Steps 6 through 8.
Task 3: Use System Configuration Dialog to Produce an Initial
Configuration
Continuing the process started in the last task, you will choose the initial configuration dialog
and will see the System Configuration Dialog displayed. You will then enter basic values for
your switch. This configuration mode is also known as setup, from the command-line method
to activate it.
Activity Procedure
Step 1 You are ready to complete the initial configuration. At the prompt (from the last step
of the previous task repeated below), Enter yes and then press Enter. To continue
with the switch configuration. Throughout the following configuration, your entries
are shown in bolded text.

Would you like to enter the initial configuration dialog? [yes/no]:yes

Step 2 Decline entering basic management setup by entering no.
At any point you may enter a question mark '?' for help.
Use ctrl-c to abort configuration dialog at any prompt.
Default settings are in square brackets '[]'.

Basic management setup configures only enough connectivity
for management of the system, extended setup will ask you
to configure each interface on the system

Would you like to enter basic management setup? [yes/no]: no

Step 3 Decline the review of interfaces by entering no to this question.

First, would you like to see the current interface summary? [yes]: no
Step 4 Enter the hostname for your assigned switch (for example SwitchJ ).
Configuring global parameters:

Enter host name [Switch]: SwitchX

Step 5 Enter all the passwords using the information in Lab 2-2, Table 1.

The enable secret is a password used to protect access to privileged EXEC and
configuration modes. This password, after entered, becomes encrypted in the
configuration.
Enter enable secret: sanfran

Step 6 The enable password is used when you do not specify an enable secret password, with
some older software versions and some boot images.

Enter enable password: cisco

Step 7 The virtual terminal password is used to protect access to the router over a network
interface.

Enter virtual terminal password: sanjose

Step 8 Answer no to the Configure SNMP Network Management prompt.

Configure SNMP Network Management? [no]: no

Step 9 Answer yes to Do You Want to Configure Vlan1 Interface? Your IP address
information can be obtained Table 2.

Configuring interface parameters:

Do you want to configure Vlan1 interface? [no]: yes
Configure IP on this interface? [no]: yes
IP address for this interface: 10.x.x.11
Subnet mask for this interface [255.0.0.0] : 255.255.255.0
Class A network is 10.0.0.0, 24 subnet bits; mask is /24

Step 10 Answer no to all the remaining Configure Interface prompts.

Do you want to configure FastEthernet0/1 interface? [yes]: no
























Do you want to configure GigabitEthernet0/1 interface? [yes]: no

Do you want to configure GigabitEthernet0/2 interface? [yes]: no

Step 11 Answer no to the Enable as a Cluster Command Switch prompt.

Would you like to enable as a cluster command switch? [yes/no]: no

Step 12 The setup process now outputs the Cisco IOS commands, which you should verify are
correct. Press the Spacebar when prompted with --More-- to get additional output.
The following configuration command script was created:

hostname SwitchX
enable secret 5 $1$3PTL$CG2pEpzgAJO3pkB7If4P9.
enable password cisco
line vty 0 15
password sanjose
no snmp-server
!
!
interface Vlan1
no shutdown
ip address 10.10.10.11 255.255.255.0
!
interface FastEthernet0/1
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface GigabitEthernet0/1
!
!
end

Step 13 If the initial configuration displayed is correct, enter 2 to save this configuration to the
startup configuration in NVRAM and exit the setup mode.

[0] Go to the IOS command prompt without saving this config.
[1] Return back to the setup without saving this config.
[2] Save this configuration to nvram and exit.

Enter your selection [2]: 2
Building configuration...
[OK]
Use the enabled mode 'configure' command to modify this configuration.

Your initial configuration output accurately matched the values assigned to your
workgroup switch.
You chose option 2 to save to NVRAM and exit the setup mode.
Task 4: Add Default Gateway to Initial Configuration
Having used the setup mode to configure your switch, it is necessary to add the IP of the default
gateway router. The default gateway will be used when packets need to be forwarded via the
Vlan 1 management interface to a non-directly-connected network. You will be configuring the
router in a later lab.
Activity Procedure
Step 1 To go from user EXEC mode to enable mode, enter the enable command. Then enter
the password when prompted.
Note Remember that you set the enable password to sanfran in the previous task.
Step 2 From the enable mode, enter configure terminal command. This command is often
abbreviated to conf t. Your display should be similar to the example below.
SwitchX#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
SwitchX(config)#
Step 3 Enter the command ip default-gateway 10.x.x.3, where x.x represents the second and
third octets of the address assigned to your switch interface VLAN 1. Your display
SwitchX(config)#ip default-gateway 10.10.10.3
SwitchX(config)#
Step 4 Leave the configuration mode by entering the command end. Your display should be
similar to the example below.
SwitchX(config)#end
SwitchX#
1d00h: %SYS-5-CONFIG_I: Configured from console by console
Step 5 Enter the command copy running-config startup-config to save the running
configuration to NVRAM. You will be prompted to confirm the destination filename.
Confirm it by pressing the Enter key. Your display should be similar to the example
below.
SwitchX#copy running-config startup-config
Destination filename [startup-config]?
[OK]
SwitchX#
Note A common shorthand entry for copy running-config startup-config is copy run start.
You have added the default gateway IP address to the running configuration
You saved the running configuration to the startup-config file
Lab 2-3: Enhancing the Security of Initial Switch
Configuration
Activity Objective
In this activity, you will increase the security of the initial switch configuration. After
completing this activity, you will be able to meet these objectives:
Add password protection to the console and vty lines
Use the Cisco IOS configuration command to encrypt all passwords
Add a banner message to the login process
Increase the security of remote management of the switch by adding the SSH protocol to
the vty lines
Increase the security of the physical interfaces by configuring various methods of MAC
address security
Disable unused interfaces
Visual Objective
10.9.9.11
10.8.8.11
10.7.7.11
10.6.6.11
10.5.5.11
10.4.4.11
10.3.3.11
10.2.2.11
Switch IP
Address
255.255.255.0 SwitchH
255.255.255.0 SwitchG
255.255.255.0 SwitchF
255.255.255.0 SwitchE
255.255.255.0 SwitchD
255.255.255.0 SwitchC
255.255.255.0 SwitchB
255.255.255.0 SwitchA
Subnet Mask
Workgroup
Hostname
Visual Objective for Lab 2-3 Enhancing
the Security of Switch Configuration

Required Resources
Successful completion of Lab 2-2
Command List
Command Description
? or help In user EXEC mode, Cisco IOS Software lists the subset of commands
available at that privilege level.
banner login Allows the configuration of a message which will be displayed at the
time of the login process.
clear mac-address-table dynamic
interface int-id
Clears the dynamically learned MAC addresses associated with the
interface specified.
clear port-security sticky
interface int-id access
Clears the secure MAC addresses associated with the interface
specified. The access parameter ensures that trunk ports are not
affected.
copy running-config destination Copies the switch running configuration file to another destination.
Typical destination is the startup configuration.
copy running-config startup-
config
Copies the switch running configuration file to the startup configuration
file that is held in local NVRAM.
crypto key generate rsa Generates the RSA key pairs to be used.
enable Activates the privileged EXEC mode. In privileged EXEC mode, more
commands are available. This command requires you to enter the
enable password if an enable password is configured.
end This configuration command terminates the configuration mode.
interface int-id Enters interface configuration mode.
interface range int-id - last-port-
number
Allows the grouping of interfaces, such that following interface
configuration commands will be applied to all the interfaces specified
simultaneously.
ip domain-name name Supplies an IP domain name, which is required by the crypto key
generation process.
ip ssh version [1 | 2] Specifies the version of SSH to be run. To disable the version of SSH
that was configured and to return to compatibility mode, use the no
form of this command.
line console 0 Enters the line console 0 configuration mode.
line vty 0 15 Enters the virtual terminal line configuration mode. Vty lines allow
access to the switch for remote network management. The number of
vty lines available depends on the Cisco IOS Software version. Typical
values are 0 to 4 and 0 to 15 (inclusive).
login Activates the login process on the console or vty lines.
login local Activates the login process on the console or vty lines to require using
the local authentication database
logout Exits the EXEC mode, requiring reauthentication (if enabled).
password Assigns a password to the console or vty lines.
ping ip-address Common tool used to troubleshoot the accessibility of devices. It uses
ICMP path echo requests and ICMP path echo replies to determine
whether a remote host is active. The ping command also measures
the amount of time it takes to receive the echo reply.
reload Restarts the switch, reloads the Cisco IOS operating system
service password-encryption Enable the service which will encrypt all passwords in the running
configuration.
show ip arp Display the IP address resolution table, which hold the binding
between IP addresses and their respective MAC addresses.
show ip ssh Shows the current settings of the SSH protocol.
show mac-address-table
dynamic
Displays only the dynamically learned MAC addresses in the table.
show mac-address-table
interface int-id
Displays only the MAC addresses in the table associated with the
specified interface.
show port-security interface int-id Displays all administrative and operational status of all secure ports on
a switch. Optionally displays specific interface security settings or all
secure MAC addresses.
show running-config Displays the active configuration.
show running-config interface
int-id
Displays the running configuration of the interface specified in the
command.
shutdown
no shutdown
Disables and enables an interface.
switchport mode access Sets the port to access mode. Use the no version of this command to
reset default values.
switchport port-security Enables port security on an interface. Entered without keywords.
switchport port-security mac-
address sticky
Sets the secure MAC addresses associated with an interface to be
learned dynamically.
switchport port-security
maximum [number]
Sets the maximum number of secure MAC addresses for the interface.
Use the no version of this command to remove it.
violation violation mode
Sets the action to be taken when a security violation occurs. Protect,
restrict, and shutdown are the three valid modes.
transport input telnet ssh Specifies which protocols to use to connect to a specific line of the
switch.
username username password
password
Creates a username and password pair, which can then be used as a
local authentication database.

Job Aids
Refer to Lab 2-1 for information regarding connection.
Table 1: Current Passwords
Switch console login none
Switch enable password cisco
Switch enable secret password sanfran
Switch vty login password sanjose
Task 1: Add Password Protection to Console Port and Vty
Lines
Following the initial configuration of the switch, where passwords have been configured for the
vty lines, two potential security holes exist. First, a security breach is possible when the vty
lines have the login process deactivated and the password is too simple. Second, security can be
breached when the console port currently is not protected by a password at all.
Activity Procedure
Step 1 Connect to your remote workgroup switch via the console server, and enter the
necessary commands and passwords to get to the enable EXEC prompt.
Step 2 At the user EXEC prompt, enter the command enable, followed by the enable
password for your switch.
Step 3 At the privileged EXEC prompt (sometimes called the enable prompt) of your
assigned switch, enter config t.
Step 4 Access the console port configuration by entering the command line console 0.
Step 5 At the line console configuration mode, use the password sanjose for the console
line. Enter the command password sanjose.
Step 6 Enter the command login, which will require a password to be supplied to access the
switch via the console in the future.
Step 7 Enter the command line vty 0 15.
Step 8 Enter the command login, which will be applied to all 16 lines (0 through 15).
Step 9 Enter the command end, which will return you to the enable EXEC prompt.
Step 10 Enter the show running-config command and observe the output to see that you
have correctly configured line console 0 and vty lines 0 through 15. Your output
should be similar to the example below, where the line configuration is shown in
bold text. You will observe that the passwords for both the line console and vty lines
are stored in cleartext.
SwitchX#show running-config
..
..Text omitted
..
!
line con 0
password sanjose
login
line vty 0 4
password sanjose
login
line vty 5 15
password sanjose
login
!
end
Step 11 You will now test your configured password by logging out of and back into the
switch via the console.
Step 12 Enter the command logout.
Step 13 Press the Enter key to get a password prompt.
Step 14 Supply the password the you just configured to get to the user EXEC prompt.
Step 15 Enter the command and password to get to the enable EXEC prompt.
Step 16 Your output for Steps 12 though 15 should be similar to the example below.
SwitchX#logout

..
..empty lines omitted
..

SwitchX con0 is now available

Press RETURN to get started.

..
..

User Access Verification

Password:
SwitchX>enable
Password:
SwitchX#
You configured the console and vty lines to require a password.
You inspected the configuration and observed that the line passwords are stored in
cleartext.
You tested the login process and password access to the console line successfully.
Your output matches the example in Step 14.
Task 2: Activate Password Encryption Service
As discussed in the previous task, some passwords are stored in cleartext. This can be a security
issue when the configurations are transmitted and stored on remote file systems. In this task,
you will configure the password encryption service to secure all cleartext passwords with
encryption.
Activity Procedure
Step 1 From the enable EXEC prompt, enter the command to get to global configuration
mode.
Step 2 Enter the command service password-encryption.
Step 3 Enter the command to return to the enable EXEC prompt.
Step 4 Enter the command to see the running configuration. Concentrate on the first few
lines and the last few lines of the configuration to see that the service password-
encryption command is now active and the effect it has on the line passwords. Your
output should be similar to the example below, with the bold text highlighting output
of particular interest.
SwitchX(config)#service password-encryption
SwitchX(config)#end
SwitchX#
00:38:45: %SYS-5-CONFIG_I: Configured from console by console
SwitchX#show running-config

Current configuration : 1453 bytes
!
version 12.2
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
..
..Text omitted
..

!
!
line con 0
password 7 14041305060B392E
login
line vty 0 4
password 7 14041305060B392E
login
line vty 5 15
password 7 120A041918041F01
login
!
end

Step 5 Enter the command to save the running configuration to startup-config.
You have enabled the password encryption service
You have displayed the running configuration and observed the encryption of the line
passwords
You have saved your running configuration
Task 3: Apply a Login Banner
As part of any security policy it is necessary to ensure that network resources are clearly
identified as being off limits to the casual visitor. Hackers have in the past successfully used the
fact that a welcome screen was presented at login as a legal defense for forced entry into the
network. A message that clearly states that access is restricted should be presented when a user
is attempting to access a network device (switch, router, and so on). The banner Cisco IOS
configuration command allows this to be done.
Activity Procedure
Step 1 Enter the command to access the global configuration prompt.
Step 2 Enter the command banner login % and press the Enter key. The percent symbol
(%) is the opening delimiter of the text that will form the message.
Step 3 Enter text to form your message followed by %.
Note Do NOT use percent symbols as part of your banner message textthey will be interpreted
as the closing delimiter of your message.
Step 4 Below is an example of the output of the configuration of a banner message.
SwitchX(config)#banner login %
Enter TEXT message. End with the character '%'.
********** Warning *************
Access to this device is restricted to authorized persons only!
Un-authorized access is prohibited. Violators will be prosecuted.

**************************************************************%
SwitchX(config)#
Step 5 Enter the command to return to the EXEC mode.
Step 6 Enter the command to display the running configuration. Your output should be
similar to the example below, which has been edited to show just the banner
configuration. Notice that your text delimiter has been replaced with a ^C, which is a
nontext control character.
!
banner login ^C
********** Warning *************

**************************************************************^C
!
Step 7 Use the logout command to end your console session. Then log back in to the enable
prompt. Observe the display to see your banner message being presented, prior to
password entry. Your output should be similar to the example below, which has
been edited to reduce space.
SwitchX#logout

SwitchX con0 is now available


********* Warning *************

**************************************************************


Password:
SwitchX>en
Password:
SwitchX#
You have configured a login banner message that clearly states that access to the switch is
restricted.
You have tested the login message, and it does give a warning prior to password prompt.
You have saved your configuration.
Task 4: Enable SSH Protocol for Remote Management
In a previous task, you protected passwords by using encryption. However, if the process of
remote management uses the Telnet protocol, which sends all characters in cleartext including
passwords, the potential exists for packet capture and exploitation of that information. In this
task you will configure the SSH protocol as an alternative to Telnet. If it is possible in your
environment, it would be best to replace Telnet with SSH. To operate, SSH requires the
following:
A username and password
A defined hostname
A defined IP domain
An RSA encryption key
Activity Procedure
Step 1 At the enable EXEC prompt, enter the command to access the global configuration
prompt.
Step 2 The SSH protocol requires the use of a username and password pair. As this has not
yet been configured, you must configure it now. Enter the command username
username password password. In this example, you will use netadmin for both.
Obviously, in the real-world environment, a much stronger username and password
pair should be used.
Step 3 The generation of a SSH cryptographic key requires that both the hostname and
domain name be configured. You have configured the hostname, so it is necessary to
configure the domain name. Normally you would use your organization domain
name, but in the lab you will use cisco.com.
Step 4 Enter the command ip domain-name domain name.
Step 5 Enter the command crypto key generate rsa. You will be prompted for a key size;
512 is the default, but you will enter 1024 to produce a more secure key. Your
output should be similar to the example below, which is edited to include only the
lines pertaining to this task.
SwitchX(config)#username netadmin password netadmin
SwitchX(config)#ip domain-name cisco.com
SwitchX(config)#crypto key generate rsa
The name for the keys will be: SwitchX.cisco.com
Choose the size of the key modulus in the range of 360 to 2048 for your
General Purpose Keys. Choosing a key modulus greater than 512 may take
a few minutes.

How many bits in the modulus [512]: 1024

% Generating 1024 bit RSA keys ...[OK]

01:26:52: %SSH-5-ENABLED: SSH 1.99 has been enabled
Step 6 Enter the command ip ssh version 2 to enable the required SSH version.
Step 8 Enter the command login local. This changes the login process to use the locally
configured username and password pairs.
Step 9 Enter the command transport input telnet ssh. This configures the 16 vty lines to
support both Telnet or SSH. Your output should be similar to the example below.
SwitchX(config)#line vty 0 15
SwitchX(config-line)#login local
SwitchX(config-line)#transport input telnet ssh
Step 10 Enter the command to return to enable EXEC prompt.
Step 11 Enter the command show ip ssh.
SwitchX#sh ip ssh
SSH Enabled - version 2.0
Authentication timeout: 120 secs; Authentication retries: 3
Step 12 To test your configuration, you need to make a VPN tunnel connection to the remote
lab using the method from Lab 2-1, Task 2. On your PC, open your SSH terminal
client application. Use the IP address of your workgroup switch and the username
and password pair that you configured in Step 2 of this task.
Step 13 Below is an example of a successful connection with the PuTTY application and
using SSH.

Step 14 Enter the logout command to exit the PuTTY connection.
Step 15 Open the Windows Command window and enter the command telnet 10.x.x.11
(your workgroup switch IP address). Your output should be similar to the example
below.

Step 16 Enter the username and password in the new Telnet Command window that
automatically opens. Having established that Telnet is working simultaneously with
SSH, type logout at the user EXEC prompt and close your Command window by
typing exit at the Command window prompt. Your output should be similar to the
example below.

Step 17 Enter the command to save your configuration to startup-config.
You configured the vty lines to support the SSH version 2 protocol.
You successfully directly connected to your workgroup switch using SSH and Telnet, thus
proving that both are being supported simultaneously.
You saved your configuration.
Task 5: Configure Port Security on a Switch
In this task, you will configure the switch to permit only a defined number of MAC addresses
on the first access port, and also specify the action to take should this number be exceeded. You
will determine how many addresses are being learned dynamically, then modify the interface to
permit one less than this number, so that a MAC violation will occur. You will use show
commands to observe the status and behavior of the switch before finally setting the secure
number of addresses back to a viable non-error-producing value.
Activity Procedure
Access your SwitchX console port, where x identifies your pod. Complete the following steps
to configure port security on the workgroup switch:
Caution You should have saved the current running configuration at the end of the previous lab. If
you are in doubt then save your running configuration to startup-config prior to reloading.
Step 1 Enter the commands to reload your switch.
Step 2 Enter the commands to get to the enable EXEC prompt.
Step 3 Enter the command ping to test connectivity to the IP address in the table below.
You will complete the table in Steps 4 and 5.
MAC Address Table
Device IP address MAC address
10.x.x.100
Unmanaged device
Step 4 Enter the command show ip arp. This will display the bindings between the IP
address and the MAC address. Enter the corresponding MAC address in the
table above. Your output should be similar to the example below.
SwitchX#show ip arp
Protocol Address Age (min) Hardware Addr Type Interface
Internet 10.x.x.11 - 001a.6d44.6cc0 ARPA Vlan1
Internet 10.x.x.100 0 001a.2fe7.3089 ARPA Vlan1

Step 5 Enter the command show mac-address-table int fa0/1. There should be one MAC
not associated with the IP address you just pinged. This is the MAC address of the
unmanaged device. Use this to complete the table from Step 3 above. Your output
SwitchX#show mac-address-table int fa0/1
Mac Address Table
-------------------------------------------

Vlan Mac Address Type Ports
---- ----------- -------- -----
1 0017.5a78.be01 DYNAMIC Fa0/1
1 001a.2fe7.3089 DYNAMIC Fa0/1
Total Mac Addresses for this criterion: 2

Step 6 Before you configure port security, you need to clear the dynamically learned MAC
address entries. Enter the command clear mac-address-table dynamic int fa0/1.
Step 7 Wait at least 10 seconds before entering the show mac-address-table int fa0/1 to
see the effect of this command. You will see that the MAC address of the
unmanaged device is still in the MAC address table. This is because this device is
periodically sending Layer 2 frames. Other Ethernet interfaces may be set to
periodically send keep-alive frames. However, you should see only the MAC
addresses being learned at this time. Your output should be similar to the example
below.
SwitchX#show mac-address-table int fa0/1
Mac Address Table
-------------------------------------------

---- ----------- -------- -----
1 0017.5a78.be0f DYNAMIC Fa0/1
Step 8 Enter the command configure t.
Step 9 Enter the command interface fa0/1.
Step 10 Disable the interface by entering the shutdown command.
Step 11 Before port security features can be applied to an switchport, it has to be in non-
auto-negotiation mode. Enter the command switchport mode access.
Step 12 Before activating port security, it is necessary to set the maximum number of MAC
addresses to an appropriate value if there are more than the default of 1. However, as
the intention is to trigger a MAC address violation, and in Step 5 you saw there were
two MAC addresses associated with this interface, no action is necessary.
Step 13 Another parameter that should be set before the activation of port security is what
action to take when more MAC addresses attempt to use the interface than have
been configured. This is known as the violation action. The default action is
shutdown, which will error-disable the interface. Initially you will use this default
value, so that you get experience resetting the interface.
Step 14 Enter the command switchport port-security mac-address sticky. This will cause
MAC addresses that are learned to be saved in the running configuration. If the
configuration is subsequently saved to startup-config, they will be remembered upon
a restart.
Step 15 Enter the command switchport port-security. Entering the command without any
parameters activates port security. If this is not done, then port-security remains
disabled.
Step 16 Enter the command no shutdown to re-enable the switchport.
Step 17 Enter the command end to leave configuration mode and return to the enable EXEC
prompt.
Step 18 Wait for 20 seconds before entering the command show running-config int fa0/1 to
display the portion of the running configuration for interface fa0/1. Your output
should be similar to the example below, which has some lines shown in bold for
emphasis.
SwitchX#show running-config int fa0/1

!
switchport mode access
switchport port-security mac-address sticky
switchport port-security mac-address sticky 0017.5a78.be0f
end
Step 19 Enter the show port-security int fa0/1 command to display the current port security
settings.
SwitchX#show port-security int fa0/1
Port Security : Enabled
Port Status : Secure-up
Violation Mode : Shutdown
Aging Time : 0 mins
Aging Type : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 1
Total MAC Addresses : 1
Configured MAC Addresses : 0
Sticky MAC Addresses : 1
Last Source Address:Vlan : 0017.5a78.be01:1
Security Violation Count : 0
Step 20 Enter the command show mac-address dynamic int fa0/1 to show the dynamic
MAC table entries for int fa0/1 only. You should not see any entries, because they
would have been converted to static (sticky) entries. Your output should be similar
to the example below.
SwitchX#show mac-address dynamic int fa0/1
Mac Address Table
-------------------------------------------
---- ----------- -------- -----
Step 21 Use the ping command to create a port-security violation, ping 10.x.x.100. Your
output should be similar to the example below.
23:07:41: %PM-4-ERR_DISABLE: psecure-violation error detected on Fa0/1,
putting Fa0/1 in err-disable state
23:07:41: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred,
caused by MAC address 001a.2fe7.3089 on port FastEthernet0/1.
23:07:42: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1,
changed state to down.
23:07:43: %LINK-3-UPDOWN: Interface FastEthernet0/1, changed state to down....
Success rate is 0 percent (0/5)
SwitchX#
Step 22 Enter the show port-security interface fa0/1 command to display the current port
security settings.
Port Status : Secure-shutdown
Violation Mode : Shutdown
Aging Time : 0 mins
Last Source Address:Vlan : 001a.2fe7.3089:1
Step 23 It is now necessary to modify the maximum value of allowable MAC addresses to
two. It is also necessary to change the violation action to restrict and then return the
interface from error disable state to administratively up.
Step 24 Before you attempt to modify the port security setting, it is best to clear the MAC
table entries.
Step 25 Enter the command clear port-security sticky int fa0/1 access. Note: By restricting
the action of the clear command to only the interface that you are currently dealing
with, you avoid the risk of inadvertently impacting other interfaces.
Step 26 Enter the command configure t.
Step 27 Enter the command int fa0/1.
Step 28 Enter the command switchport port-security maximum 2.
Step 29 Enter the command switchport port-security violation restrict. The restrict
violation action does not shut down the interface; instead it blocks the frames,
generates a local message, and increments the security violation count. This
violation action is appropriate for a low-security environment.
Step 30 To return the interface to administratively up from error disable, it is necessary to
first enter the command shutdown and then enter the command no shutdown to
bring the interface back up.
Step 31 Enter the command end to leave configuration mode and return to the enable EXEC
prompt.
Step 32 Wait 20 seconds before you test your configuration by using the ping command to
10.x.x.100.
Step 33 The example below shows the output of the show running-config int fa0/1
command. Your output should be similar.
SwitchX#show running-config int fa0/1

!
switchport port-security maximum 2
switchport port-security violation restrict
switchport port-security mac-address sticky 0017.5a78.be01
switchport port-security mac-address sticky 001a.2fe7.3089
end

Step 34 The example below shows the output of the show port-security int fa0/1 command.
Port Status : Secure-up
Violation Mode : Restrict
Aging Time : 0 mins
Last Source Address:Vlan : 001a.2fe7.3089:1
Step 35 Compare the bolded text with the output of Step 22, which should show that the port
is up and that the violation mode is now to Restrict rather than Shutdown the
interface.
Step 36 Save your running configuration to startup-config.
The switch was configured to permit one dynamically learned MAC addresses on the first
access port (fa0/1)
The port was forced into a port-security violation resulting in it being error disabled
The configuration was then changed to support two dynamically learned addresses, and the
violation action was modified to restrict access and not shutdown the port
The port was returned from error disable to administratively up state
The port was retested and no port-security violations were triggered
The running configuration was saved to startup-config
Task 6: Disable Unused Ports and Place All Ports in Access
Mode
In this task, you will shut down all unused ports. You will also move all switchports from auto
negotiation to fixed in access mode. This action makes the switch more resilient to security
attacks from devices which have direct connection to the switch. In this task, it is given that the
following ports are currently not in use: Fa0/3 through Fa0/10, Fa0/13 through fa0/24, and
Gi0/1 through Gi0/2.
Activity Procedure
Step 1 At the enable EXEC prompt enter the command to access the global configuration
prompt.
Step 2 Enter the command interface range fa0/3 - 10. All the commands that follow will
be applied to the ports specified.
Step 3 Enter the command shutdown.
Step 4 Enter the command interface range fa0/13 - 24 to replace the previous range
command.
Step 6 Enter the command interface range gi0/1 - 2 to replace the previous range
command.
Step 8 Return to the enable EXEC prompt.
Step 9 Enter the command to display the running configuration to confirm that only the
intended interfaces were shut down.
Step 11 Enter the command interface range fa0/1 - 24, gi0/1 - 2 to include all ports in the
range. Notice in this instance the interface ranges have been grouped into a single
command by using the , (comma) as a separator.
Step 12 Enter the command switchport mode access.
Step 13 Return to the enable EXEC prompt.
Step 14 Enter the command to display the running configuration to confirm that all the
interfaces were placed into access mode.
Step 15 When you are certain that all ports are in access mode, and all ports with the
exception of fa0/1, fa0/2, fa0/11, and fa0/12 are shut down, save your running
configuration to startup-config.
Configured the given range of unused ports to be shut down
Configured all ports to be in access mode
Saved the running configuration to startup-config

Lab 2-4: Operating and Configuring a Cisco IOS
Device
Activity Objective
In this activity, you will demonstrate and practice the use of the CLI features of your
workgroup switch. After completing this activity, you will be able to meet these objectives:
Explore context-sensitive help
Edit incorrect CLI commands on the switch
Examine the switch status using show commands
Visual Objective
Operating and Configuring a Cisco IOS Device
10.9.9.11
10.8.8.11
10.7.7.11
10.6.6.11
10.5.5.11
10.4.4.11
10.3.3.11
10.2.2.11
Switch IP
Address
255.255.255.0 SwitchH
255.255.255.0 SwitchG
255.255.255.0 SwitchF
255.255.255.0 SwitchE
255.255.255.0 SwitchD
255.255.255.0 SwitchC
255.255.255.0 SwitchB
255.255.255.0 SwitchA
Subnet Mask
Workgroup
Hostname

Required Resources
Command List
Command Description
? or help

In user mode, Cisco IOS Software lists a subset of the
available commands.
After you enter enable and enter your enable password for
privileged mode, a much larger list of available commands
is displayed.
clock set Manages the system clock.
enable Activates privileged mode. In privileged mode, more
commands are available.
This command requires you to enter the enable password if
an enable password is configured. If an enable secret
password is also configured, the enable secret password
overrides the enable password.
exec time-out Sets the inactivity time allowed before a session will be
automatically logged out.
history size Sets the number of lines held in the history buffer for recall.
Two separate buffers are used, one for EXEC mode
commands and the other for configuration mode
commands.
[no] ip domain-lookup The command-line interpreter by default tries, when
receiving a command it does not recognize, to interpret it
as a symbolic name for an IP address. The no form of this
command turns off this default action, thus speeding up the
interpretation of erroneous entries.
line console 0 Enters the line console 0 configuration mode.
allow access to the switch for remote network
management. The number of vty lines available is
dependant on the Cisco IOS Software version. Typical
values are 0-4 and 0-15 (inclusive).
logging synchronous Synchronizes unsolicited messages and debug privileged
EXEC command output with solicited device output and
prompts for a specific console port line or vty line.
show clock Displays the system clock.
show history Displays recently entered commands.
show interfaces Displays information on all of the router interfaces.
show running-config Displays the active configuration.
show terminal Displays the current settings for the terminal.
show version Displays the configuration of the router hardware and the
various software versions.
terminal history size Sets the command history buffer size.
Job Aids
Current Passwords
Switch Console Login sanjose
Switch Enable Password cisco
Switch Enable Secret Password sanfran
Switch VTY Login User ID netadmin
Switch VTY Login Password netadmin

Task 1: Explore Context-Sensitive Help
In this task, you will use context-sensitive help in both user and privileged EXEC modes to
locate commands and complete command syntax.
Activity Procedure
Step 1 Connect to your workgroup switch using the information from Lab 2-1.
Step 2 Enter the help command (?). At the user EXEC prompt, you should see a partial list
of commands available. Your output should resemble the example below.
Exec commands:
access-enable Create a temporary Access-List entry
clear Reset functions
connect Open a terminal connection
..
..Text omitted
..
set Set system parameter (not config)
show Show running system information
ssh Open a secure shell client connection
systat Display information about terminal lines
telnet Open a telnet connection
--More--
Step 3 Press the Spacebar to complete or continue the list.
Step 4 Enter privileged EXEC mode.
Step 5 Notice the prompt which indicates that the switch mode was > and is now #.
Step 6 Enter the help (?) command at the privileged EXEC mode prompt. Use help to
determine the keyword command that manages the system clock.
Step 7 Your console should be displaying a prompt of --More-- as it waits for you to
press a key before displaying more output. Enter q to terminate continuation of the
output.
Step 8 Enter the clock ? command. You should see the context-sensitive help. Your output
should resemble the example below.
SwitchX#clock ?
set Set the time and date

Step 9 Set the system clock to the current time and date. Remember to use context-sensitive
help to guide you through the process.
Step 10 At the switch# prompt, enter sh? You should see another example of the context
sensitive help. Your output should resemble the example below.
SwitchX#sh?
show

Step 11 Press the Tab key. You should see the command-completion feature in action.
When enough letters of a command or keyword have been entered, the Tab key will
complete the word and place a space so that it is ready to receive any further input.
Step 12 Enter the show clock command. Your output should reflect the changes you made
using the clock set command in Step 9. Your output should be similar to the
example below.
SwitchX#show clock
10:45:25.073 UTC Tue Jul 10 2007
You used the system help facility and the command-completion facility.
Task 2: Edit an Incorrect Command
In this task, you will use Cisco IOS Software enhanced editing features to correct command-
line errors.
Activity Procedure
Step 1 Enter the following comment line at the prompt: This command changes the
clock speed for the router. Enter the text without the quotes ().
SwitchX#This command changes the clock speed for the router.
^
% Invalid input detected at '^' marker.

Step 2 Enter the following comment line, preceded by the exclamation point (!): !ths
comand changuw the clck sped for the swch,. An exclamation point (!) before the
text line indicates that you are entering a comment.
SwitchX#!ths comand changuw the clck sped for the swch,

Step 3 Enter Ctrl-P or press the Up Arrow key to see the previous line.
Step 4 Use the editor commands Ctrl-A, Ctrl-F, Ctrl-E, and Ctrl-B to move along the line
and the Backspace key to delete unwanted characters.
Step 5 Using the editing commands, correct the comment line to read !This command
changes the clock speed for the switch.
You used the built-in editor and used those keystrokes for cursor navigation.
Task 3: Improve the Usability of the CLI
In this task, you will enter commands to improve the usability of the CLI. You will increase the
number of lines in the history buffers, increase the inactivity timer on the console port, and stop
the attempted name resolution of mistyped commands.
Activity Procedure
Step 1 Enter the command show terminal. Your output should be similar to the example
below, which has been edited to reduce unwanted lines.
SwitchX#sh terminal
Line 0, Location: "", Type: ""
Length: 24 lines, Width: 80 columns
Baud rate (TX/RX) is 9600/9600, no parity, 2 stopbits, 8 databits
..
..Text omitted
..
Editing is enabled.
History is enabled, history size is 10.
DNS resolution in show commands is enabled
Full user help is disabled
Allowed input transports are none.
Allowed output transports are telnet ssh.
Preferred transport is telnet.
No output characters are padded
No special data dispatching characters
Step 2 The size of the history buffers is 10. You could change this by using the command
terminal history size 100. However, this value would have to be entered every time
you log out of and back into the switch. The history size can be set in the
configuration, associated with the console and vty lines.
Step 3 Enter the command config t to get to the global configuration prompt.
Step 4 Enter the command line console 0.
Step 5 Enter the command history size 100.
Step 6 While you are in the console line mode, it is a good idea to change the EXEC
timeout from the 15-minute value to 60 minutes. Enter the command exec-timeout
60.
Step 7 Enter the command logging synchronous to synchronize unsolicited messages and
debug privileged EXEC command output with the input from the CLI.
Step 8 Enter the command line vty 0 15 to configure the vty lines.
Step 9 Enter the commands to configure the history size to 100 and to synchronize the
messages.
Step 10 Enter the exit command to return to the global configuration mode.
Step 11 Enter the command no ip domain-lookup to disable the resolution for symbolic
names.
Step 12 Return to enable EXEC prompt.
Step 13 Use the history recall to enter the show terminal command. Your output should be
similar to the example below, which has been edited to reduce unwanted lines.

SwitchX#sh term
..
..Text omitted
..
Editing is enabled.
Allowed output transports are telnet ssh.

Step 14 Enter the show running-config command to confirm that the configuration changes
just made are correct.
Step 15 When you are satisfied that your running configuration reflects the changes, then
save it to startup-config.
Step 16 Close your connection(s) to your workgroup switch.
The inactivity timeout on the console line is set to 60 minutes
You have verified that the history buffer value is set to 100 lines on the console and vty
lines
You have verified that logging synchronous is configured on the console and vty lines
You have saved your configuration to starting configuration
You close any open connections to your workgroup switch

Lab 4-1: Converting Decimal to Binary and
Binary to Decimal
Complete the lab activity to practice what you learned in the related module.
Activity Objective
In this activity, you convert decimal and binary numbers. After completing this activity, you
will be able to meet these objectives:
Convert decimal numbers to binary
Convert binary numbers to decimal
Visual Objective
Visual Objective for Lab 4-1 Converting
Decimal to Binary and Binary to Decimal

Required Resources
There are no resources for this lab activity.
Command List
There are no commands used in this lab activity.
Job Aids
There are no job aids for this lab activity.
Activity Preparation
There is no preparation for this lab activity.
Task 1: Convert from Decimal Notation to Binary Format
Activity Procedure
Complete the following table, which provides practice in converting a number from decimal
notation to binary format.
Base 2 2
7
2
6
2
5
2
4
2
3
2
2
2
1
2
0

Decimal 128 64 32 16 8 4 2 1 Binary
48 0 0 1 1 0 0 0
0
48 = 32 +16 =
00110000
146 1 0 0 1
222
119
135
60
Task 2: Convert from Binary Notation to Decimal Format
Activity Procedure
Complete the following table, which provides practice in converting a number from binary
notation to decimal format.
Base 2 2
7
2
6
2
5
2
4
2
3
2
2
2
1
2
0

Binary 128 64 32 16 8 4 2 1 Decimal
11001100 1 1 0 0 1 1 0 0 128 + 64 + 8 + 4 = 204
10101010 1 0 1 0
11100011
10110011
00110101
10010111
You have completed this lab when you attain these results:
You can accurately convert decimal format numbers to binary notation.
You can accurately convert binary notation numbers to decimal format.

Lab 4-2: Classifying Network Addressing
Activity Objective
In this activity, you classify network addresses with IPv4 and IPv6. After completing this
activity, you will be able to meet these objectives:
Convert decimal IP addresses to binary numbers
Convert binary numbers to IP addresses
Identify classes of IP addresses
Identify valid and invalid host IP addresses
Visual Objective
Convert decimal IP addresses to binary
145.32.59.24 = 10010001.00100000.__________.__________
Convert binary IP addresses to decimal
10010001.00011011.00111101.10001001 = 216.____.____.____
Identifying IP Address Classes
Classifying Network Addressing
0.124.0.0?
23.75.345.200?
255.255.255.255?

Required Resources
Command List
There are no commands used in this activity.
Job Aids
Task 1: Convert from Decimal IP Address to Binary Format
Activity Procedure
Complete the following steps:
Step 1 Complete the following table to express 145.32.59.24 in binary format.
Base 2 2
7
2
6
2
5
2
4
2
3
2
2
2
1
2
0

Decimal 128 64 32 16 8 4 2 1 Binary
145 1 0 0 1 0 0 0 1 10010001
32 0 0 1 0 0 0 0 0 00100000
59
24

Binary Format IP Address
10010001. 00100000. ___________ . ___________
Base 2 2
7
2
6
2
5
2
4
2
3
2
2
2
1
2
0

Decimal 128 64 32 16 8 4 2 1 Binary
200
42
129
16


Base 2 2
7
2
6
2
5
2
4
2
3
2
2
2
1
2
0

Decimal 128 64 32 16 8 4 2 1 Binary
14
82
19
54


Task 2: Convert from Binary Format to Decimal IP Address
Activity Procedure
Complete the following steps:
Step 1 Complete the following table to express 11011000.00011011.00111101.10001001 in
decimal IP address format.
Base 2 2
7
2
6
2
5
2
4
2
3
2
2
2
1
2
0

Binary 128 64 32 16 8 4 2 1 Decimal
11011000 1 1 0 1 1 0 0 0 216
00011011
00111101
10001001

Decimal Format IP Address
216. _____ . _____ . _____
Base 2 2
7
2
6
2
5
2
4
2
3
2
2
2
1
2
0

Binary 128 64 32 16 8 4 2 1 Decimal
11000110
00110101
10010011
00101101


Base 2 2
7
2
6
2
5
2
4
2
3
2
2
2
1
2
0

Binary 128 64 32 16 8 4 2 1 Decimal
01111011
00101101
01000011
01011001


Task 3: Identify IP Address Classes
Activity Procedure
Complete this table to identify the address class, number of bits in the network ID, and
maximum number of hosts.
Binary IP Address Decimal IP Address
Address
Class
Number of
Bits in
Network ID
Maximum
Number of
Hosts
(2
h
2)
10010001.00100000.00111011.00011000 145.32.59.24 Class B 16
11001000.00101010.10000001.00010000 200.42.129.16
00001110.01010010.00010011.00110110 14.82.19.54
11011000.00011011.00111101.10001001 216.27.61.137
10110011.00101101.01000011.01011001 179.45.67.89
11000110.00110101.10010011.00101101 198.53.147.45
Task 4: Identify Valid and Invalid Host IP Addresses
Activity Procedure
Complete the following table to identify which host IP addresses are valid and which are not
valid.
Decimal IP Address Valid or Invalid If Invalid, Indicate Reason
23.75.345.200
216.27.61.134
102.54.94
255.255.255.255
142.179.148.200
200.42.129.16
0.124.0.0
You can accurately convert decimal format IP addresses to binary format
You can accurately convert binary format IP addresses to decimal format
You can identify the address class of a given IP address
You can identify valid and invalid IP addresses
Lab 4-3: Computing Usable Subnetworks and
Hosts
Activity Objective
In this activity, you determine the number of bits to borrow from the host ID to create the
required number of subnets for a given IP address. After completing this activity, you will be
able to meet these objectives:
Determine the number of bits required to create different subnets
Determine the maximum number of host addresses available in a given subnet
Visual Objective
Given:
Class C network address of 192.168.89.0
Class B network address of 172.25.0.0
Class A network address of 10.0.0.0
How many subnets can you create?
How many hosts per subnet can you create?
Visual Objective for Lab 4-3 Computing
Usable Subnetworks and Hosts

Required Resources
Command List
Job Aids
Task 1: Determine the Number of Bits Required to Subnet a
Class C Network
Activity Procedure
Given a Class C network address of 192.168.89.0, complete the table to identify the number of
bits that are required to define the specified number of subnets for the network, and then
determine the number of hosts per subnet.
Number of
Subnets Number of Bits to Borrow Number of Hosts per Subnet (2
h
2)
2
5
12
24
40
Class B Network
Activity Procedure
Given a Class B network address of 172.25.0.0, complete the table to identify the number of
bits that are required to define the specified number of subnets for the network, and then
determine the number of hosts per subnet.
Number of
h
2)
5
8
14
20
35
Class A Network
Activity Procedure
Given a Class A network address of 10.0.0.0, complete the table to identify the number of bits
that are required to define the specified number of subnets for the network, and then determine
the number of hosts per subnet.
Number of
h
2)
10
14
20
40
80
Given a Class A, B, or C network, you can identify the number of bits to borrow to create a
given number of subnets
Given a Class A, B, or C network, you can determine the number of hosts on the network,
given a number of subnets and number of bits to borrow

Lab 4-4: Calculating Subnet Masks
Activity Objective
In this activity, you calculate subnet masks. After completing this activity, you will be able to
meet these objectives:
Given a network address, determine the number of possible network addresses and the
binary subnet mask to use
Given a network IP address and subnet mask, determine the range of subnet addresses
Identify the host addresses that can be assigned to a subnet and the associated broadcast
addresses
Visual Objective
Calculating Subnet Masks
Given a network address, determine the number of possible
network addresses and the binary subnet mask to use.
Given a network IP address and subnet mask, determine the _
range of subnets addresses.
Identify the host addresses that can be assigned to a subnet
and the associated broadcast addresses.

Required Resources
Command List
Job Aids
Task 1: Determine the Number of Possible Network Addresses
Activity Procedure
Given a Class A network and the net bits identified, complete this table to identify the subnet
mask and the number of host addresses possible for each mask.
Classful
Address Decimal Subnet Mask Binary Subnet Mask
Number of Hosts
per Subnet
(2
h
2)
/20
/21
/22
/23
/24
/25
/26
/27
/28
/29
/30
Task 2: Given a Network Address, Define Subnets
Activity Procedure
Assume that you have been assigned the 172.25.0.0 /16 network. You need to establish twelve
subnets. Complete the following questions.
1. How many bits do you need to borrow to define 12 subnets?

_________________________________________________________________________
2. Specify the classful address and subnet mask in binary and decimal that allows you to
create 12 subnets.

_________________________________________________________________________
3. Use the eight-step method to define the 12 subnets.
Step Description Example
1. Write down the octet that is being split in binary.
2. Write the mask or classful prefix length in binary.
3. Draw a line to delineate the significant bits in the
assigned IP address.
Cross out the mask so that you can view the
significant bits in the IP address.

4. Copy the significant bits four times.
5. In the first line, define the network address by
placing 0s in the remaining host bits.
6. In the last line, define the directed-broadcast
address by placing 1s in the host bits.
7. In the middle lines, define the first and last host ID
for this subnet.

8. Increment the subnet bits by one to determine the
next subnet address.
Repeat Steps 4 through 8 for all subnets.

4. Complete the following table to define each subnet.
Subnet
Number Subnet Address Range of Host Addresses
Directed-Broadcast
Address
0
1
2
3
4
5
6
7
. . .
Task 3: Given Another Network Address, Define Subnets
Activity Procedure
Assume that you have been assigned the 192.168.1.0 /24 network.
1. How many bits do you need to borrow to define six subnets?
_________________________________________________________________________
create six subnets.
_________________________________________________________________________
3. Use the eight-step method to define the six subnets.

for this subnet.


4. Complete this table to define each subnet.
Subnet
Directed-Broadcast
Address
0
1
2
3
4
5
6
7
Task 4: Given a Network Address and Classful Address, Define
Subnets
Activity Procedure
Assume that you have been assigned the 192.168.111.129 address in a /28 network block.
1. Specify the subnet mask in binary and decimal.
_________________________________________________________________________
2. How many subnets can you define with the specified mask?
_________________________________________________________________________
3. How many hosts will be in each subnet?
_______________________________________________________________________
4. Use the eight-step method to define the subnets.

for this subnet.


Subnet
Directed-Broadcast
Address
0
1
2
3
4
5
6
7
Task 5: Given a Network Block and Classful Address, Define
Subnets
Activity Procedure
_________________________________________________________________________
_________________________________________________________________________
_________________________________________________________________________

for this subnet.


Subnet
Directed-Broadcast
Address
0
1
2
3
4
5
6
7
Subnets
Activity Procedure
_________________________________________________________________________
_________________________________________________________________________
_________________________________________________________________________

for this subnet.


5. Complete this table to define the subnets.
Subnet
Directed-Broadcast
Address
0
1
2
3
4
5
6
7
Given a network address, you can determine the number of possible network addresses and
the binary subnet mask to use
Given a network IP address and subnet mask, you can apply the mask to determine the
range of subnet addresses
You can apply subnet masks to identify the host addresses that can be assigned to a subnet and
the associated broadcast addresses.

Lab 4-5: Performing Initial Router Startup
Activity Objective
In this activity, you will connect to your remote workgroup router, ensure that it is
unconfigured, and examine the startup process. After completing this activity, you will be able
to meet these objectives:
Remove any existing residual router configuration
Restart the router and observe the output
Decline the initial configuration dialog request when the restart process completes
Visual Objective
Performing Initial Router Startup
10.9.9.3
10.8.8.3
10.7.7.3
10.6.6.3
10.5.5.3
10.4.4.3
10.3.3.3
10.2.2.3
Router IP
Address
255.255.255.0 RouterH
255.255.255.0 RouterG
255.255.255.0 RouterF
255.255.255.0 RouterE
255.255.255.0 RouterD
255.255.255.0 RouterC
255.255.255.0 RouterB
255.255.255.0 RouterA
Subnet Mask
Workgroup
Hostname

Required Resources
Your assigned pod access information from Lab 2-1
Command List
Router Cisco IOS Commands
Command Description
enable Enters the privileged EXEC mode command interpreter.
erase startup-config Erases the startup configuration from memory.
Reload Reboots the router to make your changes take effect.
Job Aids
Current Passwords
Router console login None
Router enable password None
Router enable secret password None
Router vty login user ID None
Router vty login password None
Switch console login sanjose
Switch vty login user ID netadmin
Switch vty login password netadmin
Task 1: Remove Any Residual Configuration from Your Router
In this task, you will start the workgroup router and verify that the router starts correctly. The
router may have the default configuration which supports initial configuration using Cisco
SDM (Router and Security Device Manager) and requires the username cisco and the password
cisco to gain access to the enable prompt.
Activity Procedure
Step 1 Connect to your workgroup router using the access information from Lab 2-1, also
refer to visual objective for IP address information.
Step 2 If prompted for a username and password, user cisco for both. If not proceed to next
step.
Step 3 If the prior step did not result in being enabled, enter the command to get to the
enable prompt.
Step 4 Enter the command erase startup-config, Confirm that you do wish to continue.
Your output should be similar to the example below.
Username: cisco
Password:
yourname#erase startup-config
Erasing the nvram filesystem will remove all configuration files! Continue? [confirm]
[OK]
yourname#
*Apr 24 00:16:13.683: %SYS-7-NV_BLOCK_INIT: Initialized the geometry of nvram
yourname#
You have erased the startup configuration
Task 2: Reload the Router and Observe the Startup Output
In this task, you will observe the output of the router. This should be similar to the output
obtained when you observed your workgroup switch being reloaded.
Activity Procedure
Step 1 Enter the command reload. Confirm the question to continue with reload using the
ENTER key. Your output should resemble the example below
yourname#reload
Proceed with reload? [confirm]
.
Step 2 Observe the output as the reload progresses. You will have to wait a few minutes for
all the output and a final prompt. Your output should be similar to the example
below, which has been edited to reduce the length of some lines.
*Apr 24 00:18:02.043: %SYS-5-RELOAD: Reload requested by cisco on console.
Reload Reason: Reload Command.

System Bootstrap, Version 12.4(13r)T, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 2006 by cisco Systems, Inc.

Initializing memory for ECC
.
c2811 platform with 262144 Kbytes of main memory
Main memory is configured to 64 bit mode with ECC enabled

Upgrade ROMMON initialized
program load complete, entry point: 0x8000f000, size: 0xcb80

program load complete, entry point: 0x8000f000, size: 0x228d9f8
Self decompressing the image :
##############################################################################
########################################### [OK]

Smart Init is enabled
smart init is sizing iomem
ID MEMORY_REQ TYPE
0003E7 0X003DA000 C2811 Mainboard
0X00263F50 Onboard VPN
0X000021B8 Onboard USB
0X002C29F0 public buffer pools
0X00211000 public particle pools
TOTAL: 0X00B13AF8

If any of the above Memory Requirements are
"UNKNOWN", you may be using an unsupported
configuration or there is a software problem and
system operation may be compromised.
Rounded IOMEM up to: 12Mb.
Using 4 percent iomem. [12Mb/256Mb]



cisco Systems, Inc.

Cisco IOS Software, 2800 Software (C2800NM-ADVIPSERVICESK9-M), Version
12.4(12), RELEASE SOFTWARE (fc1)
Compiled Fri 17-Nov-06 12:02 by prod_rel_team
Image text-base: 0x40093160, data-base: 0x42B00000



export@cisco.com.

Cisco 2811 (revision 49.46) with 249856K/12288K bytes of memory.
Processor board ID FTX1108A3G8
2 Low-speed serial(sync/async) interfaces
1 Virtual Private Network (VPN) Module
DRAM configuration is 64 bits wide with parity enabled.
239K bytes of non-volatile configuration memory.
62720K bytes of ATA CompactFlash (Read/Write)


Step 3 Answer no to the question Would you like to enter the initial configuration
dialog? Wait until the output has completed before pressing the Enter key to get a
prompt.



sslinit fn

*Apr 24 00:19:27.795: %VPN_HW-6-INFO_LOC: Crypto engine: onboard 0 State
changed to: Initialized
*Apr 24 00:19:27.799: %VPN_HW-6-INFO_LOC: Crypto engine: onboard 0 State
changed to: Enabled
*Apr 24 00:19:29.059: %LINEPROTO-5-UPDOWN: Line protocol on Interface VoIP-
Null0, changed state to up
*Apr 24 00:19:29.059: %LINK-3-UPDOWN: Interface FastEthernet0/0, changed state
to up
to up
*Apr 24 00:19:29.063: %LINK-3-UPDOWN: Interface Serial0/0/0, changed state to
down
*Apr 24 00:19:29.063: %LINK-3-UPDOWN: Interface Serial0/0/1, changed state to
down
*Apr 24 00:19:30.483: %LINEPROTO-5-UPDOWN: Line protocol on Interface
FastEthernet0/0, changed state to down
Serial0/0/0, changed state to down
FastEthernet0/0, changed state to up
*Apr 24 00:29:25.479: %IP-5-WEBINST_KILL: Terminating DNS process
*Apr 24 00:29:26.659: %LINK-5-CHANGED: Interface FastEthernet0/0, changed
state to administratively down
*Apr 24 00:29:26.659: %LINK-5-CHANGED: Interface FastEthernet0/1, changed
state to administratively down
*Apr 24 00:29:26.659: %LINK-5-CHANGED: Interface Serial0/0/0, changed state to
administratively down
*Apr 24 00:29:26.659: %LINK-5-CHANGED: Interface Serial0/0/1, changed state to
*Apr 24 00:29:26.991: %SYS-5-RESTART: System restarted --
*Apr 24 00:29:26.995: %SNMP-5-COLDSTART: SNMP agent on host Router is
undergoing a cold start
*Apr 24 00:29:27.203: %SYS-6-BOOTTIME: Time taken to reboot after reload =
684 seconds
*Apr 24 00:29:27.383: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is OFF
<ENTER>
Router>
You have reloaded your workgroup router
You have declined the initial configuration dialog
Lab 4-6: Performing Initial Router Configuration
Activity Objective
In this activity, you will perform the initial minimal configuration. After completing this
Use the setup command to apply a minimal configuration for router operation
Use show commands to validate your configuration
Visual Objective
Performing Initial Router Configuration
10.9.9.3
10.8.8.3
10.7.7.3
10.6.6.3
10.5.5.3
10.4.4.3
10.3.3.3
10.2.2.3
Router IP
Address
255.255.255.0 RouterH
255.255.255.0 RouterG
255.255.255.0 RouterF
255.255.255.0 RouterE
255.255.255.0 RouterD
255.255.255.0 RouterC
255.255.255.0 RouterB
255.255.255.0 RouterA
Subnet Mask
Workgroup
Hostname

Required Resources
Command List
Command Description
setup Enters the initial configuration dialog mode.
show running-config Displays the router configuration settings that are currently
in effect.
show startup-config Displays the router configuration settings that are stored in
NVRAM.
Job Aids
Current Passwords
Router console login none
Router enable password none
Router enable secret password none
Router vty login user ID none
Router vty login password none
Task 1: Enter the Initial Configuration Using the setup
Command
In this task, you will use the initial configuration dialog to enter basic router configuration.
Activity Procedure
Step 1 If you are not continuing from Lab 4-5m then connect to your workgroup router
using the access information from Lab 2-1 and refer to the visual objective for IP
address and subnet mask information.
Step 2 Enter the enable command to get into the privileged EXEC mode.
Step 3 At the enable prompt enter the command setup. This command starts the initial
configuration dialog.
Step 4 Enter yes to the question Continue with configuration dialog?
Continue with configuration dialog? [yes/no]: yes

At any point you may enter a question mark '?' for help.
Use ctrl-c to abort configuration dialog at any prompt.
Default settings are in square brackets '[]'.

Step 5 Enter no to the question Would you like to enter basic management setup?
Basic management setup configures only enough connectivity
for management of the system, extended setup will ask you
to configure each interface on the system

Would you like to enter basic management setup? [yes/no]: no

Step 6 Enter yes to the question First, would you like to see the current interface
summary? Your output should look similar to the following display:
First, would you like to see the current interface summary? [yes]: yes

Interface IP-Address OK? Method Status Protocol
FastEthernet0/0 unassigned YES unset administratively down down
FastEthernet0/1 unassigned YES unset administratively down down
Serial0/0/0 unassigned YES unset administratively down down
Serial0/0/1 unassigned YES unset administratively down down

Configuring global parameters:

Step 7 Enter your assigned workgroup router hostname at the prompt Enter host name,
where x in the example below is your workgroup letter (A, B, C, D, E, F, G or H).
Enter host name [Router]: RouterX

Step 8 Enter the enable secret password at the prompt Enter enable secret.

The enable secret is a password used to protect access to privileged EXEC and
configuration modes. This password, after entered, becomes encrypted in the
configuration.

Enter enable secret: sanfran

Step 9 Enter the enable password at the prompt Enter enable password.

The enable password is used when you do not specify an enable secret password,
with some older software versions, and some boot images.

Enter enable password: cisco

Step 10 Enter the vty password at the prompt Enter virtual terminal password.

The virtual terminal password is used to protect access to the router over a network
interface.

Enter virtual terminal password: sanjose

Step 11 Enter no to the question Configure SNMP Network Management?
Configure SNMP Network Management? [no]:no

Step 12 Enter yes to the question Configure IP?
Configure IP? [yes]:yes

Step 13 Enter no to the question Configure RIP routing?
Configure RIP routing? [yes]: no

Step 14 Enter no to the question Configure CLNS?
Configure CLNS? [no]:no

Step 15 Enter no to the question Configure bridging?
Configure bridging? [no]:no

Step 16 Enter yes to the question Do you want to configure FastEthernet0/0 interface?
Configuring interface parameters:

Do you want to configure FastEthernet0/0 interface? [no]: yes

Step 17 Enter no to the question Use the 100 Base-TX (RJ-45) connector?
Use the 100 Base-TX (RJ-45) connector? [yes]:no

Step 18 Enter no to the question Operate in full-duplex mode?
Operate in full-duplex mode? [no]:no

Step 19 Enter yes to the question Configure IP on this interface?
Configure IP on this interface? [no]: yes

Step 20 Enter the IP address of your assigned workgroup router. (See the visual objective for
this lab.)
IP address for this interface: 10.x.x.3

Step 21 Enter the subnet mask of your assigned workgroup router. Notice that the Cisco IOS
Software can calculate the IP addressing class.
Subnet mask for this interface [255.0.0.0] : 255.255.255.0
Class A network is 10.0.0.0, 24 subnet bits; mask is /24

Step 22 Enter no to the question Do you want to configure FastEthernet0/1 interface?
Do you want to configure FastEthernet0/1 interface? [no]:no

Step 23 Enter no to the question Do you want to configure Serial0/0/0 interface?
Do you want to configure Serial0/0/0 interface? [no]:no

Step 24 Enter no to the question Do you want to configure Serial0/0/1 interface?
Do you want to configure Serial0/0/1 interface? [no]:no

Step 25 Enter no to the question Would you like to go through AutoSecure configuration?
Would you like to go through AutoSecure configuration? [yes]: no
AutoSecure dialog can be started later using "auto secure" CLI

Step 26 The setup process outputs the configuration script that can be applied depending on
your answer to the question that follows. Notice that by default the router has only
five (0 to 4) vty lines preconfigured. You may recall that the switch had 16 ( 0 to
15). You will need to press the Spacebar when prompted with --More-- to get
additional output.
The following configuration command script was created:

hostname RouterX
enable secret 5 $1$.dET$BDxkofHF3aAsRthe/c0.c.
line vty 0 4
password sanjose
no snmp-server
!
ip routing
no clns routing
no bridge 1
!
no shutdown
half-duplex
ip address 10.x.x.3 255.255.255.0
no mop enabled
!
shutdown
no ip address
!
interface Serial0/0/0
shutdown
no ip address
!
shutdown
no ip address
dialer-list 1 protocol ip permit
!
end

[0] Go to the IOS command prompt without saving this config.
[1] Return back to the setup without saving this config.
[2] Save this configuration to nvram and exit.

Enter your selection [2]:2
Step 27 Enter 2 to save this configuration to NVRAM and exit.
Step 28 Observe the output displayed. You may see that the running Cisco IOS version
announces that the hostname does not match the latest CLI standards; however, the
name is accepted.
[OK]
to up
Use the enabled mode 'configure' command to modify this configuration.

RouterX#
You have entered your workgroup router configuration information using the setup
command
You have selected the option to save and exit on completion of the configuration dialog
Task 2: Validate the Router Configuration
You will use the show commands to check that the router configuration matches your
requirements, and is saved to the startup configuration in the startup-config file.
Activity Procedure
Step 1 Enter the command show running-config. Observe the output, validate that the
passwords are set and match those you entered in Task 1, also check that the
interface FastEthernet 0/0 has the IP address assigned for your workgroup router and
does not have the shutdown command applied to the interface. Below is an excerpt
from the output; your display should be similar.
..Text omitted!
..
!
ip address 10.x.x.3 255.255.255.0
duplex half
speed auto
no mop enabled
!
no ip address
shutdown
duplex auto
speed auto
!
..Text omitted!
Step 2 Enter the command show startup-config. Observe the output and validate that the
information you verified in Step 1 above matches. This demonstrates that the setup
command saved the configuration to both the running configuration and startup
configuration.
Your output of the show running-config command matched your input in Task 1.
Your startup configuration was the same as your running configuration.
Lab 4-7: Enhancing the Security of Initial Router
Configuration
Activity Objective
In this activity, you will increase the security of the router following its initial configuration.
After completing this activity, you will be able to meet these objectives:
Add password protection to the console line
Use the Cisco IOS configuration command to encrypt all passwords
Add a banner message to the login process
Increase the remote management security of the router by adding the SSH protocol to the
vty lines
Visual Objective
10.9.9.3
10.8.8.3
10.7.7.3
10.6.6.3
10.5.5.3
10.4.4.3
10.3.3.3
10.2.2.3
Router IP
Address
255.255.255.0 RouterH
255.255.255.0 RouterG
255.255.255.0 RouterF
255.255.255.0 RouterE
255.255.255.0 RouterD
255.255.255.0 RouterC
255.255.255.0 RouterB
255.255.255.0 RouterA
Subnet Mask
Workgroup
Hostname
Visual Objective for Lab 4-7 Enhancing
the Security of Initial Router Configuration

Required Resources
Your assigned pod access information from Lab 4.1
Command List
Command Description
banner login Allows the configuration of a message which will be displayed at
the time of the login process.
configure terminal From privileged EXEC mode, enters global configuration mode.
copy running-config startup-
config
Copies the switch running configuration file to the startup
configuration file which is held in local NVRAM.
crypto key generate rsa Generates the RSA key pairs to be used.
enable Activates the privileged EXEC mode. In privileged EXEC mode,
more commands are available. This command requires you to
enter the enable password if an enable password is configured.
end This configuration command terminates the configuration mode.
exit Exits the current configuration mode.
ip domain-name name Supplies an IP domain name, which is required by the crypto key
generation process.
ip ssh version [1 | 2] Specifies the version of Secure Shell (SSH) to be run. To disable
the version of SSH that was configured and to return to
compatibility mode, use the no form of this command.
line console 0 Specifies the console line and enters line configuration mode.
allow access to the switch for remote network management. The
number of vty line available is dependant on the Cisco IOS
Software version. Typical values are 0 to 4 and 0 to 15
(inclusive).
login Activates the login process on the console or vty lines.
login local Activates the login process on the console or vty lines to require
using the local authentication database.
logout Exits the EXEC mode requiring reauthentication (if enabled).
password Assigns a password to the console or vty lines.
service password-encryption Enable the service which will encrypt all passwords in the
running configuration.
show ip ssh Show the current settings of the SSH protocol.
show running-config Displays the router configuration settings that are currently in
effect.
transport input telnet ssh Specifies which protocols to use to connect to a specific line of
the router.
username username password
password
Creates a username and password pair, which can then be used
as a local authentication database.
Job Aids
Current Passwords
Router console login none
Router enable password cisco
Router enable secret password sanfran
Router vty login user ID none
Router vty login password sanjose
Task 1: Add Password Protection to Console Port
Following the initial configuration of the router, where passwords have been configured for the
vty lines, a potential security hole exists because the console port currently is not protected by a
password at all. Use the password sanjose for the console line unless your instructor has given
you a different password, which you should record below.

Activity Procedure
Step 1 Connect to your remote workgroup router via the console server. You will need to
use the VTY password configured earlier to get to the user EXEC mode.
Step 2 Enter the enable command and password to get to the enable EXEC prompt.
Step 3 At the enable prompt of your assigned router, enter config t.
Step 5 At the line console configuration mode, enter the command password password.
Use the same password that is set for the vty lines.
Step 6 Enter the command login, which will require a password to be supplied to access the
router via the console in future.
Step 7 Enter the end command to exit the configuration mode.
Step 8 Enter the show running-config command and observe the output to see that you
have correctly configured line console 0 and vty lines 0-4. Your output should be
similar to the example below, where the line configuration is shown in bold text.
You will observe that the passwords for both the line console and vty lines are stored
in cleartext.
RouterX#show running-config
..
..Text omitted
..
!
line con 0
password sanjose
login
line aux 0
line vty 0 4
password sanjose
login
!
end
Step 9 Test your configured password by logging out of and back into the router via the
console.
Step 10 Enter the command logout.
Step 11 Use the Enter key to get a password prompt.
Step 12 Supply the password that you just configured to get to the user EXEC prompt.
Step 13 Enter the command and password to get to the enable EXEC prompt.
Step 14 Your output for Steps 10 though 13 should be similar to the example below.
RouterX#logout

..
..

RouterX con0 is now available


..
..


Password:
RouterX>enable
Password:
RouterX#
You configured the console line to require a password
You inspected the configuration and observed that the line passwords are stored in cleartext
You tested the login process and password access to the console line successfully
Your output matches the example in Step 14
Task 2: Activate Password Encryption Service
As discussed in the previous task, some passwords are stored in cleartext. This can be a security
issue when the configurations are transmitted and stored on remote file systems. In this task
you will configure the password encryption service to secure all cleartext passwords with
encryption.
Activity Procedure
Step 1 From the enable EXEC prompt enter the command to get to global configuration
mode.
Step 2 Enter the command service password-encryption.
Step 3 Enter the command to return to the enable EXEC prompt.
Step 4 Enter the command to see the running configuration. Concentrate on the first few
lines and the last few lines of the configuration, to see that your command is now
active and the effect it has on the line passwords. Your output should be similar to
the example below, with bold text highlighting output of particular interest.
RouterX#configure terminal
RouterX(config)#service password-encryption
RouterX(config)#end
RouterX#
*Mar 16 20:19:40.509: %SYS-5-CONFIG_I: Configured from console by console

!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
!
..
..Text omitted
..

!
!
line con 0
password 7 051807012B435D0C
login
line aux 0
line vty 0 4
login
!
scheduler allocate 20000 1000
!
end
You have enabled the password encryption service.
You have displayed the running configuration and observed the encryption of the line
passwords.
You have saved your running configuration.
Task 3: Apply a Login Banner
As part of any security policy, it is necessary to ensure that network resources are clearly
identified as being off limits to the casual visitor, hackers have in the past used the fact that a
welcome screen was presented at login, as a (successful) legal defense. A message that
clearly states that access is restricted should be presented when an attempting to access a
network device (switch, router, and so on). The banner Cisco IOS configuration command
allows this to be done.
Activity Procedure
Step 2 Enter the command banner login %. The percent sign is the opening delimiter of
the text that will form the message.
Step 3 Enter text to form your message followed by %. Do NOT include a percent sign in
your text; it will be interpreted as the closing delimiter of your message. Below is an
example of the output of the configuration of a banner message.
RouterX#configure terminal
RouterX(config)#banner login %
Enter TEXT message. End with the character '%'.
********** Warning *************

**************************************************************^C

RouterX(config)#end
Step 4 Enter the command to display the running configuration. Your output should be
similar to the example below, which has been edited to show just the banner
configuration. Notice that your text delimiter has been replaced with a ^C, which is a
nontext control character.
!
banner login ^C
********** Warning *************

**************************************************************^C
!
Step 5 Use the logout command to end your console session. Then log back in to the enable
prompt. Observe the display to see your banner message being presented, prior to
password entry. Your output should be similar to the example below, which has
been edited to reduce space.
RouterX#logout

RouterX con0 is now available


********* Warning *************

**************************************************************


Password:
RouterX>en
Password:
RouterX#
Step 6 Enter the command to save the running configuration to NVRAM.
You have configured a login banner message which clearly states that access is restricted to
the router
You have tested the login message, and it does give a warning prior to password prompt
You have saved your configuration
Task 4: Enable SSH Protocol for Remote Management
In a previous task, you protected the passwords by using encryption. However, if the process of
remote management uses the Telnet protocol, which sends all characters in cleartext including
passwords, the potential exists for packet capture and exploitation of the information. In this
task, you will configure the Secure Shell (SSH) protocol as an alternative to Telnet. If it is
possible in your environment, it would be best to the replace Telnet with SSH.
Activity Procedure
Step 1 At the enable EXEC prompt enter the command to access the global configuration
prompt.
Step 2 The SSH protocol requires the use of a username and password pair. These have not
yet been configured, so you will do that now. Enter the command username
netadmin password netadmin. It this example, you use a simple username, but in a
real-world environment, a much stronger username and password must be used.
Step 3 Enter the command ip domain-name domain-name. The generation of a SSH
cryptographic key requires that both the hostname and domain name be configured.
The hostname is already configured, so it is necessary to configure the domain
name. Normally you would use the domain name of your organization; in the lab,
you will use cisco.com.
Step 4 Enter the command crypto key generate rsa. You are prompted for a key size; 512
is the default, but you will enter 1024. Your output should be similar to the example
below, which is edited to include only those lines pertaining to this task.
RouterX(config)#username netadmin password netadmin
RouterX(config)#ip domain-name cisco.com
RouterX(config)#crypto key generate rsa
The name for the keys will be: RouterX.cisco.com
Choose the size of the key modulus in the range of 360 to 2048 for your
General Purpose Keys. Choosing a key modulus greater than 512 may take
a few minutes.

How many bits in the modulus [512]: 1024
% Generating 1024 bit RSA keys, keys will be non-exportable...[OK]

RouterX(config)#
*Mar 16 20:32:15.613: %SSH-5-ENABLED: SSH 1.99 has been enabled
Step 5 Enter the command ip ssh version 2 to specify the required SSH version.
Step 7 Enter the command login local. This changes the login process to use the locally
configured username and password pairs.
Step 8 Enter the command transport input telnet ssh. This configures the five vty lines to
support both Telnet or SSH. Your output should be similar to the example below.
RouterX(config)#line vty 0 4
RouterX(config-line)#login local
RouterX(config-line)#transport input telnet ssh
Step 9 Enter the command to return to enable EXEC prompt.
Step 10 Enter the command show ip ssh.
RouterX#show ip ssh
SSH Enabled - version 2.0
Authentication timeout: 120 secs; Authentication retries: 3
Step 11 To test your configuration you need to make a VPN tunnel connection to the remote
lab using the method from Lab 2-1. You may get a security warning regarding the
crypto key; accept the key by clicking the Yes button in the popup window.
Step 12 On your PC, open your SSH terminal client application. Use the IP address of your
workgroup router (10.x.x.3), and the username and password pair that you
configured in Step 2 of this task.
Step 13 Below is an example of a successful connection using the PuTTY application using
SSH.

Step 14 Open the Windows Command window and enter the command telnet 10.x.x.3 (enter
the IP address of your workgroup router). Your output should be similar to the
example below.

Step 15 Enter the username and password in the new Telnet Command window that
automatically opens. Having established that Telnet is working simultaneously with
SSH, type logout at the user EXEC prompt and close your Command window by
typing exit at the Command window prompt. Your output should be similar to the
example below.

You configured the vty lines to support the SSH version 2 protocol
You successfully connected directly to your workgroup router using SSH and Telnet, thus
proving both are being supported simultaneously
You saved your configuration

Lab 4-8: Using Cisco SDM to Configure DHCP
Server Function
Activity Objective
In this activity, you will use Cisco SDM to configure DHCP server functionality on your
workgroup router. After completing this activity, you will be able to meet these objectives:
You will use Cisco SDM to configure a DHCP pool of addresses
You will use Cisco SDM to verify at least one DHCP client has received an address from
the pool just created
You will use Cisco IOS commands to locate the switch port through which the DHCP
client is attaching to your workgroup switch
Visual Objective
10.9.9.3 /24
10.8.8.3 /24
10.7.7.3 /24
10.6.6.3 /24
10.5.5.3 /24
10.4.4.3 /24
10.3.3.3 /24
10.2.2.3 /24
Router IP Address
10.9.9.11 /24 H
10.8.8.11 /24 G
10.7.7.11 /24 F
10.6.6.11 /24 E
10.5.5.11 /24 D
10.4.4.11 /24 C
10.3.3.11 /24 B
10.2.2.11 /24 A
Switch IP Address Pod
Visual Objective for Lab 4-8 Using Cisco
SDM to Configure DHCP Server Function

Required Resources
Your assigned pod access information from Lab 4.1
Command List
Router and Switch Cisco IOS Commands
Command Description
ping Used to diagnose basic network connectivity.
show mac-address-table dynamic Displays dynamic MAC address table entries only; use
the command in privileged EXEC mode.
show ip arp Used to display the ARP cache.
Job Aids
This job aid is available to help you complete the lab activity.
Table 1: DHCP Server Pool Information
Work
group
DHCP Pool
Name
DHCP Pool
Network/Mask
Starting IP Ending IP Default
Router
Lease Time
(Days:
Hrs:Mins)
A wgA_clients 10.2.2.0/24 10.2.2.150 10.2.2.199 10.2.2.3 0:0:5
B wgB_clients 10.3.3.0/24 10.3.3.150 10.3.3.199 10.3.3.3 0:0:5
C wgC_clients 10.4.4.0/24 10.4.4.150 10.4.4.199 10.4.4.3 0:0:5
D wgD_clients 10.5.5.0/24 10.5.5.150 10.5.5.199 10.5.5.3 0:0:5
E wgE_clients 10.6.6.0/24 10.6.6.150 10.6.6.199 10.6.6.3 0:0:5
F wgF_clients 10.7.7.0/24 10.7.7.150 10.7.7.199 10.7.7.3 0:0:5
G wgG_clients 10.8.8.0/24 10.8.8.150 10.8.8.199 10.8.8.3 0:0:5
H wgH_clients 10.9.9.0/24 10.9.9.150 10.9.9.199 10.9.9.3 0:0:5
Current Passwords
Router console login sanjose
Router vty login user ID netadmin
Router vty login password netadmin
Task 1: Configuring the Router to Support Web-Based
Applications, a User with Privilege 15, and Telnet and SSH
This task will provide you with practice on enabling Cisco SDM on a router that has been
configured using the Cisco IOS startup sequence or the CLI. If you erased the factory startup
configuration in order to use the Cisco IOS startup sequence, you can still use Cisco SDM. To
do so, you must configure the router to support web-based applications, configure it with a user
account defined with privilege level 15, and then configure it to support the Telnet and SSH
protocols. These changes can be made using a Telnet session or using a console connection.
Activity Procedure
Step 1 Connect to your remote workgroup router via the console server, and enter the
necessary commands and passwords to get to the enable EXEC prompt.
Step 2 The current configurations have the HTTP service already enabled. However, it is
preferable to use the secure HTTP services (HTTPS). To enable the HTTP/HTTPS
server on your workgroup router, enter the ip http secure-server command.
Router(config)# ip http secure-server
Note The ability to support the secure server depends on the Cisco IOS version running on the
router. If HTTPS were not supported, then the HTTP server could still be enabled.
Step 3 It is also necessary to configure the HTTPS services with the method to be used for
authentication. To enable the workgroup router HTTP/HTTPS server authentication
method, enter the ip http authentication local command in global configuration
mode.
Router(config)# ip http authentication local
Step 4 To modify your netadmin user account to a privilege level of 15 (full enable
privileges), enter the username netadmin privilege 15 command in global
configuration mode.
Router(config)# username netadmin privilege 15
Task 2: Use Cisco SDM to Configure a DHCP Pool
In this task, you will use Cisco SDM to configure a DHCP pool on your workgroup router.
Activity Procedure
Step 1 Open a VPN connection to your remote workgroup.
Step 2 Open a Windows Internet Explorer window and enter your workgroup router IP
address in the Address bar in the form of a URL; for example, https://10.x.x.3.

Step 3 In the new window that opens, enter your netadmin username and password.

Step 4 You may see this message. If so, click Yes to it and any subsequent security
windows.

Step 5 Eventually, you should see the screen below.

Step 6 Choose the Configure tab.

Step 7 New options will appear on the left side of the window. Choose Additional Tasks
(the bottom option).

Step 8 In the Additional Tasks pane, open the DHCP tab, and choose DHCP Pools.

Step 9 In the DHCP Pools pane, choose the Add button.

Step 10 In the Add DHCP Pool window, add the information from Table 1 for your specific
workgroup. When you have finished click the OK button.

Step 11 The Commands Delivery window opens, indicating the status of the transfer of
configuration commands to your workgroup router. When the status indicates
Configuration delivered to router, click the OK button.

Step 12 Wait a few minutes for any clients on your network to obtain an address. Then click
the DHCP Pool Status button.

Step 13 Your DHCP Pool Status should have a similar output, indicating that a client has an
address in the pool range. You may have to use the Refresh button in the main
window to get your display updated.

Step 14 Note the IP address of the DHCP client in the space below.

Step 15 Click the OK button to close the DHCP Pool Status window.
You connected to your workgroup router and opened the Cisco SDM window.
You configured your router to support a DHCP pool.
You used Cisco SDM to confirm that a client obtained an address from the pool.
You noted the actual address of the DHCP client.
Task 2: Using Tools to Correlate Network Information
When you are implementing networks, it is necessary to confirm your configuration, also
maintenance and security tasks require that you are able to find and use network information
for specific reasons. In this activity you will use addressing information you gather to
determine the attachment point of an end system to your network. Other typical reasons for
doing this would be to track down sources of duplicate addresses and trace the path of packets
through a network while troubleshooting.
Activity Procedure
Step 1 Open a SSH connection to your workgroup router.
Step 2 At the enable prompt workgroup router, enter ping IP_address_dhcp_client. Your
output should be similar to the example below.
RouterX#ping 10.10.10.150

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.10.150, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms
Step 3 Enter the show ip arp IP_address_dhcp_client command to obtain the hardware
address (MAC address) that is bound to the IP address you just pinged. Your output
RouterX#show ip arp 10.10.10.150
Protocol Address Age (min) Hardware Addr Type Interface
Internet 10.10.10.150 63 001a.6ca1.eea9 ARPA FastEthernet0/0

Step 4 Note the hardware address (MAC address) of your DHCP client in the space below.

Step 5 Open a console connection to your workgroup switch.
Step 6 At the workgroup switch enable prompt, enter the show mac-address-table
dynamic command to display only the dynamically learned entries. Your output
SwitchX#show mac-address-table dynamic
Mac Address Table
-------------------------------------------

---- ----------- -------- -----
1 001a.6ca1.eea9 DYNAMIC Fa0/11
1 001a.6ca1.eed8 DYNAMIC Fa0/2
1 001a.6dd7.1981 DYNAMIC Fa0/11
1 001a.6dfb.c401 DYNAMIC Fa0/12
Step 7 Using the MAC address from the previous step, identify the port on the switch,
which the DHCP client attaches to the network, and record it in the space below.

Step 8 You have located the switchport through which the DHCP client is entering your
network. If your network consists of any number of switches and routers, you can
use the same process to trace the physical location of any device, given its IP and
MAC (hardware address) addresses.
Step 9 You should close any open connections and the VPN tunnel.
You used the IP address of the DHCP client identified in Task 1, in a ping command.
You used the information from the output of the ping command to identify the MAC
address of that DHCP client.
You used the workgroup switch mac-address-table command to identify the port through
which the DHCP client is accessing the network.
Lab 4-9: Managing Remote Access Sessions
Activity Objective
In this activity, you will use Telnet and SSH connections to access Cisco routers and switches.
After completing this activity, you will be able to meet these objectives:
Be able to initiate, suspend, resume and close a Telnet session from a Cisco router or
switch
Be able to initiate, suspend, resume and close a SSH session from a Cisco router or switch
Visual Objective
Managing Remote Access Sessions
10.9.9.3 /24
10.8.8.3 /24
10.7.7.3 /24
10.6.6.3 /24
10.5.5.3 /24
10.4.4.3 /24
10.3.3.3 /24
10.2.2.3 /24
Router IP Address
10.9.9.11 /24 H
10.8.8.11 /24 G
10.7.7.11 /24 F
10.6.6.11 /24 E
10.5.5.11 /24 D
10.4.4.11 /24 C
10.3.3.11 /24 B
10.2.2.11 /24 A
Switch IP Address Pod

Required Resources
Command List
Cisco IOS Router and Switch Commands
Command Description
Ctrl-Shift-6 x Telnet or SSH escape sequence.
disconnect [session] Disconnect an existing network connection. Optionally a
session number can be entered.
exec-timeout mins [secs] Sets the amount of idle time that can elapse before a
connection is automatically closed.
exit The exit command in EXEC mode exits the active session
(logs off the device).
history size number Sets the number of line held in the history buffer for recall.
Two separate buffers are used, one for EXEC mode
commands and the second for configuration mode
commands.
ip domain-lookup Supplies an IP domain name, which is required by the
crypto key generation process.
line console 0 Enters the line console configuration mode.
logging synchronous Synchronizes unsolicited messages and debug privileged
EXEC command output with solicited device output and
prompts for a specific console port line or vty line.
logout Exits the EXEC mode requiring reauthentication or
reconnection.
resume Switches to another open Telnet, SSH connection.
show sessions Displays information about open Telnet, or SSH
connections.
show users Displays information about the active lines.
ssh ip_address Starts an encrypted session with a remote networking
device using the current users ID. The IP address
identifies the destination device.
telnet ip_address Establishes a Telnet protocol network connection. The IP
address identifies the destination device.
Job Aids
Task 1: Improve the Usability of the Router CLI
In this task, you will enter commands to improve the usability of the CLI as you did for your
workgroup switch. You will increase the number of lines that are stored in the history buffer,
increase the inactivity timer on the console port, and stop attempts to resolve the names of
mistyped commands.
Activity Procedure
necessary commands and passwords to get to the enable mode.
Step 2 The size of the history buffers is 20. You could change this by using the command
terminal history size 100. However, this value would have to be entered every time
you log out of and back into the switch. The history size can be set in the
configuration, associated with the vty and console lines.
Step 3 Enter the command config t to get to the global configuration prompt.
Step 5 Enter the command history size 100 to change the history buffer size.
Step 6 Enter the command exec-timeout 60 to extend the idle timeout value.
Step 7 Enter the command logging synchronous to synchronize unsolicited messages and
debug privileged EXEC command output with the input from the CLI.
Step 8 Enter the command line vty 0 4 to configure the vty lines.
Step 9 Enter the commands to configure the history size to 100 and to synchronize the
messages.
Step 10 Enter the exit command to return to the global configuration mode.
Step 11 Enter the command no ip domain-lookup to disable the resolution for symbolic
names.
Step 12 Enter the command end to return to enable EXEC prompt.
Step 13 Use the history recall to enter the show terminal command. Your output should be
similar to the example below, which has been edited to reduce unwanted lines.
RouterX#show terminal
..
..Text omitted
..
Editing is enabled.
Allowed output transports are pad telnet rlogin lapb-ta mop v120 ssh.
Step 14 Enter the show running-config command to view the running configuration to
confirm that the configuration changes you made are correct.
Step 15 When you are satisfied that your running configuration reflects the changes. save it
to startup-config.
The inactivity timeout on the console line is set to 60 minutes.
You have verified that the history buffer value is set to 100 lines on the console and vty
lines.
You have verified that logging synchronous is configured on the console and vty lines.
You have verified that IP domain lookup is disabled.
You saved your running configuration to startup-config.
Task 2: Connect to Your Remote Workgroup via VPN Tunnel
In this task you will open a VPN connection to your remote workgroup and then login to your
assigned workgroup router using the terminal emulation application. Use the username and
password netadmin. You will then increase the VTY lines automatic idle timeout to 30
minutes for the duration of this lab on your workgroup router.
Activity Procedure
Step 1 From your PC, open a VPN connection to your designated workgroup.
Step 2 From your PC, use PuTTY to connect to the IP address of your workgroup router
and get to the enable EXEC prompt. Use the username and password netadmin
during this activity.
Step 3 Get to the enable EXEC prompt and enter the command show sessions. Your output
should look similar to the following display:
login as: netadmin

********** Warning *************

**************************************************************^C
netadmin@10.10.10.3's password:

RouterX#show sessions
% No connections open
RouterX#

Step 4 Enter the command show users to see the current users connected to your
workgroup router. Your output should look similar to the following display:
RouterX#sh users
Line User Host(s) Idle Location
*322 vty 0 netadmin idle 00:00:00 10.10.10.134
Interface User Mode Idle Peer Address

Step 5 The user netadmin is associated with the address of your PC, because of the VPN
connection you made in Step 2 of this task.
Step 6 Enter the command conf t to get to the global configuration prompt.
Step 7 Enter the command line vty 0 4 to get to the VTY line configuration mode.
Step 8 Enter the command exec-timeout 30 to extend the idle timer period to 30 minutes.
Step 9 Return to the EXEC prompt by entering the command end. Your output should look
similar to the following display:
RouterX#conf t
RouterX(config-line)#exec-timeout 30
RouterX(config-line)#end
RouterX#
You connected from your PC to your remote workgroup router using PuTTY via VPN
tunnel.
You increased the idle timeout of the router vty lines to 30 minutes.
You used the show sessions command to verify that the router has no open sessions at this
time.
You used the show users command to identify that you are the only user currently
connected to your router.
Task 3: Using the Cisco IOS CLI Commands to Control Telnet
and SSH Sessions
In this task, you will practice the initiation, suspension, and resumption of Telnet and SSH
sessions from the Cisco IOS CLI. Use the username and password netadmin during this
activity. You will also increase the vty line automatic idle timeout to 30 minutes for the
duration of this activity on your workgroup switch.
Activity Procedure
Step 1 From your workgroup router, open a Telnet session to your assigned workgroup
switch, using the telnet ip_address command.
Step 2 Enter the command to get to the enable EXEC prompt. Your output should look
RouterX#telnet 10.10.10.11
Trying 10.10.10.11 ... Open

********** Warning *************

**************************************************************


Username: netadmin
Password:
SwitchX>enable
Password:
SwitchX#
Step 3 Enter the command conf t to get to the global configuration prompt.
Step 4 Enter the command line vty 0 15 to get to the VTY line configuration mode.
Step 5 Enter the command exec-timeout 30 to extend the idle timer period to 30 minutes.
Step 6 Return to the EXEC prompt by entering the command end. Your output should look
SwitchX#conf t
SwitchX(config-line)#exec-timeout 30
SwitchX(config-line)#end
SwitchX#
Step 7 Enter the escape sequence Ctrl-Shift-6, x to suspend the session and get the
RouterX# prompt.
Step 8 Enter the command show sessions to display the currently active sessions. Your
output should look similar to the following display with the exception that the
escape sequence has been indicated in bold text:
SwitchX#<cntrl+shift+6,x>
Conn Host Address Byte Idle Conn Name
* 1 10.10.10.11 10.10.10.11 0 0 10.10.10.11

RouterX#
Step 9 Enter the command ssh ip_address to open a second connection to your workgroup
switch using the SSH protocol.

Note: You need to enter the password associated with the username netadmin.

Your output should look similar to the following display:
RouterX#ssh 10.10.10.11

********** Warning *************

**************************************************************
Password:

SwitchX>
Step 10 Enter the escape sequence Ctrl-Shift-6, x to suspend the session and get the
RouterX# prompt.
Step 11 Enter the command show sessions to display the currently active sessions. Your
output should look similar to the following display with the exception that the
escape sequence has been indicated in bold text:
SwitchX><ctrl+shift+6,x>
1 10.10.10.11 10.10.10.11 0 4 10.10.10.11
* 2 10.10.10.11 10.10.10.11 0 0

RouterX#
Step 12 Enter the command resume 1 to resume your first connection to the workgroup
switch. Notice that this session has the enable prompt.
<ENTER>
RouterX#resume 1
[Resuming connection 1 to 10.10.10.11 ... ]
<ENTER>
SwitchX#show users
Line User Host(s) Idle Location
* 1 vty 0 netadmin idle 00:00:00 10.10.10.3
2 vty 1 netadmin idle 00:00:22 10.10.10.3

Interface User Mode Idle Peer Address

SwitchX#
Step 13 From your switch, Telnet to your workgroup router without prefixing the address
with Telnet, and notice that you were automatically enabled on the router. Your
output should look similar to the following display:
SwitchX#10.10.10.3
Trying 10.10.10.3 ... Open

********** Warning *************

**************************************************************^C


Username: netadmin
Password:
RouterX#
Step 14 Enter the command show sessions to display any sessions associated with this
connection. Your output should look similar to the following display:
% No connections open
RouterX#
Note At this point in the activity, you have established a Telnet connection from the router to the
switch and a Telnet connection from the switch to the router. Also, you have an SSH
connection from the router to the switch.
Step 15 Your current view is at the router user EXEC via your initial Telnet connection
through the switch. If at this point you use a single escape sequence, you will return
to the Router# prompt (session 1). However, if you use two escape sequences
followed by pressing x, you will return to the switch.
Step 16 Enter the sequence Ctrl-Shift-6, Ctrl-Shift-6, x, and notice that the x is used only
once at the end. You are returned to your switch. Your output should look similar to
the following display:
RouterX#<ctrl-shift-6, ctrl-shift-6, x>
SwitchX#sh sessions
* 1 10.10.10.3 10.10.10.3 0 0 10.10.10.3

SwitchX#
Step 17 Enter the escape sequence Ctrl-Shift-6, x, to suspend the original session initiated
from the router and get the RouterX# prompt. Your output should look similar to the
following display:
SwitchX#<ctrl-shift-6, x>
RouterX#sh sessions
* 1 10.10.10.11 10.10.10.11 0 0 10.10.10.11
2 10.10.10.11 10.10.10.11 0 7

Step 18 Observe the output. The asterisk (*) is by the number 1. This indicates that this is the
active session. If you press the Enter key without adding any other text, the session
will automatically be resumed.
Step 19 Press the Enter key twice. The first resumes the connection to the switch, and the
second is interpreted at the switch to resume its session to the router. You will need
to press Enter a third time to get the router prompt. Your output should look similar
to the following display:
RouterX#<ENTER>
<ENTER>
<ENTER>
RouterX#

Step 20 Enter the sequence Ctrl-Shift-6, Ctrl-Shift-6, x, to return to your switch. Your
RouterX#<ctrl-shift-6, ctrl-shift-6, x>
SwitchX#
Step 21 Close the connection to the router by using the disconnect command. Entering the
command without any numerical value is interpreted as closing the last created
connection. You will need to confirm your requested action. Your output should
look similar to the following display:
SwitchX#disconnect
Closing connection to 10.10.10.3 [confirm]
SwitchX#
Step 22 Remove the modification to the EXEC timeout value by setting it back to its default
value of 10 minutes. Your output should look similar to the following display:
SwitchX#conf t
SwitchX(config-line)#exec-timeout 10
SwitchX(config-line)#end
SwitchX#
Step 23 Use the sequence Ctrl-Shift-6, x, to return to your router and enter the show
sessions command. Your output should look similar to the following display:
SwitchX#<ctrl-shift-6, x>
* 1 10.10.10.11 10.10.10.11 0 1 10.10.10.11
2 10.10.10.11 10.10.10.11 0 39
Step 24 Use the disconnect command to close both connections to the switch. Your output
RouterX#disconnect 1
RouterX#disconnect 2
RouterX#
Step 25 Remove the modification to the EXEC timeout value by setting it back to its default
value of 10 minutes. Your output should look similar to the following display:
RouterX#conf t
RouterX(config-line)#exec-timeout 10
RouterX(config-line)#end
RouterX#
Step 26 Close your SSH connection to your workgroup router by using the logout command.
Then close your VPN connection.
You initiated Telnet connections between your workgroup router and switch.
You initiated SSH connection between your workgroup router and switch.
You used the show sessions command to identify current connections and their values
including active session and session numbers.
You used the show users command to identify currently connected users to your
workgroup router and switch.
You used the escape sequence to suspend the connection (session) that you were using
(active).
You used the resume command to choose which of your open connections (sessions) you
would use.
You returned the exec-timeout command value to 10 minutes on your workgroup router
and switch.
You used disconnect and logout to close all connections.
You terminated the VPN tunnel from your PC to your remote workgroup.
Lab 5-1: Connecting to the Internet
Activity Objective
In this activity, you will be able to configure your WAN Ethernet interface to use a DHCP
obtained IP address, and will provide PAT. After completing this activity, you will be able to
meet these objectives:
Using Cisco SDM to configure the WAN Ethernet interface to use a DHCP obtained IP
address
Using Cisco SDM to configure the router to support PAT of the inside Ethernet interface to
through the WAN Ethernet interface
Using Cisco SDM to verify that the configuration matches the requirements of the lab
Using the CLI to test and observe that PAT is taking place through the WAN Ethernet
interface
Visual Objective
Connecting to the Internet

Required Resources
Command List
Command Description
clear ip nat translation * Uses clear dynamic NAT translations from the translation
table.
ping ip_address Common tool used to troubleshoot the accessibility of
devices. It uses ICMP path echo requests and ICMP
path echo replies to determine whether a remote host is
active. The ping command also measures the amount of
time it takes to receive the echo reply.
show dhcp lease Displays the DHCP addresses leased from a server.
show ip nat translations Displays active NAT translations.
Job Aids
Task 1: Use Cisco SDM to Configure the Ethernet Connection
to the Internet
In this task you will use the Cisco SDM tool to configure your WAN Ethernet connection to
use DHCP to obtain its IP address. This interface will also be used in the NAT port address
translation mode.
Activity Procedure
Step 1 Open a VPN connection to your remote workgroup.
Step 2 Open an Internet Explorer window and enter your workgroup router IP address in
the Address field in the form of a URL; for example, https://10.x.x.3.

Step 3 In the new window that opens, enter your username netadmin and password
netadmin.

Step 4 You may see this window; if so, click Yes to it and any subsequent security
windows.

Step 5 Eventually, you should see the screen below.

Step 6 Choose the Configure tab.

Step 7 Choose the Create Connection tab, and click the Ethernet PPPoE or
Unencapsulated Routing radio button.

Step 8 Click the Create New Connection button at the bottom of the pane.

Step 9 At the Welcome to the Ethernet WAN Configuration Wizard window, click the Next
button at the bottom of the pane.

Step 10 At the Encapsulation window, make no choices. Click the Next button at the bottom
of the pane to proceed.

Step 11 At the IP address window, make no choices. Only the Dynamic (DHCP Client)
radio button should be set. Click Next to proceed.

Step 12 At the Advanced Options window, check the Port Address Translation check box,
You should see FastEthernet0/0 appear automatically in the LAN Interface to Be
Translated box. Click the Next button at the bottom of the pane to proceed.

Step 13 Review the information in the Summary window. Click the Finish button to finalize
the wizard.

Step 14 The configuration commands are transferred. Click the OK button to close the
Commands Delivery Status window.

Step 15 In the Edit Interface/Connection tab that opened up following the previous step,
choose FastEthernet0/1 .

Step 16 Observe that the IP address is set and that it has (DHCP) following the value. Notice
also that in the lower pane, NAT has a value of Outside.
Note You may need to click the Refresh button to force an update of the display.
Step 17 Close both your Cisco SDM session and your VPN connection.
You have verified that the FastEthernet0/1 interface has an address obtained using DHCP.
You have verified in Step 15 that your FastEthernet0/0 interface has been identified as
being an inside interface in the PAT configuration.
You have verified in Step 15 that your FastEthernet0/1 interface has been identified as
being an outside interface in the PAT configuration.
Task 2: Use the CLI to Verify and Observe the Operation of PAT
on Your Workgroup Router
In this task you will connect to your workgroup via the SSH connection. You will use CLI
commands to ping the DHCP provided default gateway IP address. Then observe the PAT
information stored by the workgroup router by using the clear and show ip nat translations
commands.
Activity Procedure
Step 1 Using the SSH-capable terminal emulation application, connect to your assigned
workgroup router.
Step 2 At the enable prompt, enter the show dhcp lease command. Your output should look
similar to the following display, but will be different for each pod.
RouterX#show dhcp lease
Temp IP addr: 172.20.21.5 for peer on Interface: FastEthernet0/1
Temp sub net mask: 255.255.255.0
DHCP Lease server: 172.20.21.254, state: 3 Bound
DHCP transaction id: 1F7E
Lease: 86400 secs, Renewal: 43200 secs, Rebind: 75600 secs
Temp default-gateway addr: 172.20.21.254
Next timer fires after: 11:53:31
Retry count: 0 Client-ID: 001a.6ca1.eed9
Client-ID hex dump: 001A6CA1EED9
Hostname: RouterX
RouterX#
Step 3 Use the clear ip nat translation * command to clear any residual NAT information
before proceeding to the next step.
Step 4 Use the show ip nat translations command to verify that there is no data to display.
RouterX#clear ip nat translation *
RouterX#show ip nat translations

RouterX#
Step 5 Using the IP address of the default router obtained in your output, use the ping
command to test connectivity.
Step 6 Use the show ip nat translations command to observe if any translation was made.

RouterX#
Caution You may be surprised that no entry was made for the ping that you just successfully
completed. The reason for this is in the behavior of the ping process, which uses the IP
address of the outgoing interface as the source IP address in the packets it uses. For the
test that you just did, the outgoing interface (FastEthernet0/1) has the IP address
172.20.x.254, which does not need to be translated. In order to test this, you need to go to
your workgroup switch and repeat the ping command, then return to your router to view the
translation entry.
Step 7 At your workgroup switch user EXEC prompt enter the ping command to the
default router IP address you used in Step 5. Your output should look similar to the
following display:
SwitchX>ping 172.20.21.254

!!!!!
SwitchX>
Step 8 Return to your workgroup router and enter the show ip nat translations command.
Pro Inside global Inside local Outside local Outside global
icmp 172.20.21.5:33 10.10.10.11:33 172.20.21.254:33 172.20.21.254:33
Step 9 Observe that in your output, the inside local IP address was your workgroup switch,
and the inside global IP address was your FastEthernet0/1 interface.
You were able to get the DHCP obtained IP address of the default gateway.
You tested the operation of PAT, using a ping locally generated on your workgroup router.
The show ip nat translation command failed to show any translation because of the
behavior of the ping packets (use of source IP addresses).
You retested the ping, from your workgroup switch and using the show ip nat translation
command. This sequence of packets did generate a translation.

Lab 5-2: Connecting to the Main Office
Activity Objective
In this activity, you will configure the serial connection and configure a static route. After
Configure your serial interface to use PPP
Configure a static route to a given IP network which can be reached via the serial interface
Visual Objective
Connecting to the Main Office

Required Resources
Command List
Command Description
description description Allows descriptive text to be associated with an interface.
interface serial 0/0/0 Enters the interface configuration mode of the interface
specified.
encapsulation ppp Sets PPP as the encapsulation method used by a serial
interface.
ip address ip_address mask Sets the IP address and mask of the interface.
ip route net-prefix prefix-mask
next_hop_ip_address
Establishes a static route to destination.
shutdown
no shutdown
Disables and enables an interface.
ping ip_address Uses ICMP path echo requests and ICMP path echo
replies to determine whether a remote host is active.
show ip route Displays the current state of the routing table.
traceroute ip_addess Discovers the IP routes that packets will actually take
when traveling to their destination.
Job Aids
This job aid is available to help you complete the lab activity.
Table 1: Serial WAN Information
Workg
roup
WAN Interface
s0/0/0 IP Address
Mask 255.255.255.0
Remote WAN
interface IP address
(Next-Hop Router)
Remote Network
Reachable via s0/0/0
Remote Host
Reachable via s0/0/0
A 10.140.1.2 10.140.1.1 192.168.21.0 192.168.21.200
B 10.140.2.2 10.140.2.1 192.168.22.0 192.168.22.200
C 10.140.3.2 10.140.3.1 192.168.23.0 192.168.23.200
D 10.140.4.2 10.140.4.1 192.168.24.0 192.168.24.200
E 10.140.5.2 10.140.5.1 192.168.25.0 192.168.25.200
F 10.140.6.2 10.140.6.1 192.168.26.0 192.168.26.200
G 10.140.7.2 10.140.7.1 192.168.27.0 192.168.27.200
H 10.140.8.2 10.140.8.1 192.168.28.0 192.168.28.200

Current Passwords
Router console login sanjose
Router vty login user ID netadmin
Router vty login password netadmin
Task 1: Configure Your Workgroup Router Serial 0/0/0
In this task you will configure your first serial interface with its assigned IP address. Also, you
will configure the interface to support PPP encapsulation.
Activity Procedure
Step 1 Connect to your assigned workgroup router console port, and get to the EXEC
enable prompt.
Step 2 Enter the command config terminal to get to the global configuration prompt.
Step 3 Enter the command interface s0/0/0 to get to the interface configuration mode of
your first serial interface.
Step 4 Enter the command encapsulation ppp to enable the use of PPP instead of the
default encapsulation of HDLC.
Step 5 Enter the command ip address ip_address 255.255.255.0, where you supply your
WAN IP address from Table 1 at the beginning of this lab.
Step 6 Enter the command description Link to Main Office to associate text with the
interface.
Step 7 Enter the command no shutdown to bring the interface up.
Step 8 Wait a few moments for the status messages to stop. Then enter the command end to
exit to EXEC prompt.
Step 9 Your output for Steps 3 through 8 should look similar to the following display:
RouterX(config)#int s0/0/0
RouterX(config-if)#encapsulation ppp
RouterX(config-if)#ip address 10.140.10.2 255.255.255.0
RouterX(config-if)#description Link to Main Office
RouterX(config-if)#no shutdown
*Mar 26 21:10:35.451: %SYS-5-CONFIG_I: Configured from console by console
RouterX#
*Mar 26 21:10:35.983: %LINK-3-UPDOWN: Interface Serial0/0/0, changed state to up
RouterX#
*Mar 26 21:10:37.015: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0/0,
changed state to up
RouterX(config-if)#end
Step 10 Enter the command show interface s0/0/0 to display the current status of your serial
interface.
Step 11 Notice the bolded lines in the example below, which should be similar to your
output.
RouterX#show interface s0/0/0
Serial0/0/0 is up, line protocol is up
Hardware is GT96K Serial
Description: Link to Main Office
Internet address is 10.140.10.2/24
MTU 1500 bytes, BW 1544 Kbit, DLY 20000 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation PPP, LCP Open
Open: IPCP, CDPCP, loopback not set
Keepalive set (10 sec)
..
Text omitted
Step 12 If your serial interface line protocol is NOT up, then recheck that you entered your
information correctly.
You have correctly configured a username and password pair for PPP to use.
You have configured your interface to use the assigned IP address from Table 1 in this Lab.
You have verified using the show interface command that your serial interface is up, with
the line protocol up.
Task 2: Test Connectivity to Your Assigned Remote Network
You will unsuccessfully test with the ping command the connectivity to your given remote
network, which can only be reached through the serial interface you just configured. You will
then use various Cisco IOS commands to investigate the reason why you cannot reach the
network.
Activity Procedure
Step 1 Enter the ping remote_host command using the assigned IP address of the remote
host from Table 1 above. Your output should look similar to the following display:

U.U.U
Success rate is 0 percent (0/5)
Step 2 Enter the traceroute remote_host command, using the same IP address you used in
Step 1 above. Your output should look similar to the following display:
RouterX#traceroute 192.168.21.200

Tracing the route to 192.168.21.200

1 172.20.21.254 0 msec 4 msec 0 msec
2 172.20.21.254 !H * !H
Step 3 The output should indicate that the packets are being sent to the Internet IP
address via FastEthernet 0/1.
Step 4 Enter the command show ip route to view the current information held in the route
table. Your output should look similar to the following display:
RouterX#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route

Gateway of last resort is 172.20.21.254 to network 0.0.0.0

172.20.0.0/24 is subnetted, 1 subnets
C 172.20.21.0 is directly connected, FastEthernet0/1
10.0.0.0/8 is variably subnetted, 3 subnets, 2 masks
C 10.10.10.0/24 is directly connected, FastEthernet0/0
C 10.140.10.1/32 is directly connected, Serial0/0/0
S* 0.0.0.0/0 [254/0] via 172.20.21.254
Step 5 Notice in the example the two lines that are bolded. These indicate that the only
place that the router can send packets with destination addresses that are not found
on directly connected networks is via the default route. Recall that the default route
is indicated using 0.0.0.0.
You observed using the traceroute command where your packets were being sent.
You observed using the show ip route commands that there is no entry in the routing table
that matches the network you were trying to reach. Also, the routing table has an entry for
forward unknown destinations, known as the gateway of last resort.
Task 3: Add a Static Route Entry for Your Remote Network
You have determined that the reason for the problem in reaching your remote network is that
there is no routing table entry for that network. In this task, you will correct this problem by
adding a static route entry to the configuration. You will then test that this action has corrected
the problem. You should note that in order for your static route to correct this issue, there needs
to be a reciprocal static entry in the distant router pointing back to your workgroup. You can
assume that this has already been done by the administrator of the that router.
Activity Procedure
Step 1 At the enable EXEC prompt, enter the command conf t to get to global
configuration mode.
Step 2 Enter the command ip route remote_network remote_network_mask
IP_next_hop_router, where the information to complete this can be obtained from
Table 1. Your output should look similar to the following display:
RouterX(config)#ip route 192.168.2x.0 255.255.255.0 10.140.x.1
Step 3 Enter the command end to exit the configuration mode and return to the EXEC
prompt.
Step 4 Enter the command show ip route to view the current information held in the route
table. Your output should look similar to the following display:
..
..Text omitted
..

S 192.168.21.0/24 [1/0] via 10.140.10.1
S* 0.0.0.0/0 [254/0] via 172.20.21.254
RouterX#
Step 5 Enter the command ping remote_network_host to test reachability to the remote
network. Your output should look similar to the following display:

!!!!!
RouterX#
Step 6 Enter the command traceroute remote_network_host to display the path taken by
packets going to your remote network. Your output should look similar to the
following display:


1 10.140.10.1 12 msec * 12 msec
Step 7 Notice that because the remote network is only one hop away, there is only one line
in the traceroute output.
You configured a static route entry pointing to the next hop router IP address of your serial
0/0/0 interface in the configuration of your workgroup router.
You used the show ip route command to verify that there is now an entry to your remote
network.
You successfully tested reachability using the ping command.
You used the traceroute command to verify that the path taken was through the IP subnet
used on the serial 0/0/0 interface.
Lab 5-3: Enabling Dynamic Routing to the Main
Office
Activity Objective
In this activity, you will enable the use of the dynamic routing protocol RIP. After completing
Configure RIP on your workgroup router
Verify that RIP is operating
Remove the now unnecessary static route to an adjacent network
Visual Objective
Visual Objective for Lab 5-3 Enabling
Dynamic Routing to the Main Office

Required Resources
Command List
Commands
Command Description
end Terminates the configuration mode.
[no] ip route Removes a previously configured static route.
network network_prefix Specifies a list of networks for the RIP routing process will
use. RIP will send and listen for routing update on
interfaces whose IP address matches the network
specified.
router rip Activates the RIP routing process.
show ip protocol Displays the currently configured values for various
properties of enabled routing protocols.
show ip route Displays the current state of the routing table.
traceroute ip_address Discovers the IP routes that packets will actually take when
traveling to their destination.
version {1 | 2} Specifies the RIP version used globally by the router.
Job Aids
Table 1: Remote Host Information
Workgr
oup
Remote Host IP Address on Networks Reachable via s0/0/0
A 192.168.21.200 192.168.121.200 192.168.221.200
B 192.168.22.200 192.168.122.200 192.168.222.200
C 192.168.23.200 192.168.123.200 192.168.223.200
D 192.168.24.200 192.168.124.200 192.168.224.200
E 192.168.25.200 192.168.125.200 192.168.225.200
F 192.168.26.200 192.168.126.200 192.168.226.200
G 192.168.27.200 192.168.127.200 192.168.227.200
H 192.168.28.200 192.168.128.200 192.168.228.200
These addresses can be used as destination addresses in the ping or traceroute commands.
These are valid only for the workgroup specified.
Task 1: Configure RIP Routing Protocol on Your Workgroup
Router
In this task you configure the RIP routing protocol operation on your workgroup router. You
will then use Cisco IOS commands to verify its operation.
Activity Procedure
Step 1 At the EXEC prompt, enter the show ip route command to display the current route
table entries. Your output should look similar to the following display:
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route


S 192.168.21.0/24 [1/0] via 10.140.10.1
S* 0.0.0.0/0 [254/0] via 172.20.21.254
Step 2 Enter the configure terminal command to get to the global configuration mode.
Step 3 Enter the command router rip to configure the RIP routing protocol.
Step 4 Enter the network 10.0.0.0 command to enable RIP on interfaces whose IP address
matches the network address, in this case network 10.0.0.0.
Step 5 Enter the command end to exit the configuration mode. Your output should look
RouterX#config terminal
RouterX(config)#router rip
RouterX(config-router)#network 10.0.0.0
RouterX(config-router)#end
Step 6 Enter the show ip protocol command to display information about IP routing
protocols configured on your router. Your output should look similar to the
following display:
RouterX#show ip protocol
Routing Protocol is "rip"
Outgoing update filter list for all interfaces is not set
Incoming update filter list for all interfaces is not set
Sending updates every 30 seconds, next due in 0 seconds
Invalid after 180 seconds, hold down 180, flushed after 240
Redistributing: rip
Default version control: send version 1, receive any version
Interface Send Recv Triggered RIP Key-chain
FastEthernet0/0 1 1 2
Serial0/0/0 1 1 2
Automatic network summarization is in effect
Maximum path: 4
Routing for Networks:
10.0.0.0
Routing Information Sources:
Gateway Distance Last Update
Distance: (default is 120)
Step 7 Notice that the output indicates that this router will send version 1 updates, but
will recognize and use version 1 and 2 updates.
Step 8 Enter the commands necessary to configure RIP to use version 2. Your output
RouterX#conf t
RouterX(config)#router rip
RouterX(config-router)#version 2
RouterX(config-router)#end
Step 9 Enter the show ip protocol command to display information about IP routing
protocols configured on your router. Your output should look similar to the
following display:
RouterX#show ip protocol
Routing Protocol is "rip"
Outgoing update filter list for all interfaces is not set
Incoming update filter list for all interfaces is not set
Sending updates every 30 seconds, next due in 28 seconds
Invalid after 180 seconds, hold down 180, flushed after 240
Redistributing: rip
Default version control: send version 2, receive version 2
Interface Send Recv Triggered RIP Key-chain
FastEthernet0/0 2 2
Serial0/0/0 2 2
Automatic network summarization is in effect
Maximum path: 4
Routing for Networks:
10.0.0.0
Routing Information Sources:
Gateway Distance Last Update
10.140.10.1 120 00:00:01
Distance: (default is 120)
Step 10 Notice that RIP will now send and receive only version 2 updates.
You enabled the RIP routing protocol.
You used show ip protocol to verify that it was operational.
You modified your configuration to use only RIP version 2 updates.
You used show ip protocol to verify this change was implemented.
Task 2: Replace the Existing Static Route and Test Connectivity
In this task, you will remove the static route configured in a prior lab. You will also test
connectivity to a remote network leaned via the RIP routing protocol.
Activity Procedure
Step 1 Enter the show ip route command to via the current route table entries. Your output
RouterX#sh ip route
..
..Text omitted
..


R 192.168.121.0/24 [120/1] via 10.140.10.1, 00:00:12, Serial0/0/0
R 192.168.131.0/24 [120/1] via 10.140.10.1, 00:00:12, Serial0/0/0
S 192.168.21.0/24 [1/0] via 10.140.10.1
R 192.168.221.0/24 [120/2] via 10.140.10.1, 00:00:13, Serial0/0/0
S* 0.0.0.0/0 [254/0] via 172.20.21.254
Step 2 Notice that there are more network entries learned via RIP updates. These are
indicated in the display with an R. However a static route is still being used as the
entry for the route to 192.168.2x.0 (where x represents your pod number) network.
This is indicated with an S. This route therefore does not take advantage of the
dynamic updates available using RIP. Recall that the routing table uses the
administrative distance to determine which route should populate the route table.
The value for RIP is 120 and for a static route is 1.
Step 3 Enter the conf terminal command to enter the global configuration mode.
Step 4 Enter the command no ip route 192.168.2x.0 255.255.255.0 10.140.10.1 to remove
the static route entry from the configuration.
Step 5 Enter the end command to exit the configuration mode.
Step 6 Enter the show ip route 192.168.2x.0 command to display only the information for
the route specified. Your output should look similar to the following display:
RouterX#sh ip route 192.168.21.0
Routing entry for 192.168.21.0/24
Known via "rip", distance 120, metric 1
Redistributing via rip
Last update from 10.140.10.1 on Serial0/0/0, 00:00:13 ago
Routing Descriptor Blocks:
* 10.140.10.1, from 10.140.10.1, 00:00:13 ago, via Serial0/0/0
Route metric is 1, traffic share count is 1
Step 7 Enter the traceroute 192.168.22x.200 command to use the ICMP protocol to follow
the path taken to reach the host on the network. Your output should look similar to


1 10.140.10.1 16 msec 12 msec 12 msec
2 192.168.131.253 16 msec * 12 msec
You removed the static route configured in a prior lab.
You verified the removal using show ip route command.
You validated reachability to the network by using traceroute command.
Lab 6-1: Using Cisco Discovery Protocol
Activity Objective
In this activity, you will use Cisco Discovery Protocol to obtain information about directly
attached Cisco devices, also you will disable Cisco Discovery Protocol from running on
selected interfaces. After completing this activity, you will be able to meet these objectives:
Verify that Cisco Discovery Protocol is running on your workgroup router and switch
Display information about neighboring Cisco devices
Limit which interfaces run Cisco Discovery Protocol as a security measure
Verify your changes
Visual Objective
Using Cisco Discovery Protocol

Required Resources
Command List
Command Description
[no] cdp enable Enables Cisco Discovery Protocol on an interface, no
form of the command disables Cisco Discovery Protocol
on an interface.
[no] cdp run Enables Cisco Discovery Protocol globally on a router or
switch, the no form disable Cisco Discovery Protocol
globally.
interface range interface
interfacenumber - interfacenumber
Allows the grouping of interfaces, such that following
interface configuration commands will be applied to all the
interfaces specified simultaneously.
show cdp Displays global Cisco Discovery Protocol information,
including timer and hold-time information
show cdp entry * Displays information about a specific neighboring device
discovered using Cisco Discovery Protocol, the * matches
all current entries.
show cdp interfaces Displays information about the interfaces on which Cisco
Discovery Protocol is enabled.
show cdp neighbors [detail] Displays detailed information about neighboring devices
discovered using Cisco Discovery Protocol.
show cdp traffic Displays information about traffic between devices
gathered using Cisco Discovery Protocol
Job Aids
There are no job aids are available for this lab activity.
Task 1: Use and Control Cisco Discovery Protocol on Your
Workgroup Router
In this task, you will use Cisco Discovery Protocol to obtain information about directly
connected Cisco devices. You will also control which interfaces run Cisco Discovery Protocol,
because the information supplied by Cisco Discovery Protocol can be used by a hacker to
obtain information for launching a security exploit.
Activity Procedure
necessary commands and passwords to get to the EXEC enable prompt.
Step 2 Enter the show cdp command to verify that Cisco Discovery Protocol is enabled
and to display global information.
RouterX#show cdp
Global CDP information:
Sending CDP packets every 60 seconds
Sending a holdtime value of 180 seconds
Sending CDPv2 advertisements is enabled
Step 3 Enter the show cdp interface command to display the interfaces that are running
Cisco Discovery Protocol. Your output should look similar to the following display:
RouterX#show cdp interface
FastEthernet0/0 is up, line protocol is up
Encapsulation ARPA
Holdtime is 180 seconds
Encapsulation ARPA
Encapsulation PPP
Serial0/0/1 is administratively down, line protocol is down
Encapsulation HDLC
Step 4 Enter the show cdp neighbors command to display any known Cisco devices. Your
RouterX#show cdp neighbors
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
S - Switch, H - Host, I - IGMP, r - Repeater

Device ID Local Intrfce Holdtme Capability Platform Port ID
MainRouter Ser 0/0/0 167 R S I 2811 Ser 1/0
SwitchX.cisco.com
Fas 0/0 137 S I WS-C2960- Fas 0/2
Step 5 Using the information gathered in the previous step, enter the show cdp entry
MainRouter command to view the detailed Cisco Discovery Protocol information
of the Cisco router learned through the serial interface. Your output should look
RouterX#show cdp entry MainRouter
-------------------------
Device ID: MainRouter
Entry address(es):
IP address: 10.140.10.1
Platform: Cisco 2811, Capabilities: Router Switch IGMP
Interface: Serial0/0/0, Port ID (outgoing port): Serial1/0
Holdtime : 150 sec

Version :

advertisement version: 2
VTP Management Domain: ''
Step 6 Observe in your display that the IP address of the remote device is output, as is the
router platform and software information.
Step 7 Using the IP address from your output in Step 5, you could attempt to log in to
router MainRouter; however, this would be unsuccessful because MainRouter has an
ACL preventing unauthorized access.
Step 8 Enter the show cdp neighbors detail command to display the same information that
show cdp entry did. However, the neighbors detail command will display all
known neighbors without requiring any other parameters. Your output should look
RouterX#show cdp neighbors detail
-------------------------
Device ID: MainRouter
Entry address(es):
IP address: 10.140.10.1
Platform: Cisco 2811, Capabilities: Router Switch IGMP
Interface: Serial0/0/0, Port ID (outgoing port): Serial1/0
Holdtime : 167 sec

Version :


-------------------------
Device ID: SwitchX.cisco.com
Entry address(es):
IP address: 10.10.10.11
Platform: cisco WS-C2960-24TT-L, Capabilities: Switch IGMP
Interface: FastEthernet0/0, Port ID (outgoing port): FastEthernet0/2
Holdtime : 135 sec

Version :
Cisco IOS Software, C2960 Software (C2960-LANBASEK9-M), Version 12.2(25)SEE2,
RELEASE SOFTWARE (fc1)

Protocol Hello: OUI=0x00000C, Protocol ID=0x0112; payload len=27,
value=00000000FFFFFFFF010221FF000000000000001A6D446C80FF0000
Native VLAN: 1
Duplex: half
Step 9 From the output of the cdp commands or by knowing the topology, you can
determine which interfaces connect to your network infrastructure. Any interfaces
that do not connect to the infrastructure should have Cisco Discovery Protocol
disabled because it offers the potential for assisting hackers to gain knowledge of
your network. From the perspective of the workgroup routers perspective, interfaces
fa0/1 and serial 0/0/1 should have Cisco Discovery Protocol disabled.
Step 10 At the global configuration mode, enter interface fa0/1 and then enter the no cdp
enable command to disable Cisco Discovery Protocol only on this interface.
Step 11 Enter the same sequence of commands to disable Cisco Discovery Protocol on your
serial 0/0/1 interface, then return to the enable EXEC prompt.
Step 12 Enter the show cdp interface command to verify that only Fa0/0 and s0/0/0 are
running Cisco Discovery Protocol at this time. Your output should look similar to
RouterX#show cdp interface
Encapsulation ARPA
Encapsulation PPP
Step 13 Having verified your configuration changes, save your configuration to startup-
config.
You observed the Cisco Discovery Protocol output for your directly attached Cisco
neighbors.
You disabled Cisco Discovery Protocol on the interfaces that do not connect to your
network infrastructure.
You saved your workgroup router configuration to startup-config.
Task 2: Use and Control Cisco Discovery Protocol on Your
Workgroup Switch
In this task you will use Cisco Discovery Protocol to obtain information about directly
connected Cisco devices to your workgroup switch. For the same security reasons, you will
control which interfaces run Cisco Discovery Protocol. In fact, a switch is more likely to be the
first network device to confront a potential hacker.
Activity Procedure
Step 1 Connect to your remote workgroup switch via the console server, and enter the
Step 2 Enter the show cdp command to verify that Cisco Discovery Protocol is enabled and
also to display global information. Your output should look similar to the following
display with the exception that some text has been omitted to save space.
SwitchX#show cdp interface
Encapsulation ARPA
Encapsulation ARPA
FastEthernet0/3 is administratively down, line protocol is down
Encapsulation ARPA
FastEthernet0/4 is administratively down, line protocol is down
Encapsulation ARPA
..
..Text omitted
..
GigabitEthernet0/2 is administratively down, line protocol is down
Encapsulation ARPA
Step 3 Enter the show cdp neighbor command to view directly connected Cisco devices.
SwitchX#show cdp neighbors
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
S - Switch, H - Host, I - IGMP, r - Repeater, P - Phone

Device ID Local Intrfce Holdtme Capability Platform Port ID
RouterX.cisco.com
Fas 0/2 150 R S I 2811 Fas 0/0
Step 4 Notice that the only neighbor found is your workgroup router. This confirms your
network diagram as the only interface that should run Cisco Discovery Protocol is
Fa0/2.
Step 5 Enter the necessary commands to have only interface fa0/2 running Cisco Discovery
Protocol. Your output should look similar to the following display:
SwitchX#conf t
SwitchX(config)#interface range fa0/1 - 24, gi0/1 - 2
SwitchX(config-if-range)#no cdp enable
SwitchX(config-if-range)#interface fa0/2
% Command exited out of interface range and its sub-modes.
Not executing the command for second and later interfaces
SwitchX(config-if)#cdp enable
SwitchX(config-if)#end
Step 6 Enter the show cdp interface command to verify your changes have been
implemented. Your output should look similar to the following display:
SwitchX#sh cdp interface
Encapsulation ARPA
Step 7 Enter the show cdp traffic command to view information regarding the nature of the
Cisco Discovery Protocol updates being sent and received. This can be useful should
you suspect that there are some problems with the Cisco Discovery Protocol process.
SwitchX#sh cdp traffic
CDP counters :
Total packets output: 645, Input: 164
Hdr syntax: 0, Chksum error: 0, Encaps failed: 0
No memory: 0, Invalid packet: 0, Fragmented: 0
CDP version 1 advertisements output: 0, Input: 0
CDP version 2 advertisements output: 645, Input: 164
Step 8 Having verified the operation and also your configuration changes, save your
configuration to startup-config.
You observed the cdp command output on your workgroup switch for your directly
attached Cisco neighbors.
You disabled Cisco Discovery Protocol on the interfaces that do not connect to your
network infrastructure.
You used the show cdp traffic command and verified that there were no errors in the Cisco
Discovery Protocol update process.
Lab 6-2: Managing Router Startup Options
Activity Objective
In this activity, you will be able to make changes to control your router startup behavior. After
Display the configuration register, modify it to a specified value, and return it to its original
value
Validate by inspection of output whether a displayed configuration is from the running
configuration or the startup configuration in the startup-config file.
Modify the sequence of Cisco IOS file loaded at startup, using a sequenced list of boot
system commands
Observe a reload and verify which of the boot statements was processed to obtain the
running Cisco IOS binary file
Visual Objective
Managing Router Startup Options

Required Resources
Command List
Command Description
boot system flash [filename] Specifies the system image that the router loads at
startup is obtained from flash memory with the given
filename.
boot system tftp filename server_ip Specifies the system image that the router loads at
startup is obtained from a TFTP server using the given
filename at the IP address specified by the server_ip
option..
config-register value Changes the configuration register settings, where value
is a hexadecimal number.
show flash Displays the layout and contents of a flash memory file
system.
show running-config Displays the currently running configuration.
show startup-config Displays the contents of the configuration that is held in
NVRAM and that will be used following a reload of the
router.
show version Displays information about the currently loaded software
version along with hardware and device information.
Job Aids
The following job aid is available to help you complete the lab activity.
Address
Address
A 10.2.2.1 E 10.6.6.1
B 10.3.3.1 F 10.7.7.1
C 10.4.4.1 G 10.8.8.1
D 10.5.5.1 H 10.9.9.1
Task 1: Modify the Configuration Register
In this task, you will change the value of the configuration register and observe how this is
displayed. You will then restore the configuration register to the value it had at the start of this
task.
Activity Procedure
Step 2 Enter the show version command and press the Spacebar to complete the output.
RouterX#show version

ROM: System Bootstrap, Version 12.4(13r)T, RELEASE SOFTWARE (fc1)

RouterX uptime is 2 minutes
System returned to ROM by reload at 23:05:39 UTC Fri Mar 30 2007
System image file is "flash:c2800nm-advipservicesk9-mz.124-12.bin"

..
..Text omitted
..
Processor board ID FTX1050A3Q6
2 Serial(sync/async) interfaces

Configuration register is 0x2102
Step 3 Write down the value of the configuration register (exactly as it appears) in the line
below.

Step 4 In the global configuration mode, enter the config-register 0x2104 command to
modify the configuration setting.
RouterX#conf t
RouterX(config)#config-register 0x2104
Step 5 Exit the global configuration mode and enter the show version command to display
the new value. Your output should look similar to the following display:
RouterX(config)#^Z
RouterX#
RouterX#show version


RouterX uptime is 8 minutes
System returned to ROM by reload at 23:05:39 UTC Fri Mar 30 2007
..
..Text omitted
..

Configuration register is 0x2102 (will be 0x2104 at next reload)

RouterX#
Step 6 You will see that your new value will not be active until the next reload.
Step 7 You can (optionally) enter the show running-config command to look for the
config-register parameter; however, it will not be displayed as it is NOT part of the
Step 8 Enter the commands necessary to restore your configuration register to the value you
recorded in Step 3. When you have done this, you should enter the show version
command and verify that the configuration register has been restored to its original
value.
Step 9 It can sometimes seem confusing when viewing output to distinguish which display
is the running configuration and which is the startup configuration.
Step 10 Enter the show running-config command and use q to quit the output after the first
screen is displayed. Your output should look similar to the following display:

!
version 12.4
..
..Text omitted
..
--More--q
Step 11 Notice that the output starts with the words Building configuration. This is
because the running configuration is NOT a file. It is the stored parameter values
within the executing Cisco IOS program.
Step 12 Enter the show startup-config command and use q to quit the output after the first
screen is displayed. Your output should look similar to the following display:
RouterX#sh startup-config
Using 2170 out of 245752 bytes
!
version 12.4
..
..Text omitted
..
--More--q
Step 13 Notice that the output in the example displayed has the words Using 2170 out of
245752 bytes, which indicates that a certain amount of the NVRAM is being used
to hold the configuration file.
You observed and recorded the current value of the configuration register.
You modified the configuration register value, displayed the output of the show version
command, and identified that it had been changed but that this change would not be active
until after the router was restarted.
You then returned the configuration register to its original value.
You displayed and identified the differences in the output between showing the running
configuration and the startup configuration when using the show commands.
Task 2: Observe the Flash File System and Add Boot System
Commands
In this task you will determine the Cisco IOS system file being used. You will then add three
boot system commands that modify the default behavior of file choice at startup. Changes to
the booting process flow should be used with extreme caution, as errors may leave your router
potentially unreachable over the network. This is why usually this process is done only by
senior network administrators.
Activity Procedure
Step 1 Enter the show flash: command to output the files that are currently stored in the
flash memory. Your output should look similar to the following display:
RouterX#show flash:
-#- --length-- -----date/time------ path
1 36232088 Mar 28 2007 17:27:46 +00:00 c2800nm-advipservicesk9-mz.124-12.bin
2 1823 Dec 14 2006 08:25:40 +00:00 sdmconfig-2811.cfg
3 4734464 Dec 14 2006 08:26:10 +00:00 sdm.tar
4 833024 Dec 14 2006 08:26:26 +00:00 es.tar
5 1052160 Dec 14 2006 08:26:46 +00:00 common.tar
6 1038 Dec 14 2006 08:27:02 +00:00 home.shtml
7 102400 Dec 14 2006 08:27:24 +00:00 home.tar
8 491213 Dec 14 2006 08:27:48 +00:00 128MB.sdf

20557824 bytes available (43458560 bytes used)

Step 2 You should note that the Cisco IOS binary file is identified with a .bin extension.
The other files (in the example display above) are related to the Cisco SDM
configuration program. It is possible to have multiple Cisco IOS images in flash
memory. Write the file name of Cisco IOS binary file in the space below; in the
example, it is c2800nm-advipservicesk9-mz.124-12.bin.

Step 3 The first found binary file in flash determines the Cisco IOS image loaded at a
restart. This order can be modified by using the boot system flash filename.bin
configuration commands.
Caution Extreme care should be taken when using boot system commands because an error may
leave the router unable to start, which can lead to significant downtime while the boot
process is restored. For this reason, only senior network administrators usually modify the
Cisco IOS flash files and modify the boot sequence.
Step 4 At the global configuration prompt, enter the boot system tftp filename
tftp_address, where filename is the name you noted in Step 2 and tftp_address is the
IP address of your workgroup TFTP server, which can be found in Table 1. By
entering this command first, the router on reload attempts to locate and load its
Cisco IOS file from the TFTP server specified. Your output should look similar to
RouterX(config)#boot system tftp c2800nm-advipservicesk9-mz.124-12.bin 10.x.x.1
Step 5 Enter boot system flash filename, where filename is the name you copied in Step 2.
If this command is processed, the router will attempt to load the Cisco IOS file from
flash memory using the filename specified. Your output should look similar to the
following display:
RouterX(config)#boot system flash c2800nm-advipservicesk9-mz.124-12.bin
Step 6 Enter boot system flash. No filename is necessary. This command, if processed,
will load the router with the first Cisco IOS file found in flash memory Your output
RouterX(config)#boot system flash
Step 7 Enter the command to leave the configuration mode.
Step 8 Enter show run command, and observe the output to verify that your boot system
commands are accurately entered. Your output should look similar to the following
display but should show your workgroup hostname and filenames:
..
..Text omitted
..
hostname RouterX
!
boot-start-marker
boot system tftp c2800nm-advipservicesk9-mz.124-12.bin 10.x.x.1
boot system flash c2800nm-advipservicesk9-mz.124-12.bin
boot system flash
boot-end-marker
!
Step 9 Make any corrections necessary before proceeding to next step.
Step 10 Enter copy run start command to save your running configuration to NVRAM.
Note The reload process will take a variable amount of time, with the low end being approximately
5 to 8 minutes, depending on router hardware and the performance of the TFTP server. A
reload from flash memory takes 2 to 3 minutes for same router hardware.
Step 11 Enter and confirm the reload command. Observe the output displayed during the
reload. In the space below, write the location that you believe provided the Cisco
IOS file to load.

Step 12 Your output should look similar to the following display:
RouterX#reload
Proceed with reload? [confirm]<ENTER>

*Apr 6 18:17:24.619: %SYS-5-RELOAD: Reload requested by console. Reload
Reason: Reload Command.


..
..Text omitted
..
<ENTER><ENTER>
********** Warning *************

**************************************************************^


Password:
Step 13 When your router has finished reloading, press Enter twice to ensure that you are at
a login prompt. Enter the information to get to the privileged EXEC mode.
Step 14 Enter show version command and observe the display to confirm the location of the
Cisco IOS file. Your output should look similar to the following display:
RouterX#sh version


RouterX uptime is 1 minute
System returned to ROM by reload at 18:17:24 UTC Fri Apr 6 2007
System image file is "tftp://10.x.x.1/c2800nm-advipservicesk9-mz.124-12.bin"

..
..TEXT omitted
..
--More--q
Step 15 If there was a problem with the TFTP download, then you may have the following
line in the show version command display:
System image file is "flash:c2800nm-advipservicesk9-mz.124-12.bin"
You observed and recorded the current Cisco IOS binary file stored in flash memory.
You added three boot systems commands to modify the startup behavior of the router on
reload in the following order:
First, attempt to locate a specified Cisco IOS file via a TFTP server.
If unsuccessful, attempt to locate a specified Cisco IOS file from flash memory.
Finally, locate the first found Cisco IOS file from flash memory.
You reloaded your router and observed the output to determine which of the boot system
commands resulted in the system file used at startup.
You used the show version command to verify which method was actually being used.
Lab 6-3: Managing Cisco Devices
Activity Objective
In this activity, you will use Cisco IOS copy and debug commands. After completing this
Save your running configuration on a remote TFTP server
Upload and download configuration files
Copy and delete files to local flash memory
Ensure that the router is lightly loaded before using debugging commands
Turn debugging on and off
Visual Objective
Managing Cisco Devices

Required Resources
Command List
Command Description
copy running-config tftp A multiline command that copies the running configuration
file to a TFTP server.
copy tftp flash A multiline command that copies from a TFTP server
configuration file to flash memory.
copy tftp running-config A multiline command that copies from a TFTP server
configuration file to the running configuration.
copy tftp startup-config A multiline command that copies from a TFTP server
configuration file to the startup-config file, also known as
NVRAM.
debug ip icmp Displays debug information on ICMP transactions
debug ip rip Displays debug information on RIP routing protocol
transactions
no debug all Turns off all debugging operations.
delete flash:filename Removes the specified file from flash memory.
more flash:filename Displays as text the contents of the file in flash memory.
ping ip_address Common tool used to troubleshoot the accessibility of
devices. It uses ICMP path echo requests and ICMP path
echo replies to determine whether a remote host is active.
The ping command also measures the amount of time it
takes to receive the echo reply.
show debugging Displays information about the types of debugging that are
enabled on your router.
show flash Displays the layout and contents of a flash memory file
system.
show processes Displays information about the active processes, including
the CPU loading.
show running-config interface
interface_id
Displays only the current configuration of the specified
interface.
show startup-config Displays the configuration settings of the startup
configuration file in NVRAM.
Job Aids
These following job aid is available to help you complete the lab activity.
Work
group
TFTP Server IP
Address
Work
group
TFTP Server IP
Address
A 10.2.2.1 E 10.6.6.1
B 10.3.3.1 F 10.7.7.1
C 10.4.4.1 G 10.8.8.1
D 10.5.5.1 H 10.9.9.1
Task 1: Copy Configuration Files
You will use Cisco IOS commands to save and modify your configuration by uploading and
downloading configuration files to and from a TFTP server.
Activity Procedure
necessary commands and passwords to get to the user EXEC prompt.
Step 2 Enter the command to get to the enable EXEC prompt.
Step 3 Before attempting to save or copy a configuration from a TFTP server, it is a very
good idea to test that the server is reachable. Enter the command to ping your
workgroup TFTP server; refer to Table 1 for the address. Your output should look

.!!!!
Step 4 Enter the command copy running tftp.
Step 5 At the prompt, enter your workgroup assigned TFTP server IP address from Table 1.
Step 6 At the prompt, accept the default name based on your router hostname by using the
Enter key.
Step 7 Your output from these steps should look similar to the following display:
RouterX#copy running tftp
Address or name of remote host []? 10.x.x.1
Destination filename [RouterX-confg]?
.!!
2140 bytes copied in 4.760 secs (450 bytes/sec)
Step 8 Enter the show run int s0/0/0 to display only the configuration for your serial
interface. Your output should look similar to the following display:
RouterX#show run int s0/0/0

!
description Link to Main Office
ip address 10.140.10.2 255.255.255.0
encapsulation ppp
no fair-queue
end
Step 9 Enter the copy tftp run command to copy from the TFTP server to your running
configuration.
Step 10 Use the IP address of your workgroup TFTP server when prompted for the address.
Step 11 Use the filename descript-confg when prompted for the source filename.
Step 12 Accept the default destination filename.
RouterX#copy tftp run
Address or name of remote host []? 10.10.10.1
Source filename []? descript-confg
Destination filename [running-config]?
Accessing tftp://10.10.10.1/descript-confg...
Loading descript-confg from 10.10.10.1 (via FastEthernet0/0): !
[OK - 289 bytes]

Step 14 Enter the show run int s0/0/0 to display only the configuration for your serial
interface. Your output should look similar to the following display:
RouterX#show run int s0/0/0

!
description Connection to Main Office
ip address 10.140.10.2 255.255.255.0
encapsulation ppp
no fair-queue
end
Step 15 Your display should show that a description statement has overwritten the prior
description on the serial interface.
Step 16 Enter the copy tftp flash command to copy from the TFTP server to your local flash
memory.
Step 17 Enter the IP address of your workgroup TFTP server when prompted for the address.
Step 18 Enter the filename descript-confg when prompted for the source filename.
Step 19 Accept the default destination filename.
RouterX#copy tftp flash:
Address or name of remote host [10.x.x.1]?
Source filename [descript-confg]?
Destination filename [descript-confg]?
Accessing tftp://10.x.x.1/descript-confg...
Loading descript-confg from 10.x.x.1 (via FastEthernet0/0): !
[OK - 289 bytes]

Step 21 Enter the show flash command to display the files stored in flash memory.
Step 22 You should see the filename of the file you just uploaded displayed.
Step 23 Enter more flash:descript-confg to display as text the contents of the file.
RouterX#more flash:descript-confg
! This file demonstrates the way the IOS removes remarks
! from configuration files
! and allows parts of a configuration to be updated
!*********************[
interface serial 0/0/0
description Unused Interface
end
Step 25 Notice that the file contains only a small number of configuration commands that
were added to (or merged with) the existing running configuration. Also notice that
the file contains comments. These comments are ignored and not stored in the
Step 26 Enter the delete flash:descript-confg command to remove the file that you just
uploaded from flash memory. Your output should look similar to the following
display:
RouterX#delete flash:descript-confg
Delete filename [descript-confg]?
Delete flash:descript-confg? [confirm]

Step 27 Enter the command and subsequent parameters to copy the file descript-confg to
startup-config. Your output should look similar to the following display:
RouterX#copy tftp start
RouterX#copy tftp startup-config
Address or name of remote host [10.x.x.1]?10.x.x.1
Source filename [descript-confg]?descript-confg
Destination filename [startup-config]?
Accessing tftp://10.x.x.1/descript-confg...
Loading descript-confg from 10.x.x.1 (via FastEthernet0/0): !
[OK - 289 bytes]
[OK]
Step 28 Enter the show startup command to display the contents of the startup-config file.
RouterX#show startup
Using 289 out of 245752 bytes! This file demonstrates the way the IOS removes
remarks
! from configuration files
! and allows parts of a configuration to be updated
!*********************[
description Unused Interface
end
Step 29 Notice that your starting configuration has been completely replaced by the small
configuration file. This demonstrates that copying to the startup file is a replacement
(or overwrite) operation. If your router were to restart now, it would not have any
functioning interfaces!
Step 30 Enter the command to save your running configuration to startup-config.
Step 31 Use show startup to verify that the partial configuration in your startup-config file
has been replaced by the full configuration from the running configuration.
You saved your running configuration to your assigned TFTP server.
You uploaded a small configuration file to your running configuration.
You uploaded the configuration file to flash memory, and used the more command to
output the file as text.
You removed the uploaded file from flash memory.
You uploaded the configuration file to the startup-config file and verified that it had
overwritten all previous configuration entries.
Your copied your running configuration to startup-config, replacing the partial
configuration with the full running configuration.
Task 2: Use debug Commands
In this task, you will use show and debug commands to selectively display chosen dynamic
events, while guarding against causing performance problems.
Activity Procedure
Step 1 In a nontraining environment, prior to issuing a debug command, you should check
how heavily loaded the CPU is because this affects router performance. The debug
commands are given the highest priority and can cause a router to restart. This may
happen because software timers are not serviced, causing a fatal error to be inferred.
Step 2 Enter the command show processes to display information about the CPU
utilization. Quit the display after the first page is output. Your output should look
RouterX#show processes
CPU utilization for five seconds: 0%/0%; one minute: 0%; five minutes: 0%
PID QTy PC Runtime (ms) Invoked uSecs Stacks TTY Process
1 Cwe 400A7A2C 0 4 0 5456/6000 0 Chunk Manager
2 Csp 4008C430 4 1614 2 2528/3000 0 Load Meter
3 M* 0 7832 379196 20 7200/12000 0 Exec
..
..Text omitted
..
Step 3 You should review the first line of the output, which indicates the CPU utilization
over three time periods. This is bolded text in the example above. Your display
should indicate a very low value also.
Step 4 Enter the show debugging command to verify that no other debug commands are
active. Your output should indicate that there are is no active debugging taking
place.
Step 5 Enter the debug ip icmp command to turn on debugging of ICMP messages. Your
RouterX#debug ip icmp
ICMP packet debugging is on
Step 6 Repeat Step 4; your display should look something like the following:
RouterX#sh debugging
Generic IP:
Step 7 Enter ping 10.x.x.1 to send ICMP echo request packets to your assigned TFTP
server IP address. Your output should look similar to the following display:

!!!!!
RouterX#
*Apr 3 19:44:43.699: ICMP: echo reply rcvd, src 10.10.10.1, dst 10.10.10.3
Step 8 Enter the debug ip rip command to turn on the debugging of RIP routing packets.
Step 9 Wait a few minutes to observe some RIP routing protocol updates being sent and
received. Your output should look similar to the following display:
RouterX#
*Apr 3 20:12:01.355: RIP: sending v2 update to 224.0.0.9 via FastEthernet0/0
(10.10.10.3)
*Apr 3 20:12:01.355: RIP: build update entries
*Apr 3 20:12:01.355: 10.140.10.0/24 via 0.0.0.0, metric 1, tag 0
RouterX#
*Apr 3 20:12:06.083: RIP: sending v2 update to 224.0.0.9 via Serial0/0/0 (10.140.10.2)
*Apr 3 20:12:06.083: RIP: build update entries
RouterX#
*Apr 3 20:12:27.295: RIP: received v2 update from 10.140.10.1 on Serial0/0/0
*Apr 3 20:12:27.295: 192.168.21.0/24 via 0.0.0.0 in 1 hops
*Apr 3 20:12:27.295: 192.168.121.0/24 via 0.0.0.0 in 1 hops
*Apr 3 20:12:27.295: 192.168.131.0/24 via 0.0.0.0 in 1 hops
*Apr 3 20:12:27.295: 192.168.221.0/24 via 0.0.0.0 in 2 hops
RouterX#
Step 10 Enter the command to display how many debug commands are active. Your output
RouterX#show debugging
Generic IP:
IP routing:
RIP protocol debugging is on

Step 11 Although it is possible to individually turn off each debug command, it is quicker
and more certain to turn off all debugging using a single command. Enter the no
debug all command to remove all active debugging from the router.
RouterX#no debug all
All possible debugging has been turned off
You observed that your router had a very low CPU utilization using the show processes
command.
You used debug commands to observe the output of ICMP packets and RIP routing
protocol updates.
You used the show debug command to verify which, if any, debug commands were active
on your router.
You turned off all debugging operations using a single command.

Lab 6-4: Confirming the Reconfiguration of the
Branch Network
Activity Objective
In this activity, you will assume that you are taking over the reconfiguration of a branch
network from an administrator who has not completed the configuration. In fact, there may be
misconfiguration of some of the settings. You will use the knowledge and experience gained
from the earlier labs to complete the reconfiguration, correction, and testing. After completing
Complete the configuration of your assigned workgroup switch using information provided
in checklist below
Complete the configuration of your workgroup router using information provided in the
checklists below
See the routes indicated in the visual objective after enabling dynamic routing on your
workgroup router
Perform tests to validate that your final configuration meets the new topology information
Visual Objective
Visual Objective for Lab 6-4 Confirming
the Reconfiguration of the Branch Network

Required Resources
Your new assigned pod access information for this lab provided in the Job Aids section
Command Lists
Refer to the command lists associated with the prior lab associated with the task you are
completing.
Job Aids
Visual objective for this lab
Switch tasks worksheet
Router tasks worksheet
Table containing the addressing information for each workgroup
Table 1: Workgroup Address Information
Workgroup Switch
Hostname
VLAN 1
IP Address Mask /24
Router
Hostname
Fa0/0
IP Address Mask /24
AA SwitchAA 10.22.22.11 RouterAA 10.22.22.3
BB SwitchBB 10.33.33.11 RouterBB 10.33.33.3
CC SwitchCC 10.44.44.11 RouterCC 10.44.44.3
DD SwitchDD 10.55.55.11 RouterDD 10.55.55.3
EE SwitchEE 10.66.66.11 RouterEE 10.66.66.3
FF SwitchFF 10.77.77.11 RouterFF 10.77.77.3
GG SwitchGG 10.88.88.11 RouterGG 10.88.88.3
HH SwitchHH 10.99.99.11 RouterHH 10.99.99.3
Table 2: Router s0/0/0 Address Information
Workgroup s0/0/0 IP Address
Mask /24
Workgroup s0/0/0 IP Address
Mask /24
AA 10.140.11.2 EE 10.140.55.2
BB 10.140.22.2 FF 10.140.66.2
CC 10.140.33.2 GG 10.140.77.2
DD 10.140.44.2 HH 10.140.88.2
Switch Task Worksheet
Done Switch Task Worksheet Workgroup:
Task and Property (Lab) Information and Configuration Hint
1) Basic Configuration (Labs 2-2, 2-3)
Hostname (workgroup AA through HH) hostname SwitchXX
Interface vlan 1
IP address and subnet mask ip address ip_address mask
IP default gateway ip default-gateway ip_address
Enable password cisco
Enable secret sanfran
Use password encryption service password-encryption
Username and password for console and vty lines.
Netadmin has privilege level 15
username netadmin privilege 15 password
netadmin
Vty lines line vty 0 15
Login uses local username and passwords login local
Console line line console 0
Login password required login
Console password sanjose
Login banner with suitable security message banner login % message %
Verify
2) Configure to Use SSH ONLY (Lab 2-3, Task 4)
Username and password netadmin
netadmin
IP domain-name cisco.com
Generate crypto key RSA 1024 bit
SSH version 2
Limit protocols supported transport input ssh
Verify show run
3) Configure Port Security (Lab 2-3, Task 5)
Interface fa0/1
Switchport mode switchport mode access
Maximum number of addresses switchport port-security max 2
Violation action restrict switchport port-security violation restrict
MAC address learning = sticky switchport port-security mac-address
sticky
Enable port security switchport port-security
Verify show port-security interface

Done Router Task Worksheet Workgroup:
4) Secure Switch (Lab 2-3, Task 6, Lab 6-1, Task 2)
Shut down unused ports fa0/3-10, fa0/13-24, gi0/1-2
Limit Cisco Discovery Protocol to interface connected to router no cdp enable
Verify
Router Task Worsheet

1) Basic Configuration (Lab 4-6)

Hostname (workgroup AA through HH) hostname RouterXX

Interface interface fa0/0

IP Address and subnet mask ip address ip_address mask

Enable password enable password cisco

Enable secret enable secret sanfran

Verify

2) Enhanced Configuration (Lab 4-7, Lab 6-1, Task 1)

Use password encryption service password-encryption

Username and password for console and vty lines.
User has privilege level 15
username netadmin privilege level
password netadmin


Login uses local username and passwords login local

Console line line console 0

Login uses password login

Console password password sanjose

Login banner with suitable security message banner login % message %

Limit Cisco Discovery Protocol to interface connected to switch no cdp enable

Verify

3) Configure to Use SSH ONLY (Lab 4-7, Task 4)

IP domain name cisco.com

Generate crypto key RSA 1024 bit

Use version SSH v2 ip ssh version 2


Limit protocols supported transport input ssh

Verify



4) Configure to Support Cisco SDM (Lab 4-8, Task 1)

Allows connection via HTTP ip http server

Allows connection via HTTPS ip http secure-server

Authentication uses local username and passwords ip http authentication local

5) Configure DHCP Server (Lab 4-8, Task 2) Support clients on Fa0/0 interface

Pool name Branchxx-clients

Starting IP address .150 150

Ending IP address .199 199

Lease time: 5 minutes 0 0 5

Default router: this router 10.xx.xx.3

Verify

6) Configure Internet Access (Lab 5-1)

Interface fa0/1

IP address uses DHCP Dynamic (DHCP Client)

PAT outside interface fa0/1

PAT inside interface fa0/0

Verify

7) Configure Connection to Main Office (Lab 5-2)

Interface s0/0/0

IP address of serial 0/0/0 see table 2 ip address address mask

Encapsulation encapsulation ppp

Verify

8) Configure RIPv2 Routing (Lab 5-3)

Routing protocol router rip

RIP version 2 version 2

Protocol runs on interfaces network 10.0.0.0

Verify

9) Configure Boot Startup (Lab 6-2)

TFTP server address is .1 host on your local network. 10.nn.nn.1

Boot order should be specified as: Cisco IOS file in flash; Cisco
IOS file from TFTP server; first found Cisco IOS file in flash
boot system flash filename
boot system tftp filename address
boot system flash

Verify

Task 1: Connect to the Remote Lab
Activity Procedure
You will connect to your newly assigned workgroup using the same menus that you used for
the previous labs. Your new workgroup is identified using double letters. For example, if you
are assigned to workgroup AA in this lab, then you use menu A, or if you are assigned to BB,
use menu B, and so on.
In order to connect via a VPN tunnel to use Cisco SDM to perform configuration tasks on your
workgroup router, you will need to use a different VPN client configuration profile. This
profile will ensure that you are attached to the correct subnet to match your new workgroup
subnet address.

You have connected to the remote lab and attached to your workgroup devices using the
same menus used in previous labs.
You have connected to the remote lab using the new VPN client profile to support using
Cisco SDM for configuration of your workgroup router.
Task 2: Prepare to Verify Your Configuration
Activity Procedure
In order to verify that your branch is configured correctly, you will need to ensure that discrete
parameters are configured in accordance with the values given for both your switch and router.
You will use Cisco IOS commands to test that the overall branch configuration works
appropriately. It is suggested that you perform this in three phases, and you may repeat the
phases to reach a final working configuration.
In phase 1, gather together the necessary information regarding your assigned workgroup
switch and router.
In phase 2, inspect your switch and router to ensure that the configuration matches the values
you collected in phase 1. You may have to perform corrective action on the configuration,
replacing missing or incorrect values. It may be necessary to use either Cisco SDM or the CLI
for this phase. Reference to prior labs will provide you with the correct syntax and procedure to
implement your configuration.
In phase 3, use Cisco IOS commands to test the functionality of the switch and router working
together to support the overall configuration. These may be ping commands or explicit show
commands that demonstrate that, for example, that a DHCP client has received an address. If
you encounter problems in this phase, you will have to consider where to look to remedy the
problem. You should assume that the network around you is correctly configured and will work
if your configuration matches the values supplied in the job aids and tables. If you have tried to
fix your problems without success, ask your instructor for assistance.
Use the information provided in the Tables 1 and 2 and transfer it to the visual objective so that
you have your IP addressing information ready to reference as you proceed through the switch
and router task sheets.
You have read through the instructions and have prepared the necessary reference
information ready to proceed to the next task.
Task 3: Verify Your Configuration
Activity Procedure
Use the information provided in the Tables 1 and 2 and transfer it to the visual objective so that
you have your IP addressing information ready to reference as you proceed through the switch
and router worksheet sheet tasks.
Use the check boxes as you work through the worksheet. You may need to refer to the labs that
you completed earlier for more detailed information on completing or verifying your
configuration.
No detailed steps are provided here, because all the information that you need is in either this
lab or a prior lab. If you need any further guidance, you should discuss this with your
instructor.
You have completed this task when you attain these results for your branch:
Your basic switch configuration properties match those assigned to your workgroup.
Your switch has a banner message with suitable warning text.
Your switch SSH configuration properties match those assigned to your workgroup.
Your switch port security configuration properties match those assigned to your
workgroup.
You secured your switch to match the properties assigned to your workgroup.
Your basic router configuration properties match those assigned to your workgroup.
Your router has a banner message with suitable warning text.
Your router password configuration properties match those assigned to your workgroup.
Your router SSH configuration properties match those assigned to your workgroup.
Your router DHCP server configuration properties match those assigned to your
workgroup.
Your router Internet access configuration properties match those assigned to your
workgroup.
Your router main office connection configuration properties match those assigned to your
workgroup.
Your router dynamic routing configuration properties match those assigned to your
workgroup.
Your router boot system configuration properties match those assigned to your workgroup.
You tested your branch for successful connectivity, routing, and DHCP server services.

Answer Key
The correct answers and expected solutions for the activities that are described in this guide
appear here.
Labs 1-1, 1-2, 1-3, and 2-1 contained their answers within the labs and resulted in no
configuration changes.
Lab 2-2 Answer Key: Performing Switch Startup
and Initial Configuration
When you complete this activity, your workgroup switch configuration will be similar to the
results here, with differences that are specific to your device or workgroup:
!
version 12.2
no service pad
no service password-encryption
!
hostname SwitchX
!
enable secret 5 $1$A11O$0z83HwmswM/vk5.RSZpVr.
!
no aaa new-model
ip subnet-zero
!
!
!
!
!
!
no file verify auto
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface Vlan1
ip address 10.10.10.11 255.255.255.0
no ip route-cache
!
ip default-gateway 10.10.10.3
ip http server
ip http secure-server
!
control-plane
!
!
line con 0
line vty 0 4
password sanjose
no login
line vty 5 15
password sanjose
no login
!
end
Lab 2-3 Answer Key: Enhancing the Security of
Initial Switch Configuration
!
version 12.2
no service pad
!
hostname SwitchX
!
enable password 7 05080F1C2243
!
username netadmin password 7 030A5E1F070B2C4540
no aaa new-model
ip subnet-zero
!
ip domain-name cisco.com
ip ssh version 2
!
!
crypto pki trustpoint TP-self-signed-1833200768
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1833200768
revocation-check none
rsakeypair TP-self-signed-1833200768
!
!
crypto ca certificate chain TP-self-signed-1833200768
certificate self-signed 01
3082028D 308201F6 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
53312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 31383333 32303037 36383120 301E0609 2A864886 F70D0109
02161177 675F7377 5F612E63 6973636F 2E636F6D 301E170D 39333033 30313030
30313033 5A170D32 30303130 31303030 3030305A 3053312F 302D0603 55040313
26494F53 2D53656C 662D5369 676E6564 2D436572 74696669 63617465 2D313833
33323030 37363831 20301E06 092A8648 86F70D01 09021611 77675F73 775F612E
63697363 6F2E636F 6D30819F 300D0609 2A864886 F70D0101 01050003 818D0030
81890281 8100B444 4F07E979 88953526 E0B8480C 52DBC1E7 E5FF660A 41932329
8FB4A8EE 142FAEC4 744CB8BE 021BDAE5 BF005CA6 99D0BDC7 68C4A873 25A2F06C
E460FAE5 1435B900 43505E02 3F0F5E4B D61D6787 59B6AE32 13558C75 561A6BB0
42C15C96 D078A449 669E4B58 CD5857D0 1B570F43 008B811F 45CD05B0 50D144BA
F83865F5 8BFD0203 010001A3 71306F30 0F060355 1D130101 FF040530 030101FF
301C0603 551D1104 15301382 1177675F 73775F61 2E636973 636F2E63 6F6D301F
0603551D 23041830 16801414 679B7C0E C82E65FB 8953EC84 1FC9DD49 E672A630
1D060355 1D0E0416 04141467 9B7C0EC8 2E65FB89 53EC841F C9DD49E6 72A6300D
06092A86 4886F70D 01010405 00038181 006C7E92 A7F96199 D1D81ADA FA16C868
0660013D 4A91A319 6D6DBD61 B5147AAA FF0FCF26 3DF20CA7 9694B3B8 24ABBEAC
F8942F5F E53466BB 04E12200 25432AFE A09DDFCF A07A5A4A 145BE58D 4040040A
5B085A4E 895C45BC 4DF264BC BFE32124 F4AA3BDB B9CF2CC2 35F3B42A B16BFD69
44531337 B03B7055 48A0B320 0A6C3173 C0
quit
!
!
no file verify auto
!
!
!
!
shutdown
!
shutdown
!
shutdown
!
shutdown
!
shutdown
!
shutdown
!
shutdown
!
shutdown
!
!
!
shutdown
!
shutdown
!
shutdown
!
shutdown
!
shutdown
!
shutdown
!
shutdown
!
shutdown
!
shutdown
!
shutdown
!
shutdown
!
shutdown
!
shutdown
!
shutdown
!
interface Vlan1
ip address 10.10.10.11 255.255.255.0
no ip route-cache
!
ip http server
!
control-plane
!
banner login ^C
********** Warning *************

**************************************************************^C
!
line con 0
password 7 111A180B1D1D1809
login
line vty 0 4
login local
line vty 5 15
login local
!
end

Lab 2-4 Answer Key: Operating and Configuring
a Cisco IOS Device
!
version 12.2
no service pad
!
hostname SwitchX
!
!
no aaa new-model
ip subnet-zero
!
ip ssh version 2
!
!
!
!
3082028D 308201F6 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
53312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 31383333 32303037 36383120 301E0609 2A864886 F70D0109
02161177 675F7377 5F612E63 6973636F 2E636F6D 301E170D 39333033 30313030
30313033 5A170D32 30303130 31303030 3030305A 3053312F 302D0603 55040313
26494F53 2D53656C 662D5369 676E6564 2D436572 74696669 63617465 2D313833
33323030 37363831 20301E06 092A8648 86F70D01 09021611 77675F73 775F612E
63697363 6F2E636F 6D30819F 300D0609 2A864886 F70D0101 01050003 818D0030
81890281 8100B444 4F07E979 88953526 E0B8480C 52DBC1E7 E5FF660A 41932329
F83865F5 8BFD0203 010001A3 71306F30 0F060355 1D130101 FF040530 030101FF
301C0603 551D1104 15301382 1177675F 73775F61 2E636973 636F2E63 6F6D301F
44531337 B03B7055 48A0B320 0A6C3173 C0
quit
!
!
no file verify auto
!
!
!
!
shutdown
!
shutdown
!
shutdown
!
shutdown
!
shutdown
!
shutdown
!
shutdown
!
shutdown
!
!
!
shutdown
!
shutdown
!
shutdown
!
shutdown
!
shutdown
!
shutdown
!
shutdown
!
shutdown
!
shutdown
!
shutdown
!
shutdown
!
shutdown
!
shutdown
!
shutdown
!
interface Vlan1
ip address 10.10.10.11 255.255.255.0
no ip route-cache
!
ip http server
!
control-plane
!
banner login ^C
********** Warning *************

**************************************************************^C
!
line con 0
login
line vty 0 4
login local
line vty 5 15
login local
!
end
Lab 4-1 Answer Key: Converting Decimal to
Binary and Binary to Decimal
When you complete this activity, your results will match the results here.
Task 1: Convert from Decimal Notation to Binary Format
Base-2 2
7
2
6
2
5
2
4
2
3
2
2
2
1
2
0

Decimal 128 64 32 16 8 4 2 1 Binary
48 0 0 1 1 0 0 0 0 48 = 32+16 = 00110000
146 1 0 0 1 0 0 1
0
146 = 128+16+2
= 10010010
222 1 1 0 1 1 1 1 0 222 = 128+64+16+8+4+2
= 1101110
119 0 1 1 1 0 1 1 1 119 = 64+32+16+4+2+1
= 01110111
135 1 0 0 0 0 1 1 1 135 = 128+4+2+1
= 10000111
60 0 0 1 1 1 1 0 0 60 = 32+16+8+4
= 00111100
Task 2: Convert from Binary Notation to Decimal Format
Base-2 2
7
2
6
2
5
2
4
2
3
2
2
2
1
2
0

Binary 128 64 32 16 8 4 2 1 Decimal
11001100 1 1 0 0 1 1 0 0 128+64+8+4 = 204
10101010 1 0 1 0 1 0 1 0 128+32+8+2 = 170
11100011 1 1 1 0 0 0 1 1 128+64+32+2+1 = 227
10110011 1 0 1 1 0 0 1 1 128+32+16+2+1 = 179
00110101 0 0 1 1 0 1 0 1 32+16+4+1 = 53
10010111 1 0 0 1 0 1 1 1 128+16+4+2+1 = 151

Lab 4-2 Answer Key: Classifying Network
Addressing
Task 1: Convert from Decimal IP Address to Binary Format
The table to express 145.32.59.24 in binary format is shown here.
Base-2 2
7
2
6
2
5
2
4
2
3
2
2
2
1
2
0

Decimal 128 64 32 16 8 4 2 1 Binary
145 1 0 0 1 0 0 0 1 10010001
32 0 0 1 0 0 0 0 0 00100000
59 0 0 1 1 1 0 1 1 00111011
24 0 0 0 1 1 0 0 0 00011000

10010001.00100000.00111011.00011000
Step 1 The table to express 200.42.129.16 in binary format is shown here.
Base-2 2
7
2
6
2
5
2
4
2
3
2
2
2
1
2
0

Decimal 128 64 32 16 8 4 2 1 Binary
200 1 1 0 0 1 0 0 0 11001000
42 0 0 1 0 1 0 1 0 00101010
129 1 0 0 0 0 0 0 1 10000001
16 0 0 0 1 0 0 0 0 00010000

11001000.00101010.10000001.00010000
Step 2 The table to express 14.82.19.54 in binary format is shown here.
Base-2 2
7
2
6
2
5
2
4
2
3
2
2
2
1
2
0

Decimal 128 64 32 16 8 4 2 1 Binary
14 0 0 0 0 1 1 1 0 00001110
82 0 1 0 1 0 0 1 0 01010010
19 0 0 0 1 0 0 1 1 00010011
54 0 0 1 1 0 1 1 0 00110110

00001110.01010010.00010011.00110110
Task 2: Convert from Binary Format to Decimal IP Address
Step 1 The table to express 11011000.00011011.00111101.10001001 in decimal IP address
format is shown here.
Base-2 2
7
2
6
2
5
2
4
2
3
2
2
2
1
2
0

Binary 128 64 32 16 8 4 2 1 Decimal
11011000 1 1 0 1 1 0 0 0 216
00011011 0 0 0 1 1 0 1 1 27
00111101 0 0 1 1 1 1 0 1 61
10001001 1 0 0 0 1 0 0 1 137

216.27.61.137
Base-2 2
7
2
6
2
5
2
4
2
3
2
2
2
1
2
0

Binary 128 64 32 16 8 4 2 1 Decimal
11000110 1 1 0 0 0 1 1 0 198
00110101 0 0 1 1 0 1 0 1 53
10010011 1 0 0 1 0 0 1 1 147
00101101 0 0 1 0 1 1 0 1 45

198.53.147.45
Base-2 2
7
2
6
2
5
2
4
2
3
2
2
2
1
2
0

Binary 128 64 32 16 8 4 2 1 Decimal
01111011 0 1 1 1 1 0 1 1 123
00101101 0 0 1 0 1 1 0 1 45
01000011 0 1 0 0 0 0 1 1 67
01011001 0 1 0 1 1 0 0 1 89

123.45.67.89
Task 3: Identify IP Address Classes
Binary IP Address Decimal IP Address
Address
Class
Number of
Bits in
Network ID
Maximum
Number of
Hosts
(2
h
-2)
10010001.00100000.00111011.00011000 145.32.59.24 Class B 16 2
16
-2 =
65,534
11001000.00101010.10000001.00010000 200.42.129.16 Class C 24 2
8
-2 = 254
00001110.01010010.00010011.00110110 14.82.19.54 Class A 8 2
24
-2 =
16,777,214
11011000.00011011.00111101.10001001 216.27.61.137 Class C 24 2
8
-2 = 254
10110011.00101101.01000011.01011001 179.45.67.89 Class B 16 2
16
-2 =
65,534
11000110.00110101.10010011.00101101 198.53.147.45 Class C 24 2
8
-2 = 254
Task 4: Identify Valid and Invalid Host IP Addresses
Decimal IP Address Valid or Invalid If Invalid, Indicate Reason
23.75.345.200 Invalid 345 exceeds an 8-bit value (maximum = 255)
216.27.61.134 Valid
102.54.94 Invalid One octet is missing
255.255.255.255 Invalid Valid number but is an administrative number that should not
be assigned to a host
142.179.148.200 Valid
200.42.129.16 Valid
0.124.0.0 Invalid A Class A address cannot use 0 as the first octet

Lab 4-3 Answer Key: Computing Usable
Subnetworks and Hosts
Class C Network
Given a Class C network address of 192.168.89.0, the completed table is shown here.
Number of
h
2)
2 1 2
7
-2 = 126
5 3 2
5
-2 = 30
12 4 2
4
-2 = 14
24 5 2
3
-2 = 6
40 6 2
2
-2 = 2
Class B Network
Given a Class B network address of 172.25.0.0, the completed table is shown here.
Number of
h
2)
5 3 2
13
-2 = 8,190
8 3 2
13
-2 = 8,190
14 4 2
12
-2 = 4,094
20 5 2
11
-2 = 2,046
35 6 2
10
-2 = 1,022
Class A Network
Given a Class A network address of 10.0.0.0, the completed table is shown here.
Number of
h
2)
10 4 2
20
2 = 1,048,574
14 4 2
20
2 = 1,048,574
20 5 2
19
2 = 524,286
40 6 2
18
2 = 262,142
80 7 2
17
2 = 131,070

Lab 4-4: Answer Key
Task 1: Determine the Number of Possible Network Addresses
Classful
Address Decimal Subnet Mask Binary Subnet Mask
Number of
Hosts per
Subnet
(2
h
2)
/20 255.255.240.0 11111111.11111111.11110000.00000000 4,094
/21 255.255.248.0 11111111.11111111.11111000.00000000 2,046
/22 255.255.252.0 11111111.11111111.11111100.00000000 1,022
/23 255.255.254.0 11111111.11111111.11111110.00000000 510
/24 255.255.255.0 11111111.11111111.11111111.00000000 254
/25 255.255.255.128 11111111.11111111.11111111.10000000 126
/26 255.255.255.192 11111111.11111111.11111111.11000000 62
/27 255.255.255.224 11111111.11111111.11111111.11100000 30
/28 255.255.255.240 11111111.11111111.11111111.11110000 14
/29 255.255.255.248 11111111.11111111.11111111.11111000 6
/30 255.255.255.252 11111111.11111111.11111111.11111100 2
Task 2: Given a Network Block, Define Subnets
Assume that you have been assigned the 172.25.0.0 /16 network block. You need to establish
eight subnets. Complete the following questions.
1. How many bits do you need to borrow to define 12 subnets? 4
create 12 subnets.
Classful address: /20
Subnet mask (binary): 11111111.11111111.11110000.00000000
Subnet mask (decimal): 255.255.240.0
3. Use the eight-step method to define the 12 subnets.
1. Write down the octet that is being split in binary. 00000000
2. Write the mask or classful prefix length in binary. 11110000
0000 0000
1111 0000
for this subnet.
0000 0000 (first subnet)
0000 0001 (first host address)
0000 1110 (last host address)
0000 1111 (broadcast address)
0001 0000 (next subnet)
Subnet
Directed-Broadcast
Address
0 172.25.0.0 172.25.1.0 to 172.25.14.0 172.25.15.0
1 172.25.16.0 172.25.17.0 to 172.25.30.0 172.25.31.0
2 172.25.32.0 172.25.33.0 to 172.25.46.0 172.25.47.0
3 172.25.48.0 172.25.49.0 to 172.25.62.0 172.25.63.0
4 172.25.64.0 172.25.65.0 to 172.25.78.0 172.25.79.0
5 172.25.80.0 172.25.81.0 to 172.25.92.0 172.25.95.0
6 172.25.94.0 172.25.95 to 172.25.108.0 172.25.109.0
7 172.25.110.0 172.25.111.0 to 172.25.124.0 172.25.125.0

Task 3: Given Another Network Block, Define Subnets
Assume that you have been assigned the 192.168.1.0 /24 network block.
1. How many bits do you need to borrow to define six subnets? 3
create six subnets.
Classful address: /27
3. Use the eight-step method to define the six subnets.
000 00000
111 00000
for this subnet.
Subnet
Directed-Broadcast
Address
0 192.168.1.0 192.168.1.1 to 192.168.1.30 192.168.1.31
1 192.168.1.32 192.168.1.33 to 192.168.1.62 192.168.1.63
2 192.168.1.64 192.168.1.65 to 192.168.1.94 192.168.1.95
3 192.168.1.96 192.168.1.97 to 192.168.1.126 192.168.1.127
4 192.168.1.128 192.168.1.129 to 192.168.1.158 192.168.1.159
5 192.168.1.160 192.168.1.161 to 192.168.1.190 192.168.1.191
Subnets
2. How many subnets can you define with the specified mask? 16
3. How many hosts will be in each subnet? 14
1000 0001
1111 0000
for this subnet.
Subnet
Directed-Broadcast
Address
0 192.168.111.0 192.168.111.1 to 192.168.111.126 192.168.111.127
1 192.168.111.128 192.168.111.129 to 192.168.111.142 192.168.111.143
2 192.168.111.144 192.168.111.145 to 192.168.111.158 192.168.111.159
3 192.168.111.160 192.168.111.161 to 192.168.111.174 192.168.111.175
4 192.168.111.176 192.168.111.177 to 192.168.111.190 192.168.111.191
5 192.168.111.192 192.168.111.193 to 192.168.111.206 192.168.111.207
6 192.168.111.208 192.168.111.209 to 192.168.111.222 192.168.111.223
Subnets
126
510
1. Write down the octet that is being split in binary. 01110000.00000000
2. Write the mask or classful prefix length in binary. 11111110.00000000
0111000 0.00000000
1111111 0.00000000
for this subnet.
0111000 0.00000000 (first subnet)
0111000 0.00000001 (first host address)
0111000 1.11111110 (last host address)
0111000 1.11111111 (broadcast
address)
0111001 0.00000000 (next subnet)
Subnet
Directed-Broadcast
Address
0 172.25.0.0 172.25.0.1 to 172.25.1.254 172.25.1.255
1 172.25.2.0 172.25.2.1 to 172.25.3.254 172.25.3.255
2 172.25.4.0 172.25.4.1 to 172.25.5.254 172.25.5.255
3 172.25.6.0 172.25.6.1 to 172.25.7.254 172.25.7.255
4 172.25.8.0 172.25.8.1 to 172.25.9.254 172.25.9.255
. . .
Subnets
510
126
1. Write down the octet that is being split in binary. 00000000.10000001
2. Write the mask or classful prefix length in binary. 11111111.10000000
1 0000001
1 0000000
for this subnet.
00000000.10000000 (first subnet)
00000000.10000001 (first host address)
00000000.11111110 (last host address)
00000000.11111111 (broadcast
address)
00000001.10000000 (next subnet)
Subnet
Directed-Broadcast
Address
0 172.20.0.0 172.20.0.1 to 172.20.0.126 172.20.0.127
1 172.20.0.128 172.20.0.129 to 172.20.0.254 172.20.0.255
2 172.20.1.0 172.20.1.1 to 172.20.1.126 172.20.1.127
3 172.20.1.128 172.20.1.129 to 172.20.1.254 172.20.1.255
4 172.20.2.0 172.20.2.1 to 172.20.2.126 172.20.2.127
5 172.20.2.128 172.20.2.129 to 172.20.2.254 172.20.2.255
. . .

Lab 4-5 Answer Key: Performing Initial Router
Startup
When you complete this activity, your workgroup switch will have no configuration. Displayed
here is the output of the erase startup-config command. Remember that the username and
password cisco and cisco come from the default Cisco SDM configuration. Your output
will be similar to the results here:
Username: cisco
Password:
yourname#erase startup-config
Erasing the nvram filesystem will remove all configuration files! Continue?
[confirm]
[OK]
yourname#
*Mar 13 17:28:00.003: %SYS-7-NV_BLOCK_INIT: Initialized the geometry of nvram
yourname#reload
Proceed with reload? [confirm]

*Mar 13 17:28:07.939: %SYS-5-RELOAD: Reload requested by console. Reload Reason:
Reload Command.

Copyright (c) 2006 by cisco Systems, Inc.

Initializing memory for ECC
.
c2811 platform with 262144 Kbytes of main memory
Main memory is configured to 64 bit mode with ECC enabled

Upgrade ROMMON initialized

program load complete, entry point: 0x8000f000, size: 0x228d9f8
Self decompressing the image :
################################################################################
################################################################################
####################################### [OK]

Smart Init is enabled
smart init is sizing iomem
ID MEMORY_REQ TYPE
0003E7 0X003DA000 C2811 Mainboard
0X00263F50 Onboard VPN
0X000021B8 Onboard USB
0X002C29F0 public buffer pools
0X00211000 public particle pools
TOTAL: 0X00B13AF8

If any of the above Memory Requirements are
"UNKNOWN", you may be using an unsupported
configuration or there is a software problem and
system operation may be compromised.
Rounded IOMEM up to: 12Mb.
Using 4 percent iomem. [12Mb/256Mb]



cisco Systems, Inc.

Cisco IOS Software, 2800 Software (C2800NM-ADVIPSERVICESK9-M), Version 12.4(12),
Image text-base: 0x40093160, data-base: 0x42B00000



export@cisco.com.

Processor board ID FTX1050A3Q6
2 Serial(sync/async) interfaces




sslinit fn

*Mar 13 17:29:36.819: %VPN_HW-6-INFO_LOC: Crypto engine: onboard 0 State
changed to: Initialized
*Mar 13 17:29:36.819: %VPN_HW-6-INFO_LOC: Crypto engine: onboard 0 State
changed to: Enabled
*Mar 13 17:29:38.087: %LINEPROTO-5-UPDOWN: Line protocol on Interface VoIP-
Null0, changed state to up
*Mar 13 17:29:38.087: %LINK-3-UPDOWN: Interface FastEthernet0/0, changed state
to up
*Mar 13 17:29:38.087: %LINK-3-UPDOWN: Interface FastEthernet0/1, changed state
to up
*Mar 13 17:29:38.087: %LINK-3-UPDOWN: Interface Serial0/0/0, changed state to up
*Mar 13 17:29:38.087: %LINK-3-UPDOWN: Interface Serial0/0/1, changed state to
down
*Mar 13 17:29:39.491: %LINEPROTO-5-UPDOWN: Line protocol on Interface
Serial0/0/0, changed state to up
Serial0/0/0, changed state to up
*Mar 13 17:31:44.471: %LINK-5-CHANGED: Interface FastEthernet0/0, changed state
to administratively down
*Mar 13 17:31:44.471: %LINK-5-CHANGED: Interface FastEthernet0/1, changed state
to administratively down
*Mar 13 17:31:44.471: %LINK-5-CHANGED: Interface Serial0/0/0, changed state to
*Mar 13 17:31:44.475: %LINK-5-CHANGED: Interface Serial0/0/1, changed state to
*Mar 13 17:31:44.491: %IP-5-WEBINST_KILL: Terminating DNS process
*Mar 13 17:31:46.007: %SYS-5-RESTART: System restarted --
Cisco IOS Software, 2800 Software (C2800NM-ADVIPSERVICESK9-M), Version 12.4(12),
*Mar 13 17:31:46.011: %SNMP-5-COLDSTART: SNMP agent on host Router is undergoing
a cold start
*Mar 13 17:31:46.219: %SYS-6-BOOTTIME: Time taken to reboot after reload = 216
seconds
*Mar 13 17:31:46.399: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is OFF
Lab 4-6 Answer Key: Performing Initial Router
Configuration
When you complete this activity, your workgroup router configuration will be similar to the
!
version 12.4
!
no service password-encryption
!
hostname RouterX
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
!
!
ip cef
!
!
!
!
voice-card 0
no dspfarm
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
ip address 10.10.10.3 255.255.255.0
duplex half
speed auto
no mop enabled
!
no ip address
shutdown
duplex auto
speed auto
!
no ip address
shutdown
no fair-queue
!
no ip address
shutdown
clock rate 2000000
!
!
!
ip http server
no ip http secure-server
!
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
!
line con 0
line aux 0
line vty 0 4
password sanjose
login
!
!
end

Lab 4-7 Answer Key: Enhancing the Security of
Initial Router Configuration
!
!
version 12.4
!
!
hostname RouterX
!
boot-start-marker
boot-end-marker
!
enable password 7 14141B180F0B
!
no aaa new-model
!
!
ip cef
!
!
no ip domain lookup
ip domain name cisco.com
ip ssh version 2
!
!
voice-card 0
no dspfarm
!
!
!
!
!
!
!
!
!
!
!
!
!
!
username netadmin password 7 082F495A081D081E1C
!
!
!
!
!
!
ip address 10.10.10.3 255.255.255.0
duplex half
speed auto
no mop enabled
!
no ip address
shutdown
duplex auto
speed auto
!
no ip address
shutdown
no fair-queue
!
no ip address
shutdown
clock rate 2000000
!
!
!
ip http server
!
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
banner login ^C
********** Warning *************

**************************************************************^C
!
line con 0
password 7 14041305060B392E
login
line aux 0
line vty 0 4
password 7 071C204244060A00
login local
transport input telnet ssh
!
!
end
Lab 4-8 Answer Key: Using Cisco SDM to
Configure DHCP Server Function
!
!
version 12.4
!
!
hostname RouterX
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
!
!
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 10.10.10.1 10.10.10.149
!
ip dhcp pool wgA_clients
import all
network 10.10.10.0 255.255.255.0
lease 0 0 5
!
!
no ip domain lookup
ip ssh version 2
!
!
voice-card 0
no dspfarm
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
crypto pki certificate chain TP-self-signed-3715519608
30820249 308201B2 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 33373135 35313936 3038301E 170D3037 30343035 32333135
30305A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D33 37313535
31393630 3830819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
8100D0D2 4D67CC33 F0966C60 96BD12D2 675EB867 42087A6F 4310110E 1E852852
E965291B A9E21580 7F77960A B83618A5 65A718BE 4E81DB21 669B48D1 172E1FF3
73575C54 6B25A849 6E886C49 3EA0D03C CC5E7AFA 186AE594 22F612D6 8CA089EC
355AFCF5 9FBA492A EEEB13C8 27A6F2BE EEC51E85 18B52144 10DDA46C C0831824
D0450203 010001A3 71306F30 0F060355 1D130101 FF040530 030101FF 301C0603
551D1104 15301382 1177675F 726F5F61 2E636973 636F2E63 6F6D301F 0603551D
23041830 168014B7 CBDB7C0C C2AEB57B B2CA8F85 6C9567DA ACA8F430 1D060355
1D0E0416 0414B7CB DB7C0CC2 AEB57BB2 CA8F856C 9567DAAC A8F4300D 06092A86
4886F70D 01010405 00038181 0061FD2F C903A4A2 0E241513 68AD17EA 16856A52
46C655CA 7AD9C703 DE996CD7 7F009ED1 19829639 6D57B06C 5225DEF4 5F3325D1
1567E90F 60858412 AB1E106A 3110FD46 9439D60A 7FFB783D D740FDAC EC00C4B5
388FFD58 436F2B2A A305F71B 00E91CAD 90B5F317 D705450E DC511A46 E777ACAC
1C07F960 64CCE156 F65330FE 02
quit
username netadmin privilege 15 password 7 082F495A081D081E1C
!
!
!
!
!
!
ip address 10.10.10.3 255.255.255.0
duplex half
speed auto
no mop enabled
!
no ip address
shutdown
duplex auto
speed auto
!
no ip address
shutdown
no fair-queue
!
no ip address
shutdown
clock rate 2000000
!
!
!
ip http server
ip http authentication local
!
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
banner login ^C
********** Warning *************

**************************************************************^C
!
line con 0
password 7 14041305060B392E
login
line aux 0
line vty 0 4
password 7 071C204244060A00
login local
!
!
end
Lab 4-9 Answer Key: Managing Remote Access
Sessions
!
!
version 12.4
!
!
hostname RouterX
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
!
!
ip cef
!
import all
network 10.10.10.0 255.255.255.0
lease 0 0 5
!
!
no ip domain lookup
ip ssh version 2
!
!
voice-card 0
no dspfarm
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
30820249 308201B2 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 33373135 35313936 3038301E 170D3037 30343035 32333135
30305A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D33 37313535
31393630 3830819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
D0450203 010001A3 71306F30 0F060355 1D130101 FF040530 030101FF 301C0603
551D1104 15301382 1177675F 726F5F61 2E636973 636F2E63 6F6D301F 0603551D
4886F70D 01010405 00038181 0061FD2F C903A4A2 0E241513 68AD17EA 16856A52
1C07F960 64CCE156 F65330FE 02
quit
!
!
!
!
!
!
ip address 10.10.10.3 255.255.255.0
duplex half
speed auto
no mop enabled
!
no ip address
shutdown
duplex auto
speed auto
!
no ip address
shutdown
no fair-queue
!
no ip address
shutdown
clock rate 2000000
!
!
!
ip http server
!
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
banner login ^C
********** Warning *************

**************************************************************^C
!
line con 0
exec-timeout 60 0
password 7 14041305060B392E
logging synchronous
login
history size 100
line aux 0
line vty 0 4
password 7 071C204244060A00
logging synchronous
login local
history size 100
!
!
end
Lab 5-1 Answer Key: Connecting to the Internet
!
!
version 12.4
!
!
hostname RouterX
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
!
!
ip cef
!
import all
network 10.10.10.0 255.255.255.0
lease 0 0 5
!
!
no ip domain lookup
ip ssh version 2
!
!
voice-card 0
no dspfarm
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
30820249 308201B2 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 33373135 35313936 3038301E 170D3037 30343035 32333135
30305A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D33 37313535
31393630 3830819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
D0450203 010001A3 71306F30 0F060355 1D130101 FF040530 030101FF 301C0603
551D1104 15301382 1177675F 726F5F61 2E636973 636F2E63 6F6D301F 0603551D
4886F70D 01010405 00038181 0061FD2F C903A4A2 0E241513 68AD17EA 16856A52
1C07F960 64CCE156 F65330FE 02
quit
!
!
!
!
!
!
ip address 10.10.10.3 255.255.255.0
duplex half
speed auto
no mop enabled
!
no ip address
shutdown
duplex auto
speed auto
!
no ip address
shutdown
no fair-queue
!
no ip address
shutdown
clock rate 2000000
!
!
!
ip http server
!
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
banner login ^C
********** Warning *************

**************************************************************^C
!
line con 0
exec-timeout 60 0
password 7 14041305060B392E
logging synchronous
login
history size 100
line aux 0
line vty 0 4
password 7 071C204244060A00
logging synchronous
login local
history size 100
!
!
end
Lab 5-2 Answer Key: Connecting to the Main
Office
!
!
version 12.4
!
!
hostname RouterX
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
!
!
ip cef
!
import all
network 10.10.10.0 255.255.255.0
lease 0 0 5
!
!
no ip domain lookup
ip ssh version 2
!
!
voice-card 0
no dspfarm
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
30820249 308201B2 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 33373135 35313936 3038301E 170D3037 30343035 32333135
30305A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D33 37313535
31393630 3830819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
D0450203 010001A3 71306F30 0F060355 1D130101 FF040530 030101FF 301C0603
551D1104 15301382 1177675F 726F5F61 2E636973 636F2E63 6F6D301F 0603551D
4886F70D 01010405 00038181 0061FD2F C903A4A2 0E241513 68AD17EA 16856A52
1C07F960 64CCE156 F65330FE 02
quit
!
!
!
!
!
!
ip address 10.10.10.3 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex half
speed auto
no mop enabled
!
description $ETH-WAN$
ip address dhcp client-id FastEthernet0/1
ip nat outside
duplex auto
speed auto
!
ip address 10.140.10.2 255.255.255.0
encapsulation ppp
no fair-queue
!
no ip address
shutdown
clock rate 2000000
!
ip route 192.168.21.0 255.255.255.0 10.140.10.1
!
!
ip http server
ip nat inside source list 1 interface FastEthernet0/1 overload
!
access-list 1 remark INSIDE_IF=FastEthernet0/0
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 10.10.10.0 0.0.0.255
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
banner login ^C
********** Warning *************

**************************************************************^C
!
line con 0
exec-timeout 60 0
password 7 14041305060B392E
logging synchronous
login
history size 100
line aux 0
line vty 0 4
password 7 071C204244060A00
logging synchronous
login local
history size 100
!
!
end
Lab 5-3 Answer Key: Enabling Dynamic Routing
to the Main Office
!
!
version 12.4
!
!
hostname RouterX
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
!
!
ip cef
!
import all
network 10.10.10.0 255.255.255.0
lease 0 0 5
!
!
no ip domain lookup
ip ssh version 2
!
!
voice-card 0
no dspfarm
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
30820249 308201B2 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 33373135 35313936 3038301E 170D3037 30343035 32333135
30305A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D33 37313535
31393630 3830819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
D0450203 010001A3 71306F30 0F060355 1D130101 FF040530 030101FF 301C0603
551D1104 15301382 1177675F 726F5F61 2E636973 636F2E63 6F6D301F 0603551D
4886F70D 01010405 00038181 0061FD2F C903A4A2 0E241513 68AD17EA 16856A52
1C07F960 64CCE156 F65330FE 02
quit
!
!
!
!
!
!
ip address 10.10.10.3 255.255.255.0
ip nat inside
duplex half
speed auto
no mop enabled
!
ip nat outside
duplex auto
speed auto
!
ip address 10.140.10.2 255.255.255.0
encapsulation ppp
no fair-queue
!
no ip address
shutdown
clock rate 2000000
!
router rip
version 2
network 10.0.0.0
!
!
!
ip http server
!
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
banner login ^C
********** Warning *************

**************************************************************^C
!
line con 0
exec-timeout 60 0
password 7 14041305060B392E
logging synchronous
login
history size 100
line aux 0
line vty 0 4
password 7 071C204244060A00
logging synchronous
login local
history size 100
!
!
end
Lab 6-1 Answer Key: Using Cisco Discovery
Protocol
!
version 12.4
!
!
hostname RouterX
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
!
!
ip cef
!
import all
network 10.10.10.0 255.255.255.0
lease 0 0 5
!
!
no ip domain lookup
ip ssh version 2
!
!
voice-card 0
no dspfarm
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
30820249 308201B2 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 33373135 35313936 3038301E 170D3037 30343035 32333135
30305A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D33 37313535
31393630 3830819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
D0450203 010001A3 71306F30 0F060355 1D130101 FF040530 030101FF 301C0603
551D1104 15301382 1177675F 726F5F61 2E636973 636F2E63 6F6D301F 0603551D
4886F70D 01010405 00038181 0061FD2F C903A4A2 0E241513 68AD17EA 16856A52
1C07F960 64CCE156 F65330FE 02
quit
!
!
!
!
!
!
ip address 10.10.10.3 255.255.255.0
ip nat inside
duplex half
speed auto
no mop enabled
!
ip nat outside
duplex auto
speed auto
no cdp enable
!
ip address 10.140.10.2 255.255.255.0
encapsulation ppp
no fair-queue
!
no ip address
shutdown
clock rate 2000000
!
router rip
version 2
network 10.0.0.0
!
!
!
ip http server
!
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
banner login ^C
********** Warning *************

**************************************************************^C
!
line con 0
exec-timeout 60 0
password 7 14041305060B392E
logging synchronous
login
history size 100
line aux 0
line vty 0 4
password 7 071C204244060A00
logging synchronous
login local
history size 100
!
!
end

!
version 12.2
no service pad
!
hostname SwitchX
!
!
no aaa new-model
ip subnet-zero
!
no ip domain-lookup
ip ssh version 2
!
!
!
!
3082028D 308201F6 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
53312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 31383333 32303037 36383120 301E0609 2A864886 F70D0109
02161177 675F7377 5F612E63 6973636F 2E636F6D 301E170D 39333033 30313030
30313033 5A170D32 30303130 31303030 3030305A 3053312F 302D0603 55040313
26494F53 2D53656C 662D5369 676E6564 2D436572 74696669 63617465 2D313833
33323030 37363831 20301E06 092A8648 86F70D01 09021611 77675F73 775F612E
63697363 6F2E636F 6D30819F 300D0609 2A864886 F70D0101 01050003 818D0030
81890281 8100B444 4F07E979 88953526 E0B8480C 52DBC1E7 E5FF660A 41932329
F83865F5 8BFD0203 010001A3 71306F30 0F060355 1D130101 FF040530 030101FF
301C0603 551D1104 15301382 1177675F 73775F61 2E636973 636F2E63 6F6D301F
44531337 B03B7055 48A0B320 0A6C3173 C0
quit
!
!
no file verify auto
!
!
!
!
shutdown
no cdp enable
!
shutdown
no cdp enable
!
shutdown
no cdp enable
!
shutdown
no cdp enable
!
shutdown
no cdp enable
!
shutdown
no cdp enable
!
shutdown
no cdp enable
!
shutdown
no cdp enable
!
no cdp enable
!
no cdp enable
!
shutdown
no cdp enable
!
shutdown
no cdp enable
!
shutdown
no cdp enable
!
shutdown
no cdp enable
!
shutdown
no cdp enable
!
shutdown
no cdp enable
!
shutdown
no cdp enable
!
shutdown
no cdp enable
!
shutdown
no cdp enable
!
shutdown
no cdp enable
!
shutdown
no cdp enable
!
shutdown
no cdp enable
!
shutdown
no cdp enable
!
shutdown
no cdp enable
!
interface Vlan1
ip address 10.10.10.11 255.255.255.0
no ip route-cache
!
ip http server
!
control-plane
!
banner login ^C
********** Warning *************

**************************************************************^C
!
line con 0
exec-timeout 60 0
logging synchronous
login
history size 100
line vty 0 4
logging synchronous
login local
history size 100
line vty 5 15
logging synchronous
login local
history size 100
!
end
Lab 6-2 Answer Key: Managing Router Startup
Options
!
version 12.4
!
hostname RouterX
!
boot-start-marker
boot system tftp c2800nm-advipservicesk9-mz.124-12.bin 10.10.10.1
boot system flash
boot-end-marker
!
no logging buffered
enable secret 5 $1$X.GH$OkseupwTuqqjGp4oP4Fdg0
enable password 7 121A0C041104
!
no aaa new-model
!
!
ip cef
!
import all
network 10.10.10.0 255.255.255.0
default-router 10.10.10.3
lease 0 0 5
!
!
no ip domain lookup
ip ssh version 2
!
!
voice-card 0
no dspfarm
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
30820249 308201B2 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 33373135 35313936 3038301E 170D3037 30343035 32333135
30305A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D33 37313535
31393630 3830819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
D0450203 010001A3 71306F30 0F060355 1D130101 FF040530 030101FF 301C0603
551D1104 15301382 1177675F 726F5F61 2E636973 636F2E63 6F6D301F 0603551D
4886F70D 01010405 00038181 0061FD2F C903A4A2 0E241513 68AD17EA 16856A52
1C07F960 64CCE156 F65330FE 02
quit
username netadmin privilege 15 password 7 0208014F0A02022842
!
!
!
!
!
!
ip address 10.10.10.3 255.255.255.0
ip nat inside
duplex half
speed auto
no mop enabled
!
ip nat outside
duplex auto
speed auto
no cdp enable
!
ip address 10.140.10.2 255.255.255.0
encapsulation ppp
no fair-queue
!
no ip address
shutdown
clock rate 2000000
!
router rip
version 2
network 10.0.0.0
!
!
!
ip http server
!
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
banner login ^C
********** Warning *************

**************************************************************^C
!
line con 0
exec-timeout 60 0
logging synchronous
login
history size 100
line aux 0
line vty 0 4
logging synchronous
login local
history size 100
!
!
end
Lab 6-3 Answer Key: Managing Cisco Devices
There were no overall changes to the configuration.!
Lab 6-4 Answer Key: Confirming the
Reconfiguration of the Branch Network
!
version 12.4
!
hostname RouterXX
!
boot-start-marker
boot system tftp c2800nm-advipservicesk9-mz.124-12.bin 10.10.10.1
boot system flash
boot-end-marker
!
enable secret 5 $1$t7tb$L8Par/.s/MaoshaZH1cLq0
enable password 7 0822455D0A16
!
no aaa new-model
!
!
ip cef
!
ip dhcp pool branchXX-clients
import all
network 10.10.10.0 255.255.255.0
default-router 10.10.10.3
lease 0 0 5
!
!
ip ssh version 2
!
!
voice-card 0
no dspfarm
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
3082023F 308201A8 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 33353735 36303131 3833301E 170D3037 30353034 32313439
31315A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D33 35373536
30313138 3330819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
8100E3CA 6B4F5C16 545F1796 C3600BE9 433F7C87 CB676A33 D42BF42A A6433BAF
25582787 6028AE73 F3EAFD24 EA37AFEE CF6F101D 14EF2CCF 8EF4085C 2ED0E54B
E1758915 13A5499E 378275C7 3BBE4F32 009DB10E 5039EB40 2C43D4EA 1407B634
A0EFEB26 23E4045E EAFE99BE 88C4DA01 357684AC 65572494 ABDC6A99 AA85D645
D8530203 010001A3 67306530 0F060355 1D130101 FF040530 030101FF 30120603
551D1104 0B300982 07526F75 74657258 301F0603 551D2304 18301680 14E0035D
916FE499 69EDA5C0 C15FDB83 17F62591 45301D06 03551D0E 04160414 E0035D91
6FE49969 EDA5C0C1 5FDB8317 F6259145 300D0609 2A864886 F70D0101 04050003
81810070 7B5F8CB1 BB014CBA 3E317573 C2303187 3534E5C7 71FDDDE5 EC4D6331
A0498B71 49FE6A9A 5A5F6703 091EBDDC B828F955 4851F005 B214B407 4A0E67C0
87AC8E94 52F130E9 73E28BD9 EC4A028B 6424BCF2 EF0A993C 1BA75BED E3E0D217
E1129982 E1A40C9C 98F43F91 363474F2 97E3BBFF E60A7AA5 01327A27 EA69FCE6 0C4D36
quit
username netadmin privilege 15 password 7 0505031B2048430017
!
!
!
!
!
!
ip address 10.10.10.3 255.255.255.0
ip nat inside
duplex auto
speed auto
!
ip nat outside
duplex auto
speed auto
no cdp enable
!
ip address 10.140.100.2 255.255.255.0
encapsulation ppp
no cdp enable
!
no ip address
shutdown
no cdp enable
!
router rip
version 2
network 10.0.0.0
!
!
!
ip http server
!
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
banner login
************* Warning **********************
**************************************************************
!
line con 0
exec-timeout 60 0
password 7 08324D4003161612
logging synchronous
login
history size 100
line aux 0
line vty 0 4
logging synchronous
login local
history size 100
transport input ssh
!
!
end

!
version 12.2
no service pad
!
hostname SwitchXX
!
enable secret 5 $1$LLvt$3gBuRQzm6eAcGfQjsgHC01
enable password 7 01100F175804
!
username netadmin privilege 15 password 7 1419171F0D0027222A
no aaa new-model
ip subnet-zero
!
no ip domain-lookup
ip ssh version 2
!
!
!
!
3082028B 308201F4 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
52312E30 2C060355 04031325 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 38303930 32343736 38312030 1E06092A 864886F7 0D010902
16115377 69746368 582E6369 73636F2E 636F6D30 1E170D39 33303330 31303030
3130305A 170D3230 30313031 30303030 30305A30 52312E30 2C060355 04031325
494F532D 53656C66 2D536967 6E65642D 43657274 69666963 6174652D 38303930
32343736 38312030 1E06092A 864886F7 0D010902 16115377 69746368 582E6369
73636F2E 636F6D30 819F300D 06092A86 4886F70D 01010105 0003818D 00308189
02818100 D2D79D92 1395A6CB 46CAAD3C 6873B3D3 75B1B226 1E4EC5BC 87906C24
DAC40D83 6380CE06 C04AE1DE B6DBD7A4 5941D5E5 C2FA7464 DC6135A6 EFED87E4
966DC533 6BB18EDF 213503E7 B5B0E919 99C666B9 89AB8988 553288C0 400D6821
912B2908 B076FE8D 4645B79C 1FDEEBEF 83DBB7AF 3C92B363 52F68131 E2BEEDC3
4E0CC8FB 02030100 01A37130 6F300F06 03551D13 0101FF04 05300301 01FF301C
0603551D 11041530 13821153 77697463 68582E63 6973636F 2E636F6D 301F0603
551D2304 18301680 14B5A18A 31CE43E7 9D9704B4 815246B1 3D601AB8 A7301D06
03551D0E 04160414 B5A18A31 CE43E79D 9704B481 5246B13D 601AB8A7 300D0609
2A864886 F70D0101 04050003 81810007 16DD332F F2711854 434842FA 026C6F29
82718220 8249778B 4CDFFE66 1B52B55E AA6BC328 CF0CD466 E9DE6464 CF1836A3
F62723B8 14D8A873 535C205E BDC26BAC E73C448D 0E0B8194 402C6A67 CD6EFA78
CDD0A83A 0335EB3E 9ADCA41E 768FA332 572AE050 1121207E D4E79437 894E3588
65E3D60A 57150B63 9206A35B C71BB9
quit
!
!
no file verify auto
!
!
switchport port-security mac-address sticky 0017.5a78.be0f
no cdp enable
!
!
shutdown
no cdp enable
!
shutdown
no cdp enable
!
shutdown
no cdp enable
!
shutdown
no cdp enable
!
shutdown
no cdp enable
!
shutdown
no cdp enable
!
shutdown
no cdp enable
!
shutdown
no cdp enable
!
no cdp enable
!
no cdp enable
!
shutdown
no cdp enable
!
shutdown
no cdp enable
!
shutdown
no cdp enable
!
shutdown
no cdp enable
!
shutdown
no cdp enable
!
shutdown
no cdp enable
!
shutdown
no cdp enable
!
shutdown
no cdp enable
!
shutdown
no cdp enable
!
shutdown
no cdp enable
!
shutdown
no cdp enable
!
shutdown
no cdp enable
!
shutdown
no cdp enable
!
shutdown
no cdp enable
!
interface Vlan1
ip address 10.10.10.11 255.255.255.0
no ip route-cache
!
ip http server
!
control-plane
!
banner login
********** Warning *************

**************************************************************
!
line con 0
exec-timeout 60 0
password 7 04480A08052E5F4B
logging synchronous
login
history size 100
line vty 0 4
password 7 03175A01091C24
logging synchronous
login local
history size 100
transport input ssh
line vty 5 15
password 7 001712080E541803
logging synchronous
login local
history size 100
transport input ssh
!
end


Icnd110 LG Secured

Enviado por

Dados do documento

Descrição original:

Título original

Direitos autorais

Formatos disponíveis

Compartilhar este documento

Compartilhar ou incorporar documento

Opções de compartilhamento

Você considera este documento útil?

Este conteúdo é inapropriado?

Direitos autorais:

Formatos disponíveis

Icnd110 LG Secured

Enviado por

Direitos autorais:

Formatos disponíveis

ICND1

Você também pode gostar