ICND1 Interconnecting Cisco Networking Devices Part 1 Version 1.0 Lab Guide Editorial, Production, and Web Services: 07.25.07 The PDF files and any printed representation for this material are the property of Cisco Systems, Inc., for the sole use by Cisco employees for personal study. The files or printed representations may not be used in commercial training, and may not be distributed for purposes other than individual self-study.


ICND1

Interconnecting Cisco Networking Devices Part 1 Version 1.0

Lab Guide

Editorial, Production, and Web Services: 07.25.07


DISCLAIMER WARRANTY: THIS CONTENT IS BEING PROVIDED “AS IS.” CISCO MAKES AND YOU RECEIVE NO WARRANTIES IN CONNECTION WITH THE CONTENT PROVIDED HEREUNDER, EXPRESS, IMPLIED, STATUTORY OR IN ANY OTHER PROVISION OF THIS CONTENT OR COMMUNICATION BETWEEN CISCO AND YOU. CISCO SPECIFICALLY DISCLAIMS ALL IMPLIED WARRANTIES, INCLUDING WARRANTIES OF MERCHANTABILITY, NON-INFRINGEMENT AND FITNESS FOR A PARTICULAR PURPOSE, OR ARISING FROM A COURSE OF DEALING, USAGE OR TRADE PRACTICE. This learning product may contain early release content, and while Cisco believes it to be accurate, it falls subject to the disclaimer above.


Table of Contents

Lab Guide
  Overview
  Outline

Lab 1-1: Using Windows Applications as Network Tools
  Activity Objective
  Visual Objective
  Required Resources
  Command List
  Job Aids
  Task 1: Obtain the Current IP Address Information
  Task 2: View the Network Properties of the PC Ethernet Adapter
  Task 3: Test Connectivity to the Default Gateway Router
  Task 4: View the ARP Bindings of IP Address to MAC Address

Lab 1-2: Observing the TCP Three-Way Handshake
  Activity Objective
  Visual Objective
  Required Resources
  Command List
  Job Aids
  Task 1: Prepare the Sniffer Software to Capture a TCP Flow
  Task 2: Generate the TCP Flow to Be Captured
  Task 3: Inspect the TCP Initialization Sequence

Lab 1-3: Observing Extended PC Network Information
  Activity Objective
  Visual Objective
  Required Resources
  Command List
  Job Aids
  Task 1: Obtain the Full Current IP Addressing Information
  Task 2: Test Connectivity to the DNS Server
  Task 3: Tracing Connectivity to the DNS Server

Lab 2-1: Connecting to Remote Lab Equipment
  Activity Objective
  Visual Objective
  Required Resources
  Command List
  Job Aid
  Task 1: Connect to Remote Console Server
  Task 2: Connect to Remote VPN Router

Lab 2-2: Performing Switch Startup and Initial Configuration
  Activity Objective
  Visual Objective
  Required Resources
  Command List
  Job Aids
  Task 1: Connect to Your Assigned Workgroup Switch
  Task 2: Verify That Switch Is Unconfigured and Reload
  Task 3: Use System Configuration Dialog to Produce an Initial Configuration
  Task 4: Add Default Gateway to Initial Configuration

Lab 2-3: Enhancing the Security of Initial Switch Configuration
  Activity Objective
  Visual Objective
  Required Resources
  Command List
  Job Aids
  Task 1: Add Password Protection to Console Port and Vty Lines
  Task 2: Activate Password Encryption Service
  Task 3: Apply a Login Banner


  Task 4: Enable SSH Protocol for Remote Management
  Task 5: Configure Port Security on a Switch
  Task 6: Disable Unused Ports and Place All Ports in Access Mode

Lab 2-4: Operating and Configuring a Cisco IOS Device
  Activity Objective
  Visual Objective
  Required Resources
  Command List
  Job Aids
  Task 1: Explore Context-Sensitive Help
  Task 2: Edit an Incorrect Command
  Task 3: Improve the Usability of the CLI

Lab 4-1: Converting Decimal to Binary and Binary to Decimal
  Activity Objective
  Visual Objective
  Required Resources
  Command List
  Job Aids
  Activity Preparation
  Task 1: Convert from Decimal Notation to Binary Format
  Task 2: Convert from Binary Notation to Decimal Format

Lab 4-2: Classifying Network Addressing
  Activity Objective
  Visual Objective
  Required Resources
  Command List
  Job Aids
  Activity Preparation
  Task 1: Convert from Decimal IP Address to Binary Format
  Task 2: Convert from Binary Format to Decimal IP Address
  Task 3: Identify IP Address Classes
  Task 4: Identify Valid and Invalid Host IP Addresses

Lab 4-3: Computing Usable Subnetworks and Hosts
  Activity Objective
  Visual Objective
  Required Resources
  Command List
  Job Aids
  Activity Preparation
  Task 1: Determine the Number of Bits Required to Subnet a Class C Network
  Task 2: Determine the Number of Bits Required to Subnet a Class B Network
  Task 3: Determine the Number of Bits Required to Subnet a Class A Network

Lab 4-4: Calculating Subnet Masks
  Activity Objective
  Visual Objective
  Required Resources
  Command List
  Job Aids
  Activity Preparation
  Task 1: Determine the Number of Possible Network Addresses
  Task 2: Given a Network Address, Define Subnets
  Task 3: Given Another Network Address, Define Subnets
  Task 4: Given a Network Address and Classful Address, Define Subnets
  Task 5: Given a Network Block and Classful Address, Define Subnets
  Task 6: Given a Network Block and Classful Address, Define Subnets

Lab 4-5: Performing Initial Router Startup
  Activity Objective
  Visual Objective
  Required Resources
  Command List


  Job Aids
  Task 1: Remove Any Residual Configuration from Your Router
  Task 2: Reload the Router and Observe the Startup Output

Lab 4-6: Performing Initial Router Configuration
  Activity Objective
  Visual Objective
  Required Resources
  Command List
  Job Aids
  Task 1: Enter the Initial Configuration Using the setup Command
  Task 2: Validate the Router Configuration

Lab 4-7: Enhancing the Security of Initial Router Configuration
  Activity Objective
  Visual Objective
  Required Resources
  Command List
  Job Aids
  Task 1: Add Password Protection to Console Port
  Task 2: Activate Password Encryption Service
  Task 3: Apply a Login Banner
  Task 4: Enable SSH Protocol for Remote Management

Lab 4-8: Using Cisco SDM to Configure DHCP Server Function
  Activity Objective
  Visual Objective
  Required Resources
  Command List
  Job Aids
  Task 1: Configuring the Router to Support Web-Based Applications, a User with Privilege 15, and Telnet and SSH
  Task 2: Use Cisco SDM to Configure a DHCP Pool
  Task 2: Using Tools to Correlate Network Information

Lab 4-9: Managing Remote Access Sessions
  Activity Objective
  Visual Objective
  Required Resources
  Command List
  Job Aids
  Task 1: Improve the Usability of the Router CLI
  Task 2: Connect to Your Remote Workgroup via VPN Tunnel
  Task 3: Using the Cisco IOS CLI Commands to Control Telnet and SSH Sessions

Lab 5-1: Connecting to the Internet
  Activity Objective
  Visual Objective
  Required Resources
  Command List
  Job Aids
  Task 1: Use Cisco SDM to Configure the Ethernet Connection to the Internet
  Task 2: Use the CLI to Verify and Observe the Operation of PAT on Your Workgroup Router

Lab 5-2: Connecting to the Main Office
  Activity Objective
  Visual Objective
  Required Resources
  Command List
  Job Aids
  Task 1: Configure Your Workgroup Router Serial 0/0/0
  Task 2: Test Connectivity to Your Assigned Remote Network
  Task 3: Add a Static Route Entry for Your Remote Network


Lab 5-3: Enabling Dynamic Routing to the Main Office
  Activity Objective
  Visual Objective
  Required Resources
  Command List
  Job Aids
  Task 1: Configure RIP Routing Protocol on Your Workgroup Router
  Task 2: Replace the Existing Static Route and Test Connectivity

Lab 6-1: Using Cisco Discovery Protocol
  Activity Objective
  Visual Objective
  Required Resources
  Command List
  Job Aids
  Task 1: Use and Control Cisco Discovery Protocol on Your Workgroup Router
  Task 2: Use and Control Cisco Discovery Protocol on Your Workgroup Switch

Lab 6-2: Managing Router Startup Options
  Activity Objective
  Visual Objective
  Required Resources
  Command List
  Job Aids
  Task 1: Modify the Configuration Register
  Task 2: Observe the Flash File System and Add Boot System Commands

Lab 6-3: Managing Cisco Devices
  Activity Objective
  Visual Objective
  Required Resources
  Command List
  Job Aids
  Task 1: Copy Configuration Files
  Task 2: Use debug Commands

Lab 6-4: Confirming the Reconfiguration of the Branch Network
  Activity Objective
  Visual Objective
  Required Resources
  Command Lists
  Job Aids
  Task 1: Connect to the Remote Lab
  Task 2: Prepare to Verify Your Configuration
  Task 3: Verify Your Configuration

Answer Key
  Lab 2-2 Answer Key: Performing Switch Startup and Initial Configuration
  Lab 2-3 Answer Key: Enhancing the Security of Initial Switch Configuration
  Lab 2-4 Answer Key: Operating and Configuring a Cisco IOS Device
  Lab 4-1 Answer Key: Converting Decimal to Binary and Binary to Decimal
    Task 1: Convert from Decimal Notation to Binary Format
    Task 2: Convert from Binary Notation to Decimal Format
  Lab 4-2 Answer Key: Classifying Network Addressing
    Task 1: Convert from Decimal IP Address to Binary Format
    Task 2: Convert from Binary Format to Decimal IP Address
    Task 3: Identify IP Address Classes
    Task 4: Identify Valid and Invalid Host IP Addresses
  Lab 4-3 Answer Key: Computing Usable Subnetworks and Hosts
    Task 1: Determine the Number of Bits Required to Subnet a Class C Network
    Task 2: Determine the Number of Bits Required to Subnet a Class B Network
    Task 3: Determine the Number of Bits Required to Subnet a Class A Network
  Lab 4-4: Answer Key
    Task 1: Determine the Number of Possible Network Addresses
    Task 2: Given a Network Block, Define Subnets


    Task 3: Given Another Network Block, Define Subnets
    Task 4: Given a Network Block and Classful Address, Define Subnets
    Task 5: Given a Network Block and Classful Address, Define Subnets
    Task 6: Given a Network Block and Classful Address, Define Subnets
  Lab 4-5 Answer Key: Performing Initial Router Startup
  Lab 4-6 Answer Key: Performing Initial Router Configuration
  Lab 4-7 Answer Key: Enhancing the Security of Initial Router Configuration
  Lab 4-8 Answer Key: Using Cisco SDM to Configure DHCP Server Function
  Lab 4-9 Answer Key: Managing Remote Access Sessions
  Lab 5-1 Answer Key: Connecting to the Internet
  Lab 5-2 Answer Key: Connecting to the Main Office
  Lab 5-3 Answer Key: Enabling Dynamic Routing to the Main Office
  Lab 6-1 Answer Key: Using Cisco Discovery Protocol
  Lab 6-2 Answer Key: Managing Router Startup Options
  Lab 6-3 Answer Key: Managing Cisco Devices
  Lab 6-4 Answer Key: Confirming the Reconfiguration of the Branch Network


ICND1

Lab Guide

Overview

This guide presents instructions and other information concerning the lab activities for this course. You can find the solutions in the lab activity Answer Key.

Outline

This guide includes these activities:

Lab 1-1: Using Windows Applications as Network Tools

Lab 1-2: Observing the TCP Three-Way Handshake

Lab 1-3: Observing Extended PC Network Information

Lab 2-1: Connecting to Remote Lab Equipment

Lab 2-2: Performing Switch Startup and Initial Configuration

Lab 2-3: Enhancing the Security of Initial Switch Configuration

Lab 2-4: Operating and Configuring a Cisco IOS Device

Lab 4-1: Converting Decimal to Binary and Binary to Decimal

Lab 4-2: Classifying Network Addressing

Lab 4-3: Computing Usable Subnetworks and Hosts

Lab 4-4: Calculating Subnet Masks

Lab 4-5: Performing Initial Router Startup

Lab 4-6: Performing Initial Router Configuration

Lab 4-7: Enhancing the Security of Initial Router Configuration

Lab 4-8: Using Cisco SDM to Configure DHCP Server Function

Lab 4-9: Managing Remote Access Sessions

Lab 5-1: Connecting to the Internet

Lab 5-2: Connecting to the Main Office

Lab 5-3: Enabling Dynamic Routing to the Main Office


Lab 6-1: Using Cisco Discovery Protocol

Lab 6-2: Managing Router Startup Options

Lab 6-3: Managing Cisco Devices

Lab 6-4: Confirming the Reconfiguration of the Branch Network

Answer Key


Lab 1-1: Using Windows Applications as Network Tools

Complete this lab activity to practice what you learned in the related module.

Activity Objective

In this activity, you will use Windows applications and commands to investigate the IP configuration of your PC and your local network. After completing this activity, you will be able to meet these objectives:

Using the Windows command ipconfig, determine the current network addressing information of a PC.

Using the Windows command ping, test connectivity to the default gateway router.

Using the Windows command arp -a, view the ARP table of the local PC and determine the association between the IP address and the MAC address of the default gateway.

Visual Objective

The figure illustrates what you will accomplish in this activity.

[Figure: Visual Objective for Lab 1-1: Using Windows Applications as Network Tools]

Required Resources

These are the resources and equipment that are required to complete this activity:

A PC connected to a functioning network, with connectivity to the Internet


Command List

The table describes the commands that are used in this activity.

Windows Commands

Command     Description
arp -a      This command with the -a parameter outputs the ARP table. Remember that entries are removed from the ARP table after 5 minutes of inactivity.
ipconfig    This command outputs the current IP address, network mask, and default gateway IP address.
ping        ping (-t)

Job Aids

These job aids are available to help you complete the lab activity.

There are no job aids for this lab.

Task 1: Obtain the Current IP Address Information

To obtain the current IP address information, use the Windows ipconfig command. Windows commands are entered in a Command window, so you must open one first.

Activity Procedure

Complete these steps:

Step 1 From the Windows desktop, click Start.

Step 2 Choose Run, and enter cmd in the Run window dialog box. Click OK to continue.

Step 3 From the Command window prompt, enter ipconfig. It is not necessary to capitalize the command.

Step 4 Your output should resemble one of the four examples below.

Nonworking example 1: The output indicates no connectivity; probably the Ethernet cable is not physically connected.

    C:\Documents and Settings>ipconfig
    Windows IP Configuration
    Ethernet adapter Local Area Connection:
        Media State . . . . . . . . . . . : Media disconnected

Nonworking example 2: The output indicates the PC is waiting to obtain its IP address information automatically. This output is transient: the PC will either successfully obtain an address or not. Retry the ipconfig command periodically until the output changes to one of the remaining examples below.


    C:\Documents and Settings>ipconfig
    Windows IP Configuration
    Ethernet adapter Local Area Connection:
        Connection-specific DNS Suffix  . :
        IP Address. . . . . . . . . . . . : 0.0.0.0
        Subnet Mask . . . . . . . . . . . : 0.0.0.0
        Default Gateway . . . . . . . . . :

Nonworking example 3: The output indicates the PC network adapter was unable to obtain an IP address automatically, so the PC will use a generated link local address. Getting an address may seem like success, but it really indicates that there is no connectivity to an IP address server. This address will not be useful for network connectivity. If you see an IP address beginning with 169.254.x.x, you do not have a valid address.

    C:\Documents and Settings>ipconfig
    Windows IP Configuration
    Ethernet adapter Local Area Connection:
        Connection-specific DNS Suffix  . :
        Autoconfiguration IP Address. . . : 169.254.249.221
        Subnet Mask . . . . . . . . . . . : 255.255.0.0
        Default Gateway . . . . . . . . . :

Working example 1: The output indicates that the PC either has a preconfigured IP address or it successfully obtained its IP address automatically. Your IP address, subnet mask, or default gateway will most likely be different from what is shown.

    C:\Documents and Settings>ipconfig
    Windows IP Configuration
    Ethernet adapter Local Area Connection:
        Connection-specific DNS Suffix  . : cisco.com
        IP Address. . . . . . . . . . . . : 192.168.1.105
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.1.1

Step 1 If you have a problem, ask your instructor for assistance. Continue only if you have a valid IP address.

Step 2 Write the values you obtained from the ipconfig command in the spaces below, as you will be using them in later tasks:

PC IP address: ____________________

IP default gateway address: ____________________


Activity Verification

You have completed this task when you attain this result:

You obtained valid IP address information from the ipconfig command.

Task 2: View the Network Properties of the PC Ethernet Adapter

Use the Windows operating system Network Properties dialog window. In this task you will only view the configuration, but the same process would be followed should it be necessary to modify or supply new IP network address values.

Activity Procedure

Complete these steps:

Step 1 From the Windows desktop, click the Local Area Connection shortcut on your desktop.

Step 2 From the Local Area Connection status window, click the Properties button.


Step 3 At the Local Area Connection Properties window, scroll down to the bottom and left-click Internet Protocol (TCP/IP) to highlight it. Then click the Properties button.

Step 4 At the Internet Protocol (TCP/IP) Properties window, you might find the Obtain an IP Address Automatically radio button already set, with all the fields blank, as shown below.

Step 5 Alternatively, you might see the Use the Following IP Address radio button chosen, and the fields configured with IP address information matching the output you obtained from the ipconfig command.

Note: Below is an example only. Do not change your settings.

Step 6 Close all the dialog boxes and return to the Windows desktop.

Activity Verification

You have completed this task when you attain these results:

You used the Windows TCP/IP properties to view the current configuration for the local area connection.

The values set in the TCP/IP properties were consistent with the information you obtained using the ipconfig command.


Task 3: Test Connectivity to the Default Gateway Router

Using the Windows command ping allows you to test the connectivity of the network. Its output demonstrates success or failure and gives an indication of the round-trip time taken.

Activity Procedure

Complete these steps:

Step 1 From the Command window prompt, enter ping followed by the address of your default gateway that you obtained in Task 1.

Step 2 The first example below is an unsuccessful ping. If you get this output, ask your instructor for assistance.

Nonworking example: The output indicates that no reply was received from the target IP address.

    C:\Documents and Settings>ping 192.168.1.1
    Pinging 192.168.1.1 with 32 bytes of data:
    Request timed out.
    Request timed out.
    Request timed out.
    Request timed out.
    Ping statistics for 192.168.1.1:
        Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

Working example: This indicates successful receipt of replies from the target IP address.

    C:\Documents and Settings>ping 192.168.1.1
    Pinging 192.168.1.1 with 32 bytes of data:
    Reply from 192.168.1.1: bytes=32 time<1ms TTL=255
    Reply from 192.168.1.1: bytes=32 time<1ms TTL=255
    Reply from 192.168.1.1: bytes=32 time<1ms TTL=255
    Reply from 192.168.1.1: bytes=32 time<1ms TTL=255
    Ping statistics for 192.168.1.1:
        Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
    Approximate round trip times in milli-seconds:
        Minimum = 0ms, Maximum = 0ms, Average = 0ms

Step 3 Notice that by default the Windows command sends four ping packets (ICMP echo requests).

Activity Verification

You have completed this task when you attain these results:

You used the Windows ping command to test the connectivity to your default gateway router.

The round trip time should be very low.


Task 4: View the ARP Bindings of IP Address to MAC Address

The Windows command arp -a allows you to view the binding of the logical IP address and the physical MAC address.

Activity Procedure

Complete these steps:

Step 1 From the Command window prompt, enter arp -a. It is necessary to use the -a parameter to get the output of the ARP table.

    C:\Documents and Settings>arp -a
    Interface: 192.168.1.125 --- 0x2
      Internet Address      Physical Address      Type
      192.168.1.1           00-00-0c-07-ac-04     dynamic

Step 2 Your output should resemble the output in Step 1. If you did not get any values, it may be that the ARP table has timed out the entry and you need to repeat Step 1 of the previous task.

Step 3 Close your open Command window by typing exit at the prompt.

Activity Verification

You have completed this task when you attain this result:

You were able to view the binding of the IP address to the MAC address.
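As an added example (not part of the original lab guide), the Python below automates the reading done by eye in Tasks 1 and 4: it classifies ipconfig output into the four states shown in Task 1 and then looks up the default gateway's MAC address in arp -a output. The function names are hypothetical, the sample outputs are constructed from the lab's examples, and the parser assumes a single adapter as in those examples.

```python
import ipaddress
import re

# Constructed samples modelled on the ipconfig and arp -a examples in this lab.
IPCONFIG_WORKING = """\
Ethernet adapter Local Area Connection:
   Connection-specific DNS Suffix  . : cisco.com
   IP Address. . . . . . . . . . . . : 192.168.1.105
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.1.1
"""
IPCONFIG_LINK_LOCAL = """\
Ethernet adapter Local Area Connection:
   Connection-specific DNS Suffix  . :
   Autoconfiguration IP Address. . . : 169.254.249.221
   Subnet Mask . . . . . . . . . . . : 255.255.0.0
   Default Gateway . . . . . . . . . :
"""
IPCONFIG_WAITING = """\
Ethernet adapter Local Area Connection:
   Connection-specific DNS Suffix  . :
   IP Address. . . . . . . . . . . . : 0.0.0.0
   Subnet Mask . . . . . . . . . . . : 0.0.0.0
   Default Gateway . . . . . . . . . :
"""
IPCONFIG_DISCONNECTED = """\
Ethernet adapter Local Area Connection:
   Media State . . . . . . . . . . . : Media disconnected
"""
ARP_OUTPUT = """\
Interface: 192.168.1.105 --- 0x2
  Internet Address      Physical Address      Type
  192.168.1.1           00-00-0c-07-ac-04     dynamic
"""

# "Key . . . . : value" lines; the dotted leader is stripped from the key.
FIELD_RE = re.compile(r"^\s*(.+?)[\s.]*:\s*(.*)$")
# One ARP table row: IPv4 address, dash-separated MAC, entry type.
ARP_ROW_RE = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"((?:[0-9A-Fa-f]{2}-){5}[0-9A-Fa-f]{2})\s+(\w+)\s*$"
)


def parse_ipconfig(text):
    """Return the fields of a single-adapter ipconfig output as a dict."""
    fields = {}
    for line in text.splitlines():
        match = FIELD_RE.match(line)
        if match:
            fields[match.group(1)] = match.group(2).strip()
    return fields


def classify(fields):
    """Map parsed ipconfig fields to one of the four states shown in Task 1."""
    if fields.get("Media State") == "Media disconnected":
        return "disconnected"
    raw = fields.get("Autoconfiguration IP Address") or fields.get("IP Address")
    try:
        addr = ipaddress.ip_address(raw or "")
    except ValueError:
        return "unknown"
    if addr.is_unspecified:      # 0.0.0.0: still waiting for an address
        return "waiting"
    if addr.is_link_local:       # 169.254.x.x: no address server was reached
        return "link-local"
    return "valid"


def parse_arp(text):
    """Return {ip: (mac, type)} for every row of an arp -a listing."""
    table = {}
    for line in text.splitlines():
        match = ARP_ROW_RE.match(line)
        if match:
            table[match.group(1)] = (match.group(2).lower(), match.group(3))
    return table


def gateway_binding(ipconfig_text, arp_text):
    """Return (state, gateway_ip, gateway_mac); mac is None if not cached."""
    fields = parse_ipconfig(ipconfig_text)
    state = classify(fields)
    gateway = fields.get("Default Gateway") or None
    mac = None
    if state == "valid" and gateway:
        entry = parse_arp(arp_text).get(gateway)
        # No entry means the binding has aged out: ping the gateway, then retry.
        mac = entry[0] if entry else None
    return state, gateway, mac


if __name__ == "__main__":
    samples = [IPCONFIG_WORKING, IPCONFIG_LINK_LOCAL,
               IPCONFIG_WAITING, IPCONFIG_DISCONNECTED]
    for sample in samples:
        print(gateway_binding(sample, ARP_OUTPUT))
```

A result with a valid state but no MAC address corresponds to Step 2 of Task 4: the ARP entry has timed out and the ping from Task 3 must be repeated before the binding is visible again.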


Lab 1-2: Observing the TCP Three-Way Handshake

Complete this lab activity to practice what you learned in the related module.

Activity Objective

In this activity, you will use a packet sniffer software application to view the TCP initial three-way handshake. After completing this activity, you will be able to meet these objectives:

Start the packet sniffer software application, to monitor the appropriate Ethernet interface for recording the packet flow

Generate a TCP connection using a web browser

Observe the initial packets of the TCP flow, especially the SYN packet, SYN ACK packet, and finally the ACK packet

Visual Objective

The figure illustrates what you will accomplish in this activity.

[Figure: Visual Objective for Lab 1-2: Observing the TCP Three-Way Handshake]

Required Resources

These are the resources and equipment that are required to complete this activity:

A PC with access to the Internet

The Wireshark packet sniffer Windows application

Student Guide Module 1, Lesson 1


Command List

The table describes the applications that are used in this activity.

PC Applications

| Windows Application | Description |
| --- | --- |
| Internet Explorer | Web browser, provides access to rich media content. |
| Wireshark | A packet sniffer application. |

Caution: Installing and/or using a packet sniffer application may be considered a breach of an organization’s security policy, leading to serious legal and financial consequences. It is recommended that before downloading, installing, or running such an application, you obtain permission to do so.

Job Aids

These job aids are available to help you complete the lab activity.

There are no job aids for this lab.

Task 1: Prepare the Sniffer Software to Capture a TCP Flow

In this task you will open the Wireshark application and apply the packet capture to your active Ethernet interface.

Activity Procedure

Complete these steps:

Step 1 Open the Wireshark application by double-clicking its icon, which should be visible on your desktop.


Step 2 Choose Capture, then choose Interfaces from the drop-down menu.

Step 3 Choose your local network Ethernet interface adapter. If this process is unclear, ask your instructor for assistance. Click the Start button associated with the chosen interface. Make a note of the IP address associated with your chosen Ethernet adapter, because it will be the source IP address you will look for when examining captured packets.

Note your IP address here: _______________________________


Step 4 The capture windows will now be active.

Step 5 You will look more closely at the capture windows after you have captured the TCP flow.

Step 6 You may see some packets filling up the uppermost window. This will depend on the level of background activity on the network you are attached to.

Activity Verification

You have completed this task when you attain this result:

You have an open packet-capture window, associated with the Ethernet interface connected to your default router.

Task 2: Generate the TCP Flow to Be Captured

You will use a web browser (Internet Explorer) to connect to a web server. The actual web server chosen is not really important. The HTTP data that is used to carry web page text and graphics uses TCP transport for reliability. The alternative best-effort protocol, you will recall, would be UDP. All you are interested in is the initial exchange done by TCP to set up the connection.

Activity Procedure

Complete these steps:

Step 1 At the PC desktop, double-click the Internet Explorer icon to launch the web browser.

Step 2 Enter the destination name or address. Your instructor may provide you with a name or address different from “www.cisco.com.” If so, write down this information in the space provided: ___________________________________________________


Step 3 Return to the already open Wireshark application and choose Capture > Stop from the drop-down menu.

Step 4 If you have many TCP packets that are unrelated to your TCP connection, you may need to use the filter capability of Wireshark.

Step 5 To use a preconfigured filter, click the Analyze tab. Then click Display Filters.

Step 6 In the Wireshark: Display Filter window, click TCP only, then click the OK button.


Step 7 In the top window of the Wireshark application, use the scroll bar to place the first captured TCP packet at the top of the window. This should be the first packet in the flow.

Step 8 Observe the Info column of the captured packets in the top window; look for three packets similar to those shown below. Two groups of three packets are shown highlighted as an example.

Step 9 Note the first packet number in the sequence you have identified in your capture window. There is no need to find more than one sequence of packets. In the example above, packet 1 and packet 12 both begin a sequence. You will observe the contents of these packets in detail in the next task.

Write down the packet number of the first packet in the TCP sequence in the space provided: ________________________________________________________________________

Step 10 If necessary, return to Step 4 in this task.


Activity Verification

You have completed this task when you attain these results:

You have identified that you have captured the packet sequence described in Step 8.

You have noted the first packet in the sequence to be inspected in detail.

Task 3: Inspect the TCP Initialization Sequence

You will use the Packet Details window of the Wireshark application to view the TCP parameters exchanged during the initial startup sequence, often referred to as the “three-way handshake.”

Activity Procedure

Complete these steps:

Step 1 In the top window of the Wireshark application click (anywhere) on the line containing the first packet identified in the previous task. This will highlight the line and make the two lower windows fill with the decoded information from that packet.

Step 2 In the example that follows, the Wireshark windows were adjusted to allow the information to be viewed in a compact size. The middle window contains the detailed decoding of the packet.

Step 3 Clicking the “+” icon on the left side will expand the view of the TCP information. The view can be contracted by clicking the “–” icon.

Step 4 Notice in this example that the (forward) sequence number is set to zero, and the SYN bit is 1 (set) in the Flags field.


Step 5 Click the next packet in the sequence (top window) and the detailed information will change to match the new values.

Step 6 Notice in the reply packet that the (backward) sequence number is set to 0, and that the acknowledgment number appears and is set to 1. Also in the Flags field, the acknowledgment bit and the SYN bit are 1 (set).

Step 7 Click the next packet in the sequence (top window) and the detailed information will change to match the new values.


Step 8 In the third and final packet in the exchange, notice that the (forward) sequence number is now set to 1, the acknowledgment number is set to 1, and in the Flags field, only the acknowledgment bit is 1 (set). At this point, the TCP connection is said to be “established,” as both ends have synchronized their sequence and acknowledgment numbers, as well as other parameters not discussed.

Step 9 Close the Wireshark application and all other open windows.

Activity Verification

You have completed this task when you attain this result:

You have selected and decoded your three identified captured packets, and the values match those shown and discussed in the examples within the task.
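The check performed by eye in Task 3 can also be done in code. The following is an added example, not part of the lab guide: it decodes TCP headers, finds SYN / SYN, ACK / ACK triples that acknowledge each other, and reports the relative sequence and acknowledgment numbers (0, 1) that Wireshark displays, even though the initial sequence numbers on the wire are arbitrary 32-bit values. The capture, the server address and the port numbers are constructed sample data.

```python
"""Locate TCP three-way handshakes and report relative seq/ack values."""
import struct
from collections import namedtuple

FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10
MOD = 2 ** 32  # sequence numbers are 32-bit counters that wrap around

Segment = namedtuple("Segment", "number src dst seq ack flags")


def build_header(sport, dport, seq, ack, flags):
    """Pack a 20-byte TCP header without options (used only to build sample input)."""
    return struct.pack("!HHIIHHHH", sport, dport, seq, ack, (5 << 12) | flags, 8192, 0, 0)


def parse_segment(number, src_ip, dst_ip, header):
    """Decode ports, sequence/acknowledgment numbers and flag bits from a TCP header."""
    if len(header) < 20:
        raise ValueError("packet %d: truncated TCP header" % number)
    sport, dport, seq, ack, off_flags = struct.unpack("!HHIIH", header[:14])
    return Segment(number, (src_ip, sport), (dst_ip, dport), seq, ack, off_flags & 0x3F)


def flag_names(flags):
    order = ((SYN, "SYN"), (FIN, "FIN"), (RST, "RST"), (PSH, "PSH"), (ACK, "ACK"))
    return ", ".join(name for bit, name in order if flags & bit)


def find_handshakes(segments):
    """Return (SYN, SYN-ACK, ACK) triples whose numbers acknowledge each other."""
    pending = {}  # (client, server) -> [syn, synack or None]
    complete = []
    for seg in segments:
        if seg.flags & RST:  # connection refused or aborted: forget it
            pending.pop((seg.src, seg.dst), None)
            pending.pop((seg.dst, seg.src), None)
        elif seg.flags & SYN and not seg.flags & ACK:
            pending[(seg.src, seg.dst)] = [seg, None]
        elif seg.flags & SYN:  # SYN+ACK must acknowledge the client's ISN + 1
            state = pending.get((seg.dst, seg.src))
            if state and seg.ack == (state[0].seq + 1) % MOD:
                state[1] = seg
        elif seg.flags & ACK:  # final ACK must acknowledge the server's ISN + 1
            state = pending.get((seg.src, seg.dst))
            if (state and state[1]
                    and seg.seq == (state[0].seq + 1) % MOD
                    and seg.ack == (state[1].seq + 1) % MOD):
                complete.append((state[0], state[1], seg))
                del pending[(seg.src, seg.dst)]
    return complete


def relative_view(handshake):
    """Rows of (packet number, flags, relative seq, relative ack)."""
    syn, synack, ack = handshake
    client_isn, server_isn = syn.seq, synack.seq
    return [
        (syn.number, flag_names(syn.flags), 0, None),  # ACK bit clear: ack field unused
        (synack.number, flag_names(synack.flags), 0, (synack.ack - client_isn) % MOD),
        (ack.number, flag_names(ack.flags),
         (ack.seq - client_isn) % MOD, (ack.ack - server_isn) % MOD),
    ]


# Constructed capture: one complete handshake whose client ISN wraps past 2**32,
# one data segment, and one connection attempt that is refused with RST.
CLIENT, SERVER = "192.168.1.125", "198.51.100.10"  # server is a documentation address
CAPTURE = [parse_segment(n, s, d, build_header(*h)) for n, s, d, h in [
    (1, CLIENT, SERVER, (1065, 80, 0xFFFFFFFF, 0, SYN)),
    (2, SERVER, CLIENT, (80, 1065, 1000, 0, SYN | ACK)),
    (3, CLIENT, SERVER, (1065, 80, 0, 1001, ACK)),
    (4, CLIENT, SERVER, (1065, 80, 0, 1001, PSH | ACK)),
    (5, CLIENT, SERVER, (1066, 8080, 5000, 0, SYN)),
    (6, SERVER, CLIENT, (8080, 1066, 0, 5001, RST | ACK)),
]]

if __name__ == "__main__":
    for handshake in find_handshakes(CAPTURE):
        for number, flags, seq, ack in relative_view(handshake):
            print("packet %d  [%s]  Seq=%s  Ack=%s" % (number, flags, seq, ack))
```
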


Lab 1-3: Observing Extended PC Network Information

Complete this lab activity to practice what you learned in the related module.

Activity Objective

In this activity, you will use PC tools to gather network-related information. After completing this activity, you will be able to meet these objectives:

Using the Windows command ipconfig /all, determine IP addresses of the DNS servers available to your PC

Using the IP address of one of the DNS servers from Task 1, test connectivity to the DNS servers using the Windows ping command

Using the Windows command tracert /d, obtain the IP addresses of the routers traversed to reach the DNS server tested in Task 2

Visual Objective

The figure illustrates what you will accomplish in this activity.

[Figure: Visual Objective for Lab 1-3: Observing Extended PC Network Information]

Required Resources

These are the resources and equipment that are required to complete this activity:

A PC connected to a functioning network, with connectivity to the Internet


Command List

The table describes the commands that are used in this activity.

Windows Commands

| Command | Description |
| --- | --- |
| ipconfig /all | This command outputs all the current IP network information. |
| ping | ping (-t) |
| tracert /d <ip Address> | Displays the IP address of the router at each hop as a packet traverses the network towards the destination IP address. |

Job Aids

These job aids are available to help you complete the lab activity.

There are no job aids for this lab.

Task 1: Obtain the Full Current IP Addressing Information

In order to obtain the full current IP address information on your PC, it is necessary to use the Windows ipconfig /all command. To access Windows commands, it is necessary to open a Command window.

Activity Procedure

Complete these steps:

Step 1 From the Windows desktop, click Start.

Step 2 Choose Run, and enter cmd in the Run window dialog box; click OK to continue.

Step 3 From the Command window prompt, enter ipconfig /all. It is necessary to add the /all to get the full output.


Step 4 You will see from your own output that some extra, useful information is now visible.

Step 5 Note the IP address of the first DNS server from the output of the prior step in the space provided.

_________________________________________________________________

Activity Verification

You have completed this task when you attain this result:

You have obtained the IP address of a DNS server from the output of the ipconfig /all command on your PC.

Task 2: Test Connectivity to the DNS Server

In this task you will use the ping command to test connectivity to the DNS server that you noted in the previous task.

Activity Procedure

Complete these steps:

Step 1 From the Command window prompt, enter ping <DNS IP Address>. Your output should be similar to the example below (which uses a fictitious IP address).

Step 2 A successful ping indicates both that the packets are being received and that the return packets are being routed back to your PC successfully.

Step 3 The implications of an unsuccessful ping sequence require more investigation. If you assume the ping attempts were unsuccessful, then the next step would be to try to see where in the network the problem was occurring.

Activity Verification

You have completed this task when you attain this result:

You have used the Windows ping command to successfully test connectivity to the IP address of the DNS server you noted in Task 1.


Task 3: Tracing Connectivity to the DNS Server

In this task you will use the tracert /d command to trace the path to the DNS server that you noted in the previous task. The /d parameter in the command stops the attempt to use DNS to look up the IP addresses discovered along the path and put them in the output. In this scenario, DNS is not working, so attempting a lookup would waste time. You will use tracert without /d to see what the output would look like when DNS is able to resolve some or all of the IP addresses.

Activity Procedure

Complete these steps:

Step 1 Below is an example of an unsuccessful trace attempt to the DNS server. The sequence would have continued until 30 hops had been tried. You will see that ^C <ctrl-C> was used to terminate the command earlier than the default number.

Step 2 From the Command window prompt, enter tracert /d <DNS IP Address>. Your output should be similar to the example below (which uses fictitious IP addresses).


Step 3 Now that you have seen that the route to the DNS server is working, use the command without the /d parameter to see what the output looks like when symbolic names are available. Your output should be similar to the example below (which uses fictitious IP addresses).

Step 4 Close the Command window by clicking the X button in the top right corner.

Activity Verification

You have completed this task when you attain these results:

You have used the tracert /d command on your PC to suppress DNS lookup during the trace to the destination address.

You have used the tracert command without the /d parameter on your PC to display the symbolic names associated with specific IP addresses discovered during the trace to the destination address.


Lab 2-1: Connecting to Remote Lab Equipment

Complete this lab activity to test the connectivity in your pod and to practice the methods for both connecting to the console server and connecting using the VPN client.

Activity Objective

In this activity, you will begin preparations for subsequent labs by testing and practicing the connectivity for your assigned workgroup equipment, which you will use for the remaining lab practice exercises in the course. After completing this activity, you will be able to meet these objectives:

Connect to your assigned workgroup equipment using a console (terminal) server so that switches and routers may be configured via the console ports.

Connect to your assigned workgroup equipment using the VPN client software so your PC will be connected through an interface on your workgroup switch. This will allow the configuration of your workgroup router using Cisco Router and Security Device Manager (SDM).

Visual Objective

The figures illustrate what you will accomplish in this activity.

[Figure: Visual Objective for Lab 2-1: Connecting to Remote Lab Equipment]

Your lab equipment is located remotely and will be accessed in two distinct ways.

The first method is by connecting using SSH connectivity. This provides access to a console server (also known as a terminal server). The console server has serial connections to the console ports of the Cisco switches and routers used in the labs. This first method sends packets across the Internet. In these packets, the data is individually protected by encryption.


The second method is by connecting using a VPN. This provides access via a VPN router to the same network that your workgroup switch is connected to. This second method sends packets via an encrypted tunnel across the Internet.

Required Resources

These are the resources and equipment required to complete this activity:

Lab topology configured for this course

Student pod consisting of one Cisco Catalyst 2960 switch and one Cisco 2811 router (or functionally equivalent Cisco devices)

Classroom reference materials as follows:

Lab Guide

Student PC or workstation with SSH and VPN client access to workstation pod devices

Command List

The table describes the applications and command used in this activity.

PC Application

| Windows Applications | Description |
| --- | --- |
| PuTTY SSH Client | Terminal emulation application which supports SSH protocol |
| Cisco VPN Client | VPN client software application |

| Windows Command | Description |
| --- | --- |
| ipconfig /all | Command that outputs all the current IP network information |

Job Aid

This job aid is available to help you complete the lab activity:

Fill in this table of class-dependent network and connection information, using the values provided by your instructor.

Table 1: Network and Connection Information

| Information | Instructor-Assigned Value |
| --- | --- |
| Your assigned workgroup (letter) | |
| IP address of the console server | |
| Username and password for SSH | |
| IP address of the VPN-RTR (if different from above) | |
| VPN Client Connection Entry name | |
| Username and Password for VPN (if different from SSH) | |
| SSH terminal emulation application | |


Table 2: TFTP Server IP Address Information

| Workgroup | TFTP Server IP Address | Workgroup | TFTP Server IP Address |
| --- | --- | --- | --- |
| A | 10.2.2.1 | E | 10.6.6.1 |
| B | 10.3.3.1 | F | 10.7.7.1 |
| C | 10.4.4.1 | G | 10.8.8.1 |
| D | 10.5.5.1 | H | 10.9.9.1 |

Task 1: Connect to Remote Console Server

In this task you will use an SSH-capable terminal emulation application. This terminal emulator will enable you to configure and control the Cisco remote network devices via their “console” port.

Activity Procedure

Complete these steps:

Step 1 From the desktop of your PC, double-click the icon of the terminal emulator. In the example, PuTTY is being used.


Step 2 Ensure that the SSH radio button is selected. Enter the IP address of the console server in the Host Name field and click Open.

Step 3 Enter the SSH login name and password at the prompts, using those you have noted in Table 1. You may see a PuTTY security warning if PuTTY does not have the host key cached; answer Yes to proceed.


Step 4 A banner message followed by a table showing item numbers used to connect to the workgroups is displayed. Read the information regarding the escape sequence used to return from a switch or router connection to the menus. To do this, press the following keys simultaneously: Ctrl-Shift-6. Then release them and press x (lowercase).

Step 5 Select your workgroup by entering its associated item number.


Step 6 You are now at the Workgroup menu. Your choices are 1 to connect to the router, 2 to connect to the switch, or exit to return to the previous menu. Type exit followed by the Enter key to return to the previous menu.

Step 7 Now type exit followed by the Enter key to end the SSH session.

Step 8 Depending on the terminal emulator used, the window may close, go blank, or appear unchanged. However, the session has ended, and any keystrokes will be ignored.

Step 9 Close the terminal emulation application, if it did not close automatically.

Activity Verification

You have completed this task when you attain these results:

You were able to access the remote console server using the information provided in Table 1.


You were able to access the Workgroup menu of your assigned pod.

You were able to navigate back to the main menu, end the terminal session, and close the application.
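The PuTTY warning in Step 3 of this task displays the fingerprint of the console server's host key, and that is the moment to compare it with a known-good value. The following is an added example, not part of the lab guide: it computes the MD5 and SHA-256 fingerprints of an OpenSSH-format public key line and compares them with an expected fingerprint. The sample key is constructed, and the idea that the instructor supplies the expected fingerprint alongside the Table 1 values is an assumption.

```python
"""Compare an SSH host key with a fingerprint obtained out of band."""
import base64
import hashlib
import struct


def ssh_string(data):
    """Length-prefixed byte string, as used inside SSH public key blobs."""
    return struct.pack("!I", len(data)) + data


def make_key_line(key_bytes, comment="console-server"):
    """Build a constructed ssh-ed25519 public key line (sample input only)."""
    blob = ssh_string(b"ssh-ed25519") + ssh_string(key_bytes)
    return "ssh-ed25519 %s %s" % (base64.b64encode(blob).decode("ascii"), comment)


def parse_public_key(line):
    """Return (key type, raw key blob) from '<type> <base64 blob> [comment]'."""
    fields = line.split()
    if len(fields) < 2:
        raise ValueError("expected '<type> <base64 blob> [comment]'")
    key_type, blob = fields[0], base64.b64decode(fields[1], validate=True)
    if len(blob) < 4:
        raise ValueError("key blob too short")
    (length,) = struct.unpack("!I", blob[:4])
    if blob[4:4 + length] != key_type.encode("ascii"):
        raise ValueError("key type inside the blob does not match the label")
    return key_type, blob


def fingerprints(blob):
    """Both common display formats: colon-separated MD5 and 'SHA256:' base64."""
    md5_hex = hashlib.md5(blob).hexdigest()
    sha256 = base64.b64encode(hashlib.sha256(blob).digest()).decode("ascii")
    return {
        "md5": ":".join(md5_hex[i:i + 2] for i in range(0, 32, 2)),
        "sha256": "SHA256:" + sha256.rstrip("="),
    }


def host_key_matches(line, expected):
    """True only if the key on 'line' has the expected fingerprint."""
    _key_type, blob = parse_public_key(line)
    actual = fingerprints(blob)
    expected = expected.strip()
    if expected.startswith("SHA256:"):
        return actual["sha256"] == expected.rstrip("=")   # base64 is case-sensitive
    if expected.upper().startswith("MD5:"):
        expected = expected[4:]
    return actual["md5"] == expected.lower()


# Constructed sample: the key the console server presents, and its fingerprints.
SAMPLE_KEY_LINE = make_key_line(bytes(range(32)))
SAMPLE_FINGERPRINTS = fingerprints(parse_public_key(SAMPLE_KEY_LINE)[1])

if __name__ == "__main__":
    print(SAMPLE_FINGERPRINTS["md5"])
    print(SAMPLE_FINGERPRINTS["sha256"])
    print("match:", host_key_matches(SAMPLE_KEY_LINE, SAMPLE_FINGERPRINTS["sha256"]))
```
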

Task 2: Connect to Remote VPN Router

In this task you will use the Cisco VPN client software to access the remote lab. Once there you will observe the changes to your local PC IP addressing and discuss the changes to the packet forwarding behavior.

Activity Procedure

Complete these steps:

Step 1 From your PC desktop, open the Cisco VPN client by clicking the VPN Client icon.

Step 2 Choose the connection entry associated with your assigned workgroup.

Step 3 Click the Connect icon at the top left of the application window.


Step 4 The Connect icon changes and a User Authentication window opens.

Step 5 Type the VPN username and password you recorded in Table 1, and press Enter. After a momentary pause, the VPN windows close. A small Padlock icon that was placed in the system tray at the bottom right side of the screen goes from an open padlock to a closed padlock. If the window does NOT close, manually minimize it.

Step 6 In order to view the changes to the IP addressing of the PC, it is necessary to open a Command window and use the IPCONFIG command.

Step 7 When you do this you will observe that a second Ethernet adapter now has an IP address and mask. Your output may be different; however, this address and mask are specific to the workgroup addressing used in the labs which follow. The VPN adapter does NOT have a default gateway specified, as the packet forwarding behavior has been modified such that packets for networks that have been configured on the VPN router will be forwarded through the tunnel. This will occur automatically, and any packets not matching will be sent to the configured default gateway associated with the other Ethernet adapter.

Step 8 You should be able to ping successfully the address 10.x.x.1, where x = 2 for WG A, 3 for WG B, and so forth, with x = 9 for WG H. If you are unsuccessful, you should ask your instructor for assistance. Your output should be similar to the example below.

C:\Documents and Settings>ping 10.10.10.1

Pinging 10.10.10.1 with 32 bytes of data:

Reply from 10.10.10.1: bytes=32 time=9ms TTL=127
Reply from 10.10.10.1: bytes=32 time=8ms TTL=127
Reply from 10.10.10.1: bytes=32 time=9ms TTL=127
Reply from 10.10.10.1: bytes=32 time=8ms TTL=127

Ping statistics for 10.10.10.1:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 8ms, Maximum = 9ms, Average = 8ms


Step 9 In later labs you will use the VPN tunnel to allow the connection of a browser to your workgroup router.

Step 10 In order to terminate your VPN connection, double-click the system tray Padlock icon, which will open the VPN application window. You can also right-click the padlock icon and choose Disconnect.

Step 11 Click the Disconnect icon in the top right of the VPN application window. This will close the tunnel connection and remove the IP addressing changes to the PC.

Step 12 Close the VPN application window.

Step 13 Confirm that the PC has its original network IP address by using the IPCONFIG command in the Command window.

Step 14 Having confirmed that the connection information has been removed, close any remaining Windows applications.


Activity Verification

You have completed this task when you attain these results:

You were able to access the remote lab network, using the VPN client application and the information recorded in Table 1.

You were able to confirm access using ping and web connectivity.


Lab 2-2: Performing Switch Startup and Initial Configuration

Complete this lab activity to practice what you learned in the related module.

Activity Objective

In this activity, you will connect to your workgroup switch and complete the initial device configuration. After completing this activity, you will be able to meet these objectives:

Restart the switch and verify the initial configuration messages

Complete the initial configuration of the Cisco Catalyst switch

Visual Objective

The figure illustrates what you will accomplish in this activity.

[Figure: Visual Objective for Lab 2-2, Performing Switch Startup and Initial Configuration. For each workgroup it lists the hostname (SwitchA through SwitchH), the switch IP address (10.2.2.11 through 10.9.9.11), and the subnet mask (255.255.255.0).]

Required Resources

These resources and equipment are required to complete this activity:

PC with connectivity to the remote lab

An SSH-capable terminal emulation application

Your assigned pod information from Lab 2-1

Command List

The table describes the commands that are used in this activity.


Switch Cisco IOS Commands

| Command | Description |
| --- | --- |
| configure terminal | Activates the configuration mode from the terminal. |
| copy running-config destination | Copies the switch running configuration file to another destination. A typical destination is the startup configuration. |
| enable | Activates the privileged EXEC mode. In privileged EXEC mode, more commands are available. This command requires you to enter the enable password if an enable password is configured. |
| enable password password | The enable password protects access to the enable mode. However, this password is stored in cleartext in the configuration. |
| enable secret secret_password | The encrypted enable password protects access to the enable mode. An enable secret password overrides the cleartext enable password, should both be configured. |
| end | This configuration command terminates the configuration mode. |
| erase startup-config | Erases the startup configuration stored in nonvolatile memory. |
| hostname hostname | Sets the system name, which forms part of the prompt. |
| interface vlan 1 | Enters the interface configuration mode for VLAN 1 to set the switch management IP address. |
| ip address ip-address mask | Sets the IP address and mask of the interface. |
| ip default-gateway ip-address | Sets the default gateway of the switch. The default gateway is the router, which will forward IP packets that are not destined for the local network. |
| line vty 0 15 | Enters the virtual terminal line configuration mode. Vty lines allow access to the switch for remote network management. The number of vty lines available is dependent on the Cisco IOS Software version. Typical values are 0-4 and 0-15 (inclusive). |
| login | This configuration line command applies a login process requiring a username and password for access. |
| password line password | Assigns a password to the console or vty ports. |
| reload | Restarts the switch and reloads the Cisco IOS operating system and configuration. |
| show interface vlan 1 | Displays the switch IP address information (Cisco Catalyst 2950). |
| [no] shutdown | Use the shutdown interface configuration command to disable an interface. Use the no form of this command to restart a disabled interface. |

Job Aids

These job aids are available to help you complete the lab activity. The table contains the required information to be entered during initial switch configuration.


Table 1: Password Information

| Configuration Parameter | Value |
| --- | --- |
| Enable password | cisco |
| Enable secret password | sanfran |
| Hostname | Refer to Table 2 |
| IP address and subnet mask | Refer to Table 2 |
| IP default gateway | 10.x.x.3 (where x.x is your workgroup’s second- and third-octet address) |
| vty password | sanjose |

Table 2: Switch IP Address Information

| Workgroup | Hostname | Switch IP Address | Mask |
| --- | --- | --- | --- |
| A | SwitchA | 10.2.2.11 | 255.255.255.0 |
| B | SwitchB | 10.3.3.11 | 255.255.255.0 |
| C | SwitchC | 10.4.4.11 | 255.255.255.0 |
| D | SwitchD | 10.5.5.11 | 255.255.255.0 |
| E | SwitchE | 10.6.6.11 | 255.255.255.0 |
| F | SwitchF | 10.7.7.11 | 255.255.255.0 |
| G | SwitchG | 10.8.8.11 | 255.255.255.0 |
| H | SwitchH | 10.9.9.11 | 255.255.255.0 |

Task 1: Connect to Your Assigned Workgroup Switch

In this task you will connect to your assigned workgroup using the information and procedure from Lab 2-1.

Activity Procedure

Complete these steps:

Step 1 Connect via SSH to your workgroup switch using the information from Lab 2-1.

Step 2 At the first menu, enter the item number that corresponds to your assigned workgroup. This will be a number between 1 and 8.

Step 3 At the workgroup menu, enter cls2. When you are prompted to confirm, press the Enter key. This clears any previous open connection; you may need to do this in later labs if your connection is terminated unexpectedly. Your display should be similar to the example below.


    ************************ ICND WG_Z **************************
    ************************ MENU **************************
    To exit ssh session and return to the menu press <CTRL>+<SHFT>+<6> then <X>.
    To clear a connection to begin a new console session type cls# (where # = the menu item number)
    Type "exit" to return to main menu.
    *****************************************************************
    ITEM#   DEVICE NAME
    -----------------------------------------------------------------
    1       WorkGroup Z Router
    2       WorkGroup Z Switch
    exit    Return to main menu
    Please enter selection: cls2
    [confirm]<ENTER>
     [OK]

Step 4 Connect to your workgroup switch by entering the menu number 2 and then pressing Enter. Your display should be similar to this example.

    ************************ ICND WG_Z **************************
    ************************ MENU **************************
    To exit ssh session and return to the menu press <CTRL>+<SHFT>+<6> then <X>.
    To clear a connection to begin a new console session type cls# (where # = the menu item number)
    Type "exit" to return to main menu.
    *****************************************************************
    ITEM#   DEVICE NAME
    -----------------------------------------------------------------
    1       WorkGroup Z Router
    2       WorkGroup Z Switch
    exit    Return to main menu
    Please enter selection: 2
    Trying swa (10.10.10.12, 2067)... Open

Activity Verification

You have completed this task when you attain this result:

You were able to access your assigned workgroup switch on the remote lab network, using the SSH client application and the information recorded in Table 1 of Lab 2-1.

Task 2: Verify That Switch Is Unconfigured and Reload

In this task, you will use the erase startup-config command to ensure that the switch has no prior configuration saved to the startup-config file stored in NVRAM (nonvolatile memory). You will then reload the switch software and observe the output generated during the reload.

Activity Procedure

Complete these steps:

Step 1 You will need to press Enter several times to get the switch to display the prompt. If you see the output “Switch>” proceed to Step 3. If not, proceed to Step 2.


Step 2 If your output resembles that displayed below, answer Yes to the question shown. Press Enter twice.

    Would you like to terminate autoinstall? [yes]: yes
             --- System Configuration Dialog ---
    Would you like to enter the initial configuration dialog? [yes/no]: no
    Switch>
    Switch>

Step 3 You are currently in the user mode. To see the effect of entering a privileged command in the user mode, enter the command erase startup-config. Your display should be similar to the example below.

    Switch>erase startup-config
            ^
    % Invalid input detected at '^' marker.

Step 4 The output is the response to entering a privileged EXEC command when in user mode. Enter the command enable. Your display should be similar to the example below.

    Switch>enable
    Switch#

Step 5 Notice that the switch prompt changed from Switch> to Switch#. This indicates that you are in enable EXEC mode. When you now enter the erase startup-config command, it is accepted. Press the Enter key to confirm and press Enter again to get the switch prompt. Your display should be similar to the example below.

    Switch#erase startup-config
    Erasing the nvram filesystem will remove all configuration files! Continue? [confirm]<ENTER>
    [OK]
    Erase of nvram: complete
    00:18:46: %SYS-7-NV_BLOCK_INIT: Initalized the geometry of nvram
    <ENTER>
    Switch#

Step 6 Enter the reload command. The switch will prompt for confirmation. Confirm that you want to proceed with the reload. You will then be presented with a lot of output, giving the status of the switch during the reload process. Your display should be similar to the example below. Some repeating text has been omitted to reduce the output length.

    Switch#reload
    Proceed with reload? [confirm]<ENTER>
    00:21:00: %SYS-5-RELOAD: Reload requested by console. Reload Reason: Reload Command.
    Base ethernet MAC Address: 00:1a:6d:44:6c:80
    Xmodem file system is available.
    The password-recovery mechanism is enabled.
    Initializing Flash...
    flashfs[0]: 597 files, 19 directories
    flashfs[0]: 0 orphaned files, 0 orphaned directories
    flashfs[0]: Total bytes: 32514048
    flashfs[0]: Bytes used: 8208384
    flashfs[0]: Bytes available: 24305664
    flashfs[0]: flashfs fsck took 9 seconds.
    ...done Initializing Flash.


    Boot Sector Filesystem (bs) installed, fsid: 3
    done.
    Loading "flash:c2960-lanbasek9-mz.122-25.SEE2/c2960-lanbasek9-mz.122-25.SEE2.bin"...@@@@@@@@@@@@@@@@
    @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
    @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
    ..
    .. text omitted
    ..
    @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
    @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
    File "flash:c2960-lanbasek9-mz.122-25.SEE2/c2960-lanbasek9-mz.122-25.SEE2.bin" uncompressed and installed, entry point: 0x3000
    executing...
                  Restricted Rights Legend
    Use, duplication, or disclosure by the Government is
    subject to restrictions as set forth in subparagraph
    (c) of the Commercial Computer Software - Restricted
    Rights clause at FAR sec. 52.227-19 and subparagraph
    (c) (1) (ii) of the Rights in Technical Data and Computer
    Software clause at DFARS sec. 252.227-7013.
               cisco Systems, Inc.
               170 West Tasman Drive
               San Jose, California 95134-1706
    Cisco IOS Software, C2960 Software (C2960-LANBASEK9-M), Version 12.2(25)SEE2, RELEASE SOFTWARE (fc1)
    Copyright (c) 1986-2006 by Cisco Systems, Inc.
    Compiled Fri 28-Jul-06 11:57 by yenanh
    Image text-base: 0x00003000, data-base: 0x00BB7944
    Initializing flashfs...
    flashfs[1]: 597 files, 19 directories
    flashfs[1]: 0 orphaned files, 0 orphaned directories
    flashfs[1]: Total bytes: 32514048
    flashfs[1]: Bytes used: 8208384
    flashfs[1]: Bytes available: 24305664
    flashfs[1]: flashfs fsck took 1 seconds.
    flashfs[1]: Initialization complete....done Initializing flashfs.
    POST: CPU MIC register Tests : Begin
    POST: CPU MIC register Tests : End, Status Passed
    POST: PortASIC Memory Tests : Begin
    POST: PortASIC Memory Tests : End, Status Passed
    POST: CPU MIC PortASIC interface Loopback Tests : Begin
    POST: CPU MIC PortASIC interface Loopback Tests : End, Status Passed
    POST: PortASIC RingLoopback Tests : Begin
    POST: PortASIC RingLoopback Tests : End, Status Passed
    POST: PortASIC CAM Subsystem Tests : Begin
    POST: PortASIC CAM Subsystem Tests : End, Status Passed
    POST: PortASIC Port Loopback Tests : Begin
    POST: PortASIC Port Loopback Tests : End, Status Passed
    Waiting for Port download...Complete
    This product contains cryptographic features and is subject to United


    States and local country laws governing import, export, transfer and
    use. Delivery of Cisco cryptographic products does not imply
    third-party authority to import, export, distribute or use encryption.
    Importers, exporters, distributors and users are responsible for
    compliance with U.S. and local country laws. By using this product you
    agree to comply with applicable laws and regulations. If you are unable
    to comply with U.S. and local laws, return this product immediately.
    A summary of U.S. laws governing Cisco cryptographic products may be found at:
    http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
    If you require further assistance please contact us by sending email to
    [email protected].
    cisco WS-C2960-24TT-L (PowerPC405) processor (revision B0) with 61440K/4088K bytes of memory.
    Processor board ID FOC1048ZE27
    Last reset from power-on
    1 Virtual Ethernet interface
    24 FastEthernet interfaces
    2 Gigabit Ethernet interfaces
    The password-recovery mechanism is enabled.
    64K bytes of flash-simulated non-volatile configuration memory.
    Base ethernet MAC Address : 00:1A:6D:44:6C:80
    Motherboard assembly number : 73-10390-03
    Power supply part number : 341-0097-02
    Motherboard serial number : FOC10483A1C
    Power supply serial number : DCA104382KM
    Model revision number : B0
    Motherboard revision number : C0
    Model number : WS-C2960-24TT-L
    System serial number : FOC1048ZE27
    Top Assembly Part Number : 800-27221-02
    Top Assembly Revision Number : C0
    Version ID : V02
    CLEI Code Number : COM3L00BRA
    Hardware Board Revision Number : 0x01
    Switch   Ports  Model              SW Version      SW Image
    ------   -----  -----              ----------      ----------
    *    1   26     WS-C2960-24TT-L    12.2(25)SEE2    C2960-LANBASEK9-M
    Press RETURN to get started!
    00:00:39: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan1, changed state to down
    00:00:40: %SPANTREE-5-EXTENDED_SYSID: Extended SysId enabled for type vlan
    00:01:01: %SYS-5-RESTART: System restarted --
    Cisco IOS Software, C2960 Software (C2960-LANBASEK9-M), Version 12.2(25)SEE2, RELEASE SOFTWARE (fc1)
    Copyright (c) 1986-2006 by Cisco Systems, Inc.
    Compiled Fri 28-Jul-06 11:57 by yenanh
    00:01:03: %LINK-3-UPDOWN: Interface FastEthernet0/1, changed state to up
    00:01:03: %LINK-3-UPDOWN: Interface FastEthernet0/2, changed state to up
    00:01:03: %LINK-3-UPDOWN: Interface FastEthernet0/11, changed state to up
    00:01:03: %LINK-3-UPDOWN: Interface FastEthernet0/12, changed state to up
    00:01:04: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to up
    00:01:04: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/2, changed state to up
    00:01:04: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/11, changed state to up


    00:01:04: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/12, changed state to up
    00:01:33: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan1, changed state to up

Step 7 At the prompt, to terminate AutoInstall, press Enter to accept the default, which is yes—you do want to terminate AutoInstall.

Would you like to terminate autoinstall? [yes]:<ENTER>

Step 8 Now you are at the prompt to enter the initial configuration dialog. At this point you have completed this task. Note that you will answer the question in Step 1 of the next task.

             --- System Configuration Dialog ---
    Would you like to enter the initial configuration dialog? [yes/no]:

Activity Verification

You have completed this task when you attain these results:

You were able to erase any existing configuration.

You were able to obtain output similar to that given in Steps 6 through 8.

Task 3: Use System Configuration Dialog to Produce an Initial Configuration

Continuing the process started in the last task, you will choose the initial configuration dialog and will see the System Configuration Dialog displayed. You will then enter basic values for your switch. This configuration mode is also known as “setup,” from the command-line method to activate it.

Activity Procedure

Complete these steps:

Step 1 You are ready to complete the initial configuration. At the prompt (from the last step of the previous task, repeated below), enter yes and then press Enter to continue with the switch configuration. Throughout the following configuration, your entries are shown in bolded text.

             --- System Configuration Dialog ---
    Would you like to enter the initial configuration dialog? [yes/no]:yes

Step 2 Decline entering basic management setup by entering no.

    At any point you may enter a question mark '?' for help.
    Use ctrl-c to abort configuration dialog at any prompt.
    Default settings are in square brackets '[]'.
    Basic management setup configures only enough connectivity
    for management of the system, extended setup will ask you
    to configure each interface on the system
    Would you like to enter basic management setup? [yes/no]: no

Step 3 Decline the review of interfaces by entering no to this question.

    First, would you like to see the current interface summary? [yes]: no


Step 4 Enter the hostname for your assigned switch (for example, SwitchJ).

    Configuring global parameters:
    Enter host name [Switch]: SwitchX

Step 5 Enter all the passwords using the information in Lab 2-2, Table 1. The enable secret is a password used to protect access to privileged EXEC and configuration modes. This password, once entered, becomes encrypted in the configuration.

    Enter enable secret: sanfran

Step 6 The enable password is used when you do not specify an enable secret password, with some older software versions and some boot images.

    Enter enable password: cisco

Step 7 The virtual terminal password is used to protect access to the router over a network interface.

    Enter virtual terminal password: sanjose

Step 8 Answer no to the Configure SNMP Network Management prompt.

    Configure SNMP Network Management? [no]: no

Step 9 Answer yes to “Do You Want to Configure Vlan1 Interface?” Your IP address information can be obtained from Table 2.

    Configuring interface parameters:
    Do you want to configure Vlan1 interface? [no]: yes
    Configure IP on this interface? [no]: yes
    IP address for this interface: 10.x.x.11
    Subnet mask for this interface [255.0.0.0] : 255.255.255.0
    Class A network is 10.0.0.0, 24 subnet bits; mask is /24

Step 10 Answer no to all the remaining Configure Interface prompts.

    Do you want to configure FastEthernet0/1 interface? [yes]: no
    Do you want to configure FastEthernet0/2 interface? [yes]: no
    Do you want to configure FastEthernet0/3 interface? [yes]: no
    Do you want to configure FastEthernet0/4 interface? [yes]: no
    Do you want to configure FastEthernet0/5 interface? [yes]: no
    Do you want to configure FastEthernet0/6 interface? [yes]: no
    Do you want to configure FastEthernet0/7 interface? [yes]: no
    Do you want to configure FastEthernet0/8 interface? [yes]: no
    Do you want to configure FastEthernet0/9 interface? [yes]: no
    Do you want to configure FastEthernet0/10 interface? [yes]: no


    Do you want to configure FastEthernet0/11 interface? [yes]: no
    Do you want to configure FastEthernet0/12 interface? [yes]: no
    Do you want to configure FastEthernet0/13 interface? [yes]: no
    Do you want to configure FastEthernet0/14 interface? [yes]: no
    Do you want to configure FastEthernet0/15 interface? [yes]: no
    Do you want to configure FastEthernet0/16 interface? [yes]: no
    Do you want to configure FastEthernet0/17 interface? [yes]: no
    Do you want to configure FastEthernet0/18 interface? [yes]: no
    Do you want to configure FastEthernet0/19 interface? [yes]: no
    Do you want to configure FastEthernet0/20 interface? [yes]: no
    Do you want to configure FastEthernet0/21 interface? [yes]: no
    Do you want to configure FastEthernet0/22 interface? [yes]: no
    Do you want to configure FastEthernet0/23 interface? [yes]: no
    Do you want to configure FastEthernet0/24 interface? [yes]: no
    Do you want to configure GigabitEthernet0/1 interface? [yes]: no
    Do you want to configure GigabitEthernet0/2 interface? [yes]: no

Step 11 Answer no to the Enable as a Cluster Command Switch prompt.

    Would you like to enable as a cluster command switch? [yes/no]: no

Step 12 The setup process now outputs the Cisco IOS commands, which you should verify are correct. Press the Spacebar when prompted with --More-- to get additional output.

    The following configuration command script was created:
    hostname SwitchX
    enable secret 5 $1$3PTL$CG2pEpzgAJO3pkB7If4P9.
    enable password cisco
    line vty 0 15
    password sanjose
    no snmp-server
    !
    !
    interface Vlan1
    no shutdown
    ip address 10.10.10.11 255.255.255.0
    !
    interface FastEthernet0/1
    !
    interface FastEthernet0/2
    !
    interface FastEthernet0/3
    !
    interface FastEthernet0/4
    !
    interface FastEthernet0/5
    !
    interface FastEthernet0/6
    !


    interface FastEthernet0/7
    !
    interface FastEthernet0/8
    !
    interface FastEthernet0/9
    !
    interface FastEthernet0/10
    !
    interface FastEthernet0/11
    !
    interface FastEthernet0/12
    !
    interface FastEthernet0/13
    !
    interface FastEthernet0/14
    !
    interface FastEthernet0/15
    !
    interface FastEthernet0/16
    !
    interface FastEthernet0/17
    !
    interface FastEthernet0/18
    !
    interface FastEthernet0/19
    !
    interface FastEthernet0/20
    !
    interface FastEthernet0/21
    !
    interface FastEthernet0/22
    !
    interface FastEthernet0/23
    !
    interface FastEthernet0/24
    !
    interface GigabitEthernet0/1
    !
    interface GigabitEthernet0/2
    !
    end

Step 13 If the initial configuration displayed is correct, enter 2 to save this configuration to the startup configuration in NVRAM and exit the setup mode.

    [0] Go to the IOS command prompt without saving this config.
    [1] Return back to the setup without saving this config.
    [2] Save this configuration to nvram and exit.
    Enter your selection [2]: 2
    Building configuration...
    [OK]
    Use the enabled mode 'configure' command to modify this configuration.

Activity Verification

You have completed this task when you attain these results:

Your initial configuration output accurately matched the values assigned to your workgroup switch.

You chose option 2 to save to NVRAM and exit the setup mode.
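The script that setup generates in Step 12 keeps the enable password and the vty password in cleartext, while the enable secret appears only as a type 5 value. As an added example (not part of the Cisco lab guide), the following Python audits an IOS configuration for passwords that can be read back from the file; SAMPLE_CONFIG is that script with the empty interface stanzas trimmed, and the function names are assumptions of this example.

```python
from collections import namedtuple

# Constructed sample: the command script shown in Step 12, with the empty
# FastEthernet/GigabitEthernet stanzas trimmed.
SAMPLE_CONFIG = """\
hostname SwitchX
enable secret 5 $1$3PTL$CG2pEpzgAJO3pkB7If4P9.
enable password cisco
line vty 0 15
password sanjose
no snmp-server
!
!
interface Vlan1
no shutdown
ip address 10.10.10.11 255.255.255.0
!
end
"""

# IOS password type codes and how the value is stored in the configuration.
STORAGE = {
    "0": "cleartext",
    "5": "salted MD5 hash",
    "7": "type 7 reversible obfuscation",
    "8": "PBKDF2-SHA256 hash",
    "9": "scrypt hash",
}
RECOVERABLE = {"0", "7"}  # readable, or trivially decoded, from the config file

# context is "global" or the "line ..." stanza that holds the command.
Finding = namedtuple("Finding", "lineno context command type_code recoverable")


def password_type(args):
    """Return the type code from '[level N] [type] value'; no type means cleartext."""
    if len(args) >= 3 and args[0] == "level":
        args = args[2:]
    if len(args) >= 2 and args[0] in STORAGE:
        return args[0]
    return "0"


def audit(config_text):
    """Find every enable and line password and classify how it is stored."""
    findings, context = [], "global"

    def record(lineno, command, args):
        code = password_type(args)
        findings.append(Finding(lineno, context, command, code, code in RECOVERABLE))

    for lineno, raw in enumerate(config_text.splitlines(), 1):
        words = raw.split()
        if not words:
            continue
        if words[0] in ("!", "end", "interface"):
            context = "global"          # leaving any line stanza
        elif words[0] == "line":
            context = " ".join(words)   # e.g. "line vty 0 15"
        elif words[:2] == ["enable", "password"]:
            record(lineno, "enable password", words[2:])
        elif words[:2] == ["enable", "secret"]:
            record(lineno, "enable secret", words[2:])
        elif words[0] == "password" and context.startswith("line "):
            # Matched by stanza rather than indentation, so the check also
            # works when sub-commands are not indented.
            record(lineno, "line password", words[1:])
    return findings


def summarize(config_text):
    """Return one human-readable note per issue found by audit()."""
    findings = audit(config_text)
    notes = [
        f"line {f.lineno}: {f.command} ({f.context}) is stored as {STORAGE[f.type_code]}"
        for f in findings if f.recoverable
    ]
    commands = {f.command for f in findings}
    if {"enable password", "enable secret"} <= commands:
        notes.append("enable secret overrides enable password, but the "
                     "enable password stays in the configuration")
    return notes


if __name__ == "__main__":
    for note in summarize(SAMPLE_CONFIG):
        print(note)
```

Run against a saved copy of the switch configuration, the same functions show which entries are still recoverable after the password-encryption step in Lab 2-3, because type 7 values are reported alongside cleartext ones.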


Task 4: Add Default Gateway to Initial Configuration

Having used the setup mode to configure your switch, it is necessary to add the IP address of the default gateway router. The default gateway will be used when packets need to be forwarded via the Vlan 1 management interface to a non-directly-connected network. You will be configuring the router in a later lab.

Activity Procedure

Complete these steps:

Step 1 To go from user EXEC mode to enable mode, enter the enable command. Then enter the password when prompted.

Note Remember that you set the enable secret password to “sanfran” in the previous task.

Step 2 From the enable mode, enter the configure terminal command. This command is often abbreviated to conf t. Your display should be similar to the example below.

    SwitchX#configure terminal
    Enter configuration commands, one per line. End with CNTL/Z.
    SwitchX(config)#

Step 3 Enter the command ip default-gateway 10.x.x.3, where x.x represents the second and third octets of the address assigned to your switch interface VLAN 1. Your display should be similar to the example below.

    SwitchX(config)#ip default-gateway 10.10.10.3
    SwitchX(config)#

Step 4 Leave the configuration mode by entering the command end. Your display should be similar to the example below.

    SwitchX(config)#end
    SwitchX#
    1d00h: %SYS-5-CONFIG_I: Configured from console by console

Step 5 Enter the command copy running-config startup-config to save the running configuration to NVRAM. You will be prompted to confirm the destination filename. Confirm it by pressing the Enter key. Your display should be similar to the example below.

    SwitchX#copy running-config startup-config
    Destination filename [startup-config]?
    Building configuration...
    [OK]
    SwitchX#

Note A common shorthand entry for copy running-config startup-config is copy run start.

Activity Verification

You have completed this task when you attain these results:

You have added the default gateway IP address to the running configuration

You saved the running configuration to the startup-config file


Lab 2-3: Enhancing the Security of Initial Switch Configuration

Complete this lab activity to practice what you learned in the related module.

Activity Objective

In this activity, you will increase the security of the initial switch configuration. After completing this activity, you will be able to meet these objectives:

Add password protection to the console and vty lines

Use the Cisco IOS configuration command to encrypt all passwords

Add a banner message to the login process

Increase the security of remote management of the switch by adding the SSH protocol to the vty lines

Increase the security of the physical interfaces by configuring various methods of MAC address security

Disable unused interfaces

Visual Objective

The figure illustrates what you will accomplish in this activity.

[Figure: Visual Objective for Lab 2-3: Enhancing the Security of Switch Configuration]

Workgroup Hostname   Switch IP Address   Subnet Mask
SwitchA              10.2.2.11           255.255.255.0
SwitchB              10.3.3.11           255.255.255.0
SwitchC              10.4.4.11           255.255.255.0
SwitchD              10.5.5.11           255.255.255.0
SwitchE              10.6.6.11           255.255.255.0
SwitchF              10.7.7.11           255.255.255.0
SwitchG              10.8.8.11           255.255.255.0
SwitchH              10.9.9.11           255.255.255.0


Required Resources

These are the resources and equipment that are required to complete this activity:

PC with connectivity to the remote lab

An SSH-capable terminal emulation application

Your assigned pod information from Lab 2-1

Successful completion of Lab 2-2

Command List

The table describes the commands that are used in this activity.

Switch Cisco IOS Commands

Command: Description

? or help: In user EXEC mode, Cisco IOS Software lists the subset of commands available at that privilege level.
banner login: Allows the configuration of a message that will be displayed at the time of the login process.
clear mac-address-table dynamic interface int-id: Clears the dynamically learned MAC addresses associated with the interface specified.
clear port-security sticky interface int-id access: Clears the secure MAC addresses associated with the interface specified. The access parameter ensures that trunk ports are not affected.
configure terminal: Activates the configuration mode from the terminal.
copy running-config destination: Copies the switch running configuration file to another destination. The typical destination is the startup configuration.
copy running-config startup-config: Copies the switch running configuration file to the startup configuration file that is held in local NVRAM.
crypto key generate rsa: Generates the RSA key pairs to be used.
enable: Activates the privileged EXEC mode. In privileged EXEC mode, more commands are available. This command requires you to enter the enable password if an enable password is configured.
end: This configuration command terminates the configuration mode.
interface int-id: Enters interface configuration mode.
interface range int-id - last-port-number: Allows the grouping of interfaces, such that following interface configuration commands will be applied to all the interfaces specified simultaneously.
ip domain-name name: Supplies an IP domain name, which is required by the crypto key generation process.
ip ssh version [1 | 2]: Specifies the version of SSH to be run. To disable the version of SSH that was configured and to return to compatibility mode, use the no form of this command.
line console 0: Enters the line console 0 configuration mode.


line vty 0 15: Enters the virtual terminal line configuration mode. Vty lines allow access to the switch for remote network management. The number of vty lines available depends on the Cisco IOS Software version. Typical values are 0 to 4 and 0 to 15 (inclusive).
login: Activates the login process on the console or vty lines.
login local: Activates the login process on the console or vty lines to require using the local authentication database.
logout: Exits the EXEC mode, requiring reauthentication (if enabled).
password: Assigns a password to the console or vty lines.
ping ip-address: Common tool used to troubleshoot the accessibility of devices. It uses ICMP path echo requests and ICMP path echo replies to determine whether a remote host is active. The ping command also measures the amount of time it takes to receive the echo reply.
reload: Restarts the switch and reloads the Cisco IOS operating system.
service password-encryption: Enables the service that will encrypt all passwords in the running configuration.
show ip arp: Displays the IP address resolution table, which holds the bindings between IP addresses and their respective MAC addresses.
show ip ssh: Shows the current settings of the SSH protocol.
show mac-address-table dynamic: Displays only the dynamically learned MAC addresses in the table.
show mac-address-table interface int-id: Displays only the MAC addresses in the table associated with the specified interface.
show port-security interface int-id: Displays all administrative and operational status of all secure ports on a switch. Optionally displays specific interface security settings or all secure MAC addresses.
show running-config: Displays the active configuration.
show running-config interface int-id: Displays the running configuration of the interface specified in the command.
shutdown / no shutdown: Disables and enables an interface.
switchport mode access: Sets the port to access mode. Use the no version of this command to reset default values.
switchport port-security: Enables port security on an interface. Entered without keywords.
switchport port-security mac-address sticky: Sets the secure MAC addresses associated with an interface to be learned dynamically.
switchport port-security maximum [number]: Sets the maximum number of secure MAC addresses for the interface. Use the no version of this command to remove it.
switchport port-security violation violation mode: Sets the action to be taken when a security violation occurs. Protect, restrict, and shutdown are the three valid modes.
transport input telnet ssh: Specifies which protocols to use to connect to a specific line of the switch.
username username password password: Creates a username and password pair, which can then be used as a local authentication database.


Job Aids

These job aids are available to help you complete the lab activity.

Refer to Lab 2-1 for information regarding connection.

Table 1: Current Passwords

Switch console login: none
Switch enable password: cisco
Switch enable secret password: sanfran
Switch vty login password: sanjose

Task 1: Add Password Protection to Console Port and Vty Lines

Following the initial configuration of the switch, where passwords have been configured for the vty lines, two potential security holes exist. First, a security breach is possible when the vty lines have the login process deactivated and the password is too simple. Second, security can be breached when the console port currently is not protected by a password at all.

Activity Procedure

Complete these steps:

Step 1 Connect to your remote workgroup switch via the console server, and enter the necessary commands and passwords to get to the enable EXEC prompt.

Step 2 At the user EXEC prompt, enter the command enable, followed by the enable password for your switch.

Step 3 At the privileged EXEC prompt (sometimes called the “enable prompt”) of your assigned switch, enter config t.

Step 4 Access the console port configuration by entering the command line console 0.

Step 5 At the line console configuration mode, use the password “sanjose” for the console line. Enter the command password sanjose.

Step 6 Enter the command login, which will require a password to be supplied to access the switch via the console in the future.

Step 7 Enter the command line vty 0 15.

Step 8 Enter the command login, which will be applied to all 16 lines (0 through 15).

Step 9 Enter the command end, which will return you to the enable EXEC prompt.

Step 10 Enter the show running-config command and observe the output to see that you have correctly configured line console 0 and vty lines 0 through 15. Your output should be similar to the example below, where the line configuration is shown in bold text. You will observe that the passwords for both the line console and vty lines are stored in cleartext.


SwitchX#show running-config
..
..Text omitted
..
!
line con 0
 password sanjose
 login
line vty 0 4
 password sanjose
 login
line vty 5 15
 password sanjose
 login
!
end

Step 11 You will now test your configured password by logging out of and back into the switch via the console.

Step 12 Enter the command logout.

Step 13 Press the Enter key to get a password prompt.

Step 14 Supply the password that you just configured to get to the user EXEC prompt.

Step 15 Enter the command and password to get to the enable EXEC prompt.

Step 16 Your output for Steps 12 through 15 should be similar to the example below.

SwitchX#logout
..
..empty lines omitted
..
SwitchX con0 is now available
Press RETURN to get started.
..
..empty lines omitted
..
User Access Verification
Password:
SwitchX>enable
Password:
SwitchX#

Activity Verification

You have completed this task when you attain these results:

You configured the console and vty lines to require a password.

You inspected the configuration and observed that the line passwords are stored in cleartext.

You tested the login process and password access to the console line successfully.

Your output matches the example in Step 14.


Task 2: Activate Password Encryption Service

As discussed in the previous task, some passwords are stored in cleartext. This can be a security issue when the configurations are transmitted and stored on remote file systems. In this task, you will configure the password encryption service to secure all cleartext passwords with encryption.

Activity Procedure

Complete these steps:

Step 1 From the enable EXEC prompt, enter the command to get to global configuration mode.

Step 2 Enter the command service password-encryption.

Step 3 Enter the command to return to the enable EXEC prompt.

Step 4 Enter the command to see the running configuration. Concentrate on the first few lines and the last few lines of the configuration to see that the service password-encryption command is now active and the effect it has on the line passwords. Your output should be similar to the example below, with the bold text highlighting output of particular interest.

SwitchX#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
SwitchX(config)#service password-encryption
SwitchX(config)#end
SwitchX#
00:38:45: %SYS-5-CONFIG_I: Configured from console by console
SwitchX#show running-config
Building configuration...
Current configuration : 1453 bytes
!
version 12.2
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
..
..Text omitted
..
!
!
line con 0
 password 7 14041305060B392E
 login
line vty 0 4
 password 7 14041305060B392E
 login
line vty 5 15
 password 7 120A041918041F01
 login
!
end

Step 5 Enter the command to save the running configuration to startup-config.


Activity Verification

You have completed this task when you attain these results:

You have enabled the password encryption service

You have displayed the running configuration and observed the encryption of the line passwords

You have saved your running configuration

Task 3: Apply a Login Banner

As part of any security policy it is necessary to ensure that network resources are clearly identified as being off limits to the casual visitor. Hackers have in the past successfully used the fact that a “welcome” screen was presented at login as a legal defense for forced entry into the network. A message that clearly states that access is restricted should be presented when a user is attempting to access a network device (switch, router, and so on). The banner Cisco IOS configuration command allows this to be done.

Activity Procedure

Complete these steps:

Step 1 Enter the command to access the global configuration prompt.

Step 2 Enter the command banner login % and press the Enter key. The percent symbol (%) is the opening delimiter of the text that will form the message.

Step 3 Enter text to form your message followed by %.

Note Do NOT use percent symbols as part of your banner message text—they will be interpreted as the closing delimiter of your message.

Step 4 Below is an example of the output of the configuration of a banner message.

SwitchX#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
SwitchX(config)#banner login %
Enter TEXT message. End with the character '%'.
********** Warning *************
Access to this device is restricted to authorized persons only!
Un-authorized access is prohibited. Violators will be prosecuted.
**************************************************************%
SwitchX(config)#

Step 5 Enter the command to return to the EXEC mode.

Step 6 Enter the command to display the running configuration. Your output should be similar to the example below, which has been edited to show just the banner configuration. Notice that your text delimiter has been replaced with a ^C, which is a nontext control character.


!
banner login ^C
********** Warning *************
Access to this device is restricted to authorized persons only!
Un-authorized access is prohibited. Violators will be prosecuted.
**************************************************************^C
!

Step 7 Use the logout command to end your console session. Then log back in to the enable prompt. Observe the display to see your banner message being presented, prior to password entry. Your output should be similar to the example below, which has been edited to reduce space.

SwitchX#logout
SwitchX con0 is now available
Press RETURN to get started.
********* Warning *************
Access to this device is restricted to authorized persons only!
Un-authorized access is prohibited. Violators will be prosecuted.
**************************************************************
User Access Verification
Password:
SwitchX>en
Password:
SwitchX#

Step 8 Enter the command to save the running configuration to startup-config.

Activity Verification

You have completed this task when you attain these results:

You have configured a login banner message that clearly states that access to the switch is restricted.

You have tested the login message, and it does give a warning prior to password prompt.

You have saved your configuration.

Task 4: Enable SSH Protocol for Remote Management

In a previous task, you protected passwords by using encryption. However, if the process of remote management uses the Telnet protocol, which sends all characters in cleartext including passwords, the potential exists for packet capture and exploitation of that information. In this task you will configure the SSH protocol as an alternative to Telnet. If it is possible in your environment, it would be best to replace Telnet with SSH. To operate, SSH requires the following:

A username and password

A defined hostname

A defined IP domain

An RSA encryption key


Activity Procedure

Complete these steps:

Step 1 At the enable EXEC prompt, enter the command to access the global configuration prompt.

Step 2 The SSH protocol requires the use of a username and password pair. As this has not yet been configured, you must configure it now. Enter the command username username password password. In this example, you will use “netadmin” for both. Obviously, in the real-world environment, a much stronger username and password pair should be used.

Step 3 The generation of an SSH cryptographic key requires that both the hostname and domain name be configured. You have configured the hostname, so it is necessary to configure the domain name. Normally you would use your organization domain name, but in the lab you will use “cisco.com.”

Step 4 Enter the command ip domain-name domain name.

Step 5 Enter the command crypto key generate rsa. You will be prompted for a key size; 512 is the default, but you will enter 1024 to produce a more secure key. Your output should be similar to the example below, which is edited to include only the lines pertaining to this task.

SwitchX(config)#username netadmin password netadmin
SwitchX(config)#ip domain-name cisco.com
SwitchX(config)#crypto key generate rsa
The name for the keys will be: SwitchX.cisco.com
Choose the size of the key modulus in the range of 360 to 2048 for your
General Purpose Keys. Choosing a key modulus greater than 512 may take
a few minutes.
How many bits in the modulus [512]: 1024
% Generating 1024 bit RSA keys ...[OK]
01:26:52: %SSH-5-ENABLED: SSH 1.99 has been enabled

Step 6 Enter the command ip ssh version 2 to enable the required SSH version.

Step 7 Enter the command line vty 0 15.

Step 8 Enter the command login local. This changes the login process to use the locally configured username and password pairs.

Step 9 Enter the command transport input telnet ssh. This configures the 16 vty lines to support both Telnet and SSH. Your output should be similar to the example below.

SwitchX(config)#line vty 0 15
SwitchX(config-line)#login local
SwitchX(config-line)#transport input telnet ssh

Step 10 Enter the command to return to enable EXEC prompt.

Step 11 Enter the command show ip ssh.

SwitchX#sh ip ssh
SSH Enabled - version 2.0
Authentication timeout: 120 secs; Authentication retries: 3


Step 12 To test your configuration, you need to make a VPN tunnel connection to the remote lab using the method from Lab 2-1, Task 2. On your PC, open your SSH terminal client application. Use the IP address of your workgroup switch and the username and password pair that you configured in Step 2 of this task.

Step 13 Below is an example of a successful connection with the PuTTY application and using SSH.

Step 14 Enter the logout command to exit the PuTTY connection.

Step 15 Open the Windows Command window and enter the command telnet 10.x.x.11 (your workgroup switch IP address). Your output should be similar to the example below.

Step 16 Enter the username and password in the new Telnet Command window that automatically opens. Having established that Telnet is working simultaneously with SSH, type logout at the user EXEC prompt and close your Command window by typing exit at the Command window prompt. Your output should be similar to the example below.


Step 17 Enter the command to save your configuration to startup-config.

Activity Verification

You have completed this task when you attain these results:

You configured the vty lines to support the SSH version 2 protocol.

You successfully directly connected to your workgroup switch using SSH and Telnet, thus proving that both are being supported simultaneously.

You saved your configuration.
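An added example, not part of the lab guide: a Python audit of a saved running-config for the weaknesses that Tasks 1 through 4 address. It also flags type 7 strings, because the encoding applied by service password-encryption is reversible, and username ... password entries; the sample config is constructed from the outputs shown in those tasks, and the finding names are this example's own.

```python
import re

# Constructed sample: the lab switch's running-config after Tasks 1-4, trimmed.
# Line-password strings are the ones shown in Task 2; the username string is a
# made-up placeholder.
SAMPLE_CONFIG = """\
service password-encryption
!
username netadmin password 7 0123456789ABCDEF
ip domain-name cisco.com
ip ssh version 2
!
banner login ^C
********** Warning *************
Access to this device is restricted to authorized persons only!
**************************************************************^C
!
line con 0
 password 7 14041305060B392E
 login
line vty 0 4
 password 7 14041305060B392E
 login local
 transport input telnet ssh
line vty 5 15
 password 7 120A041918041F01
 login local
 transport input telnet ssh
!
end
"""


def parse_blocks(config):
    """Group 'show running-config' text into (header, [sub-commands])."""
    blocks, delim = [], None
    for raw in config.splitlines():
        if delim is not None:                 # inside banner text: skip it
            if delim in raw:
                delim = None
            continue
        line = raw.strip()
        if not line or line == "!":
            continue
        banner = re.match(r"banner (\S+) (\^C|\S)(.*)$", line)
        if banner:
            blocks.append((f"banner {banner[1]}", []))
            if banner[2] not in banner[3]:    # closing delimiter comes later
                delim = banner[2]
        elif raw[0].isspace() and blocks:     # indented: belongs to last header
            blocks[-1][1].append(line)
        else:
            blocks.append((line, []))
    return blocks


def audit(config):
    """Return (scope, finding) tuples; AAA-based logins are not considered."""
    blocks = parse_blocks(config)
    headers = [h for h, _ in blocks]
    findings = []
    if "banner login" not in headers:
        findings.append(("global", "no-login-banner"))
    if "ip ssh version 2" not in headers:
        findings.append(("global", "ssh-v2-not-forced"))
    for header, children in blocks:
        user = re.match(r"username (\S+) password\b", header)
        if user:  # 'username ... secret' stores a one-way hash instead
            findings.append((f"username {user[1]}", "user-password-not-secret"))
        if not header.startswith("line "):
            continue
        if not any(c.startswith("login") for c in children):
            findings.append((header, "login-disabled"))
        for child in children:
            pw = re.match(r"password(?: (\d+))? \S+$", child)
            if pw and pw[1] in (None, "0"):
                findings.append((header, "password-cleartext"))
            elif pw and pw[1] == "7":         # type 7 is reversible encoding
                findings.append((header, "password-type7-reversible"))
            if header.startswith("line vty") and child.startswith("transport input"):
                if {"telnet", "all"} & set(child.split()[2:]):
                    findings.append((header, "telnet-allowed"))
    return findings


if __name__ == "__main__":
    for scope, finding in audit(SAMPLE_CONFIG):
        print(f"{scope:<20} {finding}")
```
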

Task 5: Configure Port Security on a Switch

In this task, you will configure the switch to permit only a defined number of MAC addresses on the first access port, and also specify the action to take should this number be exceeded. You will determine how many addresses are being learned dynamically, then modify the interface to permit one less than this number, so that a MAC violation will occur. You will use show commands to observe the status and behavior of the switch before finally setting the secure number of addresses back to a viable non-error-producing value.

Activity Procedure

Access your SwitchX console port, where x identifies your pod. Complete the following steps to configure port security on the workgroup switch:

Caution You should have saved the current running configuration at the end of the previous lab. If you are in doubt then save your running configuration to startup-config prior to reloading.

Step 1 Enter the commands to reload your switch.

Step 2 Enter the commands to get to the enable EXEC prompt.

Step 3 Enter the command ping to test connectivity to the IP address in the table below. You will complete the table in Steps 4 and 5.

MAC Address Table

Device IP address    MAC address
10.x.x.100           ______________
Unmanaged device     ______________

Step 4 Enter the command show ip arp. This will display the bindings between the IP address and the MAC address. Enter the corresponding MAC address in the table above. Your output should be similar to the example below.

SwitchX#show ip arp
Protocol  Address      Age (min)  Hardware Addr   Type  Interface
Internet  10.x.x.11    -          001a.6d44.6cc0  ARPA  Vlan1
Internet  10.x.x.100   0          001a.2fe7.3089  ARPA  Vlan1


Step 5 Enter the command show mac-address-table int fa0/1. There should be one MAC not associated with the IP address you just pinged. This is the MAC address of the unmanaged device. Use this to complete the table from Step 3 above. Your output should be similar to the example below.

SwitchX#show mac-address-table int fa0/1
          Mac Address Table
-------------------------------------------
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
   1    0017.5a78.be01    DYNAMIC     Fa0/1
   1    001a.2fe7.3089    DYNAMIC     Fa0/1
Total Mac Addresses for this criterion: 2

Step 6 Before you configure port security, you need to clear the dynamically learned MAC address entries. Enter the command clear mac-address-table dynamic int fa0/1.

Step 7 Wait at least 10 seconds before entering the show mac-address-table int fa0/1 command to see the effect of this command. You will see that the MAC address of the unmanaged device is still in the MAC address table. This is because this device is periodically sending Layer 2 frames. Other Ethernet interfaces may be set to periodically send keep-alive frames. However, you should see only the MAC addresses being learned at this time. Your output should be similar to the example below.

SwitchX#show mac-address-table int fa0/1
          Mac Address Table
-------------------------------------------
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
   1    0017.5a78.be0f    DYNAMIC     Fa0/1
Total Mac Addresses for this criterion: 1

Step 8 Enter the command configure t.

Step 9 Enter the command interface fa0/1.

Step 10 Disable the interface by entering the shutdown command.

Step 11 Before port security features can be applied to a switchport, it has to be in non-auto-negotiation mode. Enter the command switchport mode access.

Step 12 Before activating port security, it is necessary to set the maximum number of MAC addresses to an appropriate value if there are more than the default of 1. However, as the intention is to trigger a MAC address violation, and in Step 5 you saw there were two MAC addresses associated with this interface, no action is necessary.

Step 13 Another parameter that should be set before the activation of port security is what action to take when more MAC addresses attempt to use the interface than have been configured. This is known as the violation action. The default action is shutdown, which will error-disable the interface. Initially you will use this default value, so that you get experience resetting the interface.

Step 14 Enter the command switchport port-security mac-address sticky. This will cause MAC addresses that are learned to be saved in the running configuration. If the configuration is subsequently saved to startup-config, they will be remembered upon a restart.


Step 15 Enter the command switchport port-security. Entering the command without any parameters activates port security. If this is not done, then port-security remains disabled.

Step 16 Enter the command no shutdown to re-enable the switchport.

Step 17 Enter the command end to leave configuration mode and return to the enable EXEC prompt.

Step 18 Wait for 20 seconds before entering the command show running-config int fa0/1 to display the portion of the running configuration for interface fa0/1. Your output should be similar to the example below, which has some lines shown in bold for emphasis.

SwitchX#show running-config int fa0/1
Building configuration...
Current configuration : 128 bytes
!
interface FastEthernet0/1
 switchport mode access
 switchport port-security
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky 0017.5a78.be0f
end

Step 19 Enter the show port-security int fa0/1 command to display the current port security settings.

SwitchX#show port-security int fa0/1
Port Security : Enabled
Port Status : Secure-up
Violation Mode : Shutdown
Aging Time : 0 mins
Aging Type : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 1
Total MAC Addresses : 1
Configured MAC Addresses : 0
Sticky MAC Addresses : 1
Last Source Address:Vlan : 0017.5a78.be01:1
Security Violation Count : 0

Step 20 Enter the command show mac-address dynamic int fa0/1 to show the dynamic MAC table entries for int fa0/1 only. You should not see any entries, because they would have been converted to static (sticky) entries. Your output should be similar to the example below.

SwitchX#show mac-address dynamic int fa0/1
          Mac Address Table
-------------------------------------------
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----

Step 21 Use the ping command to create a port-security violation: ping 10.x.x.100. Your output should be similar to the example below.

23:07:41: %PM-4-ERR_DISABLE: psecure-violation error detected on Fa0/1, putting Fa0/1 in err-disable state
23:07:41: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 001a.2fe7.3089 on port FastEthernet0/1.
23:07:42: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to down.
23:07:43: %LINK-3-UPDOWN: Interface FastEthernet0/1, changed state to down....
Success rate is 0 percent (0/5)
SwitchX#

Step 22 Enter the show port-security interface fa0/1 command to display the current port security settings.

SwitchX#show port-security int fa0/1
Port Security              : Enabled
Port Status                : Secure-shutdown
Violation Mode             : Shutdown
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 1
Total MAC Addresses        : 1
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 1
Last Source Address:Vlan   : 001a.2fe7.3089:1
Security Violation Count   : 1

Step 23 It is now necessary to modify the maximum value of allowable MAC addresses to two. It is also necessary to change the violation action to restrict and then return the interface from error disable state to administratively up.

Step 24 Before you attempt to modify the port security setting, it is best to clear the MAC table entries.

Step 25 Enter the command clear port-security sticky int fa0/1 access. Note: By restricting the action of the clear command to only the interface that you are currently dealing with, you avoid the risk of inadvertently impacting other interfaces.

Step 26 Enter the command configure t.

Step 27 Enter the command int fa0/1.

Step 28 Enter the command switchport port-security maximum 2.

Step 29 Enter the command switchport port-security violation restrict. The restrict violation action does not shut down the interface; instead it blocks the frames, generates a local message, and increments the security violation count. This violation action is appropriate for a low-security environment.

Step 30 To return the interface to administratively up from error disable, it is necessary to first enter the command shutdown and then enter the command no shutdown to bring the interface back up.

Step 31 Enter the command end to leave configuration mode and return to the enable EXEC prompt.

Step 32 Wait 20 seconds before you test your configuration by using the ping command to 10.x.x.100.

Step 33 The example below shows the output of the show running-config int fa0/1 command. Your output should be similar.

SwitchX#show running-config int fa0/1
Building configuration...

Current configuration : 329 bytes
!
interface FastEthernet0/1
 switchport mode access
 switchport port-security maximum 2
 switchport port-security
 switchport port-security violation restrict
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky 0017.5a78.be01
 switchport port-security mac-address sticky 001a.2fe7.3089
end

Step 34 The example below shows the output of the show port-security int fa0/1 command.

SwitchX#show port-security int fa0/1
Port Security              : Enabled
Port Status                : Secure-up
Violation Mode             : Restrict
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 2
Total MAC Addresses        : 2
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 2
Last Source Address:Vlan   : 001a.2fe7.3089:1
Security Violation Count   : 0

Step 35 Compare the bolded text with the output of Step 22, which should show that the port is up and that the violation mode is now Restrict rather than Shutdown.

Step 36 Save your running configuration to startup-config.

Activity Verification
You have completed this task when you attain these results:

The switch was configured to permit one dynamically learned MAC address on the first access port (fa0/1)

The port was forced into a port-security violation resulting in it being error disabled

The configuration was then changed to support two dynamically learned addresses, and the violation action was modified to restrict access and not shut down the port

The port was returned from error disable to administratively up state

The port was retested and no port-security violations were triggered

The running configuration was saved to startup-config
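The difference between the two port states in this task can be checked mechanically from the show port-security interface output. The following is an added example, not part of the lab guide: it parses the Step 22 and Step 34 outputs shown above and reports what an operator should notice. The function names (parse_port_security, count, assess) and the wording of the findings are this example's own.

```python
import re

# Example output from the lab: Step 22 (after the violation) and Step 34 (after the change).
STEP_22 = """\
SwitchX#show port-security int fa0/1
Port Security              : Enabled
Port Status                : Secure-shutdown
Violation Mode             : Shutdown
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 1
Total MAC Addresses        : 1
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 1
Last Source Address:Vlan   : 001a.2fe7.3089:1
Security Violation Count   : 1
"""

STEP_34 = """\
SwitchX#show port-security int fa0/1
Port Security              : Enabled
Port Status                : Secure-up
Violation Mode             : Restrict
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 2
Total MAC Addresses        : 2
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 2
Last Source Address:Vlan   : 001a.2fe7.3089:1
Security Violation Count   : 0
"""

# "Name : value" with whitespace on both sides of the separator, so the colon
# inside "Last Source Address:Vlan" and inside the MAC:VLAN value is not split on.
FIELD = re.compile(r"^\s*(.+?)\s+:\s+(.*?)\s*$")


def parse_port_security(text):
    """Turn 'Name : value' lines into a dict; the prompt and blank lines are skipped."""
    fields = {}
    for line in text.splitlines():
        match = FIELD.match(line)
        if match:
            fields[match.group(1)] = match.group(2)
    return fields


def count(fields, name):
    """Integer at the start of a field such as '0 mins' or '2'; 0 if the field is absent."""
    match = re.match(r"\d+", fields.get(name, ""))
    return int(match.group()) if match else 0


def assess(text):
    """Return a list of findings for one interface's port-security status."""
    fields = parse_port_security(text)
    if fields.get("Port Security") != "Enabled":
        return ["port security is not enabled on this port"]
    findings = []
    status = fields.get("Port Status", "")
    violations = count(fields, "Security Violation Count")
    maximum = count(fields, "Maximum MAC Addresses")
    total = count(fields, "Total MAC Addresses")
    sticky = count(fields, "Sticky MAC Addresses")
    last_mac = fields.get("Last Source Address:Vlan", "").rsplit(":", 1)[0]
    if status == "Secure-shutdown":
        findings.append(f"port is err-disabled after a violation (last source MAC "
                        f"{last_mac}); it stays down until shutdown / no shutdown")
    elif violations:
        findings.append(f"{violations} violation(s) counted while the port stayed up "
                        f"(last source MAC {last_mac})")
    if fields.get("Violation Mode") == "Restrict":
        findings.append("violation mode Restrict: offending frames are blocked but the "
                        "port stays up, so watch the violation count and the log")
    if maximum and total >= maximum:
        findings.append(f"secure address table is full ({total}/{maximum}): "
                        "the next new source MAC is a violation")
    if sticky:
        findings.append(f"{sticky} sticky address(es) are in running-config and survive "
                        "a restart only if saved to startup-config")
    return findings


if __name__ == "__main__":
    for label, output in (("Step 22", STEP_22), ("Step 34", STEP_34)):
        print(label)
        for finding in assess(output):
            print("  -", finding)
```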

Task 6: Disable Unused Ports and Place All Ports in Access Mode

In this task, you will shut down all unused ports. You will also move all switchports from auto negotiation to fixed access mode. This action makes the switch more resilient to security attacks from devices that are directly connected to the switch. In this task, it is given that the following ports are currently not in use: Fa0/3 through Fa0/10, Fa0/13 through Fa0/24, and Gi0/1 through Gi0/2.

Activity Procedure
Complete these steps:

Step 1 At the enable EXEC prompt enter the command to access the global configuration prompt.

Step 2 Enter the command interface range fa0/3 - 10. All the commands that follow will be applied to the ports specified.

Step 3 Enter the command shutdown.

Step 4 Enter the command interface range fa0/13 - 24 to replace the previous range command.

Step 5 Enter the command shutdown.

Step 6 Enter the command interface range gi0/1 - 2 to replace the previous range command.

Step 7 Enter the command shutdown.

Step 8 Return to the enable EXEC prompt.

Step 9 Enter the command to display the running configuration to confirm that only the intended interfaces were shut down.

Step 10 Enter the command to access the global configuration prompt.

Step 11 Enter the command interface range fa0/1 - 24, gi0/1 - 2 to include all ports in the range. Notice in this instance the interface ranges have been grouped into a single command by using the , (comma) as a separator.

Step 12 Enter the command switchport mode access.

Step 13 Return to the enable EXEC prompt.

Step 14 Enter the command to display the running configuration to confirm that all the interfaces were placed into access mode.

Step 15 When you are certain that all ports are in access mode, and all ports with the exception of fa0/1, fa0/2, fa0/11, and fa0/12 are shut down, save your running configuration to startup-config.

Activity Verification
You have completed this task when you attain these results:

Configured the given range of unused ports to be shut down

Configured all ports to be in access mode

Saved the running configuration to startup-config
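Steps 9 and 14 ask you to confirm the result by reading the running configuration. The following added example, which is not part of the lab guide, performs the same check in code: it reads interface stanzas from a running-config and reports any physical port that is not fixed in access mode, or that is unused but not shut down. The in-use port list comes from Step 15; the configuration excerpt is constructed for this example and contains two deliberate mistakes.

```python
import re

# Ports the lab leaves in service (Task 6, Step 15); every other port must be shut down.
IN_USE = {"FastEthernet0/1", "FastEthernet0/2", "FastEthernet0/11", "FastEthernet0/12"}

# Only physical switchports are audited; Vlan interfaces and lines are ignored.
PHYSICAL = re.compile(r"^(FastEthernet|GigabitEthernet)\d+/\d+$")

# Constructed running-config excerpt (not from the lab guide).
# Fa0/4 lacks "switchport mode access"; Fa0/5 is unused but not shut down.
SAMPLE_CONFIG = """\
!
interface FastEthernet0/1
 switchport mode access
 switchport port-security maximum 2
 switchport port-security
 switchport port-security violation restrict
!
interface FastEthernet0/2
 switchport mode access
!
interface FastEthernet0/3
 switchport mode access
 shutdown
!
interface FastEthernet0/4
 shutdown
!
interface FastEthernet0/5
 switchport mode access
!
interface FastEthernet0/11
 switchport mode access
!
interface GigabitEthernet0/1
 switchport mode access
 shutdown
!
interface Vlan1
 ip address 10.2.2.11 255.255.255.0
!
line con 0
 exec-timeout 60 0
"""


def parse_interfaces(config):
    """Map each interface name to the list of commands in its stanza."""
    stanzas = {}
    current = None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
            stanzas[current] = []
        elif line.startswith(" ") and current is not None:
            stanzas[current].append(line.strip())
        else:
            current = None  # "!" or any other top-level line ends the stanza
    return stanzas


def audit(config, in_use=IN_USE):
    """Return {port: [problems]} for physical ports that miss the Task 6 goals."""
    problems = {}
    for name, commands in parse_interfaces(config).items():
        if not PHYSICAL.match(name):
            continue
        issues = []
        if "switchport mode access" not in commands:
            issues.append("not fixed in access mode")
        # Exact match, so a "no shutdown" line is never mistaken for "shutdown".
        is_down = "shutdown" in commands
        if name not in in_use and not is_down:
            issues.append("unused port is not shut down")
        if name in in_use and is_down:
            issues.append("in-use port is shut down")
        if issues:
            problems[name] = issues
    return problems


if __name__ == "__main__":
    for port, issues in audit(SAMPLE_CONFIG).items():
        print(f"{port}: {', '.join(issues)}")
```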

Lab 2-4: Operating and Configuring a Cisco IOS Device

Complete this lab activity to practice what you learned in the related module.

Activity Objective
In this activity, you will demonstrate and practice the use of the CLI features of your workgroup switch. After completing this activity, you will be able to meet these objectives:

Explore context-sensitive help

Edit incorrect CLI commands on the switch

Examine the switch status using show commands

Visual Objective
The figure illustrates what you will accomplish in this activity.

Figure: Visual Objective for Lab 2-4: Operating and Configuring a Cisco IOS Device

Workgroup Hostname   Switch IP Address   Subnet Mask
SwitchA              10.2.2.11           255.255.255.0
SwitchB              10.3.3.11           255.255.255.0
SwitchC              10.4.4.11           255.255.255.0
SwitchD              10.5.5.11           255.255.255.0
SwitchE              10.6.6.11           255.255.255.0
SwitchF              10.7.7.11           255.255.255.0
SwitchG              10.8.8.11           255.255.255.0
SwitchH              10.9.9.11           255.255.255.0

Required Resources
These are the resources and equipment that are required to complete this activity:

PC with connectivity to the remote lab

An SSH-capable terminal emulation application

Your assigned pod information from Lab 2-1

Command List
The table describes the commands that are used in this activity.

Switch Cisco IOS Commands

Command / Description

? or help
    In user mode, Cisco IOS Software lists a subset of the available commands.
    After you enter enable and enter your enable password for privileged mode, a much larger list of available commands is displayed.

clock set
    Manages the system clock.

configure terminal
    Activates the configuration mode from the terminal.

enable
    Activates privileged mode. In privileged mode, more commands are available.
    This command requires you to enter the enable password if an enable password is configured. If an enable secret password is also configured, the enable secret password overrides the enable password.

exec-timeout
    Sets the inactivity time allowed before a session will be automatically logged out.

history size
    Sets the number of lines held in the history buffer for recall. Two separate buffers are used, one for EXEC mode commands and the other for configuration mode commands.

[no] ip domain-lookup
    The command-line interpreter by default tries, when receiving a command it does not recognize, to interpret it as a symbolic name for an IP address. The no form of this command turns off this default action, thus speeding up the interpretation of erroneous entries.

line console 0
    Enters the line console 0 configuration mode.

line vty 0 15
    Enters the virtual terminal line configuration mode. Vty lines allow access to the switch for remote network management. The number of vty lines available is dependent on the Cisco IOS Software version. Typical values are 0-4 and 0-15 (inclusive).

logging synchronous
    Synchronizes unsolicited messages and debug privileged EXEC command output with solicited device output and prompts for a specific console port line or vty line.

show clock
    Displays the system clock.

show history
    Displays recently entered commands.

show interfaces
    Displays information on all of the router interfaces.

show running-config
    Displays the active configuration.

show terminal
    Displays the current settings for the terminal.

show version
    Displays the configuration of the router hardware and the various software versions.

terminal history size
    Sets the command history buffer size.

Job Aids
These job aids are available to help you complete the lab activity.

Current Passwords

Switch Console Login             sanjose
Switch Enable Password           cisco
Switch Enable Secret Password    sanfran
Switch VTY Login User ID         netadmin
Switch VTY Login Password        netadmin

Task 1: Explore Context-Sensitive Help

In this task, you will use context-sensitive help in both user and privileged EXEC modes to locate commands and complete command syntax.

Activity Procedure
Complete these steps:

Step 1 Connect to your workgroup switch using the information from Lab 2-1.

Step 2 Enter the help command (?). At the user EXEC prompt, you should see a partial list of commands available. Your output should resemble the example below.

Exec commands:
  access-enable    Create a temporary Access-List entry
  clear            Reset functions
  connect          Open a terminal connection
..
..Text omitted
..
  set              Set system parameter (not config)
  show             Show running system information
  ssh              Open a secure shell client connection
  systat           Display information about terminal lines
  telnet           Open a telnet connection
 --More--

Step 3 Press the Spacebar to complete or continue the list.

Step 4 Enter privileged EXEC mode.

Step 5 Notice that the prompt, which indicates the switch mode, was “>” and is now “#”.

Step 6 Enter the help (?) command at the privileged EXEC mode prompt. Use help to determine the keyword command that manages the system clock.

Step 7 Your console should be displaying a prompt of “--More--” as it waits for you to press a key before displaying more output. Enter q to terminate continuation of the output.

Step 8 Enter the clock ? command. You should see the context-sensitive help. Your output should resemble the example below.

SwitchX#clock ?
  set  Set the time and date

Step 9 Set the system clock to the current time and date. Remember to use context-sensitive help to guide you through the process.

Step 10 At the switch# prompt, enter sh? You should see another example of the context-sensitive help. Your output should resemble the example below.

SwitchX#sh?
show

Step 11 Press the Tab key. You should see the command-completion feature in action. When enough letters of a command or keyword have been entered, the Tab key will complete the word and place a space so that it is ready to receive any further input.

Step 12 Enter the show clock command. Your output should reflect the changes you made using the clock set command in Step 9. Your output should be similar to the example below.

SwitchX#show clock
10:45:25.073 UTC Tue Jul 10 2007

Activity Verification
You have completed this task when you attain this result:

You used the system help facility and the command-completion facility.

Task 2: Edit an Incorrect Command

In this task, you will use Cisco IOS Software enhanced editing features to correct command-line errors.

Activity Procedure
Complete these steps:

Step 1 Enter the following comment line at the prompt: “This command changes the clock speed for the router”. Enter the text without the quotes (“).

SwitchX#This command changes the clock speed for the router.
        ^
% Invalid input detected at '^' marker.

Step 2 Enter the following comment line, preceded by the exclamation point (!): !ths comand changuw the clck sped for the swch,. An exclamation point (!) before the text line indicates that you are entering a comment.

SwitchX#!ths comand changuw the clck sped for the swch,

Step 3 Enter Ctrl-P or press the Up Arrow key to see the previous line.

Step 4 Use the editor commands Ctrl-A, Ctrl-F, Ctrl-E, and Ctrl-B to move along the line and the Backspace key to delete unwanted characters.

Step 5 Using the editing commands, correct the comment line to read !This command changes the clock speed for the switch.

Activity Verification
You have completed this task when you attain this result:

You used the built-in editor and used those keystrokes for cursor navigation.

Task 3: Improve the Usability of the CLI

In this task, you will enter commands to improve the usability of the CLI. You will increase the number of lines in the history buffers, increase the inactivity timer on the console port, and stop the attempted name resolution of mistyped commands.

Activity Procedure
Complete these steps:

Step 1 Enter the command show terminal. Your output should be similar to the example below, which has been edited to reduce unwanted lines.

SwitchX#sh terminal
Line 0, Location: "", Type: ""
Length: 24 lines, Width: 80 columns
Baud rate (TX/RX) is 9600/9600, no parity, 2 stopbits, 8 databits
..
..Text omitted
..
Editing is enabled.
History is enabled, history size is 10.
DNS resolution in show commands is enabled
Full user help is disabled
Allowed input transports are none.
Allowed output transports are telnet ssh.
Preferred transport is telnet.
No output characters are padded
No special data dispatching characters

Step 2 The size of the history buffers is 10. You could change this by using the command terminal history size 100. However, this value would have to be entered every time you log out of and back into the switch. The history size can be set in the configuration, associated with the console and vty lines.

Step 3 Enter the command config t to get to the global configuration prompt.

Step 4 Enter the command line console 0.

Step 5 Enter the command history size 100.

Step 6 While you are in the console line mode, it is a good idea to change the EXEC timeout from the 15-minute value to 60 minutes. Enter the command exec-timeout 60.

Step 7 Enter the command logging synchronous to synchronize unsolicited messages and debug privileged EXEC command output with the input from the CLI.

Step 8 Enter the command line vty 0 15 to configure the vty lines.

Step 9 Enter the commands to configure the history size to 100 and to synchronize the messages.

Step 10 Enter the exit command to return to the global configuration mode.

Step 11 Enter the command no ip domain-lookup to disable the resolution for symbolic names.

Step 12 Return to enable EXEC prompt.

Step 13 Use the history recall to enter the show terminal command. Your output should be similar to the example below, which has been edited to reduce unwanted lines.

SwitchX#sh term
Line 0, Location: "", Type: ""
Length: 24 lines, Width: 80 columns
Baud rate (TX/RX) is 9600/9600, no parity, 2 stopbits, 8 databits
..
..Text omitted
..
Editing is enabled.
History is enabled, history size is 100.
DNS resolution in show commands is enabled
Full user help is disabled
Allowed input transports are none.
Allowed output transports are telnet ssh.
Preferred transport is telnet.
No output characters are padded
No special data dispatching characters

Step 14 Enter the show running-config command to confirm that the configuration changes just made are correct.

Step 15 When you are satisfied that your running configuration reflects the changes, then save it to startup-config.

Step 16 Close your connection(s) to your workgroup switch.

Activity Verification
You have completed this task when you attain these results:

The inactivity timeout on the console line is set to 60 minutes

You have verified that the history buffer value is set to 100 lines on the console and vty lines

You have verified that logging synchronous is configured on the console and vty lines

You have saved your configuration to startup-config

You have closed any open connections to your workgroup switch

Lab 4-1: Converting Decimal to Binary and Binary to Decimal

Complete the lab activity to practice what you learned in the related module.

Activity Objective
In this activity, you convert decimal and binary numbers. After completing this activity, you will be able to meet these objectives:

Convert decimal numbers to binary

Convert binary numbers to decimal

Visual Objective
The figure illustrates what you will accomplish in this activity.

Figure: Visual Objective for Lab 4-1: Converting Decimal to Binary and Binary to Decimal

Required Resources
There are no resources for this lab activity.

Command List
There are no commands used in this lab activity.

Job Aids
There are no job aids for this lab activity.

Activity Preparation
There is no preparation for this lab activity.

Task 1: Convert from Decimal Notation to Binary Format

Activity Procedure
Complete the following table, which provides practice in converting a number from decimal notation to binary format.

Base 2     2^7   2^6   2^5   2^4   2^3   2^2   2^1   2^0
Decimal    128    64    32    16     8     4     2     1   Binary
48           0     0     1     1     0     0     0     0   48 = 32 + 16 = 00110000
146          1     0     0     1
222
119
135
60

Task 2: Convert from Binary Notation to Decimal Format

Activity Procedure
Complete the following table, which provides practice in converting a number from binary notation to decimal format.

Base 2     2^7   2^6   2^5   2^4   2^3   2^2   2^1   2^0
Binary     128    64    32    16     8     4     2     1   Decimal
11001100     1     1     0     0     1     1     0     0   128 + 64 + 8 + 4 = 204
10101010     1     0     1     0
11100011
10110011
00110101
10010111

Activity Verification
You have completed this lab when you attain these results:

You can accurately convert decimal format numbers to binary notation.

You can accurately convert binary notation numbers to decimal format.

Lab 4-2: Classifying Network Addressing

Complete the lab activity to practice what you learned in the related module.

Activity Objective
In this activity, you classify network addresses with IPv4 and IPv6. After completing this activity, you will be able to meet these objectives:

Convert decimal IP addresses to binary numbers

Convert binary numbers to IP addresses

Identify classes of IP addresses

Identify valid and invalid host IP addresses

Visual Objective
The figure illustrates what you will accomplish in this activity.

Figure: Visual Objective for Lab 4-2: Classifying Network Addressing

Convert decimal IP addresses to binary
145.32.59.24 = 10010001.00100000.__________.__________

Convert binary IP addresses to decimal
10010001.00011011.00111101.10001001 = 216.____.____.____

Identifying IP Address Classes
0.124.0.0? 23.75.345.200? 255.255.255.255?

Required Resources
There are no resources for this lab activity.

Command List
There are no commands used in this activity.

Job Aids
There are no job aids for this lab activity.

Activity Preparation
There is no preparation for this lab activity.

Task 1: Convert from Decimal IP Address to Binary Format

Activity Procedure
Complete the following steps:

Step 1 Complete the following table to express 145.32.59.24 in binary format.

Base 2     2^7   2^6   2^5   2^4   2^3   2^2   2^1   2^0
Decimal    128    64    32    16     8     4     2     1   Binary
145          1     0     0     1     0     0     0     1   10010001
32           0     0     1     0     0     0     0     0   00100000
59
24

Binary Format IP Address: 10010001. 00100000. ___________ . ___________

Step 2 Complete the following table to express 200.42.129.16 in binary format.

Base 2     2^7   2^6   2^5   2^4   2^3   2^2   2^1   2^0
Decimal    128    64    32    16     8     4     2     1   Binary
200
42
129
16

Binary Format IP Address:

Step 3 Complete the following table to express 14.82.19.54 in binary format.

Base 2     2^7   2^6   2^5   2^4   2^3   2^2   2^1   2^0
Decimal    128    64    32    16     8     4     2     1   Binary
14
82
19
54

Binary Format IP Address:

Task 2: Convert from Binary Format to Decimal IP Address

Activity Procedure
Complete the following steps:

Step 1 Complete the following table to express 11011000.00011011.00111101.10001001 in decimal IP address format.

Base 2     2^7   2^6   2^5   2^4   2^3   2^2   2^1   2^0
Binary     128    64    32    16     8     4     2     1   Decimal
11011000     1     1     0     1     1     0     0     0   216
00011011
00111101
10001001

Decimal Format IP Address: 216. _____ . _____ . _____

Step 2 Complete the following table to express 11000110.00110101.10010011.00101101 in decimal IP address format.

Base 2     2^7   2^6   2^5   2^4   2^3   2^2   2^1   2^0
Binary     128    64    32    16     8     4     2     1   Decimal
11000110
00110101
10010011
00101101

Decimal Format IP Address:

Step 3 Complete the following table to express 01111011.00101101.01000011.01011001 in decimal IP address format.

Base 2     2^7   2^6   2^5   2^4   2^3   2^2   2^1   2^0
Binary     128    64    32    16     8     4     2     1   Decimal
01111011
00101101
01000011
01011001

Decimal Format IP Address:

Task 3: Identify IP Address Classes

Activity Procedure
Complete this table to identify the address class, number of bits in the network ID, and maximum number of hosts.

Binary IP Address                     Decimal IP Address   Address Class   Number of Bits in Network ID   Maximum Number of Hosts (2^h - 2)
10010001.00100000.00111011.00011000   145.32.59.24         Class B         16
11001000.00101010.10000001.00010000   200.42.129.16
00001110.01010010.00010011.00110110   14.82.19.54
11011000.00011011.00111101.10001001   216.27.61.137
10110011.00101101.01000011.01011001   179.45.67.89
11000110.00110101.10010011.00101101   198.53.147.45

Task 4: Identify Valid and Invalid Host IP Addresses

Activity Procedure
Complete the following table to identify which host IP addresses are valid and which are not valid.

Decimal IP Address   Valid or Invalid   If Invalid, Indicate Reason
23.75.345.200
216.27.61.134
102.54.94
255.255.255.255
142.179.148.200
200.42.129.16
0.124.0.0

Activity Verification
You have completed this lab when you attain these results:

You can accurately convert decimal format IP addresses to binary format

You can accurately convert binary format IP addresses to decimal format

You can identify the address class of a given IP address

You can identify valid and invalid IP addresses
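The checks that Lab 4-2 asks for, written out as an added Python example that is not part of the lab guide. The function names are this example's own, the sample addresses are the ones in the Task 4 table, and the validity rules are the classful ones assumed here (four octets of 0 to 255, Class A, B or C, first octet not 0 or 127, host bits neither all 0s nor all 1s).

```python
"""Added example for Lab 4-2: conversion, address class and host validity."""

WEIGHTS = (128, 64, 32, 16, 8, 4, 2, 1)      # 2^7 .. 2^0, the worksheet's columns
NETWORK_BITS = {"A": 8, "B": 16, "C": 24}    # classful network ID lengths


def binary_to_decimal(binary_ip):
    """Convert '10010001.00100000.00111011.00011000' to '145.32.59.24'."""
    octets = binary_ip.split(".")
    if len(octets) != 4:
        raise ValueError(f"expected 4 octets, found {len(octets)}")
    values = []
    for bits in octets:
        if len(bits) != 8 or set(bits) - {"0", "1"}:
            raise ValueError(f"{bits!r} is not an 8-bit binary octet")
        # Add the weight of every position that holds a 1.
        values.append(sum(w for w, b in zip(WEIGHTS, bits) if b == "1"))
    return ".".join(str(v) for v in values)


def parse_decimal(decimal_ip):
    """Return the four octets as integers, or raise ValueError with a reason."""
    parts = decimal_ip.split(".")
    if len(parts) != 4:
        raise ValueError(f"expected 4 octets, found {len(parts)}")
    for part in parts:
        if not (part.isascii() and part.isdigit()):
            raise ValueError(f"octet {part!r} is not a decimal number")
        if int(part) > 255:
            raise ValueError(f"octet {part} is greater than 255")
    return [int(part) for part in parts]


def address_class(first_octet):
    """Classify by the leading bits of the first octet."""
    if first_octet < 128:
        return "A"      # 0xxxxxxx
    if first_octet < 192:
        return "B"      # 10xxxxxx
    if first_octet < 224:
        return "C"      # 110xxxxx
    if first_octet < 240:
        return "D"      # 1110xxxx, multicast
    return "E"          # 1111xxxx, reserved


def classify(decimal_ip):
    """Return (class, network ID bits, maximum hosts = 2^h - 2)."""
    cls = address_class(parse_decimal(decimal_ip)[0])
    if cls not in NETWORK_BITS:
        return cls, None, None          # Classes D and E have no host field
    network_bits = NETWORK_BITS[cls]
    return cls, network_bits, 2 ** (32 - network_bits) - 2


def check_host(decimal_ip):
    """Return (valid, reason); reason is empty when the address is valid."""
    try:
        octets = parse_decimal(decimal_ip)
    except ValueError as err:
        return False, str(err)
    if octets == [255, 255, 255, 255]:
        return False, "limited broadcast address"
    cls = address_class(octets[0])
    if cls not in NETWORK_BITS:
        return False, f"Class {cls} is not assignable to hosts"
    if octets[0] == 0:
        return False, "network ID 0 is reserved"
    if octets[0] == 127:
        return False, "127.x.x.x is reserved for loopback"
    host_octets = octets[NETWORK_BITS[cls] // 8:]
    if all(o == 0 for o in host_octets):
        return False, "host bits all 0 (network address)"
    if all(o == 255 for o in host_octets):
        return False, "host bits all 1 (directed broadcast)"
    return True, ""


# Addresses taken from the lab's Task 4 table.
TASK4_ADDRESSES = [
    "23.75.345.200", "216.27.61.134", "102.54.94", "255.255.255.255",
    "142.179.148.200", "200.42.129.16", "0.124.0.0",
]

if __name__ == "__main__":
    for address in TASK4_ADDRESSES:
        valid, reason = check_host(address)
        print(f"{address:<16} {'valid' if valid else 'invalid: ' + reason}")
```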


Lab 4-3: Computing Usable Subnetworks and Hosts

Complete the lab activity to practice what you learned in the related module.

Activity Objective

In this activity, you determine the number of bits to borrow from the host ID to create the required number of subnets for a given IP address. After completing this activity, you will be able to meet these objectives:

Determine the number of bits required to create different subnets

Determine the maximum number of host addresses available in a given subnet

Visual Objective

The figure illustrates what you will accomplish in this activity.

[Figure: Visual Objective for Lab 4-3, Computing Usable Subnetworks and Hosts. Given a Class C network address of 192.168.89.0, a Class B network address of 172.25.0.0, and a Class A network address of 10.0.0.0: How many subnets can you create? How many hosts per subnet can you create?]

Required Resources

There are no resources for this lab activity.

Command List

There are no commands used in this activity.

Job Aids

There are no job aids for this lab activity.


Activity Preparation

There is no preparation for this lab activity.

Task 1: Determine the Number of Bits Required to Subnet a Class C Network

Activity Procedure

Given a Class C network address of 192.168.89.0, complete the table to identify the number of bits that are required to define the specified number of subnets for the network, and then determine the number of hosts per subnet.

| Number of Subnets | Number of Bits to Borrow | Number of Hosts per Subnet (2^h – 2) |
|---|---|---|
| 2 | | |
| 5 | | |
| 12 | | |
| 24 | | |
| 40 | | |

Task 2: Determine the Number of Bits Required to Subnet a Class B Network

Activity Procedure

Given a Class B network address of 172.25.0.0, complete the table to identify the number of bits that are required to define the specified number of subnets for the network, and then determine the number of hosts per subnet.

| Number of Subnets | Number of Bits to Borrow | Number of Hosts per Subnet (2^h – 2) |
|---|---|---|
| 5 | | |
| 8 | | |
| 14 | | |
| 20 | | |
| 35 | | |


Task 3: Determine the Number of Bits Required to Subnet a Class A Network

Activity Procedure

Given a Class A network address of 10.0.0.0, complete the table to identify the number of bits that are required to define the specified number of subnets for the network, and then determine the number of hosts per subnet.

| Number of Subnets | Number of Bits to Borrow | Number of Hosts per Subnet (2^h – 2) |
|---|---|---|
| 10 | | |
| 14 | | |
| 20 | | |
| 40 | | |
| 80 | | |

Activity Verification

You have completed this lab when you attain these results:

Given a Class A, B, or C network, you can identify the number of bits to borrow to create a given number of subnets

Given a Class A, B, or C network, you can determine the number of hosts on the network, given a number of subnets and number of bits to borrow


Lab 4-4: Calculating Subnet Masks

Complete the lab activity to practice what you learned in the related module.

Activity Objective

In this activity, you calculate subnet masks. After completing this activity, you will be able to meet these objectives:

Given a network address, determine the number of possible network addresses and the binary subnet mask to use

Given a network IP address and subnet mask, determine the range of subnet addresses

Identify the host addresses that can be assigned to a subnet and the associated broadcast addresses

Visual Objective

The figure illustrates what you will accomplish in this activity.

[Figure: Visual Objective for Lab 4-4, Calculating Subnet Masks. Given a network address, determine the number of possible network addresses and the binary subnet mask to use. Given a network IP address and subnet mask, determine the range of subnet addresses. Identify the host addresses that can be assigned to a subnet and the associated broadcast addresses.]

Required Resources

There are no resources for this lab activity.

Command List

There are no commands used in this activity.


Job Aids

There are no job aids for this lab activity.

Activity Preparation

There is no preparation for this lab activity.

Task 1: Determine the Number of Possible Network Addresses

Activity Procedure

Given a Class A network and the net bits identified, complete this table to identify the subnet mask and the number of host addresses possible for each mask.

| Classful Address | Decimal Subnet Mask | Binary Subnet Mask | Number of Hosts per Subnet (2^h – 2) |
|---|---|---|---|
| /20 | | | |
| /21 | | | |
| /22 | | | |
| /23 | | | |
| /24 | | | |
| /25 | | | |
| /26 | | | |
| /27 | | | |
| /28 | | | |
| /29 | | | |
| /30 | | | |

Task 2: Given a Network Address, Define Subnets

Activity Procedure

Assume that you have been assigned the 172.25.0.0 /16 network. You need to establish twelve subnets. Complete the following questions.

1. How many bits do you need to borrow to define 12 subnets? _________________________________________________________________________

2. Specify the classful address and subnet mask in binary and decimal that allows you to create 12 subnets. _________________________________________________________________________

3. Use the eight-step method to define the 12 subnets.


Step Description Example

1. Write down the octet that is being split in binary.

2. Write the mask or classful prefix length in binary.

3. Draw a line to delineate the significant bits in the assigned IP address.

Cross out the mask so that you can view the significant bits in the IP address.

4. Copy the significant bits four times.

5. In the first line, define the network address by placing 0s in the remaining host bits.

6. In the last line, define the directed-broadcast address by placing 1s in the host bits.

7. In the middle lines, define the first and last host ID for this subnet.

8. Increment the subnet bits by one to determine the next subnet address.

Repeat Steps 4 through 8 for all subnets.

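4. Complete the following table to define each subnet.

| Subnet Number | Subnet Address | Range of Host Addresses | Directed-Broadcast Address |
|---|---|---|---|
| 0 | | | |
| 1 | | | |
| 2 | | | |
| 3 | | | |
| 4 | | | |
| 5 | | | |
| 6 | | | |
| 7 | | | |
| . . . | | | |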

Task 3: Given Another Network Address, Define Subnets

Activity Procedure

Assume that you have been assigned the 192.168.1.0 /24 network.

1. How many bits do you need to borrow to define six subnets?

_________________________________________________________________________

2. Specify the classful address and subnet mask in binary and decimal that allows you to create six subnets.

_________________________________________________________________________


3. Use the eight-step method to define the six subnets.

Step Description Example

1. Write down the octet that is being split in binary.

2. Write the mask or classful prefix length in binary.

3. Draw a line to delineate the significant bits in the assigned IP address.

Cross out the mask so that you can view the significant bits in the IP address.

4. Copy the significant bits four times.

5. In the first line, define the network address by placing 0s in the remaining host bits.

6. In the last line, define the directed-broadcast address by placing 1s in the host bits.

7. In the middle lines, define the first and last host ID for this subnet.

8. Increment the subnet bits by one to determine the next subnet address.

Repeat Steps 4 through 8 for all subnets.

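4. Complete this table to define each subnet.

| Subnet Number | Subnet Address | Range of Host Addresses | Directed-Broadcast Address |
|---|---|---|---|
| 0 | | | |
| 1 | | | |
| 2 | | | |
| 3 | | | |
| 4 | | | |
| 5 | | | |
| 6 | | | |
| 7 | | | |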

Task 4: Given a Network Address and Classful Address, Define Subnets

Activity Procedure

Assume that you have been assigned the 192.168.111.129 address in a /28 network block.

1. Specify the subnet mask in binary and decimal.

_________________________________________________________________________

2. How many subnets can you define with the specified mask?

_________________________________________________________________________


3. How many hosts will be in each subnet? _______________________________________________________________________

4. Use the eight-step method to define the subnets.

Step Description Example

1. Write down the octet that is being split in binary.

2. Write the mask or classful prefix length in binary.

3. Draw a line to delineate the significant bits in the assigned IP address.

Cross out the mask so that you can view the significant bits in the IP address.

4. Copy the significant bits four times.

5. In the first line, define the network address by placing 0s in the remaining host bits.

6. In the last line, define the directed-broadcast address by placing 1s in the host bits.

7. In the middle lines, define the first and last host ID for this subnet.

8. Increment the subnet bits by one to determine the next subnet address.

Repeat Steps 4 through 8 for all subnets.

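5. Complete this table to define each subnet.

| Subnet Number | Subnet Address | Range of Host Addresses | Directed-Broadcast Address |
|---|---|---|---|
| 0 | | | |
| 1 | | | |
| 2 | | | |
| 3 | | | |
| 4 | | | |
| 5 | | | |
| 6 | | | |
| 7 | | | |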

Task 5: Given a Network Block and Classful Address, Define Subnets

Activity Procedure

Assume that you have been assigned the 172.25.112.0 address in a /23 network block.

1. Specify the subnet mask in binary and decimal.

_________________________________________________________________________


2. How many subnets can you define with the specified mask?

_________________________________________________________________________

3. How many hosts will be in each subnet?

_________________________________________________________________________

4. Use the eight-step method to define the subnets.

Step Description Example

1. Write down the octet that is being split in binary.

2. Write the mask or classful prefix length in binary.

3. Draw a line to delineate the significant bits in the assigned IP address.

Cross out the mask so that you can view the significant bits in the IP address.

4. Copy the significant bits four times.

5. In the first line, define the network address by placing 0s in the remaining host bits.

6. In the last line, define the directed-broadcast address by placing 1s in the host bits.

7. In the middle lines, define the first and last host ID for this subnet.

8. Increment the subnet bits by one to determine the next subnet address.

Repeat Steps 4 through 8 for all subnets.

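5. Complete this table to define each subnet.

| Subnet Number | Subnet Address | Range of Host Addresses | Directed-Broadcast Address |
|---|---|---|---|
| 0 | | | |
| 1 | | | |
| 2 | | | |
| 3 | | | |
| 4 | | | |
| 5 | | | |
| 6 | | | |
| 7 | | | |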


Task 6: Given a Network Block and Classful Address, Define Subnets

Activity Procedure

Assume that you have been assigned the 172.20.0.129 address in a /25 network block.

1. Specify the subnet mask in binary and decimal.

_________________________________________________________________________

2. How many subnets can you define with the specified mask?

_________________________________________________________________________

3. How many hosts will be in each subnet?

_________________________________________________________________________

4. Use the eight-step method to define the subnets.

Step Description Example

1. Write down the octet that is being split in binary.

2. Write the mask or classful prefix length in binary.

3. Draw a line to delineate the significant bits in the assigned IP address.

Cross out the mask so that you can view the significant bits in the IP address.

4. Copy the significant bits four times.

5. In the first line, define the network address by placing 0s in the remaining host bits.

6. In the last line, define the directed-broadcast address by placing 1s in the host bits.

7. In the middle lines, define the first and last host ID for this subnet.

8. Increment the subnet bits by one to determine the next subnet address.

Repeat Steps 4 through 8 for all subnets.

5. Complete this table to define the subnets.


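| Subnet Number | Subnet Address | Range of Host Addresses | Directed-Broadcast Address |
|---|---|---|---|
| 0 | | | |
| 1 | | | |
| 2 | | | |
| 3 | | | |
| 4 | | | |
| 5 | | | |
| 6 | | | |
| 7 | | | |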

Activity Verification

You have completed this lab when you attain these results:

Given a network address, you can determine the number of possible network addresses and the binary subnet mask to use

Given a network IP address and subnet mask, you can apply the mask to determine the range of subnet addresses

You can apply subnet masks to identify the host addresses that can be assigned to a subnet and the associated broadcast addresses.
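The bit-borrowing arithmetic of Lab 4-3 and the eight-step method of Lab 4-4, as an added Python example that is not part of the lab guide. The function names are this example's own, and it assumes that subnet 0 and the all-ones subnet both count toward the total, as the lab's tables number subnets from 0.

```python
"""Added example for Labs 4-3 and 4-4: bits to borrow, masks, subnet ranges."""
import ipaddress


def to_int(dotted):
    return int(ipaddress.IPv4Address(dotted))


def to_dotted(value):
    return str(ipaddress.IPv4Address(value))


def bits_to_borrow(subnets_needed):
    """Smallest s such that 2^s >= subnets_needed."""
    if subnets_needed < 1:
        raise ValueError("need at least one subnet")
    return (subnets_needed - 1).bit_length()


def hosts_per_subnet(prefix_len):
    """2^h - 2, where h is the number of host bits left after the prefix."""
    return max(2 ** (32 - prefix_len) - 2, 0)


def mask_int(prefix_len):
    """Prefix length as a 32-bit mask: prefix_len ones followed by zeros."""
    return (0xFFFFFFFF << (32 - prefix_len)) & 0xFFFFFFFF


def mask_decimal(prefix_len):
    return to_dotted(mask_int(prefix_len))


def mask_binary(prefix_len):
    mask = mask_int(prefix_len)
    return ".".join(format((mask >> s) & 0xFF, "08b") for s in (24, 16, 8, 0))


def define_subnet(address, prefix_len):
    """Steps 5 to 7 for the subnet that contains `address`."""
    if not 0 <= prefix_len <= 30:
        raise ValueError("prefix must leave at least two host bits")
    mask = mask_int(prefix_len)
    network = to_int(address) & mask              # step 5: host bits all 0
    broadcast = network | (mask ^ 0xFFFFFFFF)     # step 6: host bits all 1
    return {
        "subnet": to_dotted(network),
        "first_host": to_dotted(network + 1),     # step 7: first host ID
        "last_host": to_dotted(broadcast - 1),    # step 7: last host ID
        "broadcast": to_dotted(broadcast),
    }


def enumerate_subnets(network, base_prefix, subnets_needed):
    """Step 8 repeated: every subnet created by borrowing enough bits."""
    borrowed = bits_to_borrow(subnets_needed)
    new_prefix = base_prefix + borrowed
    if new_prefix > 30:
        raise ValueError("fewer than two host bits would remain")
    base = to_int(network) & mask_int(base_prefix)
    block = 1 << (32 - new_prefix)    # adding 1 to the subnet bits adds this much
    return [define_subnet(to_dotted(base + n * block), new_prefix)
            for n in range(2 ** borrowed)]


if __name__ == "__main__":
    # Lab 4-4 Task 2 input: 172.25.0.0 /16 split into at least 12 subnets.
    borrowed = bits_to_borrow(12)
    prefix = 16 + borrowed
    print(f"borrow {borrowed} bits -> /{prefix} {mask_decimal(prefix)} "
          f"{mask_binary(prefix)}, {hosts_per_subnet(prefix)} hosts per subnet")
    for number, s in enumerate(enumerate_subnets("172.25.0.0", 16, 12)):
        print(f"{number:>2}  {s['subnet']:<14} "
              f"{s['first_host']} - {s['last_host']}  {s['broadcast']}")
```

`define_subnet` also answers the tasks that start from a host address inside a block, since masking the address recovers the subnet it belongs to.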


Lab 4-5: Performing Initial Router Startup

Complete this lab activity to practice what you learned in the related module.

Activity Objective

In this activity, you will connect to your remote workgroup router, ensure that it is unconfigured, and examine the startup process. After completing this activity, you will be able to meet these objectives:

Remove any existing residual router configuration

Restart the router and observe the output

Decline the initial configuration dialog request when the restart process completes

Visual Objective

The figure illustrates what you will accomplish in this activity.

[Figure: Visual Objective for Lab 4-5, Performing Initial Router Startup]

| Workgroup Hostname | Router IP Address | Subnet Mask |
|---|---|---|
| RouterA | 10.2.2.3 | 255.255.255.0 |
| RouterB | 10.3.3.3 | 255.255.255.0 |
| RouterC | 10.4.4.3 | 255.255.255.0 |
| RouterD | 10.5.5.3 | 255.255.255.0 |
| RouterE | 10.6.6.3 | 255.255.255.0 |
| RouterF | 10.7.7.3 | 255.255.255.0 |
| RouterG | 10.8.8.3 | 255.255.255.0 |
| RouterH | 10.9.9.3 | 255.255.255.0 |

Required Resources

These are the resources and equipment that are required to complete this activity:

PC with connectivity to the remote lab

An SSH-capable terminal emulation application

Your assigned pod access information from Lab 2-1

Command List

The table describes the commands that are used in this activity.


Router Cisco IOS Commands

Command Description

enable Enters the privileged EXEC mode command interpreter.

erase startup-config Erases the startup configuration from memory.

reload Reboots the router to make your changes take effect.

Job Aids

These job aids are available to help you complete the lab activity.

Current Passwords

Router console login None

Router enable password None

Router enable secret password None

Router vty login user ID None

Router vty login password None

Switch console login sanjose

Switch enable password cisco

Switch enable secret password sanfran

Switch vty login user ID netadmin

Switch vty login password netadmin

Task 1: Remove Any Residual Configuration from Your Router

In this task, you will start the workgroup router and verify that the router starts correctly. The router may have the default configuration, which supports initial configuration using Cisco SDM (Router and Security Device Manager) and requires the username cisco and the password cisco to gain access to the enable prompt.

Activity Procedure

Complete these steps:

Step 1 Connect to your workgroup router using the access information from Lab 2-1. Also refer to the visual objective for IP address information.

Step 2 If prompted for a username and password, use cisco for both. If not, proceed to the next step.

Step 3 If the prior step did not result in being enabled, enter the command to get to the enable prompt.

Step 4 Enter the command erase startup-config. Confirm that you do wish to continue. Your output should be similar to the example below.

Username: cisco
Password:
yourname#erase startup-config
Erasing the nvram filesystem will remove all configuration files! Continue? [confirm]
[OK]


Erase of nvram: complete
yourname#
*Apr 24 00:16:13.683: %SYS-7-NV_BLOCK_INIT: Initialized the geometry of nvram
yourname#

Activity Verification

You have completed this task when you attain this result:

You have erased the startup configuration

Task 2: Reload the Router and Observe the Startup Output

In this task, you will observe the output of the router. This should be similar to the output obtained when you observed your workgroup switch being reloaded.

Activity Procedure

Complete these steps:

Step 1 Enter the command reload. Confirm the question to continue with reload using the ENTER key. Your output should resemble the example below.

yourname#reload
Proceed with reload? [confirm] .

Step 2 Observe the output as the reload progresses. You will have to wait a few minutes for all the output and a final prompt. Your output should be similar to the example below, which has been edited to reduce the length of some lines.

*Apr 24 00:18:02.043: %SYS-5-RELOAD: Reload requested by cisco on console. Reload Reason: Reload Command.
System Bootstrap, Version 12.4(13r)T, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 2006 by cisco Systems, Inc.
Initializing memory for ECC .
c2811 platform with 262144 Kbytes of main memory
Main memory is configured to 64 bit mode with ECC enabled
Upgrade ROMMON initialized
program load complete, entry point: 0x8000f000, size: 0xcb80
program load complete, entry point: 0x8000f000, size: 0xcb80
program load complete, entry point: 0x8000f000, size: 0x228d9f8
Self decompressing the image : ######################################################################################################################### [OK]
Smart Init is enabled
smart init is sizing iomem
ID MEMORY_REQ TYPE
0003E7 0X003DA000 C2811 Mainboard
0X00263F50 Onboard VPN
0X000021B8 Onboard USB
0X002C29F0 public buffer pools
0X00211000 public particle pools
TOTAL: 0X00B13AF8
If any of the above Memory Requirements are "UNKNOWN", you may be using an unsupported configuration or there is a software problem and


system operation may be compromised.
Rounded IOMEM up to: 12Mb.
Using 4 percent iomem. [12Mb/256Mb]
Restricted Rights Legend
Use, duplication, or disclosure by the Government is subject to restrictions as set forth in subparagraph (c) of the Commercial Computer Software - Restricted Rights clause at FAR sec. 52.227-19 and subparagraph (c) (1) (ii) of the Rights in Technical Data and Computer Software clause at DFARS sec. 252.227-7013.
cisco Systems, Inc.
170 West Tasman Drive
San Jose, California 95134-1706
Cisco IOS Software, 2800 Software (C2800NM-ADVIPSERVICESK9-M), Version 12.4(12), RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2006 by Cisco Systems, Inc.
Compiled Fri 17-Nov-06 12:02 by prod_rel_team
Image text-base: 0x40093160, data-base: 0x42B00000
This product contains cryptographic features and is subject to United States and local country laws governing import, export, transfer and use. Delivery of Cisco cryptographic products does not imply third-party authority to import, export, distribute or use encryption. Importers, exporters, distributors and users are responsible for compliance with U.S. and local country laws. By using this product you agree to comply with applicable laws and regulations. If you are unable to comply with U.S. and local laws, return this product immediately.
A summary of U.S. laws governing Cisco cryptographic products may be found at: http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
If you require further assistance please contact us by sending email to [email protected].
Cisco 2811 (revision 49.46) with 249856K/12288K bytes of memory.
Processor board ID FTX1108A3G8
2 FastEthernet interfaces
2 Low-speed serial(sync/async) interfaces
1 Virtual Private Network (VPN) Module
DRAM configuration is 64 bits wide with parity enabled.
239K bytes of non-volatile configuration memory.
62720K bytes of ATA CompactFlash (Read/Write)
--- System Configuration Dialog ---

Step 3 Answer no to the question “Would you like to enter the initial configuration dialog?” Wait until the output has completed before pressing the Enter key to get a prompt.

Would you like to enter the initial configuration dialog? [yes/no]: no
Press RETURN to get started!
sslinit fn
*Apr 24 00:19:27.795: %VPN_HW-6-INFO_LOC: Crypto engine: onboard 0 State changed to: Initialized


*Apr 24 00:19:27.799: %VPN_HW-6-INFO_LOC: Crypto engine: onboard 0 State changed to: Enabled
*Apr 24 00:19:29.059: %LINEPROTO-5-UPDOWN: Line protocol on Interface VoIP-Null0, changed state to up
*Apr 24 00:19:29.059: %LINK-3-UPDOWN: Interface FastEthernet0/0, changed state to up
*Apr 24 00:19:29.063: %LINK-3-UPDOWN: Interface FastEthernet0/1, changed state to up
*Apr 24 00:19:29.063: %LINK-3-UPDOWN: Interface Serial0/0/0, changed state to down
*Apr 24 00:19:29.063: %LINK-3-UPDOWN: Interface Serial0/0/1, changed state to down
*Apr 24 00:19:30.483: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to down
*Apr 24 00:19:30.483: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to down
*Apr 24 00:19:30.483: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0/0, changed state to down
*Apr 24 00:19:30.483: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0/1, changed state to down
*Apr 24 00:19:32.295: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to up
*Apr 24 00:19:32.323: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to up
*Apr 24 00:29:25.479: %IP-5-WEBINST_KILL: Terminating DNS process
*Apr 24 00:29:26.659: %LINK-5-CHANGED: Interface FastEthernet0/0, changed state to administratively down
*Apr 24 00:29:26.659: %LINK-5-CHANGED: Interface FastEthernet0/1, changed state to administratively down
*Apr 24 00:29:26.659: %LINK-5-CHANGED: Interface Serial0/0/0, changed state to administratively down
*Apr 24 00:29:26.659: %LINK-5-CHANGED: Interface Serial0/0/1, changed state to administratively down
*Apr 24 00:29:26.991: %SYS-5-RESTART: System restarted --
Cisco IOS Software, 2800 Software (C2800NM-ADVIPSERVICESK9-M), Version 12.4(12), RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2006 by Cisco Systems, Inc.
Compiled Fri 17-Nov-06 12:02 by prod_rel_team
*Apr 24 00:29:26.995: %SNMP-5-COLDSTART: SNMP agent on host Router is undergoing a cold start
*Apr 24 00:29:27.203: %SYS-6-BOOTTIME: Time taken to reboot after reload = 684 seconds
*Apr 24 00:29:27.383: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is OFF
*Apr 24 00:29:27.659: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to down
*Apr 24 00:29:27.659: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to down
<ENTER>
Router>

Activity Verification

You have completed this task when you attain these results:

You have reloaded your workgroup router

You have declined the initial configuration dialog


Lab 4-6: Performing Initial Router Configuration

Complete this lab activity to practice what you learned in the related module.

Activity Objective

In this activity, you will perform the initial minimal configuration. After completing this activity, you will be able to meet these objectives:

Use the setup command to apply a minimal configuration for router operation

Use show commands to validate your configuration

Visual Objective

The figure illustrates what you will accomplish in this activity.

[Figure: Visual Objective for Lab 4-6, Performing Initial Router Configuration]

Workgroup Hostname   Router IP Address   Subnet Mask
RouterA              10.2.2.3            255.255.255.0
RouterB              10.3.3.3            255.255.255.0
RouterC              10.4.4.3            255.255.255.0
RouterD              10.5.5.3            255.255.255.0
RouterE              10.6.6.3            255.255.255.0
RouterF              10.7.7.3            255.255.255.0
RouterG              10.8.8.3            255.255.255.0
RouterH              10.9.9.3            255.255.255.0

Required Resources

These are the resources and equipment that are required to complete this activity:

PC with connectivity to the remote lab

An SSH-capable terminal emulation application

Your assigned pod access information from Lab 2-1

Successful completion of Lab 2-4

Command List

The table describes the commands that are used in this activity.


Router Cisco IOS Commands

Command               Description
configure terminal    Activates the configuration mode from the terminal.
setup                 Enters the initial configuration dialog mode.
show running-config   Displays the router configuration settings that are currently in effect.
show startup-config   Displays the router configuration settings that are stored in NVRAM.

Job Aids

These job aids are available to help you complete the lab activity.

Current Passwords

Router console login             none
Router enable password           none
Router enable secret password    none
Router vty login user ID         none
Router vty login password        none
Switch console login             sanjose
Switch enable password           cisco
Switch enable secret password    sanfran
Switch vty login user ID         netadmin
Switch vty login password        netadmin

Task 1: Enter the Initial Configuration Using the setup Command

In this task, you will use the initial configuration dialog to enter basic router configuration.

Activity Procedure

Complete these steps:

Step 1 If you are not continuing from Lab 4-5, connect to your workgroup router using the access information from Lab 2-1, and refer to the visual objective for IP address and subnet mask information.

Step 2 Enter the enable command to get into the privileged EXEC mode.

Step 3 At the enable prompt enter the command setup. This command starts the initial configuration dialog.

Step 4 Enter yes to the question “Continue with configuration dialog?”

Continue with configuration dialog? [yes/no]: yes
At any point you may enter a question mark '?' for help.
Use ctrl-c to abort configuration dialog at any prompt.


Default settings are in square brackets '[]'.

Step 5 Enter no to the question “Would you like to enter basic management setup?”

Basic management setup configures only enough connectivity for management of the system, extended setup will ask you to configure each interface on the system

Would you like to enter basic management setup? [yes/no]: no

Step 6 Enter yes to the question “First, would you like to see the current interface summary?” Your output should look similar to the following display:

First, would you like to see the current interface summary? [yes]: yes

Interface          IP-Address   OK?  Method  Status                 Protocol
FastEthernet0/0    unassigned   YES  unset   administratively down  down
FastEthernet0/1    unassigned   YES  unset   administratively down  down
Serial0/0/0        unassigned   YES  unset   administratively down  down
Serial0/0/1        unassigned   YES  unset   administratively down  down

Configuring global parameters:

Step 7 Enter your assigned workgroup router hostname at the prompt “Enter host name,” where X in the example below is your workgroup letter (A, B, C, D, E, F, G or H).

Enter host name [Router]: RouterX

Step 8 Enter the enable secret password at the prompt “Enter enable secret.” The enable secret is a password used to protect access to privileged EXEC and configuration modes. After it is entered, this password is stored in encrypted form in the configuration.

Enter enable secret: sanfran

Step 9 Enter the enable password at the prompt “Enter enable password.” The enable password is used when you do not specify an enable secret password, with some older software versions, and some boot images.

Enter enable password: cisco

Step 10 Enter the vty password at the prompt “Enter virtual terminal password.” The virtual terminal password is used to protect access to the router over a network interface.

Enter virtual terminal password: sanjose

Step 11 Enter no to the question “Configure SNMP Network Management?”

Configure SNMP Network Management? [no]:no

Step 12 Enter yes to the question “Configure IP?”

Configure IP? [yes]:yes


Step 13 Enter no to the question “Configure RIP routing?”

Configure RIP routing? [yes]: no

Step 14 Enter no to the question “Configure CLNS?”

Configure CLNS? [no]:no

Step 15 Enter no to the question “Configure bridging?”

Configure bridging? [no]:no

Step 16 Enter yes to the question “Do you want to configure FastEthernet0/0 interface?”

Configuring interface parameters:
Do you want to configure FastEthernet0/0 interface? [no]: yes

Step 17 Enter no to the question “Use the 100 Base-TX (RJ-45) connector?”

Use the 100 Base-TX (RJ-45) connector? [yes]:no

Step 18 Enter no to the question “Operate in full-duplex mode?”

Operate in full-duplex mode? [no]:no

Step 19 Enter yes to the question “Configure IP on this interface?”

Configure IP on this interface? [no]: yes

Step 20 Enter the IP address of your assigned workgroup router. (See the visual objective for this lab.)

IP address for this interface: 10.x.x.3

Step 21 Enter the subnet mask of your assigned workgroup router. Notice that the Cisco IOS Software can calculate the IP addressing class.

Subnet mask for this interface [255.0.0.0] : 255.255.255.0
Class A network is 10.0.0.0, 24 subnet bits; mask is /24

Step 22 Enter no to the question “Do you want to configure FastEthernet0/1 interface?”

Do you want to configure FastEthernet0/1 interface? [no]:no

Step 23 Enter no to the question “Do you want to configure Serial0/0/0 interface?”

Do you want to configure Serial0/0/0 interface? [no]:no

Step 24 Enter no to the question “Do you want to configure Serial0/0/1 interface?”

Do you want to configure Serial0/0/1 interface? [no]:no

Step 25 Enter no to the question “Would you like to go through AutoSecure configuration?”

Would you like to go through AutoSecure configuration? [yes]: no
AutoSecure dialog can be started later using "auto secure" CLI

Step 26 The setup process outputs the configuration script that can be applied depending on your answer to the question that follows. Notice that by default the router has only five (0 to 4) vty lines preconfigured. You may recall that the switch had 16 (0 to 15). You will need to press the Spacebar when prompted with --More-- to get additional output.


The following configuration command script was created:

hostname RouterX
enable secret 5 $1$.dET$BDxkofHF3aAsRthe/c0.c.
enable password cisco
line vty 0 4
password sanjose
no snmp-server
!
ip routing
no clns routing
no bridge 1
!
interface FastEthernet0/0
no shutdown
half-duplex
ip address 10.x.x.3 255.255.255.0
no mop enabled
!
interface FastEthernet0/1
shutdown
no ip address
!
interface Serial0/0/0
shutdown
no ip address
!
interface Serial0/0/1
shutdown
no ip address
dialer-list 1 protocol ip permit
!
end

[0] Go to the IOS command prompt without saving this config.
[1] Return back to the setup without saving this config.
[2] Save this configuration to nvram and exit.

Enter your selection [2]:2

Step 27 Enter 2 to save this configuration to NVRAM and exit.

Step 28 Observe the output displayed. You may see that the running Cisco IOS version announces that the hostname does not match the latest CLI standards; however, the name is accepted.

Building configuration...
[OK]
*Apr 24 00:37:02.203: %LINK-3-UPDOWN: Interface FastEthernet0/0, changed state to up
Use the enabled mode 'configure' command to modify this configuration.
RouterX#
*Apr 24 00:37:04.867: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to up

Activity Verification

You have completed this task when you attain these results:

You have entered your workgroup router configuration information using the setup command

You have selected the option to save and exit on completion of the configuration dialog


Task 2: Validate the Router Configuration

You will use the show commands to check that the router configuration matches your requirements, and is saved to the startup configuration in the startup-config file.

Activity Procedure

Complete these steps:

Step 1 Enter the command show running-config. Observe the output and validate that the passwords are set and match those you entered in Task 1. Also check that the interface FastEthernet 0/0 has the IP address assigned for your workgroup router and does not have the shutdown command applied to the interface. Below is an excerpt from the output; your display should be similar.

..Text omitted
!
..
!
interface FastEthernet0/0
 ip address 10.x.x.3 255.255.255.0
 duplex half
 speed auto
 no mop enabled
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
..Text omitted
!

Step 2 Enter the command show startup-config. Observe the output and validate that the information you verified in Step 1 above matches. This demonstrates that the setup command saved the configuration to both the running configuration and startup configuration.

Activity Verification

You have completed this task when you attain these results:

Your output of the show running-config command matched your input in Task 1.

Your startup configuration was the same as your running configuration.


Lab 4-7: Enhancing the Security of Initial Router Configuration

Complete this lab activity to practice what you learned in the related module.

Activity Objective

In this activity, you will increase the security of the router following its initial configuration. After completing this activity, you will be able to meet these objectives:

Add password protection to the console line

Use the Cisco IOS configuration command to encrypt all passwords

Add a banner message to the login process

Increase the remote management security of the router by adding the SSH protocol to the vty lines

Visual Objective

The figure illustrates what you will accomplish in this activity.

[Figure: Visual Objective for Lab 4-7, Enhancing the Security of Initial Router Configuration]

Workgroup Hostname   Router IP Address   Subnet Mask
RouterA              10.2.2.3            255.255.255.0
RouterB              10.3.3.3            255.255.255.0
RouterC              10.4.4.3            255.255.255.0
RouterD              10.5.5.3            255.255.255.0
RouterE              10.6.6.3            255.255.255.0
RouterF              10.7.7.3            255.255.255.0
RouterG              10.8.8.3            255.255.255.0
RouterH              10.9.9.3            255.255.255.0

Required Resources

These are the resources and equipment that are required to complete this activity:

PC with connectivity to the remote lab

An SSH-capable terminal emulation application


Your assigned pod access information from Lab 4.1

Successful completion of Lab 4-6

Command List

The table describes the commands that are used in this activity.

Command                               Description
banner login                          Allows the configuration of a message which will be displayed at the time of the login process.
configure terminal                    From privileged EXEC mode, enters global configuration mode.
copy running-config startup-config    Copies the switch running configuration file to the startup configuration file which is held in local NVRAM.
crypto key generate rsa               Generates the RSA key pairs to be used.
enable                                Activates the privileged EXEC mode. In privileged EXEC mode, more commands are available. This command requires you to enter the enable password if an enable password is configured.
end                                   This configuration command terminates the configuration mode.
exit                                  Exits the current configuration mode.
ip domain-name name                   Supplies an IP domain name, which is required by the crypto key generation process.
ip ssh version [1 | 2]                Specifies the version of Secure Shell (SSH) to be run. To disable the version of SSH that was configured and to return to compatibility mode, use the no form of this command.
line console 0                        Specifies the console line and enters line configuration mode.
line vty 0 4                          Enters the virtual terminal line configuration mode. Vty lines allow access to the switch for remote network management. The number of vty lines available is dependent on the Cisco IOS Software version. Typical values are 0 to 4 and 0 to 15 (inclusive).
login                                 Activates the login process on the console or vty lines.
login local                           Activates the login process on the console or vty lines to require using the local authentication database.
logout                                Exits the EXEC mode requiring reauthentication (if enabled).
password                              Assigns a password to the console or vty lines.
service password-encryption           Enable the service which will encrypt all passwords in the running configuration.
show ip ssh                           Show the current settings of the SSH protocol.
show running-config                   Displays the router configuration settings that are currently in effect.
transport input telnet ssh            Specifies which protocols to use to connect to a specific line of the router.
username username password password   Creates a username and password pair, which can then be used as a local authentication database.


Job Aids

These job aids are available to help you complete the lab activity.

Current Passwords

Router console login             none
Router enable password           cisco
Router enable secret password    sanfran
Router vty login user ID         none
Router vty login password        sanjose
Switch console login             sanjose
Switch enable password           cisco
Switch enable secret password    sanfran
Switch vty login user ID         netadmin
Switch vty login password        netadmin

Task 1: Add Password Protection to Console Port

Following the initial configuration of the router, where passwords have been configured for the vty lines, a potential security hole exists because the console port currently is not protected by a password at all. Use the password sanjose for the console line unless your instructor has given you a different password, which you should record below.

Activity Procedure

Complete these steps:

Step 1 Connect to your remote workgroup router via the console server. You will need to use the VTY password configured earlier to get to the user EXEC mode.

Step 2 Enter the enable command and password to get to the enable EXEC prompt.

Step 3 At the enable prompt of your assigned router, enter config t.

Step 4 Enter the command line console 0.

Step 5 At the line console configuration mode, enter the command password password. Use the same password that is set for the vty lines.

Step 6 Enter the command login, which will require a password to be supplied to access the router via the console in future.

Step 7 Enter the end command to exit the configuration mode.

Step 8 Enter the show running-config command and observe the output to see that you have correctly configured line console 0 and vty lines 0-4. Your output should be similar to the example below, where the line configuration is shown in bold text. You will observe that the passwords for both the line console and vty lines are stored in cleartext.


RouterX#show running-config
..
..Text omitted
..
!
line con 0
 password sanjose
 login
line aux 0
line vty 0 4
 password sanjose
 login
!
end

Step 9 Test your configured password by logging out of and back into the router via the console.

Step 10 Enter the command logout.

Step 11 Use the Enter key to get a password prompt.

Step 12 Supply the password that you just configured to get to the user EXEC prompt.

Step 13 Enter the command and password to get to the enable EXEC prompt.

Step 14 Your output for Steps 10 through 13 should be similar to the example below.

RouterX#logout
..
..empty lines omitted
..
RouterX con0 is now available
Press RETURN to get started.
..
..empty lines omitted
..
User Access Verification
Password:
RouterX>enable
Password:
RouterX#

Activity Verification

You have completed this task when you attain these results:

You configured the console line to require a password

You inspected the configuration and observed that the line passwords are stored in cleartext

You tested the login process and password access to the console line successfully

Your output matches the example in Step 14


Task 2: Activate Password Encryption Service

As discussed in the previous task, some passwords are stored in cleartext. This can be a security issue when the configurations are transmitted and stored on remote file systems. In this task you will configure the password encryption service to secure all cleartext passwords with encryption.

Activity Procedure

Complete these steps:

Step 1 From the enable EXEC prompt enter the command to get to global configuration mode.

Step 2 Enter the command service password-encryption.

Step 3 Enter the command to return to the enable EXEC prompt.

Step 4 Enter the command to see the running configuration. Concentrate on the first few lines and the last few lines of the configuration, to see that your command is now active and the effect it has on the line passwords. Your output should be similar to the example below, with bold text highlighting output of particular interest.

RouterX#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
RouterX(config)#service password-encryption
RouterX(config)#end
RouterX#
*Mar 16 20:19:40.509: %SYS-5-CONFIG_I: Configured from console by console
RouterX#show running-config
Building configuration...
Current configuration : 940 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
..
..Text omitted
..
!
!
line con 0
 password 7 051807012B435D0C
 login
line aux 0
line vty 0 4
 password 7 051807012B435D0C
 login
!
scheduler allocate 20000 1000
!
end

Step 5 Enter the command to save the running configuration to startup-config.


Activity Verification

You have completed this task when you attain these results:

You have enabled the password encryption service.

You have displayed the running configuration and observed the encryption of the line passwords.

You have saved your running configuration.

Task 3: Apply a Login Banner

As part of any security policy, it is necessary to ensure that network resources are clearly identified as being off limits to the casual visitor. Hackers have in the past used the fact that a “welcome” screen was presented at login as a (successful) legal defense. A message that clearly states that access is restricted should be presented when anyone attempts to access a network device (switch, router, and so on). The banner Cisco IOS configuration command allows this to be done.

Activity Procedure

Complete these steps:

Step 1 Enter the command to access the global configuration prompt.

Step 2 Enter the command banner login %. The percent sign is the opening delimiter of the text that will form the message.

Step 3 Enter text to form your message followed by %. Do NOT include a percent sign in your text; it will be interpreted as the closing delimiter of your message. Below is an example of the output of the configuration of a banner message.

RouterX#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
RouterX(config)#banner login %
Enter TEXT message. End with the character '%'.
********** Warning *************
Access to this device is restricted to authorized persons only! Un-authorized access is prohibited. Violators will be prosecuted.
**************************************************************^C
RouterX(config)#end

Step 4 Enter the command to display the running configuration. Your output should be similar to the example below, which has been edited to show just the banner configuration. Notice that your text delimiter has been replaced with a ^C, which is a nontext control character.

!
banner login ^C
********** Warning *************
Access to this device is restricted to authorized persons only! Un-authorized access is prohibited. Violators will be prosecuted.
**************************************************************^C
!

Step 5 Use the logout command to end your console session. Then log back in to the enable prompt. Observe the display to see your banner message being presented, prior to password entry. Your output should be similar to the example below, which has been edited to reduce space.


RouterX#logout
RouterX con0 is now available
Press RETURN to get started.
********* Warning *************
Access to this device is restricted to authorized persons only! Un-authorized access is prohibited. Violators will be prosecuted.
**************************************************************
User Access Verification
Password:
RouterX>en
Password:
RouterX#

Step 6 Enter the command to save the running configuration to NVRAM.

Activity Verification

You have completed this task when you attain these results:

You have configured a login banner message which clearly states that access is restricted to the router

You have tested the login message, and it does give a warning prior to password prompt

You have saved your configuration

Task 4: Enable SSH Protocol for Remote Management

In a previous task, you protected the passwords by using encryption. However, if the process of remote management uses the Telnet protocol, which sends all characters in cleartext including passwords, the potential exists for packet capture and exploitation of the information. In this task, you will configure the Secure Shell (SSH) protocol as an alternative to Telnet. If it is possible in your environment, it would be best to replace Telnet with SSH.

Activity Procedure

Complete these steps:

Step 1 At the enable EXEC prompt enter the command to access the global configuration prompt.

Step 2 The SSH protocol requires the use of a username and password pair. These have not yet been configured, so you will do that now. Enter the command username netadmin password netadmin. In this example, you use a simple username, but in a real-world environment, a much stronger username and password must be used.

Step 3 Enter the command ip domain-name domain-name. The generation of an SSH cryptographic key requires that both the hostname and domain name be configured. The hostname is already configured, so it is necessary to configure the domain name. Normally you would use the domain name of your organization; in the lab, you will use cisco.com.


Step 4 Enter the command crypto key generate rsa. You are prompted for a key size; 512 is the default, but you will enter 1024. Your output should be similar to the example below, which is edited to include only those lines pertaining to this task.

RouterX(config)#username netadmin password netadmin
RouterX(config)#ip domain-name cisco.com
RouterX(config)#crypto key generate rsa
The name for the keys will be: RouterX.cisco.com
Choose the size of the key modulus in the range of 360 to 2048 for your General Purpose Keys. Choosing a key modulus greater than 512 may take a few minutes.
How many bits in the modulus [512]: 1024
% Generating 1024 bit RSA keys, keys will be non-exportable...[OK]
RouterX(config)#
*Mar 16 20:32:15.613: %SSH-5-ENABLED: SSH 1.99 has been enabled

Step 5 Enter the command ip ssh version 2 to specify the required SSH version.

Step 6 Enter the command line vty 0 4.

Step 7 Enter the command login local. This changes the login process to use the locally configured username and password pairs.

Step 8 Enter the command transport input telnet ssh. This configures the five vty lines to support both Telnet and SSH. Your output should be similar to the example below.

RouterX(config)#line vty 0 4
RouterX(config-line)#login local
RouterX(config-line)#transport input telnet ssh

Step 9 Enter the command to return to enable EXEC prompt.

Step 10 Enter the command show ip ssh.

RouterX#show ip ssh
SSH Enabled - version 2.0
Authentication timeout: 120 secs; Authentication retries: 3

Step 11 To test your configuration you need to make a VPN tunnel connection to the remote lab using the method from Lab 2-1. You may get a security warning regarding the crypto key; accept the key by clicking the Yes button in the popup window.

Step 12 On your PC, open your SSH terminal client application. Use the IP address of your workgroup router (10.x.x.3), and the username and password pair that you configured in Step 2 of this task.

Step 13 Below is an example of a successful connection using the PuTTY application using SSH.

Step 14 Open the Windows Command window and enter the command telnet 10.x.x.3 (enter the IP address of your workgroup router). Your output should be similar to the example below.

Step 15 Enter the username and password in the new Telnet Command window that automatically opens. Having established that Telnet is working simultaneously with SSH, type logout at the user EXEC prompt and close your Command window by typing exit at the Command window prompt. Your output should be similar to the example below.

Step 16 Enter the command to save your configuration to startup-config.

Activity Verification

You have completed this task when you attain these results:

You configured the vty lines to support the SSH version 2 protocol

You successfully connected directly to your workgroup router using SSH and Telnet, thus proving both are being supported simultaneously

You saved your configuration

Lab 4-8: Using Cisco SDM to Configure DHCP Server Function

Complete this lab activity to practice what you learned in the related module.

Activity Objective

In this activity, you will use Cisco SDM to configure DHCP server functionality on your workgroup router. After completing this activity, you will be able to meet these objectives:

You will use Cisco SDM to configure a DHCP pool of addresses

You will use Cisco SDM to verify at least one DHCP client has received an address from the pool just created

You will use Cisco IOS commands to locate the switch port through which the DHCP client is attaching to your workgroup switch

Visual Objective

The figure illustrates what you will accomplish in this activity.

Visual Objective for Lab 4-8: Using Cisco SDM to Configure DHCP Server Function

Pod  Switch IP Address  Router IP Address
A    10.2.2.11 /24      10.2.2.3 /24
B    10.3.3.11 /24      10.3.3.3 /24
C    10.4.4.11 /24      10.4.4.3 /24
D    10.5.5.11 /24      10.5.5.3 /24
E    10.6.6.11 /24      10.6.6.3 /24
F    10.7.7.11 /24      10.7.7.3 /24
G    10.8.8.11 /24      10.8.8.3 /24
H    10.9.9.11 /24      10.9.9.3 /24

Required Resources

These are the resources and equipment that are required to complete this activity:

PC with connectivity to the remote lab

An SSH-capable terminal emulation application

Your assigned pod access information from Lab 4.1

Successful completion of Lab 4-7

Command List

The table describes the commands that are used in this activity.

Router and Switch Cisco IOS Commands

Command                         Description
ping                            Used to diagnose basic network connectivity.
show mac-address-table dynamic  Displays dynamic MAC address table entries only; use the command in privileged EXEC mode.
show ip arp                     Used to display the ARP cache.

Job Aids

This job aid is available to help you complete the lab activity.

Table 1: DHCP Server Pool Information

Workgroup  DHCP Pool Name  DHCP Pool Network/Mask  Starting IP  Ending IP   Default Router  Lease Time (Days:Hrs:Mins)
A          wgA_clients     10.2.2.0/24             10.2.2.150   10.2.2.199  10.2.2.3        0:0:5
B          wgB_clients     10.3.3.0/24             10.3.3.150   10.3.3.199  10.3.3.3        0:0:5
C          wgC_clients     10.4.4.0/24             10.4.4.150   10.4.4.199  10.4.4.3        0:0:5
D          wgD_clients     10.5.5.0/24             10.5.5.150   10.5.5.199  10.5.5.3        0:0:5
E          wgE_clients     10.6.6.0/24             10.6.6.150   10.6.6.199  10.6.6.3        0:0:5
F          wgF_clients     10.7.7.0/24             10.7.7.150   10.7.7.199  10.7.7.3        0:0:5
G          wgG_clients     10.8.8.0/24             10.8.8.150   10.8.8.199  10.8.8.3        0:0:5
H          wgH_clients     10.9.9.0/24             10.9.9.150   10.9.9.199  10.9.9.3        0:0:5

Current Passwords

Router console login           sanjose
Router enable password         cisco
Router enable secret password  sanfran
Router vty login user ID       netadmin
Router vty login password      netadmin
Switch console login           sanjose
Switch enable password         cisco
Switch enable secret password  sanfran
Switch vty login user ID       netadmin
Switch vty login password      netadmin

Task 1: Configuring the Router to Support Web-Based Applications, a User with Privilege 15, and Telnet and SSH

This task will provide you with practice on enabling Cisco SDM on a router that has been configured using the Cisco IOS startup sequence or the CLI. If you erased the factory startup configuration in order to use the Cisco IOS startup sequence, you can still use Cisco SDM. To do so, you must configure the router to support web-based applications, configure it with a user account defined with privilege level 15, and then configure it to support the Telnet and SSH protocols. These changes can be made using a Telnet session or using a console connection.

Activity Procedure

Complete these steps:

Step 1 Connect to your remote workgroup router via the console server, and enter the necessary commands and passwords to get to the enable EXEC prompt.

Step 2 The current configurations have the HTTP service already enabled. However, it is preferable to use the secure HTTP services (HTTPS). To enable the HTTP/HTTPS server on your workgroup router, enter the ip http secure-server command.

Router(config)# ip http secure-server

Note The ability to support the secure server depends on the Cisco IOS version running on the router. If HTTPS were not supported, then the HTTP server could still be enabled.

Step 3 It is also necessary to configure the HTTPS services with the method to be used for authentication. To enable the workgroup router HTTP/HTTPS server authentication method, enter the ip http authentication local command in global configuration mode.

Router(config)# ip http authentication local

Step 4 To modify your netadmin user account to a privilege level of 15 (full enable privileges), enter the username netadmin privilege 15 command in global configuration mode.

Router(config)# username netadmin privilege 15
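
The remote-access settings entered in Lab 4-7 (vty lines that accept Telnet and SSH, SSH version 2, a local netadmin account) and in this task (HTTP/HTTPS server, local HTTP authentication, privilege level 15) can be checked against a saved configuration. The Python audit below is an added example, not part of the Cisco lab guide; both configuration excerpts, the finding codes and the function names are constructed for illustration.

```python
import re

# Constructed running-config excerpt (not captured from a device) with the
# settings this guide enters: Lab 4-7 vty/SSH steps plus this task's HTTP steps.
LAB_CONFIG = """\
hostname RouterX
username netadmin privilege 15 password 0 netadmin
ip ssh version 2
ip http server
ip http secure-server
ip http authentication local
line con 0
 exec-timeout 60 0
line vty 0 4
 login local
 transport input telnet ssh
end
"""

# Constructed counterpart with the weak settings corrected. The secret value
# is a placeholder, not a real hash.
HARDENED_CONFIG = """\
hostname RouterX
username netadmin privilege 15 secret 5 PLACEHOLDER-HASH
ip ssh version 2
no ip http server
ip http secure-server
ip http authentication local
line vty 0 4
 login local
 transport input ssh
end
"""

USER_RE = re.compile(
    r"^username (?P<name>\S+)(?: privilege (?P<priv>\d+))?"
    r" (?P<kind>password|secret)(?: (?P<type>\d+))? (?P<value>\S+)$"
)


def parse_sections(config):
    """Split IOS-style text into global commands and their indented sub-commands."""
    top, sections, current = [], {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line == "!":
            continue
        if raw[0].isspace() and current is not None:
            sections[current].append(line)
        else:
            current = line
            top.append(line)
            sections[line] = []
    return top, sections


def audit(config):
    """Return sorted (code, detail) findings about management-plane access."""
    top, sections = parse_sections(config)
    findings = []
    # Without this command the router announces SSH 1.99 and also accepts v1.
    if "ip ssh version 2" not in top:
        findings.append(("SSH_V1_ALLOWED", "'ip ssh version 2' is missing"))
    # Plain HTTP exposes the same web login as HTTPS, without TLS.
    if "ip http server" in top:
        findings.append(("HTTP_CLEARTEXT", "'ip http server' is enabled"))
    web_on = "ip http server" in top or "ip http secure-server" in top
    if web_on and "ip http authentication local" not in top:
        findings.append(("HTTP_AUTH_NOT_LOCAL", "web login does not use local users"))
    for header, body in sections.items():
        if not header.startswith("line vty"):
            continue
        transports = None
        for cmd in body:
            if cmd.startswith("transport input"):
                transports = cmd.split()[2:]
        if transports is None:
            findings.append(("VTY_TRANSPORT_DEFAULT", f"{header}: no 'transport input'"))
        elif "telnet" in transports or "all" in transports:
            findings.append(("VTY_TELNET", f"{header}: Telnet logins are sent in cleartext"))
        if "login local" not in body:
            findings.append(("VTY_NO_LOGIN_LOCAL", f"{header}: 'login local' is missing"))
    for line in top:
        m = USER_RE.match(line)
        if m is None or m["kind"] != "password":
            continue
        # 'password' is stored as cleartext (type 0) or reversible type 7.
        priv = m["priv"] or "1"
        findings.append(("USER_REVERSIBLE_PASSWORD",
                         f"{m['name']} (privilege {priv}): use 'secret' instead"))
        if (m["type"] or "0") == "0" and m["value"] == m["name"]:
            findings.append(("USER_PASSWORD_IS_NAME", f"{m['name']}: password equals username"))
    return sorted(findings)


if __name__ == "__main__":
    for code, detail in audit(LAB_CONFIG):
        print(f"{code}: {detail}")
```

The lab configuration yields four findings (cleartext HTTP, Telnet on the vty lines, a reversible password, and a password equal to the username), while the hardened excerpt yields none.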

Task 2: Use Cisco SDM to Configure a DHCP Pool

In this task, you will use Cisco SDM to configure a DHCP pool on your workgroup router.

Activity Procedure

Complete these steps:

Step 1 Open a VPN connection to your remote workgroup.

Step 2 Open a Windows Internet Explorer window and enter your workgroup router IP address in the Address bar in the form of a URL; for example, https://10.x.x.3.

Step 3 In the new window that opens, enter your netadmin username and password.

Step 4 You may see this message. If so, click Yes to it and any subsequent security windows.

Step 5 Eventually, you should see the screen below.

Step 6 Choose the Configure tab.

Step 7 New options will appear on the left side of the window. Choose Additional Tasks (the bottom option).

Step 8 In the Additional Tasks pane, open the DHCP tab, and choose DHCP Pools.

Step 9 In the DHCP Pools pane, choose the Add button.

Step 10 In the Add DHCP Pool window, add the information from Table 1 for your specific workgroup. When you have finished click the OK button.

Step 11 The Commands Delivery window opens, indicating the status of the transfer of configuration commands to your workgroup router. When the status indicates “Configuration delivered to router,” click the OK button.

Step 12 Wait a few minutes for any clients on your network to obtain an address. Then click the DHCP Pool Status button.

Step 13 Your DHCP Pool Status should have a similar output, indicating that a client has an address in the pool range. You may have to use the Refresh button in the main window to get your display updated.

Step 14 Note the IP address of the DHCP client in the space below.

Step 15 Click the OK button to close the DHCP Pool Status window.

Activity Verification

You have completed this task when you attain these results:

You connected to your workgroup router and opened the Cisco SDM window.

You configured your router to support a DHCP pool.

You used Cisco SDM to confirm that a client obtained an address from the pool.

You noted the actual address of the DHCP client.

Task 2: Using Tools to Correlate Network Information

When you are implementing networks, it is necessary to confirm your configuration. Maintenance and security tasks also require that you are able to find and use network information for specific reasons. In this activity, you will use addressing information that you gather to determine the attachment point of an end system to your network. Other typical reasons for doing this would be to track down sources of duplicate addresses and to trace the path of packets through a network while troubleshooting.

Activity Procedure

Complete these steps:

Step 1 Open an SSH connection to your workgroup router.

Step 2 At the workgroup router enable prompt, enter ping IP_address_dhcp_client. Your output should be similar to the example below.

RouterX#ping 10.10.10.150
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.10.150, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms

Step 3 Enter the show ip arp IP_address_dhcp_client command to obtain the hardware address (MAC address) that is bound to the IP address you just pinged. Your output should be similar to the example below.

RouterX#show ip arp 10.10.10.150
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.10.10.150            63  001a.6ca1.eea9  ARPA   FastEthernet0/0

Step 4 Note the hardware address (MAC address) of your DHCP client in the space below.

Step 5 Open a console connection to your workgroup switch.

Step 6 At the workgroup switch enable prompt, enter the show mac-address-table dynamic command to display only the dynamically learned entries. Your output should be similar to the example below.

SwitchX#show mac-address-table dynamic
          Mac Address Table
-------------------------------------------
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
   1    001a.6ca1.eea9    DYNAMIC     Fa0/11
   1    001a.6ca1.eed8    DYNAMIC     Fa0/2
   1    001a.6dd7.1981    DYNAMIC     Fa0/11
   1    001a.6dfb.c401    DYNAMIC     Fa0/12
Total Mac Addresses for this criterion: 4

Step 7 Using the MAC address from the previous step, identify the switch port through which the DHCP client attaches to the network, and record it in the space below.

Step 8 You have located the switch port through which the DHCP client is entering your network. If your network consists of any number of switches and routers, you can use the same process to trace the physical location of any device, given its IP and MAC (hardware) addresses.

Step 9 You should close any open connections and the VPN tunnel.

Activity Verification

You have completed this task when you attain these results:

You used the IP address of the DHCP client identified in Task 1, in a ping command.

You used the information from the output of the ping command to identify the MAC address of that DHCP client.

You used the workgroup switch mac-address-table command to identify the port through which the DHCP client is accessing the network.
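
The lookup chain in Steps 2 through 7 (IP address to MAC address through the router ARP cache, then MAC address to switch port through the MAC address table) can be scripted over saved command output. This Python example is added here and is not part of the Cisco lab guide; it parses the sample outputs printed in this task, and the function names and the unresolved 10.10.10.151 ARP row are constructed for illustration.

```python
import re

# Sample outputs as printed in Steps 3 and 6 of this task. The second ARP row
# is a constructed addition showing an entry that never resolved.
SHOW_IP_ARP = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.10.10.150            63  001a.6ca1.eea9  ARPA   FastEthernet0/0
Internet  10.10.10.151             0  Incomplete      ARPA
"""

SHOW_MAC_TABLE = """\
          Mac Address Table
-------------------------------------------
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
   1    001a.6ca1.eea9    DYNAMIC     Fa0/11
   1    001a.6ca1.eed8    DYNAMIC     Fa0/2
   1    001a.6dd7.1981    DYNAMIC     Fa0/11
   1    001a.6dfb.c401    DYNAMIC     Fa0/12
Total Mac Addresses for this criterion: 4
"""

MAC = r"[0-9a-fA-F]{4}\.[0-9a-fA-F]{4}\.[0-9a-fA-F]{4}"
ARP_ROW = re.compile(rf"^Internet\s+(\S+)\s+(\S+)\s+({MAC})\s+\S+\s+(\S+)\s*$")
MAC_ROW = re.compile(rf"^\s*(\d+)\s+({MAC})\s+(\S+)\s+(\S+)\s*$")


def canon(mac):
    """Reduce any common MAC notation to 12 lowercase hex digits."""
    return re.sub(r"[^0-9a-f]", "", mac.lower())


def parse_arp(text):
    """Map IP -> (mac, router interface); unresolved rows are skipped."""
    table = {}
    for line in text.splitlines():
        m = ARP_ROW.match(line)
        if m:
            ip, _age, mac, iface = m.groups()
            table[ip] = (canon(mac), iface)
    return table


def parse_mac_table(text):
    """Return one dict per learned address in the switch MAC address table."""
    rows = []
    for line in text.splitlines():
        m = MAC_ROW.match(line)
        if m:
            vlan, mac, kind, port = m.groups()
            rows.append({"vlan": int(vlan), "mac": canon(mac), "type": kind, "port": port})
    return rows


def locate(ip, arp_text, mac_text):
    """Follow IP -> MAC -> switch port; None if the IP has no resolved ARP entry."""
    arp = parse_arp(arp_text)
    if ip not in arp:
        return None
    mac, iface = arp[ip]
    rows = parse_mac_table(mac_text)
    hit = next((r for r in rows if r["mac"] == mac), None)
    result = {"ip": ip, "mac": mac, "router_interface": iface,
              "port": None, "vlan": None, "shared_with": []}
    if hit:
        result["port"] = hit["port"]
        result["vlan"] = hit["vlan"]
        # Other addresses learned on the same port: the host may sit behind
        # another switch or hub reached through this port.
        result["shared_with"] = sorted(
            r["mac"] for r in rows if r["port"] == hit["port"] and r["mac"] != mac)
    return result


if __name__ == "__main__":
    print(locate("10.10.10.150", SHOW_IP_ARP, SHOW_MAC_TABLE))
    print(locate("10.10.10.151", SHOW_IP_ARP, SHOW_MAC_TABLE))
```

In the sample data, port Fa0/11 carries a second MAC address besides the client's. A port that carries more than one MAC address usually leads to another switch or hub rather than directly to the host, so the trace continues on that device.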

Lab 4-9: Managing Remote Access Sessions

Complete this lab activity to practice what you learned in the related module.

Activity Objective

In this activity, you will use Telnet and SSH connections to access Cisco routers and switches. After completing this activity, you will be able to meet these objectives:

Be able to initiate, suspend, resume and close a Telnet session from a Cisco router or switch

Be able to initiate, suspend, resume and close an SSH session from a Cisco router or switch

Visual Objective

The figure illustrates what you will accomplish in this activity.

Visual Objective for Lab 4-9: Managing Remote Access Sessions

Pod  Switch IP Address  Router IP Address
A    10.2.2.11 /24      10.2.2.3 /24
B    10.3.3.11 /24      10.3.3.3 /24
C    10.4.4.11 /24      10.4.4.3 /24
D    10.5.5.11 /24      10.5.5.3 /24
E    10.6.6.11 /24      10.6.6.3 /24
F    10.7.7.11 /24      10.7.7.3 /24
G    10.8.8.11 /24      10.8.8.3 /24
H    10.9.9.11 /24      10.9.9.3 /24

Required Resources

These are the resources and equipment that are required to complete this activity:

PC with connectivity to the remote lab

An SSH-capable terminal emulation application

Your assigned pod access information from Lab 2-1

Successful completion of Lab 4-8

Command List

The table describes the commands that are used in this activity.

Cisco IOS Router and Switch Commands

Command                   Description
Ctrl-Shift-6 x            Telnet or SSH escape sequence.
disconnect [session]      Disconnect an existing network connection. Optionally, a session number can be entered.
exec-timeout mins [secs]  Sets the amount of idle time that can elapse before a connection is automatically closed.
exit                      The exit command in EXEC mode exits the active session (logs off the device).
history size number       Sets the number of lines held in the history buffer for recall. Two separate buffers are used, one for EXEC mode commands and the second for configuration mode commands.
ip domain-lookup          Supplies an IP domain name, which is required by the crypto key generation process.
line console 0            Enters the line console configuration mode.
logging synchronous       Synchronizes unsolicited messages and debug privileged EXEC command output with solicited device output and prompts for a specific console port line or vty line.
logout                    Exits the EXEC mode requiring reauthentication or reconnection.
resume                    Switches to another open Telnet or SSH connection.
show sessions             Displays information about open Telnet or SSH connections.
show users                Displays information about the active lines.
ssh ip_address            Starts an encrypted session with a remote networking device using the current user’s ID. The IP address identifies the destination device.
telnet ip_address         Establishes a Telnet protocol network connection. The IP address identifies the destination device.

Job Aids

There are no job aids for this lab activity.

Task 1: Improve the Usability of the Router CLI

In this task, you will enter commands to improve the usability of the CLI as you did for your workgroup switch. You will increase the number of lines that are stored in the history buffer, increase the inactivity timer on the console port, and stop attempts to resolve the names of mistyped commands.

Activity Procedure

Complete these steps:

Step 1 Connect to your remote workgroup router via the console server, and enter the necessary commands and passwords to get to the enable mode.

Step 2 The size of the history buffers is 20. You could change this by using the command terminal history size 100. However, this value would have to be entered every time you log out of and back into the switch. The history size can be set in the configuration, associated with the vty and console lines.

Step 3 Enter the command config t to get to the global configuration prompt.

Step 4 Enter the command line console 0.

Step 5 Enter the command history size 100 to change the history buffer size.

Step 6 Enter the command exec-timeout 60 to extend the idle timeout value.

Step 7 Enter the command logging synchronous to synchronize unsolicited messages and debug privileged EXEC command output with the input from the CLI.

Step 8 Enter the command line vty 0 4 to configure the vty lines.

Step 9 Enter the commands to configure the history size to 100 and to synchronize the messages.

Step 10 Enter the exit command to return to the global configuration mode.

Step 11 Enter the command no ip domain-lookup to disable the resolution for symbolic names.

Step 12 Enter the command end to return to enable EXEC prompt.

Step 13 Use the history recall to enter the show terminal command. Your output should be similar to the example below, which has been edited to reduce unwanted lines.

RouterX#show terminal
Line 0, Location: "", Type: ""
Length: 24 lines, Width: 80 columns
Baud rate (TX/RX) is 9600/9600, no parity, 2 stopbits, 8 databits
..
..Text omitted
..
Editing is enabled.
History is enabled, history size is 100.
DNS resolution in show commands is enabled
Full user help is disabled
Allowed input transports are none.
Allowed output transports are pad telnet rlogin lapb-ta mop v120 ssh.
Preferred transport is telnet.
No output characters are padded
No special data dispatching characters

Step 14 Enter the show running-config command to view the running configuration to confirm that the configuration changes you made are correct.

Step 15 When you are satisfied that your running configuration reflects the changes, save it to startup-config.

Activity Verification

You have completed this task when you attain these results:

The inactivity timeout on the console line is set to 60 minutes.

You have verified that the history buffer value is set to 100 lines on the console and vty lines.

You have verified that logging synchronous is configured on the console and vty lines.

You have verified that IP domain lookup is disabled.

You saved your running configuration to startup-config.

Task 2: Connect to Your Remote Workgroup via VPN Tunnel

In this task, you will open a VPN connection to your remote workgroup and then log in to your assigned workgroup router using the terminal emulation application. Use the username and password netadmin. You will then increase the vty line automatic idle timeout to 30 minutes for the duration of this lab on your workgroup router.

Activity Procedure

Complete these steps:

Step 1 From your PC, open a VPN connection to your designated workgroup.

Step 2 From your PC, use PuTTY to connect to the IP address of your workgroup router and get to the enable EXEC prompt. Use the username and password netadmin during this activity.

Step 3 Get to the enable EXEC prompt and enter the command show sessions. Your output should look similar to the following display:

login as: netadmin
********** Warning *************
Access to this device is restricted to authorized persons only!
Un-authorized access is prohibited. Violators will be prosecuted.
**************************************************************^C
[email protected]'s password:
RouterX#show sessions
% No connections open
RouterX#

Step 4 Enter the command show users to see the current users connected to your workgroup router. Your output should look similar to the following display:

RouterX#sh users
    Line       User       Host(s)              Idle       Location
*322 vty 0     netadmin   idle                 00:00:00 10.10.10.134

  Interface    User               Mode         Idle     Peer Address

Step 5 The user “netadmin” is associated with the address of your PC, because of the VPN connection you made in Step 2 of this task.

Step 6 Enter the command conf t to get to the global configuration prompt.

Step 7 Enter the command line vty 0 4 to get to the VTY line configuration mode.

Step 8 Enter the command exec-timeout 30 to extend the idle timer period to 30 minutes.

Step 9 Return to the EXEC prompt by entering the command end. Your output should look similar to the following display:

RouterX#conf t
Enter configuration commands, one per line. End with CNTL/Z.
RouterX(config)#line vty 0 4
RouterX(config-line)#exec-timeout 30
RouterX(config-line)#end
RouterX#

Activity Verification

You have completed this task when you attain these results:

You connected from your PC to your remote workgroup router using PuTTY via VPN tunnel.

You increased the idle timeout of the router vty lines to 30 minutes.

You used the show sessions command to verify that the router has no open sessions at this time.

You used the show users command to identify that you are the only user currently connected to your router.

Task 3: Using the Cisco IOS CLI Commands to Control Telnet and SSH Sessions

In this task, you will practice the initiation, suspension, and resumption of Telnet and SSH sessions from the Cisco IOS CLI. Use the username and password netadmin during this activity. You will also increase the vty line automatic idle timeout to 30 minutes for the duration of this activity on your workgroup switch.

Activity Procedure

Complete these steps:

Step 1 From your workgroup router, open a Telnet session to your assigned workgroup switch, using the telnet ip_address command.

Step 2 Enter the command to get to the enable EXEC prompt. Your output should look similar to the following display:

RouterX#telnet 10.10.10.11
Trying 10.10.10.11 ... Open
********** Warning *************
Access to this device is restricted to authorized persons only!
Un-authorized access is prohibited. Violators will be prosecuted.
**************************************************************

User Access Verification

Username: netadmin
Password:
SwitchX>enable
Password:
SwitchX#

Step 3 Enter the command conf t to get to the global configuration prompt.

Step 4 Enter the command line vty 0 15 to get to the VTY line configuration mode.

Step 5 Enter the command exec-timeout 30 to extend the idle timer period to 30 minutes.

Step 6 Return to the EXEC prompt by entering the command end. Your output should look similar to the following display:

SwitchX#conf t
Enter configuration commands, one per line. End with CNTL/Z.
SwitchX(config)#line vty 0 15
SwitchX(config-line)#exec-timeout 30
SwitchX(config-line)#end
SwitchX#

Step 7 Enter the escape sequence Ctrl-Shift-6, x to suspend the session and get the RouterX# prompt.

Step 8 Enter the command show sessions to display the currently active sessions. Your output should look similar to the following display with the exception that the escape sequence has been indicated in bold text:

SwitchX#<cntrl+shift+6,x>
RouterX#show sessions
Conn Host                Address             Byte  Idle Conn Name
*  1 10.10.10.11         10.10.10.11            0     0 10.10.10.11
RouterX#

Step 9 Enter the command ssh ip_address to open a second connection to your workgroup switch using the SSH protocol. Note: You need to enter the password associated with the username “netadmin.” Your output should look similar to the following display:

RouterX#ssh 10.10.10.11
********** Warning *************
Access to this device is restricted to authorized persons only!
Un-authorized access is prohibited. Violators will be prosecuted.
**************************************************************
Password:
SwitchX>

Step 10 Enter the escape sequence Ctrl-Shift-6, x to suspend the session and get the RouterX# prompt.

Step 11 Enter the command show sessions to display the currently active sessions. Your output should look similar to the following display with the exception that the escape sequence has been indicated in bold text:

SwitchX><ctrl+shift+6,x>
RouterX#show sessions
Conn Host                Address             Byte  Idle Conn Name
   1 10.10.10.11         10.10.10.11            0     4 10.10.10.11
*  2 10.10.10.11         10.10.10.11            0     0
RouterX#

Step 12 Enter the command resume 1 to resume your first connection to the workgroup switch. Notice that this session has the enable prompt.

<ENTER>
RouterX#resume 1
[Resuming connection 1 to 10.10.10.11 ... ]
<ENTER>
SwitchX#show users
    Line       User       Host(s)              Idle       Location
*  1 vty 0     netadmin   idle                 00:00:00 10.10.10.3
   2 vty 1     netadmin   idle                 00:00:22 10.10.10.3

  Interface    User               Mode         Idle     Peer Address
SwitchX#

Step 13 From your switch, Telnet to your workgroup router without prefixing the address with “Telnet,” and notice that you were automatically enabled on the router. Your output should look similar to the following display:

SwitchX#10.10.10.3
Trying 10.10.10.3 ... Open
********** Warning *************
Access to this device is restricted to authorized persons only!
Un-authorized access is prohibited. Violators will be prosecuted.
**************************************************************^C
User Access Verification
Username: netadmin
Password:
RouterX#

Step 14 Enter the command show sessions to display any sessions associated with this connection. Your output should look similar to the following display:

RouterX#show sessions
% No connections open
RouterX#

Note At this point in the activity, you have established a Telnet connection from the router to the switch and a Telnet connection from the switch to the router. Also, you have an SSH connection from the router to the switch.

Step 15 Your current view is at the router user EXEC via your initial Telnet connection through the switch. If at this point you use a single escape sequence, you will return to the Router# prompt (session 1). However, if you use two escape sequences followed by pressing x, you will return to the switch.

Step 16 Enter the sequence Ctrl-Shift-6, Ctrl-Shift-6, x, and notice that the x is used only once at the end. You are returned to your switch. Your output should look similar to the following display:

RouterX#<ctrl-shift-6, ctrl-shift-6, x>
SwitchX#sh sessions
Conn Host                Address             Byte  Idle Conn Name
*  1 10.10.10.3          10.10.10.3             0     0 10.10.10.3
SwitchX#

Step 17 Enter the escape sequence Ctrl-Shift-6, x, to suspend the original session initiated from the router and get the RouterX# prompt. Your output should look similar to the following display:

SwitchX#<ctrl-shift-6, x>
RouterX#sh sessions
Conn Host                Address             Byte  Idle Conn Name
*  1 10.10.10.11         10.10.10.11            0     0 10.10.10.11
   2 10.10.10.11         10.10.10.11            0     7

Step 18 Observe the output. The asterisk (*) is by the number 1. This indicates that this is the active session. If you press the Enter key without adding any other text, the session will automatically be resumed.


Step 19 Press the Enter key twice. The first resumes the connection to the switch, and the second is interpreted at the switch to resume its session to the router. You will need to press Enter a third time to get the router prompt. Your output should look similar to the following display:

RouterX#<ENTER>
[Resuming connection 1 to 10.10.10.11 ... ]
<ENTER>
[Resuming connection 1 to 10.10.10.3 ... ]
<ENTER>
RouterX#

Step 20 Enter the sequence Ctrl-Shift-6, Ctrl-Shift-6, x, to return to your switch. Your output should look similar to the following display:

RouterX#<ctrl-shift-6, ctrl-shift-6, x>
SwitchX#

Step 21 Close the connection to the router by using the disconnect command. Entering the command without any numerical value is interpreted as closing the last created connection. You will need to confirm your requested action. Your output should look similar to the following display:

SwitchX#disconnect
Closing connection to 10.10.10.3 [confirm]
SwitchX#

Step 22 Remove the modification to the EXEC timeout value by setting it back to its default value of 10 minutes. Your output should look similar to the following display:

SwitchX#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
SwitchX(config)#line vty 0 15
SwitchX(config-line)#exec-timeout 10
SwitchX(config-line)#end
SwitchX#

Step 23 Use the sequence Ctrl-Shift-6, x, to return to your router and enter the show sessions command. Your output should look similar to the following display:

SwitchX#<ctrl-shift-6, x>
RouterX#show sessions
Conn Host                Address             Byte  Idle Conn Name
*  1 10.10.10.11         10.10.10.11            0     1 10.10.10.11
   2 10.10.10.11         10.10.10.11            0    39

Step 24 Use the disconnect command to close both connections to the switch. Your output should look similar to the following display:

RouterX#disconnect 1
Closing connection to 10.10.10.11 [confirm]
RouterX#disconnect 2
Closing connection to 10.10.10.11 [confirm]
RouterX#

Step 25 Remove the modification to the EXEC timeout value by setting it back to its default value of 10 minutes. Your output should look similar to the following display:

RouterX#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
RouterX(config)#line vty 0 4
RouterX(config-line)#exec-timeout 10
RouterX(config-line)#end
RouterX#

Step 26 Close your SSH connection to your workgroup router by using the logout command. Then close your VPN connection.


Activity Verification

You have completed this task when you attain these results:

You initiated Telnet connections between your workgroup router and switch.

You initiated an SSH connection between your workgroup router and switch.

You used the show sessions command to identify current connections and their values including active session and session numbers.

You used the show users command to identify currently connected users to your workgroup router and switch.

You used the escape sequence to suspend the connection (session) that you were using (active).

You used the resume command to choose which of your open connections (sessions) you would use.

You returned the exec-timeout command value to 10 minutes on your workgroup router and switch.

You used disconnect and logout to close all connections.

You terminated the VPN tunnel from your PC to your remote workgroup.


Lab 5-1: Connecting to the Internet

Complete this lab activity to practice what you learned in the related module.

Activity Objective

In this activity, you will configure your WAN Ethernet interface to use a DHCP-obtained IP address and to provide PAT. After completing this activity, you will be able to meet these objectives:

Using Cisco SDM to configure the WAN Ethernet interface to use a DHCP obtained IP address

Using Cisco SDM to configure the router to support PAT of the inside Ethernet interface through the WAN Ethernet interface

Using Cisco SDM to verify that the configuration matches the requirements of the lab

Using the CLI to test and observe that PAT is taking place through the WAN Ethernet interface

Visual Objective

The figure illustrates what you will accomplish in this activity.

[Figure: Visual Objective for Lab 5-1: Connecting to the Internet]

Required Resources

These are the resources and equipment that are required to complete this activity:

PC with connectivity to the remote lab

An SSH-capable terminal emulation application


Your assigned pod access information from Lab 2-1

Successful completion of Lab 4-9

Command List

The table describes the commands that are used in this activity.

Router Cisco IOS Commands

| Command | Description |
|---|---|
| clear ip nat translation * | Clears dynamic NAT translations from the translation table. |
| ping ip_address | Common tool used to troubleshoot the accessibility of devices. It uses ICMP path echo requests and ICMP path echo replies to determine whether a remote host is active. The ping command also measures the amount of time it takes to receive the echo reply. |
| show dhcp lease | Displays the DHCP addresses leased from a server. |
| show ip nat translations | Displays active NAT translations. |

Job Aids

There are no job aids for this lab activity.

Task 1: Use Cisco SDM to Configure the Ethernet Connection to the Internet

In this task you will use the Cisco SDM tool to configure your WAN Ethernet connection to use DHCP to obtain its IP address. This interface will also be used in the NAT port address translation mode.

Activity Procedure

Complete these steps:

Step 1 Open a VPN connection to your remote workgroup.

Step 2 Open an Internet Explorer window and enter your workgroup router IP address in the Address field in the form of a URL; for example, https://10.x.x.3.


Step 3 In the new window that opens, enter your username netadmin and password netadmin.

Step 4 You may see this window; if so, click Yes to it and any subsequent security windows.


Step 5 Eventually, you should see the screen below.

Step 6 Choose the Configure tab.


Step 7 Choose the Create Connection tab, and click the Ethernet PPPoE or Unencapsulated Routing radio button.

Step 8 Click the Create New Connection button at the bottom of the pane.

Step 9 At the Welcome to the Ethernet WAN Configuration Wizard window, click the Next button at the bottom of the pane.

Step 10 At the Encapsulation window, make no choices. Click the Next button at the bottom of the pane to proceed.


Step 11 At the IP address window, make no choices. Only the Dynamic (DHCP Client) radio button should be set. Click Next to proceed.

Step 12 At the Advanced Options window, check the Port Address Translation check box. You should see “FastEthernet0/0” appear automatically in the LAN Interface to Be Translated box. Click the Next button at the bottom of the pane to proceed.


Step 13 Review the information in the Summary window. Click the Finish button to finalize the wizard.

Step 14 The configuration commands are transferred. Click the OK button to close the Commands Delivery Status window.


Step 15 In the Edit Interface/Connection tab that opened up following the previous step, choose FastEthernet0/1.

Step 16 Observe that the IP address is set and that it has (DHCP) following the value. Notice also that in the lower pane, NAT has a value of Outside.

Note You may need to click the Refresh button to force an update of the display.

Step 17 Close both your Cisco SDM session and your VPN connection.

Activity Verification

You have completed this task when you attain these results:

You have verified that the FastEthernet0/1 interface has an address obtained using DHCP.

You have verified in Step 15 that your FastEthernet0/0 interface has been identified as being an inside interface in the PAT configuration.

You have verified in Step 15 that your FastEthernet0/1 interface has been identified as being an outside interface in the PAT configuration.

Task 2: Use the CLI to Verify and Observe the Operation of PAT on Your Workgroup Router

In this task you will connect to your workgroup via the SSH connection. You will use CLI commands to ping the DHCP provided default gateway IP address. Then observe the PAT information stored by the workgroup router by using the clear and show ip nat translations commands.


Activity Procedure

Complete these steps:

Step 1 Using the SSH-capable terminal emulation application, connect to your assigned workgroup router.

Step 2 At the enable prompt, enter the show dhcp lease command. Your output should look similar to the following display, but will be different for each pod.

RouterX#show dhcp lease
Temp IP addr: 172.20.21.5  for peer on Interface: FastEthernet0/1
Temp  sub net mask: 255.255.255.0
   DHCP Lease server: 172.20.21.254, state: 3 Bound
   DHCP transaction id: 1F7E
   Lease: 86400 secs,  Renewal: 43200 secs,  Rebind: 75600 secs
Temp default-gateway addr: 172.20.21.254
   Next timer fires after: 11:53:31
   Retry count: 0   Client-ID: 001a.6ca1.eed9
   Client-ID hex dump: 001A6CA1EED9
   Hostname: RouterX
RouterX#

Step 3 Use the clear ip nat translation * command to clear any residual NAT information before proceeding to the next step.

Step 4 Use the show ip nat translations command to verify that there is no data to display.

RouterX#clear ip nat translation *
RouterX#show ip nat translations
RouterX#

Step 5 Using the IP address of the default router obtained in your output, use the ping command to test connectivity.

Step 6 Use the show ip nat translations command to observe if any translation was made. Your output should look similar to the following display:

RouterX#show ip nat translations
RouterX#

Caution You may be surprised that no entry was made for the ping that you just successfully completed. The reason for this is in the behavior of the ping process, which uses the IP address of the outgoing interface as the source IP address in the packets it uses. For the test that you just did, the outgoing interface (FastEthernet0/1) has the IP address 172.20.x.254, which does not need to be translated. In order to test this, you need to go to your workgroup switch and repeat the ping command, then return to your router to view the translation entry.

Step 7 At your workgroup switch user EXEC prompt enter the ping command to the default router IP address you used in Step 5. Your output should look similar to the following display:

SwitchX>ping 172.20.21.254
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.20.21.254, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/8 ms
SwitchX>


Step 8 Return to your workgroup router and enter the show ip nat translations command.

RouterX#show ip nat translations
Pro Inside global      Inside local       Outside local      Outside global
icmp 172.20.21.5:33    10.10.10.11:33     172.20.21.254:33   172.20.21.254:33

Step 9 Observe that in your output, the inside local IP address was your workgroup switch, and the inside global IP address was your FastEthernet0/1 interface.

Step 10 Save your running configuration to startup-config.

Activity Verification

You have completed this task when you attain these results:

You were able to get the DHCP obtained IP address of the default gateway.

You tested the operation of PAT, using a ping locally generated on your workgroup router. The show ip nat translation command failed to show any translation because of the behavior of the ping packets (use of source IP addresses).

You retested the ping, from your workgroup switch and using the show ip nat translation command. This sequence of packets did generate a translation.

You saved your running configuration to startup-config.
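The behavior observed in Steps 5 through 8 of this task can be reproduced with a small model of PAT. The following Python sketch is an added example, not part of the Cisco lab guide or of Cisco IOS; the class and function names and the ICMP identifier 7 used for the router's own ping are constructed for illustration, while the addresses are taken from the sample displays above.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Translation:
    proto: str
    inside_global: tuple  # (address, port or ICMP id) as seen on the outside
    inside_local: tuple   # real (address, port or ICMP id) on the LAN
    outside_addr: str     # destination address (outside local == outside global)

    def row(self):
        """Format like one line of 'show ip nat translations'."""
        # Simplification: the outside columns repeat the destination address
        # with the local id and the global id respectively.
        cols = [self.inside_global, self.inside_local,
                (self.outside_addr, self.inside_local[1]),
                (self.outside_addr, self.inside_global[1])]
        return " ".join([self.proto] + [f"{a}:{p}" for a, p in cols])


class PatRouter:
    """Simplified PAT: many inside hosts share the one outside address."""

    def __init__(self, inside_net, outside_ip):
        self.inside_net = ip_network(inside_net)      # LAN behind the inside interface
        self.outside_ip = str(ip_address(outside_ip))  # address of the outside interface
        self.entries = {}  # (proto, src, ident, dst) -> Translation

    def clear(self):
        """Model of 'clear ip nat translation *'."""
        self.entries.clear()

    def show(self):
        """Model of 'show ip nat translations' (rows only, no header)."""
        return [t.row() for t in self.entries.values()]

    def _free_ident(self, proto, wanted):
        # Keep the original port/id when it is free, otherwise take the next
        # unused one (assumption: real allocators are more elaborate).
        used = {t.inside_global[1] for t in self.entries.values()
                if t.proto == proto}
        ident = wanted
        while ident in used:
            ident = ident % 65535 + 1
        return ident

    def outbound(self, proto, src, ident, dst):
        """Return the (source address, id) the packet carries on the outside."""
        if ip_address(src) not in self.inside_net:
            # Locally generated traffic is already sourced from the outside
            # interface: nothing to translate, so no table entry is created.
            return (src, ident)
        key = (proto, src, ident, dst)
        if key not in self.entries:
            glob = (self.outside_ip, self._free_ident(proto, ident))
            self.entries[key] = Translation(proto, glob, (src, ident), dst)
        return self.entries[key].inside_global

    def inbound(self, proto, src, dst, ident):
        """Map a reply back to the inside host, or None if no entry matches."""
        for t in self.entries.values():
            if (t.proto, t.inside_global, t.outside_addr) == (proto, (dst, ident), src):
                return t.inside_local
        return None


def lab_walkthrough():
    """Replay Steps 3 to 8 and return the table contents after each ping."""
    r = PatRouter("10.10.10.0/24", "172.20.21.5")
    r.clear()                                               # Step 3
    r.outbound("icmp", "172.20.21.5", 7, "172.20.21.254")   # Step 5, id 7 is constructed
    after_router_ping = r.show()                            # Step 6
    r.outbound("icmp", "10.10.10.11", 33, "172.20.21.254")  # Step 7
    after_switch_ping = r.show()                            # Step 8
    return after_router_ping, after_switch_ping


if __name__ == "__main__":
    before, after = lab_walkthrough()
    print("after router ping:", before)
    print("after switch ping:", after)
```

The inbound() method shows the other half of the table's role: a packet arriving on the outside interface is delivered to an inside host only when a matching entry already exists.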


Lab 5-2: Connecting to the Main Office

Complete this lab activity to practice what you learned in the related module.

Activity Objective

In this activity, you will configure the serial connection and configure a static route. After completing this activity, you will be able to meet these objectives:

Configure your serial interface to use PPP

Configure a static route to a given IP network which can be reached via the serial interface

Visual Objective

The figure illustrates what you will accomplish in this activity.

[Figure: Visual Objective for Lab 5-2: Connecting to the Main Office]

Required Resources

These are the resources and equipment that are required to complete this activity:

PC with connectivity to the remote lab

An SSH-capable terminal emulation application

Your assigned pod access information from Lab 2-1

Successful completion of Lab 5-1


Command List

The table describes the commands that are used in this activity.

Router Cisco IOS Commands

| Command | Description |
|---|---|
| description description | Allows descriptive text to be associated with an interface. |
| interface serial 0/0/0 | Enters the interface configuration mode of the interface specified. |
| encapsulation ppp | Sets PPP as the encapsulation method used by a serial interface. |
| ip address ip_address mask | Sets the IP address and mask of the interface. |
| ip route net-prefix prefix-mask next_hop_ip_address | Establishes a static route to destination. |
| shutdown / no shutdown | Disables and enables an interface. |
| ping ip_address | Uses ICMP path echo requests and ICMP path echo replies to determine whether a remote host is active. |
| show ip route | Displays the current state of the routing table. |
| traceroute ip_address | Discovers the IP routes that packets will actually take when traveling to their destination. |

Job Aids

This job aid is available to help you complete the lab activity.

Table 1: Serial WAN Information

| Workgroup | WAN Interface s0/0/0 IP Address (Mask 255.255.255.0) | Remote WAN Interface IP Address (Next-Hop Router) | Remote Network Reachable via s0/0/0 | Remote Host Reachable via s0/0/0 |
|---|---|---|---|---|
| A | 10.140.1.2 | 10.140.1.1 | 192.168.21.0 | 192.168.21.200 |
| B | 10.140.2.2 | 10.140.2.1 | 192.168.22.0 | 192.168.22.200 |
| C | 10.140.3.2 | 10.140.3.1 | 192.168.23.0 | 192.168.23.200 |
| D | 10.140.4.2 | 10.140.4.1 | 192.168.24.0 | 192.168.24.200 |
| E | 10.140.5.2 | 10.140.5.1 | 192.168.25.0 | 192.168.25.200 |
| F | 10.140.6.2 | 10.140.6.1 | 192.168.26.0 | 192.168.26.200 |
| G | 10.140.7.2 | 10.140.7.1 | 192.168.27.0 | 192.168.27.200 |
| H | 10.140.8.2 | 10.140.8.1 | 192.168.28.0 | 192.168.28.200 |


Current Passwords

Router console login: sanjose

Router enable password: cisco

Router enable secret password: sanfran

Router vty login user ID: netadmin

Router vty login password: netadmin

Switch console login: sanjose

Switch enable password: cisco

Switch enable secret password: sanfran

Switch vty login user ID: netadmin

Switch vty login password: netadmin

Task 1: Configure Your Workgroup Router Serial 0/0/0

In this task you will configure your first serial interface with its assigned IP address. Also, you will configure the interface to support PPP encapsulation.

Activity Procedure

Complete these steps:

Step 1 Connect to your assigned workgroup router console port, and get to the EXEC enable prompt.

Step 2 Enter the command config terminal to get to the global configuration prompt.

Step 3 Enter the command interface s0/0/0 to get to the interface configuration mode of your first serial interface.

Step 4 Enter the command encapsulation ppp to enable the use of PPP instead of the default encapsulation of HDLC.

Step 5 Enter the command ip address ip_address 255.255.255.0, where you supply your WAN IP address from Table 1 at the beginning of this lab.

Step 6 Enter the command description Link to Main Office to associate text with the interface.

Step 7 Enter the command no shutdown to bring the interface up.

Step 8 Wait a few moments for the status messages to stop. Then enter the command end to exit to EXEC prompt.

Step 9 Your output for Steps 3 through 8 should look similar to the following display:

RouterX(config)#int s0/0/0
RouterX(config-if)#encapsulation ppp
RouterX(config-if)#ip address 10.140.10.2 255.255.255.0
RouterX(config-if)#description Link to Main Office
RouterX(config-if)#no shutdown
*Mar 26 21:10:35.451: %SYS-5-CONFIG_I: Configured from console by console
RouterX#
*Mar 26 21:10:35.983: %LINK-3-UPDOWN: Interface Serial0/0/0, changed state to up
RouterX#
*Mar 26 21:10:37.015: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0/0, changed state to up
RouterX(config-if)#end

Step 10 Enter the command show interface s0/0/0 to display the current status of your serial interface.

Step 11 Notice the bolded lines in the example below, which should be similar to your output.

RouterX#show interface s0/0/0
Serial0/0/0 is up, line protocol is up
  Hardware is GT96K Serial
  Description: Link to Main Office
  Internet address is 10.140.10.2/24
  MTU 1500 bytes, BW 1544 Kbit, DLY 20000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation PPP, LCP Open
  Open: IPCP, CDPCP, loopback not set
  Keepalive set (10 sec)
.. Text omitted

Step 12 If your serial interface line protocol is NOT up, then recheck that you entered your information correctly.

Activity Verification

You have completed this task when you attain these results:

You have correctly configured a username and password pair for PPP to use.

You have configured your interface to use the assigned IP address from Table 1 in this Lab.

You have verified using the show interface command that your serial interface is up, with the line protocol up.

Task 2: Test Connectivity to Your Assigned Remote Network

You will unsuccessfully test with the ping command the connectivity to your given remote network, which can only be reached through the serial interface you just configured. You will then use various Cisco IOS commands to investigate the reason why you cannot reach the network.

Activity Procedure

Complete these steps:

Step 1 Enter the ping remote_host command using the assigned IP address of the remote host from Table 1 above. Your output should look similar to the following display:

RouterX#ping 192.168.21.200
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.21.200, timeout is 2 seconds:
U.U.U
Success rate is 0 percent (0/5)

Step 2 Enter the traceroute remote_host command, using the same IP address you used in Step 1 above. Your output should look similar to the following display:

RouterX#traceroute 192.168.21.200
Type escape sequence to abort.
Tracing the route to 192.168.21.200
  1 172.20.21.254 0 msec 4 msec 0 msec
  2 172.20.21.254 !H  *  !H

Step 3 The output should indicate that the packets are being sent to the “Internet” IP address via FastEthernet 0/1.

Step 4 Enter the command show ip route to view the current information held in the route table. Your output should look similar to the following display:

RouterX#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is 172.20.21.254 to network 0.0.0.0

     172.20.0.0/24 is subnetted, 1 subnets
C       172.20.21.0 is directly connected, FastEthernet0/1
     10.0.0.0/8 is variably subnetted, 3 subnets, 2 masks
C       10.10.10.0/24 is directly connected, FastEthernet0/0
C       10.140.10.1/32 is directly connected, Serial0/0/0
C       10.140.10.0/24 is directly connected, Serial0/0/0
S*   0.0.0.0/0 [254/0] via 172.20.21.254

Step 5 Notice in the example the two lines that are bolded. These indicate that the only place that the router can send packets with destination addresses that are not found on directly connected networks is via the default route. Recall that the default route is indicated using 0.0.0.0.

Activity Verification

You have completed this task when you attain these results:

You observed using the traceroute command where your packets were being sent.

You observed using the show ip route commands that there is no entry in the routing table that matches the network you were trying to reach. Also, the routing table has an entry for forward “unknown” destinations, known as the gateway of last resort.

Task 3: Add a Static Route Entry for Your Remote Network

You have determined that the reason for the problem in reaching your remote network is that there is no routing table entry for that network. In this task, you will correct this problem by adding a static route entry to the configuration. You will then test that this action has corrected the problem. You should note that in order for your static route to correct this issue, there needs to be a reciprocal static entry in the distant router pointing back to your workgroup. You can assume that this has already been done by the administrator of that router.

Activity Procedure

Complete these steps:

Step 1 At the enable EXEC prompt, enter the command conf t to get to global configuration mode.

Step 2 Enter the command ip route remote_network remote_network_mask IP_next_hop_router, where the information to complete this can be obtained from Table 1. Your output should look similar to the following display:


RouterX(config)#ip route 192.168.2x.0 255.255.255.0 10.140.x.1

Step 3 Enter the command end to exit the configuration mode and return to the EXEC prompt.

Step 4 Enter the command show ip route to view the current information held in the route table. Your output should look similar to the following display:

RouterX#show ip route
..
..Text omitted
..
Gateway of last resort is 172.20.21.254 to network 0.0.0.0
     172.20.0.0/24 is subnetted, 1 subnets
C       172.20.21.0 is directly connected, FastEthernet0/1
S    192.168.21.0/24 [1/0] via 10.140.10.1
     10.0.0.0/8 is variably subnetted, 3 subnets, 2 masks
C       10.10.10.0/24 is directly connected, FastEthernet0/0
C       10.140.10.1/32 is directly connected, Serial0/0/0
C       10.140.10.0/24 is directly connected, Serial0/0/0
S*   0.0.0.0/0 [254/0] via 172.20.21.254
RouterX#

Step 5 Enter the command ping remote_network_host to test reachability to the remote network. Your output should look similar to the following display:

RouterX#ping 192.168.21.200
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.21.200, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 28/28/32 ms
RouterX#

Step 6 Enter the command traceroute remote_network_host to display the path taken by packets going to your remote network. Your output should look similar to the following display:

RouterX#traceroute 192.168.21.200
Type escape sequence to abort.
Tracing the route to 192.168.21.200
  1 10.140.10.1 12 msec *  12 msec

Step 7 Notice that because the remote network is only one hop away, there is only one line in the traceroute output.

Step 8 Save your running configuration to startup-config.

Activity Verification

You have completed this task when you attain these results:

You configured a static route entry pointing to the next hop router IP address of your serial 0/0/0 interface in the configuration of your workgroup router.

You used the show ip route command to verify that there is now an entry to your remote network.

You successfully tested reachability using the ping command.

You used the traceroute command to verify that the path taken was through the IP subnet used on the serial 0/0/0 interface.

You saved your running configuration to startup-config.


Lab 5-3: Enabling Dynamic Routing to the Main Office

Complete this lab activity to practice what you learned in the related module.

Activity Objective

In this activity, you will enable the use of the dynamic routing protocol RIP. After completing this activity, you will be able to meet these objectives:

Configure RIP on your workgroup router

Verify that RIP is operating

Remove the now unnecessary static route to an adjacent network

Visual Objective

The figure illustrates what you will accomplish in this activity.

[Figure: Visual Objective for Lab 5-3: Enabling Dynamic Routing to the Main Office]

Required Resources

These are the resources and equipment that are required to complete this activity:

PC with connectivity to the remote lab

An SSH-capable terminal emulation application

Your assigned pod access information from Lab 2-1

Successful completion of Lab 5-2


Command List

The table describes the commands that are used in this activity.

Commands

Command                  Description
configure terminal       Activates the configuration mode from the terminal.
end                      Terminates the configuration mode.
[no] ip route            Removes a previously configured static route.
network network_prefix   Specifies a list of networks that the RIP routing process will use. RIP will send and listen for routing updates on interfaces whose IP address matches the network specified.
router rip               Activates the RIP routing process.
show ip protocol         Displays the currently configured values for various properties of enabled routing protocols.
show ip route            Displays the current state of the routing table.
traceroute ip_address    Discovers the IP routes that packets will actually take when traveling to their destination.
version {1 | 2}          Specifies the RIP version used globally by the router.

Job Aids

Table 1: Remote Host Information

Workgroup  Remote Host IP Address on Networks Reachable via s0/0/0
A          192.168.21.200  192.168.121.200  192.168.221.200
B          192.168.22.200  192.168.122.200  192.168.222.200
C          192.168.23.200  192.168.123.200  192.168.223.200
D          192.168.24.200  192.168.124.200  192.168.224.200
E          192.168.25.200  192.168.125.200  192.168.225.200
F          192.168.26.200  192.168.126.200  192.168.226.200
G          192.168.27.200  192.168.127.200  192.168.227.200
H          192.168.28.200  192.168.128.200  192.168.228.200

These addresses can be used as destination addresses in the ping or traceroute commands. These are valid only for the workgroup specified.

Task 1: Configure RIP Routing Protocol on Your Workgroup Router

In this task you configure the RIP routing protocol operation on your workgroup router. You will then use Cisco IOS commands to verify its operation.


Activity Procedure

Complete these steps:

Step 1 At the EXEC prompt, enter the show ip route command to display the current route table entries. Your output should look similar to the following display:

RouterX#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route
Gateway of last resort is 172.20.21.254 to network 0.0.0.0
     172.20.0.0/24 is subnetted, 1 subnets
C       172.20.21.0 is directly connected, FastEthernet0/1
S    192.168.21.0/24 [1/0] via 10.140.10.1
     10.0.0.0/8 is variably subnetted, 3 subnets, 2 masks
C       10.10.10.0/24 is directly connected, FastEthernet0/0
C       10.140.10.1/32 is directly connected, Serial0/0/0
C       10.140.10.0/24 is directly connected, Serial0/0/0
S*   0.0.0.0/0 [254/0] via 172.20.21.254

Step 2 Enter the configure terminal command to get to the global configuration mode.

Step 3 Enter the command router rip to configure the RIP routing protocol.

Step 4 Enter the network 10.0.0.0 command to enable RIP on interfaces whose IP address matches the network address, in this case network 10.0.0.0.

Step 5 Enter the command end to exit the configuration mode. Your output should look similar to the following display:

RouterX#config terminal
Enter configuration commands, one per line. End with CNTL/Z.
RouterX(config)#router rip
RouterX(config-router)#network 10.0.0.0
RouterX(config-router)#end

Step 6 Enter the show ip protocol command to display information about IP routing protocols configured on your router. Your output should look similar to the following display:

RouterX#show ip protocol
Routing Protocol is "rip"
  Outgoing update filter list for all interfaces is not set
  Incoming update filter list for all interfaces is not set
  Sending updates every 30 seconds, next due in 0 seconds
  Invalid after 180 seconds, hold down 180, flushed after 240
  Redistributing: rip
  Default version control: send version 1, receive any version
    Interface             Send  Recv  Triggered RIP  Key-chain
    FastEthernet0/0       1     1 2
    Serial0/0/0           1     1 2
  Automatic network summarization is in effect
  Maximum path: 4
  Routing for Networks:
    10.0.0.0
  Routing Information Sources:
    Gateway         Distance      Last Update
  Distance: (default is 120)

Step 7 Notice that the output indicates that this router will send version 1 updates, but will recognize and use version 1 and 2 updates.


Step 8 Enter the commands necessary to configure RIP to use version 2. Your output should look similar to the following display:

RouterX#conf t
Enter configuration commands, one per line. End with CNTL/Z.
RouterX(config)#router rip
RouterX(config-router)#version 2
RouterX(config-router)#end

Step 9 Enter the show ip protocol command to display information about IP routing protocols configured on your router. Your output should look similar to the following display:

RouterX#show ip protocol
Routing Protocol is "rip"
  Outgoing update filter list for all interfaces is not set
  Incoming update filter list for all interfaces is not set
  Sending updates every 30 seconds, next due in 28 seconds
  Invalid after 180 seconds, hold down 180, flushed after 240
  Redistributing: rip
  Default version control: send version 2, receive version 2
    Interface             Send  Recv  Triggered RIP  Key-chain
    FastEthernet0/0       2     2
    Serial0/0/0           2     2
  Automatic network summarization is in effect
  Maximum path: 4
  Routing for Networks:
    10.0.0.0
  Routing Information Sources:
    Gateway         Distance      Last Update
    10.140.10.1          120      00:00:01
  Distance: (default is 120)

Step 10 Notice that RIP will now send and receive only version 2 updates.

Activity Verification

You have completed this task when you attain these results:

You enabled the RIP routing protocol.

You used show ip protocol to verify that it was operational.

You modified your configuration to use only RIP version 2 updates.

You used show ip protocol to verify this change was implemented.

Task 2: Replace the Existing Static Route and Test Connectivity

In this task, you will remove the static route configured in a prior lab. You will also test connectivity to a remote network learned via the RIP routing protocol.

Activity Procedure

Complete these steps:

Step 1 Enter the show ip route command to view the current route table entries. Your output should look similar to the following display:

RouterX#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
..
..Text omitted
..
Gateway of last resort is 172.20.21.254 to network 0.0.0.0
R    192.168.121.0/24 [120/1] via 10.140.10.1, 00:00:12, Serial0/0/0
     172.20.0.0/24 is subnetted, 1 subnets
C       172.20.21.0 is directly connected, FastEthernet0/1
R    192.168.131.0/24 [120/1] via 10.140.10.1, 00:00:12, Serial0/0/0
S    192.168.21.0/24 [1/0] via 10.140.10.1
     10.0.0.0/8 is variably subnetted, 3 subnets, 2 masks
C       10.10.10.0/24 is directly connected, FastEthernet0/0
C       10.140.10.1/32 is directly connected, Serial0/0/0
C       10.140.10.0/24 is directly connected, Serial0/0/0
R    192.168.221.0/24 [120/2] via 10.140.10.1, 00:00:13, Serial0/0/0
S*   0.0.0.0/0 [254/0] via 172.20.21.254

Step 2 Notice that there are more network entries learned via RIP updates. These are indicated in the display with an “R.” However, a static route is still being used as the entry for the route to the 192.168.2x.0 network (where x represents your pod number). This is indicated with an “S.” This route therefore does not take advantage of the dynamic updates available using RIP. Recall that the routing table uses the administrative distance to determine which route should populate the route table. The value for RIP is 120 and for a static route is 1.

Step 3 Enter the conf terminal command to enter the global configuration mode.

Step 4 Enter the command no ip route 192.168.2x.0 255.255.255.0 10.140.10.1 to remove the static route entry from the configuration.

Step 5 Enter the end command to exit the configuration mode.

Step 6 Enter the show ip route 192.168.2x.0 command to display only the information for the route specified. Your output should look similar to the following display:

RouterX#sh ip route 192.168.21.0
Routing entry for 192.168.21.0/24
  Known via "rip", distance 120, metric 1
  Redistributing via rip
  Last update from 10.140.10.1 on Serial0/0/0, 00:00:13 ago
  Routing Descriptor Blocks:
  * 10.140.10.1, from 10.140.10.1, 00:00:13 ago, via Serial0/0/0
      Route metric is 1, traffic share count is 1

Step 7 Enter the traceroute 192.168.22x.200 command to use the ICMP protocol to follow the path taken to reach the host on the network. Your output should look similar to the following display:

RouterX#traceroute 192.168.221.200
Type escape sequence to abort.
Tracing the route to 192.168.221.200
  1 10.140.10.1 16 msec 12 msec 12 msec
  2 192.168.131.253 16 msec *  12 msec

Step 8 Enter the command to save your configuration to startup-config.

Activity Verification

You have completed this task when you attain these results:

You removed the static route configured in a prior lab.

You verified the removal using the show ip route command.

You validated reachability to the network by using the traceroute command.

You saved your running configuration to startup-config.
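The route selection that Task 2 walks through, modeled as an added example that is not part of the lab guide: per prefix the candidate with the lowest administrative distance is installed, and forwarding then uses the longest matching prefix. The function names, the Route tuple, and the 198.51.100.7 test destination are assumptions made for illustration; the prefixes, distances and metrics are the ones in the lab's displays.

```python
import ipaddress
from collections import namedtuple

# Hypothetical record type for this example; not an IOS data structure.
Route = namedtuple("Route", "prefix source distance metric next_hop")


def route(prefix, source, distance, metric, next_hop):
    return Route(ipaddress.ip_network(prefix), source, distance, metric, next_hop)


# Candidate routes offered to RouterX, taken from the lab's "show ip route" displays.
# Distances 1, 120 and 254 are the bracketed values in that output; 0 for connected
# routes is the Cisco IOS default and is not printed on the page.
CANDIDATES = [
    route("172.20.21.0/24", "connected", 0, 0, "FastEthernet0/1"),
    route("10.10.10.0/24", "connected", 0, 0, "FastEthernet0/0"),
    route("10.140.10.1/32", "connected", 0, 0, "Serial0/0/0"),
    route("10.140.10.0/24", "connected", 0, 0, "Serial0/0/0"),
    route("192.168.21.0/24", "static", 1, 0, "10.140.10.1"),
    route("192.168.21.0/24", "rip", 120, 1, "10.140.10.1"),
    route("192.168.121.0/24", "rip", 120, 1, "10.140.10.1"),
    route("192.168.131.0/24", "rip", 120, 1, "10.140.10.1"),
    route("192.168.221.0/24", "rip", 120, 2, "10.140.10.1"),
    route("0.0.0.0/0", "static", 254, 0, "172.20.21.254"),
]


def install(candidates):
    """Per prefix, keep the candidate with the lowest administrative distance.

    When distances tie, the lower metric is kept.
    """
    table = {}
    for cand in candidates:
        current = table.get(cand.prefix)
        if current is None or (cand.distance, cand.metric) < (current.distance, current.metric):
            table[cand.prefix] = cand
    return table


def lookup(table, destination):
    """Forwarding decision: the longest matching prefix wins; None if nothing matches."""
    addr = ipaddress.ip_address(destination)
    matches = [r for r in table.values() if addr in r.prefix]
    return max(matches, key=lambda r: r.prefix.prefixlen, default=None)


def remove_static(candidates, prefix):
    """Model "no ip route <prefix> ..." by dropping the static candidate for that prefix."""
    net = ipaddress.ip_network(prefix)
    return [r for r in candidates if not (r.source == "static" and r.prefix == net)]


if __name__ == "__main__":
    before = install(CANDIDATES)
    after = install(remove_static(CANDIDATES, "192.168.21.0/24"))
    for label, table in (("before", before), ("after", after)):
        r = lookup(table, "192.168.21.200")
        print(f"{label}: 192.168.21.200 -> {r.source} [{r.distance}/{r.metric}] via {r.next_hop}")
    # Constructed destination with no specific route: falls through to the default.
    d = lookup(before, "198.51.100.7")
    print(f"198.51.100.7 -> {d.prefix} via {d.next_hop}")
```
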


Lab 6-1: Using Cisco Discovery Protocol

Complete this lab activity to practice what you learned in the related module.

Activity Objective

In this activity, you will use Cisco Discovery Protocol to obtain information about directly attached Cisco devices. You will also disable Cisco Discovery Protocol on selected interfaces. After completing this activity, you will be able to meet these objectives:

Verify that Cisco Discovery Protocol is running on your workgroup router and switch

Display information about neighboring Cisco devices

Limit which interfaces run Cisco Discovery Protocol as a security measure

Verify your changes

Visual Objective

The figure illustrates what you will accomplish in this activity.

[Figure: Visual Objective for Lab 6-1: Using Cisco Discovery Protocol]

Required Resources

These are the resources and equipment that are required to complete this activity:

PC with connectivity to the remote lab

An SSH-capable terminal emulation application

Your assigned pod access information from Lab 2-1

Successful completion of Lab 5-3


Command List

The table describes the commands that are used in this activity.

Router Cisco IOS Commands

Command                       Description
[no] cdp enable               Enables Cisco Discovery Protocol on an interface; the no form of the command disables Cisco Discovery Protocol on an interface.
[no] cdp run                  Enables Cisco Discovery Protocol globally on a router or switch; the no form disables Cisco Discovery Protocol globally.
interface range interface interfacenumber - interfacenumber
                              Allows the grouping of interfaces, such that the interface configuration commands that follow will be applied to all the interfaces specified simultaneously.
show cdp                      Displays global Cisco Discovery Protocol information, including timer and hold-time information.
show cdp entry *              Displays information about a specific neighboring device discovered using Cisco Discovery Protocol; the * matches all current entries.
show cdp interfaces           Displays information about the interfaces on which Cisco Discovery Protocol is enabled.
show cdp neighbors [detail]   Displays detailed information about neighboring devices discovered using Cisco Discovery Protocol.
show cdp traffic              Displays information about traffic between devices gathered using Cisco Discovery Protocol.

Job Aids

There are no job aids available for this lab activity.

Task 1: Use and Control Cisco Discovery Protocol on Your Workgroup Router

In this task, you will use Cisco Discovery Protocol to obtain information about directly connected Cisco devices. You will also control which interfaces run Cisco Discovery Protocol, because the information supplied by Cisco Discovery Protocol can be used by a hacker to obtain information for launching a security exploit.

Activity Procedure

Complete these steps:

Step 1 Connect to your remote workgroup router via the console server, and enter the necessary commands and passwords to get to the EXEC enable prompt.

Step 2 Enter the show cdp command to verify that Cisco Discovery Protocol is enabled and to display global information.

RouterX#show cdp
Global CDP information:
        Sending CDP packets every 60 seconds
        Sending a holdtime value of 180 seconds
        Sending CDPv2 advertisements is enabled


Step 3 Enter the show cdp interface command to display the interfaces that are running Cisco Discovery Protocol. Your output should look similar to the following display:

RouterX#show cdp interface
FastEthernet0/0 is up, line protocol is up
  Encapsulation ARPA
  Sending CDP packets every 60 seconds
  Holdtime is 180 seconds
FastEthernet0/1 is up, line protocol is up
  Encapsulation ARPA
  Sending CDP packets every 60 seconds
  Holdtime is 180 seconds
Serial0/0/0 is up, line protocol is up
  Encapsulation PPP
  Sending CDP packets every 60 seconds
  Holdtime is 180 seconds
Serial0/0/1 is administratively down, line protocol is down
  Encapsulation HDLC
  Sending CDP packets every 60 seconds
  Holdtime is 180 seconds

Step 4 Enter the show cdp neighbors command to display any known Cisco devices. Your output should look similar to the following display:

RouterX#show cdp neighbors
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
                  S - Switch, H - Host, I - IGMP, r - Repeater
Device ID          Local Intrfce  Holdtme  Capability  Platform   Port ID
MainRouter         Ser 0/0/0      167      R S I       2811       Ser 1/0
SwitchX.cisco.com  Fas 0/0        137      S I         WS-C2960-  Fas 0/2

Step 5 Using the information gathered in the previous step, enter the show cdp entry MainRouter command to view the detailed Cisco Discovery Protocol information of the Cisco router learned through the serial interface. Your output should look similar to the following display:

RouterX#show cdp entry MainRouter
-------------------------
Device ID: MainRouter
Entry address(es):
  IP address: 10.140.10.1
Platform: Cisco 2811, Capabilities: Router Switch IGMP
Interface: Serial0/0/0, Port ID (outgoing port): Serial1/0
Holdtime : 150 sec
Version :
Cisco IOS Software, 2800 Software (C2800NM-ADVIPSERVICESK9-M), Version 12.4(12), RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2006 by Cisco Systems, Inc.
Compiled Fri 17-Nov-06 12:02 by prod_rel_team
advertisement version: 2
VTP Management Domain: ''

Step 6 Observe in your display that the IP address of the remote device is output, as is the router platform and software information.

Step 7 Using the IP address from your output in Step 5, you could attempt to log in to router MainRouter; however, this would be unsuccessful because MainRouter has an ACL preventing unauthorized access.

Step 8 Enter the show cdp neighbors detail command to display the same information that show cdp entry did. However, the neighbors detail command will display all known neighbors without requiring any other parameters. Your output should look similar to the following display:

RouterX#show cdp neighbors detail
-------------------------
Device ID: MainRouter
Entry address(es):
  IP address: 10.140.10.1
Platform: Cisco 2811, Capabilities: Router Switch IGMP
Interface: Serial0/0/0, Port ID (outgoing port): Serial1/0
Holdtime : 167 sec
Version :
Cisco IOS Software, 2800 Software (C2800NM-ADVIPSERVICESK9-M), Version 12.4(12), RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2006 by Cisco Systems, Inc.
Compiled Fri 17-Nov-06 12:02 by prod_rel_team
advertisement version: 2
VTP Management Domain: ''
-------------------------
Device ID: SwitchX.cisco.com
Entry address(es):
  IP address: 10.10.10.11
Platform: cisco WS-C2960-24TT-L, Capabilities: Switch IGMP
Interface: FastEthernet0/0, Port ID (outgoing port): FastEthernet0/2
Holdtime : 135 sec
Version :
Cisco IOS Software, C2960 Software (C2960-LANBASEK9-M), Version 12.2(25)SEE2, RELEASE SOFTWARE (fc1)
Copyright (c) 1986-2006 by Cisco Systems, Inc.
Compiled Fri 28-Jul-06 11:57 by yenanh
advertisement version: 2
Protocol Hello: OUI=0x00000C, Protocol ID=0x0112; payload len=27, value=00000000FFFFFFFF010221FF000000000000001A6D446C80FF0000
VTP Management Domain: ''
Native VLAN: 1
Duplex: half

Step 9 From the output of the cdp commands or by knowing the topology, you can determine which interfaces connect to your network infrastructure. Any interfaces that do not connect to the infrastructure should have Cisco Discovery Protocol disabled because it offers the potential for assisting hackers to gain knowledge of your network. From the perspective of the workgroup router, interfaces fa0/1 and serial 0/0/1 should have Cisco Discovery Protocol disabled.

Step 10 At the global configuration mode, enter interface fa0/1 and then enter the no cdp enable command to disable Cisco Discovery Protocol only on this interface.

Step 11 Enter the same sequence of commands to disable Cisco Discovery Protocol on your serial 0/0/1 interface, then return to the enable EXEC prompt.

Step 12 Enter the show cdp interface command to verify that only Fa0/0 and s0/0/0 are running Cisco Discovery Protocol at this time. Your output should look similar to the following display:

RouterX#show cdp interface
FastEthernet0/0 is up, line protocol is up
  Encapsulation ARPA
  Sending CDP packets every 60 seconds
  Holdtime is 180 seconds
Serial0/0/0 is up, line protocol is up
  Encapsulation PPP
  Sending CDP packets every 60 seconds
  Holdtime is 180 seconds

Step 13 Having verified your configuration changes, save your configuration to startup-config.

Activity Verification

You have completed this task when you attain these results:

You observed the Cisco Discovery Protocol output for your directly attached Cisco neighbors.

You disabled Cisco Discovery Protocol on the interfaces that do not connect to your network infrastructure.

You saved your workgroup router configuration to startup-config.

Task 2: Use and Control Cisco Discovery Protocol on Your Workgroup Switch

In this task, you will use Cisco Discovery Protocol to obtain information about Cisco devices directly connected to your workgroup switch. For the same security reasons, you will control which interfaces run Cisco Discovery Protocol. In fact, a switch is more likely to be the first network device to confront a potential hacker.

Activity Procedure

Complete these steps:

Step 1 Connect to your remote workgroup switch via the console server, and enter the necessary commands and passwords to get to the EXEC enable prompt.

Step 2 Enter the show cdp command to verify that Cisco Discovery Protocol is enabled and also to display global information. Your output should look similar to the following display with the exception that some text has been omitted to save space.

SwitchX#show cdp interface
FastEthernet0/1 is up, line protocol is up
  Encapsulation ARPA
  Sending CDP packets every 60 seconds
  Holdtime is 180 seconds
FastEthernet0/2 is up, line protocol is up
  Encapsulation ARPA
  Sending CDP packets every 60 seconds
  Holdtime is 180 seconds
FastEthernet0/3 is administratively down, line protocol is down
  Encapsulation ARPA
  Sending CDP packets every 60 seconds
  Holdtime is 180 seconds
FastEthernet0/4 is administratively down, line protocol is down
  Encapsulation ARPA
..
..Text omitted
..
GigabitEthernet0/2 is administratively down, line protocol is down
  Encapsulation ARPA
  Sending CDP packets every 60 seconds
  Holdtime is 180 seconds


Step 3 Enter the show cdp neighbor command to view directly connected Cisco devices. Your output should look similar to the following display:

SwitchX#show cdp neighbors
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
                  S - Switch, H - Host, I - IGMP, r - Repeater, P - Phone
Device ID          Local Intrfce  Holdtme  Capability  Platform  Port ID
RouterX.cisco.com  Fas 0/2        150      R S I       2811      Fas 0/0

Step 4 Notice that the only neighbor found is your workgroup router. This confirms your network diagram: the only interface that should run Cisco Discovery Protocol is Fa0/2.

Step 5 Enter the necessary commands to have only interface fa0/2 running Cisco Discovery Protocol. Your output should look similar to the following display:

SwitchX#conf t
Enter configuration commands, one per line. End with CNTL/Z.
SwitchX(config)#interface range fa0/1 - 24, gi0/1 - 2
SwitchX(config-if-range)#no cdp enable
SwitchX(config-if-range)#interface fa0/2
% Command exited out of interface range and its sub-modes.
  Not executing the command for second and later interfaces
SwitchX(config-if)#cdp enable
SwitchX(config-if)#end

Step 6 Enter the show cdp interface command to verify your changes have been implemented. Your output should look similar to the following display:

SwitchX#sh cdp interface
FastEthernet0/2 is up, line protocol is up
  Encapsulation ARPA
  Sending CDP packets every 60 seconds
  Holdtime is 180 seconds

Step 7 Enter the show cdp traffic command to view information regarding the nature of the Cisco Discovery Protocol updates being sent and received. This can be useful should you suspect that there are some problems with the Cisco Discovery Protocol process. Your output should look similar to the following display:

SwitchX#sh cdp traffic
CDP counters :
        Total packets output: 645, Input: 164
        Hdr syntax: 0, Chksum error: 0, Encaps failed: 0
        No memory: 0, Invalid packet: 0, Fragmented: 0
        CDP version 1 advertisements output: 0, Input: 0
        CDP version 2 advertisements output: 645, Input: 164

Step 8 Having verified the operation and also your configuration changes, save your configuration to startup-config.

Activity Verification

You have completed this task when you attain these results:

You observed the cdp command output on your workgroup switch for your directly attached Cisco neighbors.

You disabled Cisco Discovery Protocol on the interfaces that do not connect to your network infrastructure.

You used the show cdp traffic command and verified that there were no errors in the Cisco Discovery Protocol update process.

You saved your running configuration to startup-config.
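The reasoning of Steps 3 through 6 can be automated. The following Python check is an added example, not part of the original lab guide: it parses show cdp interface and show cdp neighbors output and lists every port that still runs Cisco Discovery Protocol without an infrastructure neighbor behind it. The sample text is constructed from the displays above; the function names, the abbreviation map, and the rule that a neighbor advertising R or S counts as infrastructure are assumptions.

```python
import re

# Constructed samples in the layout of the lab's displays (Steps 2, 3 and 6).
CDP_INTERFACE_BEFORE = """\
FastEthernet0/1 is up, line protocol is up
  Encapsulation ARPA
  Sending CDP packets every 60 seconds
  Holdtime is 180 seconds
FastEthernet0/2 is up, line protocol is up
  Encapsulation ARPA
  Sending CDP packets every 60 seconds
  Holdtime is 180 seconds
FastEthernet0/3 is administratively down, line protocol is down
  Encapsulation ARPA
  Sending CDP packets every 60 seconds
  Holdtime is 180 seconds
"""
CDP_INTERFACE_AFTER = """\
FastEthernet0/2 is up, line protocol is up
  Encapsulation ARPA
  Sending CDP packets every 60 seconds
  Holdtime is 180 seconds
"""
CDP_NEIGHBORS = """\
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
                  S - Switch, H - Host, I - IGMP, r - Repeater, P - Phone
Device ID            Local Intrfce     Holdtme    Capability  Platform  Port ID
RouterX.cisco.com    Fas 0/2           150          R S I     2811      Fas 0/0
"""

# Abbreviations used in the neighbor table, mapped to full interface names.
ABBREVIATIONS = {"Fas": "FastEthernet", "Gig": "GigabitEthernet",
                 "Eth": "Ethernet", "Ser": "Serial"}
# Assumption: a neighbor counts as infrastructure if it advertises R or S.
INFRASTRUCTURE_CAPS = {"R", "S"}

INTERFACE_LINE = re.compile(
    r"^(?P<name>\S+) is (?P<status>[\w ]+), line protocol is (?P<proto>\w+)$")
NEIGHBOR_LINE = re.compile(
    r"^(?P<device>\S+)\s+(?P<ltype>[A-Za-z]+)\s+(?P<lport>[\d/]+)\s+"
    r"(?P<hold>\d+)\s+(?P<caps>(?:[RTBSHIrP]\s+)+)(?P<platform>\S+)\s+"
    r"(?P<rtype>[A-Za-z]+)\s+(?P<rport>[\d/]+)$")


def cdp_enabled_interfaces(show_cdp_interface):
    """Map each CDP-enabled interface to its link status.

    Only interfaces with CDP enabled appear in `show cdp interface`
    (compare the Step 2 and Step 6 displays), so every key is a CDP port.
    """
    enabled = {}
    for line in show_cdp_interface.splitlines():
        match = INTERFACE_LINE.match(line.strip())
        if match:
            enabled[match.group("name")] = match.group("status")
    return enabled


def infrastructure_ports(show_cdp_neighbors):
    """Return local interfaces on which a router or switch neighbor was seen."""
    ports = {}
    for line in show_cdp_neighbors.splitlines():
        match = NEIGHBOR_LINE.match(line.strip())
        if not match:
            continue  # header, capability legend, or a layout not handled here
        caps = set(match.group("caps").split())
        if caps & INFRASTRUCTURE_CAPS:
            prefix = ABBREVIATIONS.get(match.group("ltype"), match.group("ltype"))
            ports[prefix + match.group("lport")] = match.group("device")
    return ports


def cdp_exposure(show_cdp_interface, show_cdp_neighbors):
    """List CDP-enabled interfaces that have no infrastructure neighbor."""
    enabled = cdp_enabled_interfaces(show_cdp_interface)
    needed = infrastructure_ports(show_cdp_neighbors)
    return sorted(name for name in enabled if name not in needed)


if __name__ == "__main__":
    print("before:", cdp_exposure(CDP_INTERFACE_BEFORE, CDP_NEIGHBORS))
    print("after: ", cdp_exposure(CDP_INTERFACE_AFTER, CDP_NEIGHBORS))
```

An empty list after the Step 5 change means Cisco Discovery Protocol advertisements, which carry the device ID, platform and port, now leave the switch only on the uplink.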


Lab 6-2: Managing Router Startup Options

Complete this lab activity to practice what you learned in the related module.

Activity Objective

In this activity, you will make changes to control your router startup behavior. After completing this activity, you will be able to meet these objectives:

Display the configuration register, modify it to a specified value, and return it to its original value

Validate by inspection of output whether a displayed configuration is from the running configuration or the startup configuration in the startup-config file.

Modify the sequence of Cisco IOS files loaded at startup, using a sequenced list of boot system commands

Observe a reload and verify which of the boot statements was processed to obtain the running Cisco IOS binary file

Visual Objective

The figure illustrates what you will accomplish in this activity.

[Figure: Visual Objective for Lab 6-2: Managing Router Startup Options]

Required Resources

These are the resources and equipment that are required to complete this activity:

PC with connectivity to the remote lab

An SSH-capable terminal emulation application


Your assigned pod access information from Lab 2-1

Successful completion of Lab 6-1

Command List

The table describes the commands that are used in this activity.

Router Cisco IOS Commands

Command                               Description
boot system flash [filename]          Specifies that the system image the router loads at startup is obtained from flash memory, using the given filename.
boot system tftp filename server_ip   Specifies that the system image the router loads at startup is obtained from a TFTP server, using the given filename at the IP address specified by the server_ip option.
config-register value                 Changes the configuration register settings, where value is a hexadecimal number.
show flash                            Displays the layout and contents of a flash memory file system.
show running-config                   Displays the currently running configuration.
show startup-config                   Displays the contents of the configuration that is held in NVRAM and that will be used following a reload of the router.
show version                          Displays information about the currently loaded software version along with hardware and device information.

Job Aids

The following job aid is available to help you complete the lab activity.

Table 1: TFTP Server IP Address Information

Workgroup   TFTP Server IP Address   Workgroup   TFTP Server IP Address
A           10.2.2.1                 E           10.6.6.1
B           10.3.3.1                 F           10.7.7.1
C           10.4.4.1                 G           10.8.8.1
D           10.5.5.1                 H           10.9.9.1

Task 1: Modify the Configuration Register

In this task, you will change the value of the configuration register and observe how this is displayed. You will then restore the configuration register to the value it had at the start of this task.


Activity Procedure

Complete these steps:

Step 1 Connect to your remote workgroup router via the console server, and enter the necessary commands and passwords to get to the EXEC enable prompt.

Step 2 Enter the show version command and press the Spacebar to complete the output. Your output should look similar to the following display:

RouterX#show version
Cisco IOS Software, 2800 Software (C2800NM-ADVIPSERVICESK9-M), Version 12.4(12), RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2006 by Cisco Systems, Inc.
Compiled Fri 17-Nov-06 12:02 by prod_rel_team
ROM: System Bootstrap, Version 12.4(13r)T, RELEASE SOFTWARE (fc1)
RouterX uptime is 2 minutes
System returned to ROM by reload at 23:05:39 UTC Fri Mar 30 2007
System image file is "flash:c2800nm-advipservicesk9-mz.124-12.bin"
This product contains cryptographic features and is subject to United
..
..Text omitted
..
Cisco 2811 (revision 53.50) with 249856K/12288K bytes of memory.
Processor board ID FTX1050A3Q6
2 FastEthernet interfaces
2 Serial(sync/async) interfaces
1 Virtual Private Network (VPN) Module
DRAM configuration is 64 bits wide with parity enabled.
239K bytes of non-volatile configuration memory.
62720K bytes of ATA CompactFlash (Read/Write)
Configuration register is 0x2102

Step 3 Write down the value of the configuration register (exactly as it appears) in the line below.

Step 4 In the global configuration mode, enter the config-register 0x2104 command to modify the configuration setting.

RouterX#conf t
Enter configuration commands, one per line. End with CNTL/Z.
RouterX(config)#config-register 0x2104

Step 5 Exit the global configuration mode and enter the show version command to display the new value. Your output should look similar to the following display:

RouterX(config)#^Z
RouterX#
RouterX#show version
Cisco IOS Software, 2800 Software (C2800NM-ADVIPSERVICESK9-M), Version 12.4(12), RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2006 by Cisco Systems, Inc.
Compiled Fri 17-Nov-06 12:02 by prod_rel_team
ROM: System Bootstrap, Version 12.4(13r)T, RELEASE SOFTWARE (fc1)
RouterX uptime is 8 minutes
System returned to ROM by reload at 23:05:39 UTC Fri Mar 30 2007
..
..Text omitted
..
239K bytes of non-volatile configuration memory.
62720K bytes of ATA CompactFlash (Read/Write)
Configuration register is 0x2102 (will be 0x2104 at next reload)
RouterX#

Step 6 You will see that your new value will not be active until the next reload.

Step 7 You can (optionally) enter the show running-config command to look for the config-register parameter; however, it will not be displayed as it is NOT part of the running configuration.

Step 8 Enter the commands necessary to restore your configuration register to the value you recorded in Step 3. When you have done this, you should enter the show version command and verify that the configuration register has been restored to its original value.

Step 9 It can sometimes seem confusing when viewing output to distinguish which display is the running configuration and which is the startup configuration.

Step 10 Enter the show running-config command and use q to quit the output after the first screen is displayed. Your output should look similar to the following display:

RouterX#show running-config
Building configuration...
Current configuration : 2170 bytes
!
version 12.4
..
..Text omitted
..
--More--q

Step 11 Notice that the output starts with the words “Building configuration.” This is because the running configuration is NOT a file. It is the stored parameter values within the executing Cisco IOS program.

Step 12 Enter the show startup-config command and use q to quit the output after the first screen is displayed. Your output should look similar to the following display:

RouterX#sh startup-config
Using 2170 out of 245752 bytes
!
version 12.4
..
..Text omitted
..
--More--q

Step 13 Notice that the output in the example displayed has the words “Using 2170 out of 245752 bytes,” which indicates that a certain amount of the NVRAM is being used to hold the configuration file.

Activity Verification

You have completed this task when you attain these results:

You observed and recorded the current value of the configuration register.


You modified the configuration register value, displayed the output of the show version command, and identified that it had been changed but that this change would not be active until after the router was restarted.

You then returned the configuration register to its original value.

You displayed and identified the differences in the output between showing the running configuration and the startup configuration when using the show commands.
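The configuration register line that Steps 2 and 5 read by eye can also be decoded bit by bit. The following Python decoder is an added example, not part of the original lab guide: it extracts the current and pending values from show version output and reports the settings that change startup behavior. The function names are assumptions, the bit descriptions follow the standard 16-bit register layout, and the 0x2142 sample is constructed and does not appear in this lab.

```python
import re

# Constructed samples: the first line is the Step 5 display; the second uses
# 0x2142, a value that does not appear in this lab, to exercise the NVRAM bit.
SHOW_VERSION_PENDING = "Configuration register is 0x2102 (will be 0x2104 at next reload)"
SHOW_VERSION_BYPASS = "Configuration register is 0x2142"

REGISTER_LINE = re.compile(
    r"Configuration register is (0x[0-9A-Fa-f]+)"
    r"(?: \(will be (0x[0-9A-Fa-f]+) at next reload\))?")

# Single-bit flags of the 16-bit register (console-speed bits are omitted).
FLAGS = {
    0x0040: "ignore NVRAM contents (startup-config not loaded)",
    0x0080: "OEM bit enabled",
    0x0100: "Break disabled",
    0x0400: "IP broadcast with all zeros",
    0x2000: "boot default ROM software if network boot fails",
    0x4000: "IP broadcasts do not have network numbers",
    0x8000: "diagnostic messages enabled, NVRAM contents ignored",
}
IGNORE_NVRAM_BITS = 0x0040 | 0x8000


def boot_action(boot_field):
    """Describe what the low four bits (the boot field) select."""
    if boot_field == 0:
        return "stay at the ROM monitor"
    if boot_field == 1:
        return "boot the platform default image; boot system commands are not used"
    return "process boot system commands, else load the first image in flash"


def decode(value):
    """Break a register value into its boot field and the flags that are set."""
    boot_field = value & 0x000F
    return {
        "boot_field": boot_field,
        "boot_action": boot_action(boot_field),
        "flags": [FLAGS[mask] for mask in sorted(FLAGS) if value & mask],
        "ignores_startup_config": bool(value & IGNORE_NVRAM_BITS),
    }


def parse_register_line(show_version_text):
    """Return (current, pending); pending is None when no change is queued."""
    match = REGISTER_LINE.search(show_version_text)
    if not match:
        raise ValueError("no configuration register line found")
    current = int(match.group(1), 16)
    pending = int(match.group(2), 16) if match.group(2) else None
    return current, pending


def review(show_version_text):
    """List register settings an administrator should confirm were intended."""
    current, pending = parse_register_line(show_version_text)
    findings = []
    for label, value in (("current", current), ("pending", pending)):
        if value is None:
            continue
        decoded = decode(value)
        if decoded["ignores_startup_config"]:
            findings.append(f"{label} 0x{value:04X}: startup-config is ignored at boot")
        if decoded["boot_field"] == 0:
            findings.append(f"{label} 0x{value:04X}: router stops at the ROM monitor")
    if pending is not None and pending != current:
        findings.append(
            f"register changes from 0x{current:04X} to 0x{pending:04X} at next reload")
    return findings


if __name__ == "__main__":
    for sample in (SHOW_VERSION_PENDING, SHOW_VERSION_BYPASS):
        print(sample, "->", review(sample))
```

Because the register is not part of the running configuration (Step 7), a configuration backup will not reveal a changed value; the show version line is the place to check it.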

Task 2: Observe the Flash File System and Add Boot System Commands

In this task, you will determine the Cisco IOS system file being used. You will then add three boot system commands that modify the default behavior of file choice at startup. Changes to the booting process flow should be used with extreme caution, as errors may leave your router potentially unreachable over the network. For this reason, this process is usually done only by senior network administrators.

Activity Procedure

Complete these steps:

Step 1 Enter the show flash: command to output the files that are currently stored in the flash memory. Your output should look similar to the following display:

RouterX#show flash:
-#- --length-- -----date/time------ path
1     36232088 Mar 28 2007 17:27:46 +00:00 c2800nm-advipservicesk9-mz.124-12.bin
2         1823 Dec 14 2006 08:25:40 +00:00 sdmconfig-2811.cfg
3      4734464 Dec 14 2006 08:26:10 +00:00 sdm.tar
4       833024 Dec 14 2006 08:26:26 +00:00 es.tar
5      1052160 Dec 14 2006 08:26:46 +00:00 common.tar
6         1038 Dec 14 2006 08:27:02 +00:00 home.shtml
7       102400 Dec 14 2006 08:27:24 +00:00 home.tar
8       491213 Dec 14 2006 08:27:48 +00:00 128MB.sdf
20557824 bytes available (43458560 bytes used)

Step 2 You should note that the Cisco IOS binary file is identified with a .bin extension. The other files (in the example display above) are related to the Cisco SDM configuration program. It is possible to have multiple Cisco IOS images in flash memory. Write the filename of the Cisco IOS binary file in the space below; in the example, it is c2800nm-advipservicesk9-mz.124-12.bin.

Step 3 The first binary file found in flash memory determines the Cisco IOS image loaded at a restart. This order can be modified by using the boot system flash filename.bin configuration commands.

Caution: Extreme care should be taken when using boot system commands because an error may leave the router unable to start, which can lead to significant downtime while the boot process is restored. For this reason, only senior network administrators usually modify the Cisco IOS flash files and modify the boot sequence.


Step 4 At the global configuration prompt, enter the boot system tftp filename tftp_address command, where filename is the name you noted in Step 2 and tftp_address is the IP address of your workgroup TFTP server, which can be found in Table 1. Because this command is entered first, the router on reload first attempts to locate and load its Cisco IOS file from the TFTP server specified. Your output should look similar to the following display:

RouterX(config)#boot system tftp c2800nm-advipservicesk9-mz.124-12.bin 10.x.x.1

Step 5 Enter boot system flash filename, where filename is the name you copied in Step 2. If this command is processed, the router will attempt to load the Cisco IOS file from flash memory using the filename specified. Your output should look similar to the following display:

RouterX(config)#boot system flash c2800nm-advipservicesk9-mz.124-12.bin

Step 6 Enter boot system flash. No filename is necessary. This command, if processed, will load the router with the first Cisco IOS file found in flash memory. Your output should look similar to the following display:

RouterX(config)#boot system flash

Step 7 Enter the command to leave the configuration mode.

Step 8 Enter the show run command, and observe the output to verify that your boot system commands are accurately entered. Your output should look similar to the following display but should show your workgroup hostname and filenames:

..
..Text omitted
..
hostname RouterX
!
boot-start-marker
boot system tftp c2800nm-advipservicesk9-mz.124-12.bin 10.x.x.1
boot system flash c2800nm-advipservicesk9-mz.124-12.bin
boot system flash
boot-end-marker
!

Step 9 Make any corrections necessary before proceeding to the next step.

Step 10 Enter the copy run start command to save your running configuration to NVRAM.

Note: The reload process will take a variable amount of time, with the low end being approximately 5 to 8 minutes, depending on router hardware and the performance of the TFTP server. A reload from flash memory takes 2 to 3 minutes for the same router hardware.

Step 11 Enter and confirm the reload command. Observe the output displayed during the reload. In the space below, write the location that you believe provided the Cisco IOS file to load.

Step 12 Your output should look similar to the following display:

RouterX#reload
Proceed with reload? [confirm]<ENTER>
*Apr 6 18:17:24.619: %SYS-5-RELOAD: Reload requested by console. Reload Reason: Reload Command.
System Bootstrap, Version 12.4(13r)T, RELEASE SOFTWARE (fc1)
..
..Text omitted
..
<ENTER><ENTER>
*Apr 6 18:22:16.311: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to up
********** Warning *************
Access to this device is restricted to authorized persons only!
Un-authorized access is prohibited. Violators will be prosecuted.
**************************************************************^
User Access Verification
Password:

Step 13 When your router has finished reloading, press Enter twice to ensure that you are at a login prompt. Enter the information to get to the privileged EXEC mode.

Step 14 Enter the show version command and observe the display to confirm the location of the Cisco IOS file. Your output should look similar to the following display:

RouterX#sh version
Cisco IOS Software, 2800 Software (C2800NM-ADVIPSERVICESK9-M), Version 12.4(12), RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2006 by Cisco Systems, Inc.
Compiled Fri 17-Nov-06 12:02 by prod_rel_team
ROM: System Bootstrap, Version 12.4(13r)T, RELEASE SOFTWARE (fc1)
RouterX uptime is 1 minute
System returned to ROM by reload at 18:17:24 UTC Fri Apr 6 2007
System image file is "tftp://10.x.x.1/c2800nm-advipservicesk9-mz.124-12.bin"
..
..TEXT omitted
..
--More--q

Step 15 If there was a problem with the TFTP download, then you may have the following line in the show version command display:

System image file is "flash:c2800nm-advipservicesk9-mz.124-12.bin"

Activity Verification

You have completed this task when you attain these results:

You observed and recorded the current Cisco IOS binary file stored in flash memory.

You added three boot system commands to modify the startup behavior of the router on reload in the following order:

— First, attempt to locate a specified Cisco IOS file via a TFTP server.

— If unsuccessful, attempt to locate a specified Cisco IOS file from flash memory.

— Finally, locate the first found Cisco IOS file from flash memory.

You reloaded your router and observed the output to determine which of the boot system commands resulted in the system file used at startup.

You used the show version command to verify which method was actually being used.
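Steps 8, 14 and 15 compare the configured boot order with the image that actually loaded. The following Python check is an added example, not part of the original lab guide: it parses the boot system statements between the boot markers, identifies which statement supplied the running image, and reports whether the router fell back from its first choice and which statements fetch the image over TFTP, a protocol with no authentication or integrity protection of its own. The function names are assumptions, and the samples are constructed from the Step 8 and Step 14 displays using the workgroup A server address from Table 1.

```python
import re

IMAGE = "c2800nm-advipservicesk9-mz.124-12.bin"
# Constructed samples: the Step 8 display with the workgroup A server from Table 1,
# and the two possible show version lines from Steps 14 and 15.
RUNNING_CONFIG = f"""\
hostname RouterX
!
boot-start-marker
boot system tftp {IMAGE} 10.2.2.1
boot system flash {IMAGE}
boot system flash
boot-end-marker
!
"""
SHOW_VERSION_TFTP = f'System image file is "tftp://10.2.2.1/{IMAGE}"'
SHOW_VERSION_FLASH = f'System image file is "flash:{IMAGE}"'

BOOT_LINE = re.compile(
    r"^boot system (?P<source>tftp|flash)"
    r"(?:\s+(?P<filename>\S+))?(?:\s+(?P<server>\S+))?$")
IMAGE_LINE = re.compile(r'System image file is "([^"]+)"')


def boot_statements(config_text):
    """Return the boot system statements in the order they are configured.

    Only the two forms used in this lab are parsed:
    `boot system tftp filename server_ip` and `boot system flash [filename]`.
    """
    statements = []
    inside = False
    for raw in config_text.splitlines():
        line = raw.strip()
        if line == "boot-start-marker":
            inside = True
        elif line == "boot-end-marker":
            inside = False
        elif inside:
            match = BOOT_LINE.match(line)
            if match:
                statements.append(match.groupdict())
    return statements


def running_image(show_version_text):
    """Split the 'System image file is' value into source, server and filename."""
    match = IMAGE_LINE.search(show_version_text)
    if not match:
        return None
    url = match.group(1)
    if url.startswith("tftp://"):
        server, _, filename = url[len("tftp://"):].partition("/")
        return {"source": "tftp", "filename": filename, "server": server}
    if url.startswith("flash:"):
        return {"source": "flash", "filename": url[len("flash:"):], "server": None}
    return {"source": "other", "filename": url, "server": None}


def matched_statement(statements, image):
    """Index of the first boot statement that explains the running image."""
    for index, stmt in enumerate(statements):
        if stmt["source"] != image["source"] or stmt["server"] != image["server"]:
            continue
        if stmt["filename"] in (None, image["filename"]):
            return index
    return None


def boot_report(config_text, show_version_text):
    """Summarize configured boot order against what actually booted."""
    statements = boot_statements(config_text)
    image = running_image(show_version_text)
    used = matched_statement(statements, image) if image else None
    return {
        "order": [s["source"] for s in statements],
        "network_sources": [s["server"] for s in statements if s["source"] == "tftp"],
        "used": used,
        "fell_back": used is not None and used > 0,
    }


if __name__ == "__main__":
    print(boot_report(RUNNING_CONFIG, SHOW_VERSION_TFTP))
    print(boot_report(RUNNING_CONFIG, SHOW_VERSION_FLASH))
```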


Lab 6-3: Managing Cisco Devices

Complete this lab activity to practice what you learned in the related module.

Activity Objective

In this activity, you will use Cisco IOS copy and debug commands. After completing this activity, you will be able to meet these objectives:

Save your running configuration on a remote TFTP server

Upload and download configuration files

Copy files to, and delete files from, local flash memory

Ensure that the router is lightly loaded before using debugging commands

Turn debugging on and off

Visual Objective

The figure illustrates what you will accomplish in this activity.

[Figure: Visual Objective for Lab 6-3: Managing Cisco Devices]

Required Resources

These are the resources and equipment that are required to complete this activity:

PC with connectivity to the remote lab

An SSH-capable terminal emulation application

Your assigned pod access information from Lab 2-1

Successful completion of Lab 6-2


Command List

The table describes the commands that are used in this activity.

Router Cisco IOS Commands

Command                                      Description
copy running-config tftp                     A multiline command that copies the running configuration file to a TFTP server.
copy tftp flash                              A multiline command that copies a configuration file from a TFTP server to flash memory.
copy tftp running-config                     A multiline command that copies a configuration file from a TFTP server to the running configuration.
copy tftp startup-config                     A multiline command that copies a configuration file from a TFTP server to the startup-config file, also known as NVRAM.
debug ip icmp                                Displays debug information on ICMP transactions.
debug ip rip                                 Displays debug information on RIP routing protocol transactions.
no debug all                                 Turns off all debugging operations.
delete flash:filename                        Removes the specified file from flash memory.
more flash:filename                          Displays as text the contents of the file in flash memory.
ping ip_address                              Common tool used to troubleshoot the accessibility of devices. It uses ICMP path echo requests and ICMP path echo replies to determine whether a remote host is active. The ping command also measures the amount of time it takes to receive the echo reply.
show debugging                               Displays information about the types of debugging that are enabled on your router.
show flash                                   Displays the layout and contents of a flash memory file system.
show processes                               Displays information about the active processes, including the CPU loading.
show running-config interface interface_id   Displays only the current configuration of the specified interface.
show startup-config                          Displays the configuration settings of the startup configuration file in NVRAM.


Job Aids

The following job aid is available to help you complete the lab activity.

Table 1: TFTP Server IP Address Information

Workgroup   TFTP Server IP Address   Workgroup   TFTP Server IP Address
A           10.2.2.1                 E           10.6.6.1
B           10.3.3.1                 F           10.7.7.1
C           10.4.4.1                 G           10.8.8.1
D           10.5.5.1                 H           10.9.9.1

Task 1: Copy Configuration Files

You will use Cisco IOS commands to save and modify your configuration by uploading and downloading configuration files to and from a TFTP server.

Activity Procedure

Complete these steps:

Step 1 Connect to your remote workgroup router via the console server, and enter the necessary commands and passwords to get to the user EXEC prompt.

Step 2 Enter the command to get to the enable EXEC prompt.

Step 3 Before attempting to save or copy a configuration from a TFTP server, it is a very good idea to test that the server is reachable. Enter the command to ping your workgroup TFTP server; refer to Table 1 for the address. Your output should look similar to the following display:

RouterX#ping 10.10.10.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.10.1, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/1/1 ms

Step 4 Enter the command copy running tftp.

Step 5 At the prompt, enter your workgroup assigned TFTP server IP address from Table 1.

Step 6 At the prompt, accept the default name based on your router hostname by using the Enter key.

Step 7 Your output from these steps should look similar to the following display:

RouterX#copy running tftp
Address or name of remote host []? 10.x.x.1
Destination filename [RouterX-confg]?
.!!
2140 bytes copied in 4.760 secs (450 bytes/sec)


Step 8 Enter the show run int s0/0/0 command to display only the configuration for your serial interface. Your output should look similar to the following display:

RouterX#show run int s0/0/0
Building configuration...
Current configuration : 125 bytes
!
interface Serial0/0/0
 description Link to Main Office
 ip address 10.140.10.2 255.255.255.0
 encapsulation ppp
 no fair-queue
end

Step 9 Enter the copy tftp run command to copy from the TFTP server to your running configuration.

Step 10 Use the IP address of your workgroup TFTP server when prompted for the address.

Step 11 Use the filename “descript-confg” when prompted for the source filename.

Step 12 Accept the default destination filename.

Step 13 Your output from these steps should look similar to the following display:

RouterX#copy tftp run
Address or name of remote host []? 10.10.10.1
Source filename []? descript-confg
Destination filename [running-config]?
Accessing tftp://10.10.10.1/descript-confg...
Loading descript-confg from 10.10.10.1 (via FastEthernet0/0): !
[OK - 289 bytes]
289 bytes copied in 2.024 secs (143 bytes/sec)

Step 14 Enter the show run int s0/0/0 command to display only the configuration for your serial interface. Your output should look similar to the following display:

RouterX#show run int s0/0/0
Building configuration...
Current configuration : 164 bytes
!
interface Serial0/0/0
 description Connection to Main Office
 ip address 10.140.10.2 255.255.255.0
 encapsulation ppp
 no fair-queue
end

Step 15 Your display should show that a description statement has overwritten the prior description on the serial interface.

Step 16 Enter the copy tftp flash command to copy from the TFTP server to your local flash memory.

Step 17 Enter the IP address of your workgroup TFTP server when prompted for the address.

Step 18 Enter the filename “descript-confg” when prompted for the source filename.

Step 19 Accept the default destination filename.


Step 20 Your output from these steps should look similar to the following display:

RouterX#copy tftp flash:
Address or name of remote host [10.x.x.1]?
Source filename [descript-confg]?
Destination filename [descript-confg]?
Accessing tftp://10.x.x.1/descript-confg...
Loading descript-confg from 10.x.x.1 (via FastEthernet0/0): !
[OK - 289 bytes]
289 bytes copied in 2.228 secs (130 bytes/sec)

Step 21 Enter the show flash command to display the files stored in flash memory.

Step 22 You should see the filename of the file you just uploaded displayed.

Step 23 Enter more flash:descript-confg to display as text the contents of the file.

Step 24 Your output from these steps should look similar to the following display:

RouterX#more flash:descript-confg
! This file demonstrates the way the IOS removes remarks
! from configuration files
! and allows parts of a configuration to be updated
!*********************[
interface serial 0/0/0
description Connection to Main Office
interface serial 0/0/1
description Unused Interface
end

Step 25 Notice that the file contains only a small number of configuration commands that were added to (or merged with) the existing running configuration. Also notice that the file contains comments. These comments are ignored and not stored in the running configuration.

Step 26 Enter the delete flash:descript-confg command to remove the file that you just uploaded from flash memory. Your output should look similar to the following display:

RouterX#delete flash:descript-confg
Delete filename [descript-confg]?
Delete flash:descript-confg? [confirm]

Step 27 Enter the command and subsequent parameters to copy the file descript-confg to startup-config. Your output should look similar to the following display:

RouterX#copy tftp start
RouterX#copy tftp startup-config
Address or name of remote host [10.x.x.1]?10.x.x.1
Source filename [descript-confg]?descript-confg
Destination filename [startup-config]?
Accessing tftp://10.x.x.1/descript-confg...
Loading descript-confg from 10.x.x.1 (via FastEthernet0/0): !
[OK - 289 bytes]
[OK]
289 bytes copied in 3.348 secs (86 bytes/sec)

Step 28 Enter the show startup command to display the contents of the startup-config file. Your output should look similar to the following display:

RouterX#show startup
Using 289 out of 245752 bytes
! This file demonstrates the way the IOS removes remarks
! from configuration files
! and allows parts of a configuration to be updated
!*********************[
interface serial 0/0/0
description Connection to Main Office
interface serial 0/0/1
description Unused Interface
end

Step 29 Notice that your starting configuration has been completely replaced by the small configuration file. This demonstrates that copying to the startup file is a replacement (or overwrite) operation. If your router were to restart now, it would not have any functioning interfaces!

Step 30 Enter the command to save your running configuration to startup-config.

Step 31 Use show startup to verify that the partial configuration in your startup-config file has been replaced by the full configuration from the running configuration.

Activity Verification

You have completed this task when you attain these results:

You saved your running configuration to your assigned TFTP server.

You uploaded a small configuration file to your running configuration.

You uploaded the configuration file to flash memory, and used the more command to output the file as text.

You removed the uploaded file from flash memory.

You uploaded the configuration file to the startup-config file and verified that it had overwritten all previous configuration entries.

You copied your running configuration to startup-config, replacing the partial configuration with the full running configuration.

Task 2: Use debug Commands

In this task, you will use show and debug commands to selectively display chosen dynamic events, while guarding against causing performance problems.

Activity Procedure

Complete these steps:

Step 1 In a nontraining environment, prior to issuing a debug command, you should check how heavily loaded the CPU is because this affects router performance. The debug commands are given the highest priority and can cause a router to restart. This may happen because software timers are not serviced, causing a fatal error to be inferred.

Step 2 Enter the command show processes to display information about the CPU utilization. Quit the display after the first page is output. Your output should look similar to the following display:

RouterX#show processes
CPU utilization for five seconds: 0%/0%; one minute: 0%; five minutes: 0%
 PID QTy       PC Runtime (ms)    Invoked   uSecs     Stacks TTY Process
   1 Cwe 400A7A2C            0          4       0  5456/6000   0 Chunk Manager
   2 Csp 4008C430            4       1614       2  2528/3000   0 Load Meter
   3 M*         0         7832     379196      20 7200/12000   0 Exec
.. ..Text omitted ..


Step 3 You should review the first line of the output, which indicates the CPU utilization over three time periods. This is bolded text in the example above. Your display should indicate a very low value also.

Step 4 Enter the show debugging command to verify that no other debug commands are active. Your output should indicate that there is no active debugging taking place.

Step 5 Enter the debug ip icmp command to turn on debugging of ICMP messages. Your output should look similar to the following display:

RouterX#debug ip icmp
ICMP packet debugging is on

Step 6 Repeat Step 4; your display should look something like the following:

RouterX#sh debugging
Generic IP:
  ICMP packet debugging is on

Step 7 Enter ping 10.x.x.1 to send ICMP echo request packets to your assigned TFTP server IP address. Your output should look similar to the following display:

RouterX#ping 10.10.10.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.10.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
RouterX#
*Apr 3 19:44:43.699: ICMP: echo reply rcvd, src 10.10.10.1, dst 10.10.10.3
*Apr 3 19:44:43.703: ICMP: echo reply rcvd, src 10.10.10.1, dst 10.10.10.3
*Apr 3 19:44:43.703: ICMP: echo reply rcvd, src 10.10.10.1, dst 10.10.10.3
*Apr 3 19:44:43.703: ICMP: echo reply rcvd, src 10.10.10.1, dst 10.10.10.3
*Apr 3 19:44:43.707: ICMP: echo reply rcvd, src 10.10.10.1, dst 10.10.10.3

Step 8 Enter the debug ip rip command to turn on the debugging of RIP routing packets.

Step 9 Wait a few minutes to observe some RIP routing protocol updates being sent and received. Your output should look similar to the following display:

RouterX#
*Apr 3 20:12:01.355: RIP: sending v2 update to 224.0.0.9 via FastEthernet0/0 (10.10.10.3)
*Apr 3 20:12:01.355: RIP: build update entries
*Apr 3 20:12:01.355:   10.140.10.0/24 via 0.0.0.0, metric 1, tag 0
*Apr 3 20:12:01.355:   10.140.10.1/32 via 0.0.0.0, metric 1, tag 0
*Apr 3 20:12:01.355:   192.168.21.0/24 via 0.0.0.0, metric 1, tag 0
*Apr 3 20:12:01.355:   192.168.121.0/24 via 0.0.0.0, metric 1, tag 0
*Apr 3 20:12:01.355:   192.168.131.0/24 via 0.0.0.0, metric 1, tag 0
*Apr 3 20:12:01.355:   192.168.221.0/24 via 0.0.0.0, metric 3, tag 0
RouterX#
*Apr 3 20:12:06.083: RIP: sending v2 update to 224.0.0.9 via Serial0/0/0 (10.140.10.2)
*Apr 3 20:12:06.083: RIP: build update entries
*Apr 3 20:12:06.083:   10.10.10.0/24 via 0.0.0.0, metric 1, tag 0
RouterX#
*Apr 3 20:12:27.295: RIP: received v2 update from 10.140.10.1 on Serial0/0/0
*Apr 3 20:12:27.295:   192.168.21.0/24 via 0.0.0.0 in 1 hops
*Apr 3 20:12:27.295:   192.168.121.0/24 via 0.0.0.0 in 1 hops
*Apr 3 20:12:27.295:   192.168.131.0/24 via 0.0.0.0 in 1 hops
*Apr 3 20:12:27.295:   192.168.221.0/24 via 0.0.0.0 in 2 hops
RouterX#


Step 10 Enter the command to display how many debug commands are active. Your output should look similar to the following display:

RouterX#show debugging
Generic IP:
  ICMP packet debugging is on
IP routing:
  RIP protocol debugging is on

Step 11 Although it is possible to individually turn off each debug command, it is quicker and more certain to turn off all debugging using a single command. Enter the no debug all command to remove all active debugging from the router.

RouterX#no debug all
All possible debugging has been turned off

Activity Verification

You have completed this task when you attain these results:

You observed that your router had a very low CPU utilization using the show processes command.

You used debug commands to observe the output of ICMP packets and RIP routing protocol updates.

You used the show debug command to verify which, if any, debug commands were active on your router.

You turned off all debugging operations using a single command.


Lab 6-4: Confirming the Reconfiguration of the Branch Network

Complete this lab activity to practice what you learned in the related module.

Activity Objective

In this activity, you will assume that you are taking over the reconfiguration of a branch network from an administrator who has not completed the configuration. In fact, there may be misconfiguration of some of the settings. You will use the knowledge and experience gained from the earlier labs to complete the reconfiguration, correction, and testing. After completing this activity, you will be able to meet these objectives:

Complete the configuration of your assigned workgroup switch using information provided in the checklist below

Complete the configuration of your workgroup router using information provided in the checklists below

See the routes indicated in the visual objective after enabling dynamic routing on your workgroup router

Perform tests to validate that your final configuration meets the new topology information

Visual Objective

The figure illustrates what you will accomplish in this activity.


Visual Objective for Lab 6-4 Confirming the Reconfiguration of the Branch Network


Required Resources

These are the resources and equipment that are required to complete this activity:

PC with connectivity to the remote lab

An SSH-capable terminal emulation application

Your new assigned pod access information for this lab provided in the Job Aids section

Command Lists

Refer to the command lists in the prior lab associated with the task you are completing.

Job Aids

These job aids are available to help you complete the lab activity.

Visual objective for this lab

Switch tasks worksheet

Router tasks worksheet

Table containing the addressing information for each workgroup

Table 1: Workgroup Address Information

| Workgroup | Switch Hostname | VLAN 1 IP Address (Mask /24) | Router Hostname | Fa0/0 IP Address (Mask /24) |
|-----------|-----------------|------------------------------|-----------------|-----------------------------|
| AA        | SwitchAA        | 10.22.22.11                  | RouterAA        | 10.22.22.3                  |
| BB        | SwitchBB        | 10.33.33.11                  | RouterBB        | 10.33.33.3                  |
| CC        | SwitchCC        | 10.44.44.11                  | RouterCC        | 10.44.44.3                  |
| DD        | SwitchDD        | 10.55.55.11                  | RouterDD        | 10.55.55.3                  |
| EE        | SwitchEE        | 10.66.66.11                  | RouterEE        | 10.66.66.3                  |
| FF        | SwitchFF        | 10.77.77.11                  | RouterFF        | 10.77.77.3                  |
| GG        | SwitchGG        | 10.88.88.11                  | RouterGG        | 10.88.88.3                  |
| HH        | SwitchHH        | 10.99.99.11                  | RouterHH        | 10.99.99.3                  |

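Table 2: Router s0/0/0 Address Information

| Workgroup | s0/0/0 IP Address (Mask /24) | Workgroup | s0/0/0 IP Address (Mask /24) |
|-----------|------------------------------|-----------|------------------------------|
| AA        | 10.140.11.2                  | EE        | 10.140.55.2                  |
| BB        | 10.140.22.2                  | FF        | 10.140.66.2                  |
| CC        | 10.140.33.2                  | GG        | 10.140.77.2                  |
| DD        | 10.140.44.2                  | HH        | 10.140.88.2                  |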


Switch Task Worksheet

Done Switch Task Worksheet Workgroup:

Task and Property (Lab) Information and Configuration Hint

1) Basic Configuration (Labs 2-2, 2-3)

Hostname (workgroup AA through HH) hostname SwitchXX

Interface vlan 1

IP address and subnet mask ip address ip_address mask

IP default gateway ip default-gateway ip_address

Enable password cisco

Enable secret sanfran

Use password encryption service password-encryption

Username and password for console and vty lines.

Netadmin has privilege level 15

username netadmin privilege 15 password netadmin

Vty lines line vty 0 15

Login uses local username and passwords login local

Console line line console 0

Login password required login

Console password sanjose

Login banner with suitable security message banner login % message %

Verify

2) Configure to Use SSH ONLY (Lab 2-3, Task 4)

Username and password netadmin netadmin

IP domain-name cisco.com

Generate crypto key RSA – 1024 bit

SSH version 2

Vty lines line vty 0 15

Limit protocols supported transport input ssh

Verify show run

3) Configure Port Security (Lab 2-3, Task 5)

Interface fa0/1

Switchport mode switchport mode access

Maximum number of addresses switchport port-security max 2

Violation action restrict switchport port-security violation restrict

MAC address learning = sticky switchport port-security mac-address sticky

Enable port security switchport port-security

Verify show port-security interface


Done Router Task Worksheet Workgroup:

Task and Property (Lab) Information and Configuration Hint

4) Secure Switch (Lab 2-3, Task 6, Lab 6-1, Task 2)

Shut down unused ports fa0/3-10, fa0/13-24, gi0/1-2

Limit Cisco Discovery Protocol to interface connected to router no cdp enable

Verify

Router Task Worksheet

Done Router Task Worksheet Workgroup:

Task and Property (Lab) Information and Configuration Hint

1) Basic Configuration (Lab 4-6)

Hostname (workgroup AA through HH) hostname RouterXX

Interface interface fa0/0

IP Address and subnet mask ip address ip_address mask

Enable password enable password cisco

Enable secret enable secret sanfran

Verify

2) Enhanced Configuration (Lab 4-7, Lab 6-1, Task 1)

Use password encryption service password-encryption

Username and password for console and vty lines.

User has privilege level 15

username netadmin privilege level password netadmin

Vty lines line vty 0 4

Login uses local username and passwords login local

Console line line console 0

Login uses password login

Console password password sanjose

Login banner with suitable security message banner login % message %

Limit Cisco Discovery Protocol to interface connected to switch no cdp enable

Verify

3) Configure to Use SSH ONLY (Lab 4-7, Task 4)

IP domain name cisco.com

Generate crypto key RSA – 1024 bit

Use version SSH v2 ip ssh version 2

Vty lines line vty 0 4

Limit protocols supported transport input ssh

Verify


4) Configure to Support Cisco SDM (Lab 4-8, Task 1)

Allows connection via HTTP ip http server

Allows connection via HTTPS ip http secure-server

Authentication uses local username and passwords ip http authentication local

5) Configure DHCP Server (Lab 4-8, Task 2) Support clients on Fa0/0 interface

Pool name Branchxx-clients

Starting IP address .150 150

Ending IP address .199 199

Lease time: 5 minutes 0 0 5

Default router: this router 10.xx.xx.3

Verify

6) Configure Internet Access (Lab 5-1)

Interface fa0/1

IP address uses DHCP Dynamic (DHCP Client)

PAT outside interface fa0/1

PAT inside interface fa0/0

Verify

7) Configure Connection to Main Office (Lab 5-2)

Interface s0/0/0

IP address of serial 0/0/0 – see table 2 ip address address mask

Encapsulation encapsulation ppp

Verify

8) Configure RIPv2 Routing (Lab 5-3)

Routing protocol router rip

RIP version 2 version 2

Protocol runs on interfaces network 10.0.0.0

Verify

9) Configure Boot Startup (Lab 6-2)

TFTP server address is .1 host on your local network. 10.nn.nn.1

Boot order should be specified as: Cisco IOS file in flash; Cisco IOS file from TFTP server; first found Cisco IOS file in flash

boot system flash filename

boot system tftp filename address

boot system flash

Verify


Task 1: Connect to the Remote Lab

Activity Procedure

You will connect to your newly assigned workgroup using the same menus that you used for the previous labs. Your new workgroup is identified using double letters. For example, if you are assigned to workgroup AA in this lab, then you use menu A, or if you are assigned to BB, use menu B, and so on.

In order to connect via a VPN tunnel to use Cisco SDM to perform configuration tasks on your workgroup router, you will need to use a different VPN client configuration profile. This profile will ensure that you are attached to the correct subnet to match your new workgroup subnet address.

Activity Verification

You have completed this task when you attain these results:

You have connected to the remote lab and attached to your workgroup devices using the same menus used in previous labs.

You have connected to the remote lab using the new VPN client profile to support using Cisco SDM for configuration of your workgroup router.

Task 2: Prepare to Verify Your Configuration

Activity Procedure

In order to verify that your branch is configured correctly, you will need to ensure that discrete parameters are configured in accordance with the values given for both your switch and router. You will use Cisco IOS commands to test that the overall branch configuration works appropriately. It is suggested that you perform this in three phases, and you may repeat the phases to reach a final working configuration.

In phase 1, gather together the necessary information regarding your assigned workgroup switch and router.

In phase 2, inspect your switch and router to ensure that the configuration matches the values you collected in phase 1. You may have to perform corrective action on the configuration, replacing missing or incorrect values. It may be necessary to use either Cisco SDM or the CLI for this phase. Reference to prior labs will provide you with the correct syntax and procedure to implement your configuration.


In phase 3, use Cisco IOS commands to test the functionality of the switch and router working together to support the overall configuration. These may be ping commands or explicit show commands that demonstrate, for example, that a DHCP client has received an address. If you encounter problems in this phase, you will have to consider where to look to remedy the problem. You should assume that the network around you is correctly configured and will work if your configuration matches the values supplied in the job aids and tables. If you have tried to fix your problems without success, ask your instructor for assistance.

Use the information provided in Tables 1 and 2 and transfer it to the visual objective so that you have your IP addressing information ready to reference as you proceed through the switch and router task sheets.

Activity Verification

You have completed this task when you attain this result:

You have read through the instructions and have prepared the necessary reference information, and you are ready to proceed to the next task.

Task 3: Verify Your Configuration

Activity Procedure

Use the information provided in Tables 1 and 2 and transfer it to the visual objective so that you have your IP addressing information ready to reference as you proceed through the switch and router worksheet tasks.

Use the check boxes as you work through the worksheet. You may need to refer to the labs that you completed earlier for more detailed information on completing or verifying your configuration.

No detailed steps are provided here, because all the information that you need is in either this lab or a prior lab. If you need any further guidance, you should discuss this with your instructor.

Activity Verification

You have completed this task when you attain these results for your branch:

Your basic switch configuration properties match those assigned to your workgroup.

Your switch has a banner message with suitable warning text.

Your switch SSH configuration properties match those assigned to your workgroup.

Your switch port security configuration properties match those assigned to your workgroup.

You secured your switch to match the properties assigned to your workgroup.

Your basic router configuration properties match those assigned to your workgroup.

Your router has a banner message with suitable warning text.

Your router password configuration properties match those assigned to your workgroup.

Your router SSH configuration properties match those assigned to your workgroup.

Your router DHCP server configuration properties match those assigned to your workgroup.


Your router Internet access configuration properties match those assigned to your workgroup.

Your router main office connection configuration properties match those assigned to your workgroup.

Your router dynamic routing configuration properties match those assigned to your workgroup.

Your router boot system configuration properties match those assigned to your workgroup.

You tested your branch for successful connectivity, routing, and DHCP server services.
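The switch worksheet items can also be checked mechanically against a saved running configuration instead of by eye. The following Python script is an added example, not part of the Cisco lab guide: the sample configuration is constructed (with two deliberate gaps), and the function and check names are hypothetical.

```python
# Added example: audit a saved switch running-config against the Lab 6-4
# switch worksheet. SAMPLE_CONFIG is constructed; check names are hypothetical.

SAMPLE_CONFIG = """\
service password-encryption
hostname SwitchAA
enable secret 5 <constructed-hash>
username netadmin privilege 15 password 7 <constructed>
ip domain-name cisco.com
ip ssh version 2
interface FastEthernet0/1
 switchport mode access
 switchport port-security maximum 2
 switchport port-security
 switchport port-security violation restrict
 switchport port-security mac-address sticky
interface FastEthernet0/2
 switchport mode access
interface FastEthernet0/3
 switchport mode access
interface FastEthernet0/4
 switchport mode access
 shutdown
interface Vlan1
 ip address 10.22.22.11 255.255.255.0
ip default-gateway 10.22.22.3
banner login ^C Authorized access only ^C
line con 0
 password 7 <constructed>
 login
line vty 0 4
 login local
 transport input ssh
line vty 5 15
 login local
end
"""

# Worksheet section 4: fa0/3-10, fa0/13-24 and gi0/1-2 are unused ports.
UNUSED_PORTS = {f"FastEthernet0/{n}" for n in (*range(3, 11), *range(13, 25))} | {
    "GigabitEthernet0/1", "GigabitEthernet0/2"}

# Worksheet section 3, in the form the commands take in a running configuration.
PORT_SECURITY = [
    "switchport mode access",
    "switchport port-security",
    "switchport port-security maximum 2",
    "switchport port-security violation restrict",
    "switchport port-security mac-address sticky",
]


def parse_sections(config_text):
    """Map each top-level command to the indented sub-commands beneath it."""
    sections, current = {}, None
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue  # blank lines and "!" separators or remarks
        if raw[0].isspace() and current is not None:
            sections[current].append(line)
        else:
            current = line
            sections.setdefault(current, [])
    return sections


def audit_switch(config_text):
    """Return (check, detail) findings; an empty list means every check passed."""
    sec = parse_sections(config_text)
    findings = []

    def require(ok, check, detail):
        if not ok:
            findings.append((check, detail))

    def has_prefix(prefix):
        return any(cmd.startswith(prefix) for cmd in sec)

    require("service password-encryption" in sec, "password-encryption", "service not enabled")
    require(has_prefix("enable secret "), "enable-secret", "no enable secret set")
    require(has_prefix("ip domain-name "), "ssh-domain", "no IP domain name")
    require("ip ssh version 2" in sec, "ssh-version", "SSH version 2 not set")
    require(has_prefix("banner login "), "banner", "no login banner")

    missing = [c for c in PORT_SECURITY if c not in sec.get("interface FastEthernet0/1", [])]
    require(not missing, "port-security", f"fa0/1 missing: {missing}")

    for name, body in sec.items():
        if name.startswith("line vty"):
            require("login local" in body, "vty-login", f"{name}: login local missing")
            # A vty range with no transport line, or with telnet allowed, fails.
            transports = [c for c in body if c.startswith("transport input")]
            require(transports == ["transport input ssh"], "vty-ssh-only",
                    f"{name}: expected only 'transport input ssh', found {transports}")
        elif name.startswith("line con"):
            require("login" in body and any(c.startswith("password ") for c in body),
                    "console-login", f"{name}: login or password missing")
        elif name.startswith("interface ") and name.split()[1] in UNUSED_PORTS:
            require("shutdown" in body, "unused-port", f"{name}: not shut down")
    return findings


if __name__ == "__main__":
    for check, detail in audit_switch(SAMPLE_CONFIG):
        print(f"FAIL {check}: {detail}")
```

Only interfaces present in the supplied text are checked, so run it against the complete show run output; a vty range such as line vty 5 15 is audited separately from line vty 0 4 because each range carries its own transport setting.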


Answer Key

The correct answers and expected solutions for the activities that are described in this guide appear here.

Labs 1-1, 1-2, 1-3, and 2-1 contained their answers within the labs and resulted in no configuration changes.

Lab 2-2 Answer Key: Performing Switch Startup and Initial Configuration

When you complete this activity, your workgroup switch configuration will be similar to the results here, with differences that are specific to your device or workgroup:

!
version 12.2
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname SwitchX
!
enable secret 5 $1$A11O$0z83HwmswM/vk5.RSZpVr.
enable password cisco
!
no aaa new-model
ip subnet-zero
!
!
!
!
!
!
no file verify auto
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
interface FastEthernet0/1
!
interface FastEthernet0/2
!
interface FastEthernet0/3
!
interface FastEthernet0/4
!
interface FastEthernet0/5
!
interface FastEthernet0/6
!
interface FastEthernet0/7
!
interface FastEthernet0/8
!
interface FastEthernet0/9


!
interface FastEthernet0/10
!
interface FastEthernet0/11
!
interface FastEthernet0/12
!
interface FastEthernet0/13
!
interface FastEthernet0/14
!
interface FastEthernet0/15
!
interface FastEthernet0/16
!
interface FastEthernet0/17
!
interface FastEthernet0/18
!
interface FastEthernet0/19
!
interface FastEthernet0/20
!
interface FastEthernet0/21
!
interface FastEthernet0/22
!
interface FastEthernet0/23
!
interface FastEthernet0/24
!
interface GigabitEthernet0/1
!
interface GigabitEthernet0/2
!
interface Vlan1
 ip address 10.10.10.11 255.255.255.0
 no ip route-cache
!
ip default-gateway 10.10.10.3
ip http server
ip http secure-server
!
control-plane
!
!
line con 0
line vty 0 4
 password sanjose
 no login
line vty 5 15
 password sanjose
 no login
!
end


Lab 2-3 Answer Key: Enhancing the Security of Initial Switch Configuration

When you complete this activity, your workgroup switch configuration will be similar to the results here, with differences that are specific to your device or workgroup:

!
version 12.2
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname SwitchX
!
enable secret 5 $1$A11O$0z83HwmswM/vk5.RSZpVr.
enable password 7 05080F1C2243
!
username netadmin password 7 030A5E1F070B2C4540
no aaa new-model
ip subnet-zero
!
ip domain-name cisco.com
ip ssh version 2
!
!
crypto pki trustpoint TP-self-signed-1833200768
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-1833200768
 revocation-check none
 rsakeypair TP-self-signed-1833200768
!
!
crypto ca certificate chain TP-self-signed-1833200768
 certificate self-signed 01
  quit
!
!


no file verify auto
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
interface FastEthernet0/1
 switchport mode access
 switchport port-security maximum 2
 switchport port-security
 switchport port-security violation restrict
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky 0017.5a78.be01
 switchport port-security mac-address sticky 001a.2fe7.3089
!
interface FastEthernet0/2
 switchport mode access
!
interface FastEthernet0/3
 switchport mode access
 shutdown
!
interface FastEthernet0/4
 switchport mode access
 shutdown
!
interface FastEthernet0/5
 switchport mode access
 shutdown
!
interface FastEthernet0/6
 switchport mode access
 shutdown
!
interface FastEthernet0/7
 switchport mode access
 shutdown
!
interface FastEthernet0/8
 switchport mode access
 shutdown
!
interface FastEthernet0/9
 switchport mode access
 shutdown
!
interface FastEthernet0/10
 switchport mode access
 shutdown
!
interface FastEthernet0/11
 switchport mode access
!
interface FastEthernet0/12
 switchport mode access
!
interface FastEthernet0/13
 switchport mode access
 shutdown
!
interface FastEthernet0/14


 switchport mode access
 shutdown
!
interface FastEthernet0/15
 switchport mode access
 shutdown
!
interface FastEthernet0/16
 switchport mode access
 shutdown
!
interface FastEthernet0/17
 switchport mode access
 shutdown
!
interface FastEthernet0/18
 switchport mode access
 shutdown
!
interface FastEthernet0/19
 switchport mode access
 shutdown
!
interface FastEthernet0/20
 switchport mode access
 shutdown
!
interface FastEthernet0/21
 switchport mode access
 shutdown
!
interface FastEthernet0/22
 switchport mode access
 shutdown
!
interface FastEthernet0/23
 switchport mode access
 shutdown
!
interface FastEthernet0/24
 switchport mode access
 shutdown
!
interface GigabitEthernet0/1
 switchport mode access
 shutdown
!
interface GigabitEthernet0/2
 switchport mode access
 shutdown
!
interface Vlan1
 ip address 10.10.10.11 255.255.255.0
 no ip route-cache
!
ip default-gateway 10.10.10.3
ip http server
ip http secure-server
!
control-plane
!

The PDF files and any printed representation for this material are the property of Cisco Systems, Inc.,for the sole use by Cisco employees for personal study. The files or printed representations may not beused in commercial training, and may not be distributed for purposes other than individual self-study.

Page 186: Interconnecting Cisco Networking Devices Part 1ccnav4.wikispaces.com/file/view/ICND+I+Lab+Guide.pdfInterconnecting Cisco Networking Devices Part 1 Version 1.0 Lab Guide Editorial,

178 Interconnecting Cisco Networking Devices Part 1 (ICND1) v1.0 © 2007 Cisco Systems, Inc.

banner login ^C ********** Warning ************* Access to this device is restricted to authorized persons only! Un-authorized access is prohibited. Violators will be prosecuted. **************************************************************^C ! line con 0 password 7 111A180B1D1D1809 login line vty 0 4 password 7 111A180B1D1D1809 login local line vty 5 15 password 7 111A180B1D1D1809 login local ! end


Lab 2-4 Answer Key: Operating and Configuring a Cisco IOS Device

When you complete this activity, your workgroup switch configuration will be similar to the results here, with differences that are specific to your device or workgroup:

!
version 12.2
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname SwitchX
!
enable secret 5 $1$A11O$0z83HwmswM/vk5.RSZpVr.
enable password 7 05080F1C2243
!
username netadmin password 7 030A5E1F070B2C4540
no aaa new-model
ip subnet-zero
!
ip domain-name cisco.com
ip ssh version 2
!
!
crypto pki trustpoint TP-self-signed-1833200768
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-1833200768
 revocation-check none
 rsakeypair TP-self-signed-1833200768
!
!
crypto ca certificate chain TP-self-signed-1833200768
 certificate self-signed 01
  quit
!
!
no file verify auto
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
interface FastEthernet0/1
 switchport mode access
 switchport port-security maximum 2
 switchport port-security
 switchport port-security violation restrict
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky 0017.5a78.be01
 switchport port-security mac-address sticky 001a.2fe7.3089
!
interface FastEthernet0/2
 switchport mode access
!
interface FastEthernet0/3
 switchport mode access
 shutdown
!
interface FastEthernet0/4
 switchport mode access
 shutdown
!
interface FastEthernet0/5
 switchport mode access
 shutdown
!
interface FastEthernet0/6
 switchport mode access
 shutdown
!
interface FastEthernet0/7
 switchport mode access
 shutdown
!
interface FastEthernet0/8
 switchport mode access
 shutdown
!
interface FastEthernet0/9
 switchport mode access
 shutdown
!
interface FastEthernet0/10
 switchport mode access
 shutdown
!
interface FastEthernet0/11
 switchport mode access
!
interface FastEthernet0/12
 switchport mode access
!
interface FastEthernet0/13
 switchport mode access
 shutdown
!
interface FastEthernet0/14
 switchport mode access
 shutdown
!
interface FastEthernet0/15
 switchport mode access
 shutdown
!
interface FastEthernet0/16
 switchport mode access
 shutdown
!
interface FastEthernet0/17
 switchport mode access
 shutdown
!
interface FastEthernet0/18
 switchport mode access
 shutdown
!
interface FastEthernet0/19
 switchport mode access
 shutdown
!
interface FastEthernet0/20
 switchport mode access
 shutdown
!
interface FastEthernet0/21
 switchport mode access
 shutdown
!
interface FastEthernet0/22
 switchport mode access
 shutdown
!
interface FastEthernet0/23
 switchport mode access
 shutdown
!
interface FastEthernet0/24
 switchport mode access
 shutdown
!
interface GigabitEthernet0/1
 switchport mode access
 shutdown
!
interface GigabitEthernet0/2
 switchport mode access
 shutdown
!
interface Vlan1
 ip address 10.10.10.11 255.255.255.0
 no ip route-cache
!
ip default-gateway 10.10.10.3
ip http server
ip http secure-server
!
control-plane
!
banner login ^C
********** Warning *************
Access to this device is restricted to authorized persons only!
Un-authorized access is prohibited. Violators will be prosecuted.
**************************************************************^C
!
line con 0
 password 7 111A180B1D1D1809
 login
line vty 0 4
 password 7 111A180B1D1D1809
 login local
line vty 5 15
 password 7 111A180B1D1D1809
 login local
!
end
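A hardening review of the configuration above would flag several of its settings. The following Python check is an added example, not part of the lab guide: it runs over an excerpt constructed from that configuration (secrets replaced by placeholders), and the rule names and the functions parse_sections and audit are assumptions of this example.

```python
import re

# Excerpt constructed from the answer-key configuration above; most interfaces
# are left out and every secret is replaced by a placeholder.
SAMPLE_CONFIG = """\
service password-encryption
enable secret 5 <hash>
enable password 7 <obfuscated>
username netadmin password 7 <obfuscated>
ip ssh version 2
interface FastEthernet0/1
 switchport mode access
 switchport port-security maximum 2
 switchport port-security
 switchport port-security violation restrict
 switchport port-security mac-address sticky
interface FastEthernet0/2
 switchport mode access
interface FastEthernet0/3
 switchport mode access
 shutdown
ip http server
ip http secure-server
line con 0
 password 7 <obfuscated>
 login
line vty 0 4
 password 7 <obfuscated>
 login local
line vty 5 15
 password 7 <obfuscated>
 login local
"""

# Rule names are this example's own; the text is the reason for each finding.
RULES = {
    "enable-password": "'enable password' is kept in clear text or reversible "
                       "type 7 form; keep only 'enable secret'",
    "user-password": "'username ... password' is kept in clear text or "
                     "reversible type 7 form; use 'username ... secret'",
    "http-server": "'ip http server' offers management over unencrypted HTTP; "
                   "keep only 'ip http secure-server'",
    "line-password": "line password is kept in clear text or reversible type 7 form",
    "vty-not-ssh-only": "vty line is not restricted with 'transport input ssh'",
    "no-port-security": "active access port without 'switchport port-security'",
}


def parse_sections(text):
    """Group an indented IOS configuration into (header, [sub-commands]) pairs."""
    sections = []
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.strip() == "!":
            continue
        if line.startswith(" ") and sections:
            sections[-1][1].append(line.strip())
        else:
            sections.append((line.strip(), []))
    return sections


def audit(text):
    """Return (rule, location) findings in the order they appear in the config."""
    findings = []
    for header, children in parse_sections(text):
        if header.startswith("enable password "):
            findings.append(("enable-password", "global"))
        user = re.match(r"username (\S+) password ", header)
        if user:
            findings.append(("user-password", "username " + user.group(1)))
        if header == "ip http server":
            findings.append(("http-server", "global"))
        if header.startswith("line "):
            if any(c.startswith("password ") for c in children):
                findings.append(("line-password", header))
            if header.startswith("line vty") and "transport input ssh" not in children:
                findings.append(("vty-not-ssh-only", header))
        if header.startswith("interface "):
            # Only the bare 'switchport port-security' command enables the
            # feature; 'maximum', 'violation' and 'mac-address' only tune it.
            if ("switchport mode access" in children
                    and "shutdown" not in children
                    and "switchport port-security" not in children):
                findings.append(("no-port-security", header))
    return findings


if __name__ == "__main__":
    for rule, where in audit(SAMPLE_CONFIG):
        print(f"{where}: {RULES[rule]}")
```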


Lab 4-1 Answer Key: Converting Decimal to Binary and Binary to Decimal

When you complete this activity, your results will match the results here.

Task 1: Convert from Decimal Notation to Binary Format

Base-2    2^7  2^6  2^5  2^4  2^3  2^2  2^1  2^0
Decimal   128   64   32   16    8    4    2    1   Binary
48          0    0    1    1    0    0    0    0   48 = 32+16 = 00110000
146         1    0    0    1    0    0    1    0   146 = 128+16+2 = 10010010
222         1    1    0    1    1    1    1    0   222 = 128+64+16+8+4+2 = 1101110
119         0    1    1    1    0    1    1    1   119 = 64+32+16+4+2+1 = 01110111
135         1    0    0    0    0    1    1    1   135 = 128+4+2+1 = 10000111
60          0    0    1    1    1    1    0    0   60 = 32+16+8+4 = 00111100

Task 2: Convert from Binary Notation to Decimal Format

Base-2     2^7  2^6  2^5  2^4  2^3  2^2  2^1  2^0
Binary     128   64   32   16    8    4    2    1   Decimal
11001100     1    1    0    0    1    1    0    0   128+64+8+4 = 204
10101010     1    0    1    0    1    0    1    0   128+32+8+2 = 170
11100011     1    1    1    0    0    0    1    1   128+64+32+2+1 = 227
10110011     1    0    1    1    0    0    1    1   128+32+16+2+1 = 179
00110101     0    0    1    1    0    1    0    1   32+16+4+1 = 53
10010111     1    0    0    1    0    1    1    1   128+16+4+2+1 = 151


Lab 4-2 Answer Key: Classifying Network Addressing

When you complete this activity, your results will match the results here.

Task 1: Convert from Decimal IP Address to Binary Format

The table to express 145.32.59.24 in binary format is shown here.

Base-2    2^7  2^6  2^5  2^4  2^3  2^2  2^1  2^0
Decimal   128   64   32   16    8    4    2    1   Binary
145         1    0    0    1    0    0    0    1   10010001
32          0    0    1    0    0    0    0    0   00100000
59          0    0    1    1    1    0    1    1   00111011
24          0    0    0    1    1    0    0    0   00011000

Binary Format IP Address: 10010001.00100000.00111011.00011000

Step 1 The table to express 200.42.129.16 in binary format is shown here.

Base-2    2^7  2^6  2^5  2^4  2^3  2^2  2^1  2^0
Decimal   128   64   32   16    8    4    2    1   Binary
200         1    1    0    0    1    0    0    0   11001000
42          0    0    1    0    1    0    1    0   00101010
129         1    0    0    0    0    0    0    1   10000001
16          0    0    0    1    0    0    0    0   00010000

Binary Format IP Address: 11001000.00101010.10000001.00010000

Step 2 The table to express 14.82.19.54 in binary format is shown here.

Base-2    2^7  2^6  2^5  2^4  2^3  2^2  2^1  2^0
Decimal   128   64   32   16    8    4    2    1   Binary
14          0    0    0    0    1    1    1    0   00001110
82          0    1    0    1    0    0    1    0   01010010
19          0    0    0    1    0    0    1    1   00010011
54          0    0    1    1    0    1    1    0   00110110

Binary Format IP Address: 00001110.01010010.00010011.00110110


Task 2: Convert from Binary Format to Decimal IP Address

Step 1 The table to express 11011000.00011011.00111101.10001001 in decimal IP address format is shown here.

Base-2     2^7  2^6  2^5  2^4  2^3  2^2  2^1  2^0
Binary     128   64   32   16    8    4    2    1   Decimal
11011000     1    1    0    1    1    0    0    0   216
00011011     0    0    0    1    1    0    1    1   27
00111101     0    0    1    1    1    1    0    1   61
10001001     1    0    0    0    1    0    0    1   137

Decimal Format IP Address: 216.27.61.137

Step 2 The table to express 11000110.00110101.10010011.00101101 in decimal IP address format is shown here.

Base-2     2^7  2^6  2^5  2^4  2^3  2^2  2^1  2^0
Binary     128   64   32   16    8    4    2    1   Decimal
11000110     1    1    0    0    0    1    1    0   198
00110101     0    0    1    1    0    1    0    1   53
10010011     1    0    0    1    0    0    1    1   147
00101101     0    0    1    0    1    1    0    1   45

Decimal Format IP Address: 198.53.147.45

Step 3 The table to express 01111011.00101101.01000011.01011001 in decimal IP address format is shown here.

Base-2     2^7  2^6  2^5  2^4  2^3  2^2  2^1  2^0
Binary     128   64   32   16    8    4    2    1   Decimal
01111011     0    1    1    1    1    0    1    1   123
00101101     0    0    1    0    1    1    0    1   45
01000011     0    1    0    0    0    0    1    1   67
01011001     0    1    0    1    1    0    0    1   89

Decimal Format IP Address: 123.45.67.89


Task 3: Identify IP Address Classes

Binary IP Address                     Decimal IP Address  Address Class  Number of Bits in Network ID  Maximum Number of Hosts (2^h - 2)
10010001.00100000.00111011.00011000   145.32.59.24        Class B        16                            2^16 - 2 = 65,534
11001000.00101010.10000001.00010000   200.42.129.16       Class C        24                            2^8 - 2 = 254
00001110.01010010.00010011.00110110   14.82.19.54         Class A        8                             2^24 - 2 = 16,777,214
11011000.00011011.00111101.10001001   216.27.61.137       Class C        24                            2^8 - 2 = 254
10110011.00101101.01000011.01011001   179.45.67.89        Class B        16                            2^16 - 2 = 65,534
11000110.00110101.10010011.00101101   198.53.147.45       Class C        24                            2^8 - 2 = 254

Task 4: Identify Valid and Invalid Host IP Addresses

Decimal IP Address  Valid or Invalid  If Invalid, Indicate Reason
23.75.345.200       Invalid           345 exceeds an 8-bit value (maximum = 255)
216.27.61.134       Valid
102.54.94           Invalid           One octet is missing
255.255.255.255     Invalid           Valid number but is an administrative number that should not be assigned to a host
142.179.148.200     Valid
200.42.129.16       Valid
0.124.0.0           Invalid           A Class A address cannot use 0 as the first octet


Lab 4-3 Answer Key: Computing Usable Subnetworks and Hosts

When you complete this activity, your results will match the results here.

Task 1: Determine the Number of Bits Required to Subnet a Class C Network

Given a Class C network address of 192.168.89.0, the completed table is shown here.

Number of Subnets  Number of Bits to Borrow  Number of Hosts per Subnet (2^h - 2)
2                  1                         2^7 - 2 = 126
5                  3                         2^5 - 2 = 30
12                 4                         2^4 - 2 = 14
24                 5                         2^3 - 2 = 6
40                 6                         2^2 - 2 = 2

Task 2: Determine the Number of Bits Required to Subnet a Class B Network

Given a Class B network address of 172.25.0.0, the completed table is shown here.

Number of Subnets  Number of Bits to Borrow  Number of Hosts per Subnet (2^h - 2)
5                  3                         2^13 - 2 = 8,190
8                  3                         2^13 - 2 = 8,190
14                 4                         2^12 - 2 = 4,094
20                 5                         2^11 - 2 = 2,046
35                 6                         2^10 - 2 = 1,022

Task 3: Determine the Number of Bits Required to Subnet a Class A Network

Given a Class A network address of 10.0.0.0, the completed table is shown here.

Number of Subnets  Number of Bits to Borrow  Number of Hosts per Subnet (2^h - 2)
10                 4                         2^20 - 2 = 1,048,574
14                 4                         2^20 - 2 = 1,048,574
20                 5                         2^19 - 2 = 524,286
40                 6                         2^18 - 2 = 262,142
80                 7                         2^17 - 2 = 131,070


Lab 4-4: Answer Key

When you complete this activity, your results will match the results here.

Task 1: Determine the Number of Possible Network Addresses

Classful Address  Decimal Subnet Mask  Binary Subnet Mask                   Number of Hosts per Subnet (2^h - 2)
/20               255.255.240.0        11111111.11111111.11110000.00000000  4,094
/21               255.255.248.0        11111111.11111111.11111000.00000000  2,046
/22               255.255.252.0        11111111.11111111.11111100.00000000  1,022
/23               255.255.254.0        11111111.11111111.11111110.00000000  510
/24               255.255.255.0        11111111.11111111.11111111.00000000  254
/25               255.255.255.128      11111111.11111111.11111111.10000000  126
/26               255.255.255.192      11111111.11111111.11111111.11000000  62
/27               255.255.255.224      11111111.11111111.11111111.11100000  30
/28               255.255.255.240      11111111.11111111.11111111.11110000  14
/29               255.255.255.248      11111111.11111111.11111111.11111000  6
/30               255.255.255.252      11111111.11111111.11111111.11111100  2

Task 2: Given a Network Block, Define Subnets

Assume that you have been assigned the 172.25.0.0 /16 network block. You need to establish eight subnets. Complete the following questions.

1. How many bits do you need to borrow to define 12 subnets? 4

2. Specify the classful address and subnet mask in binary and decimal that allows you to create 12 subnets.
   Classful address: /20
   Subnet mask (binary): 11111111.11111111.11110000.00000000
   Subnet mask (decimal): 255.255.240.0

3. Use the eight-step method to define the 12 subnets.

   Step 1. Write down the octet that is being split in binary.
           Example: 00000000

   Step 2. Write the mask or classful prefix length in binary.
           Example: 11110000

   Step 3. Draw a line to delineate the significant bits in the assigned IP address. Cross out the mask so that you can view the significant bits in the IP address.
           Example:
           0000 0000
           1111 0000

   Step 4. Copy the significant bits four times.
   Step 5. In the first line, define the network address by placing 0s in the remaining host bits.
   Step 6. In the last line, define the directed-broadcast address by placing 1s in the host bits.
   Step 7. In the middle lines, define the first and last host ID for this subnet.
           Example:
           0000 0000 (first subnet)
           0000 0001 (first host address)
           0000 1110 (last host address)
           0000 1111 (broadcast address)

   Step 8. Increment the subnet bits by one to determine the next subnet address. Repeat Steps 4 through 8 for all subnets.
           Example: 0001 0000 (next subnet)

4. Complete this table to define each subnet.

Subnet Number  Subnet Address  Range of Host Addresses       Directed-Broadcast Address
0              172.25.0.0      172.25.1.0 to 172.25.14.0     172.25.15.0
1              172.25.16.0     172.25.17.0 to 172.25.30.0    172.25.31.0
2              172.25.32.0     172.25.33.0 to 172.25.46.0    172.25.47.0
3              172.25.48.0     172.25.49.0 to 172.25.62.0    172.25.63.0
4              172.25.64.0     172.25.65.0 to 172.25.78.0    172.25.79.0
5              172.25.80.0     172.25.81.0 to 172.25.92.0    172.25.95.0
6              172.25.94.0     172.25.95 to 172.25.108.0     172.25.109.0
7              172.25.110.0    172.25.111.0 to 172.25.124.0  172.25.125.0

Task 3: Given Another Network Block, Define Subnets

Assume that you have been assigned the 192.168.1.0 /24 network block.

1. How many bits do you need to borrow to define six subnets? 3

2. Specify the classful address and subnet mask in binary and decimal that allows you to create six subnets.
   Classful address: /27
   Subnet mask (binary): 11111111.11111111.11111111.11100000
   Subnet mask (decimal): 255.255.255.224

3. Use the eight-step method to define the six subnets.

   Step 1. Write down the octet that is being split in binary.
           Example: 00000000

   Step 2. Write the mask or classful prefix length in binary.
           Example: 11100000

   Step 3. Draw a line to delineate the significant bits in the assigned IP address. Cross out the mask so that you can view the significant bits in the IP address.
           Example:
           000 00000
           111 00000

   Step 4. Copy the significant bits four times.
   Step 5. In the first line, define the network address by placing 0s in the remaining host bits.
   Step 6. In the last line, define the directed-broadcast address by placing 1s in the host bits.
   Step 7. In the middle lines, define the first and last host ID for this subnet.
           Example:
           000 00000 (first subnet)
           000 00001 (first host address)
           000 11110 (last host address)
           000 11111 (broadcast address)

   Step 8. Increment the subnet bits by one to determine the next subnet address. Repeat Steps 4 through 8 for all subnets.
           Example: 001 00000 (next subnet)

4. Complete this table to define each subnet.

Subnet Number  Subnet Address  Range of Host Addresses         Directed-Broadcast Address
0              192.168.1.0     192.168.1.1 to 192.168.1.30     192.168.1.31
1              192.168.1.32    192.168.1.33 to 192.168.1.62    192.168.1.63
2              192.168.1.64    192.168.1.65 to 192.168.1.94    192.168.1.95
3              192.168.1.96    192.168.1.97 to 192.168.1.126   192.168.1.127
4              192.168.1.128   192.168.1.129 to 192.168.1.158  192.168.1.159
5              192.168.1.160   192.168.1.161 to 192.168.1.190  192.168.1.191

Task 4: Given a Network Block and Classful Address, Define Subnets

Assume that you have been assigned the 192.168.111.0 /28 network block.

1. Specify the subnet mask in binary and decimal.
   Subnet mask (binary): 11111111.11111111.11111111.11110000
   Subnet mask (decimal): 255.255.255.240

2. How many subnets can you define with the specified mask? 16

3. How many hosts will be in each subnet? 14

4. Use the eight-step method to define the subnets.

   Step 1. Write down the octet that is being split in binary.
           Example: 10000001

   Step 2. Write the mask or classful prefix length in binary.
           Example: 11110000

   Step 3. Draw a line to delineate the significant bits in the assigned IP address. Cross out the mask so that you can view the significant bits in the IP address.
           Example:
           1000 0001
           1111 0000

   Step 4. Copy the significant bits four times.
   Step 5. In the first line, define the network address by placing 0s in the remaining host bits.
   Step 6. In the last line, define the directed-broadcast address by placing 1s in the host bits.
   Step 7. In the middle lines, define the first and last host ID for this subnet.
           Example:
           1000 0000 (first subnet)
           1000 0001 (first host address)
           1000 1110 (last host address)
           1000 1111 (broadcast address)

   Step 8. Increment the subnet bits by one to determine the next subnet address. Repeat Steps 4 through 8 for all subnets.
           Example: 1001 0000 (next subnet)

5. Complete this table to define the subnets.

Subnet Number  Subnet Address   Range of Host Addresses             Directed-Broadcast Address
0              192.168.111.0    192.168.111.1 to 192.168.111.126    192.168.111.127
1              192.168.111.128  192.168.111.129 to 192.168.111.142  192.168.111.143
2              192.168.111.144  192.168.111.145 to 192.168.111.158  192.168.111.159
3              192.168.111.160  192.168.111.161 to 192.168.111.174  192.168.111.175
4              192.168.111.176  192.168.111.177 to 192.168.111.190  192.168.111.191
5              192.168.111.192  192.168.111.193 to 192.168.111.206  192.168.111.207
6              192.168.111.208  192.168.111.209 to 192.168.111.222  192.168.111.223

Task 5: Given a Network Block and Classful Address, Define Subnets

Assume that you have been assigned the 172.25.0.0 /23 network block.

1. Specify the subnet mask in binary and decimal.
   Subnet mask (binary): 11111111.11111111.11111110.00000000
   Subnet mask (decimal): 255.255.254.0

2. How many subnets can you define with the specified mask? 126

3. How many hosts will be in each subnet? 510

4. Use the eight-step method to define the subnets.

   Step 1. Write down the octet that is being split in binary.
           Example: 01110000.00000000

   Step 2. Write the mask or classful prefix length in binary.
           Example: 11111110.00000000

   Step 3. Draw a line to delineate the significant bits in the assigned IP address. Cross out the mask so that you can view the significant bits in the IP address.
           Example:
           0111000 0.00000000
           1111111 0.00000000

   Step 4. Copy the significant bits four times.
   Step 5. In the first line, define the network address by placing 0s in the remaining host bits.
   Step 6. In the last line, define the directed-broadcast address by placing 1s in the host bits.
   Step 7. In the middle lines, define the first and last host ID for this subnet.
           Example:
           0111000 0.00000000 (first subnet)
           0111000 0.00000001 (first host address)
           0111000 1.11111110 (last host address)
           0111000 1.11111111 (broadcast address)

   Step 8. Increment the subnet bits by one to determine the next subnet address. Repeat Steps 4 through 8 for all subnets.
           Example: 0111001 0.00000000 (next subnet)

5. Complete this table to define each subnet.

Subnet Number  Subnet Address  Range of Host Addresses      Directed-Broadcast Address
0              172.25.0.0      172.25.0.1 to 172.25.1.254   172.25.1.255
1              172.25.2.0      172.25.2.1 to 172.25.3.254   172.25.3.255
2              172.25.4.0      172.25.4.1 to 172.25.5.254   172.25.5.255
3              172.25.6.0      172.25.6.1 to 172.25.7.254   172.25.7.255
4              172.25.8.0      172.25.8.1 to 172.25.9.254   172.25.9.255
. . .

Task 6: Given a Network Block and Classful Address, Define Subnets

Assume that you have been assigned the 172.20.0.0 /25 network block.

1. Specify the subnet mask in binary and decimal.
   Subnet mask (binary): 11111111.11111111.11111111.10000000
   Subnet mask (decimal): 255.255.255.128

2. How many subnets can you define with the specified mask? 510

3. How many hosts will be in each subnet? 126

4. Use the eight-step method to define the subnets.

   Step 1. Write down the octet that is being split in binary.
           Example: 00000000.10000001

   Step 2. Write the mask or classful prefix length in binary.
           Example: 11111111.10000000

   Step 3. Draw a line to delineate the significant bits in the assigned IP address. Cross out the mask so that you can view the significant bits in the IP address.
           Example:
           1 0000001
           1 0000000

   Step 4. Copy the significant bits four times.
   Step 5. In the first line, define the network address by placing 0s in the remaining host bits.
   Step 6. In the last line, define the directed-broadcast address by placing 1s in the host bits.
   Step 7. In the middle lines, define the first and last host ID for this subnet.
           Example:
           00000000.10000000 (first subnet)
           00000000.10000001 (first host address)
           00000000.11111110 (last host address)
           00000000.11111111 (broadcast address)

   Step 8. Increment the subnet bits by one to determine the next subnet address. Repeat Steps 4 through 8 for all subnets.
           Example: 00000001.10000000 (next subnet)

5. Complete this table to define the subnets.

Subnet Number  Subnet Address  Range of Host Addresses        Directed-Broadcast Address
0              172.20.0.0      172.20.0.1 to 172.20.0.126     172.20.0.127
1              172.20.0.128    172.20.0.129 to 172.20.0.254   172.20.0.255
2              172.20.1.0      172.20.1.1 to 172.20.1.126     172.20.1.127
3              172.20.1.128    172.20.1.129 to 172.20.1.254   172.20.1.255
4              172.20.2.0      172.20.2.1 to 172.20.2.126     172.20.2.127
5              172.20.2.128    172.20.2.129 to 172.20.2.254   172.20.2.255
. . .
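The eight-step method used in Tasks 2 through 6 can be carried out with integer bit operations. The following Python sketch is an added example, not part of the lab guide; the function names are assumptions of this example, the block is given with its classful prefix, and every subnet the borrowed bits produce is counted, subnet zero included, as in the Lab 4-3 tables.

```python
import ipaddress


def bits_to_borrow(subnets_needed):
    """Smallest s such that 2**s >= subnets_needed."""
    if subnets_needed < 1:
        raise ValueError("need at least one subnet")
    return (subnets_needed - 1).bit_length()


def hosts_per_subnet(prefix_len):
    """Usable hosts, 2**h - 2, where h is the number of host bits left."""
    return 2 ** (32 - prefix_len) - 2


def mask_for(prefix_len):
    """Return the subnet mask as (dotted decimal, dotted binary)."""
    mask = ipaddress.IPv4Network(f"0.0.0.0/{prefix_len}").netmask
    binary = ".".join(f"{octet:08b}" for octet in mask.packed)
    return str(mask), binary


def dotted(value):
    """Format a 32-bit integer as a dotted-decimal IPv4 address."""
    return str(ipaddress.IPv4Address(value))


def define_subnets(block, new_prefix, count=None):
    """Apply steps 4 to 8 to every subnet of `block` at /new_prefix.

    `block` is the assigned network with its classful prefix, for example
    "192.168.1.0/24". Returns tuples of
    (subnet number, subnet address, first host, last host, broadcast).
    """
    base = ipaddress.IPv4Network(block, strict=True)
    if not base.prefixlen <= new_prefix <= 30:
        raise ValueError("new prefix must lie between the block's prefix and /30")
    host_bits = 32 - new_prefix
    step = 1 << host_bits                  # step 8: one increment of the subnet bits
    total = 1 << (new_prefix - base.prefixlen)
    wanted = total if count is None else min(count, total)

    rows = []
    subnet = int(base.network_address)     # step 5: host bits all 0
    for number in range(wanted):
        broadcast = subnet | (step - 1)    # step 6: host bits all 1
        rows.append((number,
                     dotted(subnet),
                     dotted(subnet + 1),   # step 7: first host
                     dotted(broadcast - 1),  # step 7: last host
                     dotted(broadcast)))
        subnet += step                     # step 8: next subnet
    return rows


if __name__ == "__main__":
    # Task 3: 192.168.1.0 /24 split for six subnets.
    borrowed = bits_to_borrow(6)
    prefix = 24 + borrowed
    print(f"/{prefix}", *mask_for(prefix), hosts_per_subnet(prefix))
    for row in define_subnets("192.168.1.0/24", prefix, count=6):
        print("{:<3}{:<16}{} to {:<16}{}".format(*row))
```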


Lab 4-5 Answer Key: Performing Initial Router Startup

When you complete this activity, your workgroup switch will have no configuration. Displayed here is the output of the erase startup-config command. Remember that the username and password “cisco” and “cisco” come from the default Cisco SDM configuration. Your output will be similar to the results here:

Username: cisco
Password:
yourname#erase startup-config
Erasing the nvram filesystem will remove all configuration files! Continue? [confirm]
[OK]
Erase of nvram: complete
yourname#
*Mar 13 17:28:00.003: %SYS-7-NV_BLOCK_INIT: Initialized the geometry of nvram
yourname#reload
Proceed with reload? [confirm]
*Mar 13 17:28:07.939: %SYS-5-RELOAD: Reload requested by console. Reload Reason: Reload Command.
System Bootstrap, Version 12.4(13r)T, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 2006 by cisco Systems, Inc.
Initializing memory for ECC
.
c2811 platform with 262144 Kbytes of main memory
Main memory is configured to 64 bit mode with ECC enabled
Upgrade ROMMON initialized
program load complete, entry point: 0x8000f000, size: 0xcb80
program load complete, entry point: 0x8000f000, size: 0xcb80
program load complete, entry point: 0x8000f000, size: 0x228d9f8
Self decompressing the image : ####################################################################################################################################################################################################### [OK]
Smart Init is enabled
smart init is sizing iomem
  ID            MEMORY_REQ         TYPE
0003E7          0X003DA000 C2811 Mainboard
                0X00263F50 Onboard VPN
                0X000021B8 Onboard USB
                0X002C29F0 public buffer pools
                0X00211000 public particle pools
TOTAL:          0X00B13AF8
If any of the above Memory Requirements are "UNKNOWN", you may be using an unsupported
configuration or there is a software problem and system operation may be compromised.
Rounded IOMEM up to: 12Mb.
Using 4 percent iomem. [12Mb/256Mb]
Restricted Rights Legend
Use, duplication, or disclosure by the Government is
subject to restrictions as set forth in subparagraph
(c) of the Commercial Computer Software - Restricted
Rights clause at FAR sec. 52.227-19 and subparagraph
(c) (1) (ii) of the Rights in Technical Data and Computer
Software clause at DFARS sec. 252.227-7013.
cisco Systems, Inc.
170 West Tasman Drive
San Jose, California 95134-1706
Cisco IOS Software, 2800 Software (C2800NM-ADVIPSERVICESK9-M), Version 12.4(12), RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2006 by Cisco Systems, Inc.
Compiled Fri 17-Nov-06 12:02 by prod_rel_team
Image text-base: 0x40093160, data-base: 0x42B00000
This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.
A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
If you require further assistance please contact us by sending email to
[email protected].
Cisco 2811 (revision 49.46) with 249856K/12288K bytes of memory.
Processor board ID FTX1050A3Q6
2 FastEthernet interfaces
2 Serial(sync/async) interfaces
1 Virtual Private Network (VPN) Module
DRAM configuration is 64 bits wide with parity enabled.
239K bytes of non-volatile configuration memory.
62720K bytes of ATA CompactFlash (Read/Write)
--- System Configuration Dialog ---
Would you like to enter the initial configuration dialog? [yes/no]: no
Press RETURN to get started!
sslinit fn
*Mar 13 17:29:36.819: %VPN_HW-6-INFO_LOC: Crypto engine: onboard 0 State changed to: Initialized
*Mar 13 17:29:36.819: %VPN_HW-6-INFO_LOC: Crypto engine: onboard 0 State changed to: Enabled
*Mar 13 17:29:38.087: %LINEPROTO-5-UPDOWN: Line protocol on Interface VoIP-Null0, changed state to up
*Mar 13 17:29:38.087: %LINK-3-UPDOWN: Interface FastEthernet0/0, changed state to up
*Mar 13 17:29:38.087: %LINK-3-UPDOWN: Interface FastEthernet0/1, changed state to up
*Mar 13 17:29:38.087: %LINK-3-UPDOWN: Interface Serial0/0/0, changed state to up
*Mar 13 17:29:38.087: %LINK-3-UPDOWN: Interface Serial0/0/1, changed state to down
*Mar 13 17:29:39.491: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to down
*Mar 13 17:29:39.495: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to down
*Mar 13 17:29:39.495: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0/0, changed state to up
*Mar 13 17:29:39.495: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0/1, changed state to down
*Mar 13 17:29:41.311: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to up
*Mar 13 17:29:41.371: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to up
*Mar 13 17:30:04.463: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0/0, changed state to down
*Mar 13 17:30:07.223: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0/0, changed state to up
*Mar 13 17:31:02.663: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0/0, changed state to down
*Mar 13 17:31:44.471: %LINK-5-CHANGED: Interface FastEthernet0/0, changed state to administratively down
*Mar 13 17:31:44.471: %LINK-5-CHANGED: Interface FastEthernet0/1, changed state to administratively down
*Mar 13 17:31:44.471: %LINK-5-CHANGED: Interface Serial0/0/0, changed state to administratively down
*Mar 13 17:31:44.475: %LINK-5-CHANGED: Interface Serial0/0/1, changed state to administratively down
*Mar 13 17:31:44.491: %IP-5-WEBINST_KILL: Terminating DNS process
*Mar 13 17:31:45.471: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to down
*Mar 13 17:31:45.471: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to down
*Mar 13 17:31:46.007: %SYS-5-RESTART: System restarted --
Cisco IOS Software, 2800 Software (C2800NM-ADVIPSERVICESK9-M), Version 12.4(12), RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2006 by Cisco Systems, Inc.
Compiled Fri 17-Nov-06 12:02 by prod_rel_team
*Mar 13 17:31:46.011: %SNMP-5-COLDSTART: SNMP agent on host Router is undergoing a cold start
*Mar 13 17:31:46.219: %SYS-6-BOOTTIME: Time taken to reboot after reload = 216 seconds
*Mar 13 17:31:46.399: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is OFF

Lab 4-6 Answer Key: Performing Initial Router Configuration

When you complete this activity, your workgroup router configuration will be similar to the results here, with differences that are specific to your device or workgroup:

!
version 12.4
!
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname RouterX
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$.dET$BDxkofHF3aAsRthe/c0.c.
enable password cisco
!
no aaa new-model
!
!
ip cef
!
!
!
!
voice-card 0
 no dspfarm
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface FastEthernet0/0
 ip address 10.10.10.3 255.255.255.0
 duplex half
 speed auto
 no mop enabled
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Serial0/0/0
 no ip address
 shutdown
 no fair-queue
!
interface Serial0/0/1
 no ip address
 shutdown
 clock rate 2000000
!
!
!
ip http server
no ip http secure-server
!
dialer-list 1 protocol ip permit
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
!
line con 0
line aux 0
line vty 0 4
 password sanjose
 login
!
scheduler allocate 20000 1000
!
end

Lab 4-7 Answer Key: Enhancing the Security of Initial Router Configuration

When you complete this activity, your workgroup router configuration will be similar to the results here, with differences that are specific to your device or workgroup:

!
!
version 12.4
!
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname RouterX
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$.dET$BDxkofHF3aAsRthe/c0.c.
enable password 7 14141B180F0B
!
no aaa new-model
!
!
ip cef
!
!
no ip domain lookup
ip domain name cisco.com
ip ssh version 2
!
!
voice-card 0
 no dspfarm
!
!
!
!
!
!
!
!
!
!
!
!
!
!
username netadmin password 7 082F495A081D081E1C
!
!
!
!
!
!
interface FastEthernet0/0
 ip address 10.10.10.3 255.255.255.0
 duplex half
 speed auto
 no mop enabled
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Serial0/0/0
 no ip address
 shutdown
 no fair-queue
!
interface Serial0/0/1
 no ip address
 shutdown
 clock rate 2000000
!
!
!
ip http server
no ip http secure-server
!
dialer-list 1 protocol ip permit
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
banner login ^C
********** Warning *************
Access to this device is restricted to authorized persons only!
Un-authorized access is prohibited. Violators will be prosecuted.
**************************************************************^C
!
line con 0
 password 7 14041305060B392E
 login
line aux 0
line vty 0 4
 password 7 071C204244060A00
 login local
 transport input telnet ssh
!
scheduler allocate 20000 1000
!
end
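
Added example, not part of the Cisco lab guide: a Python audit pass over the Lab 4-7 result above that flags the management-plane weaknesses still present after the lab (type 7 passwords, an enable password kept next to the enable secret, Telnet on the vty lines, the plain HTTP server). The rule names, the HARDENED variant and its PLACEHOLDER_HASH values are assumptions made for this example.

```python
import re

# Excerpt of the Lab 4-7 answer-key configuration on this page, with the
# one-space indentation of sub-commands restored.
LAB_4_7 = """\
service password-encryption
enable secret 5 $1$.dET$BDxkofHF3aAsRthe/c0.c.
enable password 7 14141B180F0B
ip ssh version 2
username netadmin password 7 082F495A081D081E1C
ip http server
no ip http secure-server
line con 0
 password 7 14041305060B392E
 login
line aux 0
line vty 0 4
 password 7 071C204244060A00
 login local
 transport input telnet ssh
"""

# Constructed hardened variant (an assumption, not from the lab guide);
# PLACEHOLDER_HASH stands in for a real type 5 hash.
HARDENED = """\
service password-encryption
enable secret 5 PLACEHOLDER_HASH
ip ssh version 2
username netadmin secret 5 PLACEHOLDER_HASH
no ip http server
ip http secure-server
line con 0
 login local
line vty 0 4
 login local
 transport input ssh
"""

TYPE7 = re.compile(r"\bpassword 7 [0-9A-Fa-f]+$")
# "password <word>" or "password 0 <word>": stored in clear text.
CLEARTEXT = re.compile(r"\bpassword (?:0 )?(?!7 |5 )\S+$")


def flatten(config):
    """Yield (parent, line); parent is the enclosing block header or None."""
    parent = None
    for raw in config.splitlines():
        text = raw.strip()
        if not text or text == "!":
            continue
        if raw[0].isspace():      # indented: sub-command of the current block
            yield parent, text
        else:                     # column 0: global command, may open a block
            parent = text
            yield None, text


def audit(config):
    """Return a list of (rule, location) findings in configuration order."""
    entries = list(flatten(config))
    has_secret = any(p is None and l.startswith("enable secret ")
                     for p, l in entries)
    findings = []
    for parent, line in entries:
        where = f"{parent} / {line}" if parent else line
        if TYPE7.search(line):
            # Type 7 is a reversible encoding, not a one-way hash.
            findings.append(("TYPE7_PASSWORD", where))
        if CLEARTEXT.search(line):
            findings.append(("CLEARTEXT_PASSWORD", where))
        if has_secret and parent is None and line.startswith("enable password "):
            # enable secret takes precedence; the weaker copy only adds exposure.
            findings.append(("REDUNDANT_ENABLE_PASSWORD", where))
        if parent is None and line == "ip http server":
            findings.append(("HTTP_MGMT_UNENCRYPTED", where))
        if (parent and parent.startswith("line vty")
                and line.startswith("transport input ")
                and {"telnet", "all"} & set(line.split()[2:])):
            findings.append(("VTY_TELNET_ALLOWED", where))
    return findings


if __name__ == "__main__":
    for rule, where in audit(LAB_4_7):
        print(f"{rule:26} {where}")
    print("hardened findings:", audit(HARDENED))
```

The same audit() call applied to the Lab 4-6 result reports its enable and vty passwords as CLEARTEXT_PASSWORD, because that configuration still has no service password-encryption.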

Lab 4-8 Answer Key: Using Cisco SDM to Configure DHCP Server Function

When you complete this activity, your workgroup router configuration will be similar to the results here, with differences that are specific to your device or workgroup:

!
!
version 12.4
!
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname RouterX
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$.dET$BDxkofHF3aAsRthe/c0.c.
enable password 7 14141B180F0B
!
no aaa new-model
!
!
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 10.10.10.1 10.10.10.149
ip dhcp excluded-address 10.10.10.200 10.10.10.254
!
ip dhcp pool wgA_clients
   import all
   network 10.10.10.0 255.255.255.0
   lease 0 0 5
!
!
no ip domain lookup
ip domain name cisco.com
ip ssh version 2
!
!
voice-card 0
 no dspfarm
!
!
!
!
!
!
!
!
!
!
!
!
!
crypto pki trustpoint TP-self-signed-3715519608
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-3715519608
 revocation-check none
 rsakeypair TP-self-signed-3715519608
!
!
crypto pki certificate chain TP-self-signed-3715519608
 certificate self-signed 01
  30820249 308201B2 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 33373135 35313936 3038301E 170D3037 30343035 32333135
  30305A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D33 37313535
  31393630 3830819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
  8100D0D2 4D67CC33 F0966C60 96BD12D2 675EB867 42087A6F 4310110E 1E852852
  E965291B A9E21580 7F77960A B83618A5 65A718BE 4E81DB21 669B48D1 172E1FF3
  73575C54 6B25A849 6E886C49 3EA0D03C CC5E7AFA 186AE594 22F612D6 8CA089EC
  355AFCF5 9FBA492A EEEB13C8 27A6F2BE EEC51E85 18B52144 10DDA46C C0831824
  D0450203 010001A3 71306F30 0F060355 1D130101 FF040530 030101FF 301C0603
  551D1104 15301382 1177675F 726F5F61 2E636973 636F2E63 6F6D301F 0603551D
  23041830 168014B7 CBDB7C0C C2AEB57B B2CA8F85 6C9567DA ACA8F430 1D060355
  1D0E0416 0414B7CB DB7C0CC2 AEB57BB2 CA8F856C 9567DAAC A8F4300D 06092A86
  4886F70D 01010405 00038181 0061FD2F C903A4A2 0E241513 68AD17EA 16856A52
  46C655CA 7AD9C703 DE996CD7 7F009ED1 19829639 6D57B06C 5225DEF4 5F3325D1
  1567E90F 60858412 AB1E106A 3110FD46 9439D60A 7FFB783D D740FDAC EC00C4B5
  388FFD58 436F2B2A A305F71B 00E91CAD 90B5F317 D705450E DC511A46 E777ACAC
  1C07F960 64CCE156 F65330FE 02
  quit
username netadmin privilege 15 password 7 082F495A081D081E1C
!
!
!
!
!
!
interface FastEthernet0/0
 ip address 10.10.10.3 255.255.255.0
 duplex half
 speed auto
 no mop enabled
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Serial0/0/0
 no ip address
 shutdown
 no fair-queue
!
interface Serial0/0/1
 no ip address
 shutdown
 clock rate 2000000
!
!
!
ip http server
ip http authentication local
ip http secure-server
!
dialer-list 1 protocol ip permit
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
banner login ^C
********** Warning *************
Access to this device is restricted to authorized persons only!
Un-authorized access is prohibited. Violators will be prosecuted.
**************************************************************^C
!
line con 0
 password 7 14041305060B392E
 login
line aux 0
line vty 0 4
 password 7 071C204244060A00
 login local
 transport input telnet ssh
!
scheduler allocate 20000 1000
!
end

Lab 4-9 Answer Key: Managing Remote Access Sessions

When you complete this activity, your workgroup router configuration will be similar to the results here, with differences that are specific to your device or workgroup:

!
!
version 12.4
!
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname RouterX
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$.dET$BDxkofHF3aAsRthe/c0.c.
enable password 7 14141B180F0B
!
no aaa new-model
!
!
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 10.10.10.1 10.10.10.149
ip dhcp excluded-address 10.10.10.200 10.10.10.254
!
ip dhcp pool wgA_clients
   import all
   network 10.10.10.0 255.255.255.0
   lease 0 0 5
!
!
no ip domain lookup
ip domain name cisco.com
ip ssh version 2
!
!
voice-card 0
 no dspfarm
!
!
!
!
!
!
!
!
!
!
!
!
!
crypto pki trustpoint TP-self-signed-3715519608
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-3715519608
 revocation-check none
 rsakeypair TP-self-signed-3715519608
!
!
crypto pki certificate chain TP-self-signed-3715519608
 certificate self-signed 01
  30820249 308201B2 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 33373135 35313936 3038301E 170D3037 30343035 32333135
  30305A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D33 37313535
  31393630 3830819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
  8100D0D2 4D67CC33 F0966C60 96BD12D2 675EB867 42087A6F 4310110E 1E852852
  E965291B A9E21580 7F77960A B83618A5 65A718BE 4E81DB21 669B48D1 172E1FF3
  73575C54 6B25A849 6E886C49 3EA0D03C CC5E7AFA 186AE594 22F612D6 8CA089EC
  355AFCF5 9FBA492A EEEB13C8 27A6F2BE EEC51E85 18B52144 10DDA46C C0831824
  D0450203 010001A3 71306F30 0F060355 1D130101 FF040530 030101FF 301C0603
  551D1104 15301382 1177675F 726F5F61 2E636973 636F2E63 6F6D301F 0603551D
  23041830 168014B7 CBDB7C0C C2AEB57B B2CA8F85 6C9567DA ACA8F430 1D060355
  1D0E0416 0414B7CB DB7C0CC2 AEB57BB2 CA8F856C 9567DAAC A8F4300D 06092A86
  4886F70D 01010405 00038181 0061FD2F C903A4A2 0E241513 68AD17EA 16856A52
  46C655CA 7AD9C703 DE996CD7 7F009ED1 19829639 6D57B06C 5225DEF4 5F3325D1
  1567E90F 60858412 AB1E106A 3110FD46 9439D60A 7FFB783D D740FDAC EC00C4B5
  388FFD58 436F2B2A A305F71B 00E91CAD 90B5F317 D705450E DC511A46 E777ACAC
  1C07F960 64CCE156 F65330FE 02
  quit
username netadmin privilege 15 password 7 082F495A081D081E1C
!
!
!
!
!
!
interface FastEthernet0/0
 ip address 10.10.10.3 255.255.255.0
 duplex half
 speed auto
 no mop enabled
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Serial0/0/0
 no ip address
 shutdown
 no fair-queue
!
interface Serial0/0/1
 no ip address
 shutdown
 clock rate 2000000
!
!
!
ip http server
ip http authentication local
ip http secure-server
!
dialer-list 1 protocol ip permit
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
banner login ^C
********** Warning *************
Access to this device is restricted to authorized persons only!
Un-authorized access is prohibited. Violators will be prosecuted.
**************************************************************^C
!
line con 0
 exec-timeout 60 0
 password 7 14041305060B392E
 logging synchronous
 login
 history size 100
line aux 0
line vty 0 4
 password 7 071C204244060A00
 logging synchronous
 login local
 history size 100
 transport input telnet ssh
!
scheduler allocate 20000 1000
!
end

Lab 5-1 Answer Key: Connecting to the Internet

When you complete this activity, your workgroup router configuration will be similar to the results here, with differences that are specific to your device or workgroup:

!
!
version 12.4
!
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname RouterX
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$.dET$BDxkofHF3aAsRthe/c0.c.
enable password 7 14141B180F0B
!
no aaa new-model
!
!
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 10.10.10.1 10.10.10.149
ip dhcp excluded-address 10.10.10.200 10.10.10.254
!
ip dhcp pool wgA_clients
   import all
   network 10.10.10.0 255.255.255.0
   lease 0 0 5
!
!
no ip domain lookup
ip domain name cisco.com
ip ssh version 2
!
!
voice-card 0
 no dspfarm
!
!
!
!
!
!
!
!
!
!
!
!
!
crypto pki trustpoint TP-self-signed-3715519608
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-3715519608
 revocation-check none
 rsakeypair TP-self-signed-3715519608
!
!
crypto pki certificate chain TP-self-signed-3715519608
 certificate self-signed 01
  30820249 308201B2 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 33373135 35313936 3038301E 170D3037 30343035 32333135
  30305A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D33 37313535
  31393630 3830819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
  8100D0D2 4D67CC33 F0966C60 96BD12D2 675EB867 42087A6F 4310110E 1E852852
  E965291B A9E21580 7F77960A B83618A5 65A718BE 4E81DB21 669B48D1 172E1FF3
  73575C54 6B25A849 6E886C49 3EA0D03C CC5E7AFA 186AE594 22F612D6 8CA089EC
  355AFCF5 9FBA492A EEEB13C8 27A6F2BE EEC51E85 18B52144 10DDA46C C0831824
  D0450203 010001A3 71306F30 0F060355 1D130101 FF040530 030101FF 301C0603
  551D1104 15301382 1177675F 726F5F61 2E636973 636F2E63 6F6D301F 0603551D
  23041830 168014B7 CBDB7C0C C2AEB57B B2CA8F85 6C9567DA ACA8F430 1D060355
  1D0E0416 0414B7CB DB7C0CC2 AEB57BB2 CA8F856C 9567DAAC A8F4300D 06092A86
  4886F70D 01010405 00038181 0061FD2F C903A4A2 0E241513 68AD17EA 16856A52
  46C655CA 7AD9C703 DE996CD7 7F009ED1 19829639 6D57B06C 5225DEF4 5F3325D1
  1567E90F 60858412 AB1E106A 3110FD46 9439D60A 7FFB783D D740FDAC EC00C4B5
  388FFD58 436F2B2A A305F71B 00E91CAD 90B5F317 D705450E DC511A46 E777ACAC
  1C07F960 64CCE156 F65330FE 02
  quit
username netadmin privilege 15 password 7 082F495A081D081E1C
!
!
!
!
!
!
interface FastEthernet0/0
 ip address 10.10.10.3 255.255.255.0
 duplex half
 speed auto
 no mop enabled
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Serial0/0/0
 no ip address
 shutdown
 no fair-queue
!
interface Serial0/0/1
 no ip address
 shutdown
 clock rate 2000000
!
!
!
ip http server
ip http authentication local
ip http secure-server
!
dialer-list 1 protocol ip permit
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
banner login ^C
********** Warning *************
Access to this device is restricted to authorized persons only!
Un-authorized access is prohibited. Violators will be prosecuted.
**************************************************************^C
!
line con 0
 exec-timeout 60 0
 password 7 14041305060B392E
 logging synchronous
 login
 history size 100
line aux 0
line vty 0 4
 password 7 071C204244060A00
 logging synchronous
 login local
 history size 100
 transport input telnet ssh
!
scheduler allocate 20000 1000
!
end

Lab 5-2 Answer Key: Connecting to the Main Office

When you complete this activity, your workgroup router configuration will be similar to the results here, with differences that are specific to your device or workgroup:

!
!
version 12.4
!
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname RouterX
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$.dET$BDxkofHF3aAsRthe/c0.c.
enable password 7 14141B180F0B
!
no aaa new-model
!
!
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 10.10.10.1 10.10.10.149
ip dhcp excluded-address 10.10.10.200 10.10.10.254
!
ip dhcp pool wgA_clients
   import all
   network 10.10.10.0 255.255.255.0
   lease 0 0 5
!
!
no ip domain lookup
ip domain name cisco.com
ip ssh version 2
!
!
voice-card 0
 no dspfarm
!
!
!
!
!
!
!
!
!
!
!
!
!
crypto pki trustpoint TP-self-signed-3715519608
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-3715519608
 revocation-check none
 rsakeypair TP-self-signed-3715519608
!
!
crypto pki certificate chain TP-self-signed-3715519608
 certificate self-signed 01
  30820249 308201B2 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 33373135 35313936 3038301E 170D3037 30343035 32333135
  30305A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D33 37313535
  31393630 3830819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
  8100D0D2 4D67CC33 F0966C60 96BD12D2 675EB867 42087A6F 4310110E 1E852852
  E965291B A9E21580 7F77960A B83618A5 65A718BE 4E81DB21 669B48D1 172E1FF3
  73575C54 6B25A849 6E886C49 3EA0D03C CC5E7AFA 186AE594 22F612D6 8CA089EC
  355AFCF5 9FBA492A EEEB13C8 27A6F2BE EEC51E85 18B52144 10DDA46C C0831824
  D0450203 010001A3 71306F30 0F060355 1D130101 FF040530 030101FF 301C0603
  551D1104 15301382 1177675F 726F5F61 2E636973 636F2E63 6F6D301F 0603551D
  23041830 168014B7 CBDB7C0C C2AEB57B B2CA8F85 6C9567DA ACA8F430 1D060355
  1D0E0416 0414B7CB DB7C0CC2 AEB57BB2 CA8F856C 9567DAAC A8F4300D 06092A86
  4886F70D 01010405 00038181 0061FD2F C903A4A2 0E241513 68AD17EA 16856A52
  46C655CA 7AD9C703 DE996CD7 7F009ED1 19829639 6D57B06C 5225DEF4 5F3325D1
  1567E90F 60858412 AB1E106A 3110FD46 9439D60A 7FFB783D D740FDAC EC00C4B5
  388FFD58 436F2B2A A305F71B 00E91CAD 90B5F317 D705450E DC511A46 E777ACAC
  1C07F960 64CCE156 F65330FE 02
  quit
username netadmin privilege 15 password 7 082F495A081D081E1C
!
!
!
!
!
!
interface FastEthernet0/0
 ip address 10.10.10.3 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 duplex half
 speed auto
 no mop enabled
!
interface FastEthernet0/1
 description $ETH-WAN$
 ip address dhcp client-id FastEthernet0/1
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface Serial0/0/0
 description Link to Main Office
 ip address 10.140.10.2 255.255.255.0
 encapsulation ppp
 no fair-queue
!
interface Serial0/0/1
 no ip address
 shutdown
 clock rate 2000000
!
ip route 192.168.21.0 255.255.255.0 10.140.10.1
!
!
ip http server
ip http authentication local
ip http secure-server
ip nat inside source list 1 interface FastEthernet0/1 overload
!
access-list 1 remark INSIDE_IF=FastEthernet0/0
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 10.10.10.0 0.0.0.255
dialer-list 1 protocol ip permit
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
banner login ^C
********** Warning *************
Access to this device is restricted to authorized persons only!
Un-authorized access is prohibited. Violators will be prosecuted.
**************************************************************^C
!
line con 0
 exec-timeout 60 0
 password 7 14041305060B392E
 logging synchronous
 login
 history size 100
line aux 0
line vty 0 4
 password 7 071C204244060A00
 logging synchronous
 login local
 history size 100
 transport input telnet ssh
!
scheduler allocate 20000 1000
!
end

Lab 5-3 Answer Key: Enabling Dynamic Routing to the Main Office

When you complete this activity, your workgroup router configuration will be similar to the results here, with differences that are specific to your device or workgroup:

!
!
version 12.4
!
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname RouterX
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$.dET$BDxkofHF3aAsRthe/c0.c.
enable password 7 14141B180F0B
!
no aaa new-model
!
!
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 10.10.10.1 10.10.10.149
ip dhcp excluded-address 10.10.10.200 10.10.10.254
!
ip dhcp pool wgA_clients
   import all
   network 10.10.10.0 255.255.255.0
   lease 0 0 5
!
!
no ip domain lookup
ip domain name cisco.com
ip ssh version 2
!
!
voice-card 0
 no dspfarm
!
!
!
!
!
!
!
!
!
!
!
!
!
crypto pki trustpoint TP-self-signed-3715519608
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-3715519608

 revocation-check none
 rsakeypair TP-self-signed-3715519608
!
!
crypto pki certificate chain TP-self-signed-3715519608
 certificate self-signed 01
  quit
username netadmin privilege 15 password 7 082F495A081D081E1C
!
!
!
!
!
!
interface FastEthernet0/0
 ip address 10.10.10.3 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 duplex half
 speed auto
 no mop enabled
!
interface FastEthernet0/1
 description $ETH-WAN$
 ip address dhcp client-id FastEthernet0/1
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface Serial0/0/0
 description Link to Main Office
 ip address 10.140.10.2 255.255.255.0
 encapsulation ppp
 no fair-queue
!
interface Serial0/0/1
 no ip address
 shutdown
 clock rate 2000000
!
router rip

 version 2
 network 10.0.0.0
!
!
!
ip http server
ip http authentication local
ip http secure-server
ip nat inside source list 1 interface FastEthernet0/1 overload
!
access-list 1 remark INSIDE_IF=FastEthernet0/0
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 10.10.10.0 0.0.0.255
dialer-list 1 protocol ip permit
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
banner login ^C
********** Warning *************
Access to this device is restricted to authorized persons only!
Un-authorized access is prohibited. Violators will be prosecuted.
**************************************************************^C
!
line con 0
 exec-timeout 60 0
 password 7 14041305060B392E
 logging synchronous
 login
 history size 100
line aux 0
line vty 0 4
 password 7 071C204244060A00
 logging synchronous
 login local
 history size 100
 transport input telnet ssh
!
scheduler allocate 20000 1000
!
end

Lab 6-1 Answer Key: Using Cisco Discovery Protocol

When you complete this activity, your workgroup router configuration will be similar to the results here, with differences that are specific to your device or workgroup:

!
version 12.4
!
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname RouterX
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$.dET$BDxkofHF3aAsRthe/c0.c.
enable password 7 14141B180F0B
!
no aaa new-model
!
!
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 10.10.10.1 10.10.10.149
ip dhcp excluded-address 10.10.10.200 10.10.10.254
!
ip dhcp pool wgA_clients
   import all
   network 10.10.10.0 255.255.255.0
   lease 0 0 5
!
!
no ip domain lookup
ip domain name cisco.com
ip ssh version 2
!
!
voice-card 0
 no dspfarm
!
!
!
!
!
!
!
!
!
!
!
!
!
crypto pki trustpoint TP-self-signed-3715519608
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-3715519608
 revocation-check none

 rsakeypair TP-self-signed-3715519608
!
!
crypto pki certificate chain TP-self-signed-3715519608
 certificate self-signed 01
  quit
username netadmin privilege 15 password 7 082F495A081D081E1C
!
!
!
!
!
!
interface FastEthernet0/0
 ip address 10.10.10.3 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 duplex half
 speed auto
 no mop enabled
!
interface FastEthernet0/1
 description $ETH-WAN$
 ip address dhcp client-id FastEthernet0/1
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 no cdp enable
!
interface Serial0/0/0
 description Link to Main Office
 ip address 10.140.10.2 255.255.255.0
 encapsulation ppp
 no fair-queue
!
interface Serial0/0/1
 no ip address
 shutdown
 clock rate 2000000
!
router rip

 version 2
 network 10.0.0.0
!
!
!
ip http server
ip http authentication local
ip http secure-server
ip nat inside source list 1 interface FastEthernet0/1 overload
!
access-list 1 remark INSIDE_IF=FastEthernet0/0
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 10.10.10.0 0.0.0.255
dialer-list 1 protocol ip permit
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
banner login ^C
********** Warning *************
Access to this device is restricted to authorized persons only!
Un-authorized access is prohibited. Violators will be prosecuted.
**************************************************************^C
!
line con 0
 exec-timeout 60 0
 password 7 14041305060B392E
 logging synchronous
 login
 history size 100
line aux 0
line vty 0 4
 password 7 071C204244060A00
 logging synchronous
 login local
 history size 100
 transport input telnet ssh
!
scheduler allocate 20000 1000
!
end

!
version 12.2
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname SwitchX

!
enable secret 5 $1$A11O$0z83HwmswM/vk5.RSZpVr.
enable password 7 05080F1C2243
!
username netadmin password 7 030A5E1F070B2C4540
no aaa new-model
ip subnet-zero
!
no ip domain-lookup
ip domain-name cisco.com
ip ssh version 2
!
!
crypto pki trustpoint TP-self-signed-1833200768
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-1833200768
 revocation-check none
 rsakeypair TP-self-signed-1833200768
!
!
crypto ca certificate chain TP-self-signed-1833200768
 certificate self-signed 01
  quit
!
!
no file verify auto
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
interface FastEthernet0/1
 switchport mode access
 switchport port-security maximum 2
 switchport port-security
 switchport port-security violation restrict
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky 0017.5a78.be01
 switchport port-security mac-address sticky 001a.2fe7.3089
!

interface FastEthernet0/2
 switchport mode access
!
interface FastEthernet0/3
 switchport mode access
 shutdown
 no cdp enable
!
interface FastEthernet0/4
 switchport mode access
 shutdown
 no cdp enable
!
interface FastEthernet0/5
 switchport mode access
 shutdown
 no cdp enable
!
interface FastEthernet0/6
 switchport mode access
 shutdown
 no cdp enable
!
interface FastEthernet0/7
 switchport mode access
 shutdown
 no cdp enable
!
interface FastEthernet0/8
 switchport mode access
 shutdown
 no cdp enable
!
interface FastEthernet0/9
 switchport mode access
 shutdown
 no cdp enable
!
interface FastEthernet0/10
 switchport mode access
 shutdown
 no cdp enable
!
interface FastEthernet0/11
 switchport mode access
 no cdp enable
!
interface FastEthernet0/12
 switchport mode access
 no cdp enable
!
interface FastEthernet0/13
 switchport mode access
 shutdown
 no cdp enable
!
interface FastEthernet0/14
 switchport mode access
 shutdown
 no cdp enable
!

interface FastEthernet0/15
 switchport mode access
 shutdown
 no cdp enable
!
interface FastEthernet0/16
 switchport mode access
 shutdown
 no cdp enable
!
interface FastEthernet0/17
 switchport mode access
 shutdown
 no cdp enable
!
interface FastEthernet0/18
 switchport mode access
 shutdown
 no cdp enable
!
interface FastEthernet0/19
 switchport mode access
 shutdown
 no cdp enable
!
interface FastEthernet0/20
 switchport mode access
 shutdown
 no cdp enable
!
interface FastEthernet0/21
 switchport mode access
 shutdown
 no cdp enable
!
interface FastEthernet0/22
 switchport mode access
 shutdown
 no cdp enable
!
interface FastEthernet0/23
 switchport mode access
 shutdown
 no cdp enable
!
interface FastEthernet0/24
 switchport mode access
 shutdown
 no cdp enable
!
interface GigabitEthernet0/1
 switchport mode access
 shutdown
 no cdp enable
!
interface GigabitEthernet0/2
 switchport mode access
 shutdown
 no cdp enable
!
interface Vlan1

 ip address 10.10.10.11 255.255.255.0
 no ip route-cache
!
ip default-gateway 10.10.10.3
ip http server
ip http secure-server
!
control-plane
!
banner login ^C
********** Warning *************
Access to this device is restricted to authorized persons only!
Un-authorized access is prohibited. Violators will be prosecuted.
**************************************************************^C
!
line con 0
 exec-timeout 60 0
 password 7 111A180B1D1D1809
 logging synchronous
 login
 history size 100
line vty 0 4
 password 7 111A180B1D1D1809
 logging synchronous
 login local
 history size 100
line vty 5 15
 password 7 111A180B1D1D1809
 logging synchronous
 login local
 history size 100
!
end

Lab 6-2 Answer Key: Managing Router Startup Options

When you complete this activity, your workgroup router configuration will be similar to the results here, with differences that are specific to your device or workgroup:

!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname RouterX
!
boot-start-marker
boot system tftp c2800nm-advipservicesk9-mz.124-12.bin 10.10.10.1
boot system flash c2800nm-advipservicesk9-mz.124-12.bin
boot system flash
boot-end-marker
!
no logging buffered
enable secret 5 $1$X.GH$OkseupwTuqqjGp4oP4Fdg0
enable password 7 121A0C041104
!
no aaa new-model
!
!
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 10.10.10.1 10.10.10.149
ip dhcp excluded-address 10.10.10.200 10.10.10.254
!
ip dhcp pool wgA_clients
   import all
   network 10.10.10.0 255.255.255.0
   default-router 10.10.10.3
   lease 0 0 5
!
!
no ip domain lookup
ip domain name cisco.com
ip ssh version 2
!
!
voice-card 0
 no dspfarm
!
!
!
!
!
!
!
!
!
!
!
!
!

crypto pki trustpoint TP-self-signed-3715519608
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-3715519608
 revocation-check none
 rsakeypair TP-self-signed-3715519608
!
!
crypto pki certificate chain TP-self-signed-3715519608
 certificate self-signed 01
  quit
username netadmin privilege 15 password 7 0208014F0A02022842
!
!
!
!
!
!
interface FastEthernet0/0
 ip address 10.10.10.3 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 duplex half
 speed auto
 no mop enabled
!
interface FastEthernet0/1
 description $ETH-WAN$
 ip address dhcp client-id FastEthernet0/1
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 no cdp enable
!
interface Serial0/0/0
 description Link to Main Office
 ip address 10.140.10.2 255.255.255.0
 encapsulation ppp
 no fair-queue
!
interface Serial0/0/1
 no ip address

 shutdown
 clock rate 2000000
!
router rip
 version 2
 network 10.0.0.0
!
!
!
ip http server
ip http authentication local
no ip http secure-server
ip nat inside source list 1 interface FastEthernet0/1 overload
!
access-list 1 remark INSIDE_IF=FastEthernet0/0
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 10.10.10.0 0.0.0.255
dialer-list 1 protocol ip permit
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
banner login ^C
********** Warning *************
Access to this device is restricted to authorized persons only!
Un-authorized access is prohibited. Violators will be prosecuted.
**************************************************************^C
!
line con 0
 exec-timeout 60 0
 password 7 051807012B435D0C
 logging synchronous
 login
 history size 100
line aux 0
line vty 0 4
 password 7 051807012B435D0C
 logging synchronous
 login local
 history size 100
 transport input telnet ssh
!
scheduler allocate 20000 1000
!
end

Lab 6-3 Answer Key: Managing Cisco Devices

When you complete this activity, your workgroup router configuration will be similar to the results here, with differences that are specific to your device or workgroup:

There were no overall changes to the configuration.

Lab 6-4 Answer Key: Confirming the Reconfiguration of the Branch Network

When you complete this activity, your workgroup router configuration will be similar to the results here, with differences that are specific to your device or workgroup:

!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname RouterXX
!
boot-start-marker
boot system flash c2800nm-advipservicesk9-mz.124-12.bin
boot system tftp c2800nm-advipservicesk9-mz.124-12.bin 10.10.10.1
boot system flash
boot-end-marker
!
enable secret 5 $1$t7tb$L8Par/.s/MaoshaZH1cLq0
enable password 7 0822455D0A16
!
no aaa new-model
!
!
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 10.10.10.1 10.10.10.149
ip dhcp excluded-address 10.10.10.200 10.10.10.254
!
ip dhcp pool branchXX-clients
   import all
   network 10.10.10.0 255.255.255.0
   default-router 10.10.10.3
   lease 0 0 5
!
!
ip domain name cisco.com
ip ssh version 2
!
!
voice-card 0
 no dspfarm
!
!
!
!
!
!
!
!
!
!
!
!
!
crypto pki trustpoint TP-self-signed-3575601183
 enrollment selfsigned

 subject-name cn=IOS-Self-Signed-Certificate-3575601183
 revocation-check none
 rsakeypair TP-self-signed-3575601183
!
!
crypto pki certificate chain TP-self-signed-3575601183
 certificate self-signed 01
  quit
username netadmin privilege 15 password 7 0505031B2048430017
!
!
!
!
!
!
interface FastEthernet0/0
 ip address 10.10.10.3 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface FastEthernet0/1
 description $ETH-WAN$
 ip address dhcp client-id FastEthernet0/1
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 no cdp enable
!
interface Serial0/0/0
 ip address 10.140.100.2 255.255.255.0
 encapsulation ppp
 no cdp enable
!
interface Serial0/0/1
 no ip address
 shutdown
 no cdp enable
!
router rip
 version 2

 network 10.0.0.0
!
!
!
ip http server
ip http authentication local
ip http secure-server
ip nat inside source list 1 interface FastEthernet0/1 overload
!
access-list 1 remark INSIDE_IF=FastEthernet0/0
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 10.10.10.0 0.0.0.255
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
banner login ^C
************* Warning **********************
Access to this device is restricted to authorized persons only!
Un-authorized access is prohibited. Violators will be prosecuted.
**************************************************************^C
!
line con 0
 exec-timeout 60 0
 password 7 08324D4003161612
 logging synchronous
 login
 history size 100
line aux 0
line vty 0 4
 logging synchronous
 login local
 history size 100
 transport input ssh
!
scheduler allocate 20000 1000
!
end

!
version 12.2
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname SwitchXX
!
enable secret 5 $1$LLvt$3gBuRQzm6eAcGfQjsgHC01
enable password 7 01100F175804
!

username netadmin privilege 15 password 7 1419171F0D0027222A
no aaa new-model
ip subnet-zero
!
no ip domain-lookup
ip domain-name cisco.com
ip ssh version 2
!
!
crypto pki trustpoint TP-self-signed-809024768
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-809024768
 revocation-check none
 rsakeypair TP-self-signed-809024768
!
!
crypto ca certificate chain TP-self-signed-809024768
 certificate self-signed 01
  quit
!
!
no file verify auto
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
interface FastEthernet0/1
 switchport mode access
 switchport port-security maximum 2
 switchport port-security
 switchport port-security violation restrict
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky 0017.5a78.be0f
 switchport port-security mac-address sticky 001a.2fe7.3089
 no cdp enable
!
interface FastEthernet0/2
 switchport mode access
!

interface FastEthernet0/3
 switchport mode access
 shutdown
 no cdp enable
!
interface FastEthernet0/4
 switchport mode access
 shutdown
 no cdp enable
!
interface FastEthernet0/5
 switchport mode access
 shutdown
 no cdp enable
!
interface FastEthernet0/6
 switchport mode access
 shutdown
 no cdp enable
!
interface FastEthernet0/7
 switchport mode access
 shutdown
 no cdp enable
!
interface FastEthernet0/8
 switchport mode access
 shutdown
 no cdp enable
!
interface FastEthernet0/9
 switchport mode access
 shutdown
 no cdp enable
!
interface FastEthernet0/10
 switchport mode access
 shutdown
 no cdp enable
!
interface FastEthernet0/11
 switchport mode access
 no cdp enable
!
interface FastEthernet0/12
 switchport mode access
 no cdp enable
!
interface FastEthernet0/13
 switchport mode access
 shutdown
 no cdp enable
!
interface FastEthernet0/14
 switchport mode access
 shutdown
 no cdp enable
!
interface FastEthernet0/15
 switchport mode access
 shutdown

 no cdp enable
!
interface FastEthernet0/16
 switchport mode access
 shutdown
 no cdp enable
!
interface FastEthernet0/17
 switchport mode access
 shutdown
 no cdp enable
!
interface FastEthernet0/18
 switchport mode access
 shutdown
 no cdp enable
!
interface FastEthernet0/19
 switchport mode access
 shutdown
 no cdp enable
!
interface FastEthernet0/20
 switchport mode access
 shutdown
 no cdp enable
!
interface FastEthernet0/21
 switchport mode access
 shutdown
 no cdp enable
!
interface FastEthernet0/22
 switchport mode access
 shutdown
 no cdp enable
!
interface FastEthernet0/23
 switchport mode access
 shutdown
 no cdp enable
!
interface FastEthernet0/24
 switchport mode access
 shutdown
 no cdp enable
!
interface GigabitEthernet0/1
 switchport mode access
 shutdown
 no cdp enable
!
interface GigabitEthernet0/2
 switchport mode access
 shutdown
 no cdp enable
!
interface Vlan1
 ip address 10.10.10.11 255.255.255.0
 no ip route-cache
!

ip default-gateway 10.10.10.3
ip http server
ip http secure-server
!
control-plane
!
banner login ^C
********** Warning *************
Access to this device is restricted to authorized persons only!
Un-authorized access is prohibited. Violators will be prosecuted.
**************************************************************^C
!
line con 0
 exec-timeout 60 0
 password 7 04480A08052E5F4B
 logging synchronous
 login
 history size 100
line vty 0 4
 password 7 03175A01091C24
 logging synchronous
 login local
 history size 100
 transport input ssh
line vty 5 15
 password 7 001712080E541803
 logging synchronous
 login local
 history size 100
 transport input ssh
!
end
