234821765 ccna-virtual-lab

CCNAVirtual LabT i TA N i u m E d i T i o N 3 . 0

• Work with Practice Scenarios Based on

CCNA Exam Objectives

• Set Up Custom Network Configurations

Easily with Drag-and-Drop Functionality

• Hone Your Skills for the Exams with over

150 Hands-On Labs

• Use an Unlimited Number of Switches,

Routers, and Hosts in Your Virtual Network

• Get Useful Feedback with the Valuable

Net Assessment Tool

SeriouS SkillS.

®

William Tedder

Bestselling laB simulation software

COPYRIG

HTED M

ATERIAL

Senior Acquisitions Editor: Jeff KellumDevelopment Editor: Tom CirtinTechnical Editor: Troy McMillanProduction Editor: Christine O’ConnorEditorial Manager: Pete GaughanProduction Manager: Tim TateVice President and Executive Group Publisher: Richard SwadleyVice President and Publisher: Neil EddeSupervising Producer, Vertical Websites: Richard GravesBook Designers: Judy Fung and Bill GibsonCompositor: Craig Woods, Happenstance Type-O-RamaProofreader: Josh Chase, Word One New YorkProject Coordinator, Cover: Katherine CrockerCover Designer: Ryan Sneed

Copyright © 2012 by John Wiley & Sons, Inc., Indianapolis, Indiana

Published simultaneously in Canada

ISBN: 978-1-118-43199-3

No part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning or otherwise, except as permitted under Sections 107 or 108 of the 1976 United States Copyright Act, without either the prior written permission of the Publisher, or authorization through payment of the appropriate per-copy fee to the Copyright Clearance Center, 222 Rosewood Drive, Danvers, MA 01923, (978) 750-8400, fax (978) 646-8600. Requests to the Publisher for permission should be addressed to the Permissions Department, John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030, (201) 748-6011, fax (201) 748-6008, or online at http://www.wiley.com/go/permissions.

Limit of Liability/Disclaimer of Warranty: The publisher and the author make no representations or war-ranties with respect to the accuracy or completeness of the contents of this work and specifically disclaim all warranties, including without limitation warranties of fitness for a particular purpose. No warranty may be created or extended by sales or promotional materials. The advice and strategies contained herein may not be suitable for every situation. This work is sold with the understanding that the publisher is not engaged in rendering legal, accounting, or other professional services. If professional assistance is required, the services of a competent professional person should be sought. Neither the publisher nor the author shall be liable for damages arising herefrom. The fact that an organization or Web site is referred to in this work as a citation and/or a potential source of further information does not mean that the author or the publisher endorses the information the organization or Web site may provide or recommendations it may make. Further, readers should be aware that Internet Web sites listed in this work may have changed or disappeared between when this work was written and when it is read.

For general information on our other products and services or to obtain technical support, please contact our Customer Care Department within the U.S. at (877) 762-2974, outside the U.S. at (317) 572-3993 or fax (317) 572-4002.

Wiley publishes in a variety of print and electronic formats and by print-on-demand. Some material included with standard print versions of this book may not be included in e-books or in print-on-demand. If this book refers to media such as a CD or DVD that is not included in the version you purchased, you may download this material at http://booksupport.wiley.com. For more information about Wiley products, visit www.wiley.com.

TRADEMARKS: Wiley, the Wiley logo, and the Sybex logo are trademarks or registered trademarks of John Wiley & Sons, Inc. and/or its affiliates, in the United States and other countries, and may not be used without written permission. [Insert any third-party trademark language.] All other trademarks are the property of their respective owners. John Wiley & Sons, Inc. is not associated with any product or vendor mentioned in this book.

10 9 8 7 6 5 4 3 2 1

Contents

Introduction to CCNA Virtual Lab, Titanium Edition 3.0 Labs v

Network Environment 1

Lab 1.1: Loading a Network Layout 2Lab 1.2: Adding a Device to the Network Visualizer Screen 4

Host 4Lab 1.3: Connecting Devices 7

Lab Steps 7Lab 1.4: Network Cables 9

Cable Thickness 12Lab 1.5: Disconnecting Devices 13

Lab Steps 13Lab 1.6: Entering Configurations and Changing

Console Screens 15Changing Console Screens 16

Lab 1.7: Clearing A Network Visualizer Screen 17Lab 1.8: Network Configurations Window 18

Password Lookups 21Lab 1.9: Preferences 21

Background Color 22Other colors 23

ICND1: Cisco IOS 25

Lab 1.1 RouterSim and Cisco Devices 26Lab Steps 26

Lab 1.2: Logging In and Out of a Cisco Router 29Lab Steps 30

Lab 1.3: Overview of Router Modes 32Router Modes 33Lab Steps 34

Lab 1.4: Editing and Help Features 37Lab Steps 38

Lab 1.5: Using Shortcut Commands and Tab Completion in Gathering Basic Router Information 43

Lab Steps 44Lab 1.6: Setting Passwords 48

Lab Steps 49Lab 1.7: Encrypting Your Passwords 52

Lab Steps 53Lab 1.8: Saving Your Configurations 56

vi Contents

Lab 1.9: Setting Router Banners 57Lab 1.10: Configuring Interfaces for the 2621 Router 59

Lab Steps 60Lab 1.11: Configuring Interfaces for the 2811 Router 62

Lab Steps 64Lab 1.12: Configuring Interfaces for the 3560 Switch 66

Lab Steps 68Lab 1.13: Bringing Up an Interface 69

Lab Steps 70Lab 1.14: Configuring an IP Address on an Interface 73

Lab Steps 73Lab 1.15: Serial Interface Commands 75

Lab Steps 77Lab 1.16: Setting the Router Hostnames 78

Lab Steps 78Lab 1.17: Setting Interface Descriptions 79

Lab Steps 80Lab 1.18: Verifying Your Configuration 81

Lab Steps 82Lab 1.19: do Command 86

Lab Steps 87

IP Routing 91

Lab 2: Introduction to IP Routing 92Lab 2.1: Configuring the SDM for the 2811 Router 94

Lab Steps 95Lab 2.2: Connecting to the SDM using the 2811 Router 98

Lab Steps 99Lab 2.3: Configuring an Interface with SDM 104

Lab Steps 106Lab 2.4: Configuring a DHCP Pool with SDM 109

Lab Steps 111Lab 2.5: Configuring Other Items with SDM 114

Lab Steps 116Lab 2.6: Verifying Your Configurations with SDM 119

Lab Steps 120Lab 2.7: Configuring the Routers 121

Lab Steps 122Lab 2.9: Configuring Static Routing 127

Lab Steps 129Lab 2.10: Verifying Static Routing 130

Lab Steps 131Practice Scenario: Basic Cisco Router Operations 134

Lab 2.11: Configuring and Verifying the Hosts 137Lab Steps 137

Contents vii

Lab 2.12: Configuring Default Routing 142Lab Steps 143

Lab 2.13: Verifying Default Routing 145Practice Scenario: Basic Cisco Router Operations 147

Lab 2.14: Configuring RIPv2 149Lab Steps 151

Lab 2.16: Using Traceroute 151Lab Steps 152

Lab 2.17: Using Debug with a RIPv2 Network 156Lab Steps 157

Lab 2.18: Configuring and Verifying a Loopback Interface 157Lab Steps 158

Lab 2.19: Using ARP (Address Resolution Protocol) 161Lab Steps 162

Managing a Cisco Internetwork 165

Lab 3: Introduction to Managing a Cisco Internetwork 166Lab 3.1: Password Recovery Techniques 168

Lab Steps 169Lab 3.11: Configuring IGRP Routing 172

Lab Steps 174Lab 3.12: Verifying IGRP Routing 177

Lab Steps 178Lab 3.2: Backing Up the Cisco IOS 179

Lab Steps 180Lab 3.3: Restoring or Upgrading the Cisco Router IOS 181

Lab Steps 182Lab 3.4: Backing Up the Cisco Configuration 182

Lab Steps 183Lab 3.5: Restoring the Cisco Router Configuration from

a TFTP Server 185Lab Steps 185

Lab 3.6: Using the Cisco Discovery Protocol to Gather Information about Neighbor Devices 186

Lab Steps 187Lab 3.7: Using Telnet 191

Lab Steps 192Lab 3.8: Using Secure Shell in Place of Telnet 197

Lab Steps 198Lab 3.9: Verifying Secure Shell in Place of Telnet 200

Lab Steps 201Lab 3.10: Creating a Hosts Table on a Router and Resolve Host

Names to IP Addresses 202Lab Steps 202

viii Contents

Configuring the Catalyst Switch 205

Lab 4: Introduction to Configuring the Catalyst Switch 206Lab 4.1: Connecting to the 1900 Switch and Setting Passwords 207

Lab Steps 207Lab 4.2: Configuring the 1900 Switch 212

Set the Hostname 212Lab Step 213Configure the IP Address 213Configure Interfaces 214Configure Interface Descriptions 216View Interface Descriptions 217

Lab 4.3: Configuring the 1900 Switch Port Duplex 218Lab Steps 219

Lab 4.4: Verifying 1900 Switch IP Connectivity 220Lab Steps 221

Lab 4.5: Erasing the 1900 Switch Configuration 222Lab Steps 223

Lab 4.6: Utilizing the 2950 and 2960 Switch 224Lab 4.7: Setting Passwords on the 2950/2960 Switch 225

Lab Steps 227Lab 4.8: Configuring the 2950/2960 Switch 229

Set the Hostname 230Lab Steps 231Configure the IP Address 231Configure Interfaces 232

Lab 4.9: Verifying 2950/2960 Switch IP Connectivity 237Lab 4.10: Saving and Erasing 2950/2960 Switch Configuration 239

Lab Steps 240Lab 4.11: Utilizing the 3550 and 3560 Switch 241Lab 4.12: Setting Passwords on the 3550/3560 Switch 241

Lab Steps 242Lab 4.13: Configuring the 3550/3560 Switch 244

Set the Hostname 245Lab Steps 246Configure the IP Address 246Configure Interfaces 247

Lab 4.14: Verifying 3550/3660 Switch IP Connectivity 253Lab 4.15: Saving and Erasing the 3550/3560 Switch

Configuration 255

NAT 257

Lab 5: Introduction to Network Address Translation (NAT) 258Lab 5.1: Configuring Your Routers 259

Setting up the NAT Lab creates an address pool 260Lab Steps 261

Contents ix

Switch Security 267

Lab 6.1: Configuring Switch Security 268 Lab 6.2: Verifying Switch Security 271

Lab Steps 272Individual Labs (Comprehensive) 275Lab Steps 278Launching SDM Via Host A 280Configure IP Address Using SDM 284Configure DHCP Pool with the SDM 288Using the SDM to Configure Other Items 292Verify Router Configurations 295Individual Lab: Configuring Routers 297Lab Steps 299Individual Lab: Configuring the 1900 Switch 303Lab Steps 304Setting the Hostname 308Configuring an IP Address 308Configuring Interfaces 309Configuring Interface Descriptions 311Configuring Port Duplex 312Grade Me 313Erasing the Configuration 313Individual Lab: Configuring 2950 Switch 314Lab Steps 316Setting the Hostname 318Configuring IP Address Information 319Configuring Interfaces 321Verifying the IP Connectivity 326Grade Me 327Saving and Erasing Your Configurations 327Individual Lab: Configuring the 2960 Switch 328Lab Steps 328Setting the Hostname 331Configuring IP Address Information 331Configuring Interfaces 332Verifying the IP Connectivity 336Grade Me 337Saving and Erasing Your Configuration 337Individual Lab: Static Routing 338Lab Steps 340Individual Lab: Telnet 346Lab Steps 348Individual Lab: Using the Cisco Discovery Protocol

to Gather Information about Neighbor Devices 356Lab Steps 358

x Contents

Individual Lab: Working with a Router Interface 363Lab Steps 364Configuring an IP Address on an Interface 366Serial Interface 367Setting An Interface Description 370Individual Lab: Configuring Hosts 371Lab Steps 372

ICND2 383

RIP - IPv6 384Lab 1.1: Configuring RIP Routing 384

Lab Steps 385Lab 1.2: Verifying RIP Routing 388

Lab Steps 389Lab 1.3: Configuring IPv6 Static Routing 392

Address Types 392Unicast Types 393IPv6 Bits 393Lab Steps 394

Lab 1.4: Verifying IPv6 Static Routing 397Lab Steps 398Practice Scenario: Basic Cisco Router Operations 401Troubleshooting IPv6 Static Routing 401(use Practice Scenario: … 401Troubleshooting Ipv6 … ) 401Turn On Hostnames 402Scenario 403Task 403

Lab 1.5: Configuring RIP IPv6 Routing (RIPng) 404Lab Steps 404

Lab 1.6: Verifying RIP IPv6 Routing (RIPng) 406Lab Steps 406

Cisco Wide Area Networks (WAN) 411

Lab 2: Introduction to Cisco Wide Area Network Support 412Lab 2.1: Configuring PPP Encapsulation 413

Lab Steps 414Lab 2.2: Verifying PPP Encapsulation 415

Lab Steps 416Lab 2.3: Configuring PPP Authentication with CHAP 417

Lab Steps 419Lab 2.4: Verifying PPP with Authentication 419

Lab Steps 420

Contents xi

Lab 2.5: Understanding Frame Relay Configuration 423Frame Relay Uses Virtual Circuits 423Configuring Frame Relay Encapsulation 423Frame Relay DLCI 423Frame Relay LMI 424Subinterfaces with Frame Relay 424

Lab 2.6: Configuring Frame Relay Switching 425Lab Steps 426

Lab 2.7: Configuring Frame Relay with Subinterfaces 429Lab Steps 430

Lab 2.8: Verifying Frame Relay 431Lab Steps 431

EIGRP 435

Lab 3: Introduction to EIGRP 436Lab 3.1: Configuring EIGRP Routing 436

Lab Steps 437Lab 3.2: Verifying EIGRP Routing 440Lab 3.3: Configuring EIGRP Wild Card Masks 445

Lab Steps 445Lab 3.4: Verifying EIGRP Wild Card Mask Configurations 446

Lab Steps 447Lab 3.5: Configuring EIGRP Authentication 449

Lab Steps 450Lab 3.6: Verifying EIGRP Authentication 452

Lab Steps 452Lab 3.7: Configuring Advanced Commands with EIGRP 456

OSPF 459

Lab 4: Introduction to OSPF 460Lab 4.1: Configuring Single Area OSPF 460

Lab Steps 462Lab 4.2: Verifying Single Area OSPF 465Lab 4.3: OSPF Authentication 468

Lab Steps 469Lab 4.4: Stub Area Configuration 473

Lab Steps 474Lab 4.5: Totally Stub 476

Lab Steps 476Lab 4.6: OSPF DR and BDR Elections 478

Lab Steps 479

xii Contents

Virtual LANs (VLANs) 483

Lab 5: Introduction to Virtual LANs 484Lab 5.1: Configuring VLANs on a 1900 Switch 485

Lab Steps 486Lab 5.3: Configuring VLANs on a 3550 Switch 489

Lab Steps 490Lab 5.4: Configuring Trunk Ports and VTP Domain on

a 3550 Switch 493Lab Steps 493Configure VTP Domain 494

Lab 5.5: Configuring VLANs on a 3560 Switch 495Lab Steps 496

Lab 5.6: Configuring Trunk Ports and VTP Domain on a 3550 Switch 498

Configure Trunk Ports 498Lab Steps 498Configure VTP Domain 499

Lab 5.7: IntraVLAN and InterVLAN Routing 500Lab Steps 501

Access Lists 505

Lab 6: Introduction to Managing Traffic with Access Lists 506Lab 6.1: Standard IP Access-Lists 507Lab 6.2: Verifying Standard

IP Access-Lists 512Lab Steps 513

Lab 6.3: Applying an Access-List to a VTY Line 514Lab Steps 515

Lab 6.4: Extended IP Access-Lists 516Lab Steps 517

Lab 6.5: Verifying Extended IP Access-lists 519

Lab Steps 520Lab 6.6: Removing Extended

IP Access-lists 521Lab Steps 521Practice Scenario: NAT and ACLs 522Configuring ACLs for Telnet and SSH 522Turn On Hostnames 524Scenario 524Task 524

Contents xiii

NAT/PAT 525

Lab 7.1: Configuring Dynamic NAT 526Lab Steps 527

Lab 7.2: Configuring PAT 529Lab Steps 530

Lab 7.3: NAT/PAT Final Configuration Exercise 531Lab Steps 532

VLSM with Summarization 537

Lab 8.1: VLSM with Summarization Lab—Configuring Routers 538

Lab Steps 540Lab 8.2: VLSM with Summarization

Lab—Configuring Hosts 545Lab Steps 546

Lab 8.4: VLSM with Summarization Lab—Configuring EIGRP with Discontiguous Networking 547

Lab Steps 549Lab 8.5: VLSM with Summarization

Lab—Configuring Summarization 552Lab Steps 553

Individual Labs (Comprehensive) 555

Introduction to Individual Labs 556Grading 556

Individual Lab: RIP Routing 557Lab Steps 559Verify Configurations 563RIPv2 566Verify Configurations 567

Individual Lab: IPv6 Static Routing 568Lab Steps 571Verifying IPv6 Static Routing 572

Individual Lab: RIP IPv6 Routing (RIPng) 576Lab Steps 578Verifying RIP IPv6 Routing (RIPng) 580

Individual Lab: PPP Encapsulation 582Lab Steps 585Verifying PPP Encapsulation 588Configuring PPP Authentication with CHAP 590Verifying PPP with Authentication 591

Individual Lab: Frame Relay Switching 594Understand Frame Relay 596

xiv Contents

Configuring Frame-Relay 598Lab Steps 598Configuring Frame Relay with Subinterfaces 599Verifying Frame Relay 600

Individual Lab: EIGRP Routing 602Lab Steps 605Verifying EIGRP 610

Individual Lab: Single Area OSPF 612Lab Steps 614Verify OSPF 619

Individual Lab: OSPF DR and BDR Elections 622Lab Steps 625

Individual Lab: Configuring VLANs 628Lab Steps 631Setting Up VLANS 631Setting Up Trunk Ports 635Configuring VTP Domain 637IntraVLAN and InterVLAN Routing 640

Individual Lab: Configuring VLANs on a 1900 Switch 645Lab Steps 647Configuring Trunk Ports 650Configuring Inter-Switch Link (ISL) Routing 651Grade Me 652

Individual Lab: Standard IP Access-Lists 653Lab Steps 654Configuring Hosts E and F 658Configuring Switches 659Verifying Standard IP Access-Lists 665Applying an Access-List to a VTY Line 666

Individual Lab: Extended IP Access-Lists 668Lab Steps 670Configuring Hosts E and F 674Configuring Switches 675Verifying Extended IP Access-lists 678Removing Extended IP Access-lists 679

Individual Lab: Network Address Translation (NAT) and Port Address Translation 680

Setting up the NAT Lab 683Lab Steps 684Dynamic NAT 687Configuring PAT 689

Individual Lab: VLSM with Summarization 691Lab Steps 694Configuring Hosts 700

Contents xv

Verify Configurations 701Configuring EIGRP with Discontiguous Networking 703Configuring Summarization 706Verifying Summarization 707

Net Assessment 709

Lab 1.1: Introduction to Net Assessment 710For Instructors 710For Individuals 712

Lab 1.2: Making Changes and Inserting Instructions 712Lab Steps 713

Lab 1.3: Loading Net Assessment 715Lab 1.4: Creating a Net Assessment Template 717

Lab Steps 717Lab 1.5: Net Assessment—Editing Values 722

Lab Steps 722Lab 1.6: Net Assessment—Creating A Test Network 725

Lab Steps 725Lab 1.7: Net Assessment—Assessing

A Test Network 726Lab Steps 726

Lab 1.8: Advanced Values Editing 729Lab 1.9: Edit Values—Changing A Selected Value 730Lab 1.10: Edit Values—Randomizing

A Selected Value 732Lab 1.11: Edit Values—Removing A Selected Value 733Lab 1.12: Edit Values—Auto-Selecting and Randomizing

Any Value 734Exceeding the Number of Configurations 735

Lab 1.13: Edit Values—Auto-Selecting and Removing Any Value 735

Create Your Own Custom Labs 737

Lab 1.1: Creating a Custom Lab 738Lab Steps 738

Introduction to CCNA Virtual Lab, Titanium Edition 3.0 LabsThis program contains all the labs available for CCNA Virtual Lab, Titanium Edition 3.0.

NavigationWhen you load the online documentation, a tree list on the left side of the screen allows you to quickly navigate from one section and lab topic to another. Click on a book to expand the list of labs for that section. You will then see a “?” icon to the left of each topic. Click a topic title to display lab content on the right side of the screen.

xviii Introduction

Types of LabsCCNA Labs and Supporting Material

ICND1 and ICND2 Labs The presentation of CCNA™ labs has been reorganized into two different areas. Individuals preparing for the Cisco® ICND (640-822) exam can easily bring up documentation and networks for the 75 labs that help prepare them. Those preparing for the Cisco® ICND 2 (640-816) exam can now find these 78 labs and networks organized in the same section.

Practice Scenarios Studying for the Cisco® CCNA™ exam is challenging. Trying to figure out which exam topics to study for is difficult. This program assists you by providing Practice Scenarios. We have designed our practice scenarios based on CCNA™ exam topics. Testing yourself with our practice scenarios will give you the confidence needed in preparing for the Cisco® CCNA™ exam. After you go through accumulative and/or Individual labs you can test your problem-solving and troubleshooting skills. In the lab documentation we present Practice Scenarios which are interspersed in the lab documentation. With these scenarios you are presented with partially or incorrectly configured networks and your task is to read the instructions and correct the situation. These are gradable labs.

They can be found in two places on our menu tree. They are interspersed among the accu-mulative labs. After you read about a concept and go through hands-on lab(s), you are then presented with a practice scenario that tests your problem-solving and troubleshooting skills. They can also be found in their own section so that you can quickly choose any of the labs, instead of hunting for them in the accumulative labs.

Individual Labs We also offer CCNA™ labs that stand on their own, are comprehensive and self-contained, and do not require configurations from prior labs. These labs are typically longer than the accumulative labs because you are starting with a non-configured network each time you bring up an Individual lab. You are totally configuring the network for each lab, from beginning to finish. We provide step-by-step instructions for these labs. These are gradable labs.

Net Assessment This feature allows you to test and evaluate your CCNA™ problem-solving and trouble shooting network skills. This is a powerful and flexible tool for all to use, includ-ing teachers, students, individuals, etc. You can grade yourself or if you are an instructor, you can grade your students. There are eight labs that walk you through an example in utilizing Net Assessment. Net Assessment also provides you with more sophisticated and powerful methods in altering values. That is covered in seven additional labs.

Accumulative Labs We provide step-by-step labs that, for the most part, build on each other. Fourteen different network layouts are presented within these labs. When you start working with a new section and encounter a new network layout, you are asked to save your work. It is suggested that you save your network layout with another name so that you always have a non-configured network to fall back on. An example would be saving the original network layout, Standard Layout, as My Standard Layout.

Introduction xix

Network Layouts

Loading a Network Layout

1. On the Network Visualizer screen, click on the File menu and then click Open.

2. When the dialog box appears, make sure you are in the Networks folder.

3. Find and click on the file name and then click OK.

Custom Labs

With CCNA Virtual Lab, Titanium Edition 3.0, you can create your own labs. You can then make your labs available for others to use. They will appear off the main menu of the Network Visualizer screen. You can also imbed instructions into your labs/network. Use a third-party program to create instructions. This can be a text editor, word proces-sor, HTML editor, spreadsheet program, etc.

Network Environment

Lab 1.1: Loading a Network Layout

There are three types of network layouts that you can load with this program.

Accumulative Labs In our lab documentation we provide step-by-step labs that, for the most part, build on each other. Within the accumulative labs there are a handful of different network layouts that you will load. The network layouts are specific to the tasks you will encounter in the labs.



3. Find and click on the file name and then click Open.

Individual Labs We also offer labs that stand on their own, are self-contained, and do not require configurations from prior labs. These labs are typically larger than the accumula-tive labs because you are starting with a non-configured network each time you bring up an Individual lab. You are totally configuring the network for each lab, from beginning to finish. We provide step-by-step instructions for these labs. Some labs require extensive configurations, Instead of manually entering the configurations, you have the ability to copy

Lab 1.1: Loading a Network Layout 3

and paste script into the console. This saves you time so that you do not have to manually type in each command if you do not care to do so.

Practice Scenarios Studying for the Cisco® CCNA exam is challenging. Trying to figure out which exam topics to study for is difficult. We assist you by providing Practice Scenarios. We have designed our practice scenarios based on the CCNA exam topics. Testing yourself with our practice scenarios will give you the confidence needed in preparing for the Cisco® CCNA exam. After you go through accumulative and/or Individual labs you can test your problem-solving and troubleshooting skills. In the lab documentation we present Practice Scenarios which are interspersed in the lab documentation. With these scenarios you are presented with partially or incorrectly configured networks and your task is to read the instructions and cor-rect the situation.

They can be found in two places on our menu tree. They are interspersed among the accu-mulative labs. After you read about a concept and go through hands-on lab(s), you are then presented with a practice scenario that tests your problem-solving and troubleshooting skills. They can also be found in their own section so that you can quickly choose any of the labs, instead of hunting for them in the accumulative labs.

4 Network Environment

Custom Networks With this program, you can create your own labs. You can then make your labs available for others to use. You can distribute your custom labs to others so that they show up on their menus. They can be loaded from the Network Visualizer menu.

Lab 1.2: Adding a Device to the Network Visualizer ScreenThis program offers several devices that you can interact with in our network layouts or networks that you want to create. The following is a list of these devices and their features.

Host

1900 Switch It has 12 10BaseT switched ports and two FastEthernet switched ports.

2621 Router It has Enterprise edition 12.x software. The 2621 has two FastEthernet interfaces and two serial interfaces.

2811 Router It has Enterprise edition 12.4 software, four serial ports and two FastEthernet ports.

2950 Switch It has 12 FastEthernet, 10/100 ports to help you build your LANs and VLANs.

2960 Switch It has eight FastEthernet ports and one GigabitEthernet port.

3550 Switch It has 10 FastEthernet, 10/100 ports.

3560 Switch It has eight FastEthernet ports and one GigabitEthernet port.

Lab 1.2: Adding a Device to the Network Visualizer Screen 5

These devices are represented by device buttons at the top of the Network Visualizer screen.

Description of Toolbar Buttons

New Network Visualizer screen

Load a network

Save a network

Print network layout

Clear all devices off the Network Visualizer screen

Insert a file into the network. For example, this could be a text file, Microsoft Word file, PDF file, graphic file, etc.

Insert a host onto the Network Visualizer screen

Insert a new 2621 router onto the Network Visualizer screen

Insert a new 2811 router onto the Network Visualizer screen

Insert a new 1900 switch onto the Network Visualizer screen






Description of Toolbar Buttons

Display the Net Assessment window

Display the Net Configs window

Display the Net Packet Monitor window

To add one or more of any device, click the device button that corresponds to the host, router, or switch. A new object will appear in the left corner of the Network Visualizer screen. Drag and drop it wherever you want. Devices are labeled sequentially. For example, if you click on the 2811 device button, 2811 Router A will appear on the screen. If you click the device button again, 2811 Router B will appear on the screen. The next one would be 2811 Router C, and so on.

There is an unlimited amount of devices that can be added to a Network Visualizer screen. You are only limited by your computer resources.

(continued)

Lab 1.3: Connecting Devices 7

Lab 1.3: Connecting DevicesOnce you have placed devices onto the Network Visualizer screen, only a couple steps are required to connect them. They need to be connected so that the program knows they are in the same network. All devices must be connected into the same network for you to both configure and test for connectivity.

In the following example, we will connect serial interface 0/0/0 of the 2811 Router A to serial interface 0/0/1 of 2811 Router B.

Lab Steps

1. Right-mouse click 2811 Router A. A graphical representation of its ports will appear. It will appear on top of 2811 Router A.


2. Place your mouse over interface serial 0/0/0 and click your left mouse key.

3. As soon as you click a port, the large graphic disappears and you will see a line attached to the cursor. Move the cursor over to 2811 Router B and click the right mouse button.

4. When the graphical representation of the ports for 2811 Router B appears, click on interface serial 0/0/1.

Lab 1.4: Network Cables 9

The large graphic will disappear and you should see 2811 Router A and 2811 Router B connected with a serial cable. You have the option of viewing interface labels. On the Network Visualizer screen click View and Hostnames.

Lab 1.4: Network CablesThis program provides three different types of cables that can be used when creating networks.


Straight-Through is GREEN in color in our program and provides connectivity from hosts to switches and from routers to switches. This is a twisted-pair cable that uses RJ-45 connectors.

Cross-Over is WHITE in color in our program and is used to connect switch to switch and router to router on an Ethernet port. This cannot be used to connect hosts to switches or switches to routers.

Lab 1.4: Network Cables 11

Serial WAN is RED in color in our program and is represented by a lightning bolt. This is used to simulate a serial WAN connection and can only be connected to serial interfaces on a router. These are point-to-point only and can connect from router to router only via their serial ports. They cannot be used to connect to switches or hosts.

WAN connection

A network connection through routers which connects two geographically distanced networks together. It typically connects several local area networks (LANs), usually through the Internet.


Cable ThicknessYou can change the thickness of cables used in your network. On the Network Visualizer menu, click the View menu, put your mouse over the menu item Line Thickness, and then select one of the three levels of line thickness.

Here is a network that is displays the smallest thickness of cables.

Lab 1.5: Disconnecting Devices 13

Here is a network that displays the largest thickness of cables.

Lab 1.5: Disconnecting DevicesAny network cable can be disconnected. If you want to remove several cables from a device, you will need to do so, one by one. In the following example, we will disconnect the serial cable between 2811 Router A and 2811 Router B.

Lab Steps

1. Place your cursor over 2811 Router A and click your right mouse button.


2. Place your cursor above the cable connector for interface serial 0/0/0 and click your left mouse button.

3. You will be asked to confirm you removing the cable from the port. Click the Yes button.

4. The cable will now be removed and you will have two disconnected routers.

Lab 1.6: Entering Configurations and Changing Console Screens 15

Lab 1.6: Entering Configurations and Changing Console ScreensConfigurations are entered through a console screen. Only one console screen displays at a time, however, you can display a separate console screen for any router or switch in your network.

1. Place a couple 2811 routers onto a Network Visualizer screen.

2. Place your cursor over 2811 Router A and double-click you left mouse button. A con-sole screen will appear.


3. When you first start out with a network you will need to press Enter to display the User mode. From there you can change modes and enter configurations, ping, telnet, and perform show commands.

4. Type enable and press Enter to go to the Privileged mode.

5. Type config t and press Enter so that you can enter Global Configuration mode. You will enter your configurations in this mode and in other modes such as Interface mode.

Changing Console ScreensYou can use the menu system on the console screen to view the consoles for any device on the Network Visualizer screen. In the following example we have a 3550 and 3560 switch on the Network Visualizer screen.

Lab 1.7: Clearing A Network Visualizer Screen 17

In this example you want to go from the console of the 3550 Switch A, to the console of the 3560 Switch A. Click View on the menu, put your mouse over Console, go down and find the desired type of device (in this case it is Switch 3560), and then choose 3560 Switch A.

Lab 1.7: Clearing A Network Visualizer ScreenThere are two ways to clear a Network Visualizer screen.

NN Click the Edit menu and then select Clear.


NN You can also click the trash can icon on the tool bar.

You will be asked to confirm that you want to clear the current network layout.

Lab 1.8: Network Configurations WindowYou can view the configurations for all devices on your Network Visualizer screen. To view the Network Configs screen, click the Tools menu, and then Net Configs.

Lab 1.8: Network Configurations Window 19

Or click the Net Configs button on the button bar.


And the Net Configs screen will appear ...

Lab 1.9: Preferences 21

Password LookupsYou may forget passwords that you enter while configuring devices. You can look them up by clicking the Net Configs button.

You can display the console screen for any device listed in the Net Configs window. Double-click on the name of any device.

Lab 1.9: PreferencesThere are two preferences that you can set for the look and feel of this program.

N Background color of the Network Visualizer screen

NN Autosize the Network Visualizer screen when you load a network


The Preferences window can be displayed by clicking Tools on the Network Visualizer screen, then Preferences.

Background ColorYou can easily change the background of your Network Visualizer screen. Eighteen basic colors are available in choosing the background color. If you click the Default button, your screen will display a dark Navy blue.

Lab 1.9: Preferences 23

Other colorsIf you want to choose another color, click on the Other button.

ICND1: Cisco IOS

Lab 1.1 RouterSim and Cisco Devices

In this program you now have the option of also using traditional Cisco® graphical devices. You can create networks from scratch using several types of devices, however, you cannot mix them. The program will display all RouterSim devices or all Cisco® graphical devices. You can load existing network layouts and easily change their appearance.

Lab Steps

1. On the Network Visualizer menu click View and then select Cisco Devices from the drop down menu.

Lab 1.1 RouterSim and Cisco Devices 27

Network Layout

Load CiscoIOS Layout.rsm before going through the following lab.



3. Click on the file CiscoIOS Layout.rsm and click Open. You should see the following non-configured network:

By default you will see Routersim devices on any network layout that comes with this program.

28 ICND1: Cisco IOS

The network shown at the top of lab quickly changes and Cisco® devices are displayed. If you display the device list, it will now display Cisco® devices.

2. You can change back and display RouterSim devices. On the Network Visualizer menu click View and then select RouterSim Devices from the drop down menu.

Lab 1.2: Logging In and Out of a Cisco Router 29

Lab 1.2: Logging In and Out of a Cisco RouterIn this lab you bring up a router console and learn how to log in using the enable and disable commands.

30 ICND1: Cisco IOS

Lab Steps

1. On the Network Visualizer screen, double-click on 2811 Router A. This will bring up a console screen. You interact with each device through the console screen. You will enter all your CLI commands such as configuring a device, testing connectivity, and displaying output.

Network Layout

Load the network layout you have been working with for labs in section 1.

Connectivity

When testing for connectivity in a network, it refers to the ability of a source device such as a router to connect to a remote device, or another router. If you ping a remote router and it is unsuccessful, you have no connectivity. If your ping is successful, you have connectivity.

Lab 1.2: Logging In and Out of a Cisco Router 31

Output

Information that is displayed on the console screen after you enter a show command. For example, if you enter the command show run, you get the following output:

Building configuration...

Current configuration : 874 bytes

!

version 12.4

service timestamps debug datetime msec

service timestamps log datetime msec

no service password-encryption

!

hostname Router

!

[output cut]

32 ICND1: Cisco IOS

2. Press Enter and the Router> prompt will appear. You are now in the User mode. This mode is mostly used to view statistics, though it is also a stepping-stone to logging into Privileged mode. You can only view and change the configuration of a Cisco router in Privileged mode, which you enter with the enable command.

Router>

Router>enable

Router#

3. You now end up with a Router# prompt, which indicates you are in Privileged mode. You can both view and change the configuration in Privileged mode. You can go back from Privileged mode to user mode by using the disable command.

Router#disable

Router>

4. At this point you can type logout to exit the console.

Router>logout

Router con0 is now available

Press Return to get started.

5. Or you could just type logout or exit from the Privileged mode prompt to log out.

Router>enable

Router#logout


Press RETURN to get started.

Lab 1.3: Overview of Router ModesIt is important to understand the different prompts you can find when configuring a router so you can know where you are at any time within Configuration mode. In this lab, the prompts that are used on a Cisco router will be demonstrated. Always check your prompts before making any changes to a router’s configuration.

Lab 1.3: Overview of Router Modes 33

Router ModesDepending on what you want to do, you can go to different mode levels interacting with interfaces and devices. Most commands are mode specific. That means that many com-mands work in one mode but not another. That is why you have to change modes, depend-ing on what command you want to enter. However, with the do command you can now enter privileged mode commands in Global Configuration mode. This works on the 2811 router (IOS version 12.4) and the 2960 and 3560 switch (IOS version 12.2 SE). The follow-ing chart displays the different modes you will encounter.

Network Layout


34 ICND1: Cisco IOS

Mode Prompt Typical Use

User Router> Usually the first login prompt when logged in to a Cisco router.

Minimal, fundamental set of non configu-ration commands in this mode.

Only basic router information is given in this mode. Show commands can be given which will result in output displayed in the console screen. Only information about the device is given.

Privileged Router# This mode is accessed by using the enable command from user mode.

You can quit privilege mode by using the disable command.

Can be and should be protected by an enable or enable secret password.

All router functionality can be accessed from this level.

Ping interfaces.

Telnet to devices.

Show commands that display routing information, interface protocols, and the systems entire running configuration.

Global Configuration Router(config#) Configure or make changes that affect the entire router.

Change your device host name.

Change passwords.

Set up access lists.

Interface Router(config-if#) Allows you to configure specific interfaces.

Routing-Configuration Router(config-router) Allows you to configure the routing protocol.

Lab Steps

1. On the Network Visualizer screen, double-click on 2811 Router A. This will bring up a console screen.

2. Press Enter and the Router> prompt will appear. You are now in the User mode.

Lab 1.3: Overview of Router Modes 35

3. Change to the Privileged mode.

Router>

Router>enable

4. To configure a device from the CLI, you can make global changes to the router by typ-ing configure terminal (config t for short), which puts you in Global Configuration mode and changes what is known as the running-config. You can type config from the Privileged mode prompt and then just press Enter to take the default of terminal.

Router#config

Configuring from terminal, memory, or network [terminal]?enter

Enter configuration commands, one per line. End with CTRL/Z.

Router(config)#

At this point you make changes that affect the router as a whole, hence the term Global Configuration mode. Notice the prompt is now Router(config)#.

5. To make changes to an interface, you use the interface command from Global Con-figuration mode.

Router(config)#interface ?

Async Async interface

BRI ISDN Basic Rate Interface

BVI Bridge-Group Virtual Interface

CTunnel CTunnel interface

Dialer Dialer interface

FastEthernet FastEthernet IEEE 802.3

Group-Async Async Group interface

Lex Lex interface

Loopback Loopback interface

MFR Multilink Frame Relay bundle interface

Multilink Multilink-group interface

Null Null interface

Tunnel Tunnel interface

Vif PGM Multicast Host interface

Virtual-Template Virtual Template interface

Virtual-TokenRing Virtual TokenRing

range interface range command

Router(config)#interface fastethernet 0/0

Router(config-if)#

Notice the prompt changed to Router(config-if)# to tell you that you are in interface configuration.

36 ICND1: Cisco IOS

6. Sub interfaces allow you to create virtual interfaces within the router. The prompt then changes to Router(config-subif)#.

Router(config)#int f0/0.?

<0-4294967295> FastEthernet interface number

Router(config)#int f0/0.1

Router(config-subif)#

Type exit to go back to Global Configuration mode.

Router(config-subif)#exit

Router(config)#

7. To configure User mode passwords, use the line command. The prompt then becomes Router(config-line)#.


Router(config)#line ?

<0-70> First Line number

aux Auxiliary line

console Primary terminal line

tty Terminal controller

vty Virtual terminal

Router(config)#line console 0

Router(config-line)#

The line console 0 command is known as a major, or global, command, and any command typed from the (config-line) prompt is known as a subcommand.

8. Type exit to go back to Global Configuration mode.

Router(config-line)#exit

Router(config)#

9. The line vty 0 1180 command is used to control inbound telnet connections. This is part of a series of commands that you use to set passwords for interfaces so that you can set up interface security and telnet from one device to another.

Router(config)#line vty 0 1180

Router(config-line)#

10. Type exit to go back to Global Configuration mode.


Router(config)#

11. To configure routing protocols like RIP, use the prompt (config-router)#.

Router(config)#router rip

Router(config-router)#

Lab 1.4: Editing and Help Features 37

It is not important that you understand what each of these commands do at this time. These will all be explained later in greater detail. What you need to understand is the different prompts available. This program sup-ports the line console and line vty commands.

12. Type control+z to go back to Global Configuration mode. Control+z is noted as ctrl+z.

Router(config-router)#ctrl+z

Router#

Lab 1.4: Editing and Help FeaturesYou can use the Cisco® advanced editing features to help you configure your router or switch. This lab will teach you how and where to use a question mark (?) from the CLI as well as how to use keystrokes to help you edit your command strings.

Network Layout


38 ICND1: Cisco IOS

Lab Steps


2. Press enter and the Router> prompt will appear. You are now in the User mode.

3. Change to the Privileged mode.

Router>

Router>enable

4. By using a question mark (?) at any prompt, you can see the list of commands available from that prompt.

Router#?

Exec commands:

access-enable Create a temporary Access-List entry

access-profile Apply user-profile to interface

access-template Create a temporary Access-List entry

archive manage archive files

bfe For manual emergency modes setting

cd Change current directory

clear Reset functions

clock Manage the system clock

cns CNS subsystem

configure Enter configuration mode

connect Open a terminal connection

copy Copy from one file to another

debug Debugging functions (see also 'undebug')

delete Delete a file

dir List files on a filesystem

disable Turn off privileged commands

disconnect Disconnect an existing network connection

enable Turn on privileged commands

erase Erase a filesystem

exit Exit from the EXEC

help Description of the interactive help system

--More--

At this point, you can press the spacebar to get another page of information, or you can press Enter to go one command at a time. You can also press any other key to quit and Enter to return to the prompt.

Lab 1.5 Using Shortcut Commands and Tab Completion 39

5. To find commands that start with a certain letter, use the letter and the question mark (?) with no space between them.

Router#c?

clear

clock

cns

configure

connect

copy cd

Router#c

Notice that by typing “c?”, we receive a response of all the commands that start with “c”. Also notice that the Router# prompt appeared with our command still present. This is helpful when you have long commands and need the next possible command.

Supported Commands in CCNA Virtual Lab, Titanium Edition 3.0

Commands supported in this program were specifically chosen to represent the most important commands needed in configuring networks and in preparing for the CCNA exam. When you enter a help command such as ?, you will see a complete list of IOS commands. However, not all are available and supported in this program.

To view supported commands for CCNA Virtual Lab, Titanium Edition 3.0:

1. Bring up a console screen.

2. Click the View menu.

3. Click Supported Commands.

40 ICND1: Cisco IOS

6. To find the next command in a string, type the first command and then a question mark. Set the router’s clock by typing clock ? and following the help screens; set the router’s time and date.

Router#clock ?

set Set the time and date

Router#clock set ?

hh:mm:ss Current Time

Router#clock set 10:30:10 ?

<1-31> Day of the month

MONTH Month of the year

Router#clock set 10:30:10 28 ?

MONTH Month of the year

Router#clock set 10:30:10 28 december ?

<1993-2035> Year

Router#clock set 10:30:10 28 december 2007 ?

<cr>

Router#

By typing the clock command, then a space and a question mark, you will get a list of the next possible commands and what they do. Notice that we just kept typing a command, a space, and then a question mark until < cr> (carriage return) was our only option.

7. Type show clock to see the time and date you have set.

8. If you are typing commands and receive this:

Router#clock set 10:30:10

% Incomplete command.

Then you know that the command string is not complete. Just press the up arrow key to view the last command entered, then continue with the command by using your question mark.

9. Also, if you receive this error:

Router#clock shut 10:30:10 28 8

^

% Invalid input detected at '^' marker.

You have entered the command incorrectly. The caret (^) marks the point where you have entered the command incorrectly. This is very helpful.

10. You may receive an error when you type in a command that the program cannot match with any known command. For example,

Router#sh s

% Ambiguous command: "sh s"


It means you did not enter all the keywords or values required by this command. Use the question mark to find the command you need.

Router#sh s?

scp

sessions

slm

smas

smf

snapshot

snmp

spanning-tree

stacks

standby

startup-config

subscriber-polocy

subsys

11. Type show access-list 10. Don’t press Enter.

12. Notice the cursor is at the end of the line. Type Ctrl+ A. This takes you to the begin-ning of the line.

13. Type Ctrl+ E. This should take you back to the end of the line.

14. Type Ctrl+ A, then type Control+ F. This should move you forward one character.

15. Type Ctrl + B, which will move you back one character.

16. Press Enter, then type Ctrl + P. This will repeat the last command.

17. Press the up arrow on your keyboard. This will also repeat the last command.

18. Use the show history command to see the last 10 commands entered on the router.

Router#sh history

19. Use the show terminal command to verify the terminal history size.

Router#sh terminal

20. The terminal history size command, used from Privileged mode, can change the size of the history buffer.

Router#terminal history size ?

<0-256> Size of history buffer

Router#terminal history size 25

42 ICND1: Cisco IOS

21. Verify the change with the show terminal command.

Router#sh terminal

22. Type terminal no editing . This turns off advanced editing. Repeat steps 9-13 to see that the shortcut editing keys have no effect.

23. Type terminal editing and press Enter to re-enable advanced editing.

24. Type sh run, then press your tab key. This will finish typing the command for you.

Editing Command TableThe following table displays the editing commands:

Command Description

? Gives you a help screen

<ctrl A> Moves your cursor to the beginning of the line

<ctrl D> Deletes a single character

<ctrl E> Moves your cursor to the end of the line

<ctrl F> Moves forward one character

<ctrl-R> Redisplays a line

<ctrl-U> Erases a line

<ctrl-W> Erases a word

<ctrl-Z> Ends configuration mode and returns to EXEC

<esc B> Moves back one word

<esc F> Moves forward one word

backspace Deletes a single character

tab Finishes typing a command for you


Lab 1.5: Using Shortcut Commands and Tab Completion in Gathering Basic Router InformationIn this lab you will learn about shortcut commands and the tab completion function. You will use these concepts and commands used to gather basic information about a Cisco router.

Network Layout


44 ICND1: Cisco IOS

Lab Steps


2. Press Enter and the Router> prompt will appear. You are now in the user mode.

3. Change to the privileged mode.

Router>

Router>en

Shortcut Commands

Most Cisco IOS commands do not have to be completely spelled out. To facilitate being able to more quickly enter commands, you only have to enter part of a command, plus, each word in a command can be abbreviated. For example the command enable can be shortened to en. Another example is the command show running-configurations. You can abbreviate that and just type in sh run. A final example is when you have the com-mand show interfaces. You only need to type in sh int. The router or switch knows what you mean and correctly interprets and carries out that command.

You do need to type in enough letters for each word in a command for the router or switch to correctly understand and interpret what you are trying to do. If you do not, you will receive feedback that one or more of your words are ambiguous. The reason for that is that letters in one or more of the words in your command can be used to spell out different words. In that case the device does not know what you want to do; there are too many possibilities.

For example, type the following:

Router>#s ver

I get 2811A#s ver

Cisco IOS Software, 2800 Software (C2800NM-ADVIPSERVICESK9-M), Version 12.4(9)T1, RELEASE SOFTWARE (fc2)

Technical Support: http://www.cisco.com/techsupport

Copyright (c) 1986-2006 by Cisco Systems, Inc.[output cut]

Router>A#s v

% Ambiguous command: “show v”

2811 Router A recognized “s” to mean “show” but it did not recognize “v”.

Lab 1.5: Using Shortcut Commands and Tab Completion 45

Enter the following command:

Router>#s v?

vc-group version vlan-range vlan-switch

vlans voice voip vpdn

vrrp vsp vtemplate vtp

In this case “v” could be the first letter in 12 different words.

On a real 2800 device you would get the output with 12 different words. This program does not have 12 different words; therefore, your output will be different.

Try this:

2811A#s v?

Version

Router>#s ver

Cisco IOS Software, 2800 Software (C2800NM-ADVIPSERVICESK9-M), Version 12.4(9)T1, RELEASE SOFTWARE (fc2)


Copyright (c) 1986-2006 by Cisco Systems, Inc.

[output cut]

The 2811 A router recognized “s” to mean “show” but it did not recognize “v”.

Enter the following command:

Router>#s v?

% incomplete command

Try this:

2811A#s ve?

Now you only have one word, so, the command s ve will work, along with sh ver, show ver, etc.

46 ICND1: Cisco IOS

4. The command show version will provide basic configuration for the system hardware as well as the software version, the names and sources of configuration files, and the boot images.

Router#sh ver [press the tab key]

Router#sh version

Cisco IOS Software, 2800 Software (C2800NM-ADVIPSERVICESK9-M), Version 12.4(12), RELEASE SOFTWARE (fc1)



Compiled Fri 17-Nov-06 12:02 by prod_rel_team

ROM: System Bootstrap, Version 12.4(13r)T, RELEASE SOFTWARE (fc1)

Router uptime is 4 weeks, 6 days, 18 hours, 29 minutes

System returned to ROM by power-on

System image file is "flash:c2800nm-advipservicesk9-mz.124-12.bin"

This product contains cryptographic features and is subject to United

States and local country laws governing import, export, transfer and

use. Delivery of Cisco cryptographic products does not imply

third-party authority to import, export, distribute or use encryption.

Importers, exporters, distributors and users are responsible for

compliance with U.S. and local country laws. By using this product you

agree to comply with applicable laws and regulations. If you are unable

to comply with U.S. and local laws, return this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found at:

http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

If you require further assistance please contact us by sending email to

[email protected].

Cisco 2811 (revision 53.51) with 249856K/12288K bytes of memory.

Processor board ID FTX1048A54G

2 FastEthernet interfaces

4 Serial(sync/async) interfaces

DRAM configuration is 64 bits wide with parity enabled.

239K bytes of non-volatile configuration memory.

62720K bytes of ATA CompactFlash (Read/Write)

Configuration register is 0x2102

Router#

The version number can be found on the first line of ouput ...

Cisco IOS Software, 2800 Software (C2800NM-ADVIPSERVICESK9-M), Version 12.4(12), RELEASE SOFTWARE (fc1).

Lab 1.5: Using Shortcut Commands and Tab Completion 47

The show version command gives you how long the router has been running, how it was restarted, the IOS filename running, the model hardware and processor versions, and the amount of DRAM. Also, the configuration register value is listed last. The above router has 256 megabytes of RAM and 64 megabytes of Flash.

5. You can view the router files by typing the command show running-config or show startup-config from privileged mode. The sh run command, which is the shortcut for show running-config, tells us that we are viewing the current configuration.

Router#sh run



!

version 12.4




!

hostname Router

[cut]

6. The sh start command, which is the shortcut for the show startup-config com-mand, shows us the configuration that will be used the next time the router is reloaded and also shows us the amount of NVRAM used to store the startup-config file.

Router#sh start



!

version 12.4


Tab Completion Function

Most of the time you will use shortcut commands to configure devices because they are quick and convenient. However, if for any reason you want to enter all the words in a command, there is an alternative to manually entering every character. You can use the Tab Completion function to spell out any word. Just type part of the word and then press your tab key. It will complete the word. As shown in the earlier command in this lab you can type “sh ver” and press the tab key. The word “version” will be spelled out.

48 ICND1: Cisco IOS



!

hostname Router

[cut]

7. You can delete the startup-config file by using the command erase startup-config. Once you perform this command, you will receive an error if you try to view the startup-config file.

Router#erase startup-config

Erasing the nvram file system will remove all configuration files! Continue? [confirm] (press Enter)

[OK]

Erase of nvram: complete

Router#

00:13:30: %SYS-7-NV_BLOCK_INIT: Initialized the geometry of ...

[cut]

8. Verify that you have erased the startup configuration.

Router#sh start

startup-config is not present

Router#

Lab 1.6: Setting PasswordsThere are five passwords used to secure Cisco routers.

NN The first two passwords discussed in this lab are used to set your enable password, which is used to secure privileged mode. This will prompt a user for a password when the enable command is used.

NN The other three are used to configure a password when user mode is accessed either through the console port, the auxiliary port, or Telnet.

Lab 1.6: Setting Passwords 49

Lab Steps




Router>

Router>enable

4. Set the two enable passwords on your router. You set the enable passwords from Global Configuration mode.

Router(config)#enable ?

last-resort Define enable action if no TACACS servers respond

Network Layout


50 ICND1: Cisco IOS

password Assign the privileged level password

secret Assign the privileged level secret

use-tacacs Use TACACS to check enable passwords

The enable secret and enable password commands are the only enable passwords that are supported in our program at this time.

Router(config)#enable secret todd

Router(config)#enable password cisco

Since the enable secret supercedes the enable password, don’t bother to use the enable password since it will never be used if the enable secret is set.

5. Set your user mode passwords by using the line command.

Router(config)#line ?


aux Auxiliary line


tty Terminal controller


x/y Slot/Port for Modems

x/y/z Slot/Subslot/Port for Modems

NN Router(config)#line Aux is used to set the user-mode password for the auxiliary port. This is typically used for configuring a modem on the router but can be used as a console as well.

NN Console is used to set a console user-mode password.

NN Vty is used to set a Telnet password on the router. If the password is not set, then Telnet cannot be used by default.

NN This program does not support the tty and x/y and x/y/y modem line commands.

To configure the user mode passwords, you configure the line you want and use either the login or no login command to tell the router to prompt for authentication.

6. Set the auxiliary password on your router. To configure the auxiliary password, go to global configuration mode and type line aux?. Notice that you only get a choice of 0–0 because there is only one port.

Router#config t


Router(config)#line aux ?


Router(config)#line aux 0

Lab 1.6: Setting Passwords 51

Router(config-line)#login

% Login disabled on line 65, until 'password' is set

Router(config-line)#password todd


It is important to remember the login command, or the auxiliary port won’t prompt for authentication. However, in the newer IOS that we are now running, the login command cannot be set until you set a password. The reason they added this feature is because if you set the login command and not a password, you are locked out from that line.

7. Set your console password on your router. To set the console password, use the line console 0 command. However, notice that when we tried to type line console 0 ? from the aux line configuration, we got an error. You can still type line console 0 and it will accept it; however, the help screens do not work from that prompt. Type Exit to get back one level if you want to use the help option.

Router(config-line)#line console ?

% Unrecognized command


Router(config)#line console ?


Router(config)#line console 0


% Login disabled on line 0, until 'password' is set

Router(config-line)#password todd1


Since there is only one console port, we can only choose line console 0. The new login feature works on the console line too.

8. Set the optional console port commands on your router. There are a few other impor-tant commands to know for the console port.

The exec-timeout 0 0 command sets the timeout for the console EXEC session to zero, or to never time out. To have fun with your friends at work, set it to 0 1, which makes the console time out in 1 second! The way to fix that is to continually press the down arrow key while changing the timeout time with your free hand.

Logging synchronous is a nice command, and I think it should be a default command, but it is not. What this command provides is to stop console messages from popping up and disrupting input you are trying to type. This command makes reading your input messages much easier.

Here is an example of how to configure both commands:

Router(config)#line con 0

Router(config-line)#exec-timeout ?

<0-35791> Timeout in minutes

52 ICND1: Cisco IOS

Router(config-line)#exec-timeout 0 ?

<0-2147483> Timeout in seconds

<cr>

Router(config-line)#exec-timeout 0 0

Router(config-line)#logging synchronous

9. Set your Telnet password on your router. To set the user-mode password for Telnet access into the router, use the line vty command.

Router(config)#line vty 0 ?

<1-4> Last Line number

<cr>

Router(config)#line vty 0 1180

Router(config-line)#password todd2

Notice we did not use the login command with this line configuration. The login com-mand is set by default on the VTY lines, which stops anyone telneting into the router until you set a password.

If you try to telnet into a router that does not have a VTY password set, you will receive an error stating that the connection is refused because the password is not set. You can tell the router to allow Telnet connections without a password by using the no login command.

By setting this next command, you will not be prompted for password when telneting into the router. This is not recommended, but this is how you would do that:

Router(config-line)#line vty 0 4

Router(config-line)#no login

Router(config-line)#ctrl+z

Router#

After your routers are configured with an IP address, you can use the Telnet program to configure and check your routers. You can use the Telnet program by typing telnet from any command prompt (DOS or Cisco).

Lab 1.7: Encrypting Your PasswordsOnly the enable secret password is encrypted by default. You need to manually configure the user mode and enable passwords.

Lab 1.7: Encrypting Your Passwords 53

Lab Steps


2. Press Enter and the Router> prompt will appear. You are now in the user mode. Change to the privileged mode.

Router>

Router>enable

3. Notice that you can see all the passwords except the enable secret when performing a show running-config command on a router.

Router#sh run


Network Layout


54 ICND1: Cisco IOS


!

version 12.4

service timestamps debug uptime

service timestamps log uptime


!

hostname Router

!

enable secret 5 $1$F/gZ$mNTwylb4ZJ4J1WW97nUJG.

enable password cisco

!

[output cut]

line con 0

password todd1

logging synchronous

login

line aux 0

password todd

login

line vty 0 4

password todd2

login

line vty 5 15

password todd2

login

!

!

end

Router#

The line ... enable secret 5 $1$F/gZ$mNTwylb4ZJ4J1WW97nUJG shows an encrypted enable password.

4. To manually encrypt your passwords, use the service password-encryption command. Here is an example of how to perform manual password encryption.

Router#config t


Router(config)#service password-encryption

Router(config)#exit

Lab 1.7: Encrypting Your Passwords 55

5. The show running-config command, you can see the enable password and the line passwords are all encrypted. If you don’t type show running-config, it does not encrypt the passwords.

Router#show running-config

[cut]

hostname Router

!

enable secret 5 $1$F/gZ$mNTwylb4ZJ4J1WW97nUJG.

enable password 7 05080F1C2243

!

[cut]

!

line con 0

password 7 111D16011343

logging synchronous

login

line aux 0

password 7 044F04020B

login

line vty 0 4

password 7 051F090B251E

login

line vty 5 15

password 7 105A061D0145

login

!

6. Since the service password-encryption is a router process, you do not want to keep this running in the background. Once you perform a show running-config and see the encrypted passwords, turn off the process. After entering the command no service password-encryption, your passwords will still be encrypted until they are reset.

Router#config t

Router(config)#no service password-encryption

Router(config)#ctrl+z

56 ICND1: Cisco IOS

Lab 1.8: Saving Your ConfigurationsIf you have made changes to a device you will want to permanently save the configurations. Your running configuration is only in memory and if something happened; for example, if you lost power to a device, you would lose all unsaved entries. That is why you want to save your running configurations (DRAM) to the permanently stored startup configurations (NVRAM). You can manually save the file from DRAM to NVRAM by using the copy running-config startup-config command. You can also use the shortcut copy run start.

Lab Steps

1. Save the configuration on 2811 Router A.

Router#copy run start

Destination filename [startup-config]?enter


Network Layout


Lab 1.9: Setting Router Banners 57

This will now place the file you created into NVRAM, which will be used the next time the router is booted up.

2. You can view this file with the show startup config command.

Router#show start

Lab 1.9: Setting Router BannersYou can set a banner on a Cisco® router so that when either a user logs into the router or an administrator telnets into the router, for example, a banner will give them information you want them to have. Another reason for having a banner is to add a security notice to users dialing into your internetwork.

Network Layout


58 ICND1: Cisco IOS

The command to use is from global configuration mode and shown below:

Router(config)#banner ?

LINE c banner-text c, where 'c' is a delimiting character

exec Set EXEC process creation banner

incoming Set incoming terminal line banner

login Set login banner

motd Set Message of the Day banner

prompt-timeout Set Message for login authentication timeout

slip-ppp Set Message for SLIP/PPP

This program only supports the MOTD banner.


2. The Message of the Day is the most used and gives a message to every person dialing in or connecting to the router, via Telnet, auxiliary port, or console port.

Router(config)#banner motd ?

LINE c banner-text c, where 'c' is a delimiting character

Router(config)#banner motd #

Enter TEXT message. End with the character '#'.

If you are not authorized to be in RouterSim.com network, then you must disconnect immediately.

#

Router(config)#ctrl+z

Router#

00:25:12: %SYS-5-CONFIG_I: Configured from console by console

Router#exit


Press RETURN to get started.

If you are not authorized to be in RouterSim.com network, then you must disconnect immediately.

Router>

Lab 1.10: Configuring Interfaces for the 2621 Router 59

Lab 1.10: Configuring Interfaces for the 2621 RouterInterface configuration is one of the most important configurations of the router. Without interfaces, the router is useless. Interface configurations must be exact to be able to com-municate with other devices. Interface configuration will be presented for three different devices (in labs 1.10 - 1.12) so that you can see differences among the interfaces:

N 2621 Router

NN 2811 Router

N 3560 Switch

Network Layout


60 ICND1: Cisco IOS

Interfaces correspond to the physical ports available on a device. In this instance the 2621 router has two serial ports and two Fast Ethernet ports:

NN s0/0

NN s0/1

NN fa0/0

NN fa0/1

As you read through the following steps you will notice a correspondence between inter-face and port names. This means you have to use the same names or shortcut commands as the names of the ports.

Lab Steps




Router>

Router>enable

4. Change to the Global Configuration mode.

Router#config



Router(config)#


5. Type interface ? to see all the interfaces available on the router.



BRI ISDN Basic Rate Interface






Lex Lex interface




Null Null interface






The output will vary depending on the type of router device you are connected to.

6. Type the command interface serial ?. To configure the 2621 router interfaces, the con-figuration would be interface type slot/port. The output below shows a 2621 router with 2 serial interfaces, which are labeled 0/0 and 0/1. The first option is the slot and the second option is the port. Each 2621 has two slots that can be filled with physical interfaces. The routers we use in this program only have interfaces in slot 0.

Router(config)#interface serial ?

<0-1> Serial interface number

Router(config)#int serial 0


Router(config)#int serial 0?

/

Router(config)#int serial 0/?


7. At this point you must choose the interface you want to configure. Once you do that, you will be in interface configuration for that interface. The command to choose serial port 1, for example, would be:

Router(config)#interface serial 0/1

Router(config-if)#exit

62 ICND1: Cisco IOS

8. The 2621 router also has two FastEthernet 10/100BaseT ports. For example, the FastEthernet interface configuration is shown below:

Router(config)#interface fastethernet ?


Router(config)#int fastethernet 0


Router(config)#int fastethernet 0?

/

Router(config)#int fastethernet 0/?


Notice that you cannot type int fastethernet 0/. You must type the full command, which is type slot/port, or int fastethernet 0/0. You can type the shortcut int fa 0/0 as well.

9. At this point you must choose the interface you want to configure. Once you do that, you will be in interface configuration for that interface. The command to choose Fast Ethernet port 1, for example, would be:

Router(config)#int fastethernet 0/1


Router(config)#>ctrl+z

Lab 1.11: Configuring Interfaces for the 2811 RouterInterface configuration is one of the most important configurations of the router. Without interfaces, the router is useless. Interface configurations must be exact to be able to com-municate with other devices. Interface configuration will be presented for three different devices (in labs 1.10 - 1.12) so that you can see differences among the interfaces:

NN 2621 Router

NN 2811 Router

NN 3560 Switch


Interfaces correspond to the physical ports available on a device. In this instance the 2811 router has four serial ports and two Fast Ethernet ports:

NN s0/0/0

NN s0/0/1

NN s0/1/0

NN s0/1/1

NN fe0/0

NN fe0/1

Network Layout


64 ICND1: Cisco IOS

As you read through the following steps you will notice a correspondence between inter-face and port names. This means you have to use the same names or shortcut commands as the names of the ports.

Lab Steps




Router>

Router>enable


Router#config



Router(config)#





CDMA-Ix CDMA Ix interface






Lex Lex interface




Null Null interface

Port-channel Ethernet Channel of interfaces

Serial Serial



Virtual-PPP Virtual PPP interface



XTagATM Extended Tag ATM interface



6. Type the command interface serial ?. To configure the 2811 router interfaces, the con-figuration would be interface type router/slot/port. The output below shows a 2811 router with 2 serial interfaces, which are labeled 0/0/0 and 0/0/1. The first option is the router, the second option is the slot, and the third option is the port. Each 2811 has two slots that can be filled with physical interfaces.

Router(config)#interface serial ?


Router(config)#int serial 0


Router(config)#int serial 0?

/

Router(config)#int serial 0/?


Router(config)#int serial 0/0?

. / : <0-19>

Router(config)#int serial 0/0/


7. At this point you must choose the interface you want to configure. Once you do that, you will be in interface configuration for that interface. The command to choose serial port 1, for example, would be:

Router(config)#interface serial 0/0/1


66 ICND1: Cisco IOS

8. The 2811 router also has two FastEthernet 10/100BaseT ports. For example, the FastEthernet interface configuration is shown below:

Router(config)#interface fastethernet ?


Router(config)#int fastethernet 0


Router(config)#int fastethernet 0?

/

Router(config)#int fastethernet 0/?



9. At this point you must choose the interface you want to configure. Once you do that, you will be in interface configuration for that interface. The command to implement FastEthernet port 1, for example, would be:

Router(config)#int fastethernet 0/1


Router(config)#>ctrl+z

Lab 1.12: Configuring Interfaces for the 3560 SwitchInterface configuration is one of the most important configurations of the switch. Without interfaces, the switch is useless. Interface configurations must be exact to be able to com-municate with other devices. Interface configuration will be presented for three different devices (in labs 1.10 - 1.12) so that you can see differences among the interfaces:

NN 2621 Router

NN 2811 Router

NN 3560 Switch

Lab 1.12: Configuring Interfaces for the 3560 Switch 67

Interfaces correspond to the physical ports available on a device. In this instance the 3560 switch has eight Fast Ethernet ports. As you read through the following steps you will notice a correspondence between interface and port names. This means you have to use the same names or shortcut commands as the names of the ports.

Network Layout


68 ICND1: Cisco IOS

Lab Steps

1. On the Network Visualizer screen, double-click on 3560 Switch A. This will bring up a console screen.

2. Press Enter and the Switch> prompt will appear. You are now in the user mode.


Switch>

Switch>enable


Switch#config



Switch(config)#


Switch(config)#interface ?






Filter Filter interface

Filtergroup Filter Group interface

GigabitEthernet GigabitEthernet IEEE 802.3z


Lex Lex interface


Null Null interface


Portgroup Portgroup interface

Pos-channel POS Channel of interfaces





Lab 1.13: Bringing Up an Interface 69

Vlan Catalyst Vlans

fcpa Fiber Channel



6. The 3560 switch has eight Fast Ethernet 10/100BaseT ports. For example, the Fast Eth-ernet interface configuration is shown below:

Switchconfig)#interface fastethernet ?


Switch(config)#int fastethernet 0


Switch(config)#int fastethernet 0?

/

Switch(config)#int fastethernet 0/?



7. At this point you must choose the interface you want to configure. Once you do that, you will be in interface configuration for that interface. The command to implement FastEthernet port 1, for example, would be:

Switch(config)#int fasthernet 0/1

Switch(config-if)#exit

Switch(config)#>ctrl+z

Lab 1.13: Bringing Up an InterfaceBy default, interfaces are shut down and turned off. That means that packets cannot travel through the device to another connected device. You can turn an interface on with the no shutdown command. You can turn off or shut down an interface with the shutdown com-mand. You can check the status of an interface by using the show interface command. If an interface is shut down, it will display administratively down when using the show interface command, and the show running-config command will also show the interface as shut down.

70 ICND1: Cisco IOS

Lab Steps

1. On the Network Visualizer screen, double-click 2621 Router A. This will bring up a console screen.



Router>

Router>enable

4. Type show interface fastethernet 0 and see that it is administratively down.

Router#show int fa0/0

FastEthernet0/0 is administratively down, line protocol is up

[output cut]

Network Layout


Lab 1.13: Bringing Up an Interface 71

5. Bring up interface FastEthernet 0/0 with the no shutdown command.

Router#config t


Router(config)#int fa0/0

Router(config-if)#no shutdown

Router(config-if)#ctrl+z

00:57:08: %LINK-3-UPDOWN: Interface Fastethernet 0/0, changed state to up

00:57:09: %LINEPROTO-5-UPDOWN: Line protocol on Interface Fastethernet 0/0, changed state to up

Router#sh int fa0/0

Fastethernet 0/0 is up, line protocol is up

6. Configure the router to enable all interfaces by issuing the no shutdown command on all interfaces.

Interface and Connection StatesThere are four possible states that you can have in examining if interfaces are turned on and devices properly connected.

FastEthernet Interface

FastEthernet0/0 is administratively down, line protocol is down There are a couple pos-sibilities with this current state.

NN The two devices are not connected and each f0/0 interface on both routers is explicitly shutdown.

NN The two devices are connected and each f0/0 interface on both routers is explicitly shutdown.

FastEthernet0/0 is up, line protocol is down If the two devices are connected this output means that one interface is turned up and the other interface f0/0 is shut down.

Router(config)#int f0/0

Router(config-if)#no shut

23:03:18 %LINK-3-UPDOWN: Interface FastEthernet0/0, changed state to up

72 ICND1: Cisco IOS

23:03:18 %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to up

FastEthernet0/0 is up, line protocol is up This means that the routers are connected and the interfaces are turned on for both routers with the no shut command.

Serial Interface

Serial0/0 is administratively down, line protocol is down There are a couple possibilities with this current state.

NN The two devices are not connected and each s0/0 interface on both routers is explicitly shutdown.

NN The two devices are connected and each s0/0 interface on both routers is explicitly shutdown.

Serial0/0 is down, line protocol is down If the two devices are connected this output means that one interface is turned up and the other interface s0/0 is shut down.

Router(config)#int s0/0


23:03:18 %LINK-3-UPDOWN: Interface Serial0/0, changed state to up

23:03:18 %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0, changed state to up

Serial0/0 is up, line protocol is up This means that the routers are connected and the interfaces are turned on for both routers with the no shut command.

Lab 1.14: Configuring an IP Address on an Interface 73

Lab 1.14: Configuring an IP Address on an InterfaceYou don’t have to use IP on your routers; however, IP is typically used on all routers and it certainly is used in this program. To configure IP addresses on an interface, use the ipaddress command from interface configuration mode.

Lab Steps

1. Configure the FastEthernet 0/0 interface on 2621 Router A with the IP address of 172.16.10.2/24.

Router#config t

Router(config)#int fa0/0

Network Layout


74 ICND1: Cisco IOS

Router(config-if)#ip address 172.16.10.2 255.255.255.0


Notice that in order to enable an interface, we use the no shut command. Remember to look at the command show interface fa0/0, for example, which will show you if it is administratively shut down or not. Showrunning-config will also show you if the interface is shut down.

2. If you want to add a second subnet address to an interface, then you must use the sec-ondary command.

If you type another IP address and press Enter, it will replace the existing IP address and mask. To add a secondary IP address, use the secondary command.

Router(config-if)#ip address 172.16.20.2 255.255.255.0 secondary


3. You can verify both addresses are configured on the interface with the show running-config command (show run for short).

Router#show run


Current configuration:

[output cut]

!

interface Fastethernet 0/0

IP address

Unique identification number for a device that is located on a network. An IP address is equivalent to the address of your home. The format of an IP address is a 32-bit numeric address written as four numbers separated by periods. Each number can be zero to 255. For example, 172.16.10.6 could be an IP address.

Subnet Address

Is a range of logical addresses within the address space of an organization. This allows you to take one network and turn it into many more, smaller networks. This allows for less network traffic on each network and faster and more efficient networks.

Lab 1.15: Serial Interface Commands 75

ip address 172.16.20.2 255.255.255.0 secondary

ip address 172.16.10.2 255.255.255.0

Lab 1.15: Serial Interface CommandsTo configure a serial interface, there are a couple of specifics that need to be discussed.

Serial Interface

You have a connection between two devices where data is sent between the two, one bit at a time. This occurs in only one direction at a time.

76 ICND1: Cisco IOS

Typically, when in production, the interface will be attached to a CSU/DSU type of device that provides clocking for the line. However, if you have a back-to-back configura-tion used in a lab environment, for example, one end must provide clocking. This would be the DCE end of the cable. Cisco routers, by default, are all DTE devices, and you must tell an interface to provide clocking if it is to act as a DCE device. If you don’t completely understand this right now, don’t worry, you will. Just run through the commands below for now and I promise it will become clear to you later.

CSU/DSU

A telecommunication device used to connect a carrier circuit to a router. The carrier circuit can be a DS1 or DS3, T1 or T3. The CSU/DSU converts the DS1 signal into signal that the local network can understand. The CSU/DSU also converts the signal from the local network into a DS1 signal so it can be carried back across the DS1 circuit.

Network Layout


Lab 1.15: Serial Interface Commands 77

Lab Steps

1. Double-click on router 2621 Router A to bring up the console. Go to the privilegedmode.

2. You can configure a DCE serial interface with the clock rate command. Configure an interface that has a DCE connection.

Router#config t


Router(config)#int s0/0

Router(config-if)#clock rate ?

Speed (bits per second)

1200

2400

4800

9600

19200

38400

56000

64000

72000

125000

148000

250000

500000

800000

1000000

1300000

2000000

4000000

<300-4000000> Choose clockrate from list above

Router(config-if)#clock rate 64000

Router(config-if)#int s0/1

Router(config-if)#clock rate 64000

It does not hurt anything to try and put a clock rate on an interface. Notice that the clock rate command is in bits per second.

If you are not on an interface that is set to DCE, you will receive an error when trying this command.

78 ICND1: Cisco IOS

3. The next command you need to understand is the bandwidth command. Every Cisco router ships with a default serial link bandwidth of a T1, or 1.544Mbps. However, understand that this has nothing to do with how data is transferred over a link. The bandwidth of a serial link is used by routing protocols such as IGRP, EIGRP, and OSPF to calculate the best cost to a remote network. If you are using RIP routing, then the bandwidth setting of a serial link is irrelevant.

Router(config-if)#bandwidth ?

<1-10000000> Bandwidth in kilobits

Router(config-if)#bandwidth 64

4. Notice that unlike the clock rate command, the bandwidth command is configured in kilobits.

Lab 1.16: Setting the Router HostnamesYou can uniquely identify a device by giving it a hostname; you use the hostname com-mand. This is only locally significant for the administrator, which means it has no bearing on how the router performs name lookups on the internetwork.

On a router the default hostname is Router and Switch on switches. This stays in effect until you intentionally change the hostname.

Lab Steps

1. Set the hostname of 2621 Router A.


Router#config t


Router(config)#hostname 2621A

2621A(config)#

2. Notice that when you press Enter the command takes effect immediately.

Lab 1.17: Setting Interface Descriptions 79

Lab 1.17: Setting Interface DescriptionsSetting descriptions on an interface is helpful to the administrator and, like the hostname, only locally significant. For example, this is a helpful command because it can be used to keep track of circuit numbers.

Network Layout


80 ICND1: Cisco IOS

Lab Steps

1. On 2621 Router A, set the description of interface FastEthernet 0/0 to Sales LAN and the serial 0/0 interface to WAN to Miami with a circuit number of 6fdda4321.

2621A(config)#int fa0/0

2621A(config-if)#description Sales LAN

2621A(config-if)#int s0/0

2621A(config-if)#desc Wan to Miami circuit:6fdda4321

2. You can view the description of an interface either with the show running-config command or the show interface command.

2621A#show run

[output cut]

interface FastEthernet0/0

Network Layout


Lab 1.18: Verifying Your Configuration 81

description Sales LAN


ip address 172.16.10.2 255.255.255.0

no ip directed-broadcast

!

interface Serial0/0

description Wan to Miami circuit:6fdda4321

no ip address


shutdown

2621A#show int fa0/0

FastEthernet 0/0 is up, line protocol is up

Hardware is AmdFE, address is 00b0.6483.2120 (bia 00b0.6483.2120)

Description: Sales LAN

[cut]

2621A#show int s0/0

Serial 0/0 is administratively down, line protocol is down

Hardware is HD64570

Description: Wan to Miami circuit:6fdda4321

[cut]

2621A#

Lab 1.18: Verifying Your ConfigurationOnce you take a look at the running-config, and it appears that everything is in order, you can verify your configuration with utilities, like Ping and Telnet.

Troubleshooting Tip

If you have a local host, to remote host connection issue ...

NN Use the ping command to ping your PC’s local ip address

NN Use the ping command to ping your PC’s default gateway

NN Ping the ip address of the machine or web page you are trying to reach

NN Traceroute the ip address of the machine or web page you are trying to reach

Depending on which of the above tasks fail is where you should begin your search for the connection issue. Always make sure to check if your subnets and mask are correct from end to end.

82 ICND1: Cisco IOS

Lab Steps

1. Bring up the console for 2621 Router A.

2. You can ping with different protocols, and you can see this by typing ping ? at the router user mode or privileged mode prompt, but not configuration mode.

Network Layout


Ping

A diagnostic program that sees if a specific IP address is accessible. Packets are sent to the specified location and if they return correctly, communication was successful. This is used to verify connection to a remote host. Ping works at layer 3 of the OSI model.


2621A#ping ?

WORD Ping destination address or hostname

clns CLNS echo

ip IP echo

tag Tag encapsulated IP echo

<cr>

This program only supports IP ping at this time.

3. You can also use the traceroute program to find the path a packet takes as it traverses an internetwork. Traceroute can also be used with multiple protocols.

2621A#traceroute ?

WORD Trace route to destination address or hostname

appletalk AppleTalk Trace

clns ISO CLNS Trace

ip IP Trace

ipv6 IPv6 Trace

ipx IPX Tra

<cr>

This program only supports IP with the trace command.

4. Telnet can be used to test IP connectivity and to gain access into remote routers. Once you gain access into the remote router you can interact with the device as though you are physically in front of it. From the router prompt, you do not need to type the telnet command. If you just type a hostname or IP address, it will assume you want to telnet. The following example shows how to use Telnet from a router prompt. However, you need to have a configured a working network and destination host for Telnet to be suc-cessful. We will use Telnet more in other labs.

2621A#telnet ?

WORD IP address or hostname of a remote system

<cr>

Traceroute

A TCP/IP utility that allows a user to determine if two computers are communicating successfully with each other. This network tool is used to determine the route taken by packets across an IP network. The time and location of the route taken to reach its des-tination computer is displayed. Traceroute works at layer 3 of the OSI model.

84 ICND1: Cisco IOS

5. Another way to verify your configuration is by typing show interface commands. The first command is show interface?, which shows us all the available configured or physical interfaces for a device. The only interfaces that are not logical are FastEthernet and Serial.

2621A#show int ?









Null Null interface

Serial Serial





accounting Show interface accounting

crb Show interface routing/bridging info

dampening Show interface dampening info

description Show interface description

irb Show interface routing/bridging info

mac-accounting Show interface MAC accounting info

mpls-exp Show interface MPLS experimental accounting info

precedence Show interface precedence accounting info

rate-limit Show interface rate-limit info

<cr>

6. You can be specific with the command and use show interface fastethernet 0/0, or serial 0/0.


FastEthernet0/0 is up, line protocol is up

Hardware is AmdFE, address is 00b0.af40.3e18 (bia 00b0.af40.3e18)

Description: Sales Lan

Internet address is 172.16.10.2/24

MTU 1500 bytes, BW 100000 Kbit, DLY 100 usec,

reliablility 255/255, txload 1/255, rxload 1/255

Encapsulation ARPA, loopback not set

Keepalive set (10 sec)

Full -duplex, 100Mb/s, 100BaseTX/FX

ARP type: ARPA, ARP Timeout 04:00:00

Last input 00:00:50, output 00:00:04, output hang never


Last clearing of "show interface" counters never

Queueing strategy: fifo

Output queue 0/40, 0 drops; input queue 0/75, 0 drops

5 minute input rate 0 bits/sec, 0 packets/sec

5 minute output rate 1000 bits/sec, 0 packets/sec

588 packets input, 74628 bytes

Received 588 broadcasts, 0 runts, 0 giants, 0 throttles

0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored

0 watchdog, 0 multicast

0 input packets with dribble condition detected

231 packets output, 53712 bytes, 0 underruns

0 output errors, 0 collisions, 1 interface resets

0 babbles, 0 late collision, 0 deferred

0 lost carrier, 0 no carrier

0 output buffer failures, 0 output buffers swapped out

--More--

[output cut]

7. Use the show controllers command to display information about the physical interface itself. It will also give you the type of serial cable plugged into a serial port. Typically this will only be a DTE cable, which then plugs into a type of Data Service Unit (DSU).

2621A#show controllers s 0/0

Interface Serial0/0

Hardware is PowerQUICC MPC860

DCE V.35, clock rate 64000

idb at 0x813CA7B4, driver data structure at 0x813D1CE8

[output cut]

8. Clear all configurations. You will want to clear the configurations for any router for which you have entered information, up to this point. This will allow you to configure the devices according to the suggested labs without any extraneous information.

2621A#erase startup-config

Erasing the nvram filesystem will remove all configuration files! Continue? [con

firm]enter

[OK]


2621A#

01:58:09: %SYS-7-NV_BLOCK_INIT: Initialized the geometry of nvram

2621A#reload

System configuration has been modified. Save? [yes/no]: no

Proceed with reload? [confirm] enter

Would you like to enter the initial configuration dialog? [yes/no]: n

86 ICND1: Cisco IOS

Lab 1.19: do CommandThe do command allows you ping other devices and view configurations while in the global configuration mode. Before IOS version 12.3, you could not use the do command. You had to be in user or privileged mode in order to ping other devices or view configurations. However, beginning with IOS version 12.3 you can use the do command in the configuration mode to accomplish this. With IOS version 12.2 you can also use the do command if you have the IOS Special Edition (SE). The do command is convenient because you do not have to exit the cur-rent configuration mode and perform the command in the privileged mode.

With this program, there are three devices that will allow you to use the do command in global configuration mode:

N 2811 router

NN 2960 switch

N 3560 switch

Network Layout


Lab 1.19: do Command 87

Lab Steps


2. Press enter and the Router> prompt will appear. You are now in the user mode.


Router>

Router>enable

4. Change to the Global Configuration mode. Perform the do show run command and the do show int s /0/0/0 command.

Router#

Router#config t

Router(config)#do show run



!

version 12.4




!

[output cut]

Router(config)#do show int s 0/0/0

Serial0/0/0 is administratively down, line protocol is down

Hardware is GT96K Serial



Encapsulation HDLC, loopback not set

Keepalive set (10)


Last clearing of "show interface" counters 02:41:59

Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0

Queueing strategy: weighted fair

Output queue: 0/1000/64/0 (size/max total/threshold/drops)

Conversations 0/1/256 (active/max active/max total)

Reserved Conversations 0/0 (allocated/max allocated)

Available Bandwidth 1158 kilobits/sec


88 ICND1: Cisco IOS


1645 packets input, 100265 bytes, 0 no buffer


0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort




2 carrier transitions

DCD=up DSR=up DTR=up RTS=up CTS=up

5. On the Network Visualizer screen, double-click on 3560 Switch A. This will bring up a console screen.

6. Press Enter and the Switch> prompt will appear. You are now in the user mode.


Switch>

Switch>enable

8. Change to the global configuration mode. Perform the do show run command.

Switch#

Switch#config t

3560A(config)#do show run



!

version 12.2

no service pad




!

no aaa new-model

system mtu routing 1500

ip subnet-zero

!

!

!

!

no file verify auto

spanning-tree mode pvst

Lab 1.19: do Command 89

spanning-tree extend system-id

!

vlan internal allocation policy ascending

!


[output cut]

IP Routing

Lab 2: Introduction to IP Routing

This section will discuss the IP routing process. This is an important subject to understand as it pertains to all routers and configurations that use IP. IP routing is the process of moving packets from one network to another network and delivering the packets to hosts. This section will give you the background on how to configure and verify IP routing with Cisco routers.

The following labs are covered in this section:

NN 2.1: Configuring the SDM for the 2811 Router

NN 2.2: Connecting to the SDM using the 2811 Router

NN 2.3: Configuring an Interface with SDM

NN 2.4: Configuring DHCP with SDM

NN 2.5: Configuring Other Items with SDM

NN 2.6: Verifying Configurations with SDM

NN 2.7: Configuring the Routers

NN 2.8: Verifying the Configurations

NN 2.9: Configuring Static Routing

NN 2.10: Verifying Static Routing

NN 2.11: Configuring and Verifying Hosts

NN 2.12: Configuring Default Routing

NN 2.13: Verifying Default Routing

NN 2.14: Configuring RIPv2

NN 2.15: Verifying RIPv2

NN 2.16: Using Traceroute

NN 2.17: Using Debug with a RIPv2 Network

NN 2.18: Configure and Verify a Loopback Interface

NN 2.19: Using ARP (Address Resolution Protocol)

Lab 2: Introduction to IP Routing 93

The following commands are used in this section:

Command Meaning

debug ip igrp events Provides a summary of the IGRP routing information running on the network

debug ip igrp transactions Shows message requests from neighbor routers asking for an update and the broadcasts sent from your router towards that neighbor router

debug ip rip Sends console messages displaying information about RIP packets being sent and received on a router interface

ip classless Global configuration command used to tell a router to forward packets to a default route when the destination network is not in the routing table

ip route Creates static and default routes on a router

network Tells the routing protocol what network to advertise

no auto-summarization Disables auto summarization

no ip route Removes a static or default route

router eigrp as Turns on IP EIGRP routing on a router

router igrp as Turns on IP IGRP routing on a router

router rip Turns on IP RIP routing on a router

show ip protocols Shows the routing protocols and timers associated with each routing protocol configured on a router

show ip route Displays the IP routing table

show protocols Shows the routed protocols and network addresses configured on each interface

version 2 Enables rip version 2

94 IP Routing

Lab 2.1: Configuring the SDM for the 2811 RouterCisco® SDM is a Web-based device-management tool for routers. The SDM is a graphical user interface that allows you to quickly configure the 2811 router. After the initial setup, no interaction with the command line interface (CLI) is required.

Before you can use SDM, you must first manually configure 2811 Router A with the CLI. In this lab we will configure 2811 Router A. Then, there are two more steps that must be finished before you can launch the SDM:

1. Configure Host A because that is where we will launch SDM

2. Set up https services on the router so you can configure 2811 Router A via a secure web browser

Network Layout

Load SDM Layout.rsm before going through the following lab.



3. Click on the file SDM Layout.rsm and click Open.

Lab 2.1: Configuring the SDM for the 2811 Router 95

Lab Steps

1. Double-click 2811 Router A. After the console screen comes up set the hostname and IP addresses of each interface.

Router>enable

Router#config t


2811A(config-line)#interface fastethernet 0/0

2811A(config-if)#ip address 172.16.10.1 255.255.255.0

2811A(config-if)#no shutdown

Router(config-if)#interface fastethernet0/1



2811A(config)#exit

2811A#copy run start

Destination filename [startup-config]? [enter]


[OK]

2811A#

2. Close the console screen.

3. Right-click on Host A.

4. Click on the Configs button.

96 IP Routing

5. On Host A configure:

NN IP Address

NN Subnet Mask

NN Default Gateway

IP Address: 172.16.10.5

Subnet Mask: 255.255.255.0

Default Gateway: 172.16.10.1

6. Click the OK button and then the Close button.

7. Bring up the console screen for 2811 Router A by double clicking on the router. Verify you can reach Host A.

2811A#ping 172.16.10.5

If all is well, you should get the following output from the router!

Sending 5, 100-byte ICMP Echos to 172.16.10.5, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/4 ms

2811A#

8. Configure HTTPS on the 2811 Router A and verify your configurations.

2811A(config-if)#exit

2811A(config)#ip http server

2811A(config)#ip http secure-server

% Generating 1024 bit RSA keys, keys will be non-exportable...[OK]

2811A(config)#ip http authentication local

Lab 2.1: Configuring the SDM for the 2811 Router 97

2811A(config)#username cisco privilege 15 password 0 cisco

2811A(config)#line console 0

2811A(config-line)#login local

2811A(config-line)#line vty 0 1180

2811A(config-line)#privilege level 15


2811A(config-line)#transport input telnet ssh

2811A(config-line)#exit


Before IOS version 12.3, you could not use the do command. You had to be in user or privileged mode in order to ping other devices or view con-figurations. However, beginning with IOS version 12.3 you can use the do command in the configuration mode to accomplish this.

You should now be able to launch the SDM.Rename and Save Your File: Make sure you save the actual network layout file that

you have been working with. You might want to save it to another file name than SDM Layout.rsm. This allows you to start over with a non-configured network if you wish.

1. There are two ways you can save a network layout. The first way is by clicking on the Diskette button on the button bar, at the top of the Network Visualizer screen. You can also click File on the menu and choose Save from the drop down menu.

98 IP Routing

2. A dialog box will appear. At the bottom you will see the file name SDM Layout.rsm. Rename the file. For example, you could name it My SDM Layout.rsm.

3. Click the Save button. At this point your network layout has been saved to a new name. You then have the option of reloading SDM Layout.rsm which is non-configured.

Lab 2.2: Connecting to the SDM using the 2811 RouterNow that we have configured 2811 Router A with HTTPS, we can launch SDM via Host A.

Lab 2.2: Connecting to the SDM using the 2811 Router 99

Lab Steps

1. Put your cursor over Host A and click your right mouse button.

Network Layout

Load SDM Layout.rsm or whatever you named the file when you saved your work in the prior lab.

100 IP Routing

2. Click the Web Browser button.

3. When the web browser appears, enter the URL https://172.16.10.1 and press Enter.

4. Select Yes when the Security Alert Dialog appears.

The following screen may be different, depending on the web browser that you use.


5. When the username and password dialog appears, enter the username and password that you created, in Lab 5.1, Step 8.

Username: cisco

Password: cisco

102 IP Routing

6. The SDM Launch screen will appear.

Do not close this window, it will shut down the SDM. Just minimize the window until you shut down SDM.


7. When the Warning Security Dialog appears, check the Always trust content from publisher option and then select Yes.

8. When the username and password dialog appears again, enter the username and pass-word that you created, in Lab 2.1, Step 8.

Username: cisco

Password: cisco

9. When the Change Default User Name and Password dialog screen appears, change your username and password.

You will not see the following screen after your initial launch of the SDM.

104 IP Routing

You will be prompted to enter the new username and password that you just created. The SDM will load the configuration from router 2811A and you should now be connected to the router via the SDM application.

10. When you are finished with the SDM, close the SDM application, SDM launch page, and the Web browser.

Lab 2.3: Configuring an Interface with SDMIn this lab you will learn how to configure an IP address on a router interface of 2811 Router A, using the SDM.

You must manually configure the interface of 2811 Router A before using the SDM to modify it. See Lab 2.1 on how to configure 2811 Router A. If the SDM is not running, refer to Lab 2.2 on how to load it.

Lab 2.3: Configuring an Interface with SDM 105

Network Layout

Load SDM Layout.rsm or whatever you named the file when you saved your work.

106 IP Routing

Now that you have the SDM application up and running, you will see the main SDM window.

Lab Steps

1. Click on the Configure button (upper left corner of the screen) and a configuration window is displayed.

Lab 2.3: Configuring an Interface with SDM 107

2. Then click on the Interface and Connections button.

3. Click the Edit Interface/Connection tab, and the Edit Interface connection tab is displayed.

4. Double click on the line that displays FastEthernet0/1.

108 IP Routing

. . . and the Interface Feature Edit Dialog screen appears:

5. With the Interface Feature Edit dialog open, you can enter a new IP Address and sub-net mask in the appropriate fields.

6. Click the OK button to change the IP Address and subnet mask or click the Cancel button to exit. When a new configuration is sent to the router a Command Delivery Status dialog appears.

When a new configuration is sent to the router a Command deliver window appears.

Lab 2.4: Configuring a DHCP Pool with SDM 109

7. Save your configuration by clicking the Save button at the top of the screen.

8. You will see the following dialog box. Click the Yes button to continue.

Lab 2.4: Configuring a DHCP Pool with SDMThis lab will have you use the SDM to configure a DHCP Pool on 2811 Router A.

110 IP Routing


Network Layout



Lab Steps

1. Click on the Additional Tasks button located on the sidebar menu at the bottom left of the screen. If the Additional Task button is not visible, scroll the side bar menu down until it appears. The Additional Task window will appear.

2. Expand the DHCP tree item by clicking the plus sign next to DHCP.

112 IP Routing

3. Click on DHCP Pools and the DHCP Pools window will appear.

4. Click the Add button and the DHCP Pool Dialog screen will appear.

5. Configure your DHCP pool and then select the OK button.


When a new configuration is sent to the router a Command Delivery Status window appears.

114 IP Routing

6. Save your configuration by clicking the Save button.

Lab 2.5: Configuring Other Items with SDMThis lab will have you use the SDM to configure the hostname, the banner (message of the day), the IP domain-name, and the enable secret password.


Lab 2.5: Configuring Other Items with SDM 115

Network Layout


116 IP Routing

Lab Steps

1. Click on the Router Properties tree item and the Device Properties screen will appear.

2. Click the Edit button on the upper right side of the screen and the Device Properties dialog screen will appear.

Lab 2.5: Configuring Other Items with SDM 117

3. Enter a hostname, an IP domain-name, and the message of the day banner.

4. With the Device Properties dialog still open, click on the Secret Password tab and con-figure your new password and then click OK.

118 IP Routing

When a new configuration is sent to the router a Command Delivery Status dialog appears.


Lab 2.6: Verifying Your Configurations with SDM 119

Lab 2.6: Verifying Your Configurations with SDMThis lab will have you verify your new router configurations.

You must manually configure the interface of the 2811 Router A before using the SDM to modify it. See Lab 2.1 on how to configure 2811 Router A. If the SDM is not running, refer to Lab 2.2 on how to load it.

Network Layout


120 IP Routing

Lab Steps

1. From your current SDM window, click on the Home button located at the top of the screen. You should see the following screen:

2. Click on the View Running Config button on the middle right area of the screen. The Show Running Configuration screen will appear.

Lab 2.7: Configuring the Routers 121

3. Scroll through the running configuration so you can view your configurations.

4. Click the Close button when you are finished.

5. Close the SDM application.

Lab 2.7: Configuring the RoutersIn this lab you will interact with routers, starting with 2621 Router A and working through 2811 Router A, and then finishing with 2621 Router B. After the configurations are complete, we will then build the routing tables.

122 IP Routing

Lab Steps

1. Double-click 2621 Router A. After the console screen comes up set the

NN Hostname

NN Passwords

NN Interface descriptions

NN Banners

NN IP addresses of each interface

Router>enable

Router#config t


2621A(config)#enable secret todd


2621A(config-line)#password todd

2621A(config-line)#login

2621A(config-line)#line aux 0


Network Layout

Load Standard Layout.rsm before going through the following lab.



3. Click on the file Standard Layout.rsm and click Open.






2621A(config-line)#int fa0/0


2621A(config-if)#description connection to LAN 40




2621A(config-if)#description connection to 2811A



2621A(config)#banner motd #

This is the router 2621A

#

2621A(config)#exit




[OK]

2621A#


NN Hostname

NN Passwords


NN Banners


Router>enable

Router#config t










124 IP Routing







2811A(config-if)#int s0/1/1






2811A(config-if)#description connection to 2621B



2811A(config)#banner motd #

This is the router 2811A

#

2811A(config)#exit




[OK]

2811A#

Clock Rate

It is important to understand clocking on and interface. On a real connection, clocking issues will typically cause data loss and or packet errors. You will also see framing slips on a carrier circuit when there is a clocking issue.

You do not have to set a clock rate if the DCE side of your connection is a 2811 router. The clock rate for the serial interface is set by default to 2000000. However, on the 2621 router you still need to explicitly set the clock rate. In our lab the DCE side of the connec-tion is interface serial 0/1/1 and serial 0/0/1.


The DCE connection is associated with s0/1/1 and a clockrate of 2000000.

3. Double-click 2621 Router B. After the console screen comes up set the

NN Hostname

NN Passwords


NN Banners


Router>enable

Router#config t

Router(config)#hostname 2621B

2621B(config)#enable secret todd

2621B(config)#line console 0

2621B(config-line)#password todd

2621B(config-line)#login

2621B(config-line)#line aux 0



2621B(config-line)#line vty 0 4



2621B(config-line)#int fa0/1

Finding DCE

DCE (data communications equipment) is the side of the connection that provides the clocking. Unless it is a 2811 router, you would enter the clock rate on the DCE side of a connection between routers. If you cannot remember what side of your connection is DCE, you can use the show controllers command. Here is an example:

2811#show controllers s0/1/1

Interface Serial0/1/1

Hardware is GT96K

DCE V.35, clock rate 2000000

idb at 0x454E69C8, driver data structure at 0x454EE0EC

wic_info 0x454EE6E8

Physical Port 0, SCC Num 0

[output cut]

126 IP Routing

2621B(config-if)#ip address 172.16.50.1 255.255.255.0

2621B(config-if)#description connection to LAN 50

2621B(config-if)#no shutdown

2621Bconfig-if)#int s0/0


2621B(config-if)#description connection to 2811A


2621B(config-if)#exit

2621B(config)#banner motd #

This is the router 2621B

#

2621B(config)#exit

2621B#copy run start



[OK]

2621B#

Rename and Save Your File: Make sure you save the actual network layout file that you have been working with. You might want to save it to another file name than Standard Layout.rsm. This allows you to start over with a non-configured network if you wish.


Lab 2.9: Configuring Static Routing 127

2. A dialog box will appear. At the bottom you will see the file name Standard Layout.rsm. Rename the file. In the following example it is renamed My Standard Layout.rsm.

3. Click the Save button. At this point your network layout has been saved to a new name. You then have the option of reloading Standard Layout.rsm which is non-configured.

Lab 2.9: Configuring Static RoutingThis lab will have you build the routing tables by hand, which means you will create static routing tables on each router. This will allow you to route throughout the entire network. At this point you can only route to directly connected networks of each router. Remember that the routing will not work until all static routes are configured in all routers.

static route is a manually hard coded routing statement that creates a route in the rout-ing table of a router. The static route specifies how the router will get to a certain network by using a certain path. Static routing refers to the manual method used to set up routing. This method has the advantage of being simple to create and predictable in its functionality. It is easy to manage in small networks but in larger ones it is difficult to set up and manage all

128 IP Routing

possible static routes. Static routes are not dynamically responsive to topology changes in a network.

Network Layout

Load Standard Layout.rsm or whatever you named the file when you saved your work.

Lab 2.9: Configuring Static Routing 129

Lab Steps

1. From 2621 Router A, use the ip route command to configure static routing. 2621 Router A is connected to networks 172.16.20.0 and 172.16.40.0 and a static route must be configured for EVERY network that is not directly connected. The next hop gateway is always 172.16.20.1 (router 2811 A).

2621A#config t

2621A(config)#ip route 172.16.10.0 255.255.255.0 172.16.20.1

2621A(config)#ip route 172.16.30.0 255.255.255.0 172.16.20.1

2621A(config)#ip route 172.16.50.0 255.255.255.0 172.16.20.1

2621A(config)#exit


2. From 2621 Router, use the ip route command to configure static routing. 2621 Router B is connected to networks 172.16.30.0 and 172.16.50.0 and a static route must be configured for EVERY network that is not directly connected. The next hop gateway is always 172.16.30.1 (router 2811 A).

2621B#config t

2621B(config)#ip route 172.16.10.0 255.255.255.0 172.16.30.1

2621B(config)#ip route 172.16.20.0 255.255.255.0 172.16.30.1

2621B(config)#ip route 172.16.40.0 255.255.255.0 172.16.30.1

2621B(config)#exit


3. From 2811 Router A, use the ip route command to configure static routing. 2811 Router A is connected to networks 172.16.10.0, 172.16.20.0 and 172.16.30.0 and a static route must be configured for EVERY network that is not directly connected. The next hop gateway will be either to 2621 Router A or the 2621 Router B.

2811A#config t

2811A(config)#ip route 172.16.40.0 255.255.255.0 172.16.20.2

Anatomy of a Command:IP Route 172.16.10.0 255.255.255.0 172.16.20.1

ip route tells the system we are entering a static route

172.16.10.0 this is the destination ip network address, where we want to send packets

255.255.255.0 the mask of the destination ip network

172.16.20.1 the IP address of the next hop used to reach the destination address

130 IP Routing

2811A(config)#ip route 172.16.50.0 255.255.255.0 172.16.30.2

2811A(config)#exit


Save Your File: Make sure you save the network layout file that you have been work-ing with.

Lab 2.10: Verifying Static RoutingIt is important to be able to verify your configurations. The best command to use is show ip route. However, if a route is not in your routing table, make sure it is correctly config-ured in the running-config. If you see a routing entry in the running-config but it is not in the routing table, check the entry for a typo. If it is correct, then make sure the link to that network is up.

Directly Connected Routes

In the preceding set of ip route commands for 2811 Router A, routes are not estab-lished for networks 20 and 30. 2811 Router A knows about these networks (routes) because they are directly connected to the router. Therefore you do not have to enter ip route commands for these two networks; only for networks that are not directly connected to 2811 Router A, such as networks 40 and 50.

Network Layout


Lab 2.10: Verifying Static Routing 131

Lab Steps

1. From 2621 Router A, use the show ip route command to verify your routing table.

2621A#show ip route

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP

D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area

N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2

E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP

i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, * - candidate default

U - per-user static route, o - ODR, P - periodic downloaded static route

T - traffic engineered route

Gateway of last resort is not set

172.16.0.0/24 is subnetted, 5 subnets

S 172.16.30.0 [1/0] via 172.16.20.1

C 172.16.40.0 is directly connected, FastEthernet0/0

S 172.16.50.0 [1/0] via 172.16.20.1

C 172.16.20.0 is directly connected, Serial0/0

S 172.16.10.0 [1/0] via 172.16.20.1

2621A#

Anatomy of a Routing Table

Output Description Metric

172.16.0.0/24 is sub-netted, 5 subnets

class B network 172.16.0.0 is subnetted into 5 class C networks.

/24 means a class C network

The 5 subnetted Class C networks are:

172.16.50.0

172.16.40.0

172.16.30.0

172.16.20.0

172.16.10.0

S 172.16.30.0 [1/0] via 172.16.20.1

any packets destined for network 172.16.30.0 are forwarded to the next hop router with the ip address of 172.16.20.1

S means the route is a static route and was manually added using the ip route command.

[1/0] is the administrative distance (1) and routing metric (0).

132 IP Routing


C 172.16.40.0 is directly connected, FastEther-net0/0

any packets destined for network 172.16.40.0 are forwarded to the ip address assigned to the FastEthernet0/0 interface

C means the route is directly con-nected to the local router’s FastEth-ernet0/0 interface The route is automatically added to the local rout-ing table when F0/0 is assigned an ip address, has a physical cable connec-tion, and is turned up for service.

S 172.16.50.0 [1/0] via 172.16.20.1



[1/0] is the administrative distance (1) and routing metric (0)


any packets destined for network 172.16.20.0 are forwarded to ip address assigned to the Serial0/0 interface

C means the route is directly con-nected to the local router’s Serial0/0 interface The route is automatically added to the local routing table when S0/0 is assigned an ip address, has a physical cable connection, and is turned up for service.

S 172.16.10.0 [1/0] via 172.16.20.1



[1/0] is the administrative distance (1) and routing metric (0).

2. From 2621 Router B, use the show ip route command to verify your routing table.

2621B#show ip route








Anatomy of a Routing Table (continued)





S 172.16.40.0 [1/0] via 172.16.30.1


S 172.16.20.0 [1/0] via 172.16.30.1

S 172.16.10.0 [1/0] via 172.16.30.1

2621B#

3. From the 2811 Router A, use the show ip route command to verify your routing table. We will purposely go into the global configuration mode in order to use the do command.

2811A#config t

2811A(config#)do show ip route










C 172.16.30.0 is directly connected, Serial0/0/1

S 172.16.40.0 [1/0] via 172.16.20.2

S 172.16.50.0 [1/0] via 172.16.30.2



2811A#

4. Once you verify the routing tables in all routers, use the ping command to verify IP connectivity between routers.

2621A#ping 172.16.50.1

2621A#ping 172.16.30.2

2621B#ping 172.16.40.1

2621B#ping 172.16.20.2

134 IP Routing

Practice Scenario: Basic Cisco Router Operations

Configuring Static or Default RoutesNow that you have learned about some concepts and completed some hands-on work, try your problem-solving and troubleshooting skills with the following task. To complete your task you will need a network to interact with a scenario and the task(s) at hand.

When you have finished with this scenario ...You can check your work by clicking the Grade Me button in the upper right hand cor-

ner of the Network Visualizer screen.

You will see a report that will display:

N The name of the command entered for this scenario

NN The expected configuration

N Your configuration

NN The result for each command. You will see a green check mark (meaning that you got it correct) or a red X

N A score of the number of correct answers out of the total possible

Turn On HostnamesIn some of the practice labs we refer to the hostname of a device. Therefore, we need to make sure that Hostnames is turned on for this lab. On the Network Visualizer screen click View and then click Hostnames so that it has a checkmark next to it.


136 IP Routing

Network Layout

On the Network Visualizer screen, click on the Labs menu then choose Practice Sce-narios, Basic Cisco Router Operations, and Configuring Static or Default Routes - 1.

Lab 2.11: Configuring and Verifying the Hosts 137

ScenarioThe senior network administrator at Smoke-Alarm Inc. would like you to setup static routing on all network routers.

Task

N Configure static routing on the R&D_R1 router

NN Configure static routing on the MARKETING_R1 router

N Configure static routing on the Plant-1 router

Lab 2.11: Configuring and Verifying the HostsWe will now configure all the hosts in the network and then verify the configurations.

Lab Steps


Network Layout

Load the network layout you have been working with in section 2.

138 IP Routing



NN IP address

NN Subnet Mask

NN Default Gateway

IP address unique identification number for a device that is located on a network. An IP address is equivalent to the address of your home. The format of an IP address is a 32-bit numeric address written as four numbers separated by periods. Each number can be zero to 255. For example, 172.16.10.6 could be an IP address.

subnet mask when you split up an IP network it is used to determine what section or sub-net the ip address of a networked device belongs to. An IP address has two parts, the net-work address and the host address.

Let’s examine IP address 172.16.10.6. Assuming this is part of a Class B network, the first two numbers (172.16) represent the Class B network address, and the second two numbers (10.6) identify a particular host on this network.

default gateway IP address configured on a networked device that allows that device to communicate outside of its own subnet. A default gateway is usually a layer 3 device like a router. When a network device wants to get to the Internet, it uses a default gateway. A default gateway IP address is equivalent to the on ramp of a highway.

IP Address: 172.16.10.5

Subnet Mask: 255.255.255.0




5. On Host B configure:

NN IP address

NN Subnet Mask

NN Default Gateway

IP Address: 172.16.10.6

Subnet Mask: 255.255.255.0



7. On Host C configure:

NN IP address

NN Subnet Mask

NN Default Gateway

140 IP Routing

IP Address: 172.16.10.7

Subnet Mask: 255.255.255.0



9. On Host D configure:

NN IP address

NN Subnet Mask

NN Default Gateway

IP Address: 172.16.10.8

Subnet Mask: 255.255.255.0



11. On Host E configure:

NN IP address

NN Subnet Mask

NN Default Gateway


IP Address: 172.16.40.3

Subnet Mask: 255.255.255.0



13. On Host F configure:

NN IP address

NN Subnet Mask

NN Default Gateway

IP Address: 172.16.50.3

Subnet Mask: 255.255.255.0



15. From each host, ping all other hosts. Here is an example where we ping all other hosts from Host.

16. Double-click Host D on the network.

142 IP Routing

C:\>ping 172.16.10.5

C:\>ping 172.16.10.6

C:\>ping 172.16.10.7

C:\>ping 172.16.40.3

C:\>ping 172.16.50.3

Save Your File: Make sure you save the network layout file that you have been work-ing with.

Lab 2.12: Configuring Default RoutingStatic routing is great in small networks, and is even better when you are trying to learn IP routing since you really have to understand how the network works to make static routing perform correctly. Configuring default routing on a router is not like setting the default gate-way on a host. Remember that a router is the default gateway and you cannot set a default gateway on a router. However, you can set what is called a Gateway of Last Resort.

You can only configure default routing on a router that is connected to a stub network, which means that there is not another router on the connected networks. In other words, there is only one way in and out. Routers 2621 A and 2621 B are stub routers to the LANs because they are the only way in and out of the LAN. Router 2811 A cannot use default routing because it is connected to multiple routes.

Gateway of Last Resort

If a packet is destined for a network that is not listed in the routing table, the router will forward the packet to the default route.

Lab 2.12: Configuring Default Routing 143

To configure default routing, use the ip route command, but instead of using the net-work and subnet mask, you use all zero (0’s), which mean all networks all masks. You must also use the ip classless command when using default routing. This tells the router to not drop packets, but instead to forward them to the default route address.

Instead of typing all the commands by hand, you can use your up-arrow key to get the command you want to remove. Then press ctrl+a to move your cursor to the beginning of the line, then type no and press Enter. This is just an easier way to remove the static routes.

Lab Steps

1. Before configuring routers 2621 A and B with default routing, you must remove the static routes we created in lab 5.8. Use the no ip route command.

2621A#config t

2621A(config)#no ip route 172.16.10.0 255.255.255.0 172.16.20.1



2621A(config)#exit

Network Layout


144 IP Routing

2. Remove the static routes from 2621 Router B.

2621B#config t

2621B(config)#no ip route 172.16.10.0 255.255.255.0 172.16.30.1



2621B(config)#exit

3. Verify the 2621 Router A and 2621 Router B only have the directly connected net-works in the routing table.

2621A#show ip route

[output cut]





2621B#show ip route

[output cut]





4. From the 2621 Router A, add the default route to 2811 Router A. The default route command will tell the router to send all packets destined for any network not in the routing table to the router 2811 A, which will then route the packet.

2621A(config)#ip route 0.0.0.0 0.0.0.0 172.16.20.1

2621A(config)#ip classless

2621A(config)#exit


Anatomy of a Command: No ip route 172.16.10.0 255.255.255.0 172.16.20.1

no ip route tells the system we are removing a static route




Lab 2.13: Verifying Default Routing 145

5. From 2621 Router B, add the default route to 2811 Router A. The default route com-mand will tell the router to send all packets destined for any network not in the routing table to the router 2811 A, which will then route the packet.

2621B#config t

2621B(config)#ip route 0.0.0.0 0.0.0.0 172.16.30.1

2621B(config)#ip classless

2621B(config)#exit


Save Your File: Make sure you save the network layout file that you have been working on.

Lab 2.13: Verifying Default RoutingTo verify the configurations of the default route, use the show ip route and ping commands.

Anatomy of a Command: [default] ip route 0.0.0.0 0.0.0.0 172.16.20.1

ip route tells the system we are removing a static route

0.0.0.0 this is a destination ip network address prefix that is not in the local routing table

0.0.0.0 this is a destination ip network mask prefix that is not in the local routing table

172.16.20.1 the IP address of the next hop router where packets destined for net-works that have no local routing table entry will be forwarded

Network Layout


146 IP Routing

1. Verify that the network is working by using the show ip route command on 2621 Router A to verify the routing tables.

2621A#show ip route

[output cut]

Gateway of last resort is 172.16.20.1 to network 0.0.0.0




S* 0.0.0.0 [1/0] via 172.16.20.1

2621B#show ip route

[output cut]





S* 0.0.0.0 [1/0] via 172.16.30.1

The Gateway of Last Resort has now been set because a default route was configured for each router. In 2621 Router B, for example, it is denoted by the routing table entry S* 0.0.0.0 [1/0] via 172.16.30.1.

2. Verify your network is working. Ping each host from Host D. Double-click Host D on the network.

Lab 2.13: Verifying Default Routing 147

C:\>ping 172.16.10.5

C:\>ping 172.16.10.6

C:\>ping 172.16.10.7

C:\>ping 172.16.40.3

C:\>ping 172.16.50.3



Configuring Static or Default RoutesNow that you have learned about some concepts and completed some hands-on work, try your problem-solving and troubleshooting skills with the following task. To complete your task you will need a network to interact with a scenario and the task(s) at hand.

When you have finished with this scenario ...You can check your work by clicking the Grade Me button in the upper right hand cor-



NN The name of the command entered for this scenario


NN Your configuration


NN A score of the number of correct answers out of the total possible

148 IP Routing

Network Layout

On the Network Visualizer screen, click on the Labs menu then choose Practice Sce-narios, Basic Cisco Router Operations, and Configuring Static or Default Routes - 2 .

Lab 2.14: Configuring RIPv2 149


Scenario:The senior network administrator at Widget Inc. would like you to setup default routing.

Task:

Configure default routing on the R&D_R1 router

Configure default routing on the Plant-1 router

Lab 2.14: Configuring RIPv2This lab will have you configure RIPv2.

RIPv2 RIP does not carry subnet information. To overcome this, RIPv2 was created in 1994 to address some deficiencies in RIP. RIPv2 can carry subnet information. RIPv2 sends

150 IP Routing

routing updates via multicast address 224.0.0.9. It also provides support for variable length subnet masks (VLSM) and discontiguous networking. RIPv2 is not automatically turned on with the router rip command. You must also specify it and use the version 2 command.

VLSM (Variable Length Subnet Mask) the network IP address 192.168.10.0/24 can be used to create subnets that have different subnet masks. You can create subnets 192.168.10.36/30 and 192.168.10.80/29 out of the 192.168.10.0/24 network IP address. You can use the 192.168.10.36/30 networks on your WAN links and 192.168.10.80/29 on one of your LAN segments. It is useful to use VLSM when you have different numbers of networked devices at each of your branch offices. VLSM helps IP administrators use their IP address resources more efficiently.

discontiguous networking when a major network like 192.168.10.0 is separated by a different major network like 10.0.0.0. Example: The 192.168.10.0/24 network can be sub-netted into two or more networks. The networks 192.168.10.36/30 and 192.168.10.80/29 are configured on different routers. The routers are using the 10.0.0.0 network to connect to each other, thus one major network is being separated by another major network.

Network Layout

Load the network layout you have been working with in ICND 2 labs.

Lab 2.16: Using Traceroute 151

Lab Steps

1. From 2621 Router A, configure RIP routing to use version 2.

2621A#config t

2621A(config)#router rip

2621A(config-router)#version 2

2621A(config-router)#ctrl+z

That’s all there is to it! Since we have already added our directly connected networks under router rip in our last lab, we now just have to tell it to run version 2.

2. From 2621 Router B, configure RIP routing to use version 2.

2621B#config t

2621B(config)#router rip

2621B(config-router)#version 2

2621B(config-router)#ctrl+z

3. From the 2811 Router A, configure RIP routing to user version 2.

2811A#config t

2811Aconfig)#router rip



Lab 2.16: Using TracerouteWith the traceroute command you can display a list of routers on a path from a source to a destination in your network.

152 IP Routing

Lab StepsWe will first configure all the devices with IP addresses.

1. Double-click 2621 Router A. After the console screen comes up configure interface s0/0.

Router>enable

Router#config t





2621A(config-if)#ctrl+z

Network Layout

Load Traceroute Layout.rsm before going through the following lab.



3. Click on the file Traceroute Layout.rsm and click Open.





[OK]

2621A#

2. Bring up the console for 2811 Router A. After the console screen configure the interfaces.

Router>enable

Router#config t












[OK]

2811A#

Please Note: You do not have to set the DCE connection associated with s0/1/1 which has a clockrate of 2000000. It is there by default.

3. Double-click 2621 Router B. After the console screen comes up configure interface s0/0.

Router>enable

Router#config t





2621B(config-if)#ctr+z




[OK]

2621B#

154 IP Routing

4. On each the 2621 routers, enter the command show ip route. You should only see directly connected networks in the routing table.

2621B#show ip route



2621A#show ip route



Configure each device with RIPv2


2621A#config t



2621A(config-router)#network 172.16.0.0



2621B#config t



2621B(config-router)#network 172.16.0.0



2811A#config t


RIPv2

RIP does not carry subnet information. To overcome this, RIPv2 was created in 1994 to address some deficiencies in RIP. RIPv2 can carry subnet information. RIPv2 sends routing updates via multicast address 224.0.0.9. It also provides support for variable length subnet masks (VLSM) and discontiguous networking. RIPv2 is not automati-cally turned on with the router rip command. You must also specify it and use the version 2 command.





Verify RIPv2 configurations

8. On both 2621 routers, use the show ip route command to verify the routing table. It should now have entries for router rip.

2621A#show ip route


R 172.16.30.0 [120/2] via 172.16.20.1, 00:00:20, Serial0/0


9. From 2621 Router B, use the show ip route command to verify the routing table.

2621B#show ip route



R 172.16.20.0 [120/1] via 172.16.30.1, 00:00:24, Serial0/0

10. Ping the interfaces on 2811 Router A.

From 2621 Router A, ping s0/0/1 on 2811 Router A. It should succeed.

2621A#ping 172.16.30.1

From 2621 Router B, ping s0/1/1 on 2811 Router A. It should succeed.

2621B#ping 172.16.20.1

Use Traceroute

12. On 2621 Router A, trace the route to interface s0/0 of 2621 Router B.

2621A#traceroute 172.16.30.2

Type escape sequence to abort.

Tracing the route to 172.16.30.2

1 172.16.20.1 12 msec 14 msec 12 msec

2 172.16.30.2 32 msec * 28 msec

Save Your File: Make sure you save the network layout file that you have been working on. You might want to save it with a different network name than Traceroute Layout.rsm. That allows you to load nonconfigured Traceroute Layout.rsm if you want to go through the lab again.

156 IP Routing

Lab 2.17: Using Debug with a RIPv2 NetworkOther than using the traceroute command to view network activity, you can use the debugcommand.

Network Layout

Load Traceroute Layout.rsm or whatever you named it in lab 2.16.



3. Click on the file Traceroute Layout.rsm and click Open.

Lab 2.18: Configuring and Verifying a Loopback Interface 157

Lab Steps

1. Double-click 2811 Router A. After the console screen comes up enter the command debug ip rip. It will take several seconds for output to appear in the console.

2811A>enable

2811A#debug ip rip

*Feb 25 04:59:00.819: RIP: received v2 update from 172.16.20.2 on Serial0/1/1

*Feb 25 04:59:00.819: 172.16.30.0/24 via 0.0.0.0 in 3 hops

*Feb 25 04:59:00.819: 172.16.20.0/24 via 0.0.0.0 in 1 hops

*Feb 25 04:59:16.146: RIP: sending v2 update to 224.0.0.9 via Serial0/0/1 (172.16.30.1)

*Feb 25 04:59:16.146: RIP: build update entries

*Feb 25 04:59:16.146: 172.16.20.0/24 metric 1, tag 0

*Feb 25 04:59:16.146: 172.16.20.0/24 metric 1, tag 0

*Feb 25 04:59:16.147: RIP: sending v2 update to 224.0.0.9 via Serial0/1/1 (172.16.20.1)

*Feb 25 04:59:16.147: RIP: build update entries

*Feb 25 04:59:16.147: 172.16.30.0/24 metric 1, tag 0

*Feb 25 04:59:16.147: 172.16.30.0/24 metric 1, tag 0

*Feb 25 04:59:18.562: RIP: received v2 update from 172.16.30.2 on Serial0/0/1

*Feb 25 04:59:18.562: 172.16.30.0/24 via 0.0.0.0 in 1 hops

*Feb 25 04:59:18.562: 172.16.20.0/24 via 0.0.0.0 in 2 hops

2. The debug activity will keep displaying information until you stop it. Press any key to stop information from displaying on the console screen. Then enter the no debug ip rip command. You will then see confirmation that debugging has been turned off.

2811A#no debug ip rip

RIP protocol debugging is off

Lab 2.18: Configuring and Verifying a Loopback InterfaceA loopback interface is not a real, hardware-based interface like serial 0/0/0/ or fa0/1. It is a logical or virtual interface that is always “up” unlike a hardware interface that may be “up” or “down.” It is the best interface to ping in order to see if the router is “up.”

In this lab you will create a loopback network.

158 IP Routing

Lab Steps

1. Create a loopback interface on Router 2811 A.

2811A>en

2811A(config)#config t

2811A(config)#int loopback 0

2. Enter an ip address for the loopback interface.


Network Layout

Load Loopback Layout.rsm.

Lab 2.18: Configuring and Verifying a Loopback Interface 159

3. Verify the loopback interface on Router 2811 A.


2811A#show ip interface brief

Interface IP-Address OK? Method Status Protocol

FastEthernet0/0 172.16.10.1 YES manual up up

FastEthernet0/1 unassigned YES unset administratively down down

Serial0/0/0 unassigned YES unset administratively down down

Serial0/0/1 172.16.30.1 YES manual up up



Loopback0 172.16.40.1 YES manual up up

4. From 2811 Router A, ping the loopback interface.

2811A#ping 172.16.40.1



!!!!!


5. You can see the loopback entry in the running configs of 2811 Router A.

2811A#show run

!

!

interface Loopback0

ip address 172.16.40.1 255.255.255.0

!


description connection to LAN 10

ip address 172.16.10.1 255.255.255.0


duplex auto

!

[output cut]

160 IP Routing

6. You should be able to successfully ping the loopback interface from another device. Go to Router 2621 A and ping the loopback interface on 2811 Router A. Interface s0/0 is administratively “up.”

2621A#ping 172.16.40.1



!!!!!


7. Unlike the physical interfaces on a router, a loopback interface is virtual and can be removed.

2811A#config t

2811A(config)#no interface loopback 0

2811A(config)#ctl+z

2811A#

8. You can confirm the removal of loopback interface 0.

2811A#show run

!

!

!



ip address 172.16.10.1 255.255.255.0


duplex auto

!

[output cut]

9. You can also use the show ip interface brief command to verify the removal of the loopback interface.

2811A#show ip interface brief

Interface IP-Address OK? Method Status Protocol

FastEthernet0/0 172.16.10.1 YES manual up up

FastEthernet0/1 unassigned YES unset administratively down down





Lab 2.19: Using ARP (Address Resolution Protocol) 161

Lab 2.19: Using ARP (Address Resolution Protocol)ARP finds the unique hardware address of network devices based on IP addresses of the interface. If IP cannot find the destination of the hardware address, the system uses ARP to retrieve this information. In sending data (packets) the source must also have a destination MAC address. If the source does not know the MAC address of the destination, it has to get that address before data can be sent.

To obtain the unknown layer 2 address when the layer 3 address is known, the source transmits an ARP Request. All devices on the path will see it but the only device that will answer it is the one with the matching layer 3 address. That device will send an ARP Reply, unicast back to the source. The sender will then have a MAC address to go with the IP address and can then transmit.

Network Layout

Load ARP Layout.rsm before going through the following lab.



3. Click on the file ARP Layout.rsm and click Open.

162 IP Routing

Lab Steps

1. Bring up the console for 2811 Router A. After the console screen appears, create a hostname.

Router>enable

Router#config t


2811A(config)#exit

2811A#

2. Before any devices are configured the ARP table should have no entries. Use the command show arp to confirm this.

2811A#show arp

Protocol Address Age (min) Hardware Addr Type Interface

3. Configure 2811 Router A.

2811A(config-if)#int fa0/1







2811A#

4. Use the show arp command on 2811 Router A to view the ARP table again. Notice the unique mac addresses associated with the two IP addresses.

2811A#show arp


Internet 172.16.30.1 - 00b0.b250.5f37 ARPA FastEthernet0/0

Internet 172.16.20.1 - 00b0.8911.1e7e ARPA FastEthernet0/1

Lab 2.19: Using ARP (Address Resolution Protocol) 163

5. Double-click 2621 Router A. After the console screen comes up configure the interface.

Router>enable

Router#config t






2621A#

6. Double-click 2621 Router B. After the console screen comes up configure the interface.

Router>enable

Router#config t


2621Bconfig-if)#int fa0/0



2621B(config-if)#ctr+z

2621B#

7. Go back to 2811 Router A and issue the show arp command. Notice that every IP address has an accompanying, unique MAC address or hardware address..

2811A#show arp


Internet 172.16.30.1 - 00b0.b250.5f37 ARPA FastEthernet0/0

Internet 172.16.20.2 30 00b0.76f0.f7c5 ARPA FastEthernet0/1

Internet 172.16.20.1 - 00b0.8911.1e7e ARPA FastEthernet0/1

Internet 172.16.0.2 28 00b0.1dc0.652f ARPA FastEthernet0/0

Managing a Cisco Internetwork

Lab 3: Introduction to Managing a Cisco Internetwork

In this section, you will learn how to manage Cisco routers in an internetwork. The Internetworking Operating System (IOS) and configuration files reside in different loca-tions in a Cisco device, and it is important to understand where these files are located and how they work.

Host E is running a TFTP server daemon and will be used in this section to both back up and restore the Cisco IOS and configuration of the 2621 A router.

The following labs are covered:

NN 3.1: Password Recovery Techniques

NN 3.2: Backing up a Cisco IOS to a TFTP server

NN 3.3: Upgrading or restoring a Cisco IOS from a TFTP server

NN 3.4: Backing up a Cisco router configuration using a TFTP server

NN 3.5: Restoring a Cisco router configuration from a TFTP server

NN 3.6: Using the Cisco Discovery Protocol to gather information about neighbor devices

NN 3.7: Using Telnet

NN 3.8: Using Secure Shell in Place of Telnet

NN 3.9: Verifying Secure Shell in Place of Telnet

NN 3.10: Creating a hosts table on a router and resolving host names to IP addresses

NN 3.11: Configuring IGRP Routing

NN 3.12: Verifying IGRP Routing

The commands covered in this section are as follows:

Command Description

cdp enable Turns on CDP on an individual interface

cdp holdtime Changes the holdtime of CDP packets

cdp run Turns on CDP on a router

cdp timer Changes the CDP update timer

Lab 3: Introduction to Managing a Cisco Internetwork 167

Command Description

config-register (confreg) Tells the router how to boot and to change the configu-ration register setting

copy flash tftp Copies a file from flash memory to a tftp host

copy run start Copies the running-config file to the startup-config file

copy run tftp Copies the running-config file to a tftp host

copy tftp flash Copies a file from a tftp host to flash memory

copy tftp run Copies a configuration from a tftp host to the running-config file

Ctrl+Shift+6, then X (keyboard combination)

Used to take you back to the originating router when you telnet to numerous routers

disconnect Disconnects a connection to a remote router from the originating router

erase startup-config Deletes the contents of NVRAM on a router

exit Disconnects a connection to a remote router via Telnet

ip host Creates a host table on a router

no cdp enable Turns off CDP on an individual interface

no cdp run Turns off CDP completely on a router

no ip host Removes a hostname from a host table

o/r 0x2142 Changes a router to boot without using the contents of NVRAM

show cdp Displays the CDP timer and holdtime frequencies

show cdp entry * Same as show cdp neighbor detail, but does not work on a 1900 switch

show cdp neighbor Shows the directly connected neighbor and the details about them

168 Managing a Cisco Internetwork

Command Description

show cdp neighbor detail Shows the IP address and IOS version and type, and includes all of the information from the show cdp neighbor command

show cdp traffic Shows the CDP packets sent and received on a device and any errors

show flash Views the files in flash memory

show hosts Shows the contents of the host table

show run Displays the running-config file

show sessions Shows your connections via Telnet to remote devices

show start Displays the startup-config file

show version Displays the IOS type and version as well as the con-figuration register

Lab 3.1: Password Recovery TechniquesAll Cisco® routers have a 16-bit software register, which is written into NVRAM. By default, the configuration register is set to load the Cisco IOS from flash memory and to look for and load the startup-config file from NVRAM.

By changing the configuration register, you can perform password recovery on a Cisco router.

If you are locked out of a router because you forgot the password, you can change the configuration register to help you recover. Bit 6 in the configuration register is used to tell the router whether or not to use the contents of NVRAM to load a router configuration. The default configuration register value for bit 6 is 0x2102 (the 0 is bit 6), which means that bit 6 is off. With the default setting, the router will look for and load a router configu-ration stored in NVRAM (startup-config). To recover a password, you need to turn on bit 6, which will tell the router to ignore the NVRAM contents. The configuration register value to turn on bit 6 is 0x2142.

(continued)

Lab 3.1: Password Recovery Techniques 169

Lab Steps

1. You can see the current value of the configuration register by using the show version command (sh version or show ver for short), as in the following example on 2621 Router A:

2621A#show version

Cisco Internetwork Operating System Software

IOS (tm) C2621 Software (C2621-BIN-M), Version 12.2(13)T1, RELEASE SOFTWARE (fc1)

[output cut]

Configuration register is 0x2102

The last information given from this command is the value of the configuration register. In this example, the value is 0x2102, which is the default setting.

2. You can change the configuration register by using the config-register command. For example, the following commands tell the router to boot from ROM monitor mode and then to verify the current configuration register value:

2621A(config)#config-register 0x0101

2621A(config)#ctrl+z

Network Layout

Load Standard Layout.rsm or whatever you named the file when you saved your work while working in section 2.


2621A#sh ver

[output cut]

Configuration register is 0x2102 (will be 0x0101 at next reload)

Notice that the show version command shows the current configuration register value, as well as what it will be when the router reboots. Any change to the configuration reg-ister will not take effect until the router is reloaded.

3. From 2621 Router A, type reload at the privileged mode prompt.


2621A#reload

4. You will then see this output on your screen: “System configuration has been modified. Save? [yes/no]: “. Press Y.

5. You will then be asked to confirm the reload. Press Enter.

6. When the router is rebooting, press and hold ctrl+break on the keyboard, until it takes you into rom monitor mode.

System Bootstrap, Version 11.3(2)XA4, RELEASE SOFTWARE (fc1)

Copyright (c) 1999 by Cisco Systems, Inc.

TAC:Home:SW:IOS:Specials for info

PC = 0xfff0a530, Vector = 0x500, SP = 0x680127b0

C2621 platform with 32768 Kbytes of main memory

PC = 0xfff0a530, Vector = 0x500, SP = 0x80004374

monitor: command "boot" aborted due to user interrupt rommon 1 >

7. To change the bit value on a Cisco 2621 series router, simply enter the confreg (mean-ing config register) command at the <rommon 1> prompt:

rommon 1 >confreg 0x2142

You must reset or power cycle for new config to take effect.

8. At this point, reset the router.

rommon 1 >reset

9. When the router reloads, say no to entering setup mode.

10. Enter privileged mode and then type copy startup-config running-config.

11. Change your passwords and then save your configuration with the copy run start command.

12. Change your configuration register back to 0x2102.

rommon 1 > confreg 0x2102

Lab 3.1: Password Recovery Techniques 171

Viewing Passwords on Net Configs screenIf you want to take a peek at all the passwords set for the currently loaded network, you can view these on the Net Configs screen.

1. Click Tools on the main menu of the Network Visualizer screen. Then click the Net Configs sub-menu selection. Or, right mouse click on the Network Visualizer screen and choose Net Configs from the pop-up menu.

From the main menu

From the pop-up window


The following information will appear on the Net Configs screen, displaying passwords for every network device.

Lab 3.11: Configuring IGRP RoutingInterior Gateway Routing Protocol (IGRP) is a Cisco proprietary distance vector rout-ing protocol. It is an updated RIP routing protocol that uses an administrative distance of 100, so it will automatically overwrite RIP found routes in the routing table. Also, it uses Autonomous Systems (AS) to create groups of routers that share routing information.

To configure IGRP, it is basically the same as RIP except you choose your AS number. All routers must use the same number as you want them to share information.

Lab 3.11: Configuring IGRP Routing 173

Network Layout

Load IGRP Layout.rsm before going through the following lab.



3. Click on the file IGRP Layout.rsm and click Open. You should see the following non-configured network:


Lab Steps

1. Double-click 2621 Router A. After the console screen comes up, perform the following commands.

Router>enable

Router#config t


2621A(config-if)#interface serial 0/1




2621A(config)#exit




[OK]

2621A#

2. Change the console screen so that you can enter configurations for 2621 Router B. Use the console menu to achieve this. After the console screen comes up, perform the following commands.

Router>enable

Router#config t


2621Bconfig-if)#interface serial 0/0

2621Bconfig-if)#clock rate 64000



2621Bconfig-if)#interface serial 0/1

2621Bconfig-if)#clock rate 64000




2621B(config)#exit




[OK]

2621B#

Lab 3.11: Configuring IGRP Routing 175

3. Change the console screen so that you can enter configurations for 2621 Router C. Use the console menu to achieve this. After the console screen comes up, perform the following commands.

Router>enable

Router#config t

Router(config)#hostname 2621C

2621Cconfig-if)#interface serial 0/0

2621C(config-if)#ip address 172.16.20.2 255.255.255.0

2621C(config-if)#no shutdown

2621C(config-if)#exit

2621C(config)#exit

2621C#copy run start



[OK]

2621C#

4. Configure 2621 Router A to use IGRP with an AS of 10.

2621A#config t

2621A(config)#router igrp 10



2621A#

5. Configure 2621 Router B to use IGRP with an AS of 10.

2621B#config t

2621B(config)#router igrp 10



2621B#

6. Configure 2621 Router C to use IGRP with an AS of 10.

2621C#config t

2621C(config)#router igrp 10

2621C(config-router)#network 172.16.0.0

2621C(config-router)#ctrl+z

2621C#


Rename and Save Your File: Make sure you save the actual network layout file that you have been working with. You might want to save it to another file name than IGRP Layout.rsm. This allows you to start over with a non-configured network if you wish.


Lab 3.12: Verifying IGRP Routing 177

2. A dialog box will appear. At the bottom you will see the file name IGRP Layout.rsm. Rename the file. For example, you could name it My IGRP Layout.rsm.

3. Click the Save button. At this point your network layout has been saved to a new name. You then have the option of reloading IGRP Layout.rsm which is non-configured.

Lab 3.12: Verifying IGRP RoutingSince IGRP has a better administrative distance then RIP, all the routing tables should have IGRP found routes. Use the show ip route command and then the debugging tools to verifying IGRP.

Network Layout

Load IGRP Layout.rsm or whatever you named the file when you saved your work in Lab 3.11.


Lab Steps

1. From 2621 Router A, use the show ip route command to verify the routing table.

2621A#show ip route

[output cut]


I 172.16.20.0 [100/160250] via 172.16.10.1, 00:00:14, Serial0/1


2621A

Notice the “I” found routes. This is IGRP.

2. Use the show ip protocol command from 2621 Router A.

2621A#show ip protocol

Routing Protocol is "igrp 10"

Sending updates every 90 seconds, next due in 25 seconds

Invalid after 270 seconds, hold down 270, flushed after 630

Outgoing update filter list for all interfaces is not set

Incoming update filter list for all interfaces is not set

Default networks flagged in outgoing updates

Default networks accepted from incoming updates

IGRP metric weight K1=1, K2=0, K3=1, K4=0, K5=0

IGRP maximum hop count 100

IGRP maximum metric variance 1

Redistributing: igrp 10

Routing for networks:

172.16.0.0

Routing information sources:

Gateway Distance Last Update

172.16.10.1 100 00:01:05

Distance: <default is 100>

2621A#

Notice that the timer for IGRP to send out updates is every 90 seconds.


2621B#show ip route

[output cut]



C 172.16.10.0 is directly connected, Serial

2621B#

Lab 3.2: Backing Up the Cisco IOS 179

Routing tables take a small amount of time to update.

4. From 2621 Router C, use the show ip route command to verify the routing table.

2621C#show ip route



I 172.16.10.0 [100/160250] via 172.16.20.1, 00:00:48, Serial0/0

2621C#

5. Use the debug ip igrp events command to see IGRP updates being sent and received on the router. See above.

2621A#debug ip igrp events

IGRP protocol debugging is on

ld23h: IGRP: sending update to 255.255.255.255 via Serial0/1 <172.16.10.2>

ld23h: IGRP: Update contains 1 interior, 0 system, and 0 exterior routes.

ld23h: IGRP: Total routes in update: 1

2621A#

6. Turn off debugging with the no debug ip igrp events command, or the undebug all command.

2621A#undebug all

7. Use the debug ip igrp transactions command to see a summary of the IGRP events being processed on the router.

2621A#debug ip igrp transactions

IGRP protocol debugging is on

2621A#

ld23h: IGRP: sending update to 255.255.255.255 via Serial0/1 <172.16.10.2>

ld23h: subnet 172.16.10.0, metric=189250

2621A#

8. You can turn off the debug ip igrp transactions command.

2621A#no debug ip igrp transactions

Lab 3.2: Backing Up the Cisco IOSBefore you upgrade or restore a Cisco® IOS, you should copy the existing file to a tftp host as a backup in case the new image does not work. You can use any tftp host to perform this function. By default, the flash memory in a router is used to store the Cisco® IOS. The


following sections describe how to check the amount of flash memory, copy the Cisco® IOS from flash memory to a tftp host, and then copy the IOS from a tftp host to flash memory.

Lab Steps

1. Before you attempt to upgrade the Cisco® IOS on your router with a new IOS file, you should verify that your flash memory has enough room to hold the new image. You can verify the amount of flash memory and the file or files being stored in flash memory by using the show flash command:

2621A#show flash

System flash directory:

File Length Name/status

1 6973004 c2600-bin-mz.122-13.T1.bin

[6973068 bytes used, 1415540 available, 8388608 total]

8192K bytes of processor board System flash (Read/Write)

Flash Memory

Is computer memory that can hold information even when the device is powered down. Information can be be written to and stored in this memory.

Network Layout


Lab 3.3: Restoring or Upgrading the Cisco Router IOS 181

2. The last line in the router output shows that the flash is 8192K or 8MB, which is plenty of room for a new file that we want to use that is 6MB in size. Once you verify that the flash memory can hold the IOS you want to copy into flash memory, you can continue with your backup operation.

3. The key to success in this backup routine is to make sure you have good connectivity to the tftp host. You can check this by pinging the device from the router console prompt, as in the following example:

2621A#ping 172.16.40.3



!!!!!


4. After you ping the tftp host to make sure that IP is working, you can use the copy flash tftp command to copy the IOS to the tftp host, as shown below. Notice that after you enter the command, the name of the file in flash memory is displayed. This makes it easy for you.

2621A#copy flash tftp

Source filename []? c2600-bin-mz.122-13.T1.bin

Address or name of remote host []? 172.16.40.3

Destination filename [c2600-bin-mz.122-13.T1.bin]?(press enter)

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! [output cut]

6973004 bytes copied in 57.704 secs (120841 bytes/sec)

2621A#

5. In this example, the content of flash memory was copied successfully to the tftp host. The address of the remote host is the IP address of the tftp host. The source filename is the file in flash memory. This was a pretty simple process as long as your router can talk to the tftp host.

Lab 3.3: Restoring or Upgrading the Cisco Router IOSYou may need to restore the Cisco® IOS to flash memory to replace an original file that has been damaged or to upgrade the IOS. You can download the file from a tftp host to flash memory by using the copy tftp flash command. This command requires the IP address of the tftp host and the name of the file you want to download to flash memory.


No real files are used in this lab. This is just an exercise to show how it is done.

Lab Steps

1. Type copy tftp flash command from the 2621 A router’s privileged mode prompt. You will see a message informing you that the router must reboot and run a ROM-based IOS image to perform this operation:

2621A#copy tftp flash


Source filename []? c2600-bin-mz.122-13.T1.bin

Destination filename [c2600-bin-mz.122-13.T1.bin]? (press enter)

%Warning:There is a file already existing with this name

Do you want to over write? [confirm] (press enter)

Accessing tftp://172.16.40.3/c2600-bin-mz.122-13.T1.bin...

Erase flash: before copying? [confirm] (press enter)

Erasing the flash filesystem will remove all files! Continue? [confirm] (press enter)

Erasing device... eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee ...erased

Erase of flash: complete

Loading c2600-bin-mz.122-13.T1.bin from 1.1.1.1 (via FastEthernet0/0): !!!!!!!!!

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! [output cut]

2. After you tell the router where the file is and the filename, it asks you to confirm that you understand the contents of flash memory will be erased as shown in the output above. You are prompted twice, just to make sure that you really want to proceed with erasing flash memory.

3. The row of e characters shows the contents of flash memory being erased. Each excla-mation point (!) means that one UDP segment has been successfully transferred.

Lab 3.4: Backing Up the Cisco ConfigurationAny changes that you make to the router configuration are stored in the running-config file. If you do not perform a copy run start command after you make a change to running-config, that change will be gone if the router reboots or gets powered down. You may want

Lab 3.4: Backing Up the Cisco Configuration 183

to make another backup of the configuration information as an extra precaution in case the router or switch completely dies or for documentation. The following lab describes how to copy the configuration of a router to a tftp host.

Lab Steps

1. To copy the router’s configuration from a router to a tftp host, you can use either the copy running-config tftp or copy starting-config tftp command. Either com-mand will back up the router configuration that is currently running in DRAM or that is stored in NVRAM.

2. To verify the configuration in DRAM, use the show running-config command (show run for short), as follows:

2621A#show run



!

version 12.2

[output cut]

Network Layout



The current configuration information indicates that the router is now running version 12.2 of the IOS.

3. Next, you would check the configuration stored in NVRAM. To see this, use the show startup-config command (show start for short), as follows:

2621A#show start

Using 781 out of 32762 bytes

!

version 12.2

[output cut]

The second line shows how much room your backup configuration is using. In this example, NVRAM is 32KB and only 781 bytes of it are used. Notice that the version of configuration in NVRAM is 12.2.

If you are not sure that the files are the same, and the running-config file is what you want to use, then use the copy running-config startup-config to make sure both files are the same. By copying running-config to NVRAM as a backup, as shown below, you are assured that your running-config will always be reloaded if the router gets rebooted.


Destination filename [startup-config]?(press enter)


[OK]

4. Now when you enter the show starting-config command, the version shows the latest configuration.

2621A#show startup-config

Using 781 out of 32762 bytes

!

version 12.2

5. Once the file is copied to NVRAM, you can make a second backup to a tftp host by using the copy running-config tftp command (copy run tftp for short), as follows:

2621A#copy run tftp


Destination filename [2621A-confg]? enter

!!


2621A#

6. Notice that this took only two exclamation points (!), which are two UDP acknowledg-ments. If you have a hostname configured, the command will automatically use the hostname plus the extension config as the name of the file.

Lab 3.5: Restoring the Cisco Router Configuration from a TFTP Server 185

Lab 3.5: Restoring the Cisco Router Configuration from a TFTP ServerIf you have changed your router’s running-config and want to restore the configuration to the version in startup-config, the easiest way to do this is to use the copy startup-config running-config command (copy start run for short). You can also use the older Cisco® command, config mem, to restore a configuration. Of course, this will work only if you first copied running-config into NVRAM before making any changes.

Lab Steps

1. If you copied the router’s configuration to a tftp host as a second backup, you can restore the configuration using the copy tftp running-config command (copy tftprun for short) or the copy tftp startup-config command (copy tftp start for short), as shown below.

2621A#copy tftp run


Source filename []? 2621A-confg

Destination filename [running-config]?(press enter)

Network Layout



Accessing tftp://172.16.40.3/2621A-confg...

Loading 2621A-confg from 172.16.40.3 (via Fastethernet 0/0):

!!

[OK - 487/4096 bytes]


2621A#

00:38:31: %SYS-5-CONFIG: Configured from tftp://172.16.40.3/2621A-confg

2621A#

2. After you copy your configuration from a tftp host to your router, you must then enable your interfaces as they are automatically shut down.

Lab 3.6: Using the Cisco Discovery Protocol to Gather Information about Neighbor DevicesCisco Discovery Protocol (CDP) is a proprietary protocol designed by Cisco to help admin-istrators collect information about both locally attached and remote devices. You can gather hardware information, as well as protocol information about neighbor devices. This information is useful for troubleshooting and documenting the network.

Network Layout



Lab Steps

2621 Router A and 2621 Router B need to be configured in order for output to appear when you go through this lab.

1. First gather CDP information on your router by getting CDP Timers and Holdtime Information. Use the show cdp command (sh cdp for short) which shows information about two CDP global parameters that can be configured on Cisco devices. The output on a router looks like this:

2811A#show cdp

Global CDP information:

Sending CDP packets every 60 seconds

Sending a holdtime value of 180 seconds

Sending CDPv2 advertisements is enabled

2811A#

N CDP timer is how often CDP packets are transmitted to all active interfaces.

NN CDP holdtime is the amount of time that the device will hold packets received from neighbor devices.

Both the Cisco routers and the Cisco switches use the same parameters.

2. Use the global commands cdp holdtime and cdp timer to configure the CDP holdtime and timer on a router.

2811A#config t


2811A(config)#cdp ?

advertise-v2 CDP sends version-2 advertisements

holdtime Specify the holdtime (in sec) to be sent in packets

log Log messages generated by CDP

run Enable CDP

source-interface Insert the interface's IP in all CDP packets

timer Specify rate (in sec) at which CDP packets are sent>

2811A(config)#cdp timer 90

2811A(config)#cdp holdtime 240


3. You can turn off CDP completely on the router with the no cdp run command from global configuration mode of a router. Enable CDP with the cdp run command.

2811A(config)#no cdp run

2811 (config)#cdp run



4. To turn off or on CDP on a router interface, use the no cdp enable and cdp enable commands. Enable CDP on the interface with the cdp enable command.

2811A(config)#interface fastethernet 0/0

2811A(config-if)#no cdp enable

2811A(config-if)#cdp enable


5. The show cdp neighbor command (show cdp nei for short) shows information about directly connected devices. It is important to remember that CDP packets are not passed through a Cisco switch, and you only see what is directly attached. On a router connected to a switch, you will not see the other devices connected to the switch. The following output shows the show cdp neighbor command used on the 2811 A router.

2811A#show cdp nei

Device ID Local Intrfce Holdtme Capability Platform Port ID

2621B Ser 0/0 170 R 2621 Ser 0/0/1

2621A Ser 0/0 170 R 2621 Ser 0/1/1

2811A#

The following table summarizes the information displayed by the show cdp neighbor command for each device.

Field Description

Device ID The hostname of the device directly connected.

Local Interface The port or interface on which you are receiving the CDP packet.

Holdtime The amount of time the router will hold the information before discarding it if no more CDP packets are received.

Capability The neighbor’s capability, such as router, switch, or repeater. The capability codes are listed at the top of the command output.

Platform The type of Cisco device. In the above output, a 2811 router, two 2621 routers, a 3550 switch, and a 3560 switch are attached.

Port ID The neighbor device’s port or interface on which the CDP packets are broadcasted out.


6. Another command that provides neighbor information is the show cdp neighbor detail command (show cdp nei de for short), which also can be run on the router or switch. This command shows detailed information about each device connected to the device, as in the router output below.

2811A#show cdp neighbor detail

-------------------------

Device ID: 2621B

Entry address(es):

IP Address: 172.16.30.2

Platform: cisco 2621, Capabilities: Router

Interface: Serial0/0, Port ID (outgoing port): Serial0/0/1

Holdtime : 146 sec

Version :



TAC Support: http://www.cisco.com/tac


Compiled Sat 04-Jan-03 05:58 by ccai

advertisement version: 2

-------------------------

Device ID: 2621A

Entry address(es):

IP Address: 172.16.20.2



Holdtime : 146 sec

Version :







-------------------------

2811A#

The output above shows the hostname and IP address of the directly connected devices. In addition to the same information displayed by the show cdp neighbor command, the show cdp neighbor detail command also shows the IOS version of the neighbor device.


7. The show cdp entry * command displays the same information as the show cdp neighbor details command. The following is an example of the router output of the show cdp entry * command.

2811A#show cdp entry *

-------------------------

Device ID: 2621B

Entry address(es):

IP Address: 172.16.30.2



Holdtime : 146 sec

Version :







-------------------------

Device ID: 2621A

Entry address(es):

IP Address: 172.16.20.2



Holdtime : 146 sec

Version :







-------------------------

2811A#

Lab 3.7: Using Telnet 191

8. The show cdp traffic command displays information about interface traffic, including the number of CDP packets sent and received and the errors with CDP. The following output shows the show cdp traffic command used on a router.

2811A#show cdp traffic

CDP counters :

Total packets output: 14556, Input: 7366

Hdr syntax: 0, Chksum error: 0, Encaps failed: 0

No memory: 0, Invalid packet: 0, Fragmented: 0

CDP version 1 advertisements output: 0, Input: 0


2811A#

Lab 3.7: Using TelnetTelnet is a virtual terminal protocol that is part of the TCP/IP protocol suite. Telnet allows you to make connections to remote devices and gather information and run programs. To start a Telnet session, logging into a another device requires a valid username and password on the destination hardware.

After your routers and switches are configured, you can use the Telnet program to configure and check your routers and switches instead of needing to use a console cable. You use the Telnet program by typing telnet from any command prompt (DOS or Cisco). VTY passwords must be set on the routers for this to work.

You cannot use CDP to gather information about routers and switches that are not directly connected to your device. However, you can use the Telnet application to connect to your neighbor devices and then run CDP on those remote devices to gather CDP information about remote devices.

In this lab we will telnet from 2621 Router B into 2621 Router A and 3550 Switch A. In a prior lab we have configured 2621 Router A but now we need to configure 3550 Switch A at the start of this lab.


Lab Steps

1. Double-click 3550 Switch A in order to bring up the console screen.

2. Perform the following commands:

Switch>en

Switch#config t

Enter configuration commands, one per line. End with CNTL/Z

Switch(config)#

3. To set the IP configuration on a 3550 switch, use the ip address command. However, this is set under the VLAN1 interface, not at global configuration mode like on a 1900 switch. Remember that by default all interfaces are members of VLAN1, which is why

Network Layout

Load Standard Layout.rsm or whatever you named the file when you saved your work while working in section 2. You need a configured network in order to complete this lab.


the VLAN1 interface is configured by default. Let’s also set the hostname so that we can more clearly identify this device when we telnet into it in subsequent steps.

Switch(config)#hostname 3550A

3550A(config)#interface vlan 1


4. The default gateway should also be set using the ip default-gateway command. However, unlike the IP address, this is completed at global configuration mode.


3550A(config)#ip default-gateway 172.16.10.1

5. We need to set up a VTY password for the 3550 Switch A.

3550A(config)#line vty 0 15


3550A(config-line)#ctrl+z

6. Switch to 2621 Router A via the console menu.

7. For this lab, remove the telnet and enable passwords from the 2621 Router A.

2621A>enable

2621A#config t


2621A(config)#no enable secret

2621A(config)#no enable password


2621A(config-line)#no password


2621A#


8. You can issue the telnet command from any router prompt, as in the following example from 2621 Router B to 2621 Router A:

2621B#telnet 172.16.20.2

Trying 172.16.10.2 ... Open

Password required, but none set

[Connection to 172.16.20.2 closed by foreign host]

2621B#

Remember that the VTY ports on a router are configured as login, which means that you must either set the VTY passwords or use the no login command.

9. On a Cisco router, you do not need to use the telnet command. If you just type in an IP address from a command prompt, the router will assume you want to telnet to the device, as shown below:

2621B#172.16.20.2

Trying 172.16.10.2 ... Open



2621B#

10. It’s time to set VTY passwords on the router I want to telnet into. Here is an example of what I did:

2621A#config t





2621A#

11. Now, let’s try connecting to the router again (from the 2621 Router B console).

2621B#172.16.20.2

Trying 172.16.20.2 ... Open

User Access Verification

Password:

2621A>

12. Remember that the VTY password is the user mode password, not the enable pass-word. Watch what happens when I try to go into privileged mode after telneting into 2621 Router A:

2621A>en

% No password set

2621A>


This is a good security feature. You don’t want anyone just telneting onto your device and then being able to just type the enable command to get into privileged mode. You must set your enable password or enable secret password to use telnet to configure remote devices.

13. Now, exit out of 2621 Router A.

2621A>exit


2621B#

14. If you telnet to a router or switch, you can end the connection by typing exit at any time. However, what if you want to keep your connection to a remote device but still come back to your original router console? To keep the connection, you can press the Ctrl+Shift+6 key combination, release it, and then press X.

Here’s an example of connecting to multiple devices from 2621 Router B router console:

2621B#telnet 172.16.20.2

Trying 172.16.20.2 ... Open


Password:

2621A> [press ctrl+shift+6 then x]

2621B#

In the example above, I telneted to the 2621 Router A, then typed the password to enter user mode. I then pressed Ctrl+Shift+6, then x (this doesn’t’t show on the screen output). Notice the command prompt is now back at the 2621 Router B.

15. You can also telnet into a switch. In the following example, we telnet to switch 3550 A.

2621B#telnet 172.16.10.17

Trying 172.16.10.17 ... Open


Password:

3550A>

16. At this point, press Ctrl+Shift+6, then X, which will take you back to 2621 Router B console.

2621B#

17. To see the connections made from your router to a remote device, use the show sessions command, as shown below.

2621B#show sessions

Conn Host Address Byte Idle Conn Name

1 172.16.20.2 172.16.20.2 0 0 172.16.20.2

* 2 172.16.10.17 172.16.10.17 0 0 172.16.10.17

2621B#


18. Notice the asterisk (*) next to connection 2. This means that session 2 was the last session. You can return to your last session by pressing enter twice. You can also return to any session by typing the number of the connection and pressing enter twice. Here is an example:

2621B#1

[Resuming connection 1 to 172.16.20.2 ... ] [press enter]

2621A>

When changing windows from Router to Router do not close the window with the x or the Telnet information will be lost.

19. You can list all active consoles and VTY ports in use on your router with the show users command. Type show users from the 2621 Router A, which the 2621 Router B had telneted into.

2621A>show users

Line User Host(s) Idle Location

0 con 0 idle 00:00:00

* 2 vty 0 idle 00:25:12 172.16.30.2

Interface User Mode Idle Peer Address

2621A>

In the output, the con represents the local console. In this example, the console is con-nected to two remote IP addresses, or devices. This output shows that the console is active and that VTY port 0 is being used. The asterisk represents the current terminal session user.

20. You can end Telnet sessions a few different ways. Typing exit or disconnect is probably the easiest and quickest. To end a session from a remote device, use the exit command, as shown below.

2621A#exit


2621B#

21. To end a session from a local device, use the disconnect command, as shown below.

2621B#show sessions


* 2 172.16.10.17 172.16.10.17 0 0 172.16.10.17

2621B#disconnect 2

Lab 3.8: Using Secure Shell in Place of Telnet 197

Closing connection to 172.16.10.17 [confirm] [enter]

2621B#

In this example, we used the session number 2 because that was the connection to 3550 Switch A that we wanted to end. As explained earlier, you can use the show sessions com-mand to see the connection number.


Lab 3.8: Using Secure Shell in Place of TelnetThe last lab had you set your five basic passwords that can be used on a router. In order to gain access to the console (user mode) through the network (called in-band), you set a pass-word on your VTY lines. This allowed Telnet access. However, Telnet is insecure because everything – including passwords – are sent in the clear. However, we can fix that by using Secure Shell (SSH). This is basically the same as using Telnet, but is a secure connection. We will configure our routers to use SSH on the VTY lines.

Network Layout

Load Secure Shell Layout.rsm or whatever you previously named it, before going through the following lab.



3. Click on the file Secure Shell Layout.rsm and click Open.


Lab Steps




Router>

Router>enable

4. We need to set a hostname on 2811 Router A.

Router#config t

Router(config)#hostname2811A

2811A(config)#

5. The next thing we need to do is set a username and password to use for login when using SSH.

2811A(config)#username todd password lammle

6. In addition, a domain name must be set. This is a required step when using SSH. However, it is not important what you set it to unless you are using a DNS server for domain lookups on the router.

2811A(config)#ip domain-name lammle.com

7. Now a key needs to be generated on the router. This will be used to encrypt the pass-word when connecting with SSH to the router.

2811A(config)#crypto key generate rsa

The name for the keys will be: 2811A.lammle.com

Choose the size of the key modulus in the range of 360 to 2048 for your

General Purpose Keys. Choosing a key modulus greater than 512 may take

a few minutes.

How many bits in the modulus [512]: [press enter]


2811A(config)#

Now, we need to set our VTY line commands. The vty lines are used to set a Telnet password on the router. If the password is not set, then telnet cannot be used by default. However, we don’t have to use Telnet, we can use SSH instead, or with Telnet. We no longer use the “login” command by itself. We need to use the login local to have the vty lines look for the username and password configured locally on the router. Let’s take a look.

Lab 3.8: Using Secure Shell in Place of Telnet 199

8. Use the line vty command to enter into line mode.

2811A(config)#line vty 0 ?

<1-1180> Last Line number

<cr>



9. After settting the lines to use the username and password configured on the local router, we need to tell the vty lines to use SSH.

2811A(config-line)#transport input ssh

10. The above command allows only SSH session on the vty lines. You can use the follow-ing command to allow both SSH and Telnet into your router (although, if you can use SSH, Telnet is not recommended).

2811A(config-line)#transport input ssh telnet

Rename and Save Your File: Make sure you save the actual network layout file that you have been working with. You might want to save it to another file name than Secure Shell Layout.rsm. This allows you to start over with a non-configured network if you wish.



2. A dialog box will appear. At the bottom you will see the file name Secure ShellLayout.rsm. Rename the file. In the following example it is renamed My Secure Shell Layout.rsm.

3. Click the Save button. At this point your network layout has been saved to a new name. You then have the option of reloading Secure Shell Layout.rsm which is non-configured.

Lab 3.9: Verifying Secure Shell in Place of TelnetIn Lab 3.8 we had configured 2811 Router A to be an SSH server. In this lab, we will use 2811 Router B to connect to 2811 Router A and verify that SSH is working. As we discussed in Lab 3.8, the reason we want to use SSH is because Telnet is insecure. However, we can fix that by using Secure Shell (SSH). This is basically the same as using Telnet, but is a secure connection. Let’s configure verify our SSH server on 2811 Router A.

Lab 3.9: Verifying Secure Shell in Place of Telnet 201

Lab Steps

1. On the Network Visualizer screen, double-click 2811 Router B. This will bring up a console screen.

2. The first thing we need to do is ping 2811 Router A from 2811 Router B to verify network connectivity.

2811B(config)#exit

2811B#ping 172.16.20.1

3. Now, let’s SSH into 2811 Router A and verify our connection. We need to use the username configured on the 2811 Router A (from Lab 6.8) as our login. We do this with the “-l” option. The name used in the ssh command is case sensitive.

2811B#ssh -l todd 172.16.20.1

Password: [lammle is the password, does not appear when you type]

2811A>

Network Layout

Work with the saved network that you used to configure devices in Lab 3.8.


4. You can verify your connection on 2811 Router A with the show users command:

2811A>show users


* 66 vty 0 Vail idle 00:00:00 192.0.2.157


2811A>

Lab 3.10: Creating a Hosts Table on a Router and Resolve Host Names to IP AddressesYou can use a hostname to connect to a remote device rather than use an IP address. The device that you are using to make the connection from must be able to translate the hostname to an IP address. This lab will show you how to create a hosts table on your router to resolve host names to IP addresses.

Lab Steps

1. A host table provides name resolution only on the router on which it was built. The command to build a host table on a router is:

ip host name ip_address

2. Here is an example of configuring a host table on the 2621 Router B with two entries to resolve the names for the 2621 Router A and the 3550 Switch A:

2621B#config t


2621B(config)#ip host ?

WORD Name of host

2621B(config)#ip host 2621A ?

<0-65535> Default telnet port number

A.B.C.D Host IP address

additional Append addresses

2621B(config)#ip host 2621A 172.16.20.2 ?

A.B.C.D Host IP address (maximum of 8)

<cr>

Lab 3.10: Creating a Hosts Table on a Router and Resolve Host Names to IP Addresses 203

2621B(config)#ip host 2621A 172.16.20.2

2621B(config)#ip host 3550A 172.16.10.17

2621B(config)#ctrl+z

3. To see the host table, use the show hosts command, as shown below.

2621B#sh hosts

Default domain is not set

Name/address lookup uses domain service

Network Layout

Work with the saved network that you used to configure devices in Lab 3.9. You need a configured network in order to complete this lab.


Name servers are 255.255.255.255

Host Flags Age Type Address(es)

2621A (perm, OK) 0 IP 172.16.20.2

3550A (perm, OK) 0 IP 172.16.10.17

2621B#

In the router output above, you can see the two hostnames and their associated IP addresses. The perm in the Flags column means the entry is manually configured. If it said temp, it would be an entry resolved by DNS.

4. To verify that the host table resolves names, try typing the hostnames at a router prompt. Remember that if you don’t specify the command, the router assumes you want to telnet. Use the hostnames we just created to telnet into the remote devices and then press Ctrl+Shift+6, then X to return to the main console of the 2621B router.

2621B#2621A

Trying 2621A (172.16.20.2)... Open


Password:

2621A>(control+shift+6,then x)

2621B#

2621B#3550A

Trying 3550A (172.16.40.2)... Open


Password:

3550A#

5. Notice in the entries in the show session output below that the hostname now shows up instead of the IP address because the IP addresses has been resolved.3550A#sh sess


1 2621A 172.16.20.2 0 0 2621A

* 2 3550A 172.16.10.17 0 0 3550A

6. You can remove a hostname from the table by using the no ip host command, as in the following example:

3550A>(control+shift+6,then x)

2621B#

2621B#config t


2621B(config)#no ip host 2621A

7. Now remove the other hostname from the table by using the no ip host command.

2621B(config)#no ip host 3550A

Configuring the Catalyst Switch

Lab 4: Introduction to Configuring the Catalyst Switch

The CCNA exam covers specific switch commands for the 2950/2960 and 3550/3560 switches. The following labs will teach you how to connect to the 1900 switch and Catalyst 2950/2960 and 3550/3560 switches and configure LAN switching.

The labs covered in this section include:

NN 4.1: Connecting to the 1900 Switch and setting the passwords

NN 4.2: Configuring the 1900 Switch

NN 4.3: Configuring the 1900 Switch Port Duplex

NN 4.4: Verifying the 1900 Switch IP Connectivity

NN 4.5: Erasing the 1900 Switch Configuration

Labs 4.1 - 4.5 are for the 1900 switch, which is not used in our standard network layouts, but is included for your educational purpose. The 1900 switch is an older switch and is end-of-life from Cisco.

NN 4.6: Utilizing the 2950/2960 Switch

NN 4.7: Setting Passwords on the 2950/2960 Switch

NN 4.8: Configuring the 2950/2960 Switch

NN 4.9: Verifying the 2950/ 2960 Switch IP Connectivity

NN 4.10: Saving and Erasing the 2950/2960 Switch Configuration

NN 4.11: Utilizing the 3550/3560 Switch

NN 4.12: Setting Passwords on the 3550/3560 Switch

NN 4.13: Configuring the 3550/3560 Switch

NN 4.14: Verifying the 3550 /3560 Switch IP Connectivity

NN 4.15: Saving and Erasing the 3550/3560 Switch Configuration

Lab 4.1: Connecting to the 1900 Switch and Setting Passwords 207

Lab 4.1: Connecting to the 1900 Switch and Setting PasswordsThis lab will have you work with a switch and router, enter an IP address on a router, enter global configuration mode and then set the passwords.

Lab Steps

1. Double click the 1900 switch to view the the 1900 switch console.

OR

Network Layout

Load 1900 Switch Layout.rsm before going through the following lab.



3. Click on the file 1900 Switch Layout.rsm and click Open.

208 Configuring the Catalyst Switch

Go to the 1900 switch via the console menu.

2. You will then see the following output. Press K to enter the CLI.

1 user(s) now active on Management Console.

User Interface Menu

[M] Menus

[K] Command Line

[I] IP Configuration

Enter Selection: K

CLI session with the switch is open.

To end the CLI session, enter [Exit].

>

3. The first thing that you should configure on a switch is the passwords. You don’t want unauthorized users connecting to the switch. You can set both the user mode and privileged mode passwords, just like a router. Enter privileged mode by using the enable command and then enter global configuration mode by using the config t command. The switch following output shows an example of how to get into enable mode, and then into global configuration mode.

>enable

#config t

Enter configuration commands, one per line. End with CTRL/Z

(config)#


4. Once you are in global configuration mode, you can set the user mode and enable mode passwords by using the enable password command. The switches output below shows the configuration of both the user mode and enable mode passwords.

(config)#enable password ?

level Set exec level password

(config)#enable password level ?

<1-15> Level number

5. To enter the user mode password, use level number 1. To enter the enable mode pass-word, use level mode 15. Remember the password must be at least four characters, but not longer then eight characters. The switch output below shows the user mode password being set and denied because it is more than eight characters.

(config)#enable password level 1 toddlammle

Error: Invalid password length.

Password must be between four and eight characters.

6. The following output is an example of how to set both the user mode and enable mode passwords on the 1900 switch.

(config)#enable password level 1 todd

(config)#enable password level 15 todd1

(config)#exit

#exit

7. At this point, you can press enter and test your passwords. You will be prompted for a user mode password after you press K and then an enable mode password after you type enable.

Catalyst 1900 Management Console

Copyright (c) Cisco Systems, Inc. 1993-1998

All rights reserved.

Enterprise

Edition Software

Ethernet Address: 00-30-80-CC-7D-00

PCA Number: 73-3122-04

PCA Serial Number: FAB033725XG

Model Number: WS-C1912-A

System Serial Number: FAB0339T01M

Power Supply S/N: PHI031801CF


PCB Serial Number: FAB033725XG,73-3122-04

-------------------------------------------------


User Interface Menu

[M] Menus

[K] Command Line

Enter Selection: K

Enter password: ****



>en


#

8. The enable secret password is a more secure password and supersedes the enable pass-word if set. You set this password the same way you set the enable secret password on a router. If you have an enable secret set, you don’t even need to bother setting the enable mode password.

#config t


(config)#enable secret todd2

9. You can use show running-config (show run for short) to see the current configuration on the switch.

(config)#exit

#sh run



enable secret 5 $1$FMFQ$wFVYVLYn2aXscfB3J95.w.

enable password level 1 "TODD"

enable password level 15 "TODD1"

[output cut]

Notice the enable mode passwords are not encrypted by default, but the enable secret is. This is the same password configuration technique that you will find on a router. One more thing to notice is that even though I typed the password as lowercase, the running-config shows the passwords as uppercase. It doesn’t matter how you type it in or how it shows in the configuration because the passwords are not case sensitive on the switch.


Rename and Save Your File: Make sure you save the actual network layout file that you have been working with. You might want to save it to another file name than 1900 Switch Layout.rsm. This allows you to start over with a non-configured network if you wish.



2. A dialog box will appear. At the bottom you will see the file name 1900 Switch Layout.rsm. Rename the file. In the following example it is renamed to My 1900 Switch Layout.rsm.

3. Click the Save button. At this point your network layout has been saved to a new name. You then have the option of reloading 1900 Switch Layout.rsm which is non-configured.

Lab 4.2: Configuring the 1900 SwitchUse the saved network layout file from Lab 4.1. The file name is 1900 Switch Layout.rsm or whatever you named it when you saved it in Lab 4.1.

Set the HostnameThe hostname on a switch, as well as on a router, is only locally significant. This means that it does not have any function on the network or name resolution whatsoever. However, it is helpful to set a hostname on a switch so that you can identify the switch when connect-ing to it. A good rule of thumb is to name the switch after the location it is serving.

Lab 4.2: Configuring the 1900 Switch 213

Lab Step

1. The 1900 switch command to set the hostname is exactly like any router: you use the hostname command. Remember, it is one word. The switch output below shows the con-sole screen. Press K to go into user mode, enter the password, use the enable command and enter the enable secret password. From global configuration mode, type the command hostname hostname.


User Interface Menu

[M] Menus

[K] Command Line


Enter Selection: K




>en


#config t


(config)#hostname 1900A

1900A(config)#exit

Notice that as soon as I pressed enter, the hostname of the switch appeared. Remember that from global configuration mode, which you enter by using the config t command, it changes the running-config. Any changes you make in this mode take effect immediately.

Configure the IP AddressYou do not have to set any IP configuration on the switch to make it work. You can just plug in devices and they should start working, just like they would on a hub. The reason you would set the IP address information on the switch is so you can either manage the switch via Telnet or other management software, or you wanted to configure the switch with different VLANs and other network functions. VLANs are discussed in later labs.

2. By default, no IP address or default-gateway information is set. You would set both the IP address and the default-gateway on a layer-two switch, just like any host. By typing the command show ip (or sh ip), you can see the default IP configuration of the switch.

1900A#show ip

IP Address: 0.0.0.0

Subnet Mask: 0.0.0.0


Management VLAN: 1


Domain name:

Name server 1: 0.0.0.0


HTTP server : Enabled

HTTP port : 80

RIP : Enabled

Notice in the above switch output that no IP address, default-gateway, or other IP parameters are configured.

3. To set the IP configuration on a 1900 switch, use the ip address command. The default gateway should also be set using the ip default-gateway command. The switch output below shows an example of how to set the IP address and default-gateway on a 1900 switch.

1900A#config t


1900A(config)#ip address 172.16.10.16 255.255.255.0


1900A(config)#exit

4. Once you have your IP information set, use the show ip command to verify your changes. You can view this information with the show running-config command as well.

1900A#show ip

IP Address: 172.16.10.16

Subnet Mask: 255.255.255.0


Management VLAN: 1

Domain name:




HTTP port : 80

RIP : Enabled

1900A#

To change the IP address and default-gateway on the switch, you can either type in new addresses or remove the IP information with the no ip address and no ip default-gateway commands, at the global configuration prompt.

Configure InterfacesIt is important to understand how to access switch ports. The 1900 switch uses the type slot/port command. For example, FastEthernet 0/3 is 10BaseT port 3. Another example


would be FastEthernet 0/26 which is the first of the two FastEthernet ports available on the 1900 switch.

The 1900 switch type slot/port command can be used with either the interface com-mand or the show command. The interface command allows you to set interface specific configurations. The 1900 switch has only one slot: zero (0).

5. To configure an interface on a 1900 switch, go to global configuration mode and use the interface command. From global configuration, use the interface command and the type, either Ethernet or FastEthernet interface. I am going to demonstrate the Ethernet interface configuration first.

1900A#config t


1900A(config)#int ethernet ?

<0-0> IEEE 802.3

6. The previous output asks for the slot. Since the 1900 switch is not modular, there is only one slot. The next output gives us a slash (/) to separate the slot/port configuration.

1900A(config)#int ethernet 0?

/

1900A(config)#int ethernet 0/?

<1-25> IEEE 802.3

7. After the 0/configuration command, the above output shows the amount of ports you can configure. The output below shows the completed command.

1900A(config)#int ethernet 0/1

8. Once you are in interface configuration, the prompt changes to (config-if). After you are at the interface prompt, you can use the help commands to see the available commands.

1900A(config-if)#?

Interface configuration commands:

cdp Cdp interface subcommands

description Interface specific description

duplex Configure duplex operation

exit Exit from interface configuration mode


no Negate a command or set its defaults

port Perform switch port configuration

shutdown Shutdown the selected interface

spantree Spanning tree subsystem

vlan-membership VLAN membership configuration

1900A(config-if)#?exit


You can switch between interface configuration by using the int e 0/# command at any time from global configuration mode.

9. The switch output below shows the configuration of a FastEthernet port on the 1900 switch. Notice that the command is interface fastethernet, but the slot is still 0. The only ports available are 26 and 27.

1900A(config)#int fastethernet ?

<0-0> FastEthernet IEEE 802.3

1900A(config)#int fastethernet 0/?


1900A(config)#int fastethernet 0/26

1900A(config-if)#int fast 0/27

1900A(config-if)#ctl+z

10. After you make any changes you want to the interfaces, you can view the different inter-faces with the show interface command. The switch output below shows the command used to view a 10BaseT interface and the command to view a fastethernet interface.

1900A#show int e0/1

ethernet 0/1 is Suspended-no-linkbeat

Hardware is Built-in 10Base-T

Address is 0030.80CC.7D01

MTU 1500 bytes, BW 10000 Kbits

802.1d STP State: Forwarding Forward Transitions: 1

[output cut]

1900A#show int f0/26

Fastethernet 0/26 is Suspended-no-linkbeat

Hardware is Built-in 100Base-TX

Address is 0030.80CC.7D1A


802.1d STP State: Blocking Forward Transitions: 0

[output cut]

Configure Interface DescriptionsYou can administratively set a name for each interface on the 1900 switch. Like the hostname, the descriptions are only locally significant. For the 1900 series switch, use the description command. You cannot use spaces with the description command, but you can use underlines if you need to.

11. To set the descriptions, you need to be in interface configuration mode. From interface configuration mode, use the description command to describe each interface. You can


make the descriptions more then one word, but you can’t use spaces. You will have to use the underline as shown below:

1900A#config t


1900A(config)#int e0/1

1900A(config-if)#description Finance_VLAN

1900A(config-if)#int f0/26

1900A(config-if)#description trunk_to_Building_4

1900A(config-if)#ctl+z

In the configuration example above, we set the description on both a 10Mbps port and a 100Mbps port.

View Interface DescriptionsOnce you have configured the descriptions you want on each interface, you can then view the descriptions with either the show interface command, or show running-config command.

12. View the configuration of the Ethernet interface 0/1 by using the show interface ethernet 0/1 command.

1900A#show int e0/1

Ethernet 0/1 is Enabled





Port monitoring: Disabled

Unknown unicast flooding: Enabled

Unregistered multicast flooding: Enabled

Description: Finance_VLAN

Duplex setting: Half duplex

Back pressure: Disabled

13. Use the show running-config command to view the interface configurations as well.

1900A#show run



!

hostname "1900A"

!

ip address 172.16.10.16 255.255.255.0


ip default-gateway 172.16.10.1

!

enable secret 5 $1$u76B$IOFVJ7VxfVXYVpGDrFTcI0



!

interface Ethernet 0/1

description "Finance_VLAN"

[output cut]


Lab 4.3: Configuring the 1900 Switch Port DuplexThe 1900 switch has only 12 or 24 10BaseT ports and comes with one or two FastEthernet ports. You can only set the duplex on the 1900 switch, as the ports are all fixed speeds.

Network Layout

Use the saved network that you have been working with.

Lab 4.3: Configuring the 1900 Switch Port Duplex 219

Lab Steps

1. Use the duplex command in interface configuration.

In the switch output below, notice the options available on the FastEthernet ports.

1900A(config)#int f0/26

1900A(config-if)#duplex ?

auto Enable auto duplex configuration

full Force full duplex operation

full-flow-control Force full duplex with flow control

half Force half duplex operation

1900A(config-if)#duplex full


The following Table shows the different duplex options available on the 1900 switches. The 1900 FastEthernet ports default to auto duplex, which means they will try and auto detect the duplex the other end is running.

TA b LE : Duplex Options

Parameter Definition

Auto Set the port into auto-negotiation mode. Default for all 100BaseTX ports.

Full Forces the 10 or 100Mbps ports into full duplex mode.

Full-flow-control Works only with 100BaseTX ports, uses flow control so buffers won’t overflow.

Half Default for 10BaseT ports, forces the ports to work only in half duplex mode.

2. Once you have the duplex set, you can use the show interface command to view the duplex configuration.


Fastethernet 0/26 is enabled


Address is 0030.80CC.7D1A


802.1d STP State: Blocking Forward Transitions: 0





Description: trunk to Building 4

Duplex setting: Full duplex

Back pressure: Disabled

3. In the output above, the duplex setting shows full duplex.

Lab 4.4: Verifying 1900 Switch IP ConnectivityIt is important to test the switch IP configuration. You can use the ping program, and you can telnet into the 1900 switch. However, you cannot telnet from the 1900 switch or use traceroute.

Network Layout

Use the saved network that you are using while working with the 1900 switch.

Lab 4.4: Verifying 1900 Switch IP Connectivity 221

Lab Steps




NN IP Address

N Subnet Mask

NN Default Gateway

IP Address: 172.16.10.9

Subnet Mask: 255.255.255.0




5. Ping the host from the switch 1900 A.

1900A#ping 172.16.10.9

Sending 5, 100-byte ICMP Echos to 172.16.10.9, time out is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max 0/2/10/ ms

The output on a successful ping: exclamation point (!). If you receive periods (.) instead of exclamation points, that signifies a timeout.

6. Telnet to the host.

1900A#telnet 172.16.10.9

^

% Invalid input detected at '^' marker.

In the Telnet example above, notice the error when you try to telnet from the 1900 switch. The command is not available on the 1900 switch. However, you can telnet into a switch at any time, as long as the switch is configured correctly.


Lab 4.5: Erasing the 1900 Switch ConfigurationThe switch configuration is stored in NVRAM, just as any router. You cannot view the startup-config, or contents of NVRAM. You can only view the running-config. When you make a change to the switches’ running-config, the switches automatically copy the configuration on the switch to NVRAM.

You can delete the configuration in NVRAM on the 1900 switch if you want to start over on the switches’ configuration. To delete the contents of NVRAM on a 1900 switch, use the delete nvram command.

Lab 4.5: Erasing the 1900 Switch Configuration 223

Lab Steps

1. Type delete ? from a 1900 Switch A, privileged mode prompt. Notice in the switch out-put below that there are two options: nvram and vtp. We want to delete the contents of NVRAM to the factory default settings.

1900A#delete ?

nvram NVRAM configuration

vtp Reset VTP configuration to defaults

1900A#delete nvram

This command resets the switch with factory defaults. All system parameters will revert to their default factory settings. All static and dynamic addresses will be removed.

2. Reset system with factory defaults, [Y]es or [N]o? Yes

Notice the message received from the switch when the delete nvram command is used. Once you say yes, the configuration is gone.

Network Layout

Use the saved network that you are using while working with the 1900 switch.


3. To confirm the configuration is gone, use the show run command.

#show run



!


!


!


!


[output cut]

Lab 4.6: Utilizing the 2950 and 2960 SwitchThe 2950 and 2960 switches are very similar and basically support the same commands. The configuration commands between the two switches differ because:

NN The Catalyst 2950 switch runs Cisco IOS 12.1EA software, and the Catalyst 2960 switch runs Cisco IOS 12.2SE software.

NN The hardware is different. In this program the 2950 switch has 12 FastEthnet ports ...

Lab 4.7: Setting Passwords on the 2950/2960 Switch 225

NN and the 2960 switch has eight FastEthernet ports and one GigabitEthernet port ...

If you use a 2950 switch command, it might not be supported on the 2960 switch. The 2960 switch software handles the incompatible commands by either:

NN accepting it and translating them

NN rejecting the command

In this program the supported commands for these two switches are identical.

Lab 4.7: Setting Passwords on the 2950/2960 SwitchThis lab will have you work with a 2950/2960 switch. The commands used in configuring the 2950 or 2960 switches are identical in this program. You can choose which device you would like to work with in setting passwords. In this lab, enter the global configuration mode and then set the passwords.


Network Layout

Load Standard Layout.rsm or whatever you named the file when you saved your work in earlier labs.


Lab Steps

1. Double-click 2950 Switch A or 2960 Switch A to open the console screen.

2. Press Enter to connect to the console.

Switch>

3. For the user mode of the switch, you can use the help screen just like a router.

Switch>?

Exec commands:

<1-99> Session number to resume









lock Lock the terminal

login Log in as a particular user

logout Exit from the EXEC

name-connection Name an existing network connection

ping Send echo messages

rcommand Run command on remote switch

resume Resume an active network connection

show Show running system information

systat Display information about terminal lines

telnet Open a telnet connection

terminal Set terminal line parameters

traceroute Trace route to destination

tunnel Open a tunnel connection

--More--

[output cut]

4. The first thing that you should configure on a switch are the passwords. You don’t want unauthorized users connecting to the switch. You can set both the user mode and privileged mode passwords, just like a router. Enter the enable mode by using the enable command and then enter global configuration mode by using the config t command. The switch following output shows an example of how to get into enable mode, and then into global configuration mode.

Switch>enable

Switch#config t



Switch(config)#

5. Once you are in global configuration mode, you can set the user mode and enable mode passwords by using the enable password and enable secret command. The switches’ output below shows the configuration of both the user mode and enable mode passwords.

Switch(config)#enable password ?

0 Specifies an UNENCRYPTED password will follow

7 Specifies a HIDDEN password will follow

LINE The UNENCRYPTED (cleartext) 'enable' password


Switch(config)#enable password todd

Switch(config)#enable secret cisco

Switch(config)

If you set your enable secret, the enable password is superseded and not used, just like in a router.

6. In addition to the enable password and enable secret, the 2950/2960 switch allows you to set a console and Telnet password as well using the line commands, just like in a router.

Switch(config)line ?




Switch(config)#line console 0

Switch(config-line)#password console

Switch(config-line)#login

Switch(config-line)#line vty ?


7. Remember that just like in a router, you cannot get help for a line command from within line configuration mode. Type Exit to go back one step.

Switch(config-line)#exit

Switch(config)#line vty ?


Switch(config)#line vty 0 15

Switch(config-line)#password telnet


Switch(config-line)#ctrl+z

Switch#

Lab 4.8: Configuring the 2950/2960 Switch 229



!

version 12.1

no service pad




!

hostname Switch

!

enable secret 5 $1$yNgO$9uU0Z6NG1ib4vlt05bmMW1

enable password todd

!

ip subnet-zero

!


!

!


no ip address

!


no ip address

--More--

Notice the enable mode password is not encrypted by default, but the enable secret is. This is the same password configuration technique that you will find on a router.


Lab 4.8: Configuring the 2950/2960 SwitchThis lab will have you work with a 2950/2960 switch. The commands used in configuring the 2950 or 2960 switches are identical in this program. Even though the step-by-steps refer to the 2950 switch, you can also configure the 2960 with the same steps.


Set the HostnameThe hostname on a switch, as well as on a router, is only locally significant. This means that it does not have any function on the network and is not used for name resolution whatsoever. However, it is helpful to set a hostname on a switch so that you can identify the switch when connecting to it. A good rule of thumb is to name the switch after the location it is serving.

Network Layout



The 2950/2960 switch command to set the hostname is exactly like any router: you use the hostname command. Remember, it is one word. From global configuration mode, type the command hostname hostname.

Lab Steps

1. Double-click 2950 Switch A or 2960 Switch A to open the console screen.

Switch>enable


Switch#config t



2950A(config)#exit

2950A#

Notice that as soon as you press enter, the hostname of the switch appears. Remember that from global configuration mode, which you enter by using the config t command, it changes the running-config. Any changes you make in this mode take effect immediately.

Configure the IP Address

2. By default, no IP address or default-gateway information is set. You would set both the IP address and the default-gateway on a layer-two switch, just like any host. By typing the command show running-config you can see the default IP configuration of the switch. Notice in your switch output that no IP address, default-gateway, or other IP parameters are configured.

3. To set the IP configuration on a 2950 switch, use the ip address command. However, this is set under the VLAN1 interface, not at global configuration mode like on a 1900 switch. Remember that by default all interfaces are members of VLAN1, which is why the VLAN1 interface is configured by default.

2950A#config t





2950A(config)#

4. The default gateway should also be set using the ip default-gateway command. How-ever, unlike the IP address, this is completed at global configuration mode.


2950A(config)#exit

2950A#


To change the IP address and default-gateway on the switch, you can either type in new addresses or remove the IP information with the no ip address and no ip default-gateway commands, at the appropriate configuration prompt.

Configure InterfacesIt is important to understand how to access switch ports. The 2950/2960 switch uses the type slot/port command, just like a 2621 router. For example, Fastethernet 0/3 is 10/100BaseT port 3.

The 2950/2960 switch type slot/port command can be used with either the interface command or the show command. The interface command allows you to set interface specific configurations. The 2950/2960 switch has only one slot: zero (0), just like the 1900.

5. To configure an interface on a 2950/2960 switch, go to global configuration mode and use the interface command as shown. Since the 2950/2960 switch is not modular, there is only one slot, which is 0, although it lists 0-2 for some odd reason. However, you can

IP Default-Gateway

This is used on devices where no routing information is provided by the router that tells you how to get to the next, directly connected device. It tells us what pathway to use to send packets to the next, directly connected device. In the previous set of com-mands the ip default-gateway is 172.16.40.1 because that is the IP address of interface f0/0 on Router 2621 A.


only type in “0” as the slot in this program. Any other slot number will give you an error. The next output gives us a slash (/) to separate the slot/port configuration.

2950A#config t

2950A(config)#interface fastethernet ?


2950A(config)#interface fastethernet 0?

/

2950A(config)#interface fastethernet 0/?




2950A(config-if)#

7. Once you are in interface configuration, the prompt changes to (config-if). You can switch between interface configurations by using the int fa 0/# command at any time from global configuration mode. Now, let’s look at the duplex and speed configura-tions for a switch port.



auto Enable AUTO duplex configuration


half Force half-duplex operation

2950A(config-if)#

2950A(config-if)#speed ?

10 Force 10 Mbps operation


auto Enable AUTO speed configuration

2950A(config-if)#

8. Since the switch port’s duplex and speed settings are already set to auto by default, you do not need to change the switch port settings. It is recommended that you allow the switch port to auto negotiate speed and duplex settings in most situations. In a rare situation, when it is required to manually set the speed and duplex of a switch port, you can use the following configuration.


Duplex will not be set until speed is set to non-auto value

2950A(config-if)#speed 100

9. Notice in the above command that to run full duplex, you must set the speed to non-auto value.


10. In addition to the duplex and speed commands that can be configured on the switch port, you also can turn on what is called portfast. The portfast command allows a switch port to come up quickly. Typically a switch port waits 50 seconds for the spanning-tree to go through its “gotta make sure there are no loops!” cycle. However, if you turn portfast on, then you better be sure you do not create a physical loop on the switch network. A spanning-tree loop can severely hurt or bring your network down. Here is how you would enable portfast on a switch port.

2950A(config-if)#spanning-tree ?

bpdufilter Don’t send or receive BPDUs on this interface

bpduguard Don't accept BPDUs on this interface

cost Change an interface's spanning tree port path cost

guard Change an interface's spanning tree guard mode

link-type Specify a link type for spanning tree protocol use

port-priority Change an interface's spanning tree port priority

portfast Enable an interface to move directly to forwarding on link up

stack-port Enable stack port

vlan VLAN Switch Spanning Tree

11. The command above shows the available options for the spanning-tree command. We want to use the portfast command.

2950A(config-if)#spanning-tree portfast

%Warning: portfast should only be enabled on ports connected to a single

host. Connecting hubs, concentrators, switches, bridges, etc... to this

interface when portfast is enabled, can cause temporary bridging loops.

Use with CAUTION

%Portfast has been configured on FastEthernet0/1 but will only

have effect when the interface is in a non-trunking mode.

2950A(config-if)#

12. Notice the message the switch provides when enabling portfast. Although it seems like the command did not take effect, as long as the port is in access mode (discussed in a minute), the port will now be in portfast mode.

13. After you make any changes you want to the interfaces, you can view the different interfaces with the show interface command. The switch output below shows the command used to view a 10/100BaseT interface on the 2950/2960 switch.


2950A#show int f0/1

FastEthernet0/1 is down line protocol is down (notconnect)

Hardware is FastEthernet, address is 00b0.9eb1.bcd0 (bia 00b0.9eb1.bcd0)


reliability 255/255, txload 1/255, rxload 1/255




Half-duplex, 100Mb/s, media type is 10/100BaseTX

input flow-control is off, output flow-control is unsupported











0 runts, 0 giants, 0 throttles


0 watchdog, 3752639 multicast, 0 pause input







14. In addition to the show interface command, you can use the show running-config command to see the interface configuration as well.

[output cut]

!


duplex full

speed 100

spanning-tree portfast

!


[output cut]

15. You can administratively set a name for each interface on the 2950/2960 switch. Like the hostname, the descriptions are only locally significant. For the 2950/2960 series switch, use the description command. You can use spaces with the description command, but you can use underlines if you need to.


To set the descriptions, you need to be in interface configuration mode. From interface configuration mode, use the description command to describe each interface.

2950A#config t


2950A(config)#int fa 0/1

2950A(config-if)#description Sales VLAN

2950A(config-if)#int fa 0/8

2950A(config-if)#description trunk to Building 8

2950A(config-if)#

In the configuration example above, we set the description on both port 1 and 12.

16. Once you have configured the descriptions you want on each interface, you can then view the descriptions with either the show interface command, or show running-config command. View the configuration of the Ethernet interface 0/1 by using the show interface ethernet 0/1 command.

2950A#show int fa 0/1



Description: Sales VLAN






(output cut)


2950A#show run

[output cut]

!


description "Sales VLAN"


!

[output cut]

Notice in the above switch output that the show int fa0/1 command and the show run command both show the description command set on an interface.

Save the network that you have been working on.

Lab 4.9: Verifying 2950/2960 Switch IP Connectivity 237

Lab 4.9: Verifying 2950/2960 Switch IP ConnectivityThis lab will have you work with a 2950/2960 switch. The commands used in configuring the 2950 or 2960 switches are identical in this program. Even though the step-by-steps refer to the 2950 switch, you can also configure the 2960 with the same steps. It is important to test the switch IP configuration. You can use the ping program, and you can telnet into the 2950/2960 switch. However, you cannot telnet from the 2950/2960 switch or use traceroute.

1. In the following example, ping Host E on the network from 2950 Switch A. Notice the output on a successful ping: exclamation point (!). If you receive periods (.) instead of exclamation points, that signifies a timeout.

Network Layout



2950A#ping 172.16.40.3


!!!!!


2. In the following example, ping Host F on the network from the 2960 A switch.

2960A#ping 172.16.50.3


!!!!!


Lab 4.10: Saving and Erasing 2950/2960 Switch Configuration 239

Lab 4.10: Saving and Erasing 2950/2960 Switch ConfigurationThis lab will have you work with a 2950/2960 switch. The commands used in configuring the 2950 or 2960 switches are identical in this program. Even though the step-by-steps refer to the 2950 switch, you can also configure the 2960 with the same steps.

The switch configuration is stored in NVRAM, just as any router, and placed in RAM when the switch boots. The file in RAM is called the running-config and the file in NVRAM is called the startup-config. You can view the startup-config, also called the backup con-figuration, with the show startup-config command.

Network Layout



Lab Steps

1. To save the switch configuration, you type copy running-config startup-config, or copy run start, just like on a router.


Destination filename [startup-config]?press Enter


[OK]

2950A#

2. You can delete the configuration in NVRAM on the 2950 switch if you want to start over on the switches’ configuration. To delete the contents of NVRAM on a 2950 switch, use the erase startup-config command as shown. However, you still need to reload the switch to erase the running-config.


Erasing the nvram file system will remove all files! Continue? [confirm] press Enter

[OK]


2950A#sh start

%% Non-volatile configuration memory is not present

2950A#

3. Again, just because you have erased the contents of NVRAM with the erase startup-config command, you need to remember that the running-config is still in RAM. To erase the running-config you have to reload the switch.

4. Change to the console screen for 2960 Switch A. Save your configuration.




[OK]

2960A#

5. To delete the contents of NVRAM on a 2960 switch, use the erase startup-configcommand as shown. However, you still need to reload the switch to erase the running-config.


Erasing the nvram file system will remove all files! Continue? [confirm] press Enter

[OK]



2960A#sh start


2960A#

Lab 4.11: Utilizing the 3550 and 3560 SwitchThe 3550 and 3560 switches are very similar and basically support the same commands. The configuration commands between the two switches differ because:

NN The Catalyst 3550 switch runs Cisco IOS 12.1EA software, and the Catalyst 3560 switch runs Cisco IOS 12.2SE software.

NN The hardware is different. In this program, the 3550 switch has 10 FastEthnet ports ...

NN and the 3560 switch has eight FastEthernet ports and one GigabitEthernet port ...

In this program, the supported commands for these two switches are identical.

Lab 4.12: Setting Passwords on the 3550/3560 SwitchThis lab will have you work with a 3550/3560 switch. The commands used in configuring the 3550 or 3560 switches are identical in this program. Even though the step-by-steps refer to the 3550 switch, you can also configure the 3560 with the same steps.

Enter global configuration mode and then set the passwords.


Lab Steps

1. Double-click 3550 Switch A to open the console screen.


3550A>

3. The first thing that you should configure on a switch is the passwords. You don’t want unauthorized users connecting to the switch. You can set both the user mode and privileged mode passwords, just like a router. Enter enable mode by using the enable command and then enter global configuration mode by using the config t command. The following output shows an example of how to get into enable mode, and then into global configuration mode.

3550A>enable

3550A#config t


Switch(config)#

4. Once you are in global configuration mode, you can set the user mode and enable mode passwords by using the enable password and enable secret command. The

Network Layout



switches output below shows the configuration of both the user mode and enable mode passwords.

3550A(config)#enable password ?





3550A(config)#enable password todd

3550A(config)#enable secret cisco

3550A(config)


6. In addition to the enable password and enable secret, the 3550/3560 switch allows you to set a console and Telnet password as well using the line commands, just like in a router.

3550A(config)line ?





3550A(config-line)#password console




3550A(config-line)#password telnet



The telnet password was already set for 3550 Switch A in an earlier lab.



3550A#show run



!

version 12.1

no service single-slot-reload-enable


no service pad




!

hostname 3550A

!



!

ip subnet-zero

!

!


!

!


switchport mode dynamic desirable

!



[output cut]

The enable mode password is not encrypted by default, but the enable secret is. This is the same password configuration technique that you will find on a router.

Lab 4.13: Configuring the 3550/3560 SwitchThis lab will have you work with a 3550 switch. The commands used in configuring the 3550 or 3560 switches are identical in this program. Even though the step-by-steps refer to the 3550 switch, you can also configure the 3560 with the same steps.

The hostnames on a switch, as well as on a router, is only locally significant. This means that it does not have any function on the network and is not used for name resolution what-soever. However, it is helpful to set a hostname on a switch so that you can identify the switch when connecting to it. A good rule of thumb is to name the switch after the location it is serving.


Set the HostnameThe hostnames on a switch, as well as on a router, is only locally significant. This means that it does not have any function on the network and is not used for name resolution whatsoever. However, it is helpful to set a hostname on a switch so that you can identify the switch when connecting to it. A good rule of thumb is to name the switch after the location it is serving.

Network Layout



Lab Steps

1. The 3550/3560 switch command to set the hostname is exactly like any router: you use the hostname command. Remember, it is one word. From global configuration mode, type the command hostname hostname.

Switch>enable


Switch#config t



3550A(config)#exit

3550A#

Notice that as soon as you press Enter, the hostname of the switch appears. Remember that from global configuration mode, which you enter by using the config t command, it changes the running-config.

Any changes you make in this mode take effect immediately.

Configure the IP Address


3. To set the IP configuration on a 3550/3560 switch, use the ip address command. However, this is set under the VLAN1 interface, not at global configuration mode like on a 1900 switch. Remember that by default all interfaces are members of VLAN1, which is why the VLAN1 interface is configured by default.

3550A#config t





3550A(config)#



3550A(config)#exit

3550A#



Configure InterfacesIt is important to understand how to access switch ports. The 3550/3560 uses the type slot/port command, just like a 2621 router and just like the 3550/3560. For example, Fastethernet 0/3 is 10/100BaseT port 3.

The 3550/3560 type slot/port command can be used with either the interface com-mand or the show command. The interface command allows you to set interface specific configurations. The 3550/3560 has only one slot: zero (0), just like the 1900.

5. To configure an interface on a 3550/3560, go to global configuration mode and use the interface command as shown.

3550A#config t


3550A(config)#interface ?






Lex Lex interface



Null Null interface


Transparent Transparent interface




Vlan Catalyst Vlans

fcpa Fiber Channel


3550A(config)#interface

6. The next output asks for the slot. Since the 3550/3560 is not modular, there is only one slot, which is 0, although it lists 0-2 for some odd reason. However, you can only type in “0” as the slot in this program. Any other slot number will give you an error. The next output gives us a slash (/) to separate the slot/port configuration.





/





3550A(config-if)#

8. Once you are in interface configuration mode, the prompt changes to (config-if). After you are at the interface prompt, you can use the help commands to see the available commands.

3550A(config-if)#?


arp Set arp type (arpa, probe, snap) or timeout

bandwidth Set bandwidth informational parameter

carrier-delay Specify delay for interface transitions

cdp CDP interface subcommands

channel-group Etherchannel/port bundling configuration

default Set a command to its defaults

delay Specify interface throughput delay


dot1x IEEE 802.1X subsystem




hold-queue Set hold queue depth

ip Interface Internet Protocol config commands

keepalive Enable keepalive

load-interval Specify interval for load calculation for an interface

logging Configure logging for interface

mac-address Manually set interface MAC address

mls mls interface commands

mvr MVR per port configuration


ntp Configure NTP

--More--


You can switch between interface configurations by using the int fa 0/# command at any time from global configuration mode.

9. Let’s look at the duplex and speed configurations for a switch port.







3550A(config-if)#

3550A(config-if)#speed?



auto Enable AUTO speed configuration

3550A(config-if)#

10. Since the switch port’s duplex and speed settings are already set to auto by default, you do not need to change the switch port settings. It is recommended that you allow the switch port to auto negotiate speed and duplex settings in most situations. In a rare situation, when it is required to manually set the speed and duplex of a switch port, you can use the following configuration.





Full Duplex

Transmission of data in two directions simultaneously. It has a higher throughput than half duplex.

NN There are no collision domains with this setting

NN Both sides must have the capability of being set to full duplex

NN Both sides of the connection must be configured with full duplex

NN Each side transmits and receives at full bandwidth in both directions


12. In addition to the duplex and speed commands that can be configured on the switch port, you also can turn on what is called portfast. The portfast command allows a switch port to come up quickly. Typically a switch port waits 50 seconds for spanning-tree to go through its “gotta make sure there are no loops!” cycle. However, if you turn portfast on, then you better be sure you do not create a physical loop on the switch network. A spanning-tree loop can severely hurt or bring your network down. Here is how you would enable portfast on a switch port.


bpdufilter Don't send or receive BPDUs on this interface

bpduguard Don't accept BPDUs on this interface













Use with CAUTION



3550A(config-if)#

14. Notice the message the switch provides when enabling portfast. Although it seems like the command did not take effect, as long as the port is in access mode (discussed in a minute), the port will now be in portfast mode.

15. After you make any changes you want to the interfaces, you can view the different interfaces with the show interface command. The switch output below shows the command used to view a 10/100BaseT interface on the 3550/3560.


3550A#show int f0/4


Hardware is Fast Ethernet, address is 00b0.c5e4.e2cf (bia 00b0.c5e4.e2cf)






Full duplex, 100Mb/s

input flow-control is off, output flow-control is off


Last input never, output 1w6d, output hang never




Output queue :0/40 (size/max)











0 lost carrier, 0 no carrier, 0 PAUSE output


3550A#


3550A#show run

[output cut]



!




!


[output cut]


17. You can administratively set a name for each interface on the 3550/3560. Like the hostname, the descriptions are only locally significant. For the 3550 series switch, use the description command. You can use spaces with the description command, but you can use underlines if you need to.


3550A#config t



3550A(config-if)#description Marketing VLAN



3550A(config-if)#






Hardware is Fast Ethernet, address is 00b0.1a09.2097 (bia 00b0.1a09.2097)

Description: Marketing VLAN

(output cut)


3550A#show run

[output cut]

!


description "Marketing VLAN"

duplex full

speed 100


!

[output cut]

Lab 4.14: Verifying 3550/3660 Switch IP Connectivity 253


Save the network that you have been working on.

Lab 4.14: Verifying 3550/3660 Switch IP ConnectivityThis lab will have you work with a 3550/3560 switch. The commands used in configuring the 3550 or 3560 switches are identical in this program. Even though the step-by-steps refer to the 3550 switch, you can also configure the 3560 with the same steps.

It is important to test the switch IP configuration. You can use the ping program, and you can telnet into the 3550/3560 switch. However, you cannot telnet from the 3550/3560 switch or use traceroute.

1. In the following example, ping Host B on the network from the 3550 Switch A . Notice the output on a successful ping: exclamation point (!). If you receive periods (.) instead of exclamation points, that signifies a timeout.

Network Layout



3550A#ping 172.16.10.6


!!!!!


2. In the following example, ping Host C on the network from the 3560 A switch.

3560A#ping 172.16.10.7


!!!!!


Lab 4.15: Saving and Erasing the 3550/3560 Switch Configuration 255

Lab 4.15: Saving and Erasing the 3550/3560 Switch ConfigurationThis lab will have you work with a 3550/3560 switch. The commands used in configuring the 3550 or 3560 switches are identical in this program. Even though the step-by-steps refer to the 3550 switch, you can also configure the 3560 with the same steps.

The switch configuration is stored in NVRAM, just as any router and placed in RAM when the switch boots. The file in RAM is called the running-config and the file in NVRAM is called the startup-config. You can view the startup-config, also called the backup configuration, with the show startup-config command.

Network Layout







[OK]

3550A#

2. You can delete the configuration in NVRAM on the 3550 switch if you want to start over on the switches’ configuration. To delete the contents of NVRAM on a 3550 switch, use the erase startup-config command as shown. However, you still need to reload the switch to erase the running-config.


Erasing the nvram filesystem will remove all files! Continue? [confirm] press Enter

[OK]


3550A#sh start


3550A#

3. Again, just because you have erased the contents of NVRAM with the erase startup-config command, you need to remember that the running-config is still in RAM. To erase the running-config you have to reload the switch.

4. Change to the console screen for 3560 Switch A. Save your configuration.




[OK]

3560A#

5. To delete the contents of NVRAM on a 3560 switch, use the erase startup-config command as shown. However, you still need to reload the switch to erase the running-config.



[OK]


3560A#sh start


3560A#

NAT

Lab 5: Introduction to Network Address Translation (NAT)

What Does NAT Do? NAT splits networks into two distinct sections, outside and inside. Inside addresses are usually assigned PRIVATE IP addresses and the outside addresses are assigned PUBLIC IP addresses on the Internet.

When Do You Use NAT? NAT, at times, decreases the overwhelming amount of Public IP addresses required in your networking environment. And NAT comes in really handy when two companies that have duplicate internal addressing schemes merge. NAT is also great to have around when an organization changes its Internet Service Provider (ISP) and the networking manager doesn’t want to hassle with changing the internal address scheme.

Here’s a list of situations when it’s best to have NAT on your side:

NN You need to connect to the Internet and your hosts do not have globally unique IP addresses.

NN You change to a new ISP that requires you to renumber your network.

NN You require two Intranets with duplicate addresses to merge.

Advantages and Disadvantages of Implementing NAT

Advantages Disadvantages

Conserves legally registered addresses Translation introduces switching path delays

Reduces address overlap occurrence Loss of end-to-end IP traceability

Increases flexibility when connecting to Internet

Certain applications will not function with NAT enabled

Eliminates address renumbering as network changes

Lab 5.1: Configuring Your Routers 259

Lab 5.1: Configuring Your RoutersIn this lab, you will configure NAT on 2811 Router A to translate the private IP address of 192.168.10.0 to a public address of 171.16.10.0.

Network Layout

Load Nat-Pat Layout.rsm before going through the following lab.



3. Click on the file Nat-Pat Layout.rsm and click Open.

260 NAT

Command Summary for NAT/PAT Lab

Command Purpose

IP nat inside source list acl pool name Translates IPs that match the ACL from the pool

IP nat inside source static inside_addr outside_addr

Statically maps an inside address to an outside address

IP nat pool name Creates an address pool

IP nat inside Sets an interface to be an inside interface

IP nat outside Sets an interface to be an outside interface

Show ip nat translations Shows current NAT translations

Setting up the NAT Lab creates an address poolYou will set up IP addresses on the router interfaces, plus, turn on EIGRP on every router. Configure the routers with the IP addresses listed below:

Router IP Address Scheme

Router Interface IP Address

2811 A S0/0/0 171.16.10.1/24

2811 B F0/0 192.168.10.1/24

2811 B S0/0/0 171.16.10.2/24

2811 C F0/0 192.168.10.2/24

2811 C F0/1 192.168.20.1/24

2811 D F0/1 192.168.20.2/24


Lab Steps

1. Double-click 2811 Router A in order to bring up the console screen. Configure the router.

Router>enable

Router#config t


2811A(config-if)#interface serial 0/0/0




2811A(config)#router eigrp 15






[OK]

2811A#

2. Use the console menu to bring up the console screen for 2811 Router B.

3. Configure 2811 Router B.

Router>enable

Router#config t


2811B(config-if)#interface serial 0/0/0



2811B(config-if)#interface f0/0




2811B(config)#router eigrp 15



2811B(config-router)#no auto-summary


262 NAT




[OK]

2811B#

4. Use the console menu to bring up the console screen for 2811 Router C.

5. Configure 2811 Router C.

Router>enable

Router#config t


2811C(config-if)#interface f0/0



2811C(config-if)#interface f0/1



Auto-Summary

The process of taking subnets like 192.168.10.4/30 or 192.168.10.56/29 and sum-marizing them down to their base network class. In the case of 192.168.10.4/30 or 192.168.10.56/29 the networks are summarized to their Class C base network address of 192.168.10.0/24.

Summarization occurs at classful network boundaries. Classful network boundaries occur when one class of networks meet a different class of networks, thus a network boundary. If subnet 192.168.10.4/30 or 192.168.10.56/29 were crossing over to another router connected by the 10.1.1.0/24 network, the classful network boundary is between the 10.0.0.0/8 and 192.168.10.0/24 networks.

No Auto-Summary

The process of taking the subnets like 192.168.10.4/30 or 192.168.10.56/29 and not summarizing them down to their base network class. In the case of 192.168.10.4/30 or 192.168.10.56/29, the networks are never summarized to their Class C base network address of 192.168.10./24 when classful network boundaries are encountered.



2811C(config)#router eigrp 15







[OK]

2811C#

6. Use the console menu to bring up the console screen for 2811 Router D.

7. Configure 2811 Router D.

Router>enable

Router#config t

Router(config)#hostname 2811D

2811D(config-if)#interface f0/1

2811D(config-if)#ip address 192.168.20.2 255.255.255.0

2811D(config-if)#no shutdown

2811D(config-if)#exit

2811D(config)#router eigrp 15

2811D(config-router)#network 192.168.20.0

2811D(config-router)#ctrl+z

2811D#copy run start



[OK]

2811D#

8. After you configure the routers, you should be able to ping from router to router. Verify that you can ping from 2811 Router A to 2811 Router D and from 2811 Router D to 2811 Router A. If you cannot, STOP!, troubleshoot your network.

2811A#ping 192.168.20.2



!!!!!


2811A#

2811D#ping 171.16.10.1

264 NAT



!!!!!


2811D#

9. You can also verify your EIGRP routes with the show ip route command.

2811A#show ip route

[output cut]



D 192.168.20.0 [90/2172416] via 171.16.10.2, 00:06:07, Serial0/0/0

D 192.168.10.0 [90/2172416] via 171.16.10.2, 00:06:07, Serial0/0/0

2811A#

2811B#show ip route

[output cut]



D 192.168.20.0 [90/2172416] via 192.168.10.2, 00:08:08, FastEthernet0/0

C 192.168.10.0/24 is directly connected, FastEthernet0/0

2811B#

2811C#show ip route

[output cut]





2811C#

2811D#show ip route

[output cut]





2811D#


Rename and Save Your File: Make sure you save the actual network layout file that you have been working with. You might want to save it to another file name than Nat-Pat Layout.rsm. This allows you to start over with a non-configured network if you wish.


266 NAT

2. A dialog box will appear. At the bottom you will see the file name Nat-Pat Layout.rsm. Rename the file. In the following example it is renamed to My Nat-Pat Layout.rsm.

3. Click the Save button. At this point your network layout has been saved to a new name. You then have the option of reloading Nat-Pat Layout.rsm which is non-configured.

Switch Security

Lab 6.1: Configuring Switch Security

In this lab you will configure a switch to mitigate security attacks.In some networks it may be desirable to implement security on switchports in order to

restrict which computers can access the network. This is accomplished through switchport security commands. Through such commands an administrator can control how many computers can be connected to a given port as well as specify, based on MAC addresses, which computers are allowed to connect to the port.

The lab topology consists of 2960 Switch A with a connection to Hosts A and B.

Host MAC Address

Host A 8e36.6b21.6e25

Host B 1175.3e8b.d4f0

Lab Steps

1. First you will enable switchport security on interface FastEthernetst 0/1 on 2960 Switch A. This and the subsequent security commands are entered in the interface configuration mode.

Switch>enable

Switch#config t

Switch#hostname 2960A


2960A(config-if)#switchport mode access

2960A(config-if)#switchport port-security

2. Configure 2960 Switch A to limit the devices that can connect through interface FastEthernet 0/1. You will set the maximum number of devices to 1.

2960A(config-if)#switchport port-security maximum 1

3. Set the MAC address that can be learned through the interface.

2960A(config-if)#switchport port-security mac-address b21f.135f.d81e

Lab 6.1: Configuring Switch Security 269

4. The switch response when port security is violated depends on which response state has been configured. These states are as follows:

Protect Once the maximum number of secure MAC addresses is reached on a port additional addresses will not be learned and packets from unknown addresses are dropped. No notification is sent.

Restrict Once the maximum number of secure MAC addresses is reached on a port additional addresses will not be learned and packets from unknown addresses are dropped. An SNMP trap is sent, a syslog message is logged and the violation counter increases.

Shutdown Once the maximum number of secure MAC addresses is reached on a port the receipt of a packet from an unknown address causes the port to be “error disabled” and the port LED turns off. An SNMP trap is sent, a syslog message is logged and the violation counter increases.

Network Layout

Load Switchport Security Layout.rsm before going through the following lab.



3. Click on the file Switchport Security Layout.rsm and click Open. You should see the following non-configured network:

270 Switch Security

Shutdown VLAN This mode is implemented on a per VLAN basis. Once the maxi-mum number of secure MAC addresses is reached on a port for a designated VLAN, the receipt of a packet from an unknown address causes the port to be “error disabled” for that VLAN.

5. Configure FastEthernet 0/1 to be shut down upon a violation.

2960A(config-if)#switchport port-security violation shutdown

6. Configure interface FastEthernet 0/2 to only allow one MAC address to be learned through the interface but will use the “sticky” method for that MAC address to be learned and placed in the configuration.



2960A(config-if)#switchport port-security

2960A(config-if)#switchport port-security maximum 1

2960A(config-if)#switchport port-security mac-address sticky

7. Go back to the enable mode.


2960A#

Rename and Save Your File: Make sure you save the actual network layout file that you have been working with. You might want to save it to another file name than Switchport Security Layout.rsm. This allows you to start over with your initial, non-configured net-work if you wish.

There are two ways you can save a network layout. The first way is by clicking on the Diskette button on the button bar, at the top of the Network Visualizer screen. You can also click File on the menu and choose Save from the drop down menu.

Lab 6.2: Verifying Switch Security 271

Lab 6.2: Verifying Switch SecurityNow that the switch configuration is complete, you will verify that the switch security con-figuration effectively prevents the attachment of an unauthorized host machine.

272 Switch Security

Lab Steps

1. Issue the show mac-address-table command from 2960 Switch A. This should con-firm that MAC addresses of host A and host B are in the MAC address table.

The addresses are listed below.

Network Layout

Load Switchport Security Layout.rsm or whatever you named the file when you saved your work. You need a configured network in order to complete this lab.



3. Click on the file Switchport Security Layout.rsm and click Open.


Host MAC Address IP Address

Host A 8e36.6b21.6e25 10.1.1.1

Host B 1175.3e8b.d4f0 10.1.1.2

Host C 2c9b.00e9.9c64 10.1.1.3

If the addresses are not in the table, issue a ping from host A to host B (ping 10.1.1.2 from host A).

2960A#show mac-address-table

Mac Address Table

-------------------------------------------

Vlan Mac Address Type Ports

---- ----------- -------- -----

1 8e36.6b21.6e25 STATIC Fa0/1

1 1175.3e8b.d4f0 STATIC Fa0/2

2. Next issue the show run command. You should see the following output.

2960A#show run


switchport mode access

switchport port-security

switchport port-security maximum 1

switchport port-security mac-address b21f.135f.d81e



switchport port-security

switchport port-security maximum 1

switchport port-security mac-address sticky

switchport port-security mac-address sticky 1175.3e8b.d4f0

3. Next you will confirm the effectiveness of these commands by disconnecting host B from FastEthernet port 0/2 on 2960 Switch A and connecting host C to FastEthernet port 0/2.

a. Right-click on host B and click on the Ethernet 0/0 interface.

b. When asked if you want to remove this connection, click Yes.

c. Right-mouse click host C, click Ethernet port 0/0, then move the mouse pointer over to 2960 Switch A.

274 Switch Security

d. Right-mouse click 2960 Switch A and then click FastEthernet 0/2 to complete the connection.

Once you have done so return to the switch command prompt. You should see the following messages displayed:

2960A#

%LINK-5-CHANGED: Interface FastEthernet0/2, changed state to down

%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/2, changed state to down

%LINK-5-CHANGED: Interface FastEthernet0/2, changed state to up

%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/2, changed state to up

Press the Enter key if necessary.

4. Bring up the DOS screen for host A. Ping from host A to host C (ping 10.1.1.3). Once you have done so return to the switch command prompt. You should see the following messages displayed:

%LINK-5-CHANGED: Interface FastEthernet0/2, changed state to administratively down

%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/2, changed state to down


This confirms that the interface was disabled when it saw a new MAC address con-nected to the port.

Individual Labs (Comprehensive)Please Note: Enter all commands in lower case. The program’s grading feature expects lower case and may count an answer wrong if it is in upper case.

Introduction to Individual LabsWe offer CCNA labs that are comprehensive and self-contained. They stand on their own, and do not require configurations from prior labs. These labs are typically longer than the accumulative labs because you are starting with a non-configured network each time you bring up an Individual lab. You are totally configuring the network for each lab, from beginning to finish. We provide step-by-step instructions for these labs.

GradingWhen you have finished with each Individual lab ...

You can check your work by clicking the Grade Me button in the upper right hand cor-ner of the Network Visualizer screen.


NN The name of the command entered for this lab.

NN The expected configuration.

NN Your configuration.

NN The result for each command. You will see a green checkmark (meaning that you got it correct) or a red X.

NN A score of the number of correct answers out of the total possible.

276 Switch Security

Individual Lab: Cisco 2811 Router and Security Device Manager (SDM)Cisco® SDM is a Web-based device-management tool for routers. The SDM is a graphical user interface that allows to quickly configure the 2811 router. No interaction with the com-mand line interface (CLI) is required.

Please Note: Before you can use SDM, you must first manually configure the 2811 router with the CLI.

In this lab we will:

N Configure 2811 Router A

NN Configure Host A because that is where we will be launching the SDM

N Set up https services on the router so you can configure 2811 Router A via a secure web browser

When you have finished with this lab ...You can check your work by clicking the Grade Me button in the upper right hand corner

of the Network Visualizer screen.



N The expected configuration.


N The result for each command. You will see a green checkmark (meaning that you got it correct) or a red X.



Network Layout

On the Network Visualizer screen, click on the Labs menu then choose Individual, IP Routing, and 2811 Router and SDM.

278 Switch Security

Lab Steps

1. Double-click 2811 Router A. After the console screen comes up set the hostname and IP addresses of each interface.

Router>enable

Router#config t









2811A(config)#exit




[OK]

2811A#




N IP address

NN Subnet Mask

N Default Gateway


IP Address: 172.16.10.5

Subnet Mask: 255.255.255.0



6. Bring up the console screen for 2811 Router A by double-clicking on the router. Verify you can reach Host A.

2811A#ping 172.16.10.5

If all is well, you should get the following output from the router!


!!!!!


2811A#

7. Configure HTTPS on the 2811 Router A and verify your configurations.

2811A#config t

2811A(config)#ip http server

2811A(config)#ip http secure-server


2811A(config)#ip http authentication local

2811A(config)#username cisco privilege 15 password 0 cisco




280 Switch Security

2811A(config-line)#privilege level 15


2811A(config-line)#transport input telnet

2811A(config-line)#transport input telnet ssh



Before IOS version 12.3, you could not use the do command. You had to be in user or privileged mode in order to ping other devices or view configura-tions. However, beginning with IOS version 12.3 you can use the do com-mand in the configuration mode to accomplish this.

You should now be able to launch SDM.

Launching SDM Via Host ANow that we have configured 2811 Router A with HTTPS, we can launch SDM via Host A.

8. Put your cursor over Host A and click your right mouse button.

9. Click the Web Browser button.

10. When the web browser appears, enter the URL https://172.16.10.1

11. Select Yes when the Security Alert Dialog appears.

The following screen may be different, depending on the web browser that you use.

Network Layout

If it is not already loaded, bring up Standard Layout.rsm before going through the following lab.


12. When the username and password dialog appears, enter the username and password that you created earlier.

282 Switch Security

Username: cisco

Password: cisco

13. The SDM Launch screen will appear.

Do not close this window, it will shut down the SDM. Just minimize the window until you shut down the SDM.


14. When the Warning Security Dialog appears, check the Always trust content from pub-lisher option and then select Yes.

15. When the username and password dialog appears again, enter the username and pass-word that you created earlier.

Username: ciscoPassword: cisco

16. When the Change Default User Name and Password dialog screen appears, change your username and password.

You will not see the following screen after your initial launch of the SDM.

284 Switch Security

You will be prompted to enter the new username and password that you just created. The SDM will load the configuration from 2811 RouterA and you should now be connected to the router via the SDM application.

Configure IP Address Using SDMYou will now learn how to configure an IP address on a router interface of 2811 Router A, using the SDM. Now that you have the SDM application up and running, you will see the main SDM window.


17. Click on the Configure button (upper left corner of the screen) and a configuration window is displayed.

286 Switch Security

18. Then click on the Interface and Connections button.

19. Click the Edit Interface/Connection tab, and the Edit Interface connection tab is displayed.

20. Double-click on the line that displays FastEthernet0/1.


. . . and the Interface Feature Edit Dialog screen appears:

21. With the Interface Feature Edit dialog open, you can enter a new IP Address and sub-net mask in the appropriate fields.

22. Click the OK button to change the IP Address and subnet mask or click the Cancel button to exit.

When a new configuration is sent to the router a Command deliver window appears.

288 Switch Security

23. Save your configuration by clicking the Save button at the top of the screen.

You will see the following dialog box. Click the Yes button to continue.

Configure DHCP Pool with the SDMYou will now use the SDM to configure a DHCP Pool on your 2811 Router A.


24. Click on the Additional Tasks button located on the sidebar menu and at the bottom left of the screen. If the Additional Task button is not visible, scroll the side bar menu until it appears. The Additional Task window will appear.

25. Expand the DHCP tree item by clicking the plus sign next to DHCP.

290 Switch Security

26. Click on DHCP Pools and the DHCP Pools window will appear.

27. Click the Add button and the DHCP Pool Dialog screen will appear.


28. Configure your DHCP pool and then select the OK button.

When a new configuration is sent to the router a Command Delivery Status window appears.

292 Switch Security


Using the SDM to Configure Other ItemsYou will now use the SDM to configure the hostname, the banner (message of the day), the IP domain-name, and the enable secret password.

30. Click on the Router Properties tree item and the Device Properties screen will appear.


31. Click the Edit button on the upper right side of the screen and the Device Properties dialog screen will appear.

32. Enter a hostname, an IP domain-name, and the message of the day banner.

294 Switch Security

33. With the Device Properties dialog still open, click on the Secret Password tab and con-figure your new password and then click OK.

When a new configuration is sent to the router a Command Delivery Status dialog appears.



Verify Router ConfigurationsYou will now verify your new router configurations.

35. From your current SDM window, click on the Home button located at the top of the screen. You should see the following screen:

296 Switch Security

36. Click on the View Running Config button on the middle right area of the screen. The Show Running Configuration screen will appear.

37. Scroll through the running configuration so you can view your configurations.


38. Click the Close button when you are finished.

39. Close the SDM application.

40. The SDM launch page and browser need to be closed manually.

Individual Lab: Configuring RoutersIn this lab you will connect to the routers starting with 2621 Router A and working through 2811 Router A, and then finishing with 2621 Router B. After the configurations are complete, we will then build the routing tables. Then we will verify configurations with the show run command and the show ip route command.

Enter all commands in lower case. The program’s grading feature expects lower case and may count an answer wrong if it is in upper case.

When you have finished with this lab ...You can check your work by clicking the Grade Me button in the upper right hand cor-








298 Switch Security

Network Layout

On the Network Visualizer screen, click on the Labs menu then choose Individual, IP Routing, and Configuring Routers.


Lab Steps


N Hostname

NN Passwords

N Interface descriptions

NN Banners

N IP addresses of each interface

Router>enable

Router#config t

















2621A(config)#exit




[OK]

2621A#


N Hostname

NN Passwords

N Interface descriptions

300 Switch Security

NN Banners


Router>enable

Router#config t





















2811A(config)#exit




[OK]

2811A#

Clock Rate

It is important to understand clocking on and interface. On a real connection, clocking issues will typically cause data loss and or packet errors. You will also see framing slips on a carrier circuit when there is a clocking issue.

You do not have to set a clock rate if the DCE side of your connection is a 2811 router. The clock rate for the serial interface is set by default to 2000000. However, on the 2621 router you still need to explicitly set the clock rate. In our lab the DCE side of the connection is interface serial 0/1/1 and serial 0/0/1.



NN Hostname

NN Passwords


NN Banners


Router>enable

Router#config t


2621B(config)#enable secret todd

2621B(config)#line console 0



2621B(config-line)#line aux 0











2621B(config)#exit




[OK]

2621B#

4. Starting at 2621 Router A and finishing at 2621 Router B, run the following two commands:

2621A#show run



!

version 12.2



302 Switch Security


!

hostname 2621A

!


!

ip subnet-zero

!


no ip address


shutdown

!

interface Serial0/0

description connection to 2811A

ip address 172.16.20.2 255.255.255.0


!

[output cut]

2621A#show ip route











2621A#

Show IP Route

Is used to see the routing table on your router. It is important to notice that only the directly connected networks are showing. This means the routers can only route to the directly connected networks. In order to send packets to another network not in the routing table, we must configure the routing table with this network and how to get to the remote network.


Notice that the running-config command shows the complete configuration your router is running.

5. Run through the verification commands on the other routers.

2811A#show run

2811A#show ip route












2811A#

This table shows a directly connected route to routers 2621 A and 2621 B.Please Note: Enter all commands in lower case. The program’s grading feature expects

lower case and may count an answer wrong if it is in upper case.

2621B#show run

2621B#show ip route

Individual Lab: Configuring the 1900 Switch


In this lab you will work with a switch and router to:

NN Enter an IP address on 2621 Router A

NN Set the passwords on 1900 Switch A

NN Set the Hostname

NN Configure an IP Address

NN Configure Interfaces

NN Configure Interface Descriptions

NN Configure Port Duplex

NN Erase the Configuration

304 Switch Security









Lab Steps

1. Double-click 1900 Switch A to view the 1900 Switch A console.

2. You will then see the following output. Press K to enter the CLI.


User Interface Menu

[M] Menus

[K] Command Line


Enter Selection: K



>


3. The first thing that you should configure on a switch is the passwords. You don’t want unauthorized users connecting to the switch. You can set both the user mode and privi-leged mode passwords, just like a router. Enter enable mode by using the enable com-

Network Layout

On the Network Visualizer screen, click on the Labs menu then choose Individual, Layer 2 Switching, and 1900 Switch A.

306 Switch Security

mand and then enter global configuration mode by using the config t command. The switch following output shows an example of how to get into enable mode, and then into global configuration mode.

>enable

#config t


(config)#

4. Once you are in global configuration mode, you can set the user mode and enable mode passwords by using the enable password command. The switches output below shows the configuration of both the user mode and enable mode passwords.

(config)#enable password ?


(config)#enable password level ?

<1-15> Level number

5. To enter the user mode password, use level number 1. To enter the enable mode pass-word, use level mode 15. Remember the password must be at least four characters, but no longer than eight characters. The switch output below shows the user mode pass-word being set and denied because it is more than eight characters.

(config)#enable password level 1 toddlammle

Error: Invalid password length.

Password must be between four and eight characters.

6. The following output is an example of how to set both the user mode and enable mode passwords on 1900 Switch A.

(config)#enable password level 1 todd

(config)#enable password level 15 todd1

(config)#exit

#exit

7. At this point, you can press enter and test your passwords. You will be prompted for a user mode password after you press K and then an enable mode password after you type enable.

Catalyst 1900 Management Console

Copyright (c) Cisco Systems, Inc. 1993-1998

All rights reserved.

Enterprise

Edition Software

Ethernet Address: 00-30-80-CC-7D-00

PCA Number: 73-3122-04


PCA Serial Number: FAB033725XG

Model Number: WS-C1912-A

System Serial Number: FAB0339T01M

Power Supply S/N: PHI031801CF

PCB Serial Number: FAB033725XG,73-3122-04

-------------------------------------------------


User Interface Menu

[M] Menus

[K] Command Line

Enter Selection: K




>en


#

8. The enable secret password is a more secure password and supersedes the enable pass-word if set. You set this password the same way you set the enable secret password on a router. If you have an enable secret set, you don’t even need to bother setting the enable mode password.

#config t


(config)#enable secret todd2


(config)#exit

#show run



enable secret 5 $1$FMFQ$wFVYVLYn2aXscfB3J95.w.



[output cut]

Notice the enable mode passwords are not encrypted by default, but the enable secret is. This is the same password configuration technique that you will find on a router. One more thing to notice is that even though I typed the password as lowercase, the running-config shows the passwords as uppercase. It does not matter how you type it in or how it shows in the configuration because the passwords are not case sensitive on the switch.

308 Switch Security

Setting the HostnameThe hostname on a switch, as well as on a router, is only locally significant. This means that it doesn’t have any function on the network or name resolution whatsoever. However, it is helpful to set a hostname on a switch so that you can identify the switch when connect-ing to it. A good rule of thumb is to name the switch after the location it is serving.

10. Enter a hostname for 1900 Switch A.

#config t



1900A(config)#exit

Notice that as soon as I pressed enter, the hostname of the switch appeared. Remember that from global configuration mode, which you enter by using the config tcommand, it changes the running-config. Any changes you make in this mode take effect immediately.

Configuring an IP AddressYou do not have to set any IP configuration on the switch to make it work. You can just plug in devices and they should start working, just like they would on a hub. The reason you would set the IP address information on the switch is so you can either manage the switch via Telnet or other management software, or you wanted to configure the switch with different VLANs and other network functions. VLANs are discussed in later labs.

11. By default, no IP address or default-gateway information is set. You would set both the IP address and the default-gateway on a layer-two switch, just like any host. By typing the command show ip, you can see the default IP configuration of the switch.

1900A#show ip

IP Address: 0.0.0.0

Subnet Mask: 0.0.0.0


Management VLAN: 1

Domain name:




HTTP port : 80

RIP : Enabled

Notice in the above switch output that no IP address, default-gateway, or other IP parameters are configured.


12. To set the IP configuration on a 1900 Switch A, use the ip address command. The default gateway should also be set using the ip default-gateway command. The switch output below shows an example of how to set the IP address and default-gate-way on a 1900 Switch A.

1900A#config t


1900A(config)#ip address 172.16.10.16 255.255.255.0


1900A(config)#exit

13. Once you have your IP information set, use the show ip command to verify your changes. You can view this information with the show running-config command as well.

1900A#show ip

IP Address: 172.16.10.16

Subnet Mask: 255.255.255.0


Management VLAN: 1

Domain name:




HTTP port : 80

RIP : Enabled

1900A#

To change the IP address and default-gateway on the switch, you can either type in new addresses or remove the IP information with the no ip address and no ip default-gateway commands, at the global configuration prompt.

Configuring InterfacesIt is important to understand how to access switch ports. 1900 Switch A uses the type slot/port command. For example, FastEthernet 0/3 is 10BaseT port 3. Another example would be FastEthernet 0/26 which is the first of the two Fast Ethernet ports available on 1900 Switch A.

1900 Switch A type slot/port command can be used with either the interface command or the show command. The interface command allows you to set interface specific configura-tions. 1900 Switch A has only one slot: zero (0).

14. To configure an interface on a 1900 Switch A, go to global configuration mode and use the interface command. From global configuration, use the interface command

310 Switch Security

and the type, either Ethernet or FastEthernet interface. I am going to demonstrate the ethernet interface configuration first.

1900A#config t


1900A(config)#int ethernet ?

<0-0> IEEE 802.3

15. The previous output asks for the slot. Since 1900 Switch A is not modular, there is only one slot. The next output gives us a slash (/) to separate the slot/port configuration.

1900A(config)#int ethernet 0?

/

1900A(config)#int ethernet 0/?

<1-25> IEEE 802.3


1900A(config)#int ethernet 0/1

17. Once you are in interface configuration, the prompt changes to (config-if). After you are at the interface prompt, you can use the help commands to see the available com-mands.

1900A(config-if)#?


cdp Cdp interface subcommands






port Perform switch port configuration

shutdown Shutdown the selected interface

spantree Spanning tree subsystem

vlan-membership VLAN membership configuration

1900A(config-if)#?exit

You can switch between interface configuration by using the int e 0/# command at any time from global configuration mode.

18. The switch output below shows the configuration of a FastEthernet port on 1900 Switch A. Notice that the command is interface fastethernet, but the slot is still 0. The only ports available are 26 and 27.






1900A(config)#int fastethernet 0/26

1900A(config-if)#int fast 0/27


19. After you make any changes you want to the interfaces, you can view the different inter-faces with the show interface command. The switch output below shows the command used to view a 10BaseT interface and the command to view a FastEthernet interface.

1900A#show int e0/1

ethernet 0/1 is Suspended-no-linkbeat





[output cut]


FastEthernet 0/26 is Enabled


Address is 00b0.8f36.3eac



[output cut]

Configuring Interface DescriptionsYou can administratively set a name for each interface on 1900 Switch A. Like the hostname, the descriptions are only locally significant. For a 1900 series switch, use the description> command. You cannot use spaces with the description command, but you can use under-lines if you need to.

20. To set the descriptions, you need to be in interface configuration mode. From interface configuration mode, use the description command to describe each interface. You can make the descriptions more than one word, but you can’t use spaces. You’ll have to use the underline as shown below:

1900A#config t



1900A(config-if)#description Finance_VLAN


1900A(config-if)#description trunk_to_Building_4

1900A(config-if)#

312 Switch Security

In the configuration example above, we set the description on both a 10Mbps port and a 100Mbps port.

Configuring Port Duplex1900 Switch A has only 12 or 24 10BaseT ports and comes with one or two FastEthernet ports. You can only set the duplex on 1900 Switch A, as the ports are all fixed speeds.

21. Use the duplex command in interface configuration.

In the switch output below, notice the options available on the FastEthernet ports.


auto Enable auto duplex configuration


full-flow-control Force full duplex with flow control

half Force half duplex operation



The following table shows the different duplex options available on 1900 Switch A. 1900 Switch A FastEthernet ports default to auto duplex, which means they will try and auto-detect the duplex the other end is running.

Duplex Options

Parameter Definition

Auto Set the port into auto-negotiation mode. Default for all 100BaseTX ports.

Full Forces the 10 or 100Mbps ports into full duplex mode.

Full-flow-control Works only with 100BaseTX ports; uses flow control so buf-fers won’t overflow.

Half Default for 10BaseT ports; forces the ports to work only in half duplex mode.

22. Once you have the duplex set, you can use the show interface command to view the duplex configuration.


FastEthernet 0/26 is Enabled


Address is 00b0.8f36.3eac







Description: trunk_to_Building_4

Duplex/Flow Control setting: Full duplex

Enhanced Congestion Control: Disabled

23. In the output above, the duplex setting shows full duplex.

Grade MeBefore you move on and erase your configurations, you should click the Grade Me button to check out your work.

Erasing the ConfigurationThe switch configuration is stored in NVRAM, just as any router. You cannot view the startup-config, or contents of NVRAM. You can only view the running-config. When you make a change to the switches’ running-config, the switches automatically copy the configuration on the switch to NVRAM.

You can delete the configuration in NVRAM on 1900 Switch A if you want to start over on the switches’ configuration. To delete the contents of NVRAM on a 1900 Switch A, use the delete nvram command.

24. Type delete ? from a 1900 A privileged mode prompt. Notice in the switch output below that there are two options: nvram and vtp. We want to delete the contents of NVRAM to the factory default settings.

1900A#delete ?



1900A#delete nvram

This command resets the switch with factory defaults. All system parameters will revert to their default factory settings. All static and dynamic addresses will be removed.

Reset system with factory defaults, [Y]es or [N]o? Yes

Notice the message received from the switch when the delete nvram command is used. Once you say yes, the configuration is gone.

25. To confirm the configuration is gone, use the show run command.

#show run



!

314 Switch Security


!


!


!


[output cut]

Individual Lab: Configuring 2950 SwitchThis lab will have you work with a 2950 switch, enter global configuration mode and then set the passwords.


When you have finished with this lab ...You can check your work by clicking the Grade Me button in the upper right hand

corner of the Network Visualizer screen.








Network Layout

On the Network Visualizer screen, click on the Labs menu then choose Individual, Layer 2 Switching, and 2950 Switch.

316 Switch Security

Lab Steps


2. Press enter to connect to the console

Switch>

3. For the user mode of the switch, you can use the help screen just like a router.

Switch>?

Exec commands:

<1-99> Session number to resume









lock Lock the terminal

login Log in as a particular user

logout Exit from the EXEC

name-connection Name an existing network connection

ping Send echo messages

rcommand Run command on remote switch

resume Resume an active network connection

show Show running system information

systat Display information about terminal lines

telnet Open a telnet connection

terminal Set terminal line parameters

traceroute Trace route to destination

tunnel Open a tunnel connection

--More--

[output cut]

4. The first thing that you should configure on a switch is the passwords. You don’t want unauthorized users connecting to the switch. You can set both the user mode and privi-leged mode passwords, just like a router. Enter the enable mode by using the enable command and then enter global configuration mode by using the config t command.


The switch following output shows an example of how to get into enable mode, and then into global configuration mode.

Switch>enable

Switch#config t


Switch(config)#

5. Once you are in global configuration mode, you can set the user mode and enable mode passwords by using the enable password and enable secret command. The switches output below shows the configuration of both the user mode and enable mode passwords.

Switch(config)#enable password ?







Switch(config)

6. Remember, if you set your enable secret, the enable password is superseded and not used, just like in a router.

7. In addition to the enable password and enable secret, 2950 allows you to set a console and Telnet password as well using the line commands, just like in a router.

Switch(config)line ?







Switch(config-line)#line vty ?


8. Remember that just like in a router, you cannot get help for a line command from within line configuration mode. Type exit to go back one step.


Switch(config)#line vty ?


318 Switch Security





Switch#

9. You can use show running-config (show run for short) to see the current configura-tion on the switch.


!

version 12.1

no service pad




!

hostname Switch

!

enable secret 5 $1$yNgO$9uU0Z6NG1ib4vlt05bmMW1


!

ip subnet-zero

!


!

!


no ip address

!


no ip address

--More--


Setting the HostnameThe hostname on a switch, as well as on a router, is only locally significant. This means that it doesn’t have any function on the network and is not used for name resolution whatsoever. However, it is helpful to set a hostname on a switch so that you can identify the switch when connecting to it. A good rule of thumb is to name the switch after the location it is serving.


10. The 2950 switch command to set the hostname is exactly like any router: you use the hostname command. Remember, it is one word. From global configuration mode, type the command hostname hostname.

Switch>enable


Switch#config t



2950A(config)#exit

2950A#

Notice that as soon as you press Enter, the hostname of the switch appears. Remember that from global configuration mode, which you enter by using the config t command, it changes the running-config. Any changes you make in this mode take effect immediately.

Configuring IP Address InformationYou do not have to set any IP configuration on the switch to make it work. You can just plug in devices and they should start working, just like they would on a hub. The reason you would set the IP address information on the switch is so you can either manage the switch via Telnet or other management software, or you wanted to configure the switch with different VLANs and other network functions. VLANs are discussed later labs.



2950A#config t


2950A(config)#int vlan 1



2950A(config)#

13. Before we perform step 14, we need to configure 2621 Router A.

Router>enable

Router#config t

320 Switch Security








2950A(config)#exit

2950A#


IP Default-Gateway

This is used on devices where no routing information is provided by the router that tells you how to get to the next, directly connected device. It tells us what pathway to use to send packets to the next, directly connected device. In the previous set of com-mands the ip default-gateway is 172.16.40.1 because that is the IP address of interface f0/0 on 2621 Router A.


Configuring InterfacesIt is important to understand how to access switch ports. The 2960 switch uses the type slot/port command, just like a 2600 router and just like 2950 switch. For example, FastEthernet 0/3 is 10/100BaseT port 3.

The 2960 switch type slot/port command can be used with either the interface com-mand or the show command. The interface command allows you to set interface specific configurations. The 2960 switch has only one slot: zero (0), just like the 1900.

15. To configure an interface on a 2950 switch, go to global configuration mode and use the interface command as shown.

2950A#config t


2950A(config)#interface ?






Lex Lex interface



Null Null interface


Transparent Transparent interface




Vlan Catalyst Vlans

fcpa Fiber Channel


2950A(config)#interface

16. The next output asks for the slot. Since a 2950 switch is not modular, there is only one slot, which is 0, although it lists 0-2 for some odd reason. However, you can only type in “0” as the slot in this program. Any other slot number will give you an error. The next output gives us a slash (/) to separate the slot/port configuration.



2950A(config)#int fastethernet 0?

/



322 Switch Security

17. After the 0/ configuration command, the above output shows the amount of ports you can configure. The output below shows the completed command.


2950A(config-if)#

18. Once you are in interface configuration, the prompt changes to (config-if). After you are at the interface prompt, you can use the help commands to see the available commands.

2950A(config-if)#?


arp Set arp type (arpa, probe, snap) or timeout

bandwidth Set bandwidth informational parameter

carrier-delay Specify delay for interface transitions

cdp CDP interface subcommands

channel-group Etherchannel/port bundling configuration

default Set a command to its defaults

delay Specify interface throughput delay


dot1x IEEE 802.1X subsystem




hold-queue Set hold queue depth

ip Interface Internet Protocol config commands

keepalive Enable keepalive

load-interval Specify interval for load calculation for an interface

logging Configure logging for interface

mac-address Manually set interface MAC address

mls mls interface commands

mvr MVR per port configuration


ntp Configure NTP

--More--

You can switch between interface configurations by using the int fa 0/# command at any time from global configuration mode.

19. There are a couple of interface commands that you can configure on the switch. The commands we are interested in are the duplex command and the portfast command.

2950A#config t

Enter configuration commands, one per line. End with CNTL/Z.







2950A(config-if)#

20. Since the switch ports are set to auto by default, you can change each of the switch ports to always be in full-duplex mode for better performance. This is recommended.





22. In addition to the duplex and speed commands that can be configured on the switch port, you also can turn on what is called portfast. The portfast command allows a switch port to come up quickly. Typically a switch port waits 50 seconds for spanning-tree to go through its “gotta make sure there are no loops!” cycle. However, if you turn portfast on, then you better be sure you do not create a physical loop on the switch network. A spanning-tree loop can severely hurt or bring your network down. Here is how you would enable portfast on a switch port.


bpdufilter Do not send or receive BPDUs on this interface

bpduguard Do not accept BPDUs on this interface













Use with CAUTION



2950A(config-if)#

324 Switch Security

24. Notice the message the switch provides when enabling portfast. Although it seems like the command didn’t take effect, as long as the port is in access mode (discussed in a minute), the port will now be in portfast mode.

25. After you make any changes you want to the interfaces, you can view the different interfaces with the show interface command. The switch output below shows the command used to view a 10/100BaseT interface on a 2950 switch.

2950A#ctrl+z

2950A#show int f0/9







Full duplex, 100Mb/s

input flow-control is off, output flow-control is off


Last input never, output 1w6d, output hang never




Output queue :0/40 (size/max)











0 lost carrier, 0 no carrier, 0 PAUSE output


2950A#


[output cut]



!



!


[output cut]

27. You can administratively set a name for each interface on a 2950 switch. Like the host-name, the descriptions are only locally significant. For a 2950 series switch, use the description command. You can use spaces with the description command, but you can use underlines if you need to.


2950A#config t



2950A(config-if)#description Finance VLAN



2950A(config-if)#






Description: Finance VLAN

(output cut)


2950A#show run

[output cut]

!


description "Finance VLAN"


!

[output cut]

326 Switch Security


Verifying the IP ConnectivityIt is important to test the switch IP configuration. You can use the ping program, and you can telnet into the 2950 switch. However, you cannot telnet from the 2950 switch or use traceroute. At this point we will configure Host E so that we can perform step 33.

30. Right-mouse click Host E.



NN IP Address

NN Subnet Mask

NN Default Gateway

IP Address: 172.16.40.3

Subnet Mask: 255.255.255.0



33. In the following example, ping Host E from 2950 Switch A. Notice the output on a successful ping: exclamation point (!). If you receive periods (.) instead of exclamation points, that signifies a timeout.

2950A#ping 172.16.40.3


!!!!!



Saving and Erasing Your ConfigurationsThe switch configuration is stored in NVRAM, just as any router, and placed in RAM when the switch boots. The file in RAM is called the running-config and the file in NVRAM is called the startup-config. You can view the startup-config, also called the backup configuration, with the show startup-config command.





[OK]

2950A#

35. To delete the contents of NVRAM on a 2950 switch, use the erase startup-config com-mand as shown. However, you still need to reload the switch to erase the running-config.



[OK]


2950A#showstart


2950A#

328 Switch Security

Individual Lab: Configuring the 2960 SwitchThis lab will have you work with a 2960 switch, enter global configuration mode and then set the passwords.










Lab Steps



Switch>

3. Enter the enable mode by using the enable command and then enter global configura-tion mode by using the config t command.

Switch>enable

Switch#config t


Switch(config)#


4. Once you are in global configuration mode, you can set the user mode and enable mode passwords by using the enable password and enable secret command. The switches output below shows the configuration of both the user mode and enable mode passwords.



Switch(config)


Network Layout

On the Network Visualizer screen, click on the Labs menu then choose Individual, Layer 2 Switching, and 2960 Switch.

330 Switch Security

5. In addition to the enable password and enable secret, the 2960 switch allows you to set a console and Telnet password as well using the line commands, just like in a router.




6. Remember that just like in a router, you cannot get help for a line command from within line configuration mode. Type exit to go back one step.






Switch#


Switch#show run



!

version 12.2

no service pad




!

hostname switch

!



!

no aaa new-model

system mtu routing 1500

no ip subnet-zero

[output cut]



Setting the HostnameThe hostname on a switch, as well as on a router, is only locally significant. This means that it does not have any function on the network and is not used for name resolution what-soever. However, it is helpful to set a hostname on a switch so that you can identify the switch when connecting to it. A good rule of thumb is to name the switch after the location it is serving.

8. The 2960 switch command to set the hostname is exactly like any router: you use the hostname command. From global configuration mode, type the command hostnamehostname.

Switch>enable


Switch#config t



2960A(config)#exit

2960A#

Any changes you make in this mode take effect immediately.

Configuring IP Address InformationYou do not have to set any IP configuration on the switch to make it work. You can just plug in devices and they should start working, just like they would on a hub. The reason you would set the IP address information on the switch is so you can either manage the switch via Telnet or other management software, or you wanted to configure the switch with different VLANs and other network functions. VLANs are discussed in later labs.


2960A#config t


2960A(config)#int vlan1



2960A(config)#

10. Before we perform step 11, we need to configure router 2621 B.

Router>enable

Router#config t

332 Switch Security








2960A(config)#exit

2960A#

To change the IP address and default-gateway on the switch, you can either type in new addresses or remove the IP information with the no ip address and no ip default-gate-way commands, at the appropriate configuration prompt.

Configuring InterfacesIt is important to understand how to access switch ports. The 2960 switch uses the type slot/port command, just like a 2621 router and just like the 2960 switch. For example, FastEthernet 0/3 is 10/100BaseT port 3.

The 2960 switch type slot/port command can be used with either the interface com-mand or the show command. The interface command allows you to set interface specific configurations. The 2960 switch has only one slot: zero (0), just like the 1900.

12. To configure an interface on a 2960 switch, go to global configuration mode and use the interface command as shown. Since the 2960 switch is not modular, there is only one slot, which is 0, although it lists 0-2 for some odd reason. However, you can only type in “0” as the slot in this program. Any other slot number will give you an error. The next output gives us a slash (/) to separate the slot/port configuration.

2960A#config t




/





2960A(config-if)#


14. Once you are in interface configuration, the prompt changes to (config-if). You can switch between interface configurations by using the int fa 0/# command at any time from global configuration mode. There are a couple of interface commands that you can configure on the switch. The commands we are interested in are the duplex com-mand and the portfast command.






2960A(config-if)#

15. Since the switch ports are set to “auto” by default, you can change each of the switch ports to always be in full-duplex mode for better performance. This is recommended.





17. In addition to the duplex commands that can be configured on the switch ports, you also can turn on what is called portfast. This enables a switch port to come up quickly and not to wait the typical 50 seconds for spanning-tree to go through its “I gotta make sure there are no loops!” cycle. However, if you turn portfast on, then you better be sure you do not create a physical loop on the switch network or it will bring your network down. You are basically telling the switch to not check for loops using these ports. Here is how you would enable portfast on a switch port.


bpdufilter Do not send or receive BPDUs on this interface

bpduguard Do not accept BPDUs on this interface











334 Switch Security



Use with CAUTION



2960A(config-if)#

19. Notice the message the switch provides when enabling portfast. Although it seems like the command didn’t take effect, as long as the port is in access mode (discussed in a minute), the port will now be in portfast mode.

20. After you make any changes you want to the interfaces, you can view the different interfaces with the show interface command. The switch output below shows the command used to view a 10/100BaseT interface on the 2960 switch.

2960A#show int f0/1







Full-duplex, 100Mb/s, media type is 10/100BaseTX

input flow-control is off, output flow-control is unsupported











0 runts, 0 giants, 0 throttles











[output cut]

!



!


[output cut]

22. You can administratively set a name for each interface on the 2960 switch. Like the hostname, the descriptions are only locally significant. For the 2960 series switch, use the description command. You can use spaces with the description command, but you can use underlines if you need to.


2960A#config t



2960A(config-if)#description Sales VLAN



2960A(config-if)#






Description: Sales VLAN






(output cut)

336 Switch Security


2960A#show run

[output cut]

!


description "Sales VLAN"


!

[output cut]


Verifying the IP ConnectivityIt is important to test the switch IP configuration. You can use the ping program, and you can telnet into the 2960 switch. However, you cannot telnet from the 2960 switch or use traceroute.

25. Right-mouse click Host F.



NN IP Address

NN Subnet Mask

NN Default Gateway


IP Address: 172.16.50.3

Subnet Mask: 255.255.255.0


28. In the following example, ping Host F on the network from the 2960 A switch.

2960A#ping 172.16.50.3


!!!!!



Saving and Erasing Your ConfigurationThe switch configuration is stored in NVRAM, just as any router and placed in RAM when the switch boots. The file in RAM is called the running-config and the file in NVRAM is called the startup-config. You can view the startup-config, also called the backup configuration, with the show startup-config command.

29. To save the switch configuration, you type copy running-config startup-config, or copy run start , just like on a router.




[OK]

2960A#

30. To delete the contents of NVRAM on a 2960 switch, use the erase startup-config command as shown. However, you still need to reload the switch to erase the running-config.



[OK]


338 Switch Security

2960A#show start


2960A#

Individual Lab: Static RoutingThis lab will have you build the routing tables by hand, which means you will create static routing tables on each router. This will allow you to route throughout the entire network. At this point you can only route to directly connected networks of each router. Remember that the routing will not work until all static routes are configured on all routers.











Network Layout

On the Network Visualizer screen, click on the Labs menu then choose Individual, IP Routing, and Static Routing.

340 Switch Security

Lab Steps

Copy and Paste ScriptSteps 1-3 are necessary in order to perform this lab. If you do not want to manually complete these steps and want to accelerate steps 1 - 3, you can copy and paste the following script into the console for each router. After you get into user mode, copy and paste the script into the

Static Route

Is a manually hard coded routing statement that creates a route in the routing table of a router. The static route specifies how the router will get to a certain network by using a certain path. Static routing refers to the manual method used to set up rout-ing. This method has the advantage of being simple to create and predictable in its functionality. It is easy to manage in small networks but in larger ones it is difficult to set up and manage all possible static routes. Static routes are not dynamically respon-sive to topology changes in a network.


console. Click on the console and click your right mouse button. A pop-up menu will appear. Click Paste.

After pasting the script into the console, you will see the prompt Destination filename [startup-config]?. At this point, press Enter.

2621 Router A 2811 Router A 2621 Router B

enable

config t

hostname 2621A

line vty 0 4

password todd

login

int s0/0

ip address 172.16.20.2 255.255.255.0


no shutdown

exit

exit

copy run start

enable

config t

hostname 2811A

line vty 0 1180

password todd

login

int s0/1/1

ip address 172.16.20.1 255.255.255.0


no shutdown

int s0/0/1

ip address 172.16.30.1 255.255.255.0

description connection to 2621B

no shutdown

exit

exit

copy run start

enable

config t

hostname 2621B

line vty 0 4

password todd

login

int s0/0

ip address 172.16.30.2 255.255.255.0

description connec-tion to 2811A

no shutdown

exit

exit

copy run start


Router>enable

Router#config t

342 Switch Security










2621A(config)#exit




[OK]

2621A#


Router>enable

Router#config t














2811A(config)#exit




[OK]

2811A#


3. Double-click 2811 Router B. After the console screen comes up, perform the following commands.

Router>enable

Router#config t










2621B(config)#exit




[OK]

2621B#

4. From 2621 Router A, use the ip route command to configure static routing. 2621 Router A is connected to network 172.16.20.0 and a static route must be configured for EVERY network that is not directly connected. The next hop gateway is always 172.16.20.1 (router 2811 A).

2621A#config t

2621A(config)#ip route 172.16.30.0 255.255.255.0 172.16.20.1

2621A(config)#exit


Clock Rate

You do not have to set a clock rate if the DCE side of your connection is a 2811 router. The clock rate for the serial interface is set by default to 2000000. However, on the 2621 router you still need to explicitly set the clock rate. In our lab the DCE side of the con-nection is interface serial 0/1/1 and serial 0/0/1.

344 Switch Security

5. From 2621 Router B, use the ip route command to configure static routing. is con-nected to network 172.16.30.0 and a static route must be configured for EVERY network that is not directly connected. The next hop gateway is always 172.16.30.1 (router 2811 A).

2621B#config t

2621B(config)#ip route 172.16.20.0 255.255.255.0 172.16.30.1

2621B(config)#exit


6. From 2621 Router A, use the show ip route command to verify your routing table.

2621A#show ip route









Anatomy of a Command: IP Route 172.16.30.0 255.255.255.0 172.16.20.1

ip route tells the system we are entering a static route




Directly Connected Routes

In the preceding set of ip route commands for 2621 Router B, routes are not estab-lished for network 30. 2621 Router B knows about network 30 because it is directly connected to it. Therefore you do not have to enter ip route commands for network 30; only for networks that are not directly connected to 2621 Router B, such as network 20.



S 172.16.30.0 [1/0] via 172.16.20.1


2621A#

anatomy of a routing table



class B network 172.16.0.0 is subnetted into two class C networks

/24 means a class C network

The two subnetted Class C networks are

172.16.30.0

172.16.20.0

S 172.16.30.0 [1/0] via 172.16.20.1


S means the route is a static route and was manually added using the ip route command

[1/0] is the administrative distance (1) and routing met-ric (0)

C 172.16.20.0 is directly con-nected, Serial0/0

any packets destined for network 172.16.20.0 are forwarded to ip address assigned to the Serial0/0 interface

C means the route is directly connected to the local router’s Serial0/0 interface. The route is automatically added to the local routing table when S0/0 is assigned an ip address, has a physical cable connection, and is turned up for service

7. From 2621 Router B, use the show ip route command to verify your routing table.

2621B#show ip route










346 Switch Security


S 172.16.20.0 [1/0] via 172.16.30.1

2621B#

8. Once you verify the routing tables in all routers, use the ping command to verify IP connectivity between routers.

2621A#ping 172.16.30.2

2621B#ping 172.16.20.2

Individual Lab: TelnetTelnet is a virtual terminal protocol that is part of the TCP/IP protocol suite. Telnet allows you to make connections to remote devices and gather information and run programs.

After your routers and switches are configured, you can use the Telnet program to con-figure and check your routers and switches instead of needing to use a console cable. You use the Telnet program by typing telnet from any command prompt (DOS or Cisco). VTY passwords must be set on the routers for this to work.

You cannot use CDP to gather information about routers and switches that are not directly connected to your device. However, you can use the Telnet application to connect to your neighbor devices and then run CDP on those remote devices to gather CDP infor-mation about remote devices.

In this lab we will telnet from 2621 Router B into 2621 Router A and 3550 Switch A.











Network Layout

On the Network Visualizer screen, click on the Labs menu then choose Individual, Cisco Internetwork, and Telnet.

348 Switch Security

Lab Steps

Copy and Paste Script

Steps 1-3 are necessary in order to perform this lab. If you do not want to manually complete these steps and want to accelerate steps 1 - 3, you can copy and paste the following script into the console for each router. After you get into user mode, copy and paste the script into the console. Click on the console and click your right mouse button. A pop-up menu will appear. Click Paste.

After pasting the script into the console, you will see the prompt Destination filename[startup-config]?. At this point, press Enter.


Router 2621 A Router 2811 A Router 2621 B

enable

config t

hostname 2621A

line vty 0 4

password todd

login

interface s0/0

ip address 172.16.20.2 255.255.255.0


no shutdown

exit

exit

copy run start

enable

config t

hostname 2811A

line vty 0 1180

password todd

login

interface fastethernet 0/0

ip address 172.16.10.1 255.255.255.0


no shutdown

interface s0/1/1

ip address 172.16.20.1 255.255.255.0


no shutdown

interface s0/0/1

ip address 172.16.30.1 255.255.255.0


no shutdown

exit

exit

copy run start

enable

config t

hostname 2621B

line vty 0 4

password todd

login

interface s0/0

ip address 172.16.30.2 255.255.255.0


no shutdown

exit

exit

copy run start

1. Double-click 2621 Router A. After the console comes up, perform the following com-mands.

Router>enable

Router#config t






350 Switch Security





2621A(config)#exit




[OK]

2621A#


Router>enable

Router#config t





2811A(config-line)#int fastethernet 0/0













2811A(config)#exit




[OK]

2811A#



Router>enable

Router#config t





2621Bconfig-if)#interface s0/0





2621B(config)#exit




[OK]

2621B#

4. We need to add a routing protocol such as RIP. Add RIP for each router with a network of 172.16.0.0.

2621A#config t




2621B#config t




2811A#config t




Clock Rate


352 Switch Security

5. Go to the console for 3550 Switch A and perform the following commands:

switch>en

switch#config t


switch(config)#

6. To set the IP configuration on a 3550 switch, use the ip address command. However, this is set under the VLAN1 interface, not at global configuration mode like on a 1900 switch. Remember that by default all interfaces are members of VLAN1, which is why the VLAN1 interface is configured by default. Let’s also set the hostname so that we can more clearly identify this device when we telnet into it in subsequent steps.

switch(config)#hostname 3550A






8. We need to set up a VTY password for the 3550 Switch A.






9. Switch to the 2621 B router via the console menu.


10. You can issue the telnet command from any router prompt, as in the following example from 2621 Router B to 2621 Router A:

2621B#telnet 172.16.20.2

Trying 172.16.10.2 ... Open



2621B#

Remember that the VTY ports on a router are configured as login, which means that you must either set the VTY passwords or use the no login command.

11. On a Cisco router, you do not need to use the telnet command. If you just type in an IP address from a command prompt, the router will assume you want to telnet to the device, as shown below:

2621B#172.16.20.2

Trying 172.16.10.2 ... Open



2621B#

12. It’s time to set VTY passwords on the router I want to telnet into. Here is an example of what was done:

2621A#config t






2621A#

13. Now, let’s try connecting to the router again (from the 2621 Router B console).

2621B#172.16.20.2

Trying 172.16.20.2 ... Open


Password:

2621A>

14. Remember that the VTY password is the user mode password, not the enable pass-word. Watch what happens when I try to go into privileged mode after telneting into 2621 Router A:

2621A>en

% No password set

2621A>

354 Switch Security

This is a good security feature. You don’t want anyone just telneting onto your device and then being able to just type the enable command to get into privileged mode. You must set your enable password or enable secret password to use telnet to configure remote devices.

15. Now, exit out of 2621 Router A.

2621A>exit


2621B#

16. If you telnet to a router or switch, you can end the connection by typing Exit at any time. However, what if you want to keep your connection to a remote device but still come back to your original router console? To keep the connection, you can press the Ctrl+Shift+6 key combination, release it, and then press X.

Here’s an example of connecting to multiple devices from the 2621 Router B console:

2621B#telnet 172.16.20.2

Trying 172.16.20.2 ... Open


Password:

2621A> [press ctrl+shift+6 then x]

2621B#

In the example above, I telneted to 2621 Router A, then typed the password to enter user mode. I then pressed Ctrl+Shift+6, then x (this does not show on the screen out-put). Notice the command prompt is now back at the 2621 B router.

17. You can also telnet into a switch. In the following example, we telnet to 3550 Switch A.

2621B#telnet 172.16.10.17

Trying 172.16.10.17 ... Open


Password:

3550A>

18. At this point, press Ctrl+Shift+6, then X, which will take you back to the 2621 B router console.

2621B#

19. To see the connections made from your router to a remote device, use the show ses-sions command, as shown below.

2621B#show sessions



1 172.16.20.2 172.16.20.2 0 0 172.16.20.2

* 2 172.16.10.17 172.16.10.17 0 0 172.16.10.17

2621B#

20. Notice the asterisk (*) next to connection 2. This means that session 2 was the last ses-sion. You can return to your last session by pressing enter twice. You can also return to any session by typing the number of the connection and pressing enter twice. Here is an example:

2621B#1

[Resuming connection 1 to 172.16.20.2 ... ] [press enter]

2621A>

When changing windows from Router to Router do not close the window with the “x” or the telnet information will be lost.

21. You can list all active consoles and VTY ports in use on your router with the show users command. Type show users from 2621 Router A, which 2621 Router B had telneted into.

2621A>show users


0 con 0 idle 00:00:00

* 2 vty 0 idle 00:25:12 172.16.30.2


2621A>

In the command’s output, the con represents the local console. In this example, the console is connected to two remote IP addresses, or devices. This output shows that the console is active and that VTY port 0 is being used. The asterisk represents the current terminal session user.

22. You can end Telnet sessions a few different ways. Typing exit or disconnect is probably the easiest and quickest. To end a session from a remote device, use the exit command, as shown below.

2621A#exit


2621B#

23. To end a session from a local device, use the disconnect command, as shown below.

2621B#show sessions


356 Switch Security

* 2 172.16.10.17 172.16.10.17 0 0 172.16.10.17

2621B#disconnect 2

Closing connection to 172.16.10.17 [confirm] [enter]

2621B#

In this example, we used the session number 2 because that was the connection to the 3550 Switch A that we wanted to end. As explained earlier, you can use the show sessions command to see the connection number.

Individual Lab: Using the Cisco Discovery Protocol to Gather Information about Neighbor DevicesCisco Discovery Protocol (CDP) is a proprietary protocol designed by Cisco to help admin-istrators collect information about both locally attached and remote devices. You can gather hardware information, as well as protocol information about neighbor devices. This infor-mation is useful for troubleshooting and documenting the network.











Network Layout

On the Network Visualizer screen, click on the Labs menu then choose Individual, Cisco Internetwork, and Cisco Discovery Protocol.

358 Switch Security

Lab Steps


Router>enable

Router#config t










2621A(config)#exit




[OK]

2621A#


Router>enable

Router#config t














2811A(config)#exit





[OK]

2811A#


Router>enable

Router#config t










2621B(config)#exit




[OK]

2621B

4. Gather CDP information on your router by getting CDP Timers and Holdtime Informa-tion. Use the show cdp command which shows information about two CDP global param-eters that can be configured on Cisco devices. The output on a router looks like this:

2811A#show cdp

Global CDP information:

Sending CDP packets every 60 seconds

Sending a holdtime value of 180 seconds

Sending CDPv2 advertisements is enabled

2811A#

Clock Rate


360 Switch Security

NN CDP timer is how often CDP packets are transmitted to all active interfaces.

NN CDP holdtime is the amount of time that the device will hold packets received from neighbor devices.

Both the Cisco routers and the Cisco switches use the same parameters.

5. Use the global commands cdp holdtime and cdp timer to configure the CDP holdtime and timer on a router.

2811A#config t


2811A(config)#cdp ?

advertise-v2 CDP sends version-2 advertisements

holdtime Specify the holdtime (in sec) to be sent in packets

log Log messages generated by CDP

run Enable CDP

source-interface Insert the interface's IP in all CDP packets

timer Specify rate (in sec) at which CDP packets are sent

2811A(config)#cdp timer 90

2811A(config)#cdp holdtime 240


6. You can turn off CDP completely on the router with the no cdp run command from global configuration mode of a router. Enable CDP with the cdp run command.

2811A(config)#no cdp run

2811 (config)#cdp run


7. To turn off or on CDP on a router interface, use the no cdp enable and cdp enable commands. Enable CDP on the interface with the cdp enable command.


2811A(config-if)#no cdp enable

2811A(config-if)#cdp enable


8. The show cdp neighbor command (show cdp nei for short) shows information about directly connected devices. It is important to remember that CDP packets are not passed through a Cisco switch, and you only see what is directly attached. On a router con-nected to a switch, you will not see the other devices connected to the switch. The fol-lowing output shows the show cdp neighbor command used on the 2811 A router.

2811A#show cdp nei

Device ID Local Intrfce Holdtme Capability Platform Port ID

2621B Ser 0/0/1 170 R 2621 Ser 0/0


2621A Ser 0/1/1 170 R 2621 Ser 0/0

2811A#

The following table summarizes the information displayed by the show cdp neighbor command for each device.

Field Description

Device ID The hostname of the device directly connected.

Local Interface The port or interface on which you are receiving the CDP packet.

Holdtime The amount of time the router will hold the information before discarding it if no more CDP packets are received.

Capability The neighbor’s capability, such as router, switch, or repeater. The capability codes are listed at the top of the command output.

Platform The type of Cisco device. In the above output, a 2811 router, two 2621 routers, a 3550 switch, and a 3560 switch are attached.

Port ID The neighbor device’s port or interface on which the CDP packets are broadcasted out.

9. Another command that provides neighbor information is the show cdp neighbor detail command (show cdp nei de for short), which also can be run on the router or switch. This command shows detailed information about each device connected to the device, as in the router output below.

2811A#show cdp neighbor detail

-------------------------

Device ID: 2621B

Entry address(es):

IP Address: 172.16.30.2



Holdtime : 146 sec

Version :





362 Switch Security



-------------------------

Device ID: 2621A

Entry address(es):

IP Address: 172.16.20.2



Holdtime : 146 sec

Version :







-------------------------

2811A#

The output above shows the hostname and IP address of the directly connected devices. In addition to the same information displayed by the show cdp neighbor command, the show cdp neighbor detail command also shows the IOS version of the neighbor device.

10. The show cdp entry * command displays the same information as the show cdp neighbor details command. The following is an example of the router output of the show cdp entry * command.

2811A#show cdp entry *

-------------------------

Device ID: 2621B

Entry address(es):

IP Address: 172.16.30.2



Holdtime : 146 sec

Version :








-------------------------

Device ID: 2621A

Entry address(es):

IP Address: 172.16.20.2



Holdtime : 146 sec

Version :







-------------------------

2811A#

11. The show cdp traffic command displays information about interface traffic, including the number of CDP packets sent and received and the errors with CDP. The following output shows the show cdp traffic command used on a router.

2811A#show cdp traffic

CDP counters :

Total packets output: 30, Input: 30

Hdr syntax: 0, Chksum error: 0, Encaps failed: 0

No memory: 0, Invalid packet: 0, Fragmented: 0



2811A#

Individual Lab: Working with a Router Interface


By default, interfaces are shut down and turned off. That means that packets cannot travel through the device to another connected device. You can turn an interface on with the no shutdown command. You can turn off or shut down an interface with the shutdown command. You can check the status of an interface by using the show interface command. If an inter-face is shut down, it will display administratively down when using the show interface com-mand, and the show running-config command will also show the interface as shut down.

364 Switch Security









Lab Steps



3. Change to the privileged mode and global configuration mode.

Router>

Router>enable

Router>config t


4. Set the hostname.



Network Layout

On the Network Visualizer screen, click on the Labs menu then choose Individual, Cisco IOS, and Router Interface.

366 Switch Security

5. Type show interface fastethernet 0 and see that it is administratively down.

2621A(config)#exit


FastEthernet0/0 is administratively down, line protocol is up

[output cut]

6. Bring up interface FastEthernet 0/0 with the no shutdown command.

2621A#config t





00:57:08: %LINK-3-UPDOWN: Interface Fastethernet 0/0, changed state to up

00:57:09: %LINEPROTO-5-UPDOWN: Line protocol on Interface Fastethernet 0/0, changed state to up


Fastethernet 0/0 is up, line protocol is down

[output cut]

7. Configure the router to enable all interfaces by issuing the no shutdown command on all interfaces.

Configuring an IP Address on an Interface

8. Configure the FastEthernet 0/0 interface with the IP address of 172.16.10.2/24.

2621A#config t



Notice that in order to enable an interface, we use the no shut command. Remember to look at the command show interface fa0/0, for example, which will show you if it administratively shut down or not. Show running-config will also show you if the inter-face is shut down.

9. If you want to add a second subnet address to an interface, then you must use the secondary command.


If you type another IP address and press Enter, it will replace the existing IP address and mask. To add a secondary IP address, use the secondary command.

2621A(config-if)#ip address 172.16.20.2 255.255.255.0 secondary


10. You can verify both addresses are configured on the interface with the show running-config command (show run for short).

2621A#show run



[output cut]

!

interface Fastethernet 0/0


ip address 172.16.10.2 255.255.255.0

Serial InterfaceTo configure a serial interface, there are a couple of specifics that need to be discussed.

Typically, when in production, the interface will be attached to a CSU/DSU type of device that provides clocking for the line. However, if you have a back-to-back configura-tion used in a lab environment, for example, one end must provide clocking. This would be the DCE end of the cable. Cisco routers, by default, are all DTE devices, and you must tell an interface to provide clocking if it is to act as a DCE device. If you don’t completely understand this right now, don’t worry, you will. Just run through the commands below for now and I promise it will become clear to you later.

Subnet Address

Is a range of logical addresses within the address space of an organization. This allows you to take one network and turn it into many more, smaller networks. This allows for less network traffic on each network and faster and more efficient networks. See the section Subnetting Basics in the Sybex CCNA Study Guide, 7th edition.

368 Switch Security

Serial Interface

You have a connection between two devices where data is sent between the two one bit at a time. This occurs in only one direction at a time.


11. You can configure a DCE serial interface with the clock rate command. Configure an interface that has a DCE connection.

2621A#config t


2621A(config)#int s0/0

2621A(config-if)#clock rate ?

Speed (bits per second)

1200

2400

4800

9600

19200

38400

56000

64000

72000

125000

148000

250000

500000

800000

1000000

1300000

2000000

4000000

<300-4000000> Choose clockrate from list above

2621A(config-if)#clock rate 64000

It does not hurt anything to try and put a clock rate on an interface. Notice that the clock rate command is in bits per second.

If you are not on an interface that is set to DCE than you will receive an error when trying this command.

370 Switch Security

12. The next command you need to understand is the bandwidth command. Every Cisco router ships with a default serial link bandwidth of a T1, or 1.544Mbps. However, understand that this has nothing to do with how data is transferred over a link. The bandwidth of a serial link is used by routing protocols such as IGRP, EIGRP, and OSPF to calculate the best cost to a remote network. If you are using RIP routing, then the bandwidth setting of a serial link is irrelevant.

2621A(config-if)#bandwidth ?

<1-10000000> Bandwidth in kilobits

2621A(config-if)#bandwidth 64

Notice that unlike the clock rate command, the bandwidth command is configured in kilobits.

Setting An Interface Description

13. Set the description of the interface serial 0/0 interface to WAN to Miami with a circuit number of 6fdda4321.


2621A(config-if)#desc Wan to Miami circuit:6fdda4321

14. You can view the description of an interface either with the show running-config command or the show interface command.

2621A#show run

[output cut]

Finding DCE

DCE (data communications equipment) is the side of the connection that provides the clocking. Unless it is a 2811 router, you would enter the clock rate on the DCE side of a connection between routers. If you cannot remember what side of your connection is DCE, you can use the show controllers command. Here is an example:

2811#show controllers s0/1/1

Interface Serial0/1/1

Hardware is GT96K

DCE V.35, clock rate 2000000 <------------ The DCE connection is associated with s0/1/1 and a clockrate of 2000000

idb at 0x454E69C8, driver data structure at 0x454EE0EC

wic_info 0x454EE6E8

Physical Port 0, SCC Num 0

[output cut]


!

interface Serial0/0

description Wan to Miami circuit:6fdda4321

no ip address


shutdown

clockrate 64000

!

[output cut]

2621A#show int s0/0

Serial0/0 is administratively down, line protocol is down

Hardware is PowerQUICC Serial

Description: Wan to Miami circuit:6fdda4321

MTU 1500 bytes, BW 1544 Kbit, DLY 20000 0.


Encapsulation HDLC, loopback not set

[output cut]

2621A#

Individual Lab: Configuring HostsWe will now configure all the hosts in the network and then verify the configurations. We will start with Host A.




372 Switch Security







Lab Steps

Copy and Paste ScriptSteps 1-3 are necessary in order to perform this lab. If you do not want to manually complete these steps and want to accelerate steps 1 - 3, you can copy and paste the following script into the console for each router. After you get into User mode, copy and paste the script into the console. Click on the console and click your right mouse button. A pop-up menu will appear. Click Paste.

After pasting the script into the console, you will see the prompt Destination filename [startup-config]?. At this point, press enter.


Network Layout

On the Network Visualizer screen, click on the Labs menu then choose Individual, Cisco IOS, and Configuring Hosts.

374 Switch Security


enable

config t

hostname 2621A

line vty 0 4

password todd

login

interface serial 0/0

ip address 172.16.20.2 255.255.255.0


no shutdown

exit

exit

copy run start

enable

config t

hostname 2811A

line vty 0 1180

password todd

login


ip address 172.16.10.1 255.255.255.0


no shutdown

interface serial 0/1/1

ip address 172.16.20.1 255.255.255.0


no shutdown


ip address 172.16.30.1 255.255.255.0


no shutdown

exit

exit

copy run start

enable

config t

hostname 2621B

line vty 0 4

password todd

login


ip address 172.16.30.2 255.255.255.0


no shutdown

exit

exit

copy run start


N Hostname

NN Interface description

N IP addresses of each interface

Router>enable

Router#config t












NN Hostname



Router>enable

Router#config t


















Clock Rate

You do not have to set a clock rate if the DCE side of your connection is a 2811 router. The clock rate for the serial interface is set by default to 2000000. However, on the 2621 router you still need to explicitly set the clock rate. In our lab the DCE side of the con-nection is interface serial 0/1/1 and serial 0/0/1.

376 Switch Security


NN Hostname



Router>enable

Router#config t










4. We need to add a routing protocol such as RIP. Add RIP for each router with a net-work of 172.16.0.0.







[OK]

2621A#

2621B#config t







[OK]

2621B#

2811A#config t








[OK]

2811A#




NN IP Address

NN Subnet Mask

NN Default Gateway


378 Switch Security

subnet mask when you split up an IP network it is used to determine what section or subnet the IP address of networked device belongs to. An IP address has two parts, the network address and the host address.

Let’s examine IP address 172.16.10.6. Assuming this is part of a Class B network, the first two numbers (172.16) represent the Class B network address, and the second two numbers (10.6) identify a particular host on this network.


IP Address: 172.16.10.5

Subnet Mask: 255.255.255.0


8. Right-click on Host B.




NN IP Address

NN Subnet Mask

NN Default Gateway

IP Address: 172.16.10.6

Subnet Mask: 255.255.255.0




NN IP Address

NN Subnet Mask

NN Default Gateway

380 Switch Security

IP Address: 172.16.10.7

Subnet Mask: 255.255.255.0




NN IP Address

NN Subnet Mask

NN Default Gateway

IP Address: 172.16.10.8

Subnet Mask: 255.255.255.0




NN IP Address

NN Subnet Mask

NN Default Gateway


IP Address: 172.16.40.3

Subnet Mask: 255.255.255.0




NN IP Address

N Subnet Mask

NN Default Gateway

IP Address: 172.16.50.3

Subnet Mask: 255.255.255.0



20. From each host, ping all other hosts. Here is an example where we ping all others hosts from Host.

382 Switch Security

21. Double-click Host D on the network.

C:\>ping 172.16.10.5

C:\>ping 172.16.10.6

C:\>ping 172.16.10.7

C:\>ping 172.16.40.3 (this should fail)

C:\>ping 172.16.50.3 (this should fail)

ICND2

RIP - IPv6

Lab 1.1: Configuring RIP RoutingConfiguring the routers with static and default routing is interesting to say the least. However, it is not very often that you would use just static and default routing in a network these days. This lab will configure Routing Information Protocol (RIP), one of the first dynamic routing protocols created. It is easy and works pretty well in small to medium size networks.

Dynamic Routing

The process of routers in an Intranet or Internet advertising route information automati-cally between each other. There is typically a common dynamic routing protocol con-figured on each router. RIP Version 1 and 2, OSPF, EIGRP, and BGP are some examples of dynamic routing protocols. When all routers have received routing updates and have updated routing tables, the network is said to have converged. Convergence means that all routers in the internetwork have the same routing information. At this point, a routed protocol, IP for example, can send user data throughout the internetwork.

Network Layout

Load Standard Layout.rsm (or whatever you have named it in ICND1 labs) before going through the following lab.



Lab 1.1: Configuring RIP Routing 385

Lab StepsTo configure RIP routing, you first have to remove the static and default routes configured on the routers. This is assuming that you completed ICND1 Lab 2.9. Skip to lab step 4 if you did not work with ICND1 Lab 2.9.

If do not remove static and default routes, you will have connectivity throughout the net-work and will not know if you have correctly set up RIP. Removing static and default routes will help you clearly determine when and if you have set up RIP throughout the network. Then use the router rip command to configure RIP. Then tell the routers which networks are advertised with RIP.

1. From 2621 Router A, delete the default route and then verify the routing table with the show ip route command. Only the directly connected networks should be in the routing table.

2621A#config t


2621A(config)#exit

2621A#show ip route

[output cut]





3. Click on the file Standard Layout.rsm and click Open.

386 ICND2

2. From the 2621 Router B, delete the default route and then verify the routing table with the show ip route command. Only the directly connected networks should be in the routing table.

2621B#config t


2621B(config)#exit

2621B#show ip route

[output cut]





3. From 2811 Router A, delete the static routes and then verify the routing table with the show ip route command. Only the directly connected networks should be in the routing table.

2811A#config t



2811A(config)#do show ip route

[output cut]






Deleting the static and default routes was the hardest part of configuring RIP routing! Now, configure each router with RIP.

4. From 2621 Router A, configure RIP routing and tell RIP the network you want to advertise.

Router Rip Command

Turns on RIP routing.

Network Command

Should be entered for each of the networks that the router is connected to and is a part of the RIP network. In our network we have only one network, network 172.16.0.0.

Lab 1.1: Configuring RIP Routing 387

2621A#config t




That’s all there is to it! Dynamic routing is easy on small networks. The important thing to notice here is that the network address is a classful address, which means you use the classful boundary.

5. From 2621 Router B, configure RIP routing and tell RIP the network you want to advertise.

2621B#config t


RIP

NN Stands for Routing Information Protocol.

NN Sends routing-update messages at regular intervals (usually every 30 seconds) and when the network topology changes.

NN Uses a single metric called a hop, which measures the distance between the source and destination.

NN Is limited to a hop count of 15. It has a maximum hop count. This means a network cannot be more than 15 hops from the source to the destination. Otherwise the destination is deemed as unreachable.

NN Has a routing update timer that is used so that on a period basis (usually every 30 seconds) creates an update for each known route.

NN Does not support VLSM.

Classful Routing

Routing protocols (i.e., RIPv1 and IGRP) where subnet masks (routing masks) are not sent in the periodic routing updates. For example, we use the 172.16.0.0 class B network address and subnet that network with 24 bits of subnetting. This means the third octet is used for subnets and the fourth octet is the host addresses for each subnet. RIP is a classful routing protocol, which means that you do not type in any subnet addresses, only the class B address. When using a classful network protocol like RIP, make sure that all networked devices have the same subnet mask.

388 ICND2




2811A#config t





Lab 1.2: Verifying RIP RoutingConfiguring RIP is pretty easy, especially in small networks. It is important to be able to verify RIP on Cisco® routers. This lab will provide you with the commands to verify RIP.

Network Layout

Load the network layout you have been working with in Lab 1.1.

Lab 1.2: Verifying RIP Routing 389

Lab Steps


2621A#show ip route


R 172.16.30.0 [120/1] via 172.16.20.1, 00:00:13, Serial0/0



R 172.16.10.0 [120/1] via 172.16.20.1, 00:00:13, Serial0/0

R 172.16.50.0 [120/1] via 172.16.20.1, 00:00:13, Serial0/0

Notice the R, which means it is a RIP found route. The C is a directly connected network. You should see two directly connected routes and three RIP routes.


2621B#show ip route



R 172.16.40.0 [120/2] via 172.16.30.1, 00:00:21, Serial0/0


R 172.16.20.0 [120/1] via 172.16.30.1, 00:00:21, Serial0/0

R 172.16.10.0 [120/1] via 172.16.30.1, 00:00:21, Serial0/0

3. From the 2811 Router A, use the show ip route command to verify the routing table.

2811A#show ip route



R 172.16.40.0 [120/1] via 172.16.20.2, 00:00:27, Serial0/1/1

R 172.16.50.0 [120/1] via 172.16.30.2, 00:00:27, Serial0/0/1



4. From 2621 Router B, use the debug ip rip command to see RIP updates being sent and received on the router.

2621B#debug ip rip

RIP protocol debugging is on

2621B#

then after a few seconds ....

*Oct 13 17:19:25.906: RIP: received v1 update from 172.16.30.1 on Serial0/0

*Oct 13 17:19:25.906: 172.16.40.0 in 2 hops

*Oct 13 17:19:25.906: 172.16.20.0 in 2 hops


390 ICND2

*Oct 13 17:19:25.906: 172.16.40.0 in 3 hops

*Oct 13 17:19:25.906: 172.16.20.0 in 3 hops


*Oct 13 17:19:25.906: 172.16.40.0 in 4 hops

*Oct 13 17:19:25.906: 172.16.20.0 in 4 hops


*Oct 13 17:19:25.906: 172.16.40.0 in 5 hops

[output cut]

5. To turn off debugging, use the no debug ip rip command, or the undebug all command.

2621B#undebug all

6. To see detailed information about currently configured protocols on a router, use the show ip protocols command.

2621B#show ip protocols

Routing Protocol is "rip"





Redistributing: rip

Default version control: send version 1, receive any version

Interface Send Recv Triggered RIP Key-chain

Serial0/0 1 1 2

FastEthernet0/0 1 1 2

Automatic network summarization is in effect

Maximum path: 4


172.16.0.0



172.16.30.1 120 00:00:03


2621B#

Notice the timers. RIP is sent out every 30 seconds by default. The administrative distance for RIP is 120 by default.

7. Another really good command is the show protocols command, which shows you the routed protocol configuration of each interface.

2621B#show protocols

Global values:

Internet protocol routing is enabled

Lab 1.2: Verifying RIP Routing 391


Serial0/0 is up, line protocol is up


FastEthernet0/1 is administratively down, line protocol is down



Administrative Distance

Is a measure of the trustworthiness of the source of the routing information. It is reported as a number between 0 and 255. The smaller the number, the more reliable the protocol. If you have, for example, two protocols IGRP and RIP configured on a router, the IGRP routes will be preferred over the RIP routes. This is because you have an administrative distance of 120 for RIP and 100 for IGRP.

Source Default Distance Value

Connected interface 0

Static route 1

Enhanced Interior Gateway Routing Protocol (EIGRP) summary route

5

External Border Gateway Protocol (BGP) 20

Internal EIGRP 90

IGRP 100

OSPF 110

Intermediate System-to-Intermediate System (IS-IS) 115

Routing Information Protocol (RIP) 120

Exterior Gateway Protocol (EGP) 140

On Demand Routing (ODR) 160

External EIGRP 170

Internal BGP 200

Unknown 255

392 ICND2

8. From 2811 Router A, use the show protocols command.

2811A#show protocols

Global values:



Serial0/0/1 is up, line protocol is up







Lab 1.3: Configuring IPv6 Static RoutingInternet Protocol Version 6 (IPv6) is the new addressing scheme that will eventually replace all IPv4 addresses. The IPv4 address scheme is no longer adequate to meet the needs of the growing Internet, and growing Intranets. IPv6 was also designed to increase routing perfor-mance and network scalability issues. IPv6 addresses are 128 bits in length.

Hexadecimal GroupsIPv6 addresses are divided into eight, 16 bit hexadecimal groups. For example,

2001:0000:0000:0008:0000:0000:0000:0012 can be divided into ...

2001: 0000: 0000: 0008: 0000: 0000: 0000: 0012

1 2 3 4 5 6 7 8

The IPV6 address above can also be shortened to 2001:0:0:8:0:0:0:12 or 2001::8:0:0:0:12

Address TypesThere are three IPv6 address types:

NN Unicast

NN Anycast

NN Multicast

Lab 1.3: Configuring IPv6 Static Routing 393

Unicast TypesThere are four unicast address types:

NN Link local

N Unique local

NN Global

N Special

IPv6 BitsIPv6 bit address can be divided into ...

48 bits 16 bits 64 bits

2001:0000:0000: 0008: 0000:0000:0000:0012

Global Prefix Subnet Interface ID

This lab will have you create an IPv6 network. In this network you will use IPv6 to create both default and static routing. The network used in this lab has IPv4 addresses already configured on each router interface. Having both IPv4 and IPv6 addresses on an interface is called DUAL stacking.

Network Layout

Load IPv6 Layout.rsm before going through the following lab.



394 ICND2

Lab Steps

1. Enable IPv6 routing and Cisco Express Forwarding (CEF) on each router.

2811A#config t

2811A(config)#ipv6 unicast-routing

2811A(config)#ipv6 cef

2811B#config t

2811B(config)#ipv6 unicast-routing

2811B(config)#ipv6 cef

2811C#config t

2811C(config)#ipv6 unicast-routing

2811C(config)#ipv6 cef

2. Configure IPv6 addresses on 2811 Router A.


2811A(config-if)#ipv6 address 2001::10:1/112

3. Click on the file IPv6 Layout.rsm and click Open. You should see the following non-configured network:

Lab 1.3: Configuring IPv6 Static Routing 395


2811A(config-if )ipv6 address 2001::20:1/112




3. Configure IPv6 addresses on 2811 Router B.

2811B(config)#interface fastethernet 0/0

2811B(config-if)# ipv6 address 2001::40:1/112

2811B(config-if)#int s0/1/0

2811B(config-if)#ipv6 address 2001::30:2/112


4. Configure IPv6 addresses on 2811 Router C.

2811C(config)#int fa0/0

2811C(config-if)# ipv6 address 2001::50:1/112

2811C(config-if)#int s0/0/0

2811C(config-if)#ipv6 address 2001::20:2/112


5. Configure two IPv6 static routes on 2811 Router A.

2811A(config)#ipv6 route 2001::40:0/112 2001::30:2


2811A(config)#exit


The static routes will allow 2811 Router A to communicate with the rest of the network.

6. Configure a IPv6 default route on 2811 Router B.

2811B(config)#ipv6 route ::/0 2001::30:1

2811B(config)#exit


This default route will allow 2811 Router B to communicate with the rest of the net-work. 2811 Router B will use 2811 Router A as a gateway of last resort.

7. Configure a IPv6 default route on 2811 Router C.

2811C(config)#ipv6 route ::/0 2001::20:1

2811C(config)#exit


This default route will allow 2811 Router C to communicate with the rest of the net-work. 2811 Router C will use 2811 Router A as a gateway of last resort.

396 ICND2

Rename and Save Your File: Make sure you save the actual network layout file that you have been working with. You might want to save it to another file name than IPv6 Layout.rsm. This allows you to start over with a non-configured network if you wish.


Lab 1.4: Verifying IPv6 Static Routing 397

2. A dialog box will appear. At the bottom you will see the file name IPv6 Layout.rsm. Rename the file. For example, you could name it My IPv6 Layout.rsm.

3. Click the Save button. At this point your network layout has been saved to a new name. You then have the option of reloading IPv6 Layout.rsm which is non-configured.

Lab 1.4: Verifying IPv6 Static RoutingUnderstanding how to configure routers is very important. But just as important as the understanding of configuring routers is the process of verifying your configurations. This lab will provide you with the commands to verify your IPv6 Static Routing configurations.

Network Layout

Load IPv6 Layout.rsm or whatever you named the file when you saved your work. You need a configured network in order to complete this lab.

398 ICND2

Lab Steps

1. On 2811 Router A, issue the show running-configuration command to verify the IPv6 configurations.

2811A#show run

[output cut]

!


ip address 172.16.10.1 255.255.255.0


ipv6 address 2001::10:1/112

!

[output cut]

!

interface Serial0/0/0

ip address 172.16.20.1 255.255.255.0


clockrate 2000000

ipv6 address 2001::20:1/112

!

[output cut]

!


ip address 172.16.30.1 255.255.255.0


clockrate 2000000

ipv6 address 2001::30:1/112

!

[output cut]

!

ipv6 route 2001::40:0/112 2001::30:2

ipv6 route 2001::50:0/112 2001::20:2

!

[output cut]

2811A#

As you can see, each interface has an IPv6 address. You can also see the IPv6 static routes that are configured.

2. On 2811 Router A, issue the show ipv6 interface command to see which router interfaces are configured for IPv6.

2811A#show ipv6 interface



IPv6 is enabled, link-local address is FE80::21A:2FFF:FE55:D408

Global unicast address(es):

2001::10:1, subnet is 2001::10:0/112

Joined group address(es):

FF02::1

FF02::2

FF02::1:FF10:1

FF02::1:FF55:D408

MTU is 1500 bytes

ICMP error messages limited to one every 100 milliseconds

ICMP redirects are enabled

[output cut]



Description: conn-to-2811A


2001::20:1, subnet is 2001::30:0/112


FF02::1

FF02::2

FF02::1:FF20:1

FF02::1:FF55:D408

MTU is 1500 bytes



[output cut]



Description: conn-to-2811C


2001::30:1, subnet is 2001::20:0/112


FF02::1

FF02::2

FF02::1:FF30:1

FF02::1:FF55:D408

MTU is 1500 bytes



[output cut]

2811A#

400 ICND2

3. On 2811 Router A, issue the show ipv6 interface brief command to see a summary of the router interfaces configured for IPv6.

2811A#show ipv6 interface brief

FastEthernet0/0 [up/up]

FE80::21A:2FFF:FE55:D408

2001::10:1

FastEthernet0/1 [administratively down/down]

Serial0/0/0 [up/up]

FE80::21A:2FFF:FE55:D408

2001::20:1

Serial0/0/1 [administratively down/down]

Serial0/1/0 [up/up]

FE80::21A:2FFF:FE55:D408

2001::30:1


2811A#

4. On 2811 Router A, issue the show ipv6 route command to see the IPv6 routing table.

2811A#show ipv6 route

IPv6 Routing Table - 10 entries

Codes: C - Connected, L - Local, S - Static, R - RIP, B - BGP

U - Per-user Static route

I1 - ISIS L1, I2 - ISIS L2, IA - ISIS interarea, IS - ISIS summary

O - OSPF intra, OI - OSPF inter, OE1 - OSPF ext 1, OE2 - OSPF ext 2

ON1 - OSPF NSSA ext 1, ON2 - OSPF NSSA ext 2

C 2001::10:0/112 [0/0]

via ::, FastEthernet0/0

L 2001::10:1/128 [0/0]


C 2001::20:0/112 [0/0]

via ::, Serial0/0/0

L 2001::20:1/128 [0/0]

via ::, Serial0/0/0

C 2001::30:0/112 [0/0]

via ::, Serial0/1/0

L 2001::30:1/128 [0/0]

via ::, Serial0/1/0

S 2001::40:0/112 [1/0]

via 2001::30:2

S 2001::50:0/112 [1/0]


via 2001::20:2

L FE80::/10 [0/0]

via ::, Null0

L FF00::/8 [0/0]

via ::, Null0

2811A#

5. From 2811 Router A, ping the IPv6 Fast Ethernet addresses of routers 2811 B and 2811 C. Pinging will verify that your default and static routing configurations are correct.

2811A#ping ipv6 2001::40:1


Sending 5, 100-byte ICMP Echos to 2001::40:1, timeout is 2 seconds:

!!!!!


2811A#

2811A#ping ipv6 2001::50:1



!!!!!


2811A#


Troubleshooting IPv6 Static RoutingYou have been asked to resolve the issue. This is stated below.

(use Practice Scenario: …

Troubleshooting Ipv6 … )Now that you have learned about some concepts and completed some hands-on work, try your problem-solving and troubleshooting skills with the following task. To complete your task you will load a specific network layout which you will use in working through the scenario.

When you have finished with this lab ...

402 ICND2

You can check your work by clicking the Grade Me button in the upper right hand cor-ner of the Network Visualizer screen.





NN The result for each command. You will see a green check mark (meaning that you got it correct) or a red X.




ScenarioYour IPv6 network has been working fine up until today.

TaskYou have been asked to resolve the issue.

Network Layout

On the Network Visualizer screen, click on the Labs menu then choose Practice Sce-narios, Basic Cisco Router Operations, and Troubleshooting IPv6 Static Routing.

404 ICND2

Lab 1.5: Configuring RIP IPv6 Routing (RIPng)In this lab you will create an IPv6 RIPng network. The network used in this lab has IPv4 addresses already configured on each router interface. This will demonstrate DUAL stacking. You will also be given the commands to verify your RIPng routing configurations.

Lab Steps

1. You need to remove the IPv6 routing configured in the previous lab. Perform this for each of the three routers.

2811A#config t

2811A(config)#no ipv6 route 2001::40:0/112 2001::30:2

2811A(config)#no ipv6 route 2001::50:0/112 2001::20:2

Network Layout

Load IPv6 Layout.rsm or whatever you named the file when you saved your work in Lab 1.3.

Lab 1.5: Configuring RIP IPv6 Routing (RIPng) 405

2811B#config t

2811B(config)#no ipv6 route ::/0 2001::30:1

2811C#config t

2811C(config)#no ipv6 route ::/0 2001::20:1

2. On the 2811 Router A, enable the IPv6 RIPng routing process from global and interface configuration mode.

2811A(config)#ipv6 router rip myripngprocess

2811A(config-rtr)#exit


2811A(config-if)#ipv6 rip myripngprocess enable


2811A(config-if )ipv6 rip myripngprocess enable





Remember that the ipv6 unicast-routing command must be configured on the router before the RIPng routing process can be enabled. The previous labs had you configure the command on all routers so we will not do it here.

3. On the 2811 Router B, enable the IPv6 RIPng routing process from global configura-tion mode.

2811B(config)#ipv6 router rip myripngprocess


2811B(config)#int fa0/0

2811B(config-if)#ipv6 rip myripngprocess enable



2811B(config-if)#ctrl+z


4. On the 2811 Router C, enable the IPv6 RIPng routing process from global configura-tion mode.

2811C(config)#ipv6 router rip myripngprocess

2811C(config-rtr)#exit


2811C(config-if)#ipv6 rip myripngprocess enable



2811C(config-if)#ctrl+z


406 ICND2

Lab 1.6: Verifying RIP IPv6 Routing (RIPng)Understanding how to configure routers is very important. But just as important as the understanding of configuring routers is the process of verifying your configurations. This lab will provide you with the commands to verify your RIPng routing configurations.

Lab Steps

1. On the 2811 Router A, issue the show running-configuration command to verify the IPv6 configurations.

2811A# show run

[output cut]

Network Layout

Load IPv6 Layout.rsm or whatever you named the file when you saved your work in Lab 1.5.

Lab 1.6: Verifying RIP IPv6 Routing (RIPng) 407

!

ipv6 unicast-routing

ipv6 cef

!

[output cut]

!


ip address 172.16.10.1 255.255.255.0

no ip directed broadcast

ipv6 address 2001::10:1/112

ipv6 rip myripngprocess enable

!

[output cut]

!


ip address 172.16.20.1 255.255.255.0


ipv6 address 2001::20:1/112

clock rate 8000000


!


ip address 172.16.30.1 255.255.255.0


ipv6 address 2001::30:1/112


clock rate 8000000

no cdp enable

!

[output cut]

!

ipv6 router rip myripngprocess

[output cut]

2811A#

As you can see, RIPng is configured on each interface. You can also see the IPv6 RIP (RIPng) routing process.





408 ICND2





C 2001::10:0/112 [0/0]


L 2001::10:1/128 [0/0]


C 2001::20:0/112 [0/0]

via ::, Serial0/0/0

L 2001::20:1/128 [0/0]

via ::, Serial0/0/0

C 2001::30:0/112 [0/0]

via ::, Serial0/1/0

L 2001::30:1/128 [0/0]

via ::, Serial0/1/0

R 2001::40:0/112 [120/2]

via FE80::215:FAFF:FED7:EDA0, Serial0/1/0

R 2001::50:0/112 [120/2]

via FE80::21A:2FFF:FE52:4808, Serial0/0/0

L FE80::/10 [0/0]

via ::, Null0

L FF00::/8 [0/0]

via ::, Null0

2811A#

3. On 2811 Router A, issue the show ipv6 protocols command to see the IPv6 protocols that are running on the router.

2811A#show ipv6 protocols

IPv6 Routing Protocol is "connected"

IPv6 Routing Protocol is "static"

IPv6 Routing Protocol is "rip myripngprocess"

Interfaces:

Serial0/0/1

Serial0/0/0

FastEthernet0/0

Redistribution:

None

2811A_aka_2811B#

Lab 1.6: Verifying RIP IPv6 Routing (RIPng) 409

4. From 2811 Router A, ping the IPv6 Fast Ethernet addresses of Routers 2811 B and 2811 C. Pinging will verify that your RIPng configurations are correct.

2811A#ping ipv6 2001::40:1



!!!!!


2811A#ping ipv6 2001::50:1


Sending 5, 100-byte ICMP Echos to 2001::5 0:1, timeout is 2 seconds:

!!!!!


2621B_aka_2811A#

Cisco Wide Area Networks (WAN)

Lab 2: Introduction to Cisco Wide Area Network Support

The Cisco IOS WAN can support many different WAN protocols that can help you extend your LANs to other LANs at remote sites. Connecting company sites together so informa-tion can be exchanged is imperative in this economy. However, it would take a truckload of money to put in your own cable or dedicated connections to network all of your company’s remote locations. Service providers allow you to lease or share connections that the service provider already has installed, which can save money and time.

Although this section does not cover every type of Cisco WAN support, it does cover the HDLC, PPP, and Frame Relay.

The labs covered in this section are as follows:

NN 2.1: Configuring PPP Encapsulation

NN 2.2: Verifying PPP Encapsulation

NN 2.3: Configuring PPP Authentication with CHAP

NN 2.4: Verifying PPP with Authentication

NN 2.5: Understanding Frame Relay Configuration

NN 2.6: Configuring Frame Relay Switching

NN 2.7: Configuring Frame Relay with Subinterfaces

NN 2.8: Verifying Frame Relay

The commands covered in this section are as follows:

Command Meaning

encapsulation frame-relay Changes the encapsulation to frame-relay on a serial link.

encapsulation frame-relay ietf Sets the encapsulation type to the Internet Engi-neering Task Force (IETF). Used to connect Cisco routers to off-brand routers.

encapsulation hdlc Restores the default encapsulation of HDLC on a serial link.

Lab 2.1: Configuring PPP Encapsulation 413

Command Meaning

encapsulation ppp Changes the encapsulation on a serial link to PPP.

frame-relay interface-dlci Configures the PVC address on a serial interface or subinterface.

frame-relay lmi-type Configures the LMI type on a serial link.

interface s0.16 point-to-point Creates a point-to-point subinterface on a serial link that can be used with frame-relay.

ppp authentication chap Tells PPP to use CHAP authentication.

show frame-relay lmi Sets the LMI type on a serial interface.

show frame-relay map Shows the static and dynamic Network layer to PVC mappings.

show frame-relay pvc Shows the configured PVC’s and DLCI numbers configured on a router.

username name password password Creates usernames and passwords used for authentication on a Cisco router.

Lab 2.1: Configuring PPP EncapsulationThe High-Level Data-Link Control protocol (HDLC) is a point-to-point protocol used on leased lines. No authentication can be used with HDLC and is the default encapsulation used by Cisco routers over synchronous serial links. Cisco’s HDLC is proprietary—it won’t communicate with any other vendor’s HDLC implementation. If you wanted to either offer authentication on a serial link or to connect from a Cisco router to another vendor router, then we need to configure PPP on the serial interfaces.

PPP (Point-to-Point Protocol) is a data-link protocol that can be used over asynchronous serial (dial-up) media and uses the LCP (Link Control Protocol) to build and maintain data-link connections. The basic purpose of PPP is to transport layer-3 packets across a data link layer point-to-point link.

This lab will have you configure PPP on all four serial networks, and replace HDLC as the encapsulation method on our serial links.

414 Cisco Wide Area Networks (WAN)

Lab Steps

1. Connect to 2811 Router B and change the encapsulation on the serial links from HDLC to PPP.

2811A>enable

2811A#config t

2811A(config)#interface serial 0/0/1

2811A(config-if)#encapsulation ppp

2811A(config-if)#interface serial 0/1/1



2811A#


2621B>enable

2621B#config t

2621B(config)#interface serial 0/0

2621B(config-if)#encapsulation ppp

Network Layout


Lab 2.2: Verifying PPP Encapsulation 415


2621B#

3. Connect to 2621 Router A and change the encapsulation on the serial link from HDLC to PPP.

2621A>enable

2621A#config t

2621A(config)#interface serial 0/0



2621A#

That is all there is to it. This part is easy.Save Your File: Make sure you save the network layout file that you have been working on.

Lab 2.2: Verifying PPP EncapsulationOnce you have replaced HDLC as the serial encapsulation method, then you need to verify your network is still working properly.

The first command to use is the show ip route command to make sure all your IP routes are still present.

Network Layout



Lab Steps

1. From 2621 Router A, use the show ip route command to verify the network is still running.

2621A#show ip route

[output cut]

172.16.0.0/16 is variably subnetted, 6 subnets, 2 masks

O 172.16.30.0/24 [110/74] via 172.16.20.1, 22:22:18, Serial0/0

C 172.16.20.1/32 is directly connected, Serial0/0


O 172.16.50.0/24 [110/74] via 172.16.20.1, 22:22:18, Serial0/0


O 172.16.10.0/24 [110/74] via 172.16.20.1, 22:22:18, Serial0/0

2621A#

2. From 2621 Router B, use the show ip route command to verify the network is still running.

2621B#show ip route

[output cut]




O 172.16.40.0/24 [110/74] via 172.16.30.1, 22:22:18, Serial0/0


O 172.16.20.0/24 [110/74] via 172.16.30.1, 22:22:18, Serial0/0

O 172.16.10.0/24 [110/74] via 172.16.30.1, 22:22:18, Serial0/0

2621B#


2811A#show ip route

[output cut]


C 172.16.30.2/32 is directly connected, Serial0/0/1


O 172.16.40.0/24 [110/74] via 172.16.20.2, 22:22:18, Serial0/1/1


O 172.16.50.0/24 [110/74] via 172.16.30.2, 22:22:18, Serial0/0/1



2811A#

Lab 2.3: Configuring PPP Authentication with CHAP 417

4. From 2811 Router A, use the show interface command to see the serial link encap-sulation.

2811A#show interface s0/0/1



Description: connection to 2621B




Encapsulation PPP, loopback not set

[output cut]

2811A#show interface s0/1/1



Description: connection to 2621A





Lab 2.3: Configuring PPP Authentication with CHAPNow that the network should be up and working with PPP, you can use PPP authentication to stop unwanted users from connected to your network. Although, this is typically used with dial-up, it still can be used with serial interfaces.

This lab will have you configure PPP authentication on all routers serial interfaces using the CHAP protocol.

Challenge Authentication Protocol (CHAP) is used at the initial startup of a link and at periodic checkups on the link to make sure the router is still communicating with the same host. After PPP finishes its initial phase, the local router sends a challenge request to the remote device. The remote device sends a value calculated using a one-way hash function called MD5. The local router checks this hash value to make sure it matches. If the values don’t match, the link is immediately terminated.

To configure PPP authentication, first set the hostname of the router if it is not already set (this is not an option!). Then set the username and password for the remote router con-necting to your router. For example, if you are connected to 2621 Router A and want to configure authentication, you would set the hostname and then create a username that con-sists of the router you are going to connect to, in this example, 2811 Router A.


This is shown below:

Router#config t



2621A(config)#username 2811A password cisco

When using the hostname command, remember that the username is the hostname of the remote router connecting to your router. It is case-sensitive. Also, the password on both routers must be the same. It is a plain-text password and can be seen with a show run command.

You must have a username and password configured for each remote system you are going to connect to. The remote routers must also be configured with usernames and passwords.

After you set the hostname, usernames, and passwords, choose the authentication as shown in the following example:

2621A#config t



2621A(config-if)#ppp authentication chap


2621A#

Network Layout


Lab 2.4: Verifying PPP with Authentication 419

Lab Steps

1. Open a console to 2621 Router A and create a username of 2811A and with a pass-word of cisco. Then configure the serial interface 0/0 to use ppp authentication of chap.

2621A#config t





2621A#

2. Open a console to 2621 Router B and create a username of 2811A and with a password of cisco. Then configure the serial interface 0/0 to use ppp authentication of chap.

2621B#config t

2621B(config)#username 2811A password cisco

2621B(config)#int s0/0

2621B(config-if)#ppp authentication chap


2621B#

3. Open a console to 2811 Router A and create a username of router 2621A and 2621Band with a password of cisco. Then configure the serial interfaces 0/0/1 and 0/1/1 to use ppp authentication of chap.

2811A#config t


2811A(config)#username 2621B password cisco

2811A(config)#int s0/0/1





Save Your File: Make sure you save the network layout file that you have been work-ing on.

Lab 2.4: Verifying PPP with AuthenticationOnce you have configured PPP with authentication as the serial encapsulation method, then you need to verify your network is still working properly.


The first command to use is the show ip route command to make sure all your IP routes are still present. The next command to use is the show interface command.

Lab Steps


2621A#show ip route

[output cut]


O 172.16.30.0/24 [110/74] via 172.16.20.1, 22:22:18, Serial0/0



O 172.16.50.0/24 [110/74] via 172.16.20.1, 22:22:18, Serial0/0


O 172.16.10.0/24 [110/74] via 172.16.20.1, 22:22:18, Serial0/0

2621A#

Network Layout


Lab 2.4: Verifying PPP with Authentication 421


2621B#show ip route

[output cut]




O 172.16.40.0/24 [110/74] via 172.16.30.1, 22:22:18, Serial0/0


O 172.16.20.0/24 [110/74] via 172.16.30.1, 22:22:18, Serial0/0

O 172.16.10.0/24 [110/74] via 172.16.30.1, 22:22:18, Serial0/0

2621B#


2811A#show ip route

[output cut]




O 172.16.40.0/24 [110/74] via 172.16.20.2, 22:22:18, Serial0/1/1


O 172.16.50.0/24 [110/74] via 172.16.30.2, 22:22:18, Serial0/0/1



2811A#

4. From 2811 Router A use the show interface command to see the serial link encapsu-lation.

2811A#show int s0/0/1








Keepalive set (10)




















2811A#









Keepalive set (10)



















Lab 2.5: Understanding Frame Relay Configuration 423

Lab 2.5: Understanding Frame Relay ConfigurationFrame Relay provides a communications interface between DTE (data terminal equipment) and DCE (data circuit-terminating equipment, such as packet switches) devices. DTE con-sists of terminals, PCs, routers, and bridges—customer-owned end-node and internetwork-ing devices. DCE consists of carrier-owned internetworking devices.

Frame Relay sends packets at the data link layer (layer 2) of the OSI model rather than at the network layer (layer 3). A frame can incorporate packets from different protocols.

Frame Relay Uses Virtual CircuitsFrame Relay provides connection-oriented, Data Link layer communication via virtual circuits. These virtual circuits are logical connections created between two DTE’s across a packet-switched network, which is identified by a DLCI, or Data Link Connection Identifier.

Also, Frame Relay uses both PVCs (Permanent Virtual Circuits) and SVCs (Switched Virtual Circuits which is a form of dialup), although most Frame Relay networks use only PVCs. This virtual circuit provides the complete path to the destination network prior to the sending of the first frame.

Configuring Frame Relay EncapsulationWhen configuring Frame Relay on Cisco routers, you need to specify it as an encapsula-tion on serial interfaces. There are only two encapsulation types: Cisco and IETF (Internet Engineering Task Force). The following router output shows the two different encapsulation methods when choosing Frame Relay on your Cisco router:

2621A#config t

2621A(config)#interface s0/0

2621A(config-if)#encapsulation frame-relay ?

ietf Use RFC1490 encapsulation

<cr>

The default encapsulation is Cisco unless you manually type in IETF, and Cisco is the type used when connecting two Cisco devices. You’d opt for the IETF-type encapsulation if you needed to connect a Cisco device to a non-Cisco device with Frame Relay.

Frame Relay DLCIFrame Relay virtual circuits (PVCs) are identified by Data Link Connection Identifiers(DLCIs). A Frame Relay service provider, such as the telephone company, typically assigns DLCI values, which are used by Frame Relay to distinguish between different virtual circuits on the network. Because many virtual circuits can be terminated on one multipoint Frame Relay interface, many DLCIs are often affiliated with it.


For the IP devices at each end of a virtual circuit to communicate, their IP addresses need to be mapped to DLCIs. This mapping can function as a multipoint device—one that can identify to the Frame Relay network the appropriate destination virtual circuit for each packet that is sent over the single physical interface. The mappings can be done dynamically through IARP (Inverse ARP) or manually through the frame relay map command.

DLCI numbers, used to identify a PVC, are typically assigned by the provider and start at 16. Configuring a DLCI number to be applied to an interface is shown below:

2621A(config-if)#frame-relay interface-dlci ?

<16-1007> Define a DLCI as part of the current subinterface

2621A(config-if)#frame-relay interface-dlci 16

Frame Relay LMIThe Local Management Interface (LMI) was developed in 1990 by Cisco Systems, StrataCom, Northern Telecom, and Digital Equipment Corporation and became known as the Gang-of-Four LMI or Cisco LMI. This gang took the basic Frame Relay protocol from the CCIT and added extensions onto the protocol features that allow internetwork-ing devices to communicate easily with a Frame Relay network.

The LMI is a signaling standard between a CPE device (router) and a frame switch. The LMI is responsible for managing and maintaining status between these devices.

If you’re not going to use the auto-sense feature of LMI, you’ll need to check with your Frame Relay provider to find out which type to use instead. The default type is Cisco, but you may need to change to ANSI or Q.933A. The three different LMI types are depicted in the router output below.

2621A(config-if)#frame-relay lmi-type ?

cisco

ansi

q933a

2621A(config-if)#frame-relay lmi-type ansi

You can have multiple virtual circuits on a single serial interface and yet treat each as a separate interface. These are known as subinterfaces. Think of a subinterface as a hardware interface defined by the IOS software. An advantage gained through using subinterfaces is the ability to assign different Network layer characteristics to each subinterface and virtual circuit, such as IP routing on one virtual circuit and IPX on another.

Subinterfaces with Frame RelayYou define subinterfaces with the int s0.subinterface number command as shown below. You first set the encapsulation on the serial interface, and then you can define the subinterfaces.

2621A(config-int)#encapsulation frame-relay

2621A(config-int)#exit

Lab 2.6: Configuring Frame Relay Switching 425

2621A(config)#int s0/0.?


2621A(config)#int s0/0.16 ?

multipoint Treat as a multipoint link

point-to-point Treat as a point-to-point link

2621A(config)#int s0/0.16 point-to-point

2621A(config-subif)#

You can define an almost limitless number of subinterfaces on a given physical interface (keeping router memory in mind). In the above example, we chose to use subinterface 16 because that represents the DLCI number assigned to that interface. However, you can choose any number between 0 and 4,292,967,295.

Lab 2.6: Configuring Frame Relay SwitchingNow that you should have a background on how to configure basic Frame Relay on a Cisco router, this lab will have you configure 2811 Router A as a Frame relay switch. Then you will configure routers 2811 B and 2811 C as remote Frame Relay connections.

To perform this lab, you need to delete the configurations on 2811 Router A first since the Frame Relay switching configuration is completely different then what we have now.

Network Layout



Lab Steps

1. From 2811 Router A, type erase start then reload.

2811A#erase start

Erasing the nvram filesystem will remove all configuration files!

Continue? [confirm] [press Enter]

[OK]


*Oct 27 19:30:52.640: %SYS-7-NV_BLOCK_INIT: Initialized the geometry of nvram

2811A#

2811A#reload

System configuration has been modified. Save? [yes/no]: n

Proceed with reload? [confirm] (press enter)

*Nov 15 16:11:07.406: %SYS-5-RELOAD: Reload requested by console. Reload Reason:

Reload Command.

System Bootstrap, Version 12.4(1r) [hqluong 1r], RELEASE SOFTWARE (fc1)

Copyright (c) 2005 by cisco Systems, Inc.

Initializing memory for ECC

c2811 processor with 262144 Kbytes of main memory

Main memory is configured to 64 bit mode with ECC enabled

Readonly ROMMON initialized

program load complete, entry point: 0x8000f000, size: 0xc940

program load complete, entry point: 0x8000f000, size: 0xc940

program load complete, entry point: 0x8000f000, size: 0x228d9f8

Self decompressing the image : #################################################

######################################################################### [OK]

Smart Init is enabled

smart init is sizing iomem

ID MEMORY_REQ TYPE

0003E7 0X003DA000 C2811 Mainboard

0X00263F50 Onboard VPN

0X000021B8 Onboard USB

0X002C29F0 public buffer pools

0X00211000 public particle pools

TOTAL: 0X00B13AF8

If any of the above Memory Requirements are

Lab 2.6: Configuring Frame Relay Switching 427

"UNKNOWN", you may be using an unsupported

configuration or there is a software problem and

system operation may be compromised.

Rounded IOMEM up to: 12Mb.

Using 4 percent iomem. [12Mb/256Mb]

Restricted Rights Legend

Use, duplication, or disclosure by the Government is

subject to restrictions as set forth in subparagraph

(c) of the Commercial Computer Software - Restricted

Rights clause at FAR sec. 52.227-19 and subparagraph

(c) (1) (ii) of the Rights in Technical Data and Computer

Software clause at DFARS sec. 252.227-7013.

cisco Systems, Inc.

170 West Tasman Drive

San Jose, California 95134-1706

Cisco IOS Software, 2800 Software (C2800NM-ADVIPSERVICESK9-M), Version 12.4(12),

RELEASE SOFTWARE (fc1)



Compiled Fri 17-Nov-06 12:02 by prod_rel_team

Image text-base: 0x40093160, data-base: 0x42B00000

This product contains cryptographic features and is subject to United

States and local country laws governing import, export, transfer and

use. Delivery of Cisco cryptographic products does not imply

third-party authority to import, export, distribute or use encryption.

Importers, exporters, distributors and users are responsible for

compliance with U.S. and local country laws. By using this product you

agree to comply with applicable laws and regulations. If you are unable

to comply with U.S. and local laws, return this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found at:

http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

If you require further assistance please contact us by sending email to

[email protected].

Cisco 2811 (revision 49.46) with 249856K/12288K bytes of memory.

Processor board ID FTX0952C3EG

2 FastEthernet interfaces

4 Serial(sync/async) interfaces

1 Virtual Private Network (VPN) Module

DRAM configuration is 64 bits wide with parity enabled.


239K bytes of non-volatile configuration memory.

125440K bytes of ATA CompactFlash (Read/Write)

--- System Configuration Dialog ---

Would you like to enter the initial configuration dialog? [yes/no]: (press n)

2. Open a console for 2811 Router A and configure the hostname.

Router>enable

Router#config t



2811A(config)#

Once your router is clear, you can now make them a frame relay switch with the frame-relay switching command. However, that is the easy part. You need to map every DLCI on the switch. Of course the router only has two connections, so it is not too time consuming, but if you had dozens of PVCs, this could take a while.

3. On the frame relay switch, use the frame relay route command to map each and every DLCI. Here is an example:


2811A(config-if)#frame-relay route 17 int serial 0/1/1 16


2811A(config)#

This command tells the switch that if it receives a frame on serial 0/0/1 with a PVC of 17, then send it out serial 0/1/1 using a PVC of 16. Again, in our network, this configuration will only be two routes so it’s not a big deal.

4. On 2811 Router A configure the Frame Switching. No IP addresses are assigned to the routes interfaces. Remember, this is a Data Link layer function only, so IP is irrelevant to this configuration.

2811A(config)#frame-relay switching


2811A(config)#encapsulation frame-relay

2811A(config-if)#no shut

2811A(config-if)#frame intf-type dce






Lab 2.7: Configuring Frame Relay with Subinterfaces 429



2811A#

5. Save you configurations.


6. Now that the frame-relay switching router is configured, you need to configure the remote routers.


Lab 2.7: Configuring Frame Relay with SubinterfacesThis lab will have you bring up the console for Routers 2811 B and 2811 C and configure them for frame relay configuration using subinterfaces.

Since the Frame-Relay switches are not using IP addressing, connecting from Routers 2811 B to 2811 C, for example, will use one subnet and appear like a direct connection. Use subnet 172.16.100.0.

Network Layout



Lab Steps

1. Open the console for 2811 Router B and configure the serial 0/0 interface with a Frame Relay subinterface. To perform this, you must remove the IP address from the serial interface.

2811B#config t

2811B(config)#int serial 0/0

2811B(config-if)#no ip address

2811B(config-if)#no shut

2811B(config-if)#encapsulation frame-relay

2811B(config-if)#int serial 0/0.16 point-to-point

2811B(config-subif)#ip address 172.16.100.1 255.255.255.0

2811B(config-subif)#frame-relay interface-dlci 16

2811B(config-subif)#ctrl+z

2811B#

2. Open the console for 2811 Router C and configure the serial 0/0 interface with a Frame Relay subinterface.

2811C#config t

2811C(config)#int serial 0/0

2811C(config-if)#no ip address

2811C(config-if)#no shut

2811C(config-if)#encapsulation frame-relay

2811C(config-if)#int serial 0/0.17 point-to-point

2811C(config-subif)#ip address 172.16.100.2 255.255.255.0

2811C(config-subif)#frame-relay interface-dlci 17

2811C(config-subif)#ctrl+z

2811C#

3. Verify the Frame Relay connection is up and running. Ping from 2811 Router B to the 2811 Router C.

2811B#ping 172.16.100.2



!!!!!


2811B#

Lab 2.8: Verifying Frame Relay 431

Lab 2.8: Verifying Frame RelayThere are several ways to check the status of your interfaces and PVCs once you have Frame Relay encapsulation set up and running.

Lab Steps

1. Open the console screen for 2621 Router A. I have this in the online docs.

2. You can use the show frame-relay command with a question mark (?) to get the command options: The show frame-relay lmi command will give you the LMI traffic statistics exchanged between the local router and the Frame Relay switch.

2621A#show frame ?

ip show frame relay IP statistics

lapf show frame relay lapf status/statistics

lmi show frame relay lmi statistics

map Frame-Relay map table

pvc show frame relay pvc statistics

qos-autosense show frame relay qos-autosense information

route show frame relay route

rtp show frame relay RTP statistics

Network Layout



svc show frame relay SVC stuff

traffic Frame-Relay protocol statistics

vofr show frame relay VoFR statistics

261A#show frame lmi

LMI Statistics for interface Serial0/0 (Frame Relay DTE) LMI TYPE = ANSI

Invalid Unnumbered info 0 Invalid Prot Disc 0

Invalid dummy Call Ref 0 Invalid Msg Type 0

Invalid Status Message 0 Invalid Lock Shift 0

Invalid Information ID 0 Invalid Report IE Len 0

Invalid Report Request 0 Invalid Keep IE Len 0

Num Status Enq. Rcvd 1748 Num Status msgs Sent 1748

Num Update Status Sent 0 Num St Enq. Timeouts 0

2811B#

The router output from the show frame-relay lmi command shows you LMI errors as well as the LMI type.

3. The show frame pvc command will list all configured PVCs and DLCI numbers. It provides the status of each PVC connection and traffic statistics. It will also give you the number of BECN and FECN packets received on the router.

2621A#show frame pvc

PVC Statistics for interface Serial0/0 (Frame Relay DTE)

DLCI = 16 , DLCI USAGE = LOCAL , PVC STATUS = ACTIVE , INTERFACE = Serial0/0.16

input pkts 11290 output pkts 11277 in bytes 898590

out bytes 899156 dropped pkts 2 in FECN pkts 0

in BECN pkts 0 out FECN pkts 0 out BECN pkts 0

in DE pkts 0 out DE pkts 0

out bcast pkts 11264 out bcast bytes 898468

pvc create time 13:25:57, last time pvc status changed 13:25:39

2811B#

4. You can also use the show interface command to check for LMI traffic. The show interface command displays information about the encapsulation as well as layer-2 and layer-3 information.

The LMI DLCI is used to define the type of LMI being used. If it is 1023, it is the default LMI type of Cisco. If the LMI DLCI is zero, then it is the ANSI LMI type.

2621A#show int s0/0




Lab 2.8: Verifying Frame Relay 433



Encapsulation FRAME-RELAY, loopback not set

Keepalive set (10)

FR SVC disabled, LAPF state down

LMI enq sent 41, LMI stat recvd 22, LMI upd recvd 0, DTE LMI down

LMI enq recvd 4, LMI stat sent 0, LMI upd sent 0

LMI DLCI 0 LMI type is ANSI frame relay DTE

Broadcast queue 0/64, broadcasts sent/dropped 0/0, interface broadcasts 0

[output cut]

2811B#

The show interface command displays line, protocol, DLCI and LMI information.

5. The show frame map command will show you the Network layer-to-DLCI mappings.

2621A#show frame map

Serial0/0 (up):ip dlci 16(0x66,0x1860), broadcast

status defined, active

Serial0/0.16 (up): point-to-point dlci, dlci 16(0x66,0x1860), broadcast


2621A#

EIGRP

Lab 3: Introduction to EIGRPIn this section you will learn about EIGRP which is a proprietary Cisco protocol that only runs on Cisco routers. You will learn how to manage Cisco routers in an internetwork. EIGRP uses the properties of both distance vector and link state and uses autonomous systems (AS) to create groups of routers that share routing information.


NN 3.1: Configuring EIGRP Routing

NN 3.2: Verifying EIGRP Routing

NN 3.3: Configuring EIGRP Wild Card Masks

NN 3.4: Verifying EIGRP Wild Card Masks Configurations

NN 3.5: Configuring EIGRP Authentication

NN 3.6: Verifying EIGRP Authentication

NN 3.7: Configuring Advanced Commands with EIGRP

Lab 3.1: Configuring EIGRP RoutingEIGRP is a Cisco proprietary hybrid routing protocol. If you want your routers to share information they must all:

NN have EIGRP running

NN use the same AS number

Network Layout

Load Standard Layout.rsm or whatever you named the file when you saved your work in earlier labs. You need a configured network in order to complete this lab.

Lab 3.1: Configuring EIGRP Routing 437

Lab Steps

1. First go to 2621 Router A and ping interface f 0/0 on 2621 Router B. The packet will travel through 2811 Router A on its way to 2621 Router B.

2621A#ping 172.16.30.2



!!!!!

2. We have not done anything yet with EIGRP but we can ping a distant router. If you look back at Lab 5.16 (if you have been sequentially going through the labs), we configured every router with RIP version 2. We need to remove RIP from every router so that we can test the effects of the EIGRP commands.

2621A#config t

2621A(config)#no router rip

2621B#config t

2621B(config)#no router rip

2811A#config t

2811A(config)#no router rip

EIGRP

NN Stands for Enhanced Interior Routing Protocol

NN Uses properties of both distance vector and link state

NN Has an administrative distance of 90

NN Has a maximum hop count of 255

NN Will automatically overwrite RIP (which has a default administrative distance of 120) routes in the routing table

NN Uses autonomous systems (AS) to create groups of routers that share routing information

NN Classless routing protocol but configured in a classful manner

NN Uses RTP Reliable Transport Protocol

NN Uses DUAL Diffusing Update Algorithm

NN Supports VLSM, summarization, and discontiguous networking

NN Supports IP V4 and V6, IPX, AppleTalk

438 EIGRP

3. Now try pinging 172.16.30.2.

2621A#ping 172.16.30.2



.....


2621A#

Good! We have removed RIP and now no connectivity. We can now proceed with EIGRP.

4. Configure 2621 Router A to use EIGRP with an AS of 10.

2621A#config t




2621A#

5. Configure 2621 Router B to use EIGRP with an AS of 10.

2621B#config t



2621B(config-router)


2811A#config t



2811A(config-router)#exit

7. Now that we have EIGRP on every router, go to 2621 Router A and ping 172.16.30.2 on 2621 Router B.

2621A#ping 172.16.30.2



.....


2621A#

Lab 3.1: Configuring EIGRP Routing 439

It did not work. Click on the Net Detective icon to see if we can find out why the ping was not successful.

You will see the following information:

1. Network 172.16.0.0 was not found in the routing tables for 2621 Router A.

2. The desired address falls outside of the protocol networks set up for one or more of the devices.

3. The desired IP address of 172.16.30.2 was not found. None of the interfaces in the current network have been configured with this IP address.

Net Detective®

Unless you are an expert in using routers and switches, you might enter a command, have it not work, and not immediately know what you did wrong. We have tried to bridge that gap with Net Detective®. There are several hundred commands that Net Detective monitors. If something does not work properly, clicking on the Net Detective button may prove be helpful. For example, if you are unsuccessful in trying to ping between 2600 A and 2600 B, Net Detective® will provide a several suggestions as to what is possibly wrong.

440 EIGRP

We know that Network 172.16.0.0 is in the routing table. Maybe #2 is true. Ok, I found it. The AS number for 2811 Router A is wrong. Change it from 15 to 10.

8. First, remove router eigrp 15 and put the correct command in.

2811A(config)#no router eigrp


(We forgot to put 15 in the command. Try again)

2811A(config)#no router eigrp 15




2811A#

9. Now the ping should work. Go to 2621 Router A and ping interface f 0/1 on 2621 Router B.

2621A#ping 172.16.50.1



!!!!!


Lab 3.2: Verifying EIGRP RoutingSince EIGRP has a better administrative distance then IGRP and RIP, all the routing tables should have EIGRP found routes (D). Use the show ip route command and other EIGRP show commands to verify EIGRP.


2621A#show ip route




Network Layout

Work with the saved network that you used in Lab 3.1.

Lab 3.2: Verifying EIGRP Routing 441







D 172.16.30.0 [90/2172416] via 172.16.20.1, 02:20:56, Serial0/0


D 172.16.50.0 [90/2172416] via 172.16.20.1, 02:20:56, Serial0/0


D 172.16.10.0 [90/2172416] via 172.16.20.1, 02:20:56, Serial0/0

2621A#

Notice the routes that begin with D. These are EIGRP routes.



Routing Protocol is "eigrp 10"





EIGRP metric weight K1=1, K2=0, K3=1, K4=0, K5=0

EIGRP maximum hop count 100

EIGRP maximum metric variance 1

Redistributing: eigrp 10


Maximum path: 4


172.16.0.0



172.16.20.1 90 02:23:05

Distance: internal 90 external 170

2621A#

Based on this output, we can see that EIGRP is enabled for autonomous system 10 and that the K values are set to their defaults. The variance is 1, so only equal-cost load balancing will be performed. Automatic summarization is on. We can also see that EIGRP is advertising for one network and that it sees one neighbor.

442 EIGRP

3. From the 2621 Router B, use the show ip route command to verify the routing table.

2621B#show ip route

[output cut]



D 172.16.40.0 [90/2172416] via 172.16.30.1, 02:22:00, Serial0/0


D 172.16.20.0 [90/2172416] via 172.16.30.1, 02:22:00, Serial0/0

D 172.16.10.0 [90/2172416] via 172.16.30.1, 02:22:00, Serial0/0

2621B#


2811A#show ip route

[output cut]



D 172.16.40.0 [90/2172416] via 172.16.20.2, 00:20:55, Serial0/1/1

D 172.16.50.0 [90/2172416] via 172.16.30.2, 00:20:55, Serial0/0/1



2811A#

5. From 2621 Router A, use the show ip eigrp neighbors command to see the EIGRP neighbor table. This table holds information about the router’s directly connected neighbors.

2621A#show ip eigrp neighbor

IP-EIGRP neighbors for process 10

H Address Interface Hold Uptime SRTT RTO Q Seq Type

(sec) (ms) cnt Num

0 172.16.20.1 S0/0 12 02:28:04 20 200 0 1

2621A#

In the above output, H indicates the order in which the neighbor was discovered. The hold time is how long this router will wait for a Hello packet to arrive from a specific neighbor. The uptime indicates how long the neighbor relationship has been established. The SRTT field is the smooth round-trip timer, which is an indication of the time it takes for a round-trip from this router to its neighbor and back. This value is used to determine how long to wait after a multicast for a reply from this neighbor. If a reply is not received, this router will switch to using unicasts to attempt to complete the communication. The time between multicast attempts is specified by the Retransmission Time Out (RTO) field,

Lab 3.2: Verifying EIGRP Routing 443

which is itself based upon the SRTT values. The Q value indicates whether there are any outstanding messages in the queue; consistently large values would indicate a problem. And finally the Seq field indicates the sequence number of the last update from that neigh-bor, which is used to maintain synchronization and avoid duplicate or out-of-sequence processing of messages.

6. From the 2621 Router A, use the show ip route eigrp. This command gives you a quick picture of the EIGRP routes. If a route does not appear in the routing table, verify the source of the route. If the source is functioning properly, check the topology table. The routing table from the perspective of 2621 Router A looks like this:

2621A#show ip route eigrp


D 172.16.30.0 [90/2172416] via 172.16.20.1, 00:00:49, Serial0/0

D 172.16.50.0 [90/2172416] via 172.16.20.1, 00:00:49, Serial0/0

D 172.16.10.0 [90/2172416] via 172.16.20.1, 00:00:49, Serial0/0

2621A#

Notice that most EIGRP routes are indicated with simply a D designation and that the administrative distance of these routes is 90. This represents internal EIGRP routes. If a route has a D EX designation, this would indicate that it is an external EIGRP route, which implies that the route was introduced into EIGRP via redistribution.

7. From the 2621 Router A, use the show ip eigrp topology command to see the EIGRP topology table. This table shows the entire network as 2621 Router A understands it. If the route is not in the topology table, it is safe to assume that there is a problem between the topology database and the routing table. There must be a reason the topology data-base is not injecting the route into the routing table.

2621A#show ip route eigrp topology

IP-EIGRP Topology Table for AS(10)/ID(172.16.20.2)

Codes: P - Passive, A - Active, U - Update, Q - Query, R - Reply,

r - reply Status, s - sia Status

P 172.16.30.0/24, 1 successors, FD is 2172416

via 172.16.20.1 (2172416/28160), Serial0/1/1


via Connected, FastEthernet0/0


via 172.16.20.1 (2172416/28160), Serial0/1/1


via Connected, Serial0/0


via 172.16.20.1 (2172416/28160), Serial0/1/1

2621A#

444 EIGRP

Notice that every route is preceded by a P; this indicates that the route is in the passive state, which is good. Routes in the active state indicate that the router has lost its path to this network and is searching for a replacement. Each entry also indicates the feasible distance, or FD, to each remote network and the next-hop neighbor through which pack-ets will travel to this destination. Each entry also has two numbers in brackets ( ), the first indicating the feasible distance and the second the advertised distance to a remote network.

Additionally, if you want to find out about any secondary route (feasible successor route) to another network, you can use the show ip eigrp topology command.

8. From 2621 Router A, use the show ip eigrp traffic command to see if updates are being sent. If the counters for EIGRP input and output packets don’t increase, no EIGRP information is being sent between peers.

The following output indicates that 2621A is experiencing normal traffic.

2811A#show ip eigrp traffic

IP-EIGRP Traffic Statistics for process 10

Hellos sent/received: 640/279

Updates sent/received: 3/1

Queries sent/received: 0/0

Replies sent/received: 0/0

Acks sent/received: 5/7

Input queue high water mark 1, 0 drops

SIA-Queries sent/received: 0/0

SIA-Replies sent/received: 0/0

2811A#

9. From 2621 Router A, use the show ip eigrp events command. This command dis-plays a log of every EIGRP event—when routes are injected and removed from the routing table and when EIGRP adjacencies reset or fail. This information can be used to see if there are routing instabilities in the network. Be cautioned that this command displays a substantial amount of information in even the simplest configurations.

2621A#show ip eigrp events

Event information for AS 10:

1 15:49:03.848 Change queue emptied, entries: 1

2 15:49:03.848 Metric set: 172.16.30.0/24 2707456

3 15:49:03.848 Update reason, delay: new if 4294967295

4 15:49:03.848 Update sent, RD: 172.16.30.0/24 4294967295

5 15:49:03.848 Update reason, delay: metric chg 4294967295

6 15:49:03.848 Update sent, RD: 172.16.30.0/24 4294967295

7 15:49:03.848 Route install: 172.16.30.0/24 172.16.20.1

8 15:49:03.848 Find FS: 172.16.30.0/24 4294967295

Lab 3.3: Configuring EIGRP Wild Card Masks 445

9 15:49:03.848 Rcv update met/succmet: 2707456 2195456

10 15:49:03.848 Rcv update dest/nh: 172.16.30.0/24 172.16.20.1

11 15:49:03.848 Metric set: 172.16.30.0/24 4294967295

[output cut]

All of the commands covered in this lab are intended to be used by the system adminis-trator when troubleshooting a problem in the network.

Lab 3.3: Configuring EIGRP Wild Card MasksCisco added the wild card mask or inverse mask feature to EIGRP in IOS version 12.0(4). EIGRP wild card masks are similar to the OSPF implementation. The addition of wild card masks to the EIGRP configuration suite gives network administrators more administrative control. Wild card masks allow network administrators to easily designate which routed interfaces will or will not participate in EIGRP routing advertisements.

In this lab, configure EIGRP wild card masks on each router.

Lab StepsAny previous EIGRP configuration needs to be removed before configuring EIGRP with wild card masks.

1. Configure wild card masks on 2811 Router A.

2811A#config t



2811A(config-router)#network 172.16.10.1 0.0.0.0




2811A(config)#exit


Network Layout


446 EIGRP

The commands: network 172.16.10.1 0.0.0.0, network 172.16.20.1 0.0.0.0, and network 172.16.30.1 0.0.0.0 tell the EIGRP process to advertise the interfaces 172.16.10.1, 172.16.20.1, and 172.16.30.1. The wildcard mask of 0.0.0.0 tells the EIGRP process to match all four octets exactly.

2. Configure wild card masks on 2621 Router A.

2621A#config t






2621A(config)#exit


The commands: network 172.16.20.0 0.0.0.255, and network 172.16.40.0 0.0.0.255 tell the EIGRP process to look for and advertise interfaces configured with network 172.16.20 or 172.16.40 in the first three octets, and any value in the last octet.

3. Configure wild card masks on 2621 Router B.

2621B#config t

2621B(config)#no router eigrp 10


2621B(config-router)#network 172.0.0.0 0.255.255.255

2621B(config-router)#exit

2621B(config)#exit


The command: 172.0.0.0 0.255.255.255 tells the EIGRP process to look for and advertise any interface configured with network 172 in the first octet, and any value in the last three octets.

Lab 3.4: Verifying EIGRP Wild Card Mask ConfigurationsThis lab will provide you with the commands to verify EIGRP wild card mask configurations.

Lab 3.4: Verifying EIGRP Wild Card Mask Configurations 447

Lab Steps

1. At this point, your network should have converged. Issue the show ip route command on each router.

2811A#show ip route



D 172.16.40.0 [90/2172416] via 172.16.20.2, 00:03:07, Serial0/1/10

D 172.16.50.0 [90/2172416] via 172.16.30.2, 00:03:07, Serial0/0/



2811A#

2621A#show ip route


D 172.16.30.0 [90/2172416] via 172.16.20.1, 00:33:19, Serial0/0


D 172.16.50.0 [90/2172416] via 172.16.20.1, 00:33:19, Serial0/0


D 172.16.10.0 [90/2172416] via 172.16.20.1, 00:33:19, Serial0/0

2621A#

2621B#show ip route



D 172.16.40.0 [90/2172416] via 172.16.30.1, 00:33:26, Serial0/0


D 172.16.20.0 [90/2172416] via 172.16.30.1, 00:33:26, Serial0/0

D 172.16.10.0 [90/2172416] via 172.16.30.1, 00:33:26, Serial0/0

2621B#

Network Layout

Load Standard Layout.rsm or whatever you named the file when you saved your work. You need a configured network in order to complete this lab.

448 EIGRP

2. Issue the show running-configuration command on each router to verify wild card mask configurations.

2811A#show run

[output cut]

!

router eigrp 10

network 172.16.10.1 0.0.0.0

network 172.16.20.1 0.0.0.0

network 172.16.30.1 0.0.0.0

!

[output cut]

2621A#show run

[output cut]

!

router eigrp 10

network 172.16.20.0 0.0.0.255

network 172.16.40.0 0.0.0.255

!

[output cut]

2621B# show run

[output cut]

!

router eigrp 10

network 172.0.0.0 0.255.255.255

!

[output cut]

3. Issue the show ip eigrp interfaces command to display interfaces configured within the EIGRP process.

2811A#show ip eigrp interfaces

IP-EIGRP interfaces for process 10

Xmit Queue Mean Pacing Time Multicast Pending

Interface Peers Un/Reliable SRTT Un/Reliable Flow Timer Routes

Fa0/0 0 0/0 0 0/1 0 0

Se0/0/1 0 0/0 0 0/1 0 0

Se0/1/1 0 0/0 0 0/1 0 0

2811A#

Lab 3.5: Configuring EIGRP Authentication 449

2621A#show ip eigrp interfaces




Fa0/0 0 0/0 0 0/1 0 0

Se0/0 0 0/0 0 0/1 0 0

2621A#

2621B#show ip eigrp interfaces




Fa0/1 0 0/0 0 0/1 0 0

Se0/0 0 0/0 0 0/1 0 0

2621B#

Lab 3.5: Configuring EIGRP AuthenticationEIGRP Authentication protects network routers from unauthorized access. Implementing EIGRP Authentication adds a layer of security to routing messages. Routing messages are shared among routers in a common autonomous system. Only routers configured with the appropriate authentication credentials will share routing updates. Pre-shared keys (PSKs) and Message Digest 5 (MD5) facilitate messages authen-tication between routers.

Typically, routers belonging to the same EIGRP autonomous system exchange routing updates without requiring message authentication. Routers in this lab will require message authentication before EIGRP routing updates are accepted. Pre-shared keys are configured from global configuration mode. Additionally, authentication will need to be configured on each interface.

Network Layout


450 EIGRP

Lab Steps

1. Issue the show ip route command on Routers 2811 A, 2621 A, and 2621 B. Make sure your network is completely converged.

2811A#show ip route



D 172.16.40.0 [90/2172416] via 172.16.20.2, 00:03:07, Serial0/1/10

D 172.16.50.0 [90/2172416] via 172.16.30.2, 00:03:07, Serial0/0/1


C 172.16.10.0 is directly connected, fastethernet0/0

2811A#

2621A#show ip route


D 172.16.30.0 [90/2172416] via 172.16.20.1, 00:33:19, Serial0/0


D 172.16.50.0 [90/2172416] via 172.16.20.1, 00:33:19, Serial0/0


D 172.16.10.0 [90/2172416] via 172.16.20.1, 00:33:19, Serial0/0

2621A#

2621B#show ip route



D 172.16.40.0 [90/2172416] via 172.16.30.1, 00:33:26, Serial0/0


D 172.16.20.0 [90/2172416] via 172.16.30.1, 00:33:26, Serial0/0

D 172.16.10.0 [90/2172416] via 172.16.30.1, 00:33:26, Serial0/0

2621B#

2. Configure a pre-shared key on 2811 Router A.

2811A#config t

2811A(config)#key chain securekey-2811A

2811A(config-keychain)#key 100

2811A(config-keychain-key)#key-string secure-eigrp-traffic

2811A(config-keychain-key)#exit

2811A(config-keychain)#exit

Lab 3.5: Configuring EIGRP Authentication 451

3. Configure a pre-shared key on 2621 Router A.

2621A#config t

2621A(config)#key chain securekey-2621A

2621A(config-keychain)#key 100

2621A(config-keychain-key)#key-string secure-eigrp-traffic

2621A(config-keychain-key)#exit

2621A(config-keychain)#exit

4. Configure a pre-shared key on 2621 Router B.

2621B#config t

2621B(config)#key chain securekey-2621B

2621B(config-keychain)#key 100

2621B(config-keychain-key)#key-string secure-eigrp-traffic

2621B(config-keychain-key)#exit

2621B(config-keychain)#exit

5. Configure interfaces on 2811 Router A with authentication.


2811A(config-if)#ip authentication mode eigrp 10 md5

2811A(config-if)#ip authentication key-chain eigrp 10 securekey-2811A








2811A(config)#exit

2811A# copy run start

6. Configure interfaces on 2621 Router A with authentication.








2621A(config)#exit


452 EIGRP

7. Configure interfaces on 2621 Router B with authentication.


2621B(config-if)#ip authentication mode eigrp 10 md5

2621B(config-if)#ip authentication key-chain eigrp 10 securekey-2621B

2621B(config-if)#int s0/0

2621B(config-if)#ip authentication mode eigrp 10 md5

2621B(config-if)#ip authentication key-chain eigrp 10 securekey-2621B


2621B(config)#exit



Lab 3.6: Verifying EIGRP AuthenticationThis lab will provide you with the commands to verify EIGRP Authentication.

Lab Steps

1. At this point, your network should have converged and message authentication should be in effect. Issue the show ip route command on each router.

2811A#show ip route



D 172.16.40.0 [90/2172416] via 172.16.20.2, 00:03:07, Serial0/1/10

D 172.16.50.0 [90/2172416] via 172.16.30.2, 00:03:07, Serial0/0/1



2811A#

2621A#show ip route


Network Layout


Lab 3.6: Verifying EIGRP Authentication 453

D 172.16.30.0 [90/2172416] via 172.16.20.1, 00:33:19, Serial0/0


D 172.16.50.0 [90/2172416] via 172.16.20.1, 00:33:19, Serial0/0


D 172.16.10.0 [90/2172416] via 172.16.20.1, 00:33:19, Serial0/0

2621A#

2621B#show ip route



D 172.16.40.0 [90/2172416] via 172.16.30.1, 00:33:26, Serial0/0


D 172.16.20.0 [90/2172416] via 172.16.30.1, 00:33:26, Serial0/0

D 172.16.10.0 [90/2172416] via 172.16.30.1, 00:33:26, Serial0/0

2621B#

2. Issue the show running-configuration command on each router to verify EIGRP Authentication.

2811A#show run

[output cut]

!

key chain securekey-2811A

key 100

key-string secure-eigrp-traffic

!

[output cut]

2621A# show run

[output cut]

!

key chain securekey-2621A

key 100


!

[output cut]

2621B# show run

[output cut]

!

key chain securekey-2621B

key 100


!

[output cut]

454 EIGRP

3. Issue the show key chain command to display all the configured key chains.

2811A#show key chain

Key-chain securekey-2811A:

key 100 -- text "secure-eigrp-traffic"

accept lifetime (always valid) - (always valid) [valid now]

send lifetime (always valid) - (always valid) [valid now]

2811A#

2621A#show key chain

Key-chain securekey-2621A:




2621A#

2621B#show key chain

Key-chain securekey-2621B:




2621B#

4. Issue the show ip eigrp interfaces detail command to display interfaces configu-rations.

2811A#show ip eigrp interfaces detail

[output cut]

Se0/0/1 0 0/0 0 0/1 0 0

Hello interval is 5 sec

Next xmit serial <none>

Un/reliable mcasts: 0/0 Un/reliable ucasts: 0/0

Mcast exceptions: 0 CR packets: 0 ACKs suppressed: 0

Retransmissions sent: 0 Out-of-sequence rcvd: 0

Authentication mode is md5, key-chain is "securekey-2811A"

Use unicast

[output cut]

2621A#show ip eigrp interfaces detail

[output cut]

Fa0/0 0 0/0 0 0/1 0 0




Lab 3.6: Verifying EIGRP Authentication 455



Authentication mode is md5, key-chain is "securekey-2621A"

Use unicast

[output cut]

2621B#show ip eigrp interfaces detail

[output cut]

Se0/0 0 0/0 0 0/1 0 0






Authentication mode is md5, key-chain is "securekey-2621B"

Use unicast

2621B#

The command displays the authentication mode and the name of the configured key chain.

5. Verify that 2621 Router B will not receive any routing updates if EIGRP Authentication is not configured correctly.

2621B#config t

2621B(config)# interface serial 0/0

2621B(config-if)#no ip authentication mode eigrp 10 md5

2621B(config-if)#no ip authentication key-chain eigrp 10


2621B(config)#exit

2621B#

6. Issue the show ip route command on 2621 Router B.

2621B#show ip route

[output cut]




2621B#

As you can see above, the routing table for 2621 Router B has no EIGRP routing entries. Without the correct authentication configured on an interface, 2621 Router B will never receive routing updates.

456 EIGRP

Lab 3.7: Configuring Advanced Commands with EIGRPThis section will have you configure a router with advanced EIGRP commands. Although the network used in this lab is too small to see any advantage to most of these commands, running through the commands on a router will help you become more familiar and com-fortable with the commands when used later in the Extended labs or when you build your own larger networks.

Unless set otherwise, the bandwidth on a serial interface is assumed to be T1 (1.544Kbps). In order to identify slower links, such as a 128K link, you must configure this manually. It is important that the bandwidth setting accurately reflect the actual bandwidth because it is one of the two elements used to calculate a route’s metric. Improperly set bandwidth statements will skew the route decisions made by EIGRP. Use the bandwidth command followed by the bandwidth in kilobits in interface configuration mode. The possible values are from 1 to 10,000,000. The following command sets the bandwidth to 512K:


Router(config-if)#bandwidth 512

The default for EIGRP is to use 50 percent of the available bandwidth per neighbor. This can be adjusted if you wish, by using the interface configuration command ip bandwidth-percent eigrp as percent, where percent indicates the percentage of band-width that EIGRP could potentially use. The following command configures EIGRP to use 40 percent of the available bandwidth per neighbor for autonomous system 10 on interface Serial 0/0:

2621A(config-if)#ip bandwidth-percent eigrp 10 40

In congested networks, it may also be necessary to increase the EIGRP hello-interval and hold-time so that neighbors do not mistakenly assume that an EIGRP neighbor has died when in fact there has simply been a delay in the arrival of Hello packets. The command to set the Hello interval is ip hello-interval eigrp as seconds; this indicates the number of seconds between transmissions of Hello packets. The command to set the hold timer is ip hold-time eigrp as seconds; this indicates how long to wait for a Hello packet before assuming that the neighbor has failed. In general, the hold time should be three times the

Network Layout

Work with the saved network that you used in Lab 3.5.

Lab 3.7: Configuring Advanced Commands with EIGRP 457

Hello interval. The hello-interval defaults to 60 seconds on NBMA media running at speeds of T1 or slower, and for all other networks, it defaults to 5 seconds. The hold-time defaults to 180 seconds on T1 or slower NBMA networks and 15 seconds on all other net-works. Both commands are entered under interface configuration mode, and the seconds parameter can range from 1 to 65535.

2621A(config-if)#interface fastethernet 0/0

2621A(config-if)#ip hello-interval eigrp ?

<1-65535> Autonomous system number

2621A(config-if)#ip hello-interval eigrp 10 ?

<1-65535> Seconds between hello transmissions

2621A(config-if)#ip hello-interval eigrp 10 100

2621A(config-if)#ip hold-time eigrp 10 ?

<1-65535> Seconds before neighbor is considered down

2621A(config-if)#ip hold-time eigrp 10 300

The commands above set the Hello interval to 100 seconds and the hold time to 300 seconds for EIGRP AS 10.

OSPF

Lab 4: Introduction to OSPFOSPF is an open standards routing protocol that has been implemented by a wide variety of network vendors, including Cisco. The easiest way to configure OSPF is simply to use a single area. We will also discuss OSPF DR and BDR Elections.


NN 4.1: Configuring Single Area OSPF

NN 4.2: Verifying Single Area OSPF

NN 4.3: OSPF Authentication

NN 4.4: Stub Area Configuration

NN 4.5: Totally Stub

NN 4.6: OSPF DR and BDR Elections

Lab 4.1: Configuring Single Area OSPFThis section will discuss the OSPF routing process.

OSPF an open standards routing protocol that has been implemented by a wide variety of network vendors, including Cisco. The benefit of an approach based on open standards is that equipment from multiple vendors can interoperate as long as their implementations are compliant with the appropriate Requests for Comments (RFCs). This does not mean that vendors are forced to restrict their implementations to only the features documented in the RFCs.

On the contrary, Cisco and others have added features to their versions of OSPF that may not be found in other vendors’ implementations. Knowing which features are standards based and which are proprietary becomes important when deploying multivendor OSPF networks.

NN Stands for open shortest path first

NN Uses the concept of an area, which is a grouping of contiguous OSPF networks and hosts

NN Is a link-state routing protocol

Lab 4.1: Configuring Single Area OSPF 461

NN Has no maximum hop count


NN Includes equal-cost multipath routing

NN Supports VLSM, summarization, and discontiguous networks

The easiest (and least scalable) way to configure OSPF is simply to use a single area, which requires a minimum of two commands.

This program only supports a single area OSPF network, which will always be area 0.

The command to activate the OSPF routing process is as follows:

2621A(config)#router ospf ?

<1-65535>

A value in the range 1 through 65535 identifies the OSPF Process ID, which is a unique number on this router that groups a series of OSPF configuration commands under a specific running process. Different OSPF routers do not have to use the same Process ID in order to communicate. It is purely a local value and is basically irrelevant. The only time an OPSF number would matter is when you have multiple OSPF Autonomous Systems (AS) connecting together on the same network.

This lab will be pretty simple as far as OSPF goes. We will start the process on each router, then configure the interfaces to be in OSPF area 0. This is much more complicated then any of the other routing protocols we have configured, but simple nonetheless for OSPF. However, since EIGRP has a better administrative distance then OSPF, we need to also disable the EIGRP routing processes on each router.

Network Layout

Work with the saved network that you have been using in section 3.

462 OSPF

Lab Steps

1. First, disable EIGRP on the 2621 Router A.

2621A#conf t

Enter configuration commands, one per line.

End with CNTL/Z.


2. Disable EIGRP on the 2621 B router.

2621B#conf t


End with CNTL/Z.

2621B(config)#no router eigrp 10

3. Disable EIGRP on the 2811 Router A.

2811A#conf t


End with CNTL/Z.


4. You will start the OSPF process by issuing the following command, as an example:

2621A(config)#router ospf 100

5. After starting the OSPF process (and disabling EIGRP on each router), you need to identify the interfaces on which to activate OSPF communications and the area in which each resides. This will also configure the networks you will advertise to others. This is achieved with the following command as an example:

2621A(config-router)#network 10.0.0.0 0.255.255.255 area ?

<0-4294967295> OSPF area ID as a decimal value

A.B.C.D OSPF area ID in IP address format

A 0 (zero) octet in the wildcard mask indicates that the corresponding octet in the net-work must match exactly. A 255, on the other hand, indicates that you do not care what the corresponding octet is in the network number. A network and wildcard mask combi-nation of 1.1.1.1 0.0.0.0 would match 1.1.1.1 only and nothing else. This is useful if you want to activate OSPF on a specific interface in a very clear and simple fashion. If you insist on matching a range of networks, the network and wildcard mask combination of 1.1.0.0 0.0.255.255 would match anything in the range 1.1.0.0–1.1.255.255. It’s simpler and safer to stick to using wildcard masks of 0.0.0.0 and identify each OSPF interface individually.

Lab 4.1: Configuring Single Area OSPF 463

Remember that OSPF routers will only become neighbors if their interfaces share a network that is configured to belong to the same area number. The format of the area number is either a decimal value from the range 0–4294967295 or a value represented in standard dotted-decimal notation. Area 0.0.0.0 is a legitimate area, for example, and is identical to area 0. Again, we only support area 0 in this module at this time.

Just a reminder, here are the router interface IP addresses for routers on the current network:


2621 A Serial 0/0 172.16.20.2

2621 A Fastethernet 0/0 172.16.40.1

2621 B Serial 0/0 172.16.30.2

2621 B Fastethernet 0/0 172.16.50.1

2811 A Serial 0/1/1 172.16.20.1

2811 A Serial 0/0/1 172.16.30.1

2811 A Fastethernet 0/0 172.16.10.1

6. Configure the 2621 Router A to advertise both directly connected networks with OSPF. The router ospf number does not matter; use whatever feels good to you. The number can even all be the same on all routers, or they can be different. In this lab we will use different numbers.


2621A(config-router)#network 172.16.20.2 0.0.0.0 area 0



Anatomy of a Command: Network 172.16.20.2 0.0.0.0 area 0

Network 172.16.20.2 0.0.0.0 area 0 - tells the OSPF process to advertise the interface 172.16.20.2 into area 0.

172.16.20.2—the network number

0.0.0.0—The wildcard mask of 0.0.0.0 tells the process to match each octet exactly.

0 - The final argument is the area number. It indicates the area to which the interfaces identified in the network and wildcard mask portion belong. It tells the OSPF process to advertise the interface 172.16.20.2 into area 0.

The combination of the two first two numbers identifies the interfaces that OSPF will operate on and that will also be included in its OSPF Link State Advertisements (LSA) advertisements.

464 OSPF

7. Configure 2621 Router B to advertise both directly connected networks with OSPF.

2621B(config)#router ospf 101

2621B(config-router)#network 172.16.30.2 0.0.0.0 area 0



Now, let us go over what we have configured on 2621 Router B. Please understand that all we are doing is advertising OSPF networks and this lab is showing the many ways to accomplish the same thing.

The command network 172.16.30.2 0.0.0.0 area 0 tells the OSPF process to advertise the interface 172.16.30.2 into area 0. The wildcard mask of 0.0.0.0 tells the process to match all four octets exactly.

The command network 172.0.0.0 0.255.255.255 area 0 tells the OSPF process to look for an interface configured with network 172 in the first octet, but the other three octets can be any value. Once found, place that interface in area 0. Now, understand that with this second command, the first command is really not needed; we just did it for fun! The network command 172.0.0.0 will find any interface that has an IP address that starts with 172 and put that in area 0.

Anatomy of a command: network 172.16.40.0 0.0.0.2555 area 0

Network 172.16.40.0 0.0.0.255 area 0—tells the router OSPF process to look for any interface in subnet 172.16.40.0 and advertise that in area 0.

172.16.40.0—the network number.

0.0.0.255—With a wildcard of 0.0.0.255, this tells the OSPF process to match the first three octets exactly, but the fourth octet value is irrelevant. We could have used this command as well: network 172.16.40.1 0.0.0.0 area 0, which is just another way to advertise the same interface, but is more precise. No difference in function on the router or OSPF.

0—The final argument is the area number. It indicates the area to which the interfaces identified in the network and wildcard mask portion belong. It tells the OSPF process to advertise the interface 172.16.40.0 into area 0.

The combination of the two first two numbers identifies the interfaces that OSPF will operate on and that will also be included in its OSPF Link State Advertisements (LSA) advertisements.

Lab 4.2: Verifying Single Area OSPF 465

8. Configure 2811 Router A to advertise all directly connected networks with OSPF.







Lab 4.2: Verifying Single Area OSPFThis lab describes several ways to verify proper OSPF configuration and operation.

1. The show ip ospf command is used to display OSPF information for one or all OSPF processes running on the router. Information contained therein includes the Router ID, area information, SPF statistics, and LSA timer information. Here is a sample output from 2621 Router A:

2621A#sho ip ospf

Routing Process "ospf 100" with ID 172.16.40.1

Network Layout


466 OSPF

Supports only single TOS(TOS0) routes

SPF schedule delay 5 secs, Hold time between two SPFs 10 secs

Minimum LSA interval 5 secs. Minimum LSA arrival 1 secs

Number of external LSA 0. Checksum Sum 0x0

Number of DCbitless external LSA 0

Number of DoNotAge external LSA 0

Number of areas in this router is 1. 1 normal 0 stub 0 nssa

External flood list length 0

Area BACKBONE(0) (Inactive)

Number of interfaces in this area is 2

Area has no authentication

SPF algorithm executed 7 times

Area ranges are

Number of LSA 7. Checksum Sum 0x2E2A0

Number of DCbitless LSA 0

Number of indication LSA 0

Number of DoNotAge LSA 0

Flood list length 0

2621A#

2. The information displayed by the show ip ospf database command indicates the number of links and the neighboring Router ID. The output is broken down by area. Here is a sample output from 2621 Router A:

2621A#show ip ospf database

OSPF Router with ID (172.16.40.1) (Process ID 100)

Router Link States (Area 0)

Link ID ADV Router Age Seq# Checksum Link count

172.16.50.1 172.16.50.1 475 0x80000003 0x0030F9 3

172.16.40.1 172.16.40.1 475 0x80000003 0x0030F9 3

172.16.30.1 172.16.30.1 475 0x80000003 0x0030F9 3

2621A#

3. The show ip ospf interface command displays all interface-related OSPF information. Data is displayed about OSPF information for all interfaces or for specified interfaces. Information includes the interface IP address, area assignment, Process ID, Router ID, network type, cost, priority, DR/BDR (if applicable), timer intervals, and adjacent neigh-bor information. Here is a sample output:

2621A#show ip ospf interface


Internet Address 172.16.40.1/24, Area 0

Process ID 100, Router ID 172.16.40.1, Network Type BROADCAST, Cost: 1

Lab 4.2: Verifying Single Area OSPF 467

Transmit Delay is 1 sec, State DR, Priority 1

Designated Router (ID) 172.16.40.1, Interface address 172.16.40.1

No backup designated router on this network

Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5

oob-resync timeout 40

Hello due in 00:00:06

Index 2/2, flood queue length 0

[output cut]



Process ID 100, Router ID 172.16.40.1, Network Type POINT_TO_POINT, Cost: 64

Transmit Delay is 1 sec, State POINT_TO_POINT,


oob-resync timeout 40


[output cut]

2621A#

Notice in the above output that the hello timer is set to 10 seconds and the dead timer is set to 40. If two or more routers are connected together, the timers must be set exactly the same. By looking at line three of the show ip ospf interface command, you can see the OSPF network type.

4. The show ip ospf neighbor command is very useful. It summarizes the pertinent OSPF information regarding neighbors and the adjacency state. If a DR or BDR exists, that information is also displayed. Here is an output from 2621 Router A:

2621A#show ip ospf neighbor

Neighbor ID Pri State Dead Time Address Interface

172.16.30.1 1 FULL/BDR 00:00:36 172.16.20.1 Serial0/0

2621A#

OSPF network types

NN Point-to-Point

NN Broadcast

NN Point-to-Multipoint

NN Nonbroadcast

NN Point-to-Multipoint Nonbroadcast

468 OSPF

5. The show ip protocols command is useful whether you are running OSPF, EIGRP, IGRP, RIP, BGP, ISIS, or any other routing protocol you can configure on your router. It provides an excellent overview of the actual operation of all currently running protocols.

2621A#show ip protocols

Routing Protocol is "ospf 100"



Router ID 172.16.40.1


Maximum path: 4

Routing for Networks:

172.16.20.2 0.0.0.0 area 0

172.16.40.0 0.0.0.255 area 0

Routing Information Sources:


172.16.30.1 110 00:00:29

172.16.50.1 110 00:00:29

Distance: (default is 110)

2621A#

6. Based upon this output, you can determine the OSPF Process ID, OSPF Router ID, type of OSPF area, networks and areas configured for OSPF, and OSPF Router IDs of neighbors.

Lab 4.3: OSPF AuthenticationOSPF supports different methods of authentication. Authentication can be configured to pass the authentication key in clear text or encrypted. You will configure both methods of authentication in this lab. Additionally, when configuring an encrypted key, you can specify a single key or, by assigning numbers to keys, specify a series of keys.

2811 Router A has interfaces in both Area 0 and Area 1. 2811 Router B has an interface in Area 0 directly connected to 2811 Router A. 2811 Router C has an interface in Area 0 directly connected to 2811 Router A. 2811 Router D has an interface in Area 1 directly connected to 2811 Router A. For both the 2811 Router A - 2811 Router B and 2811 Router A - 2811 Router C connections you will configure message digest authentication. For the 2811 Router A - 2811 Router C connection you will configure a key list. For the 2811 Router A - 2811 Router D connection you will configure clear text authentication.

Network Layout: Load OSPF Authentication Layout.rsm before going through the fol-lowing lab.



Lab 4.3: OSPF Authentication 469

3. Click on the file OSPF Authentication Layout.rsm and click Open. You should see the following network:

Lab Steps

1. Bring up the console for 2811 Router A. After the console screen comes up set the:

Hostname

IP Address

OSPF Parameters Router#config t



2811A(config-if)#ip add 10.1.0.1 255.255.255.0

470 OSPF



2811A(config-if)#ip add 10.2.0.1 255.255.255.02811A(config-if)#no shut


2811A(config-if)#ip add 172.16.1.1 255.255.255.0


2811A(config-if)#router ospf 25




2. Bring up the console for 2811 Router B. After the console screen comes up set the:

Hostname

IP Address


Router(config)#hostname 2811B2811B(config)#int f0/1

2811B(config-if)#ip add 10.1.0.2 255.255.255.0


2811B(config-if)#router ospf 25


3. Bring up the console for 2811 Router C. After the console screen comes up set the:

Hostname

IP Address



2811C(config)#int f0/0

2811C(config-if)#ip add 10.2.0.2 255.255.255.0


2811C(config-if)#router ospf 25

2811C(config-router)#network 10.2.0.2 0.0.0.0 area 0

4. Bring up the console for 2811 Router D. After the console screen comes up set the:

Hostname

IP Address



2811D(config)#int s0/0/0

Lab 4.3: OSPF Authentication 471

2811D(config-if)#ip add 172.16.1.2 255.255.255.0

2811D(config-if)#no shut

2811D(config-if)#router ospf 25

2811D(config-router)#network 172.16.1.2 0.0.0.0 area 1

Rename and Save Your File: Make sure you save the actual network layout file that you have been working with. You might want to save it to another file name than OSPF Authentication Layout.rsm This allows you to start over with your initial, non-configured network if you wish.

There are two ways you can save a network layout. The first way is by clicking on the Diskette button on the button bar, at the top of the Network Visualizer screen. You can also click File on the menu and choose Save from the drop down menu.

5. On 2811 Router A, confirm that 2811 Router A has an OSPF neighbor relationship with 2811 Router B, 2811 Router C and 2811 Router D.2811A(config-router)#ctrl+z



172.16.1.2 1 FULL/ - 00:00:36 172.16.1.2 Serial0/0/0

472 OSPF

10.2.0.2 1 FULL/BDR 00:00:36 10.2.0.2 FastEthernet0/0


6. You will now configure authentication on 2811 Rouer A only. You will configure mes-sage-digest authentication for area 0 and plain text authentication for area 1. You will then confirm that all neighbor relationships have closed as expected (authentication is not configured on any other routers)2811A#config t


2811A(config-router)#area 0 authentication message-digest

2811A(config-router)#area 1 authentication

2811A(config-router)#int f0/1

2811A(config-if)#ip ospf authentication-key 0 cisco


2811A(config-if)#ip ospf message-digest-key 1 md5 0 cisco1

2811A(config-if)#ip ospf message-digest-key 2 md5 0 cisco2


2811A(config-if)#ip ospf authentication-key 0 cisco3



2811A#

7. Now you will configure authentication on the other routers then confirm that the neighbor relationships have been re-established.2811B(config-router)#exit


2811B(config-router)#area 0 authentication message-digest

2811B(config-router)#int f0/1

2811B(config-if)#ip ospf authentication-key 0 cisco


2811C(config-router)#exit

2811C(config)#router ospf 25

2811C(config-router)#area 0 authentication message-digest

2811C(config)#int f0/0

2811C(config-if)#ip ospf message-digest-key 1 md5 0 cisco1

2811C(config-if)#ip ospf message-digest-key 2 md5 0 cisco2


Lab 4.4: Stub Area Configuration 473

2811D(config-router)#exit

2811D(config)#router ospf 25

2811D(config-router)#area 1 authentication


2811D(config-if)#ip ospf authentication-key 0 cisco3


8. On 2811 Router A, confirm that 2811 Router A has an OSPF neighbor relationship with 2811 Router B, 2811 Router C and 2811 Router D.2811A#show ip ospf neighbor


172.16.1.2 1 FULL/ - 00:00:36 172.16.1.2 Serial0/0/0



Lab 4.4: Stub Area ConfigurationSince the main purpose of having stub areas is to keep such areas from carrying external routes, we need to review some design guidelines before configuring a stub area or a totally stubby area:

Area 0 (the backbone area) cannot be made a stub area.Since autonomous system boundary routers inject external routes, do not make any area

containing an ASBR a stub area.Since routers within a stub area use a default route to get out of the stub area, typically

there is only one route out of the stub area. Therefore, a stub area should usually only con-tain a single area border router. Keep in mind that since a default route is being used, if a stub area contains more than one ABR, a non-optimal path may be used.

If you decide to make a particular area a stub area, be sure to configure all the routers in the area as stubby. If a router within a stub area has not been configured as stubby, it will not be able to correctly form adjacencies and exchange OSPF routes.

The following are some benefits of a stub area configuration:

Smaller Link State Database

Reduction in the size of the routing table

Reduction in CPU processing for link state advertising

Automatic creation of default gateway

474 OSPF

With the guidelines in mind, let’s examine a sample configuration for a stub area. We are going to make Area 2 a stub area.Let’s review some key elements of our stub area con-figuration example:

The syntax to make a router stubby is [area area-id stub].All routers that are part of Area 2 are configured as stubby.Area 2 has only one ABR (i.e., only one path out of the area).The ABR used the area area-id stub command only for Area 2, not for Area 0, which is

not stubby.Network Layout: Work with the saved network that you used to configure devices in

lab 4.1.

Lab Steps

1. Configure 2811 Router A to be stubby:2811A#config t


End with CNTL/Z.

2811A(config)# router ospf 102

2811A(config-router)#area 2 stub


2. Configure 2621 Router B to be stubby:2621B#config t


End with CNTL/Z.


2621B(config-router)#area 2 stub


3. Verify your stub configurations on routers 2811 A, and 2621 B.2811A#show ip ospf

Routing Process “ospf 102” with ID 172.16.30.1


It is an area border router








Lab 4.4: Stub Area Configuration 475

[output cut]

Area 1

[output cut]

Area 2


It is a stub area



Area ranges are





Flood list length 0

2811A#

2621B#show ip ospf










Area 2


It is a stub area

[output cut]

2621B#

As you can see, area 2 is now a stub area on both routers.

4. Issue the show ip route to verify that the routing table now has a gateway of last resort set.2621B#show ip route

Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP



E1 - OSPF external type 1, E2 - OSPF external type 2

476 OSPF

i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2

ia - IS-IS inter area, * - candidate default, U - per-user static route

o - ODR, P - periodic downloaded static route


O IA 172.16.20.0/24 [110/128] via 172.16.30.1, 00:00:15, Serial0/0

O IA 172.16.10.0/24 [110/129] via 172.16.30.1, 00:00:15, Serial0/0

O IA 172.16.40.0/24 [110/65] via 172.16.30.1, 00:00:15, Serial0/0




O*IA 0.0.0.0/0 [110/65] via 172.16.30.1, 00:00:15, Serial0/0

2621B#

As you can see, a gateway of last resort has automatically been added to the routing table.

5. Issue the show run command on router 2811 A and 2621 B to verify the stubby c onfiguration.

Lab 4.5: Totally StubUsing the same network topology as we had for the stub area configuration lets examine how to make Area 2 a totally stubby area. Remember, the only difference between a stub area and a totally stubby area is that totally a stubby area does not allow summary routes to be injected into it.

The following are some benefits of a totally stub area configuration:

Smaller Link State Database

Reduction in the size of the routing table

Reduction in CPU processing for link state advertising

Automatic creation of default gateway Network Layout: Work with the saved network that you used to configure devices in

lab 4.4.

Lab Steps

1. Issue the show ip route command on 2621 Router B.2621B.#show ip route




Lab 4.5: Totally Stub 477






O IA 172.16.20.0/24 [110/128] via 172.16.30.1, 00:00:15, Serial0/0

O IA 172.16.10.0/24 [110/129] via 172.16.30.1, 00:00:15, Serial0/0

O IA 172.16.40.0/24 [110/65] via 172.16.30.1, 00:00:15, Serial0/0




O*IA 0.0.0.0/0 [110/65] via 172.16.30.1, 00:00:15, Serial0/0

2621B#

As you can see, the routing table still has routes flagged with “O IA”, OSPF inter area routes. The routing table should look like this for now.

2. Configure OSPF area 2 on the 2811 Router A (ABR) router to be totally stubby:2811A#config t


End with CNTL/Z.


2811A(config-router)#area 2 stub no-summary


The totally stubby configuration only needs to be made on our (ABR) router 2811 A.

3. Issue the show ip ospf command to verify your totally stubby configurations on 2811 Router A.2811A#show ip ospf



It is an area border router








[output cut]

Area 2

478 OSPF


It is a stub area, no summary LSA in this area


[output cut]

2811A#

As you can see, area 2 is not allowing summary routes into the stub area.

4. Issue the show ip route command on 2621 Router B.2621B.#show ip route












O*IA 0.0.0.0/0 [110/65] via 172.16.30.1, 00:01:33, Serial0/0

2621B#

You can now see that the routing table no longer has routes flagged with “O IA”, OSPF inter area routes. The routing table only displays directly connected interfaces and a gateway of last resort. As you can see the routing table is noticeable smaller.

5. Issue the show run command on 2811 Router A to verify the totally stubby configura-tion.

Lab 4.6: OSPF DR and BDR ElectionsThis lab will have you work with the lab OSPF DR and BDR Election layout to watch the DR and BDR elections on the 10.10.10.0 network, by forcing and verifying the election pro-cess. Remember that elections occur on broadcast and non-broadcast multi-access networks only. This means we need a LAN to run this lab, as shown in the network layout .

Lab 4.6: OSPF DR and BDR Elections 479

Network Layout: Load the network layout file, OSPF DR and BDR Elections Layout.rsm.

Lab Steps

1. Double-click 2621 Router A in order to bring up the console screen.

2. Configure the hostname.Router>enable

Router#config t


3. Configure the router with OSPF.2621A(config)#router ospf 1


4. Configure interface Fa0/0 for 2621 Router A.2621A(config)#int f0/0

2621A(config-if)#ip add 10.10.10.1 255.255.255.0




480 OSPF

5. Use the menu to change to the console for 2621 Router B.


Router#config t


7. Configure the router with OSPF.2621B(config)#router ospf 1


8. Configure interface Fa0/0 for 2621 Router B.2621B(config)#int f0/0

2621B(config-if)#ip add 10.10.10.3 255.255.255.0




9. Use the menu to change to the console for 2811 Router A.


Router#config t


11. Configure the router with OSPF.2811A(config)#router ospf 1


12. Configure interface Fa0/0 for the 2811 A router.2811A(config)#int f0/0

2811A(config-if)#ip add 10.10.10.2 255.255.255.0




13. Use the menu to change to the console for 2811 Router B.


Router#config t


Lab 4.6: OSPF DR and BDR Elections 481

15. Configure the router with OSPF2811B(config)#router ospf 1


16. Configure interface Fa0/0 for 2811 Router B.2811B(config)#int f0/0

2811B(config-if)#ip add 10.10.10.4 255.255.255.0




17. On 2621 Router A verify the RID of your router. Use the show ip ospf command on the router to gather this information.2621A#show ip ospf














Area ranges are





Flood list length 0

2621A#

18. Enter the command show ip ospf interface fa0/0 to verify area ID, DR, BDR informa-tion and the hello and dead timers of the interface connected to the 10.1.1.0 network.2621A#show ip ospf interface fa0/0




Transmit Delay is 1 sec, State DROTHER, Priority 1

Designated Router (ID) 10.10.10.4 , Interface address 10.10.10.4

482 OSPF

Backup Designated router (ID) 10.10.10.3 , Interface address 10.10.10.3




Next 0x0(0)/0x0(0)

Last flood scan length is 0, maximum is 0

Last flood scan time is 0 msec, maximum is 0 msec

Neighbor Count is 3, Adjacent neighbor count is 3

Adjacent with neighbor 10.10.10.3(Backup Designated Router)

Adjacent with neighbor 10.10.10.2(Other Designated Router)

Adjacent with neighbor 10.10.10.4(Designated Router)

Suppress hello for 0 neighbor(s)

2621A#

19. By looking at the show ip ospf interface fa0/0 output, which router is the DR? Which router is the BDR?

20. Verify the network type of your router. Since the connection is on an Ethernet LAN, the Network Type is BROADCAST. What would the Network Type be if you were viewing a serial connection? Answer: point-to-point.

21. he priority of all routers, by default, is 1. If you were to change the priority to 0, then the router would never participate in the election process for the LAN (remember that elections do not occur on serial point-to-point links).

22. Change the priority of a router that you choose to become the new DR. Choose any router that is not the DR at this moment.

23. Enable the debugging process that allows you to see the DR and BDR election take place. Use the command debug ip ospf adjacency on the router that will become the DR.

24. For the router that was chosen to become the new DR, set your priority of the FastEthernet 0/0 interface to 3. Here is how you do that:config t

int fa0/0

ip ospf priority 3

25. Now shut down all the Fa0/0 interfaces of all four routers.

26. Now enable all four routers fa0/0 interfaces with the no shut command.

27. The election should take place and the router you have chosen with the highest priority should now be the DR.

28. Type show ip ospf interface fa0/0 to verify the DR and BDR information.

29. Hopefully you also noticed the debug output of the election process.

30. The priority of a routers interface can be set all the way up to 255. However, if the priority is set to 255, the DR/BDR can never be formed.

Virtual LANs (VLANs)

Lab 5: Introduction to Virtual LANs

VLANs is a group of hosts that are (logically) connected, regardless of their (physical) LAN segment location. This allows you to specify where packets are transmitted instead of them being seen by every device. VLAN configuring is accomplished through software configura-tions which makes it easy to add or move a single host or group hosts when needed. VLANs create smaller broadcast domains, thus reducing broadcast collisions and increasing the effi-ciency of your network resources. Easily managing your network, adding security, and the future growth of your network can be addressed by the use of VLANs.

This section will cover VLANs configured for the 1900, 3550, and 3560 switches. The labs covered in this section include:

NN 5.1: Configuring VLANs on a 1900 Switch

NN 5.2: Configuring the 1900 Switch

The labs above are for the 1900 switch, which is not a switch used in the Standard Layout, but is included for your educational purpose. The 1900 switch is an older switch and is end-of-life from Cisco®.


NN 5.4: Configuring Trunk Ports/VTP Domain a 3550 Switch


NN 5.6: Configuring Trunk Ports/VTP Domain on a 3560 Switch

NN 5.7: Intra and InterVLAN Routing

The commands used in this section are described below:

Command Description

delete vtp Deletes VTP configurations from a switch

encapsulation isl 2 Sets ISL routing for VLAN 2

Lab 5.1: Configuring VLANs on a 1900 Switch 485

Command Description

int f0/0.1 Creates a subinterface

interface e0/5 Configures Ethernet interface 5

interface f0/26 Configures FastEthernet 26

show trunk A Shows the trunking status of port 26

show trunk B Shows the trunking status of port 27

show vlan Shows all configured VLANs

show vlan-membership Shows all port VLAN assignments

show vtp Shows the VTP configuration of a switch

trunk auto Sets the port to auto trunking mode

trunk on Sets a port to permanent trunking mode

vlan 2 name Sales Creates a VLAN 2 named Sales

vlan-membership static 2 Assigns a static VLAN to a port

vtp client Sets the switch to be a VTP client

vtp domain Sets the domain name for the VTP configuration

vtp server Sets the switch to be a VTP server

Lab 5.1: Configuring VLANs on a 1900 SwitchConfiguring VLANs is the easy part of the job. It is trying to understand which users you want in each VLAN that is time consuming. Once you have decided the number of VLANs you want to create and the users that will be members of each VLAN, you can create your VLAN. You can create up to 64 VLANs on a 1900 switch.

486 Virtual LANs (VLANs)

Lab Steps

1. Double-click 1900 Switch A in order to bring up the console screen.

2. To configure VLANs on the 1900 series switch, choose “k” from the initial user inter-face menu to get into IOS configuration. The following switch output is the console display when connecting to a 1900 switch. Press “k” to enter the CLI mode, and enter global configuration mode using the enable command and then config t.


User Interface Menu

[M] Menus

[K] Command Line

Enter Selection: k

Network Layout

Load 1900 Switch Layout.rsm before going through the following lab.



3. Click on the file 1900 Switch Layout.rsm and click Open.




3. To configure VLANs on an IOS-based switch, use the vlan [vlan#] name [vlan name] command. The following will demonstrate how to configure VLANs on the switch by creating three VLANs for three different departments.

>en

#config t


(config)#hostname1900A

1900A(config)#vlan 2 name sales

1900A(config)#vlan 3 name marketing

1900A(config)#vlan 4 name mis

1900A(config)#exit

4. After you create the VLANs that you want, you can use the show vlan command to see the configured VLANs. However, notice that by default all ports on the switch are in VLAN 1. To change the VLAN associated with a port you need to go to each interface and tell it what VLAN to be a member of.

Once the VLANs are created, verify your configuration with the show vlan command (sh vlan for short).

1900A#sh vlan

VLAN Name Status Ports

--------------------------------------

1 default Enabled 1-12,A,B,AUI

2 sales Enabled

3 marketing Enabled

4 mis Enabled

1002 fddi-default Suspended

1003 token-ring-defau Suspended

1004 fddinet-default Suspended

1005 trnet-default Suspended

--------------------------------------

[output cut]

5. You can configure each port to be in a VLAN by using the vlan-membership command. You can only configure VLANs one port at a time. There is no command to assign more than one port to a VLAN at a time with the 1900 switch. In the following example, we configure interface 2 to VLAN 2, interface 4 to VLAN 3, and interface 5 to VLAN 4.

1900A#config t




1900A(config-if)#vlan-membership ?

dynamic Set VLAN membership type as dynamic

static Set VLAN membership type as static

1900A(config-if)#vlan-membership static ?

<1-1005> ISL VLAN index

1900A(config-if)#vlan-membership static 2

1900A(config-if)#int e0/4





1900A(config)#exit

6. Now, type show vlan again to see the ports assigned to each VLAN.

1900A#sh vlan


--------------------------------------

1 default Enabled 1,3,6-12,A,B,AUI

2 sales Enabled 2

3 marketing Enabled 4

4 mis Enabled 5





--------------------------------------

[output cut]

7. Another command you can use to see the ports assigned to a VLAN is show vlan-membership. Notice that this command shows each port on the switch, which VLAN the port is a member of, and the membership type (static or dynamic).

1900A#sh vlan-membership

Port VLAN Membership Type Port VLAN Membership Type

----------------------------- -----------------------------

1 1 Static

2 2 Static

3 1 Static

4 3 Static

5 4 Static


6 1 Static

7 1 Static

8 1 Static

9 1 Static

10 1 Static

11 1 Static

12 1 Static

AUI 1 Static

A 1 Static

B 1 Static

1900A#


Lab 5.3: Configuring VLANs on a 3550 SwitchConfiguring VLANs is the easy part of the job. It is trying to understand which users you want in each VLAN that is time consuming. Once you have decided the number of VLANs you want to create and the users that will be members of each VLAN, you can create your VLAN.

Network Layout



Lab Steps

1. To configure VLANs on the 3550 series switch, you can configure the VLANs from the VLAN database. You do this from privileged mode, not configuration mode. Type vlan database:

3550A#vlan database

2. To configure VLANs on the 3550 switch, use the vlan # name name command. The following shows an example of creating three VLANs.

3550A(vlan)#vlan 2 name Sales

VLAN 2 added:

Name: Sales

3550A(vlan)#vlan 4 name Marketing

VLAN 4 added:

Name: Marketing

3550A(vlan)#vlan 7 name Research

VLAN 7 added:

Name: Research

3550A(vlan)#exit

APPLY completed.

Exiting....

3550A#

3. You must apply your changes to the switch. You can either use the apply command or use the exit command which will then apply the changes.

4. After you create the VLANs that you want, you can use the show vlan command to see the configured VLANs. However, notice that by default all ports on the switch are in VLAN 1. To change the VLAN associated with a port you need to go to each inter-face and tell it what VLAN to be a member of.

Once the VLANs are created, verify your configuration with the show vlan command (show vlan for short).

3550A#show vlan


---- -------------------------------- --------- -------------------------------

1 default active Fa0/1, Fa0/2, Fa0/4, Fa0/5

Fa0/6, Fa0/7, Fa0/8, Fa0/9

Fa0/10


2 Sales active

4 Marketing active

7 Research active

1002 fddi-default active

1003 token-ring-default active

1004 fddinet-default active

1005 trnet-default active

[output cut]

5. You can configure each port to be in a VLAN by using the switchport access vlan # command. You can only configure VLANs one port at a time. In the following example, we configure interface 1 to VLAN 2, interface 5 to VLAN 7, and interface 10 to VLAN 4.

3550A#config t



3550A(config-if)#switchport access vlan 2






6. You must also set the port to be in access mode, which means that the interface will only be a member of one VLAN.








3550A(config)#exit


Destination filename [startup-config]?


[OK]

3550A#



3550A#sh vlan


---- -------------------------------- --------- -------------------------------


Fa0/8, Fa0/9

2 Sales active Fa0/1

4 Marketing active Fa0/10

7 Research active Fa0/5





[output cut]

Interface Fa0/1 is a member of VLAN 2, interface Fa0/05 a member of VLAN 5, and interface Fa0/10 is a member of VLAN 4.

8. Another command you can use to see the ports assigned to a VLAN is show running-config.

3550A#show run

[output cut]

!


switchport access vlan 2


!




!




!

[output cut]

3550A#



Lab 5.4: Configuring Trunk Ports and VTP Domain on a 3550 Switch

Configure Trunk PortsTrunk links are 100 or 1000 Mbps point-to-point links between two switches, between a switch and router, or between a switch and server. Trunked links carry the traffic of multiple VLANs, from 1 to 1005 at a time. You cannot run trunked links on 10Mbps links, nor would you want to. Remember that an access link is a port on a switch that is a member of only one VLAN.

In this network 3560 Switch A is connected to 3550 Switch A via interface Fa0/3 on each device. That is what we are going to use to set our trunk port between the two switches.

Lab Steps

1. To configure trunking on a 3550 port, use the interface command switchport modecommand. In this lab we will set it up for fa0/3.

3550A>en

3550A#config t

Network Layout




3550A(config-if)#switchport trunk encapsulation ?

dot1q Interface uses only 802.1q trunking encapsulation when trunking

isl Interface uses only ISL trunking encapsulation when trunking

negotiate Device will negotiate trunking encapsulation with peer on interface

3550A(config-if)#switchport trunk encapsulation dot1q

3550A(config-if)#switchport mode trunk

2. By default, traffic from all VLANs are sent over a trunk link. To change the VLANs permitted to send traffic on a trunk link, use the switchport trunk allowed vlan except # command. The command allows traffic from all VLANs except the VLANs listed. In lab 9.5 we set up VLAN 7, for now we do not want to allow VLAN 7 to send traffic across the trunk link.

3550A(config-if)#switchport trunk allowed vlan except 7

3. The above command sets the trunking interface to allow traffic from all VLANs except for VLAN 7.

4. To verify your trunk ports, use the show running-config command.


3550A(config)#exit

3550A#show run

[output cut]

!


switchport trunk allowed vlan 1-6,8-1005

switchport mode trunk

switchport trunk encapsulation dot1q

!

[output cut]

5. Notice in the above output that all VLANs are allowed except for VLAN 7.

Configure VTP DomainEvery Catalyst switch is configured by default to be a VTP server. To configure VTP, first configure the domain name you want to use, as discussed in the next section. Once you con-figure the VTP information on a switch, you need to verify the configuration.


6. Use the vtp global configuration mode command to set this information. In the following example, we explicitly set switch 3550 A to be a VTP server, which it already is, and then set the VTP domain to routersim.

3550A(config)#vtp mode server

Device mode already VTP SERVER.

3550A(config)#vtp domain routersim

Changing VTP domain name from NULL to routersim

3550A(config)#

7. After you configure the VTP information, you can verify it with the show vtp status command.

3550A#show vtp status

VTP Version : 2

Configuration Revision : 4

Maximum VLANs supported locally : 64

Number of existing VLANs : 8

VTP Operating Mode : Server

VTP Domain Name : routersim

VTP Pruning Mode : Disabled

VTP V2 Mode : Disabled

VTP Traps Generation : Disabled

MD5 digest : 0x70 0x01 0xF2 0x72 0x97 0xA1 0x35 0xEB

Configuration last modified by: 172.16.10.17 at 11-29-93 20:39:24

Local updater ID is 172.16.10.17 on interface Vl1 (lowest numbered VLAN interface found)

3550A#

The preceding switch output shows the VTP domain and the switch’s mode.

Lab 5.5: Configuring VLANs on a 3560 SwitchIn this lab we want to eventually associate ports 2 and 8 with VLANs 2 and 4, that were set up for 3550 Switch A in lab 5.3. However, we do not have to manually set up VLANs 2 and 4 again for 3560 Switch A. That can be broadcast from 3550 Switch A (from work you did in lab 5.2), however, we must do a couple things in order to facilitate that.


Lab Steps

1. Initially, let’s issue the show vlan command to verify that there are no VLANs associated with 3560 Switch A.

3560A#sh vlan


---- -------------------------------- --------- -------------------------------


Fa0/6, Fa0/7, Fa0/8, Gi0/1





[output cut]

No VLANs!

Network Layout



2. We now need to configure two ports, one for each VLAN by using the switchport access vlan # command. You can only configure VLANs one port at a time. In the following example, we configure interface 2 to VLAN 2 and interface 8 to VLAN 4.













3560A(config)#exit




[OK]

3560A#

4. We can verify what we did with the two ports with the show run command.

3560A#show run

[output cut]

!




!




!

[output cut]

3560A#



Lab 5.6: Configuring Trunk Ports and VTP Domain on a 3550 Switch

Configure Trunk PortsTrunk links are 100 or 1000 Mbps point-to-point links between two switches, between a switch and router, or between a switch and server. Trunked links carry the traffic of multiple VLANs, from 1 to 1005 at a time. You cannot run trunked links on 10Mbps links, nor would you want to. Remember that an access link is a port on a switch that is a member of only one VLAN.

Lab Steps

1. To configure trunking on a 3560 port, use the interface command switchport modetrunk command. In this lab we will configure interface fa0/3.

3560A>en

3560A#config t

Network Layout






2. To verify your trunk port, use the show running-config command.


3560A(config)#exit

3560A#show run

[output cut]

!




!

[output cut]

Configure VTP DomainEvery Catalyst switch is configured by default to be a VTP server. To configure VTP, first con-figure the domain name you want to use, as discussed in the next section. Once you configure the VTP information on a switch, you need to verify the configuration.

3. Use the vtp global configuration mode command to set this information. In the fol-lowing example, we set the switch to a VTP client and then set the VTP domain to routersim.


3560A(config)#vtp mode client

Setting device to VTP CLIENT mode.




4. After you configure the VTP information, you can verify it with the show vtp command.

3560A#sh vtp status

VTP Version : 2




VTP Operating Mode : Client








Local updater ID is 172.16.10.3 on interface Vl1 (lowest numbered VLAN interface

found)

3560A#


5. VLAN information should now be propagated from 3550 Switch A to 3560 Switch A. Confirm this with the show vlan command.

3560A#show vlan


---- -------------------------------- --------- -------------------------------

1 default active Fa0/1, Fa0/4, Fa0/5, Fa0/6, Fa0/7

Gi0/1



7 Research active





VLAN 7 will not be allowed to pass any traffic on the trunk link because we issued the command switchport trunk allowed vlan except 7 in lab 5.4, step 2.

Lab 5.7: IntraVLAN and InterVLAN RoutingIn previous labs we have set up VLANs 2 and 4 for the 3550 and 3560 switches. We will first set up the proper subnetting so that we can place Hosts A and C in VLANs 2 and Hosts B and D in VLANs 4. We will then have you test this by communicating with the

Lab 5.7: IntraVLAN and InterVLAN Routing 501

VLANS. Then we will set up interVLAN routing so that Hosts from VLANs 2 and 4 can communicate with each other. Network devices in different VLANs cannot communicate with each other without sending traffic through a router. In this lab we will use 2811 Router A to perform the 802.1q routing so that we can route traffic between the two VLANs.

Two new subnets will be needed. We will us subnets 172.16.2.0/24 and 172.16.3.0/24. 2811 Router A FastEthernet 0/0 interface will stay at 172.16.10.1/24, however, the IP address needs to be moved to a subinterface, which we’ll do in a minute.

Lab Steps

1. We configured all hosts in this network in ICND1 lab 2.11. If you have not configured the hosts in this lab, you should go through ICND1 lab 2.11.

Let’s start from that point. VLAN 2 will have a subnet of 172.16.2.0/24 and VLAN 4 will have a subnet of 172.16.3.0/24. Change the current IP addresses of the hosts so they are in their proper VLAN. Change the IP addresses and default-gateways of the four hosts.

Network Layout



Host Current IP Address New IP Address New Default Gateway

A 172.16.10.5 172.16.2.2 172.16.2.1

B 172.16.10.6 172.16.3.3 172.16.3.1

C 172.16.10.7 172.16.2.3 172.16.2.1

D 172.16.10.8 172.16.3.2 172.16.3.1

2. Verify you have set up the VLANs correctly by pinging from Host A to Host C.

C:\>ping 172.16.2.3

Pinging 172.16.2.3 with 32 bytes of data:

Reply from 172.16.2.3 ;bytes=32 time=22ms TTL=254




Ping Statistics for 172.16.2.3:

Packets Sent = 4, Received = 4, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

Minimum = 22ms, Maximum = 23ms, Average = 22ms

C:\>

Once you can ping, you know you have configured at least one VLAN correctly. At this time, Host A and Host C cannot ping anything else in the network except each other.

3. At this point you should not be able to ping Host B even though it is connected to the same switch.

C:\>ping 172.16.3.3


Request timed out.

Request timed out.

Request timed out.

Request timed out.





C:\>

Lab 5.7: IntraVLAN and InterVLAN Routing 503

4. Verify you have set up the VLANs correctly by pinging from Host B to Host D.

C:\>ping 172.16.3.2










C:\>

Once you can ping, you know you have configured both VLANs correctly. At this time, Host B and Host D cannot ping anything else in the network except each other.

5. To have the hosts ping outside their own VLAN, you must setup some type of rout-ing You also need to setup a trunk link between the switch and the router. Use 2811 Router A FastEthernet 0/0 interface and create 802.1q routing. Create three subinter-faces, one for each VLAN. To establish a trunk link between 3550 Switch A and the 2811 Router A, configure FastEthernet 0/4, on the 3550 Switch A as a trunk port with 802.1q encapsulation.

2811A>enable

2811A#config t


2811A(config-if)#no ip address

2811A(config-if)#int fa0/0.1

2811A(config-subif)#encapsulation dot1q 1

2811A(config-subif)#ip address 172.16.10.1 255.255.255.0

2811A(config-subif)# int fa0/0.2






2811A(config-subif)#router ospf 102

2811A(config-router)#network 172.16.2.0 0.0.0.255 a 0

2811A(config-router)#network 172.16.3.0 0.0.0.255 a 0

2811A(config-subif)#exit

2811A(config)#exit





[OK]

2811A#

3550A>en

3550A#config t




6. Verify your sub-interface configurations with the show run command.

2811A(config)#show run

[output cut]

!



no ip address


!

interface FastEthernet0/0.1

encapsulation dot1Q 1

ip address 172.16.10.1 255.255.255.0

!



ip address 172.16.2.1 255.255.255.0

!



ip address 172.16.3.1 255.255.255.0

!

[output cut]

7. At this point, the hosts should be able to ping all hosts and 2811 Router A.

Access Lists

Lab 6: Introduction to Managing Traffic with Access Lists

This set of labs will have you configure IP filtering on the internetwork. The proper use and configuration of access lists is a vital part of router configuration. Contributing mightily to the efficiency and optimization of your network, access lists give network managers a huge amount of control over traffic flow throughout the internetwork.

With access lists, managers can gather basic statistics on packet flow and security policies can be implemented. Sensitive devices can also be protected from unauthorized access. We will discuss access lists for TCP/IP, and we will cover some of the tools available to test and monitor the functionality of applied access lists.

The following labs are presented in this section:

NN 6.1: Standard IP Access-Lists Lab

NN 6.2: Verifying Standard IP Access-lists Lab

NN 6.3: Applying an Access-List to a VTY Line Lab

NN 6.4: Extended IP Access-Lists Lab

NN 6.5: Verifying Extended IP Access-lists

NN 6.6: Removing Extended IP Access-lists

The commands covered in this chapter are as follows:

Command Meaning

access-list Creates a list of tests to filter the networks.

host Specifies a single host address.

Access List

A set of permissions that have been established at an interface level that are used to permit or deny packets moving through a router, and permit or deny Telnet (VTY) access to or from a router. It essentially acts as a packet filtering firewall.

Lab 6.1: Standard IP Access-Lists 507

Command Meaning

any Wildcard command. Specifies any host or any network; same as the 0.0.0.0 255.255.255.255 command.

0.0.0.0 255.255.255.255 Wildcard command; same as the any command.

ip access-group Applies an IP access-list to an interface.

access-class Applies a standard IP access list to a VTY line.

show access-list Shows all the access lists configured on the router.

show access-list 110 Shows only access-list 110.

show ip access-list Shows only the IP access lists.

show ip interface Shows which interfaces have IP access lists applied.

There are two types of access lists used with IP.

Standard access lists use only the source IP address in an IP packet to filter the network. This basically permits or denies an entire suite of protocols. IPX standards can filter on both source and destination IPX address.

Extended access lists these check for both source and destination IP address, protocol field in the Network layer header, and port number at the Transport layer header.

Once you create an access list, you apply it to an interface with either an inbound or outbound list:

Inbound access lists packets are processes through the access list before being routed to the outbound interface.

Outbound access lists packets are routed to the outbound interface and then processed through the access list.

Lab 6.1: Standard IP Access-ListsThis lab will have you block access to network 172.16.40.0 from Host F. Access-lists can be tricky because if you do not create your lists correctly, you can bring the network down. There are two steps with access-lists:

NN Create an access-list

N Apply an access-list

standard IP access-lists use source addresses for filtering packets. A collection of permit and deny conditions is applied to IP addresses.

508 Access Lists

1. Double-click Host F.

Network Layout



2. Verify that you can ping to the 2950 Switch A and that you can ping Host E from Host F.

C:\ping 172.16.40.2










C:\>ping 172.16.40.3










C:\>

510 Access Lists

3. From the Host F menu, bring up the console for the 2621 Router A.

4. Create an access-list that blocks access from host F trying to get to network 172.16.40.0.

2621A>enable

2621A#config t

2621A(config)#access-list 10 deny host 172.16.50.3

2621A(config)#access-list 10 permit any

That is all we’re going to do for the list. Remember that IP standard access-lists should be created closest to the destination network, which is why we built that access-list on 2621 Router A. It is directly connected to network 172.16.40.0.


5. After creating an access-list for 2621 Router A, we now need to add the access-list to the serial 0/0 interface of 2621 Router A.


2621A(config-if)#ip access-group 10 in

This applied the access-list 10 to the serial 0/0 interface of 2621 Router A and filtered any incoming packets.

6. Check to see that Host F can no longer ping to 172.16.40.2 and 172.16.40.3.

C:\>ping 172.16.40.2


Request timed out.

Request timed out.

Request timed out.

Request timed out.

C:\>

C:\>ping 172.16.40.3


Request timed out.

Request timed out.

Request timed out.

Request timed out.

C:\>

512 Access Lists

7. If the access-list is correct, all other devices should still be able to reach network 172.16.40.0. Ping from 2621 Router B and verify that you can reach 172.16.40.2 and 172.16.40.3.

2621B#ping 172.16.40.2



!!!!!


2621B#

2621B#ping 172.16.40.3



!!!!!


2621B#


Lab 6.2: Verifying Standard IP Access-ListsPinging and telnetting through the internetwork is a really good way to verify the network and access-lists. However, using the Cisco IOS commands is also a good way to verify the lists.

Network Layout

Work with the saved network that you used to configure devices in lab 6.1.

Lab 6.2: Verifying Standard IP Access-Lists 513

Lab Steps

1. Bring up the console for 2621 Router A and type show access-list to see the list config-ured on the router.


2621A#show access-list

Standard IP access list 10

deny 172.16.50.3

permit any

2621A#

2. You can also type either show ip access-list or show access-list 10 to gather specific list configurations.

2621A#show access-list 10


deny 172.16.50.3

permit any

2621A#

3. To see which interface has access-lists applied, use the show ip interface command.

2621A#show ip interface



Broadcast address is 255.255.255.255

Address determined by setup command

MTU is 1514 bytes

Helper address is not set

Directed broadcast forwarding is disabled

Outgoing access list is not set

Inbound access list is 10

[output cut]

4. The show running-config is useful to see both the access-list and to verify the inter-face where the access-list is applied.

2621Ashow run

[output cut]

!

interface Serial0/0


514 Access Lists

ip address 172.16.20.2 255.255.255.0


ip access-group 10 in

!

[output cut]

Lab 6.3: Applying an Access-List to a VTY LineYou will have a difficult time trying to stop users from telneting into a router because any active port on a router is fair game for VTY access. However, you can use a standard IP access-list to control access by placing the access-list on the VTY lines themselves.

To perform this function:

1. Create a standard IP access-list that permits only the host or hosts you want to be able to telnet into the routers.

2. Apply the access list to the VTY line with the access-class command.

This lab will have you stop Host F from telneting into 2621 Router A.

Network Layout


Lab 6.3: Applying an Access-List to a VTY Line 515

Lab Steps

1. Remove the access-list on 2621 Router A.

2621A#config t

2621A(config)#no access-list 10

2. Remove the access-list on the serial 0/0 interface of 2621 Router A.


2621A(config-if)#no ip access-group 10 in

You can just type no access-list 10 on to remove the access-list, but you must type the whole command from the interface to remove the list from the interface on the router.

3. Verify that Host F can telnet into 2621 Router A.

C:\>telnet 172.16.20.2

Connecting To 172.16.20.2 ...

This is 2621 Router A


Password:

2621A>

4. Exit from your telnet session.

2621A>exit

Connection to host lost.

C:\>

5. Connect to 2621 Router A and block telnet access for Host F, but allow all other devices to telnet to the 2621 A router.

2621A#config t



6. Apply the access-list directly to the VTY lines and not to an interface.


2621A(config-line)#access-class 20 in


2621A#

516 Access Lists

7. Verify that Host F can no longer telnet into 2621 Router A.

C:\>telnet 172.16.20.2

Connecting To 172.16.20.2 ...Could not open a connection to host: Connect failed

C:\>

8. Use the Host F menu to go to the 2621 Router A console.

9. Verify that 2621 Router B can still telnet into 2621 Router A.

2621B#telnet 172.16.20.2

Trying 172.16.20.2 ... Open



Password:

2621A>

Save Your File: Make sure you save the network layout file that you have been work-ing on.

Lab 6.4: Extended IP Access-ListsIn this lab we will remove the standard IP access-list on 2621 Router A and create a new access-list that is more succinct on 2621 Router A. We want Host F to use the services on the 172.16.40.0 network, but we don’t want them to telnet into 2950 Switch A.

Lab 6.4: Extended IP Access-Lists 517

Lab Steps


2621A#config t


2. Bring up the Host F console by using 2621 Router A’s menu.

Network Layout


518 Access Lists

3. Verify that Host F can now ping 172.16.40.2 and 172.16.40.3.

C:\ping 172.16.40.2










C:\>ping 172.16.40.3










C:\>

4. Create an access-list on 2621 Router A to block telnet access into the 172.16.40.0 net-work, but still allow Host F to ping Host E.

2621A#config t

2621A(config)#access-list 110 deny tcp host 172.16.50.3 172.16.40.0 0.0.0.255 eq telnet

2621A(config)#access-list 110 permit ip any any

This access-list blocked source address 172.16.50.3 from telneting into 172.16.40.0.

5. Apply this access-list to the serial interface 0/0 of 2621 Router A to filter the packets coming into the router.




2621A#

Lab 6.5: Verifying Extended IP Access-lists 519

6. Test the access-list by trying to telnet 172.16.40.2 From Host F, (remember, you cannot telnet to a host). All other devices should be able to telnet to 172.16.40.2.

C:\>telnet 172.16.40.2


C:\


Lab 6.5: Verifying Extended IP Access-listsWe will use the same command as we did to verify the IP Standard Access-Lists. Go to 2621 Router A (if you created the list on 2621 Router A) and verify your access-list. Remember that ping and telnet are really good tools to verify your network as well.

Network Layout


520 Access Lists

Lab Steps

1. From 2621 Router A, type the show access-list command to see the configured list.


Extended IP access list 110

deny tcp host 172.16.50.3 172.16.40.0 0.0.0.255 eq telnet

permit ip any any

2621A#

2. Use the show access-list 110 command to see only list 110.




permit ip any any

2621A#

3. You can also use show ip access-list to see only the IP access-list configured on your router.

2621A#show ip access-list



permit ip any any

2621A#

4. Verify which interface has an access-list set by using the show ip interface command on 2621 Router A.






MTU is 1514 bytes





[output cut]

2621A#

Lab 6.6: Removing Extended IP Access-lists 521

Lab 6.6: Removing Extended IP Access-listsTo remove the extended IP access-list, perform the following steps.

Lab Steps


2621A#config t






Network Layout


522 Access Lists

3. Verify that you have removed the extended IP access-list.


[output cut]

!

interface Serial0/0


ip address 172.16.20.2 255.255.255.0


!

[output cut]

Practice Scenario: NAT and ACLs

Configuring ACLs for Telnet and SSHNow that you have learned about some concepts and completed some hands-on work, try your problem-solving and troubleshooting skills with the following task. To complete your task you will need a network to interact with a scenario and the task(s) at hand.

When you have finished with this scenario ...You can check your work by clicking the Grade Me button in the upper right hand corner



NN The name of the command entered for this scenario



Lab 6.6: Removing Extended IP Access-lists 523



Network Layout

On the Network Visualizer screen, click on the Labs menu then choose Practice Sce-narios, NAT and ACLs, and Configuring ACLs for Telnet and SSH.

524 Access Lists


ScenarioColorado Company RouterSim is planning and designing their new corporate Internetwork. You are the network administrator for the Denver network. Develop an extended access list that will block the California network from telneting into the DNVR_RTR router.

TaskConfigure access-list 150 on the DNVR_RTR router as close as possible to the source network. Set it up so that any router or switch in the 172.16.40 network is blocked.

NAT/PAT

Lab 7.1: Configuring Dynamic NAT

This section will show you how to configure NAT to translate from real ISP assigned addresses to private addresses so that the inside network can communicate to the Internet.

Network Layout

Use the network the you worked with in ICND1 lab 5.1. The network is Nat-Pat Layout.rsm or whatever you renamed it in the earlier lab. If you have not completed that lab, please go back and go through it.

Lab 7.1: Configuring Dynamic NAT 527

Lab Steps

1. In this step, you’ll configure a dynamic NAT pool on 2811 Router B. Create a pool of addresses called RouterSim on 2811 Router B. The pool should contain a range of addresses of 171.16.10.50 through 171.16.10.55.

2811B(config)#ip nat pool RouterSim 171.16.10.50 171.16.10.55 net255.255.255.0

2. Create access-list 1. This list permits traffic from the 192.168.20.0 and 192.168.10.0 network to be translated.

2811B(config)#access-list 1 permit 192.168.20.0 0.0.0.255


3. Map the access list to the pool that was created.

2811B(config)#ip nat inside source list 1 pool RouterSim

4. Configure fa0/0 as an inside NAT interface.


2811B(config-if)#ip nat inside

5. Configure serial 0/0/0 as an outside NAT interface.


2811B(config-if)#ip nat outside

6. Bring up the console for 2811 Router D. Telnet from 2811 Router D to 2811 Router A—do not disconnect.

2811D#telnet 171.16.10.1

Trying 171.16.10.1 ... Open



2811D#

We received this message because we did not set up a telnet password on 2811 Router A.

7. Go to the 2811 A router and set up a telnet password.

2811A#config t

2811ARouter(config)#line vty 0 1180

2811ARouter(config-line)#password todd2

8. Try step 6 again and if you are successful, move on to step 9.

528 NAT/PAT

9. Bring up the console for 2811 Router C. Telnet from the 2811 Router C to 2811 Router A—do not disconnect.

2811C#telnet 171.16.10.1

10. Go back to 2811 Router A and execute the command show users. (This shows who is accessing the VTY lines).

2811A#show users


0 con 0 idle 00:00:00

2 vty 0 idle 00:00:40 171.16.10.50

* 3 vty 1 idle 00:00:17 171.16.10.51


2811A#

Notice that there is a one-to-one translation. Which means you must have a real IP address for every host that wants to get to the Internet, which is not always possible.

11. Leave the session open on 2811 Router A and connect back to 2811 Router B.

12. Bring up the console for 2811 Router B and view your current translations by entering the show ip nat translation command. You should see something like this:

2811B#sh ip nat translations

Pro Inside global Inside local Outside local Outside global

--- 171.16.10.50 192.168.20.2 --- ---

--- 171.16.10.51 192.168.10.2 --- ---

2811B#

Remember that the “inside local is before translation” and the “inside global is after translation”, and how you are known on the Internet.

Exit out of the telnet session from 2811 Router D.

13. If you turn on debug ip nat on 2811 Router B and then ping through the router from 2811 Router D, you will see the actual NAT process take place, which will look some-thing like this:

2811B#debug ip nat

2811D#ping 171.16.10.1

2811B#

Feb 27 17:16:18.256: NAT*: s=192.168.20.2->171.16.10.52, d=171.16.10.1 [1]

Feb 27 17:16:18.260: NAT*: s=171.16.10.1->171.16.10.52, d=192.168.20.2 [1]


Lab 7.2: Configuring PAT 529

Lab 7.2: Configuring PATPort Address Translation (PAT), also called NAT Overload, uses TCP and UDP port numbers to uniquely identify hosts on the inside network so that everyone on the inside network can use only one real IP address to send packets to the Internet. Static NAT is a one-for-one translation, which means that each host uses a unique real IP address to send packets to the Internet. By using PAT, we save address space by using only one real IP address for all hosts.

In this lab, you’ll configure Port Address Translation (PAT) on 2811 Router B. We will use PAT because we don’t want a one-to-one translation, but instead we want to just use one IP address for every user on the network.

Network Layout

Use the network you worked with in lab 7.1.

530 NAT/PAT

Lab Steps

1. Terminate the telnet sessions on 2811 Router C by using the exit command.

2. On the 2811 Router B, delete the translation table and remove the dynamic NAT pool.

2811B#clear ip nat translation *

2811B#config t

2811B(config)#no ip nat pool RouterSim 171.16.10.50 171.16.10.55 netmask 255.255.255.0

2811B(config)#no ip nat inside source list 1 pool RouterSim

3. On 2811 Router B, create a NAT pool with one address called Lammle. The pool should contain a single address 171.16.10.100. Enter the command below:

2811B(config)#ip nat pool Lammle 171.16.10.100 171.16.10.100 netmask255.255.255.0

4. Create access-list 2. It should permit networks 192.168.20.0 and 192.168.10.0 to be translated.



5. Map the access-list 2 to the new pool, allowing PAT to occur by using the overload command.

2811B(config)#ip nat inside source list 2 pool Lammle overload

6. Bring up the console for 2811 Router D and telnet to 2811 Router A. Then bring up the 2811 Router C and telnet to 2811 Router A.

7. From the ISP router use the show users command. The output should look something like this:

2811A>sh users


0 con 0 idle 00:00:00

2 vty 0 idle 00:00:29 171.16.10.100

* 3 vty 1 idle 00:00:21 171.16.10.100


2811A>

Lab 7.3: NAT/PAT Final Configuration Exercise 531

8. From 2811 Router B use the show ip nat translations command.



tcp 171.16.10.100:1723 192.168.10.2:1723 171.16.10.1:23 171.16.10.1:23

tcp 171.16.10.100:1723 192.168.20.2:1723 171.16.10.1:23 171.16.10.1:23

2811B#

9. Exit the telnet session from 2811 Router D.

10. Also make sure that the debug ip nat command is on 2811 Router B. If you ping from 2811 Router C to 2811 Router A, the output will look like this:

01:12:36: NAT: s=192.168.10.2->171.16.10.100, d=171.16.10.1 [35]

01:12:36: NAT*:s=171.16.10.1, d=171.16.10.100->192.168.10.2 [35]

01:12:36: NAT*:s=192.168.10.2->171.16.10.100, d=171.16.10.1 [36]

01:12:36: NAT*:s=171.16.10.1, d=171.16.10.100->192.168.10.2 [36]

01:12:36: NAT*:s=192.168.10.2->171.16.10.100, d=171.16.10.1 [37]

01:12:36: NAT*:s=171.16.10.1, d=171.16.10.100->192.168.10.2 [37]

01:12:36: NAT*:s=192.168.10.2->171.16.10.100, d=171.16.10.1 [38]

01:12:36: NAT*:s=171.16.10.1, d=171.16.10.100->192.168.10.2 [38]

01:12:37: NAT*:s=192.168.10.2->171.16.10.100, d=171.16.10.1 [39]

01:12:37: NAT*:s=171.16.10.1, d=171.16.10.100->192.168.10.2

Lab 7.3: NAT/PAT Final Configuration ExerciseIn this lab, you will configure two routers and a host so that the inside network can com-municate with the outside network using Port Address Translation. You will not use the network layout used previously. You have six public IP address assigned to your company: 198.18.194.73 -78. There are 30 hosts that need to access the Internet simultaneously.

NN Hosts range on the inside network is 192.168.35.65- 94

NN Inside global addresses are 198.18.194.73-78/29

NN Inside local addresses are 192.168.35.65-94/27

532 NAT/PAT

Lab Steps

1. Double-click 2811 Router B to open the console screen.

Network Layout

Load Nat-Pat Final Layout.rsm before going through the following lab.



3. Click on the file Nat-Pat Final Layout and click Open.



Router>en

Router#config t








2811B(config-if)#clock rate 1000000






[OK]

2811B#

3. Configure 2811 Router A with IP addresses and default routing.

Router>en

Router#config t






2811A(config)#ip route 0.0.0.0 0.0.0.0 192.0.2.157

4. Configure your host with the IP address 192.168.35.65/27. Don’t forget to set your default-gateway.

5. Create an inside source list that will allow the inside hosts to access the NAT pool and allow the use of PAT.

2811B#config t

2811B(config)#ip nat inside source list 10 pool 2811B overload

6. Next, create an access-list for IP range 192.168.35.65-94/27.


534 NAT/PAT

7. Verify your access-list.

2811B(config)#do show run


!


!

access-list 10 permit 192.168.35.64 0.0.0.31

[output cut]

2811B(config)#do show access-lists


10 permit 192.168.35.64, wildcard bits 0.0.0.31

2811B(config)#

8. Create the pool with the six available global hosts IP addresses.

2811B(config)#ip nat pool 2811B 198.18.194.73 198.18.194.78 netmask 255.255.255.248

9. Configure the interfaces for use with NAT.






2811B(config)#exit




[OK]

2811B#

10. Change the console screen to Host A and then ping 2811 Router A.

C:\ping 192.0.2.158

11. Change to the console screen for 2811 Router B and verify your NAT/PAT configura-tion by enabling debug ip nat.

2811B#debug ip nat

IP NAT debugging is on


Dec 3 16:48:09.484: NAT*: s=192.168.35.65->198.18.194.73, d=192.0.2.158 [1] Dec 3 16:48:09.500: NAT*: s=192.0.2.158->198.18.194.73, d=192.168.35.65 [1]

2811B#

12. Verify your NAT table with the following command:



icmp 198.18.194.74:1 192.168.35.65:1 192.0.2.158:1 192.0.2.158:1

2811B#

13. Delete the NAT/PAT configuration on your routers.

14. Reconfigure the router with the following IP addresses on 2811 Router B (try to configure this without looking at the answers for the NAT/PAT configuration we just finished):

Interface f0/0: 192.168.76.94/27

Interface s0/0/0: 192.0.2.165/30

Inside global: 198.18.149.113-118/29

Inside local: 192.168.76.65-94/27

15. Verify your NAT configuration.

VLSM with Summarization

Lab 8.1: VLSM with Summarization Lab—Configuring Routers

The following lab will have you configure a medium size network into block sizes of 32 (/27) using the EIGRP routing protocol and summarizing the classless boundaries. The switches will not be configured in this lab and they will behave just like hubs. You will configure each router in the lab with the appropriate IP addressing and verify the configuration in lab 8.2.

Network Layout

Load VLSM Layout.rsm before going through the following lab.



3. Click on the file VLSM Layout.rsm and click Open.


Routers 2811 A through 2811 E will be configured in the 192.168.10.32/27 network and routers 2811 F through 2811 J will be configured in the 192.168.10.64/27 network. In each network there are four block sizes of four (the WAN links) and two block sizes of eight (the LANs).

To connect routers 2811 A and 2811 F across the backbone, we will use the 10.1.1.0/24 network. This is called discontiguous networking because we have one class of network (192.168.10.0) connecting across to the same network address through the 10.0.0.0 network—and this will not work by default. RIPv1 and IGRP can never work in this type of network. In order to use VLSM with discontiguous networking in your network, you must use one the fol-lowing routing protocols: RIPv2, EIGRP, OSPF or ISIS (these are considered classless routing protocols). This lab will have you use EIGRP as the classless routing protocol.

Here is the IP addressing scheme used in this lab for routers 2811 A through 2811 E: (notice how the four block sizes of four, and two block sizes of eight fit in one block size of 32—VLSM network addressing).

Router Block Sizes

2811 Router A S0/0/0: 192.168.10.37/30 (subnet 36, block size of 4)

S0/0/1: 192.168.10.33/30 (subnet 32, block size of 4)

F0/0: 10.1.1.1/24

2811 Router B S0/0/0: 192.168.10.41/30 (subnet 40, block size of 4)

S0/0/1: 192.168.10.34/30 (subnet 32, connected to s0/0/1 of 2811 Router A)

2811 Router C S0/0/0: 192.168.10.45/30 (subnet 44, block size of 4)


2811 Router D S0/0/0: 192.168.10.42/30 (connected to s0/0/0 of router 2811 B)

F0/0: 192.168.10.49/29 (subnet 48, block size of 8)

Discontiguous Networking

When a major network like 192.168.10.0 is separated by a different major network like 10.0.0.0. Example: The 192.168.10.0/24 network can be subnetted into two or more net-works. The networks 192.168.10.36/30 and 192.168.10.80/29 are configured on different routers. The routers are using the 10.0.0.0 network to connect to each other, thus one major network being separated by another major network.

540 VLSM with Summarization

Router Block Sizes

2811 Router E S0/0/0: 192.168.10.46/30 (connected to s0/0/0 of router 2811 C)


2811 Router F S0/0/0: 192.168.10.69/30 (subnet 64, block size of 4)


F0/0: 10.1.1.2/24

2811 Router G S0/0/0: 192.168.10.73/30 (subnet 72, block size of 4)

S0/0/1: 192.168.10.66/30 (subnet 64, connected to s0/0/1 of 2811 Router F)

2811 Router H S0/0/0: 192.168.10.77/30 (subnet 76, block size of 4)


2811 Router I S0/0/0: 192.168.10.74/30 (connected to s0/0/0 of router 2811 G)


2811 Router J S0/0/0: 192.168.10.78/30 (connected to s0/0/0 of router 2811 H)

F0/0: 192.168.10.89 (subnet 88, block size of 8)

Lab Steps

1. Double-click on 2811 Router A to bring up the console screen.


Router>en

Router#config t










(continued)






3. Change to the console for 2811 Router B.


Router>en

Router#config t



2811B(config)#int s0/0/0








5. Change to the console for 2811 Router C.


Router>en

Router#config t



2811C(config)#int s0/0/0








7. Change to the console for 2811 Router D.


Router>en

Router#config t







2811D(config-if)#int f0/0




2811D(config-if)#ctrl+z


9. Change to the console for 2811 Router E.

10. Configure 2811 Router E.

Router>en

Router#config t


Router(config)#hostname 2811E

2811E(config)#int s0/0/0

2811E(config-if)#ip address 192.168.10.46 255.255.255.252

2811E(config-if)#no shut

2811E(config-if)#int f0/0



2811E(config-if)#ctrl+z

2811E#copy run start

11. Change to the console for 2811 Router F.

12. Configure 2811 Router F.

Router>en

Router#config t


Router(config)#hostname 2811F

2811F(config)#int s0/0/0

2811F(config-if)#ip address 192.168.10.69 255.255.255.252

2811F(config-if)#no shut

2811F(config-if)#int s0/0/1



2811F(config-if)#int f0/0




2811F(config-if)#ctrl+z

2811F#copy run start

13. Change to the console for 2811 Router G.

14. Configure 2811 Router G.

Router>en

Router#config t


Router(config)#hostname 2811G

2811G(config)#int s0/0/0

2811G(config-if)#ip address 192.168.10.73 255.255.255.252

2811G(config-if)#no shut

2811G(config-if)#int s0/0/1



2811G(config-if)#ctrl+z

2811G#copy run start

15. Change to the console for 2811 Router H.

16. Configure 2811 Router H.

Router>en

Router#config t


Router(config)#hostname 2811H

2811H(config)#int s0/0/0

2811H(config-if)#ip address 192.168.10.77 255.255.255.252

2811H(config-if)#no shut

2811H(config-if)#int s0/0/1



2811H(config-if)#ctrl+z

2811H#copy run start

17. Change to the console for 2811 Router I.

18. Configure 2811 Router I.

Router>en

Router#config t



Router(config)#hostname 2811I

2811I(config)#int s0/0/0

2811I(config-if)#ip address 192.168.10.74 255.255.255.252

2811I(config-if)#no shut

2811I(config-if)#int f0/0



2811I(config-if)#ctrl+z

2811I#copy run start

19. Change to the console for 2811 Router J.

20. Configure 2811 Router J.

Router>en

Router#config t


Router(config)#hostname 2811J

2811J(config)#int s0/0/0

2811J(config-if)#ip address 192.168.10.78 255.255.255.252

2811J(config-if)#no shut

2811J(config-if)#int f0/0



2811J(config-if)#ctrl+z

2811J#copy run start

Rename and Save Your File: Make sure you save the actual network layout file that you have been working with. You might want to save it to another file name than VLSM Layout.rsm. This allows you to start over with a non-configured network if you wish.


Lab 8.2: VLSM with Summarization Lab—Configuring Hosts 545

2. A dialog box will appear. At the bottom you will see the file name VLSM Layout.rsm. Rename the file. In the following example it is renamed to My VLSM Layout.rsm.

3. Click the Save button. At this point your network layout has been saved to a new name. You then have the option of reloading VLSM Layout.rsm which is not configured.

Lab 8.2: VLSM with Summarization Lab—Configuring HostsWe will now configure all the hosts in the network.

Network Layout

Use the saved network you were working with in Lab 8.1.


Lab Steps




NN IP Address

N Subnet Mask

NN Default Gateway

IP Address:192.168.10.50

Subnet Mask: 255.255.255.248

Default Gateway:192.168.10.49



NN IP Address

N Subnet Mask

NN Default Gateway

Lab 8.4: VLSM with Summarization Lab—Configuring EIGRP 547

IP Address:192.168.10.58

Subnet Mask: 255.255.255.248




NN IP Address

NN Subnet Mask

NN Default Gateway

IP Address:192.168.10.82

Subnet Mask: 255.255.255.248




NN IP Address

NN Subnet Mask

NN Default Gateway

IP Address:192.168.10.90

Subnet Mask: 255.255.255.248




Lab 8.4: VLSM with Summarization Lab—Configuring EIGRP with Discontiguous NetworkingIn this lab you will configure the classless routing protocol EIGRP on each router. EIGRP is an advanced Distance Vector routing protocol that supports VLSM and discontiguous networks. In addition, it can be used to manually summarize contiguous network boundaries, which is what we have.

Enhanced Interior Gateway Routing Protocol (EIGRP) is a Cisco proprietary hybrid routing protocol. It uses the properties of both distance vector and link state and uses an administrative distance of 90, so it will automatically overwrite RIP (which has a


default administrative distance of 120) routes in the routing table. Also, it uses autono-mous systems (AS) to create groups of routers that share routing information. The major difference between IGRP and EIGRP is that EIGRP uses three different tables to create a stable routing environment and additionally EIGRP only sends updates when needed whereas IGRP broadcasts routing table entries every 90 seconds.

Remember that although EIGRP is considered a classless routing protocol (which means it sends subnet mask information with each route update), it is configured in a classful manner. What this means is that you turn off all subnet bits and host bits to add each network statement—which is why the network statement is 192.168.10.0, not 192.168.10.32, 192.168.10.36, etc. for each subnet. EIGRP will find the subnets; you don’t type subnets in with the network statement.

Router A is directly connected to the 192.168.10.0 network, but also the 10.1.1.0/24 network is directly connected off of F0/0. What is the network statement we will use? Remember, ALL subnet bits and host bits are off!

Add EIGRP with AS 10 to each router, using the correct network statement. Also, add the network statement of network 192.168.10.0 under EIGRP 10 for each router, except for routers A and F, which will need the network 10.0.0.0 statement as well.

Network Layout

Use the network you were working with in Lab 8.2.


Lab Steps

1. From each router global configuration prompt, add the routing protocol EIGRP with an AS number of 10:

2811A>en

2811A#config t




2811A(config)#auto-summary

2811A(config-router)#

2811B>en

2811B#config t



2811B(config)#auto-summary

2811B(config-router)#

2811C>en

2811C#config t



2811C(config)#auto-summary

2811C(config-router)#

2811D>en

2811D#config t



2811D(config)#auto-summary

2811D(config-router)#

2811E>en

2811E#config t

2811E(config)#router eigrp 10

2811E(config-router)#network 192.168.10.0

2811E(config)#auto-summary

2811E(config-router)#

2811F>en

2811F#config t

2811F(config)#router eigrp 10

2811F(config-router)#network 192.168.10.0



2811F(config)#auto-summary

2811F(config-router)#

2811G>en

2811G#config t

2811G(config)#router eigrp 10

2811G(config-router)#network 192.168.10.0

2811G(config)#auto-summary

2811G(config-router)#

2811H>en

2811H#config t

2811H(config)#router eigrp 10

2811H(config-router)#network 192.168.10.0

2811H(config)#auto-summary

2811H(config-router)#

2811I>en

2811I#config t

2811I(config)#router eigrp 10

2811I(config-router)#network 192.168.10.0

2811I(config)#auto-summary

2811I(config-router)#

2811J>en

2811J#config t

2811J(config)#router eigrp 10

2811J(config-router)#network 192.168.10.0

2811J(config)#auto-summary

2811J(config-router)#

2. Now that we have added our directly connected networks under EIGRP (remember, add networks, not subnets!), we need to configure 2811 Router A and 2811 Router F to work using discontiguous networking. Take a look at the routing table of each router and notice that you can see the subnets in the routing table from each contiguous net-work only (2811 Router A through 2811 Router E and 2811 Router F through 2811 Router J). This is because discontiguous networking does not work by default.


2811A#sh ip route

2811F(config-router)#ctrl+z

2811F#sh ip route


3. We need to add the no auto-summary command to 2811 Router A and 2811 Router F to have this work.

2811A#config t


2811A(config-router)#no auto-summary

2811F#config t


2811F(config-router)#no auto-summary

4. Now, let’s take a look at the routing tables of each router and notice that ALL subnets are now listed in each router’s routing table.

2811J#show ip route

[output cut]


D 10.1.1.0 [90/2172416] via 192.168.10.77, 00:12:01, Serial0/0/0


D 192.168.10.44/30 [90/2172416] via 192.168.10.77, 00:12:01, Serial0/0/0

D 192.168.10.68/30 [90/2172416] via 192.168.10.77, 00:12:01, Serial0/0/0

D 192.168.10.32/30 [90/2172416] via 192.168.10.77, 00:12:01, Serial0/0/0

Auto-summary

The process of taking subnets like 192.168.10.4/30 or 192.168.10.56/29 and sum-marizing them down to their base network class. In the case of 192.168.10.4/30 or 192.168.10.56/29 the networks are summarized to their Class C base network address of 192.168.10.0/24.

No auto-summary

The process of taking the subnets like 192.168.10.4/30 or 192.168.10.56/29 and not summarizing them down to their base network class. In the case of 192.168.10.4/30 or 192.168.10.56/29, the networks are never summarized to their Class C base network address of 192.168.10./24 when classful network boundaries are encountered.




D 192.168.10.36/30 [90/2172416] via 192.168.10.77, 00:12:01, Serial0/0/0

D 192.168.10.40/30 [90/2172416] via 192.168.10.77, 00:12:01, Serial0/0/0

D 192.168.10.64/30 [90/2172416] via 192.168.10.77, 00:12:01, Serial0/0/0

D 192.168.10.48/29 [90/2172416] via 192.168.10.77, 00:12:01, Serial0/0/0

D 192.168.10.80/29 [90/2172416] via 192.168.10.77, 00:12:01, Serial0/0/0

D 192.168.10.72/30 [90/2172416] via 192.168.10.77, 00:12:01, Serial0/0/0

D 192.168.10.56/29 [90/2172416] via 192.168.10.77, 00:12:01, Serial0/0/0

5. This is a small network and the routing tables are manageable.. However, if we had more routers, our routing tables would be rather large, which takes up memory and router processing parsing the routing table. What can we do to make our routing table smaller, more efficient, yet still keep all our connectivity from end to end? You guessed it! Summarization baby!

Lab 8.5: VLSM with Summarization Lab—Configuring SummarizationNow that we have configured the internetwork from end to end using VLSM and discontiguous networking, and EIGRP with the no auto-summary command to support the discontiguous net-work, it is time to configure summarization.

Summarization would be done on the boundaries of each contiguous configured net-work (routers 2811 A and 2811 F). Summarization is used by EIGRP under the interface configuration using the ip summary-address eigrp 10 network mask command.

Before we add the summary commands to routers 2811 A and 2811 F, we need to know what network and mask to add to the summary command. Remember, summary addresses are configured in block sizes, just like subnets. The summary address for the 2811 Router A would be 192.168.10.32, since we are starting at subnet 32; however, what is our summary mask? Well, what is the block size of our contiguous networks? Thirty-two (32). What mask provides a block size of 32? A /27, which is 255.255.255.224; this is our summary mask.

For the 2811 F configuration, we would start at subnet 192.168.10.64, which is also a summary mask of /27, since the contiguous networks fit in a block size of 32.

Lab 8.5: VLSM with Summarization Lab—Configuring Summarization 553

Lab Steps

1. Here is our configuration on both routers:

2811A#config t

2811A(config)#interface fa0/0

2811A(config-if)#ip summary-address eigrp 10 192.168.10.32 255.255.255.224

2811F#config t

2811F(config)#interface fa0/0

2811F(config-if)#ip summary-address eigrp 10 192.168.10.64 255.255.255.224

At this point, we have disabled automatic summarization under EIGRP since we need to support discontiguous networking. We then configured manual summarization at contiguous classful boundaries.

2. If we take a look at the routing tables now, we can see that 2811 Router A is summa-rizing the contiguous network with a 192.168.10.32/27 route into the 2811 Router F routing tables, which is then sent to the other routers connected to 2811 Router F.

2811F>en

2811F#show ip route

Network Layout

Use the network you were working with in Lab 8.4.


[output cut]



D 192.168.10.80/29 [90/2172416] via 192.168.10.66, 00:05:49, Serial0/0/1


D 192.168.10.72/30 [90/2172416] via 192.168.10.66, 00:05:49, Serial0/0/1

D 192.168.10.76/30 [90/2172416] via 192.168.10.70, 00:05:49, Serial0/0/0

D 192.168.10.32/27 [90/2172416] via 10.1.1.1, 00:05:49, FastEthernet0/0

D 192.168.10.88/29 [90/2172416] via 192.168.10.70, 00:05:49, Serial0/0/0



3. For 2811 Router A, the routing table now looks like this, which is sent to all routers connected to 2811 Router A.

2811A#show ip route

[output cut]






D 192.168.10.44/30 [90/2172416] via 192.168.10.38, 00:02:53, Serial0/0/0

D 192.168.10.40/30 [90/2172416] via 192.168.10.34, 00:02:53, Serial0/0/1

D 192.168.10.48/29 [90/2172416] via 192.168.10.34, 00:02:53, Serial0/0/1


D 192.168.10.56/29 [90/2172416] via 192.168.10.38, 00:02:53, Serial0/0/0

Our routing tables are smaller, more efficient, and easier for IP to parse.

Individual Labs (Comprehensive)

Introduction to Individual Labs

We offer CCNA labs that are comprehensive and self-contained. They stand on their own, and do not require configurations from prior labs. These labs are typically longer than the accumu-lative labs because you are starting with a non-configured network each time you bring up an Individual lab. You are totally configuring the network for each lab, from beginning to finish. We provide step-by-step instructions for these labs.

GradingWhen you have finished with each Individual lab ...

You can check your work by clicking the Grade Me button in the upper right hand corner of the Network Visualizer screen.


NN The name of the command entered for this lab



NN The result for each command. You will see a green checkmark (meaning that you got it correct) or a red X


Individual Lab: RIP Routing 557

Individual Lab: RIP RoutingConfiguring the routers with static and default routing is interesting to say the least. However, it is not very often that you would use just static and default routing in a network these days. This lab will have you configure Routing Information Protocol (RIP), one of the first dynamic routing protocols created. It is easy and works pretty well in small to medium size networks.




RIP

N Stands for routing information protocol.

NN Sends routing-update messages at regular intervals (usually every 30 seconds) and when the network topology changes.

N Uses a single metric called a hop, which measures the distance between the source and destination.

NN Is limited to a hop count of 15. It has a maximum hop count. This means a network cannot be more than 15 hops from the source to the destination. Otherwise the destination is deemed as unreachable.

N Has a timeout timer that is used on a period basis (usually every 30 seconds) for each known route. If the timer times out this usually means that path is no longer available. Therefore that route is removed from routing tables.

NN Does not support VLSM.

558 Individual Labs (Comprehensive)







Network Layout

On the Network Visualizer screen, click on the Labs menu then choose Individual, Routing Protocols, and RIP.


Lab Steps

Copy and Paste ScriptSteps 1-3 are necessary in order to perform this lab. If you do not want to manually complete these steps and want to accelerate steps 1 - 3, you can copy and paste the following script into the console for each router. After you get into user mode, copy and paste the script into the console. Click on the console and click your right mouse button. A pop-up menu will appear. Click Paste.



enable

config t

hostname 2621A

line vty 0 4

password todd

login


IP address 172.16.20.2 255.255.255.0


no shutdown

exit

exit

copy run start

enable

config t

hostname 2811A

line vty 0 1180

password todd

login


IP address 172.16.20.1 255.255.255.0


no shutdown


IP address 172.16.30.1 255.255.255.0


no shutdown

exit

exit

copy run start

enable

config t

hostname 2621B

line vty 0 4

password todd

login


IP address 172.16.30.2 255.255.255.0


no shutdown

exit

exit

copy run start



Router>enable

Router#config t













[OK]

2621A#


Router>enable

Router#config t

















[OK]

2811A#



Router>enable

Router#config t













[OK]

2621B#


Clock Rate


Dynamic Routing

The process of routers in an Intranet or internet advertising route information automat-ically between each other. There is typically a common dynamic routing protocol con-figured on each router. RIP Version 1 and 2, OSPF, EIGRP, and BGP are some examples of dynamic routing protocols. When all routers have received routing updates and have updated routing tables, the network is said to have converged. Convergence means that all routers in the internetwork have the same routing information. At this point, a routed protocol, IP for example, can send user data throughout the internetwork.


2621A#config t




That’s all there is to it! Dynamic routing is easy on small networks. The important thing to notice here is that the network address is a classful address, which means you use the classful boundary.

5. From 2621 Router B, configure RIP routing and tell RIP the network you want to advertise.

2621B#config t




Router RIP Command

Turns on RIP routing.

Network Command

Should be entered for each of the networks that the router is connected to and is a part of the RIP network. In our network we have only one network, network 172.16.0.0.

Classful Routing

Routing protocols (i.e., RIPv1 and IGRP) where subnet masks (routing masks) are not sent in the periodic routing updates. For example, we use a 172.16.0.0 class B network address and subnet that network with 24 bits of subnetting. This means the third octet is used for subnets and the fourth octet are the host addresses for each subnet. RIP is a classful routing protocol, which means that you do not type in any subnet addresses, only the class B address. When using a classful network protocol like RIP, make sure that all networked devices have the same subnet mask.



2811A#config t




Verify Configurations


2621A#show ip route


R 172.16.30.0 [120/1] via 172.16.20.1, 00:00:21, Serial0/0


2621A#

Notice the “R”, which means it is a RIP found route. The “C” is a directly connected network. You should see two directly connected routes and three RIP routes.


2621B#show ip route



R 172.16.20.0 [120/1] via 172.16.30.1, 00:00:13, Serial0/0

2621B#


2811A#show ip route




10. From 2621 Router B, use the debug ip rip command to see RIP updates being sent and received on the router.

2621B#debug ip rip

RIP protocol debugging is on

2621B#

then after a few seconds ....



*Oct 13 17:19:25.906: 172.16.20.0 in 2 hops


*Oct 13 17:19:25.906: 172.16.20.0 in 3 hops


*Oct 13 17:19:25.906: 172.16.20.0 in 4 hops


[output cut]


2621B#undebug all

12. To see detailed information about currently configured protocols on a router, use the show ip protocols command.

2621B#show ip protocols






Redistributing: rip

Default version control: send version 1, receive any version


Serial0/0 1 1 2


Maximum path: 4


172.16.0.0



172.16.30.1 120 00:00:11


2621B#

Notice the timers. RIP is sent out every 30 seconds by default. The administrative dis-tance for RIP is 120 by default.

Administrative distance is a measure of the trustworthiness of the source of the routing information. It is reported as a number between 0 and 255. The smaller the number, the more reliable the protocol. If you have, for example, two protocols IGRP and RIP config-ured on a router, the IGRP routes will be preferred over the RIP routes. This is because you have an administrative distance of 120 for RIP and 100 for IGRP.


Source Default Distance Value

Connected interface 0

Static route 1

Enhanced Interior Gateway Routing Protocol (EIGRP) summary route

5

External Border Gateway Protocol (BGP) 20

Internal EIGRP 90

IGRP 100

OSPF 110

Intermediate System-to-Intermediate System (IS-IS) 115

Routing Information Protocol (RIP) 120

Exterior Gateway Protocol (EGP) 140

On Demand Routing (ODR) 160

External EIGRP 170

Internal BGP 200

Unknown 255

13. Another really good command is the show protocols command, which shows you the routed protocol configuration of each interface.

2621B#show protocols

Global values:







2621B#


14. From 2811 Router A, use the show protocols command.

2811A#show protocols

Global values:










2811A#

RIPv2You will now configure RIPv2.

RIPv2 RIP does not carry subnet information. To overcome this, RIPv2 was created in 1994 to address some deficiencies in RIP. RIPv2 can carry subnet information. RIPv2 sends routing updates via multicast address 224.0.0.9. It also provides support for variable length subnet masks (VLSM) and discontiguous networking. RIPv2 is not automatically turned on with the router rip command. You must also specify it and use the version 2 command.


2621A#config t




That’s all there is to it! Since we have already added our directly connected networks under router rip in our last lab, we now just have to tell it to run version 2.


2621B#config t






2811A#config t




Verify Configurations


2621A#show ip route


R 172.16.30.0 [120/1] via 172.16.20.1, 00:00:13, Serial0/0


Notice the “R”, which means it is a RIP found route. The “C” is a directly connected network. The routing tables will look the same as version 1 unless you have VLSM net-works configured.

19. From the 2621 Router B, use the show ip route command to verify the routing table.

2621B#show ip route



R 172.16.20.0 [120/1] via 172.16.30.1, 00:00:09, Serial0/0


2811A#show ip route




21. From 2621 Router A, use the debug ip rip command to see RIP updates being sent and received on the router.

2621A#debug ip rip


2621A#undebug all


23. To see the routing protocol timers, use the show ip protocols command.







Redistributing: rip

Default version control: send version 2, receive version 2


Serial0/0 1 1 2


Maximum path: 4


172.16.0.0



172.16.20.1 120 00:00:07


2621A#

Notice the timers. RIP is sent out every 30 seconds by default. The administrative dis-tance is 120 by default. Both RIPv1 and RIPv2 use the same timers.

Individual Lab: IPv6 Static Routing


Internet Protocol Version 6 (IPv6) is the new addressing scheme that will eventually replace all IPv4 addresses. The IPv4 address scheme is no longer adequate to meet the needs of the growing Internet, and growing Intranets. IPv6 was also designed to increase routing performance and network scalability issues. IPv6 addresses are 128 bits in length.

Hexadecimal Groups IPv6 addresses are divided into eight, 16 bit hexadecimal groups. For example, 2001:0000:0000:0008:0000:0000:0000:0012 can be divided into ...

2001: 0000: 0000: 0008: 0000: 0000: 0000: 0012

1 2 3 4 5 6 7 8

Individual Lab: IPv6 Static Routing 569

The IPV6 address above can also be shortened to 2001:0:0:8:0:0:0:12 or 2001::8:0:0:0:12

Address Types There are three IPv6 address types:

NN Unicast

NN Anycast

NN Multicast

Unicast Types There are four unicast address types:

NN Link local

NN Unique local

NN Global

NN Special

IPv6 Bits IPv6 bit address can be divided into ...

48 bits 16 bits 64 bits

2001:0000:0000: 0008: 0000:0000:0000:0012

Global Prefix Subnet Interface ID

This lab will have you create an IPv6 network. In this network you will use IPv6 to create both default and static routing. The network used in this lab has IPv4 addresses already con-figured on each router interface. Having both IPv4 and IPv6 addresses on an interface is called DUAL stacking. You will also verify your IPv6 Static Routing configurations.










Network Layout

On the Network Visualizer screen, click on the Labs menu then choose Individual, Routing Protocols, and Static IPv6.rsm.


Lab Steps


2811A#en

2811A#config t



2811B#en

2811B#config t



2811C#en

2811C#config t
























5. Configure two IPv6 static routes on 2811 Router A.



2811A(config)#exit


The static routes will allow 2811 Router A to communicate with the rest of the network.

6. Configure a IPv6 default route on 2811 Router B.

2811B(config)#ipv6 route ::/0 2001::30:1

2811B(config)#exit


This default route will allow 2811 Router B to communicate with the rest of the network. 2811 Router B will use router 2811 A as a gateway of last resort.

7. Configure a IPv6 default route on 2811 Router C.

2811C(config)#ipv6 route ::/0 2001::20:1

2811C(config)#exit


This default route will allow 2811 Router C to communicate with the rest of the network. 2811 Router C will use router Router A as a gateway of last resort.

Verifying IPv6 Static Routing


2811A#show run

[output cut]

!


ip address 172.16.10.1 255.255.255.0


ipv6 address 2001::10:1/112

!

[output cut]

!



ip address 172.16.20.1 255.255.255.0


clockrate 2000000

ipv6 address 2001::20:1/112

!

[output cut]

!


ip address 172.16.30.1 255.255.255.0


clockrate 2000000

ipv6 address 2001::30:1/112

!

[output cut]

!

ipv6 route 2001::40:0/112 2001::30:2

ipv6 route 2001::50:0/112 2001::20:2

!

[output cut]

2811A#

As you can see, each interface has an IPv6 address. You can also see the IPv6 static routes that are configured.

9. On 2811 Router A, issue the show ipv6 interface command to see which router interfaces are configured for IPv6.

2811A#show ipv6 interface




2001::10:1, subnet is 2001::10:0/112


FF02::1

FF02::2

FF02::1:FF10:1

FF02::1:FF55:D408

MTU is 1500 bytes



[output cut]




Description: conn-to-2811A


2001::20:1, subnet is 2001::30:0/112


FF02::1

FF02::2

FF02::1:FF20:1

FF02::1:FF55:D408

MTU is 1500 bytes



[output cut]



Description: conn-to-2811C


2001::30:1, subnet is 2001::20:0/112


FF02::1

FF02::2

FF02::1:FF30:1

FF02::1:FF55:D408

MTU is 1500 bytes



[output cut]

2811A#

10. On 2811 Router A, issue the show ipv6 interface brief command to see a summary of the router interfaces configured for IPv6.

2811A#show ipv6 interface brief

FastEthernet0/0 [up/up]

FE80::21A:2FFF:FE55:D408

2001::10:1

FastEthernet0/1 [administratively down/down]

Serial0/0/0 [up/up]

FE80::21A:2FFF:FE55:D408

2001::20:1



Serial0/1/0 [up/up]

FE80::21A:2FFF:FE55:D408

2001::30:1


2811A#









C 2001::10:0/112 [0/0]


L 2001::10:1/128 [0/0]


C 2001::20:0/112 [0/0]

via ::, Serial0/0/0

L 2001::20:1/128 [0/0]

via ::, Serial0/0/0

C 2001::30:0/112 [0/0]

via ::, Serial0/1/0

L 2001::30:1/128 [0/0]

via ::, Serial0/1/0

S 2001::40:0/112 [1/0]

via 2001::30:2

S 2001::50:0/112 [1/0]

via 2001::20:2

L FE80::/10 [0/0]

via ::, Null0

L FF00::/8 [0/0]

via ::, Null0

2811A#

12. From 2811 Router A, ping the IPv6 Fast Ethernet addresses of routers 2811 B and 2811 C. Pinging will verify that your default and static routing configurations are correct.

2811A#ping ipv6 2001::40:1




!!!!!


2811A#

2811A#ping ipv6 2001::50:1



!!!!!


2811A#

Individual Lab: RIP IPv6 Routing (RIPng)


In this lab you will create an IPv6 RIPng network. The network used in this lab has IPv4 addresses already configured on each router interface. This will demonstrate DUAL stacking. You will also be given the commands to verify your RIPng routing configurations.







Individual Lab: RIP IPv6 Routing (RIPng) 577



Network Layout

On the Network Visualizer screen, click on the Labs menu then choose Individual, Routing Protocols, and RIP IPv6.rsm.


Lab Steps


2811A#en

2811A#config t



2811B#en

2811B#config t



2811C#en

2811C#config t












2811B(config)#interface fastthernet 0/0












5. On 2811 Router A, enable the IPv6 RIPng routing process from global and interface configuration mode.

2811A(config)#ipv6 router rip myripngprocess





2811A(config-if )ipv6 rip myripngprocess enable





Remember that the ipv6 unicast-routing command must be configured on the router before the RIPng routing process can be enabled. The previous labs had you configure the command on all routers so we will not do it here.

6. On 2811 Router B, enable the IPv6 RIPng routing process from global configuration mode.

2811B(config)#ipv6 router rip myripngprocess

2811B(config-rtr)#exit







7. On 2811 Router C, enable the IPv6 RIPng routing process from global configuration mode.

2811C(config)#ipv6 router rip myripngprocess

2811C(config-rtr)#exit








Verifying RIP IPv6 Routing (RIPng)


2811A#show run

[output cut]

!

ipv6 unicast-routing

ipv6 cef

!

[output cut]

!


ip address 172.16.10.1 255.255.255.0


ipv6 address 2001::10:1/112


!

[output cut]

!


ip address 172.16.20.1 255.255.255.0


ipv6 address 2001::20:1/112

clock rate 8000000


!


ip address 172.16.30.1 255.255.255.0


ipv6 address 2001::30:1/112


clock rate 8000000

no cdp enable

!

[output cut]

!

ipv6 router rip myripngprocess

[output cut]

2811A#


As you can see, RIPng is configured on each interface. You can also see the ipv6 RIP (RIPng) routing process.









C 2001::10:0/112 [0/0]


L 2001::10:1/128 [0/0]


C 2001::20:0/112 [0/0]

via ::, Serial0/0/0

L 2001::20:1/128 [0/0]

via ::, Serial0/0/0

C 2001::30:0/112 [0/0]

via ::, Serial0/1/0

L 2001::30:1/128 [0/0]

via ::, Serial0/1/0

R 2001::40:0/112 [120/2]

via FE80::215:FAFF:FED7:EDA0, Serial0/1/0

R 2001::50:0/112 [120/2]

via FE80::21A:2FFF:FE52:4808, Serial0/0/0

L FE80::/10 [0/0]

via ::, Null0

L FF00::/8 [0/0]

via ::, Null0

2811A#

10. On 2811 Router A, issue the show ipv6 protocols command to see the IPv6 protocols that are running on the router.

2811A#show ipv6 protocols

IPv6 Routing Protocol is "connected"

IPv6 Routing Protocol is "static"

IPv6 Routing Protocol is "rip myripngprocess"

Interfaces:


Serial0/0/1

Serial0/0/0

FastEthernet0/0

Redistribution:

None

2811A_aka_2811B#

11. From 2811 Router A, ping the IPv6 Fast Ethernet addresses of routers 2811 B and 2811 C. Pinging will verify that your RIPng configurations are correct.

2811A#ping ipv6 2001::40:1



!!!!!


2621B_aka_2811A#

2811A#ping ipv6 2001::50:1


Sending 5, 100-byte ICMP Echos to 2001::5 0:1, timeout is 2 seconds:

!!!!!


2621B_aka_2811A#

Individual Lab: PPP Encapsulation


The High-Level Data-Link Control protocol (HDLC) is a point-to-point protocol used on leased lines. No authentication can be used with HDLC and it is the default encapsulation used by Cisco routers over synchronous serial links. Cisco’s HDLC is proprietary—it won’t communicate with any other vendor’s HDLC implementation. If you wanted to either offer authentication on a serial link or to connect from a Cisco router to another vendor router, then we need to configure PPP on the serial interfaces.

Individual Lab: PPP Encapsulation 583

PPP (Point-to-Point Protocol) is a data-link protocol that can be used over asynchronous serial (dial-up) media and uses the LCP (Link Control Protocol) to build and maintain data-link connections. The basic purpose of PPP is to transport layer-3 packets across a Data Link layer point-to-point link.

This lab will have you configure PPP on all four serial networks, and replace HDLC as the encapsulation method on our serial links.










Network Layout

On the Network Visualizer screen, click on the Labs menu then choose Individual, WAN, and PPP.


Lab Steps

Copy and Paste ScriptSteps 1-3 are necessary in order to perform this lab. If you do not want to manually com-plete these steps and want to accelerate steps 1 - 3, you can copy and paste the following script into the console for each router. After you get into user mode, copy and paste the script into the console. Click on the console and click your right mouse button. A pop-up menu will appear. Click Paste.



enable

config t

hostname 2621A

line vty 0 4

password todd

login


ip address 172.16.20.2 255.255.255.0


no shutdown

exit

exit

copy run start

enable

config t

hostname 2811A

line vty 0 1180

password todd

login


ip address 172.16.20.1 255.255.255.0


no shutdown


ip address 172.16.30.1 255.255.255.0


no shutdown

exit

exit

copy run start

enable

config t

hostname 2621B

line vty 0 4

password todd

login


ip address 172.16.30.2 255.255.255.0


no shutdown

exit

exit

copy run start



Router>enable

Router#config t










2621A(config)#exit




[OK]

2621A#


Router>enable

Router#config t

















[OK]

2811A#



Router>enable

Router#config t













[OK]

2621B#

4. Now, configure each router with OSPF.








2621B(config-router)#exit


Clock Rate







5. Bring up the console for 2811 Router A and change the encapsulation on the serial links from HDLC to PPP.






2811A#



2621B(config-if)#encapsulation ppp


2621B#

7. Connect to 2621 Router A and change the encapsulation on the serial link from HDLC to PPP.




2621A#

That’s all there is to it. This part is easy.

Verifying PPP EncapsulationOnce you have replaced HDLC as the serial encapsulation method, then you need to verify your network is still working properly.

The first command to use is the show ip route command to make sure all your IP routes are still present.


2621A#show ip route

[output cut]



O 172.16.30.0/24 [110/74] via 172.16.20.1, 07:50:33, Serial0/0



2621A#


2621B#show ip route

[output cut]




O 172.16.20.0/24 [110/74] via 172.16.30.1, 07:50:33, Serial0/0

2621B#


2811A#show ip route

[output cut]






2811A#

11. From 2811 Router A, use the show interface command to see the serial link encapsulation.









[output cut]










Configuring PPP Authentication with CHAPNow that the network should be up and working with PPP, you can use PPP authentication to stop unwanted users from connecting to your network. Although, this is typically used with dial-up, it still can be used with serial interfaces.

This lab will have you configure PPP authentication on all router’s serial interfaces using the CHAP protocol.

Challenge Authentication Protocol (CHAP) is used at the initial startup of a link and at period checkups on the link to make sure the router is still communicating with the same host. After PPP finishes its initial phase, the local router sends a challenge request to the remote device. The remote device sends a value calculated using a one-way hash function called MD5. The local router checks this hash value to make sure it matches. If the values don’t match, the link is immediately terminated.

12. To configure PPP authentication, first set the hostname of the router if it is not already set (this is not an option!). Then set the username and password for the remote router connecting to your router. For example, if you are connected to 2621 Router A and want to configure authentication, you would set the hostname and then create a username that consists of the router you are going to connect to, in this example, 2811 Router A.

This is shown below:

Router#config t




When using the hostname command, remember that the username is the hostname of the remote router connecting to your router. It is case-sensitive. Also, the password on both routers must be the same. It is a plain-text password and can be seen with a show run command.

You must have a username and password configured for each remote system you are going to connect to. The remote routers must also be configured with usernames and passwords.

13. After you set the hostname, usernames, and passwords, choose the authentication as shown in the following example:

2621A#config t






2621A(config)#

14. Open a console to 2621 Router A and create a username of 2811 Router A and with a password of cisco. Then configure the serial interface 0/0 to use ppp authentication of chap.





2621A#

15. Open a console to 2621 Router B and create a username of 2811 Router A and with a password of cisco. Then configure the serial interface 0/0 to use ppp authentication of chap.

2621B#config t

2621B(config)#username 2811A password cisco


2621B(config-if)#ppp authentication chap


2621B#

16. Open a console to 2811 Router A and create a username of 2621 Router A and 2621 Router B and with a password of cisco. Then configure the serial interfaces 0/0/1 and 0/1/1 to use ppp authentication of chap.


2811A(config)#username 2621B password cisco






2811A#

Verifying PPP with AuthenticationOnce you have configured PPP with authentication as the serial encapsulation method, then you need to verify your network is still working properly.

The first command to use is the show ip route command to make sure all your IP routes are still present. The next command to use is the show interface command.



2621A#show ip route

[output cut]


O 172.16.30.0/24 [110/74] via 172.16.20.1, 08:08:48, Serial0/0



2621A#


2621B#show ip route

[output cut]




O 172.16.20.0/24 [110/74] via 172.16.30.1, 08:08:48, Serial0/0

2621B#


2811A#show ip route

[output cut]






2811A#

20. From 2811 Router A, use the show interface command to see the serial link encapsulation.









Keepalive set (10)




















2811A#









Keepalive set (10)




















Individual Lab: Frame Relay Switching


Frame Relay provides connection-oriented, Data Link layer communication via virtual circuits. These virtual circuits are logical connections created between two DTEs across a packet-switched network, which is identified by a DLCI, or Data Link Connection Identifier.

Also, Frame Relay uses both PVCs (Permanent Virtual Circuits) and SVCs (Switched Virtual Circuits, which is a form of dialup), although most Frame Relay networks use only PVCs. This virtual circuit provides the complete path to the destination network prior to the sending of the first frame.

Frame Relay provides a communications interface between DTE (data terminal equip-ment) and DCE (data circuit-terminating equipment, such as packet switches) devices. DTE consists of terminals, PCs, routers, and bridges—customer-owned end-node and Internetworking devices. DCE consists of carrier-owned internetworking devices.

Frame Relay sends packets at the Data Link Layer (layer 2) of the OSI model rather than at the network layer (layer 3). A frame can incorporate packets from different protocols.



Individual Lab: Frame Relay Switching 595

Network Layout

On the Network Visualizer screen, click on the Labs menu then choose Individual, WAN, and Frame Relay.








Understand Frame Relay

Frame Relay Uses Virtual Circuits`Frame Relay provides connection-oriented, Data Link layer communication via virtual circuits. These virtual circuits are logical connections created between two DTEs across a packet-switched network, which is identified by a DLCI, or Data Link Connection Identifier.

Also, Frame Relay uses both PVCs (Permanent Virtual Circuits) and SVCs (Switched Virtual Circuits, which is a form of dialup), although most Frame Relay networks use only PVCs. This virtual circuit provides the complete path to the destination network prior to the sending of the first frame.

Configuring Frame Relay EncapsulationWhen configuring Frame Relay on Cisco routers, you need to specify it as an encapsula-tion on serial interfaces. There are only two encapsulation types: Cisco and IETF (Internet Engineering Task Force). The following router output shows the two different encapsula-tion methods when choosing Frame Relay on your Cisco router:

2621A#config t


2621A(config-if)#encapsulation frame-relay ?

ietf Use RFC1490 encapsulation

<cr>

The default encapsulation is Cisco unless you manually type in IETF, and Cisco is the type used when connecting two Cisco devices. You’d opt for the IETF-type encapsulation if you needed to connect a Cisco device to a non-Cisco device with Frame Relay.

Frame Relay DLCIFrame Relay virtual circuits (PVCs) are identified by Data Link Connection Identifiers (DLCIs). A Frame Relay service provider, such as the telephone company, typically assigns DLCI values, which are used by Frame Relay to distinguish between different virtual cir-cuits on the network. Because many virtual circuits can be terminated on one multipoint Frame Relay interface, many DLCIs are often affiliated with it.

Individual Lab: Frame Relay Switching 597

For the IP devices at each end of a virtual circuit to communicate, their IP addresses need to be mapped to DLCIs. This mapping can function as a multipoint device—one that can identify to the Frame Relay network the appropriate destination virtual circuit for each packet that is sent over the single physical interface. The mappings can be done dynami-cally through IARP (Inverse ARP) or manually through the frame relay map command.

DLCI numbers, used to identify a PVC, are typically assigned by the provider and start at 16. Configuring a DLCI number to be applied to an interface is shown below:

2621A(config-if)#frame-relay interface-dlci ?

<16-1007> Define a DLCI as part of the current subinterface

2621A(config-if)#frame-relay interface-dlci 16

Frame Relay LMIThe Local Management Interface (LMI) was developed in 1990 by Cisco Systems, StrataCom, Northern Telecom, and Digital Equipment Corporation and became known as the Gang-of-Four LMI or Cisco LMI. This gang took the basic Frame Relay protocol from the CCIT and added extensions onto the protocol features that allow internetworking devices to communicate easily with a Frame Relay network.

The LMI is a signaling standard between a CPE device (router) and a frame switch. The LMI is responsible for managing and maintaining status between these devices.

If you’re not going to use the auto-sense feature of LMI, you’ll need to check with your Frame Relay provider to find out which type to use instead. The default type is Cisco, but you may need to change to ANSI or Q.933A. The three different LMI types are depicted in the router output below.

2621A(config-if)#frame-relay lmi-type ?

cisco

ansi

q933a

2621A(config-if)#frame-relay lmi-type ansi

You can have multiple virtual circuits on a single serial interface and yet treat each as a separate interface. These are known as subinterfaces. Think of a subinterface as a hardware interface defined by the IOS software. An advantage gained through using subinterfaces is the ability to assign different Network layer characteristics to each subinterface and virtual circuit, such as IP routing on one virtual circuit and IPX on another.

Subinterfaces with Frame RelayYou define subinterfaces with the int s0.subinterface number command as shown below. You first set the encapsulation on the serial interface, and then you can define the subinterfaces.

2621A(config-int)#encapsulation frame-relay

2621A(config-int)#exit


2621A(config)#int s0/0.?


2621A(config)#int s0/0.16 ?

multipoint Treat as a multipoint link

point-to-point Treat as a point-to-point link

2621A(config)#int s0/0.16 point-to-point


You can define an almost limitless number of subinterfaces on a given physical interface (keeping router memory in mind). In the above example, we chose to use subinterface 16 because that represents the DLCI number assigned to that interface. However, you can choose any number between 0 and 4,292,967,295.

Configuring Frame-Relay

Lab StepsNow that you should have a background on how to configure basic Frame Relay on a Cisco router, this lab will have you configure 2811 Router A as a Frame Relay switch. Then you’ll configure routers 2621 A and 2621 B as remote Frame Relay connections.

1. Open a console for 2811 A and configure the hostname.

Router>enable

Router#config t


2811A(config)#

Once your router is clear, you can now make them a Frame Relay switch with the frame-relay switching command. However, that is the easy part. You need to map every DLCI on the switch. Of course the router only has two connections, so it is not too time consuming, but if you had dozens of PVCs, this could take a while.

2811 A

serial 0/0/1 DLCI 16

serial 0/1/1 DLCI 17

On the frame relay switch, use the frame relay route command to map each and every DLCI. Here is an example:


2811A(config-if)#frame-relay route 17 interface serial 0/1/1 16


2811A(config)#

Configuring Frame-Relay 599

This command tells the switch that if it receives a frame on serial 0/0/1 with a PVC of 16, then send it out serial 0/1/1 using a PVC of 17. Again, in our network, this configura-tion will only be two routes so it’s not a big deal.

2. On 2811 Router A configure the Frame Switching. No IP addresses are assigned to the routes interfaces. Remember, this is a Data Link layer function only, so IP is irrelevant to this configuration.

2811A(config)#frame-relay switching












2811A#

Configuring Frame Relay with SubinterfacesNow that the Frame-Relay switching router is configured, you need to configure the remote routers. You will bring up the console for routers 2621 A and 2621 B and configure them for Frame Relay configuration using subinterfaces.

Since the Frame-Relay switches are not using IP addressing, connecting from routers 2621 A to 2621 B, for example, will use one subnet and appear like a direct connection. Use subnet 172.16.100.0.

3. Open a console on 2621 Router A and configure the serial 0/0 interface with a Frame Relay subinterface. To perform this, you must remove the IP address and IPX network number from the serial interface. In this lab we do not have an existing IP address but we wanted to include the configuration to remove it. You may be constructing your own network and already have an IP address for s0/0 and you will need to remember to remove it.

Router>enable

Router#config t



2621A(config-if)#no ip address


2621A(config-if)#encapsulation frame-relay

2621A(config-if)#int s0/0.16 point-to-point



2621A(config-subif)#frame-relay interface-dlci 16

2621A(config-subif)#ctrl+z

2621A#

4. Open a console on 2621 Router B and configure the serial 0/0 interface with a Frame Relay subinterface.

Router>enable

Router#config t



2621B(config-if)#no ip address


2621B(config-if)#encapsulation frame-relay

2621B(config-if)#int s0/0.17 point-to-point

2621B(config-subif)#ip address 172.16.100.2 255.255.255.0

2621B(config-subif)#frame-relay interface-dlci 17

2621B(config-subif)#ctrl+z

2621B#

5. Verify the Frame-Relay connection is up and running. Ping from 2621 Router A to 2621 Router B.

2621A#ping 172.16.100.2



!!!!!


2621A#

Verifying Frame Relay

There are several ways to check the status of your interfaces and PVCs once you have Frame Relay encapsulation set up and running. You can use the show frame-relay command with a question mark (?) to get the command options:

2621A#show frame ?

ip show frame relay IP statistics

lapf show frame relay lapf status/statistics

lmi show frame relay lmi statistics

map Frame-Relay map table

Configuring Frame-Relay 601

pvc show frame relay pvc statistics

qos-autosense show frame relay qos-autosense information

route show frame relay route

rtp show frame relay RTP statistics

svc show frame relay SVC stuff

traffic Frame-Relay protocol statistics

6. Change to the console for 2621 Router A.

7. The show frame-relay lmi command will give you the LMI traffic statistics exchanged between the local router and the Frame Relay switch.

2621A#show frame lmi

LMI Statistics for interface Serial0/0 (Frame Relay DTE) LMI TYPE = CISCO

Invalid Unnumbered info 0 Invalid Prot Disc 0

Invalid dummy Call Ref 0 Invalid Msg Type 0

Invalid Status Message 0 Invalid Lock Shift 0

Invalid Information ID 0 Invalid Report IE Len 0

Invalid Report Request 0 Invalid Keep IE Len 0

Num Status Enq. Rcvd 1748 Num Status msgs Sent 1748

Num Update Status Sent 0 Num St Enq. Timeouts 0

2621A#

The router output from the show frame-relay lmi command shows you LMI errors as well as the LMI type.

8. The show frame pvc command will list all configured PVCs and DLCI numbers. It pro-vides the status of each PVC connection and traffic statistics. It will also give you the number of BECN and FECN packets received on the router.

2621A#show frame pvc

PVC Statistics for interface Serial0/0 (Frame Relay DTE)

DLCI = 16 , DLCI USAGE = LOCAL , PVC STATUS = ACTIVE , INTERFACE = Serial0/0.16

input pkts 11290 output pkts 11277 in bytes 898590

out bytes 899156 dropped pkts 2 in FECN pkts 0

in BECN pkts 0 out FECN pkts 0 out BECN pkts 0

in DE pkts 0 out DE pkts 0

out bcast pkts 11264 out bcast bytes 898468

pvc create time 13:25:57, last time pvc status changed 13:25:39

2621A#

9. You can also use the show interface command to check for LMI traffic. The show interface command displays information about the encapsulation as well as layer-2 and layer-3 information.

The LMI DLCI is used to define the type of LMI being used. If it is 1023, it is the default LMI type of Cisco. If the LMI DLCI is zero, then it is the ANSI LMI type.


2621A#show int s0/0





Encapsulation FRAME-RELAY, loopback not set

Keepalive set (10)

FR SVC disabled, LAPF state down

LMI enq sent 41, LMI stat recvd 22, LMI upd recvd 0, DTE LMI down

LMI enq recvd 4, LMI stat sent 0, LMI upd sent 0

LMI DLCI 1023 LMI type is CISCO frame relay DTE

Broadcast queue 0/64, broadcasts sent/dropped 0/0, interface broadcasts 0

[output cut]

2621A#

The show interface command displays line, protocol, DLCI and LMI information.

10. The show frame map command will show you the Network layer-to-DLCI mappings.

2621A#show frame map

Serial0/0.16 (up): point-to-point dlci, dlci 16(0x66,0x1860), broadcast


2621A#

Individual Lab: EIGRP Routing


Enhanced Interior Gateway Routing Protocol (EIGRP) is a Cisco proprietary hybrid routing protocol. If you want your routers to share information they must all:

NN have EIGRP running

NN use the same AS numberWhen you have finished with this lab ...

Individual Lab: EIGRP Routing 603








EIGRP

NN Stands for Enhanced Interior Gateway Routing Protocol

NN Uses properties of both distance vector and link state


NN Has a maximum hop count of 255

NN Will automatically overwrite RIP (which has a default administrative distance of 120) routes in the routing table

NN Uses autonomous systems (AS) to create groups of routers that share routing information

NN Classless routing protocol but configured in a classful manner

NN Uses RTP Reliable Transport Protocol

NN Uses DUAL Reliable Transport Protocol

NN Supports VLSM, summarization, and discontiguous networking

NN Supports IP v4 and v6, IPX, AppleTalk


Network Layout

On the Network Visualizer screen, click on the Labs menu then choose Individual, Routing Protocols, and EIGRP.


Lab Steps




enable

config t

hostname 2621A

line vty 0 4

password todd

login


ip address 172.16.20.2 255.255.255.0


no shutdown

exit

exit

copy run start

enable

config t

hostname 2811A

line vty 0 1180

password todd

login


ip address 172.16.20.1 255.255.255.0


no shutdown


ip address 172.16.30.1 255.255.255.0


no shutdown

exit

exit

copy run start

enable

config t

hostname 2621B

line vty 0 4

password todd

login


ip address 172.16.30.2 255.255.255.0


no shutdown

exit

exit

copy run start



Router>enable

Router#config t













[OK]

2621A#


Router>enable

Router#config t

















[OK]

2811A#



Router>enable

Router#config t













[OK]

2621B#

4. Go to the console screen for 2621 Router A and ping interface s 0/0 on 2621 Router B. The packet will travel through 2811 Router A on its way to router 2621 B.

2621A#ping 172.16.30.2



.....


2621A#

No routing protocol is set up. The routing table for router 2621 A does not know how to get to the destination address.


2621A#config t


Clock Rate





2621A#

6. Configure 2621 Router B to use EIGRP with an AS of 10.

2621B#config t



2621B(config-router)


2811A#config t




2811A(config)#

8. Now that we have EIGRP on every router, go to router 2621 A and ping 172.16.30.2 on router 2621 B.

2621A#ping 172.16.30.2



.....


2621A#

It did not work. Click on the Net Detective icon to see if we can find out why the ping was not successful.


You will see the following information:

1. Network 172.16.0.0 was not found in the routing tables for 2621 Router A.

2. The desired address falls outside of the protocol networks set up for one or more of the devices.

3. The desired IP address of 172.16.30.2 was not found. None of the interfaces in the current network have been configured with this IP address.

We know that Network 172.16.0.0 is in the routing table. Maybe #2 is true. Ok, I found it. The AS number for 2811 Router A is wrong. Change it from 15 to 10.

9. First, remove router eigrp 15 and put the correct command in.

2811A(config)#no router eigrp


(We forgot to put 15 in the command. Try again)





2811A#

10. Now the ping should work. Go to 2621 Router A and ping interface f 0/0 on 2621 B.

2621A#ping 172.16.30.2



!!!!!


2621A#

Net Detective®

Unless you are an expert in using routers and switches, you might enter a command, have it not work, and not immediately know what you did wrong. We have tried to bridge that gap with Net Detective®. There are several hundred commands that Net Detective monitors. If something does not work properly, clicking on the Net Detective button may prove be helpful. For example, if you are unsuccessful in trying to ping between 2600 A and 2600 B, Net Detective® will provide a several suggestions as to what is possibly wrong.


Verifying EIGRPSince EIGRP has a better administrative distance then IGRP and RIP, all the routing tables should have EIGRP found routes (D). Use the show ip route command and other EIGRP show commands to verify EIGRP.


2621A#show ip route










D 172.16.30.0 [90/2172416] via 172.16.20.1, 02:20:56, Serial0/0


2621A#

Notice the route that begins with D. These are EIGRP routes.



Routing Protocol is "eigrp 10"





EIGRP metric weight K1=1, K2=0, K3=1, K4=0, K5=0

EIGRP maximum hop count 100

EIGRP maximum metric variance 1

Redistributing: eigrp 10


Maximum path: 4


172.16.0.0



172.16.20.1 90 00:12:28

Distance: internal 90 external 170

2621A#



2621B#show ip route

[output cut]



D 172.16.20.0 [90/2172416] via 172.16.30.1, 02:22:00, Serial0/0

2621B#


2811A#show ip route

[output cut]




2811A#

15. From 2621 Router A, use the show ip eigrp neighbors command to see the EIGRP neighbor table. This table holds information about the router’s directly connected neighbors.

2621A#show ip eigrp neighbor

IP-EIGRP neighbors for process 10

H Address Interface Hold Uptime SRTT RTO Q Seq Type

(sec) (ms) cnt Num

0 172.16.20.1 S0/0 12 02:28:04 20 200 0 1

2621A#

16. From 2621 Router A, use the show ip eigrp topology command to see the EIGRP topology table. This table shows the entire network as 2621 Router A understands it.

2621A#show ip eigrp topology

IP-EIGRP Topology Table for AS(10)/ID(172.16.20.2)

Codes: P - Passive, A - Active, U - Update, Q - Query, R - Reply,

r - reply Status, s - sia Status


via 172.16.20.1 (2172416/28160), Serial0/1/1


via Connected, Serial0/0

2621A#


Individual Lab: Single Area OSPF


This section will discuss the OSPF routing process.OSPF an open standards routing protocol that has been implemented by a wide variety of

network vendors, including Cisco. The benefit of an approach based on open standards is that equipment from multiple vendors can interoperate as long as their implementations are com-pliant with the appropriate Requests for Comments (RFCs). This does not mean that vendors are forced to restrict their implementations to only the features documented in the RFCs. On the contrary, Cisco and others have added features to their versions of OSPF that may not be found in other vendors’ implementations. Knowing which features are standards based and which are proprietary becomes important when deploying multivendor OSPF networks.

N Stands for open shortest path first

NN Uses the concept of an area, which is a grouping of contiguous OSPF networks and hosts

N Is a link-state routing protocol

NN Has no maximum hop count

N Has an administrative distance of 110

NN Includes equal-cost multipath routing

N Supports VLSM and discontiguous networks


This program only supports a single area OSPF network, which will always be area 0.



Individual Lab: Single Area OSPF 613

Network Layout

On the Network Visualizer screen, click on the Labs menu then choose Individual, Routing Protocols, and Single Area OSPF.








Lab Steps





enable

config t

hostname 2621A

line vty 0 4

password todd

login


ip address 172.16.20.2 255.255.255.0


no shutdown

exit

exit

copy run start

enable

config t

hostname 2811A

line vty 0 1180

password todd

login


ip address 172.16.20.1 255.255.255.0


no shutdown


ip address 172.16.30.1 255.255.255.0


no shutdown

exit

exit

copy run start

enable

config t

hostname 2621B

line vty 0 4

password todd

login


ip address 172.16.30.2 255.255.255.0


no shutdown

exit

exit

copy run start


Router>enable

Router#config t














[OK]

2621A#


Router>enable

Router#config t





2811A(config-line)#int s0/1/1












[OK]

2811A#

3. Double-click. After the console screen comes up, perform the following commands.

Router>enable

Router#config t



Clock Rate













[OK]

2621B#


The command to activate the OSPF routing process is as follows:

2621A(config)#router ospf ?

<1-65535>

A value in the range 1– 65535 identifies the OSPF Process ID, which is a unique number on this router that groups a series of OSPF configuration commands under a specific running process. Different OSPF routers do not have to use the same Process ID in order to communicate. It’s purely a local value and its number is basically irrel-evant. The only time an OPSF number would matter is when you have multiple OSPF Autonomous Systems(AS) connecting together on the same network.

This lab will be pretty simple as far as OSPF goes. We’ll start the process on each router, then configure the interfaces to be in OSPF area 0. This is much more complicated then any of the other routing protocols we have configured, but simple nonetheless for OSPF. However, since EIGRP has a better administrative distance then OSPF, we need to also disable the EIGRP routing processes on each router.

You will start the OSPF process by issuing the following command, as an example:


After starting the OSPF process (and disabling EIGRP on each router), you need to identify the interfaces on which to activate OSPF communications and the area in which each resides. This will also configure the networks you will advertise to others. This is achieved with the following command as an example:

2621A(config-router)#network 10.0.0.0 0.255.255.255 area ?

<0-4294967295> OSPF area ID as a decimal value

A.B.C.D OSPF area ID in IP address format


A 0 (zero) octet in the wildcard mask indicates that the corresponding octet in the net-work must match exactly. A 255, on the other hand, indicates that you do not care what the corresponding octet is in the network number. A network and wildcard mask combi-nation of 1.1.1.1 0.0.0.0 would match 1.1.1.1 only and nothing else. This is useful if you want to activate OSPF on a specific interface in a very clear and simple fashion. If you insist on matching a range of networks, the network and wildcard mask combination of 1.1.0.0 0.0.255.255 would match anything in the range 1.1.0.0–1.1.255.255. It’s simpler and safer to stick to using wildcard masks of 0.0.0.0 and identifying each OSPF interface individually.

Remember that OSPF routers will only become neighbors if their interfaces share a network that is configured to belong to the same area number. The format of the area number is either a decimal value from the range 0–4294967295 or a value represented in standard dotted-decimal notation. Area 0.0.0.0 is a legitimate area, for example, and is identical to area 0. Again, we only support area 0 in this module at this time.

4. Configure 2621 Router A to advertise both directly connected networks with OSPF. The router OSPF number does not matter; use whatever feels good to you. The number can even all be the same on all routers, or they can be different. In this lab we will use different numbers.





5. Configure 2621 Router B to advertise both directly connected networks with OSPF.

2621B(config)#config t


Anatomy of a Command: Network 172.16.20.2 0.0.0.0 area 0

Network 172.16.20.2 0.0.0.0 area 0—tells the OSPF process to advertise the interface 172.16.20.2 into area 0.

172.16.20.2 The network number.

0.0.0.0 The wildcard mask of 0.0.0.0 tells the process to match each octet exactly.

0 The final argument is the area number. It indicates the area to which the interfaces identified in the network and wildcard mask portion belong. It tells the OSPF process to advertise the interface 172.16.20.2 into area 0.

The combination of the two first two numbers identifies the interfaces that OSPF will operate on and that will also be included in its OSPF Link State Advertisements (LSA).




Now, let’s go over what we have configured on 2621 Router B. Please understand that all we are doing is advertising OSPF networks and this lab is showing the many ways to accomplish the same thing.

The command network 172.16.30.2 0.0.0.0 area 0 tells the OSPF process to adver-tise the interface 172.16.30.2 into area 0. The wildcard mask of 0.0.0.0 tells the pro-cess to match all four octets exactly.

6. Configure the 2811 A router to advertise all directly connected networks with OSPF.






Verify OSPF

7. The show ip ospf command is used to display OSPF information for one or all OSPF processes running on the router. Information contained therein includes the Router ID, area information, SPF statistics, and LSA timer information. Here is a sample output from 2621 Router A:

2621A#show ip ospf














Area ranges are






Flood list length 0

2621A#

8. The information displayed by the show ip ospf database command indicates the number of links and the neighboring Router ID. The output is broken down by area. Here is a sample output from 2621 Router A:

2621A#show ip ospf database

OSPF Router with ID (172.16.20.2) (Process ID 100)

Router Link States (Area 0)

Link ID ADV Router Age Seq# Checksum Link count

172.16.20.2 172.16.20.2 475 0x80000003 0x0030F9 3

172.16.30.1 172.16.30.1 475 0x80000003 0x0030F9 3

172.16.30.2 172.16.30.2 475 0x80000003 0x0030F9 3

2621A#

9. The show ip ospf interface command displays all interface-related OSPF infor-mation. Data is displayed about OSPF information for all interfaces or for specified interfaces. Information includes the interface IP address, area assignment, Process ID, Router ID, network type, cost, priority, DR/BDR (if applicable), timer intervals, and adjacent neighbor information. Here is a sample output:

2621A#show ip ospf interface



Process ID 100, Router ID 172.16.20.2, Network Type POINT_TO_POINT, Cost: 64

Transmit Delay is 1 sec, State POINT_TO_POINT,

No designated router on this network

No backup designated router on this network




Next 0x0(0)/0x0(0)




Adjacent with neighbor 172.16.30.1


2621A#


Notice in the above output that the hello timer is set to 10 seconds and the dead timer is set to 40. If two or more routers are connected together, the timers must be set exactly the same.

10. The show ip ospf neighbor command is very useful. It summarizes the pertinent OSPF information regarding neighbors and the adjacency state. If a DR or BDR exists, that information is also displayed. Here is an output from 2621 Router A:



172.16.30.1 1 FULL/DROTHER 00:00:36 172.16.20.1 serial

2621A#

11. The show ip protocols command is useful whether you’re running OSPF, EIGRP, IGRP, RIP, BGP, ISIS, or any other routing protocol you can configure on your router. It provides an excellent overview of the actual operation of all currently running protocols.


Routing Protocol is "ospf 100"



Router ID 172.16.20.2


Maximum path: 4


172.16.20.2 0.0.0.0 area 0

172.16.40.0 0.0.0.255 area 0



172.16.30.1 110 00:00:09

172.16.30.2 110 00:00:09


2621A#

12. Based upon this output, you can determine the OSPF Process ID, OSPF Router ID, type of OSPF area, networks and areas configured for OSPF, and OSPF Router IDs of neighbors.


Individual Lab: OSPF DR and BDR ElectionsYou need to fully understand the terms neighbors and adjacencies because they’re really crucial to the DR and BDR election process. The election process happens when a broad-cast or nonbroadcast multi-access network is connected together. (Think Ethernet or Frame Relay.)






N The expected configuration


Individual Lab: OSPF DR and BDR Elections 623



Network Layout

On the Network Visualizer screen, click on the Labs menu then choose Individual, Routing Protocols, and OSPF DR BDR.


Neighbors Routers that share a common segment become neighbors on that segment. These neighbors are elected via the Hello protocol. Hello packets are sent periodically out of each interface using IP multicast. Two routers won’t become neighbors unless they agree on the following:

Area-ID The idea here is that the two routers interfaces have to belong to the same area on a particular segment. And of course, those interfaces have to belong to the same subnet.

Authentication OSPF allows for the configuration of a password for a specific area. Although authentication between routers isn’t required, you have the option to set it if you need to do so. Also, keep in mind that in order for routers to become neighbors, they need to have the same password on a segment if you’re using authentication.

Hello and Dead Intervals OSPF exchanges Hello packets on each segment. This is a keep-alive system used by routers to acknowledge their existence on a segment and for electing a designated router (DR) on both broadcast and nonbroadcast multi-access segments.

The Hello interval specifies the amount of seconds between Hello packets. The Dead interval is the number of seconds that a router’s Hello packets can go without being seen before its neighbors declare the OSPF router dead (down). OSPF requires these intervals to be exactly the same between two neighbors. If any of these intervals are different, the routers won’t become neighbors on that segment. You can see these timers with the show ip ospf interface command.

Adjacencies In the election process, adjacency is the next step after the neighboring process. Adjacent routers are routers that go beyond the simple Hello exchange and pro-ceed into the database exchange process. In order to minimize the amount of information exchanged on a particular segment, OSPF elects one router to be a designated router (DR) and one router to be a backup designated router (BDR) on each multi-access segment.

The BDR is elected as a backup router in case the DR goes down. The idea behind this is that routers have a central point of contact for information exchange. Instead of each router exchanging updates with every other router on the segment, every router exchanges informa-tion with the DR and BDR. The DR and BDR then relay the information to everybody else.

DR and BDR Elections DR and BDR election is accomplished via the Hello protocol. Hello packets are exchanged via IP multicast packets on each segment.

However, only segments that are broadcast and nonbroadcast multi-access networks (examples are Ethernet and Frame Relay) will perform DR and BDR elections. Point-to-point links, like a serial WAN for example, will not have a DR election process.

On a broadcast or nonbroadcast multi-access network, the router with the highest OSPF priority on a segment will become the DR for that segment. This priority is shown with the show ip ospf interface command. The default priority for a router interface is one. If all routers have the default priority set, the router with the highest Router ID (RID) will win.

The RID is determined by the highest IP address on any interface at the moment of OSPF startup. This can be overridden with a loopback (logical) interface. If you set a router’s interface to a priority value of zero, that router won’t participate in the DR or BDR election on that interface. The state of the interface with priority zero will then be DROTHER.


Lab Steps

1. Double-click 2621 Router A in order to bring up the console screen.

2. Configure the hostname.

Router>enable

Router#config t


3. Configure the router with OSPF.



4. Configure interface Fa0/0 for the 2621 Router A router.






5. Use the menu to change to the console for the 2621 Router B.


Router>enable

Router#config t





8. Configure interface Fa0/0 for the 2621 B router.






9. Use the menu to change to the console for the 2811 Router A.



Router>enable

Router#config t





12. Configure interface Fa0/0 for the 2811 A router.





2811A(config-if)#copy run start

13. Use the menu to change to the console for the 2811 Router B.


Router>enable

Router#config t





16. Configure interface Fa0/0 for the 2811 B router.






17. In 2621 Router A verify the RID of your router. Use the show ip ospf command on the router to gather this information.

2621A#show ip ospf















Area ranges are





Flood list length 0

2621A#

18. Enter the command show ip ospf interface fa0/0 to verify area ID, DR, BDR information and the hello and dead timers of the interface connected to the 10.1.1.0 network.

2621A#show ip ospf interface fa0/0




Transmit Delay is 1 sec, State DROTHER, Priority 1

Designated Router (ID) 10.10.10.4 , Interface address 10.10.10.4

Backup Designated router (ID) 10.10.10.3 , Interface address 10.10.10.3




Next 0x0(0)/0x0(0)




Adjacent with neighbor 10.10.10.3(Backup Designated Router)

Adjacent with neighbor 10.10.10.2(Other Designated Router)

Adjacent with neighbor 10.10.10.4(Designated Router)


2621A#


19. By looking at the show ip ospf interface fa0/0 output, which router is the DR? Which router is the BDR?

20. Verify the network type of your router. Since the connection is on an Ethernet LAN, the Network Type is BROADCAST. What would the Network Type be if you were viewing a serial connection? Answer: point-to-point.

21. The priority of all routers, by default, is 1. If you were to change the priority to 0, then the router would never participate in the election process for the LAN (remember that elections do not occur on serial point-to-point links).

22. Change the priority of a router that you choose to become the new DR. Choose any router that is not the DR at this moment.

23. Enable the debugging process that allows you to see the DR and BDR election take place. Use the command debug ip ospf adjacency on the router that will become the DR.

24. For the router that was chosen to become the new DR, set your priority of the FastEthernet 0/0 interface to 3. Here is how you do that:

config t

int fa0/0

ip ospf priority 3

25. Now shut down all the Fa0/0 interfaces of all four routers.

26. Now enable all four routers’ fa0/0 interfaces with the no shut command.

27. The election should take place and the router you have chosen with the highest priority should now be the DR.

28. Type show ip ospf interface fa0/0 to verify the DR and BDR information.

Hopefully you also noticed the debug output of the election process. The priority of a router’s interface can be set all the way up to 255.

Individual Lab: Configuring VLANs


Configuring VLANs is the easy part of the job. It is trying to understand which users you want in each VLAN that is time consuming. Once you have decided the number of VLANs you want to create and the users that will be members of each VLAN, you can create your VLAN. We will set up VLANs on 3550 Switch A and 3560 Switch A. We will test intraVLAN routing and then use router 2811 A to create interVLAN routing.

Individual Lab: Configuring VLANs 629










Network Layout

On the Network Visualizer screen, click on the Labs menu and then choose Individual, VLANS and then VLANS and InterVLAN.


Lab Steps

Setting Up VLANS

1. Double-click 3550 Switch A to bring up the console screen.

Switch>enable

Switch#config t

Switch#hostname 3550A

3550A#exit

2. To configure VLANs on the 3550 series switch, you can configure the VLANs from the VLAN database. You do this from privileged mode, not configuration mode. Type vlan database:

3550A#vlan database

3. To configure VLANs on the 3550 switch, use the vlan # name name command. The following shows an example of creating three VLANs.

3550A(vlan)#vlan 2 name Sales

VLAN 2 added:

Name: Sales

3550A(vlan)#vlan 4 name Marketing

VLAN 4 added:

Name: Marketing

3550A(vlan)#vlan 7 name Research

VLAN 7 added:

Name: Research

3550A(vlan)#exit

APPLY completed.

Exiting....

3550A#

4. You must apply your changes to the switch. You can either use the apply command or use the exit command which will then apply the changes.



6. Once the VLANs are created, verify your configuration with the show vlan command.

3550A#show vlan


---- -------------------------------- --------- -------------------------------


Fa0/6, Fa0/7, Fa0/8, Fa0/9

Fa0/10

2 Sales active

4 Marketing active

7 Research active





[output cut]

7. You can configure each port to be in a VLAN by using the switchport access vlan # command. You can only configure VLANs one port at a time. In the follow-ing example, we configure interface 1 to VLAN 2, interface 5 to VLAN 7, and inter-face 10 to VLAN 4.

3550A#config t

















3550A(config)#exit





[OK]

3550A#


3550A#show vlan


---- -------------------------------- --------- -------------------------------


Fa0/8, Fa0/9



7 Research active Fa0/5





[output cut]

Interface fa0/1 is a member of VLAN 2, interface fa0/05 a member of VLAN 5, and interface fa0/10 is a member of VLAN 4.

10. Another command you can use to see the ports assigned to a VLAN is show running-config.

3550A#show run

[output cut]

!




!




!




!

[output cut]

3550A#


11. Now let us move on to 3560 Switch A. By using the console menu, change to the 3560 Switch A console screen.

12. Add a hostname to 3560 Switch A.

switch>enable

switch#config t

switch#hostname 3560A

3560A#exit

13. Initially, let us issue the show vlan command to verify that there are no VLANs associated with 3560 Switch A.

3560A#show vlan


---- -------------------------------- --------- -------------------------------


Fa0/6, Fa0/7, Fa0/8, Gi0/1





[output cut]

No VLANs!

14. We now need to configure two ports, one for each VLAN by using the switchport access vlan # command. You can only configure VLANs one port at a time. In the following example, we configure interface 2 to VLAN 2 and interface 8 to VLAN 4.














3560A(config)#exit




[OK]

3560A#

16. We can verify what we did with the two ports with the show run command.

3560A#show run

[output cut]

!




!




!

[output cut]

3560A#

Setting Up Trunk PortsNow that we have set up VLANs on both switches, we will now set up trunking, first start-ing with 3550 Switch A. Trunk links are 100 or 1000 Mbps point-to-point links between two switches, between a switch and router, or between a switch and server. Trunked links carry the traffic of multiple VLANs, from 1 to 1005 at a time. You cannot run trunked links on 10Mbps links, nor would you want to. Remember that an access link is a port on a switch that is a member of only one VLAN.


In this network 3560 Switch A is connected to 3550 Switch A via interface Fa0/3 on each device. That is what we are going to use to set our trunk port between the two switches.

17. Move to 3550 Switch A through the console menu.

18. To configure trunking on a 3550 port, use the interface command switchport mode trunk command. In this lab we will set it up for interface Fa0/3.

3550A#config t


3550A(config-if)#switchport trunk encapsulation ?

dot1q Interface uses only 802.1q trunking encapsulation when trunking

isl Interface uses only ISL trunking encapsulation when trunking

negotiate Device will negotiate trunking encapsulation with peer on interface



19. By default, traffic from all VLANs is sent over a trunk link. To change the VLANs per-mitted to send traffic on a trunk link, use the switchport trunk allowed vlan except # command. The command allows traffic from all VLANs except the VLANs listed. Earlier we set up VLAN 7; for now we do not want to allow VLAN 7 to send traffic across the trunk link.

3550A(config-if)#switchport trunk allowed vlan except 7

20. The above command sets the trunking interface to allow traffic from all VLANs except for VLAN 7.


21. To verify your trunk ports, use the show running-config command.


3550A(config)#exit

3550A#show run

[output cut]

!


switchport trunk allowed vlan 1-6,8-1005



!

[output cut]

22. Notice in the above output that all VLANs are allowed except for VLAN 7.


24. To configure trunking on a 3560 port, use the interface command switchport mode trunk command. In this lab we will configure interface fa0/3.

3560A#config t


3560A(config)#switchport trunk encapsulation dot1q


25. To verify your trunk port, use the show running-config command.


3560A(config)#exit

3560A#show run

[output cut]

!




!

[output cut]

Configuring VTP DomainEvery Catalyst switch is configured by default to be a VTP server. To configure VTP, first configure the domain name you want to use, as discussed in the next section. Once you configure the VTP information on a switch, you need to verify the configuration.



27. Use the vtp global configuration mode command to set this information. In the follow-ing example, we explicitly set 3550 Switch A to be a VTP server, which it already is, and then set the VTP domain to routersim.

3550A(config)#vtp mode server

Device mode already VTP SERVER.



3550A(config)#

28. After you configure the VTP information, you can verify it with the show vtp status command.


VTP Version : 2




VTP Operating Mode : Server







Local updater ID is 172.16.10.17 on interface Vl1 (lowest numbered VLAN interface found)

3550A#



30. Set the switch to a VTP client and then set the VTP domain to routersim.


3560A(config)#vtp mode client

Device mode already VTP CLIENT



3560A(config)#exit




VTP Version : 2




VTP Operating Mode : Client







Local updater ID is 172.16.10.3 on interface Vl1 (lowest numbered VLAN interface

found)

3560A#


32. VLAN information should now be propagated from 3550 Switch A to 3560 Switch A. Confirm this with the show vlan command.

3560A#show vlan


---- -------------------------------- --------- -------------------------------

1 default active Fa0/1, Fa0/4, Fa0/5, Fa0/6, Fa0/7

Gi0/1



7 Research active





VLAN 7 will not be allowed to pass any traffic on the trunk link because we issued the command switchport trunk allowed vlan except 7 in step 18.


IntraVLAN and InterVLAN RoutingIn previous labs we have set up VLANs 2 and 4 for the 3550 and 3560 switches. We will first set up the proper subnetting so that we can place Hosts A and C in VLAN 2 and Hosts B and D in VLAN 4. We will then have you test this by communicating with the VLANs. Then we will set up interVLAN routing so that Hosts from VLANs 2 and 4 can communicate with each other. Network devices in different VLANs cannot communicate with each other without sending traffic through a router. In this lab we will use 2811 A router to perform the 802.1q routing so that we can route traffic between the two VLANs.

Two new subnets will be needed. We will use subnets 172.16.20.0/24 and 172.16.30.0/24. Router 2811 A FastEthernet 0/0 interface will stay at 172.16.10.1/24; however, the IP address needs to be moved to a subinterface, which we’ll do in a minute.

33. We should now configure our hosts. VLAN 2 will have a subnet of 172.16.20.0/24 and VLAN 4 will have a subnet of 172.16.30.0/24. We will now change the current IP addresses of the hosts so they are in their proper VLAN. Change the IP addresses and default gateways of the four hosts.

Host IP Address New Default Gateway Subnet Mask

A 172.16.20.2 172.16.20.1 255.255.255.0

B 172.16.30.3 172.16.30.1 255.255.255.0

C 172.16.20.3 172.16.20.1 255.255.255.0

D 172.16.30.2 172.16.30.1 255.255.255.0

34. Right mouse click Host A.




NN IP Address

NN Subnet Mask

NN Default Gateway


subnet mask when you split up an IP network it is used to determine what section or subnet the IP address of the networked device belongs to. An IP address has two parts, the network address and the host address.

Let us examine IP address 172.16.10.6. Assuming this is part of a Class B network, the first two numbers (172.16) represent the Class B network address, and the second two numbers (10.6) identify a particular host on this network.


IP Address: 172.16.20.2

Subnet Mask: 255.255.255.0



On Host B configure:

NN IP Address

NN Subnet Mask

NN Default Gateway

IP Address: 172.16.30.3

Subnet Mask: 255.255.255.0




NN IP Address

NN Subnet Mask

NN Default Gateway

IP Address: 172.16.20.3

Subnet Mask: 255.255.255.0




NN IP Address

NN Subnet Mask

NN Default Gateway

IP Address: 172.16.30.2

Subnet Mask: 255.255.255.0


41. Click the OK button and then the Close button. Now double-click Host A.


42. Verify you have set up the VLANs correctly by pinging from Host A to Host C.

C:\>ping 172.16.20.3










C:\>

Once you can ping, you know you have configured at least one VLAN correctly. At this time, Host A and Host C cannot ping anything else in the network except each other.

43. At this point you should not be able to ping Host B even though it is connected to the same switch.

C:\>ping 172.16.30.3


Request timed out.

Request timed out.

Request timed out.

Request timed out.





C:\>

44. Verify you have set up the VLANs correctly by pinging from Host B to Host D.

C:\>ping 172.16.30.2










C:\>


Once you can ping, you know you have configured both VLANs correctly. At this time, Host B and Host D cannot ping anything else in the network except each other.

45. To have the hosts ping outside their own VLAN, you must setup some type of routing. You also need to setup a trunk link between the switch and the router. Use the 2811 Router A FastEthernet 0/0 interface and create 802.1q routing. Create three subinterfaces, one for each VLAN. To establish a trunk link between 3550 Switch A and the 2811 router, config-ure FastEthernet 0/4, on 3550 Switch A as a trunk port with 802.1q encapsulation.

2811A>enable

2811A#config t

2811A(config)#int fa0/0.1



2811A(config-subif)#int fa0/0.2






2811A(config-subif)#exit

2811A(config)#exit




[OK]

2811A#

3550A#config t




46. Verify your sub-interface configurations with the show run command.


[output cut]

!


no ip address


!


Individual Lab: Configuring VLANs on a 1900 Switch 645


ip address 172.16.10.1 255.255.255.0

!



ip address 172.16.20.1 255.255.255.0

!



ip address 172.16.30.1 255.255.255.0

!

[output cut]

47. At this point, the hosts should be able to ping all hosts and 2811 Router A.

Individual Lab: Configuring VLANs on a 1900 Switch


Configuring VLANs is the easy part of the job. It is trying to understand which users you want in each VLAN that is time consuming. Once you have decided the number of VLANs you want to create and the users that will be members of each VLAN, you can create your VLAN. You can create up to 64 VLANs on a 1900 switch.










Network Layout

On the Network Visualizer screen, click on the Labs menu then choose Individual, 1900 Switch VLANs.


Lab Steps

1. Double-click switch 1900 A to bring up the console screen.

2. To configure VLANs on the 1900 series switch, choose “k” from the initial user inter-face menu to get into IOS configuration. Press “k” to enter the CLI mode, and enter global configuration mode using the enable command and then config t.


User Interface Menu

[M] Menus

[K] Command Line

Enter Selection: k



3. Use the vtp global configuration mode command to set this information. In the follow-ing example, we set the switch to a VTP server and the VTP domain to routersim.

A Catalyst is configured by default to be a VTP server, as are all switches. To config-ure VTP, first configure the domain name you want to use, as discussed in the next section. Once you configure the VTP information on a switch, you need to verify the configuration.

Vtp is a protocol used between switches to simplify the management of VLANs. You can make configuration changes on one switch and have those changes automatically communicated to all the other switches in the network. You can designate one switch as the VTP Server and the others as VTP clients. The VTP Server then communicates changes to the VTP clients.


1900A(config)#vtp ?

client VTP client

domain Set VTP domain name

password Set VTP password

pruning VTP pruning

server VTP server

transparent VTP transparent

trap VTP trap

1900A(config)#vtp server



1900A(config)#exit

1900A#show vtp

VTP version: 1


Configuration revision: 3

Maximum VLANs supported locally: 1005

Number of existing VLANs: 7

VTP domain name : routersim

VTP password :

VTP operating mode : Server

VTP pruning mode : Disabled

VTP traps generation : Enabled


1900A#


5. To configure VLANs on an IOS-based switch, use the vlan [vlan#] name [vlan name] command. The following will demonstrate how to configure VLANs on the switch by creating three VLANs for three different departments.

>en

#config t



1900A(config)#vlan 2 name sales

1900A(config)#vlan 3 name marketing

1900A(config)#vlan 4 name mis

1900A(config)#exit


Once the VLANs are created, verify your configuration with the show vlan command.

1900A#show vlan


--------------------------------------

1 default Enabled 1-12,A,B,AUI

2 sales Enabled

3 marketing Enabled

4 mis Enabled





--------------------------------------

[output cut]


7. You can configure each port to be in a VLAN by using the vlan-membership command. You can only configure VLANs one port at a time. In the following example, we config-ure interface 2 to VLAN 2, interface 4 to VLAN 3, and interface 5 to VLAN 4.

1900A#config t



1900A(config-if)#vlan-membership ?

dynamic Set VLAN membership type as dynamic

static Set VLAN membership type as static

1900A(config-if)#vlan-membership static ?

<1-1005> ISL VLAN index







1900A(config)#exit


1900A#show vlan


--------------------------------------

1 default Enabled 1,3,6-12,A,B,AUI

2 sales Enabled 2

3 marketing Enabled 4

4 mis Enabled 5





--------------------------------------

[output cut]

9. Another command you can use to see the ports assigned to a VLAN is show vlan-membership. Notice that this command shows each port on the switch, which VLAN the port is a member of, and the membership type (static or dynamic).

1900A#show vlan-membership

Port VLAN Membership Type

-----------------------------

1 1 Static

2 2 Static


3 1 Static

4 3 Static

5 4 Static

6 1 Static

7 1 Static

8 1 Static

9 1 Static

10 1 Static

11 1 Static

12 1 Static

AUI 1 Static

A 1 Static

B 1 Static

1900A#

Configuring Trunk PortsTrunk links are 100 or 1000 Mbps point-to-point links between two switches, between a switch and router, or between a switch and server. Trunked links carry the traffic of mul-tiple VLANs, from 1 to 1005 at a time. You cannot run trunked links on 10Mbps links.

trunk port assigned to a port, allowing that port to carry traffic for any or all of the VLANs accessible by a particular switch. It marks frames with special identifying tags (i.e. 802.1Q) as they pass between switches, so each frame can be routed to its intended VLAN.

10. To configure trunking on a FastEthernet port, use the interface command trunk [parameter]. The following switch output shows the trunk configuration on interface 26 to trunk on.

1900A#config t



1900A(config-if)#trunk ?

auto Set DISL state to AUTO

desirable Set DISL state to DESIRABLE

nonegotiate Set DISL state to NONEGOTIATE

off Set DISL state to OFF

on Set DISL state to ON

1900A(config-if)#trunk on

11. The following list describes the different options available when setting a trunk interface.

NN The interface will become trunk only if the connected device is set to on or desirable


NN If a connected device is either on, desirable, or auto, it will negotiate to become a trunk port.

NN The interface becomes a permanent ISL trunk port and will not negotiate with any attached device.

NN The interface is disabled from running trunking and tries to convert any attached device to be on-trunk as well.

NN The interface becomes a permanent ISL trunk port. It can negotiate with a con-nected device to convert the link to trunk mode.

12. To verify your trunk ports, use the show trunk command. If you have more than one port trunking and want to see statistics on only one trunk port, you can use the show trunk [port_number] command.

FastEthernet port 0/26 is identified by trunk A and port 0/27 is identified by trunk B. Below we demonstrate how to view the trunk port on interface 26:

1900A#show trunk ?

A Trunk A

B Trunk B

1900A#show trunk a

DISL state: On, Trunking: On, Encapsulation type: ISL

Notice in this output that DISL is on, trunking is on, and ISL is the VLAN-encapsulation type on trunk links.

Configuring Inter-Switch Link (ISL) RoutingTo support ISL routing on one FastEthernet 2600 interface, the router’s interface is divided into logical interfaces, one for each VLAN. These are called subinterfaces and Cisco also calls this router-on-a-stick.

isl routing in a switched network, it allows you to identify VLAN membership of a frame as it travels between switches.

Each of the hosts in their VLAN must use the same subnet addressing. To configure the router-on-a-stick for inter-VLAN routing, you need to complete three steps:

NN Enable ISL trunking on the switch port the router connects to

NN Enable ISL encapsulation on the router’s subinterface

NN Assign an IP address to the subinterface and other logical addressing if applicable (IP, for example)

13. To create a subinterface from global configuration mode, choose the FastEthernet interface, a period, and then a number. You will now be in the (config-subif) prompt for the interface. We will use a 2621 router in this lab.

14. Move to the console screen for 2621 Router A.


15. Before we work with a subinterface we need to make sure the main interface of f 0/0 is up. Then let us go to the subinterface fa0/0.1.

Router>enable

Router#config t

2621A#hostname 2621A

2621A#(config-if)int fa0/0


16:27:04 %LINK-3-UPDOWN: Interface FastEthernet0/0, changed state to up

16:27:04 %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to up

2621A(config-if)#int fa0/0.1


16. To configure ISL routing on a subinterface, use the encapsulation isl [vlan-number] command. You can then assign an IP address to the subinterface. This is a unique sub-net and all the hosts on that VLAN should be in that same subnet.

2621A(config-subif)#encapsulation isl 1


Grade MeBefore you remove VTP, you might want to click the Grade Me button to check your work.

18. To delete the VTP information configured on a 1900 switch, you must use the delete vtp command. The following switch output shows how to delete the VTP NVRAM database.

1900A#delete ?



1900A#delete vtp

This command resets the switch with VTP parameters set to factory defaults. All other parameters will be unchanged.

Reset system with VTP parameters set to factory defaults, [Y]es or [N]o? YesOnce you type in the command, you will be prompted to set the VTP information back

to the factory default configuration.

Individual Lab: Standard IP Access-Lists 653

Individual Lab: Standard IP Access-Lists


This lab will have you block access to network 172.16.40.0 from Host F. Access-lists can be tricky because if you do not create your lists correctly, you can bring the network down. In this lab we will need to configure routers, hosts, and switches before we set up access-lists.

standard IP access lists uses source addresses for filtering packets. A collection of permit and deny conditions is applied to IP addresses.





N The expected configuration


N The result for each command. You will see a green checkmark (meaning that you got it correct) or a red X



Lab Steps

Copy and Paste Script

Steps 1-3 are necessary in order to perform this lab. If you do not want to manually complete these steps and want to accelerate steps 1 - 3, you can copy and paste the following script into the console for each router. After you get into User mode, copy and paste the script into the

Network Layout

On the Network Visualizer screen, click on the Labs menu then choose Individual, Access-Lists, and Standard IP Access.





enable

config t

hostname 2621A

line vty 0 4

password todd

login


ip address 172.16.40.1 255.255.255.0


no shutdown


ip address 172.16.20.2 255.255.255.0


no shutdown

exit

exit

copy run start

enable

config t

hostname 2811A

line vty 0 1180

password todd

login


ip address 172.16.20.1 255.255.255.0


no shutdown


ip address 172.16.30.1 255.255.255.0


no shutdown

exit

exit

copy run start

enable

config t

hostname 2621B

line vty 0 4

password todd

login


ip address 172.16.50.1 255.255.255.0


no shutdown


ip address 172.16.30.2 255.255.255.0


no shutdown

exit

exit

copy run start



Router>enable

Router#config t

















[OK]

2621A#


Router>enable

Router#config t


















[OK]

2811A#


Router>enable

Router#config t

















[OK]

2621B#

Clock Rate

You do not have to set a clock rate if the DCE side of your connection is a 2811 router. The clock rate for the serial interface is set by default to 2000000. However, you still need to explicitly set the clock rate. In our lab the DCE side of the connection is inter-face serial 0/1/1 and serial 0/0/1.


4. We need to add a routing protocol such as RIP. Add RIP for each router with a net-work of 172.16.0.0.

2621A#config t




2621B#config t




2811A#config t




Configuring Hosts E and F




NN IP Address

NN Subnet Mask

NN Default Gateway


IP Address: 172.16.40.3

Subnet Mask: 255.255.255.0






NN IP Address

NN Subnet Mask

NN Default Gateway

IP Address: 172.16.50.3

Subnet Mask: 255.255.255.0



Configuring SwitchesWe now need to configure 2950 Switch A and 2960 Switch A.

13. Bring up the console for switch 2950 A.



switch>enable

switch#config t






2950A(config)#



2950A(config)#exit

2950A#

IP Default-Gateway

This is used on devices where no routing information is provided by the router that tells you how to get to the next, directly connected device. It tells us what pathway to use to send packets to the next, directly connected device. In the previous set of commands the ip default-gateway is 172.16.40.1 because that is the IP address of interface f0/0 on A.



16. Change to the console so you can work with 2960 Switch A.

17. Configure 2960 Switch A with an IP address and default-gateway.

switch>enable

switch#config t







2960A(config)#exit

2960A#

18. Close the console screen.

19. Double-click Host F on the network.


20. Verify that you can ping to 2950 Switch A and that you can ping Host E from Host F.

C:\ping 172.16.40.2










C:\>ping 172.16.40.3










C:\>


21. From the Host F menu, bring up the console for A.

22. Create an access-list that blocks access from host F trying to get to network 172.16.40.0.

2621A#config t



That’s all were going to do for the list. Remember that IP standard access-lists should be created closest to the destination network, which is why we built that access-list on 2621 Router A. It is directly connected to network 172.16.40.0.


23. After creating an access-list for 2621 Router A, we now need to add the access-list to the serial 0/0 interface of 2621 Router A.



This applied the access-list 10 to the serial 0/0 interface of 2621 Router A and filtered any incoming packets.

24. Check to see that Host F can no longer ping to 172.16.40.2 and 172.16.40.3.

C:\>ping 172.16.40.2


Request timed out.

Request timed out.

Request timed out.

Request timed out.

C:\>

C:\>ping 172.16.40.3


Request timed out.

Request timed out.

Request timed out.

Request timed out.

C:\>


25. If the access-list is correct, all other devices should still be able to reach network 172.16.40.0. Ping from 2621 Router B and verify that you can reach 172.16.40.2 and 172.16.40.3.

2621B#ping 172.16.40.2



!!!!!


2621B#

2621B#ping 172.16.40.3



!!!!!


2621B#

Verifying Standard IP Access-ListsPinging and telneting through the internetwork is a really good way to verify the network and access-lists. However, using the Cisco IOS commands is also a good way to verify the lists.

26. Bring up the console for 2621 Router A and type show access-list to see the list configured on the router.




deny 172.16.50.3

permit any

2621A#

27. You can also type either show ip access-list or show access-list 10 to gather specific list configurations.



deny 172.16.50.3

permit any

2621A#

28. To see which interface has access-lists applied, use the show ip interface command.


[output cut]






MTU is 1514 bytes





[output cut]

29. The show running-config is useful to see both the access-list and to verify the inter-face where the access-list is applied.

2621A#show run

[output cut]

!

interface Serial0/0


ip address 172.16.20.2 255.255.255.0


ip access-group 10 in

!

[output cut]

Applying an Access-List to a VTY LineYou will have a difficult time trying to stop users from telnetting into a router because any active port on a router is fair game for VTY access. However, you can use a standard IP access list to control access by placing the access-list on the VTY lines themselves.

To perform this function:

30. Create a standard IP access list that permits only the host or hosts you want to be able to telnet into the routers.

31. Apply the access list to the VTY line with the access-class command.

This lab will have you stop Host F from telnetting into 2621 Router A.


2621A#config t







34. Verify that Host F can telnet into 2621 Router A.

C:\>telnet 172.16.20.2

Connecting To 172.16.20.2 ...



Password:

2621A>

35. Exit from your telnet session.

2621A>exit

Connection to host lost.

C:\>

36. Connect to 2621 Router A and block Telnet access for Host F, but allow all other devices to telnet to 2621 Router A.

2621A#config t



37. Apply the access-list directly to the VTY lines and not to an interface.


2621A(config-line)#access-class 20 in


2621A#

38. Verify that Host F can no longer telnet into 2621 Router A.

C:\>telnet 172.16.20.2


C:\>


39. Use the Host F menu to go to the 2621 Router B console.

40. Verify that 2621 Router B can still telnet into 2621 Router A.

2621B#telnet 172.16.20.2

Trying 172.16.20.2 ... Open



Password:

2621A>

Individual Lab: Extended IP Access-Lists


In this lab we will create a new access-list that is more succinct on 2621 Router A. We want Host F to use the services on the 172.16.40.0 network, but we do not want them to telnet into 2950 Switch A.

When you have finished with this lab ...

Individual Lab: Extended IP Access-Lists 669









Lab Steps

Copy and Paste ScriptSteps 1-3 are necessary in order to perform this lab. If you do not want to manually complete these steps and want to accelerate steps 1 - 3, you can copy and paste the following script into the console for each router. After you get into User mode, copy and paste the script into the

Network Layout

On the Network Visualizer screen, click on the Labs menu then choose Individual, Access-Lists, and Extended IP Access.





enable

config t

hostname 2621A

line vty 0 4

password todd

login


ip address 172.16.40.1 255.255.255.0


no shutdown


ip address 172.16.20.2 255.255.255.0


no shutdown

exit

exit

copy run start

enable

config t

hostname 2811A

line vty 0 1180

password todd

login


ip address 172.16.20.1 255.255.255.0


no shutdown


ip address 172.16.30.1 255.255.255.0


no shutdown

exit

exit

copy run start

enable

config t

hostname 2621B

line vty 0 4

password todd

login


ip address 172.16.50.1 255.255.255.0


no shutdown


ip address 172.16.30.2 255.255.255.0


no shutdown

exit

exit

copy run start



Router>enable

Router#config t

















[OK]

2621A#


Router>enable

Router#config t


















[OK]

2811A#


Router>enable

Router#config t

















[OK]

2621B#

4. We need to add a routing protocol such as RIP. Add RIP for each router with a network of 172.16.0.0.

2621A#config t




2621B#config t

Clock Rate

You do not have to set a clock rate if the DCE side of your connection is a 2811 router. The clock rate for the serial interface is set by default to 2000000. However, on 2621 router you still need to explicitly set the clock rate. In our lab the DCE side of the con-nection is interface serial 0/1/1 and serial 0/0/1.





2811A#config t




Configuring Hosts E and F




NN IP Address

NN Subnet Mask

NN Default Gateway

IP Address: 172.16.40.3

Subnet Mask: 255.255.255.0







NN IP Address

NN Subnet Mask

NN Default Gateway

IP Address: 172.16.50.3

Subnet Mask: 255.255.255.0



Configuring SwitchesWe now need to configure 2950 Switch A and 2960 Switch A.

13. Bring up the console for 2950 Switch A.


switch>enable

switch#config t







2950A(config)#



2950A(config)#exit

2950A#

IP Default-Gateway

This is used on devices where no routing information is provided by the router that tells you how to get to the next, directly connected device. It tells us what pathway to use to send packets to the next, directly connected device. In the previous set of com-mands the ip default-gateway is 172.16.40.1 because that is the IP address of interface f0/0 on 2621 Router A.


16. Change to the console so you can work with 2960 Switch A.

17. Configure 2960 Switch A with an IP address and default-gateway.

switch>enable

switch#config t







2960A(config)#exit

2960A#

18. Close the console screen and bring up the Host F console.

19. Verify that Host F can now ping 172.16.40.2 and 172.16.40.3.

C:\ping 172.16.40.2










C:\>ping 172.16.40.3










C:\>


20. Create an access-list on 2621 Router A to block telnet access into the 172.16.40.0 net-work, but still allow Host F to ping Host E.

2621A#config t

2621A(config)#access-list 110 deny tcp host 172.16.50.3 172.16.40.0 0.0.0.255 eq telnet

2621A(config)#access-list 110 permit ip any any

This access-list blocked source address 172.16.50.3 from telneting into 172.16.40.0.

21. Apply this access-list to the serial interface 0/0 of 2621 Router A to filter the packets coming into the router.




2621A#

22. Test the access-list by trying to telnet 172.16.40.2 From Host F (remember, you cannot telnet to a host). All other devices should be able to telnet to 172.16.40.2.

C:\>telnet 172.16.40.2


C:\>

Verifying Extended IP Access-listsWe will use the same command as we did to verify the IP Standard Access-lists. Go to 2621 Router A (if you created the list on 2621 Router A) and verify your access list. Remember that ping and telnet are really good tools to verify your network as well.

23. From 2621 Router A, type the show access-list command to see the configured list.




permit ip any any

2621A#

24. Use the show access-list 110 command to see only list 110.





permit ip any any

2621A#

25. You can also use show ip access-list to see only the IP access-list configured on your router.

2621A#show ip access-list



permit ip any any

2621A#

26. Verify which interface has an access-list set by using the show ip interface command on 2621 Router A.






MTU is 1514 bytes





[output cut]

2621A#

Removing Extended IP Access-lists


2621A#config t





You can just type no access-list 110 to remove the access-list, but you must type the whole command from the interface to remove the list from the interface on the router.


29. Verify that you have removed the extended IP access-list.


[output cut]

!

interface Serial0/0


ip address 172.16.20.2 255.255.255.0


!

[output cut]

Individual Lab: Network Address Translation (NAT) and Port Address TranslationWhen Do You Use NAT?

At times NAT decreases the overwhelming amount of Public IP addresses required in your networking environment. And NAT comes in really handy when two companies that have duplicate internal addressing schemes merge. NAT is also great to have around when an organization changes its Internet Service Provider (ISP) and the networking manager doesn’t want to hassle with changing the internal address scheme.

Here’s a list of situations when it’s best to have NAT on your side:

NN You need to connect to the Internet and your hosts do not have globally unique IP addresses.

NN You change to a new ISP that requires you to renumber your network.

NN You require two Intranets with duplicate addresses to merge.


Advantages and Disadvantages of Implementing NAT


Conserves legally registered addresses Translation introduces switching path delays

Reduces address overlap occurrence Loss of end-to-end IP traceability



Increases flexibility when connecting to Internet

Certain applications will not function with NAT enabled

Eliminates address renumbering as network changes

Initially, you will configure NAT on 2811 Router A to translate the private IP address of 192.168.10.0 to a public address of 171.16.10.0.




N The name of the command entered for this lab


N Your configuration


N A score of the number of correct answers out of the total possible


Network Layout

On the Network Visualizer screen, click on the Labs menu then choose Individual, NAT-PAT, and NAT-PAT.


Command Summary for NAT/PAT Lab

Command Purpose

IP nat inside source list acl pool name Translates IPs that match the ACL from the pool

IP nat inside source static inside_addr outside_addr

Statically maps an inside address to an outside address

IP nat pool name Creates an address pool

IP nat inside Sets an interface to be an inside interface

IP nat outside Sets an interface to be an outside interface

Show ip nat translations Shows current NAT translations

Setting up the NAT LabYou will set up IP addresses on Router interfaces, plus, turn on EIGRP on every router. Configure Routers with the IP addresses listed below:

Router IP Address Scheme


2811 A S0/0/0 171.16.10.1/24

2811 B F0/0 192.168.10.1/24

2811 B S0/0/0 171.16.10.2/24

2811 C F0/0 192.168.10.2/24

2811 C F0/1 192.168.20.1/24

2811 Router D F0/1 192.168.20.2/24


Lab Steps

1. Double-click 2811 Router A in order to bring up the console screen. Configure Router.

Router>enable

Router#config t












[OK]

2811A#

2. Use the console menu to bring up the console screen for 2811 Router B .


Router>enable

Router#config t





2811B(config-if)#int fa0/0







2811B(config-router)#no auto-summary





[OK]

2811B#


4. Use the console menu to bring up the console screen for 2811 Router C.


Router>enable

Router#config t


2811C(config-if)#int fa0/0



2811C(config-if)#int fa0/1











[OK]

2811C#

Auto-summary

The process of taking subnets like 192.168.10.4/30 or 192.168.10.56/29 and summarizing them down to their base network class. In the case of 192.168.10.4/30 or 192.168.10.56/29 the networks are summarized to their Class C base network address of 192.168.10.0/24.

Summarization occurs at classful network boundaries. Classful network boundaries occur when one class of networks meet a different class of networks, thus a network boundary. If subnet 192.168.10.4/30 or 192.168.10.56/29 were crossing over to another router connected by the 10.1.1.0/24 network, the classful network boundary is between the 10.0.0.0/8 and 192.168.10.0/24 networks.

No Auto-summary

The process of taking the subnets 192.168.10.4/30 or 192.168.10.56/29 and not sum-marizing them down to their base network class. In the case of 192.168.10.4/30 or 192.168.10.56/29, the networks are never summarized to their Class C base network address of 192.168.10./24 when classful network boundaries are encountered.


6. Use the console menu to bring up the console screen for 2811 Router D.


Router>enable

Router#config t


2811D(config-if)#int fa0/1


2811D(config-if)#no shutdown




2811D(config-router)#ctrl+z




[OK]

2811D#

8. After you configure Routers, you should be able to ping from router to router. Verify that you can ping from 2811 Router A to 2811 Router D and from 2811 Router D router to 2811 Router A. If you cannot, STOP!, troubleshoot your network.

2811A#ping 192.168.20.2



!!!!!


2811A#

2811D#ping 171.16.10.1



!!!!!


2811D#

9. You can also verify your EIGRP routes with the show ip route command.

2811A#show ip route

[output cut]



D 192.168.20.0 [90/2172416] via 171.16.10.2, 00:06:07, Serial0/0/0

D 192.168.10.0 [90/2172416] via 171.16.10.2, 00:06:07, Serial0/0/0


2811A#

2811B#show ip route

[output cut]





2811B#

2811C#show ip route

[output cut]





2811C#

2811D#show ip route

[output cut]





2811D#

Dynamic NATWe will now show you how to configure NAT to translate from real ISP assigned addresses to private addresses so that the inside network can communicate to the Internet.

10. In this step, you’ll configure a dynamic NAT pool on 2811 Router B. Create a pool of addresses called RouterSim on 2811 Router B. The pool should contain a range of addresses of 171.16.10.50 through 171.16.10.55.

2811B(config)#ip nat pool RouterSim 171.16.10.50 171.16.10.55 net 255.255.255.0

11. Create access-list 1. This list permits traffic from the 192.168.20.0 and 192.168.10.0 network to be translated.



12. Map the access list to the pool that was created.

2811B(config)#ip nat inside source list 1 pool RouterSim


13. Configure f0/0 as an inside NAT interface.

2811B(config)#int f0/0


14. Configure serial 0/0/0 as an outside NAT interface.



15. Bring up the console for 2811 Router D. Telnet from 2811 Router D to 2811 Router A—do not disconnect.

2811D#telnet 171.16.10.1

Trying 171.16.10.1 ... Open



2811D#

We received this message because we did not set up a telnet password on 2811 Router A.

16. Go to 2811 Router A and set up a telnet password.

2811A#config t

2811ARouter(config)#line vty 0 1180

2811ARouter(config-line)#password todd2

Try step 15 again and if you are successful, move on to step 18.

17. Bring up the console for 2811 Router C. Telnet from 2811 Router C to 2811 Router A—do not disconnect.

2811C#telnet 171.16.10.1

18. Go back to 2811 Router A and execute the command show users. (This shows who is accessing the VTY lines).

2811A#show users


0 con 0 idle 00:00:00

2 vty 0 idle 00:00:40 171.16.10.50

* 3 vty 1 idle 00:00:17 171.16.10.51


2811A#

Notice that there is a one-to-one translation. Which means you must have a real IP address for every host that wants to get to the Internet, which is not always possible.


19. Leave the session open on 2811 Router A and connect back to 2811 Router B.

20. Bring up the console for 2811 Router B and view your current translations by entering the show ip nat translation command. You should see something like this:

2811B#show ip nat translations


--- 171.16.10.50 192.168.20.2 --- ---

--- 171.16.10.51 192.168.10.2 --- ---

2811B#

Oh my gosh, this really works!

Remember that the “inside local is before translation” and the “inside global is after translation”, and how you are known on the Internet.

21. Exit out of the telnet session from 2811 Router D.

22. If you turn on debug ip nat on 2811 Router B and then ping through Router from 2811 Router D, you will see the actual NAT process take place, which will look some-thing like this:

2811B#debug ip nat

2811D#ping 171.16.10.1

2811B#

Feb 27 17:16:18.256: NAT*: s=192.168.20.2->171.16.10.52, d=171.16.10.1 [1]

Feb 27 17:16:18.260: NAT*: s=171.16.10.1->171.16.10.52, d=192.168.20.2 [1]

Do not exit out of the telnet sessions for 2811 Router C and 2811 Router D.

Configuring PATYou will now configure Port Address Translation (PAT) on 2811 Router B. We will use PAT because we don’t want a one-to-one translation, but instead we want to just use one IP address for every user on the network.

23. Terminate the telnet sessions on 2811 Router C and 2811 Router D by using the exit command.

24. On 2811 Router B, delete the translation table and remove the dynamic NAT pool.

2811B#clear ip nat translation *

2811B#config t

2811B(config)#no ip nat pool RouterSim 171.16.10.50 171.16.10.55 netmask 255.255.255.0

2811B(config)#no ip nat inside source list 1 pool RouterSim


25. On 2811 Router B, create a NAT pool with one address called Lammle. The pool should contain a single address: 171.16.10.100. Enter the command below:

2811B(config)#ip nat pool Lammle 171.16.10.100 171.16.10.100 netmask 255.255.255.0

26. Create access-list 2. It should permit networks 192.168.20.0 and 192.168.10.0 to be translated.



27. Map the access-list 2 to the new pool, allowing PAT to occur by using the overload command.

2811B(config)#ip nat inside source list 2 pool Lammle overload

28. Bring up the console for 2811 Router D and telnet to 2811 Router A. Then bring up 2811 Router C and telnet to 2811 Router A.

29. From 2811 Router A use the show users command. The output should look something like this:

2811A>show users


0 con 0 idle 00:00:00

2 vty 0 idle 00:00:29 171.16.10.100

* 3 vty 1 idle 00:00:21 171.16.10.100


2811A>

30. From 2811 Router B use the show ip nat translations command.

2811B#show ip nat translations


tcp 171.16.10.100:1723 192.168.10.2:1723 171.16.10.1:23 171.16.10.1:23

tcp 171.16.10.100:1723 192.168.20.2:1723 171.16.10.1:23 171.16.10.1:23

2811B#

Exit out of the telnet session from 2811 Router D.

31. Also make sure that the debug ip nat command is on 2811 Router B. If you ping from 2811 Router D to 2811 Router A, the output will look like this:

01:12:36: NAT: s=192.168.10.2->171.16.10.100, d=171.16.10.1 [35]

01:12:36: NAT*:s=171.16.10.1, d=171.16.10.100->192.168.10.2 [35]

01:12:36: NAT*:s=192.168.10.2->171.16.10.100, d=171.16.10.1 [36]

01:12:36: NAT*:s=171.16.10.1, d=171.16.10.100->192.168.10.2 [36]

01:12:36: NAT*:s=192.168.10.2->171.16.10.100, d=171.16.10.1 [37]

Individual Lab: VLSM with Summarization 691

01:12:36: NAT*:s=171.16.10.1, d=171.16.10.100->192.168.10.2 [37]

01:12:36: NAT*:s=192.168.10.2->171.16.10.100, d=171.16.10.1 [38]

01:12:36: NAT*:s=171.16.10.1, d=171.16.10.100->192.168.10.2 [38]

01:12:37: NAT*:s=192.168.10.2->171.16.10.100, d=171.16.10.1 [39]

01:12:37: NAT*:s=171.16.10.1, d=171.16.10.100->192.168.10.2

Individual Lab: VLSM with SummarizationThe following lab will have you configure a medium size network into block sizes of 32 (/27) using the EIGRP routing protocol and summarizing the classless boundaries. The switches will not be configured in this lab and they will behave just like hubs. You will configure each router in the lab with the appropriate IP addressing.











Routers 2811 A through 2811 E should be configured in the 192.168.10.32/27 network and routers 2811 F through 2811 J will be configured in the 192.168.10.64/27 network. In each network there are four block sizes of four (the WAN links) and two block sizes of eight (the LANs).

To connect routers 2811 A and 2811 F across the backbone, we will use the 10.1.1.0/24 network. This is called discontiguous networking because we have one class of network

Network Layout

On the Network Visualizer screen, click on the Labs menu then choose Individual, VLSM, and VLSM and Summarization.


(192.168.10.0) connecting across to the same network address through the 10.0.0.0 network—and this will not work by default. RIPv1 and IGRP can never work in this type of network. In order to use VLSM with discontiguous networking in your network, you must use one the fol-lowing routing protocols: RIPv2, EIGRP, OSPF or ISIS (these are considered classless routing protocols). This lab will have you use EIGRP as the classless routing protocol.

Here is the IP addressing scheme used in this lab for routers 2811 A through 2811 E: (notice how the four block sizes of four, and two block sizes of eight fit in one block size of 32—VLSM network addressing).

Router Block Sizes

2811 Router A S0/0/0: 192.168.10.37/30 (subnet 36, block size of 4)


F0/0: 10.1.1.1/24

2811 Router B S0/0/0: 192.168.10.41/30 (subnet 40, block size of 4)


2811 Router C S0/0/0: 192.168.10.45/30 (subnet 44, block size of 4)


2811 Router D S0/0/0: 192.168.10.42/30 (connected to s0/0/0 of 2811 Router B)


2811 Router E S0/0/0: 192.168.10.46/30 (connected to s0/0/0 of 2811 Router C)


2811 Router F S0/0/0: 192.168.10.69/30 (subnet 64, block size of 4)


F0/0: 10.1.1.2/24

2811 Router G S0/0/0: 192.168.10.73/30 (subnet 72, block size of 4)


2811 Router H S0/0/0: 192.168.10.77/30 (subnet 76, block size of 4)


2811 Router I S0/0/0: 192.168.10.74/30 (connected to s0/0/0 of 2811 Router G)


2811 Router J S0/0/0: 192.168.10.78/30 (connected to s0/0/0 of 2811 Router H)

F0/0: 192.168.10.89 (subnet 88, block size of 8)


Lab Steps

Copy and Paste ScriptSteps 1-20 are necessary in order to perform this lab. If you do not want to manually complete these steps and want to accelerate steps 1 - 20, you can copy and paste the fol-lowing script into the console for each router. After you get into User mode, copy and paste the script into the console. Click on the console and click your right mouse button. A pop-up menu will appear. Click Paste.

After pasting the script into the console, you will see the prompt Destination filename[startup-config]?. At this point, press Enter.

2811 Router A 2811 Router B 2811 Router C

enable

config t

hostname 2811A

int s0/0/0

ip address 192.168.10.37 255.255.255.252

no shut

int s0/0/1

ip address 192.168.10.33 255.255.255.252

no shut

int f0/0

ip address 10.1.1.1 255.255.255.0

no shut

exit

exit

copy run start

enable

config t

hostname 2811B

int s0/0/0

ip address 192.168.10.41 255.255.255.252

no shut

int s0/0/1

ip address 192.168.10.34 255.255.255.252

no shut

exit

exit

copy run start

enable

config t

hostname 2811C

int s0/0/0

ip address 192.168.10.45 255.255.255.252

no shut

int s0/0/1

ip address 192.168.10.38 255.255.255.252

no shut

exit

exit

copy run start


2811 Router D 2811 Router E 2811 Router F

enable

config t

hostname 2811D

int s0/0/0

ip address 192.168.10.42 255.255.255.252

no shut

int f0/0

ip address 192.168.10.49 255.255.255.248

no shut

exit

exit

copy run start

enable

config t

hostname 2811E

int s0/0/0

ip address 192.168.10.46 255.255.255.252

no shut

int f0/0

ip address 192.168.10.57 255.255.255.248

no shut

exit

exit

copy run start

enable

config t

hostname 2811F

int s0/0/0

ip address 192.168.10.69 255.255.255.252

no shut

int s0/0/1

ip address 192.168.10.65 255.255.255.252

no shut

int f0/0

ip address 10.1.1.2 255.255.255.0

no shut

exit

exit

copy run start

2811 Router G 2811 Router H 2811 Router I

enable

config t

hostname 2811G

int s0/0/0

ip address 192.168.10.73 255.255.255.252

no shut

int s0/0/1

ip address 192.168.10.66 255.255.255.252

no shut

exit

exit

copy run start

enable

config t

hostname 2811H

int s0/0/0

ip address 192.168.10.77 255.255.255.252

no shut

int s0/0/1

ip address 192.168.10.70 255.255.255.252

no shut

exit

exit

copy run start

enable

config t

hostname 2811I

int s0/0/0

ip address 192.168.10.74 255.255.255.252

no shut

int f0/0

ip address 192.168.10.81 255.255.255.248

no shut

exit

exit

copy run start


2811 Router J

enable

config t

hostname 2811J

int s0/0/0

ip address 192.168.10.78 255.255.255.252

no shut

int f0/0

ip address 192.168.10.89 255.255.255.248

no shut

exit

exit

copy run start

1. Double-click on 2811 Router A to bring up the console screen.


Router>en

Router#config t














3. Change to the console for 2811 Router B.


Router>en

Router#config t




2811B(config)#int s0/0/0








5. Change to the console for 2811 Router C.


Router>en

Router#config t



2811C(config)#int s0/0/0








7. Change to the console for 2811 Router D.


Router>en

Router#config t






2811D(config-if)#int fa0/0




2811D(config-if)#ctrl+z



9. Change to the console for 2811 Router E.

10. Configure 2811 Router E.

Router>en

Router#config t


Router(config)#hostname 2811E

2811E(config)#int s0/0/0



2811E(config-if)#int fa0/0



2811E(config-if)#ctrl+z

2811E#copy run start

11. Change to the console for 2811 Router F.

12. Configure 2811 Router F.

Router>en

Router#config t


Router(config)#hostname 2811F

2811F(config)#int s0/0/0



2811F(config-if)#int s0/0/1



2811F(config-if)#int fa0/0



2811F(config-if)#ctrl+z

2811F#copy run start

13. Change to the console for 2811 Router G.

14. Configure 2811 Router G.

Router>en

Router#config t


Router(config)#hostname 2811G


2811G(config)#int s0/0/0



2811G(config-if)#int s0/0/1



2811G(config-if)#ctrl+z

2811G#copy run start

15. Change to the console for 2811 Router H.

16. Configure 2811 Router H.

Router>en

Router#config t


Router(config)#hostname 2811H

2811H(config)#int s0/0/0



2811H(config-if)#int s0/0/1



2811H(config-if)#ctrl+z

2811H#copy run start

17. Change to the console for 2811 Router I.

18. Configure 2811 Router I.

Router>en

Router#config t


Router(config)#hostname 2811I

2811I(config)#int s0/0/0



2811I(config-if)#int fa0/0



2811I(config-if)#ctrl+z

2811I#copy run start


19. Change to the console for 2811 Router J.

20. Configure 2811 Router J.

Router>en

Router#config t


Router(config)#hostname 2811J

2811J(config)#int s0/0/0



2811J(config-if)#int fa0/0



2811J(config-if)#ctrl+z

2811J#copy run start

Configuring HostsWe will now configure all the hosts in the network.




NN IP Address

NN Subnet Mask

NN Default Gateway


IP Address:192.168.10.50

Subnet Mask: 255.255.255.248




NN IP Address

NN Subnet Mask

NN Default Gateway

IP Address:192.168.10.58

Subnet Mask: 255.255.255.248




NN IP Address

NN Subnet Mask

NN Default Gateway

IP Address:192.168.10.82

Subnet Mask: 255.255.255.248




NN IP Address

NN Subnet Mask

NN Default Gateway

IP Address:192.168.10.90

Subnet Mask: 255.255.255.248



Verify ConfigurationsFrom each router and each host, ping the directly connected neighbor and make sure that it is successful. If not, troubleshoot each problem. Remember, you cannot ping past a directly


connected neighbor until a routing protocol is configured. In addition, use the command show ip route on each router to see the routing table.

Only the directly connected networks will show in the routing tables until a routing pro-tocol is configured. In this lab a representative sample of testing connectivity is performed, so not all possibilities are shown.

31. Display the console for 2811 Router D and ping Host A.

2811D#ping 192.168.10.50



!!!!!


2811D#

32. Go to 2811 Router E and ping Host B.

2811E>ping 192.168.10.58



!!!!!


2811E>

33. Go to 2811 Router I and ping Host C.

2811I>ping 192.168.10.82



!!!!!


2811i>

34. Go to 2811 Router J and ping Host D.

2811J>ping 192.168.10.90



!!!!!


2811J>

35. Go to 2811 Router A and ping s0/0/1 on 2811 Router B.

2811A>ping 192.168.10.34




!!!!!


36. From 2811 Router A and ping s0/0/1 on 2811 Router C.

2811A>ping 192.168.10.38



!!!!!


37. From 2811 Router A enter a show ip route command to view the directly connected devices.

2811A>show ip route






2811A>

Configuring EIGRP with Discontiguous NetworkingYou will now configure the classless routing protocol EIGRP on each router. EIGRP is an advanced Distance Vector routing protocol that supports VLSM and discontiguous networks. In addition, it can be used to manually summarize contiguous network boundaries, which is what we have.

Enhanced Interior Gateway Routing Protocol (EIGRP) is a Cisco proprietary hybrid routing protocol. It uses the properties of both distance vector and link state and uses an administrative distance of 90, so it will automatically overwrite RIP (which has a default administrative distance of 120) routes in the routing table. Also, it uses autonomous sys-tems (AS) to create groups of routers that share routing information. The major difference between IGRP and EIGRP is that EIGRP uses three different tables to create a stable rout-ing environment and additionally EIGRP only sends updates when needed, whereas IGRP broadcasts routing table entries every 90 seconds.

Remember that although EIGRP is considered a classless routing protocol (which means it sends subnet mask information with each route update), it is configured in a classful manner. What this means is that you turn off all subnet bits and host bits to add each network statement—which is why the network statement is 192.168.10.0, not 192.168.10.32, 192.168.10.36, etc. for each subnet. EIGRP will find the subnets; you don’t type subnets in with the network statement.


Router A is directly connected to the 192.168.10.0 network, but also the 10.1.1.0/24 network is directly connected off of F0/0. What is the network statement we will use? Remember, ALL subnet bits and host bits are off!

Add EIGRP with AS 10 to each router, using the correct network statement. Also, add the network statement of network 192.168.10.0 under EIGRP 10 for each router, except for routers A and F, which will need the network 10.0.0.0 statement as well.

38. From each router global configuration prompt, add the routing protocol EIGRP with an AS number of 10:

2811A>en

2811A#config t




2811A(config-router)#

2811B>en

2811B#config t



2811B(config)#auto-summary

2811B(config-router)#

2811C>en

2811C#config t



2811C(config)#auto-summary

2811C(config-router)#

2811D>en

2811D#config t



2811D(config)#auto-summary

2811D(config-router)#

2811E>en

2811E#config t

2811E(config)#router eigrp 10

2811E(config-router)#network 192.168.10.0

2811E(config)#auto-summary

2811E(config-router)#

2811F>en

2811F#config t





2811F(config-router)#

2811G>en

2811G#config t

2811G(config)#router eigrp 10

2811G(config-router)#network 192.168.10.0

2811G(config)#auto-summary

2811G(config-router)#

2811H>en

2811H#config t

2811H(config)#router eigrp 10

2811H(config-router)#network 192.168.10.0

2811H(config)#auto-summary

2811H(config-router)#

2811I>en

2811I#config t

2811I(config)#router eigrp 10

2811I(config-router)#network 192.168.10.0

2811I(config)#auto-summary

2811I(config-router)#

2811J>en

2811J#config t

2811J(config)#router eigrp 10

2811J(config-router)#network 192.168.10.0

2811J(config)#auto-summary

2811J(config-router)#

39. Now that we have added our directly connected networks under EIGRP (remember, add networks, not subnets!), we need to configure 2811 Router A and 2811 Router F to work using discontiguous networking. Take a look at the routing table of each router and notice that you can see the subnets in the routing table from each contiguous net-work only (routers A through E and routers F through J). This is because discontiguous networking does not work by default.


2811A#show ip route

2811F(config-router)#ctrl+z

2811F#show ip route


40. We need to add the no auto-summary command to routers 2811 A and 2811 F to have this work.

2811A#config t


2811A(config-router)#no auto-summary

2811F#config t


2811F(config-router)#no auto-summary

41. Now, let’s take a look at the routing tables of each router and notice that ALL subnets are now listed in each router’s routing table.

2811J#show ip route

[output cut]


D 10.1.1.0 [90/2172416] via 192.168.10.77, 00:12:01, Serial0/0/0


D 192.168.10.44/30 [90/2172416] via 192.168.10.77, 00:12:01, Serial0/0/0

D 192.168.10.68/30 [90/2172416] via 192.168.10.77, 00:12:01, Serial0/0/0

D 192.168.10.32/30 [90/2172416] via 192.168.10.77, 00:12:01, Serial0/0/0



D 192.168.10.36/30 [90/2172416] via 192.168.10.77, 00:12:01, Serial0/0/0

D 192.168.10.40/30 [90/2172416] via 192.168.10.77, 00:12:01, Serial0/0/0

D 192.168.10.64/30 [90/2172416] via 192.168.10.77, 00:12:01, Serial0/0/0

D 192.168.10.48/29 [90/2172416] via 192.168.10.77, 00:12:01, Serial0/0/0

D 192.168.10.80/29 [90/2172416] via 192.168.10.77, 00:12:01, Serial0/0/0

D 192.168.10.72/30 [90/2172416] via 192.168.10.77, 00:12:01, Serial0/0/0

D 192.168.10.56/29 [90/2172416] via 192.168.10.77, 00:12:01, Serial0/0/0

42. This is a small network and the routing tables are manageable.. However, if we had more routers, our routing tables would be rather large, which takes up memory and router processing parsing the routing table. What can we do to make our routing table smaller, more efficient, yet still keep all our connectivity from end to end? You guessed it! Summarization baby!

Configuring SummarizationNow that we have configured the internetwork from end to end using VLSM and discon-tiguous networking, and EIGRP with the no auto-summary command to support the discon-tiguous network, it is time to configure summarization.


Summarization would be done on the boundaries of each contiguous configured net-work (routers 2811 A and 2811 F). Summarization is used by EIGRP under the interface configuration using the ip summary-address eigrp 10 network mask command.

Before we add the summary commands to routers 2811 A and 2811 F, we need to know what network and mask to add to the summary command. Remember, summary addresses are configured in block sizes, just like subnets. The summary address for 2811 Router A would be 192.168.10.32, since we are starting at subnet 32; however, what is our summary mask? Well, what is the block size of our contiguous networks? Thirty-two (32). What mask provides a block size of 32? A /27, which is 255.255.255.224; this is our summary mask.

43. For the 2811 F configuration, we would start at subnet 192.168.10.64, which is also a summary mask of /27, since the contiguous networks fit in a block size of 32.

Here is our configuration on both routers:

2811A#config t


2811A(config-if)#ip summary-address eigrp 10 192.168.10.32 255.255.255.224

2811F#config t

2811F(config)#int fa0/0

2811F(config-if)#ip summary-address eigrp 10 192.168.10.64 255.255.255.224

At this point, we have disabled automatic summarization under EIGRP since we need to support discontiguous networking. We then configured manual summarization at contiguous classful boundaries.

Verifying Summarization

44. If we take a look at the routing tables now, we can see that 2811 Router A is summa-rizing the contiguous network with a 192.168.10.32/27 route into the 2811 Router F’s routing tables, which is then sent to the other routers connected to 2811 Router F.

2811F>en

2811F#show ip route

[output cut]



D 192.168.10.80/29 [90/2172416] via 192.168.10.66, 00:05:49, Serial0/0/1


D 192.168.10.72/30 [90/2172416] via 192.168.10.66, 00:05:49, Serial0/0/1

D 192.168.10.76/30 [90/2172416] via 192.168.10.70, 00:05:49, Serial0/0/0



D 192.168.10.88/29 [90/2172416] via 192.168.10.70, 00:05:49, Serial0/0/0



2811F#

45. For 2811 Router A, the routing table now looks like this, which is sent to all routers connected to 2811 Router A.

2811A#show ip route

[output cut]






D 192.168.10.44/30 [90/2172416] via 192.168.10.38, 00:02:53, Serial0/0/0

D 192.168.10.40/30 [90/2172416] via 192.168.10.34, 00:02:53, Serial0/0/1

D 192.168.10.48/29 [90/2172416] via 192.168.10.34, 00:02:53, Serial0/0/1


D 192.168.10.56/29 [90/2172416] via 192.168.10.38, 00:02:53, Serial0/0/0

2811A#

Our routing tables are smaller, more efficient, and easier for IP to parse.

Net Assessment

Lab 1.1: Introduction to Net Assessment

Net Assessment allows you to test and evaluate your problem solving and troubleshooting network skills. We have created a powerful and flexible tool for all to use, including teach-ers, students, individuals, etc. There are six basic steps in fully utilizing Net Assessment:

NN Load Net Assessment

NN Load a fully configured network (Master network)

NN Create a template that allows you to specify the configurations you want to test

NN Create and distribute test networks that have their configurations altered in some way

NN Ask others to troubleshoot/problem-solve the network

NN Evaluate Test network against Master network

Net Assessment only works with CCNA networks.

Several options are available to assist you in determining what configurations will be placed in the Test network. It depends on the audience for which the Test network is being created. The following are some examples.

For Instructors

Scenario 1 Provide an empty network to students with instructions only. With this pro-gram you can insert instructions into a network by importing a file like a Microsoft Word file. Click on the Insert icon on the toolbar. When the dialog box appears select a file that includes instructions. You can embed any file that you wish; however, the student must have the same program on their computer.

Lab 1.1: Introduction to Net Assessment 711

When students open the Test network they will see a document object on the Network Visualizer screen. They double-click the object and the instructions open up. When they create, configure, and save the Test network, they return it to the instructor for evaluation. This program can automatically evaluate the Test network. An instructor would then load the Master network and evaluate Test networks one at a time or all at once. An instructor can also view and/or print results one at a time or all at once.

Scenario 2 Provide a partially configured network to students, along with instructions. In this situation, an instructor has manually removed part of the configurations and expects students to problem solve and finish creating a fully configured network.

Scenario 3 Provide a fully configured network to students where the program has randomly changed some of the configurations. This is an ideal situation for troubleshooting. An instruc-tor can provide a randomized Test network to students in two different ways:

NN They can choose specific configurations they want the program to randomly change values.

NN They can choose specific configurations they want the program to randomly remove when the Test network is generated.

712 Net Assessment

From the total pool of configurations, have the program randomly change and/or remove a specific number of values. For example, an instructor can indicate they want any five configurations (out of a total of 25 configurations) changed by the program.

For IndividualsIndividuals can also use Net Assessment to evaluate their skills. You have several options available to you. For example, you can load a Master network and have the program ran-domly change a specific number of configurations. You would then generate a Test network and try to restore the network with the same values found in the Master network. You can also have the program randomly remove values. You can make it more complex by desig-nating a specific number of values to be randomly changed and a specific number of values to be randomly removed.

You will not know what configurations have been altered until you open the Test network. At that point it will not be apparent as to what values have been changed or removed until you go through your Test network. Almost anything in the network that had been originally configured is fair game for being changed by our program.

When you have gone through the Test network and corrected any problems, you can compare it with the Master network and evaluate your work. Our Report section will display expected answers and your answers.

Lab 1.2: Making Changes and Inserting InstructionsBefore you start working with Net Assessment there are two important things that need to be mentioned about making changes to the file.

Changes to the Master File Once you have created a Net Assessment template and saved the Master network, you cannot make any changes to the network. So, be sure that you have the network configured the way you want. Making additional changes and saving the Master network will cause the templates to be removed.

Inserting Instructions You can insert instructions into the Master network but this needs to be done before you create any Net Assessment templates. Instructions are not required for you to work with Net Assessment, but a convenient way to instruct others as to what to do with a Test network that you generate. Unlike the Master network, you have another

Lab 1.2: Making Changes and Inserting Instructions 713

option with instructions in that you can insert them into a Test network at any time and save the file.

Lab Steps

1. Use a third-party program to create instructions. This can be a text editor, word pro-cessor, html editor, spread sheet program, etc. The important thing to keep in mind is that the person using the Test network must have the same program on their computer that was used to create the instructions. Save the file as you normally would do.

2. Using this program, load your Master network. There is nothing special about this net-work and any one will do. Make sure you have fully configured the network and plan no changes.

3. There are two ways to insert a document.

NN Using the menu, click Insert and then File.

714 Net Assessment

NN Click the Insert button on the button bar.

4. Find your instruction file on your computer and then click the Close button on the dia-log box. An object will appear on the network with file name of your instruction file.

Lab 1.3: Loading Net Assessment 715

5. When the user gets the Test network, the network topology will look the same as the Master network. It will also display the instructions object. If they double-click on that object, instructions will display within a few minutes.

Lab 1.3: Loading Net AssessmentNet Assessment can be loaded three ways.

NN On any Network Visualizer screen, click on the toolbar button that looks like a paper and pencil.

NN From any Network Visualizer screen you can click on Tools and then Net Assessment in the drop-down menu.

716 Net Assessment

NN Right-mouse click on any Network Visualizer screen and select Net Assessment from the pop-up menu.

The Net Assessment screen will appear.

Lab 1.4: Creating a Net Assessment Template 717

Lab 1.4: Creating a Net Assessment TemplateA fully configured network can potentially have several dozen or hundreds of configurations. If you want to test others on a concept it makes sense to use a manageable number of configu-rations. You need a way to accomplish this and a template allows you to create a small list of configurations. Selecting items for a template does not change any configuration values in the Master network. It just creates a list of values that you will alter in a future step.

Lab Steps

1. After the Net Assessment screen appears you will want to load a fully configured network or what we refer to as a Master network. There is nothing special about this network and any one will do. Click on the file folder on the menu or click File menu and then Open.


3. Click on the file Configured Network.rsm and click Open. You can confirm that you loaded this Master network because the title of the file will be at the top of the Net Assessment screen and also listed as Name of the Master network.

718 Net Assessment

4. Click the Add button in the section Assessment Template, located in the upper left quadrant of the screen.

5. The Assessment Template screen will appear. Put a name in for the template you are creating. For this example, enter Scenario1.


You can create several templates for the same Master network. Each tem-plate can refer to different logical segments of configurations in the network. For example, you could have different templates that test (among others) for:

NN Passwords

NN IP addresses

NN Routing Protocol

NN Routing Protocol Network

6. On the Assessment Template screen you will see a list of devices that are in the Master network. In this example you will see an expandable tree for the:

NN 2621 A router

NN 2621 B router

NN 2811 A router

NN 3550 A switch

7. Let’s begin with 3550 Switch A. Eventually we will ping from 3550 Switch A to 2621 Router A. We want to change the ip-default gateway on 3550 Switch A so that you cannot successfully ping. Click on the plus sign (+) next to 3550 Switch A and an expanded list of current configurations for that device will display.

8. Click on the box IP Default-Gateway so that there is a check mark present.

9. Click on the plus sign next to 2621 Router B.

10. Click on the plus sign next to Protocols.

11. Click on the plus sign next to RIP.

720 Net Assessment

12. Click on the box Networks so that there is a check mark present. We will eventually alter the RIP network so that you cannot successfully ping from 2621 Router B to 2621 Router A.

We have now selected configurations from two devices that we will alter so that we can generate a Test network. These configurations will have to be corrected in the Test network in order for a ping to successfully work between 3550 Switch A to 2621 Router A, and from 2621 Router B to 2621 Router A.

13. Click the Save Values button and the Assessment Template screen will close.

14. You will then see a new entry in the Assessment Template field (Scenario1).


15. This step is optional and is not required. You can password protect your Master network. The password prevents others from loading a Master network and making changes. On the upper right hand side of the Net Assessment screen is a password field. Type in a password.

16. Save Your Network. When you click on the Save Values button, the newly created template is only stored in memory. You will need to save the Master network to perma-nently store the new template. Click on the Diskette on the menu bar. Then click the Save button and overwrite your existing Master network.

722 Net Assessment

Lab 1.5: Net Assessment—Editing ValuesAfter you create a Net Assessment template, you are one step from generating a Test net-work. In Net Assessment lab 1.4 we create a template called Scenario1 in which a couple configuration types were chosen. Up to this point we have only decided as to the configu-ration types that will be tested for in the Lab network. We now need to alter some of the configurations. In this lab we will manually alter values; however, other labs in this section provide more sophisticated and automatic ways to alter configurations.

Lab Steps

1. Make sure that the newly created template is still highligted.

Lab 1.5: Net Assessment—Editing Values 723

2. Click on the Edit Value button on the top right side of the Net Assessment screen.

3. On the Edit Values screen you will see a tree-like structure that lists all the devices you chose while creating a template. Actual configuration values (from the Master network) for each chosen configuration will be displayed. You can quickly see all values by the clicking the box at the bottom left position of the screen, titled Expand all values.

724 Net Assessment

Make sure that you only have values in the Edit Values section that you want to alter.

Do not select values for a template that are extraneous. These additional values will be used in the score calculation and skew an accurate assessment. For example, you want to test students on four passwords that will be altered. However, you also have an IP address, mask, and IP default-gateway listed in the Edit Values section. Let’s say that you do nothing to alter these values. When the Test network is evaluated you will receive credit for the correct IP address, mask, and ip default-gateway because these values will not have been altered and will match the Master network values.

4. Change the RIP network value from 172.16.0.0 to 172.14.0.0.

5. Change the IP Default-Gateway from 172.16.10.1 to 172.14.10.1

After you make a change in a file the background color changes from white to yellow. This provides feedback to you as to what fields have been altered.

Save Your Network. Click the Save Values button. When you click on the Save Values but-ton, the altered values are only stored in memory. You will need to save the Master network to permanently save these changes. Click on the Diskette on the menu bar. Then click the Save button and overwrite your existing Master network.

Lab 1.6: Net Assessment—Creating A Test Network 725

Lab 1.6: Net Assessment—Creating A Test NetworkCreating a Test Network is relatively straight forward. If you have first selected an assess-ment template, you can click the Create Test Network button on the Net Assessment screen. The assumption is that you have already determined how you want to alter values in the creation of a Test network, so you do not have to view the Edit Values screen.

Lab Steps

1. Make sure that the newly created template is still highlighted.

2. On the Net Assessment Screen, click the button that says Create Test Network.

726 Net Assessment

A dialog box will appear with a suggested name for the Test network. It will be the name of the Master network plus “_test.rsm”. In the example we have been using, the name of the master file is Configured Network. The suggested file name would be “Configured Network _test.rsm”. However, you can name the Test network anything you wish.

3. In this case, name it Scenario1 so that the full file name is Scenario1_test.rsm.

If you are an instructor you might want to have each student save their Test network with some type of unique identifier when they finishing working on it. For example, you create a Test network called Scenario1_test.rsm. When Bill T. finishes working with his Test network, you have him save it as Billt_Scenario1_test.rsm or perhaps Scenario1_test_Billt.rsm.

Lab 1.7: Net Assessment—Assessing A Test NetworkOne or more Test networks can be evaluated at the same time, against the same Master network.

Lab Steps

1. Bring up the Net Assessment screen.

2. After the Net Assessment screen appears, load the Master network. Click on the file folder on the menu or click the File menu and then Open.

Lab 1.7: Net Assessment—Assessing A Test Network 727


4. Click on the file Configured Network.rsm and click OK. You can confirm that you loaded this Master network because the title of the file will be at the top of the Net Assessment screen and also listed as Name of the Master network.

5. In the Assessment section (bottom left side of the screen), click the Add button. A dia-log box will appear. Find and select Scenario1_test.rsm. We came up with this name in lab 16.6. The name of this file will display in the Assessment section window.

728 Net Assessment

6. Click the Assess button.

We have not made any changes to the Test network. Therefore, we should expect two incorrect configurations.

7. Click the View button to view a detailed report. You will see a column labelled Expected Answer. Those configurations are derived from the Master network. The column Your Answer are the configurations entered and saved in the Test network. In this example we did not make any changes in the Test network.

Lab 1.8: Advanced Values Editing 729

Lab 1.8: Advanced Values EditingIn Net Assessment lab 1.5 we used a straightforward process in editing values so that a Test network could be generated. We had you manually change a couple values. We did that so we could provide a quick and easy to understand method in changing values. However, Net Assessment provides you with more sophisticated and powerful methods in altering values.

There are five ways to affect values:

730 Net Assessment

NN Change a selected value

NN Randomize a selected value

NN Remove a selected value

NN Auto-select and randomize any value(s)

NN Auto-select and remove any value(s)

The first three options can be performed by the user. The last two options are performed by the program after you select the number of values to be affected.

Options Can Be Used Together

These options can be used in any combination and are not mutually exclusive. For example, you can manually change a couple values, select a couple other values to be randomly changed by the program, and a couple other values to be removed by the program. The auto-select options can also be used with other options. The following are some examples.

Scenario 1 You manually change two values and select three other values to be randomly changed by the program. There will be a total of five values affected when a Test network is created.

Scenario 2 You manually change two values, select one value to be randomly changed, and select four other values to be removed when the Test network is generated. There will be a total of seven values affected.

Scenario 3 You choose three specific values to be randomly changed by the program. You also use the auto-select option to randomly select and randomly change two additional values. There will be a total of five values affected when a Test network is created.

Scenario 4 You use the auto-select options to randomly select and change five values and randomly select and remove five additional values. There will be a total of ten values affected when a Test network is created.

Lab 1.9: Edit Values—Changing A Selected ValueYou can manually change values so that they appear differently in the Test network. Place your cursor in a field and type in a new value. Fields that you change will display a yellow background. There are also drop down fields that you can change values. For example, you

Lab 1.9: Edit Values—Changing A Selected Value 731

may want to change the VTP Operating mode from Server to Client. Click on the down arrow next to the word Server and a drop down list will appear. Select Client. This option would typically be used by an instructor because if you are an individual testing yourself, you would know what values have been changed.

The following are some examples of how to use this option:

Scenario 1 For example, you have an IP address 192.168.1.1 and you want it to appear as 192.168.11.2 in the Test network when it is created. Find the IP Address configuration, place your cursor in the corresponding field containing this value and make the change.

Scenario 2 Another use is entering bogus information that you expect the user to remove in the Test network. For example, you have two OSPF networks that the student should enter into the Test network but you don’t want to display them. You can simply manually remove these values. However, in place of these two values you could place two network values that should be removed by the student.

Let’s say you have two values from the Master network:

OSPF network 192.168.20.4 0.0.0.3 area 0


You want two bogus network values in place of these. In those two fields you could substitute the following values:



The last two values from above will display in the Test network. However, remember that when you compare the Master network with the Test network, it will still have the values of:



If those are not found in the Test network, these are marked as incorrect answers.

732 Net Assessment

During any of these processes the configuration values in the Master net-work are never changed. Changes are only reflected in the Test network.

Lab 1.10: Edit Values—Randomizing A Selected ValueYou can select specific values that you want the program to randomly change when the Test network is created. Find the values that you want to randomly change and click the Randomize check box that is to the right of the value. If you are an instructor you may have values that you do not want to manually change every time you create a Test network from a Master network’s Assessment Template. You may prefer, instead, to have the pro-gram randomly change specific values every time you create a Test network. In the follow-ing example, IP Default-Gateway and VTP Password have been selected to be randomized. The IP Default Gateway may display a value like 192.168.10.15 and the VTP Password might display a value like Cisco when the Test network is generated.

Lab 1.11: Edit Values—Removing A Selected Value 733

This option provides security in the Test networks that you generate for a class. Instead of giving every student the same test, every student can be tested on the same specified con-figurations but receive a different and random value for each one.

You can manually change some values and have the program randomly change others; these two options are not mutually exclusive. During any of these processes the configuration values in the Master network are never changed. Changes are only reflected in the Test network.

If you are testing yourself, you can use this option but you will know beforehand which values are being randomized.

Lab 1.11: Edit Values—Removing A Selected ValueYou can select specific values that you want the program to remove when the Test network is created. Find the values that you want to remove and click the Remove check box that is to the right of the value. If you are an instructor you may want to test problem solving skills of your students. For example, an access list needs to be created by students in a Test network. You have access list 10 fully configured in the Master network but want to remove some elements like the IP Access Group In and IP Access Group Out configurations. As you see below the Remove checkbox has been selected for these two values. When the Test network is generated these two values will not appear.

734 Net Assessment

You can manually change some values, have the program randomly change others, and select specific values to be removed; these three options are not mutually exclusive and can be used in combination together. During any of these processes the configuration values in the Master network are never changed. Changes are only reflected in the Test network.

If you are testing yourself, you can use this option but you will know beforehand which values are being removed.

Lab 1.12: Edit Values—Auto-Selecting and Randomizing Any ValueYou can have the program randomly select and randomly change any value that displays in the Edit Values screen. Decide how many values you want to randomize and increment the counter to match that number. For example, you may have 20 values that appear in the Values Editor. You can set the counter between 1 and 20. A number of one means that only one of the 20 values will be randomly selected and changed to a random value, by the pro-gram. In the following example the counter has been changed to 5.

This option is ideal if you are testing yourself. You can set the counter to a specific number and create a Test network. You will not know what values have been altered until you open the Test network. At that point it will not be apparent as to what has changed until you go through your Test network. Almost anything in the network that had been originally configured is fair game for being changed by our program.

You can manually select, randomize, and remove values and still use this auto-select option.

These options are not mutually exclusive and can be used in combination with each other. However, keep in mind that if you use other options such as selecting a few values to be randomly removed, those values will not be in the pool of possible values that will be

Lab 1.13: Edit Values—Auto-Selecting and Removing Any Value 735

changed by this option. During this process the configuration values in the Master network are never changed. Changes are only reflected in the Test network.

Exceeding the Number of ConfigurationsIf you set the counter(s) to a number that exceeds the possible number of configurations on the Edit Value screen, the program will not affect more than the total number of configura-tions on the screen.

Lab 1.13: Edit Values—Auto-Selecting and Removing Any ValueYou can have the program randomly select and randomly remove any value that displays in the Edit Values screen. Decide how many values you want removed and increment the counter to match that number. For example, you may have 20 values that appear in the Values Editor. You can set the counter between 1 and 20. A number of one means that only one of the 20 values will be randomly selected and removed by the program. In the following example the counter has been changed to 3.

This option is ideal if you are testing yourself. You can set the counter to a specific number and create a Test network. You will not know what values have been removed until you open the Test network. At that point it will not be apparent as to what has been removed until you go through your Test network. Almost anything in the network that had been originally configured is fair game for being removed by our program.

You can manually select, randomize, and remove values and still use this auto-select option.

736 Net Assessment

These options are not mutually exclusive and can be used in combination with each other. However, keep in mind that if you use other options such as selecting a few values to be randomly removed, those values will not be in the pool of possible values that will be changed by this option. During this process the configuration values in the Master network are never changed. Changes are only reflected in the Test network.

Exceeding the Number of ConfigurationsIf you set the counter(s) to a number that exceeds the possible number of configurations on the Edit Value screen, the program will not affect more than the total number of configura-tions on the screen.

Create Your Own Custom Labs

Lab 1.1: Creating a Custom Lab

You can create your own labs. You can then make your labs available for others to use. This involves a three step process:

NN Create and configure a network

NN Insert instructions

NN Save your network into the folder Custom Networks and make it available to others

Lab Steps

1. Open a Network Visualizer screen.

2. Place the desired devices on the screen.

3. Connect the devices.

4. Configure the devices.

5. Use a third-party program to create instructions. This can be a text editor, word pro-cessor, html editor, spread sheet program, etc. The important thing to keep in mind is that the person using labs/networks that you create must have the same program on their computer that was used to create the instructions. Save the file as you normally would do.

6. There are two ways to insert a document.

NN Using the menu, click Insert and then File.

Lab 1.1: Creating a Custom Lab 739

NN Click the Insert button on the button bar.

740 Create Your Own Custom Labs

7. Find your instruction file on your computer and then click the Close button on the dia-log box. An object will appear on the network with file name of your instruction file.

8. Save your network. There are two ways you can save a network layout. The first way is by clicking on the Diskette button on the button bar, at the top of the Network Visualizer screen. You can also click File on the menu and choose Save from the drop down menu.

Lab 1.1: Creating a Custom Lab 741

9. You will want to save your file to the custom networks folder. It can be found off the root folder (program files\routersim\ccnavl3\custom networks). Any network saved to this folder will display on the Network Visualizer menu.

N You can save your files alphabetically - If you save your files alphabetically, that is how they will be sorted and displayed when presented on the Custom Labs menu.

NN You can save your files with a numbering scheme. You can number your files which will allow you to specify the order of display, regardless of the alphabetical spelling of the file name. For example, let us say you have four network files that are being saved to the custom networks folder. You assign a number to the title of these files in this manner:

10_Cisco IOS

20_Defining and describing a network

30_CLI (command line interface)

40_Configuring an ISR router

742 Create Your Own Custom Labs

10. Close and re-open a Network Visualizer screen and you can now view your custom labs under the menus Labs, Custom.

11. You can distribute your custom labs to others so that they show up on their menus.

Network It is straightforward to distribute the files if you have a network install. Save all the custom labs to the custom networks folder on the server. When anyone launches this program from their workstation, the custom labs will display on their Labs menu.

Standalone You can also distribute the files to others or place these files yourself on standalone systems. Copy all the custom labs to the folder custom networks.