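Addressing Table

| Device | Interface | IP Address | Subnet Mask | Default Gateway |
|--------|-----------|-----------------|-----------------|-----------------|
| R1 | Fa0/0 | 192.168.10.1 | 255.255.255.0 | N/A |
| R1 | Fa0/1 | 192.168.11.1 | 255.255.255.0 | N/A |
| R1 | S0/0/0 | 10.1.1.1 | 255.255.255.252 | N/A |
| R1 | S0/0/1 | 10.3.3.1 | 255.255.255.252 | N/A |
| R2 | Fa0/1 | 192.168.20.1 | 255.255.255.0 | N/A |
| R2 | S0/0/0 | 10.1.1.2 | 255.255.255.252 | N/A |
| R2 | S0/0/1 | 10.2.2.1 | 255.255.255.252 | N/A |
| R2 | Lo0 | 209.165.200.225 | 255.255.255.224 | 209.165.200.226 |
| R3 | Fa0/1 | N/A | N/A | N/A |
| R3 | Fa0/1.11 | 192.168.11.3 | 255.255.255.0 | N/A |
| R3 | Fa0/1.30 | 192.168.30.1 | 255.255.255.0 | N/A |
| R3 | S0/0/0 | 10.3.3.2 | 255.255.255.252 | N/A |
| R3 | S0/0/1 | 10.2.2.2 | 255.255.255.252 | N/A |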
All contents are Copyright 1992200 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information.
Learning Objectives
Upon completion of this lab, you will be able to:
- Cable a network according to the topology diagram
- Erase the startup configuration and reload a router to the default state
- Load the routers and switches with supplied scripts
- Find and correct all network errors
- Document the corrected network

Scenario
You have been asked to correct configuration errors in the company network. For this lab, do not use login or password protection on any console lines to prevent accidental lockout. Use ciscoccna for all passwords in this scenario.
Note: Because this lab is cumulative, you will be using all the knowledge and troubleshooting techniques that you have acquired from the previous material to successfully complete this lab.

Requirements
- S2 is the spanning-tree root for VLAN 11, and S3 is the spanning-tree root for VLAN 30.
- S3 is a VTP server with S2 as a client.
- The serial link between R1 and R2 is Frame Relay. Make sure that each router can ping their own Frame Relay interface.
- The serial link between R2 and R3 uses HDLC encapsulation.
- The serial link between R1 and R3 uses PPP.
- The serial link between R1 and R3 is authenticated using CHAP.
- R2 must have secure login procedures because it is the Internet edge router.
- All vty lines, except those belonging to R2, allow connections only from the subnets shown in the topology diagram, excluding the public address.
  Hint:
  R2> telnet 10.1.1.1 /source-interface loopback 0
  Trying 10.1.1.1 ...
  % Connection refused by remote host
- Source IP address spoofing should be prevented on all links that do not connect to other routers.
- Routing protocols must be secured. All RIP routers must use MD5 authentication.
- R3 must not be able to telnet to R2 through the directly connected serial link.
- R3 has access to both VLAN 11 and 30 via its Fast Ethernet port 0/0.
- The TFTP server should not get any traffic that has a source address outside the subnet. All devices have access to the TFTP server.
- All devices on the 192.168.10.0 subnet must be able to get their IP addresses from DHCP on R1. This includes S1.
- R1 must be accessible via SDM.
- All addresses shown in the diagram must be reachable from every device.

Instructor Notes
Students are provided with the configurations to load into the routers. The configurations in the student lab do not contain the lines in red. As the instructor, these lines are provided here for you so that you can guide students through the troubleshooting process. The lab as presented here provides troubleshooting and problem solving practice and confirmation for many of the skills presented throughout the CCNA courses.
An alternate starting configuration is available for a less extensive lab. The alternate configuration has fewer troubleshooting points and allows students to complete the lab in a shorter time frame.
 no shutdown
!
interface FastEthernet0/1
 ip address 192.168.11.1 255.255.255.0
 ip rip authentication mode md5
 ip rip authentication key-chain RIP_KEY
 no shutdown
!
interface Serial0/0/0
 ip address 10.1.1.1 255.255.255.252
 ip rip authentication mode md5
 ip rip authentication key-chain RIP_KEY
 encapsulation frame-relay
 clockrate 128000
 frame-relay map ip 10.1.1.1 201
 frame-relay map ip 10.1.1.2 201 broadcast
 no frame-relay inverse-arp
 no shutdown
 frame-relay intf-type dce
! The router acting as the Frame Relay switch must have its serial
! interface designated on the DCE side of the connection.
!
interface Serial0/0/1
 ip address 10.3.3.1 255.255.255.252
 ip rip authentication mode md5
 ip rip authentication key-chain RIP_KEY
 encapsulation ppp
 ppp authentication chap
 no shutdown
!
!
router rip
 version 2
 passive-interface default
 no passive-interface FastEthernet0/0
 no passive-interface FastEthernet0/1
 no passive-interface Serial0/0/0
 no passive-interface Serial0/0/1
! Interfaces must be put into a non-passive state to propagate RIP
! Updates when the passive interface default command is entered.
 network 10.1.1.0
 network 10.0.0.0
! The network 10.1.1.0 command will actually work. However, RIP will
! change it to 10.0.0.0. Issue the show run command to confirm this.
 network 192.168.10.0
 network 192.168.11.0
 no auto-summary
!
ip classless
!
no ip http server
ip http server
! The HTTP server was most likely disabled for security reasons.
! However, for SDM to be accessible, the HTTP server must be enabled.
!
ip access-list standard Anti-spoofing
 permit 192.168.10.0 0.0.0.255
 deny any
ip access-list standard VTY
 permit 10.0.0.0 0.255.255.255
 permit 192.168.10.0 0.0.0.255
 permit 192.168.11.0 0.0.0.255
 permit 192.168.20.0 0.0.0.255
 permit 192.168.30.0 0.0.0.255
!
line con 0
 exec-timeout 0 0
 logging synchronous
line aux 0
line vty 0 4
 access-class VTY in
 login local
!
end
!-----------------------------------------
! R2
!-----------------------------------------
no service password-encryption
!
hostname R2
!
security passwords min-length 6
enable secret ciscoccna
!
aaa new-model
!
aaa authentication login LOCAL_AUTH local
aaa authentication login local_auth local
! The authentication list name is case-sensitive, therefore vty lines
! try to authenticate against a list that does not exist. Case and
! spelling errors are among the most common.
aaa session-id common
!
ip cef
!
no ip domain lookup
!
key chain RIP_KEY
 key 1
  key-string cisco
username ccna password 0 ciscoccna
!
interface Loopback0
 description Simulated ISP Connection
 ip address 209.165.200.245 255.255.255.224
!
interface FastEthernet0/0
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 192.168.20.1 255.255.255.0
 ip access-group TFTP out
 ip access-group Anti-spoofing in
 ip nat outside
 duplex auto
 speed auto
!
!
interface Serial0/0/0
 ip address 10.1.1.2 255.255.255.0
 ip address 10.1.1.2 255.255.255.252
 ip nat inside
 encapsulation frame-relay
 no keepalive
 frame-relay map ip 10.1.1.1 201 broadcast
 frame-relay map ip 10.1.1.2 201
! Without this command, this router will not be able to ping its own
! interface
 no frame-relay inverse-arp
!
interface Serial0/0/1
 ip address 10.2.2.1 255.255.255.0
 ip address 10.2.2.1 255.255.255.252
! After using the /24 subnet so frequently, subnet masks are easily
! mistyped.
 ip access-group R3-telnet in
 ip nat inside
 ip rip authentication mode md5
 ip rip authentication key-chain RIP_KEY
 clockrate 128000
!
!
router rip
 version 2
 passive-interface default
 no passive-interface Serial0/0/0
 no passive-interface Serial0/0/1
 network 10.0.0.0
 network 192.168.20.0
 default-information originate
 no auto-summary
!
ip classless
ip route 0.0.0.0 0.0.0.0 209.165.200.226
!
no ip http server
ip nat inside source list NAT interface FastEthernet0/0 overload
!
ip access-list standard Anti-spoofing
 permit 192.168.20.0 0.0.0.255
 deny any
ip access-list standard NAT
 permit 10.0.0.0 0.255.255.255
 permit 192.168.0.0 0.0.255.255
!
ip access-list extended R3-telnet
 deny tcp host 10.2.2.2 host 10.2.2.1 eq telnet
 deny tcp host 10.3.3.2 host 10.2.2.1 eq telnet
 deny tcp host 192.168.11.3 host 10.2.2.1 eq telnet
 deny tcp host 192.168.30.1 host 10.2.2.1 eq telnet
 permit ip any any
!
ip access-list standard TFTP
 permit 192.168.20.0 0.0.0.255
!
control-plane
!
line con 0
 exec-timeout 0 0
 logging synchronous
line aux 0
 exec-timeout 15 0
 logging synchronous
 login authentication local_auth
 transport output telnet
line vty 0 4
 exec-timeout 15 0
 logging synchronous
 login authentication local_auth
 transport input telnet
!
end
!-----------------------------------------
! R3
!-----------------------------------------
no service password-encryption
!
hostname R3
!
security passwords min-length 6
enable secret ciscoccna
!
no aaa new-model
!
ip cef
!
no ip domain lookup
!
key chain RIP_KEY
 key 1
  key-string cisco
username R1 password 0 ciscoccna
username ccna password 0 ciscoccna
!
interface FastEthernet0/1
 no shutdown
!
interface FastEthernet0/1.11
 encapsulation dot1Q 11
 ip address 192.168.11.3 255.255.255.0
 ip rip authentication mode md5
 ip rip authentication key-chain RIP_KEY
 no snmp trap link-status
!
interface FastEthernet0/1.30
 encapsulation dot1Q 30
 ip address 192.168.30.1 255.255.255.0
 ip rip authentication mode md5
 ip rip authentication key-chain RIP_KEY
 ip access-group Anti-spoofing in
 no snmp trap link-status
!
!
interface Serial0/0/0
 ip address 10.3.3.2 255.255.255.252
 ip rip authentication mode md5
 ip rip authentication key-chain RIP_KEY
 encapsulation ppp
 clockrate 125000
 ppp authentication chap
!
interface Serial0/0/1
 ip address 10.2.2.2 255.255.255.252
 ip rip authentication mode md5
 ip rip authentication key-chain RIP_KEY
! All of the other routers are using authentication. Therefore, without
! this command on each interface that sends RIP updates, this router
! will not be able to participate in RIP.
!
router rip
 version 2
 passive-interface default
 no passive-interface FastEthernet0/1.11
 no passive-interface FastEthernet0/1.30
 no passive-interface Serial0/0/0
 no passive-interface Serial0/0/1
 network 10.0.0.0
 network 192.168.11.0
 network 192.168.30.0
 no auto-summary
!
ip classless
!
ip http server
!
ip access-list standard Anti-spoofing
 permit 192.168.30.0 0.0.0.255
 deny any
ip access-list standard VTY
 permit 10.0.0.0 0.255.255.255
 permit 192.168.10.0 0.0.0.255
 permit 192.168.11.0 0.0.0.255
 permit 192.168.20.0 0.0.0.255
 permit 192.168.30.0 0.0.0.255
!
control-plane
!
line con 0
 exec-timeout 0 0
 logging synchronous
line aux 0
 exec-timeout 15 0
 logging synchronous
line vty 0 4
 access-class VTY in
 exec-timeout 15 0
 logging synchronous
 login local
!
end
!----------------------------------------
! S1
!----------------------------------------
no service password-encryption
!
hostname S1
!
security passwords min-length 6
enable secret ciscoccna
!
no aaa new-model
vtp domain CCNA_Troubleshooting
vtp mode transparent
vtp password ciscoccna
ip subnet-zero
!
no ip domain-lookup
!
no file verify auto
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
vlan 10
!
interface FastEthernet0/1
 switchport access vlan 10
 switchport mode access
!
interface FastEthernet0/2
 switchport access vlan 10
 switchport mode access
!
interface range FastEthernet0/3-24
!
interface GigabitEthernet0/1
 shutdown
!
interface GigabitEthernet0/2
 shutdown
!
interface Vlan1
 no ip address
 no ip route-cache
!
interface Vlan10
 ip address dhcp
 no ip route-cache
!
ip default-gateway 192.168.10.1
ip http server
!
control-plane
!
line con 0
 exec-timeout 0 0
 logging synchronous
line vty 0 4
 password ciscoccna
 login
line vty 5 15
 no login
!
end
!----------------------------------------
! S2
!----------------------------------------
no service password-encryption
!
hostname S2
!
security passwords min-length 6
enable secret ciscoccna
!
no aaa new-model
vtp domain CCNA_Troubleshooting
vtp mode transparent
vtp mode client
! NOTE: Because the server was already configured, the VLAN information
! will not be passed to Switch3 until there is a new revision. This can
! be caused by creating and then deleting a VLAN on Switch2, the VTP
! server.
vtp password ciscoccna
ip subnet-zero
!
no ip domain-lookup
!
no file verify auto
!
spanning-tree mode rapid-pvst
spanning-tree extend system-id
spanning-tree vlan 11 priority 24576
spanning-tree vlan 30 priority 28672
!
vlan internal allocation policy ascending
!
interface FastEthernet0/1
 switchport access vlan 11
 switchport mode access
!
interface FastEthernet0/2
 switchport access vlan 11
 switchport mode access
!
interface FastEthernet0/3
 switchport trunk native vlan 99
 switchport trunk allowed vlan 11,30
 switchport mode trunk
!
interface FastEthernet0/4
 switchport trunk native vlan 99
 switchport trunk allowed vlan 11,30
 switchport mode trunk
!
interface range FastEthernet0/5-24
 shutdown
!
interface GigabitEthernet0/1
 shutdown
!
interface GigabitEthernet0/2
 shutdown
!
interface Vlan1
 no ip address
 no ip route-cache
!
interface Vlan11
 ip address 192.168.11.2 255.255.255.0
 no ip route-cache
!
ip http server
!
control-plane
!
line con 0
 exec-timeout 0 0
 logging synchronous
line vty 0 4
 password ciscoccna
 login
line vty 5 15
 no login
!
end
!----------------------------------------
! S3
!----------------------------------------
no service password-encryption
!
hostname S3
!
security passwords min-length 6
enable secret ciscoccna
!
no aaa new-model
vtp domain CCNA_troubleshooting
vtp domain CCNA_Troubleshooting
! The VTP mode is case-sensitive, so a typo like this will prevent VTP
! from working properly. The switch should display an error about a
! domain mismatch when the trunk links come up.
vtp mode server
vtp password ciscoccna
ip subnet-zero
!
no ip domain-lookup
!
no file verify auto
!
spanning-tree mode rapid-pvst
spanning-tree extend system-id
spanning-tree vlan 11 priority 28672
spanning-tree vlan 30 priority 24576
!
vlan internal allocation policy ascending
!
vlan 11,30
! It is a common mistake to forget to create VLANs, especially if they
! are already allowed on trunk links.
!
interface FastEthernet0/1
 switchport trunk allowed vlan 30
 switchport trunk allowed vlan 11,30
! VLAN 11 must be allowed on the trunk to R3 to obtain connectivity to
! R2
 switchport mode trunk
!
interface FastEthernet0/2
 switchport access vlan 30
 switchport mode access
!
interface FastEthernet0/3
 switchport trunk native vlan 99
 switchport trunk allowed vlan 11,30
 switchport mode trunk
!
interface FastEthernet0/4
 switchport trunk native vlan 99
 switchport trunk allowed vlan 11,30
 switchport mode trunk
!
interface range FastEthernet0/5-24
 shutdown
!
interface GigabitEthernet0/1
 shutdown
!
interface GigabitEthernet0/2
 shutdown
!
interface Vlan1
 no ip address
 no ip route-cache
!
interface Vlan30
 ip address 192.168.30.2 255.255.255.0
 no ip route-cache
!
ip default-gateway 192.168.30.1
ip http server
!
control-plane
!
line con 0
 exec-timeout 5 0
 logging synchronous
line vty 0 4
 password ciscoccna
 login
line vty 5 15
 no login
!
end

Task 2: Find and Correct All Network Errors

Task 3: Verify that Requirements Are Fully Met
Because time constraints prevent troubleshooting a problem on each topic, only a select number of topics have problems. However, to reinforce and strengthen troubleshooting skills, you should verify that each requirement is met. To do this, present an example of each requirement (for example a show or debug command).
Remind students of the many commands they have used throughout this course and others to verify and troubleshoot. Some common and useful commands include:
show ip route
show ip interface brief
show spanning-tree
show vtp status
show interface serial
debug ppp authentication
show ip access-lists
show ip dhcp binding
show frame-relay map
show run
ping
telnet
This task is intentionally left vague because there are many ways to verify the requirements. Below is an example for requirement 1.
Requirement 1 states that S2 should be the root for VLAN 11 and that S3 should be the root for VLAN 30. Issuing the show spanning-tree command allows us to confirm that these switches have been configured correctly.

S2#show spanning-tree

VLAN0011
  Spanning tree enabled protocol rstp
  Root ID    Priority    24587
             Address     001c.57ec.2480
             This bridge is the root
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    24587  (priority 24576 sys-id-ext 11)
             Address     001c.57ec.2480
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time 300

Role Sts Cost      Prio.Nbr Type
---- --- --------- -------- --------------------
Desg FWD 19        128.2    P2p
Desg FWD 19        128.3    P2p
Desg FWD 19        128.4    P2p

VLAN0030
  Spanning tree enabled protocol rstp
  Root ID    Priority    24606
             Address     001c.57ec.1480
             Cost        19
             Port        3 (FastEthernet0/3)
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    28702  (priority 28672 sys-id-ext 30)
             Address     001c.57ec.2480
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time 300

Interface        Role Sts Cost      Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------
Fa0/3            Root FWD 19        128.3    P2p
Fa0/4            Altn BLK 19        128.4    P2p
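Two of the seeded errors called out in the instructor comments (a vty line that references an AAA login list whose name differs only in case, and a RIP-speaking interface without MD5 authentication) can also be caught offline by linting a saved configuration. The Python below is an added example, not part of the Cisco lab; the function names are hypothetical, the two sample configs are constructed from the R2 and R3 fragments on this page, and it assumes indented `show running-config` text. It goes slightly beyond the lab by also handling a `router rip` block without `passive-interface default`.

```python
import re

# Constructed samples, condensed from the R2 and R3 starting configurations.
SAMPLE_R2 = """\
hostname R2
aaa new-model
aaa authentication login LOCAL_AUTH local
line con 0
 exec-timeout 0 0
line aux 0
 login authentication local_auth
line vty 0 4
 login authentication local_auth
"""

SAMPLE_R3 = """\
hostname R3
key chain RIP_KEY
 key 1
  key-string cisco
interface FastEthernet0/1.30
 encapsulation dot1Q 30
 ip address 192.168.30.1 255.255.255.0
 ip rip authentication mode md5
 ip rip authentication key-chain RIP_KEY
interface Serial0/0/0
 ip address 10.3.3.2 255.255.255.252
 ip rip authentication mode md5
 ip rip authentication key-chain RIP_KEY
interface Serial0/0/1
 ip address 10.2.2.2 255.255.255.252
router rip
 version 2
 passive-interface default
 no passive-interface FastEthernet0/1.30
 no passive-interface Serial0/0/0
 no passive-interface Serial0/0/1
"""


def parse_sections(config):
    """Split IOS text into (header, [indented child lines]) pairs."""
    sections = []
    for raw in config.splitlines():
        if not raw.strip() or raw.strip().startswith("!"):
            continue  # blank lines and '!' separators/comments
        if raw[0].isspace() and sections:
            sections[-1][1].append(raw.strip())
        else:
            sections.append((raw.strip(), []))
    return sections


def undefined_login_lists(config):
    """Return (line, list_name) where 'login authentication' names a list
    that no 'aaa authentication login' statement defines (case-sensitive)."""
    sections = parse_sections(config)
    defined = {"default"}  # the default list always exists
    for header, _ in sections:
        m = re.match(r"aaa authentication login (\S+)", header)
        if m:
            defined.add(m.group(1))
    findings = []
    for header, children in sections:
        if not header.startswith("line "):
            continue
        for child in children:
            m = re.match(r"login authentication (\S+)", child)
            if m and m.group(1) not in defined:
                findings.append((header, m.group(1)))
    return findings


def rip_interfaces_missing_md5(config):
    """Return interfaces that send RIP updates but lack MD5 authentication
    or reference a key chain that is not defined."""
    sections = parse_sections(config)
    key_chains = {h.split()[2] for h, _ in sections if h.startswith("key chain ")}
    interfaces = {h.split()[1]: c for h, c in sections if h.startswith("interface ")}
    rip = next((c for h, c in sections if h == "router rip"), None)
    if rip is None:
        return []
    if "passive-interface default" in rip:
        active = {l.split()[2] for l in rip if l.startswith("no passive-interface ")}
    else:
        passive = {l.split()[1] for l in rip if l.startswith("passive-interface ")}
        active = {n for n, c in interfaces.items()
                  if any(l.startswith("ip address ") for l in c)} - passive
    findings = []
    for name in sorted(active):
        lines = interfaces.get(name, [])
        chain = next((l.split()[-1] for l in lines
                      if l.startswith("ip rip authentication key-chain ")), None)
        if "ip rip authentication mode md5" not in lines or chain not in key_chains:
            findings.append(name)
    return findings


if __name__ == "__main__":
    for line, name in undefined_login_lists(SAMPLE_R2):
        print(f"R2: '{line}' uses undefined AAA login list '{name}'")
    for iface in rip_interfaces_missing_md5(SAMPLE_R3):
        print(f"R3: {iface} sends RIP updates without MD5 authentication")
```

The RIP check does not evaluate `network` statements, so an interface outside every advertised network can still be reported.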
boot-end-marker
!
security passwords min-length 6
enable secret 5 ciscoccna
!
ip cef
!
ip dhcp pool Access1
 network 192.168.10.0 255.255.255.0
 default-router 192.168.10.1
!
no ip domain lookup
frame-relay switching
!
key chain RIP_KEY
 key 1
  key-string cisco
username R3 password 0 ciscoccna
username ccna password 0 ciscoccna
!
interface FastEthernet0/0
 ip address 192.168.10.1 255.255.255.0
 ip rip authentication mode md5
 ip rip authentication key-chain RIP_KEY
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 192.168.11.1 255.255.255.0
 ip rip authentication mode md5
 ip rip authentication key-chain RIP_KEY
 duplex auto
 speed auto
!
interface Serial0/0/0
 ip address 10.1.1.1 255.255.255.252
 ip rip authentication mode md5
 ip rip authentication key-chain RIP_KEY
 encapsulation frame-relay
 no keepalive
 clockrate 128000
 frame-relay map ip 10.1.1.1 201
 frame-relay map ip 10.1.1.2 201 broadcast
 no frame-relay inverse-arp
 frame-relay intf-type dce
!
interface Serial0/0/1
 ip address 10.3.3.1 255.255.255.252
 ip rip authentication mode md5
 ip rip authentication key-chain RIP_KEY
 encapsulation ppp
 ppp authentication chap
!
!
router rip
 version 2
 passive-interface default
 no passive-interface FastEthernet0/0
 no passive-interface FastEthernet0/1
 no passive-interface Serial0/0/0
 no passive-interface Serial0/0/1
 network 10.0.0.0
 network 192.168.10.0
 network 192.168.11.0
 no auto-summary
!
ip classless
!
ip http server
!
ip access-list standard Anti-spoofing
 permit 192.168.10.0 0.0.0.255
 deny any
ip access-list standard VTY
 permit 10.0.0.0 0.255.255.255
 permit 192.168.10.0 0.0.0.255
 permit 192.168.11.0 0.0.0.255
 permit 192.168.20.0 0.0.0.255
 permit 192.168.30.0 0.0.0.255
!
line con 0
 exec-timeout 5 0
 logging synchronous
line aux 0
line vty 0 4
 access-class VTY in
 login local
!
end
!-----------------------------------------
! R2
!-----------------------------------------
no service password-encryption
!
hostname R2
!
security passwords min-length 6
enable secret ciscoccna
!
aaa new-model
!
aaa authentication login local_auth local
aaa session-id common
!
ip cef
!
no ip domain lookup
!
!
key chain RIP_KEY
 key 1
  key-string cisco
username ccna password 0 ciscoccna
!
interface Loopback0
 ip address 209.165.200.245 255.255.255.224
!
interface FastEthernet0/1
 ip address 192.168.20.1 255.255.255.0
 ip access-group TFTP out
 ip access-group Anti-spoofing in
 ip nat outside
 duplex auto
 speed auto
!
interface FastEthernet0/0
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Serial0/0/0
 ip address 10.1.1.2 255.255.255.252
 ip nat inside
 encapsulation frame-relay
 no keepalive
 frame-relay map ip 10.1.1.1 201 broadcast
 frame-relay map ip 10.1.1.2 201
 no frame-relay inverse-arp
!
interface Serial0/0/1
 ip address 10.2.2.1 255.255.255.252
 ip access-group R3-telnet in
 ip nat inside
 ip rip authentication mode md5
 ip rip authentication key-chain RIP_KEY
 clockrate 128000
!
!
router rip
 version 2
 passive-interface default
 no passive-interface FastEthernet0/1
 no passive-interface Serial0/0/0
 no passive-interface Serial0/0/1
 network 10.0.0.0
 network 192.168.20.0
 default-information originate
 no auto-summary
!
ip classless
ip route 0.0.0.0 0.0.0.0 209.165.200.226
!
no ip http server
ip nat inside source list NAT interface FastEthernet0/0 overload
!
ip access-list standard Anti-spoofing
 permit 192.168.20.0 0.0.0.255
 deny any
ip access-list standard NAT
 permit 10.0.0.0 0.255.255.255
 permit 192.168.0.0 0.0.255.255
!
ip access-list extended R3-telnet
 deny tcp host 10.2.2.2 host 10.2.2.1 eq telnet
 deny tcp host 10.3.3.2 host 10.2.2.1 eq telnet
 deny tcp host 192.168.11.3 host 10.2.2.1 eq telnet
 deny tcp host 192.168.30.1 host 10.2.2.1 eq telnet
 permit ip any any
!
ip access-list standard TFTP
 permit 192.168.20.0 0.0.0.255
!
control-plane
!
line con 0
 exec-timeout 5 0
 logging synchronous
line aux 0
 exec-timeout 15 0
 logging synchronous
 login authentication local_auth
 transport output telnet
line vty 0 4
 exec-timeout 15 0
 logging synchronous
 login authentication local_auth
 transport input telnet
!
end
!-----------------------------------------
! R3
!-----------------------------------------
no service password-encryption
!
hostname R3
!
security passwords min-length 6
enable secret ciscoccna
!
no aaa new-model
!
ip cef
!
no ip domain lookup
!
!
key chain RIP_KEY
 key 1
  key-string cisco
username R1 password 0 ciscoccna
username ccna password 0 ciscoccna
!
interface FastEthernet0/1
!
interface FastEthernet0/1.11
 encapsulation dot1Q 11
 ip address 192.168.11.3 255.255.255.0
 ip rip authentication mode md5
 ip rip authentication key-chain RIP_KEY
 no snmp trap link-status
!
interface FastEthernet0/1.30
 encapsulation dot1Q 30
 ip address 192.168.30.1 255.255.255.0
 ip rip authentication mode md5
 ip rip authentication key-chain RIP_KEY
 ip access-group Anti-spoofing in
 no snmp trap link-status
!
!
interface Serial0/0/0
 ip address 10.3.3.2 255.255.255.252
 ip rip authentication mode md5
 ip rip authentication key-chain RIP_KEY
 encapsulation ppp
 clockrate 125000
 ppp authentication chap
!
interface Serial0/0/1
 ip address 10.2.2.2 255.255.255.252
 ip rip authentication mode md5
 ip rip authentication key-chain RIP_KEY
!
router rip
 version 2
 passive-interface default
 no passive-interface FastEthernet0/1.11
 no passive-interface FastEthernet0/1.30
 no passive-interface Serial0/0/0
 no passive-interface Serial0/0/1
 network 10.0.0.0
 network 192.168.11.0
 network 192.168.30.0
 no auto-summary
!
ip classless
!
ip http server
!
ip access-list standard Anti-spoofing
 permit 192.168.30.0 0.0.0.255
 deny any
ip access-list standard VTY
 permit 10.0.0.0 0.255.255.255
 permit 192.168.10.0 0.0.0.255
 permit 192.168.11.0 0.0.0.255
 permit 192.168.20.0 0.0.0.255
 permit 192.168.30.0 0.0.0.255
!
control-plane
!
line con 0
 exec-timeout 5 0
 logging synchronous
line aux 0
 exec-timeout 15 0
 logging synchronous
line vty 0 4
 access-class VTY in
 exec-timeout 15 0
 logging synchronous
 login local
!
end
!----------------------------------------
! S1
!----------------------------------------
no service password-encryption
!
hostname S1
!
security passwords min-length 6
enable secret ciscoccna
!
no aaa new-model
vtp domain CCNA_Troubleshooting
vtp mode transparent
vtp password ciscoccna
ip subnet-zero
!
no ip domain-lookup
!
no file verify auto
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
vlan 10
!
interface FastEthernet0/1
 switchport access vlan 10
 switchport mode access
!
interface FastEthernet0/2
 switchport access vlan 10
 switchport mode access
!
interface range FastEthernet0/3-24
!
interface GigabitEthernet0/1
 shutdown
!
interface GigabitEthernet0/2
 shutdown
!
interface Vlan1
 no ip address
 no ip route-cache
!
interface Vlan10
 ip address dhcp
 no ip route-cache
!
ip default-gateway 192.168.10.1
ip http server
!
control-plane
!
!
line con 0
 exec-timeout 5 0
 logging synchronous
line vty 0 4
 password ciscoccna
 login
line vty 5 15
 no login
!
end
!----------------------------------------
! S2
!----------------------------------------
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname S2
!
security passwords min-length 6
enable secret ciscoccna
!
no aaa new-model
vtp domain CCNA_Troubleshooting
vtp mode client
vtp password ciscoccna
ip subnet-zero
!
no ip domain-lookup
!
no file verify auto
!
spanning-tree mode rapid-pvst
spanning-tree extend system-id
spanning-tree vlan 11 priority 24576
spanning-tree vlan 30 priority 28672
!
vlan internal allocation policy ascending
!
interface FastEthernet0/1
 switchport access vlan 11
 switchport mode access
!
interface FastEthernet0/2
 switchport access vlan 11
 switchport mode access
!
interface FastEthernet0/3
 switchport trunk native vlan 99
 switchport trunk allowed vlan 11,30
 switchport mode trunk
!
interface FastEthernet0/4
 switchport trunk native vlan 99
 switchport trunk allowed vlan 11,30
 switchport mode trunk
!
interface range FastEthernet0/5-24
 shutdown
!
interface GigabitEthernet0/1
 shutdown
!
interface GigabitEthernet0/2
 shutdown
!
interface Vlan1
 no ip address
 no ip route-cache
!
interface Vlan11
 ip address 192.168.11.2 255.255.255.0
 no ip route-cache
!
ip http server
!
control-plane
!
line con 0
 exec-timeout 5 0
 logging synchronous
line vty 0 4
 password ciscoccna
 login
line vty 5 15
 no login
!
end
!----------------------------------------
! S3
!----------------------------------------
no service password-encryption
!
hostname S3
!
security passwords min-length 6
enable secret ciscoccna
!
no aaa new-model
vtp domain CCNA_Troubleshooting
vtp mode Server
vtp password ciscoccna
ip subnet-zero
!
no ip domain-lookup
!
no file verify auto
!
spanning-tree mode rapid-pvst
spanning-tree extend system-id
spanning-tree vlan 11 priority 28672
spanning-tree vlan 30 priority 24576
!
vlan internal allocation policy ascending
!
Vlan 11,30
!
interface FastEthernet0/1
 switchport trunk allowed vlan 11,30
 switchport mode trunk
!
interface FastEthernet0/2
 switchport access vlan 30
 switchport mode access
!
interface FastEthernet0/3
 switchport trunk native vlan 99
 switchport trunk allowed vlan 11,30
 switchport mode trunk
!
interface FastEthernet0/4
 switchport trunk native vlan 99
 switchport trunk allowed vlan 11,30
 switchport mode trunk
!
interface range FastEthernet0/5-24
 shutdown
!
interface GigabitEthernet0/1
 shutdown
!
interface GigabitEthernet0/2
 shutdown
!
interface Vlan1
 no ip address
 no ip route-cache
!
interface Vlan30
!
ip default-gateway 192.168.30.1
ip http server
!
control-plane
!
!
line con 0
 exec-timeout 5 0
 logging synchronous
line vty 0 4
 password ciscoccna
 login
line vty 5 15
 no login
!
end

Task 5: Clean Up
Erase the configurations and reload the routers. Disconnect and store the cabling. For PC hosts that are normally connected to other networks (such as the school LAN or to the Internet), reconnect the appropriate cabling and restore the TCP/IP settings.
Alternate Configurations
These configurations can be used as the starting point. There are fewer errors in these configurations. Again, the same troubleshooting methods and commands should be used to isolate and resolve the problems. The corrected network configurations are the same as for the original configurations.

!-----------------------------------------
! R1
!-----------------------------------------
no service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
security passwords min-length 6
enable secret 5 ciscoccna
!
ip cef
!
ip dhcp pool Access1
 network 192.168.10.0 255.255.255.0
 default-router 192.168.10.1
!
no ip domain lookup
frame-relay switching
!
key chain RIP_KEY
 key 1
  key-string cisco
! Must create a key chain to be used for RIP authentication to work.
!
username R3 password 0 ciscoccna
username ccna password 0 ciscoccna
!
interface FastEthernet0/0
 ip address 192.168.10.1 255.255.255.0
 ip rip authentication mode md5
 ip rip authentication key-chain RIP_KEY
 no shutdown
!
interface FastEthernet0/1
 ip address 192.168.11.1 255.255.255.0
 ip rip authentication mode md5
 ip rip authentication key-chain RIP_KEY
 no shutdown
!
interface Serial0/0/0
 ip address 10.1.1.1 255.255.255.252
 ip rip authentication mode md5
 ip rip authentication key-chain RIP_KEY
 encapsulation frame-relay
 clockrate 128000
 frame-relay map ip 10.1.1.1 201
 frame-relay map ip 10.1.1.2 201 broadcast
 no frame-relay inverse-arp
 no shutdown
 frame-relay intf-type dce
!
interface Serial0/0/1
 ip address 10.3.3.1 255.255.255.252
 ip rip authentication mode md5
 ip rip authentication key-chain RIP_KEY
 encapsulation ppp
 ppp authentication chap
 no shutdown
!
!
router rip
 version 2
 passive-interface default
 no passive-interface FastEthernet0/0
 no passive-interface FastEthernet0/1
 no passive-interface Serial0/0/0
 no passive-interface Serial0/0/1
! Interfaces must be put into a non-passive state to propagate RIP
! Updates when the passive interface default command is entered.
 network 10.0.0.0
 network 192.168.10.0
 network 192.168.11.0
 no auto-summary
!
ip classless
!
no ip http server
ip http server
! The HTTP server was most likely disabled for security reasons.
! However, for SDM to be accessible, the HTTP server must be enabled.
!
ip access-list standard Anti-spoofing
 permit 192.168.10.0 0.0.0.255
 deny any
ip access-list standard VTY
 permit 10.0.0.0 0.255.255.255
 permit 192.168.10.0 0.0.0.255
 permit 192.168.11.0 0.0.0.255
 permit 192.168.20.0 0.0.0.255
 permit 192.168.30.0 0.0.0.255
!
line con 0
 exec-timeout 0 0
 logging synchronous
line aux 0
line vty 0 4
 access-class VTY in
 login local
!
end
!-----------------------------------------
! R2
!-----------------------------------------
no service password-encryption
!
hostname R2
!
security passwords min-length 6
enable secret ciscoccna
!
aaa new-model
!
aaa authentication login LOCAL_AUTH local
aaa authentication login local_auth local
! The authentication list name is case-sensitive, therefore vty lines
! try to authenticate against a list that does not exist. Case and
! spelling errors are among the most common.
aaa session-id common
!
ip cef
!
no ip domain lookup
!
key chain RIP_KEY
 key 1
  key-string cisco
username ccna password 0 ciscoccna
!
interface Loopback0
 description Simulated ISP Connection
 ip address 209.165.200.245 255.255.255.224
!
interface FastEthernet0/0
 ip address 192.168.20.1 255.255.255.0
 ip access-group TFTP out
 ip access-group Anti-spoofing in
 ip nat outside
 duplex auto
 speed auto
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Serial0/0/0
 ip address 10.1.1.2 255.255.255.0
 ip address 10.1.1.2 255.255.255.252
 ip nat inside
 encapsulation frame-relay
 no keepalive
 frame-relay map ip 10.1.1.1 201 broadcast
 frame-relay map ip 10.1.1.2 201
 no frame-relay inverse-arp
!
interface Serial0/0/1
 ip address 10.2.2.1 255.255.255.0
 ip address 10.2.2.1 255.255.255.252
! After using the /24 subnet so frequently, subnet masks are easily
! mistyped.
 ip access-group R3-telnet in
 ip nat inside
 ip rip authentication mode md5
 ip rip authentication key-chain RIP_KEY
 clockrate 128000
!
!
router rip
 version 2
 passive-interface default
 no passive-interface Serial0/0/0
 no passive-interface Serial0/0/1
 network 10.0.0.0
 network 192.168.20.0
 default-information originate
 no auto-summary
!
ip classless
ip route 0.0.0.0 0.0.0.0 209.165.200.226
!
no ip http server
ip nat inside source list NAT interface FastEthernet0/0 overload
!
ip access-list standard Anti-spoofing
 permit 192.168.20.0 0.0.0.255
 deny any
ip access-list standard NAT
 permit 10.0.0.0 0.255.255.255
 permit 192.168.0.0 0.0.255.255
!
ip access-list extended R3-telnet
 deny tcp host 10.2.2.2 host 10.2.2.1 eq telnet
 deny tcp host 10.3.3.2 host 10.2.2.1 eq telnet
 deny tcp host 192.168.11.3 host 10.2.2.1 eq telnet
 deny tcp host 192.168.30.1 host 10.2.2.1 eq telnet
 permit ip any any
!
ip access-list standard TFTP
 permit 192.168.20.0 0.0.0.255
!
control-plane
!
line con 0
 exec-timeout 0 0
 logging synchronous
line aux 0
 exec-timeout 15 0
 logging synchronous
 login authentication local_auth
 transport output telnet
line vty 0 4
 exec-timeout 15 0
 logging synchronous
 login authentication local_auth
 transport input telnet
!
end
!-----------------------------------------
! R3
!-----------------------------------------
no service password-encryption
!
hostname R3
!
security passwords min-length 6
enable secret ciscoccna
!
no aaa new-model
!
ip cef
!
no ip domain lookup
!
key chain RIP_KEY
 key 1
  key-string cisco
username R1 password 0 ciscoccna
username ccna password 0 ciscoccna
!
interface FastEthernet0/1
 no shutdown
!
interface FastEthernet0/1.11
 encapsulation dot1Q 11
 ip address 192.168.11.3 255.255.255.0
 ip rip authentication mode md5
 ip rip authentication key-chain RIP_KEY
 no snmp trap link-status
!
interface FastEthernet0/1.30
 encapsulation dot1Q 30
 ip address 192.168.30.1 255.255.255.0
 ip rip authentication mode md5
 ip rip authentication key-chain RIP_KEY
 ip access-group Anti-spoofing in
 no snmp trap link-status
!
!
interface Serial0/0/0
 ip address 10.3.3.2 255.255.255.252
 ip rip authentication mode md5
 ip rip authentication key-chain RIP_KEY
 encapsulation ppp
 clockrate 125000
 ppp authentication chap
!
interface Serial0/0/1
 ip address 10.2.2.2 255.255.255.252
 ip rip authentication mode md5
 ip rip authentication key-chain RIP_KEY
! All of the other routers are using authentication. Therefore, without
! this command on each interface that sends RIP updates, this router
! will not be able to participate in RIP.
!
router rip
 version 2
 passive-interface default
 no passive-interface FastEthernet0/0.11
 no passive-interface FastEthernet0/0.30
 no passive-interface Serial0/0/0
 no passive-interface Serial0/0/1
 network 10.0.0.0
 network 192.168.11.0
 network 192.168.30.0
 no auto-summary
!
ip classless
!
ip http server
!
ip access-list standard Anti-spoofing
 permit 192.168.30.0 0.0.0.255
 deny any
ip access-list standard VTY
 permit 10.0.0.0 0.255.255.255
 permit 192.168.10.0 0.0.0.255
 permit 192.168.11.0 0.0.0.255
 permit 192.168.20.0 0.0.0.255
 permit 192.168.30.0 0.0.0.255
!
control-plane
!
line con 0
 exec-timeout 0 0
 logging synchronous
line aux 0
 exec-timeout 15 0
 logging synchronous
line vty 0 4
 access-class VTY in
 exec-timeout 15 0
 logging synchronous
 login local
!
end
!----------------------------------------
! S1
!----------------------------------------
no service password-encryption
!
hostname S1
!
security passwords min-length 6
enable secret ciscoccna
!
no aaa new-model
vtp domain CCNA_Troubleshooting
vtp mode transparent
vtp password ciscoccna
ip subnet-zero
!
no ip domain-lookup
!
no file verify auto
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
vlan 10
!
interface FastEthernet0/1
 switchport access vlan 10
 switchport mode access
!
interface FastEthernet0/2
 switchport access vlan 10
 switchport mode access
!
interface range FastEthernet0/3-24
!
interface GigabitEthernet0/1
 shutdown
!
interface GigabitEthernet0/2
 shutdown
!
interface Vlan1
 no ip address
 no ip route-cache
!
interface Vlan10
 ip address dhcp
 no ip route-cache
!
ip default-gateway 192.168.10.1
ip http server
!
control-plane
!
line con 0
 exec-timeout 0 0
 logging synchronous
line vty 0 4
 password ciscoccna
 login
line vty 5 15
 no login
!
end
!----------------------------------------
! S2
!----------------------------------------
no service password-encryption
!
hostname S2
!
security passwords min-length 6
enable secret ciscoccna
!
no aaa new-model
vtp domain CCNA_Troubleshooting
vtp mode transparent
vtp mode client
! NOTE: Because the server was already configured, the VLAN information
! will not be passed to Switch3 until there is a new revision. This can
! be caused by creating and then deleting a VLAN on Switch2, the VTP
! server.
vtp password ciscoccna
ip subnet-zero
!
no ip domain-lookup
!
no file verify auto
!
spanning-tree mode rapid-pvst
spanning-tree extend system-id
spanning-tree vlan 11 priority 24576
spanning-tree vlan 30 priority 28672
!
vlan internal allocation policy ascending
!
interface FastEthernet0/1
 switchport access vlan 11
 switchport mode access
!
interface FastEthernet0/2
 switchport access vlan 11
 switchport mode access
!
interface FastEthernet0/3
 switchport trunk native vlan 99
 switchport trunk allowed vlan 11,30
 switchport mode trunk
!
interface FastEthernet0/4
 switchport trunk native vlan 99
 switchport trunk allowed vlan 11,30
 switchport mode trunk
!
interface range FastEthernet0/5-24
 shutdown
!
interface GigabitEthernet0/1
 shutdown
!
interface GigabitEthernet0/2
 shutdown
!
interface Vlan1
 no ip address
 no ip route-cache
!
interface Vlan11
 ip address 192.168.11.2 255.255.255.0
 no ip route-cache
!
ip http server
!
control-plane
!
line con 0
 exec-timeout 0 0
 logging synchronous
line vty 0 4
 password ciscoccna
 login
line vty 5 15
 no login
!
end
!----------------------------------------
! S3
!----------------------------------------
no service password-encryption
!
hostname S3
!
security passwords min-length 6
enable secret ciscoccna
!
no aaa new-model
vtp domain CCNA_troubleshooting
vtp domain CCNA_Troubleshooting
! The VTP mode is case-sensitive, so a typo like this will prevent VTP
! from working properly. The switch should display an error about a
! domain mismatch when the trunk links come up.
vtp mode server
vtp password ciscoccna
ip subnet-zero
!
no ip domain-lookup
!
no file verify auto
!
spanning-tree mode rapid-pvst
spanning-tree extend system-id
spanning-tree vlan 11 priority 28672
spanning-tree vlan 30 priority 24576
!
vlan internal allocation policy ascending
!
vlan 11,30
! It is a common mistake to forget to create VLANs, especially if they
! are already allowed on trunk links.
!
interface FastEthernet0/1
 switchport trunk allowed vlan 30
 switchport trunk allowed vlan 11,30
! VLAN 11 must be allowed on the trunk to R3 to obtain connectivity to
! R2
 switchport mode trunk
!
interface FastEthernet0/2
 switchport access vlan 30
 switchport mode access
!
interface FastEthernet0/3
 switchport trunk native vlan 99
 switchport trunk allowed vlan 11,30
 switchport mode trunk
!
interface FastEthernet0/4
 switchport trunk native vlan 99
 switchport trunk allowed vlan 11,30
 switchport mode trunk
!
interface range FastEthernet0/5-24
 shutdown
!
interface GigabitEthernet0/1
 shutdown
!
interface GigabitEthernet0/2
 shutdown
!
interface Vlan1
 no ip address
 no ip route-cache
!
interface Vlan30
 ip address 192.168.30.2 255.255.255.0
 no ip route-cache
!
ip default-gateway 192.168.30.1
ip http server
!
control-plane
!
line con 0
 exec-timeout 5 0
 logging synchronous
line vty 0 4
 password ciscoccna
 login
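The case-mismatched AAA list name and the missing RIP key chain called out in the configuration comments above are both references to a name that is never defined. The Python check below is an added example, not part of the Cisco lab: the function names, the pattern tables and the constructed SAMPLE excerpt are assumptions made for illustration, and it reports such dangling references in a saved configuration before the configuration is loaded.

```python
import re

# Where a named object is defined, and where another command refers to it.
DEFINITIONS = [
    ("aaa-login-list", r"aaa authentication login (\S+)"),
    ("acl", r"ip access-list (?:standard|extended) (\S+)"),
    ("key-chain", r"key chain (\S+)"),
]
REFERENCES = [
    ("aaa-login-list", r"login authentication (\S+)"),
    ("acl", r"ip access-group (\S+) (?:in|out)"),
    ("acl", r"access-class (\S+) (?:in|out)"),
    ("acl", r"ip nat inside source list (\S+)"),
    ("key-chain", r"ip rip authentication key-chain (\S+)"),
]

def collect(lines, table):
    """Yield (kind, name) for every line matching a pattern in table."""
    for line in lines:
        for kind, pattern in table:
            m = re.match(pattern, line)
            if m:
                yield kind, m.group(1)

def audit(config):
    """Return sorted (kind, name, reason) findings for dangling references."""
    lines = [line.strip() for line in config.splitlines()]
    defined = set(collect(lines, DEFINITIONS))
    findings = set()
    for kind, name in collect(lines, REFERENCES):
        if (kind, name) in defined or name == "default" or name.isdigit():
            continue  # defined, built-in default list, or numbered ACL (not checked)
        near = sorted(n for k, n in defined if k == kind and n.lower() == name.lower())
        reason = f"case mismatch with {near[0]}" if near else "not defined"
        findings.add((kind, name, reason))
    return sorted(findings)

# Constructed excerpt combining two of the faults the lab comments describe.
SAMPLE = """\
aaa authentication login LOCAL_AUTH local
interface Serial0/0/1
 ip access-group R3-telnet in
 ip rip authentication key-chain RIP_KEY
ip access-list extended R3-telnet
 permit ip any any
line vty 0 4
 login authentication local_auth
"""

print(audit(SAMPLE))
```

Names are compared exactly, as IOS does, so only an identical spelling counts as a definition; a name that differs only in case is reported separately from one that is missing altogether.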