Interconnecting Cisco
Networking Devices
Part 1
Version 1.0
Lab Guide
Text Part Number: 97-2507-01
DISCLAIMER WARRANTY: THIS CONTENT IS BEING PROVIDED AS IS. CISCO MAKES AND YOU RECEIVE NO WARRANTIES IN
CONNECTION WITH THE CONTENT PROVIDED HEREUNDER, EXPRESS, IMPLIED, STATUTORY OR IN ANY OTHER PROVISION OF
THIS CONTENT OR COMMUNICATION BETWEEN CISCO AND YOU. CISCO SPECIFICALLY DISCLAIMS ALL IMPLIED
WARRANTIES, INCLUDING WARRANTIES OF MERCHANTABILITY, NON-INFRINGEMENT AND FITNESS FOR A PARTICULAR
PURPOSE, OR ARISING FROM A COURSE OF DEALING, USAGE OR TRADE PRACTICE. This learning product may contain early release
content, and while Cisco believes it to be accurate, it falls subject to the disclaimer above.
Table of Contents
Lab Guide
Overview
Outline
Lab 1-1: Using Windows Applications as Network Tools
Activity Objective
Visual Objective
Required Resources
Command List
Job Aids
Task 1: Obtain the Current IP Address Information
Task 2: View the Network Properties of the PC Ethernet Adapter
Task 3: Test Connectivity to the Default Gateway Router
Task 4: View the ARP Bindings of IP Address to MAC Address
Lab 1-2: Observing the TCP Three-Way Handshake
Activity Objective
Visual Objective
Required Resources
Command List
Job Aids
Task 1: Prepare the Sniffer Software to Capture a TCP Flow
Task 2: Generate the TCP Flow to Be Captured
Task 3: Inspect the TCP Initialization Sequence
Lab 1-3: Observing Extended PC Network Information
Activity Objective
Visual Objective
Required Resources
Command List
Job Aids
Task 1: Obtain the Full Current IP Addressing Information
Task 2: Test Connectivity to the DNS Server
Task 3: Tracing Connectivity to the DNS Server
Lab 2-1: Connecting to Remote Lab Equipment
Activity Objective
Visual Objective
Required Resources
Command List
Job Aid
Task 1: Connect to Remote Console Server
Task 2: Connect to Remote VPN Router
Lab 2-2: Performing Switch Startup and Initial Configuration
Activity Objective
Visual Objective
Required Resources
Command List
Job Aids
Task 1: Connect to Your Assigned Workgroup Switch
Task 2: Verify That Switch Is Unconfigured and Reload
Task 3: Use System Configuration Dialog to Produce an Initial Configuration
Task 4: Add Default Gateway to Initial Configuration
Lab 2-3: Enhancing the Security of Initial Switch Configuration
Activity Objective
Visual Objective
Required Resources
Command List
Job Aids
Task 1: Add Password Protection to Console Port and Vty Lines
Task 2: Activate Password Encryption Service
Task 3: Apply a Login Banner
Job Aids
Task 1: Remove Any Residual Configuration from Your Router
Task 2: Reload the Router and Observe the Startup Output
Lab 4-6: Performing Initial Router Configuration
Activity Objective
Visual Objective
Required Resources
Command List
Job Aids
Task 1: Enter the Initial Configuration Using the setup Command
Task 2: Validate the Router Configuration
Lab 4-7: Enhancing the Security of Initial Router Configuration
Activity Objective
Visual Objective
Required Resources
Command List
Job Aids
Task 1: Add Password Protection to Console Port
Task 2: Activate Password Encryption Service
Task 3: Apply a Login Banner
Task 4: Enable SSH Protocol for Remote Management
Lab 4-8: Using Cisco SDM to Configure DHCP Server Function
Activity Objective
Visual Objective
Required Resources
Command List
Job Aids
Task 1: Configuring the Router to Support Web-Based Applications, a User with Privilege 15, and Telnet and SSH
Task 2: Use Cisco SDM to Configure a DHCP Pool
Task 2: Using Tools to Correlate Network Information
Lab 4-9: Managing Remote Access Sessions
Activity Objective
Visual Objective
Required Resources
Command List
Job Aids
Task 1: Improve the Usability of the Router CLI
Task 2: Connect to Your Remote Workgroup via VPN Tunnel
Task 3: Using the Cisco IOS CLI Commands to Control Telnet and SSH Sessions
Lab 5-1: Connecting to the Internet
Activity Objective
Visual Objective
Required Resources
Command List
Job Aids
Task 1: Use Cisco SDM to Configure the Ethernet Connection to the Internet
Task 2: Use the CLI to Verify and Observe the Operation of PAT on Your Workgroup Router
Lab 5-2: Connecting to the Main Office
Activity Objective
Visual Objective
Required Resources
Command List
Job Aids
Task 1: Configure Your Workgroup Router Serial 0/0/0
Task 2: Test Connectivity to Your Assigned Remote Network
Task 3: Add a Static Route Entry for Your Remote Network
ICND1
Lab Guide
Overview
This guide presents instructions and other information concerning the lab activities for this
course. You can find the solutions in the lab activity Answer Key.
Outline
This guide includes these activities:
Answer Key
Activity Objective
In this activity, you will be able to use Windows applications and commands to investigate the
IP configuration of your PC, and your local network. After completing this activity, you will be
able to meet these objectives:
Using the Windows command ipconfig, determine the current network addressing
information of a PC.
Using the Windows command ping, test connectivity to the default gateway
router.
Using the Windows command arp -a, view the ARP table of the local PC and determine
the association between the IP address and the MAC address of the default-gateway
Visual Objective
The figure illustrates what you will accomplish in this activity.
Required Resources
These are the resources and equipment that are required to complete this activity:
Lab Guide
Command List
The table describes the commands that are used in this activity.
Windows Commands
Command
Description
arp -a
ipconfig
ping
ping (-t)
Job Aids
These job aids are available to help you complete the lab activity.
Activity Procedure
Complete these steps:
Step 1
Step 2
Choose run, and enter cmd in the Run window dialog box. Click OK to continue.
Step 3
From the Command window prompt, enter ipconfig. It is not necessary to capitalize
the command.
Step 4
Nonworking example 1: The output indicates no connectivity; probably the Ethernet cable is
not physically connected.
C:\Documents and Settings>ipconfig
Windows IP Configuration
Ethernet adapter Local Area Connection:
Media State . . . . . . . . . . . : Media disconnected
Nonworking example 2: The output indicates the PC is waiting to obtain its IP address
information automatically. This output is transient: the PC will either successfully get an
address or not. Retry the ipconfig command periodically until the output changes to one of
the remaining examples below.
Connection-specific DNS Suffix  . :
IP Address. . . . . . . . . . . . : 0.0.0.0
Subnet Mask . . . . . . . . . . . : 0.0.0.0
Default Gateway . . . . . . . . . :
Nonworking example 3: The output indicates the PC network adapter was unable to obtain an
IP address automatically, so the PC will use a generated link local address. Getting an address
may seem like success, but it really indicates that there is no connectivity to an IP address
server. This address will not be useful for network connectivity. If you see an IP address
beginning with 169.254.x.x, you do not have a valid address.
C:\Documents and Settings>ipconfig
Windows IP Configuration
Ethernet adapter Local Area Connection:
Connection-specific DNS Suffix  . :
Autoconfiguration IP Address. . . : 169.254.249.221
Subnet Mask . . . . . . . . . . . : 255.255.0.0
Default Gateway . . . . . . . . . :
Working example 1: The output indicates that the PC either has a preconfigured IP address or
it successfully obtained its IP address automatically. Your IP address, subnet mask, or default
gateway will most likely be different than what is shown.
C:\Documents and Settings>ipconfig
Windows IP Configuration
Ethernet adapter Local Area Connection:
Connection-specific DNS Suffix  . : cisco.com
IP Address. . . . . . . . . . . . : 192.168.1.105
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.1.1
Step 1
If you have a problem, ask your instructor for assistance. Continue only if you have
a valid IP address.
Step 2
Write the values you obtained from the ipconfig command in the spaces below, as
you will be using them in later tasks:
PC IP address
IP default gateway address
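The four ipconfig outcomes described in this task can be told apart mechanically. The following is an added example, not part of the original lab guide: it classifies one adapter's ipconfig text and extracts the two values recorded above. The function names and state labels are assumptions, and the sample text is constructed to match the Windows output layout shown in this task.

```python
import re
from ipaddress import IPv4Address

# Constructed samples modelled on the four outputs shown in Task 1.
HEADER = "Windows IP Configuration\nEthernet adapter Local Area Connection:\n"
SAMPLES = {
    "disconnected": HEADER +
        "Media State . . . . . . . . . . . : Media disconnected\n",
    "waiting": HEADER +
        "Connection-specific DNS Suffix  . :\n"
        "IP Address. . . . . . . . . . . . : 0.0.0.0\n"
        "Subnet Mask . . . . . . . . . . . : 0.0.0.0\n"
        "Default Gateway . . . . . . . . . :\n",
    "apipa": HEADER +
        "Connection-specific DNS Suffix  . :\n"
        "Autoconfiguration IP Address. . . : 169.254.249.221\n"
        "Subnet Mask . . . . . . . . . . . : 255.255.0.0\n"
        "Default Gateway . . . . . . . . . :\n",
    "working": HEADER +
        "Connection-specific DNS Suffix  . : cisco.com\n"
        "IP Address. . . . . . . . . . . . : 192.168.1.105\n"
        "Subnet Mask . . . . . . . . . . . : 255.255.255.0\n"
        "Default Gateway . . . . . . . . . : 192.168.1.1\n",
}


def field(output, label):
    """Return the value after 'label . . . :' on its own line, or None if blank."""
    match = re.search(rf"^\s*{label}[ .]*:[ \t]*(\S*)", output, re.M)
    return match.group(1) or None if match else None


def classify_ipconfig(output):
    """Return (state, ip_address, default_gateway) for one adapter."""
    if re.search(r"Media State[ .]*:[ \t]*Media disconnected", output):
        return ("disconnected", None, None)      # nonworking example 1
    ip = field(output, r"(?:Autoconfiguration )?IP Address")
    gateway = field(output, r"Default Gateway")
    if ip is None:
        return ("unknown", None, gateway)
    addr = IPv4Address(ip)
    if addr.is_unspecified:                      # 0.0.0.0: still waiting
        state = "waiting-for-dhcp"               # nonworking example 2
    elif addr.is_link_local:                     # 169.254.0.0/16
        state = "link-local"                     # nonworking example 3
    else:
        state = "valid"                          # working example 1
    return (state, ip, gateway)


if __name__ == "__main__":
    for name, text in SAMPLES.items():
        print(name, classify_ipconfig(text))
```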
Activity Verification
You have completed this task when you attain this result:
Activity Procedure
Complete these steps:
Step 1
From the Windows desktop, click the Local Area Connection shortcut on your
desktop.
Step 2
From the Local Area Connection status window, click the Properties button.
Step 3
At the Local Area Connection Properties window, scroll down to the bottom and left-click
Internet Protocol (TCP/IP) to highlight it. Then click the Properties button.
Step 4
At the Internet Protocol (TCP/IP) Properties window, you might find the Obtain an
IP Address Automatically radio button already set, with all the fields blank, as
shown below.
Step 5
Alternatively, you might see the Use the Following IP Address radio button chosen,
and the fields configured with IP address information matching the output you
obtained from the ipconfig command.
Note
Step 6
Close all the dialog boxes and return to the Windows desktop.
Activity Verification
You have completed this task when you attain these results:
You used the Windows TCP/IP properties to view the current configuration for the local
area connection.
The values set in the TCP/IP properties were consistent with the information you obtained
using the ipconfig command.
Activity Procedure
Complete these steps:
Step 1
From the Command window prompt, enter ping followed by the address of your
default gateway that you obtained in Task 1.
Step 2
The first example below is an unsuccessful ping. Should you get this output you
should ask your instructor for assistance.
Nonworking example: The output indicates that no reply was received from the target IP
address.
C:\Documents and Settings>ping 192.168.1.1
Pinging 192.168.1.1 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Working example: This indicates successful receipt of replies from the target IP address.
C:\Documents and Settings>ping 192.168.1.1
Pinging 192.168.1.1 with 32 bytes of data:
Reply from 192.168.1.1: bytes=32 time<1ms TTL=255
Reply from 192.168.1.1: bytes=32 time<1ms TTL=255
Reply from 192.168.1.1: bytes=32 time<1ms TTL=255
Reply from 192.168.1.1: bytes=32 time<1ms TTL=255
Notice that by default the Windows command sends four ping packets (ICMP echo
requests).
Activity Verification
You have completed this task when you attain these results:
You used the Windows ping command to test the connectivity to your default gateway
router.
Activity Procedure
Complete these steps:
Step 1
From the Command window prompt, enter arp -a. It is necessary to use the -a
parameter to get the output of the ARP table.
Type
dynamic
Step 2
Your output should resemble the output in Step 1. If you did not get any values, it
may be that the ARP table has timed-out the entry and you need to repeat Step 1 of
the previous task.
Step 3
Activity Verification
You have completed this task when you attain this result:
You were able to view the binding of the IP address to the MAC address.
Activity Objective
In this activity, you will use a packet sniffer software application to view the TCP initial
three-way handshake. After completing this activity, you will be able to meet these objectives:
Start the packet sniffer software application, to monitor the appropriate Ethernet interface
for recording the packet flow
Observe the initial packets of the TCP flow, especially the SYN packet, SYN ACK packet,
and finally the ACK packet
Visual Objective
The figure illustrates what you will accomplish in this activity.
Required Resources
These are the resources and equipment that are required to complete this activity:
Command List
The table describes the applications that are used in this activity.
PC Applications
Windows Application
Description
Internet Explorer
Wireshark
Caution
Job Aids
These job aids are available to help you complete the lab activity.
Activity Procedure
Complete these steps:
Step 1
Open the Wireshark application by double-clicking its icon, which should be visible on your
desktop.
Step 2
Step 3
Choose your local network Ethernet interface adapter. If this process is unclear, ask your
instructor for assistance. Click the Start button associated with the chosen interface. Make a
note of the IP address associated with your chosen Ethernet adapter, because it will be the
source IP address you will look for when examining captured packets.
Note your IP address here: _______________________________
Step 4
Step 5
You will look more closely at the capture windows after you have captured the TCP flow.
Step 6
You may see some packets filling up the uppermost window. This will depend on the level of
background activity on the network you are attached to.
Activity Verification
You have completed this task when you attain this result:
You have an open packet-capture window, associated with the Ethernet interface connected
to your default router.
Activity Procedure
Complete these steps:
Step 1
At the PC desktop double-click the Internet Explorer icon to launch the web
browser.
Step 2
Enter the destination name or address. Your instructor may provide you with a name
or address different from www.cisco.com. If so, write down this information in
the space provided: ___________________________________________________
Step 3
Return to the already open Wireshark application and choose Capture > Stop from
the drop-down menu.
Step 4
If you have many TCP packets that are unrelated to your TCP connection, you may
need to use the filter capability of Wireshark.
Step 5
To use a preconfigured filter, click the Analyze tab. Then click Display Filters.
Step 6
In the Wireshark: Display Filter window, click TCP only then click the OK
button.
Step 7
In the top window of the Wireshark application, use the scroll bar to place the first
captured TCP packet at the top of the window. This should be the first packet in the
flow.
Step 8
Observe the Info column of the captured packets in the top window; look for three
packets similar to those shown below. Two groups of three packets are shown
highlighted as an example.
Step 9
Note the first packet number in the sequence you have identified in your capture
window. There is no need to find more than one sequence of packets. In the example
above, packet 1 and packet 12 both begin a sequence. You will observe the contents
of these packets in detail in the next task.
Write down the packet number of first packet in TCP sequence in the space provided:
________________________________________________________________________
Step 10
Activity Verification
You have completed this task when you attain these results:
You have identified that you have captured the packet sequence described in Step 8.
You have noted the first packet in the sequence to be inspected in detail.
Activity Procedure
Complete these steps:
Step 1
In the top window of the Wireshark application click (anywhere) on the line
containing the first packet identified in the previous task. This will highlight the line
and make the two lower windows fill with the decoded information from that packet.
Step 2
In the example that follows, the Wireshark windows were adjusted to allow the
information to be viewed in a compact size. The middle window contains the
detailed decoding of the packet.
Step 3
Clicking the + icon on the left side will expand the view of the TCP information.
The view can be contracted by clicking the - icon.
Step 4
Notice in this example that the (forward) sequence number is set to zero, and the
SYN bit is 1 (set) in the Flags field.
Step 5
Click the next packet in the sequence (top window) and the detailed information will
change to match the new values.
Step 6
Notice in the reply packet that the (backward) sequence number is set to 0, and that
the acknowledgment number appears and is set to 1. Also in the Flags field, the
acknowledgment bit and the SYN bit are 1 (set).
Step 7
Click the next packet in the sequence (top window) and the detailed information will
change to match the new values.
Step 8
In the third and final packet in the exchange, notice that the (forward) sequence
number is now set to 1, the acknowledgment number is set to 1, and in the Flags
field, only the acknowledgment bit is 1 (set). At this point, the TCP connection is
said to be established, as both ends have synchronized their sequence and
acknowledgment numbers, as well as other parameters not discussed.
Step 9
Activity Verification
You have completed this task when you attain this result:
You have selected and decoded your three identified captured packets, and the values
match those shown and discussed in the examples within the task.
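The values inspected in this task (sequence 0 on the SYN, sequence 0 and acknowledgment 1 on the SYN-ACK, sequence 1 and acknowledgment 1 on the final ACK) are relative numbers that Wireshark derives from the raw 32-bit fields. The following is an added example, not part of the original lab guide: it decodes three constructed IPv4/TCP headers and reproduces those relative values, including the case where the client's initial sequence number wraps around. The server address, ports, initial sequence numbers and function names are assumptions.

```python
import struct
from ipaddress import IPv4Address

SYN, ACK = 0x02, 0x10
FLAG_MASK = 0x17      # FIN, SYN, RST and ACK bits
MOD = 2 ** 32         # TCP sequence numbers are 32-bit and wrap around


def build_segment(src, dst, sport, dport, seq, ack, flags):
    """Build a 20-byte IPv4 header plus 20-byte TCP header (checksums zeroed)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 64240, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     IPv4Address(src).packed, IPv4Address(dst).packed)
    return ip + tcp


def parse_segment(raw):
    """Decode the fields Task 3 inspects: endpoints, sequence, acknowledgment, flags."""
    if raw[0] >> 4 != 4 or raw[9] != 6:
        raise ValueError("not an IPv4 TCP packet")
    ihl = (raw[0] & 0x0F) * 4  # IP header length in bytes
    sport, dport, seq, ack, _off, flags = struct.unpack("!HHIIBB", raw[ihl:ihl + 14])
    return {
        "src": (str(IPv4Address(raw[12:16])), sport),
        "dst": (str(IPv4Address(raw[16:20])), dport),
        "seq": seq, "ack": ack, "flags": flags,
    }


def check_handshake(packets):
    """Validate SYN, SYN-ACK, ACK and return (flags, relative seq, relative ack) rows."""
    syn, synack, ack = packets
    if syn["flags"] & FLAG_MASK != SYN:
        raise ValueError("packet 1 is not a bare SYN")
    if synack["flags"] & FLAG_MASK != SYN | ACK:
        raise ValueError("packet 2 is not a SYN-ACK")
    if ack["flags"] & FLAG_MASK != ACK:
        raise ValueError("packet 3 is not a bare ACK")
    if (synack["src"], synack["dst"]) != (syn["dst"], syn["src"]):
        raise ValueError("packet 2 is not the reply to packet 1")
    if (ack["src"], ack["dst"]) != (syn["src"], syn["dst"]):
        raise ValueError("packet 3 is not from the initiator")
    client_isn, server_isn = syn["seq"], synack["seq"]
    # A SYN consumes one sequence number, so each side acknowledges ISN + 1.
    if synack["ack"] != (client_isn + 1) % MOD:
        raise ValueError("SYN-ACK does not acknowledge the client ISN")
    if ack["seq"] != (client_isn + 1) % MOD or ack["ack"] != (server_isn + 1) % MOD:
        raise ValueError("final ACK numbers do not complete the handshake")

    def rel(value, isn):
        return (value - isn) % MOD

    return [
        ("SYN", rel(syn["seq"], client_isn), None),
        ("SYN, ACK", rel(synack["seq"], server_isn), rel(synack["ack"], client_isn)),
        ("ACK", rel(ack["seq"], client_isn), rel(ack["ack"], server_isn)),
    ]


# Constructed capture: client ISN chosen so that ISN + 1 wraps to 0.
CLIENT_IP, SERVER_IP = "192.168.1.105", "198.51.100.10"
CLIENT_ISN, SERVER_ISN = 0xFFFFFFFF, 0x3A5C91E0
CAPTURE = [
    build_segment(CLIENT_IP, SERVER_IP, 49152, 80, CLIENT_ISN, 0, SYN),
    build_segment(SERVER_IP, CLIENT_IP, 80, 49152, SERVER_ISN, 0, SYN | ACK),
    build_segment(CLIENT_IP, SERVER_IP, 49152, 80, 0, SERVER_ISN + 1, ACK),
]

if __name__ == "__main__":
    for row in check_handshake([parse_segment(p) for p in CAPTURE]):
        print(row)
```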
Activity Objective
In this activity, you will use PC tools to gather network-related information. After completing
this activity, you will be able to meet these objectives:
Using the Windows command ipconfig /all, determine IP addresses of the DNS servers
available to your PC
Using the IP address of one of the DNS servers from Task 1, test connectivity to the DNS
servers using the Windows ping command
Using the Windows command tracert /d, obtain the IP addresses of the routers traversed to
reach the DNS server tested in Task 2
Visual Objective
The figure illustrates what you will accomplish in this activity.
Required Resources
These are the resources and equipment that are required to complete this activity:
Command List
The table describes the commands that are used in this activity.
Windows Commands
Command
Description
ipconfig /all
ping
ping (-t)
Job Aids
These job aids are available to help you complete the lab activity.
Activity Procedure
Complete these steps:
Step 1
Step 2
Choose run, and enter cmd in the run window dialog box; click OK to continue.
Step 3
From the Command window prompt, enter ipconfig /all. It is necessary to add the
/all to get the full output.
Step 4
You will see from your own output that some extra, useful information is now
visible.
Step 5
Note the IP address of the first DNS server from the output of the prior step in the
space provided.
_________________________________________________________________
Activity Verification
You have completed this task when you attain this result:
You have obtained the IP address of a DNS server from the output of the ipconfig /all
command on your PC.
Activity Procedure
Complete these steps:
Step 1
From the Command window prompt, enter ping <DNS IP Address>. Your output
should be similar to the example below (which uses a fictitious IP address).
Step 2
A successful ping indicates both that the packets are being received and that the
return packets are being routed back to your PC successfully.
Step 3
Activity Verification
You have completed this task when you attain this result:
You have used the Windows ping command to successfully test connectivity to the IP
address of the DNS server you noted in Task 1.
Activity Procedure
Complete these steps:
Step 1
Step 2
From the Command window prompt, enter tracert /d <DNS IP Address>. Your
output should be similar to the example below (which uses fictitious IP addresses).
Step 3
Now that you have seen that the route to the DNS server is working, use the
command without the /d parameter to see what the output looks like when symbolic
names are available. Your output should be similar to the example below (which
uses fictitious IP addresses).
Step 4
Close the Command window by clicking the X button in the top right corner.
Activity Verification
You have completed this task when you attain these results:
You have used the tracert /d command on your PC to suppress DNS lookup during the
trace to the destination address.
You have used the tracert command without the /d parameter on your PC to display the
symbolic names associated with specific IP addresses discovered during the trace to the
destination address.
Activity Objective
In this activity, you will begin preparations for subsequent labs by testing and practicing the
connectivity for your assigned workgroup equipment, which you will use for the remaining lab
practice exercises in the course. After completing this activity, you will be able to meet these
objectives:
Connect to your assigned workgroup equipment using a console (terminal) server so that
switches and routers may be configured via the console ports.
Connect to your assigned workgroup equipment using the VPN client software so your PC
will be connected through an interface on your workgroup switch. This will allow the
configuration of your workgroup router using Cisco Router and Security Device Manager
(SDM).
Visual Objective
The figures illustrate what you will accomplish in this activity.
Your lab equipment is located remotely and will be accessed in two distinct ways.
The first method is by connecting using SSH connectivity. This provides access to a console
server (also known as a terminal server). The console server has serial connections to the
console ports of the Cisco switches and routers used in the labs. This first method sends packets
across the Internet. In these packets, the data is individually protected by encryption.
The second method is by connecting using a VPN. This provides access via a VPN router to the
same network that your workgroup switch is connected to. This second method sends packets
via an encrypted tunnel across the Internet.
Required Resources
These are the resources and equipment required to complete this activity:
Student pod consisting of one Cisco Catalyst 2960 switch and one Cisco 2811 router (or
functionally equivalent Cisco devices)
Lab Guide
Student PC or workstation with SSH and VPN client access to workstation pod devices
Command List
The table describes the applications and command used in this activity.
PC Application
Windows Applications
Description
Windows Command
ipconfig /all
Job Aid
This job aid is available to help you complete the lab activity:
Fill in this table of class-dependent network and connection information, using the values
provided by your instructor.
Instructor-Assigned Value
TFTP Server IP
Address
Workgroup
TFTP Server IP
Address
10.2.2.1
10.6.6.1
10.3.3.1
10.7.7.1
10.4.4.1
10.8.8.1
10.5.5.1
10.9.9.1
Activity Procedure
Complete these steps:
Step 1
From the desktop of your PC, double-click the icon of the terminal emulator. In the
example, PuTTY is being used.
Step 2
Ensure that the SSH radio button is selected. Enter the IP address of the console
server in the Host Name field and click Open.
Step 3
Enter the SSH login name and password at the prompts, using those you have noted
in Table 1. You may see a PuTTY security warning if PuTTY does not have the host
key cached; answer Yes to proceed.
Step 4
A banner message followed by a table showing item numbers used to connect to the
workgroups is displayed. Read the information regarding the escape sequence used
to return from a switch or router connection to the menus. To do this, press the
following keys simultaneously: Ctrl-Shift-6. Then release them and press x
(lowercase).
Step 5
Step 6
You are now at the Workgroup menu. Your choices are 1 to connect to the
router, 2 to connect to the switch, or exit to return to the previous menu.
Type exit followed by the Enter key.
Step 7
Now type exit followed by the Enter key to end the SSH session.
Step 8
Depending on the terminal emulator used, the window may close, go blank, or
appear unchanged. However, the session has ended, and any keystrokes will be
ignored.
Step 9
Activity Verification
You have completed this task when you attain these results:
You were able to access the remote console server using the information provided in Table
1.
You were able to access the Workgroup menu of your assigned pod.
You were able to navigate back to the main menu, end the terminal session, and close the
application.
Activity Procedure
Complete these steps:
Step 1
From your PC desktop, open the Cisco VPN client by clicking the VPN Client icon.
Step 2
Step 3
Step 4
Step 5
Type the VPN username and password you recorded in Table 1, and press Enter.
After a momentary pause, the VPN windows close. A small Padlock icon that was
placed in the system tray at the bottom right side of the screen goes from an open
padlock to a closed padlock. If the window does NOT close, manually minimize it.
Step 6
In order to view the changes to the IP addressing of the PC, it is necessary to open a
Command window and use the IPCONFIG command.
Step 7
When you do this you will observe that a second Ethernet adapter now has an IP
address and mask. Your output may be different; however, this address and mask are
specific to the workgroup addressing used in the labs that follow. The VPN
adapter does NOT have a default gateway specified, because the packet forwarding
behavior has been modified so that traffic for networks that have been configured
on the VPN router is forwarded through the tunnel. This occurs automatically, and
any traffic not matching is sent to the configured default gateway associated with
the other Ethernet adapter.
Step 8
You should be able to ping successfully the address 10.x.x.1, where x = 2 for WG A,
3 for WG B, and so forth, with x = 9 for WG H. If you are unsuccessful, you should
ask your instructor for assistance. Your output should be similar to the example
below.
Reply from 10.10.10.1: bytes=32 time=9ms TTL=127
Reply from 10.10.10.1: bytes=32 time=8ms TTL=127
Reply from 10.10.10.1: bytes=32 time=9ms TTL=127
Reply from 10.10.10.1: bytes=32 time=8ms TTL=127
Step 9
In later labs you will use the VPN tunnel to allow the connection of a browser to
your workgroup router.
Step 10
In order to terminate your VPN connection, double-click the system tray Padlock
icon, which will open the VPN application window. You can also right-click the
padlock icon and choose Disconnect.
Step 11
Click the Disconnect icon in the top right of the VPN application window. This will
close the tunnel connection and remove the IP addressing changes to the PC.
Step 12
Step 13
Confirm that the PC has its original network IP address by using the IPCONFIG
command in the Command window.
Step 14
Having confirmed that the connection information has been removed, close any
remaining Windows applications.
Activity Verification
You have completed this task when you attain these results:
You were able to access the remote lab network, using the VPN client application and the
information recorded in Table 1.
You were able to confirm access using ping and web connectivity.
Activity Objective
In this activity, you will connect to your workgroup switch and complete the initial device
configuration. After completing this activity, you will be able to meet these objectives:
Visual Objective
The figure illustrates what you will accomplish in this activity.
           Switch IP Address   Subnet Mask
SwitchA    10.2.2.11           255.255.255.0
SwitchB    10.3.3.11           255.255.255.0
SwitchC    10.4.4.11           255.255.255.0
SwitchD    10.5.5.11           255.255.255.0
SwitchE    10.6.6.11           255.255.255.0
SwitchF    10.7.7.11           255.255.255.0
SwitchG    10.8.8.11           255.255.255.0
SwitchH    10.9.9.11           255.255.255.0
Required Resources
These resources and equipment are required to complete this activity:
Command List
The table describes the commands that are used in this activity.
Description
configure terminal
copy running-config destination
enable
end
erase startup-config
hostname hostname
interface vlan 1
ip default-gateway ip-address
line vty 0 15
login
reload
[no] shutdown
Job Aids
These job aids are available to help you complete the lab activity. The table contains the
required information to be entered during initial switch configuration.
Value
Enable password
cisco
sanfran
Hostname
Refer to Table 2
Refer to Table 2
IP default gateway
vty password
sanjose
Hostname   Switch IP Address   Mask
SwitchA    10.2.2.11           255.255.255.0
SwitchB    10.3.3.11           255.255.255.0
SwitchC    10.4.4.11           255.255.255.0
SwitchD    10.5.5.11           255.255.255.0
SwitchE    10.6.6.11           255.255.255.0
SwitchF    10.7.7.11           255.255.255.0
SwitchG    10.8.8.11           255.255.255.0
SwitchH    10.9.9.11           255.255.255.0
Activity Procedure
Complete these steps:
Step 1
Connect via SSH to your workgroup switch using the information from Lab 2-1.
Step 2
At the first menu, enter the item number that corresponds to your assigned
workgroup. This will be a number between 1 and 8.
Step 3
At the workgroup menu, enter cls2. When you are prompted to confirm, press the
Enter key. This clears any previous open connection; you may need to do this in
later labs if your connection is terminated unexpectedly. Your display should be
similar to the example below.
************************ ICND WG_Z **************************
************************   MENU    **************************
To exit ssh session and return to the menu press
<CTRL>+<SHFT>+<6> then <X>. To clear a connection to begin
a new console session type cls# (where # = the menu item number)
Type "exit" to return to main menu.
*****************************************************************
ITEM#   DEVICE NAME
-----------------------------------------------------------------
WorkGroup Z Router
WorkGroup Z Switch
exit
Step 4
Connect to your workgroup switch by entering the menu number 2 and then pressing
Enter. Your display should be similar to this example.
************************ ICND WG_Z **************************
************************   MENU    **************************
To exit ssh session and return to the menu press
<CTRL>+<SHFT>+<6> then <X>. To clear a connection to begin
a new console session type cls# (where # = the menu item number)
Type "exit" to return to main menu.
*****************************************************************
ITEM#   DEVICE NAME
-----------------------------------------------------------------
WorkGroup Z Router
WorkGroup Z Switch
exit
Activity Verification
You have completed this task when you attain this result:
You were able to access your assigned workgroup switch on the remote lab network, using
the SSH client application and the information recorded in Table 1 of Lab 2-1.
Activity Procedure
Complete these steps:
Step 1
You will need to press Enter several times to get the switch to display the prompt. If
you see the output Switch> proceed to Step 3. If not, proceed to Step 2.
Step 2
If your output resembles that displayed below, answer Yes to the question shown.
Press Enter twice.
--- System Configuration Dialog ---
Would you like to enter the initial configuration dialog? [yes/no]: no
Switch>
Switch>
Step 3
You are currently in the user mode. To see the effect of entering a privileged
command in the user mode, enter the command erase startup-config. Your display
should be similar to the example below.
Switch>erase startup-config
^
% Invalid input detected at '^' marker.
Step 4
The output is the response to entering a privileged EXEC command when in user
mode. Enter the command enable. Your display should be similar to the example
below.
Switch>enable
Switch#
Step 5
Notice that the switch prompt changed from Switch> to Switch#. This indicates that
you are in enable EXEC mode. When you now enter the erase startup-config
command, it is accepted. Press the Enter key to confirm and press Enter again to get
the switch prompt. Your display should be similar to the example below.
Switch#erase startup-config
Erasing the nvram filesystem will remove all configuration files! Continue?
[confirm]<ENTER>
[OK]
Erase of nvram: complete
00:18:46: %SYS-7-NV_BLOCK_INIT: Initalized the geometry of nvram <ENTER>
Switch#
Step 6
Enter the reload command. The switch will prompt for confirmation. Confirm that
you want to proceed with the reload. You will then be presented with a lot of output,
giving the status of the switch during the reload process. Your display should be
similar to the example below. Some repeating text has been omitted to reduce the
output length.
Switch#reload
Proceed with reload? [confirm]<ENTER>
00:21:00: %SYS-5-RELOAD: Reload requested by console. Reload Reason: Reload Command.
Base ethernet MAC Address: 00:1a:6d:44:6c:80
Xmodem file system is available.
The password-recovery mechanism is enabled.
Initializing Flash...
flashfs[0]: 597 files, 19 directories
flashfs[0]: 0 orphaned files, 0 orphaned directories
flashfs[0]: Total bytes: 32514048
flashfs[0]: Bytes used: 8208384
flashfs[0]: Bytes available: 24305664
flashfs[0]: flashfs fsck took 9 seconds.
...done Initializing Flash.
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.
A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
If you require further assistance please contact us by sending email to
export@cisco.com.
cisco WS-C2960-24TT-L (PowerPC405) processor (revision B0) with 61440K/4088K bytes of
memory.
Processor board ID FOC1048ZE27
Last reset from power-on
1 Virtual Ethernet interface
24 FastEthernet interfaces
2 Gigabit Ethernet interfaces
The password-recovery mechanism is enabled.
64K bytes of flash-simulated non-volatile configuration memory.
Base ethernet MAC Address       : 00:1A:6D:44:6C:80
Motherboard assembly number     : 73-10390-03
Power supply part number        : 341-0097-02
Motherboard serial number       : FOC10483A1C
Power supply serial number      : DCA104382KM
Model revision number           : B0
Motherboard revision number     : C0
Model number                    : WS-C2960-24TT-L
System serial number            : FOC1048ZE27
Top Assembly Part Number        : 800-27221-02
Top Assembly Revision Number    : C0
Version ID                      : V02
CLEI Code Number                : COM3L00BRA
Hardware Board Revision Number  : 0x01
Switch   Ports  Model              SW Version              SW Image
------   -----  -----              ----------              ----------
*    1   26     WS-C2960-24TT-L    12.2(25)SEE2            C2960-LANBASEK9-M
At the prompt, to terminate AutoInstall, press Enter to accept the default, which is
yes; you do want to terminate AutoInstall.
Now you are at the prompt to enter the initial configuration dialog. At this point you
have completed this task. Note that you will answer the question in Step 1 of next task.
--- System Configuration Dialog ---
Activity Verification
You have completed this task when you attain these results:
You were able to obtain output similar to that given in Steps 6 through 8.
Activity Procedure
Complete these steps:
Step 1
You are ready to complete the initial configuration. At the prompt (from the last step
of the previous task, repeated below), enter yes and then press Enter to continue
with the switch configuration. Throughout the following configuration, your entries
are shown in bolded text.
--- System Configuration Dialog ---
Step 2
At any point you may enter a question mark '?' for help.
Use ctrl-c to abort configuration dialog at any prompt.
Default settings are in square brackets '[]'.
First, would you like to see the current interface summary? [yes]: no
2007 Cisco Systems, Inc.
Step 4
Enter the hostname for your assigned switch (for example SwitchJ ).
Enter all the passwords using the information in Lab 2-2, Table 1.
The enable secret is a password used to protect access to privileged EXEC and
configuration modes. This password, after entered, becomes encrypted in the
configuration.
The enable password is used when you do not specify an enable secret password, with
some older software versions and some boot images.
The virtual terminal password is used to protect access to the router over a network
interface.
interface? [yes]: no
interface? [yes]: no
interface? [yes]: no
interface? [yes]: no
interface? [yes]: no
interface? [yes]: no
interface? [yes]: no
interface? [yes]: no
interface? [yes]: no
interface? [yes]: no
interface? [yes]: no
interface? [yes]: no
interface? [yes]: no
interface? [yes]: no
interface? [yes]: no
interface? [yes]: no
interface? [yes]: no
interface? [yes]: no
interface? [yes]: no
interface? [yes]: no
interface? [yes]: no
interface? [yes]: no
interface? [yes]: no
interface? [yes]: no
interface? [yes]: no
interface? [yes]: no
Step 11
The setup process now outputs the Cisco IOS commands, which you should verify are
correct. Press the Spacebar when prompted with --More-- to get additional output.
interface FastEthernet0/7
!
interface FastEthernet0/8
!
interface FastEthernet0/9
!
interface FastEthernet0/10
!
interface FastEthernet0/11
!
interface FastEthernet0/12
!
interface FastEthernet0/13
!
interface FastEthernet0/14
!
interface FastEthernet0/15
!
interface FastEthernet0/16
!
interface FastEthernet0/17
!
interface FastEthernet0/18
!
interface FastEthernet0/19
!
interface FastEthernet0/20
!
interface FastEthernet0/21
!
interface FastEthernet0/22
!
interface FastEthernet0/23
!
interface FastEthernet0/24
!
interface GigabitEthernet0/1
!
interface GigabitEthernet0/2
!
end
Step 13
If the initial configuration displayed is correct, enter 2 to save this configuration to the
startup configuration in NVRAM and exit the setup mode.
Activity Verification
You have completed this task when you attain these results:
Your initial configuration output accurately matched the values assigned to your
workgroup switch.
You chose option 2 to save to NVRAM and exit the setup mode.
Activity Procedure
Complete these steps:
Step 1
To go from user EXEC mode to enable mode, enter the enable command. Then enter
the password when prompted.
Note
Remember that you set the enable password to sanfran in the previous task.
Step 2
From the enable mode, enter the configure terminal command. This command is often
abbreviated to conf t. Your display should be similar to the example below.
SwitchX#configure terminal
Enter configuration commands, one per line.
SwitchX(config)#
Step 3
Enter the command ip default-gateway 10.x.x.3, where x.x represents the second and
third octets of the address assigned to your switch interface VLAN 1. Your display
should be similar to the example below.
Leave the configuration mode by entering the command end. Your display should be
similar to the example below.
SwitchX(config)#end
SwitchX#
1d00h: %SYS-5-CONFIG_I: Configured from console by console
Step 5
A common shorthand entry for copy running-config startup-config is copy run start.
Activity Verification
You have completed this task when you attain these results:
You have added the default gateway IP address to the running configuration
Activity Objective
In this activity, you will increase the security of the initial switch configuration. After
completing this activity, you will be able to meet these objectives:
Increase the security of remote management of the switch by adding the SSH protocol to
the vty lines
Increase the security of the physical interfaces by configuring various methods of MAC
address security
Visual Objective
The figure illustrates what you will accomplish in this activity.
          Switch IP Address   Subnet Mask
SwitchA   10.2.2.11           255.255.255.0
SwitchB   10.3.3.11           255.255.255.0
SwitchC   10.4.4.11           255.255.255.0
SwitchD   10.5.5.11           255.255.255.0
SwitchE   10.6.6.11           255.255.255.0
SwitchF   10.7.7.11           255.255.255.0
SwitchG   10.8.8.11           255.255.255.0
SwitchH   10.9.9.11           255.255.255.0
Required Resources
These are the resources and equipment that are required to complete this activity:
Command List
The table describes the commands that are used in this activity.
Switch Cisco IOS Commands
Command
Description
? or help
In user EXEC mode, Cisco IOS Software lists the subset of commands
available at that privilege level.
banner login
configure terminal
enable
end
interface int-id
ip domain-name name
ip ssh version [1 | 2]
line console 0
line vty 0 15
Enters the virtual terminal line configuration mode. Vty lines allow
access to the switch for remote network management. The number of
vty lines available depends on the Cisco IOS Software version. Typical
values are 0 to 4 and 0 to 15 (inclusive).
login
login local
Activates the login process on the console or vty lines to require using
the local authentication database
logout
password
ping ip-address
reload
service password-encryption
Enable the service which will encrypt all passwords in the running
configuration.
show ip arp
show ip ssh
show mac-address-table
dynamic
show mac-address-table
interface int-id
Displays only the MAC addresses in the table associated with the
specified interface.
show running-config
shutdown
no shutdown
Sets the port to access mode. Use the no version of this command to
reset default values.
switchport port-security
switchport port-security
maximum [number]
Sets the maximum number of secure MAC addresses for the interface.
Use the no version of this command to remove it.
switchport port-security
violation violation mode
Job Aids
These job aids are available to help you complete the lab activity.
none
cisco
sanfran
sanjose
Activity Procedure
Complete these steps:
Step 1
Connect to your remote workgroup switch via the console server, and enter the
necessary commands and passwords to get to the enable EXEC prompt.
Step 2
At the user EXEC prompt, enter the command enable, followed by the enable
password for your switch.
Step 3
At the privileged EXEC prompt (sometimes called the enable prompt) of your
assigned switch, enter config t.
Step 4
Access the console port configuration by entering the command line console 0.
Step 5
At the line console configuration mode, use the password sanjose for the console
line. Enter the command password sanjose.
Step 6
Enter the command login, which will require a password to be supplied to access the
switch via the console in the future.
Step 7
Step 8
Enter the command login, which will be applied to all 16 lines (0 through 15).
Step 9
Enter the command end, which will return you to the enable EXEC prompt.
Step 10
Enter the show running-config command and observe the output to see that you
have correctly configured line console 0 and vty lines 0 through 15. Your output
should be similar to the example below, where the line configuration is shown in
bold text. You will observe that the passwords for both the line console and vty lines
are stored in cleartext.
SwitchX#show running-config
..
..Text omitted
..
!
line con 0
password sanjose
login
line vty 0 4
password sanjose
login
line vty 5 15
password sanjose
login
!
end
Step 11
You will now test your configured password by logging out of and back into the
switch via the console.
Step 12
Step 13
Step 14
Supply the password that you just configured to get to the user EXEC prompt.
Step 15
Enter the command and password to get to the enable EXEC prompt.
Step 16
Your output for Steps 12 through 15 should be similar to the example below.
SwitchX#logout
..
..empty lines omitted
..
SwitchX con0 is now available
Activity Verification
You have completed this task when you attain these results:
You inspected the configuration and observed that the line passwords are stored in
cleartext.
You tested the login process and password access to the console line successfully.
Activity Procedure
Complete these steps:
Step 1
From the enable EXEC prompt, enter the command to get to global configuration
mode.
Step 2
Step 3
Step 4
Enter the command to see the running configuration. Concentrate on the first few
lines and the last few lines of the configuration to see that the service
password-encryption command is now active and the effect it has on the line passwords. Your
output should be similar to the example below, with the bold text highlighting output
of particular interest.
SwitchX#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
SwitchX(config)#service password-encryption
SwitchX(config)#end
SwitchX#
00:38:45: %SYS-5-CONFIG_I: Configured from console by console
SwitchX#show running-config
Building configuration...
Current configuration : 1453 bytes
!
version 12.2
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
..
..Text omitted
..
!
!
line con 0
password 7 14041305060B392E
login
line vty 0 4
password 7 14041305060B392E
login
line vty 5 15
password 7 120A041918041F01
login
!
end
Step 5
Activity Verification
You have completed this task when you attain these results:
You have displayed the running configuration and observed the encryption of the line
passwords
Activity Procedure
Complete these steps:
Step 1
Step 2
Enter the command banner login % and press the Enter key. The percent symbol
(%) is the opening delimiter of the text that will form the message.
Step 3
Note
Do NOT use percent symbols as part of your banner message text; they will be interpreted
as the closing delimiter of your message.
Step 4
SwitchX#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
SwitchX(config)#banner login %
Enter TEXT message. End with the character '%'.
********** Warning
*************
Access to this device is restricted to authorized persons only!
Un-authorized access is prohibited. Violators will be prosecuted.
**************************************************************%
SwitchX(config)#
Step 5
Step 6
Enter the command to display the running configuration. Your output should be
similar to the example below, which has been edited to show just the banner
configuration. Notice that your text delimiter has been replaced with a ^C, which is a
nontext control character.
!
banner login ^C
********** Warning
*************
Access to this device is restricted to authorized persons only!
Un-authorized access is prohibited. Violators will be prosecuted.
**************************************************************^C
!
Step 7
Use the logout command to end your console session. Then log back in to the enable
prompt. Observe the display to see your banner message being presented, prior to
password entry. Your output should be similar to the example below, which has
been edited to reduce space.
SwitchX#logout
********* Warning
*************
Access to this device is restricted to authorized persons only!
Un-authorized access is prohibited. Violators will be prosecuted.
**************************************************************
User Access Verification
Password:
SwitchX>en
Password:
SwitchX#
Step 8
Activity Verification
You have completed this task when you attain these results:
You have configured a login banner message that clearly states that access to the switch is
restricted.
You have tested the login message, and it does give a warning prior to password prompt.
A defined hostname
A defined IP domain
Activity Procedure
Complete these steps:
Step 1
At the enable EXEC prompt, enter the command to access the global configuration
prompt.
Step 2
The SSH protocol requires the use of a username and password pair. As this has not
yet been configured, you must configure it now. Enter the command username
username password password. In this example, you will use netadmin for both.
Obviously, in the real-world environment, a much stronger username and password
pair should be used.
Step 3
The generation of an SSH cryptographic key requires that both the hostname and
domain name be configured. You have configured the hostname, so it is necessary to
configure the domain name. Normally you would use your organization domain
name, but in the lab you will use cisco.com.
Step 4
Step 5
Enter the command crypto key generate rsa. You will be prompted for a key size;
512 is the default, but you will enter 1024 to produce a more secure key. Your
output should be similar to the example below, which is edited to include only the
lines pertaining to this task.
Enter the command ip ssh version 2 to enable the required SSH version.
Step 7
Step 8
Enter the command login local. This changes the login process to use the locally
configured username and password pairs.
Step 9
Enter the command transport input telnet ssh. This configures the 16 vty lines to
support both Telnet and SSH. Your output should be similar to the example below.
SwitchX(config)#line vty 0 15
SwitchX(config-line)#login local
SwitchX(config-line)#transport input telnet ssh
Step 10
Step 11
SwitchX#sh ip ssh
SSH Enabled - version 2.0
Authentication timeout: 120 secs; Authentication retries: 3
Step 12
To test your configuration, you need to make a VPN tunnel connection to the remote
lab using the method from Lab 2-1, Task 2. On your PC, open your SSH terminal
client application. Use the IP address of your workgroup switch and the username
and password pair that you configured in Step 2 of this task.
Step 13
Step 14
Step 15
Open the Windows Command window and enter the command telnet 10.x.x.11
(your workgroup switch IP address). Your output should be similar to the example
below.
Step 16
Enter the username and password in the new Telnet Command window that
automatically opens. Having established that Telnet is working simultaneously with
SSH, type logout at the user EXEC prompt and close your Command window by
typing exit at the Command window prompt. Your output should be similar to the
example below.
Step 17
Activity Verification
You have completed this task when you attain these results:
You configured the vty lines to support the SSH version 2 protocol.
You successfully directly connected to your workgroup switch using SSH and Telnet, thus
proving that both are being supported simultaneously.
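The two preceding tasks leave the switch with type 7 line passwords (service password-encryption) and with Telnet still accepted next to SSH. The script below is an added example, not part of the lab guide: it audits a running configuration for those conditions. Type 7 is a reversible encoding rather than a hash, which is why it is reported. The rule names, the PLACEHOLDER values and the hardened configuration (which uses the IOS username ... secret form, not shown in this lab) are assumptions made for the illustration.

```python
import re
from collections import namedtuple

Finding = namedtuple("Finding", "rule where detail")

# Constructed sample: the lab configuration as it stands after this task
# (type 7 line passwords, user netadmin, Telnet and SSH on the vty lines).
# PLACEHOLDER stands in for values this page does not show.
LAB_CONFIG = """\
service password-encryption
hostname SwitchX
username netadmin password 7 PLACEHOLDER
ip domain-name cisco.com
ip ssh version 2
!
line con 0
 password 7 14041305060B392E
 login
line vty 0 4
 password 7 14041305060B392E
 login local
 transport input telnet ssh
line vty 5 15
 password 7 120A041918041F01
 login local
 transport input telnet ssh
!
end
"""

# Constructed hardened counterpart: hashed secret, per-user login, SSH only.
HARDENED_CONFIG = """\
service password-encryption
hostname SwitchX
username netadmin secret 5 PLACEHOLDER
ip domain-name cisco.com
ip ssh version 2
!
line con 0
 login local
line vty 0 15
 login local
 transport input ssh
!
end
"""

# "password sanjose", "password 7 <value>" or "secret 5 <value>" at end of a command.
CRED_RE = re.compile(r"\b(?:password|secret)(?:\s+(\d+))?\s+(\S+)\s*$")


def split_config(config):
    """Return (global_commands, {line_header: [subcommands]}).

    A 'line ...' block runs until '!', 'end' or the next 'line ...' header, so
    output whose indentation was lost (as in printed listings) still parses.
    """
    global_cmds, blocks, current = [], {}, None
    for raw in config.splitlines():
        cmd = raw.strip()
        if cmd in ("", "!", "end"):
            current = None
        elif cmd.startswith("line "):
            current = cmd
            blocks[current] = []
        elif current is not None:
            blocks[current].append(cmd)
        else:
            global_cmds.append(cmd)
    return global_cmds, blocks


def check_credential(cmd, where):
    """Report how a password/secret command stores its value."""
    m = CRED_RE.search(cmd)
    if not m:
        return []
    ctype = m.group(1)
    if ctype is None or ctype == "0":
        return [Finding("cleartext-credential", where, "stored in cleartext")]
    if ctype == "7":
        return [Finding("type7-credential", where,
                        "type 7 is a reversible encoding, not a hash")]
    return []


def audit(config):
    """Return the list of findings for one running configuration."""
    global_cmds, blocks = split_config(config)
    findings = []
    for cmd in global_cmds:
        if cmd.startswith(("enable ", "username ")):
            findings += check_credential(cmd, " ".join(cmd.split()[:2]))
    if "ip ssh version 2" not in global_cmds:
        findings.append(Finding("sshv1-allowed", "global",
                                "if SSH is enabled, version 1 is also accepted"))
    for header, cmds in blocks.items():
        for cmd in cmds:
            if cmd.startswith("password "):
                findings += check_credential(cmd, header)
        if header.startswith("line vty"):
            transports = next((c.split()[2:] for c in cmds
                               if c.startswith("transport input")), [])
            if {"telnet", "all"} & set(transports):
                findings.append(Finding("telnet-enabled", header,
                                        "credentials cross the network unencrypted"))
            if "login" in cmds:
                findings.append(Finding("shared-line-password", header,
                                        "one password for all remote users"))
    return findings


if __name__ == "__main__":
    for f in audit(LAB_CONFIG):
        print(f"{f.rule:22} {f.where:20} {f.detail}")
```
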
Activity Procedure
Access your SwitchX console port, where x identifies your pod. Complete the following steps
to configure port security on the workgroup switch:
Caution
You should have saved the current running configuration at the end of the previous lab. If
you are in doubt then save your running configuration to startup-config prior to reloading.
Step 1
Step 2
Step 3
Enter the command ping to test connectivity to the IP address in the table below.
You will complete the table in Steps 4 and 5.
MAC address
10.x.x.100
Unmanaged device
Step 4
Enter the command show ip arp. This will display the bindings between the IP
address and the MAC address. Enter the corresponding MAC address in the
table above. Your output should be similar to the example below.
SwitchX#show ip arp
Protocol  Address       Age (min)  Hardware Addr   Type   Interface
Internet  10.x.x.11                001a.6d44.6cc0  ARPA   Vlan1
Internet  10.x.x.100    0          001a.2fe7.3089  ARPA   Vlan1
Step 5
Enter the command show mac-address-table int fa0/1. There should be one MAC
not associated with the IP address you just pinged. This is the MAC address of the
unmanaged device. Use this to complete the table from Step 3 above. Your output
should be similar to the example below.
Before you configure port security, you need to clear the dynamically learned MAC
address entries. Enter the command clear mac-address-table dynamic int fa0/1.
Step 7
Wait at least 10 seconds before entering the show mac-address-table int fa0/1 to
see the effect of this command. You will see that the MAC address of the
unmanaged device is still in the MAC address table. This is because this device is
periodically sending Layer 2 frames. Other Ethernet interfaces may be set to
periodically send keep-alive frames. However, you should see only the MAC
addresses being learned at this time. Your output should be similar to the example
below.
Step 9
Step 10
Step 11
Before port security features can be applied to a switchport, it has to be in
nonauto-negotiation mode. Enter the command switchport mode access.
Step 12
Before activating port security, it is necessary to set the maximum number of MAC
addresses to an appropriate value if there are more than the default of 1. However, as
the intention is to trigger a MAC address violation, and in Step 5 you saw there were
two MAC addresses associated with this interface, no action is necessary.
Step 13
Another parameter that should be set before the activation of port security is what
action to take when more MAC addresses attempt to use the interface than have
been configured. This is known as the violation action. The default action is
shutdown, which will error-disable the interface. Initially you will use this default
value, so that you get experience resetting the interface.
Step 14
Enter the command switchport port-security mac-address sticky. This will cause
MAC addresses that are learned to be saved in the running configuration. If the
configuration is subsequently saved to startup-config, they will be remembered upon
a restart.
Step 15
Enter the command switchport port-security. Entering the command without any
parameters activates port security. If this is not done, then port-security remains
disabled.
Step 16
Step 17
Enter the command end to leave configuration mode and return to the enable EXEC
prompt.
Step 18
Wait for 20 seconds before entering the command show running-config int fa0/1 to
display the portion of the running configuration for interface fa0/1. Your output
should be similar to the example below, which has some lines shown in bold for
emphasis.
Enter the show port-security int fa0/1 command to display the current port security
settings.
SwitchX#show port-security int fa0/1
Port Security              : Enabled
Port Status                : Secure-up
Violation Mode             : Shutdown
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 1
Total MAC Addresses        : 1
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 1
Last Source Address:Vlan   : 0017.5a78.be01:1
Security Violation Count   : 0
Step 20
Enter the command show mac-address dynamic int fa0/1 to show the dynamic
MAC table entries for int fa0/1 only. You should not see any entries, because they
would have been converted to static (sticky) entries. Your output should be similar
to the example below.
Use the ping command to create a port-security violation, ping 10.x.x.100. Your
output should be similar to the example below.
Step 22
Enter the show port-security interface fa0/1 command to display the current port
security settings.
SwitchX#show port-security int fa0/1
Port Security              : Enabled
Port Status                : Secure-shutdown
Violation Mode             : Shutdown
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 1
Total MAC Addresses        : 1
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 1
Last Source Address:Vlan   : 001a.2fe7.3089:1
Security Violation Count   : 1
Step 23
Step 24
Before you attempt to modify the port security setting, it is best to clear the MAC
table entries.
Step 25
Enter the command clear port-security sticky int fa0/1 access. Note: By restricting
the action of the clear command to only the interface that you are currently dealing
with, you avoid the risk of inadvertently impacting other interfaces.
Step 26
Step 27
Step 28
Step 29
Step 30
Step 31
Enter the command end to leave configuration mode and return to the enable EXEC
prompt.
Step 32
Wait 20 seconds before you test your configuration by using the ping command to
10.x.x.100.
Step 33
The example below shows the output of the show running-config int fa0/1
command. Your output should be similar.
The example below shows the output of the show port-security int fa0/1 command.
SwitchX#show port-security int fa0/1
Port Security              : Enabled
Port Status                : Secure-up
Violation Mode             : Restrict
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 2
Total MAC Addresses        : 2
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 2
Last Source Address:Vlan   : 001a.2fe7.3089:1
Security Violation Count   : 0
Step 35
Compare the bolded text with the output of Step 22. It should show that the port
is up and that the violation mode is now to restrict, rather than shut down, the
interface.
Step 36
Activity Verification
You have completed this task when you attain these results:
The switch was configured to permit one dynamically learned MAC address on the first
access port (fa0/1)
The port was forced into a port-security violation resulting in it being error disabled
The configuration was then changed to support two dynamically learned addresses, and the
violation action was modified to restrict access and not shut down the port
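The three show port-security int fa0/1 outputs in this task can also be compared programmatically, which is how a monitoring script would notice the violation. The following is an added example, not part of the lab guide: it parses the output, including the "Last Source Address:Vlan" field whose label and value both contain a colon, and reports what changed between snapshots. The function names and the snapshot names are assumptions; the sample text is constructed from the values shown in this task.

```python
import re

# Constructed samples: the field values of the three outputs shown in this task,
# laid out the way IOS prints them (label, padding, " : ", value).
TEMPLATE = """\
SwitchX#show port-security int fa0/1
Port Security              : Enabled
Port Status                : {status}
Violation Mode             : {mode}
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : {n}
Total MAC Addresses        : {n}
Configured MAC Addresses   : 0
Sticky MAC Addresses       : {n}
Last Source Address:Vlan   : {last}
Security Violation Count   : {count}
"""
AFTER_LEARNING = TEMPLATE.format(status="Secure-up", mode="Shutdown", n=1,
                                 last="0017.5a78.be01:1", count=0)
AFTER_VIOLATION = TEMPLATE.format(status="Secure-shutdown", mode="Shutdown", n=1,
                                  last="001a.2fe7.3089:1", count=1)
AFTER_RESTRICT = TEMPLATE.format(status="Secure-up", mode="Restrict", n=2,
                                 last="001a.2fe7.3089:1", count=0)

# The separator is a colon with whitespace on both sides; the colon inside
# "Address:Vlan" and inside the "mac:vlan" value has none, so it is not a split point.
FIELD_RE = re.compile(r"^\s*(.+?)\s+:\s+(.*?)\s*$")


def parse_port_security(output):
    """Turn 'show port-security interface' output into a {label: value} dict."""
    fields = {}
    for line in output.splitlines():
        m = FIELD_RE.match(line)
        if m:  # the echoed command line has no separator and is skipped
            fields[m.group(1)] = m.group(2)
    return fields


def assess(fields):
    """Extract the values that matter when triaging a port."""
    mac, _, vlan = fields["Last Source Address:Vlan"].rpartition(":")
    return {
        "err_disabled": fields["Port Status"] == "Secure-shutdown",
        "violation_mode": fields["Violation Mode"],
        "violations": int(fields["Security Violation Count"]),
        "table_full": int(fields["Total MAC Addresses"])
                      >= int(fields["Maximum MAC Addresses"]),
        "last_mac": mac,
        "vlan": int(vlan),
    }


def changed(before, after):
    """Return {label: (old, new)} for every field that differs."""
    return {k: (before.get(k), after.get(k))
            for k in sorted(set(before) | set(after))
            if before.get(k) != after.get(k)}


def violation_report(before, after):
    """Describe a violation that happened between two snapshots, else None."""
    b, a = assess(before), assess(after)
    if a["violations"] <= b["violations"] and not a["err_disabled"]:
        return None
    return {"offending_mac": a["last_mac"], "vlan": a["vlan"],
            "previous_mac": b["last_mac"], "port_disabled": a["err_disabled"]}


if __name__ == "__main__":
    learned = parse_port_security(AFTER_LEARNING)
    violated = parse_port_security(AFTER_VIOLATION)
    print(violation_report(learned, violated))
    print(changed(violated, parse_port_security(AFTER_RESTRICT)))
```
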
Activity Procedure
Complete these steps:
Step 1
At the enable EXEC prompt enter the command to access the global configuration
prompt.
Step 2
Enter the command interface range fa0/3 - 10. All the commands that follow will
be applied to the ports specified.
Step 3
Step 4
Enter the command interface range fa0/13 - 24 to replace the previous range
command.
Step 5
Step 6
Enter the command interface range gi0/1 - 2 to replace the previous range
command.
Step 7
Step 8
Step 9
Enter the command to display the running configuration to confirm that only the
intended interfaces were shut down.
Step 10
Step 11
Enter the command interface range fa0/1 - 24, gi0/1 - 2 to include all ports in the
range. Notice in this instance the interface ranges have been grouped into a single
command by using the , (comma) as a separator.
Step 12
Step 13
Step 14
Enter the command to display the running configuration to confirm that all the
interfaces were placed into access mode.
Step 15
When you are certain that all ports are in access mode, and all ports with the
exception of fa0/1, fa0/2, fa0/11, and fa0/12 are shut down, save your running
configuration to startup-config.
Activity Verification
You have completed this task when you attain these results:
Activity Objective
In this activity, you will demonstrate and practice the use of the CLI features of your
workgroup switch. After completing this activity, you will be able to meet these objectives:
Visual Objective
The figure illustrates what you will accomplish in this activity.
          Switch IP Address   Subnet Mask
SwitchA   10.2.2.11           255.255.255.0
SwitchB   10.3.3.11           255.255.255.0
SwitchC   10.4.4.11           255.255.255.0
SwitchD   10.5.5.11           255.255.255.0
SwitchE   10.6.6.11           255.255.255.0
SwitchF   10.7.7.11           255.255.255.0
SwitchG   10.8.8.11           255.255.255.0
SwitchH   10.9.9.11           255.255.255.0
Required Resources
These are the resources and equipment that are required to complete this activity:
Command List
The table describes the commands that are used in this activity.
Switch Cisco IOS Commands
Command
Description
? or help
clock set
configure terminal
enable
exec time-out
history size
Sets the number of lines held in the history buffer for recall.
Two separate buffers are used, one for EXEC mode
commands and the other for configuration mode
commands.
[no] ip domain-lookup
line console 0
line vty 0 15
logging synchronous
show clock
show history
show interfaces
show running-config
show terminal
show version
Job Aids
These job aids are available to help you complete the lab activity.
Current Passwords
Switch Console Login
sanjose
cisco
sanfran
netadmin
netadmin
Activity Procedure
Complete these steps:
Step 1
Connect to your workgroup switch using the information from Lab 2-1.
Step 2
Enter the help command (?). At the user EXEC prompt, you should see a partial list
of commands available. Your output should resemble the example below.
Exec commands:
access-enable
clear
connect
..
..Text omitted
..
set
show
ssh
systat
telnet
--More--
Step 3
Step 4
Step 5
Notice that the prompt, which indicates the switch mode, was > and is now #.
Step 6
Enter the help (?) command at the privileged EXEC mode prompt. Use help to
determine the keyword command that manages the system clock.
Step 7
Step 8
Enter the clock ? command. You should see the context-sensitive help. Your output
should resemble the example below.
SwitchX#clock ?
set Set the time and date
Step 9
Set the system clock to the current time and date. Remember to use context-sensitive
help to guide you through the process.
Step 10
At the switch# prompt, enter sh? You should see another example of the context
sensitive help. Your output should resemble the example below.
SwitchX#sh?
show
Step 11
Press the Tab key. You should see the command-completion feature in action.
When enough letters of a command or keyword have been entered, the Tab key will
complete the word and place a space so that it is ready to receive any further input.
Step 12
Enter the show clock command. Your output should reflect the changes you made
using the clock set command in Step 9. Your output should be similar to the
example below.
SwitchX#show clock
10:45:25.073 UTC Tue Jul 10 2007
Activity Verification
You have completed this task when you attain this result:
You used the system help facility and the command-completion facility.
Activity Procedure
Complete these steps:
Step 1
Enter the following comment line at the prompt: "This command changes the
clock speed for the router." Enter the text without the quotes ("").
Enter the following comment line, preceded by the exclamation point (!): !ths
comand changuw the clck sped for the swch,. An exclamation point (!) before the
text line indicates that you are entering a comment.
Enter Ctrl-P or press the Up Arrow key to see the previous line.
Step 4
Use the editor commands Ctrl-A, Ctrl-F, Ctrl-E, and Ctrl-B to move along the line
and the Backspace key to delete unwanted characters.
Step 5
Using the editing commands, correct the comment line to read !This command
changes the clock speed for the switch.
Activity Verification
You have completed this task when you attain this result:
You used the built-in editor and used those keystrokes for cursor navigation.
Activity Procedure
Complete these steps:
Step 1
Enter the command show terminal. Your output should be similar to the example
below, which has been edited to reduce unwanted lines.
SwitchX#sh terminal
Line 0, Location: "", Type: ""
Length: 24 lines, Width: 80 columns
Baud rate (TX/RX) is 9600/9600, no parity, 2 stopbits, 8 databits
..
..Text omitted
..
Editing is enabled.
History is enabled, history size is 10.
DNS resolution in show commands is enabled
Full user help is disabled
Allowed input transports are none.
Allowed output transports are telnet ssh.
Preferred transport is telnet.
No output characters are padded
No special data dispatching characters
Step 2
The size of the history buffers is 10. You could change this by using the command
terminal history size 100. However, this value would have to be entered every time
you log out of and back into the switch. The history size can be set in the
configuration, associated with the console and vty lines.
Step 3
Step 4
Step 5
Step 6
While you are in the console line mode, it is a good idea to change the EXEC
timeout from the 15-minute value to 60 minutes. Enter the command exec-timeout
60.
Step 7
Step 8
Step 9
Enter the commands to configure the history size to 100 and to synchronize the
messages.
Step 10
Step 11
Step 12
Step 13
Use the history recall to enter the show terminal command. Your output should be
similar to the example below, which has been edited to reduce unwanted lines.
SwitchX#sh term
Line 0, Location: "", Type: ""
Length: 24 lines, Width: 80 columns
Baud rate (TX/RX) is 9600/9600, no parity, 2 stopbits, 8 databits
..
..Text omitted
..
Editing is enabled.
History is enabled, history size is 100.
DNS resolution in show commands is enabled
Full user help is disabled
Allowed input transports are none.
Allowed output transports are telnet ssh.
Preferred transport is telnet.
No output characters are padded
No special data dispatching characters
Step 14
Enter the show running-config command to confirm that the configuration changes
just made are correct.
Step 15
When you are satisfied that your running configuration reflects the changes, then
save it to startup-config.
Step 16
Activity Verification
You have completed this task when you attain these results:
You have verified that the history buffer value is set to 100 lines on the console and vty
lines
You have verified that logging synchronous is configured on the console and vty lines
Activity Objective
In this activity, you convert decimal and binary numbers. After completing this activity, you
will be able to meet these objectives:
Visual Objective
The figure illustrates what you will accomplish in this activity.
Required Resources
There are no resources for this lab activity.
Command List
There are no commands used in this lab activity.
Job Aids
There are no job aids for this lab activity.
Activity Preparation
There is no preparation for this lab activity.
           2^7   2^6   2^5   2^4   2^3   2^2   2^1   2^0
Decimal    128   64    32    16    8     4     2     1     Binary
48                                                         48 = 32 + 16 = 00110000
146
222
119
135
60
           2^7   2^6   2^5   2^4   2^3   2^2   2^1   2^0
Binary     128   64    32    16    8     4     2     1     Decimal
11001100                                                   128 + 64 + 8 + 4 = 204
10101010
11100011
10110011
00110101
10010111
Activity Verification
You have completed this lab when you attain these results:
Activity Objective
In this activity, you classify network addresses with IPv4 and IPv6. After completing this
activity, you will be able to meet these objectives:
Visual Objective
The figure illustrates what you will accomplish in this activity.
0.124.0.0?
23.75.345.200?
2007 Cisco Systems, Inc. All rights reserved.
255.255.255.255?
Required Resources
There are no resources for this lab activity.
Command List
There are no commands used in this activity.
Job Aids
There are no job aids for this lab activity.
Activity Preparation
There is no preparation for this lab activity.
Step 1
Base 2     2^7   2^6   2^5   2^4   2^3   2^2   2^1   2^0
Decimal    128   64    32    16    8     4     2     1     Binary
145                                                        10010001
32                                                         00100000
59
24
Step 2
Base 2     2^7   2^6   2^5   2^4   2^3   2^2   2^1   2^0
Decimal    128   64    32    16    8     4     2     1     Binary
200
42
129
16
Step 3
Base 2     2^7   2^6   2^5   2^4   2^3   2^2   2^1   2^0
Decimal    128   64    32    16    8     4     2     1     Binary
14
82
19
54
Step 1
Base 2     2^7   2^6   2^5   2^4   2^3   2^2   2^1   2^0
Binary     128   64    32    16    8     4     2     1     Decimal
11011000                                                   216
00011011
00111101
10001001
Step 2
Base 2     2^7   2^6   2^5   2^4   2^3   2^2   2^1   2^0
Binary     128   64    32    16    8     4     2     1     Decimal
11000110
00110101
10010011
00101101
Step 3
Base 2     2^7   2^6   2^5   2^4   2^3   2^2   2^1   2^0
Binary     128   64    32    16    8     4     2     1     Decimal
01111011
00101101
01000011
01011001
Binary IP Address                     Decimal IP Address   Address Class   Number of Bits in Network ID   Maximum Number of Hosts (2^h - 2)
10010001.00100000.00111011.00011000   145.32.59.24         Class B         16
11001000.00101010.10000001.00010000   200.42.129.16
00001110.01010010.00010011.00110110   14.82.19.54
11011000.00011011.00111101.10001001   216.27.61.137
10110011.00101101.01000011.01011001   179.45.67.89
11000110.00110101.10010011.00101101   198.53.147.45
Valid or Invalid
23.75.345.200
216.27.61.134
102.54.94
255.255.255.255
142.179.148.200
200.42.129.16
0.124.0.0
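The worksheet rows above (binary form, address class, bits in the network ID, 2^h - 2 hosts, valid or invalid) can be checked with a short script. This is an added example, not part of the lab guide: the function names are hypothetical, and it assumes "valid" means a well-formed address that can be assigned to a host under classful rules.

```python
# Added example: classful IPv4 worksheet helper (not from the lab guide).

CLASS_BY_FIRST_OCTET = [
    # (highest first octet, class, bits in network ID)
    (127, "A", 8),
    (191, "B", 16),
    (223, "C", 24),
    (239, "D", None),  # multicast: no network/host split
    (255, "E", None),  # reserved
]


def parse_dotted(text, base=10):
    """Return four octets from dotted decimal (base=10) or dotted binary (base=2)."""
    digits = "01" if base == 2 else "0123456789"
    parts = text.strip().split(".")
    if len(parts) != 4:
        raise ValueError(f"expected 4 octets, found {len(parts)}")
    octets = []
    for part in parts:
        if not part or any(ch not in digits for ch in part):
            raise ValueError(f"octet {part!r} is not a base-{base} number")
        if base == 2 and len(part) != 8:
            raise ValueError(f"binary octet {part!r} must be 8 bits long")
        value = int(part, base)
        if value > 255:
            raise ValueError(f"octet {value} does not fit in 8 bits")
        octets.append(value)
    return octets


def to_binary(octets):
    return ".".join(f"{octet:08b}" for octet in octets)


def to_decimal(octets):
    return ".".join(str(octet) for octet in octets)


def classify(text):
    """Fill in one worksheet row for a dotted-decimal address."""
    octets = parse_dotted(text)
    first = octets[0]
    cls, net_bits = next((c, n) for top, c, n in CLASS_BY_FIRST_OCTET if first <= top)
    row = {"address": text, "binary": to_binary(octets), "class": cls,
           "network_bits": net_bits, "max_hosts": None,
           "assignable": False, "note": ""}
    if net_bits is None:
        row["note"] = ("limited broadcast" if octets == [255] * 4
                       else f"class {cls} is not used for host addressing")
        return row
    host_bits = 32 - net_bits
    row["max_hosts"] = 2 ** host_bits - 2  # the worksheet's 2^h - 2
    host_part = int.from_bytes(bytes(octets), "big") & ((1 << host_bits) - 1)
    if first == 0:
        row["note"] = "network 0 is reserved"
    elif first == 127:
        row["note"] = "loopback network"
    elif host_part == 0:
        row["note"] = "host bits all 0: the network address itself"
    elif host_part == (1 << host_bits) - 1:
        row["note"] = "host bits all 1: directed broadcast"
    else:
        row["assignable"] = True
    return row


def check(text):
    """Like classify(), but report malformed input instead of raising."""
    try:
        return classify(text)
    except ValueError as exc:
        return {"address": text, "assignable": False, "note": str(exc)}


if __name__ == "__main__":
    # Addresses taken from the worksheet tables above.
    for address in ("145.32.59.24", "23.75.345.200", "216.27.61.134", "102.54.94",
                    "255.255.255.255", "142.179.148.200", "200.42.129.16", "0.124.0.0"):
        print(check(address))
```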
Activity Verification
You have completed this lab when you attain these results:
Activity Objective
In this activity, you determine the number of bits to borrow from the host ID to create the
required number of subnets for a given IP address. After completing this activity, you will be
able to meet these objectives:
Visual Objective
The figure illustrates what you will accomplish in this activity.
Required Resources
There are no resources for this lab activity.
Command List
There are no commands used in this activity.
Job Aids
There are no job aids for this lab activity.
Activity Preparation
There is no preparation for this lab activity.
2
5
12
24
40
5
8
14
20
35
10
14
20
40
80
Activity Verification
You have completed this lab when you attain these results:
Given a Class A, B, or C network, you can identify the number of bits to borrow to create a
given number of subnets
Given a Class A, B, or C network, you can determine the number of hosts on the network,
given a number of subnets and number of bits to borrow
Activity Objective
In this activity, you calculate subnet masks. After completing this activity, you will be able to
meet these objectives:
Given a network address, determine the number of possible network addresses and the
binary subnet mask to use
Given a network IP address and subnet mask, determine the range of subnet addresses
Identify the host addresses that can be assigned to a subnet and the associated broadcast
addresses
Visual Objective
The figure illustrates what you will accomplish in this activity.
Required Resources
There are no resources for this lab activity.
Command List
There are no commands used in this activity.
Job Aids
There are no job aids for this lab activity.
Activity Preparation
There is no preparation for this lab activity.
Number of Hosts per Subnet (2^h - 2)
/20
/21
/22
/23
/24
/25
/26
/27
/28
/29
/30
Step
Description
Example
1.
2.
3.
4.
5.
6.
7.
8.
Subnet Address
Directed-Broadcast
Address
0
1
2
3
4
5
6
7
...
Description
Example
1.
2.
3.
4.
5.
6.
7.
8.
Subnet Address
Directed-Broadcast
Address
0
1
2
3
4
5
6
7
Description
Example
1.
2.
3.
4.
5.
6.
7.
8.
Subnet Address
Directed-Broadcast
Address
0
1
2
3
4
5
6
7
2. How many subnets can you define with the specified mask?
_________________________________________________________________________
3. How many hosts will be in each subnet?
_________________________________________________________________________
4. Use the eight-step method to define the subnets.
Step
Description
Example
1.
2.
3.
4.
5.
6.
7.
8.
Subnet Address
Directed-Broadcast
Address
0
1
2
3
4
5
6
7
Description
1.
2.
3.
Example
5.
6.
7.
8.
Subnet
Number
Subnet Address
Directed-Broadcast
Address
0
1
2
3
4
5
6
7
Activity Verification
You have completed this lab when you attain these results:
Given a network address, you can determine the number of possible network addresses and
the binary subnet mask to use
Given a network IP address and subnet mask, you can apply the mask to determine the
range of subnet addresses
You can apply subnet masks to identify the host addresses that can be assigned to a subnet and
the associated broadcast addresses.
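The calculations the two subnetting labs ask for (bits to borrow for a required number of subnets, hosts per subnet as 2^h - 2, and the subnet, host-range and directed-broadcast columns) can be checked with a short script. This is an added example, not part of the lab guide: the function names are hypothetical, the 10.2.2.0/24 exercise is constructed from the workgroup A network, and it assumes all 2^s subnets, including subnet 0, are usable.

```python
# Added example: subnet planning arithmetic (not from the lab guide).
import ipaddress
from collections import namedtuple

SubnetRow = namedtuple("SubnetRow", "number subnet first_host last_host broadcast")


def bits_to_borrow(required_subnets):
    """Smallest s such that 2**s >= required_subnets."""
    if required_subnets < 1:
        raise ValueError("at least one subnet is required")
    return (required_subnets - 1).bit_length()


def hosts_per_subnet(prefix_len):
    """2^h - 2: every host-bit pattern except all 0s (subnet) and all 1s (broadcast)."""
    host_bits = 32 - prefix_len
    return max(2 ** host_bits - 2, 0)


def mask_for(prefix_len):
    """Return the subnet mask as (dotted decimal, dotted binary)."""
    mask = (0xFFFFFFFF << (32 - prefix_len)) & 0xFFFFFFFF
    dotted = str(ipaddress.IPv4Address(mask))
    binary = ".".join(f"{octet:08b}" for octet in mask.to_bytes(4, "big"))
    return dotted, binary


def plan_subnets(network, required_subnets, limit=8):
    """Borrow just enough host bits from `network` and list the first `limit` subnets."""
    net = ipaddress.IPv4Network(network)  # raises ValueError if host bits are set
    new_prefix = net.prefixlen + bits_to_borrow(required_subnets)
    if new_prefix > 30:
        raise ValueError("not enough host bits left for usable subnets")
    block = 1 << (32 - new_prefix)               # addresses per subnet
    total = 1 << (new_prefix - net.prefixlen)    # subnets created
    base = int(net.network_address)
    rows = []
    for number in range(min(total, limit)):
        start = base + number * block            # host bits all 0
        end = start + block - 1                  # host bits all 1
        rows.append(SubnetRow(
            number,
            str(ipaddress.IPv4Address(start)),
            str(ipaddress.IPv4Address(start + 1)),
            str(ipaddress.IPv4Address(end - 1)),
            str(ipaddress.IPv4Address(end)),
        ))
    dotted, binary = mask_for(new_prefix)
    return {"prefix": new_prefix, "mask": dotted, "mask_binary": binary,
            "subnets": total, "hosts_per_subnet": hosts_per_subnet(new_prefix),
            "rows": rows}


if __name__ == "__main__":
    # Constructed exercise: carve workgroup A's 10.2.2.0/24 into at least 5 subnets.
    plan = plan_subnets("10.2.2.0/24", 5)
    print(f"/{plan['prefix']}  {plan['mask']}  {plan['mask_binary']}")
    print(f"{plan['subnets']} subnets, {plan['hosts_per_subnet']} hosts each")
    for row in plan["rows"]:
        print(f"{row.number}  {row.subnet:<12} {row.first_host} - {row.last_host}"
              f"  broadcast {row.broadcast}")
```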
Activity Objective
In this activity, you will connect to your remote workgroup router, ensure that it is
unconfigured, and examine the startup process. After completing this activity, you will be able
to meet these objectives:
Decline the initial configuration dialog request when the restart process completes
Visual Objective
The figure illustrates what you will accomplish in this activity.
          Router IP Address   Subnet Mask
RouterA   10.2.2.3            255.255.255.0
RouterB   10.3.3.3            255.255.255.0
RouterC   10.4.4.3            255.255.255.0
RouterD   10.5.5.3            255.255.255.0
RouterE   10.6.6.3            255.255.255.0
RouterF   10.7.7.3            255.255.255.0
RouterG   10.8.8.3            255.255.255.0
RouterH   10.9.9.3            255.255.255.0
Required Resources
These are the resources and equipment that are required to complete this activity:
Command List
The table describes the commands that are used in this activity.
Description
enable
erase startup-config
Reload
Job Aids
These job aids are available to help you complete the lab activity.
Current Passwords
Router console login
None
None
None
None
None
sanjose
cisco
sanfran
netadmin
netadmin
Activity Procedure
Complete these steps:
Step 1
Connect to your workgroup router using the access information from Lab 2-1. Refer
to the visual objective for IP address information.
Step 2
If prompted for a username and password, use cisco for both. If not, proceed to the
next step.
Step 3
If the prior step did not result in being enabled, enter the command to get to the
enable prompt.
Step 4
Enter the command erase startup-config. Confirm that you do wish to continue.
Your output should be similar to the example below.
Username: cisco
Password:
yourname#erase startup-config
Erasing the nvram filesystem will remove all configuration files! Continue? [confirm]
[OK]
Activity Verification
You have completed this task when you attain this result:
Activity Procedure
Complete these steps:
Step 1
Enter the command reload. Confirm the question to continue with reload using the
ENTER key. Your output should resemble the example below.
yourname#reload
Proceed with reload? [confirm]
.
Step 2
Observe the output as the reload progresses. You will have to wait a few minutes for
all the output and a final prompt. Your output should be similar to the example
below, which has been edited to reduce the length of some lines.
TYPE
C2811 Mainboard
Onboard VPN
Onboard USB
public buffer pools
public particle pools
Step 3
Answer no to the question Would you like to enter the initial configuration
dialog? Wait until the output has completed before pressing the Enter key to get a
prompt.
State
Activity Verification
You have completed this task when you attain these results:
Activity Objective
In this activity, you will perform the initial minimal configuration. After completing this
activity, you will be able to meet these objectives:
Use the setup command to apply a minimal configuration for router operation
Visual Objective
The figure illustrates what you will accomplish in this activity.
          Router IP Address   Subnet Mask
RouterA   10.2.2.3            255.255.255.0
RouterB   10.3.3.3            255.255.255.0
RouterC   10.4.4.3            255.255.255.0
RouterD   10.5.5.3            255.255.255.0
RouterE   10.6.6.3            255.255.255.0
RouterF   10.7.7.3            255.255.255.0
RouterG   10.8.8.3            255.255.255.0
RouterH   10.9.9.3            255.255.255.0
Required Resources
These are the resources and equipment that are required to complete this activity:
Command List
The table describes the commands that are used in this activity.
Description
configure terminal
setup
show running-config
show startup-config
Job Aids
These job aids are available to help you complete the lab activity.
Current Passwords
Router console login
none
none
none
none
none
sanjose
cisco
sanfran
netadmin
netadmin
Activity Procedure
Complete these steps:
Step 1
If you are not continuing from Lab 4-5, then connect to your workgroup router
using the access information from Lab 2-1 and refer to the visual objective for IP
address and subnet mask information.
Step 2
Enter the enable command to get into the privileged EXEC mode.
Step 3
At the enable prompt enter the command setup. This command starts the initial
configuration dialog.
Step 4
Enter no to the question Would you like to enter basic management setup?
Enter yes to the question First, would you like to see the current interface
summary? Your output should look similar to the following display:
First, would you like to see the current interface summary? [yes]: yes
Interface         IP-Address   OK?  Method  Status                 Protocol
FastEthernet0/0   unassigned   YES  unset   administratively down  down
FastEthernet0/1   unassigned   YES  unset   administratively down  down
Serial0/0/0       unassigned   YES  unset   administratively down  down
Serial0/0/1       unassigned   YES  unset   administratively down  down
Enter your assigned workgroup router hostname at the prompt Enter host name,
where x in the example below is your workgroup letter (A, B, C, D, E, F, G or H).
Enter the enable secret password at the prompt Enter enable secret.
The enable secret is a password used to protect access to privileged EXEC and
configuration modes. This password, after it is entered, becomes encrypted in the
configuration.
Enter the vty password at the prompt Enter virtual terminal password.
The virtual terminal password is used to protect access to the router over a network
interface.
Step 13
Enter the IP address of your assigned workgroup router. (See the visual objective for
this lab.)
Enter the subnet mask of your assigned workgroup router. Notice that the Cisco IOS
Software can calculate the IP addressing class.
interface? [no]:no
interface? [no]:no
interface? [no]:no
The setup process outputs the configuration script that can be applied depending on
your answer to the question that follows. Notice that by default the router has only
five (0 to 4) vty lines preconfigured. You may recall that the switch had 16 (0 to
15). You will need to press the Spacebar when prompted with --More-- to get
additional output.
Step 28
Observe the output displayed. You may see that the running Cisco IOS version
announces that the hostname does not match the latest CLI standards; however, the
name is accepted.
Building configuration...
[OK]
*Apr 24 00:37:02.203: %LINK-3-UPDOWN: Interface FastEthernet0/0, changed state
to up
Use the enabled mode 'configure' command to modify this configuration.
RouterX#
*Apr 24 00:37:04.867: %LINEPROTO-5-UPDOWN: Line protocol on Interface
FastEthernet0/0, changed state to up
Activity Verification
You have completed this task when you attain these results:
You have entered your workgroup router configuration information using the setup
command
You have selected the option to save and exit on completion of the configuration dialog
Activity Procedure
Complete these steps:
Step 1
Enter the command show running-config. Observe the output and validate that the
passwords are set and match those you entered in Task 1. Also check that the
interface FastEthernet 0/0 has the IP address assigned for your workgroup router and
does not have the shutdown command applied to it. Below is an excerpt
from the output; your display should be similar.
..Text omitted!
..
!
interface FastEthernet0/0
ip address 10.x.x.3 255.255.255.0
duplex half
speed auto
no mop enabled
!
interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
..Text omitted!
Step 2
Enter the command show startup-config. Observe the output and validate that the
information you verified in Step 1 above matches. This demonstrates that the setup
command saved the configuration to both the running configuration and startup
configuration.
Activity Verification
You have completed this task when you attain these results:
Your output of the show running-config command matched your input in Task 1.
Activity Objective
In this activity, you will increase the security of the router following its initial configuration.
After completing this activity, you will be able to meet these objectives:
Increase the remote management security of the router by adding the SSH protocol to the
vty lines
Visual Objective
The figure illustrates what you will accomplish in this activity.
          Router IP Address   Subnet Mask
RouterA   10.2.2.3            255.255.255.0
RouterB   10.3.3.3            255.255.255.0
RouterC   10.4.4.3            255.255.255.0
RouterD   10.5.5.3            255.255.255.0
RouterE   10.6.6.3            255.255.255.0
RouterF   10.7.7.3            255.255.255.0
RouterG   10.8.8.3            255.255.255.0
RouterH   10.9.9.3            255.255.255.0
Required Resources
These are the resources and equipment that are required to complete this activity:
Command List
The table describes the commands that are used in this activity.
Command
Description
banner login
configure terminal
enable
end
exit
ip domain-name name
ip ssh version [1 | 2]
line console 0
line vty 0 4
login
login local
logout
password
service password-encryption
show ip ssh
show running-config
Job Aids
These job aids are available to help you complete the lab activity.
Current Passwords
Router console login
none
cisco
sanfran
none
sanjose
sanjose
cisco
sanfran
netadmin
netadmin
Activity Procedure
Complete these steps:
Step 1
Connect to your remote workgroup router via the console server. You will need to
use the VTY password configured earlier to get to the user EXEC mode.
Step 2
Enter the enable command and password to get to the enable EXEC prompt.
Step 3
Step 4
Step 5
At the line console configuration mode, enter the command password password.
Use the same password that is set for the vty lines.
Step 6
Enter the command login, which will require a password to be supplied to access the
router via the console in the future.
Step 7
Step 8
Enter the show running-config command and observe the output to see that you
have correctly configured line console 0 and vty lines 0-4. Your output should be
similar to the example below, where the line configuration is shown in bold text.
You will observe that the passwords for both the line console and vty lines are stored
in cleartext.
RouterX#show running-config
..
..Text omitted
..
!
line con 0
password sanjose
login
line aux 0
line vty 0 4
password sanjose
login
!
end
Step 9
Test your configured password by logging out of and back into the router via the
console.
Step 10
Step 11
Step 12
Supply the password that you just configured to get to the user EXEC prompt.
Step 13
Enter the command and password to get to the enable EXEC prompt.
Step 14
Your output for Steps 10 through 13 should be similar to the example below.
RouterX#logout
..
..empty lines omitted
..
RouterX con0 is now available
Activity Verification
You have completed this task when you attain these results:
You inspected the configuration and observed that the line passwords are stored in cleartext
You tested the login process and password access to the console line successfully
Activity Procedure
Complete these steps:
Step 1
From the enable EXEC prompt enter the command to get to global configuration
mode.
Step 2
Step 3
Step 4
Enter the command to see the running configuration. Concentrate on the first few
lines and the last few lines of the configuration, to see that your command is now
active and the effect it has on the line passwords. Your output should be similar to
the example below, with bold text highlighting output of particular interest.
RouterX#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
RouterX(config)#service password-encryption
RouterX(config)#end
RouterX#
*Mar 16 20:19:40.509: %SYS-5-CONFIG_I: Configured from console by console
RouterX#show running-config
Building configuration...
Current configuration : 940 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
..
..Text omitted
..
!
!
line con 0
password 7 051807012B435D0C
login
line aux 0
line vty 0 4
password 7 051807012B435D0C
login
!
scheduler allocate 20000 1000
!
end
Step 5
Activity Verification
You have completed this task when you attain these results:
You have displayed the running configuration and observed the encryption of the line
passwords.
Activity Procedure
Complete these steps:
Step 1
Step 2
Enter the command banner login %. The percent sign is the opening delimiter of
the text that will form the message.
Step 3
Enter text to form your message followed by %. Do NOT include a percent sign in
your text; it will be interpreted as the closing delimiter of your message. Below is an
example of the output of the configuration of a banner message.
RouterX#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
RouterX(config)#banner login %
Enter TEXT message. End with the character '%'.
********** Warning
*************
Access to this device is restricted to authorized persons only!
Un-authorized access is prohibited. Violators will be prosecuted.
**************************************************************^C
RouterX(config)#end
Step 4
Enter the command to display the running configuration. Your output should be
similar to the example below, which has been edited to show just the banner
configuration. Notice that your text delimiter has been replaced with a ^C, which is a
nontext control character.
!
banner login ^C
********** Warning
*************
Access to this device is restricted to authorized persons only!
Un-authorized access is prohibited. Violators will be prosecuted.
**************************************************************^C
!
Step 5
Use the logout command to end your console session. Then log back in to the enable
prompt. Observe the display to see your banner message being presented, prior to
password entry. Your output should be similar to the example below, which has
been edited to reduce space.
RouterX#logout
********* Warning
*************
Access to this device is restricted to authorized persons only!
Un-authorized access is prohibited. Violators will be prosecuted.
**************************************************************
User Access Verification
Password:
RouterX>en
Password:
RouterX#
Step 6
Activity Verification
You have completed this task when you attain these results:
You have configured a login banner message which clearly states that access to the
router is restricted
You have tested the login message, and it does give a warning prior to password prompt
Activity Procedure
Complete these steps:
Step 1
At the enable EXEC prompt enter the command to access the global configuration
prompt.
Step 2
The SSH protocol requires the use of a username and password pair. These have not
yet been configured, so you will do that now. Enter the command username
netadmin password netadmin. In this example, you use a simple username, but in a
real-world environment, a much stronger username and password must be used.
Step 3
Step 4
Enter the command crypto key generate rsa. You are prompted for a key size; 512
is the default, but you will enter 1024. Your output should be similar to the example
below, which is edited to include only those lines pertaining to this task.
Enter the command ip ssh version 2 to specify the required SSH version.
Step 6
Step 7
Enter the command login local. This changes the login process to use the locally
configured username and password pairs.
Step 8
Enter the command transport input telnet ssh. This configures the five vty lines to
support both Telnet and SSH. Your output should be similar to the example below.
RouterX(config)#line vty 0 4
RouterX(config-line)#login local
RouterX(config-line)#transport input telnet ssh
Step 9
Step 10
RouterX#show ip ssh
SSH Enabled - version 2.0
Authentication timeout: 120 secs; Authentication retries: 3
Step 11
To test your configuration you need to make a VPN tunnel connection to the remote
lab using the method from Lab 2-1. You may get a security warning regarding the
crypto key; accept the key by clicking the Yes button in the popup window.
Step 12
On your PC, open your SSH terminal client application. Use the IP address of your
workgroup router (10.x.x.3), and the username and password pair that you
configured in Step 2 of this task.
Step 13
Step 14
Open the Windows Command window and enter the command telnet 10.x.x.3 (enter
the IP address of your workgroup router). Your output should be similar to the
example below.
Step 15
Enter the username and password in the new Telnet Command window that
automatically opens. Having established that Telnet is working simultaneously with
SSH, type logout at the user EXEC prompt and close your Command window by
typing exit at the Command window prompt. Your output should be similar to the
example below.
Step 16
Activity Verification
You have completed this task when you attain these results:
You configured the vty lines to support the SSH version 2 protocol
You successfully connected directly to your workgroup router using SSH and Telnet, thus
proving both are being supported simultaneously
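The tasks above leave the router with type 7 line passwords, a username created with the password keyword, and Telnet still accepted on the vty lines. As an added example (not part of the lab guide), this script flags those settings in saved show running-config text. The rule names and both sample configurations are constructed, and the username's type 7 string and the secret hash are placeholders.

```python
# Added example: flag weak credential and transport settings in IOS config text.
import re
from collections import namedtuple

Finding = namedtuple("Finding", "lineno rule detail")

# Constructed sample: the lab's end state, assembled from the excerpts shown above.
# The line password value is the one printed in the lab; the username value is a placeholder.
LAB_CONFIG = """\
service password-encryption
!
username netadmin password 7 CONSTRUCTED-PLACEHOLDER
ip ssh version 2
!
line con 0
 password 7 051807012B435D0C
 login
line aux 0
line vty 0 4
 password 7 051807012B435D0C
 login local
 transport input telnet ssh
!
end
"""

# Constructed hardened variant: hashed secret, local login everywhere, SSH only.
HARDENED_CONFIG = """\
service password-encryption
!
username netadmin secret 5 CONSTRUCTED-HASH-PLACEHOLDER
ip ssh version 2
!
line con 0
 login local
line vty 0 4
 login local
 transport input ssh
!
end
"""

LINE_RE = re.compile(r"^line\s+(con|console|aux|vty)\b")
# Matches "password VALUE", "password 0 VALUE" and "password 7 VALUE",
# but not "service password-encryption".
PASSWORD_RE = re.compile(r"\bpassword(?:\s+(?P<type>[07]))?\s+\S+")


def audit(config_text):
    """Return findings for one configuration; tolerates text that lost its indentation."""
    findings = []
    section = None  # the "line ..." block currently being read, if any
    for lineno, raw in enumerate(config_text.splitlines(), 1):
        line = raw.strip()
        if line in ("", "!", "end"):
            section = None
            continue
        if LINE_RE.match(line):
            section = line
            continue
        is_account = line.startswith(("username ", "enable "))
        match = PASSWORD_RE.search(line)
        if match and (section or is_account):
            where = section or line.split()[0]
            if match.group("type") == "7":
                findings.append(Finding(lineno, "type7-password",
                    f"{where}: type 7 is reversible obfuscation, not a hash"))
            else:
                findings.append(Finding(lineno, "cleartext-password",
                    f"{where}: password is stored in cleartext"))
            if line.startswith("username "):
                findings.append(Finding(lineno, "username-password",
                    "use 'username ... secret' so the value is stored hashed"))
        if section and section.startswith("line vty") and line.startswith("transport input"):
            allowed = line.split()[2:]
            if "telnet" in allowed or "all" in allowed:
                findings.append(Finding(lineno, "telnet-enabled",
                    f"{section}: Telnet sends credentials unencrypted; allow ssh only"))
    return findings


if __name__ == "__main__":
    for finding in audit(LAB_CONFIG):
        print(f"line {finding.lineno}: [{finding.rule}] {finding.detail}")
```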
Activity Objective
In this activity, you will use Cisco SDM to configure DHCP server functionality on your
workgroup router. After completing this activity, you will be able to meet these objectives:
You will use Cisco SDM to verify at least one DHCP client has received an address from
the pool just created
You will use Cisco IOS commands to locate the switch port through which the DHCP
client is attaching to your workgroup switch
Visual Objective
The figure illustrates what you will accomplish in this activity.
Router IP Address   Switch IP Address
10.2.2.3 /24        10.2.2.11 /24
10.3.3.3 /24        10.3.3.11 /24
10.4.4.3 /24        10.4.4.11 /24
10.5.5.3 /24        10.5.5.11 /24
10.6.6.3 /24        10.6.6.11 /24
10.7.7.3 /24        10.7.7.11 /24
10.8.8.3 /24        10.8.8.11 /24
10.9.9.3 /24        10.9.9.11 /24
Required Resources
These are the resources and equipment that are required to complete this activity:
Command List
The table describes the commands that are used in this activity.
Router and Switch Cisco IOS Commands
Command
Description
ping
show ip arp
Job Aids
This job aid is available to help you complete the lab activity.
Table 1: DHCP Server Pool Information
Workgroup   DHCP Pool Name   DHCP Pool Network/Mask   Starting IP   Ending IP    Default Router   Lease Time (Days:Hrs:Mins)
A           wgA_clients      10.2.2.0/24              10.2.2.150    10.2.2.199   10.2.2.3         0:0:5
B           wgB_clients      10.3.3.0/24              10.3.3.150    10.3.3.199   10.3.3.3         0:0:5
C           wgC_clients      10.4.4.0/24              10.4.4.150    10.4.4.199   10.4.4.3         0:0:5
D           wgD_clients      10.5.5.0/24              10.5.5.150    10.5.5.199   10.5.5.3         0:0:5
E           wgE_clients      10.6.6.0/24              10.6.6.150    10.6.6.199   10.6.6.3         0:0:5
F           wgF_clients      10.7.7.0/24              10.7.7.150    10.7.7.199   10.7.7.3         0:0:5
G           wgG_clients      10.8.8.0/24              10.8.8.150    10.8.8.199   10.8.8.3         0:0:5
H           wgH_clients      10.9.9.0/24              10.9.9.150    10.9.9.199   10.9.9.3         0:0:5
Current Passwords
Router console login
sanjose
cisco
sanfran
netadmin
netadmin
sanjose
cisco
sanfran
netadmin
netadmin
Activity Procedure
Complete these steps:
Step 1
Connect to your remote workgroup router via the console server, and enter the
necessary commands and passwords to get to the enable EXEC prompt.
Step 2
The current configurations have the HTTP service already enabled. However, it is
preferable to use the secure HTTP services (HTTPS). To enable the HTTP/HTTPS
server on your workgroup router, enter the ip http secure-server command.
Step 3
The ability to support the secure server depends on the Cisco IOS version running on the
router. If HTTPS were not supported, then the HTTP server could still be enabled.
It is also necessary to configure the HTTPS services with the method to be used for
authentication. To enable the workgroup router HTTP/HTTPS server authentication
method, enter the ip http authentication local command in global configuration
mode.
Activity Procedure
Complete these steps:
Step 1
Step 2
Open a Windows Internet Explorer window and enter your workgroup router IP
address in the Address bar in the form of a URL; for example, https://10.x.x.3.
Step 3
In the new window that opens, enter your netadmin username and password.
Step 4
You may see this message. If so, click Yes to it and any subsequent security
windows.
Step 5
Step 6
Step 7
New options will appear on the left side of the window. Choose Additional Tasks
(the bottom option).
Step 8
In the Additional Tasks pane, open the DHCP tab, and choose DHCP Pools.
Step 9
Step 10
In the Add DHCP Pool window, add the information from Table 1 for your specific
workgroup. When you have finished click the OK button.
Step 11
The Commands Delivery window opens, indicating the status of the transfer of
configuration commands to your workgroup router. When the status indicates
Configuration delivered to router, click the OK button.
Step 12
Wait a few minutes for any clients on your network to obtain an address. Then click
the DHCP Pool Status button.
Step 13
Your DHCP Pool Status should have a similar output, indicating that a client has an
address in the pool range. You may have to use the Refresh button in the main
window to get your display updated.
Step 14
Step 15
Activity Verification
You have completed this task when you attain these results:
You connected to your workgroup router and opened the Cisco SDM window.
You used Cisco SDM to confirm that a client obtained an address from the pool.
Activity Procedure
Complete these steps:
Step 1
Step 2
RouterX#ping 10.10.10.150
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.10.150, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms
Step 3
Note the hardware address (MAC address) of your DHCP client in the space below.
Step 5
Step 6
Using the MAC address from the previous step, identify the port on the switch
through which the DHCP client attaches to the network, and record it in the space below.
Step 8
You have located the switch port through which the DHCP client is entering your
network. If your network consists of any number of switches and routers, you can
use the same process to trace the physical location of any device, given its IP and
MAC (hardware) addresses.
Step 9
You should close any open connections and the VPN tunnel.
Activity Verification
You have completed this task when you attain these results:
You used the IP address of the DHCP client identified in Task 1, in a ping command.
You used the information from the output of the ping command to identify the MAC
address of that DHCP client.
You used the workgroup switch mac-address-table command to identify the port through
which the DHCP client is accessing the network.
Activity Objective
In this activity, you will use Telnet and SSH connections to access Cisco routers and switches.
After completing this activity, you will be able to meet these objectives:
Be able to initiate, suspend, resume and close a Telnet session from a Cisco router or
switch
Be able to initiate, suspend, resume and close an SSH session from a Cisco router or switch
Visual Objective
The figure illustrates what you will accomplish in this activity.
Router IP Address   Switch IP Address
10.2.2.3 /24        10.2.2.11 /24
10.3.3.3 /24        10.3.3.11 /24
10.4.4.3 /24        10.4.4.11 /24
10.5.5.3 /24        10.5.5.11 /24
10.6.6.3 /24        10.6.6.11 /24
10.7.7.3 /24        10.7.7.11 /24
10.8.8.3 /24        10.8.8.11 /24
10.9.9.3 /24        10.9.9.11 /24
Required Resources
These are the resources and equipment that are required to complete this activity:
Command List
The table describes the commands that are used in this activity.
Description
Ctrl-Shift-6 x
disconnect [session]
exit
Sets the number of lines held in the history buffer for recall.
Two separate buffers are used, one for EXEC mode
commands and the second for configuration mode
commands.
ip domain-lookup
line console 0
logging synchronous
logout
resume
show sessions
show users
ssh ip_address
telnet ip_address
Job Aids
Activity Procedure
Complete these steps:
Step 1
Connect to your remote workgroup router via the console server, and enter the
necessary commands and passwords to get to the enable mode.
Step 2
The size of the history buffers is 20. You could change this by using the command
terminal history size 100. However, this value would have to be entered every time
you log out of and back into the switch. The history size can be set in the
configuration, associated with the vty and console lines.
Step 3
Step 4
Step 5
Enter the command history size 100 to change the history buffer size.
Step 6
Step 7
Step 8
Step 9
Enter the commands to configure the history size to 100 and to synchronize the
messages.
Step 10
Step 11
Step 12
Step 13
Use the history recall to enter the show terminal command. Your output should be
similar to the example below, which has been edited to reduce unwanted lines.
RouterX#show terminal
Line 0, Location: "", Type: ""
Length: 24 lines, Width: 80 columns
Baud rate (TX/RX) is 9600/9600, no parity, 2 stopbits, 8 databits
..
..Text omitted
..
Editing is enabled.
History is enabled, history size is 100.
DNS resolution in show commands is enabled
Full user help is disabled
Allowed input transports are none.
Allowed output transports are pad telnet rlogin lapb-ta mop v120 ssh.
Preferred transport is telnet.
No output characters are padded
No special data dispatching characters
Step 14
Step 15
When you are satisfied that your running configuration reflects the changes, save it
to startup-config.
Activity Verification
You have completed this task when you attain these results:
You have verified that the history buffer value is set to 100 lines on the console and vty
lines.
You have verified that logging synchronous is configured on the console and vty lines.
Activity Procedure
Complete these steps:
Step 1
Step 2
From your PC, use PuTTY to connect to the IP address of your workgroup router
and get to the enable EXEC prompt. Use the username and password netadmin
during this activity.
Step 3
Get to the enable EXEC prompt and enter the command show sessions. Your output
should look similar to the following display:
Enter the command show users to see the current users connected to your
workgroup router. Your output should look similar to the following display:
RouterX#sh users
    Line       User       Host(s)              Idle       Location
*322 vty 0     netadmin   idle                 00:00:00 10.10.10.134

  Interface    User               Mode         Idle     Peer Address
Step 5
The user netadmin is associated with the address of your PC, because of the VPN
connection you made in Step 2 of this task.
Step 6
Step 7
Enter the command line vty 0 4 to get to the VTY line configuration mode.
Step 8
Enter the command exec-timeout 30 to extend the idle timer period to 30 minutes.
Step 9
Return to the EXEC prompt by entering the command end. Your output should look
similar to the following display:
RouterX#conf t
Enter configuration commands, one per line.
RouterX(config)#line vty 0 4
RouterX(config-line)#exec-timeout 30
RouterX(config-line)#end
RouterX#
Activity Verification
You have completed this task when you attain these results:
You connected from your PC to your remote workgroup router using PuTTY via VPN
tunnel.
You increased the idle timeout of the router vty lines to 30 minutes.
You used the show sessions command to verify that the router has no open sessions at this
time.
You used the show users command to identify that you are the only user currently
connected to your router.
Activity Procedure
Complete these steps:
Step 1
From your workgroup router, open a Telnet session to your assigned workgroup
switch, using the telnet ip_address command.
Step 2
Enter the command to get to the enable EXEC prompt. Your output should look
similar to the following display:
RouterX#telnet 10.10.10.11
Trying 10.10.10.11 ... Open
********** Warning
*************
Access to this device is restricted to authorized persons only!
Un-authorized access is prohibited. Violators will be prosecuted.
**************************************************************
User Access Verification
Username: netadmin
Password:
SwitchX>enable
Password:
SwitchX#
Step 3
Step 4
Enter the command line vty 0 15 to get to the VTY line configuration mode.
Step 5
Enter the command exec-timeout 30 to extend the idle timer period to 30 minutes.
Step 6
Return to the EXEC prompt by entering the command end. Your output should look
similar to the following display:
SwitchX#conf t
Enter configuration commands, one per line.
SwitchX(config)#line vty 0 15
SwitchX(config-line)#exec-timeout 30
SwitchX(config-line)#end
SwitchX#
Step 7
Enter the escape sequence Ctrl-Shift-6, x to suspend the session and get the
RouterX# prompt.
Step 8
Enter the command show sessions to display the currently active sessions. Your
output should look similar to the following display with the exception that the
escape sequence has been indicated in bold text:
SwitchX#<cntrl+shift+6,x>
RouterX#show sessions
Conn Host                Address             Byte
*  1 10.10.10.11         10.10.10.11            0
RouterX#
Step 9
Enter the command ssh ip_address to open a second connection to your workgroup
switch using the SSH protocol.
Note: You need to enter the password associated with the username netadmin.
Your output should look similar to the following display:
RouterX#ssh 10.10.10.11
********** Warning
*************
Access to this device is restricted to authorized persons only!
Un-authorized access is prohibited. Violators will be prosecuted.
**************************************************************
Password:
SwitchX>
Step 10
Enter the escape sequence Ctrl-Shift-6, x to suspend the session and get the
RouterX# prompt.
Step 11
Enter the command show sessions to display the currently active sessions. Your
output should look similar to the following display with the exception that the
escape sequence has been indicated in bold text:
SwitchX><ctrl+shift+6,x>
RouterX#show sessions
Conn Host                Address             Byte
   1 10.10.10.11         10.10.10.11            0
*  2 10.10.10.11         10.10.10.11            0
RouterX#
Step 12
Enter the command resume 1 to resume your first connection to the workgroup
switch. Notice that this session has the enable prompt.
<ENTER>
RouterX#resume 1
[Resuming connection 1 to 10.10.10.11 ... ]
<ENTER>
SwitchX#show users
    Line       User       Host(s)              Idle       Location
*  1 vty 0     netadmin   idle                 00:00:00 10.10.10.3
   2 vty 1     netadmin   idle                 00:00:22 10.10.10.3

  Interface    User               Mode         Idle     Peer Address
SwitchX#
Step 13
From your switch, Telnet to your workgroup router without prefixing the address
with Telnet, and notice that you were automatically enabled on the router. Your
output should look similar to the following display:
SwitchX#10.10.10.3
Trying 10.10.10.3 ... Open
********** Warning
*************
Access to this device is restricted to authorized persons only!
Un-authorized access is prohibited. Violators will be prosecuted.
**************************************************************^C
User Access Verification
Username: netadmin
Password:
RouterX#
Step 14
Enter the command show sessions to display any sessions associated with this
connection. Your output should look similar to the following display:
RouterX#show sessions
% No connections open
RouterX#
Note
At this point in the activity, you have established a Telnet connection from the router to the
switch and a Telnet connection from the switch to the router. Also, you have an SSH
connection from the router to the switch.
Step 15
Your current view is at the router user EXEC via your initial Telnet connection
through the switch. If at this point you use a single escape sequence, you will return
to the Router# prompt (session 1). However, if you use two escape sequences
followed by pressing x, you will return to the switch.
Step 16
Enter the sequence Ctrl-Shift-6, Ctrl-Shift-6, x, and notice that the x is used only
once at the end. You are returned to your switch. Your output should look similar to
the following display:
Byte
0
SwitchX#
Step 17
Enter the escape sequence Ctrl-Shift-6, x, to suspend the original session initiated
from the router and get the RouterX# prompt. Your output should look similar to the
following display:
SwitchX#<ctrl-shift-6, x>
RouterX#sh sessions
Conn Host                Address             Byte
*  1 10.10.10.11         10.10.10.11            0
   2 10.10.10.11         10.10.10.11            0
Step 18
Observe the output. The asterisk (*) is by the number 1. This indicates that this is the
active session. If you press the Enter key without adding any other text, the session
will automatically be resumed.
Step 19
Press the Enter key twice. The first resumes the connection to the switch, and the
second is interpreted at the switch to resume its session to the router. You will need
to press Enter a third time to get the router prompt. Your output should look similar
to the following display:
RouterX#<ENTER>
[Resuming connection 1 to 10.10.10.11 ... ]
<ENTER>
[Resuming connection 1 to 10.10.10.3 ... ]
<ENTER>
RouterX#
Step 20
Close the connection to the router by using the disconnect command. Entering the
command without any numerical value is interpreted as closing the last created
connection. You will need to confirm your requested action. Your output should
look similar to the following display:
SwitchX#disconnect
Closing connection to 10.10.10.3 [confirm]
SwitchX#
Step 22
Remove the modification to the EXEC timeout value by setting it back to its default
value of 10 minutes. Your output should look similar to the following display:
SwitchX#conf t
Enter configuration commands, one per line.
SwitchX(config)#line vty 0 15
SwitchX(config-line)#exec-timeout 10
SwitchX(config-line)#end
SwitchX#
Step 23
Use the sequence Ctrl-Shift-6, x, to return to your router and enter the show
sessions command. Your output should look similar to the following display:
SwitchX#<ctrl-shift-6, x>
RouterX#show sessions
Conn Host                Address             Byte
*  1 10.10.10.11         10.10.10.11            0
   2 10.10.10.11         10.10.10.11            0
Step 24
Remove the modification to the EXEC timeout value by setting it back to its default
value of 10 minutes. Your output should look similar to the following display:
RouterX#conf t
Enter configuration commands, one per line.
RouterX(config)#line vty 0 4
RouterX(config-line)#exec-timeout 10
RouterX(config-line)#end
RouterX#
Step 26
Use the disconnect command to close both connections to the switch. Your output
should look similar to the following display:
RouterX#disconnect 1
Closing connection to 10.10.10.11 [confirm]
RouterX#disconnect 2
Closing connection to 10.10.10.11 [confirm]
RouterX#
Step 25
Close your SSH connection to your workgroup router by using the logout command.
Then close your VPN connection.
Activity Verification
You have completed this task when you attain these results:
You initiated Telnet connections between your workgroup router and switch.
You initiated an SSH connection between your workgroup router and switch.
You used the show sessions command to identify current connections and their values
including active session and session numbers.
You used the show users command to identify currently connected users to your
workgroup router and switch.
You used the escape sequence to suspend the connection (session) that you were using
(active).
You used the resume command to choose which of your open connections (sessions) you
would use.
You returned the exec-timeout command value to 10 minutes on your workgroup router
and switch.
You terminated the VPN tunnel from your PC to your remote workgroup.
Activity Objective
In this activity, you will configure your WAN Ethernet interface to use a DHCP-obtained
IP address and to provide PAT. After completing this activity, you will be able to
meet these objectives:
Using Cisco SDM to configure the WAN Ethernet interface to use a DHCP obtained IP
address
Using Cisco SDM to configure the router to support PAT of the inside Ethernet interface
through the WAN Ethernet interface
Using Cisco SDM to verify that the configuration matches the requirements of the lab
Using the CLI to test and observe that PAT is taking place through the WAN Ethernet
interface
Visual Objective
The figure illustrates what you will accomplish in this activity.
Required Resources
These are the resources and equipment that are required to complete this activity:
Command List
The table describes the commands that are used in this activity.
Router Cisco IOS Commands
Command
Description
ping ip_address
Job Aids
There are no job aids for this lab activity.
Activity Procedure
Complete these steps:
Step 1
Step 2
Open an Internet Explorer window and enter your workgroup router IP address in
the Address field in the form of a URL; for example, https://10.x.x.3.
Step 3
In the new window that opens, enter your username netadmin and password
netadmin.
Step 4
You may see this window; if so, click Yes to it and any subsequent security
windows.
Step 5
Step 6
Step 7
Choose the Create Connection tab, and click the Ethernet PPPoE or
Unencapsulated Routing radio button.
Step 8
Click the Create New Connection button at the bottom of the pane.
Step 9
At the Welcome to the Ethernet WAN Configuration Wizard window, click the Next
button at the bottom of the pane.
Step 10
At the Encapsulation window, make no choices. Click the Next button at the bottom
of the pane to proceed.
Step 11
At the IP address window, make no choices. Only the Dynamic (DHCP Client)
radio button should be set. Click Next to proceed.
Step 12
At the Advanced Options window, check the Port Address Translation check box.
You should see FastEthernet0/0 appear automatically in the LAN Interface to Be
Translated box. Click the Next button at the bottom of the pane to proceed.
Step 13
Review the information in the Summary window. Click the Finish button to finalize
the wizard.
Step 14
The configuration commands are transferred. Click the OK button to close the
Commands Delivery Status window.
Step 15
In the Edit Interface/Connection tab that opened up following the previous step,
choose FastEthernet0/1.
Step 16
Observe that the IP address is set and that it has (DHCP) following the value. Notice
also that in the lower pane, NAT has a value of Outside.
Note
You may need to click the Refresh button to force an update of the display.
Step 17
Close both your Cisco SDM session and your VPN connection.
Activity Verification
You have completed this task when you attain these results:
You have verified that the FastEthernet0/1 interface has an address obtained using DHCP.
You have verified in Step 15 that your FastEthernet0/0 interface has been identified as
being an inside interface in the PAT configuration.
You have verified in Step 15 that your FastEthernet0/1 interface has been identified as
being an outside interface in the PAT configuration.
Task 2: Use the CLI to Verify and Observe the Operation of PAT
on Your Workgroup Router
In this task, you will connect to your workgroup via the SSH connection. You will use CLI
commands to ping the DHCP-provided default gateway IP address. You will then observe the
PAT information stored by the workgroup router by using the clear and show ip nat
translations commands.
Activity Procedure
Complete these steps:
Step 1
Step 2
At the enable prompt, enter the show dhcp lease command. Your output should look
similar to the following display, but will be different for each pod.
Use the clear ip nat translation * command to clear any residual NAT information
before proceeding to the next step.
Step 4
Use the show ip nat translations command to verify that there is no data to display.
Using the IP address of the default router obtained in your output, use the ping
command to test connectivity.
Step 6
Use the show ip nat translations command to observe if any translation was made.
Your output should look similar to the following display:
Step 7
You may be surprised that no entry was made for the ping that you just successfully
completed. The reason for this is in the behavior of the ping process, which uses the IP
address of the outgoing interface as the source IP address in the packets it uses. For the
test that you just did, the outgoing interface (FastEthernet0/1) has the IP address
172.20.x.254, which does not need to be translated. In order to test this, you need to go to
your workgroup switch and repeat the ping command, then return to your router to view the
translation entry.
At your workgroup switch user EXEC prompt enter the ping command to the
default router IP address you used in Step 5. Your output should look similar to the
following display:
SwitchX>ping 172.20.21.254
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.20.21.254, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/8 ms
SwitchX>
Step 8
Return to your workgroup router and enter the show ip nat translations command.
Outside local      Outside global
172.20.21.254:33   172.20.21.254:33
Step 9
Observe that in your output, the inside local IP address was your workgroup switch,
and the inside global IP address was your FastEthernet0/1 interface.
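The behavior observed in Steps 5 through 9, modeled as an added Python example (not part of the lab guide and not Cisco code). The Fa0/1 address 172.20.21.3 and the router's own ICMP identifier 7 are constructed values, and picking the next free identifier on a collision is a simplification of this model.

```python
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import Optional

INSIDE_IF = "FastEthernet0/0"               # NAT inside interface in the lab
OUTSIDE_IF = "FastEthernet0/1"              # NAT outside interface in the lab
INSIDE_NET = ip_network("10.10.10.0/24")    # inside LAN from the lab's routing table
OUTSIDE_IP = "172.20.21.3"                  # assumed DHCP address of Fa0/1 (constructed)
GATEWAY = "172.20.21.254"                   # default gateway pinged in the lab


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    src_id: int                     # TCP/UDP port, or the ICMP echo identifier
    dst: str
    dst_id: int
    ingress: Optional[str] = None   # None means the router generated the packet


class PatRouter:
    def __init__(self):
        self.entries = {}   # flow key -> inside global identifier
        self.in_use = {}    # (proto, inside global identifier) -> flow key

    def outbound(self, pkt):
        """Packet leaving OUTSIDE_IF: translate only traffic that entered on the inside."""
        if pkt.ingress != INSIDE_IF or ip_address(pkt.src) not in INSIDE_NET:
            return pkt      # router-originated: source is already the Fa0/1 address
        key = (pkt.proto, pkt.src, pkt.src_id, pkt.dst, pkt.dst_id)
        if key not in self.entries:
            gid = pkt.src_id
            while (pkt.proto, gid) in self.in_use:   # overload: keep identifiers unique
                gid = gid % 65535 + 1
            self.entries[key] = gid
            self.in_use[(pkt.proto, gid)] = key
        return replace(pkt, src=OUTSIDE_IP, src_id=self.entries[key], ingress=None)

    def inbound(self, pkt):
        """Packet arriving on OUTSIDE_IF: rewrite only replies that match an entry."""
        key = self.in_use.get((pkt.proto, pkt.dst_id))
        if pkt.dst != OUTSIDE_IP or key is None:
            return pkt
        if (pkt.src, pkt.src_id) != (key[3], key[4]):
            return pkt      # not from the host this entry was created for
        return replace(pkt, dst=key[1], dst_id=key[2])

    def translations(self):
        """Rows shaped like 'show ip nat translations':
        (Pro, Inside global, Inside local, Outside local, Outside global)."""
        rows = []
        for (proto, lip, lid, dst, did), gid in self.entries.items():
            rows.append((proto, f"{OUTSIDE_IP}:{gid}", f"{lip}:{lid}",
                         f"{dst}:{did}", f"{dst}:{did}"))
        return rows


def run_lab():
    router = PatRouter()
    # Step 5: ping typed on the router itself, sourced from the Fa0/1 address.
    router.outbound(Packet("icmp", OUTSIDE_IP, 7, GATEWAY, 7))
    after_router_ping = router.translations()
    # Step 7: ping from the workgroup switch, entering on the inside interface.
    sent = router.outbound(Packet("icmp", "10.10.10.11", 33, GATEWAY, 33, INSIDE_IF))
    after_switch_ping = router.translations()
    # The echo reply comes back to the Fa0/1 address and is mapped to the switch.
    reply = router.inbound(Packet("icmp", GATEWAY, 33, OUTSIDE_IP, 33, OUTSIDE_IF))
    return after_router_ping, sent, after_switch_ping, reply


if __name__ == "__main__":
    empty, sent, rows, reply = run_lab()
    print("after router ping:", empty)
    print("after switch ping:", rows)
    print("reply delivered to:", reply.dst)
```

The inbound check also shows why an unsolicited packet from the outside does not reach an inside host: without a matching entry there is nothing to translate it to.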
Step 10
Activity Verification
You have completed this task when you attain these results:
You were able to get the DHCP obtained IP address of the default gateway.
You tested the operation of PAT, using a ping locally generated on your workgroup router.
The show ip nat translation command failed to show any translation because of the
behavior of the ping packets (use of source IP addresses).
You retested the ping, from your workgroup switch and using the show ip nat translation
command. This sequence of packets did generate a translation.
Activity Objective
In this activity, you will configure the serial connection and configure a static route. After
completing this activity, you will be able to meet these objectives:
Configure a static route to a given IP network which can be reached via the serial interface
Visual Objective
The figure illustrates what you will accomplish in this activity.
Required Resources
These are the resources and equipment that are required to complete this activity:
Command List
The table describes the commands that are used in this activity.
Router Cisco IOS Commands
Command
Description
description description
encapsulation ppp
shutdown
no shutdown
ping ip_address
show ip route
traceroute ip_address
Job Aids
This job aid is available to help you complete the lab activity.
Table 1: Serial WAN Information
Workgroup  WAN Interface s0/0/0   Remote WAN Interface  Remote Network        Remote Host
           IP Address             IP Address            Reachable via s0/0/0  Reachable via s0/0/0
           (Mask 255.255.255.0)   (Next-Hop Router)
           10.140.1.2             10.140.1.1            192.168.21.0          192.168.21.200
           10.140.2.2             10.140.2.1            192.168.22.0          192.168.22.200
           10.140.3.2             10.140.3.1            192.168.23.0          192.168.23.200
           10.140.4.2             10.140.4.1            192.168.24.0          192.168.24.200
           10.140.5.2             10.140.5.1            192.168.25.0          192.168.25.200
           10.140.6.2             10.140.6.1            192.168.26.0          192.168.26.200
           10.140.7.2             10.140.7.1            192.168.27.0          192.168.27.200
           10.140.8.2             10.140.8.1            192.168.28.0          192.168.28.200
Current Passwords
Router console login
sanjose
cisco
sanfran
netadmin
netadmin
sanjose
cisco
sanfran
netadmin
netadmin
Activity Procedure
Complete these steps:
Step 1
Connect to your assigned workgroup router console port, and get to the EXEC
enable prompt.
Step 2
Enter the command config terminal to get to the global configuration prompt.
Step 3
Enter the command interface s0/0/0 to get to the interface configuration mode of
your first serial interface.
Step 4
Enter the command encapsulation ppp to enable the use of PPP instead of the
default encapsulation of HDLC.
Step 5
Enter the command ip address ip_address 255.255.255.0, where you supply your
WAN IP address from Table 1 at the beginning of this lab.
Step 6
Enter the command description Link to Main Office to associate text with the
interface.
Step 7
Step 8
Wait a few moments for the status messages to stop. Then enter the command end to
exit to EXEC prompt.
Step 9
Your output for Steps 3 through 8 should look similar to the following display:
RouterX(config)#int s0/0/0
RouterX(config-if)#encapsulation ppp
RouterX(config-if)#ip address 10.140.10.2 255.255.255.0
RouterX(config-if)#description Link to Main Office
RouterX(config-if)#no shutdown
*Mar 26 21:10:35.451: %SYS-5-CONFIG_I: Configured from console by console
RouterX#
*Mar 26 21:10:35.983: %LINK-3-UPDOWN: Interface Serial0/0/0, changed state to up
RouterX#
Enter the command show interface s0/0/0 to display the current status of your serial
interface.
Step 11
Notice the bolded lines in the example below, which should be similar to your
output.
If your serial interface line protocol is NOT up, then recheck that you entered your
information correctly.
Activity Verification
You have completed this task when you attain these results:
You have correctly configured a username and password pair for PPP to use.
You have configured your interface to use the assigned IP address from Table 1 in this Lab.
You have verified using the show interface command that your serial interface is up, with
the line protocol up.
Activity Procedure
Complete these steps:
Step 1
Enter the ping remote_host command using the assigned IP address of the remote
host from Table 1 above. Your output should look similar to the following display:
RouterX#ping 192.168.21.200
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.21.200, timeout is 2 seconds:
U.U.U
Success rate is 0 percent (0/5)
Step 2
Enter the traceroute remote_host command, using the same IP address you used in
Step 1 above. Your output should look similar to the following display:
RouterX#traceroute 192.168.21.200
Type escape sequence to abort.
Tracing the route to 192.168.21.200
The output should indicate that the packets are being sent to the Internet IP
address via FastEthernet 0/1.
Step 4
Enter the command show ip route to view the current information held in the route
table. Your output should look similar to the following display:
RouterX#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route
Gateway of last resort is 172.20.21.254 to network 0.0.0.0
C
C
C
C
S*
Step 5
Notice in the example the two lines that are bolded. These indicate that the only
place that the router can send packets with destination addresses that are not found
on directly connected networks is via the default route. Recall that the default route
is indicated using 0.0.0.0.
Activity Verification
You have completed this task when you attain these results:
You observed using the traceroute command where your packets were being sent.
You observed using the show ip route command that there is no entry in the routing table
that matches the network you were trying to reach. Also, the routing table has an entry for
forwarding unknown destinations, known as the gateway of last resort.
Activity Procedure
Complete these steps:
Step 1
At the enable EXEC prompt, enter the command conf t to get to global
configuration mode.
Step 2
Enter the command end to exit the configuration mode and return to the EXEC
prompt.
Step 4
Enter the command show ip route to view the current information held in the route
table. Your output should look similar to the following display:
RouterX#show ip route
..
..Text omitted
..
Gateway of last resort is 172.20.21.254 to network 0.0.0.0
     172.20.0.0/24 is subnetted, 1 subnets
C       172.20.21.0 is directly connected, FastEthernet0/1
S    192.168.21.0/24 [1/0] via 10.140.10.1
     10.0.0.0/8 is variably subnetted, 3 subnets, 2 masks
C       10.10.10.0/24 is directly connected, FastEthernet0/0
C       10.140.10.1/32 is directly connected, Serial0/0/0
C       10.140.10.0/24 is directly connected, Serial0/0/0
S*   0.0.0.0/0 [254/0] via 172.20.21.254
RouterX#
Step 5
RouterX#ping 192.168.21.200
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.21.200, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 28/28/32 ms
RouterX#
Step 6
RouterX#traceroute 192.168.21.200
Type escape sequence to abort.
Tracing the route to 192.168.21.200
1 10.140.10.1 12 msec * 12 msec
Step 7
Notice that because the remote network is only one hop away, there is only one line
in the traceroute output.
Step 8
Activity Verification
You have completed this task when you attain these results:
You configured a static route entry pointing to the next hop router IP address of your serial
0/0/0 interface in the configuration of your workgroup router.
You used the show ip route command to verify that there is now an entry to your remote
network.
You used the traceroute command to verify that the path taken was through the IP subnet
used on the serial 0/0/0 interface.
Activity Objective
In this activity, you will enable the use of the dynamic routing protocol RIP. After completing
this activity, you will be able to meet these objectives:
Visual Objective
The figure illustrates what you will accomplish in this activity.
Required Resources
These are the resources and equipment that are required to complete this activity:
Command List
The table describes the commands that are used in this activity.
Commands
Command
Description
configure terminal
end
[no] ip route
network network_prefix
router rip
show ip protocol
show ip route
traceroute ip_address
version {1 | 2}
Job Aids
Table 1: Remote Host Information
Workgroup
           192.168.21.200   192.168.121.200   192.168.221.200
           192.168.22.200   192.168.122.200   192.168.222.200
           192.168.23.200   192.168.123.200   192.168.223.200
           192.168.24.200   192.168.124.200   192.168.224.200
           192.168.25.200   192.168.125.200   192.168.225.200
           192.168.26.200   192.168.126.200   192.168.226.200
           192.168.27.200   192.168.127.200   192.168.227.200
           192.168.28.200   192.168.128.200   192.168.228.200
These addresses can be used as destination addresses in the ping or traceroute commands.
These are valid only for the workgroup specified.
Activity Procedure
Complete these steps:
Step 1
At the EXEC prompt, enter the show ip route command to display the current route
table entries. Your output should look similar to the following display:
RouterX#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route
Gateway of last resort is 172.20.21.254 to network 0.0.0.0
C
S
C
C
C
S*
Step 2
Enter the configure terminal command to get to the global configuration mode.
Step 3
Enter the command router rip to configure the RIP routing protocol.
Step 4
Enter the network 10.0.0.0 command to enable RIP on interfaces whose IP address
matches the network address, in this case network 10.0.0.0.
Step 5
Enter the command end to exit the configuration mode. Your output should look
similar to the following display:
RouterX#config terminal
Enter configuration commands, one per line.
RouterX(config)#router rip
RouterX(config-router)#network 10.0.0.0
RouterX(config-router)#end
Step 6
RouterX#show ip protocol
Routing Protocol is "rip"
Outgoing update filter list for all interfaces is not set
Incoming update filter list for all interfaces is not set
Sending updates every 30 seconds, next due in 0 seconds
Invalid after 180 seconds, hold down 180, flushed after 240
Redistributing: rip
Default version control: send version 1, receive any version
  Interface             Send  Recv  Triggered RIP  Key-chain
  FastEthernet0/0       1     1 2
  Serial0/0/0           1     1 2
Automatic network summarization is in effect
Maximum path: 4
Routing for Networks:
  10.0.0.0
Routing Information Sources:
  Gateway         Distance      Last Update
Distance: (default is 120)
Step 7
Notice that the output indicates that this router will send version 1 updates, but
will recognize and use version 1 and 2 updates.
Enter the commands necessary to configure RIP to use version 2. Your output
should look similar to the following display:
Step 8
RouterX#conf t
Enter configuration commands, one per line.
RouterX(config)#router rip
RouterX(config-router)#version 2
RouterX(config-router)#end
Step 9
RouterX#show ip protocol
Routing Protocol is "rip"
Outgoing update filter list for all interfaces is not set
Incoming update filter list for all interfaces is not set
Sending updates every 30 seconds, next due in 28 seconds
Invalid after 180 seconds, hold down 180, flushed after 240
Redistributing: rip
Default version control: send version 2, receive version 2
  Interface             Send  Recv  Triggered RIP  Key-chain
  FastEthernet0/0       2     2
  Serial0/0/0           2     2
Automatic network summarization is in effect
Maximum path: 4
Routing for Networks:
  10.0.0.0
Routing Information Sources:
  Gateway         Distance      Last Update
  10.140.10.1          120      00:00:01
Distance: (default is 120)
Notice that RIP will now send and receive only version 2 updates.
Step 10
Activity Verification
You have completed this task when you attain these results:
Activity Procedure
Complete these steps:
Step 1
Enter the show ip route command to view the current route table entries. Your output
should look similar to the following display:
RouterX#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
..
..Text omitted
..
C
C
C
R
S*
Step 2
Notice that there are more network entries learned via RIP updates. These are
indicated in the display with an R. However, a static route is still being used as the
entry for the route to the 192.168.2x.0 network (where x represents your pod number).
This is indicated with an S. This route therefore does not take advantage of the
dynamic updates available using RIP. Recall that the routing table uses the
administrative distance to determine which route should populate the route table.
The value for RIP is 120 and for a static route is 1.
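The route selection described here and in the static-route task earlier, as an added Python example (not part of the lab guide). Prefixes, next hops and the [1/0] and [254/0] values come from the lab's show ip route output; the RIP metric of 1 is a constructed value.

```python
from ipaddress import ip_address, ip_network


def route(code, prefix, ad, metric, via):
    return {"code": code, "prefix": prefix, "ad": ad, "metric": metric, "via": via}


# Directly connected networks from the lab's routing table.
CONNECTED = [
    route("C", "172.20.21.0/24", 0, 0, "FastEthernet0/1"),
    route("C", "10.10.10.0/24", 0, 0, "FastEthernet0/0"),
    route("C", "10.140.10.0/24", 0, 0, "Serial0/0/0"),
    route("C", "10.140.10.1/32", 0, 0, "Serial0/0/0"),
]
DEFAULT = route("S*", "0.0.0.0/0", 254, 0, "172.20.21.254")
STATIC = route("S", "192.168.21.0/24", 1, 0, "10.140.10.1")
RIP = route("R", "192.168.21.0/24", 120, 1, "10.140.10.1")   # metric is constructed


def install(candidates):
    """Build the routing table: for each prefix keep the candidate with the
    lowest administrative distance, then the lowest metric."""
    table = {}
    for cand in candidates:
        net = ip_network(cand["prefix"])
        current = table.get(net)
        if current is None or (cand["ad"], cand["metric"]) < (current["ad"], current["metric"]):
            table[net] = cand
    return table


def lookup(table, destination):
    """Forwarding decision: the longest matching prefix wins; None if nothing matches."""
    addr = ip_address(destination)
    matches = [net for net in table if addr in net]
    if not matches:
        return None
    return table[max(matches, key=lambda net: net.prefixlen)]


def lab_walkthrough(host="192.168.21.200"):
    """Which route carries traffic to the remote host at each stage of the labs."""
    stages = {
        "default only": CONNECTED + [DEFAULT],
        "static added": CONNECTED + [DEFAULT, STATIC],
        "static and RIP": CONNECTED + [DEFAULT, STATIC, RIP],
        "static removed": CONNECTED + [DEFAULT, RIP],
    }
    return {name: lookup(install(cands), host) for name, cands in stages.items()}


if __name__ == "__main__":
    for stage, chosen in lab_walkthrough().items():
        print(f"{stage:15} {chosen['code']:3} {chosen['prefix']:18} "
              f"[{chosen['ad']}/{chosen['metric']}] via {chosen['via']}")
```

With only the default route installed, traffic for the remote host leaves toward 172.20.21.254, which is what the first traceroute in the static-route lab showed.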
Step 3
Enter the conf terminal command to enter the global configuration mode.
Step 4
Step 5
Step 6
Enter the show ip route 192.168.2x.0 command to display only the information for
the route specified. Your output should look similar to the following display:
Enter the traceroute 192.168.22x.200 command to use the ICMP protocol to follow
the path taken to reach the host on the network. Your output should look similar to
the following display:
RouterX#traceroute 192.168.221.200
Type escape sequence to abort.
Tracing the route to 192.168.221.200
1 10.140.10.1 16 msec 12 msec 12 msec
2 192.168.131.253 16 msec * 12 msec
Step 8
Activity Verification
You have completed this task when you attain these results:
Activity Objective
In this activity, you will use Cisco Discovery Protocol to obtain information about directly
attached Cisco devices. You will also disable Cisco Discovery Protocol from running on
selected interfaces. After completing this activity, you will be able to meet these objectives:
Verify that Cisco Discovery Protocol is running on your workgroup router and switch
Visual Objective
The figure illustrates what you will accomplish in this activity.
Required Resources
These are the resources and equipment that are required to complete this activity:
Command List
The table describes the commands that are used in this activity.
Router Cisco IOS Commands
Command
Description
show cdp
Job Aids
There are no job aids available for this lab activity.
Activity Procedure
Complete these steps:
Step 1
Connect to your remote workgroup router via the console server, and enter the
necessary commands and passwords to get to the EXEC enable prompt.
Step 2
Enter the show cdp command to verify that Cisco Discovery Protocol is enabled
and to display global information.
RouterX#show cdp
Global CDP information:
Sending CDP packets every 60 seconds
Sending a holdtime value of 180 seconds
Sending CDPv2 advertisements is enabled
Step 3
Enter the show cdp interface command to display the interfaces that are running
Cisco Discovery Protocol. Your output should look similar to the following display:
Enter the show cdp neighbors command to display any known Cisco devices. Your
output should look similar to the following display:
Holdtme    Capability    Platform    Port ID
167        R S I         2811        Ser 1/0
137        S I
Using the information gathered in the previous step, enter the show cdp entry
MainRouter command to view the detailed Cisco Discovery Protocol information
of the Cisco router learned through the serial interface. Your output should look
similar to the following display:
Step 6
Observe in your display that the IP address of the remote device is output, as is the
router platform and software information.
Step 7
Using the IP address from your output in Step 5, you could attempt to log in to
router MainRouter; however, this would be unsuccessful because MainRouter has an
ACL preventing unauthorized access.
Step 8
Enter the show cdp neighbors detail command to display the same information that
show cdp entry did. However, the neighbors detail command will display all
known neighbors without requiring any other parameters. Your output should look
similar to the following display:
RouterX#show cdp neighbors detail
-------------------------
Device ID: MainRouter
Entry address(es):
IP address: 10.140.10.1
Platform: Cisco 2811, Capabilities: Router Switch IGMP
Interface: Serial0/0/0, Port ID (outgoing port): Serial1/0
Holdtime : 167 sec
Version :
Cisco IOS Software, 2800 Software (C2800NM-ADVIPSERVICESK9-M), Version
12.4(12), RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2006 by Cisco Systems, Inc.
Compiled Fri 17-Nov-06 12:02 by prod_rel_team
advertisement version: 2
VTP Management Domain: ''
-------------------------
Device ID: SwitchX.cisco.com
Entry address(es):
IP address: 10.10.10.11
Platform: cisco WS-C2960-24TT-L, Capabilities: Switch IGMP
Interface: FastEthernet0/0, Port ID (outgoing port): FastEthernet0/2
Holdtime : 135 sec
Version :
Cisco IOS Software, C2960 Software (C2960-LANBASEK9-M), Version 12.2(25)SEE2,
RELEASE SOFTWARE (fc1)
Copyright (c) 1986-2006 by Cisco Systems, Inc.
Compiled Fri 28-Jul-06 11:57 by yenanh
advertisement version: 2
Protocol Hello: OUI=0x00000C, Protocol ID=0x0112; payload len=27,
value=00000000FFFFFFFF010221FF000000000000001A6D446C80FF0000
VTP Management Domain: ''
Native VLAN: 1
Duplex: half
Step 9
From the output of the cdp commands or by knowing the topology, you can
determine which interfaces connect to your network infrastructure. Any interfaces
that do not connect to the infrastructure should have Cisco Discovery Protocol
disabled because it can help hackers gain knowledge of your network. From the
perspective of the workgroup router, interfaces fa0/1 and serial 0/0/1 should have
Cisco Discovery Protocol disabled.
Step 10
At the global configuration mode, enter interface fa0/1 and then enter the no cdp
enable command to disable Cisco Discovery Protocol only on this interface.
Step 11
Enter the same sequence of commands to disable Cisco Discovery Protocol on your
serial 0/0/1 interface, then return to the enable EXEC prompt.
Step 12
Enter the show cdp interface command to verify that only Fa0/0 and s0/0/0 are
running Cisco Discovery Protocol at this time. Your output should look similar to
the following display:
Encapsulation PPP
Sending CDP packets every 60 seconds
Holdtime is 180 seconds
Step 13
Activity Verification
You have completed this task when you attain these results:
You observed the Cisco Discovery Protocol output for your directly attached Cisco
neighbors.
You disabled Cisco Discovery Protocol on the interfaces that do not connect to your
network infrastructure.
Activity Procedure
Complete these steps:
Step 1
Connect to your remote workgroup switch via the console server, and enter the
necessary commands and passwords to get to the EXEC enable prompt.
Step 2
Enter the show cdp command to verify that Cisco Discovery Protocol is enabled and
also to display global information. Your output should look similar to the following
display with the exception that some text has been omitted to save space.
Step 3
Enter the show cdp neighbor command to view directly connected Cisco devices.
Your output should look similar to the following display:
Local Intrfce  Holdtme  Capability  Platform  Port ID
Fas 0/2        150      R S I       2811      Fas 0/0
Step 4
Notice that the only neighbor found is your workgroup router. This confirms your
network diagram: the only interface that should run Cisco Discovery Protocol is
Fa0/2.
Step 5
Enter the necessary commands to have only interface fa0/2 running Cisco Discovery
Protocol. Your output should look similar to the following display:
SwitchX#conf t
Enter configuration commands, one per line. End with CNTL/Z.
SwitchX(config)#interface range fa0/1 - 24, gi0/1 - 2
SwitchX(config-if-range)#no cdp enable
SwitchX(config-if-range)#interface fa0/2
% Command exited out of interface range and its sub-modes.
Not executing the command for second and later interfaces
SwitchX(config-if)#cdp enable
SwitchX(config-if)#end
Step 6
Enter the show cdp interface command to verify your changes have been
implemented. Your output should look similar to the following display:
Step 7
Enter the show cdp traffic command to view information regarding the nature of the
Cisco Discovery Protocol updates being sent and received. This can be useful should
you suspect that there are some problems with the Cisco Discovery Protocol process.
Your output should look similar to the following display:
Step 8
Having verified the operation and also your configuration changes, save your
configuration to startup-config.
Activity Verification
You have completed this task when you attain these results:
You observed the cdp command output on your workgroup switch for your directly
attached Cisco neighbors.
You disabled Cisco Discovery Protocol on the interfaces that do not connect to your
network infrastructure.
You used the show cdp traffic command and verified that there were no errors in the Cisco
Discovery Protocol update process.
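The check behind Step 9 of the router task (find interfaces that run Cisco Discovery Protocol but face no infrastructure neighbor) can be scripted. The Python below is an added example, not part of the Cisco lab guide; the sample outputs, the running-config fragment, and all function names are constructed for illustration, and skipping logical interfaces is an assumption of the example.

```python
import re

# Constructed sample, trimmed from the format of the lab's
# "show cdp neighbors detail" display.
CDP_DETAIL = """\
-------------------------
Device ID: MainRouter
Entry address(es):
  IP address: 10.140.10.1
Platform: Cisco 2811,  Capabilities: Router Switch IGMP
Interface: Serial0/0/0,  Port ID (outgoing port): Serial1/0
Holdtime : 167 sec
-------------------------
Device ID: SwitchX.cisco.com
Entry address(es):
  IP address: 10.10.10.11
Platform: cisco WS-C2960-24TT-L,  Capabilities: Switch IGMP
Interface: FastEthernet0/0,  Port ID (outgoing port): FastEthernet0/2
Holdtime : 135 sec
"""

# Constructed running-config fragment: CDP was turned off on Fa0/1,
# but Serial0/0/1 was forgotten.
RUNNING_CONFIG = """\
interface FastEthernet0/0
 ip address 10.10.10.3 255.255.255.0
!
interface FastEthernet0/1
 ip address dhcp
 no cdp enable
!
interface Serial0/0/0
 encapsulation ppp
!
interface Serial0/0/1
 no ip address
!
"""

# Assumption of this example: logical interfaces are not audited.
LOGICAL_PREFIXES = ("Loopback", "Vlan", "Null", "Tunnel")


def parse_cdp_neighbors(text):
    """Return one dict per neighbor entry in 'show cdp neighbors detail' text."""
    neighbors = []
    # Entries are separated by a dashed rule; splitting on the dashes also
    # copes with output where the rule is fused onto the "Device ID" line.
    for block in re.split(r"-{5,}", text):
        dev = re.search(r"Device ID:\s*(\S+)", block)
        if not dev:
            continue
        ip = re.search(r"IP address:\s*(\S+)", block)
        plat = re.search(r"Platform:\s*(.+?),\s*Capabilities:\s*(.+)", block)
        link = re.search(
            r"Interface:\s*([^,\s]+),\s*Port ID \(outgoing port\):\s*(\S+)", block)
        neighbors.append({
            "device_id": dev.group(1),
            "ip": ip.group(1) if ip else None,
            "platform": plat.group(1).strip() if plat else None,
            "capabilities": plat.group(2).split() if plat else [],
            "local_interface": link.group(1) if link else None,
            "remote_port": link.group(2) if link else None,
        })
    return neighbors


def cdp_enabled_interfaces(config):
    """Return the interfaces that still run CDP according to a running-config."""
    # "no cdp run" in global configuration disables CDP on the whole device.
    if re.search(r"^no cdp run\s*$", config, flags=re.M):
        return set()
    enabled, current = set(), None
    for line in config.splitlines():
        start = re.match(r"interface (\S+)", line)
        if start:
            current = start.group(1)
            # CDP is on by default, so every interface starts out enabled.
            if not current.startswith(LOGICAL_PREFIXES):
                enabled.add(current)
        elif line.startswith(" ") and current:
            if line.strip() == "no cdp enable":
                enabled.discard(current)
        else:
            current = None  # "!" or a new top-level command ends the stanza
    return enabled


def interfaces_to_review(cdp_text, config):
    """Interfaces with CDP enabled on which no CDP neighbor was learned."""
    with_neighbor = {n["local_interface"] for n in parse_cdp_neighbors(cdp_text)}
    return sorted(cdp_enabled_interfaces(config) - with_neighbor)


if __name__ == "__main__":
    for name in interfaces_to_review(CDP_DETAIL, RUNNING_CONFIG):
        print("CDP enabled without an infrastructure neighbor:", name)
```

The comparison relies on both displays using the long interface names (Serial0/0/0, FastEthernet0/0), as they do in the outputs above.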
Activity Objective
In this activity, you will be able to make changes to control your router startup behavior. After
completing this activity, you will be able to meet these objectives:
Display the configuration register, modify it to a specified value, and return it to its original
value
Modify the sequence of Cisco IOS file loaded at startup, using a sequenced list of boot
system commands
Observe a reload and verify which of the boot statements was processed to obtain the
running Cisco IOS binary file
Visual Objective
The figure illustrates what you will accomplish in this activity.
Required Resources
These are the resources and equipment that are required to complete this activity:
Command List
The table describes the commands that are used in this activity.
Router Cisco IOS Commands
Command
Description
config-register value
show flash
show running-config
show startup-config
show version
Job Aids
The following job aid is available to help you complete the lab activity.
Table 1: TFTP Server IP Address Information
Workgroup   TFTP Server IP Address   Workgroup   TFTP Server IP Address
            10.2.2.1                             10.6.6.1
            10.3.3.1                             10.7.7.1
            10.4.4.1                             10.8.8.1
            10.5.5.1                             10.9.9.1
Activity Procedure
Complete these steps:
Step 1
Connect to your remote workgroup router via the console server, and enter the
necessary commands and passwords to get to the EXEC enable prompt.
Step 2
Enter the show version command and press the Spacebar to complete the output.
Your output should look similar to the following display:
RouterX#show version
Cisco IOS Software, 2800 Software (C2800NM-ADVIPSERVICESK9-M), Version
12.4(12), RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2006 by Cisco Systems, Inc.
Compiled Fri 17-Nov-06 12:02 by prod_rel_team
ROM: System Bootstrap, Version 12.4(13r)T, RELEASE SOFTWARE (fc1)
RouterX uptime is 2 minutes
System returned to ROM by reload at 23:05:39 UTC Fri Mar 30 2007
System image file is "flash:c2800nm-advipservicesk9-mz.124-12.bin"
This product contains cryptographic features and is subject to United
..
..Text omitted
..
Cisco 2811 (revision 53.50) with 249856K/12288K bytes of memory.
Processor board ID FTX1050A3Q6
2 FastEthernet interfaces
2 Serial(sync/async) interfaces
1 Virtual Private Network (VPN) Module
DRAM configuration is 64 bits wide with parity enabled.
239K bytes of non-volatile configuration memory.
62720K bytes of ATA CompactFlash (Read/Write)
Configuration register is 0x2102
Step 3
Write down the value of the configuration register (exactly as it appears) in the line
below.
Step 4
RouterX#conf t
Enter configuration commands, one per line.
RouterX(config)#config-register 0x2104
Step 5
Exit the global configuration mode and enter the show version command to display
the new value. Your output should look similar to the following display:
RouterX(config)#^Z
RouterX#
RouterX#show version
Cisco IOS Software, 2800 Software (C2800NM-ADVIPSERVICESK9-M), Version
12.4(12), RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2006 by Cisco Systems, Inc.
Compiled Fri 17-Nov-06 12:02 by prod_rel_team
ROM: System Bootstrap, Version 12.4(13r)T, RELEASE SOFTWARE (fc1)
RouterX uptime is 8 minutes
System returned to ROM by reload at 23:05:39 UTC Fri Mar 30 2007
..
..Text omitted
..
239K bytes of non-volatile configuration memory.
62720K bytes of ATA CompactFlash (Read/Write)
Configuration register is 0x2102 (will be 0x2104 at next reload)
RouterX#
Step 6
You will see that your new value will not be active until the next reload.
Step 7
You can (optionally) enter the show running-config command to look for the
config-register parameter; however, it will not be displayed as it is NOT part of the
running configuration.
Step 8
Enter the commands necessary to restore your configuration register to the value you
recorded in Step 3. When you have done this, you should enter the show version
command and verify that the configuration register has been restored to its original
value.
Step 9
It can sometimes seem confusing when viewing output to distinguish which display
is the running configuration and which is the startup configuration.
Step 10
Enter the show running-config command and use q to quit the output after the first
screen is displayed. Your output should look similar to the following display:
RouterX#show running-config
Building configuration...
Current configuration : 2170 bytes
!
version 12.4
..
..Text omitted
..
--More--q
Step 11
Notice that the output starts with the words Building configuration. This is
because the running configuration is NOT a file. It is the stored parameter values
within the executing Cisco IOS program.
Step 12
Enter the show startup-config command and use q to quit the output after the first
screen is displayed. Your output should look similar to the following display:
RouterX#sh startup-config
Using 2170 out of 245752 bytes
!
version 12.4
..
..Text omitted
..
--More--q
Step 13
Notice that the output in the example displayed has the words Using 2170 out of
245752 bytes, which indicates that a certain amount of the NVRAM is being used
to hold the configuration file.
Activity Verification
You have completed this task when you attain these results:
You observed and recorded the current value of the configuration register.
You modified the configuration register value, displayed the output of the show version
command, and identified that it had been changed but that this change would not be active
until after the router was restarted.
You displayed and identified the differences in the output between showing the running
configuration and the startup configuration when using the show commands.
Task 2: Observe the Flash File System and Add Boot System Commands
In this task you will determine the Cisco IOS system file being used. You will then add three
boot system commands that modify the default behavior of file choice at startup. Changes to
the booting process flow should be used with extreme caution, as errors may leave your router
unreachable over the network. This is why this process is usually done only by
senior network administrators.
Activity Procedure
Complete these steps:
Step 1
Enter the show flash: command to output the files that are currently stored in the
flash memory. Your output should look similar to the following display:
RouterX#show flash:
-#- --length-- -----date/time------ path
1     36232088 Mar 28 2007 17:27:46 +00:00 c2800nm-advipservicesk9-mz.124-12.bin
2         1823 Dec 14 2006 08:25:40 +00:00 sdmconfig-2811.cfg
3      4734464 Dec 14 2006 08:26:10 +00:00 sdm.tar
4       833024 Dec 14 2006 08:26:26 +00:00 es.tar
5      1052160 Dec 14 2006 08:26:46 +00:00 common.tar
6         1038 Dec 14 2006 08:27:02 +00:00 home.shtml
7       102400 Dec 14 2006 08:27:24 +00:00 home.tar
8       491213 Dec 14 2006 08:27:48 +00:00 128MB.sdf
Step 2
You should note that the Cisco IOS binary file is identified with a .bin extension.
The other files (in the example display above) are related to the Cisco SDM
configuration program. It is possible to have multiple Cisco IOS images in flash
memory. Write the file name of the Cisco IOS binary file in the space below; in the
example, it is c2800nm-advipservicesk9-mz.124-12.bin.
Step 3
The first found binary file in flash determines the Cisco IOS image loaded at a
restart. This order can be modified by using the boot system flash filename.bin
configuration commands.
Caution
Extreme care should be taken when using boot system commands because an error may
leave the router unable to start, which can lead to significant downtime while the boot
process is restored. For this reason, only senior network administrators usually modify the
Cisco IOS flash files and modify the boot sequence.
Step 4
At the global configuration prompt, enter the boot system tftp filename
tftp_address, where filename is the name you noted in Step 2 and tftp_address is the
IP address of your workgroup TFTP server, which can be found in Table 1. By
entering this command first, the router on reload attempts to locate and load its
Cisco IOS file from the TFTP server specified. Your output should look similar to
the following display:
Enter boot system flash filename, where filename is the name you copied in Step 2.
If this command is processed, the router will attempt to load the Cisco IOS file from
flash memory using the filename specified. Your output should look similar to the
following display:
Step 8
Enter the show run command, and observe the output to verify that your boot system
commands are accurately entered. Your output should look similar to the following
display but should show your workgroup hostname and filenames:
..
..Text omitted
..
hostname RouterX
!
boot-start-marker
boot system tftp c2800nm-advipservicesk9-mz.124-12.bin 10.x.x.1
boot system flash c2800nm-advipservicesk9-mz.124-12.bin
boot system flash
boot-end-marker
!
Step 9
Step 10
Enter the copy run start command to save your running configuration to NVRAM.
Note
The reload process will take a variable amount of time, with the low end being approximately
5 to 8 minutes, depending on router hardware and the performance of the TFTP server. A
reload from flash memory takes 2 to 3 minutes for the same router hardware.
Step 11
Enter and confirm the reload command. Observe the output displayed during the
reload. In the space below, write the location that you believe provided the Cisco
IOS file to load.
Step 12
RouterX#reload
Proceed with reload? [confirm]<ENTER>
*Apr 6 18:17:24.619: %SYS-5-RELOAD: Reload requested by console. Reload
Reason: Reload Command.
System Bootstrap, Version 12.4(13r)T, RELEASE SOFTWARE (fc1)
..
..Text omitted
..
<ENTER><ENTER>
*Apr 6 18:22:16.311: %LINEPROTO-5-UPDOWN: Line protocol on Interface
FastEthernet0/0, changed state to up
********** Warning
*************
Access to this device is restricted to authorized persons only!
Un-authorized access is prohibited. Violators will be prosecuted.
**************************************************************^
Step 13
When your router has finished reloading, press Enter twice to ensure that you are at
a login prompt. Enter the information to get to the privileged EXEC mode.
Step 14
Enter the show version command and observe the display to confirm the location of the
Cisco IOS file. Your output should look similar to the following display:
RouterX#sh version
Cisco IOS Software, 2800 Software (C2800NM-ADVIPSERVICESK9-M), Version
12.4(12), RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2006 by Cisco Systems, Inc.
Compiled Fri 17-Nov-06 12:02 by prod_rel_team
ROM: System Bootstrap, Version 12.4(13r)T, RELEASE SOFTWARE (fc1)
RouterX uptime is 1 minute
System returned to ROM by reload at 18:17:24 UTC Fri Apr 6 2007
System image file is "tftp://10.x.x.1/c2800nm-advipservicesk9-mz.124-12.bin"
..
..TEXT omitted
..
--More--q
Step 15
If there was a problem with the TFTP download, then you may have the following
line in the show version command display:
Activity Verification
You have completed this task when you attain these results:
You observed and recorded the current Cisco IOS binary file stored in flash memory.
You added three boot system commands to modify the startup behavior of the router on
reload in the following order:
First, attempt to locate a specified Cisco IOS file via a TFTP server.
If unsuccessful, attempt to locate a specified Cisco IOS file from flash memory.
Finally, locate the first found Cisco IOS file from flash memory.
You reloaded your router and observed the output to determine which of the boot system
commands resulted in the system file used at startup.
You used the show version command to verify which method was actually being used.
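The two displays used in this lab, show version and the boot system block of show run, are also what an auditor reads to see how a router will start. The Python below is an added example, not part of the Cisco lab guide: it flags a pending configuration register change, a register value that bypasses the startup configuration or the boot system commands, an image loaded over TFTP (which offers no authentication of the server or the file), and a boot order that tries the network before flash. The sample text and all function names are constructed; 10.2.2.1 is one of the Table 1 addresses.

```python
import re

# Constructed sample in the format of the lab's "show version" display.
SHOW_VERSION = """\
ROM: System Bootstrap, Version 12.4(13r)T, RELEASE SOFTWARE (fc1)
System image file is "tftp://10.2.2.1/c2800nm-advipservicesk9-mz.124-12.bin"
Configuration register is 0x2102 (will be 0x2104 at next reload)
"""

# Constructed sample in the format of the lab's "show run" display.
RUNNING_CONFIG = """\
hostname RouterX
!
boot-start-marker
boot system tftp c2800nm-advipservicesk9-mz.124-12.bin 10.2.2.1
boot system flash c2800nm-advipservicesk9-mz.124-12.bin
boot system flash
boot-end-marker
!
"""


def parse_show_version(text):
    """Extract the running image and the current/pending configuration register."""
    image = re.search(r'System image file is "([^"]+)"', text)
    reg = re.search(r"Configuration register is (0x[0-9A-Fa-f]+)"
                    r"(?: \(will be (0x[0-9A-Fa-f]+) at next reload\))?", text)
    return {
        "image": image.group(1) if image else None,
        "register": int(reg.group(1), 16) if reg else None,
        "pending": int(reg.group(2), 16) if reg and reg.group(2) else None,
    }


def parse_boot_order(config):
    """Return the boot system statements in the order the router tries them.

    Only the space-separated forms used in this lab are handled.
    """
    block = re.search(r"^boot-start-marker\n(.*?)^boot-end-marker",
                      config, flags=re.M | re.S)
    entries = []
    for line in (block.group(1).splitlines() if block else []):
        parts = line.split()
        if parts[:2] != ["boot", "system"] or len(parts) < 3:
            continue
        entries.append({
            "source": parts[2],
            "file": parts[3] if len(parts) > 3 else None,
            "server": parts[4] if len(parts) > 4 else None,
        })
    return entries


def audit_boot(show_version, config):
    """Return (code, detail) findings about how the router starts."""
    findings = []
    ver = parse_show_version(show_version)
    order = parse_boot_order(config)

    if ver["pending"] is not None and ver["pending"] != ver["register"]:
        findings.append(("REGISTER_PENDING", "0x%04X -> 0x%04X at next reload"
                         % (ver["register"], ver["pending"])))

    for label, value in (("current", ver["register"]), ("pending", ver["pending"])):
        if value is None:
            continue
        if value & 0x0040:
            # Bit 6 makes the router ignore the startup configuration in NVRAM.
            findings.append(("IGNORES_STARTUP_CONFIG", label))
        if (value & 0x000F) < 2:
            # Boot field 0 or 1: boot system commands are not consulted.
            findings.append(("BOOT_SYSTEM_NOT_USED", label))

    if ver["image"] and ver["image"].lower().startswith("tftp:"):
        findings.append(("IMAGE_FROM_TFTP", ver["image"]))

    if order and order[0]["source"] != "flash":
        findings.append(("NETWORK_BOOT_FIRST", order[0]["source"]))
    if order and not any(e["source"] == "flash" for e in order):
        findings.append(("NO_FLASH_FALLBACK", "no local image in the boot order"))
    return findings


if __name__ == "__main__":
    for code, detail in audit_boot(SHOW_VERSION, RUNNING_CONFIG):
        print(code, "-", detail)
```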
Activity Objective
In this activity, you will use Cisco IOS copy and debug commands. After completing this
activity, you will be able to meet these objectives:
Ensure that the router is lightly loaded before using debugging commands
Visual Objective
The figure illustrates what you will accomplish in this activity.
Required Resources
These are the resources and equipment that are required to complete this activity:
Command List
The table describes the commands that are used in this activity.
Router Cisco IOS Commands
Command
Description
debug ip icmp
debug ip rip
no debug all
delete flash:filename
more flash:filename
ping ip_address
show debugging
show flash
show processes
show startup-config
Job Aids
The following job aid is available to help you complete the lab activity.
Table 1: TFTP Server IP Address Information
Workgroup   TFTP Server IP Address   Workgroup   TFTP Server IP Address
            10.2.2.1                             10.6.6.1
            10.3.3.1                             10.7.7.1
            10.4.4.1                             10.8.8.1
            10.5.5.1                             10.9.9.1
Activity Procedure
Complete these steps:
Step 1
Connect to your remote workgroup router via the console server, and enter the
necessary commands and passwords to get to the user EXEC prompt.
Step 2
Step 3
RouterX#ping 10.10.10.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.10.1, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/1/1 ms
Step 4
Step 5
At the prompt, enter your workgroup assigned TFTP server IP address from Table 1.
Step 6
At the prompt, accept the default name based on your router hostname by using the
Enter key.
Step 7
Your output from these steps should look similar to the following display:
Step 8
Enter the show run int s0/0/0 command to display only the configuration for your serial
interface. Your output should look similar to the following display:
Step 9
Enter the copy tftp run command to copy from the TFTP server to your running
configuration.
Step 10
Use the IP address of your workgroup TFTP server when prompted for the address.
Step 11
Use the filename descript-confg when prompted for the source filename.
Step 12
Step 13
Your output from these steps should look similar to the following display:
Step 14
Enter the show run int s0/0/0 command to display only the configuration for your serial
interface. Your output should look similar to the following display:
Step 15
Your display should show that a description statement has overwritten the prior
description on the serial interface.
Step 16
Enter the copy tftp flash command to copy from the TFTP server to your local flash
memory.
Step 17
Enter the IP address of your workgroup TFTP server when prompted for the address.
Step 18
Enter the filename descript-confg when prompted for the source filename.
Step 19
Step 20
Your output from these steps should look similar to the following display:
Step 21
Enter the show flash command to display the files stored in flash memory.
Step 22
You should see the filename of the file you just uploaded displayed.
Step 23
Step 24
Your output from these steps should look similar to the following display:
RouterX#more flash:descript-confg
! This file demonstrates the way the IOS removes remarks
! from configuration files
! and allows parts of a configuration to be updated
!*********************[
interface serial 0/0/0
description Connection to Main Office
interface serial 0/0/1
description Unused Interface
end
Step 25
Notice that the file contains only a small number of configuration commands that
were added to (or merged with) the existing running configuration. Also notice that
the file contains comments. These comments are ignored and not stored in the
running configuration.
Step 26
Enter the delete flash:descript-confg command to remove the file that you just
uploaded from flash memory. Your output should look similar to the following
display:
RouterX#delete flash:descript-confg
Delete filename [descript-confg]?
Delete flash:descript-confg? [confirm]
Step 27
Enter the command and subsequent parameters to copy the file descript-confg to
startup-config. Your output should look similar to the following display:
Step 28
Enter the show startup command to display the contents of the startup-config file.
Your output should look similar to the following display:
RouterX#show startup
Using 289 out of 245752 bytes
! This file demonstrates the way the IOS removes remarks
! from configuration files
! and allows parts of a configuration to be updated
!*********************[
interface serial 0/0/0
Step 29
Notice that your starting configuration has been completely replaced by the small
configuration file. This demonstrates that copying to the startup file is a replacement
(or overwrite) operation. If your router were to restart now, it would not have any
functioning interfaces!
Step 30
Step 31
Use show startup to verify that the partial configuration in your startup-config file
has been replaced by the full configuration from the running configuration.
Activity Verification
You have completed this task when you attain these results:
You uploaded the configuration file to flash memory, and used the more command to
output the file as text.
You uploaded the configuration file to the startup-config file and verified that it had
overwritten all previous configuration entries.
Activity Procedure
Complete these steps:
Step 1
Step 2
Enter the command show processes to display information about the CPU
utilization. Quit the display after the first page is output. Your output should look
similar to the following display:
RouterX#show processes
CPU utilization for five seconds: 0%/0%; one minute: 0%; five minutes: 0%
 PID QTy       PC Runtime (ms)    Invoked   uSecs    Stacks TTY Process
   1 Cwe 400A7A2C            0          4       0 5456/6000   0 Chunk Manager
   2 Csp 4008C430            4       1614       2 2528/3000   0 Load Meter
   3 M*         0         7832     379196      20 7200/12000  0 Exec
..
..Text omitted
..
Step 3
You should review the first line of the output, which indicates the CPU utilization
over three time periods. This is bolded text in the example above. Your display
should indicate a very low value also.
Step 4
Enter the show debugging command to verify that no other debug commands are
active. Your output should indicate that there is no active debugging taking
place.
Step 5
Enter the debug ip icmp command to turn on debugging of ICMP messages. Your
output should look similar to the following display:
RouterX#debug ip icmp
ICMP packet debugging is on
Step 6
Repeat Step 4; your display should look something like the following:
RouterX#sh debugging
Generic IP:
ICMP packet debugging is on
Step 7
Enter ping 10.x.x.1 to send ICMP echo request packets to your assigned TFTP
server IP address. Your output should look similar to the following display:
RouterX#ping 10.10.10.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.10.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
RouterX#
*Apr 3 19:44:43.699: ICMP: echo reply rcvd, src 10.10.10.1, dst 10.10.10.3
*Apr 3 19:44:43.703: ICMP: echo reply rcvd, src 10.10.10.1, dst 10.10.10.3
*Apr 3 19:44:43.703: ICMP: echo reply rcvd, src 10.10.10.1, dst 10.10.10.3
*Apr 3 19:44:43.703: ICMP: echo reply rcvd, src 10.10.10.1, dst 10.10.10.3
*Apr 3 19:44:43.707: ICMP: echo reply rcvd, src 10.10.10.1, dst 10.10.10.3
Step 8
Enter the debug ip rip command to turn on the debugging of RIP routing packets.
Step 9
Wait a few minutes to observe some RIP routing protocol updates being sent and
received. Your output should look similar to the following display:
RouterX#
*Apr 3 20:12:01.355:
(10.10.10.3)
*Apr 3 20:12:01.355:
*Apr 3 20:12:01.355:
*Apr 3 20:12:01.355:
*Apr 3 20:12:01.355:
*Apr 3 20:12:01.355:
*Apr 3 20:12:01.355:
*Apr 3 20:12:01.355:
RouterX#
*Apr 3 20:12:06.083:
*Apr 3 20:12:06.083:
*Apr 3 20:12:06.083:
RouterX#
*Apr 3 20:12:27.295:
*Apr 3 20:12:27.295:
*Apr 3 20:12:27.295:
*Apr 3 20:12:27.295:
*Apr 3 20:12:27.295:
RouterX#
Step 10
Enter the command to display how many debug commands are active. Your output
should look similar to the following display:
RouterX#show debugging
Generic IP:
ICMP packet debugging is on
IP routing:
RIP protocol debugging is on
Step 11
Activity Verification
You have completed this task when you attain these results:
You observed that your router had a very low CPU utilization using the show processes
command.
You used debug commands to observe the output of ICMP packets and RIP routing
protocol updates.
You used the show debug command to verify which, if any, debug commands were active
on your router.
Activity Objective
In this activity, you will assume that you are taking over the reconfiguration of a branch
network from an administrator who has not completed the configuration. In fact, there may be
misconfiguration of some of the settings. You will use the knowledge and experience gained
from the earlier labs to complete the reconfiguration, correction, and testing. After completing
this activity, you will be able to meet these objectives:
Complete the configuration of your assigned workgroup switch using information provided
in the checklist below
Complete the configuration of your workgroup router using information provided in the
checklists below
See the routes indicated in the visual objective after enabling dynamic routing on your
workgroup router
Perform tests to validate that your final configuration meets the new topology information
Visual Objective
The figure illustrates what you will accomplish in this activity.
Required Resources
These are the resources and equipment that are required to complete this activity:
Your new assigned pod access information for this lab provided in the Job Aids section
Command Lists
Refer to the command lists from the prior lab that corresponds to the task you are
completing.
Job Aids
These job aids are available to help you complete the lab activity.
Workgroup  Switch Hostname  VLAN 1 IP Address (Mask /24)  Router Hostname  Fa0/0 IP Address (Mask /24)
AA         SwitchAA         10.22.22.11                   RouterAA         10.22.22.3
BB         SwitchBB         10.33.33.11                   RouterBB         10.33.33.3
CC         SwitchCC         10.44.44.11                   RouterCC         10.44.44.3
DD         SwitchDD         10.55.55.11                   RouterDD         10.55.55.3
EE         SwitchEE         10.66.66.11                   RouterEE         10.66.66.3
FF         SwitchFF         10.77.77.11                   RouterFF         10.77.77.3
GG         SwitchGG         10.88.88.11                   RouterGG         10.88.88.3
HH         SwitchHH         10.99.99.11                   RouterHH         10.99.99.3

Workgroup  s0/0/0 IP Address (Mask /24)  Workgroup  s0/0/0 IP Address (Mask /24)
AA         10.140.11.2                   EE         10.140.55.2
BB         10.140.22.2                   FF         10.140.66.2
CC         10.140.33.2                   GG         10.140.77.2
DD         10.140.44.2                   HH         10.140.88.2
Workgroup:
hostname SwitchXX
Interface
vlan 1
IP default gateway
ip default-gateway ip_address
Enable password
cisco
Enable secret
sanfran
service password-encryption
line vty 0 15
login local
Console line
line console 0
login
Console password
sanjose
Verify
2) Configure to Use SSH ONLY (Lab 2-3, Task 4)
Username and password
netadmin
netadmin
IP domain-name
cisco.com
SSH version
Vty lines
line vty 0 15
Verify
show run
fa0/1
Switchport mode
switchport port-security
Verify
Done
Workgroup:
no cdp enable
Verify
Workgroup:
hostname RouterXX
Interface
interface fa0/0
Enable password
Enable secret
Verify
2) Enhanced Configuration (Lab 4-7, Lab 6-1, Task 1)
Use password encryption
service password-encryption
line vty 0 4
login local
Console line
line console 0
login
Console password
password sanjose
no cdp enable
Verify
3) Configure to Use SSH ONLY (Lab 4-7, Task 4)
IP domain name
cisco.com
ip ssh version 2
Vty lines
line vty 0 4
Verify
Done
Workgroup:
ip http server
ip http secure-server
5) Configure DHCP Server (Lab 4-8, Task 2) Support clients on Fa0/0 interface
Pool name
Branchxx-clients
150
199
005
10.xx.xx.3
Verify
6) Configure Internet Access (Lab 5-1)
Interface
fa0/1
fa0/1
fa0/0
Verify
7) Configure Connection to Main Office (Lab 5-2)
Interface
s0/0/0
Encapsulation
encapsulation ppp
Verify
8) Configure RIPv2 Routing (Lab 5-3)
Routing protocol
router rip
RIP version 2
version 2
network 10.0.0.0
Verify
9) Configure Boot Startup (Lab 6-2)
TFTP server address is .1 host on your local network.
10.nn.nn.1
Boot order should be specified as: Cisco IOS file in flash; Cisco
IOS file from TFTP server; first found Cisco IOS file in flash
Verify
Activity Verification
You have completed this task when you attain these results:
You have connected to the remote lab and attached to your workgroup devices using the
same menus used in previous labs.
You have connected to the remote lab using the new VPN client profile to support using
Cisco SDM for configuration of your workgroup router.
In phase 3, use Cisco IOS commands to test the functionality of the switch and router working
together to support the overall configuration. These may be ping commands or explicit show
commands that demonstrate, for example, that a DHCP client has received an address. If
you encounter problems in this phase, you will have to consider where to look to remedy the
problem. You should assume that the network around you is correctly configured and will work
if your configuration matches the values supplied in the job aids and tables. If you have tried to
fix your problems without success, ask your instructor for assistance.
Use the information provided in Tables 1 and 2 and transfer it to the visual objective so that
you have your IP addressing information ready to reference as you proceed through the switch
and router task sheets.
Activity Verification
You have completed this task when you attain this result:
You have read through the instructions and have prepared the necessary reference
information to proceed to the next task.
Activity Verification
You have completed this task when you attain these results for your branch:
Your basic switch configuration properties match those assigned to your workgroup.
Your switch SSH configuration properties match those assigned to your workgroup.
Your switch port security configuration properties match those assigned to your
workgroup.
You secured your switch to match the properties assigned to your workgroup.
Your basic router configuration properties match those assigned to your workgroup.
Your router password configuration properties match those assigned to your workgroup.
Your router SSH configuration properties match those assigned to your workgroup.
Your router DHCP server configuration properties match those assigned to your
workgroup.
Your router Internet access configuration properties match those assigned to your
workgroup.
Your router main office connection configuration properties match those assigned to your
workgroup.
Your router dynamic routing configuration properties match those assigned to your
workgroup.
Your router boot system configuration properties match those assigned to your workgroup.
You tested your branch for successful connectivity, routing, and DHCP server services.
Answer Key
The correct answers and expected solutions for the activities that are described in this guide
appear here.
Labs 1-1, 1-2, 1-3, and 2-1 contained their answers within the labs and resulted in no
configuration changes.
!
interface FastEthernet0/10
!
interface FastEthernet0/11
!
interface FastEthernet0/12
!
interface FastEthernet0/13
!
interface FastEthernet0/14
!
interface FastEthernet0/15
!
interface FastEthernet0/16
!
interface FastEthernet0/17
!
interface FastEthernet0/18
!
interface FastEthernet0/19
!
interface FastEthernet0/20
!
interface FastEthernet0/21
!
interface FastEthernet0/22
!
interface FastEthernet0/23
!
interface FastEthernet0/24
!
interface GigabitEthernet0/1
!
interface GigabitEthernet0/2
!
interface Vlan1
ip address 10.10.10.11 255.255.255.0
no ip route-cache
!
ip default-gateway 10.10.10.3
ip http server
ip http secure-server
!
control-plane
!
!
line con 0
line vty 0 4
password sanjose
no login
line vty 5 15
password sanjose
no login
!
end
banner login ^C
********** Warning
*************
Access to this device is restricted to authorized persons only!
Un-authorized access is prohibited. Violators will be prosecuted.
**************************************************************^C
!
line con 0
password 7 111A180B1D1D1809
login
line vty 0 4
password 7 111A180B1D1D1809
login local
line vty 5 15
password 7 111A180B1D1D1809
login local
!
end
banner login ^C
********** Warning
*************
Access to this device is restricted to authorized persons only!
Un-authorized access is prohibited. Violators will be prosecuted.
**************************************************************^C
!
line con 0
password 7 111A180B1D1D1809
login
line vty 0 4
password 7 111A180B1D1D1809
login local
line vty 5 15
password 7 111A180B1D1D1809
login local
!
end
Base-2    2^7  2^6  2^5  2^4  2^3  2^2  2^1  2^0
Decimal   128   64   32   16    8    4    2    1

Decimal   Binary
48        48 = 32+16 = 00110000
146       146 = 128+16+2 = 10010010
222       222 = 128+64+16+8+4+2 = 11011110
119       119 = 64+32+16+4+2+1 = 01110111
135       135 = 128+4+2+1 = 10000111
60        60 = 32+16+8+4 = 00111100

Base-2    2^7  2^6  2^5  2^4  2^3  2^2  2^1  2^0
Binary    128   64   32   16    8    4    2    1

Binary     Decimal
11001100   128+64+8+4 = 204
10101010   128+32+8+2 = 170
11100011   128+64+32+2+1 = 227
10110011   128+32+16+2+1 = 179
00110101   32+16+4+1 = 53
10010111   128+16+4+2+1 = 151
Base-2    2^7  2^6  2^5  2^4  2^3  2^2  2^1  2^0
Decimal   128   64   32   16    8    4    2    1

Decimal   Binary
145       10010001
32        00100000
59        00111011
24        00011000

10010001.00100000.00111011.00011000

Step 1

Base-2    2^7  2^6  2^5  2^4  2^3  2^2  2^1  2^0
Decimal   128   64   32   16    8    4    2    1

Decimal   Binary
200       11001000
42        00101010
129       10000001
16        00010000

11001000.00101010.10000001.00010000

Step 2

Base-2    2^7  2^6  2^5  2^4  2^3  2^2  2^1  2^0
Decimal   128   64   32   16    8    4    2    1

Decimal   Binary
14        00001110
82        01010010
19        00010011
54        00110110

00001110.01010010.00010011.00110110

Step 1

Base-2    2^7  2^6  2^5  2^4  2^3  2^2  2^1  2^0
Binary    128   64   32   16    8    4    2    1

Binary     Decimal
11011000   216
00011011   27
00111101   61
10001001   137

216.27.61.137

Step 2

Base-2    2^7  2^6  2^5  2^4  2^3  2^2  2^1  2^0
Binary    128   64   32   16    8    4    2    1

Binary     Decimal
11000110   198
00110101   53
10010011   147
00101101   45

198.53.147.45

Step 3

Base-2    2^7  2^6  2^5  2^4  2^3  2^2  2^1  2^0
Binary    128   64   32   16    8    4    2    1

Binary     Decimal
01111011   123
00101101   45
01000011   67
01011001   89

123.45.67.89
Binary IP Address                     Decimal IP Address   Address Class   Number of Bits in Network ID
10010001.00100000.00111011.00011000   145.32.59.24         Class B         16                             2^16 - 2 = 65,534
11001000.00101010.10000001.00010000   200.42.129.16        Class C         24                             2^8 - 2 = 254
00001110.01010010.00010011.00110110   14.82.19.54          Class A                                        2^24 - 2 = 16,777,214
11011000.00011011.00111101.10001001   216.27.61.137        Class C         24                             2^8 - 2 = 254
10110011.00101101.01000011.01011001   179.45.67.89         Class B         16                             2^16 - 2 = 65,534
11000110.00110101.10010011.00101101   198.53.147.45        Class C         24                             2^8 - 2 = 254
Decimal IP Address   Valid or Invalid
23.75.345.200        Invalid
216.27.61.134        Valid
102.54.94            Invalid
255.255.255.255      Invalid
142.179.148.200      Valid
200.42.129.16        Valid
0.124.0.0            Invalid
2^7 - 2 = 126
2^5 - 2 = 30
12
2^4 - 2 = 14
24
2^3 - 2 = 6
40
2^2 - 2 = 2
2^13 - 2 = 8,190
2^13 - 2 = 8,190
14
2^12 - 2 = 4,094
20
2^11 - 2 = 2,046
35
2^10 - 2 = 1,022
10
2^20 - 2 = 1,048,574
14
2^20 - 2 = 1,048,574
20
2^19 - 2 = 524,286
40
2^18 - 2 = 262,142
80
2^17 - 2 = 131,070
                                                              Number of Hosts per Subnet (2^h - 2)
/20   255.255.240.0     11111111.11111111.11110000.00000000   4,094
/21   255.255.248.0     11111111.11111111.11111000.00000000   2,046
/22   255.255.252.0     11111111.11111111.11111100.00000000   1,022
/23   255.255.254.0     11111111.11111111.11111110.00000000   510
/24   255.255.255.0     11111111.11111111.11111111.00000000   254
/25   255.255.255.128   11111111.11111111.11111111.10000000   126
/26   255.255.255.192   11111111.11111111.11111111.11000000   62
/27   255.255.255.224   11111111.11111111.11111111.11100000   30
/28   255.255.255.240   11111111.11111111.11111111.11110000   14
/29   255.255.255.248   11111111.11111111.11111111.11111000
/30   255.255.255.252   11111111.11111111.11111111.11111100
Step   Description   Example
1.                   00000000
2.                   11110000
3.                   0000 0000
                     1111 0000
4.
5.
6.
7.
8.

Subnet Address                                  Directed-Broadcast Address
172.25.0.0       172.25.1.0 to 172.25.14.0      172.25.15.0
172.25.16.0      172.25.17.0 to 172.25.30.0     172.25.31.0
172.25.32.0      172.25.33.0 to 172.25.46.0     172.25.47.0
172.25.48.0      172.25.49.0 to 172.25.62.0     172.25.63.0
172.25.64.0      172.25.65.0 to 172.25.78.0     172.25.79.0
172.25.80.0      172.25.81.0 to 172.25.92.0     172.25.95.0
172.25.94.0      172.25.95 to 172.25.108.0      172.25.109.0
172.25.110.0     172.25.111.0 to 172.25.124.0   172.25.125.0
Step   Description   Example
1.                   00000000
2.                   11100000
3.                   000 00000
                     111 00000
4.
5.
6.
7.
8.

Subnet Address                                    Directed-Broadcast Address
192.168.1.0      192.168.1.1 to 192.168.1.30      192.168.1.31
192.168.1.32     192.168.1.33 to 192.168.1.62     192.168.1.63
192.168.1.64     192.168.1.65 to 192.168.1.94     192.168.1.95
192.168.1.96     192.168.1.97 to 192.168.1.126    192.168.1.127
192.168.1.128    192.168.1.129 to 192.168.1.158   192.168.1.159
192.168.1.160    192.168.1.161 to 192.168.1.190   192.168.1.191
Step   Description   Example
1.                   10000001
2.                   11110000
3.                   1000 0001
                     1111 0000
4.
5.
6.
7.
8.

Subnet Address                                         Directed-Broadcast Address
192.168.111.0     192.168.111.1 to 192.168.111.126     192.168.111.127
192.168.111.128   192.168.111.129 to 192.168.111.142   192.168.111.143
192.168.111.144   192.168.111.145 to 192.168.111.158   192.168.111.159
192.168.111.160   192.168.111.161 to 192.168.111.174   192.168.111.175
192.168.111.176   192.168.111.177 to 192.168.111.190   192.168.111.191
192.168.111.192   192.168.111.193 to 192.168.111.206   192.168.111.207
192.168.111.208   192.168.111.209 to 192.168.111.222   192.168.111.223
Step   Description   Example
1.                   01110000.00000000
2.                   11111110.00000000
3.                   0111000 0.00000000
                     1111111 0.00000000
4.
5.
6.
7.
8.

Subnet Address                                Directed-Broadcast Address
172.25.0.0       172.25.0.1 to 172.25.1.254   172.25.1.255
172.25.2.0       172.25.2.1 to 172.25.3.254   172.25.3.255
172.25.4.0       172.25.4.1 to 172.25.5.254   172.25.5.255
172.25.6.0       172.25.6.1 to 172.25.7.254   172.25.7.255
172.25.8.0       172.25.8.1 to 172.25.9.254   172.25.9.255
...
Step   Description   Example
1.                   00000000.10000001
2.                   11111111.10000000
3.                   1 0000001
                     1 0000000
4.
5.
6.
7.
8.

Subnet Address                                  Directed-Broadcast Address
172.20.0.0       172.20.0.1 to 172.20.0.126     172.20.0.127
172.20.0.128     172.20.0.129 to 172.20.0.254   172.20.0.255
172.20.1.0       172.20.1.1 to 172.20.1.126     172.20.1.127
172.20.1.128     172.20.1.129 to 172.20.1.254   172.20.1.255
172.20.2.0       172.20.2.1 to 172.20.2.126     172.20.2.127
172.20.2.128     172.20.2.129 to 172.20.2.254   172.20.2.255
...
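The subnet tables above list, for each subnet, its address, host range and directed-broadcast address. The following added example (not part of the Cisco lab guide; the function names are this example's own) derives those values from a network address and mask with integer bit operations, and rejects addresses that are malformed in the way the validity table marks Invalid for a wrong octet count or an octet above 255.

```python
def to_int(dotted):
    """Convert dotted-decimal IPv4 text to a 32-bit integer, validating each octet."""
    parts = dotted.split(".")
    if len(parts) != 4 or not all(p.isdigit() and int(p) <= 255 for p in parts):
        raise ValueError(f"not a dotted-decimal IPv4 address: {dotted!r}")
    a, b, c, d = (int(p) for p in parts)
    return (a << 24) | (b << 16) | (c << 8) | d


def to_dotted(value):
    """Convert a 32-bit integer back to dotted-decimal text."""
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def block_size(mask):
    """Addresses per subnet (2^h) for a mask; the mask bits must be contiguous."""
    host_part = ~to_int(mask) & 0xFFFFFFFF      # host bits set, network bits clear
    if host_part & (host_part + 1):             # non-zero only if ones and zeros interleave
        raise ValueError(f"mask bits are not contiguous: {mask!r}")
    return host_part + 1


def hosts_per_subnet(mask):
    """Usable hosts: 2^h - 2 (subnet address and directed broadcast excluded)."""
    return block_size(mask) - 2


def subnet_rows(network, mask, count):
    """First `count` subnets as (subnet, first host, last host, directed broadcast)."""
    size = block_size(mask)
    base = to_int(network) & to_int(mask)       # AND with the mask clears the host bits
    rows = []
    for index in range(count):
        subnet = base + index * size
        broadcast = subnet + size - 1           # all host bits set to 1
        rows.append((to_dotted(subnet), to_dotted(subnet + 1),
                     to_dotted(broadcast - 1), to_dotted(broadcast)))
    return rows


if __name__ == "__main__":
    for row in subnet_rows("192.168.1.0", "255.255.255.224", 6):
        print("%-15s %s to %s   %s" % row)
```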
TYPE
C2811 Mainboard
Onboard VPN
Onboard USB
public buffer pools
public particle pools
--- System Configuration Dialog ---
Would you like to enter the initial configuration dialog? [yes/no]: no
State
shutdown
duplex auto
speed auto
!
interface Serial0/0/0
no ip address
shutdown
no fair-queue
!
interface Serial0/0/1
no ip address
shutdown
clock rate 2000000
!
!
!
ip http server
no ip http secure-server
!
dialer-list 1 protocol ip permit
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
!
line con 0
line aux 0
line vty 0 4
password sanjose
login
!
scheduler allocate 20000 1000
!
end
speed auto
no mop enabled
!
interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
interface Serial0/0/0
no ip address
shutdown
no fair-queue
!
interface Serial0/0/1
no ip address
shutdown
clock rate 2000000
!
!
!
ip http server
no ip http secure-server
!
dialer-list 1 protocol ip permit
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
banner login ^C
********** Warning
*************
Access to this device is restricted to authorized persons only!
Un-authorized access is prohibited. Violators will be prosecuted.
**************************************************************^C
!
line con 0
password 7 14041305060B392E
login
line aux 0
line vty 0 4
password 7 071C204244060A00
login local
transport input telnet ssh
!
scheduler allocate 20000 1000
!
end
revocation-check none
rsakeypair TP-self-signed-3715519608
!
!
crypto pki certificate chain TP-self-signed-3715519608
certificate self-signed 01
quit
username netadmin privilege 15 password 7 082F495A081D081E1C
!
!
!
!
!
!
interface FastEthernet0/0
ip address 10.10.10.3 255.255.255.0
duplex half
speed auto
no mop enabled
!
interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
interface Serial0/0/0
no ip address
shutdown
no fair-queue
!
interface Serial0/0/1
no ip address
shutdown
clock rate 2000000
!
!
!
ip http server
ip http authentication local
ip http secure-server
!
revocation-check none
rsakeypair TP-self-signed-3715519608
!
!
crypto pki certificate chain TP-self-signed-3715519608
certificate self-signed 01
quit
username netadmin privilege 15 password 7 082F495A081D081E1C
!
!
!
!
!
!
interface FastEthernet0/0
ip address 10.10.10.3 255.255.255.0
duplex half
speed auto
no mop enabled
!
interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
interface Serial0/0/0
no ip address
shutdown
no fair-queue
!
interface Serial0/0/1
no ip address
shutdown
clock rate 2000000
!
!
!
ip http server
ip http authentication local
ip http secure-server
!
2007 Cisco Systems, Inc.
!
!
crypto pki certificate chain TP-self-signed-3715519608
certificate self-signed 01
quit
username netadmin privilege 15 password 7 082F495A081D081E1C
!
!
!
!
!
!
interface FastEthernet0/0
ip address 10.10.10.3 255.255.255.0
duplex half
speed auto
no mop enabled
!
interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
interface Serial0/0/0
no ip address
shutdown
no fair-queue
!
interface Serial0/0/1
no ip address
shutdown
clock rate 2000000
!
!
!
ip http server
ip http authentication local
ip http secure-server
!
dialer-list 1 protocol ip permit
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
banner login ^C
********** Warning
*************
Access to this device is restricted to authorized persons only!
Un-authorized access is prohibited. Violators will be prosecuted.
**************************************************************^C
!
line con 0
exec-timeout 60 0
password 7 14041305060B392E
logging synchronous
login
history size 100
line aux 0
line vty 0 4
password 7 071C204244060A00
logging synchronous
login local
history size 100
transport input telnet ssh
!
scheduler allocate 20000 1000
!
end
revocation-check none
rsakeypair TP-self-signed-3715519608
!
!
crypto pki certificate chain TP-self-signed-3715519608
certificate self-signed 01
quit
username netadmin privilege 15 password 7 082F495A081D081E1C
!
!
!
!
!
!
interface FastEthernet0/0
ip address 10.10.10.3 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex half
speed auto
no mop enabled
!
interface FastEthernet0/1
description $ETH-WAN$
ip address dhcp client-id FastEthernet0/1
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
interface Serial0/0/0
description Link to Main Office
ip address 10.140.10.2 255.255.255.0
encapsulation ppp
no fair-queue
!
interface Serial0/0/1
no ip address
shutdown
clock rate 2000000
!
ip route 192.168.21.0 255.255.255.0 10.140.10.1
!
!
ip http server
ip http authentication local
ip http secure-server
ip nat inside source list 1 interface FastEthernet0/1 overload
!
access-list 1 remark INSIDE_IF=FastEthernet0/0
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 10.10.10.0 0.0.0.255
dialer-list 1 protocol ip permit
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
banner login ^C
********** Warning
*************
Access to this device is restricted to authorized persons only!
Un-authorized access is prohibited. Violators will be prosecuted.
**************************************************************^C
!
line con 0
exec-timeout 60 0
password 7 14041305060B392E
logging synchronous
login
history size 100
line aux 0
line vty 0 4
password 7 071C204244060A00
logging synchronous
login local
history size 100
transport input telnet ssh
!
scheduler allocate 20000 1000
!
end
revocation-check none
rsakeypair TP-self-signed-3715519608
!
!
crypto pki certificate chain TP-self-signed-3715519608
certificate self-signed 01
quit
username netadmin privilege 15 password 7 082F495A081D081E1C
!
!
!
!
!
!
interface FastEthernet0/0
ip address 10.10.10.3 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex half
speed auto
no mop enabled
!
interface FastEthernet0/1
description $ETH-WAN$
ip address dhcp client-id FastEthernet0/1
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
interface Serial0/0/0
description Link to Main Office
ip address 10.140.10.2 255.255.255.0
encapsulation ppp
no fair-queue
!
interface Serial0/0/1
no ip address
shutdown
clock rate 2000000
!
router rip
version 2
network 10.0.0.0
!
!
!
ip http server
ip http authentication local
ip http secure-server
ip nat inside source list 1 interface FastEthernet0/1 overload
!
access-list 1 remark INSIDE_IF=FastEthernet0/0
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 10.10.10.0 0.0.0.255
dialer-list 1 protocol ip permit
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
banner login ^C
********** Warning
*************
Access to this device is restricted to authorized persons only!
Un-authorized access is prohibited. Violators will be prosecuted.
**************************************************************^C
!
line con 0
exec-timeout 60 0
password 7 14041305060B392E
logging synchronous
login
history size 100
line aux 0
line vty 0 4
password 7 071C204244060A00
logging synchronous
login local
history size 100
transport input telnet ssh
!
scheduler allocate 20000 1000
!
end
rsakeypair TP-self-signed-3715519608
!
!
crypto pki certificate chain TP-self-signed-3715519608
certificate self-signed 01
quit
username netadmin privilege 15 password 7 082F495A081D081E1C
!
!
!
!
!
!
interface FastEthernet0/0
ip address 10.10.10.3 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex half
speed auto
no mop enabled
!
interface FastEthernet0/1
description $ETH-WAN$
ip address dhcp client-id FastEthernet0/1
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
no cdp enable
!
interface Serial0/0/0
description Link to Main Office
ip address 10.140.10.2 255.255.255.0
encapsulation ppp
no fair-queue
!
interface Serial0/0/1
no ip address
shutdown
clock rate 2000000
!
router rip
version 2
network 10.0.0.0
!
!
!
ip http server
ip http authentication local
ip http secure-server
ip nat inside source list 1 interface FastEthernet0/1 overload
!
access-list 1 remark INSIDE_IF=FastEthernet0/0
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 10.10.10.0 0.0.0.255
dialer-list 1 protocol ip permit
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
banner login ^C
********** Warning
*************
Access to this device is restricted to authorized persons only!
Un-authorized access is prohibited. Violators will be prosecuted.
**************************************************************^C
!
line con 0
exec-timeout 60 0
password 7 14041305060B392E
logging synchronous
login
history size 100
line aux 0
line vty 0 4
password 7 071C204244060A00
logging synchronous
login local
history size 100
transport input telnet ssh
!
scheduler allocate 20000 1000
!
end
!
version 12.2
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname SwitchX
!
enable secret 5 $1$A11O$0z83HwmswM/vk5.RSZpVr.
enable password 7 05080F1C2243
!
username netadmin password 7 030A5E1F070B2C4540
no aaa new-model
ip subnet-zero
!
no ip domain-lookup
ip domain-name cisco.com
ip ssh version 2
!
!
crypto pki trustpoint TP-self-signed-1833200768
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1833200768
revocation-check none
rsakeypair TP-self-signed-1833200768
!
!
crypto ca certificate chain TP-self-signed-1833200768
certificate self-signed 01
quit
!
!
no file verify auto
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
interface FastEthernet0/1
switchport mode access
switchport port-security maximum 2
switchport port-security
switchport port-security violation restrict
switchport port-security mac-address sticky
switchport port-security mac-address sticky 0017.5a78.be01
switchport port-security mac-address sticky 001a.2fe7.3089
!
interface FastEthernet0/2
switchport mode access
!
interface FastEthernet0/3
switchport mode access
shutdown
no cdp enable
!
interface FastEthernet0/4
switchport mode access
shutdown
no cdp enable
!
interface FastEthernet0/5
switchport mode access
shutdown
no cdp enable
!
interface FastEthernet0/6
switchport mode access
shutdown
no cdp enable
!
interface FastEthernet0/7
switchport mode access
shutdown
no cdp enable
!
interface FastEthernet0/8
switchport mode access
shutdown
no cdp enable
!
interface FastEthernet0/9
switchport mode access
shutdown
no cdp enable
!
interface FastEthernet0/10
switchport mode access
shutdown
no cdp enable
!
interface FastEthernet0/11
switchport mode access
no cdp enable
!
interface FastEthernet0/12
switchport mode access
no cdp enable
!
interface FastEthernet0/13
switchport mode access
shutdown
no cdp enable
!
interface FastEthernet0/14
switchport mode access
shutdown
no cdp enable
!
interface FastEthernet0/15
switchport mode access
shutdown
no cdp enable
!
interface FastEthernet0/16
switchport mode access
shutdown
no cdp enable
!
interface FastEthernet0/17
switchport mode access
shutdown
no cdp enable
!
interface FastEthernet0/18
switchport mode access
shutdown
no cdp enable
!
interface FastEthernet0/19
switchport mode access
shutdown
no cdp enable
!
interface FastEthernet0/20
switchport mode access
shutdown
no cdp enable
!
interface FastEthernet0/21
switchport mode access
shutdown
no cdp enable
!
interface FastEthernet0/22
switchport mode access
shutdown
no cdp enable
!
interface FastEthernet0/23
switchport mode access
shutdown
no cdp enable
!
interface FastEthernet0/24
switchport mode access
shutdown
no cdp enable
!
interface GigabitEthernet0/1
switchport mode access
shutdown
no cdp enable
!
interface GigabitEthernet0/2
switchport mode access
shutdown
no cdp enable
!
interface Vlan1
shutdown
clock rate 2000000
!
router rip
version 2
network 10.0.0.0
!
!
!
ip http server
ip http authentication local
no ip http secure-server
ip nat inside source list 1 interface FastEthernet0/1 overload
!
access-list 1 remark INSIDE_IF=FastEthernet0/0
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 10.10.10.0 0.0.0.255
dialer-list 1 protocol ip permit
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
banner login ^C
********** Warning
*************
Access to this device is restricted to authorized persons only!
Un-authorized access is prohibited. Violators will be prosecuted.
**************************************************************^C
!
line con 0
exec-timeout 60 0
password 7 051807012B435D0C
logging synchronous
login
history size 100
line aux 0
line vty 0 4
password 7 051807012B435D0C
logging synchronous
login local
history size 100
transport input telnet ssh
!
scheduler allocate 20000 1000
!
end
subject-name cn=IOS-Self-Signed-Certificate-3575601183
revocation-check none
rsakeypair TP-self-signed-3575601183
!
!
crypto pki certificate chain TP-self-signed-3575601183
certificate self-signed 01
quit
username netadmin privilege 15 password 7 0505031B2048430017
!
!
!
!
!
!
interface FastEthernet0/0
ip address 10.10.10.3 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet0/1
description $ETH-WAN$
ip address dhcp client-id FastEthernet0/1
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
no cdp enable
!
interface Serial0/0/0
ip address 10.140.100.2 255.255.255.0
encapsulation ppp
no cdp enable
!
interface Serial0/0/1
no ip address
shutdown
no cdp enable
!
router rip
version 2
network 10.0.0.0
!
!
!
ip http server
ip http authentication local
ip http secure-server
ip nat inside source list 1 interface FastEthernet0/1 overload
!
access-list 1 remark INSIDE_IF=FastEthernet0/0
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 10.10.10.0 0.0.0.255
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
banner login ^C
************* Warning **********************
Access to this device is restricted to authorized persons only!
Un-authorized access is prohibited. Violators will be prosecuted.
**************************************************************^C
!
line con 0
exec-timeout 60 0
password 7 08324D4003161612
logging synchronous
login
history size 100
line aux 0
line vty 0 4
logging synchronous
login local
history size 100
transport input ssh
!
scheduler allocate 20000 1000
!
end
!
version 12.2
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname SwitchXX
!
enable secret 5 $1$LLvt$3gBuRQzm6eAcGfQjsgHC01
enable password 7 01100F175804
!
interface FastEthernet0/3
switchport mode access
shutdown
no cdp enable
!
interface FastEthernet0/4
switchport mode access
shutdown
no cdp enable
!
interface FastEthernet0/5
switchport mode access
shutdown
no cdp enable
!
interface FastEthernet0/6
switchport mode access
shutdown
no cdp enable
!
interface FastEthernet0/7
switchport mode access
shutdown
no cdp enable
!
interface FastEthernet0/8
switchport mode access
shutdown
no cdp enable
!
interface FastEthernet0/9
switchport mode access
shutdown
no cdp enable
!
interface FastEthernet0/10
switchport mode access
shutdown
no cdp enable
!
interface FastEthernet0/11
switchport mode access
no cdp enable
!
interface FastEthernet0/12
switchport mode access
no cdp enable
!
interface FastEthernet0/13
switchport mode access
shutdown
no cdp enable
!
interface FastEthernet0/14
switchport mode access
shutdown
no cdp enable
!
interface FastEthernet0/15
switchport mode access
shutdown
no cdp enable
!
interface FastEthernet0/16
switchport mode access
shutdown
no cdp enable
!
interface FastEthernet0/17
switchport mode access
shutdown
no cdp enable
!
interface FastEthernet0/18
switchport mode access
shutdown
no cdp enable
!
interface FastEthernet0/19
switchport mode access
shutdown
no cdp enable
!
interface FastEthernet0/20
switchport mode access
shutdown
no cdp enable
!
interface FastEthernet0/21
switchport mode access
shutdown
no cdp enable
!
interface FastEthernet0/22
switchport mode access
shutdown
no cdp enable
!
interface FastEthernet0/23
switchport mode access
shutdown
no cdp enable
!
interface FastEthernet0/24
switchport mode access
shutdown
no cdp enable
!
interface GigabitEthernet0/1
switchport mode access
shutdown
no cdp enable
!
interface GigabitEthernet0/2
switchport mode access
shutdown
no cdp enable
!
interface Vlan1
ip address 10.10.10.11 255.255.255.0
no ip route-cache
!
ip default-gateway 10.10.10.3
ip http server
ip http secure-server
!
control-plane
!
banner login ^C
********** Warning *************
Access to this device is restricted to authorized persons only!
Un-authorized access is prohibited. Violators will be prosecuted.
**************************************************************^C
!
line con 0
exec-timeout 60 0
password 7 04480A08052E5F4B
logging synchronous
login
history size 100
line vty 0 4
password 7 03175A01091C24
logging synchronous
login local
history size 100
transport input ssh
line vty 5 15
password 7 001712080E541803
logging synchronous
login local
history size 100
transport input ssh
!
end