CCNA® Virtual Lab, Titanium Edition 3.0
William Tedder

Bestselling lab simulation software

• Work with Practice Scenarios Based on CCNA Exam Objectives
• Set Up Custom Network Configurations Easily with Drag-and-Drop Functionality
• Hone Your Skills for the Exams with over 150 Hands-On Labs
• Use an Unlimited Number of Switches, Routers, and Hosts in Your Virtual Network
• Get Useful Feedback with the Valuable Net Assessment Tool

Serious Skills.
Senior Acquisitions Editor: Jeff Kellum
Development Editor: Tom Cirtin
Technical Editor: Troy McMillan
Production Editor: Christine O’Connor
Editorial Manager: Pete Gaughan
Production Manager: Tim Tate
Vice President and Executive Group Publisher: Richard Swadley
Vice President and Publisher: Neil Edde
Supervising Producer, Vertical Websites: Richard Graves
Book Designers: Judy Fung and Bill Gibson
Compositor: Craig Woods, Happenstance Type-O-Rama
Proofreader: Josh Chase, Word One New York
Project Coordinator, Cover: Katherine Crocker
Cover Designer: Ryan Sneed

Copyright © 2012 by John Wiley & Sons, Inc., Indianapolis, Indiana
Published simultaneously in Canada
ISBN: 978-1-118-43199-3

No part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning or otherwise, except as permitted under Sections 107 or 108 of the 1976 United States Copyright Act, without either the prior written permission of the Publisher, or authorization through payment of the appropriate per-copy fee to the Copyright Clearance Center, 222 Rosewood Drive, Danvers, MA 01923, (978) 750-8400, fax (978) 646-8600. Requests to the Publisher for permission should be addressed to the Permissions Department, John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030, (201) 748-6011, fax (201) 748-6008, or online at http://www.wiley.com/go/permissions.

Limit of Liability/Disclaimer of Warranty: The publisher and the author make no representations or warranties with respect to the accuracy or completeness of the contents of this work and specifically disclaim all warranties, including without limitation warranties of fitness for a particular purpose. No warranty may be created or extended by sales or promotional materials. The advice and strategies contained herein may not be suitable for every situation. This work is sold with the understanding that the publisher is not engaged in rendering legal, accounting, or other professional services. If professional assistance is required, the services of a competent professional person should be sought. Neither the publisher nor the author shall be liable for damages arising herefrom. The fact that an organization or Web site is referred to in this work as a citation and/or a potential source of further information does not mean that the author or the publisher endorses the information the organization or Web site may provide or recommendations it may make. Further, readers should be aware that Internet Web sites listed in this work may have changed or disappeared between when this work was written and when it is read.

For general information on our other products and services or to obtain technical support, please contact our Customer Care Department within the U.S. at (877) 762-2974, outside the U.S. at (317) 572-3993 or fax (317) 572-4002.

Wiley publishes in a variety of print and electronic formats and by print-on-demand. Some material included with standard print versions of this book may not be included in e-books or in print-on-demand. If this book refers to media such as a CD or DVD that is not included in the version you purchased, you may download this material at http://booksupport.wiley.com. For more information about Wiley products, visit www.wiley.com.

TRADEMARKS: Wiley, the Wiley logo, and the Sybex logo are trademarks or registered trademarks of John Wiley & Sons, Inc. and/or its affiliates, in the United States and other countries, and may not be used without written permission. All other trademarks are the property of their respective owners. John Wiley & Sons, Inc. is not associated with any product or vendor mentioned in this book.

10 9 8 7 6 5 4 3 2 1
Contents

Introduction to CCNA Virtual Lab, Titanium Edition 3.0 Labs

Network Environment
  Lab 1.1: Loading a Network Layout
  Lab 1.2: Adding a Device to the Network Visualizer Screen
    Host
  Lab 1.3: Connecting Devices
    Lab Steps
  Lab 1.4: Network Cables
    Cable Thickness
  Lab 1.5: Disconnecting Devices
    Lab Steps
  Lab 1.6: Entering Configurations and Changing Console Screens
    Changing Console Screens
  Lab 1.7: Clearing a Network Visualizer Screen
  Lab 1.8: Network Configurations Window
    Password Lookups
  Lab 1.9: Preferences
    Background Color
    Other Colors

ICND1: Cisco IOS
  Lab 1.1: RouterSim and Cisco Devices
    Lab Steps
  Lab 1.2: Logging In and Out of a Cisco Router
    Lab Steps
  Lab 1.3: Overview of Router Modes
    Router Modes
    Lab Steps
  Lab 1.4: Editing and Help Features
    Lab Steps
  Lab 1.5: Using Shortcut Commands and Tab Completion in Gathering Basic Router Information
    Lab Steps
  Lab 1.6: Setting Passwords
    Lab Steps
  Lab 1.7: Encrypting Your Passwords
    Lab Steps
  Lab 1.8: Saving Your Configurations
  Lab 1.9: Setting Router Banners
  Lab 1.10: Configuring Interfaces for the 2621 Router
    Lab Steps
  Lab 1.11: Configuring Interfaces for the 2811 Router
    Lab Steps
  Lab 1.12: Configuring Interfaces for the 3560 Switch
    Lab Steps
  Lab 1.13: Bringing Up an Interface
    Lab Steps
  Lab 1.14: Configuring an IP Address on an Interface
    Lab Steps
  Lab 1.15: Serial Interface Commands
    Lab Steps
  Lab 1.16: Setting the Router Hostnames
    Lab Steps
  Lab 1.17: Setting Interface Descriptions
    Lab Steps
  Lab 1.18: Verifying Your Configuration
    Lab Steps
  Lab 1.19: do Command
    Lab Steps

IP Routing
  Lab 2: Introduction to IP Routing
  Lab 2.1: Configuring the SDM for the 2811 Router
    Lab Steps
  Lab 2.2: Connecting to the SDM Using the 2811 Router
    Lab Steps
  Lab 2.3: Configuring an Interface with SDM
    Lab Steps
  Lab 2.4: Configuring a DHCP Pool with SDM
    Lab Steps
  Lab 2.5: Configuring Other Items with SDM
    Lab Steps
  Lab 2.6: Verifying Your Configurations with SDM
    Lab Steps
  Lab 2.7: Configuring the Routers
    Lab Steps
  Lab 2.9: Configuring Static Routing
    Lab Steps
  Lab 2.10: Verifying Static Routing
    Lab Steps
  Practice Scenario: Basic Cisco Router Operations
  Lab 2.11: Configuring and Verifying the Hosts
    Lab Steps
  Lab 2.12: Configuring Default Routing
    Lab Steps
  Lab 2.13: Verifying Default Routing
  Practice Scenario: Basic Cisco Router Operations
  Lab 2.14: Configuring RIPv2
    Lab Steps
  Lab 2.16: Using Traceroute
    Lab Steps
  Lab 2.17: Using Debug with a RIPv2 Network
    Lab Steps
  Lab 2.18: Configuring and Verifying a Loopback Interface
    Lab Steps
  Lab 2.19: Using ARP (Address Resolution Protocol)
    Lab Steps

Managing a Cisco Internetwork
  Lab 3: Introduction to Managing a Cisco Internetwork
  Lab 3.1: Password Recovery Techniques
    Lab Steps
  Lab 3.11: Configuring IGRP Routing
    Lab Steps
  Lab 3.12: Verifying IGRP Routing
    Lab Steps
  Lab 3.2: Backing Up the Cisco IOS
    Lab Steps
  Lab 3.3: Restoring or Upgrading the Cisco Router IOS
    Lab Steps
  Lab 3.4: Backing Up the Cisco Configuration
    Lab Steps
  Lab 3.5: Restoring the Cisco Router Configuration from a TFTP Server
    Lab Steps
  Lab 3.6: Using the Cisco Discovery Protocol to Gather Information about Neighbor Devices
    Lab Steps
  Lab 3.7: Using Telnet
    Lab Steps
  Lab 3.8: Using Secure Shell in Place of Telnet
    Lab Steps
  Lab 3.9: Verifying Secure Shell in Place of Telnet
    Lab Steps
  Lab 3.10: Creating a Hosts Table on a Router and Resolving Host Names to IP Addresses
    Lab Steps

Configuring the Catalyst Switch
  Lab 4: Introduction to Configuring the Catalyst Switch
  Lab 4.1: Connecting to the 1900 Switch and Setting Passwords
    Lab Steps
  Lab 4.2: Configuring the 1900 Switch
    Set the Hostname
    Lab Steps
    Configure the IP Address
    Configure Interfaces
    Configure Interface Descriptions
    View Interface Descriptions
  Lab 4.3: Configuring the 1900 Switch Port Duplex
    Lab Steps
  Lab 4.4: Verifying 1900 Switch IP Connectivity
    Lab Steps
  Lab 4.5: Erasing the 1900 Switch Configuration
    Lab Steps
  Lab 4.6: Utilizing the 2950 and 2960 Switch
  Lab 4.7: Setting Passwords on the 2950/2960 Switch
    Lab Steps
  Lab 4.8: Configuring the 2950/2960 Switch
    Set the Hostname
    Lab Steps
    Configure the IP Address
    Configure Interfaces
  Lab 4.9: Verifying 2950/2960 Switch IP Connectivity
  Lab 4.10: Saving and Erasing 2950/2960 Switch Configuration
    Lab Steps
  Lab 4.11: Utilizing the 3550 and 3560 Switch
  Lab 4.12: Setting Passwords on the 3550/3560 Switch
    Lab Steps
  Lab 4.13: Configuring the 3550/3560 Switch
    Set the Hostname
    Lab Steps
    Configure the IP Address
    Configure Interfaces
  Lab 4.14: Verifying 3550/3560 Switch IP Connectivity
  Lab 4.15: Saving and Erasing the 3550/3560 Switch Configuration

NAT
  Lab 5: Introduction to Network Address Translation (NAT)
  Lab 5.1: Configuring Your Routers
    Setting Up the NAT Lab Creates an Address Pool
    Lab Steps

Switch Security
  Lab 6.1: Configuring Switch Security
  Lab 6.2: Verifying Switch Security
    Lab Steps

Individual Labs (Comprehensive)
    Lab Steps
    Launching SDM via Host A
    Configure IP Address Using SDM
    Configure DHCP Pool with the SDM
    Using the SDM to Configure Other Items
    Verify Router Configurations
  Individual Lab: Configuring Routers
    Lab Steps
  Individual Lab: Configuring the 1900 Switch
    Lab Steps
    Setting the Hostname
    Configuring an IP Address
    Configuring Interfaces
    Configuring Interface Descriptions
    Configuring Port Duplex
    Grade Me
    Erasing the Configuration
  Individual Lab: Configuring 2950 Switch
    Lab Steps
    Setting the Hostname
    Configuring IP Address Information
    Configuring Interfaces
    Verifying the IP Connectivity
    Grade Me
    Saving and Erasing Your Configurations
  Individual Lab: Configuring the 2960 Switch
    Lab Steps
    Setting the Hostname
    Configuring IP Address Information
    Configuring Interfaces
    Verifying the IP Connectivity
    Grade Me
    Saving and Erasing Your Configuration
  Individual Lab: Static Routing
    Lab Steps
  Individual Lab: Telnet
    Lab Steps
  Individual Lab: Using the Cisco Discovery Protocol to Gather Information about Neighbor Devices
    Lab Steps
  Individual Lab: Working with a Router Interface
    Lab Steps
    Configuring an IP Address on an Interface
    Serial Interface
    Setting an Interface Description
  Individual Lab: Configuring Hosts
    Lab Steps

ICND2

RIP - IPv6
  Lab 1.1: Configuring RIP Routing
    Lab Steps
  Lab 1.2: Verifying RIP Routing
    Lab Steps
  Lab 1.3: Configuring IPv6 Static Routing
    Address Types
    Unicast Types
    IPv6 Bits
    Lab Steps
  Lab 1.4: Verifying IPv6 Static Routing
    Lab Steps
  Practice Scenario: Basic Cisco Router Operations
    Troubleshooting IPv6 Static Routing (use Practice Scenario: … Troubleshooting IPv6 …)
    Turn On Hostnames
    Scenario Task
  Lab 1.5: Configuring RIP IPv6 Routing (RIPng)
    Lab Steps
  Lab 1.6: Verifying RIP IPv6 Routing (RIPng)
    Lab Steps

Cisco Wide Area Networks (WAN)
  Lab 2: Introduction to Cisco Wide Area Network Support
  Lab 2.1: Configuring PPP Encapsulation
    Lab Steps
  Lab 2.2: Verifying PPP Encapsulation
    Lab Steps
  Lab 2.3: Configuring PPP Authentication with CHAP
    Lab Steps
  Lab 2.4: Verifying PPP with Authentication
    Lab Steps
  Lab 2.5: Understanding Frame Relay Configuration
    Frame Relay Uses Virtual Circuits
    Configuring Frame Relay Encapsulation
    Frame Relay DLCI
    Frame Relay LMI
    Subinterfaces with Frame Relay
  Lab 2.6: Configuring Frame Relay Switching
    Lab Steps
  Lab 2.7: Configuring Frame Relay with Subinterfaces
    Lab Steps
  Lab 2.8: Verifying Frame Relay
    Lab Steps

EIGRP
  Lab 3: Introduction to EIGRP
  Lab 3.1: Configuring EIGRP Routing
    Lab Steps
  Lab 3.2: Verifying EIGRP Routing
  Lab 3.3: Configuring EIGRP Wild Card Masks
    Lab Steps
  Lab 3.4: Verifying EIGRP Wild Card Mask Configurations
    Lab Steps
  Lab 3.5: Configuring EIGRP Authentication
    Lab Steps
  Lab 3.6: Verifying EIGRP Authentication
    Lab Steps
  Lab 3.7: Configuring Advanced Commands with EIGRP

OSPF
  Lab 4: Introduction to OSPF
  Lab 4.1: Configuring Single Area OSPF
    Lab Steps
  Lab 4.2: Verifying Single Area OSPF
  Lab 4.3: OSPF Authentication
    Lab Steps
  Lab 4.4: Stub Area Configuration
    Lab Steps
  Lab 4.5: Totally Stub
    Lab Steps
  Lab 4.6: OSPF DR and BDR Elections
    Lab Steps

Virtual LANs (VLANs)
  Lab 5: Introduction to Virtual LANs
  Lab 5.1: Configuring VLANs on a 1900 Switch
    Lab Steps
  Lab 5.3: Configuring VLANs on a 3550 Switch
    Lab Steps
  Lab 5.4: Configuring Trunk Ports and VTP Domain on a 3550 Switch
    Lab Steps
    Configure VTP Domain
  Lab 5.5: Configuring VLANs on a 3560 Switch
    Lab Steps
  Lab 5.6: Configuring Trunk Ports and VTP Domain on a 3550 Switch
    Configure Trunk Ports
    Lab Steps
    Configure VTP Domain
  Lab 5.7: IntraVLAN and InterVLAN Routing
    Lab Steps

Access Lists
  Lab 6: Introduction to Managing Traffic with Access Lists
  Lab 6.1: Standard IP Access-Lists
  Lab 6.2: Verifying Standard IP Access-Lists
    Lab Steps
  Lab 6.3: Applying an Access-List to a VTY Line
    Lab Steps
  Lab 6.4: Extended IP Access-Lists
    Lab Steps
  Lab 6.5: Verifying Extended IP Access-Lists
    Lab Steps
  Lab 6.6: Removing Extended IP Access-Lists
    Lab Steps
  Practice Scenario: NAT and ACLs
    Configuring ACLs for Telnet and SSH
    Turn On Hostnames
    Scenario Task

NAT/PAT
  Lab 7.1: Configuring Dynamic NAT
    Lab Steps
  Lab 7.2: Configuring PAT
    Lab Steps
  Lab 7.3: NAT/PAT Final Configuration Exercise
    Lab Steps

VLSM with Summarization
  Lab 8.1: VLSM with Summarization Lab—Configuring Routers
    Lab Steps
  Lab 8.2: VLSM with Summarization Lab—Configuring Hosts
    Lab Steps
  Lab 8.4: VLSM with Summarization Lab—Configuring EIGRP with Discontiguous Networking
    Lab Steps
  Lab 8.5: VLSM with Summarization Lab—Configuring Summarization
    Lab Steps

Individual Labs (Comprehensive)
  Introduction to Individual Labs
    Grading
  Individual Lab: RIP Routing
    Lab Steps
    Verify Configurations
    RIPv2
    Verify Configurations
  Individual Lab: IPv6 Static Routing
    Lab Steps
    Verifying IPv6 Static Routing
  Individual Lab: RIP IPv6 Routing (RIPng)
    Lab Steps
    Verifying RIP IPv6 Routing (RIPng)
  Individual Lab: PPP Encapsulation
    Lab Steps
    Verifying PPP Encapsulation
    Configuring PPP Authentication with CHAP
    Verifying PPP with Authentication
  Individual Lab: Frame Relay Switching
    Understand Frame Relay
    Configuring Frame-Relay
    Lab Steps
    Configuring Frame Relay with Subinterfaces
    Verifying Frame Relay
  Individual Lab: EIGRP Routing
    Lab Steps
    Verifying EIGRP
  Individual Lab: Single Area OSPF
    Lab Steps
    Verify OSPF
  Individual Lab: OSPF DR and BDR Elections
    Lab Steps
  Individual Lab: Configuring VLANs
    Lab Steps
    Setting Up VLANs
    Setting Up Trunk Ports
    Configuring VTP Domain
    IntraVLAN and InterVLAN Routing
  Individual Lab: Configuring VLANs on a 1900 Switch
    Lab Steps
    Configuring Trunk Ports
    Configuring Inter-Switch Link (ISL) Routing
    Grade Me
  Individual Lab: Standard IP Access-Lists
    Lab Steps
    Configuring Hosts E and F
    Configuring Switches
    Verifying Standard IP Access-Lists
    Applying an Access-List to a VTY Line
  Individual Lab: Extended IP Access-Lists
    Lab Steps
    Configuring Hosts E and F
    Configuring Switches
    Verifying Extended IP Access-Lists
    Removing Extended IP Access-Lists
  Individual Lab: Network Address Translation (NAT) and Port Address Translation
    Setting Up the NAT Lab
    Lab Steps
    Dynamic NAT
    Configuring PAT
  Individual Lab: VLSM with Summarization
    Lab Steps
    Configuring Hosts
    Verify Configurations
    Configuring EIGRP with Discontiguous Networking
    Configuring Summarization
    Verifying Summarization

Net Assessment
  Lab 1.1: Introduction to Net Assessment
    For Instructors
    For Individuals
  Lab 1.2: Making Changes and Inserting Instructions
    Lab Steps
  Lab 1.3: Loading Net Assessment
  Lab 1.4: Creating a Net Assessment Template
    Lab Steps
  Lab 1.5: Net Assessment—Editing Values
    Lab Steps
  Lab 1.6: Net Assessment—Creating a Test Network
    Lab Steps
  Lab 1.7: Net Assessment—Assessing a Test Network
    Lab Steps
  Lab 1.8: Advanced Values Editing
  Lab 1.9: Edit Values—Changing a Selected Value
  Lab 1.10: Edit Values—Randomizing a Selected Value
  Lab 1.11: Edit Values—Removing a Selected Value
  Lab 1.12: Edit Values—Auto-Selecting and Randomizing Any Value Exceeding the Number of Configurations
  Lab 1.13: Edit Values—Auto-Selecting and Removing Any Value

Create Your Own Custom Labs
  Lab 1.1: Creating a Custom Lab
    Lab Steps
Introduction to CCNA Virtual Lab, Titanium Edition 3.0 Labs

This program contains all the labs available for CCNA Virtual Lab, Titanium Edition 3.0.

Navigation
When you load the online documentation, a tree list on the left side of the screen allows you to navigate quickly from one section and lab topic to another. Click a book to expand the list of labs for that section; a “?” icon then appears to the left of each topic. Click a topic title to display the lab content on the right side of the screen.

Types of Labs

CCNA Labs and Supporting Material

ICND1 and ICND2 Labs
The presentation of CCNA™ labs has been reorganized into two areas. Individuals preparing for the Cisco® ICND1 (640-822) exam can easily bring up documentation and networks for the 75 labs that help prepare them. Those preparing for the Cisco ICND2 (640-816) exam will find their 78 labs and networks organized the same way in their own section.

Practice Scenarios
Studying for the Cisco CCNA exam is challenging, and deciding which exam topics to study is difficult. This program assists you by providing Practice Scenarios designed around the CCNA exam topics; testing yourself with them builds the confidence you need for the exam. After you go through the accumulative and/or Individual labs, you can use the scenarios to test your problem-solving and troubleshooting skills. In each scenario you are presented with a partially or incorrectly configured network, and your task is to read the instructions and correct the situation. These are gradable labs. They can be found in two places on the menu tree: interspersed among the accumulative labs, where each scenario follows the concept and hands-on lab(s) it tests, and collected in their own section so that you can choose any scenario quickly instead of hunting for it among the accumulative labs.

Individual Labs
We also offer CCNA labs that stand on their own, are comprehensive and self-contained, and do not require configurations from prior labs. These labs are typically longer than the accumulative labs because you start with a non-configured network each time you bring up an Individual lab and configure it completely, from beginning to end. We provide step-by-step instructions for these labs. These are gradable labs.

Net Assessment
This feature allows you to test and evaluate your CCNA problem-solving and troubleshooting skills. It is a powerful and flexible tool for teachers, students and individuals alike: you can grade yourself or, if you are an instructor, grade your students. Eight labs walk you through an example of using Net Assessment, and seven additional labs cover its more sophisticated methods of altering values.

Accumulative Labs
We provide step-by-step labs that, for the most part, build on each other. Fourteen different network layouts are presented within these labs. When you start a new section and encounter a new network layout, you are asked to save your work. Save the layout under another name so that you always have a non-configured network to fall back on; for example, save the original network layout, Standard Layout, as My Standard Layout.
Network Layouts

Loading a Network Layout
1. On the Network Visualizer screen, click the File menu and then click Open.
2. When the dialog box appears, make sure you are in the Networks folder.
3. Find and click the file name, then click OK.

Custom Labs
With CCNA Virtual Lab, Titanium Edition 3.0, you can create your own labs and make them available for others to use; they appear off the main menu of the Network Visualizer screen. You can also embed instructions into your labs/networks. Create the instructions with a third-party program such as a text editor, word processor, HTML editor or spreadsheet program.
Network Environment
Lab 1.1: Loading a Network Layout
There are three types of network layouts that you can load with this program.

Accumulative Labs
In our lab documentation we provide step-by-step labs that, for the most part, build on each other. Within the accumulative labs there are a handful of different network layouts that you will load; each is specific to the tasks you will encounter in the labs.
1. On the Network Visualizer screen, click the File menu and then click Open.
2. When the dialog box appears, make sure you are in the Networks folder.
3. Find and click the file name, then click Open.

Individual Labs
We also offer labs that stand on their own, are self-contained, and do not require configurations from prior labs. These labs are typically larger than the accumulative labs because you start with a non-configured network each time you bring up an Individual lab and configure it completely, from beginning to end. We provide step-by-step instructions for these labs. Some labs require extensive configurations; instead of entering them manually, you can copy and paste a script into the console, which saves you from typing each command if you do not care to.

Practice Scenarios
Studying for the Cisco® CCNA exam is challenging, and deciding which exam topics to study is difficult. We assist you by providing Practice Scenarios designed around the CCNA exam topics; testing yourself with them builds the confidence you need for the exam. After you go through the accumulative and/or Individual labs, you can use the scenarios to test your problem-solving and troubleshooting skills. In each scenario you are presented with a partially or incorrectly configured network, and your task is to read the instructions and correct the situation. They can be found in two places on the menu tree: interspersed among the accumulative labs, where each scenario follows the concept and hands-on lab(s) it tests, and collected in their own section so that you can choose any scenario quickly instead of hunting for it among the accumulative labs.

Custom Networks
With this program, you can create your own labs and distribute them to others so that they show up on their menus. They are loaded from the Network Visualizer menu.
Lab 1.2: Adding a Device to the Network Visualizer Screen
This program offers several devices that you can use in our network layouts or in networks that you create. The devices and their features are:

Host
1900 Switch: 12 10BaseT switched ports and two FastEthernet switched ports.
2621 Router: Enterprise edition 12.x software; two FastEthernet interfaces and two serial interfaces.
2811 Router: Enterprise edition 12.4 software; four serial ports and two FastEthernet ports.
2950 Switch: 12 FastEthernet 10/100 ports to help you build your LANs and VLANs.
2960 Switch: eight FastEthernet ports and one GigabitEthernet port.
3550 Switch: 10 FastEthernet 10/100 ports.
3560 Switch: eight FastEthernet ports and one GigabitEthernet port.
These devices are represented by device buttons at the top of the Network Visualizer screen.

Description of Toolbar Buttons
• New Network Visualizer screen
• Load a network
• Save a network
• Print network layout
• Clear all devices off the Network Visualizer screen
• Insert a file into the network (for example a text file, Microsoft Word file, PDF file or graphic file)
• Insert a host onto the Network Visualizer screen
• Insert a new 2621 router onto the Network Visualizer screen
• Insert a new 2811 router onto the Network Visualizer screen
• Insert a new 1900 switch onto the Network Visualizer screen
• Insert a new 2950 switch onto the Network Visualizer screen
• Insert a new 2960 switch onto the Network Visualizer screen
• Insert a new 3550 switch onto the Network Visualizer screen
• Insert a new 3560 switch onto the Network Visualizer screen
• Display the Net Assessment window
• Display the Net Configs window
• Display the Net Packet Monitor window

To add one or more of any device, click the device button that corresponds to the host, router, or switch. A new object appears in the left corner of the Network Visualizer screen; drag and drop it wherever you want. Devices are labeled sequentially. For example, if you click the 2811 device button, 2811 Router A appears on the screen. If you click the button again, 2811 Router B appears, then 2811 Router C, and so on. There is no fixed limit on the number of devices that can be added to a Network Visualizer screen; you are limited only by your computer's resources.
Lab 1.3: Connecting Devices
Once you have placed devices onto the Network Visualizer screen, only a couple of steps are required to connect them. They need to be connected so that the program knows they are in the same network; all devices must be connected into the same network for you to both configure them and test for connectivity. In the following example, we connect serial interface 0/0/0 of 2811 Router A to serial interface 0/0/1 of 2811 Router B.

Lab Steps
1. Right-click 2811 Router A. A graphical representation of its ports appears on top of 2811 Router A.
2. Place your mouse over interface serial 0/0/0 and click the left mouse button.
3. As soon as you click a port, the large graphic disappears and a line is attached to the cursor. Move the cursor over to 2811 Router B and click the right mouse button.
4. When the graphical representation of the ports for 2811 Router B appears, click interface serial 0/0/1.

The large graphic disappears and you should see 2811 Router A and 2811 Router B connected with a serial cable. You have the option of viewing interface labels: on the Network Visualizer screen click View and then Hostnames.
Lab 1.4: Network Cables
This program provides three different types of cables that can be used when creating networks.

Straight-Through is GREEN in color in our program and provides connectivity from hosts to switches and from routers to switches. This is a twisted-pair cable that uses RJ-45 connectors.

Cross-Over is WHITE in color in our program and is used to connect switch to switch and router to router on an Ethernet port. It cannot be used to connect hosts to switches or switches to routers.

Serial WAN is RED in color in our program and is represented by a lightning bolt. It simulates a serial WAN connection and can only be attached to serial interfaces on a router. These links are point-to-point and connect router to router only, via their serial ports; they cannot be used to connect to switches or hosts.

WAN connection: A network connection through routers that joins two geographically distant networks. It typically connects several local area networks (LANs), usually through the Internet.

Cable Thickness
You can change the thickness of the cables used in your network. On the Network Visualizer screen, click the View menu, point to Line Thickness, and then select one of the three levels of line thickness.

Here is a network that displays the smallest thickness of cables.
Here is a network that displays the largest thickness of cables.

Lab 1.5: Disconnecting Devices
Any network cable can be disconnected. If you want to remove several cables from a device, you must do so one by one. In the following example, we disconnect the serial cable between 2811 Router A and 2811 Router B.

Lab Steps
1. Place your cursor over 2811 Router A and click the right mouse button.
2. Place your cursor over the cable connector for interface serial 0/0/0 and click the left mouse button.
3. You will be asked to confirm that you want to remove the cable from the port. Click the Yes button.
4. The cable is removed and you are left with two disconnected routers.
Lab 1.6: Entering Configurations and Changing Console Screens
15
Lab 1.6: Entering Configurations and Changing Console Screens Configurations are entered through a console screen. Only one console screen displays at a time, however, you can display a separate console screen for any router or switch in your network.
1.
Place a couple 2811 routers onto a Network Visualizer screen.
2.
Place your cursor over 2811 Router A and double-click you left mouse button. A console screen will appear.
16
Network Environment
3.
When you first start out with a network you will need to press Enter to display the User mode. From there you can change modes and enter configurations, ping, telnet, and perform show commands.
4.
Type enable and press Enter to go to the Privileged mode.
5.
Type config t and press Enter so that you can enter Global Configuration mode. You will enter your configurations in this mode and in other modes such as Interface mode.
Changing Console Screens You can use the menu system on the console screen to view the consoles for any device on the Network Visualizer screen. In the following example we have a 3550 and 3560 switch on the Network Visualizer screen.
In this example you want to go from the console of the 3550 Switch A, to the console of the 3560 Switch A. Click View on the menu, put your mouse over Console, go down and find the desired type of device (in this case it is Switch 3560), and then choose 3560 Switch A.
Lab 1.7: Clearing A Network Visualizer Screen There are two ways to clear a Network Visualizer screen.
• Click the Edit menu and then select Clear.
• You can also click the trash can icon on the tool bar.
You will be asked to confirm that you want to clear the current network layout.
Lab 1.8: Network Configurations Window You can view the configurations for all devices on your Network Visualizer screen. To view the Network Configs screen, click the Tools menu, and then Net Configs.
Or click the Net Configs button on the button bar. The Net Configs screen will appear.
Password Lookups You may forget passwords that you enter while configuring devices. You can look them up by clicking the Net Configs button.
You can display the console screen for any device listed in the Net Configs window. Double-click on the name of any device.
Lab 1.9: Preferences There are two preferences that you can set for the look and feel of this program.
• Background color of the Network Visualizer screen
• Autosize the Network Visualizer screen when you load a network
The Preferences window can be displayed by clicking Tools on the Network Visualizer screen, then Preferences.
Background Color You can easily change the background of your Network Visualizer screen. Eighteen basic colors are available for the background. If you click the Default button, your screen will display a dark navy blue.
Other colors If you want to choose another color, click on the Other button.
ICND1: Cisco IOS
Lab 1.1 RouterSim and Cisco Devices In this program you now have the option of also using traditional Cisco® graphical devices. You can create networks from scratch using several types of devices; however, you cannot mix them. The program will display all RouterSim devices or all Cisco® graphical devices. You can load existing network layouts and easily change their appearance.
Lab Steps 1.
On the Network Visualizer menu click View and then select Cisco Devices from the drop down menu.
Network Layout Load CiscoIOS Layout.rsm before going through the following lab.
1. On the Network Visualizer screen, click on the File menu and then click Open.
2. When the dialog box appears, make sure you are in the Networks folder.
3. Click on the file CiscoIOS Layout.rsm and click Open. You should see the following non-configured network:
By default you will see Routersim devices on any network layout that comes with this program.
The network shown at the top of the lab quickly changes and Cisco® devices are displayed. If you display the device list, it will now display Cisco® devices.
2. You can change back and display RouterSim devices. On the Network Visualizer menu click View and then select RouterSim Devices from the drop down menu.
Lab 1.2: Logging In and Out of a Cisco Router In this lab you bring up a router console and learn how to log in using the enable and disable commands.
Network Layout Load the network layout you have been working with for labs in section 1.
Lab Steps 1.
On the Network Visualizer screen, double-click on 2811 Router A. This will bring up a console screen. You interact with each device through the console screen. You will enter all your CLI commands such as configuring a device, testing connectivity, and displaying output.
Connectivity In a network, connectivity refers to the ability of a source device, such as a router, to reach a remote device, such as another router. If you ping a remote router and the ping is unsuccessful, you have no connectivity. If your ping is successful, you have connectivity.
Output Information that is displayed on the console screen after you enter a show command. For example, if you enter the command show run, you get the following output:
    Building configuration...
    Current configuration : 874 bytes
    !
    version 12.4
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    !
    hostname Router
    !
    [output cut]
2. Press Enter and the Router> prompt will appear. You are now in the User mode. This mode is mostly used to view statistics, though it is also a stepping-stone to logging into Privileged mode. You can only view and change the configuration of a Cisco router in Privileged mode, which you enter with the enable command.
    Router>
    Router>enable
    Router#
3. You now end up with a Router# prompt, which indicates you are in Privileged mode. You can both view and change the configuration in Privileged mode. You can go back from Privileged mode to User mode by using the disable command.
    Router#disable
    Router>
4. At this point you can type logout to exit the console.
    Router>logout
    Router con0 is now available
    Press RETURN to get started.
5. Or you could just type logout or exit from the Privileged mode prompt to log out.
    Router>enable
    Router#logout
    Router con0 is now available
    Press RETURN to get started.
Lab 1.3: Overview of Router Modes It is important to understand the different prompts you can find when configuring a router so you can know where you are at any time within Configuration mode. In this lab, the prompts that are used on a Cisco router will be demonstrated. Always check your prompts before making any changes to a router’s configuration.
Network Layout Load the network layout you have been working with for labs in section 1.
Router Modes Depending on what you want to do, you can go to different mode levels interacting with interfaces and devices. Most commands are mode specific. That means that many commands work in one mode but not another. That is why you have to change modes, depending on what command you want to enter. However, with the do command you can now enter privileged mode commands in Global Configuration mode. This works on the 2811 router (IOS version 12.4) and the 2960 and 3560 switch (IOS version 12.2 SE). The following chart displays the different modes you will encounter.
Mode: User
Prompt: Router>
Typical Use: Usually the first login prompt when logged in to a Cisco router. Minimal, fundamental set of non-configuration commands in this mode. Only basic router information is given in this mode. Show commands can be given, which will result in output displayed in the console screen. Only information about the device is given.

Mode: Privileged
Prompt: Router#
Typical Use: This mode is accessed by using the enable command from User mode. You can quit Privileged mode by using the disable command. Can be and should be protected by an enable or enable secret password. All router functionality can be accessed from this level. Ping interfaces. Telnet to devices. Show commands that display routing information, interface protocols, and the system's entire running configuration.

Mode: Global Configuration
Prompt: Router(config)#
Typical Use: Configure or make changes that affect the entire router. Change your device host name. Change passwords. Set up access lists.

Mode: Interface
Prompt: Router(config-if)#
Typical Use: Allows you to configure specific interfaces.

Mode: Routing Configuration
Prompt: Router(config-router)#
Typical Use: Allows you to configure the routing protocol.
Lab Steps 1.
On the Network Visualizer screen, double-click on 2811 Router A. This will bring up a console screen.
2. Press Enter and the Router> prompt will appear. You are now in the User mode.
3. Change to the Privileged mode.
    Router>
    Router>enable
4. To configure a device from the CLI, you can make global changes to the router by typing configure terminal (config t for short), which puts you in Global Configuration mode and changes what is known as the running-config. You can type config from the Privileged mode prompt and then just press Enter to take the default of terminal.
    Router#config
    Configuring from terminal, memory, or network [terminal]? (press Enter)
    Enter configuration commands, one per line.  End with CTRL/Z.
    Router(config)#
At this point you make changes that affect the router as a whole, hence the term Global Configuration mode. Notice the prompt is now Router(config)#.
5. To make changes to an interface, you use the interface command from Global Configuration mode.
    Router(config)#interface ?
      Async              Async interface
      BRI                ISDN Basic Rate Interface
      BVI                Bridge-Group Virtual Interface
      CTunnel            CTunnel interface
      Dialer             Dialer interface
      FastEthernet       FastEthernet IEEE 802.3
      Group-Async        Async Group interface
      Lex                Lex interface
      Loopback           Loopback interface
      MFR                Multilink Frame Relay bundle interface
      Multilink          Multilink-group interface
      Null               Null interface
      Tunnel             Tunnel interface
      Vif                PGM Multicast Host interface
      Virtual-Template   Virtual Template interface
      Virtual-TokenRing  Virtual TokenRing
      range              interface range command
    Router(config)#interface fastethernet 0/0
    Router(config-if)#
Notice the prompt changed to Router(config-if)# to tell you that you are in interface configuration.
6. Subinterfaces allow you to create virtual interfaces within the router. The prompt then changes to Router(config-subif)#.
    Router(config)#int f0/0.?
      <0-4294967295>  FastEthernet interface number
    Router(config)#int f0/0.1
    Router(config-subif)#
Type exit to go back to Global Configuration mode.
    Router(config-subif)#exit
    Router(config)#
7. To configure User mode passwords, use the line command. The prompt then becomes Router(config-line)#.
    Enter configuration commands, one per line.  End with CTRL/Z.
    Router(config)#line ?
      <0-70>   First Line number
      aux      Auxiliary line
      console  Primary terminal line
      tty      Terminal controller
      vty      Virtual terminal
    Router(config)#line console 0
    Router(config-line)#
The line console 0 command is known as a major, or global, command, and any command typed from the (config-line) prompt is known as a subcommand.
8. Type exit to go back to Global Configuration mode.
    Router(config-line)#exit
    Router(config)#
9. The line vty 0 1180 command is used to control inbound Telnet connections. This is part of a series of commands that you use to set passwords for interfaces so that you can set up interface security and telnet from one device to another.
    Router(config)#line vty 0 1180
    Router(config-line)#
10. Type exit to go back to Global Configuration mode.
    Router(config-line)#exit
    Router(config)#
11. To configure routing protocols like RIP, use the prompt (config-router)#.
    Router(config)#router rip
    Router(config-router)#
It is not important that you understand what each of these commands do at this time. These will all be explained later in greater detail. What you need to understand is the different prompts available. This program supports the line console and line vty commands.
12. Type Ctrl+Z to go back to Privileged mode. Control+Z is noted as ctrl+z.
    Router(config-router)#ctrl+z
    Router#
Lab 1.4: Editing and Help Features You can use the Cisco® advanced editing features to help you configure your router or switch. This lab will teach you how and where to use a question mark (?) from the CLI as well as how to use keystrokes to help you edit your command strings.
Network Layout Load the network layout you have been working with for labs in section 1.
Lab Steps
1. On the Network Visualizer screen, double-click on 2811 Router A. This will bring up a console screen.
2. Press Enter and the Router> prompt will appear. You are now in the User mode.
3. Change to the Privileged mode.
    Router>
    Router>enable
4. By using a question mark (?) at any prompt, you can see the list of commands available from that prompt.
    Router#?
    Exec commands:
      access-enable    Create a temporary Access-List entry
      access-profile   Apply user-profile to interface
      access-template  Create a temporary Access-List entry
      archive          manage archive files
      bfe              For manual emergency modes setting
      cd               Change current directory
      clear            Reset functions
      clock            Manage the system clock
      cns              CNS subsystem
      configure        Enter configuration mode
      connect          Open a terminal connection
      copy             Copy from one file to another
      debug            Debugging functions (see also 'undebug')
      delete           Delete a file
      dir              List files on a filesystem
      disable          Turn off privileged commands
      disconnect       Disconnect an existing network connection
      enable           Turn on privileged commands
      erase            Erase a filesystem
      exit             Exit from the EXEC
      help             Description of the interactive help system
     --More--
At this point, you can press the spacebar to get another page of information, or you can press Enter to go one command at a time. You can also press any other key to quit and return to the prompt.
Supported Commands in CCNA Virtual Lab, Titanium Edition 3.0 Commands supported in this program were specifically chosen to represent the most important commands needed in configuring networks and in preparing for the CCNA exam. When you enter a help command such as ?, you will see a complete list of IOS commands. However, not all are available and supported in this program. To view supported commands for CCNA Virtual Lab, Titanium Edition 3.0:
1. Bring up a console screen.
2. Click the View menu.
3. Click Supported Commands.
5. To find commands that start with a certain letter, use the letter and the question mark (?) with no space between them.
    Router#c?
    clear  clock  cns  configure  connect  copy  cd
    Router#c
Notice that by typing “c?”, we receive a response of all the commands that start with “c”. Also notice that the Router# prompt appeared with our command still present. This is helpful when you have long commands and need the next possible command.
6. To find the next command in a string, type the first command and then a question mark. Set the router’s clock by typing clock ? and following the help screens; set the router’s time and date.
    Router#clock ?
      set  Set the time and date
    Router#clock set ?
      hh:mm:ss  Current Time
    Router#clock set 10:30:10 ?
      <1-31>  Day of the month
      MONTH   Month of the year
    Router#clock set 10:30:10 28 ?
      MONTH  Month of the year
    Router#clock set 10:30:10 28 december ?
      <1993-2035>  Year
    Router#clock set 10:30:10 28 december 2007 ?
      <cr>
    Router#
By typing the clock command, then a space and a question mark, you will get a list of the next possible commands and what they do. Notice that we just kept typing a command, a space, and then a question mark until <cr> (carriage return) was our only option.
Type show clock to see the time and date you have set.
8.
If you are typing commands and receive this: Router#clock set 10:30:10 % Incomplete command.
Then you know that the command string is not complete. Just press the up arrow key to view the last command entered, then continue with the command by using your question mark. 9.
Also, if you receive this error: Router#clock shut 10:30:10 28 8 ^ % Invalid input detected at '^' marker.
You have entered the command incorrectly. The caret (^) marks the point where you have entered the command incorrectly. This is very helpful. 10. You may receive an error when you type in a command that the program cannot match
with any known command. For example, Router#sh s % Ambiguous command:
"sh s"
It means you did not enter all the keywords or values required by this command. Use the question mark to find the command you need.
    Router#sh s?
    scp  sessions  slm  smas  smf  snapshot  snmp  spanning-tree  stacks  standby  startup-config  subscriber-policy  subsys
11. Type show access-list 10. Don’t press Enter.
12. Notice the cursor is at the end of the line. Type Ctrl+A. This takes you to the beginning of the line.
13. Type Ctrl+E. This should take you back to the end of the line.
14. Type Ctrl+A, then type Ctrl+F. This should move you forward one character.
15. Type Ctrl+B, which will move you back one character.
16. Press Enter, then type Ctrl+P. This will repeat the last command.
17. Press the up arrow on your keyboard. This will also repeat the last command.
18. Use the show history command to see the last 10 commands entered on the router.
    Router#sh history
19. Use the show terminal command to verify the terminal history size.
    Router#sh terminal
20. The terminal history size command, used from Privileged mode, can change the size of the history buffer.
    Router#terminal history size ?
      <0-256>  Size of history buffer
    Router#terminal history size 25
21. Verify the change with the show terminal command.
    Router#sh terminal
22. Type terminal no editing. This turns off advanced editing. Repeat steps 9-13 to see that the shortcut editing keys have no effect.
23. Type terminal editing and press Enter to re-enable advanced editing.
24. Type sh run, then press your Tab key. This will finish typing the command for you.
Editing Command Table The following table displays the editing commands:

Command     Description
?           Gives you a help screen
Ctrl+A      Moves your cursor to the beginning of the line
Ctrl+D      Deletes a single character
Ctrl+E      Moves your cursor to the end of the line
Ctrl+F      Moves forward one character
Ctrl+R      Redisplays a line
Ctrl+U      Erases a line
Ctrl+W      Erases a word
Ctrl+Z      Ends configuration mode and returns to EXEC
Esc+B       Moves back one word
Esc+F       Moves forward one word
Backspace   Deletes a single character
Tab         Finishes typing a command for you
Lab 1.5: Using Shortcut Commands and Tab Completion in Gathering Basic Router Information In this lab you will learn about shortcut commands and the tab completion function. You will use these concepts and commands to gather basic information about a Cisco router.
Network Layout Load the network layout you have been working with for labs in section 1.
Lab Steps
1. On the Network Visualizer screen, double-click on 2811 Router A. This will bring up a console screen.
2. Press Enter and the Router> prompt will appear. You are now in the User mode.
3. Change to the Privileged mode.
    Router>
    Router>en
Shortcut Commands Most Cisco IOS commands do not have to be completely spelled out. To let you enter commands more quickly, each word in a command can be abbreviated. For example, the command enable can be shortened to en. Another example is the command show running-config; you can abbreviate that and just type sh run. A final example is the command show interfaces; you only need to type sh int. The router or switch knows what you mean and correctly interprets and carries out that command. You do need to type enough letters of each word in a command for the router or switch to correctly understand and interpret what you are trying to do. If you do not, you will receive feedback that one or more of your words are ambiguous. The reason is that the letters in one or more of the words in your command can be the start of several different words. In that case the device does not know what you want to do; there are too many possibilities. For example, type the following:
    Router#s ver
    Cisco IOS Software, 2800 Software (C2800NM-ADVIPSERVICESK9-M), Version 12.4(9)T1, RELEASE SOFTWARE (fc2)
    Technical Support: http://www.cisco.com/techsupport
    Copyright (c) 1986-2006 by Cisco Systems, Inc.
    [output cut]
    Router#s v
    % Ambiguous command: “show v”
2811 Router A recognized “s” to mean “show” but it did not recognize “v”.
Enter the following command:
    Router#s v?
    vc-group  version  vlan-range  vlan-switch  vlans  voice  voip  vpdn  vrrp  vsp  vtemplate  vtp
In this case “v” could be the first letter in 12 different words. On a real 2800 device you would get the output with 12 different words. This program does not have 12 different words; therefore, your output will be different. Try this:
    Router#s v?
    Version
    Router#s ver
    Cisco IOS Software, 2800 Software (C2800NM-ADVIPSERVICESK9-M), Version 12.4(9)T1, RELEASE SOFTWARE (fc2)
    Technical Support: http://www.cisco.com/techsupport
    Copyright (c) 1986-2006 by Cisco Systems, Inc.
    [output cut]
Enter the following command:
    Router#s v?
    % Incomplete command.
Try this:
    Router#s ve?
Now you only have one word, so the command s ve will work, along with sh ver, show ver, etc.
4. The command show version will provide basic configuration for the system hardware as well as the software version, the names and sources of configuration files, and the boot images.
    Router#sh ver [press the Tab key]
    Router#sh version
    Cisco IOS Software, 2800 Software (C2800NM-ADVIPSERVICESK9-M), Version 12.4(12), RELEASE SOFTWARE (fc1)
    Technical Support: http://www.cisco.com/techsupport
    Copyright (c) 1986-2006 by Cisco Systems, Inc.
    Compiled Fri 17-Nov-06 12:02 by prod_rel_team

    ROM: System Bootstrap, Version 12.4(13r)T, RELEASE SOFTWARE (fc1)

    Router uptime is 4 weeks, 6 days, 18 hours, 29 minutes
    System returned to ROM by power-on
    System image file is "flash:c2800nm-advipservicesk9-mz.124-12.bin"

    This product contains cryptographic features and is subject to United
    States and local country laws governing import, export, transfer and
    use. Delivery of Cisco cryptographic products does not imply
    third-party authority to import, export, distribute or use encryption.
    Importers, exporters, distributors and users are responsible for
    compliance with U.S. and local country laws. By using this product you
    agree to comply with applicable laws and regulations. If you are unable
    to comply with U.S. and local laws, return this product immediately.

    A summary of U.S. laws governing Cisco cryptographic products may be found at:
    http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

    If you require further assistance please contact us by sending email to
    [email protected].

    Cisco 2811 (revision 53.51) with 249856K/12288K bytes of memory.
    Processor board ID FTX1048A54G
    2 FastEthernet interfaces
    4 Serial(sync/async) interfaces
    DRAM configuration is 64 bits wide with parity enabled.
    239K bytes of non-volatile configuration memory.
    62720K bytes of ATA CompactFlash (Read/Write)

    Configuration register is 0x2102

    Router#
The version number can be found on the first line of output: Cisco IOS Software, 2800 Software (C2800NM-ADVIPSERVICESK9-M), Version 12.4(12), RELEASE SOFTWARE (fc1).
Tab Completion Function Most of the time you will use shortcut commands to configure devices because they are quick and convenient. However, if for any reason you want to enter all the words in a command, there is an alternative to manually entering every character. You can use the Tab Completion function to spell out any word. Just type part of the word and then press your tab key. It will complete the word. As shown in the earlier command in this lab you can type “sh ver” and press the tab key. The word “version” will be spelled out.
The show version command tells you how long the router has been running, how it was restarted, the IOS filename running, the model hardware and processor versions, and the amount of DRAM. Also, the configuration register value is listed last. The above router has 256 megabytes of RAM and 64 megabytes of Flash.
5. You can view the router files by typing the command show running-config or show startup-config from Privileged mode. The sh run command, which is the shortcut for show running-config, tells us that we are viewing the current configuration.
    Router#sh run
    Building configuration...
    Current configuration : 874 bytes
    !
    version 12.4
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    !
    hostname Router
    [cut]
6. The sh start command, which is the shortcut for the show startup-config command, shows us the configuration that will be used the next time the router is reloaded and also shows us the amount of NVRAM used to store the startup-config file.
    Router#sh start
    Building configuration...
    Current configuration : 874 bytes
    !
    version 12.4
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    !
    hostname Router
    [cut]
7. You can delete the startup-config file by using the command erase startup-config. Once you perform this command, you will receive an error if you try to view the startup-config file.
    Router#erase startup-config
    Erasing the nvram file system will remove all configuration files! Continue? [confirm] (press Enter)
    [OK]
    Erase of nvram: complete
    Router#
    00:13:30: %SYS-7-NV_BLOCK_INIT: Initialized the geometry of ... [cut]
8. Verify that you have erased the startup configuration.
    Router#sh start
    startup-config is not present
    Router#
Lab 1.6: Setting Passwords There are five passwords used to secure Cisco routers.
The first two passwords discussed in this lab are used to set your enable password, which is used to secure privileged mode. This will prompt a user for a password when the enable command is used. The other three are used to configure a password when user mode is accessed either through the console port, the auxiliary port, or Telnet.
Network Layout Load the network layout you have been working with for labs in section 1.
Lab Steps
1. On the Network Visualizer screen, double-click on 2811 Router A. This will bring up a console screen.
2. Press Enter and the Router> prompt will appear. You are now in the User mode.
3. Change to the Privileged mode.
    Router>
    Router>enable
4. Set the two enable passwords on your router. You set the enable passwords from Global Configuration mode.
    Router(config)#enable ?
      last-resort  Define enable action if no TACACS servers respond
      password     Assign the privileged level password
      secret       Assign the privileged level secret
      use-tacacs   Use TACACS to check enable passwords
The enable secret and enable password commands are the only enable passwords that are supported in our program at this time.
    Router(config)#enable secret todd
    Router(config)#enable password cisco
Since the enable secret supersedes the enable password, don’t bother to use the enable password, since it will never be used if the enable secret is set.
Set your user mode passwords by using the line command. Router(config)#line ?
<0-1502> First Line number aux
Auxiliary line
console
Primary terminal line
tty
Terminal controller
vty
Virtual terminal
x/y
Slot/Port for Modems
x/y/z
Slot/Subslot/Port for Modems
NN
NN
NN
NN
Router(config)#line Aux is used to set the user-mode password for the auxiliary port. This is typically used for configuring a modem on the router but can be used as a console as well.
Console is used to set a console user-mode password. Vty is used to set a Telnet password on the router. If the password is not set, then Telnet cannot be used by default. This program does not support the tty and x/y and x/y/y modem line commands.
To configure the User mode passwords, you configure the line you want and use either the login or no login command to tell the router whether to prompt for authentication.
6. Set the auxiliary password on your router. To configure the auxiliary password, go to Global Configuration mode and type line aux ?. Notice that you only get a choice of 0-0 because there is only one port.
    Router#config t
    Enter configuration commands, one per line.  End with CTRL/Z.
    Router(config)#line aux ?
      <0-0>  First Line number
    Router(config)#line aux 0
    Router(config-line)#login
    % Login disabled on line 65, until 'password' is set
    Router(config-line)#password todd
    Router(config-line)#login
It is important to remember the login command, or the auxiliary port won’t prompt for authentication. However, in the newer IOS that we are now running, the login command cannot be set until you set a password. The reason they added this feature is that if you set the login command and not a password, you are locked out from that line.
7. Set your console password on your router. To set the console password, use the line console 0 command. However, notice that when we tried to type line console 0 ? from the aux line configuration, we got an error. You can still type line console 0 and it will be accepted; however, the help screens do not work from that prompt. Type exit to go back one level if you want to use the help option.
    Router(config-line)#line console ?
    % Unrecognized command
    Router(config-line)#exit
    Router(config)#line console ?
      <0-0>  First Line number
    Router(config)#line console 0
    Router(config-line)#login
    % Login disabled on line 0, until 'password' is set
    Router(config-line)#password todd1
    Router(config-line)#login
Since there is only one console port, we can only choose line console 0. The new login feature works on the console line too.
8. Set the optional console port commands on your router. There are a few other important commands to know for the console port. The exec-timeout 0 0 command sets the timeout for the console EXEC session to zero, or to never time out. To have fun with your friends at work, set it to 0 1, which makes the console time out in 1 second! The way to fix that is to continually press the down arrow key while changing the timeout time with your free hand. Logging synchronous is a nice command, and I think it should be a default command, but it is not. What this command does is stop console messages from popping up and disrupting input you are trying to type. This command makes reading your input messages much easier.
Here is an example of how to configure both commands:
    Router(config)#line con 0
    Router(config-line)#exec-timeout ?
      <0-35791>  Timeout in minutes
    Router(config-line)#exec-timeout 0 ?
      <0-2147483>  Timeout in seconds
    Router(config-line)#exec-timeout 0 0
    Router(config-line)#logging synchronous
9. Set your Telnet password on your router. To set the User mode password for Telnet access into the router, use the line vty command.
    Router(config)#line vty 0 ?
      <1-4>  Last Line number
    Router(config)#line vty 0 1180
    Router(config-line)#password todd2
Notice we did not use the login command with this line configuration. The login command is set by default on the VTY lines, which stops anyone telnetting into the router until you set a password. If you try to telnet into a router that does not have a VTY password set, you will receive an error stating that the connection is refused because the password is not set. You can tell the router to allow Telnet connections without a password by using the no login command. By setting this next command, you will not be prompted for a password when telnetting into the router. This is not recommended, but this is how you would do that:
    Router(config-line)#line vty 0 4
    Router(config-line)#no login
    Router(config-line)#ctrl+z
    Router#
After your routers are configured with an IP address, you can use the Telnet program to configure and check your routers. You can use the Telnet program by typing telnet from any command prompt (DOS or Cisco).
Lab 1.7: Encrypting Your Passwords Only the enable secret password is encrypted by default. You need to manually encrypt the User mode and enable passwords.
Network Layout Load the network layout you have been working with for labs in section 1.
Lab Steps
1. On the Network Visualizer screen, double-click on 2811 Router A. This will bring up a console screen.
2. Press Enter and the Router> prompt will appear. You are now in the User mode. Change to the Privileged mode.
    Router>
    Router>enable
3.
Notice that you can see all the passwords except the enable secret when performing a show running-config command on a router. Router#sh run Building configuration...
54
ICND1: Cisco IOS
Current configuration : 874 bytes ! version 12.4 service timestamps debug uptime service timestamps log uptime no service password-encryption ! hostname Router ! enable secret 5 $1$F/gZ$mNTwylb4ZJ4J1WW97nUJG. enable password cisco ! [output cut] line con 0 password todd1 logging synchronous login line aux 0 password todd login line vty 0 4 password todd2 login line vty 5 15 password todd2 login ! ! end Router#
The line ... enable secret 5 $1$F/gZ$mNTwylb4ZJ4J1WW97nUJG shows an encrypted enable password. 4.
To manually encrypt your passwords, use the service password-encryption command. Here is an example of how to perform manual password encryption. Router#config t Enter configuration commands, one per line. Router(config)#service password-encryption Router(config)#exit
End with CTRL/Z.
5. With the show running-config command, you can see that the enable password and the line passwords are all encrypted. If you don’t type show running-config, it does not encrypt the passwords.

Router#show running-config
[cut]
hostname Router
!
enable secret 5 $1$F/gZ$mNTwylb4ZJ4J1WW97nUJG.
enable password 7 05080F1C2243
!
[cut]
!
line con 0
 password 7 111D16011343
 logging synchronous
 login
line aux 0
 password 7 044F04020B
 login
line vty 0 4
 password 7 051F090B251E
 login
line vty 5 15
 password 7 105A061D0145
 login
!
6. Since the service password-encryption is a router process, you do not want to keep this running in the background. Once you perform a show running-config and see the encrypted passwords, turn off the process. After entering the command no service password-encryption, your passwords will still be encrypted until they are reset.

Router#config t
Router(config)#no service password-encryption
Router(config)#ctrl+z
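The checks a practitioner runs over a saved running-config after this lab, as an added example (this is not code from the CCNA Virtual Lab product): it reports every enable or line password stored in clear text, every password 7 value (what service password-encryption produces; it is a reversible obfuscation rather than a hash, so it only hides the value from someone glancing at the screen), every VTY line configured with no login, and any line whose exec-timeout is disabled. The sample config is constructed from the show running-config output in this lab; the severity labels and function names are this example's own.

```python
"""Audit the passwords in a Cisco IOS running-config (added example)."""
import re

# Constructed sample, following the step 3 output of Lab 1.7, with one vty
# line changed to "no login" and an exec-timeout 0 0 added so that each
# check has something to report. Sub-commands are indented one space,
# as IOS prints them.
SAMPLE_CONFIG = """\
hostname Router
!
enable secret 5 $1$F/gZ$mNTwylb4ZJ4J1WW97nUJG.
enable password cisco
!
line con 0
 password todd1
 logging synchronous
 login
line aux 0
 password 7 044F04020B
 login
line vty 0 4
 password todd2
 no login
line vty 5 15
 exec-timeout 0 0
 password todd2
 login
!
end
"""

# Matches "enable password cisco", "password todd1" or "password 7 044F04020B".
# Group 1 is the encryption type digit when present; "secret 5" lines
# (MD5 hashes) are deliberately not matched.
PASSWORD_RE = re.compile(r"^(?:enable )?password(?: (\d))? (\S+)$")


def audit_passwords(config):
    """Return findings as (section, severity, message) tuples, in config order.

    The section is the enclosing "line ..." block, or "global" for
    commands at the top level of the configuration."""
    findings = []
    section = "global"
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line or line == "!":
            continue
        if not line.startswith(" "):            # top-level command
            section = line if line.startswith("line ") else "global"
        text = line.strip()
        m = PASSWORD_RE.match(text)
        if m:
            kind = m.group(1)
            if kind is None:
                findings.append((section, "high", "clear-text password"))
            elif kind == "7":
                findings.append((section, "medium",
                                 "type 7 password (reversible); prefer a secret"))
        elif text == "no login" and section.startswith("line vty"):
            findings.append((section, "high",
                             "telnet access without a password (no login)"))
        elif text == "exec-timeout 0 0":
            findings.append((section, "low", "session timeout disabled"))
    return findings


def worst_severity(findings):
    """Collapse a findings list to its highest severity, or "none"."""
    order = ["none", "low", "medium", "high"]
    return max((f[1] for f in findings), key=order.index, default="none")


if __name__ == "__main__":
    results = audit_passwords(SAMPLE_CONFIG)
    for section, severity, message in results:
        print(f"{severity:6} {section:14} {message}")
    print("overall:", worst_severity(results))
```

Run it against the output of show running-config saved to a file; a config that has only secret 5 lines and login on every VTY line produces no findings.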
Lab 1.8: Saving Your Configurations

If you have made changes to a device, you will want to permanently save the configuration. Your running configuration is only in memory, and if something happened, for example if you lost power to a device, you would lose all unsaved entries. That is why you want to save your running configuration (DRAM) to the permanently stored startup configuration (NVRAM). You can manually save the file from DRAM to NVRAM by using the copy running-config startup-config command. You can also use the shortcut copy run start.
Network Layout
Load the network layout you have been working with for labs in section 1.

Lab Steps

1. Save the configuration on 2811 Router A.

Router#copy run start
Destination filename [startup-config]?enter
Building configuration...

This will now place the file you created into NVRAM, which will be used the next time the router is booted up.

2. You can view this file with the show startup-config command.

Router#show start
Lab 1.9: Setting Router Banners

You can set a banner on a Cisco® router so that when either a user logs into the router or an administrator telnets into the router, for example, a banner will give them information you want them to have. Another reason for having a banner is to add a security notice to users dialing into your internetwork.

Network Layout
Load the network layout you have been working with for labs in section 1.

The command to use is from global configuration mode and is shown below:

Router(config)#banner ?
  LINE            c banner-text c, where 'c' is a delimiting character
  exec            Set EXEC process creation banner
  incoming        Set incoming terminal line banner
  login           Set login banner
  motd            Set Message of the Day banner
  prompt-timeout  Set Message for login authentication timeout
  slip-ppp        Set Message for SLIP/PPP

This program only supports the MOTD banner.

Lab Steps
1. On the Network Visualizer screen, double-click on 2811 Router A. This will bring up a console screen.

2. The Message of the Day is the most used and gives a message to every person dialing in or connecting to the router, via Telnet, auxiliary port, or console port.

Router(config)#banner motd ?
  LINE  c banner-text c, where 'c' is a delimiting character
Router(config)#banner motd #
Enter TEXT message. End with the character '#'.
If you are not authorized to be in RouterSim.com network, then you must disconnect immediately.
#
Router(config)#ctrl+z
Router#
00:25:12: %SYS-5-CONFIG_I: Configured from console by console
Router#exit

Router con0 is now available

Press RETURN to get started.

If you are not authorized to be in RouterSim.com network, then you must disconnect immediately.

Router>
Lab 1.10: Configuring Interfaces for the 2621 Router

Interface configuration is one of the most important configurations of the router. Without interfaces, the router is useless. Interface configurations must be exact to be able to communicate with other devices. Interface configuration will be presented for three different devices (in labs 1.10 - 1.12) so that you can see differences among the interfaces:

• 2621 Router
• 2811 Router
• 3560 Switch

Network Layout
Load the network layout you have been working with for labs in section 1.
Interfaces correspond to the physical ports available on a device. In this instance the 2621 router has two serial ports and two Fast Ethernet ports:

• s0/0
• s0/1
• fa0/0
• fa0/1

As you read through the following steps you will notice a correspondence between interface and port names. This means you have to use the same names or shortcut commands as the names of the ports.
Lab Steps

1. On the Network Visualizer screen, double-click on 2621 Router A. This will bring up a console screen.

2. Press Enter and the Router> prompt will appear. You are now in the user mode.

3. Change to the privileged mode.

Router>
Router>enable

4. Change to the Global Configuration mode.

Router#config
Configuring from terminal, memory, or network [terminal]?enter
Enter configuration commands, one per line. End with CTRL/Z.
Router(config)#
5. Type interface ? to see all the interfaces available on the router.

Router(config)#interface ?
  Async              Async interface
  BRI                ISDN Basic Rate Interface
  BVI                Bridge-Group Virtual Interface
  CTunnel            CTunnel interface
  Dialer             Dialer interface
  FastEthernet       FastEthernet IEEE 802.3
  Group-Async        Async Group interface
  Lex                Lex interface
  Loopback           Loopback interface
  MFR                Multilink Frame Relay bundle interface
  Multilink          Multilink-group interface
  Null               Null interface
  Tunnel             Tunnel interface
  Vif                PGM Multicast Host interface
  Virtual-Template   Virtual Template interface
  Virtual-TokenRing  Virtual TokenRing interface
  range              interface range command

The output will vary depending on the type of router device you are connected to.

6. Type the command interface serial ?. To configure the 2621 router interfaces, the configuration would be interface type slot/port. The output below shows a 2621 router with 2 serial interfaces, which are labeled 0/0 and 0/1. The first option is the slot and the second option is the port. Each 2621 has two slots that can be filled with physical interfaces. The routers we use in this program only have interfaces in slot 0.

Router(config)#interface serial ?
  <0-1>  Serial interface number
Router(config)#int serial 0
% Incomplete command.
Router(config)#int serial 0?
/
Router(config)#int serial 0/?
  <0-1>  Serial interface number

7. At this point you must choose the interface you want to configure. Once you do that, you will be in interface configuration for that interface. The command to choose serial port 1, for example, would be:

Router(config)#interface serial 0/1
Router(config-if)#exit
8. The 2621 router also has two FastEthernet 10/100BaseT ports. For example, the FastEthernet interface configuration is shown below:

Router(config)#interface fastethernet ?
  <0-1>  FastEthernet interface number
Router(config)#int fastethernet 0
% Incomplete command.
Router(config)#int fastethernet 0?
/
Router(config)#int fastethernet 0/?
  <0-1>  FastEthernet interface number

Notice that you cannot type int fastethernet 0/. You must type the full command, which is type slot/port, or int fastethernet 0/0. You can type the shortcut int fa 0/0 as well.

9. At this point you must choose the interface you want to configure. Once you do that, you will be in interface configuration for that interface. The command to choose Fast Ethernet port 1, for example, would be:

Router(config)#int fastethernet 0/1
Router(config-if)#exit
Router(config)#ctrl+z
Lab 1.11: Configuring Interfaces for the 2811 Router

Interface configuration is one of the most important configurations of the router. Without interfaces, the router is useless. Interface configurations must be exact to be able to communicate with other devices. Interface configuration will be presented for three different devices (in labs 1.10 - 1.12) so that you can see differences among the interfaces:

• 2621 Router
• 2811 Router
• 3560 Switch

Network Layout
Load the network layout you have been working with for labs in section 1.
Interfaces correspond to the physical ports available on a device. In this instance the 2811 router has four serial ports and two Fast Ethernet ports:

• s0/0/0
• s0/0/1
• s0/1/0
• s0/1/1
• fa0/0
• fa0/1

As you read through the following steps you will notice a correspondence between interface and port names. This means you have to use the same names or shortcut commands as the names of the ports.
Lab Steps

1. On the Network Visualizer screen, double-click on 2811 Router A. This will bring up a console screen.

2. Press Enter and the Router> prompt will appear. You are now in the user mode.

3. Change to the privileged mode.

Router>
Router>enable

4. Change to the Global Configuration mode.

Router#config
Configuring from terminal, memory, or network [terminal]?enter
Enter configuration commands, one per line. End with CTRL/Z.
Router(config)#
5. Type interface ? to see all the interfaces available on the router.

Router(config)#interface ?
  Async              Async interface
  BVI                Bridge-Group Virtual Interface
  CDMA-Ix            CDMA Ix interface
  CTunnel            CTunnel interface
  Dialer             Dialer interface
  FastEthernet       FastEthernet IEEE 802.3
  Group-Async        Async Group interface
  Lex                Lex interface
  Loopback           Loopback interface
  MFR                Multilink Frame Relay bundle interface
  Multilink          Multilink-group interface
  Null               Null interface
  Port-channel       Ethernet Channel of interfaces
  Serial             Serial
  Tunnel             Tunnel interface
  Vif                PGM Multicast Host interface
  Virtual-PPP        Virtual PPP interface
  Virtual-Template   Virtual Template interface
  Virtual-TokenRing  Virtual TokenRing
  XTagATM            Extended Tag ATM interface
  range              interface range command

The output will vary depending on the type of router device you are connected to.

6. Type the command interface serial ?. To configure the 2811 router interfaces, the configuration would be interface type router/slot/port. The output below shows a 2811 router with 2 serial interfaces, which are labeled 0/0/0 and 0/0/1. The first option is the router, the second option is the slot, and the third option is the port. Each 2811 has two slots that can be filled with physical interfaces.

Router(config)#interface serial ?
  <0-2>  Serial interface number
Router(config)#int serial 0
% Incomplete command.
Router(config)#int serial 0?
/
Router(config)#int serial 0/?
  <0-1>  Serial interface number
Router(config)#int serial 0/0?
.  /  :  <0-19>
Router(config)#int serial 0/0/?
  <0-1>  Serial interface number

7. At this point you must choose the interface you want to configure. Once you do that, you will be in interface configuration for that interface. The command to choose serial port 1, for example, would be:

Router(config)#interface serial 0/0/1
Router(config-if)#exit
8. The 2811 router also has two FastEthernet 10/100BaseT ports. For example, the FastEthernet interface configuration is shown below:

Router(config)#interface fastethernet ?
  <0-2>  FastEthernet interface number
Router(config)#int fastethernet 0
% Incomplete command.
Router(config)#int fastethernet 0?
/
Router(config)#int fastethernet 0/?
  <0-1>  FastEthernet interface number

Notice that you cannot type int fastethernet 0/. You must type the full command, which is type slot/port, or int fastethernet 0/0. You can type the shortcut int fa 0/0 as well.

9. At this point you must choose the interface you want to configure. Once you do that, you will be in interface configuration for that interface. The command to implement FastEthernet port 1, for example, would be:

Router(config)#int fastethernet 0/1
Router(config-if)#exit
Router(config)#ctrl+z
Lab 1.12: Configuring Interfaces for the 3560 Switch

Interface configuration is one of the most important configurations of the switch. Without interfaces, the switch is useless. Interface configurations must be exact to be able to communicate with other devices. Interface configuration will be presented for three different devices (in labs 1.10 - 1.12) so that you can see differences among the interfaces:

• 2621 Router
• 2811 Router
• 3560 Switch

Network Layout
Load the network layout you have been working with for labs in section 1.

Interfaces correspond to the physical ports available on a device. In this instance the 3560 switch has eight Fast Ethernet ports. As you read through the following steps you will notice a correspondence between interface and port names. This means you have to use the same names or shortcut commands as the names of the ports.
Lab Steps

1. On the Network Visualizer screen, double-click on 3560 Switch A. This will bring up a console screen.

2. Press Enter and the Switch> prompt will appear. You are now in the user mode.

3. Change to the privileged mode.

Switch>
Switch>enable

4. Change to the Global Configuration mode.

Switch#config
Configuring from terminal, memory, or network [terminal]?enter
Enter configuration commands, one per line. End with CTRL/Z.
Switch(config)#

5. Type interface ? to see all the interfaces available on the switch.

Switch(config)#interface ?
  Async              Async interface
  BVI                Bridge-Group Virtual Interface
  CTunnel            CTunnel interface
  Dialer             Dialer interface
  FastEthernet       FastEthernet IEEE 802.3
  Filter             Filter interface
  Filtergroup        Filter Group interface
  GigabitEthernet    GigabitEthernet IEEE 802.3z
  Group-Async        Async Group interface
  Lex                Lex interface
  Loopback           Loopback interface
  Null               Null interface
  Port-channel       Ethernet Channel of interfaces
  Portgroup          Portgroup interface
  Pos-channel        POS Channel of interfaces
  Tunnel             Tunnel interface
  Vif                PGM Multicast Host interface
  Virtual-Template   Virtual Template interface
  Virtual-TokenRing  Virtual TokenRing
  Vlan               Catalyst Vlans
  fcpa               Fiber Channel
  range              interface range command

The output will vary depending on the type of device you are connected to.
6. The 3560 switch has eight Fast Ethernet 10/100BaseT ports. For example, the Fast Ethernet interface configuration is shown below:

Switch(config)#interface fastethernet ?
  <0-0>  FastEthernet interface number
Switch(config)#int fastethernet 0
% Incomplete command.
Switch(config)#int fastethernet 0?
/
Switch(config)#int fastethernet 0/?
  <1-8>  FastEthernet interface number

Notice that you cannot type int fastethernet 0/. You must type the full command, which is type slot/port, or int fastethernet 0/0. You can type the shortcut int fa 0/0 as well.

7. At this point you must choose the interface you want to configure. Once you do that, you will be in interface configuration for that interface. The command to implement FastEthernet port 1, for example, would be:

Switch(config)#int fastethernet 0/1
Switch(config-if)#exit
Switch(config)#ctrl+z
Lab 1.13: Bringing Up an Interface

By default, interfaces are shut down and turned off. That means that packets cannot travel through the device to another connected device. You can turn an interface on with the no shutdown command. You can turn off or shut down an interface with the shutdown command. You can check the status of an interface by using the show interface command. If an interface is shut down, it will display administratively down when using the show interface command, and the show running-config command will also show the interface as shut down.

Network Layout
Load the network layout you have been working with for labs in section 1.

Lab Steps

1. On the Network Visualizer screen, double-click 2621 Router A. This will bring up a console screen.

2. Press Enter and the Router> prompt will appear. You are now in the user mode.

3. Change to the privileged mode.

Router>
Router>enable

4. Type show interface fastethernet 0/0 and see that it is administratively down.

Router#show int fa0/0
FastEthernet0/0 is administratively down, line protocol is up
[output cut]

5. Bring up interface FastEthernet 0/0 with the no shutdown command.

Router#config t
Enter configuration commands, one per line. End with CTRL/Z.
Router(config)#int fa0/0
Router(config-if)#no shutdown
Router(config-if)#ctrl+z
00:57:08: %LINK-3-UPDOWN: Interface Fastethernet 0/0, changed state to up
00:57:09: %LINEPROTO-5-UPDOWN: Line protocol on Interface Fastethernet 0/0, changed state to up
Router#sh int fa0/0
Fastethernet 0/0 is up, line protocol is up

6. Configure the router to enable all interfaces by issuing the no shutdown command on all interfaces.
Interface and Connection States

There are four possible states that you can see when examining whether interfaces are turned on and devices are properly connected.

FastEthernet Interface

FastEthernet0/0 is administratively down, line protocol is down
There are a couple of possibilities with this current state:
• The two devices are not connected and each f0/0 interface on both routers is explicitly shut down.
• The two devices are connected and each f0/0 interface on both routers is explicitly shut down.

FastEthernet0/0 is up, line protocol is down
If the two devices are connected, this output means that one interface is turned up and the other interface f0/0 is shut down.

Router(config)#int f0/0
Router(config-if)#no shut
23:03:18 %LINK-3-UPDOWN: Interface FastEthernet0/0, changed state to up
23:03:18 %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to up

FastEthernet0/0 is up, line protocol is up
This means that the routers are connected and the interfaces are turned on for both routers with the no shut command.

Serial Interface

Serial0/0 is administratively down, line protocol is down
There are a couple of possibilities with this current state:
• The two devices are not connected and each s0/0 interface on both routers is explicitly shut down.
• The two devices are connected and each s0/0 interface on both routers is explicitly shut down.

Serial0/0 is down, line protocol is down
If the two devices are connected, this output means that one interface is turned up and the other interface s0/0 is shut down.

Router(config)#int s0/0
Router(config-if)#no shut
23:03:18 %LINK-3-UPDOWN: Interface Serial0/0, changed state to up
23:03:18 %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0, changed state to up

Serial0/0 is up, line protocol is up
This means that the routers are connected and the interfaces are turned on for both routers with the no shut command.
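The state table above, turned into code that a monitoring script can apply, as an added example (not code from the CCNA Virtual Lab product): parse_status() reads the first line of show interface output into (link, line protocol) and diagnose() maps each combination to the explanation this section gives; track_transitions() folds the %LINK-3-UPDOWN and %LINEPROTO-5-UPDOWN messages a syslog collector receives when an interface is shut down or brought up into the last known state of each interface plus a change count, which is what an interface-flap alert keys on. The sample lines are constructed from the output shown in this section, with one extra protocol-down message added so a flap appears; the function names and the exact diagnosis wording are this example's own.

```python
"""Classify show interface status lines and follow link-state syslog messages."""
import re

STATUS_RE = re.compile(
    r"^(?P<name>.+?) is (?P<link>administratively down|down|up), "
    r"line protocol is (?P<proto>up|down)"
)

SYSLOG_RE = re.compile(
    r"%(?P<facility>LINK|LINEPROTO)-\d-UPDOWN: (?:Line protocol on )?"
    r"Interface (?P<name>.+?), changed state to (?P<state>up|down)"
)

# The four cases as the lab describes them, keyed by (link, line protocol).
DIAGNOSIS = {
    ("administratively down", "down"):
        "this interface is shut down; the peer may be connected or not",
    ("down", "down"):
        "this side is enabled but the peer interface is shut down (serial case in the lab)",
    ("up", "down"):
        "this side is enabled but the peer interface is shut down (FastEthernet case in the lab)",
    ("up", "up"):
        "both sides connected and enabled with no shutdown",
}


def parse_status(line):
    """Return (name, link, protocol) for a status line, or None if it is not one."""
    m = STATUS_RE.match(line.strip())
    if not m:
        return None
    return m.group("name"), m.group("link"), m.group("proto")


def diagnose(line):
    """Return (name, explanation). Combinations the lab does not list, such as
    administratively down with line protocol up, are reported as unexpected."""
    parsed = parse_status(line)
    if parsed is None:
        return None
    name, link, proto = parsed
    text = DIAGNOSIS.get((link, proto),
                         f"unexpected combination {link}/{proto}; re-check the interface")
    return name, text


def canonical(name):
    """'Fastethernet 0/0' and 'FastEthernet0/0' name the same interface."""
    return name.replace(" ", "").lower()


def track_transitions(log_lines):
    """Return {interface: {"link": state, "protocol": state, "changes": n}}
    from %LINK / %LINEPROTO messages; other syslog lines are ignored."""
    state = {}
    for line in log_lines:
        m = SYSLOG_RE.search(line)
        if not m:
            continue
        entry = state.setdefault(canonical(m.group("name")),
                                 {"link": None, "protocol": None, "changes": 0})
        key = "link" if m.group("facility") == "LINK" else "protocol"
        entry[key] = m.group("state")
        entry["changes"] += 1
    return state


# Constructed from the syslog lines shown in this lab, plus one extra
# protocol-down message for Serial0/0 so that a flap shows up.
SAMPLE_LOG = [
    "00:57:08: %LINK-3-UPDOWN: Interface Fastethernet 0/0, changed state to up",
    "00:57:09: %LINEPROTO-5-UPDOWN: Line protocol on Interface Fastethernet 0/0, changed state to up",
    "23:03:18 %LINK-3-UPDOWN: Interface Serial0/0, changed state to up",
    "23:03:18 %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0, changed state to up",
    "23:09:40 %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0, changed state to down",
    "00:25:12: %SYS-5-CONFIG_I: Configured from console by console",
]

if __name__ == "__main__":
    for sample in ("FastEthernet0/0 is administratively down, line protocol is down",
                   "Serial0/0 is down, line protocol is down",
                   "Serial0/0 is up, line protocol is up"):
        print(diagnose(sample))
    print(track_transitions(SAMPLE_LOG))
```

A collector would call track_transitions() on the lines received in a window and alert on any interface whose change count exceeds a threshold, or whose final protocol state is down while the interface is expected to be in service.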
Lab 1.14: Configuring an IP Address on an Interface

You don’t have to use IP on your routers; however, IP is typically used on all routers and it certainly is used in this program. To configure IP addresses on an interface, use the ip address command from interface configuration mode.

Network Layout
Load the network layout you have been working with for labs in section 1.

Lab Steps

1. Configure the FastEthernet 0/0 interface on 2621 Router A with the IP address of 172.16.10.2/24.

Router#config t
Router(config)#int fa0/0
Router(config-if)#ip address 172.16.10.2 255.255.255.0
Router(config-if)#no shut

Notice that in order to enable an interface, we use the no shut command. Remember to look at the command show interface fa0/0, for example, which will show you if it is administratively shut down or not. Show running-config will also show you if the interface is shut down.
IP address
Unique identification number for a device that is located on a network. An IP address is equivalent to the address of your home. The format of an IP address is a 32-bit numeric address written as four numbers separated by periods. Each number can be zero to 255. For example, 172.16.10.6 could be an IP address.
2. If you want to add a second subnet address to an interface, then you must use the secondary command.

Subnet Address
A range of logical addresses within the address space of an organization. This allows you to take one network and turn it into many smaller networks, which means less network traffic on each network and faster, more efficient networks.

If you type another IP address and press Enter, it will replace the existing IP address and mask. To add a secondary IP address, use the secondary command.

Router(config-if)#ip address 172.16.20.2 255.255.255.0 secondary
Router(config-if)#ctrl+z
3. You can verify both addresses are configured on the interface with the show running-config command (show run for short).

Router#show run
Building configuration...
Current configuration:
[output cut]
!
interface Fastethernet 0/0
 ip address 172.16.20.2 255.255.255.0 secondary
 ip address 172.16.10.2 255.255.255.0
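An added example that covers the interface naming rules of labs 1.10 - 1.12 together with the primary and secondary addressing of this lab (this is not code from the CCNA Virtual Lab product): normalize_interface() expands the shortcuts the labs use (fa 0/0, s0/0/1, "Fastethernet 0/0") to canonical IOS names and is_valid_port() checks a name against the port lists the labs give for the 2621, 2811 and 3560; audit_interface_addresses() parses the interface stanzas out of a running-config and flags a secondary address on the primary's subnet, two interfaces whose subnets overlap, and an addressed interface that is still shut down. The port tables, the sample config and all function names are this example's own constructions based on this section of the manual.

```python
"""Normalize IOS interface names and audit interface addressing (added example)."""
import ipaddress
import re

# Physical ports as listed in labs 1.10 - 1.12 (constructed from the text).
DEVICE_PORTS = {
    "2621": {"Serial0/0", "Serial0/1", "FastEthernet0/0", "FastEthernet0/1"},
    "2811": {"Serial0/0/0", "Serial0/0/1", "Serial0/1/0", "Serial0/1/1",
             "FastEthernet0/0", "FastEthernet0/1"},
    "3560": {f"FastEthernet0/{n}" for n in range(1, 9)},
}

# IOS accepts any unambiguous prefix of the type name (fa, f, s, ...).
TYPE_NAMES = [("fastethernet", "FastEthernet"), ("serial", "Serial"),
              ("gigabitethernet", "GigabitEthernet"), ("loopback", "Loopback")]

IFACE_RE = re.compile(r"^\s*([A-Za-z-]+)\s*(\d+(?:/\d+)*)\s*$")
ADDR_RE = re.compile(r"^ip address (\S+) (\S+)( secondary)?$")


def normalize_interface(text):
    """'fa 0/0' -> 'FastEthernet0/0'; None if the type prefix is not recognised."""
    m = IFACE_RE.match(text)
    if not m:
        return None
    abbrev, number = m.group(1).lower(), m.group(2)
    for full, canonical in TYPE_NAMES:
        if full.startswith(abbrev):
            return canonical + number
    return None


def is_valid_port(device, text):
    """True when text names a physical port the lab lists for that device."""
    name = normalize_interface(text)
    return name is not None and name in DEVICE_PORTS[device]


def parse_interfaces(config):
    """Return {name: {"addresses": [(IPv4Interface, is_secondary)], "shutdown": bool}}."""
    result, current = {}, None
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line or line == "!":
            continue
        if not line.startswith(" "):             # top-level command
            current = None
            if line.startswith("interface "):
                rest = line[len("interface "):]
                name = normalize_interface(rest) or rest.strip()
                current = result.setdefault(name, {"addresses": [], "shutdown": False})
            continue
        if current is None:
            continue
        text = line.strip()
        m = ADDR_RE.match(text)
        if m:   # IPv4Interface accepts a dotted mask: "172.16.10.2/255.255.255.0"
            addr = ipaddress.IPv4Interface(f"{m.group(1)}/{m.group(2)}")
            current["addresses"].append((addr, m.group(3) is not None))
        elif text == "shutdown":
            current["shutdown"] = True
    return result


def audit_interface_addresses(config):
    """Return (interface, message) findings in config order."""
    findings, seen = [], []          # seen: (network, interface) already placed
    for name, info in parse_interfaces(config).items():
        primaries = [a for a, sec in info["addresses"] if not sec]
        for addr, sec in info["addresses"]:
            if sec and any(addr.network == p.network for p in primaries):
                findings.append((name, f"secondary {addr} is on the primary's subnet"))
        if info["addresses"] and info["shutdown"]:
            findings.append((name, "addressed but still shut down"))
        for addr, _ in info["addresses"]:
            for net, other in seen:
                if other != name and net.overlaps(addr.network):
                    findings.append((name, f"{addr.network} overlaps {net} on {other}"))
            seen.append((addr.network, name))
    return findings


# Constructed sample: the 2621 Router A stanza from this lab plus two
# deliberately wrong stanzas (an overlapping, shut-down FastEthernet0/1
# and a loopback whose secondary shares the primary's subnet).
SAMPLE_CONFIG = """\
interface Fastethernet 0/0
 ip address 172.16.20.2 255.255.255.0 secondary
 ip address 172.16.10.2 255.255.255.0
!
interface FastEthernet0/1
 ip address 172.16.10.130 255.255.255.0
 shutdown
!
interface Loopback0
 ip address 10.1.1.1 255.255.255.0
 ip address 10.1.1.2 255.255.255.0 secondary
!
"""

if __name__ == "__main__":
    print(normalize_interface("fa 0/0"), is_valid_port("3560", "fa0/0"))
    for iface, msg in audit_interface_addresses(SAMPLE_CONFIG):
        print(f"{iface}: {msg}")
```

The 3560 check shows why the port tables matter: fa0/0 normalizes cleanly but is not a port on that switch, whose Fast Ethernet ports run from 0/1 to 0/8 according to the help output in Lab 1.12.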
Lab 1.15: Serial Interface Commands

To configure a serial interface, there are a couple of specifics that need to be discussed.

Serial Interface
A connection between two devices where data is sent between the two, one bit at a time. This occurs in only one direction at a time.

Typically, when in production, the interface will be attached to a CSU/DSU type of device that provides clocking for the line. However, if you have a back-to-back configuration used in a lab environment, for example, one end must provide clocking. This would be the DCE end of the cable. Cisco routers, by default, are all DTE devices, and you must tell an interface to provide clocking if it is to act as a DCE device. If you don’t completely understand this right now, don’t worry, you will. Just run through the commands below for now and I promise it will become clear to you later.

CSU/DSU
A telecommunication device used to connect a carrier circuit to a router. The carrier circuit can be a DS1 or DS3, T1 or T3. The CSU/DSU converts the DS1 signal into a signal that the local network can understand. The CSU/DSU also converts the signal from the local network into a DS1 signal so it can be carried back across the DS1 circuit.

Network Layout
Load the network layout you have been working with for labs in section 1.
Lab Steps

1. Double-click on router 2621 Router A to bring up the console. Go to the privileged mode.

2. You can configure a DCE serial interface with the clock rate command. Configure an interface that has a DCE connection.

Router#config t
Enter configuration commands, one per line. End with CTRL/Z.
Router(config)#int s0/0
Router(config-if)#clock rate ?
  Speed (bits per second)
  1200
  2400
  4800
  9600
  19200
  38400
  56000
  64000
  72000
  125000
  148000
  250000
  500000
  800000
  1000000
  1300000
  2000000
  4000000
  <300-4000000>  Choose clockrate from list above
Router(config-if)#clock rate 64000
Router(config-if)#int s0/1
Router(config-if)#clock rate 64000

It does not hurt anything to try and put a clock rate on an interface. Notice that the clock rate command is in bits per second. If you are not on an interface that is set to DCE, you will receive an error when trying this command.
3. The next command you need to understand is the bandwidth command. Every Cisco router ships with a default serial link bandwidth of a T1, or 1.544Mbps. However, understand that this has nothing to do with how data is transferred over a link. The bandwidth of a serial link is used by routing protocols such as IGRP, EIGRP, and OSPF to calculate the best cost to a remote network. If you are using RIP routing, then the bandwidth setting of a serial link is irrelevant.

Router(config-if)#bandwidth ?
  <1-10000000>  Bandwidth in kilobits
Router(config-if)#bandwidth 64

4. Notice that unlike the clock rate command, the bandwidth command is configured in kilobits.
Lab 1.16: Setting the Router Hostnames

You can uniquely identify a device by giving it a hostname; you use the hostname command. This is only locally significant for the administrator, which means it has no bearing on how the router performs name lookups on the internetwork. On a router the default hostname is Router, and on a switch it is Switch. This stays in effect until you intentionally change the hostname.

Network Layout
Load the network layout you have been working with for labs in section 1.

Lab Steps

1. Set the hostname of 2621 Router A.

Router(config-if)#ctrl+z
Router#config t
Enter configuration commands, one per line. End with CTRL/Z.
Router(config)#hostname 2621A
2621A(config)#

2. Notice that when you press Enter the command takes effect immediately.
Lab 1.17: Setting Interface Descriptions

Setting descriptions on an interface is helpful to the administrator and, like the hostname, only locally significant. For example, this is a helpful command because it can be used to keep track of circuit numbers.

Network Layout
Load the network layout you have been working with for labs in section 1.

Lab Steps

1. On 2621 Router A, set the description of interface FastEthernet 0/0 to Sales LAN and the serial 0/0 interface to WAN to Miami with a circuit number of 6fdda4321.

2621A(config)#int fa0/0
2621A(config-if)#description Sales LAN
2621A(config-if)#int s0/0
2621A(config-if)#desc Wan to Miami circuit:6fdda4321

2. You can view the description of an interface either with the show running-config command or the show interface command.

2621A#show run
[output cut]
interface FastEthernet0/0
 description Sales LAN
 ip address 172.16.20.2 255.255.255.0 secondary
 ip address 172.16.10.2 255.255.255.0
 no ip directed-broadcast
!
interface Serial0/0
 description Wan to Miami circuit:6fdda4321
 no ip address
 no ip directed-broadcast
 shutdown
2621A#show int fa0/0
FastEthernet 0/0 is up, line protocol is up
  Hardware is AmdFE, address is 00b0.6483.2120 (bia 00b0.6483.2120)
  Description: Sales LAN
[cut]
2621A#show int s0/0
Serial 0/0 is administratively down, line protocol is down
  Hardware is HD64570
  Description: Wan to Miami circuit:6fdda4321
[cut]
2621A#
Lab 1.18: Verifying Your Configuration

Once you take a look at the running-config, and it appears that everything is in order, you can verify your configuration with utilities like Ping and Telnet.

Troubleshooting Tip
If you have a local host to remote host connection issue:
• Use the ping command to ping your PC’s local IP address
• Use the ping command to ping your PC’s default gateway
• Ping the IP address of the machine or web page you are trying to reach
• Traceroute the IP address of the machine or web page you are trying to reach

Whichever of the above tasks fails is where you should begin your search for the connection issue. Always make sure to check that your subnets and masks are correct from end to end.
Network Layout
Load the network layout you have been working with for labs in section 1.

Lab Steps

1. Bring up the console for 2621 Router A.

2. You can ping with different protocols, and you can see this by typing ping ? at the router user mode or privileged mode prompt, but not in configuration mode.

Ping
A diagnostic program that checks whether a specific IP address is reachable. Packets are sent to the specified location and if they return correctly, communication was successful. This is used to verify connection to a remote host. Ping works at layer 3 of the OSI model.

2621A#ping ?
  WORD  Ping destination address or hostname
  clns  CLNS echo
  ip    IP echo
  tag   Tag encapsulated IP echo

This program only supports IP ping at this time.
3. You can also use the traceroute program to find the path a packet takes as it traverses an internetwork. Traceroute can also be used with multiple protocols.

Traceroute
A TCP/IP utility that allows a user to determine if two computers are communicating successfully with each other. This network tool is used to determine the route taken by packets across an IP network. The time and location of each hop on the route to the destination computer is displayed. Traceroute works at layer 3 of the OSI model.

2621A#traceroute ?
  WORD       Trace route to destination address or hostname
  appletalk  AppleTalk Trace
  clns       ISO CLNS Trace
  ip         IP Trace
  ipv6       IPv6 Trace
  ipx        IPX Tra

This program only supports IP with the trace command.

4. Telnet can be used to test IP connectivity and to gain access to remote routers. Once you gain access to the remote router you can interact with the device as though you are physically in front of it. From the router prompt, you do not need to type the telnet command. If you just type a hostname or IP address, it will assume you want to telnet. The following example shows how to use Telnet from a router prompt. However, you need to have configured a working network and destination host for Telnet to be successful. We will use Telnet more in other labs.

2621A#telnet ?
  WORD  IP address or hostname of a remote system
5. Another way to verify your configuration is by typing show interface commands. The first command is show interface ?, which shows us all the available configured or physical interfaces for a device. The only interfaces that are not logical are FastEthernet and Serial.

2621A#show int ?
  Async              Async interface
  BVI                Bridge-Group Virtual Interface
  CTunnel            CTunnel interface
  Dialer             Dialer interface
  FastEthernet       FastEthernet IEEE 802.3
  Loopback           Loopback interface
  MFR                Multilink Frame Relay bundle interface
  Multilink          Multilink-group interface
  Null               Null interface
  Serial             Serial
  Tunnel             Tunnel interface
  Vif                PGM Multicast Host interface
  Virtual-Template   Virtual Template interface
  Virtual-TokenRing  Virtual TokenRing
  accounting         Show interface accounting
  crb                Show interface routing/bridging info
  dampening          Show interface dampening info
  description        Show interface description
  irb                Show interface routing/bridging info
  mac-accounting     Show interface MAC accounting info
  mpls-exp           Show interface MPLS experimental accounting info
  precedence         Show interface precedence accounting info
  rate-limit         Show interface rate-limit info

6. You can be specific with the command and use show interface fastethernet 0/0, or serial 0/0.

2621A#show int fa0/0
FastEthernet0/0 is up, line protocol is up
  Hardware is AmdFE, address is 00b0.af40.3e18 (bia 00b0.af40.3e18)
  Description: Sales Lan
  Internet address is 172.16.10.2/24
  MTU 1500 bytes, BW 100000 Kbit, DLY 100 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Keepalive set (10 sec)
  Full-duplex, 100Mb/s, 100BaseTX/FX
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input 00:00:50, output 00:00:04, output hang never
  Last clearing of "show interface" counters never
  Queueing strategy: fifo
  Output queue 0/40, 0 drops; input queue 0/75, 0 drops
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 1000 bits/sec, 0 packets/sec
     588 packets input, 74628 bytes
     Received 588 broadcasts, 0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     0 watchdog, 0 multicast
     0 input packets with dribble condition detected
     231 packets output, 53712 bytes, 0 underruns
     0 output errors, 0 collisions, 1 interface resets
     0 babbles, 0 late collision, 0 deferred
     0 lost carrier, 0 no carrier
     0 output buffer failures, 0 output buffers swapped out
 --More--
[output cut]
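What to read out of that show interface block when verifying a link, as an added example (not code from the CCNA Virtual Lab product): parse_show_interface() extracts the status line, the address, the duplex setting and the error counters, and check_interface() reports the items a practitioner looks at first: input, CRC and frame errors, output errors, late collisions, interface resets, a high collision ratio, and half duplex, which is a common sign of a duplex mismatch. The sample block is constructed from the output above with several counters raised so that the check has findings; the threshold and the function names are this example's own.

```python
"""Parse show interface counters and flag the usual trouble signs (added example)."""
import re

# Constructed from the show int fa0/0 output in Lab 1.18, with the error,
# collision and duplex fields changed so each check below fires.
SAMPLE_SHOW_INT = """\
FastEthernet0/0 is up, line protocol is up
  Hardware is AmdFE, address is 00b0.af40.3e18 (bia 00b0.af40.3e18)
  Description: Sales Lan
  Internet address is 172.16.10.2/24
  MTU 1500 bytes, BW 100000 Kbit, DLY 100 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Keepalive set (10 sec)
  Half-duplex, 100Mb/s, 100BaseTX/FX
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input 00:00:50, output 00:00:04, output hang never
  Queueing strategy: fifo
  Output queue 0/40, 0 drops; input queue 0/75, 0 drops
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 1000 bits/sec, 0 packets/sec
     588 packets input, 74628 bytes
     Received 588 broadcasts, 0 runts, 0 giants, 0 throttles
     12 input errors, 12 CRC, 0 frame, 0 overrun, 0 ignored
     0 watchdog, 0 multicast
     0 input packets with dribble condition detected
     231 packets output, 53712 bytes, 0 underruns
     0 output errors, 45 collisions, 1 interface resets
     0 babbles, 3 late collision, 0 deferred
     0 lost carrier, 0 no carrier
     0 output buffer failures, 0 output buffers swapped out
"""

STATUS_RE = re.compile(r"^(\S+) is (administratively down|down|up), line protocol is (up|down)")
# "<number> <counter name>" pairs; the names are the ones IOS prints.
COUNTER_RE = re.compile(
    r"(\d+) (packets input|packets output|input errors|CRC|frame|overrun|ignored|"
    r"runts|giants|output errors|collisions|late collision|interface resets)\b")


def parse_show_interface(text):
    """Return a dict with name, link, protocol, address, duplex, bandwidth and counters."""
    lines = text.splitlines()
    m = STATUS_RE.match(lines[0].strip()) if lines else None
    if not m:
        raise ValueError("first line is not a show interface status line")
    addr = re.search(r"Internet address is (\S+)", text)
    duplex = re.search(r"\b(Full|Half)\s*-duplex", text)   # IOS sometimes prints "Full -duplex"
    bw = re.search(r"BW (\d+) Kbit", text)
    return {
        "name": m.group(1), "link": m.group(2), "protocol": m.group(3),
        "address": addr.group(1) if addr else None,
        "duplex": duplex.group(1) if duplex else None,
        "bandwidth_kbit": int(bw.group(1)) if bw else None,
        "counters": {name: int(n) for n, name in COUNTER_RE.findall(text)},
    }


def check_interface(text, collision_ratio=0.01):
    """Return a list of human-readable findings; an empty list means a clean interface."""
    info = parse_show_interface(text)
    c = info["counters"]
    findings = []
    if (info["link"], info["protocol"]) != ("up", "up"):
        findings.append(f"{info['name']} is {info['link']}, line protocol is {info['protocol']}")
    for key in ("input errors", "CRC", "frame", "overrun", "runts", "giants",
                "output errors", "late collision", "interface resets"):
        if c.get(key, 0):
            findings.append(f"{key}: {c[key]}")
    out = c.get("packets output", 0)
    if out and c.get("collisions", 0) / out > collision_ratio:
        findings.append(f"collisions: {c['collisions']} on {out} packets output")
    if info["duplex"] == "Half":
        findings.append("half-duplex: check the peer for a duplex mismatch")
    return findings


if __name__ == "__main__":
    for finding in check_interface(SAMPLE_SHOW_INT):
        print(finding)
```

On the unmodified output shown above, only the single interface reset would be reported; CRC errors that keep climbing between two readings point at cabling or a duplex mismatch, which is why the counters are worth saving and comparing rather than reading once.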
7. Use the show controllers command to display information about the physical interface itself. It will also give you the type of serial cable plugged into a serial port. Typically this will only be a DTE cable, which then plugs into a type of Data Service Unit (DSU).
   2621A#show controllers s 0/0
   Interface Serial0/0
   Hardware is PowerQUICC MPC860
   DCE V.35, clock rate 64000
   idb at 0x813CA7B4, driver data structure at 0x813D1CE8
   [output cut]
8. Clear all configurations. You will want to clear the configurations for any router for which you have entered information, up to this point. This will allow you to configure the devices according to the suggested labs without any extraneous information.
   2621A#erase startup-config
   Erasing the nvram filesystem will remove all configuration files! Continue? [confirm] enter
   [OK]
   Erase of nvram: complete
   2621A#
   01:58:09: %SYS-7-NV_BLOCK_INIT: Initialized the geometry of nvram
   2621A#reload
   System configuration has been modified. Save? [yes/no]: no
   Proceed with reload? [confirm] enter
   Would you like to enter the initial configuration dialog? [yes/no]: n
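Lab 1.18 reads show interface output by eye. The following Python script is an added example (it is not part of the book or of the Network Visualizer): it parses that output into the link state and the error counters, then reports what a person verifying a configuration should act on. The two transcripts embedded in it are constructed, modelled on the outputs shown in this lab and in Lab 1.19; the non-zero CRC and input-error counters on FastEthernet0/0 were put in on purpose so the check has something to report.

```python
import re

# Constructed sample modelled on the "show int fa0/0" output of Lab 1.18, step 6.
# The 17 input errors / 17 CRC are deliberate; the page's own interface was clean.
SAMPLE_FA00 = """\
FastEthernet0/0 is up, line protocol is up
  Hardware is AmdFE, address is 00b0.af40.3e18 (bia 00b0.af40.3e18)
  Description: Sales Lan
  Internet address is 172.16.10.2/24
  MTU 1500 bytes, BW 100000 Kbit, DLY 100 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Full-duplex, 100Mb/s, 100BaseTX/FX
     588 packets input, 74628 bytes
     Received 588 broadcasts, 0 runts, 0 giants, 0 throttles
     17 input errors, 17 CRC, 0 frame, 0 overrun, 0 ignored
     231 packets output, 53712 bytes, 0 underruns
     0 output errors, 0 collisions, 1 interface resets
"""

# Constructed sample modelled on the "do show int s0/0/0" output of Lab 1.19, step 4.
SAMPLE_S000 = """\
Serial0/0/0 is administratively down, line protocol is down
  Hardware is GT96K Serial
  MTU 1500 bytes, BW 1544 Kbit, DLY 20000 usec,
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
     0 output errors, 0 collisions, 3 interface resets
"""

# First line: "<name> is <admin state>, line protocol is <state>"
STATUS_RE = re.compile(r"^(?P<name>\S+) is (?P<admin>.+?), line protocol is (?P<proto>\w+)")
# Counter fields we care about, as "<number> <label>" pairs anywhere on a line
COUNTER_RE = re.compile(
    r"(\d+) (input errors|CRC|frame|overrun|ignored|abort|runts|giants|"
    r"output errors|collisions|interface resets)\b")


def parse_show_interface(text):
    """Return {'name', 'admin', 'proto', 'counters'} parsed from show interface output."""
    parsed = {"counters": {}}
    for line in text.splitlines():
        m = STATUS_RE.match(line)
        if m:
            parsed.update(name=m["name"], admin=m["admin"], proto=m["proto"])
            continue
        for value, key in COUNTER_RE.findall(line):
            parsed["counters"][key] = int(value)
    return parsed


def link_findings(parsed):
    """Findings a verifier should act on; an empty list means the interface looks healthy."""
    name, c = parsed["name"], parsed["counters"]
    findings = []
    if parsed["admin"] == "administratively down":
        findings.append(f"{name}: shut down; issue 'no shutdown' if it should carry traffic")
    elif parsed["admin"] != "up" or parsed["proto"] != "up":
        findings.append(f"{name}: {parsed['admin']}/{parsed['proto']}; "
                        "check cabling, clocking and keepalives")
    errors = c.get("input errors", 0) + c.get("CRC", 0) + c.get("frame", 0)
    if errors:
        findings.append(f"{name}: {c.get('input errors', 0)} input errors, {c.get('CRC', 0)} CRC; "
                        "suspect cabling, a duplex mismatch or clocking")
    if c.get("collisions", 0):
        findings.append(f"{name}: {c['collisions']} collisions; suspect a duplex mismatch")
    return findings


if __name__ == "__main__":
    for sample in (SAMPLE_FA00, SAMPLE_S000):
        print(link_findings(parse_show_interface(sample)) or ["healthy"])
```

The counters are read with a single regular expression so the script copes with the different line layouts of the FastEthernet and Serial outputs; only the fields named in COUNTER_RE are collected.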
ICND1: Cisco IOS
Lab 1.19: do Command

The do command allows you to ping other devices and view configurations while in the global configuration mode. Before IOS version 12.3, you could not use the do command. You had to be in user or privileged mode in order to ping other devices or view configurations. However, beginning with IOS version 12.3 you can use the do command in the configuration mode to accomplish this. With IOS version 12.2 you can also use the do command if you have the IOS Special Edition (SE). The do command is convenient because you do not have to exit the current configuration mode and perform the command in the privileged mode. With this program, there are three devices that will allow you to use the do command in global configuration mode:
• 2811 router
• 2960 switch
• 3560 switch
Network Layout Load the network layout you have been working with for labs in section 1.
Lab Steps

1. On the Network Visualizer screen, double-click on 2811 Router A. This will bring up a console screen.
2. Press Enter and the Router> prompt will appear. You are now in the user mode.
3. Change to the privileged mode.
   Router>
   Router>enable
4. Change to the global configuration mode. Perform the do show run command and the do show int s0/0/0 command.
   Router#
   Router#config t
   Router(config)#do show run
   Building configuration...

   Current configuration : 3401 bytes
   !
   version 12.4
   service timestamps debug datetime msec
   service timestamps log datetime msec
   no service password-encryption
   !
   [output cut]
   Router(config)#do show int s 0/0/0
   Serial0/0/0 is administratively down, line protocol is down
     Hardware is GT96K Serial
     MTU 1500 bytes, BW 1544 Kbit, DLY 20000 usec,
        reliablility 255/255, txload 1/255, rxload 1/255
     Encapsulation HDLC, loopback not set
     Keepalive set (10)
     Last input 00:00:02, output 00:00:06, output hang never
     Last clearing of "show interface" counters 02:41:59
     Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
     Queueing strategy: weighted fair
     Output queue: 0/1000/64/0 (size/max total/threshold/drops)
        Conversations 0/1/256 (active/max active/max total)
        Reserved Conversations 0/0 (allocated/max allocated)
        Available Bandwidth 1158 kilobits/sec
     5 minute input rate 0 bits/sec, 0 packets/sec
     5 minute output rate 0 bits/sec, 0 packets/sec
        1645 packets input, 100265 bytes, 0 no buffer
        Received 1139 broadcasts, 0 runts, 0 giants, 0 throttles
        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
        1662 packets output, 105842 bytes, 0 underruns
        0 output errors, 0 collisions, 3 interface resets
        0 output buffer failures, 0 output buffers swapped out
        2 carrier transitions
        DCD=up  DSR=up  DTR=up  RTS=up  CTS=up
5. On the Network Visualizer screen, double-click on 3560 Switch A. This will bring up a console screen.
6. Press Enter and the Switch> prompt will appear. You are now in the user mode.
7. Change to the privileged mode.
   Switch>
   Switch>enable
8. Change to the global configuration mode. Perform the do show run command.
   Switch#
   Switch#config t
   3560A(config)#do show run
   Building configuration...

   Current configuration : 898 bytes
   !
   version 12.2
   no service pad
   service timestamps debug uptime
   service timestamps log uptime
   no service password-encryption
   !
   no aaa new-model
   system mtu routing 1500
   ip subnet-zero
   !
   !
   !
   !
   no file verify auto
   spanning-tree mode pvst
   spanning-tree extend system-id
   !
   vlan internal allocation policy ascending
   !
   interface FastEthernet0/1
   [output cut]
IP Routing
Lab 2: Introduction to IP Routing

This section will discuss the IP routing process. This is an important subject to understand as it pertains to all routers and configurations that use IP. IP routing is the process of moving packets from one network to another network and delivering the packets to hosts. This section will give you the background on how to configure and verify IP routing with Cisco routers. The following labs are covered in this section:
• 2.1: Configuring the SDM for the 2811 Router
• 2.2: Connecting to the SDM using the 2811 Router
• 2.3: Configuring an Interface with SDM
• 2.4: Configuring DHCP with SDM
• 2.5: Configuring Other Items with SDM
• 2.6: Verifying Configurations with SDM
• 2.7: Configuring the Routers
• 2.8: Verifying the Configurations
• 2.9: Configuring Static Routing
• 2.10: Verifying Static Routing
• 2.11: Configuring and Verifying Hosts
• 2.12: Configuring Default Routing
• 2.13: Verifying Default Routing
• 2.14: Configuring RIPv2
• 2.15: Verifying RIPv2
• 2.16: Using Traceroute
• 2.17: Using Debug with a RIPv2 Network
• 2.18: Configure and Verify a Loopback Interface
• 2.19: Using ARP (Address Resolution Protocol)
The following commands are used in this section:

Command                       Meaning
debug ip igrp events          Provides a summary of the IGRP routing information running on the network
debug ip igrp transactions    Shows message requests from neighbor routers asking for an update and the broadcasts sent from your router towards that neighbor router
debug ip rip                  Sends console messages displaying information about RIP packets being sent and received on a router interface
ip classless                  Global configuration command used to tell a router to forward packets to a default route when the destination network is not in the routing table
ip route                      Creates static and default routes on a router
network                       Tells the routing protocol what network to advertise
no auto-summarization         Disables auto summarization
no ip route                   Removes a static or default route
router eigrp as               Turns on IP EIGRP routing on a router
router igrp as                Turns on IP IGRP routing on a router
router rip                    Turns on IP RIP routing on a router
show ip protocols             Shows the routing protocols and timers associated with each routing protocol configured on a router
show ip route                 Displays the IP routing table
show protocols                Shows the routed protocols and network addresses configured on each interface
version 2                     Enables RIP version 2
Lab 2.1: Configuring the SDM for the 2811 Router

Cisco® SDM is a Web-based device-management tool for routers. The SDM is a graphical user interface that allows you to quickly configure the 2811 router. After the initial setup, no interaction with the command line interface (CLI) is required. Before you can use SDM, you must first manually configure 2811 Router A with the CLI. In this lab we will configure 2811 Router A. Then, there are two more steps that must be finished before you can launch the SDM:
1. Configure Host A, because that is where we will launch SDM.
2. Set up https services on the router so you can configure 2811 Router A via a secure web browser.
Network Layout Load SDM Layout.rsm before going through the following lab.
1. On the Network Visualizer screen, click on the File menu and then click Open.
2. When the dialog box appears, make sure you are in the Networks folder.
3. Click on the file SDM Layout.rsm and click Open.
Lab Steps

1. Double-click 2811 Router A. After the console screen comes up, set the hostname and the IP addresses of each interface.
   Router>enable
   Router#config t
   Router(config)#hostname 2811A
   2811A(config)#interface fastethernet 0/0
   2811A(config-if)#ip address 172.16.10.1 255.255.255.0
   2811A(config-if)#no shutdown
   2811A(config-if)#interface fastethernet0/1
   2811A(config-if)#ip address 172.16.20.1 255.255.255.0
   2811A(config-if)#no shutdown
   2811A(config)#exit
   2811A#copy run start
   Destination filename [startup-config]? [enter]
   Building configuration...
   [OK]
   2811A#
2. Close the console screen.
3. Right-click on Host A.
4. Click on the Configs button.
5. On Host A configure:
   • IP Address
   • Subnet Mask
   • Default Gateway

   IP Address: 172.16.10.5
   Subnet Mask: 255.255.255.0
   Default Gateway: 172.16.10.1
6. Click the OK button and then the Close button.
7. Bring up the console screen for 2811 Router A by double-clicking on the router. Verify you can reach Host A.
   2811A#ping 172.16.10.5

   If all is well, you should get the following output from the router!
   Sending 5, 100-byte ICMP Echos to 172.16.10.5, timeout is 2 seconds:
   !!!!!
   Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/4 ms
   2811A#
8. Configure HTTPS on 2811 Router A and verify your configurations.
   2811A(config-if)#exit
   2811A(config)#ip http server
   2811A(config)#ip http secure-server
   % Generating 1024 bit RSA keys, keys will be non-exportable...[OK]
   2811A(config)#ip http authentication local
   2811A(config)#username cisco privilege 15 password 0 cisco
   2811A(config)#line console 0
   2811A(config-line)#login local
   2811A(config-line)#line vty 0 1180
   2811A(config-line)#privilege level 15
   2811A(config-line)#login local
   2811A(config-line)#transport input telnet ssh
   2811A(config-line)#exit
   2811A(config)#do show run

Before IOS version 12.3, you could not use the do command. You had to be in user or privileged mode in order to ping other devices or view configurations. However, beginning with IOS version 12.3 you can use the do command in the configuration mode to accomplish this.
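The step 8 commands get SDM working, but several of them also leave the management plane weaker than it needs to be: ip http server enables clear-text HTTP next to the HTTPS server SDM actually uses, password 0 cisco stores the account password in clear text (and show run displays it, since no service password-encryption is the default shown in this book's own show run output), the password equals the username, and transport input telnet ssh accepts clear-text telnet logins. The following Python script is an added example, not code from the book or from the simulator: it audits a running-config excerpt for exactly these settings. SAMPLE_CONFIG is constructed from the commands of step 8; HARDENED_CONFIG is a constructed alternative using the secret and ssh-only forms, with a placeholder hash.

```python
import re

# Constructed running-config excerpt reproducing the Lab 2.1 step 8 commands,
# plus the "no service password-encryption" default seen in the page's show run.
SAMPLE_CONFIG = """\
hostname 2811A
no service password-encryption
username cisco privilege 15 password 0 cisco
ip http server
ip http secure-server
ip http authentication local
line console 0
 login local
line vty 0 1180
 privilege level 15
 login local
 transport input telnet ssh
"""

# Constructed hardened variant; the secret hash is a placeholder, not a real one.
HARDENED_CONFIG = """\
hostname 2811A
service password-encryption
username netadmin privilege 15 secret 5 $1$PLACEHOLDER$hash
ip http secure-server
ip http authentication local
line vty 0 1180
 login local
 transport input ssh
"""

USERNAME_RE = re.compile(
    r"^username (?P<user>\S+)(?: privilege (?P<priv>\d+))? "
    r"(?P<kind>password|secret) (?:(?P<type>\d) )?(?P<pw>\S+)$")
TRANSPORT_RE = re.compile(r"^transport input (?P<protos>.+)$")


def audit_management_config(config):
    """Return (severity, config_line, advice) tuples for management-plane weaknesses."""
    findings = []
    for raw in config.splitlines():
        line = raw.strip()                       # line-mode commands are indented
        um, tm = USERNAME_RE.match(line), TRANSPORT_RE.match(line)
        if line == "no service password-encryption":
            findings.append(("medium", line, "type 0 passwords are displayed in clear text "
                             "by 'show run'; enable 'service password-encryption' and "
                             "prefer the 'secret' forms, which store a hash"))
        elif line == "ip http server":
            findings.append(("high", line, "clear-text HTTP management is enabled; SDM only "
                             "needs 'ip http secure-server', so remove this line"))
        elif um:
            if um["kind"] == "password" and um["type"] in (None, "0"):
                findings.append(("high", line, f"user '{um['user']}' has a clear-text "
                                 "password; use 'username ... secret' instead"))
            if um["pw"].lower() == um["user"].lower():
                findings.append(("high", line, f"user '{um['user']}' has a password equal "
                                 "to the username"))
            if um["priv"] == "15":
                findings.append(("info", line, "privilege 15 account: full configuration "
                                 "rights through the web UI"))
        elif tm:
            protos = tm["protos"].split()
            if "telnet" in protos or "all" in protos:
                findings.append(("high", line, "telnet carries credentials in clear text; "
                                 "use 'transport input ssh'"))
    return findings


def worst_severity(findings):
    """Highest severity among the findings, or 'none' when there are none."""
    order = {"info": 0, "medium": 1, "high": 2}
    return max((f[0] for f in findings), key=order.get, default="none")


if __name__ == "__main__":
    for sev, line, advice in audit_management_config(SAMPLE_CONFIG):
        print(f"[{sev}] {line}: {advice}")
```

The audit is line based on purpose, so it can be run over a saved show run text without any device access; the hardened excerpt still produces one informational finding for the privilege 15 account, which is expected since SDM needs such an account.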
You should now be able to launch the SDM.

Rename and Save Your File: Make sure you save the actual network layout file that you have been working with. You might want to save it to another file name than SDM Layout.rsm. This allows you to start over with a non-configured network if you wish.
1. There are two ways you can save a network layout. The first way is by clicking on the Diskette button on the button bar, at the top of the Network Visualizer screen. You can also click File on the menu and choose Save from the drop-down menu.
2. A dialog box will appear. At the bottom you will see the file name SDM Layout.rsm. Rename the file. For example, you could name it My SDM Layout.rsm.
3. Click the Save button. At this point your network layout has been saved to a new name. You then have the option of reloading SDM Layout.rsm, which is non-configured.
Lab 2.2: Connecting to the SDM using the 2811 Router

Now that we have configured 2811 Router A with HTTPS, we can launch SDM via Host A.
Network Layout Load SDM Layout.rsm or whatever you named the file when you saved your work in the prior lab.
Lab Steps

1. Put your cursor over Host A and click your right mouse button.
2. Click the Web Browser button.
3. When the web browser appears, enter the URL https://172.16.10.1 and press Enter.
4. Select Yes when the Security Alert dialog appears. The following screen may be different, depending on the web browser that you use.
5. When the username and password dialog appears, enter the username and password that you created in Lab 2.1, Step 8.
   Username: cisco
   Password: cisco
6. The SDM Launch screen will appear.
   Do not close this window; it will shut down the SDM. Just minimize the window until you shut down SDM.
7. When the Warning Security dialog appears, check the Always trust content from publisher option and then select Yes.
8. When the username and password dialog appears again, enter the username and password that you created in Lab 2.1, Step 8.
   Username: cisco
   Password: cisco
9. When the Change Default User Name and Password dialog screen appears, change your username and password. You will not see the following screen after your initial launch of the SDM.
   You will be prompted to enter the new username and password that you just created. The SDM will load the configuration from router 2811A and you should now be connected to the router via the SDM application.
10. When you are finished with the SDM, close the SDM application, SDM launch page, and the Web browser.
Lab 2.3: Configuring an Interface with SDM

In this lab you will learn how to configure an IP address on a router interface of 2811 Router A, using the SDM. You must manually configure the interface of 2811 Router A before using the SDM to modify it. See Lab 2.1 on how to configure 2811 Router A. If the SDM is not running, refer to Lab 2.2 on how to load it.
Network Layout Load SDM Layout.rsm or whatever you named the file when you saved your work.
Now that you have the SDM application up and running, you will see the main SDM window.
Lab Steps

1. Click on the Configure button (upper left corner of the screen) and a configuration window is displayed.
2. Then click on the Interface and Connections button.
3. Click the Edit Interface/Connection tab, and the Edit Interface/Connection tab is displayed.
4. Double-click on the line that displays FastEthernet0/1.
   ... and the Interface Feature Edit dialog screen appears.
5. With the Interface Feature Edit dialog open, you can enter a new IP address and subnet mask in the appropriate fields.
6. Click the OK button to change the IP address and subnet mask, or click the Cancel button to exit. When a new configuration is sent to the router, a Command Delivery Status dialog appears.
7. Save your configuration by clicking the Save button at the top of the screen.
8. You will see the following dialog box. Click the Yes button to continue.
Lab 2.4: Configuring a DHCP Pool with SDM

This lab will have you use the SDM to configure a DHCP Pool on 2811 Router A.
You must manually configure the interface of 2811 Router A before using the SDM to modify it. See Lab 2.1 on how to configure 2811 Router A. If the SDM is not running, refer to Lab 2.2 on how to load it.
Network Layout Load SDM Layout.rsm or whatever you named the file when you saved your work.
Lab Steps

1. Click on the Additional Tasks button located on the sidebar menu at the bottom left of the screen. If the Additional Tasks button is not visible, scroll the sidebar menu down until it appears. The Additional Tasks window will appear.
2. Expand the DHCP tree item by clicking the plus sign next to DHCP.
3. Click on DHCP Pools and the DHCP Pools window will appear.
4. Click the Add button and the DHCP Pool dialog screen will appear.
5. Configure your DHCP pool and then select the OK button.
When a new configuration is sent to the router a Command Delivery Status window appears.
6. Save your configuration by clicking the Save button.
Lab 2.5: Configuring Other Items with SDM

This lab will have you use the SDM to configure the hostname, the banner (message of the day), the IP domain-name, and the enable secret password. You must manually configure the interface of 2811 Router A before using the SDM to modify it. See Lab 2.1 on how to configure 2811 Router A. If the SDM is not running, refer to Lab 2.2 on how to load it.
Network Layout Load SDM Layout.rsm or whatever you named the file when you saved your work.
Lab Steps

1. Click on the Router Properties tree item and the Device Properties screen will appear.
2. Click the Edit button on the upper right side of the screen and the Device Properties dialog screen will appear.
3. Enter a hostname, an IP domain-name, and the message of the day banner.
4. With the Device Properties dialog still open, click on the Secret Password tab, configure your new password, and then click OK.
   When a new configuration is sent to the router, a Command Delivery Status dialog appears.
5. Save your configuration by clicking the Save button.
Lab 2.6: Verifying Your Configurations with SDM

This lab will have you verify your new router configurations. You must manually configure the interface of the 2811 Router A before using the SDM to modify it. See Lab 2.1 on how to configure 2811 Router A. If the SDM is not running, refer to Lab 2.2 on how to load it.
Network Layout Load SDM Layout.rsm or whatever you named the file when you saved your work.
Lab Steps

1. From your current SDM window, click on the Home button located at the top of the screen. You should see the following screen:
2. Click on the View Running Config button on the middle right area of the screen. The Show Running Configuration screen will appear.
3. Scroll through the running configuration so you can view your configurations.
4. Click the Close button when you are finished.
5. Close the SDM application.
Lab 2.7: Configuring the Routers

In this lab you will interact with routers, starting with 2621 Router A and working through 2811 Router A, and then finishing with 2621 Router B. After the configurations are complete, we will then build the routing tables.
Network Layout Load Standard Layout.rsm before going through the following lab.
1. On the Network Visualizer screen, click on the File menu and then click Open.
2. When the dialog box appears, make sure you are in the Networks folder.
3. Click on the file Standard Layout.rsm and click Open.
Lab Steps

1. Double-click 2621 Router A. After the console screen comes up set the
   • Hostname
   • Passwords
   • Interface descriptions
   • Banners
   • IP addresses of each interface

   Router>enable
   Router#config t
   Router(config)#hostname 2621A
   2621A(config)#enable secret todd
   2621A(config)#line console 0
   2621A(config-line)#password todd
   2621A(config-line)#login
   2621A(config-line)#line aux 0
   2621A(config-line)#password todd
   2621A(config-line)#login
   2621A(config-line)#line vty 0 4
   2621A(config-line)#password todd
   2621A(config-line)#login
   2621A(config-line)#int fa0/0
   2621A(config-if)#ip address 172.16.40.1 255.255.255.0
   2621A(config-if)#description connection to LAN 40
   2621A(config-if)#no shutdown
   2621A(config-if)#int s0/0
   2621A(config-if)#ip address 172.16.20.2 255.255.255.0
   2621A(config-if)#description connection to 2811A
   2621A(config-if)#no shutdown
   2621A(config-if)#exit
   2621A(config)#banner motd # This is the router 2621A #
   2621A(config)#exit
   2621A#copy run start
   Destination filename [startup-config]? [enter]
   Building configuration...
   [OK]
   2621A#
2. Double-click 2811 Router A. After the console screen comes up set the
   • Hostname
   • Passwords
   • Interface descriptions
   • Banners
   • IP addresses of each interface

   Router>enable
   Router#config t
   Router(config)#hostname 2811A
   2811A(config)#enable secret todd
   2811A(config)#line console 0
   2811A(config-line)#password todd
   2811A(config-line)#login
   2811A(config-line)#line aux 0
   2811A(config-line)#password todd
   2811A(config-line)#login
   2811A(config-line)#line vty 0 1180
   2811A(config-line)#password todd
   2811A(config-line)#login
   2811A(config-line)#int fa0/0
   2811A(config-if)#ip address 172.16.10.1 255.255.255.0
   2811A(config-if)#description connection to LAN 10
   2811A(config-if)#no shutdown
   2811A(config-if)#int s0/1/1
   2811A(config-if)#ip address 172.16.20.1 255.255.255.0
   2811A(config-if)#description connection to 2621A
   2811A(config-if)#no shutdown
   2811A(config-if)#int s0/0/1
   2811A(config-if)#ip address 172.16.30.1 255.255.255.0
   2811A(config-if)#description connection to 2621B
   2811A(config-if)#no shutdown
   2811A(config-if)#exit
   2811A(config)#banner motd # This is the router 2811A #
   2811A(config)#exit
   2811A#copy run start
   Destination filename [startup-config]? [enter]
   Building configuration...
   [OK]
   2811A#
Clock Rate

It is important to understand clocking on an interface. On a real connection, clocking issues will typically cause data loss and/or packet errors. You will also see framing slips on a carrier circuit when there is a clocking issue. You do not have to set a clock rate if the DCE side of your connection is a 2811 router; the clock rate for its serial interface is set by default to 2000000. However, on the 2621 router you still need to explicitly set the clock rate. In our lab the DCE side of the connection is interface serial 0/1/1 and serial 0/0/1.
Finding DCE

DCE (data communications equipment) is the side of the connection that provides the clocking. Unless it is a 2811 router, you would enter the clock rate on the DCE side of a connection between routers. If you cannot remember which side of your connection is DCE, you can use the show controllers command. Here is an example:
   2811#show controllers s0/1/1
   Interface Serial0/1/1
   Hardware is GT96K
   DCE V.35, clock rate 2000000
   idb at 0x454E69C8, driver data structure at 0x454EE0EC
   wic_info 0x454EE6E8
   Physical Port 0, SCC Num 0
   [output cut]
The DCE connection is associated with s0/1/1 and a clock rate of 2000000.

3. Double-click 2621 Router B. After the console screen comes up set the
   • Hostname
   • Passwords
   • Interface descriptions
   • Banners
   • IP addresses of each interface

   Router>enable
   Router#config t
   Router(config)#hostname 2621B
   2621B(config)#enable secret todd
   2621B(config)#line console 0
   2621B(config-line)#password todd
   2621B(config-line)#login
   2621B(config-line)#line aux 0
   2621B(config-line)#password todd
   2621B(config-line)#login
   2621B(config-line)#line vty 0 4
   2621B(config-line)#password todd
   2621B(config-line)#login
   2621B(config-line)#int fa0/1
   2621B(config-if)#ip address 172.16.50.1 255.255.255.0
   2621B(config-if)#description connection to LAN 50
   2621B(config-if)#no shutdown
   2621B(config-if)#int s0/0
   2621B(config-if)#ip address 172.16.30.2 255.255.255.0
   2621B(config-if)#description connection to 2811A
   2621B(config-if)#no shutdown
   2621B(config-if)#exit
   2621B(config)#banner motd # This is the router 2621B #
   2621B(config)#exit
   2621B#copy run start
   Destination filename [startup-config]? [enter]
   Building configuration...
   [OK]
   2621B#
Rename and Save Your File: Make sure you save the actual network layout file that you have been working with. You might want to save it to another file name than Standard Layout.rsm. This allows you to start over with a non-configured network if you wish.
1. There are two ways you can save a network layout. The first way is by clicking on the Diskette button on the button bar, at the top of the Network Visualizer screen. You can also click File on the menu and choose Save from the drop-down menu.
2. A dialog box will appear. At the bottom you will see the file name Standard Layout.rsm. Rename the file. In the following example it is renamed My Standard Layout.rsm.
3. Click the Save button. At this point your network layout has been saved to a new name. You then have the option of reloading Standard Layout.rsm, which is non-configured.
Lab 2.9: Configuring Static Routing

This lab will have you build the routing tables by hand, which means you will create static routing tables on each router. This will allow you to route throughout the entire network. At this point you can only route to the directly connected networks of each router. Remember that the routing will not work until all static routes are configured in all routers.

A static route is a manually hard-coded routing statement that creates a route in the routing table of a router. The static route specifies how the router will get to a certain network by using a certain path. Static routing refers to the manual method used to set up routing. This method has the advantage of being simple to create and predictable in its functionality. It is easy to manage in small networks, but in larger ones it is difficult to set up and manage all possible static routes. Static routes are not dynamically responsive to topology changes in a network.
Network Layout Load Standard Layout.rsm or whatever you named the file when you saved your work.
Lab Steps

1. From 2621 Router A, use the ip route command to configure static routing. 2621 Router A is connected to networks 172.16.20.0 and 172.16.40.0, and a static route must be configured for EVERY network that is not directly connected. The next hop gateway is always 172.16.20.1 (router 2811 A).
   2621A#config t
   2621A(config)#ip route 172.16.10.0 255.255.255.0 172.16.20.1
   2621A(config)#ip route 172.16.30.0 255.255.255.0 172.16.20.1
   2621A(config)#ip route 172.16.50.0 255.255.255.0 172.16.20.1
   2621A(config)#exit
   2621A#copy run start

Anatomy of a Command: ip route 172.16.10.0 255.255.255.0 172.16.20.1
   ip route        tells the system we are entering a static route
   172.16.10.0     the destination IP network address, where we want to send packets
   255.255.255.0   the mask of the destination IP network
   172.16.20.1     the IP address of the next hop used to reach the destination address
2. From 2621 Router B, use the ip route command to configure static routing. 2621 Router B is connected to networks 172.16.30.0 and 172.16.50.0, and a static route must be configured for EVERY network that is not directly connected. The next hop gateway is always 172.16.30.1 (router 2811 A).
   2621B#config t
   2621B(config)#ip route 172.16.10.0 255.255.255.0 172.16.30.1
   2621B(config)#ip route 172.16.20.0 255.255.255.0 172.16.30.1
   2621B(config)#ip route 172.16.40.0 255.255.255.0 172.16.30.1
   2621B(config)#exit
   2621B#copy run start
3. From 2811 Router A, use the ip route command to configure static routing. 2811 Router A is connected to networks 172.16.10.0, 172.16.20.0 and 172.16.30.0, and a static route must be configured for EVERY network that is not directly connected. The next hop gateway will be either 2621 Router A or 2621 Router B.
   2811A#config t
   2811A(config)#ip route 172.16.40.0 255.255.255.0 172.16.20.2
   2811A(config)#ip route 172.16.50.0 255.255.255.0 172.16.30.2
   2811A(config)#exit
   2811A#copy run start
Directly Connected Routes In the preceding set of ip route commands for 2811 Router A, routes are not established for networks 20 and 30. 2811 Router A knows about these networks (routes) because they are directly connected to the router. Therefore you do not have to enter ip route commands for these two networks; only for networks that are not directly connected to 2811 Router A, such as networks 40 and 50.
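The rule of this lab (one ip route for every network that is not directly connected) and its warning (routing does not work until every router has its routes) can both be checked without a console. The following Python script is an added example, not part of the book or of the Network Visualizer: it takes the interface addresses entered in Lab 2.7, derives the ip route commands each router needs, and then simulates forwarding with longest-prefix matching, including the return path a ping needs. The demo leaves 2621 Router B without its static routes to show that the echo from 2621 Router A still arrives while the reply has nowhere to go, which is why a ping fails until all three routers are done. The addresses are the lab's; the generator, the simulation and the demo scenario are assumptions of this example.

```python
import ipaddress
from collections import deque

# Addressing of the Standard Layout as entered in Lab 2.7 (router -> interface -> address).
# Only these values come from the lab; the generator and the simulation are added here.
ROUTERS = {
    "2621A": {"FastEthernet0/0": "172.16.40.1/24", "Serial0/0": "172.16.20.2/24"},
    "2811A": {"FastEthernet0/0": "172.16.10.1/24",
              "Serial0/1/1": "172.16.20.1/24", "Serial0/0/1": "172.16.30.1/24"},
    "2621B": {"FastEthernet0/1": "172.16.50.1/24", "Serial0/0": "172.16.30.2/24"},
}
IFACES = {r: [ipaddress.ip_interface(a) for a in v.values()] for r, v in ROUTERS.items()}
OWNER = {i.ip: r for r, ifs in IFACES.items() for i in ifs}   # interface address -> router


def connected(router):
    """Networks the router lists as 'C' routes: one per addressed interface."""
    return {i.network for i in IFACES[router]}


def neighbours(router):
    """(neighbour, neighbour's address) for every router on a shared network."""
    return [(o, i.ip) for o in ROUTERS if o != router
            for i in IFACES[o] if i.network in connected(router)]


def first_hops(router):
    """Breadth-first search: first-hop address from `router` toward every other router."""
    hop = dict(neighbours(router))
    queue = deque(hop)
    while queue:
        cur = queue.popleft()
        for nbr, _ in neighbours(cur):
            if nbr != router and nbr not in hop:
                hop[nbr] = hop[cur]
                queue.append(nbr)
    return hop


def static_routes(router):
    """The 'ip route' commands for every network that is not directly connected."""
    routes = {}
    for other, addr in first_hops(router).items():        # nearest routers come first
        for net in connected(other) - connected(router):
            routes.setdefault(net, addr)
    return [f"ip route {n.network_address} {n.netmask} {h}" for n, h in sorted(routes.items())]


def routing_table(router, statics=None):
    """{network: next hop}; a next hop of None marks a directly connected route."""
    table = {net: None for net in connected(router)}
    for cmd in static_routes(router) if statics is None else statics:
        _, _, net, mask, hop = cmd.split()
        table[ipaddress.ip_network(f"{net}/{mask}")] = ipaddress.ip_address(hop)
    return table


def lookup(table, ip):
    """Longest-prefix match, as the router does: (network, next hop) or None."""
    hits = [n for n in table if ip in n]
    if not hits:
        return None
    best = max(hits, key=lambda n: n.prefixlen)
    return best, table[best]


def path(src, dst_ip, tables):
    """Routers traversed from `src` to `dst_ip`, or None when some router has no route."""
    dst_ip, walk = ipaddress.ip_address(dst_ip), [src]
    for _ in range(len(ROUTERS) + 1):              # bounded walk: a loop counts as failure
        hit = lookup(tables[walk[-1]], dst_ip)
        if hit is None:
            return None
        if hit[1] is None:                          # connected network: delivered here
            return walk
        if hit[1] not in OWNER:                     # next hop is not a router we know
            return None
        walk.append(OWNER[hit[1]])
    return None


def ping_works(src, dst_ip, tables):
    """A ping to a router address needs a route for the echo AND one for the reply."""
    dst_ip = ipaddress.ip_address(dst_ip)
    hit = lookup(tables[src], dst_ip)
    if hit is None or dst_ip not in OWNER or path(src, dst_ip, tables) is None:
        return False
    target = dst_ip if hit[1] is None else hit[1]   # the reply returns to the interface
    src_ip = next((i.ip for i in IFACES[src] if target in i.network), None)  # the echo left from
    return src_ip is not None and path(OWNER[dst_ip], src_ip, tables) is not None


def demo():
    """Complete tables versus 2621B left without its static routes (the lab's warning)."""
    full = {r: routing_table(r) for r in ROUTERS}
    partial = dict(full, **{"2621B": routing_table("2621B", statics=[])})
    return {
        "2621A_commands": static_routes("2621A"),
        "ping_full": ping_works("2621A", "172.16.50.1", full),
        "echo_reaches_2621B": path("2621A", "172.16.50.1", partial) is not None,
        "ping_partial": ping_works("2621A", "172.16.50.1", partial),
    }


if __name__ == "__main__":
    for router in ROUTERS:
        print(router, static_routes(router))
    print(demo())
```

The generated commands for the three routers are exactly the ones entered in steps 1 to 3; the simulation only knows router addresses, so the destinations are the router interfaces that the ping step of Lab 2.10 also uses.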
Save Your File: Make sure you save the network layout file that you have been working with.
Lab 2.10: Verifying Static Routing

It is important to be able to verify your configurations. The best command to use is show ip route. However, if a route is not in your routing table, make sure it is correctly configured in the running-config. If you see a routing entry in the running-config but it is not in the routing table, check the entry for a typo. If it is correct, then make sure the link to that network is up.
Network Layout Load Standard Layout.rsm or whatever you named the file when you saved your work.
Lab Steps

1. From 2621 Router A, use the show ip route command to verify your routing table.
   2621A#show ip route
   Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
          D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
          N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
          E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
          i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, * - candidate default
          U - per-user static route, o - ODR, P - periodic downloaded static route
          T - traffic engineered route

   Gateway of last resort is not set

        172.16.0.0/24 is subnetted, 5 subnets
   S       172.16.30.0 [1/0] via 172.16.20.1
   C       172.16.40.0 is directly connected, FastEthernet0/0
   S       172.16.50.0 [1/0] via 172.16.20.1
   C       172.16.20.0 is directly connected, Serial0/0
   S       172.16.10.0 [1/0] via 172.16.20.1
   2621A#
Anatomy of a Routing Table

Output: 172.16.0.0/24 is subnetted, 5 subnets
   Description: class B network 172.16.0.0 is subnetted into 5 class C networks. The 5 subnetted class C networks are: 172.16.50.0, 172.16.40.0, 172.16.30.0, 172.16.20.0, 172.16.10.0
   Metric: /24 means a class C network

Output: S 172.16.30.0 [1/0] via 172.16.20.1
   Description: any packets destined for network 172.16.30.0 are forwarded to the next hop router with the IP address of 172.16.20.1
   Metric: S means the route is a static route and was manually added using the ip route command. [1/0] is the administrative distance (1) and routing metric (0).

Output: C 172.16.40.0 is directly connected, FastEthernet0/0
   Description: any packets destined for network 172.16.40.0 are forwarded to the IP address assigned to the FastEthernet0/0 interface
   Metric: C means the route is directly connected to the local router's FastEthernet0/0 interface. The route is automatically added to the local routing table when F0/0 is assigned an IP address, has a physical cable connection, and is turned up for service.

Output: S 172.16.50.0 [1/0] via 172.16.20.1
   Description: any packets destined for network 172.16.50.0 are forwarded to the next hop router with the IP address of 172.16.20.1
   Metric: S means the route is a static route and was manually added using the ip route command. [1/0] is the administrative distance (1) and routing metric (0).

Output: C 172.16.20.0 is directly connected, Serial0/0
   Description: any packets destined for network 172.16.20.0 are forwarded to the IP address assigned to the Serial0/0 interface
   Metric: C means the route is directly connected to the local router's Serial0/0 interface. The route is automatically added to the local routing table when S0/0 is assigned an IP address, has a physical cable connection, and is turned up for service.

Output: S 172.16.10.0 [1/0] via 172.16.20.1
   Description: any packets destined for network 172.16.10.0 are forwarded to the next hop router with the IP address of 172.16.20.1
   Metric: S means the route is a static route and was manually added using the ip route command. [1/0] is the administrative distance (1) and routing metric (0).

2. From 2621 Router B, use the show ip route command to verify your routing table.
   2621B#show ip route
   Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
          D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
          N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
          E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
          i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, * - candidate default
          U - per-user static route, o - ODR, P - periodic downloaded static route
          T - traffic engineered route

   Gateway of last resort is not set

        172.16.0.0/24 is subnetted, 5 subnets
   C       172.16.30.0 is directly connected, Serial0/0
   S       172.16.40.0 [1/0] via 172.16.30.1
   C       172.16.50.0 is directly connected, FastEthernet0/0
   S       172.16.20.0 [1/0] via 172.16.30.1
   S       172.16.10.0 [1/0] via 172.16.30.1
   2621B#
3. From the 2811 Router A, use the show ip route command to verify your routing table. We will purposely go into the global configuration mode in order to use the do command.
   2811A#config t
   2811A(config)#do show ip route
   Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
          D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
          N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
          E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
          i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, * - candidate default
          U - per-user static route, o - ODR, P - periodic downloaded static route
          T - traffic engineered route

   Gateway of last resort is not set

        172.16.0.0/24 is subnetted, 5 subnets
   C       172.16.30.0 is directly connected, Serial0/0/1
   S       172.16.40.0 [1/0] via 172.16.20.2
   S       172.16.50.0 [1/0] via 172.16.30.2
   C       172.16.20.0 is directly connected, Serial0/1/1
   C       172.16.10.0 is directly connected, FastEthernet0/0
   2811A#
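Reading show ip route by eye works for three routers; for more, or for checking a table against what was intended, it helps to parse the output. The following Python script is an added example, not code from the book or the simulator: it parses the routing-table lines (code, network, administrative distance, metric, next hop or interface, taking the prefix length from the "is subnetted" header line) and compares the static routes found with the baseline of routes that Lab 2.9 configured on 2621 Router A. The embedded output is constructed, modelled on step 1 but with two deliberate defects: the route to 172.16.10.0 is absent, and the next hop of the 172.16.50.0 route was mistyped, which is the "check the entry for a typo" case this lab describes. The baseline dictionary and the function names are assumptions of this example.

```python
import re
import ipaddress

# Constructed "show ip route" output for 2621 Router A, modelled on Lab 2.10 step 1.
# Deliberate defects: 172.16.10.0 is missing and 172.16.50.0 points at a mistyped hop.
SAMPLE_SHOW_IP_ROUTE = """\
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       [codes cut]
Gateway of last resort is not set

     172.16.0.0/24 is subnetted, 5 subnets
S       172.16.30.0 [1/0] via 172.16.20.1
C       172.16.40.0 is directly connected, FastEthernet0/0
S       172.16.50.0 [1/0] via 172.16.20.11
C       172.16.20.0 is directly connected, Serial0/0
"""

# The static routes Lab 2.9 step 1 configured on 2621A: network -> next hop.
BASELINE_2621A = {
    "172.16.10.0/24": "172.16.20.1",
    "172.16.30.0/24": "172.16.20.1",
    "172.16.50.0/24": "172.16.20.1",
}

# "172.16.0.0/24 is subnetted, 5 subnets": the prefix length for the entries below it.
# In a "variably subnetted" block each entry carries its own /length instead.
SUBNETTED_RE = re.compile(r"^\s*(?P<major>\d+\.\d+\.\d+\.\d+)/(?P<len>\d+) is (?:variably )?subnetted")
# One table entry: code(s), network[/len], then either "[AD/metric] via hop" or a connected interface.
ROUTE_RE = re.compile(
    r"^\s*(?P<code>[A-Za-z][A-Za-z0-9*]?(?: [A-Z][A-Z0-9]?)?)\s+"
    r"(?P<net>\d+\.\d+\.\d+\.\d+)(?:/(?P<len>\d+))?\s+"
    r"(?:\[(?P<ad>\d+)/(?P<metric>\d+)\] via (?P<via>\d+\.\d+\.\d+\.\d+)"
    r"|is directly connected, (?P<iface>\S+))")


def parse_show_ip_route(text):
    """Return a list of route dicts: code, network, ad, metric, via, iface."""
    routes, prefixlen = [], None
    for line in text.splitlines():
        m = SUBNETTED_RE.match(line)
        if m:
            prefixlen = int(m["len"])
            continue
        m = ROUTE_RE.match(line)
        if not m:
            continue                                 # header, codes legend, blank lines
        plen = int(m["len"]) if m["len"] else prefixlen
        if plen is None:
            raise ValueError(f"no prefix length known for entry: {line!r}")
        routes.append({
            "code": m["code"],
            "network": ipaddress.ip_network(f"{m['net']}/{plen}"),
            "ad": int(m["ad"]) if m["ad"] else 0,    # connected routes have AD 0
            "metric": int(m["metric"]) if m["metric"] else 0,
            "via": ipaddress.ip_address(m["via"]) if m["via"] else None,
            "iface": m["iface"],
        })
    return routes


def compare_static_routes(routes, baseline):
    """(missing, unexpected) static routes versus the baseline, as 'network via hop' strings."""
    seen = {f"{r['network']} via {r['via']}" for r in routes if r["code"].startswith("S")}
    expected = {f"{ipaddress.ip_network(n)} via {ipaddress.ip_address(h)}"
                for n, h in baseline.items()}
    return expected - seen, seen - expected


if __name__ == "__main__":
    parsed = parse_show_ip_route(SAMPLE_SHOW_IP_ROUTE)
    missing, unexpected = compare_static_routes(parsed, BASELINE_2621A)
    print("missing:", sorted(missing))
    print("unexpected:", sorted(unexpected))
```

A mistyped next hop shows up twice, once as a missing baseline route and once as an unexpected one, which is the quickest way to spot the typo; a route that is in the running-config but absent here points at the link check the lab text describes. The same comparison, run against a saved baseline, also shows any static route that was added to a router without your knowledge.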
4. Once you have verified the routing tables in all routers, use the ping command to verify IP connectivity between routers.

2621A#ping 172.16.50.1
2621A#ping 172.16.30.2
2621B#ping 172.16.40.1
2621B#ping 172.16.20.2
Practice Scenario: Basic Cisco Router Operations, Configuring Static or Default Routes

Now that you have learned about some concepts and completed some hands-on work, try your problem-solving and troubleshooting skills with the following task. To complete your task you will need a network to interact with a scenario and the task(s) at hand. When you have finished with this scenario ... you can check your work by clicking the Grade Me button in the upper right hand corner of the Network Visualizer screen.

You will see a report that will display:
• The name of the command entered for this scenario
• The expected configuration
• Your configuration
• The result for each command. You will see a green check mark (meaning that you got it correct) or a red X
• A score of the number of correct answers out of the total possible
Turn On Hostnames In some of the practice labs we refer to the hostname of a device. Therefore, we need to make sure that Hostnames is turned on for this lab. On the Network Visualizer screen click View and then click Hostnames so that it has a checkmark next to it.
Network Layout On the Network Visualizer screen, click on the Labs menu then choose Practice Scenarios, Basic Cisco Router Operations, and Configuring Static or Default Routes - 1.
Scenario
The senior network administrator at Smoke-Alarm Inc. would like you to set up static routing on all network routers.

Task
• Configure static routing on the R&D_R1 router
• Configure static routing on the MARKETING_R1 router
• Configure static routing on the Plant-1 router
Lab 2.11: Configuring and Verifying the Hosts We will now configure all the hosts in the network and then verify the configurations.
Network Layout Load the network layout you have been working with in section 2.
Lab Steps

1. Right-click on Host A.

2. Click on the Configs button.

3. On Host A configure:
• IP address
• Subnet Mask
• Default Gateway

IP Address: 172.16.10.5
Subnet Mask: 255.255.255.0
Default Gateway: 172.16.10.1

IP address: a unique number that identifies a device on a network, equivalent to the street address of your home. An IPv4 address is a 32-bit value written as four decimal numbers separated by periods, each from 0 to 255; 172.16.10.6 is an example.

subnet mask: when you split up an IP network, the mask determines which subnet the IP address of a device belongs to. An IP address has two parts, the network address and the host address, and the mask marks the boundary between them. Take 172.16.10.6: treated as a Class B address, the first two numbers (172.16) are the network address and the second two (10.6) identify a particular host on that network. With the 255.255.255.0 mask used in this lab, the first three numbers (172.16.10) identify the subnet and only the last number (6) identifies the host.

default gateway: an IP address configured on a networked device that allows that device to communicate outside its own subnet. A default gateway is usually a layer 3 device such as a router. When a device wants to reach the Internet, it sends the traffic to its default gateway. A default gateway address is equivalent to the on-ramp of a highway.
4. Click the OK button and then the Close button.

5. On Host B configure:
• IP address
• Subnet Mask
• Default Gateway

IP Address: 172.16.10.6
Subnet Mask: 255.255.255.0
Default Gateway: 172.16.10.1

6. Click the OK button and then the Close button.

7. On Host C configure:
• IP address
• Subnet Mask
• Default Gateway

IP Address: 172.16.10.7
Subnet Mask: 255.255.255.0
Default Gateway: 172.16.10.1

8. Click the OK button and then the Close button.

9. On Host D configure:
• IP address
• Subnet Mask
• Default Gateway

IP Address: 172.16.10.8
Subnet Mask: 255.255.255.0
Default Gateway: 172.16.10.1

10. Click the OK button and then the Close button.

11. On Host E configure:
• IP address
• Subnet Mask
• Default Gateway

IP Address: 172.16.40.3
Subnet Mask: 255.255.255.0
Default Gateway: 172.16.40.1

12. Click the OK button and then the Close button.

13. On Host F configure:
• IP address
• Subnet Mask
• Default Gateway

IP Address: 172.16.50.3
Subnet Mask: 255.255.255.0
Default Gateway: 172.16.50.1

14. Click the OK button and then the Close button.

15. From each host, ping all other hosts. Here is an example where we ping all other hosts from Host D.

16. Double-click Host D on the network.

C:\>ping 172.16.10.5
C:\>ping 172.16.10.6
C:\>ping 172.16.10.7
C:\>ping 172.16.40.3
C:\>ping 172.16.50.3
Save Your File: Make sure you save the network layout file that you have been working with.
Lab 2.12: Configuring Default Routing Static routing is great in small networks, and is even better when you are trying to learn IP routing since you really have to understand how the network works to make static routing perform correctly. Configuring default routing on a router is not like setting the default gateway on a host. Remember that a router is the default gateway and you cannot set a default gateway on a router. However, you can set what is called a Gateway of Last Resort.
Gateway of Last Resort If a packet is destined for a network that is not listed in the routing table, the router will forward the packet to the default route.
You can only configure default routing on a router that is connected to a stub network, which means that there is no other router on the connected networks. In other words, there is only one way in and out. Routers 2621 A and 2621 B are stub routers for their LANs because they are the only way in and out of each LAN. Router 2811 A is not a candidate for a single default route because it connects to both 2621 routers and therefore has more than one exit path.
To configure default routing, use the ip route command, but instead of a specific network and subnet mask you use all zeros: 0.0.0.0 0.0.0.0, which means any network with any mask. The lab also has you enter the ip classless command when using default routing; this tells the router to forward packets for unknown subnets of a known major network to the default route instead of dropping them. (ip classless has been enabled by default since IOS 11.3, so on these routers the command confirms an existing setting rather than changing one.)

Instead of typing all the commands by hand, you can use your up-arrow key to recall the command you want to remove. Then press ctrl+a to move your cursor to the beginning of the line, type no followed by a space, and press Enter. This is just an easier way to remove the static routes.
Network Layout Load the network layout you have been working with for labs in section 2.
Lab Steps

1. Before configuring routers 2621 A and B with default routing, you must remove the static routes created in the static routing lab earlier in this section. Use the no ip route command.

2621A#config t
2621A(config)#no ip route 172.16.10.0 255.255.255.0 172.16.20.1
2621A(config)#no ip route 172.16.30.0 255.255.255.0 172.16.20.1
2621A(config)#no ip route 172.16.50.0 255.255.255.0 172.16.20.1
2621A(config)#exit
Anatomy of a Command: no ip route 172.16.10.0 255.255.255.0 172.16.20.1

no ip route: tells the system we are removing a static route
172.16.10.0: the destination IP network address, where we want to send packets
255.255.255.0: the mask of the destination IP network
172.16.20.1: the IP address of the next hop used to reach the destination address
2. Remove the static routes from 2621 Router B.

2621B#config t
2621B(config)#no ip route 172.16.10.0 255.255.255.0 172.16.30.1
2621B(config)#no ip route 172.16.20.0 255.255.255.0 172.16.30.1
2621B(config)#no ip route 172.16.40.0 255.255.255.0 172.16.30.1
2621B(config)#exit
3. Verify that 2621 Router A and 2621 Router B only have the directly connected networks in the routing table.

2621A#show ip route
[output cut]
Gateway of last resort is not set

     172.16.0.0/24 is subnetted, 2 subnets
C       172.16.40.0 is directly connected, FastEthernet0/0
C       172.16.20.0 is directly connected, Serial0/0

2621B#show ip route
[output cut]
Gateway of last resort is not set

     172.16.0.0/24 is subnetted, 2 subnets
C       172.16.30.0 is directly connected, Serial0/0
C       172.16.50.0 is directly connected, FastEthernet0/0
4. From the 2621 Router A, add the default route pointing to 2811 Router A. The default route tells the router to send all packets destined for any network not in the routing table to router 2811 A, which will then route the packet.

2621A#config t
2621A(config)#ip route 0.0.0.0 0.0.0.0 172.16.20.1
2621A(config)#ip classless
2621A(config)#exit
2621A#copy run start
Anatomy of a Command: [default] ip route 0.0.0.0 0.0.0.0 172.16.20.1

ip route: tells the system we are adding a static route
0.0.0.0 (network): a destination network of all zeros, which matches any destination address
0.0.0.0 (mask): a mask of all zeros, so no bits of the destination address have to match; together the two zero fields form the 0.0.0.0/0 entry, which is used only when no more specific route exists in the local routing table
172.16.20.1: the IP address of the next hop router to which packets destined for networks that have no local routing table entry will be forwarded
5. From 2621 Router B, add the default route pointing to 2811 Router A. The default route tells the router to send all packets destined for any network not in the routing table to router 2811 A, which will then route the packet.

2621B#config t
2621B(config)#ip route 0.0.0.0 0.0.0.0 172.16.30.1
2621B(config)#ip classless
2621B(config)#exit
2621B#copy run start
Save Your File: Make sure you save the network layout file that you have been working on.
Lab 2.13: Verifying Default Routing To verify the configurations of the default route, use the show ip route and ping commands.
Network Layout Load the network layout you have been working with for labs in section 2.
1. Verify that the network is working by using the show ip route command on 2621 Router A and 2621 Router B to check the routing tables.

2621A#show ip route
[output cut]
Gateway of last resort is 172.16.20.1 to network 0.0.0.0

     172.16.0.0/24 is subnetted, 2 subnets
C       172.16.40.0 is directly connected, FastEthernet0/0
C       172.16.20.0 is directly connected, Serial0/0
S*   0.0.0.0 [1/0] via 172.16.20.1

2621B#show ip route
[output cut]
Gateway of last resort is 172.16.30.1 to network 0.0.0.0

     172.16.0.0/24 is subnetted, 2 subnets
C       172.16.30.0 is directly connected, Serial0/0
C       172.16.50.0 is directly connected, FastEthernet0/0
S*   0.0.0.0 [1/0] via 172.16.30.1

The Gateway of Last Resort has now been set because a default route was configured on each router. In 2621 Router B, for example, it is denoted by the routing table entry S* 0.0.0.0 [1/0] via 172.16.30.1.
2. Verify your network is working. Ping each host from Host D. Double-click Host D on the network.

C:\>ping 172.16.10.5
C:\>ping 172.16.10.6
C:\>ping 172.16.10.7
C:\>ping 172.16.40.3
C:\>ping 172.16.50.3
Save Your File: Make sure you save the network layout file that you have been working on.
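The lookup that produces the behaviour seen in Labs 2.10 and 2.13, as an added example in Python that is not part of the original lab text: it parses the body of a show ip route listing into route entries, then resolves destinations by longest-prefix match, falling back to the 0.0.0.0/0 entry only when nothing more specific matches, and dropping the packet when there is no match and no gateway of last resort. The two sample tables are copied from 2621 Router B's output in the labs above; the Route class and the function names are this example's own, not IOS commands.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample input: the routing table of 2621 Router B as it appears in
# the lab, first with three static routes and then after those routes were
# replaced by a single default route (the S* entry).
SHOW_IP_ROUTE_STATIC = """\
Gateway of last resort is not set
     172.16.0.0/24 is subnetted, 5 subnets
C       172.16.30.0 is directly connected, Serial0/0
S       172.16.40.0 [1/0] via 172.16.30.1
C       172.16.50.0 is directly connected, FastEthernet0/0
S       172.16.20.0 [1/0] via 172.16.30.1
S       172.16.10.0 [1/0] via 172.16.30.1
"""

SHOW_IP_ROUTE_DEFAULT = """\
Gateway of last resort is 172.16.30.1 to network 0.0.0.0
     172.16.0.0/24 is subnetted, 2 subnets
C       172.16.30.0 is directly connected, Serial0/0
C       172.16.50.0 is directly connected, FastEthernet0/0
S*   0.0.0.0 [1/0] via 172.16.30.1
"""


@dataclass(frozen=True)
class Route:
    code: str                        # C, S, S*, R, ...
    prefix: ipaddress.IPv4Network
    admin_distance: int              # left number in [AD/metric]; 0 for connected
    metric: int                      # right number in [AD/metric]
    next_hop: Optional[str]          # None for a directly connected network
    interface: Optional[str]         # None when only a next hop is listed


# "     172.16.0.0/24 is subnetted, 5 subnets" carries the mask for the entries
# that follow it; the entries themselves omit the prefix length.
_SUBNETTED = re.compile(r"^\s+\d+\.\d+\.\d+\.\d+/(\d+) is subnetted")
_ENTRY = re.compile(
    r"^(?P<code>[A-Z]\*?)\s+(?P<net>\d+\.\d+\.\d+\.\d+)(?:/(?P<plen>\d+))?\s+"
    r"(?:\[(?P<ad>\d+)/(?P<metric>\d+)\] via (?P<nh>\d+\.\d+\.\d+\.\d+)"
    r"|is directly connected, (?P<ifc>\S+))"
)


def parse_show_ip_route(text: str) -> List[Route]:
    """Turn the body of a show ip route listing into Route objects."""
    routes: List[Route] = []
    current_plen = 32
    for line in text.splitlines():
        m = _SUBNETTED.match(line)
        if m:
            current_plen = int(m.group(1))
            continue
        m = _ENTRY.match(line)
        if not m:
            continue                        # legend, blank and summary lines
        net = m.group("net")
        if m.group("plen"):
            plen = int(m.group("plen"))
        elif net == "0.0.0.0":
            plen = 0                        # the default route, 0.0.0.0/0
        else:
            plen = current_plen
        prefix = ipaddress.ip_network(f"{net}/{plen}", strict=False)
        if m.group("ifc"):
            routes.append(Route(m.group("code"), prefix, 0, 0, None, m.group("ifc")))
        else:
            routes.append(Route(m.group("code"), prefix, int(m.group("ad")),
                                int(m.group("metric")), m.group("nh"), None))
    return routes


def lookup(routes: List[Route], destination: str) -> Optional[Route]:
    """Longest-prefix match, then lowest AD and metric; None means the packet is dropped."""
    addr = ipaddress.ip_address(destination)
    matches = [r for r in routes if addr in r.prefix]
    if not matches:
        return None
    return max(matches, key=lambda r: (r.prefix.prefixlen, -r.admin_distance, -r.metric))


def gateway_of_last_resort(routes: List[Route]) -> Optional[str]:
    """Next hop of the 0.0.0.0/0 entry, or None when no default route exists."""
    default = [r for r in routes if r.prefix.prefixlen == 0]
    return default[0].next_hop if default else None


if __name__ == "__main__":
    for name, table in (("static", SHOW_IP_ROUTE_STATIC), ("default", SHOW_IP_ROUTE_DEFAULT)):
        routes = parse_show_ip_route(table)
        print(f"--- 2621B with {name} routes; gateway of last resort: {gateway_of_last_resort(routes)}")
        for dst in ("172.16.50.3", "172.16.10.5", "10.1.1.1"):
            r = lookup(routes, dst)
            print(f"{dst:12} -> " + ("dropped (no route)" if r is None
                                     else f"{r.code} {r.prefix} via {r.next_hop or r.interface}"))
```

With the static table, a packet for 10.1.1.1 is dropped because nothing matches and there is no gateway of last resort; with the default route in place the same packet is forwarded to 172.16.30.1, which is exactly why a default route on an edge router should be paired with filtering of addresses that should never leave the site.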
Practice Scenario: Basic Cisco Router Operations, Configuring Static or Default Routes

Now that you have learned about some concepts and completed some hands-on work, try your problem-solving and troubleshooting skills with the following task. To complete your task you will need a network to interact with a scenario and the task(s) at hand. When you have finished with this scenario ... you can check your work by clicking the Grade Me button in the upper right hand corner of the Network Visualizer screen.

You will see a report that will display:
• The name of the command entered for this scenario
• The expected configuration
• Your configuration
• The result for each command. You will see a green check mark (meaning that you got it correct) or a red X
• A score of the number of correct answers out of the total possible
Network Layout On the Network Visualizer screen, click on the Labs menu then choose Practice Scenarios, Basic Cisco Router Operations, and Configuring Static or Default Routes - 2.
Turn On Hostnames In some of the practice labs we refer to the hostname of a device. Therefore, we need to make sure that Hostnames is turned on for this lab. On the Network Visualizer screen click View and then click Hostnames so that it has a checkmark next to it.
Scenario
The senior network administrator at Widget Inc. would like you to set up default routing.

Task
• Configure default routing on the R&D_R1 router
• Configure default routing on the Plant-1 router
Lab 2.14: Configuring RIPv2

This lab will have you configure RIPv2.

RIPv2: RIP version 1 does not carry subnet information. To overcome this, RIPv2 was created in 1994 to address some deficiencies in RIP. RIPv2 can carry subnet information and sends routing updates to the multicast address 224.0.0.9 instead of broadcasting them. It also provides support for variable length subnet masks (VLSM) and discontiguous networks, and it adds the ability to authenticate updates, which RIPv1 lacks; the labs in this section do not enable authentication, so any device on a link could inject routes into these routers. RIPv2 is not automatically turned on with the router rip command. You must also use the version 2 command.

VLSM (Variable Length Subnet Mask): the network 192.168.10.0/24 can be used to create subnets that have different subnet masks. For example, you can create 192.168.10.36/30 and 192.168.10.80/29 out of 192.168.10.0/24, use the /30 on a WAN link and the /29 on a LAN segment. VLSM is useful when you have different numbers of networked devices at each branch office, and it helps IP administrators use their address space more efficiently.

discontiguous networking: when a major network such as 192.168.10.0 is separated by a different major network such as 10.0.0.0. Example: the 192.168.10.0/24 network is subnetted into two or more networks, 192.168.10.36/30 and 192.168.10.80/29, which are configured on different routers. The routers use the 10.0.0.0 network to connect to each other, so one major network is separated by another.
Network Layout Load the network layout you have been working with in ICND 2 labs.
Lab Steps

1. From 2621 Router A, configure RIP routing to use version 2.

2621A#config t
2621A(config)#router rip
2621A(config-router)#version 2
2621A(config-router)#ctrl+z

That's all there is to it! Since we have already added our directly connected networks under router rip in our last lab, we now just have to tell it to run version 2.

2. From 2621 Router B, configure RIP routing to use version 2.

2621B#config t
2621B(config)#router rip
2621B(config-router)#version 2
2621B(config-router)#ctrl+z

3. From the 2811 Router A, configure RIP routing to use version 2.

2811A#config t
2811A(config)#router rip
2811A(config-router)#version 2
2811A(config-router)#ctrl+z
Lab 2.16: Using Traceroute With the traceroute command you can display a list of routers on a path from a source to a destination in your network.
Network Layout
Load Traceroute Layout.rsm before going through the following lab.
1. On the Network Visualizer screen, click on the File menu and then click Open.
2. When the dialog box appears, make sure you are in the Networks folder.
3. Click on the file Traceroute Layout.rsm and click Open.
Lab Steps
We will first configure all the devices with IP addresses.

1. Double-click 2621 Router A. After the console screen comes up, configure interface s0/0.

Router>enable
Router#config t
Router(config)#hostname 2621A
2621A(config)#int s0/0
2621A(config-if)#ip address 172.16.20.2 255.255.255.0
2621A(config-if)#no shutdown
2621A(config-if)#ctrl+z
2621A#copy run start
Destination filename [startup-config]? [enter]
Building configuration...
[OK]
2621A#
2. Bring up the console for 2811 Router A. After the console screen comes up, configure the interfaces.

Router>enable
Router#config t
Router(config)#hostname 2811A
2811A(config)#int s0/1/1
2811A(config-if)#ip address 172.16.20.1 255.255.255.0
2811A(config-if)#no shutdown
2811A(config-if)#int s0/0/1
2811A(config-if)#ip address 172.16.30.1 255.255.255.0
2811A(config-if)#no shutdown
2811A(config-if)#ctrl+z
2811A#copy run start
Destination filename [startup-config]? [enter]
Building configuration...
[OK]
2811A#

Please Note: You do not have to set the DCE connection associated with s0/1/1, which has a clock rate of 2000000. It is there by default.

3. Double-click 2621 Router B. After the console screen comes up, configure interface s0/0.

Router>enable
Router#config t
Router(config)#hostname 2621B
2621B(config)#int s0/0
2621B(config-if)#ip address 172.16.30.2 255.255.255.0
2621B(config-if)#no shutdown
2621B(config-if)#ctrl+z
2621B#copy run start
Destination filename [startup-config]? [enter]
Building configuration...
[OK]
2621B#
4. On each of the 2621 routers, enter the command show ip route. You should only see directly connected networks in the routing table.

2621B#show ip route
     172.16.0.0/24 is subnetted, 1 subnets
C       172.16.30.0 is directly connected, Serial0/0

2621A#show ip route
     172.16.0.0/24 is subnetted, 1 subnets
C       172.16.20.0 is directly connected, Serial0/0
Configure each device with RIPv2
5. From 2621 Router A, configure RIP routing to use version 2.

2621A#config t
2621A(config)#router rip
2621A(config-router)#version 2
2621A(config-router)#network 172.16.0.0
2621A(config-router)#ctrl+z

6. From 2621 Router B, configure RIP routing to use version 2.

2621B#config t
2621B(config)#router rip
2621B(config-router)#version 2
2621B(config-router)#network 172.16.0.0
2621B(config-router)#ctrl+z

7. From 2811 Router A, configure RIP routing to use version 2.

2811A#config t
2811A(config)#router rip
2811A(config-router)#version 2
2811A(config-router)#network 172.16.0.0
2811A(config-router)#ctrl+z
Verify RIPv2 configurations

8. On 2621 Router A, use the show ip route command to verify the routing table. It should now have an entry learned from RIP (code R).

2621A#show ip route
     172.16.0.0/24 is subnetted, 2 subnets
R       172.16.30.0 [120/2] via 172.16.20.1, 00:00:20, Serial0/0
C       172.16.20.0 is directly connected, Serial0/0

9. From 2621 Router B, use the show ip route command to verify the routing table.

2621B#show ip route
     172.16.0.0/24 is subnetted, 2 subnets
C       172.16.30.0 is directly connected, Serial0/0
R       172.16.20.0 [120/1] via 172.16.30.1, 00:00:24, Serial0/0
10. Ping the interfaces on 2811 Router A. From 2621 Router A, ping s0/0/1 on 2811 Router A. It should succeed.

2621A#ping 172.16.30.1

11. From 2621 Router B, ping s0/1/1 on 2811 Router A. It should succeed.

2621B#ping 172.16.20.1

Use Traceroute

12. On 2621 Router A, trace the route to interface s0/0 of 2621 Router B.

2621A#traceroute 172.16.30.2
Type escape sequence to abort.
Tracing the route to 172.16.30.2
  1 172.16.20.1 12 msec 14 msec 12 msec
  2 172.16.30.2 32 msec * 28 msec
Save Your File: Make sure you save the network layout file that you have been working on. You might want to save it with a different network name than Traceroute Layout.rsm. That allows you to load nonconfigured Traceroute Layout.rsm if you want to go through the lab again.
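How traceroute arrives at the two hops printed in step 12, as an added Python simulation that is not part of the original lab: each probe is sent with a time-to-live of 1, 2, 3 and so on; every router that forwards a probe decrements the TTL, and the router that drives it to zero answers with an ICMP Time Exceeded message sourced from the interface the probe arrived on, which is the address traceroute prints for that hop. The three routers, their addresses and their RIP-learned routes are taken from this lab; the Router and Network classes, the probe function and the "silent" flag (a modelling assumption for a hop that drops expired probes without answering, as a filtered router on the Internet would) are this example's own.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple


class Router:
    """A router with addressed interfaces and a small routing table."""

    def __init__(self, name: str, interfaces: Dict[str, str],
                 routes: List[Tuple[str, Optional[str]]], silent: bool = False):
        self.name = name
        self.interfaces = interfaces                 # interface name -> IP address
        # (prefix, next hop); a next hop of None means directly connected
        self.routes = [(ipaddress.ip_network(p), nh) for p, nh in routes]
        # Modelling assumption: a silent router drops expired probes without
        # sending ICMP Time Exceeded, so traceroute prints "*" for it.
        self.silent = silent

    def owns(self, ip: str) -> bool:
        return ip in self.interfaces.values()

    def next_hop(self, destination: str) -> Optional[str]:
        """Longest-prefix match; returns the address the packet is handed to."""
        addr = ipaddress.ip_address(destination)
        best = None
        for prefix, nh in self.routes:
            if addr in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
                best = (prefix, nh)
        if best is None:
            return None
        return best[1] if best[1] is not None else destination   # connected: deliver directly


class Network:
    def __init__(self, routers: List[Router]):
        self.routers = {r.name: r for r in routers}
        self.by_ip = {ip: r for r in routers for ip in r.interfaces.values()}

    def probe(self, src: str, dst: str, ttl: int) -> Tuple[str, bool]:
        """Forward one probe. Returns (address that answered or "*", destination reached)."""
        nh = self.routers[src].next_hop(dst)
        while True:
            if nh is None or nh not in self.by_ip:
                return ("*", False)                  # no route, or nobody at that address
            hop = self.by_ip[nh]
            if hop.owns(dst):
                return (dst, True)                   # destination answers (port unreachable)
            ttl -= 1
            if ttl == 0:                             # expired here: Time Exceeded from ingress address
                return ("*" if hop.silent else nh, False)
            nh = hop.next_hop(dst)


def traceroute(net: Network, src: str, dst: str, max_hops: int = 30) -> List[str]:
    """Send probes with TTL 1, 2, 3, ... until the destination answers or max_hops is reached."""
    hops = []
    for ttl in range(1, max_hops + 1):
        who, done = net.probe(src, dst, ttl)
        hops.append(who)
        if done:
            break
    return hops


def build_lab_network(silent=()) -> Network:
    """The three-router Traceroute Layout topology with the routes RIPv2 produced."""
    return Network([
        Router("2621A", {"Serial0/0": "172.16.20.2"},
               [("172.16.20.0/24", None), ("172.16.30.0/24", "172.16.20.1")],
               silent="2621A" in silent),
        Router("2811A", {"Serial0/1/1": "172.16.20.1", "Serial0/0/1": "172.16.30.1"},
               [("172.16.20.0/24", None), ("172.16.30.0/24", None)],
               silent="2811A" in silent),
        Router("2621B", {"Serial0/0": "172.16.30.2"},
               [("172.16.30.0/24", None), ("172.16.20.0/24", "172.16.30.1")],
               silent="2621B" in silent),
    ])


if __name__ == "__main__":
    print("2621A -> 172.16.30.2:", traceroute(build_lab_network(), "2621A", "172.16.30.2"))
    print("same trace, 2811A silent:", traceroute(build_lab_network({"2811A"}), "2621A", "172.16.30.2"))
```

The silent case shows why traceroute is useful for mapping a network and why it is not reliable: a hop that does not return Time Exceeded simply disappears from the trace while packets still pass through it, and a destination with no route from the source produces nothing but "*" up to max_hops.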
Lab 2.17: Using Debug with a RIPv2 Network Besides the traceroute command, you can use the debug command to watch what the routers are doing on the network.
Network Layout
Load Traceroute Layout.rsm, or whatever you named it in lab 2.16.
1. On the Network Visualizer screen, click on the File menu and then click Open.
2. When the dialog box appears, make sure you are in the Networks folder.
3. Click on the file Traceroute Layout.rsm and click Open.
Lab Steps

1. Double-click 2811 Router A. After the console screen comes up, enter the command debug ip rip. It will take several seconds for output to appear in the console.

2811A>enable
2811A#debug ip rip
*Feb 25 04:59:00.819: RIP: received v2 update from 172.16.20.2 on Serial0/1/1
*Feb 25 04:59:00.819:      172.16.30.0/24 via 0.0.0.0 in 3 hops
*Feb 25 04:59:00.819:      172.16.20.0/24 via 0.0.0.0 in 1 hops
*Feb 25 04:59:16.146: RIP: sending v2 update to 224.0.0.9 via Serial0/0/1 (172.16.30.1)
*Feb 25 04:59:16.146: RIP: build update entries
*Feb 25 04:59:16.146:   172.16.20.0/24 metric 1, tag 0
*Feb 25 04:59:16.146:   172.16.20.0/24 metric 1, tag 0
*Feb 25 04:59:16.147: RIP: sending v2 update to 224.0.0.9 via Serial0/1/1 (172.16.20.1)
*Feb 25 04:59:16.147: RIP: build update entries
*Feb 25 04:59:16.147:   172.16.30.0/24 metric 1, tag 0
*Feb 25 04:59:16.147:   172.16.30.0/24 metric 1, tag 0
*Feb 25 04:59:18.562: RIP: received v2 update from 172.16.30.2 on Serial0/0/1
*Feb 25 04:59:18.562:      172.16.30.0/24 via 0.0.0.0 in 1 hops
*Feb 25 04:59:18.562:      172.16.20.0/24 via 0.0.0.0 in 2 hops

2. The debug activity will keep displaying information until you stop it. Press any key to stop information from displaying on the console screen, then enter the no debug ip rip command. You will see confirmation that debugging has been turned off. Debug output is produced by the router's CPU for every matching packet, so on a production router enable it only briefly and turn it off as soon as you have what you need.

2811A#no debug ip rip
RIP protocol debugging is off
Lab 2.18: Configuring and Verifying a Loopback Interface A loopback interface is not a real, hardware-based interface like serial 0/0/0 or fa0/1. It is a logical or virtual interface that is always "up," unlike a hardware interface that may be "up" or "down." It is the best interface to ping in order to see if the router itself is "up." In this lab you will create a loopback interface.
Network Layout Load Loopback Layout.rsm.
Lab Steps

1. Create a loopback interface on Router 2811 A.

2811A>en
2811A#config t
2811A(config)#int loopback 0

2. Enter an IP address for the loopback interface.

2811A(config-if)#ip address 172.16.40.1 255.255.255.0
3. Verify the loopback interface on Router 2811 A.

2811A(config-if)#ctrl+z
2811A#show ip interface brief
Interface          IP-Address      OK? Method Status                Protocol
FastEthernet0/0    172.16.10.1     YES manual up                    up
FastEthernet0/1    unassigned      YES unset  administratively down down
Serial0/0/0        unassigned      YES unset  administratively down down
Serial0/0/1        172.16.30.1     YES manual up                    up
Serial0/1/0        unassigned      YES unset  administratively down down
Serial0/1/1        172.16.20.1     YES manual up                    up
Loopback0          172.16.40.1     YES manual up                    up

4. From 2811 Router A, ping the loopback interface.

2811A#ping 172.16.40.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.40.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/4 ms
5. You can see the loopback entry in the running config of 2811 Router A.

2811A#show run
!
!
interface Loopback0
 ip address 172.16.40.1 255.255.255.0
!
interface FastEthernet0/0
 description connection to LAN 10
 ip address 172.16.10.1 255.255.255.0
 no ip directed-broadcast
 duplex auto
!
[output cut]
6. You should be able to successfully ping the loopback interface from another device. Go to Router 2621 A and ping the loopback interface on 2811 Router A. Interface s0/0 is administratively "up."

2621A#ping 172.16.40.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.40.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/4 ms
7. Unlike the physical interfaces on a router, a loopback interface is virtual and can be removed.

2811A#config t
2811A(config)#no interface loopback 0
2811A(config)#ctrl+z
2811A#

8. You can confirm the removal of loopback interface 0.

2811A#show run
!
!
!
interface FastEthernet0/0
 description connection to LAN 10
 ip address 172.16.10.1 255.255.255.0
 no ip directed-broadcast
 duplex auto
!
[output cut]
9. You can also use the show ip interface brief command to verify the removal of the loopback interface.

2811A#show ip interface brief
Interface          IP-Address      OK? Method Status                Protocol
FastEthernet0/0    172.16.10.1     YES manual up                    up
FastEthernet0/1    unassigned      YES unset  administratively down down
Serial0/0/0        unassigned      YES unset  administratively down down
Serial0/0/1        172.16.30.1     YES manual up                    up
Serial0/1/0        unassigned      YES unset  administratively down down
Serial0/1/1        172.16.20.1     YES manual up                    up
Lab 2.19: Using ARP (Address Resolution Protocol) ARP finds the hardware (MAC) address of a device on the local network from its IP address. To send a frame, the source must know the destination MAC address as well as the destination IP address; if it does not know the MAC address, it has to obtain it before any data can be sent. To obtain the unknown layer 2 address when the layer 3 address is known, the source broadcasts an ARP Request. Every device on the local segment sees it, but only the device with the matching layer 3 address answers, sending an ARP Reply unicast back to the source. The sender then has a MAC address to go with the IP address and can transmit. Nothing in ARP authenticates the reply: a host accepts whatever mapping it receives, which is why a device on the same segment can answer for an address it does not own and why switches offer features such as dynamic ARP inspection to police ARP traffic.
Network Layout
Load ARP Layout.rsm before going through the following lab.
1. On the Network Visualizer screen, click on the File menu and then click Open.
2. When the dialog box appears, make sure you are in the Networks folder.
3. Click on the file ARP Layout.rsm and click Open.
Lab Steps

1. Bring up the console for 2811 Router A. After the console screen appears, create a hostname.

Router>enable
Router#config t
Router(config)#hostname 2811A
2811A(config)#exit
2811A#
2. Before any interfaces are configured the ARP table should have no entries. Use the command show arp to confirm this.

2811A#show arp
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
3. Configure 2811 Router A.

2811A#config t
2811A(config)#int fa0/1
2811A(config-if)#ip address 172.16.20.1 255.255.255.0
2811A(config-if)#no shutdown
2811A(config-if)#int fa0/0
2811A(config-if)#ip address 172.16.30.1 255.255.255.0
2811A(config-if)#no shutdown
2811A(config-if)#ctrl+z
2811A#
4. Use the show arp command on 2811 Router A to view the ARP table again. Notice the unique MAC addresses associated with the two IP addresses; these are the router's own interfaces, so no age is shown for them.

2811A#show arp
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  172.16.30.1             -   00b0.b250.5f37  ARPA   FastEthernet0/0
Internet  172.16.20.1             -   00b0.8911.1e7e  ARPA   FastEthernet0/1
5. Double-click 2621 Router A. After the console screen comes up, configure the interface.

Router>enable
Router#config t
Router(config)#hostname 2621A
2621A(config)#int fa0/0
2621A(config-if)#ip address 172.16.20.2 255.255.255.0
2621A(config-if)#no shutdown
2621A(config-if)#ctrl+z
2621A#
6. Double-click 2621 Router B. After the console screen comes up, configure the interface.

Router>enable
Router#config t
Router(config)#hostname 2621B
2621B(config)#int fa0/0
2621B(config-if)#ip address 172.16.30.2 255.255.255.0
2621B(config-if)#no shutdown
2621B(config-if)#ctrl+z
2621B#
7. Go back to 2811 Router A and issue the show arp command. Notice that every IP address has an accompanying unique MAC (hardware) address. The two entries that show an age were learned from ARP replies sent by the 2621 routers.

2811A#show arp
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  172.16.30.1             -   00b0.b250.5f37  ARPA   FastEthernet0/0
Internet  172.16.20.2            30   00b0.76f0.f7c5  ARPA   FastEthernet0/1
Internet  172.16.20.1             -   00b0.8911.1e7e  ARPA   FastEthernet0/1
Internet  172.16.0.2             28   00b0.1dc0.652f  ARPA   FastEthernet0/0
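The two decisions a host makes before it can send anything, as an added Python simulation that is not part of the original lab: first the default-gateway decision from Lab 2.11 (is the destination on my own subnet, or do I hand the frame to 172.16.10.1?), then the ARP exchange from this lab (broadcast a request for that next-hop address, accept the reply, cache it). The addresses are those of Host A, Host D and the 2811A LAN interface from Lab 2.11; the MAC addresses, the attacker and the static_arp pinning are constructed for the example, and the class and function names are this example's own. The attacker path shows the property stated above, that ARP replies are not authenticated: a plain cache takes the latest reply, while a pinned (static) entry refuses the change and only raises an alert.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed MAC addresses for the devices on the 172.16.10.0/24 LAN.
ROUTER_MAC = "00b0.8911.aaaa"
HOST_A_MAC = "0050.0c11.0005"
HOST_D_MAC = "0050.0c11.0008"
ATTACKER_MAC = "0050.0cba.dbad"


@dataclass
class Device:
    """Anything with an IP address on the segment; `claims` is the set of IPs it answers ARP for."""
    name: str
    ip: str
    mac: str
    claims: set = field(default_factory=set)

    def __post_init__(self):
        self.claims = set(self.claims) | {self.ip}


class Segment:
    """One broadcast domain: an ARP Request is seen by every attached device."""

    def __init__(self):
        self.devices: List[Device] = []

    def attach(self, d: Device):
        self.devices.append(d)

    def arp_request(self, target_ip: str) -> List[Tuple[str, str]]:
        """(IP, MAC) from every device that answers; nothing verifies that it really owns the IP."""
        return [(target_ip, d.mac) for d in self.devices if target_ip in d.claims]


@dataclass
class Host(Device):
    mask: str = "255.255.255.0"
    gateway: str = ""
    static_arp: Dict[str, str] = field(default_factory=dict)   # pinned IP -> MAC entries
    arp_cache: Dict[str, str] = field(default_factory=dict)
    alerts: List[str] = field(default_factory=list)

    def next_hop_for(self, dst: str) -> str:
        """Host-side routing: same subnet -> the destination itself; otherwise -> the default gateway."""
        local = ipaddress.ip_network(f"{self.ip}/{self.mask}", strict=False)
        return dst if ipaddress.ip_address(dst) in local else self.gateway

    def learn(self, ip: str, mac: str) -> Optional[str]:
        """Process an ARP Reply. Returns an alert when the mapping conflicts with what we already hold."""
        alert = None
        known = self.static_arp.get(ip) or self.arp_cache.get(ip)
        if known and known != mac:
            alert = f"{self.name}: {ip} changed from {known} to {mac}"
            self.alerts.append(alert)
        if ip in self.static_arp:
            return alert                  # pinned entries are never overwritten
        self.arp_cache[ip] = mac          # a plain stack simply takes the latest reply
        return alert

    def resolve(self, seg: Segment, dst: str) -> str:
        """MAC address the frame for `dst` is sent to (the destination's or the gateway's)."""
        target = self.next_hop_for(dst)
        if target in self.static_arp:
            return self.static_arp[target]
        if target not in self.arp_cache:
            for ip, mac in seg.arp_request(target):
                self.learn(ip, mac)
        if target not in self.arp_cache:
            raise LookupError(f"no ARP reply for {target}")
        return self.arp_cache[target]


def build_lab_segment(pin_gateway: bool = False):
    """Host A, Host D and the 2811A LAN interface from Lab 2.11 on one segment."""
    seg = Segment()
    router = Device("2811A fa0/0", "172.16.10.1", ROUTER_MAC)
    host_a = Host("Host A", "172.16.10.5", HOST_A_MAC, gateway="172.16.10.1")
    host_d = Host("Host D", "172.16.10.8", HOST_D_MAC, gateway="172.16.10.1",
                  static_arp={"172.16.10.1": ROUTER_MAC} if pin_gateway else {})
    for d in (router, host_a, host_d):
        seg.attach(d)
    return seg, host_a, host_d, router


if __name__ == "__main__":
    seg, host_a, host_d, router = build_lab_segment()
    print("Host D -> Host A goes to", host_d.resolve(seg, "172.16.10.5"))
    print("Host D -> Host E goes to", host_d.resolve(seg, "172.16.40.3"), "(the gateway)")
    host_d.learn("172.16.10.1", ATTACKER_MAC)       # unsolicited reply claiming the gateway
    print("after the forged reply:", host_d.resolve(seg, "172.16.40.3"), host_d.alerts)
```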
Managing a Cisco Internetwork
Lab 3: Introduction to Managing a Cisco Internetwork

In this section, you will learn how to manage Cisco routers in an internetwork. The Internetworking Operating System (IOS) and the configuration files reside in different locations in a Cisco device, and it is important to understand where these files are located and how they work. Host E is running a TFTP server daemon and will be used in this section to both back up and restore the Cisco IOS and configuration of the 2621 A router. Keep in mind that TFTP has no authentication or encryption, so on a production network a TFTP host holding IOS images and configurations should be reachable only from a protected management network.

The following labs are covered:
• 3.1: Password Recovery Techniques
• 3.2: Backing up a Cisco IOS to a TFTP server
• 3.3: Upgrading or restoring a Cisco IOS from a TFTP server
• 3.4: Backing up a Cisco router configuration using a TFTP server
• 3.5: Restoring a Cisco router configuration from a TFTP server
• 3.6: Using the Cisco Discovery Protocol to gather information about neighbor devices
• 3.7: Using Telnet
• 3.8: Using Secure Shell in Place of Telnet
• 3.9: Verifying Secure Shell in Place of Telnet
• 3.10: Creating a hosts table on a router and resolving host names to IP addresses
• 3.11: Configuring IGRP Routing
• 3.12: Verifying IGRP Routing

The commands covered in this section are as follows:
Command                                      Description
cdp enable                                   Turns on CDP on an individual interface
cdp holdtime                                 Changes the holdtime of CDP packets
cdp run                                      Turns on CDP on a router
cdp timer                                    Changes the CDP update timer
config-register (confreg)                    Tells the router how to boot and changes the configuration register setting
copy flash tftp                              Copies a file from flash memory to a TFTP host
copy run start                               Copies the running-config file to the startup-config file
copy run tftp                                Copies the running-config file to a TFTP host
copy tftp flash                              Copies a file from a TFTP host to flash memory
copy tftp run                                Copies a configuration from a TFTP host into the running-config file
Ctrl+Shift+6, then X (keyboard combination)  Takes you back to the originating router when you telnet to numerous routers
disconnect                                   Disconnects a connection to a remote router from the originating router
erase startup-config                         Deletes the contents of NVRAM on a router
exit                                         Disconnects a connection to a remote router via Telnet
ip host                                      Creates a host table on a router
no cdp enable                                Turns off CDP on an individual interface
no cdp run                                   Turns off CDP completely on a router
no ip host                                   Removes a hostname from a host table
o/r 0x2142                                   Changes a router to boot without using the contents of NVRAM (ROM monitor syntax on older platforms such as the 2500 series; confreg is used on the 2600)
show cdp                                     Displays the CDP timer and holdtime values
show cdp entry *                             Same as show cdp neighbor detail, but does not work on a 1900 switch
show cdp neighbor                            Shows the directly connected neighbors and details about them
show cdp neighbor detail                     Shows the IP address and IOS version and type, and includes all of the information from the show cdp neighbor command
show cdp traffic                             Shows the CDP packets sent and received on a device and any errors
show flash                                   Views the files in flash memory
show hosts                                   Shows the contents of the host table
show run                                     Displays the running-config file
show sessions                                Shows your connections via Telnet to remote devices
show start                                   Displays the startup-config file
show version                                 Displays the IOS type and version as well as the configuration register
Lab 3.1: Password Recovery Techniques All Cisco routers have a 16-bit software configuration register, which is stored in NVRAM. By default, the configuration register is set to load the Cisco IOS from flash memory and to look for and load the startup-config file from NVRAM. By changing the configuration register, you can perform password recovery on a Cisco router: if you are locked out because you forgot the password, you change the register so that the router boots without its saved configuration. Bit 6 of the configuration register tells the router whether or not to use the contents of NVRAM to load a configuration. The default value is 0x2102; the second hexadecimal digit from the right (the 0) holds bit 6, so bit 6 is off and the router loads the configuration stored in NVRAM (startup-config). To recover a password you turn on bit 6, which tells the router to ignore the NVRAM contents; the register value with bit 6 on is 0x2142. Because this procedure needs nothing more than console access and a power cycle, anyone with physical access to a router's console can take administrative control of it, which is why console ports and equipment rooms need to be physically secured.
Network Layout

Load Standard Layout.rsm or whatever you named the file when you saved your work while working in section 2.
Lab Steps

1. You can see the current value of the configuration register by using the show version command (sh version or show ver for short), as in the following example on 2621 Router A:

   2621A#show version
   Cisco Internetwork Operating System Software
   IOS (tm) C2621 Software (C2621-BIN-M), Version 12.2(13)T1, RELEASE SOFTWARE (fc1)
   [output cut]
   Configuration register is 0x2102

   The last line of this output is the value of the configuration register. In this example, the value is 0x2102, which is the default setting.

2. You can change the configuration register by using the config-register command. For example, the following commands tell the router to boot from ROM monitor mode and then verify the current configuration register value:

   2621A(config)#config-register 0x0101
   2621A(config)#ctrl+z
   2621A#sh ver
   [output cut]
   Configuration register is 0x2102 (will be 0x0101 at next reload)

   Notice that the show version command shows the current configuration register value as well as what it will be when the router reboots. A change to the configuration register does not take effect until the router is reloaded.

3. From 2621 Router A, type reload at the privileged mode prompt.

   2621A#copy run start
   2621A#reload

4. You will then see this output on your screen: “System configuration has been modified. Save? [yes/no]:”. Press Y.

5. You will then be asked to confirm the reload. Press Enter.

6. While the router is rebooting, press and hold Ctrl+Break on the keyboard until it takes you into ROM monitor mode.

   System Bootstrap, Version 11.3(2)XA4, RELEASE SOFTWARE (fc1)
   Copyright (c) 1999 by Cisco Systems, Inc.
   TAC:Home:SW:IOS:Specials for info
   PC = 0xfff0a530, Vector = 0x500, SP = 0x680127b0
   C2621 platform with 32768 Kbytes of main memory
   PC = 0xfff0a530, Vector = 0x500, SP = 0x80004374
   monitor: command "boot" aborted due to user interrupt
   rommon 1 >

7. To change the bit value on a Cisco 2621 series router, enter the confreg (config register) command at the prompt:

   rommon 1 >confreg 0x2142
   You must reset or power cycle for new config to take effect.

8. At this point, reset the router.

   rommon 1 >reset

9. When the router reloads, say no to entering setup mode.

10. Enter privileged mode and then type copy startup-config running-config.

11. Change your passwords and then save your configuration with the copy run start command.

12. Change your configuration register back to 0x2102. The router is now running IOS, so this is done with the config-register command in global configuration mode rather than from rommon.

   2621A#config t
   2621A(config)#config-register 0x2102
   2621A(config)#ctrl+z
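The register arithmetic above (bit 6 is the 0x0040 bit, so 0x2102 becomes 0x2142), as an added Python example that is not part of this lab or of the simulator: it decodes the fields the text describes plus the boot field in bits 0 to 3, and audits the "Configuration register is ..." line of show version so that a router left set to ignore NVRAM on its next reload is flagged. The sample lines are constructed from the output shown in the steps.

```python
import re

# Bit layout of the 16-bit Cisco configuration register used by this check.
BOOT_FIELD_MASK = 0x000F      # bits 0-3: what to boot
IGNORE_NVRAM_BIT = 0x0040     # bit 6: ignore startup-config in NVRAM (0x2142 sets it)
BREAK_DISABLED_BIT = 0x0100   # bit 8: ignore the Break key during boot
DEFAULT_REGISTER = 0x2102


def describe_boot_field(value):
    """Translate the boot field (bits 0-3) into words."""
    field = value & BOOT_FIELD_MASK
    if field == 0x0:
        return "stay in ROM monitor (rommon)"
    if field == 0x1:
        return "boot the first image in ROM"
    return "boot from flash / boot system commands"


def decode_register(value):
    """Return the security-relevant fields of one register value as a dict."""
    if not 0 <= value <= 0xFFFF:
        raise ValueError("configuration register is a 16-bit value")
    return {
        "value": f"0x{value:04X}",
        "boot_field": value & BOOT_FIELD_MASK,
        "boot": describe_boot_field(value),
        "ignore_nvram": bool(value & IGNORE_NVRAM_BIT),
        "break_disabled": bool(value & BREAK_DISABLED_BIT),
    }


# Matches both forms seen in the lab:
#   Configuration register is 0x2102
#   Configuration register is 0x2102 (will be 0x0101 at next reload)
SHOW_VERSION_RE = re.compile(
    r"Configuration register is (0x[0-9A-Fa-f]{1,4})"
    r"(?: \(will be (0x[0-9A-Fa-f]{1,4}) at next reload\))?"
)


def audit_show_version(output):
    """Parse the register line of 'show version' and report findings.

    Returns (current, next_reload, findings); next_reload is None when no
    change is pending. A default 0x2102 register yields no findings.
    """
    m = SHOW_VERSION_RE.search(output)
    if not m:
        raise ValueError("no configuration register line found")
    current = int(m.group(1), 16)
    pending = int(m.group(2), 16) if m.group(2) else None
    findings = []
    for label, reg in (("current", current), ("next reload", pending)):
        if reg is None:
            continue
        info = decode_register(reg)
        if info["ignore_nvram"]:
            findings.append(f"{label} register {info['value']} ignores NVRAM: "
                            "startup-config (and its passwords) will not load")
        if info["boot_field"] <= 0x1:
            findings.append(f"{label} register {info['value']}: {info['boot']}")
    if pending is not None and pending != current:
        findings.append(f"register change pending: 0x{current:04X} -> 0x{pending:04X}")
    return current, pending, findings


# Constructed samples modelled on the show version lines in this lab.
SAMPLE_DEFAULT = "Configuration register is 0x2102"
SAMPLE_PENDING = "Configuration register is 0x2102 (will be 0x0101 at next reload)"
SAMPLE_RECOVERY = "Configuration register is 0x2142"

if __name__ == "__main__":
    for text in (SAMPLE_DEFAULT, SAMPLE_PENDING, SAMPLE_RECOVERY):
        _, _, findings = audit_show_version(text)
        print(text)
        for finding in findings or ["no findings"]:
            print("  -", finding)
```

Run against the output of show version collected from each router after a recovery, the audit catches the case where step 12 was forgotten and the router is still set to 0x2142.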
Viewing Passwords on the Net Configs Screen

If you want to take a peek at all the passwords set for the currently loaded network, you can view them on the Net Configs screen.

1. Click Tools on the main menu of the Network Visualizer screen, and then click the Net Configs sub-menu selection. Or, right-click on the Network Visualizer screen and choose Net Configs from the pop-up menu.

   [Figure: From the main menu]
   [Figure: From the pop-up window]
The following information will appear on the Net Configs screen, displaying passwords for every network device.
Lab 3.11: Configuring IGRP Routing

Interior Gateway Routing Protocol (IGRP) is a Cisco proprietary distance vector routing protocol. It is an updated form of the RIP routing protocol that uses an administrative distance of 100, so it will automatically overwrite RIP-found routes in the routing table. It also uses Autonomous Systems (AS) to create groups of routers that share routing information. Configuring IGRP is basically the same as configuring RIP, except that you choose your AS number. All routers that you want to share routing information must use the same AS number.
Network Layout

Load IGRP Layout.rsm before going through the following lab.

1. On the Network Visualizer screen, click on the File menu and then click Open.

2. When the dialog box appears, make sure you are in the Networks folder.

3. Click on the file IGRP Layout.rsm and click Open. You should see the following non-configured network:
Lab Steps

1. Double-click 2621 Router A. After the console screen comes up, perform the following commands.

   Router>enable
   Router#config t
   Router(config)#hostname 2621A
   2621A(config)#interface serial 0/1
   2621A(config-if)#ip address 172.16.10.2 255.255.255.0
   2621A(config-if)#no shutdown
   2621A(config-if)#exit
   2621A(config)#exit
   2621A#copy run start
   Destination filename [startup-config]? [enter]
   Building configuration...
   [OK]
   2621A#

2. Change the console screen so that you can enter configurations for 2621 Router B. Use the console menu to achieve this. After the console screen comes up, perform the following commands.

   Router>enable
   Router#config t
   Router(config)#hostname 2621B
   2621B(config)#interface serial 0/0
   2621B(config-if)#clock rate 64000
   2621B(config-if)#ip address 172.16.10.1 255.255.255.0
   2621B(config-if)#no shutdown
   2621B(config-if)#interface serial 0/1
   2621B(config-if)#clock rate 64000
   2621B(config-if)#ip address 172.16.20.1 255.255.255.0
   2621B(config-if)#no shutdown
   2621B(config-if)#exit
   2621B(config)#exit
   2621B#copy run start
   Destination filename [startup-config]? [enter]
   Building configuration...
   [OK]
   2621B#

3. Change the console screen so that you can enter configurations for 2621 Router C. Use the console menu to achieve this. After the console screen comes up, perform the following commands.

   Router>enable
   Router#config t
   Router(config)#hostname 2621C
   2621C(config)#interface serial 0/0
   2621C(config-if)#ip address 172.16.20.2 255.255.255.0
   2621C(config-if)#no shutdown
   2621C(config-if)#exit
   2621C(config)#exit
   2621C#copy run start
   Destination filename [startup-config]? [enter]
   Building configuration...
   [OK]
   2621C#

4. Configure 2621 Router A to use IGRP with an AS of 10.

   2621A#config t
   2621A(config)#router igrp 10
   2621A(config-router)#network 172.16.0.0
   2621A(config-router)#ctrl+z
   2621A#

5. Configure 2621 Router B to use IGRP with an AS of 10.

   2621B#config t
   2621B(config)#router igrp 10
   2621B(config-router)#network 172.16.0.0
   2621B(config-router)#ctrl+z
   2621B#

6. Configure 2621 Router C to use IGRP with an AS of 10.

   2621C#config t
   2621C(config)#router igrp 10
   2621C(config-router)#network 172.16.0.0
   2621C(config-router)#ctrl+z
   2621C#
Rename and Save Your File

Make sure you save the actual network layout file that you have been working with. You might want to save it under a different file name than IGRP Layout.rsm. This allows you to start over with a non-configured network if you wish.

1. There are two ways you can save a network layout. The first way is by clicking on the Diskette button on the button bar at the top of the Network Visualizer screen. You can also click File on the menu and choose Save from the drop-down menu.
2. A dialog box will appear. At the bottom you will see the file name IGRP Layout.rsm. Rename the file. For example, you could name it My IGRP Layout.rsm.

3. Click the Save button. At this point your network layout has been saved under a new name. You then have the option of reloading IGRP Layout.rsm, which is non-configured.
Lab 3.12: Verifying IGRP Routing

Since IGRP has a better administrative distance than RIP, all the routing tables should have IGRP-found routes. Use the show ip route command and then the debugging tools to verify IGRP.
Network Layout

Load IGRP Layout.rsm or whatever you named the file when you saved your work in Lab 3.11.
Lab Steps

1. From 2621 Router A, use the show ip route command to verify the routing table.

   2621A#show ip route
   [output cut]
        172.16.0.0/24 is subnetted, 2 subnets
   I       172.16.20.0 [100/160250] via 172.16.10.1, 00:00:14, Serial0/1
   C       172.16.10.0 is directly connected, Serial0/1
   2621A#

   Notice the routes marked “I”. These were learned by IGRP.

2. Use the show ip protocol command from 2621 Router A.

   2621A#show ip protocol
   Routing Protocol is "igrp 10"
     Sending updates every 90 seconds, next due in 25 seconds
     Invalid after 270 seconds, hold down 270, flushed after 630
     Outgoing update filter list for all interfaces is not set
     Incoming update filter list for all interfaces is not set
     Default networks flagged in outgoing updates
     Default networks accepted from incoming updates
     IGRP metric weight K1=1, K2=0, K3=1, K4=0, K5=0
     IGRP maximum hop count 100
     IGRP maximum metric variance 1
     Redistributing: igrp 10
     Routing for networks:
       172.16.0.0
     Routing information sources:
       Gateway         Distance      Last Update
       172.16.10.1          100      00:01:05
     Distance:
   2621A#

   Notice that the timer for IGRP to send out updates is every 90 seconds.

3. From 2621 Router B, use the show ip route command to verify the routing table.

   2621B#show ip route
   [output cut]
        172.16.0.0/24 is subnetted, 2 subnets
   C       172.16.20.0 is directly connected, Serial0/1
   C       172.16.10.0 is directly connected, Serial
   2621B#

   Routing tables take a small amount of time to update.

4. From 2621 Router C, use the show ip route command to verify the routing table.

   2621C#show ip route
        172.16.0.0/24 is subnetted, 2 subnets
   C       172.16.20.0 is directly connected, Serial0/0
   I       172.16.10.0 [100/160250] via 172.16.20.1, 00:00:48, Serial0/0
   2621C#

5. Use the debug ip igrp events command to see IGRP updates being sent and received on the router.

   2621A#debug ip igrp events
   IGRP protocol debugging is on
   1d23h: IGRP: sending update to 255.255.255.255 via Serial0/1 <172.16.10.2>
   1d23h: IGRP: Update contains 1 interior, 0 system, and 0 exterior routes.
   1d23h: IGRP: Total routes in update: 1
   2621A#

6. Turn off debugging with the no debug ip igrp events command, or the undebug all command.

   2621A#undebug all

7. Use the debug ip igrp transactions command to see a summary of the IGRP events being processed on the router.

   2621A#debug ip igrp transactions
   IGRP protocol debugging is on
   2621A#
   1d23h: IGRP: sending update to 255.255.255.255 via Serial0/1 <172.16.10.2>
   1d23h:       subnet 172.16.10.0, metric=189250
   2621A#

8. You can turn off the debug ip igrp transactions command.

   2621A#no debug ip igrp transactions
Lab 3.2: Backing Up the Cisco IOS

Before you upgrade or restore a Cisco® IOS, you should copy the existing file to a tftp host as a backup in case the new image does not work. You can use any tftp host to perform this function. By default, the flash memory in a router is used to store the Cisco® IOS. The following sections describe how to check the amount of flash memory, copy the Cisco® IOS from flash memory to a tftp host, and then copy the IOS from a tftp host to flash memory.
Flash Memory

Computer memory that holds information even when the device is powered down. Information can be written to and stored in this memory.
Network Layout

Load Standard Layout.rsm or whatever you named the file when you saved your work while working in section 2.
Lab Steps

1. Before you attempt to upgrade the Cisco® IOS on your router with a new IOS file, verify that your flash memory has enough room to hold the new image. You can verify the amount of flash memory and the file or files stored in flash memory by using the show flash command:

   2621A#show flash
   System flash directory:
   File  Length   Name/status
     1   6973004  c2600-bin-mz.122-13.T1.bin
   [6973068 bytes used, 1415540 available, 8388608 total]
   8192K bytes of processor board System flash (Read/Write)

2. The last line in the router output shows that the flash is 8192K, or 8MB, which is plenty of room for the 6MB file we want to copy. Once you verify that the flash memory can hold the IOS you want to copy into flash memory, you can continue with your backup operation.

3. The key to success in this backup routine is to make sure you have good connectivity to the tftp host. You can check this by pinging the device from the router console prompt, as in the following example:

   2621A#ping 172.16.40.3
   Type escape sequence to abort.
   Sending 5, 100-byte ICMP Echos to 172.16.40.3, timeout is 2 seconds:
   !!!!!
   Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/8 ms

4. After you ping the tftp host to make sure that IP is working, you can use the copy flash tftp command to copy the IOS to the tftp host, as shown below. Notice that after you enter the command, the name of the file in flash memory is displayed, which makes it easy for you.

   2621A#copy flash tftp
   Source filename []? c2600-bin-mz.122-13.T1.bin
   Address or name of remote host []? 172.16.40.3
   Destination filename [c2600-bin-mz.122-13.T1.bin]? (press enter)
   !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
   [output cut]
   6973004 bytes copied in 57.704 secs (120841 bytes/sec)
   2621A#

5. In this example, the content of flash memory was copied successfully to the tftp host. The address of the remote host is the IP address of the tftp host, and the source filename is the file in flash memory. This is a simple process as long as your router can talk to the tftp host.
Lab 3.3: Restoring or Upgrading the Cisco Router IOS

You may need to restore the Cisco® IOS to flash memory to replace an original file that has been damaged, or to upgrade the IOS. You can download the file from a tftp host to flash memory by using the copy tftp flash command. This command requires the IP address of the tftp host and the name of the file you want to download to flash memory.
No real files are used in this lab. This is just an exercise to show how it is done.
Lab Steps

1. Type the copy tftp flash command at the 2621 Router A privileged mode prompt. You will see a message informing you that the router must reboot and run a ROM-based IOS image to perform this operation:

   2621A#copy tftp flash
   Address or name of remote host []? 172.16.40.3
   Source filename []? c2600-bin-mz.122-13.T1.bin
   Destination filename [c2600-bin-mz.122-13.T1.bin]? (press enter)
   %Warning:There is a file already existing with this name
   Do you want to over write? [confirm] (press enter)
   Accessing tftp://172.16.40.3/c2600-bin-mz.122-13.T1.bin...
   Erase flash: before copying? [confirm] (press enter)
   Erasing the flash filesystem will remove all files! Continue? [confirm] (press enter)
   Erasing device... eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee ...erased
   Erase of flash: complete
   Loading c2600-bin-mz.122-13.T1.bin from 1.1.1.1 (via FastEthernet0/0): !!!!!!!!!
   !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
   [output cut]

2. After you tell the router where the file is and the filename, it asks you to confirm that you understand the contents of flash memory will be erased, as shown in the output above. You are prompted twice, just to make sure that you really want to proceed with erasing flash memory.

3. The row of e characters shows the contents of flash memory being erased. Each exclamation point (!) means that one UDP segment has been successfully transferred.
Lab 3.4: Backing Up the Cisco Configuration

Any changes that you make to the router configuration are stored in the running-config file. If you do not perform a copy run start command after you make a change to running-config, that change will be gone if the router reboots or gets powered down. You may want to make another backup of the configuration information as an extra precaution, in case the router or switch completely dies, or for documentation. The following lab describes how to copy the configuration of a router to a tftp host.
Network Layout

Load Standard Layout.rsm or whatever you named the file when you saved your work while working in section 2.
Lab Steps

1.

2. To copy the router’s configuration from a router to a tftp host, you can use either the copy running-config tftp or the copy startup-config tftp command. Either command will back up the router configuration that is currently running in DRAM or that is stored in NVRAM. To verify the configuration in DRAM, use the show running-config command (show run for short), as follows:

   2621A#show run
   Building configuration...
   Current configuration:
   !
   version 12.2
   [output cut]

   The current configuration information indicates that the router is now running version 12.2 of the IOS.

3. Next, check the configuration stored in NVRAM. To see this, use the show startup-config command (show start for short), as follows:

   2621A#show start
   Using 781 out of 32762 bytes
   !
   version 12.2
   [output cut]

   The second line shows how much room your backup configuration is using. In this example, NVRAM is 32KB and only 781 bytes of it are used. Notice that the version of the configuration in NVRAM is 12.2. If you are not sure that the files are the same, and the running-config file is what you want to use, then use the copy running-config startup-config command to make sure both files are the same. By copying running-config to NVRAM as a backup, as shown below, you are assured that your running-config will always be reloaded if the router gets rebooted.

   2621A#copy run start
   Destination filename [startup-config]? (press enter)
   Building configuration...
   [OK]

4. Now when you enter the show startup-config command, the version shows the latest configuration.

   2621A#show startup-config
   Using 781 out of 32762 bytes
   !
   version 12.2

5. Once the file is copied to NVRAM, you can make a second backup to a tftp host by using the copy running-config tftp command (copy run tftp for short), as follows:

   2621A#copy run tftp
   Address or name of remote host []? 172.16.40.3
   Destination filename [2621A-confg]? (press enter)
   !!
   487 bytes copied in 12.236 secs (40 bytes/sec)
   2621A#

6. Notice that this took only two exclamation points (!), which are two UDP acknowledgments. If you have a hostname configured, the command will automatically use the hostname plus the extension -confg as the name of the file.
Lab 3.5: Restoring the Cisco Router Configuration from a TFTP Server

If you have changed your router’s running-config and want to restore the configuration to the version in startup-config, the easiest way to do this is to use the copy startup-config running-config command (copy start run for short). You can also use the older Cisco® command, config mem, to restore a configuration. Of course, this will work only if you first copied running-config into NVRAM before making any changes.
Network Layout

Load Standard Layout.rsm or whatever you named the file when you saved your work while working in section 2.
Lab Steps

1. If you copied the router’s configuration to a tftp host as a second backup, you can restore the configuration using the copy tftp running-config command (copy tftp run for short) or the copy tftp startup-config command (copy tftp start for short), as shown below.

   2621A#copy tftp run
   Address or name of remote host []? 172.16.40.3
   Source filename []? 2621A-confg
   Destination filename [running-config]? (press enter)
   Accessing tftp://172.16.40.3/2621A-confg...
   Loading 2621A-confg from 172.16.40.3 (via Fastethernet 0/0): !!
   [OK - 487/4096 bytes]
   487 bytes copied in 5.400 secs (97 bytes/sec)
   2621A#
   00:38:31: %SYS-5-CONFIG: Configured from tftp://172.16.40.3/2621A-confg
   2621A#

2. After you copy your configuration from a tftp host to your router, you must then enable your interfaces, as they are automatically shut down.
Lab 3.6: Using the Cisco Discovery Protocol to Gather Information about Neighbor Devices

Cisco Discovery Protocol (CDP) is a proprietary protocol designed by Cisco to help administrators collect information about both locally attached and remote devices. You can gather hardware information, as well as protocol information, about neighbor devices. This information is useful for troubleshooting and documenting the network.
Network Layout

Load Standard Layout.rsm or whatever you named the file when you saved your work while working in section 2.
Lab Steps

2621 Router A and 2621 Router B need to be configured in order for output to appear when you go through this lab.

1. First gather CDP information on your router by getting the CDP timer and holdtime information. Use the show cdp command (sh cdp for short), which shows information about two CDP global parameters that can be configured on Cisco devices. The output on a router looks like this:

   2811A#show cdp
   Global CDP information:
           Sending CDP packets every 60 seconds
           Sending a holdtime value of 180 seconds
           Sending CDPv2 advertisements is enabled
   2811A#

   The CDP timer is how often CDP packets are transmitted on all active interfaces. The CDP holdtime is the amount of time that the device will hold packets received from neighbor devices. Both Cisco routers and Cisco switches use the same parameters.

2. Use the global commands cdp holdtime and cdp timer to configure the CDP holdtime and timer on a router.

   2811A#config t
   Enter configuration commands, one per line. End with CTRL/Z.
   2811A(config)#cdp ?
     advertise-v2      CDP sends version-2 advertisements
     holdtime          Specify the holdtime (in sec) to be sent in packets
     log               Log messages generated by CDP
     run               Enable CDP
     source-interface  Insert the interface's IP in all CDP packets
     timer             Specify rate (in sec) at which CDP packets are sent
   2811A(config)#cdp timer 90
   2811A(config)#cdp holdtime 240
   2811A(config)#ctrl+z

3. You can turn off CDP completely on the router with the no cdp run command from global configuration mode. Enable CDP again with the cdp run command.

   2811A(config)#no cdp run
   2811A(config)#cdp run
   2811A(config)#ctrl+z
4. To turn CDP off or on for a router interface, use the no cdp enable and cdp enable commands from interface configuration mode.

   2811A(config)#interface fastethernet 0/0
   2811A(config-if)#no cdp enable
   2811A(config-if)#cdp enable
   2811A(config-if)#ctrl+z

5. The show cdp neighbor command (show cdp nei for short) shows information about directly connected devices. It is important to remember that CDP packets are not passed through a Cisco switch, so you only see what is directly attached. On a router connected to a switch, you will not see the other devices connected to the switch. The following output shows the show cdp neighbor command used on the 2811 A router.

   2811A#show cdp nei
   Device ID        Local Intrfce     Holdtme    Capability  Platform  Port ID
   2621B            Ser 0/0            170          R         2621      Ser 0/0/1
   2621A            Ser 0/0            170          R         2621      Ser 0/1/1
   2811A#
The following table summarizes the information displayed by the show cdp neighbor command for each device.

Field            Description
Device ID        The hostname of the directly connected device.
Local Interface  The port or interface on which you are receiving the CDP packet.
Holdtime         The amount of time the router will hold the information before discarding it if no more CDP packets are received.
Capability       The neighbor’s capability, such as router, switch, or repeater. The capability codes are listed at the top of the command output.
Platform         The type of Cisco device. In the above output, a 2811 router, two 2621 routers, a 3550 switch, and a 3560 switch are attached.
Port ID          The neighbor device’s port or interface on which the CDP packets are broadcast out.
6. Another command that provides neighbor information is the show cdp neighbor detail command (show cdp nei de for short), which can also be run on the router or switch. This command shows detailed information about each device connected to the device, as in the router output below.

   2811A#show cdp neighbor detail
   -------------------------
   Device ID: 2621B
   Entry address(es):
     IP Address: 172.16.30.2
   Platform: cisco 2621,  Capabilities: Router
   Interface: Serial0/0,  Port ID (outgoing port): Serial0/0/1
   Holdtime : 146 sec

   Version :
   Cisco Internetwork Operating System Software
   IOS (tm) C2600 Software (C2600-BIN-M), Version 12.2(13)T1, RELEASE SOFTWARE (fc1)
   TAC Support: http://www.cisco.com/tac
   Copyright (c) 1986-2003 by Cisco Systems, Inc.
   Compiled Sat 04-Jan-03 05:58 by ccai

   advertisement version: 2
   -------------------------
   Device ID: 2621A
   Entry address(es):
     IP Address: 172.16.20.2
   Platform: cisco 2621,  Capabilities: Router
   Interface: Serial0/0,  Port ID (outgoing port): Serial0/1/1
   Holdtime : 146 sec

   Version :
   Cisco Internetwork Operating System Software
   IOS (tm) C2600 Software (C2600-BIN-M), Version 12.2(13)T1, RELEASE SOFTWARE (fc1)
   TAC Support: http://www.cisco.com/tac
   Copyright (c) 1986-2003 by Cisco Systems, Inc.
   Compiled Sat 04-Jan-03 05:58 by ccai

   advertisement version: 2
   -------------------------
   2811A#

   The output above shows the hostname and IP address of the directly connected devices. In addition to the same information displayed by the show cdp neighbor command, the show cdp neighbor detail command also shows the IOS version of the neighbor device.

7. The show cdp entry * command displays the same information as the show cdp neighbor detail command. The following is an example of the router output of the show cdp entry * command.

   2811A#show cdp entry *
   -------------------------
   Device ID: 2621B
   Entry address(es):
     IP Address: 172.16.30.2
   Platform: cisco 2621,  Capabilities: Router
   Interface: Serial0/0,  Port ID (outgoing port): Serial0/0/1
   Holdtime : 146 sec

   Version :
   Cisco Internetwork Operating System Software
   IOS (tm) C2600 Software (C2600-BIN-M), Version 12.2(13)T1, RELEASE SOFTWARE (fc1)
   TAC Support: http://www.cisco.com/tac
   Copyright (c) 1986-2003 by Cisco Systems, Inc.
   Compiled Sat 04-Jan-03 05:58 by ccai

   advertisement version: 2
   -------------------------
   Device ID: 2621A
   Entry address(es):
     IP Address: 172.16.20.2
   Platform: cisco 2621,  Capabilities: Router
   Interface: Serial0/0,  Port ID (outgoing port): Serial0/1/1
   Holdtime : 146 sec

   Version :
   Cisco Internetwork Operating System Software
   IOS (tm) C2600 Software (C2600-BIN-M), Version 12.2(13)T1, RELEASE SOFTWARE (fc1)
   TAC Support: http://www.cisco.com/tac
   Copyright (c) 1986-2003 by Cisco Systems, Inc.
   Compiled Sat 04-Jan-03 05:58 by ccai

   advertisement version: 2
   -------------------------
   2811A#

8. The show cdp traffic command displays information about interface traffic, including the number of CDP packets sent and received and the errors with CDP. The following output shows the show cdp traffic command used on a router.

   2811A#show cdp traffic
   CDP counters :
           Total packets output: 14556, Input: 7366
           Hdr syntax: 0, Chksum error: 0, Encaps failed: 0
           No memory: 0, Invalid packet: 0, Fragmented: 0
           CDP version 1 advertisements output: 0, Input: 0
           CDP version 2 advertisements output: 14556, Input: 7366
   2811A#
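The lab describes CDP as a way to document the network; an added Python example, not from the book or the simulator, that parses show cdp neighbor detail output (the format shown in steps 6 and 7) into one record per neighbor and groups the neighbors by IOS version, which is how a defender spots a device still running an image everyone else has moved off. The sample output is constructed from the output shown above.

```python
import re

# Constructed sample modelled on the show cdp neighbor detail output in this lab.
SAMPLE_CDP_DETAIL = """\
2811A#show cdp neighbor detail
-------------------------
Device ID: 2621B
Entry address(es):
  IP Address: 172.16.30.2
Platform: cisco 2621,  Capabilities: Router
Interface: Serial0/0,  Port ID (outgoing port): Serial0/0/1
Holdtime : 146 sec

Version :
Cisco Internetwork Operating System Software
IOS (tm) C2600 Software (C2600-BIN-M), Version 12.2(13)T1,  RELEASE SOFTWARE (fc1)
TAC Support: http://www.cisco.com/tac
Copyright (c) 1986-2003 by Cisco Systems, Inc.
Compiled Sat 04-Jan-03 05:58 by ccai

advertisement version: 2
-------------------------
Device ID: 2621A
Entry address(es):
  IP Address: 172.16.20.2
Platform: cisco 2621,  Capabilities: Router
Interface: Serial0/0,  Port ID (outgoing port): Serial0/1/1
Holdtime : 146 sec

Version :
Cisco Internetwork Operating System Software
IOS (tm) C2600 Software (C2600-BIN-M), Version 12.2(13)T1,  RELEASE SOFTWARE (fc1)
TAC Support: http://www.cisco.com/tac
Copyright (c) 1986-2003 by Cisco Systems, Inc.
Compiled Sat 04-Jan-03 05:58 by ccai

advertisement version: 2
-------------------------
2811A#
"""

# One pattern per field of a neighbor block; all are anchored to line starts
# except the IOS version, which sits inside the "IOS (tm) ..." line.
FIELD_PATTERNS = {
    "device_id": re.compile(r"^Device ID:\s*(\S+)", re.M),
    "ip_address": re.compile(r"^\s*IP Address:\s*(\d+\.\d+\.\d+\.\d+)", re.M),
    "platform": re.compile(r"^Platform:\s*(.+?),\s*Capabilities:\s*(.+)$", re.M),
    "interface": re.compile(r"^Interface:\s*(\S+),\s*Port ID \(outgoing port\):\s*(\S+)", re.M),
    "holdtime": re.compile(r"^Holdtime\s*:\s*(\d+) sec", re.M),
    "ios_version": re.compile(r"\bVersion (\S+?),", re.M),
}


def parse_cdp_neighbor_detail(output):
    """Split 'show cdp neighbor detail' output into one dict per neighbor.

    Blocks are separated by the dashed lines; the command echo before the
    first separator and the prompt after the last one carry no Device ID
    and are skipped. Missing fields come back as None rather than raising.
    """
    neighbors = []
    for block in re.split(r"^-{5,}\s*$", output, flags=re.M):
        dev = FIELD_PATTERNS["device_id"].search(block)
        if not dev:
            continue
        entry = {"device_id": dev.group(1)}
        ip = FIELD_PATTERNS["ip_address"].search(block)
        entry["ip_address"] = ip.group(1) if ip else None
        plat = FIELD_PATTERNS["platform"].search(block)
        entry["platform"] = plat.group(1).strip() if plat else None
        entry["capabilities"] = plat.group(2).strip() if plat else None
        intf = FIELD_PATTERNS["interface"].search(block)
        entry["local_interface"] = intf.group(1) if intf else None
        entry["port_id"] = intf.group(2) if intf else None
        hold = FIELD_PATTERNS["holdtime"].search(block)
        entry["holdtime"] = int(hold.group(1)) if hold else None
        ver = FIELD_PATTERNS["ios_version"].search(block)
        entry["ios_version"] = ver.group(1) if ver else None
        neighbors.append(entry)
    return neighbors


def inventory_by_version(neighbors):
    """Group neighbor hostnames by IOS version to spot outliers quickly."""
    groups = {}
    for n in neighbors:
        groups.setdefault(n["ios_version"], []).append(n["device_id"])
    return groups


if __name__ == "__main__":
    found = parse_cdp_neighbor_detail(SAMPLE_CDP_DETAIL)
    for n in found:
        print(f"{n['device_id']:8} {n['ip_address']:15} {n['platform']:12} "
              f"{n['local_interface']} -> {n['port_id']}  IOS {n['ios_version']}")
    print(inventory_by_version(found))
```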
Lab 3.7: Using Telnet

Telnet is a virtual terminal protocol that is part of the TCP/IP protocol suite. Telnet allows you to make connections to remote devices, gather information, and run programs. To start a Telnet session and log into another device, you need a valid username and password on the destination hardware. After your routers and switches are configured, you can use the Telnet program to configure and check your routers and switches instead of needing to use a console cable. You use the Telnet program by typing telnet from any command prompt (DOS or Cisco). VTY passwords must be set on the routers for this to work.

You cannot use CDP to gather information about routers and switches that are not directly connected to your device. However, you can use the Telnet application to connect to your neighbor devices and then run CDP on those remote devices to gather CDP information about remote devices.

In this lab we will telnet from 2621 Router B into 2621 Router A and 3550 Switch A. In a prior lab we configured 2621 Router A, but now we need to configure 3550 Switch A at the start of this lab.
Network Layout

Load Standard Layout.rsm or whatever you named the file when you saved your work while working in section 2. You need a configured network in order to complete this lab.
Lab Steps

1. Double-click 3550 Switch A in order to bring up the console screen.

2. Perform the following commands:

   Switch>en
   Switch#config t
   Enter configuration commands, one per line. End with CNTL/Z
   Switch(config)#

3. To set the IP configuration on a 3550 switch, use the ip address command. However, this is set under the VLAN1 interface, not at global configuration mode as on a 1900 switch. Remember that by default all interfaces are members of VLAN1, which is why the VLAN1 interface is configured by default. Let’s also set the hostname so that we can more clearly identify this device when we telnet into it in subsequent steps.

   Switch(config)#hostname 3550A
   3550A(config)#interface vlan 1
   3550A(config-if)#ip address 172.16.10.17 255.255.255.0

4. The default gateway should also be set, using the ip default-gateway command. Unlike the IP address, this is done at global configuration mode.

   3550A(config-if)#exit
   3550A(config)#ip default-gateway 172.16.10.1

5. We need to set up a VTY password for 3550 Switch A.

   3550A(config)#line vty 0 15
   3550A(config-line)#password todd
   3550A(config-line)#ctrl+z

6. Switch to 2621 Router A via the console menu.

7. For this lab, remove the telnet and enable passwords from 2621 Router A.

   2621A>enable
   2621A#config t
   Enter configuration commands, one per line. End with CTRL/Z.
   2621A(config)#no enable secret
   2621A(config)#no enable password
   2621A(config)#line vty 0 4
   2621A(config-line)#no password
   2621A(config-line)#ctrl+z
   2621A#
8. You can issue the telnet command from any router prompt, as in the following example from 2621 Router B to 2621 Router A:

   2621B#telnet 172.16.20.2
   Trying 172.16.20.2 ... Open
   Password required, but none set
   [Connection to 172.16.20.2 closed by foreign host]
   2621B#

   Remember that the VTY ports on a router are configured as login, which means that you must either set the VTY passwords or use the no login command.

9. On a Cisco router, you do not need to use the telnet command. If you just type an IP address at a command prompt, the router will assume you want to telnet to the device, as shown below:

   2621B#172.16.20.2
   Trying 172.16.20.2 ... Open
   Password required, but none set
   [Connection to 172.16.20.2 closed by foreign host]
   2621B#

10. It’s time to set VTY passwords on the router I want to telnet into. Here is an example of what I did:

   2621A#config t
   Enter configuration commands, one per line. End with CTRL/Z.
   2621A(config)#line vty 0 4
   2621A(config-line)#password todd
   2621A(config-line)#ctrl+z
   2621A#

11. Now, let’s try connecting to the router again (from the 2621 Router B console).

   2621B#172.16.20.2
   Trying 172.16.20.2 ... Open
   User Access Verification
   Password:
   2621A>

12. Remember that the VTY password is the user mode password, not the enable password. Watch what happens when I try to go into privileged mode after telneting into 2621 Router A:

   2621A>en
   % No password set
   2621A>

   This is a good security feature. You don’t want anyone just telneting onto your device and then being able to type the enable command to get into privileged mode. You must set your enable password or enable secret password to use telnet to configure remote devices.

13. Now, exit out of 2621 Router A.

   2621A>exit
   [Connection to 172.16.20.2 closed by foreign host]
   2621B#
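Steps 7 through 12 show three remote-access states: no VTY password (Telnet refused with "Password required, but none set"), a VTY password with no enable secret (no privileged mode over Telnet, the "good security feature"), and the no login alternative step 8 mentions, which would open the VTY lines with no password at all. This added Python example, not from the book or the simulator, audits running-config text for those states; the configuration fragments are constructed, and the enable secret hash is a placeholder.

```python
import re

# Constructed running-config fragments modelled on the commands used in steps 7-12.
# The enable secret value is a placeholder, not a real hash.
CONFIG_LOCKED_DOWN = """\
hostname 2621A
enable secret 5 PLACEHOLDER-HASH
line vty 0 4
 password todd
 login
"""
CONFIG_NO_VTY_PASSWORD = """\
hostname 2621A
line vty 0 4
 login
"""
CONFIG_NO_LOGIN = """\
hostname 2621A
enable password cisco
line vty 0 4
 no login
"""


def split_vty_sections(config):
    """Return (header, [body lines]) for every 'line vty' block in the config.

    IOS indents the lines that belong to a block with one space; the next
    unindented line ends the block.
    """
    sections, current = [], None
    for raw in config.splitlines():
        if raw.startswith(" ") and current is not None:
            current[1].append(raw.strip())
        elif raw.startswith("line vty"):
            current = (raw.strip(), [])
            sections.append(current)
        else:
            current = None
    return sections


def audit_remote_access(config):
    """Report remote-access weaknesses and behaviours visible in a running-config.

    An empty result means an enable secret is set and every VTY block both
    requires authentication and has a password (or local usernames) to check.
    """
    findings = []
    has_secret = re.search(r"^enable secret ", config, re.M) is not None
    has_enable_pw = re.search(r"^enable password ", config, re.M) is not None
    has_usernames = re.search(r"^username \S+ ", config, re.M) is not None
    if has_enable_pw and not has_secret:
        findings.append("enable password is set without an enable secret; "
                        "enable password is stored reversibly, use enable secret")
    if not has_secret and not has_enable_pw:
        findings.append("no enable secret or enable password: Telnet users get "
                        "'% No password set' and cannot enter privileged mode")
    for header, body in split_vty_sections(config):
        has_pw = any(line.startswith("password ") for line in body)
        if "no login" in body:
            findings.append(f"{header}: 'no login' lets anyone open a Telnet "
                            "session without a password")
        elif "login local" in body:
            if not has_usernames:
                findings.append(f"{header}: 'login local' but no username "
                                "configured; Telnet will be refused")
        elif not has_pw:
            # 'login' is the default on VTY lines, so a block with neither a
            # password nor 'no login' behaves as in step 8: the router answers
            # 'Password required, but none set' and closes the session.
            findings.append(f"{header}: login required but no password set; "
                            "Telnet connections are refused")
    return findings


if __name__ == "__main__":
    for name, cfg in (("locked down", CONFIG_LOCKED_DOWN),
                      ("no vty password", CONFIG_NO_VTY_PASSWORD),
                      ("no login", CONFIG_NO_LOGIN)):
        print(name)
        for finding in audit_remote_access(cfg) or ["no findings"]:
            print("  -", finding)
```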
14. If you telnet to a router or switch, you can end the connection by typing exit at any time. However, what if you want to keep your connection to a remote device but still come back to your original router console? To keep the connection, press the Ctrl+Shift+6 key combination, release it, and then press X. Here’s an example of connecting to multiple devices from the 2621 Router B console:

   2621B#telnet 172.16.20.2
   Trying 172.16.20.2 ... Open
   User Access Verification
   Password:
   2621A> [press ctrl+shift+6 then x]
   2621B#

   In the example above, I telneted to 2621 Router A, then typed the password to enter user mode. I then pressed Ctrl+Shift+6, then X (this doesn’t show on the screen output). Notice the command prompt is now back at 2621 Router B.

15. You can also telnet into a switch. In the following example, we telnet to switch 3550 A.

   2621B#telnet 172.16.10.17
   Trying 172.16.10.17 ... Open
   User Access Verification
   Password:
   3550A>

16. At this point, press Ctrl+Shift+6, then X, which will take you back to the 2621 Router B console.

   2621B#
17. To see the connections made from your router to a remote device, use the show sessions
command, as shown below. 2621B#show sessions Conn Host 1 172.16.20.2 * 2 172.16.10.17 2621B#
Address 172.16.20.2 172.16.10.17
Byte 0 0
Idle Conn Name 0 172.16.20.2 0 172.16.10.17
18. Notice the asterisk (*) next to connection 2. This means that session 2 was the last session. You can return to your last session by pressing Enter twice. You can also return to any session by typing the number of the connection and pressing Enter twice. Here is an example:
2621B#1
[Resuming connection 1 to 172.16.20.2 ... ]
[press enter]
2621A>
When changing windows from router to router, do not close the window with the X or the Telnet information will be lost.
19. You can list all active consoles and VTY ports in use on your router with the show users command. Type show users from the 2621 Router A, which the 2621 Router B had telneted into.
2621A>show users
    Line       User       Host(s)              Idle       Location
   0 con 0                idle                 00:00:00
*  2 vty 0                idle                 00:25:12 172.16.30.2

  Interface    User               Mode         Idle     Peer Address
2621A>
In the output, con represents the local console. In this example, the console is connected to two remote IP addresses, or devices. This output shows that the console is active and that VTY port 0 is being used. The asterisk represents the current terminal session user.
20. You can end Telnet sessions a few different ways. Typing exit or disconnect is probably the easiest and quickest. To end a session from a remote device, use the exit command, as shown below.
2621A#exit
[Connection to 172.16.20.2 closed by foreign host]
2621B#
21. To end a session from a local device, use the disconnect command, as shown below.
2621B#show sessions
Conn Host          Address        Byte  Idle Conn Name
*  2 172.16.10.17  172.16.10.17      0     0 172.16.10.17
2621B#disconnect 2
Closing connection to 172.16.10.17 [confirm] [enter]
2621B#
In this example, we used the session number 2 because that was the connection to 3550 Switch A that we wanted to end. As explained earlier, you can use the show sessions command to see the connection number.
Save Your File: Make sure you save the network layout file that you have been working on.
Lab 3.8: Using Secure Shell in Place of Telnet
The last lab had you set the five basic passwords that can be used on a router. In order to gain access to the console (user mode) through the network (called in-band), you set a password on your VTY lines. This allowed Telnet access. However, Telnet is insecure because everything, including passwords, is sent in the clear. We can fix that by using Secure Shell (SSH). This is basically the same as using Telnet, but over a secure connection. We will configure our routers to use SSH on the VTY lines.
Network Layout
Load Secure Shell Layout.rsm, or whatever you previously named it, before going through the following lab.
1. On the Network Visualizer screen, click on the File menu and then click Open.
2. When the dialog box appears, make sure you are in the Networks folder.
3. Click on the file Secure Shell Layout.rsm and click Open.
Lab Steps
1. On the Network Visualizer screen, double-click on 2811 Router A. This will bring up a console screen.
2. Press Enter and the Router> prompt will appear. You are now in user mode.
3. Change to privileged mode.
Router>
Router>enable
4. We need to set a hostname on 2811 Router A.
Router#config t
Router(config)#hostname 2811A
2811A(config)#
5. The next thing we need to do is set a username and password to use for login when using SSH.
2811A(config)#username todd password lammle
6. In addition, a domain name must be set. This is a required step when using SSH. However, it is not important what you set it to unless you are using a DNS server for domain lookups on the router.
2811A(config)#ip domain-name lammle.com
7. Now a key needs to be generated on the router. This will be used to encrypt the password when connecting with SSH to the router.
2811A(config)#crypto key generate rsa
The name for the keys will be: 2811A.lammle.com
Choose the size of the key modulus in the range of 360 to 2048 for your General Purpose Keys. Choosing a key modulus greater than 512 may take a few minutes.
How many bits in the modulus [512]: [press enter]
% Generating 512 bit RSA keys, keys will be non-exportable...[OK]
2811A(config)#
Now, we need to set our VTY line commands. The VTY lines are where the Telnet password is set on the router; if no password is set, Telnet cannot be used by default. However, we don’t have to use Telnet: we can use SSH instead of, or alongside, Telnet. We no longer use the login command by itself. We need to use login local to have the VTY lines look for the username and password configured locally on the router. Let’s take a look.
8. Use the line vty command to enter line mode.
2811A(config)#line vty 0 ?
<1-1180> Last Line number
2811A(config)#line vty 0 1180
2811A(config-line)#login local
9. After setting the lines to use the username and password configured on the local router, we need to tell the VTY lines to use SSH.
2811A(config-line)#transport input ssh
10. The above command allows only SSH sessions on the VTY lines. You can use the following command to allow both SSH and Telnet into your router (although, if you can use SSH, Telnet is not recommended).
2811A(config-line)#transport input ssh telnet
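As an added example that is not from the lab book or its simulator, the following Python script checks a saved running-config for the VTY settings that Labs 3.7 and 3.8 just walked through: whether each vty range still permits Telnet, whether it authenticates with login local against a configured username or with a shared line password (or with no password at all, which produces the "Password required, but none set" refusal seen in step 9 of Lab 3.7), whether an enable secret exists so that remote users are not stopped by "% No password set", and whether SSH version 2 is forced. Both configuration texts are constructed and the hash values are placeholders. The rule that a vty range should state transport input explicitly is this example's own, since the default differs between IOS releases.

```python
"""Audit a Cisco IOS running-config for the Telnet/SSH settings covered in
Labs 3.7 and 3.8.  Added example, not from the lab book or the simulator;
both configs below are constructed and the hashes are placeholders."""
import re
from typing import Dict, List

# Constructed: 2811A right after Lab 3.8, with a second vty range that still
# carries the Telnet-only settings from Lab 3.7.
LAB_CONFIG = """\
hostname 2811A
ip domain-name lammle.com
username todd password 0 lammle
line con 0
 login
line vty 0 4
 login local
 transport input ssh telnet
line vty 5 15
 password todd
 login
"""

# Constructed: the same router after hardening.
HARDENED_CONFIG = """\
hostname 2811A
ip domain-name lammle.com
ip ssh version 2
enable secret 5 $1$PLACEHOLDER$notarealhash
username todd secret 5 $1$PLACEHOLDER$notarealhash
line con 0
 login local
line vty 0 15
 login local
 transport input ssh
"""

LINE_STANZA = re.compile(r"^line (\S+(?: \d+)*)$")


def parse_line_blocks(config: str) -> Dict[str, List[str]]:
    """Map each 'line ...' stanza (e.g. 'vty 0 4') to its sub-commands.
    IOS indents sub-commands by one space; an unindented line ends the stanza."""
    blocks: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        if not raw.strip():
            continue
        if raw.startswith(" "):
            if current is not None:
                blocks[current].append(raw.strip())
            continue
        m = LINE_STANZA.match(raw.strip())
        current = m.group(1) if m else None
        if current is not None:
            blocks[current] = []
    return blocks


def audit(config: str) -> List[str]:
    """Return human-readable findings; an empty list means nothing to fix."""
    findings: List[str] = []
    top = [l.strip() for l in config.splitlines() if l and not l.startswith(" ")]
    has_secret = any(l.startswith("enable secret") for l in top)
    has_enable_pw = any(l.startswith("enable password") for l in top)
    usernames = [l for l in top if l.startswith("username ")]

    if not has_secret:
        findings.append("no enable secret: remote users get '% No password set'"
                        if not has_enable_pw else
                        "enable password without enable secret: use a hashed enable secret")
    for u in usernames:
        if " password " in u:
            findings.append(f"username {u.split()[1]}: 'password' keyword is reversible; use 'secret'")
    if "ip ssh version 2" not in top:
        findings.append("ip ssh version 2 not set: SSHv1 may still be negotiated")

    for name, cmds in parse_line_blocks(config).items():
        if not name.startswith("vty"):
            continue
        transport = next((c for c in cmds if c.startswith("transport input")), None)
        if transport is None:
            # This example's own rule: the IOS default for transport input
            # varies by release, so require it to be stated.
            findings.append(f"line {name}: transport input not set explicitly")
        elif {"telnet", "all"} & set(transport.split()):
            findings.append(f"line {name}: Telnet permitted ({transport}); passwords cross the network in cleartext")
        if "no login" in cmds:
            findings.append(f"line {name}: 'no login' allows access without any password")
        elif "login local" in cmds:
            if not usernames:
                findings.append(f"line {name}: login local but no username is configured")
        elif "login" in cmds:
            if any(c.startswith("password ") for c in cmds):
                findings.append(f"line {name}: shared line password; prefer login local with per-user secrets")
            else:
                findings.append(f"line {name}: login with no password; Telnet is refused ('Password required, but none set')")
    return findings


if __name__ == "__main__":
    for label, cfg in (("lab", LAB_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {label} ==")
        for f in audit(cfg) or ["OK"]:
            print(" ", f)
```

Feed it the text of show running-config from a router; the hardened sample produces no findings, while the lab sample reports the Telnet transport on vty 0 4, the shared password on vty 5 15, the missing enable secret and the reversible username password.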
Rename and Save Your File: Make sure you save the actual network layout file that you have been working with. You might want to save it to another file name than Secure Shell Layout.rsm. This allows you to start over with a non-configured network if you wish.
1. There are two ways you can save a network layout. The first way is by clicking on the Diskette button on the button bar, at the top of the Network Visualizer screen. You can also click File on the menu and choose Save from the drop-down menu.
2. A dialog box will appear. At the bottom you will see the file name Secure Shell Layout.rsm. Rename the file. In the following example it is renamed My Secure Shell Layout.rsm.
3. Click the Save button. At this point your network layout has been saved to a new name. You then have the option of reloading Secure Shell Layout.rsm, which is non-configured.
Lab 3.9: Verifying Secure Shell in Place of Telnet
In Lab 3.8 we configured 2811 Router A to be an SSH server. In this lab, we will use 2811 Router B to connect to 2811 Router A and verify that SSH is working. As we discussed in Lab 3.8, the reason we want to use SSH is that Telnet is insecure; SSH is basically the same as Telnet, but over a secure connection. Let’s verify our SSH server on 2811 Router A.
Network Layout
Work with the saved network that you used to configure devices in Lab 3.8.
Lab Steps
1. On the Network Visualizer screen, double-click 2811 Router B. This will bring up a console screen.
2. The first thing we need to do is ping 2811 Router A from 2811 Router B to verify network connectivity.
2811B(config)#exit
2811B#ping 172.16.20.1
3. Now, let’s SSH into 2811 Router A and verify our connection. We need to use the username configured on 2811 Router A (from Lab 6.8) as our login. We do this with the -l option. The name used in the ssh command is case sensitive.
2811B#ssh -l todd 172.16.20.1
Password: [lammle is the password; it does not appear when you type]
2811A>
4. You can verify your connection on 2811 Router A with the show users command:
2811A>show users
    Line       User       Host(s)              Idle       Location
* 66 vty 0     Vail       idle                 00:00:00 192.0.2.157

  Interface    User               Mode         Idle     Peer Address
2811A>
Lab 3.10: Creating a Hosts Table on a Router and Resolving Host Names to IP Addresses
You can use a hostname to connect to a remote device rather than an IP address. The device that you are making the connection from must be able to translate the hostname to an IP address. This lab will show you how to create a hosts table on your router to resolve host names to IP addresses.
Network Layout
Work with the saved network that you used to configure devices in Lab 3.9. You need a configured network in order to complete this lab.
Lab Steps
1. A host table provides name resolution only on the router on which it was built. The command to build a host table on a router is:
ip host name ip_address
2. Here is an example of configuring a host table on the 2621 Router B with two entries to resolve the names for the 2621 Router A and the 3550 Switch A:
2621B#config t
Enter configuration commands, one per line. End with CTRL/Z.
2621B(config)#ip host ?
WORD Name of host
2621B(config)#ip host 2621A ?
<0-65535> Default telnet port number
A.B.C.D Host IP address
additional Append addresses
2621B(config)#ip host 2621A 172.16.20.2 ?
A.B.C.D Host IP address (maximum of 8)
2621B(config)#ip host 2621A 172.16.20.2
2621B(config)#ip host 3550A 172.16.10.17
2621B(config)#ctrl+z
3. To see the host table, use the show hosts command, as shown below.
2621B#sh hosts
Default domain is not set
Name/address lookup uses domain service
Name servers are 255.255.255.255
Host       Flags      Age Type   Address(es)
2621A      (perm, OK)   0 IP     172.16.20.2
3550A      (perm, OK)   0 IP     172.16.10.17
2621B#
In the router output above, you can see the two hostnames and their associated IP addresses. The perm in the Flags column means the entry is manually configured. If it said temp, it would be an entry resolved by DNS.
4. To verify that the host table resolves names, try typing the hostnames at a router prompt. Remember that if you don’t specify a command, the router assumes you want to telnet. Use the hostnames we just created to telnet into the remote devices and then press Ctrl+Shift+6, then X to return to the main console of the 2621B router.
2621B#2621A
Trying 2621A (172.16.20.2)... Open
User Access Verification
Password:
2621A>(control+shift+6, then x)
2621B#
2621B#3550A
Trying 3550A (172.16.40.2)... Open
User Access Verification
Password:
3550A#
5. Notice in the show session output below that the hostname now shows up instead of the IP address, because the names have been resolved.
3550A#sh sess
Conn Host          Address        Byte  Idle Conn Name
   1 2621A         172.16.20.2       0     0 2621A
*  2 3550A         172.16.10.17      0     0 3550A
6. You can remove a hostname from the table by using the no ip host command, as in the following example:
3550A>(control+shift+6, then x)
2621B#
2621B#config t
Enter configuration commands, one per line. End with CTRL/Z.
2621B(config)#no ip host 2621A
7. Now remove the other hostname from the table by using the no ip host command.
2621B(config)#no ip host 3550A
Configuring the Catalyst Switch
Lab 4: Introduction to Configuring the Catalyst Switch
The CCNA exam covers specific switch commands for the 2950/2960 and 3550/3560 switches. The following labs will teach you how to connect to the 1900 switch and Catalyst 2950/2960 and 3550/3560 switches and configure LAN switching. The labs covered in this section include:
• 4.1: Connecting to the 1900 Switch and Setting the Passwords
• 4.2: Configuring the 1900 Switch
• 4.3: Configuring the 1900 Switch Port Duplex
• 4.4: Verifying the 1900 Switch IP Connectivity
• 4.5: Erasing the 1900 Switch Configuration
Labs 4.1 - 4.5 are for the 1900 switch, which is not used in our standard network layouts, but is included for your educational purpose. The 1900 switch is an older switch and is end-of-life from Cisco.
• 4.6: Utilizing the 2950/2960 Switch
• 4.7: Setting Passwords on the 2950/2960 Switch
• 4.8: Configuring the 2950/2960 Switch
• 4.9: Verifying the 2950/2960 Switch IP Connectivity
• 4.10: Saving and Erasing the 2950/2960 Switch Configuration
• 4.11: Utilizing the 3550/3560 Switch
• 4.12: Setting Passwords on the 3550/3560 Switch
• 4.13: Configuring the 3550/3560 Switch
• 4.14: Verifying the 3550/3560 Switch IP Connectivity
• 4.15: Saving and Erasing the 3550/3560 Switch Configuration
Lab 4.1: Connecting to the 1900 Switch and Setting Passwords
This lab will have you work with a switch and router, enter an IP address on a router, enter global configuration mode and then set the passwords.
Network Layout
Load 1900 Switch Layout.rsm before going through the following lab.
1. On the Network Visualizer screen, click on the File menu and then click Open.
2. When the dialog box appears, make sure you are in the Networks folder.
3. Click on the file 1900 Switch Layout.rsm and click Open.
Lab Steps
1. Double-click the 1900 switch to view the 1900 switch console.
OR
Go to the 1900 switch via the console menu.
2. You will then see the following output. Press K to enter the CLI.
1 user(s) now active on Management Console.
User Interface Menu
[M] Menus
[K] Command Line
[I] IP Configuration
Enter Selection: K
CLI session with the switch is open.
To end the CLI session, enter [Exit].
>
3. The first thing that you should configure on a switch is the passwords. You don’t want unauthorized users connecting to the switch. You can set both the user mode and privileged mode passwords, just like on a router. Enter privileged mode by using the enable command and then enter global configuration mode by using the config t command. The following switch output shows an example of how to get into enable mode, and then into global configuration mode.
>enable
#config t
Enter configuration commands, one per line. End with CTRL/Z
(config)#
4. Once you are in global configuration mode, you can set the user mode and enable mode passwords by using the enable password command. The switch output below shows the configuration of both the user mode and enable mode passwords.
(config)#enable password ?
level Set exec level password
(config)#enable password level ?
<1-15> Level number
5. To enter the user mode password, use level number 1. To enter the enable mode password, use level number 15. Remember the password must be at least four characters, but not longer than eight characters. The switch output below shows the user mode password being set and denied because it is more than eight characters.
(config)#enable password level 1 toddlammle
Error: Invalid password length.
Password must be between four and eight characters.
6. The following output is an example of how to set both the user mode and enable mode passwords on the 1900 switch.
(config)#enable password level 1 todd
(config)#enable password level 15 todd1
(config)#exit
#exit
7. At this point, you can press Enter and test your passwords. You will be prompted for a user mode password after you press K and then an enable mode password after you type enable.
Catalyst 1900 Management Console
Copyright (c) Cisco Systems, Inc. 1993-1998
All rights reserved.
Enterprise Edition Software
Ethernet Address: 00-30-80-CC-7D-00
PCA Number: 73-3122-04
PCA Serial Number: FAB033725XG
Model Number: WS-C1912-A
System Serial Number: FAB0339T01M
Power Supply S/N: PHI031801CF
PCB Serial Number: FAB033725XG,73-3122-04
-------------------------------------------------
1 user(s) now active on Management Console.
User Interface Menu
[M] Menus
[K] Command Line
Enter Selection: K
Enter password: ****
CLI session with the switch is open.
To end the CLI session, enter [Exit].
>en
Enter password: ****
#
8. The enable secret password is a more secure password and supersedes the enable password if set. You set this password the same way you set the enable secret password on a router. If you have an enable secret set, you don’t even need to bother setting the enable mode password.
#config t
Enter configuration commands, one per line. End with CTRL/Z
(config)#enable secret todd2
9. You can use show running-config (show run for short) to see the current configuration on the switch.
(config)#exit
#sh run
Building configuration...
Current configuration:
enable secret 5 $1$FMFQ$wFVYVLYn2aXscfB3J95.w.
enable password level 1 "TODD"
enable password level 15 "TODD1"
[output cut]
Notice the enable mode passwords are not encrypted by default, but the enable secret is. This is the same password configuration technique that you will find on a router. One more thing to notice is that even though I typed the passwords in lowercase, the running-config shows them in uppercase. It doesn’t matter how you type them or how they show in the configuration, because the passwords are not case sensitive on the switch.
Rename and Save Your File: Make sure you save the actual network layout file that you have been working with. You might want to save it to another file name than 1900 Switch Layout.rsm. This allows you to start over with a non-configured network if you wish.
1. There are two ways you can save a network layout. The first way is by clicking on the Diskette button on the button bar, at the top of the Network Visualizer screen. You can also click File on the menu and choose Save from the drop-down menu.
2. A dialog box will appear. At the bottom you will see the file name 1900 Switch Layout.rsm. Rename the file. In the following example it is renamed to My 1900 Switch Layout.rsm.
3. Click the Save button. At this point your network layout has been saved to a new name. You then have the option of reloading 1900 Switch Layout.rsm, which is non-configured.
Lab 4.2: Configuring the 1900 Switch
Use the saved network layout file from Lab 4.1. The file name is 1900 Switch Layout.rsm or whatever you named it when you saved it in Lab 4.1.
Set the Hostname
The hostname on a switch, as well as on a router, is only locally significant. This means that it has no function on the network or in name resolution whatsoever. However, it is helpful to set a hostname on a switch so that you can identify the switch when connecting to it. A good rule of thumb is to name the switch after the location it is serving.
Lab Steps
1. The 1900 switch command to set the hostname is exactly like on any router: you use the hostname command. Remember, it is one word. The switch output below shows the console screen. Press K to go into user mode, enter the password, use the enable command and enter the enable secret password. From global configuration mode, type the command hostname hostname.
1 user(s) now active on Management Console.
User Interface Menu
[M] Menus
[K] Command Line
[I] IP Configuration
Enter Selection: K
Enter password: ****
CLI session with the switch is open.
To end the CLI session, enter [Exit].
>en
Enter password: ****
#config t
Enter configuration commands, one per line. End with CTRL/Z
(config)#hostname 1900A
1900A(config)#exit
Notice that as soon as I pressed Enter, the hostname of the switch appeared. Remember that global configuration mode, which you enter by using the config t command, changes the running-config. Any changes you make in this mode take effect immediately.
Configure the IP Address
You do not have to set any IP configuration on the switch to make it work. You can just plug in devices and they should start working, just like they would on a hub. The reason you would set the IP address information on the switch is so that you can either manage the switch via Telnet or other management software, or configure the switch with different VLANs and other network functions. VLANs are discussed in later labs.
2. By default, no IP address or default-gateway information is set. You would set both the IP address and the default-gateway on a layer-two switch, just like on any host. By typing the command show ip (or sh ip), you can see the default IP configuration of the switch.
1900A#show ip
IP Address: 0.0.0.0
Subnet Mask: 0.0.0.0
Default Gateway: 0.0.0.0
Management VLAN: 1
Domain name:
Name server 1: 0.0.0.0
Name server 2: 0.0.0.0
HTTP server : Enabled
HTTP port : 80
RIP : Enabled
Notice in the above switch output that no IP address, default-gateway, or other IP parameters are configured.
3. To set the IP configuration on a 1900 switch, use the ip address command. The default gateway should also be set using the ip default-gateway command. The switch output below shows an example of how to set the IP address and default-gateway on a 1900 switch.
1900A#config t
Enter configuration commands, one per line. End with CTRL/Z
1900A(config)#ip address 172.16.10.16 255.255.255.0
1900A(config)#ip default-gateway 172.16.10.1
1900A(config)#exit
4. Once you have your IP information set, use the show ip command to verify your changes. You can view this information with the show running-config command as well.
1900A#show ip
IP Address: 172.16.10.16
Subnet Mask: 255.255.255.0
Default Gateway: 172.16.10.1
Management VLAN: 1
Domain name:
Name server 1: 0.0.0.0
Name server 2: 0.0.0.0
HTTP server : Enabled
HTTP port : 80
RIP : Enabled
1900A#
To change the IP address and default-gateway on the switch, you can either type in new addresses or remove the IP information with the no ip address and no ip default-gateway commands at the global configuration prompt.
Configure Interfaces
It is important to understand how to access switch ports. The 1900 switch uses the type slot/port command. For example, FastEthernet 0/3 is 10BaseT port 3. Another example
would be FastEthernet 0/26, which is the first of the two FastEthernet ports available on the 1900 switch. The 1900 switch type slot/port command can be used with either the interface command or the show command. The interface command allows you to set interface-specific configurations. The 1900 switch has only one slot: zero (0).
5. To configure an interface on a 1900 switch, go to global configuration mode and use the interface command with the type, either Ethernet or FastEthernet. I am going to demonstrate the Ethernet interface configuration first.
1900A#config t
Enter configuration commands, one per line. End with CTRL/Z
1900A(config)#int ethernet ?
<0-0> IEEE 802.3
6. The previous output asks for the slot. Since the 1900 switch is not modular, there is only one slot. The next output gives us a slash (/) to separate the slot/port configuration.
1900A(config)#int ethernet 0?
/
1900A(config)#int ethernet 0/?
<1-25> IEEE 802.3
7. After the 0/ in the command, the above output shows the range of ports you can configure. The output below shows the completed command.
1900A(config)#int ethernet 0/1
8. Once you are in interface configuration, the prompt changes to (config-if). At the interface prompt, you can use the help commands to see the available commands.
1900A(config-if)#?
Interface configuration commands:
cdp Cdp interface subcommands
description Interface specific description
duplex Configure duplex operation
exit Exit from interface configuration mode
help Description of the interactive help system
no Negate a command or set its defaults
port Perform switch port configuration
shutdown Shutdown the selected interface
spantree Spanning tree subsystem
vlan-membership VLAN membership configuration
1900A(config-if)#exit
You can switch between interface configurations by using the int e 0/# command at any time from global configuration mode.
9. The switch output below shows the configuration of a FastEthernet port on the 1900 switch. Notice that the command is interface fastethernet, but the slot is still 0. The only ports available are 26 and 27.
1900A(config)#int fastethernet ?
<0-0> FastEthernet IEEE 802.3
1900A(config)#int fastethernet 0/?
<26-27> FastEthernet IEEE 802.3
1900A(config)#int fastethernet 0/26
1900A(config-if)#int fast 0/27
1900A(config-if)#ctl+z
10. After you make any changes you want to the interfaces, you can view the different interfaces with the show interface command. The switch output below shows the command used to view a 10BaseT interface and the command to view a FastEthernet interface.
1900A#show int e0/1
Ethernet 0/1 is Suspended-no-linkbeat
Hardware is Built-in 10Base-T
Address is 0030.80CC.7D01
MTU 1500 bytes, BW 10000 Kbits
802.1d STP State: Forwarding Forward Transitions: 1
[output cut]
1900A#show int f0/26
Fastethernet 0/26 is Suspended-no-linkbeat
Hardware is Built-in 100Base-TX
Address is 0030.80CC.7D1A
MTU 1500 bytes, BW 100000 Kbits
802.1d STP State: Blocking Forward Transitions: 0
[output cut]
Configure Interface Descriptions
You can administratively set a name for each interface on the 1900 switch. Like the hostname, the descriptions are only locally significant. For the 1900 series switch, use the description command. You cannot use spaces with the description command, but you can use underscores if you need to.
11. To set the descriptions, you need to be in interface configuration mode. From interface configuration mode, use the description command to describe each interface. You can
make the descriptions more than one word, but you can’t use spaces. You will have to use the underscore, as shown below:
1900A#config t
Enter configuration commands, one per line. End with CTRL/Z
1900A(config)#int e0/1
1900A(config-if)#description Finance_VLAN
1900A(config-if)#int f0/26
1900A(config-if)#description trunk_to_Building_4
1900A(config-if)#ctl+z
In the configuration example above, we set the description on both a 10Mbps port and a 100Mbps port.
View Interface Descriptions
Once you have configured the descriptions you want on each interface, you can view them with either the show interface command or the show running-config command.
12. View the configuration of the Ethernet interface 0/1 by using the show interface ethernet 0/1 command.
1900A#show int e0/1
Ethernet 0/1 is Enabled
Hardware is Built-in 10Base-T
Address is 0030.80CC.7D01
MTU 1500 bytes, BW 10000 Kbits
802.1d STP State: Forwarding Forward Transitions: 1
Port monitoring: Disabled
Unknown unicast flooding: Enabled
Unregistered multicast flooding: Enabled
Description: Finance_VLAN
Duplex setting: Half duplex
Back pressure: Disabled
13. Use the show running-config command to view the interface configurations as well.
1900A#show run
Building configuration...
Current configuration:
!
hostname "1900A"
!
ip address 172.16.10.16 255.255.255.0
ip default-gateway 172.16.10.1
!
enable secret 5 $1$u76B$IOFVJ7VxfVXYVpGDrFTcI0
enable password level 1 "TODD"
enable password level 15 "TODD1"
!
interface Ethernet 0/1
description "Finance_VLAN"
[output cut]
Save Your File: Make sure you save the network layout file that you have been working on.
Lab 4.3: Configuring the 1900 Switch Port Duplex
The 1900 switch has only 12 or 24 10BaseT ports and comes with one or two FastEthernet ports. You can only set the duplex on the 1900 switch, as the ports are all fixed speeds.
Network Layout
Use the saved network that you have been working with.
Lab Steps
1. Use the duplex command in interface configuration. In the switch output below, notice the options available on the FastEthernet ports.
1900A(config)#int f0/26
1900A(config-if)#duplex ?
auto Enable auto duplex configuration
full Force full duplex operation
full-flow-control Force full duplex with flow control
half Force half duplex operation
1900A(config-if)#duplex full
1900A(config-if)#ctrl+z
The following table shows the different duplex options available on the 1900 switches. The 1900 FastEthernet ports default to auto duplex, which means they will try to auto-detect the duplex the other end is running.
Table: Duplex Options
Parameter          Definition
Auto               Sets the port into auto-negotiation mode. Default for all 100BaseTX ports.
Full               Forces the 10 or 100Mbps ports into full duplex mode.
Full-flow-control  Works only with 100BaseTX ports; uses flow control so buffers won’t overflow.
Half               Default for 10BaseT ports; forces the ports to work only in half duplex mode.
2. Once you have the duplex set, you can use the show interface command to view the duplex configuration.
1900A#show int f0/26
Fastethernet 0/26 is enabled
Hardware is Built-in 100Base-TX
Address is 0030.80CC.7D1A
MTU 1500 bytes, BW 100000 Kbits
802.1d STP State: Blocking Forward Transitions: 0
Port monitoring: Disabled
Unknown unicast flooding: Enabled
Unregistered multicast flooding: Enabled
Description: trunk to Building 4
Duplex setting: Full duplex
Back pressure: Disabled
3. In the output above, the duplex setting shows full duplex.
Lab 4.4: Verifying 1900 Switch IP Connectivity
It is important to test the switch IP configuration. You can use the ping program, and you can telnet into the 1900 switch. However, you cannot telnet from the 1900 switch or use traceroute.
Network Layout
Use the saved network that you are using while working with the 1900 switch.
Lab Steps
1. Right-click on Host A.
2. Click on the Configs button.
3. On Host A configure:
• IP Address
• Subnet Mask
• Default Gateway
IP Address: 172.16.10.9
Subnet Mask: 255.255.255.0
Default Gateway: 172.16.10.1
4. Click the OK button and then the Close button.
5. Ping the host from the switch 1900 A.
1900A#ping 172.16.10.9
Sending 5, 100-byte ICMP Echos to 172.16.10.9, time out is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max 0/2/10/ ms
A successful ping prints exclamation points (!). If you receive periods (.) instead of exclamation points, that signifies a timeout.
6. Telnet to the host.
1900A#telnet 172.16.10.9
^
% Invalid input detected at '^' marker.
In the Telnet example above, notice the error when you try to telnet from the 1900 switch. The command is not available on the 1900 switch. However, you can telnet into a switch at any time, as long as the switch is configured correctly.
Save Your File: Make sure you save the network layout file that you have been working on.
Lab 4.5: Erasing the 1900 Switch Configuration
The switch configuration is stored in NVRAM, just as on any router. You cannot view the startup-config, or contents of NVRAM; you can only view the running-config. When you make a change to the switch’s running-config, the switch automatically copies the configuration to NVRAM. You can delete the configuration in NVRAM on the 1900 switch if you want to start over on the switch’s configuration. To delete the contents of NVRAM on a 1900 switch, use the delete nvram command.
Network Layout
Use the saved network that you are using while working with the 1900 switch.
Lab Steps
1. Type delete ? from the 1900 Switch A privileged mode prompt. Notice in the switch output below that there are two options: nvram and vtp. We want to delete the contents of NVRAM to return to the factory default settings.
1900A#delete ?
nvram NVRAM configuration
vtp Reset VTP configuration to defaults
1900A#delete nvram
This command resets the switch with factory defaults. All system parameters will revert to their default factory settings. All static and dynamic addresses will be removed.
Reset system with factory defaults, [Y]es or [N]o? Yes
2. Notice the message received from the switch when the delete nvram command is used. Once you say yes, the configuration is gone.
3. To confirm the configuration is gone, use the show run command.
#show run
Building configuration...
Current configuration:
!
interface Ethernet 0/1
!
interface Ethernet 0/2
!
interface Ethernet 0/3
!
interface Ethernet 0/4
[output cut]
Lab 4.6: Utilizing the 2950 and 2960 Switch
The 2950 and 2960 switches are very similar and basically support the same commands. The configuration commands between the two switches differ because:
• The Catalyst 2950 switch runs Cisco IOS 12.1EA software, and the Catalyst 2960 switch runs Cisco IOS 12.2SE software.
• The hardware is different. In this program the 2950 switch has 12 FastEthernet ports ... and the 2960 switch has eight FastEthernet ports and one GigabitEthernet port ...
If you use a 2950 switch command, it might not be supported on the 2960 switch. The 2960 switch software handles an incompatible command by either:
• accepting it and translating it
• rejecting the command
In this program the supported commands for these two switches are identical.
Lab 4.7: Setting Passwords on the 2950/2960 Switch
This lab will have you work with a 2950/2960 switch. The commands used in configuring the 2950 or 2960 switches are identical in this program. You can choose which device you would like to work with in setting passwords. In this lab, enter global configuration mode and then set the passwords.
Network Layout
Load Standard Layout.rsm or whatever you named the file when you saved your work in earlier labs.
Lab Steps
1. Double-click 2950 Switch A or 2960 Switch A to open the console screen.
2. Press Enter to connect to the console.
Switch>
3. For the user mode of the switch, you can use the help screen just like on a router.
Switch>?
Exec commands:
  <1-99>           Session number to resume
  access-enable    Create a temporary Access-List entry
  clear            Reset functions
  connect          Open a terminal connection
  disable          Turn off privileged commands
  disconnect       Disconnect an existing network connection
  enable           Turn on privileged commands
  exit             Exit from the EXEC
  help             Description of the interactive help system
  lock             Lock the terminal
  login            Log in as a particular user
  logout           Exit from the EXEC
  name-connection  Name an existing network connection
  ping             Send echo messages
  rcommand         Run command on remote switch
  resume           Resume an active network connection
  show             Show running system information
  systat           Display information about terminal lines
  telnet           Open a telnet connection
  terminal         Set terminal line parameters
  traceroute       Trace route to destination
  tunnel           Open a tunnel connection
--More-- [output cut]
4. The first thing that you should configure on a switch is the passwords. You don’t want unauthorized users connecting to the switch. You can set both the user mode and privileged mode passwords, just like on a router. Enter enable mode by using the enable command and then enter global configuration mode by using the config t command. The following switch output shows an example of how to get into enable mode, and then into global configuration mode.
Switch>enable
Switch#config t
Enter configuration commands, one per line. End with CTRL/Z
Switch(config)#
5. Once you are in global configuration mode, you can set the user mode and enable mode passwords by using the enable password and enable secret commands. The switch output below shows the configuration of both the user mode and enable mode passwords.
Switch(config)#enable password ?
  0      Specifies an UNENCRYPTED password will follow
  7      Specifies a HIDDEN password will follow
  LINE   The UNENCRYPTED (cleartext) 'enable' password
  level  Set exec level password
Switch(config)#enable password todd
Switch(config)#enable secret cisco
Switch(config)#
If you set your enable secret, the enable password is superseded and not used, just like on a router.
6. In addition to the enable password and enable secret, the 2950/2960 switch allows you to set a console and Telnet password as well using the line commands, just like on a router.
Switch(config)#line ?
  <0-16>   First Line number
  console  Primary terminal line
  vty      Virtual terminal
Switch(config)#line console 0
Switch(config-line)#password console
Switch(config-line)#login
Switch(config-line)#line vty ?
% Unrecognized command
7. Remember that just like on a router, you cannot get help for a line command from within line configuration mode. Type exit to go back one step.
Switch(config-line)#exit
Switch(config)#line vty ?
  <0-15>  First Line number
Switch(config)#line vty 0 15
Switch(config-line)#password telnet
Switch(config-line)#login
Switch(config-line)#ctrl+z
Switch#
8. You can use show running-config (show run for short) to see the current configuration on the switch.
Current configuration : 997 bytes
!
version 12.1
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname Switch
!
enable secret 5 $1$yNgO$9uU0Z6NG1ib4vlt05bmMW1
enable password todd
!
ip subnet-zero
!
spanning-tree extend system-id
!
!
interface FastEthernet0/1
 no ip address
!
interface FastEthernet0/2
 no ip address
--More--
Notice the enable mode password is not encrypted by default, but the enable secret is. This is the same password configuration technique that you will find on a router.
Save Your File: Make sure you save the network layout file that you have been working on.
Lab 4.8: Configuring the 2950/2960 Switch
This lab will have you work with a 2950/2960 switch. The commands used in configuring the 2950 or 2960 switches are identical in this program. Even though the step-by-steps refer to the 2950 switch, you can also configure the 2960 with the same steps.
Network Layout
Work with the saved network that you used to configure devices in Lab 4.7.
Set the Hostname
The hostname on a switch, as well as on a router, is only locally significant. This means that it does not have any function on the network and is not used for name resolution whatsoever. However, it is helpful to set a hostname on a switch so that you can identify the switch when connecting to it. A good rule of thumb is to name the switch after the location it is serving.
The 2950/2960 switch command to set the hostname is exactly like any router’s: you use the hostname command. Remember, it is one word. From global configuration mode, type the command hostname hostname.
Lab Steps
1. Double-click 2950 Switch A or 2960 Switch A to open the console screen.
Switch>enable
Enter password: ****
Switch#config t
Enter configuration commands, one per line. End with CTRL/Z
Switch(config)#hostname 2950A
2950A(config)#exit
2950A#
Notice that as soon as you press Enter, the new hostname of the switch appears in the prompt. Remember that global configuration mode, which you enter by using the config t command, changes the running-config. Any changes you make in this mode take effect immediately.
Configure the IP Address
2. By default, no IP address or default-gateway information is set. You would set both the IP address and the default gateway on a layer-two switch, just like on any host. By typing the command show running-config you can see the default IP configuration of the switch. Notice in your switch output that no IP address, default-gateway, or other IP parameters are configured.
3. To set the IP configuration on a 2950 switch, use the ip address command. However, this is set under the VLAN1 interface, not at global configuration mode like on a 1900 switch. Remember that by default all interfaces are members of VLAN1, which is why the VLAN1 interface is configured by default.
2950A#config t
Enter configuration commands, one per line. End with CTRL/Z
2950A(config)#interface vlan 1
2950A(config-if)#ip address 172.16.40.2 255.255.255.0
2950A(config-if)#exit
2950A(config)#
4. The default gateway should also be set, using the ip default-gateway command. However, unlike the IP address, this is completed at global configuration mode.
2950A(config)#ip default-gateway 172.16.40.1
2950A(config)#exit
2950A#
IP Default-Gateway
This is used on devices that receive no routing information from a router; it tells the device which directly connected next hop to use for packets destined beyond the local network. In the previous set of commands the ip default-gateway is 172.16.40.1 because that is the IP address of interface f0/0 on Router 2621 A.
To change the IP address and default gateway on the switch, you can either type in new addresses or remove the IP information with the no ip address and no ip default-gateway commands, at the appropriate configuration prompt.
Configure Interfaces
It is important to understand how to access switch ports. The 2950/2960 switch uses the type slot/port notation, just like a 2621 router. For example, FastEthernet 0/3 is 10/100BaseT port 3. The 2950/2960 switch type slot/port notation can be used with either the interface command or the show command. The interface command allows you to set interface-specific configurations. The 2950/2960 switch has only one slot: zero (0), just like the 1900.
5. To configure an interface on a 2950/2960 switch, go to global configuration mode and use the interface command as shown. Since the 2950/2960 switch is not modular, there is only one slot, which is 0, although it lists 0-2 for some odd reason. However, you can only type in “0” as the slot in this program. Any other slot number will give you an error. The next output gives us a slash (/) to separate the slot/port configuration.
2950A#config t
2950A(config)#interface fastethernet ?
  <0-2>  FastEthernet interface number
2950A(config)#interface fastethernet 0?
/
2950A(config)#interface fastethernet 0/?
  <0-12>  FastEthernet interface number
6. After the 0/ in the interface command, the above output shows the number of ports you can configure. The output below shows the completed command.
2950A(config)#interface fastethernet 0/1
2950A(config-if)#
7. Once you are in interface configuration, the prompt changes to (config-if). You can switch between interface configurations by using the int fa 0/# command at any time from global configuration mode. Now, let’s look at the duplex and speed configurations for a switch port.
2950A(config)#int fa0/1
2950A(config-if)#duplex ?
  auto  Enable AUTO duplex configuration
  full  Force full duplex operation
  half  Force half-duplex operation
2950A(config-if)#
2950A(config-if)#speed ?
  10    Force 10 Mbps operation
  100   Force 100 Mbps operation
  auto  Enable AUTO speed configuration
2950A(config-if)#
8. Since the switch port’s duplex and speed settings are already set to auto by default, you do not need to change the switch port settings. It is recommended that you allow the switch port to auto-negotiate speed and duplex settings in most situations. In a rare situation, when it is required to manually set the speed and duplex of a switch port, you can use the following configuration.
2950A(config-if)#duplex full
Duplex will not be set until speed is set to non-auto value
2950A(config-if)#speed 100
9. Notice in the above command that to run full duplex, you must set the speed to a non-auto value.
10. In addition to the duplex and speed commands that can be configured on the switch port, you also can turn on what is called portfast. The portfast command allows a switch port to come up quickly. Typically a switch port waits 50 seconds for the spanning-tree to go through its “gotta make sure there are no loops!” cycle. However, if you turn portfast on, then you had better be sure you do not create a physical loop on the switch network. A spanning-tree loop can severely hurt or bring your network down. Here is how you would enable portfast on a switch port.
2950A(config-if)#spanning-tree ?
  bpdufilter     Don't send or receive BPDUs on this interface
  bpduguard      Don't accept BPDUs on this interface
  cost           Change an interface's spanning tree port path cost
  guard          Change an interface's spanning tree guard mode
  link-type      Specify a link type for spanning tree protocol use
  port-priority  Change an interface's spanning tree port priority
  portfast       Enable an interface to move directly to forwarding on link up
  stack-port     Enable stack port
  vlan           VLAN Switch Spanning Tree
11. The command above shows the available options for the spanning-tree command. We want to use the portfast command.
2950A(config-if)#spanning-tree portfast
%Warning: portfast should only be enabled on ports connected to a single host. Connecting hubs, concentrators, switches, bridges, etc... to this interface when portfast is enabled, can cause temporary bridging loops.
Use with CAUTION
%Portfast has been configured on FastEthernet0/1 but will only have effect when the interface is in a non-trunking mode.
2950A(config-if)#
12. Notice the message the switch provides when enabling portfast. Although it seems like the command did not take effect, as long as the port is in access mode (discussed in a minute), the port will now be in portfast mode.
13. After you make any changes you want to the interfaces, you can view the different interfaces with the show interface command. The switch output below shows the command used to view a 10/100BaseT interface on the 2950/2960 switch.
2950A(config-if)#ctrl+z
2950A#show int f0/1
FastEthernet0/1 is down, line protocol is down (notconnect)
  Hardware is FastEthernet, address is 00b0.9eb1.bcd0 (bia 00b0.9eb1.bcd0)
  MTU 1500 bytes, BW 100000 Kbit, DLY 100 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Keepalive set (10 sec)
  Half-duplex, 100Mb/s, media type is 10/100BaseTX
  input flow-control is off, output flow-control is unsupported
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input 00:00:02, output 00:00:01, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue 0/40, 0 drops; input queue 0/75, 0 drops
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 1000 bits/sec, 1 packets/sec
     1097702 packets input, 71821315 bytes, 0 no buffer
     Received 488076 broadcasts, 0 runts, 0 giants, 0 throttles
     0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     0 watchdog, 3752639 multicast, 0 pause input
     0 input packets with dribble condition detected
     1590235 packets output, 290473092 bytes, 0 underruns
     0 output errors, 0 collisions, 2 interface resets
     0 babbles, 0 late collision, 0 deferred
     0 lost carrier, 0 no carrier
     0 output buffer failures, 0 output buffers swapped out
14. In addition to the show interface command, you can use the show running-config command to see the interface configuration as well.
[output cut]
!
interface FastEthernet0/1
 duplex full
 speed 100
 spanning-tree portfast
!
interface FastEthernet0/2
[output cut]
15. You can administratively set a name for each interface on the 2950/2960 switch. Like the hostname, the descriptions are only locally significant. For the 2950/2960 series switch, use the description command. You can use spaces with the description command, or underscores if you prefer.
To set the descriptions, you need to be in interface configuration mode. From interface configuration mode, use the description command to describe each interface.
2950A#config t
Enter configuration commands, one per line. End with CTRL/Z
2950A(config)#int fa 0/1
2950A(config-if)#description Sales VLAN
2950A(config-if)#int fa 0/8
2950A(config-if)#description trunk to Building 8
2950A(config-if)#
In the configuration example above, we set the description on both port 1 and 12.
16. Once you have configured the descriptions you want on each interface, you can then view the descriptions with either the show interface command or the show running-config command. View the configuration of the Ethernet interface 0/1 by using the show interface ethernet 0/1 command.
2950A#show int fa 0/1
FastEthernet0/1 is down, line protocol is down (notconnect)
  Hardware is FastEthernet, address is 00b0.9eb1.bcd0 (bia 00b0.9eb1.bcd0)
  Description: Sales VLAN
  MTU 1500 bytes, BW 100000 Kbit, DLY 100 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Keepalive set (10 sec)
  Half-duplex, 100Mb/s, media type is 10/100BaseTX
(output cut)
17. Use the show running-config command to view the interface configurations as well.
2950A#show run
[output cut]
!
interface FastEthernet0/1
 description "Sales VLAN"
 spanning-tree portfast
!
[output cut]
Notice in the above switch output that the show int fa0/1 command and the show run command both show the description command set on an interface.
Save the network that you have been working on.
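The show interface output in steps 13 and 16 is what an operator reads to confirm link state, negotiated duplex and speed, the description, and the error counters. The following added example (it is not the lab book's code and not a Cisco tool) parses that output into fields and flags the usual trouble signs; the sample text is constructed from the lab's own output, and the late-collision variant is a constructed assumption used to show the duplex-mismatch check.

```python
"""Parse Catalyst "show interface" output (Lab 4.8, steps 13 and 16) into a
dictionary and flag the things an operator checks first.  Added example; not
the lab book's own code and not a Cisco tool."""
import re

# Constructed from the lab output; the state line is written the way IOS prints it.
SAMPLE_SHOW_INT = """\
FastEthernet0/1 is down, line protocol is down (notconnect)
  Hardware is Fast Ethernet, address is 00b0.9eb1.bcd0 (bia 00b0.9eb1.bcd0)
  Description: Sales VLAN
  MTU 1500 bytes, BW 100000 Kbit, DLY 100 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Half-duplex, 100Mb/s, media type is 10/100BaseTX
     1097702 packets input, 71821315 bytes, 0 no buffer
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     1590235 packets output, 290473092 bytes, 0 underruns
     0 output errors, 0 collisions, 2 interface resets
     0 babbles, 0 late collision, 0 deferred
"""

# Constructed variant (an assumption, not lab output): link up, late collisions.
MISMATCH_SHOW_INT = SAMPLE_SHOW_INT.replace(
    "is down, line protocol is down (notconnect)", "is up, line protocol is up"
).replace("0 late collision", "37 late collision")

STATE_RE = re.compile(r"^(\S+) is (\S+?),? line protocol is (\S+)(?: \((\w+)\))?")
DUPLEX_RE = re.compile(r"^\s*(Full|Half|Auto)-duplex, (\S+),")
DESC_RE = re.compile(r"^\s*Description: (.*)$")
# "<number> <counter name>" fields such as "0 CRC" or "2 interface resets"
COUNTER_RE = re.compile(r"(\d+) ([A-Za-z][A-Za-z ]*?)(?=,|$)")

COUNTERS_OF_INTEREST = ("input errors", "CRC", "output errors",
                        "collisions", "late collision", "interface resets")


def parse_show_interface(text):
    """Return a dict with name, admin/line state, optional down reason,
    duplex, speed, description and a counters sub-dict.  Fields the text
    does not contain are simply absent."""
    info = {"counters": {}}
    for line in text.splitlines():
        m = STATE_RE.match(line)          # only the unindented first line matches
        if m:
            info["name"], info["admin"], info["line"] = m.group(1), m.group(2), m.group(3)
            if m.group(4):
                info["reason"] = m.group(4)
            continue
        m = DUPLEX_RE.match(line)
        if m:
            info["duplex"], info["speed"] = m.group(1).lower(), m.group(2)
            continue
        m = DESC_RE.match(line)
        if m:
            info["description"] = m.group(1).strip()
            continue
        for count, name in COUNTER_RE.findall(line):
            if name.strip() in COUNTERS_OF_INTEREST:
                info["counters"][name.strip()] = int(count)
    return info


def assess(info):
    """Turn the parsed fields into plain-language notes, most urgent first."""
    notes = []
    if info.get("line") != "up":
        notes.append("no link (%s)" % info.get("reason", info.get("line", "unknown")))
    counters = info["counters"]
    if counters.get("late collision", 0) > 0:
        # Late collisions on a port almost always mean the far end disagrees
        # about duplex, the mismatch the labs' speed/duplex step can create.
        notes.append("late collisions: check for a duplex mismatch with the far end")
    if counters.get("CRC", 0) > 0 or counters.get("input errors", 0) > 0:
        notes.append("input/CRC errors: check cabling and negotiated speed")
    if info.get("duplex") == "half":
        notes.append("half-duplex: confirm the far end is not forced to full")
    return notes
```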
Lab 4.9: Verifying 2950/2960 Switch IP Connectivity
This lab will have you work with a 2950/2960 switch. The commands used in configuring the 2950 or 2960 switches are identical in this program. Even though the step-by-steps refer to the 2950 switch, you can also configure the 2960 with the same steps. It is important to test the switch IP configuration. You can use the ping program, and you can telnet into the 2950/2960 switch. However, you cannot telnet from the 2950/2960 switch or use traceroute.
Network Layout
Work with the saved network that you used to configure devices in Lab 4.8.
1. In the following example, ping Host E on the network from 2950 Switch A. Notice the output on a successful ping: exclamation points (!). If you receive periods (.) instead of exclamation points, that signifies a timeout.
2950A#ping 172.16.40.3
Sending 5, 100-byte ICMP Echos to 172.16.40.3, time out is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max 0/2/10 ms
2. In the following example, ping Host F on the network from the 2960 A switch.
2960A#ping 172.16.50.3
Sending 5, 100-byte ICMP Echos to 172.16.50.3, time out is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max 0/2/10 ms
Lab 4.10: Saving and Erasing 2950/2960 Switch Configuration
This lab will have you work with a 2950/2960 switch. The commands used in configuring the 2950 or 2960 switches are identical in this program. Even though the step-by-steps refer to the 2950 switch, you can also configure the 2960 with the same steps. The switch configuration is stored in NVRAM, just as on any router, and placed in RAM when the switch boots. The file in RAM is called the running-config and the file in NVRAM is called the startup-config. You can view the startup-config, also called the backup configuration, with the show startup-config command.
Network Layout
Work with the saved network that you used to configure devices in Lab 4.9.
Lab Steps
1. To save the switch configuration, you type copy running-config startup-config, or copy run start, just like on a router.
2950A#copy run start
Destination filename [startup-config]? (press Enter)
Building configuration...
[OK]
2950A#
2. You can delete the configuration in NVRAM on the 2950 switch if you want to start over on the switch’s configuration. To delete the contents of NVRAM on a 2950 switch, use the erase startup-config command as shown. However, you still need to reload the switch to erase the running-config.
2950A#erase startup-config
Erasing the nvram file system will remove all files! Continue? [confirm] (press Enter)
[OK]
Erase of nvram: complete
2950A#sh start
%% Non-volatile configuration memory is not present
2950A#
3. Again, just because you have erased the contents of NVRAM with the erase startup-config command, you need to remember that the running-config is still in RAM. To erase the running-config you have to reload the switch.
4. Change to the console screen for 2960 Switch A. Save your configuration.
2960A#copy run start
Destination filename [startup-config]? (press Enter)
Building configuration...
[OK]
2960A#
5. To delete the contents of NVRAM on a 2960 switch, use the erase startup-config command as shown. However, you still need to reload the switch to erase the running-config.
2960A#erase startup-config
Erasing the nvram file system will remove all files! Continue? [confirm] (press Enter)
[OK]
Erase of nvram: complete
2960A#sh start
%% Non-volatile configuration memory is not present
2960A#
Lab 4.11: Utilizing the 3550 and 3560 Switch
The 3550 and 3560 switches are very similar and basically support the same commands. The configuration commands between the two switches differ because:
• The Catalyst 3550 switch runs Cisco IOS 12.1EA software, and the Catalyst 3560 switch runs Cisco IOS 12.2SE software.
• The hardware is different. In this program, the 3550 switch has 10 FastEthernet ports ... and the 3560 switch has eight FastEthernet ports and one GigabitEthernet port ...
In this program, the supported commands for these two switches are identical.
Lab 4.12: Setting Passwords on the 3550/3560 Switch
This lab will have you work with a 3550/3560 switch. The commands used in configuring the 3550 or 3560 switches are identical in this program. Even though the step-by-steps refer to the 3550 switch, you can also configure the 3560 with the same steps. Enter global configuration mode and then set the passwords.
Network Layout
Load Standard Layout.rsm or whatever you named the file when you saved your work in earlier labs.
Lab Steps
1. Double-click 3550 Switch A to open the console screen.
2. Press Enter to connect to the console.
3550A>
3. The first thing that you should configure on a switch is the passwords. You don’t want unauthorized users connecting to the switch. You can set both the user mode and privileged mode passwords, just like on a router. Enter enable mode by using the enable command and then enter global configuration mode by using the config t command. The following output shows an example of how to get into enable mode, and then into global configuration mode.
3550A>enable
3550A#config t
Enter configuration commands, one per line. End with CTRL/Z
Switch(config)#
4. Once you are in global configuration mode, you can set the user mode and enable mode passwords by using the enable password and enable secret commands. The switch output below shows the configuration of both the user mode and enable mode passwords.
3550A(config)#enable password ?
  0      Specifies an UNENCRYPTED password will follow
  7      Specifies a HIDDEN password will follow
  LINE   The UNENCRYPTED (cleartext) 'enable' password
  level  Set exec level password
3550A(config)#enable password todd
3550A(config)#enable secret cisco
3550A(config)#
If you set your enable secret, the enable password is superseded and not used, just like on a router.
6. In addition to the enable password and enable secret, the 3550/3560 switch allows you to set a console and Telnet password as well using the line commands, just like on a router.
3550A(config)#line ?
  <0-16>   First Line number
  console  Primary terminal line
  vty      Virtual terminal
3550A(config)#line console 0
3550A(config-line)#password console
3550A(config-line)#login
3550A(config-line)#exit
3550A(config)#line vty 0 15
3550A(config-line)#password telnet
3550A(config-line)#login
3550A(config-line)#ctrl+z
The telnet password was already set for 3550 Switch A in an earlier lab.
7. You can use show running-config (show run for short) to see the current configuration on the switch.
3550A(config-line)#ctrl+z
3550A#show run
Building configuration...
Current configuration : 866 bytes
!
version 12.1
no service single-slot-reload-enable
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname 3550A
!
enable secret 5 $1$u76B$IOFVJ7VxfVXYVpGDrFTcI0
enable password todd
!
ip subnet-zero
!
!
spanning-tree extend system-id
!
!
interface FastEthernet0/1
 switchport mode dynamic desirable
!
interface FastEthernet0/2
 switchport mode dynamic desirable
[output cut]
The enable mode password is not encrypted by default, but the enable secret is. This is the same password configuration technique that you will find on a router.
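The point made in Lab 4.7 and again here is that enable password is readable in show run while enable secret is stored hashed, and Lab 4.8 added the portfast warning. The following added example, which is not the lab book's code or a Cisco tool, audits a saved running-config for exactly those points; WEAK_CONFIG and HARDENED_CONFIG are constructed from the outputs shown in these labs, and the type-7 line passwords in the hardened sample are placeholders.

```python
"""Audit a Catalyst running-config for the points raised in Labs 4.7/4.12
(enable password vs. enable secret, line passwords) and Lab 4.8 (portfast).
Added example; not the lab book's own code and not a Cisco tool."""

# Constructed: the Lab 4.7 show run output plus the Lab 4.8 interface settings;
# a "line vty 5 15" with login but no password is added to exercise that check.
WEAK_CONFIG = """\
no service password-encryption
!
hostname 2950A
!
enable secret 5 $1$yNgO$9uU0Z6NG1ib4vlt05bmMW1
enable password todd
!
interface FastEthernet0/1
 description Sales VLAN
 duplex full
 speed 100
 spanning-tree portfast
!
line con 0
 password console
 login
line vty 0 4
 password telnet
 login
line vty 5 15
 login
"""

# Constructed hardened counterpart: secret only, line passwords stored encrypted
# ("7 PLACEHOLDER" stands in for a type-7 string), portfast paired with bpduguard.
HARDENED_CONFIG = """\
service password-encryption
!
hostname 2950A
!
enable secret 5 $1$yNgO$9uU0Z6NG1ib4vlt05bmMW1
!
interface FastEthernet0/1
 description Sales VLAN
 spanning-tree portfast
 spanning-tree bpduguard enable
!
line con 0
 password 7 PLACEHOLDER
 login
line vty 0 15
 password 7 PLACEHOLDER
 login
"""


def parse_sections(config_text):
    """Split an IOS config into (command, [sub-commands]) pairs.  A line with
    no leading space opens a new section; indented lines belong to the most
    recent one.  Blank lines and "!" separators are skipped."""
    sections = []
    for raw in config_text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw.startswith(" ") and sections:
            sections[-1][1].append(raw.strip())
        else:
            sections.append((raw.strip(), []))
    return sections


def audit_config(config_text):
    """Return (finding_code, where) tuples; an empty list means nothing fired."""
    sections = parse_sections(config_text)
    top_level = [cmd for cmd, _ in sections]
    findings = []

    # Lab 4.7/4.12: enable secret is stored hashed, enable password is not.
    has_secret = any(cmd.startswith("enable secret") for cmd in top_level)
    if not has_secret:
        findings.append(("NO_ENABLE_SECRET", "global"))
    if any(cmd.startswith("enable password") for cmd in top_level):
        # Superseded by the secret once both exist, but still readable in show run.
        findings.append(("ENABLE_PASSWORD_CLEARTEXT", "global"))
    if "no service password-encryption" in top_level:
        findings.append(("PASSWORD_ENCRYPTION_OFF", "global"))

    for cmd, body in sections:
        if cmd.startswith("line "):
            has_line_pw = any(sub.startswith("password") for sub in body)
            if "no login" in body:
                findings.append(("LINE_NO_AUTH", cmd))
            elif "login" in body and not has_line_pw:
                # IOS refuses such a session: "Password required, but none set".
                findings.append(("LINE_LOGIN_NO_PASSWORD", cmd))
        elif cmd.startswith("interface ") and "spanning-tree portfast" in body:
            # Lab 4.8 warning: portfast only on single-host ports; bpduguard
            # shuts the port down if a switch ever appears behind it.
            if "spanning-tree bpduguard enable" not in body:
                findings.append(("PORTFAST_WITHOUT_BPDUGUARD", cmd))
    return findings
```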
Lab 4.13: Configuring the 3550/3560 Switch
This lab will have you work with a 3550 switch. The commands used in configuring the 3550 or 3560 switches are identical in this program. Even though the step-by-steps refer to the 3550 switch, you can also configure the 3560 with the same steps.
Network Layout
Work with the saved network that you used to configure devices in Lab 4.12.
Set the Hostname
The hostname on a switch, as well as on a router, is only locally significant. This means that it does not have any function on the network and is not used for name resolution whatsoever. However, it is helpful to set a hostname on a switch so that you can identify the switch when connecting to it. A good rule of thumb is to name the switch after the location it is serving.
Lab Steps
1. The 3550/3560 switch command to set the hostname is exactly like any router’s: you use the hostname command. Remember, it is one word. From global configuration mode, type the command hostname hostname.
Switch>enable
Enter password: ****
Switch#config t
Enter configuration commands, one per line. End with CTRL/Z
Switch(config)#hostname 3550A
3550A(config)#exit
3550A#
Notice that as soon as you press Enter, the new hostname of the switch appears in the prompt. Remember that global configuration mode, which you enter by using the config t command, changes the running-config. Any changes you make in this mode take effect immediately.
Configure the IP Address
2. By default, no IP address or default-gateway information is set. You would set both the IP address and the default gateway on a layer-two switch, just like on any host. By typing the command show running-config you can see the default IP configuration of the switch. Notice in your switch output that no IP address, default-gateway, or other IP parameters are configured.
3. To set the IP configuration on a 3550/3560 switch, use the ip address command. However, this is set under the VLAN1 interface, not at global configuration mode like on a 1900 switch. Remember that by default all interfaces are members of VLAN1, which is why the VLAN1 interface is configured by default.
3550A#config t
Enter configuration commands, one per line. End with CTRL/Z
3550A(config)#interface vlan 1
3550A(config-if)#ip address 172.16.10.4 255.255.255.0
3550A(config-if)#exit
3550A(config)#
4. The default gateway should also be set, using the ip default-gateway command. However, unlike the IP address, this is completed at global configuration mode.
3550A(config)#ip default-gateway 172.16.10.1
3550A(config)#exit
3550A#
To change the IP address and default-gateway on the switch, you can either type in new addresses or remove the IP information with the no ip address and no ip default-gateway commands, at the appropriate configuration prompt.
Configure Interfaces
It is important to understand how to access switch ports. The 3550/3560 uses the type slot/port notation, just like a 2621 router. For example, FastEthernet 0/3 is 10/100BaseT port 3. The 3550/3560 type slot/port notation can be used with either the interface command or the show command. The interface command allows you to set interface-specific configurations. The 3550/3560 has only one slot: zero (0), just like the 1900.
5. To configure an interface on a 3550/3560, go to global configuration mode and use the interface command as shown.
3550A#config t
Enter configuration commands, one per line. End with CTRL/Z
3550A(config)#interface ?
  Async              Async interface
  BVI                Bridge-Group Virtual Interface
  Dialer             Dialer interface
  FastEthernet       FastEthernet IEEE 802.3
  Group-Async        Async Group interface
  Lex                Lex interface
  Loopback           Loopback interface
  Multilink          Multilink-group interface
  Null               Null interface
  Port-channel       Ethernet Channel of interfaces
  Transparent        Transparent interface
  Tunnel             Tunnel interface
  Virtual-Template   Virtual Template interface
  Virtual-TokenRing  Virtual TokenRing
  Vlan               Catalyst Vlans
  fcpa               Fiber Channel
  range              interface range command
3550A(config)#interface
6. The next output asks for the slot. Since the 3550/3560 is not modular, there is only one slot, which is 0, although it lists 0-2 for some odd reason. However, you can only type in “0” as the slot in this program. Any other slot number will give you an error. The next output gives us a slash (/) to separate the slot/port configuration.
3550A(config)#interface fastethernet ?
  <0-2>  FastEthernet interface number
3550A(config)#interface fastethernet 0?
/
3550A(config)#interface fastethernet 0/?
  <0-10>  FastEthernet interface number
7. After the 0/ in the interface command, the above output shows the number of ports you can configure. The output below shows the completed command.
3550A(config)#interface fastethernet 0/4
3550A(config-if)#
8. Once you are in interface configuration mode, the prompt changes to (config-if). After you are at the interface prompt, you can use the help commands to see the available commands.
3550A(config-if)#?
Interface configuration commands:
  arp            Set arp type (arpa, probe, snap) or timeout
  bandwidth      Set bandwidth informational parameter
  carrier-delay  Specify delay for interface transitions
  cdp            CDP interface subcommands
  channel-group  Etherchannel/port bundling configuration
  default        Set a command to its defaults
  delay          Specify interface throughput delay
  description    Interface specific description
  dot1x          IEEE 802.1X subsystem
  duplex         Configure duplex operation
  exit           Exit from interface configuration mode
  help           Description of the interactive help system
  hold-queue     Set hold queue depth
  ip             Interface Internet Protocol config commands
  keepalive      Enable keepalive
  load-interval  Specify interval for load calculation for an interface
  logging        Configure logging for interface
  mac-address    Manually set interface MAC address
  mls            mls interface commands
  mvr            MVR per port configuration
  no             Negate a command or set its defaults
  ntp            Configure NTP
--More--
You can switch between interface configurations by using the int fa 0/# command at any time from global configuration mode.
9. Let’s look at the duplex and speed configurations for a switch port.
3550A(config-if)#exit
3550A(config)#int fa0/4
3550A(config-if)#duplex ?
  auto  Enable AUTO duplex configuration
  full  Force full duplex operation
  half  Force half-duplex operation
3550A(config-if)#
3550A(config-if)#speed ?
  10    Force 10 Mbps operation
  100   Force 100 Mbps operation
  auto  Enable AUTO speed configuration
3550A(config-if)#
10. Since the switch port's duplex and speed are set to auto by default, you do not need to change them. In most situations you should let the port autonegotiate speed and duplex, and leave both ends of the link on auto: a hard-coded end paired with an autonegotiating end produces a duplex mismatch, because the autonegotiating side cannot see the other side's setting and falls back to half duplex. In the rare case where you must set speed and duplex manually, use the following configuration.
3550A(config-if)#speed 100
Duplex will not be set until speed is set to non-auto value
3550A(config-if)#duplex full
Full Duplex: Transmission of data in two directions simultaneously. It has a higher throughput than half duplex.
- Collisions cannot occur with this setting, because each direction has its own dedicated path and CSMA/CD is not used.
- Both sides must have the capability of being set to full duplex.
- Both sides of the connection must be configured with full duplex.
- Each side transmits and receives at full bandwidth in both directions.
11. Notice in the commands above that the switch would not accept a forced duplex setting until the speed had been set to a non-auto value.
Configuring the Catalyst Switch
12. In addition to the duplex and speed commands, you can also turn on what is called portfast on a switch port. The portfast command lets a port go straight to forwarding when it comes up. Normally a switch port spends about 30 seconds in the spanning-tree listening and learning states (15 seconds each) making sure there are no loops before it forwards, and up to 50 seconds if the max-age timer has to expire first. If you turn portfast on, you had better be sure you do not create a physical loop on the switched network, because a spanning-tree loop can severely hurt or bring down your network. Here is how you would enable portfast on a switch port.
3550A(config-if)#spanning-tree ?
  bpdufilter     Don't send or receive BPDUs on this interface
  bpduguard      Don't accept BPDUs on this interface
  cost           Change an interface's spanning tree port path cost
  guard          Change an interface's spanning tree guard mode
  link-type      Specify a link type for spanning tree protocol use
  port-priority  Change an interface's spanning tree port priority
  portfast       Enable an interface to move directly to forwarding on link up
  stack-port     Enable stack port
  vlan           VLAN Switch Spanning Tree
13. The output above shows the available options for the spanning-tree command. We want the portfast option. Note that the same menu offers bpduguard: on a real switch, pairing portfast with spanning-tree bpduguard enable makes the port error-disable itself if it ever receives a BPDU, that is, if a switch or bridge is plugged into it, which removes the loop risk the warning below describes.
3550A(config-if)#spanning-tree portfast
%Warning: portfast should only be enabled on ports connected to a single host. Connecting hubs, concentrators, switches, bridges, etc... to this interface when portfast is enabled, can cause temporary bridging loops.
Use with CAUTION
%Portfast has been configured on FastEthernet0/4 but will only have effect when the interface is in a non-trunking mode.
3550A(config-if)#
14. Notice the message the switch prints when you enable portfast. Although it may look as if the command did not take effect, as long as the port is in access mode (discussed in a minute) the port is now in portfast mode.
15. After you have made the changes you want to the interfaces, you can view them with the show interface command. The switch output below shows the command used to view a 10/100BaseT interface on the 3550/3560.
3550A(config-if)#ctrl+z
3550A#show int f0/4
FastEthernet0/4 is up, line protocol is up
  Hardware is Fast Ethernet, address is 00b0.c5e4.e2cf (bia 00b0.c5e4.e2cf)
  MTU 1500 bytes, BW 10000 Kbit, DLY 1000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Keepalive set (10 sec)
  Full duplex, 100Mb/s
  input flow-control is off, output flow-control is off
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input never, output 1w6d, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue :0/40 (size/max)
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     1 packets input, 64 bytes, 0 no buffer
     Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     0 watchdog, 0 multicast, 0 pause input
     0 input packets with dribble condition detected
     1 packets output, 64 bytes, 0 underruns
     0 output errors, 0 collisions, 3 interface resets
     0 babbles, 0 late collision, 0 deferred
     0 lost carrier, 0 no carrier, 0 PAUSE output
     0 output buffer failures, 0 output buffers swapped out
3550A#
16. In addition to show interface, you can use the show running-config command to see the interface configuration.
3550A#show run
[output cut]
interface FastEthernet0/3
 switchport mode dynamic desirable
!
interface FastEthernet0/4
 switchport mode dynamic desirable
 spanning-tree portfast
!
interface FastEthernet0/5
[output cut]
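The show interface output above is what you read when a port misbehaves. As an added example, not part of the book or of the simulator, here is a small Python parser that pulls the link state, duplex, speed and error counters out of a show interfaces block and flags the counter pattern that usually points at a duplex mismatch, the common result of hard-coding one end of a link while the other end autonegotiates (step 10). The two samples are constructed for the example and modelled on the output above; the patterns accept both the simulator's "Full duplex" wording and the "Full-duplex" that real IOS prints.

```python
import re

# Constructed sample modelled on the "show int f0/4" output above, with the
# duplex and a few error counters changed so the mismatch check has something
# to find. Not captured from a real switch.
MISMATCH_SAMPLE = """\
FastEthernet0/4 is up, line protocol is up
  Hardware is Fast Ethernet, address is 00b0.c5e4.e2cf (bia 00b0.c5e4.e2cf)
  MTU 1500 bytes, BW 100000 Kbit, DLY 100 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Half-duplex, 100Mb/s
     1532 packets input, 98048 bytes, 0 no buffer
     Received 0 broadcasts, 4 runts, 0 giants, 0 throttles
     41 input errors, 37 CRC, 0 frame, 0 overrun, 0 ignored
     1488 packets output, 95232 bytes, 0 underruns
     0 output errors, 214 collisions, 3 interface resets
     0 babbles, 58 late collision, 0 deferred
"""

# Healthy port, same shape as the book's own output (constructed).
CLEAN_SAMPLE = """\
FastEthernet0/4 is up, line protocol is up
  Full duplex, 100Mb/s
     1 packets input, 64 bytes, 0 no buffer
     Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     0 output errors, 0 collisions, 3 interface resets
     0 babbles, 0 late collision, 0 deferred
"""

COUNTERS = {
    "runts": r"(\d+) runts",
    "input_errors": r"(\d+) input errors",
    "crc": r"(\d+) CRC",
    "frame": r"(\d+) frame",
    "collisions": r"(\d+) collisions",
    "late_collisions": r"(\d+) late collision",
    "interface_resets": r"(\d+) interface resets",
}


def parse_show_interface(text):
    """Pull link state, duplex/speed and the error counters out of one
    'show interfaces' block into a dict. Counters that are absent become 0."""
    info = {}
    m = re.search(r"^(\S+) is (.+?), line protocol is (\S+)", text, re.M)
    if not m:
        raise ValueError("not a show interfaces block")
    info["name"], info["link"], info["protocol"] = m.groups()
    # Real IOS prints "Full-duplex, 100Mb/s"; the simulator prints "Full duplex".
    m = re.search(r"^\s*(Full|Half|Auto)[- ]duplex, (\S+)", text, re.M | re.I)
    info["duplex"] = m.group(1).capitalize() if m else "unknown"
    info["speed"] = m.group(2) if m else "unknown"
    for key, pattern in COUNTERS.items():
        m = re.search(pattern, text)
        info[key] = int(m.group(1)) if m else 0
    return info


def duplex_mismatch_symptoms(info):
    """Counter patterns that usually mean the far end disagrees about duplex.
    A heuristic, not proof: check the neighbour's counters as well."""
    symptoms = []
    if info["duplex"] == "Half" and info["late_collisions"] > 0:
        symptoms.append("late collisions on a half-duplex port: far end is probably full duplex")
    if info["duplex"] == "Full" and (info["crc"] or info["frame"] or info["runts"]):
        symptoms.append("CRC/frame/runt errors on a full-duplex port: far end is probably half duplex")
    return symptoms


def is_up(info):
    return info["link"] == "up" and info["protocol"] == "up"


if __name__ == "__main__":
    for sample in (CLEAN_SAMPLE, MISMATCH_SAMPLE):
        i = parse_show_interface(sample)
        print(i["name"], i["duplex"], i["speed"], "up" if is_up(i) else "down")
        for s in duplex_mismatch_symptoms(i):
            print("  !", s)
```

Late collisions are the half-duplex side's symptom because the full-duplex neighbour transmits without listening; the full-duplex side instead sees the neighbour's aborted frames as CRC errors and runts. Run it against the output of show interfaces on both ends of a suspect link.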
17. You can administratively set a name for each interface on the 3550/3560. Like the hostname, descriptions are only locally significant. On the 3550 series switch, use the description command from interface configuration mode; spaces are allowed in a description, and you can use underscores instead if you prefer.
3550A#config t
Enter configuration commands, one per line. End with CTRL/Z
3550A(config)#int fa 0/4
3550A(config-if)#description Marketing VLAN
3550A(config-if)#int fa 0/10
3550A(config-if)#description trunk to Building 3
3550A(config-if)#
In the configuration example above, we set descriptions on both port 4 and port 10.
18. Once you have configured the descriptions you want on each interface, you can view them with either the show interface command or the show running-config command. View the configuration of interface FastEthernet 0/4 with the show int fa 0/4 command.
3550A(config-if)#ctrl+z
3550A#show int fa 0/4
FastEthernet0/4 is up, line protocol is up
  Hardware is Fast Ethernet, address is 00b0.1a09.2097 (bia 00b0.1a09.2097)
  Description: Marketing VLAN
(output cut)
19. Use the show running-config command to view the interface configurations as well.
3550A#show run
[output cut]
!
interface FastEthernet0/4
 description "Marketing VLAN"
 duplex full
 speed 100
 spanning-tree portfast
!
[output cut]
Notice in the above switch output that the show int fa0/4 command and the show run command both show the description command set on an interface. Save the network that you have been working on.
Lab 4.14: Verifying 3550/3560 Switch IP Connectivity This lab will have you work with a 3550/3560 switch. The commands used in configuring the 3550 or 3560 switches are identical in this program. Even though the step-by-steps refer to the 3550 switch, you can also configure the 3560 with the same steps. It is important to test the switch IP configuration. You can use the ping program, and you can telnet into the 3550/3560 switch. In this program, however, you cannot telnet out from the 3550/3560 switch or use traceroute.
Network Layout Work with the saved network that you used to configure devices in Lab 4.13.
1. In the following example, ping Host B on the network from 3550 Switch A. Notice the output of a successful ping: exclamation points (!). If you receive periods (.) instead of exclamation points, that signifies a timeout.
3550A#ping 172.16.10.6
Sending 5, 100-byte ICMP Echos to 172.16.10.6, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 0/2/10 ms
2. In the following example, ping Host C on the network from 3560 Switch A.
3560A#ping 172.16.10.7
Sending 5, 100-byte ICMP Echos to 172.16.10.7, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 0/2/10 ms
Lab 4.15: Saving and Erasing the 3550/3560 Switch Configuration This lab will have you work with a 3550/3560 switch. The commands used in configuring the 3550 or 3560 switches are identical in this program. Even though the step-by-steps refer to the 3550 switch, you can also configure the 3560 with the same steps. The switch configuration is stored in NVRAM, just as on a router, and is copied into RAM when the switch boots. The file in RAM is called the running-config and the file in NVRAM is called the startup-config. You can view the startup-config, also called the backup configuration, with the show startup-config command.
Network Layout Work with the saved network that you used to configure devices in Lab 4.14.
1. To save the switch configuration, type copy running-config startup-config, or copy run start, just as on a router.
3550A#copy run start
Destination filename [startup-config]? press Enter
Building configuration...
[OK]
3550A#
2. You can delete the configuration in NVRAM on the 3550 switch if you want to start over on the switch's configuration. To delete the contents of NVRAM on a 3550 switch, use the erase startup-config command as shown. However, you still need to reload the switch to erase the running-config.
3550A#erase startup-config
Erasing the nvram filesystem will remove all files! Continue? [confirm] press Enter
[OK]
Erase of nvram: complete
3550A#sh start
%% Non-volatile configuration memory is not present
3550A#
3. Again, even though you have erased the contents of NVRAM with the erase startup-config command, remember that the running-config is still in RAM. To erase the running-config you have to reload the switch.
4. Change to the console screen for 3560 Switch A and save your configuration.
3560A#copy run start
Destination filename [startup-config]? press Enter
Building configuration...
[OK]
3560A#
5. To delete the contents of NVRAM on a 3560 switch, use the erase startup-config command as shown. However, you still need to reload the switch to erase the running-config.
3560A#erase startup-config
Erasing the nvram filesystem will remove all files! Continue? [confirm] press Enter
[OK]
Erase of nvram: complete
3560A#sh start
%% Non-volatile configuration memory is not present
3560A#
NAT
Lab 5: Introduction to Network Address Translation (NAT) What Does NAT Do? NAT splits a network into two distinct sections, inside and outside. Inside addresses are usually private (RFC 1918) IP addresses, and outside addresses are public IP addresses that are routable on the Internet.
When Do You Use NAT? NAT reduces the number of public IP addresses your network needs. It also comes in handy when two companies with overlapping internal addressing schemes merge, and when an organization changes its Internet Service Provider (ISP) and the network manager does not want to renumber the internal address scheme. Here is a list of situations when it's best to have NAT on your side:
- You need to connect to the Internet and your hosts do not have globally unique IP addresses.
- You change to a new ISP that requires you to renumber your network.
- You need to merge two intranets that use duplicate addresses.
Advantages and Disadvantages of Implementing NAT
Advantages:
- Conserves legally registered addresses
- Reduces address overlap occurrence
- Increases flexibility when connecting to the Internet
- Eliminates address renumbering as the network changes
Disadvantages:
- Translation introduces switching path delays
- Loss of end-to-end IP traceability
- Certain applications will not function with NAT enabled
Lab 5.1: Configuring Your Routers In this NAT lab series, you will configure NAT on 2811 Router A to translate the private network 192.168.10.0/24 to addresses in the public network 171.16.10.0/24. This first lab sets up the interface addressing and EIGRP that the NAT configuration depends on.
Network Layout Load Nat-Pat Layout.rsm before going through the following lab.
1. On the Network Visualizer screen, click on the File menu and then click Open.
2. When the dialog box appears, make sure you are in the Networks folder.
3. Click on the file Nat-Pat Layout.rsm and click Open.
Command Summary for NAT/PAT Lab
Command: ip nat inside source list acl pool name
Purpose: Translates inside addresses that match the ACL using addresses from the pool
Command: ip nat inside source static inside_addr outside_addr
Purpose: Statically maps an inside address to an outside address
Command: ip nat pool name
Purpose: Creates an address pool
Command: ip nat inside
Purpose: Sets an interface to be an inside interface
Command: ip nat outside
Purpose: Sets an interface to be an outside interface
Command: show ip nat translations
Purpose: Shows current NAT translations
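To make the behaviours behind this command table concrete, here is an added Python model, not the book's code and not a model of IOS internals, of an inside-source NAT router: static maps, a dynamic pool used by inside hosts that match an ACL, and PAT (overload) on a single address. The pool, ACL and host addresses are assumed values borrowed from this lab's addressing. It shows that a one-to-one pool runs out while overload does not, and that with overload the outside world sees one address for every inside host, which is the "loss of end-to-end IP traceability" disadvantage listed above.

```python
import ipaddress


class NatRouter:
    """Minimal model of inside-source NAT: static maps, a dynamic pool gated by an
    inside ACL, and PAT overload on one address. Constructed for illustration."""

    def __init__(self, pool, inside_acl, overload=False):
        self.pool = [str(a) for a in ipaddress.ip_network(pool).hosts()]
        self.inside_acl = ipaddress.ip_network(inside_acl)
        self.overload = overload
        self.static = {}            # inside local -> inside global
        self.table = {}             # (inside local, port) -> (inside global, port)
        self._next_port = 1024      # PAT port allocator

    def add_static(self, inside_local, inside_global):
        """ip nat inside source static inside_local inside_global"""
        self.static[inside_local] = inside_global

    def translate(self, src_ip, src_port):
        """Translate one inside->outside packet. Returns (inside global, port),
        the untouched (src_ip, src_port) when the ACL does not match (the packet
        is routed untranslated), or None when the dynamic pool is exhausted."""
        key = (src_ip, src_port)
        if key in self.table:
            return self.table[key]
        if src_ip in self.static:
            mapping = (self.static[src_ip], src_port)
        elif ipaddress.ip_address(src_ip) in self.inside_acl:
            mapping = self._from_pool(src_ip, src_port)
            if mapping is None:
                return None
        else:
            return key
        self.table[key] = mapping
        return mapping

    def _from_pool(self, src_ip, src_port):
        if self.overload:
            # PAT: everyone shares pool[0]; a unique port keeps the flows apart.
            self._next_port += 1
            return (self.pool[0], self._next_port)
        # Dynamic one-to-one: a host keeps the address it already holds.
        for (local, _), (glob, _) in self.table.items():
            if local == src_ip:
                return (glob, src_port)
        in_use = {glob for glob, _ in self.table.values()}
        free = [a for a in self.pool if a not in in_use]
        return (free[0], src_port) if free else None

    def show_translations(self):
        """Rows in the spirit of 'show ip nat translations'."""
        rows = ["Inside global           Inside local"]
        for (local, lport), (glob, gport) in sorted(self.table.items()):
            rows.append(f"{glob}:{gport:<16}{local}:{lport}")
        return "\n".join(rows)


if __name__ == "__main__":
    # Assumed values from this lab: a two-address pool inside 171.16.10.0/24
    # and the 192.168.10.0/24 inside network.
    r = NatRouter(pool="171.16.10.8/30", inside_acl="192.168.10.0/24")
    r.add_static("192.168.10.1", "171.16.10.3")
    for host, port in [("192.168.10.5", 1025), ("192.168.10.6", 1025),
                       ("192.168.10.7", 1025), ("192.168.10.1", 23)]:
        print(host, port, "->", r.translate(host, port))
    print(r.show_translations())
```

The third inside host gets None because the /30 pool holds only two usable addresses; the same router built with overload=True hands all three the first pool address with different ports, which is why PAT conserves addresses and why an outside log entry for that address no longer identifies a single inside machine.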
Setting up the NAT Lab You will set up IP addresses on the router interfaces and turn on EIGRP on every router. Configure the routers with the IP addresses listed below.
Router IP Address Scheme
Router   Interface   IP Address
2811 A   S0/0/0      171.16.10.1/24
2811 B   F0/0        192.168.10.1/24
2811 B   S0/0/0      171.16.10.2/24
2811 C   F0/0        192.168.10.2/24
2811 C   F0/1        192.168.20.1/24
2811 D   F0/1        192.168.20.2/24
Lab Steps
1. Double-click 2811 Router A in order to bring up the console screen. Configure the router.
Router>enable
Router#config t
Router(config)#hostname 2811A
2811A(config)#interface serial 0/0/0
2811A(config-if)#ip address 171.16.10.1 255.255.255.0
2811A(config-if)#no shutdown
2811A(config-if)#exit
2811A(config)#router eigrp 15
2811A(config-router)#network 171.16.0.0
2811A(config-router)#ctrl+z
2811A#copy run start
Destination filename [startup-config]? [enter]
Building configuration...
[OK]
2811A#
2. Use the console menu to bring up the console screen for 2811 Router B.
3. Configure 2811 Router B.
Router>enable
Router#config t
Router(config)#hostname 2811B
2811B(config)#interface serial 0/0/0
2811B(config-if)#ip address 171.16.10.2 255.255.255.0
2811B(config-if)#no shutdown
2811B(config-if)#interface f0/0
2811B(config-if)#ip address 192.168.10.1 255.255.255.0
2811B(config-if)#no shutdown
2811B(config-if)#exit
2811B(config)#router eigrp 15
2811B(config-router)#network 171.16.0.0
2811B(config-router)#network 192.168.10.0
2811B(config-router)#no auto-summary
2811B(config-router)#ctrl+z
2811B#copy run start
Destination filename [startup-config]? [enter]
Building configuration...
[OK]
2811B#
Auto-Summary The process of taking subnets like 192.168.10.4/30 or 192.168.10.56/29 and summarizing them down to their classful (major) network. In the case of 192.168.10.4/30 or 192.168.10.56/29, the networks are summarized to their Class C base network address of 192.168.10.0/24. Summarization occurs at classful network boundaries. A router is at a classful network boundary when the interface it advertises out of belongs to a different major network than the subnet being advertised; the two networks do not have to be of different classes, only different major networks. If subnet 192.168.10.4/30 or 192.168.10.56/29 were advertised to another router across the 10.1.1.0/24 network, the classful boundary is between the 10.0.0.0/8 and 192.168.10.0/24 networks. In this lab, 2811 Router B advertises the 171.16.10.0/24 subnet out its F0/0 interface, which sits in 192.168.10.0/24; without no auto-summary it would advertise 171.16.0.0/16 instead, and the routing tables on 2811 C and 2811 D in step 9 would not show the /24.
No Auto-Summary The process of taking subnets like 192.168.10.4/30 or 192.168.10.56/29 and not summarizing them down to their classful network. In the case of 192.168.10.4/30 or 192.168.10.56/29, the networks are never summarized to their Class C base network address of 192.168.10.0/24 when classful network boundaries are encountered.
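As an added example, not from the book, the following Python applies the first-octet class rules to show what auto-summary does to the subnets in the sidebar and to this lab's addressing. It uses only the standard library; the lab case assumes, as the step 9 routing tables do, that 2811 Router B advertises its serial subnet out F0/0.

```python
import ipaddress


def classful_network(prefix):
    """Return the classful (major) network containing `prefix`, using the first-octet
    rules: Class A /8 (0-127), Class B /16 (128-191), Class C /24 (192-223)."""
    net = ipaddress.ip_network(prefix, strict=False)
    first_octet = int(net.network_address) >> 24
    if first_octet < 128:
        length = 8
    elif first_octet < 192:
        length = 16
    elif first_octet < 224:
        length = 24
    else:
        raise ValueError(f"{prefix}: class D/E addresses have no classful mask")
    return ipaddress.ip_network((str(net.network_address), length), strict=False)


def crosses_classful_boundary(subnet, out_interface):
    """True when advertising `subnet` out an interface addressed in `out_interface`
    means leaving the subnet's major network (same class is not enough to be safe)."""
    return classful_network(subnet) != classful_network(out_interface)


def advertised_route(subnet, out_interface, auto_summary=True):
    """What a classful protocol advertises for `subnet` through `out_interface`.
    With auto-summary, a subnet leaving its major network is replaced by the
    classful network; inside the major network, or with no auto-summary, the
    subnet goes out as-is."""
    net = ipaddress.ip_network(subnet, strict=False)
    if auto_summary and crosses_classful_boundary(subnet, out_interface):
        return classful_network(subnet)
    return net


if __name__ == "__main__":
    # The sidebar's examples.
    print(classful_network("192.168.10.4/30"))
    print(advertised_route("192.168.10.56/29", "10.1.1.1/24"))
    # The lab: 2811B advertises its serial subnet out F0/0 (192.168.10.1/24).
    print(advertised_route("171.16.10.0/24", "192.168.10.1/24"))
    print(advertised_route("171.16.10.0/24", "192.168.10.1/24", auto_summary=False))
    # Two Class C networks are still different major networks.
    print(crosses_classful_boundary("192.168.10.0/24", "192.168.20.1/24"))
```

The last call is the detail the sidebar glosses over: 192.168.10.0/24 and 192.168.20.0/24 are both Class C, yet they are different major networks, so 2811 Router C is also at a classful boundary; it gets away without no auto-summary only because each of its subnets is already a full /24.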
4. Use the console menu to bring up the console screen for 2811 Router C.
5. Configure 2811 Router C.
Router>enable
Router#config t
Router(config)#hostname 2811C
2811C(config)#interface f0/0
2811C(config-if)#ip address 192.168.10.2 255.255.255.0
2811C(config-if)#no shutdown
2811C(config-if)#interface f0/1
2811C(config-if)#ip address 192.168.20.1 255.255.255.0
2811C(config-if)#no shutdown
2811C(config-if)#exit
2811C(config)#router eigrp 15
2811C(config-router)#network 192.168.10.0
2811C(config-router)#network 192.168.20.0
2811C(config-router)#ctrl+z
2811C#copy run start
Destination filename [startup-config]? [enter]
Building configuration...
[OK]
2811C#
6. Use the console menu to bring up the console screen for 2811 Router D.
7. Configure 2811 Router D.
Router>enable
Router#config t
Router(config)#hostname 2811D
2811D(config)#interface f0/1
2811D(config-if)#ip address 192.168.20.2 255.255.255.0
2811D(config-if)#no shutdown
2811D(config-if)#exit
2811D(config)#router eigrp 15
2811D(config-router)#network 192.168.20.0
2811D(config-router)#ctrl+z
2811D#copy run start
Destination filename [startup-config]? [enter]
Building configuration...
[OK]
2811D#
8. After you configure the routers, you should be able to ping from router to router. Verify that you can ping from 2811 Router A to 2811 Router D and from 2811 Router D to 2811 Router A. If you cannot, STOP and troubleshoot your network.
2811A#ping 192.168.20.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.20.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/4 ms
2811A#
2811D#ping 171.16.10.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 171.16.10.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/4 ms
2811D#
9. You can also verify your EIGRP routes with the show ip route command.
2811A#show ip route
[output cut]
     171.16.0.0/24 is subnetted, 1 subnets
C       171.16.10.0 is directly connected, Serial0/0/0
D    192.168.20.0 [90/2172416] via 171.16.10.2, 00:06:07, Serial0/0/0
D    192.168.10.0 [90/2172416] via 171.16.10.2, 00:06:07, Serial0/0/0
2811A#
2811B#show ip route
[output cut]
     171.16.0.0/24 is subnetted, 1 subnets
C       171.16.10.0 is directly connected, Serial0/0/0
D    192.168.20.0 [90/2172416] via 192.168.10.2, 00:08:08, FastEthernet0/0
C    192.168.10.0/24 is directly connected, FastEthernet0/0
2811B#
2811C#show ip route
[output cut]
     171.16.0.0/24 is subnetted, 1 subnets
D       171.16.10.0 [90/2172416] via 192.168.10.1, 00:09:08, FastEthernet0/0
C    192.168.20.0/24 is directly connected, FastEthernet0/1
C    192.168.10.0/24 is directly connected, FastEthernet0/0
2811C#
2811D#show ip route
[output cut]
     171.16.0.0/24 is subnetted, 1 subnets
D       171.16.10.0 [90/2172416] via 192.168.20.1, 00:10:25, FastEthernet0/1
C    192.168.20.0/24 is directly connected, FastEthernet0/1
D    192.168.10.0 [90/2172416] via 192.168.20.1, 00:10:25, FastEthernet0/1
2811D#
Rename and Save Your File: Make sure you save the actual network layout file that you have been working with. You might want to save it under a different file name than Nat-Pat Layout.rsm. This allows you to start over with a non-configured network if you wish.
1. There are two ways you can save a network layout. The first is by clicking the Diskette button on the button bar at the top of the Network Visualizer screen. You can also click File on the menu and choose Save from the drop-down menu.
2. A dialog box will appear. At the bottom you will see the file name Nat-Pat Layout.rsm. Rename the file. In the following example it is renamed to My Nat-Pat Layout.rsm.
3. Click the Save button. At this point your network layout has been saved under the new name. You then have the option of reloading Nat-Pat Layout.rsm, which is non-configured.
Switch Security
Lab 6.1: Configuring Switch Security In this lab you will configure a switch to mitigate security attacks. In some networks it may be desirable to implement security on switch ports in order to restrict which computers can access the network. This is accomplished through switchport port-security commands. With these commands an administrator can control how many computers can be connected to a given port and specify, by MAC address, which computers are allowed to connect to the port. The lab topology consists of 2960 Switch A with connections to Hosts A and B.
Host     MAC Address
Host A   8e36.6b21.6e25
Host B   1175.3e8b.d4f0
Network Layout Load Switchport Security Layout.rsm before going through the following lab.
1. On the Network Visualizer screen, click on the File menu and then click Open.
2. When the dialog box appears, make sure you are in the Networks folder.
3. Click on the file Switchport Security Layout.rsm and click Open. You should see the following non-configured network:
Lab Steps
1. First you will enable port security on interface FastEthernet 0/1 on 2960 Switch A. This and the subsequent security commands are entered in interface configuration mode. Port security can only be enabled on a static access port, which is why switchport mode access comes first.
Switch>enable
Switch#config t
Switch(config)#hostname 2960A
2960A(config)#int fa0/1
2960A(config-if)#switchport mode access
2960A(config-if)#switchport port-security
2. Configure 2960 Switch A to limit the devices that can connect through interface FastEthernet 0/1. You will set the maximum number of devices to 1.
2960A(config-if)#switchport port-security maximum 1
3. Set the MAC address that is allowed on the interface.
2960A(config-if)#switchport port-security mac-address b21f.135f.d81e
The static secure address must be the MAC of the host actually attached to the port; according to the table above, Host A on FastEthernet 0/1 uses 8e36.6b21.6e25. With maximum 1 and a static address that does not match the attached host, the first frame from that host counts as a violation.
4. The switch response when port security is violated depends on which violation mode has been configured. The modes are as follows:
Protect: Once the maximum number of secure MAC addresses is reached on a port, additional addresses are not learned and packets from unknown addresses are dropped. No notification is sent.
Restrict: Once the maximum number of secure MAC addresses is reached on a port, additional addresses are not learned and packets from unknown addresses are dropped. An SNMP trap is sent, a syslog message is logged and the violation counter increases.
Shutdown: Once the maximum number of secure MAC addresses is reached on a port, the receipt of a packet from an unknown address causes the port to be placed in the error-disabled state and the port LED turns off. An SNMP trap is sent, a syslog message is logged and the violation counter increases. This is the default mode.
Shutdown VLAN: This mode is applied per VLAN. Once the maximum number of secure MAC addresses is reached on a port for a given VLAN, the receipt of a packet from an unknown address causes the port to be error-disabled for that VLAN only.
5. Configure FastEthernet 0/1 to be shut down upon a violation.
2960A(config-if)#switchport port-security violation shutdown
6. Configure interface FastEthernet 0/2 to allow only one MAC address to be learned on the interface, using the "sticky" method so that the learned MAC address is written into the running configuration. Sticky addresses live in the running-config only; save with copy run start if they are to survive a reload.
2960A(config-if)#int fa0/2
2960A(config-if)#switchport mode access
2960A(config-if)#switchport port-security
2960A(config-if)#switchport port-security maximum 1
2960A(config-if)#switchport port-security mac-address sticky
7. Go back to enable mode.
2960A(config-if)#ctrl+z
2960A#
Rename and Save Your File: Make sure you save the actual network layout file that you have been working with. You might want to save it to another file name than Switchport Security Layout.rsm. This allows you to start over with your initial, non-configured network if you wish. There are two ways you can save a network layout. The first way is by clicking on the Diskette button on the button bar, at the top of the Network Visualizer screen. You can also click File on the menu and choose Save from the drop down menu.
Lab 6.2: Verifying Switch Security Now that the switch configuration is complete, you will verify that the switch security configuration effectively prevents the attachment of an unauthorized host machine.
Network Layout Load Switchport Security Layout.rsm, or whatever you named the file when you saved your work. You need a configured network in order to complete this lab.
1. On the Network Visualizer screen, click on the File menu and then click Open.
2. When the dialog box appears, make sure you are in the Networks folder.
3. Click on the file Switchport Security Layout.rsm and click Open.
Lab Steps
1. Issue the show mac-address-table command from 2960 Switch A. This should confirm that the MAC addresses of Host A and Host B are in the MAC address table. The addresses are listed below.
Host     MAC Address      IP Address
Host A   8e36.6b21.6e25   10.1.1.1
Host B   1175.3e8b.d4f0   10.1.1.2
Host C   2c9b.00e9.9c64   10.1.1.3
If the addresses are not in the table, issue a ping from Host A to Host B (ping 10.1.1.2 from Host A).
2960A#show mac-address-table
          Mac Address Table
-------------------------------------------
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
   1    8e36.6b21.6e25    STATIC      Fa0/1
   1    1175.3e8b.d4f0    STATIC      Fa0/2
2. Next issue the show run command. You should see the following output. Notice that the switch itself wrote the sticky line carrying Host B's address under FastEthernet0/2. On a real switch, show port-security interface fa0/2 also reports the violation mode, the secure address count and the current port status.
2960A#show run
interface FastEthernet0/1
 switchport mode access
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address b21f.135f.d81e
interface FastEthernet0/2
 switchport mode access
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky 1175.3e8b.d4f0
3. Next you will confirm the effectiveness of these commands by disconnecting Host B from FastEthernet port 0/2 on 2960 Switch A and connecting Host C to FastEthernet port 0/2.
a. Right-click on Host B and click on the Ethernet 0/0 interface.
b. When asked if you want to remove this connection, click Yes.
c. Right-click Host C, click Ethernet port 0/0, then move the mouse pointer over to 2960 Switch A.
d. Right-click 2960 Switch A and then click FastEthernet 0/2 to complete the connection.
Once you have done so, return to the switch command prompt. You should see the following messages displayed:
2960A#
%LINK-5-CHANGED: Interface FastEthernet0/2, changed state to down
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/2, changed state to down
%LINK-5-CHANGED: Interface FastEthernet0/2, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/2, changed state to up
Press the Enter key if necessary.
4. Bring up the DOS screen for Host A. Ping from Host A to Host C (ping 10.1.1.3). Once you have done so, return to the switch command prompt. You should see the following messages displayed:
%LINK-5-CHANGED: Interface FastEthernet0/2, changed state to administratively down
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/2, changed state to down
This confirms that the interface was disabled when it saw a new MAC address on the port. On a real switch the port goes into the err-disabled state rather than administratively down; show port-security interface fa0/2 reports the status and the violation count, and the port stays down until you clear it with shutdown followed by no shutdown (or until errdisable recovery cause psecure-violation times it out). The sticky entry for Host B remains in the configuration, so reconnecting Host B and re-enabling the port restores service without any new commands, while Host C is still refused.
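The following Python model, added here and not part of the book or the simulator, replays what the two labs describe: the violation modes from Lab 6.1 step 4 and the FastEthernet 0/2 shutdown you just observed. It uses the MAC addresses from the host table; the syslog strings are modelled on IOS messages, not captured from a switch.

```python
class SecurePort:
    """Model of one access port's port-security behaviour: a secure-MAC limit,
    static or sticky addresses, and the protect / restrict / shutdown violation
    modes. Added illustration; log strings are modelled on IOS, not captured."""

    def __init__(self, name, maximum=1, violation="shutdown", sticky=False, static=()):
        self.name = name
        self.maximum = maximum
        self.violation = violation
        self.sticky = sticky
        self.static = list(static)     # switchport port-security mac-address <mac>
        self.learned = []              # dynamically or sticky-learned addresses
        self.err_disabled = False
        self.violation_count = 0
        self.log = []

    def secure_addresses(self):
        return self.static + self.learned

    def receive(self, src_mac):
        """Handle one inbound frame; returns 'forward', 'drop' or 'err-disabled'."""
        if self.err_disabled:
            return "err-disabled"
        if src_mac in self.secure_addresses():
            return "forward"
        if len(self.secure_addresses()) < self.maximum:
            self.learned.append(src_mac)          # room left: learn it (sticky or not)
            return "forward"
        return self._violation(src_mac)

    def _violation(self, src_mac):
        if self.violation == "protect":
            return "drop"                         # silent: no log, no counter
        self.violation_count += 1
        self.log.append(f"%PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, "
                        f"caused by MAC address {src_mac} on port {self.name}.")
        if self.violation == "restrict":
            return "drop"
        self.err_disabled = True
        self.log.append(f"%PM-4-ERR_DISABLE: psecure-violation error detected on {self.name}, "
                        f"putting {self.name} in err-disable state")
        return "err-disabled"

    def recover(self):
        """Operator clears the port with 'shutdown' then 'no shutdown'."""
        self.err_disabled = False

    def running_config(self):
        lines = [f"interface {self.name}", " switchport mode access", " switchport port-security",
                 f" switchport port-security maximum {self.maximum}",
                 f" switchport port-security violation {self.violation}"]
        lines += [f" switchport port-security mac-address {m}" for m in self.static]
        if self.sticky:
            lines.append(" switchport port-security mac-address sticky")
            lines += [f" switchport port-security mac-address sticky {m}" for m in self.learned]
        return "\n".join(lines)


# MAC addresses from the lab's host table.
HOST_A, HOST_B, HOST_C = "8e36.6b21.6e25", "1175.3e8b.d4f0", "2c9b.00e9.9c64"


def lab_scenario():
    """Replay Lab 6.2 on Fa0/2: Host B is sticky-learned, then Host C appears."""
    port = SecurePort("FastEthernet0/2", maximum=1, violation="shutdown", sticky=True)
    first = port.receive(HOST_B)
    second = port.receive(HOST_C)
    return first, second, port


if __name__ == "__main__":
    first, second, port = lab_scenario()
    print(first, second, port.violation_count)
    print(port.running_config())
    print("\n".join(port.log))
```

Build the same port with violation="protect" or "restrict" to see the difference the step 4 list describes: both keep forwarding Host B and drop Host C, but only restrict logs and counts the event.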
Individual Labs (Comprehensive) Please Note: Enter all commands in lower case. The program’s grading feature expects lower case and may count an answer wrong if it is in upper case.
Introduction to Individual Labs We offer CCNA labs that are comprehensive and self-contained. They stand on their own, and do not require configurations from prior labs. These labs are typically longer than the accumulative labs because you are starting with a non-configured network each time you bring up an Individual lab. You are totally configuring the network for each lab, from beginning to finish. We provide step-by-step instructions for these labs.
Grading When you have finished with each Individual lab, you can check your work by clicking the Grade Me button in the upper right hand corner of the Network Visualizer screen. You will see a report that displays:
- The name of the command entered for this lab.
- The expected configuration.
- Your configuration.
- The result for each command. You will see a green checkmark (meaning that you got it correct) or a red X.
- A score of the number of correct answers out of the total possible.
Individual Lab: Cisco 2811 Router and Security Device Manager (SDM) Cisco® SDM is a Web-based device-management tool for routers. The SDM is a graphical user interface that lets you quickly configure the 2811 router; once it is running, no interaction with the command line interface (CLI) is required. Please Note: Before you can use SDM, you must first manually configure the 2811 router with the CLI, including an interface IP address, a local user account and the HTTPS server that SDM connects to.
In this lab we will:
- Configure 2811 Router A
- Configure Host A, because that is where we will be launching the SDM
- Set up HTTPS service on the router so you can configure 2811 Router A via a secure web browser connection
When you have finished with this lab, you can check your work by clicking the Grade Me button in the upper right hand corner of the Network Visualizer screen. You will see a report that displays:
- The name of the command entered for this lab.
- The expected configuration.
- Your configuration.
- The result for each command. You will see a green checkmark (meaning that you got it correct) or a red X.
- A score of the number of correct answers out of the total possible.
Network Layout On the Network Visualizer screen, click on the Labs menu then choose Individual, IP Routing, and 2811 Router and SDM.
Lab Steps
1. Double-click 2811 Router A. After the console screen comes up, set the hostname and the IP address of each interface.
Router>enable
Router#config t
Router(config)#hostname 2811A
2811A(config)#int fa0/0
2811A(config-if)#ip address 172.16.10.1 255.255.255.0
2811A(config-if)#no shutdown
2811A(config-if)#int fa0/1
2811A(config-if)#ip address 172.16.20.1 255.255.255.0
2811A(config-if)#no shutdown
2811A(config-if)#exit
2811A(config)#exit
2811A#copy run start
Destination filename [startup-config]? [enter]
Building configuration...
[OK]
2811A#
2. Right-click on Host A.
3. Click on the Configs button.
4. On Host A configure the IP address, subnet mask and default gateway:
IP Address: 172.16.10.5
Subnet Mask: 255.255.255.0
Default Gateway: 172.16.10.1
5. Click the OK button and then the Close button.
6. Bring up the console screen for 2811 Router A by double-clicking on the router. Verify you can reach Host A.
2811A#ping 172.16.10.5
If all is well, you should get the following output from the router:
Sending 5, 100-byte ICMP Echos to 172.16.10.5, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/4 ms
2811A#
7. Configure HTTPS on 2811 Router A and verify your configuration.
2811A#config t
2811A(config)#ip http server
2811A(config)#ip http secure-server
% Generating 1024 bit RSA keys, keys will be non-exportable...[OK]
2811A(config)#ip http authentication local
2811A(config)#username cisco privilege 15 password 0 cisco
2811A(config)#line console 0
2811A(config-line)#login local
2811A(config-line)#line vty 0 1180
2811A(config-line)#privilege level 15
2811A(config-line)#login local
2811A(config-line)#transport input telnet
2811A(config-line)#transport input telnet ssh
2811A(config-line)#exit
2811A(config)#do show run
The ip http secure-server command generates the router's RSA key pair and a self-signed certificate, which is why the browser shows a security alert when you connect in step 11. Note also what this lab configuration would leave open on a production router: ip http server keeps cleartext HTTP management enabled next to HTTPS; password 0 stores the password in cleartext in the configuration (username ... secret stores a hash instead); the second transport input command replaces the first and still permits cleartext telnet alongside SSH; and privilege level 15 on the vty lines gives every remote login full enable access as soon as it authenticates. Before IOS version 12.3, you could not use the do command; you had to return to user or privileged mode to ping other devices or view configurations. Beginning with IOS version 12.3, you can use the do command in configuration mode to accomplish this.
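Several of the commands in this book are fine in a lab but worth flagging in a production running-config: portfast without bpduguard (Lab 4.13), access ports without port-security (Lab 6.1) and the password 0, telnet and ip http server lines from step 7 above. As an added example, not the book's code, here is a Python audit that splits a running-config into stanzas and reports those settings. The configuration it checks is assembled for the example from the labs' commands, not taken from a device.

```python
import re

# Constructed running-config fragment combining commands from the labs above.
# Assembled for this example, not captured from a router or switch.
SAMPLE_CONFIG = """\
hostname 2811A
username cisco privilege 15 password 0 cisco
ip http server
ip http secure-server
ip http authentication local
!
interface FastEthernet0/1
 switchport mode access
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address sticky
 spanning-tree portfast
!
interface FastEthernet0/4
 description Marketing VLAN
 switchport mode access
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface FastEthernet0/10
 description trunk to Building 3
 switchport mode trunk
!
line vty 0 4
 privilege level 15
 login local
 transport input telnet ssh
!
"""


def parse_stanzas(config):
    """Split an IOS config into {'global': [...], 'interface X': [...], 'line ...': [...]}.
    Indented lines belong to the most recent interface or line header."""
    stanzas = {"global": []}
    current = "global"
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" "):
            stanzas[current].append(raw.strip())
        elif re.match(r"(interface|line) ", raw):
            current = raw.strip()
            stanzas[current] = []
        else:
            current = "global"
            stanzas[current].append(raw.strip())
    return stanzas


def audit(config):
    """Return findings for the weak settings discussed in the labs."""
    s = parse_stanzas(config)
    findings = []
    for cmd in s["global"]:
        if re.match(r"username \S+ .*\bpassword 0 ", cmd):
            findings.append(f"cleartext credential: '{cmd}' (use 'username ... secret')")
    if "ip http server" in s["global"]:
        findings.append("ip http server: cleartext HTTP management enabled alongside HTTPS")
    for name, cmds in s.items():
        if name.startswith("interface "):
            if "spanning-tree portfast" in cmds and "spanning-tree bpduguard enable" not in cmds:
                findings.append(f"{name}: portfast without bpduguard (loop risk if a switch is plugged in)")
            if "switchport mode access" in cmds and "switchport port-security" not in cmds:
                findings.append(f"{name}: access port without port-security")
        elif name.startswith("line vty"):
            for cmd in cmds:
                words = cmd.split()
                if words[:2] == ["transport", "input"] and {"telnet", "all"} & set(words[2:]):
                    findings.append(f"{name}: cleartext telnet permitted ('{cmd}')")
            if "privilege level 15" in cmds:
                findings.append(f"{name}: privilege level 15 gives every vty login enable access")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print("-", finding)
```

Feed it the text of show running-config from a device; the trunk port correctly produces no finding, while FastEthernet0/1 is flagged for missing bpduguard even though its port security is in place, because the two protect against different things.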
You should now be able to launch SDM.
Launching SDM Via Host A Now that we have configured 2811 Router A with HTTPS, we can launch SDM via Host A.
Network Layout If it is not already loaded, bring up Standard Layout.rsm before going through the following lab.
8. Put your cursor over Host A and click your right mouse button.
9. Click the Web Browser button.
10. When the web browser appears, enter the URL https://172.16.10.1
11. Select Yes when the Security Alert dialog appears. This alert is the browser warning that the router's certificate is self-signed rather than issued by a trusted authority; the screen may look different depending on the web browser that you use.
12. When the username and password dialog appears, enter the username and password that you created earlier.
Username: cisco
Password: cisco
13. The SDM Launch screen will appear.
Do not close this window, it will shut down the SDM. Just minimize the window until you shut down the SDM.
14. When the Warning Security dialog appears, check the Always trust content from publisher option and then select Yes.
15. When the username and password dialog appears again, enter the username and password that you created earlier.
Username: cisco
Password: cisco
16. When the Change Default User Name and Password dialog screen appears, change your username and password. You will not see this screen after your initial launch of the SDM.
You will be prompted to enter the new username and password that you just created. The SDM will load the configuration from 2811 Router A, and you should now be connected to the router via the SDM application.
Configure IP Address Using SDM

You will now learn how to configure an IP address on a router interface of 2811 Router A, using the SDM. Now that you have the SDM application up and running, you will see the main SDM window.

17. Click on the Configure button (upper left corner of the screen) and a configuration window is displayed.
18. Then click on the Interface and Connections button.
19. Click the Edit Interface/Connection tab, and the Edit Interface connection tab is displayed.
20. Double-click on the line that displays FastEthernet0/1, and the Interface Feature Edit Dialog screen appears.
21. With the Interface Feature Edit dialog open, you can enter a new IP address and subnet mask in the appropriate fields.
22. Click the OK button to change the IP address and subnet mask, or click the Cancel button to exit. When a new configuration is sent to the router, a Command Delivery window appears.
23. Save your configuration by clicking the Save button at the top of the screen.
You will see the following dialog box. Click the Yes button to continue.
Configure DHCP Pool with the SDM

You will now use the SDM to configure a DHCP Pool on your 2811 Router A.

24. Click on the Additional Tasks button located on the sidebar menu at the bottom left of the screen. If the Additional Tasks button is not visible, scroll the sidebar menu until it appears. The Additional Tasks window will appear.
25. Expand the DHCP tree item by clicking the plus sign next to DHCP.
26. Click on DHCP Pools and the DHCP Pools window will appear.
27. Click the Add button and the DHCP Pool Dialog screen will appear.
28. Configure your DHCP pool and then select the OK button.
When a new configuration is sent to the router a Command Delivery Status window appears.
29. Save your configuration by clicking the Save button.
Using the SDM to Configure Other Items

You will now use the SDM to configure the hostname, the banner (message of the day), the IP domain-name, and the enable secret password.

30. Click on the Router Properties tree item and the Device Properties screen will appear.
31. Click the Edit button on the upper right side of the screen and the Device Properties dialog screen will appear.
32. Enter a hostname, an IP domain-name, and the message of the day banner.
33. With the Device Properties dialog still open, click on the Secret Password tab, configure your new password, and then click OK.
When a new configuration is sent to the router a Command Delivery Status dialog appears.
34. Save your configuration by clicking the Save button.
Verify Router Configurations

You will now verify your new router configurations.

35. From your current SDM window, click on the Home button located at the top of the screen. You should see the following screen:
36. Click on the View Running Config button on the middle right area of the screen. The Show Running Configuration screen will appear.
37. Scroll through the running configuration so you can view your configurations.
38. Click the Close button when you are finished.
39. Close the SDM application.
40. The SDM launch page and browser need to be closed manually.
Individual Lab: Configuring Routers

In this lab you will connect to the routers, starting with 2621 Router A, working through 2811 Router A, and finishing with 2621 Router B. After the configurations are complete, we will build the routing tables. Then we will verify the configurations with the show run command and the show ip route command. Enter all commands in lower case. The program's grading feature expects lower case and may count an answer wrong if it is in upper case.
When you have finished with this lab ... You can check your work by clicking the Grade Me button in the upper right hand corner of the Network Visualizer screen.
You will see a report that will display:

• The name of the command entered for this lab.
• The expected configuration.
• Your configuration.
• The result for each command. You will see a green checkmark (meaning that you got it correct) or a red X.
• A score of the number of correct answers out of the total possible.

Network Layout

On the Network Visualizer screen, click on the Labs menu then choose Individual, IP Routing, and Configuring Routers.
Lab Steps

1. Double-click 2621 Router A. After the console screen comes up, set the:

   • Hostname
   • Passwords
   • Interface descriptions
   • Banners
   • IP addresses of each interface

    Router>enable
    Router#config t
    Router(config)#hostname 2621A
    2621A(config)#enable secret todd
    2621A(config)#line console 0
    2621A(config-line)#password todd
    2621A(config-line)#login
    2621A(config-line)#line aux 0
    2621A(config-line)#password todd
    2621A(config-line)#login
    2621A(config-line)#line vty 0 4
    2621A(config-line)#password todd
    2621A(config-line)#login
    2621A(config-line)#int s0/0
    2621A(config-if)#ip address 172.16.20.2 255.255.255.0
    2621A(config-if)#description connection to 2811A
    2621A(config-if)#no shutdown
    2621A(config-if)#exit
    2621A(config)#exit
    2621A#copy run start
    Destination filename [startup-config]? [enter]
    Building configuration...
    [OK]
    2621A#
2. Double-click 2811 Router A. After the console screen comes up, set the:

   • Hostname
   • Passwords
   • Interface descriptions
   • Banners
   • IP addresses of each interface

    Router>enable
    Router#config t
    Router(config)#hostname 2811A
    2811A(config)#enable secret todd
    2811A(config)#line console 0
    2811A(config-line)#password todd
    2811A(config-line)#login
    2811A(config-line)#line aux 0
    2811A(config-line)#password todd
    2811A(config-line)#login
    2811A(config-line)#line vty 0 1180
    2811A(config-line)#password todd
    2811A(config-line)#login
    2811A(config-line)#int s0/1/1
    2811A(config-if)#ip address 172.16.20.1 255.255.255.0
    2811A(config-if)#description connection to 2621A
    2811A(config-if)#no shutdown
    2811A(config-if)#int s0/0/1
    2811A(config-if)#ip address 172.16.30.1 255.255.255.0
    2811A(config-if)#description connection to 2621B
    2811A(config-if)#no shutdown
    2811A(config-if)#exit
    2811A(config)#exit
    2811A#copy run start
    Destination filename [startup-config]? [enter]
    Building configuration...
    [OK]
    2811A#
Clock Rate

It is important to understand clocking on an interface. On a real connection, clocking issues will typically cause data loss and/or packet errors. You will also see framing slips on a carrier circuit when there is a clocking issue. You do not have to set a clock rate if the DCE side of your connection is a 2811 router: the clock rate for its serial interface is set by default to 2000000. However, on the 2621 router you still need to explicitly set the clock rate. In our lab the DCE side of the connection is interface serial 0/1/1 and serial 0/0/1.
3. Double-click 2621 Router B. After the console screen comes up, set the:

   • Hostname
   • Passwords
   • Interface descriptions
   • Banners
   • IP addresses of each interface

    Router>enable
    Router#config t
    Router(config)#hostname 2621B
    2621B(config)#enable secret todd
    2621B(config)#line console 0
    2621B(config-line)#password todd
    2621B(config-line)#login
    2621B(config-line)#line aux 0
    2621B(config-line)#password todd
    2621B(config-line)#login
    2621B(config-line)#line vty 0 4
    2621B(config-line)#password todd
    2621B(config-line)#login
    2621B(config-line)#int s0/0
    2621B(config-if)#ip address 172.16.30.2 255.255.255.0
    2621B(config-if)#description connection to 2811A
    2621B(config-if)#no shutdown
    2621B(config-if)#exit
    2621B(config)#exit
    2621B#copy run start
    Destination filename [startup-config]? [enter]
    Building configuration...
    [OK]
    2621B#
4. Starting at 2621 Router A and finishing at 2621 Router B, run the following two commands:

    2621A#show run
    Building configuration...

    Current configuration : 625 bytes
    !
    version 12.2
    service timestamps debug uptime
    service timestamps log uptime
    no service password-encryption
    !
    hostname 2621A
    !
    enable secret 5 $1$u76B$IOFVJ7VxfVXYVpGDrFTcI0
    !
    ip subnet-zero
    !
    interface FastEthernet0/0
     no ip address
     no ip directed-broadcast
     shutdown
    !
    interface Serial0/0
     description connection to 2811A
     ip address 172.16.20.2 255.255.255.0
     no ip directed-broadcast
    !
    [output cut]
    2621A#show ip route
    Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
           D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
           N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
           E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
           i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, * - candidate default
           U - per-user static route, o - ODR, P - periodic downloaded static route
           T - traffic engineered route

    Gateway of last resort is not set

         172.16.0.0/24 is subnetted, 1 subnets
    C       172.16.20.0 is directly connected, Serial0/0
    2621A#
Show IP Route

The show ip route command is used to see the routing table on your router. It is important to notice that only the directly connected networks are showing, which means the routers can only route to those directly connected networks. In order to send packets to a network that is not in the routing table, we must add that network to the routing table together with how to reach it.
Notice that the show run command shows the complete configuration your router is running.

5. Run through the verification commands on the other routers.

    2811A#show run
    2811A#show ip route
    Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
           D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
           N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
           E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
           i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, * - candidate default
           U - per-user static route, o - ODR, P - periodic downloaded static route
           T - traffic engineered route

    Gateway of last resort is not set

         172.16.0.0/24 is subnetted, 2 subnets
    C       172.16.30.0 is directly connected, Serial0/0/1
    C       172.16.20.0 is directly connected, Serial0/1/1
    2811A#

This table shows a directly connected route to routers 2621 A and 2621 B. Please note: enter all commands in lower case. The program's grading feature expects lower case and may count an answer wrong if it is in upper case.

    2621B#show run
    2621B#show ip route
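The point that a router can only forward to networks present in its routing table can be checked mechanically. The following Python is an added example, not part of the lab or the Network Visualizer software: it parses the two show ip route outputs above (plus a constructed table for 2621 Router B that contains a static route, so both route forms are exercised), performs a longest-prefix lookup, and reports which lab networks each router has no route to. The function names and the 2621B table are assumptions made for illustration.

```python
import re
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional

# Sample input constructed from the "show ip route" outputs in this lab
# (legend lines omitted). The 2621B table is constructed to show what a
# static route entry looks like; it is not output captured from the lab.
ROUTE_TABLES: Dict[str, str] = {
    "2621A": """\
Gateway of last resort is not set
     172.16.0.0/24 is subnetted, 1 subnets
C       172.16.20.0 is directly connected, Serial0/0
""",
    "2811A": """\
Gateway of last resort is not set
     172.16.0.0/24 is subnetted, 2 subnets
C       172.16.30.0 is directly connected, Serial0/0/1
C       172.16.20.0 is directly connected, Serial0/1/1
""",
    "2621B": """\
Gateway of last resort is not set
     172.16.0.0/24 is subnetted, 2 subnets
S       172.16.20.0 [1/0] via 172.16.30.1
C       172.16.30.0 is directly connected, Serial0/0
""",
}

# Classful IOS output states the prefix length once, in the "is subnetted"
# header, and omits it on the child routes that follow.
SUBNETTED_RE = re.compile(r"^\s+\S+/(?P<len>\d+) is subnetted")
ROUTE_RE = re.compile(
    r"^(?P<code>[A-Z*][A-Z0-9*]*)\s+(?P<net>\d+\.\d+\.\d+\.\d+)"
    r"(?:/(?P<len>\d+))?\s+(?P<rest>.*)$")
VIA_RE = re.compile(r"via (\d+\.\d+\.\d+\.\d+)")
IFACE_RE = re.compile(r"directly connected, (\S+)")


def parse_show_ip_route(text: str) -> List[dict]:
    """Return one dict per route entry: code, network, next_hop, interface."""
    routes: List[dict] = []
    inherited_len: Optional[int] = None
    for line in text.splitlines():
        m = SUBNETTED_RE.match(line)
        if m:
            inherited_len = int(m.group("len"))
            continue
        m = ROUTE_RE.match(line)
        if not m:
            continue  # legend, gateway-of-last-resort line, prompt, etc.
        plen = int(m.group("len")) if m.group("len") else inherited_len
        if plen is None:
            raise ValueError(f"no prefix length known for route: {line!r}")
        rest = m.group("rest")
        via = VIA_RE.search(rest)
        iface = IFACE_RE.search(rest)
        routes.append({
            "code": m.group("code"),
            "network": ip_network(f"{m.group('net')}/{plen}"),
            "next_hop": via.group(1) if via else None,
            "interface": iface.group(1) if iface else None,
        })
    return routes


def lookup(routes: List[dict], destination: str) -> Optional[dict]:
    """Longest-prefix match: the route the router would forward on, or None."""
    dst = ip_address(destination)
    matches = [r for r in routes if dst in r["network"]]
    return max(matches, key=lambda r: r["network"].prefixlen) if matches else None


def unreachable_from(router: str, lab_networks: List[str]) -> List[str]:
    """Lab networks this router has no route to, i.e. packets to them are dropped
    until a static or dynamic route is added."""
    routes = parse_show_ip_route(ROUTE_TABLES[router])
    return [n for n in lab_networks
            if lookup(routes, str(ip_network(n).network_address)) is None]


if __name__ == "__main__":
    lab = ["172.16.20.0/24", "172.16.30.0/24"]
    for name in ROUTE_TABLES:
        print(f"{name}: no route to {unreachable_from(name, lab) or 'nothing'}")
```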
Individual Lab: Configuring the 1900 Switch

Enter all commands in lower case. The program's grading feature expects lower case and may count an answer wrong if it is in upper case.
In this lab you will work with a switch and router to:

• Enter an IP address on 2621 Router A
• Set the passwords on 1900 Switch A
• Set the hostname
• Configure an IP address
• Configure interfaces
• Configure interface descriptions
• Configure port duplex
• Erase the configuration
When you have finished with this lab ... You can check your work by clicking the Grade Me button in the upper right hand corner of the Network Visualizer screen.
You will see a report that will display:

• The name of the command entered for this lab.
• The expected configuration.
• Your configuration.
• The result for each command. You will see a green checkmark (meaning that you got it correct) or a red X.
• A score of the number of correct answers out of the total possible.
Lab Steps

1. Double-click 1900 Switch A to view the 1900 Switch A console.
2. You will then see the following output. Press K to enter the CLI.

    1 user(s) now active on Management Console.

            User Interface Menu

         [M] Menus
         [K] Command Line
         [I] IP Configuration

    Enter Selection: K

    CLI session with the switch is open.
    To end the CLI session, enter [Exit].

    >
Network Layout

On the Network Visualizer screen, click on the Labs menu then choose Individual, Layer 2 Switching, and 1900 Switch A.
3. The first thing that you should configure on a switch is the passwords. You don't want unauthorized users connecting to the switch. You can set both the user mode and privileged mode passwords, just like a router. Enter enable mode by using the enable command and then enter global configuration mode by using the config t command. The following switch output shows an example of how to get into enable mode, and then into global configuration mode.

    >enable
    #config t
    Enter configuration commands, one per line.  End with CTRL/Z
    (config)#

4. Once you are in global configuration mode, you can set the user mode and enable mode passwords by using the enable password command. The switch output below shows the configuration of both the user mode and enable mode passwords.

    (config)#enable password ?
      level   Set exec level password
    (config)#enable password level ?
      <1-15>  Level number
5. To enter the user mode password, use level number 1. To enter the enable mode password, use level number 15. Remember the password must be at least four characters, but no longer than eight characters. The switch output below shows the user mode password being set and denied because it is more than eight characters.

    (config)#enable password level 1 toddlammle
    Error: Invalid password length.
    Password must be between four and eight characters.

6. The following output is an example of how to set both the user mode and enable mode passwords on 1900 Switch A.

    (config)#enable password level 1 todd
    (config)#enable password level 15 todd1
    (config)#exit
    #exit
7. At this point, you can press Enter and test your passwords. You will be prompted for a user mode password after you press K and then an enable mode password after you type enable.

    Catalyst 1900 Management Console
    Copyright (c) Cisco Systems, Inc.  1993-1998
    All rights reserved.
    Enterprise Edition Software
    Ethernet Address:      00-30-80-CC-7D-00

    PCA Number:            73-3122-04
    PCA Serial Number:     FAB033725XG
    Model Number:          WS-C1912-A
    System Serial Number:  FAB0339T01M
    Power Supply S/N:      PHI031801CF
    PCB Serial Number:     FAB033725XG,73-3122-04
    -------------------------------------------------

    1 user(s) now active on Management Console.

            User Interface Menu

         [M] Menus
         [K] Command Line

    Enter Selection: K

    Enter password: ****

    CLI session with the switch is open.
    To end the CLI session, enter [Exit].

    >en
    Enter password: ****
    #
8. The enable secret password is a more secure password and supersedes the enable password if set. You set this password the same way you set the enable secret password on a router. If you have an enable secret set, you don't even need to bother setting the enable mode password.

    #config t
    Enter configuration commands, one per line.  End with CTRL/Z
    (config)#enable secret todd2

9. You can use show running-config (show run for short) to see the current configuration on the switch.

    (config)#exit
    #show run
    Building configuration...

    Current configuration:
    enable secret 5 $1$FMFQ$wFVYVLYn2aXscfB3J95.w.
    enable password level 1 "TODD"
    enable password level 15 "TODD1"
    [output cut]
Notice the enable mode passwords are not encrypted by default, but the enable secret is. This is the same password configuration technique that you will find on a router. One more thing to notice is that even though I typed the password as lowercase, the running-config shows the passwords as uppercase. It does not matter how you type it in or how it shows in the configuration because the passwords are not case sensitive on the switch.
Setting the Hostname

The hostname on a switch, as well as on a router, is only locally significant. This means that it has no function on the network and plays no part in name resolution whatsoever. However, it is helpful to set a hostname on a switch so that you can identify the switch when connecting to it. A good rule of thumb is to name the switch after the location it is serving.

10. Enter a hostname for 1900 Switch A.

    #config t
    Enter configuration commands, one per line.  End with CTRL/Z
    (config)#hostname 1900A
    1900A(config)#exit

Notice that as soon as I pressed Enter, the hostname of the switch appeared. Remember that global configuration mode, which you enter by using the config t command, changes the running-config. Any changes you make in this mode take effect immediately.
Configuring an IP Address

You do not have to set any IP configuration on the switch to make it work. You can just plug in devices and they should start working, just like they would on a hub. The reasons to set IP address information on the switch are so that you can manage the switch via Telnet or other management software, or so that you can configure the switch with different VLANs and other network functions. VLANs are discussed in later labs.

11. By default, no IP address or default-gateway information is set. You would set both the IP address and the default-gateway on a layer-two switch, just like any host. By typing the command show ip, you can see the default IP configuration of the switch.

    1900A#show ip
    IP Address: 0.0.0.0
    Subnet Mask: 0.0.0.0
    Default Gateway: 0.0.0.0
    Management VLAN: 1
    Domain name:
    Name server 1: 0.0.0.0
    Name server 2: 0.0.0.0
    HTTP server : Enabled
    HTTP port : 80
    RIP : Enabled

Notice in the above switch output that no IP address, default-gateway, or other IP parameters are configured.
12. To set the IP configuration on 1900 Switch A, use the ip address command. The default gateway should also be set using the ip default-gateway command. The switch output below shows an example of how to set the IP address and default-gateway on 1900 Switch A.

    1900A#config t
    Enter configuration commands, one per line.  End with CTRL/Z
    1900A(config)#ip address 172.16.10.16 255.255.255.0
    1900A(config)#ip default-gateway 172.16.10.1
    1900A(config)#exit

13. Once you have your IP information set, use the show ip command to verify your changes. You can view this information with the show running-config command as well.

    1900A#show ip
    IP Address: 172.16.10.16
    Subnet Mask: 255.255.255.0
    Default Gateway: 172.16.10.1
    Management VLAN: 1
    Domain name:
    Name server 1: 0.0.0.0
    Name server 2: 0.0.0.0
    HTTP server : Enabled
    HTTP port : 80
    RIP : Enabled
    1900A#
To change the IP address and default-gateway on the switch, you can either type in new addresses or remove the IP information with the no ip address and no ip default-gateway commands, at the global configuration prompt.
Configuring Interfaces

It is important to understand how to access switch ports. 1900 Switch A uses the type slot/port syntax. For example, FastEthernet 0/3 is 10BaseT port 3. Another example would be FastEthernet 0/26, which is the first of the two Fast Ethernet ports available on 1900 Switch A. The 1900 Switch A type slot/port syntax can be used with either the interface command or the show command. The interface command allows you to set interface-specific configurations. 1900 Switch A has only one slot: zero (0).

14. To configure an interface on 1900 Switch A, go to global configuration mode and use the interface command together with the type, either Ethernet or FastEthernet. I am going to demonstrate the Ethernet interface configuration first.

    1900A#config t
    Enter configuration commands, one per line.  End with CTRL/Z
    1900A(config)#int ethernet ?
      <0-0>  IEEE 802.3
15. The previous output asks for the slot. Since 1900 Switch A is not modular, there is only one slot. The next output gives us a slash (/) to separate the slot/port configuration.

    1900A(config)#int ethernet 0?
    /
    1900A(config)#int ethernet 0/?
      <1-25>  IEEE 802.3
16. After the 0/ portion of the command, the above output shows the number of ports you can configure. The output below shows the completed command.

    1900A(config)#int ethernet 0/1
17. Once you are in interface configuration, the prompt changes to (config-if). At the interface prompt, you can use the help command to see the available commands.

    1900A(config-if)#?
    Interface configuration commands:
      cdp              Cdp interface subcommands
      description      Interface specific description
      duplex           Configure duplex operation
      exit             Exit from interface configuration mode
      help             Description of the interactive help system
      no               Negate a command or set its defaults
      port             Perform switch port configuration
      shutdown         Shutdown the selected interface
      spantree         Spanning tree subsystem
      vlan-membership  VLAN membership configuration
    1900A(config-if)#exit
You can switch between interface configurations by using the int e 0/# command at any time from global configuration mode.

18. The switch output below shows the configuration of a FastEthernet port on 1900 Switch A. Notice that the command is interface fastethernet, but the slot is still 0. The only ports available are 26 and 27.

    1900A(config)#int fastethernet ?
      <0-0>  FastEthernet IEEE 802.3
    1900A(config)#int fastethernet 0/?
      <26-27>  FastEthernet IEEE 802.3
    1900A(config)#int fastethernet 0/26
    1900A(config-if)#int fast 0/27
    1900A(config-if)#ctrl+z
19. After you make any changes you want to the interfaces, you can view the different interfaces with the show interface command. The switch output below shows the command used to view a 10BaseT interface and the command to view a FastEthernet interface.

    1900A#show int e0/1
    ethernet 0/1 is Suspended-no-linkbeat
    Hardware is Built-in 10Base-T
    Address is 0030.80CC.7D01
    MTU 1500 bytes, BW 10000 Kbits
    802.1d STP State: Forwarding   Forward Transitions: 1
    [output cut]
    1900A#show int f0/26
    FastEthernet 0/26 is Enabled
    Hardware is Built-in 100Base-TX
    Address is 00b0.8f36.3eac
    MTU 1500 bytes, BW 10000 Kbits
    802.1d STP State: Forwarding   Forward Transitions: 1
    [output cut]
Configuring Interface Descriptions

You can administratively set a name for each interface on 1900 Switch A. Like the hostname, the descriptions are only locally significant. For a 1900 series switch, use the description command. You cannot use spaces with the description command, but you can use underscores if you need to.

20. To set the descriptions, you need to be in interface configuration mode. From interface configuration mode, use the description command to describe each interface. You can make the descriptions more than one word, but you can't use spaces. You'll have to use the underscore as shown below:

    1900A#config t
    Enter configuration commands, one per line.  End with CTRL/Z
    1900A(config)#int e0/1
    1900A(config-if)#description Finance_VLAN
    1900A(config-if)#int f0/26
    1900A(config-if)#description trunk_to_Building_4
    1900A(config-if)#

In the configuration example above, we set the description on both a 10Mbps port and a 100Mbps port.
Configuring Port Duplex

1900 Switch A has only 12 or 24 10BaseT ports and comes with one or two FastEthernet ports. You can only set the duplex on 1900 Switch A, as the ports are all fixed speeds.

21. Use the duplex command in interface configuration. In the switch output below, notice the options available on the FastEthernet ports.

    1900A(config-if)#duplex ?
      auto               Enable auto duplex configuration
      full               Force full duplex operation
      full-flow-control  Force full duplex with flow control
      half               Force half duplex operation
    1900A(config-if)#duplex full
    1900A(config-if)#ctrl+z

The following table shows the different duplex options available on 1900 Switch A. 1900 Switch A FastEthernet ports default to auto duplex, which means they will try to auto-detect the duplex the other end is running.

Duplex Options

    Parameter          Definition
    Auto               Set the port into auto-negotiation mode. Default for all 100BaseTX ports.
    Full               Forces the 10 or 100Mbps ports into full duplex mode.
    Full-flow-control  Works only with 100BaseTX ports; uses flow control so buffers won't overflow.
    Half               Default for 10BaseT ports; forces the ports to work only in half duplex mode.
22. Once you have the duplex set, you can use the show interface command to view the duplex configuration.

    1900A#show int f0/26
    FastEthernet 0/26 is Enabled
    Hardware is Built-in 100Base-TX
    Address is 00b0.8f36.3eac
    MTU 1500 bytes, BW 10000 Kbits
    802.1d STP State: Forwarding   Forward Transitions: 1
    Port monitoring: Disabled
    Unknown unicast flooding: Enabled
    Unregistered multicast flooding: Enabled
    Description: trunk_to_Building_4
    Duplex/Flow Control setting: Full duplex
    Enhanced Congestion Control: Disabled

23. In the output above, the duplex setting shows full duplex.
Grade Me Before you move on and erase your configurations, you should click the Grade Me button to check out your work.
Erasing the Configuration

The switch configuration is stored in NVRAM, just as on any router. You cannot view the startup-config, or the contents of NVRAM; you can only view the running-config. When you make a change to the switch's running-config, the switch automatically copies the configuration to NVRAM. You can delete the configuration in NVRAM on 1900 Switch A if you want to start over on the switch's configuration. To delete the contents of NVRAM on 1900 Switch A, use the delete nvram command.

24. Type delete ? from the 1900A privileged mode prompt. Notice in the switch output below that there are two options: nvram and vtp. We want to delete the contents of NVRAM to return to the factory default settings.

    1900A#delete ?
      nvram  NVRAM configuration
      vtp    Reset VTP configuration to defaults
    1900A#delete nvram
    This command resets the switch with factory defaults. All system
    parameters will revert to their default factory settings. All static
    and dynamic addresses will be removed.
    Reset system with factory defaults, [Y]es or [N]o? Yes

Notice the message received from the switch when the delete nvram command is used. Once you say yes, the configuration is gone.

25. To confirm the configuration is gone, use the show run command.

    #show run
    Building configuration...

    Current configuration:
    !
    interface Ethernet 0/1
    !
    interface Ethernet 0/2
    !
    interface Ethernet 0/3
    !
    interface Ethernet 0/4
    [output cut]
Individual Lab: Configuring 2950 Switch

This lab will have you work with a 2950 switch, enter global configuration mode, and then set the passwords. Enter all commands in lower case. The program's grading feature expects lower case and may count an answer wrong if it is in upper case.
When you have finished with this lab ... You can check your work by clicking the Grade Me button in the upper right hand corner of the Network Visualizer screen.
You will see a report that will display:

• The name of the command entered for this lab.
• The expected configuration.
• Your configuration.
• The result for each command. You will see a green checkmark (meaning that you got it correct) or a red X.
• A score of the number of correct answers out of the total possible.
Network Layout

On the Network Visualizer screen, click on the Labs menu then choose Individual, Layer 2 Switching, and 2950 Switch.
Lab Steps

1. Double-click 2950 Switch A to open the console screen.
2. Press Enter to connect to the console.

    Switch>

3. For the user mode of the switch, you can use the help screen just like a router.

    Switch>?
    Exec commands:
      <1-99>           Session number to resume
      access-enable    Create a temporary Access-List entry
      clear            Reset functions
      connect          Open a terminal connection
      disable          Turn off privileged commands
      disconnect       Disconnect an existing network connection
      enable           Turn on privileged commands
      exit             Exit from the EXEC
      help             Description of the interactive help system
      lock             Lock the terminal
      login            Log in as a particular user
      logout           Exit from the EXEC
      name-connection  Name an existing network connection
      ping             Send echo messages
      rcommand         Run command on remote switch
      resume           Resume an active network connection
      show             Show running system information
      systat           Display information about terminal lines
      telnet           Open a telnet connection
      terminal         Set terminal line parameters
      traceroute       Trace route to destination
      tunnel           Open a tunnel connection
    --More--
    [output cut]

4. The first thing that you should configure on a switch is the passwords. You don't want unauthorized users connecting to the switch. You can set both the user mode and privileged mode passwords, just like a router. Enter enable mode by using the enable command and then enter global configuration mode by using the config t command. The following switch output shows an example of how to get into enable mode, and then into global configuration mode.

    Switch>enable
    Switch#config t
    Enter configuration commands, one per line.  End with CTRL/Z
    Switch(config)#

5. Once you are in global configuration mode, you can set the user mode and enable mode passwords by using the enable password and enable secret commands. The switch output below shows the configuration of both the user mode and enable mode passwords.

    Switch(config)#enable password ?
      0      Specifies an UNENCRYPTED password will follow
      7      Specifies a HIDDEN password will follow
      LINE   The UNENCRYPTED (cleartext) 'enable' password
      level  Set exec level password
    Switch(config)#enable password todd
    Switch(config)#enable secret cisco
    Switch(config)#
6. Remember, if you set your enable secret, the enable password is superseded and not used, just like in a router.
7. In addition to the enable password and enable secret, the 2950 allows you to set a console and Telnet password as well, using the line commands, just like in a router.

    Switch(config)#line ?
      <0-16>   First Line number
      console  Primary terminal line
      vty      Virtual terminal
    Switch(config)#line console 0
    Switch(config-line)#password console
    Switch(config-line)#login
    Switch(config-line)#line vty ?
    % Unrecognized command
8. Remember that just like in a router, you cannot get help for a line command from within line configuration mode. Type exit to go back one step.

    Switch(config-line)#exit
    Switch(config)#line vty ?
      <0-15>  First Line number
    Switch(config)#line vty 0 15
    Switch(config-line)#password telnet
    Switch(config-line)#login
    Switch(config-line)#ctrl+z
    Switch#
9. You can use show running-config (show run for short) to see the current configuration on the switch.

    Current configuration : 997 bytes
    !
    version 12.1
    no service pad
    service timestamps debug uptime
    service timestamps log uptime
    no service password-encryption
    !
    hostname Switch
    !
    enable secret 5 $1$yNgO$9uU0Z6NG1ib4vlt05bmMW1
    enable password todd
    !
    ip subnet-zero
    !
    spanning-tree extend system-id
    !
    !
    interface FastEthernet0/1
     no ip address
    !
    interface FastEthernet0/2
     no ip address
    --More--
Notice the enable mode password is not encrypted by default, but the enable secret is. This is the same password configuration technique that you will find on a router.
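The weak settings these labs point out (a cleartext enable password that the enable secret already supersedes, a type 0 username password and Telnet left in transport input on 2811 Router A in the HTTPS lab, ip http server enabled next to ip http secure-server, and a line without login) can be caught by reading the running-config. The Python below is an added example, not part of the lab or the Network Visualizer software: it audits a constructed running-config that combines the 2811 Router A management-plane commands with the 2950 enable password and enable secret lines above, and a constructed hardened counterpart that should produce no findings. The function names and the placeholder hash in the hardened config are assumptions.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample, not output from a real device: the 2811A HTTPS/vty
# commands from the SDM lab plus the 2950's enable password/secret lines,
# laid out the way "show running-config" prints them (sub-mode commands
# are indented by one space).
SAMPLE_RUNNING_CONFIG = """\
version 12.4
no service password-encryption
hostname 2811A
enable secret 5 $1$yNgO$9uU0Z6NG1ib4vlt05bmMW1
enable password todd
username cisco privilege 15 password 0 cisco
ip http server
ip http secure-server
ip http authentication local
line con 0
 login local
line vty 0 4
 privilege level 15
 login local
 transport input telnet ssh
line vty 5 15
 password telnet
 transport input telnet
"""

# Constructed hardened counterpart; the username hash is a placeholder value.
HARDENED_RUNNING_CONFIG = """\
version 12.4
service password-encryption
hostname 2811A
enable secret 5 $1$yNgO$9uU0Z6NG1ib4vlt05bmMW1
username cisco privilege 15 secret 5 $1$PLCH$placeholderhashvalue0000000
ip http secure-server
ip http authentication local
line con 0
 login local
line vty 0 15
 login local
 transport input ssh
"""

Finding = Tuple[str, str]  # (offending command or line section, explanation)


def split_config(config: str) -> Tuple[List[str], Dict[str, List[str]]]:
    """Separate top-level commands from the sub-commands of each 'line ...' section."""
    top: List[str] = []
    sections: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" "):
            if current is not None:
                sections[current].append(raw.strip())
            continue
        top.append(raw)
        current = raw if raw.startswith("line ") else None
        if current is not None:
            sections[current] = []
    return top, sections


def audit_config(config: str) -> List[Finding]:
    """Flag the weak management-plane settings discussed in these labs."""
    top, sections = split_config(config)
    findings: List[Finding] = []
    cleartext_store = "no service password-encryption" in top
    has_secret = any(t.startswith("enable secret") for t in top)

    for t in top:
        if t.startswith("enable password"):
            if has_secret:
                findings.append((t, "superseded by enable secret; remove it"))
            if cleartext_store and not t.startswith("enable password 7 "):
                findings.append((t, "enable password stored in cleartext"))
        # "password <pw>" or "password 0 <pw>" is type 0, i.e. cleartext.
        m = re.match(r"username \S+ .*password(?: (\d))? (\S+)$", t)
        if m and m.group(1) in (None, "0"):
            findings.append((t, "type 0 (cleartext) user password"))
    if "ip http server" in top:
        findings.append(("ip http server",
                         "cleartext HTTP management enabled; keep only ip http secure-server"))

    for name, subs in sections.items():
        if not name.startswith(("line con", "line aux", "line vty")):
            continue
        if not any(s.startswith("login") for s in subs):
            findings.append((name, "no login command; connections are not authenticated"))
        if cleartext_store and any(s.startswith("password ") and not s.startswith("password 7 ")
                                   for s in subs):
            findings.append((name, "line password stored in cleartext"))
        if name.startswith("line vty"):
            transport = next((s for s in subs if s.startswith("transport input")), None)
            if transport is None:
                findings.append((name, "no transport input restriction; set transport input ssh"))
            elif {"telnet", "all"} & set(transport.split()[2:]):
                findings.append((name, "cleartext Telnet permitted; use transport input ssh"))
    return findings


if __name__ == "__main__":
    for where, why in audit_config(SAMPLE_RUNNING_CONFIG):
        print(f"{where!r}: {why}")
    print("hardened config findings:", audit_config(HARDENED_RUNNING_CONFIG))
```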
Setting the Hostname

The hostname on a switch, as well as on a router, is only locally significant. This means that it doesn't have any function on the network and is not used for name resolution whatsoever. However, it is helpful to set a hostname on a switch so that you can identify the switch when connecting to it. A good rule of thumb is to name the switch after the location it is serving.
10. The 2950 switch command to set the hostname is exactly like any router: you use the hostname command. Remember, it is one word. From global configuration mode, type the command hostname hostname.
Switch>enable
Enter password: ****
Switch#config t
Enter configuration commands, one per line. End with CTRL/Z
Switch(config)#hostname 2950A
2950A(config)#exit
2950A#
Notice that as soon as you press Enter, the new hostname of the switch appears in the prompt. Remember that global configuration mode, which you enter with the config t command, changes the running-config. Any changes you make in this mode take effect immediately.
Configuring IP Address Information
You do not have to set any IP configuration on the switch to make it work. You can just plug in devices and they should start working, just like they would on a hub. The reason you would set the IP address information on the switch is so you can either manage the switch via Telnet or other management software, or configure the switch with different VLANs and other network functions. VLANs are discussed in later labs.
11. By default, no IP address or default-gateway information is set. You would set both the IP address and the default-gateway on a layer-two switch, just like any host. By typing the command show running-config you can see the default IP configuration of the switch. Notice in your switch output that no IP address, default-gateway, or other IP parameters are configured.
12. To set the IP configuration on a 2950 switch, use the ip address command. However, this is set under the VLAN1 interface, not at global configuration mode like on a 1900 switch. Remember that by default all interfaces are members of VLAN1, which is why the VLAN1 interface is configured by default.
2950A#config t
Enter configuration commands, one per line. End with CTRL/Z
2950A(config)#int vlan 1
2950A(config-if)#ip address 172.16.40.2 255.255.255.0
2950A(config-if)#exit
2950A(config)#
13. Before we perform step 14, we need to configure 2621 Router A.
Router>enable
Router#config t
Router(config)#hostname 2621A
2621A(config)#int fa0/0
2621A(config-if)#ip address 172.16.40.1 255.255.255.0
2621A(config-if)#no shutdown
2621A(config-if)#exit
14. The default gateway should also be set using the ip default-gateway command. However, unlike the IP address, this is completed at global configuration mode.
2950A(config)#ip default-gateway 172.16.40.1
2950A(config)#exit
2950A#
IP Default-Gateway
This is used on a device that is given no routing information telling it how to get to the next, directly connected device. It tells the device what pathway to use to send packets to that next, directly connected device. In the previous set of commands the ip default-gateway is 172.16.40.1 because that is the IP address of interface f0/0 on 2621 Router A.
To change the IP address and default-gateway on the switch, you can either type in new addresses or remove the IP information with the no ip address and no ip default-gateway commands, at the appropriate configuration prompt.
Configuring Interfaces
It is important to understand how to access switch ports. The 2960 switch uses the type slot/port command, just like a 2600 router and just like a 2950 switch. For example, FastEthernet 0/3 is 10/100BaseT port 3. The 2960 switch type slot/port command can be used with either the interface command or the show command. The interface command allows you to set interface-specific configurations. The 2960 switch has only one slot: zero (0), just like the 1900.
15. To configure an interface on a 2950 switch, go to global configuration mode and use the interface command as shown.
2950A#config t
Enter configuration commands, one per line. End with CTRL/Z
2950A(config)#interface ?
  Async              Async interface
  BVI                Bridge-Group Virtual Interface
  Dialer             Dialer interface
  FastEthernet       FastEthernet IEEE 802.3
  Group-Async        Async Group interface
  Lex                Lex interface
  Loopback           Loopback interface
  Multilink          Multilink-group interface
  Null               Null interface
  Port-channel       Ethernet Channel of interfaces
  Transparent        Transparent interface
  Tunnel             Tunnel interface
  Virtual-Template   Virtual Template interface
  Virtual-TokenRing  Virtual TokenRing
  Vlan               Catalyst Vlans
  fcpa               Fiber Channel
  range              interface range command
2950A(config)#interface
16. The next output asks for the slot. Since a 2950 switch is not modular, there is only one slot, which is 0, although it lists 0-2 for some odd reason. However, you can only type in "0" as the slot in this program. Any other slot number will give you an error. The next output gives us a slash (/) to separate the slot/port configuration.
2950A(config)#int fastethernet ?
  <0-2>  FastEthernet interface number
2950A(config)#int fastethernet 0?
/
2950A(config)#int fastethernet 0/?
  <0-12>  FastEthernet interface number
17. After the 0/ configuration command, the above output shows the number of ports you can configure. The output below shows the completed command.
2950A(config)#int fa0/9
2950A(config-if)#
18. Once you are in interface configuration, the prompt changes to (config-if). After you are at the interface prompt, you can use the help commands to see the available commands.
2950A(config-if)#?
Interface configuration commands:
  arp            Set arp type (arpa, probe, snap) or timeout
  bandwidth      Set bandwidth informational parameter
  carrier-delay  Specify delay for interface transitions
  cdp            CDP interface subcommands
  channel-group  Etherchannel/port bundling configuration
  default        Set a command to its defaults
  delay          Specify interface throughput delay
  description    Interface specific description
  dot1x          IEEE 802.1X subsystem
  duplex         Configure duplex operation
  exit           Exit from interface configuration mode
  help           Description of the interactive help system
  hold-queue     Set hold queue depth
  ip             Interface Internet Protocol config commands
  keepalive      Enable keepalive
  load-interval  Specify interval for load calculation for an interface
  logging        Configure logging for interface
  mac-address    Manually set interface MAC address
  mls            mls interface commands
  mvr            MVR per port configuration
  no             Negate a command or set its defaults
  ntp            Configure NTP
--More--
You can switch between interface configurations by using the int fa 0/# command at any time from global configuration mode.
19. There are a couple of interface commands that you can configure on the switch. The commands we are interested in are the duplex command and the portfast command.
2950A#config t
Enter configuration commands, one per line. End with CNTL/Z.
2950A(config)#int fa0/9
2950A(config-if)#duplex ?
  auto  Enable AUTO duplex configuration
  full  Force full duplex operation
  half  Force half-duplex operation
2950A(config-if)#
20. Since the switch ports are set to auto by default, you can change each of the switch ports to always be in full-duplex mode for better performance. This is recommended.
2950A(config-if)#duplex full
Duplex will not be set until speed is set to non-auto value
2950A(config-if)#speed 100
21. Notice in the above command that to run full duplex, you must set the speed to a non-auto value.
22. In addition to the duplex and speed commands that can be configured on the switch port, you also can turn on what is called portfast. The portfast command allows a switch port to come up quickly. Typically a switch port waits 50 seconds for spanning-tree to go through its "gotta make sure there are no loops!" cycle. However, if you turn portfast on, then you had better be sure you do not create a physical loop on the switch network. A spanning-tree loop can severely hurt or bring down your network. Here is how you would enable portfast on a switch port.
2950A(config-if)#spanning-tree ?
  bpdufilter     Do not send or receive BPDUs on this interface
  bpduguard      Do not accept BPDUs on this interface
  cost           Change an interface's spanning tree port path cost
  guard          Change an interface's spanning tree guard mode
  link-type      Specify a link type for spanning tree protocol use
  port-priority  Change an interface's spanning tree port priority
  portfast       Enable an interface to move directly to forwarding on link up
  stack-port     Enable stack port
  vlan           VLAN Switch Spanning Tree
23. The command above shows the available options for the spanning-tree command. We want to use the portfast command.
2950A(config-if)#spanning-tree portfast
%Warning: portfast should only be enabled on ports connected to a single
 host. Connecting hubs, concentrators, switches, bridges, etc... to this
 interface when portfast is enabled, can cause temporary bridging loops.
 Use with CAUTION

%Portfast has been configured on FastEthernet0/9 but will only
 have effect when the interface is in a non-trunking mode.
2950A(config-if)#
24. Notice the message the switch provides when enabling portfast. Although it seems like the command didn't take effect, as long as the port is in access mode (discussed in a minute), the port will now be in portfast mode.
25. After you make any changes you want to the interfaces, you can view the different interfaces with the show interface command. The switch output below shows the command used to view a 10/100BaseT interface on a 2950 switch.
2950A(config-if)#ctrl+z
2950A#show int f0/9
FastEthernet0/9 is up, line protocol is up
  Hardware is Fast Ethernet, address is 00b0.1a09.2097 (bia 00b0.1a09.2097)
  MTU 1500 bytes, BW 10000 Kbit, DLY 1000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Keepalive set (10 sec)
  Full duplex, 100Mb/s
  input flow-control is off, output flow-control is off
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input never, output 1w6d, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue :0/40 (size/max)
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     1 packets input, 64 bytes, 0 no buffer
     Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     0 watchdog, 0 multicast, 0 pause input
     0 input packets with dribble condition detected
     1 packets output, 64 bytes, 0 underruns
     0 output errors, 0 collisions, 3 interface resets
     0 babbles, 0 late collision, 0 deferred
     0 lost carrier, 0 no carrier, 0 PAUSE output
     0 output buffer failures, 0 output buffers swapped out
2950A#
26. In addition to the show interface command, you can use the show running-config command to see the interface configuration as well.
[output cut]
interface FastEthernet0/8
!
interface FastEthernet0/9
 spanning-tree portfast
!
interface FastEthernet0/10
[output cut]
27. You can administratively set a name for each interface on a 2950 switch. Like the hostname, the descriptions are only locally significant. For a 2950 series switch, use the description command. You can use spaces with the description command, or underlines if you prefer. To set the descriptions, you need to be in interface configuration mode. From interface configuration mode, use the description command to describe each interface.
2950A#config t
Enter configuration commands, one per line. End with CTRL/Z
2950A(config)#int fa 0/9
2950A(config-if)#description Finance VLAN
2950A(config-if)#int fa 0/12
2950A(config-if)#description trunk to Building 4
2950A(config-if)#
In the configuration example above, we set the description on both port 9 and 12.
28. Once you have configured the descriptions you want on each interface, you can then view the descriptions with either the show interface command or the show running-config command. View the configuration of the Ethernet interface 0/9 by using the show interface ethernet 0/9 command.
2950A#show int fa 0/9
FastEthernet0/9 is up, line protocol is up
  Hardware is Fast Ethernet, address is 00b0.1a09.2097 (bia 00b0.1a09.2097)
  Description: Finance VLAN
(output cut)
29. Use the show running-config command to view the interface configurations as well.
2950A#show run
[output cut]
!
interface FastEthernet0/9
 description "Finance VLAN"
 spanning-tree portfast
!
[output cut]
Notice in the above switch output that the show int fa0/9 command and the show run command both show the description command set on an interface.
Verifying the IP Connectivity
It is important to test the switch IP configuration. You can use the ping program, and you can telnet into the 2950 switch. However, you cannot telnet from the 2950 switch or use traceroute. At this point we will configure Host E so that we can perform step 33.
30. Right-mouse click Host E.
31. Click on the Configs button.
32. On Host E configure:
  • IP Address: 172.16.40.3
  • Subnet Mask: 255.255.255.0
  • Default Gateway: 172.16.40.1
33. In the following example, ping Host E from 2950 Switch A. Notice the output on a successful ping: exclamation points (!). If you receive periods (.) instead of exclamation points, that signifies a timeout.
2950A#ping 172.16.40.3
Sending 5, 100-byte ICMP Echos to 172.16.40.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 0/2/10 ms
Grade Me
Before you move on and erase your configurations, you should click the Grade Me button to check out your work.
Saving and Erasing Your Configurations
The switch configuration is stored in NVRAM, just as on any router, and placed in RAM when the switch boots. The file in RAM is called the running-config and the file in NVRAM is called the startup-config. You can view the startup-config, also called the backup configuration, with the show startup-config command.
34. To save the switch configuration, you type copy running-config startup-config, or copy run start, just like on a router.
2950A#copy run start
Destination filename [startup-config]? (press Enter)
Building configuration...
[OK]
2950A#
35. To delete the contents of NVRAM on a 2950 switch, use the erase startup-config command as shown. However, you still need to reload the switch to erase the running-config.
2950A#erase startup-config
Erasing the nvram filesystem will remove all files! Continue? [confirm] (press Enter)
[OK]
Erase of nvram: complete
2950A#show start
%% Non-volatile configuration memory is not present
2950A#
Individual Lab: Configuring the 2960 Switch
This lab will have you work with a 2960 switch, enter global configuration mode and then set the passwords. Enter all commands in lower case. The program's grading feature expects lower case and may count an answer wrong if it is in upper case.
When you have finished with this lab ...
You can check your work by clicking the Grade Me button in the upper right hand corner of the Network Visualizer screen.
You will see a report that will display:
  • The name of the command entered for this lab.
  • The expected configuration.
  • Your configuration.
  • The result for each command. You will see a green checkmark (meaning that you got it correct) or a red X.
  • A score of the number of correct answers out of the total possible.
Lab Steps
1. Double-click 2960 Switch A to open the console screen.
2. Press Enter to connect to the console.
Switch>
3. Enter the enable mode by using the enable command and then enter global configuration mode by using the config t command.
Switch>enable
Switch#config t
Enter configuration commands, one per line. End with CTRL/Z
Switch(config)#
Network Layout
On the Network Visualizer screen, click on the Labs menu then choose Individual, Layer 2 Switching, and 2960 Switch.
4. Once you are in global configuration mode, you can set the user mode and enable mode passwords by using the enable password and enable secret commands. The switch output below shows the configuration of both the user mode and enable mode passwords.
Switch(config)#enable password todd
Switch(config)#enable secret cisco
Switch(config)#
If you set your enable secret, the enable password is superseded and not used, just like in a router.
5. In addition to the enable password and enable secret, the 2960 switch allows you to set a console and Telnet password as well using the line commands, just like in a router.
Switch(config)#line console 0
Switch(config-line)#password console
Switch(config-line)#login
6. Remember that just like in a router, you cannot get help for a line command from within line configuration mode. Type exit to go back one step.
Switch(config-line)#exit
Switch(config)#line vty 0 15
Switch(config-line)#password telnet
Switch(config-line)#login
Switch(config-line)#ctrl+z
Switch#
7. You can use show running-config (show run for short) to see the current configuration on the switch.
Switch#show run
Building configuration...
Current configuration : 918 bytes
!
version 12.2
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname switch
!
enable secret 5 $1$u76B$IOFVJ7VxfVXYVpGDrFTcI0
enable password todd
!
no aaa new-model
system mtu routing 1500
no ip subnet-zero
[output cut]
Notice the enable mode password is not encrypted by default, but the enable secret is. This is the same password configuration technique that you will find on a router.
Setting the Hostname
The hostname on a switch, as well as on a router, is only locally significant. This means that it does not have any function on the network and is not used for name resolution whatsoever. However, it is helpful to set a hostname on a switch so that you can identify the switch when connecting to it. A good rule of thumb is to name the switch after the location it is serving.
8. The 2960 switch command to set the hostname is exactly like any router: you use the hostname command. From global configuration mode, type the command hostname hostname.
Switch>enable
Enter password: ****
Switch#config t
Enter configuration commands, one per line. End with CTRL/Z
Switch(config)#hostname 2960A
2960A(config)#exit
2960A#
Any changes you make in this mode take effect immediately.
Configuring IP Address Information
You do not have to set any IP configuration on the switch to make it work. You can just plug in devices and they should start working, just like they would on a hub. The reason you would set the IP address information on the switch is so you can either manage the switch via Telnet or other management software, or configure the switch with different VLANs and other network functions. VLANs are discussed in later labs.
9. To set the IP configuration on a 2960 switch, use the ip address command. However, this is set under the VLAN1 interface, not at global configuration mode like on a 1900 switch. Remember that by default all interfaces are members of VLAN1, which is why the VLAN1 interface is configured by default.
2960A#config t
Enter configuration commands, one per line. End with CTRL/Z
2960A(config)#int vlan1
2960A(config-if)#ip address 172.16.50.2 255.255.255.0
2960A(config-if)#exit
2960A(config)#
10. Before we perform step 11, we need to configure router 2621 B.
Router>enable
Router#config t
Router(config)#hostname 2621B
2621B(config)#int fa0/0
2621B(config-if)#ip address 172.16.50.1 255.255.255.0
2621B(config-if)#no shutdown
2621B(config-if)#exit
11. The default gateway should also be set using the ip default-gateway command. However, unlike the IP address, this is completed at global configuration mode.
2960A(config)#ip default-gateway 172.16.50.1
2960A(config)#exit
2960A#
To change the IP address and default-gateway on the switch, you can either type in new addresses or remove the IP information with the no ip address and no ip default-gateway commands, at the appropriate configuration prompt.
Configuring Interfaces
It is important to understand how to access switch ports. The 2960 switch uses the type slot/port command, just like a 2621 router and just like the 2960 switch. For example, FastEthernet 0/3 is 10/100BaseT port 3. The 2960 switch type slot/port command can be used with either the interface command or the show command. The interface command allows you to set interface-specific configurations. The 2960 switch has only one slot: zero (0), just like the 1900.
12. To configure an interface on a 2960 switch, go to global configuration mode and use the interface command as shown. Since the 2960 switch is not modular, there is only one slot, which is 0, although it lists 0-2 for some odd reason. However, you can only type in "0" as the slot in this program. Any other slot number will give you an error. The next output gives us a slash (/) to separate the slot/port configuration.
2960A#config t
2960A(config)#interface fastethernet ?
  <0-2>  FastEthernet interface number
2960A(config)#interface fastethernet 0?
/
2960A(config)#interface fastethernet 0/?
  <0-12>  FastEthernet interface number
13. After the 0/ configuration command, the above output shows the number of ports you can configure. The output below shows the completed command.
2960A(config)#int fa0/1
2960A(config-if)#
14. Once you are in interface configuration, the prompt changes to (config-if). You can switch between interface configurations by using the int fa 0/# command at any time from global configuration mode. There are a couple of interface commands that you can configure on the switch. The commands we are interested in are the duplex command and the portfast command.
2960A(config)#int fa0/1
2960A(config-if)#duplex ?
  auto  Enable AUTO duplex configuration
  full  Force full duplex operation
  half  Force half-duplex operation
2960A(config-if)#
15. Since the switch ports are set to "auto" by default, you can change each of the switch ports to always be in full-duplex mode for better performance. This is recommended.
2960A(config-if)#duplex full
Duplex will not be set until speed is set to non-auto value
2960A(config-if)#speed 100
16. Notice in the above command that to run full duplex, you must set the speed to a non-auto value.
17. In addition to the duplex commands that can be configured on the switch ports, you also can turn on what is called portfast. This enables a switch port to come up quickly and not wait the typical 50 seconds for spanning-tree to go through its "I gotta make sure there are no loops!" cycle. However, if you turn portfast on, then you had better be sure you do not create a physical loop on the switch network or it will bring your network down. You are basically telling the switch not to check for loops on these ports. Here is how you would enable portfast on a switch port.
2960A(config-if)#spanning-tree ?
  bpdufilter     Do not send or receive BPDUs on this interface
  bpduguard      Do not accept BPDUs on this interface
  cost           Change an interface's spanning tree port path cost
  guard          Change an interface's spanning tree guard mode
  link-type      Specify a link type for spanning tree protocol use
  port-priority  Change an interface's spanning tree port priority
  portfast       Enable an interface to move directly to forwarding on link up
  stack-port     Enable stack port
  vlan           VLAN Switch Spanning Tree
18. The command above shows the available options for the spanning-tree command. We want to use the portfast command.
2960A(config-if)#spanning-tree portfast
%Warning: portfast should only be enabled on ports connected to a single
 host. Connecting hubs, concentrators, switches, bridges, etc... to this
 interface when portfast is enabled, can cause temporary bridging loops.
 Use with CAUTION

%Portfast has been configured on FastEthernet0/1 but will only
 have effect when the interface is in a non-trunking mode.
2960A(config-if)#
19. Notice the message the switch provides when enabling portfast. Although it seems like the command didn't take effect, as long as the port is in access mode (discussed in a minute), the port will now be in portfast mode.
20. After you make any changes you want to the interfaces, you can view the different interfaces with the show interface command. The switch output below shows the command used to view a 10/100BaseT interface on the 2960 switch.
2960A#show int f0/1
FastEthernet0/1 is down, line protocol is down (notconnect)
  Hardware is FastEthernet, address is 00b0.9eb1.bcd0 (bia 00b0.9eb1.bcd0)
  MTU 1500 bytes, BW 100000 Kbit, DLY 100 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Keepalive set (10 sec)
  Full-duplex, 100Mb/s, media type is 10/100BaseTX
  input flow-control is off, output flow-control is unsupported
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input 00:00:02, output 00:00:01, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue 0/40, 0 drops; input queue 0/75, 0 drops
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 1000 bits/sec, 1 packets/sec
     1097702 packets input, 71821315 bytes, 0 no buffer
     Received 488076 broadcasts
     0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     0 watchdog, 3752639 multicast, 0 pause input
     0 input packets with dribble condition detected
     1590235 packets output, 290473092 bytes, 0 underruns
     0 output errors, 0 collisions, 2 interface resets
     0 babbles, 0 late collision, 0 deferred
     0 lost carrier, 0 no carrier
     0 output buffer failures, 0 output buffers swapped out
21. In addition to the show interface command, you can use the show running-config command to see the interface configuration as well.
[output cut]
!
interface FastEthernet0/1
 spanning-tree portfast
!
interface FastEthernet0/2
[output cut]
22. You can administratively set a name for each interface on the 2960 switch. Like the hostname, the descriptions are only locally significant. For the 2960 series switch, use the description command. You can use spaces with the description command, or underlines if you prefer. To set the descriptions, you need to be in interface configuration mode. From interface configuration mode, use the description command to describe each interface.
2960A#config t
Enter configuration commands, one per line. End with CTRL/Z
2960A(config)#int fa 0/1
2960A(config-if)#description Sales VLAN
2960A(config-if)#int fa 0/8
2960A(config-if)#description trunk to Building 8
2960A(config-if)#
In the configuration example above, we set the description on both port 1 and 12.
23. Once you have configured the descriptions you want on each interface, you can then view the descriptions with either the show interface command or the show running-config command. View the configuration of the Ethernet interface 0/1 by using the show interface ethernet 0/1 command.
2960A#show int fa0/1
FastEthernet0/1 is down, line protocol is down (notconnect)
  Hardware is FastEthernet, address is 00b0.9eb1.bcd0 (bia 00b0.9eb1.bcd0)
  Description: Sales VLAN
  MTU 1500 bytes, BW 100000 Kbit, DLY 100 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Keepalive set (10 sec)
  Half-duplex, 100Mb/s, media type is 10/100BaseTX
(output cut)
24. Use the show running-config command to view the interface configurations as well.
2960A#show run
[output cut]
!
interface FastEthernet0/1
 description "Sales VLAN"
 spanning-tree portfast
!
[output cut]
Notice in the above switch output that the show int fa0/1 command and the show run command both show the description command set on an interface.
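Two things these labs point out are worth checking automatically: step 7 notes that the enable password and the line passwords sit in clear text because service password-encryption is off (and that the enable secret supersedes the enable password anyway), and step 18 shows the IOS warning that portfast on a port with another switch attached can cause a bridging loop, which the bpduguard option listed in step 17 prevents. The following Python audit is an added example, not code from the book or the Network Visualizer software; it reads a running-config of the shape shown in this lab and reports those findings. The sample config is constructed to resemble the lab output, and the type-5 hash in it is a placeholder.

```python
"""Audit an IOS-style running-config for clear-text passwords and portfast ports without BPDU guard."""

# Constructed sample modelled on the show run output in this lab; it was
# not captured from a real switch and the type-5 hash is a placeholder.
SAMPLE_CONFIG = """\
no service password-encryption
!
hostname 2960A
!
enable secret 5 $1$PLAC$EHOLDERHASHxxxxxxxxxxxxxxx
enable password todd
!
interface FastEthernet0/1
 description Sales VLAN
 spanning-tree portfast
!
interface FastEthernet0/9
 switchport mode access
 spanning-tree portfast
 spanning-tree bpduguard enable
!
line con 0
 password console
 login
line vty 0 15
 password telnet
 login
!
end
"""


def parse_blocks(config):
    """Split into top-level lines and the indented body of each section (IOS indents by one space)."""
    global_lines, blocks, current = [], {}, None
    for raw in config.splitlines():
        text = raw.strip()
        if not text or text == "!":
            current = None          # '!' separates sections
            continue
        if raw.startswith(" ") and current is not None:
            blocks[current].append(text)
        else:
            current = text
            blocks[current] = []
            global_lines.append(text)
    return global_lines, blocks


def audit_line(header, body):
    """Findings for one 'line con' / 'line vty' section."""
    out = []
    passwords = [l.split() for l in body if l.startswith("password")]
    login_set = any(l == "login" or l.startswith("login ") for l in body)
    if login_set and not passwords:
        out.append((header, "login is set but no password is configured"))
    for tokens in passwords:
        # 'password 7 <text>' is type-7 obfuscated; 'password <text>' and
        # 'password 0 <text>' are stored in clear text
        if len(tokens) < 3 or tokens[1] != "7":
            out.append((header, "line password stored in clear text"))
    return out


def audit_interface(header, body, guard_default):
    """Flag portfast without bpduguard, per port or via the global default."""
    portfast = any(l.startswith("spanning-tree portfast") for l in body)
    guarded = guard_default or "spanning-tree bpduguard enable" in body
    if portfast and not guarded:
        return [(header, "portfast without bpduguard; a switch plugged in here "
                         "could cause the bridging loop the IOS warning describes")]
    return []


def audit(config):
    """Return a list of (scope, finding) tuples; an empty list means clean."""
    global_lines, blocks = parse_blocks(config)
    findings = []
    if "no service password-encryption" in global_lines:
        findings.append(("global", "service password-encryption is disabled"))
    has_secret = any(l.startswith("enable secret") for l in global_lines)
    if not has_secret:
        findings.append(("global", "no enable secret configured"))
    if any(l.startswith("enable password") for l in global_lines):
        note = "enable password is stored in clear text (type 0)"
        if has_secret:
            note += "; the enable secret supersedes it, so remove it"
        findings.append(("global", note))
    # 'spanning-tree portfast bpduguard default' guards every portfast port
    guard_default = "spanning-tree portfast bpduguard default" in global_lines
    for header, body in blocks.items():
        if header.startswith("line "):
            findings.extend(audit_line(header, body))
        elif header.startswith("interface "):
            findings.extend(audit_interface(header, body, guard_default))
    return findings


if __name__ == "__main__":
    for scope, finding in audit(SAMPLE_CONFIG):
        print(f"{scope:24s} {finding}")
```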
Verifying the IP Connectivity
It is important to test the switch IP configuration. You can use the ping program, and you can telnet into the 2960 switch. However, you cannot telnet from the 2960 switch or use traceroute.
25. Right-mouse click Host F.
26. Click on the Configs button.
27. On Host F configure:
  • IP Address: 172.16.50.3
  • Subnet Mask: 255.255.255.0
  • Default Gateway: 172.16.50.1
28. In the following example, ping Host F on the network from the 2960 A switch.
2960A#ping 172.16.50.3
Sending 5, 100-byte ICMP Echos to 172.16.50.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 0/2/10 ms
Grade Me
Before you move on and erase your configurations, you should click the Grade Me button to check out your work.
Saving and Erasing Your Configuration
The switch configuration is stored in NVRAM, just as on any router, and placed in RAM when the switch boots. The file in RAM is called the running-config and the file in NVRAM is called the startup-config. You can view the startup-config, also called the backup configuration, with the show startup-config command.
29. To save the switch configuration, you type copy running-config startup-config, or copy run start, just like on a router.
2960A#copy run start
Destination filename [startup-config]? (press Enter)
Building configuration...
[OK]
2960A#
30. To delete the contents of NVRAM on a 2960 switch, use the erase startup-config command as shown. However, you still need to reload the switch to erase the running-config.
2960A#erase startup-config
Erasing the nvram filesystem will remove all files! Continue? [confirm] (press Enter)
[OK]
Erase of nvram: complete
2960A#show start
%% Non-volatile configuration memory is not present
2960A#
Individual Lab: Static Routing
This lab will have you build the routing tables by hand, which means you will create static routing tables on each router. This will allow you to route throughout the entire network. At this point you can only route to directly connected networks of each router. Remember that the routing will not work until all static routes are configured on all routers. Enter all commands in lower case. The program's grading feature expects lower case and may count an answer wrong if it is in upper case.
When you have finished with this lab ...
You can check your work by clicking the Grade Me button in the upper right hand corner of the Network Visualizer screen.
You will see a report that will display:
  • The name of the command entered for this lab.
  • The expected configuration.
  • Your configuration.
  • The result for each command. You will see a green checkmark (meaning that you got it correct) or a red X.
  • A score of the number of correct answers out of the total possible.
Network Layout
On the Network Visualizer screen, click on the Labs menu then choose Individual, IP Routing, and Static Routing.
Static Route
A static route is a manually hard-coded routing statement that creates a route in the routing table of a router. The static route specifies how the router will get to a certain network by using a certain path. Static routing refers to the manual method used to set up routing. This method has the advantage of being simple to create and predictable in its functionality. It is easy to manage in small networks, but in larger ones it is difficult to set up and manage all possible static routes. Static routes are not dynamically responsive to topology changes in a network.
Lab Steps
Copy and Paste Script
Steps 1-3 are necessary in order to perform this lab. If you do not want to manually complete these steps and want to accelerate steps 1-3, you can copy and paste the following script into the console for each router. After you get into user mode, copy and paste the script into the console. Click on the console and click your right mouse button. A pop-up menu will appear. Click Paste.
After pasting the script into the console, you will see the prompt Destination filename [startup-config]?. At this point, press Enter.

2621 Router A
enable
config t
hostname 2621A
line vty 0 4
password todd
login
int s0/0
ip address 172.16.20.2 255.255.255.0
description connection to 2811A
no shutdown
exit
exit
copy run start

2811 Router A
enable
config t
hostname 2811A
line vty 0 1180
password todd
login
int s0/1/1
ip address 172.16.20.1 255.255.255.0
description connection to 2621A
no shutdown
int s0/0/1
ip address 172.16.30.1 255.255.255.0
description connection to 2621B
no shutdown
exit
exit
copy run start

2621 Router B
enable
config t
hostname 2621B
line vty 0 4
password todd
login
int s0/0
ip address 172.16.30.2 255.255.255.0
description connection to 2811A
no shutdown
exit
exit
copy run start
1. Double-click 2621 Router A. After the console screen comes up, perform the following commands.
Router>enable
Router#config t
Router(config)#hostname 2621A
2621A(config)#line vty 0 4
2621A(config-line)#password todd
2621A(config-line)#login
2621A(config-line)#int s0/0
2621A(config-if)#ip address 172.16.20.2 255.255.255.0
2621A(config-if)#description connection to 2811A
2621A(config-if)#no shutdown
2621A(config-if)#exit
2621A(config)#exit
2621A#copy run start
Destination filename [startup-config]? [enter]
Building configuration...
[OK]
2621A#
2. Double-click 2811 Router A. After the console screen comes up, perform the following commands.
Router>enable
Router#config t
Router(config)#hostname 2811A
2811A(config)#line vty 0 1180
2811A(config-line)#password todd
2811A(config-line)#login
2811A(config-line)#int s0/1/1
2811A(config-if)#ip address 172.16.20.1 255.255.255.0
2811A(config-if)#description connection to 2621A
2811A(config-if)#no shutdown
2811A(config-if)#int s0/0/1
2811A(config-if)#ip address 172.16.30.1 255.255.255.0
2811A(config-if)#description connection to 2621B
2811A(config-if)#no shutdown
2811A(config-if)#exit
2811A(config)#exit
2811A#copy run start
Destination filename [startup-config]? [enter]
Building configuration...
[OK]
2811A#
Clock Rate
You do not have to set a clock rate if the DCE side of your connection is a 2811 router. The clock rate for the serial interface is set by default to 2000000. However, on the 2621 router you still need to explicitly set the clock rate. In our lab the DCE side of the connection is interface serial 0/1/1 and serial 0/0/1.
3. Double-click 2621 Router B. After the console screen comes up, perform the following commands.
Router>enable
Router#config t
Router(config)#hostname 2621B
2621B(config)#line vty 0 4
2621B(config-line)#password todd
2621B(config-line)#login
2621B(config-line)#int s0/0
2621B(config-if)#ip address 172.16.30.2 255.255.255.0
2621B(config-if)#description connection to 2811A
2621B(config-if)#no shutdown
2621B(config-if)#exit
2621B(config)#exit
2621B#copy run start
Destination filename [startup-config]? [enter]
Building configuration...
[OK]
2621B#
4. From 2621 Router A, use the ip route command to configure static routing. 2621 Router A is connected to network 172.16.20.0, and a static route must be configured for EVERY network that is not directly connected. The next hop gateway is always 172.16.20.1 (router 2811 A).
2621A#config t
2621A(config)#ip route 172.16.30.0 255.255.255.0 172.16.20.1
2621A(config)#exit
2621A#copy run start
Anatomy of a Command: ip route 172.16.30.0 255.255.255.0 172.16.20.1

ip route        tells the system we are entering a static route
172.16.30.0     the destination ip network address, where we want to send packets
255.255.255.0   the mask of the destination ip network
172.16.20.1     the IP address of the next hop used to reach the destination address
5. From 2621 Router B, use the ip route command to configure static routing. 2621 Router B is connected to network 172.16.30.0, and a static route must be configured for EVERY network that is not directly connected. The next hop gateway is always 172.16.30.1 (router 2811 A).
2621B#config t
2621B(config)#ip route 172.16.20.0 255.255.255.0 172.16.30.1
2621B(config)#exit
2621B#copy run start
Directly Connected Routes
In the preceding set of ip route commands for 2621 Router B, routes are not established for network 30. 2621 Router B knows about network 30 because it is directly connected to it. Therefore you do not have to enter ip route commands for network 30; only for networks that are not directly connected to 2621 Router B, such as network 20.
6. From 2621 Router A, use the show ip route command to verify your routing table.
2621A#show ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, * - candidate default
       U - per-user static route, o - ODR, P - periodic downloaded static route
       T - traffic engineered route

Gateway of last resort is not set

     172.16.0.0/24 is subnetted, 3 subnets
S       172.16.30.0 [1/0] via 172.16.20.1
C       172.16.20.0 is directly connected, Serial0/0
2621A#

Anatomy of a Routing Table

Output: 172.16.0.0/24 is subnetted, 2 subnets
Description: class B network 172.16.0.0 is subnetted into two class C networks. /24 means a class C network. The two subnetted Class C networks are 172.16.30.0 and 172.16.20.0.

Output: S 172.16.30.0 [1/0] via 172.16.20.1
Description: any packets destined for network 172.16.30.0 are forwarded to the next hop router with the ip address of 172.16.20.1. S means the route is a static route and was manually added using the ip route command.
Metric: [1/0] is the administrative distance (1) and routing metric (0).

Output: C 172.16.20.0 is directly connected, Serial0/0
Description: any packets destined for network 172.16.20.0 are forwarded to the ip address assigned to the Serial0/0 interface. C means the route is directly connected to the local router's Serial0/0 interface. The route is automatically added to the local routing table when S0/0 is assigned an ip address, has a physical cable connection, and is turned up for service.

7. From 2621 Router B, use the show ip route command to verify your routing table.
2621B#show ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, * - candidate default
       U - per-user static route, o - ODR, P - periodic downloaded static route
       T - traffic engineered route

Gateway of last resort is not set

     172.16.0.0/24 is subnetted, 2 subnets
C       172.16.30.0 is directly connected, Serial0/0
S       172.16.20.0 [1/0] via 172.16.30.1
2621B#

8. Once you verify the routing tables in all routers, use the ping command to verify IP connectivity between routers.
2621A#ping 172.16.30.2
2621B#ping 172.16.20.2
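The routing-table anatomy above explains what each line of show ip route means; the following Python example, added here and not part of the lab manual or the simulator, shows how a router actually uses those lines. It parses the two route entries 2621 Router A holds after step 4 (a constructed sample in the same format as the output above) and performs the lookup a forwarding engine performs: longest prefix match first, then lowest administrative distance, then lowest metric. The helper names (parse_routes, lookup, describe) are this example's own, and the /24 prefix length is taken from the "is subnetted" summary line rather than parsed per entry.

```python
import ipaddress
import re

# Constructed sample: the two routes 2621 Router A holds after step 4,
# in the format of the lab's "show ip route" output (Codes block omitted).
SHOW_IP_ROUTE_2621A = """\
     172.16.0.0/24 is subnetted, 2 subnets
S       172.16.30.0 [1/0] via 172.16.20.1
C       172.16.20.0 is directly connected, Serial0/0
"""

# One IOS route line: code, network, then either "[AD/metric] via next-hop"
# for a static route or "is directly connected, <interface>".
ROUTE_RE = re.compile(
    r"^(?P<code>[A-Z])\s+(?P<net>\d+\.\d+\.\d+\.\d+)"
    r"(?:\s+\[(?P<ad>\d+)/(?P<metric>\d+)\]\s+via\s+(?P<nexthop>\S+)"
    r"|\s+is directly connected,\s+(?P<iface>\S+))"
)


def parse_routes(text, prefix_len=24):
    """Turn show ip route lines into route dicts.

    prefix_len comes from the "is subnetted" summary line: every network in
    this lab is a /24, so it is passed in rather than parsed per entry.
    """
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line.strip())
        if not m:                      # summary line, blank line or prompt
            continue
        routes.append({
            "code": m["code"],
            "network": ipaddress.ip_network(f"{m['net']}/{prefix_len}"),
            "ad": int(m["ad"]) if m["ad"] else 0,          # connected: AD 0
            "metric": int(m["metric"]) if m["metric"] else 0,
            "next_hop": m["nexthop"],
            "interface": m["iface"],
        })
    return routes


def lookup(routes, destination):
    """Longest-prefix match, ties broken by lower AD and then lower metric."""
    ip = ipaddress.ip_address(destination)
    candidates = [r for r in routes if ip in r["network"]]
    if not candidates:
        return None
    return min(candidates,
               key=lambda r: (-r["network"].prefixlen, r["ad"], r["metric"]))


def describe(routes, destination):
    """Explain, in words, what the router does with a packet for destination."""
    r = lookup(routes, destination)
    if r is None:
        return f"{destination}: no route, packet dropped"
    if r["code"] == "C":
        return f"{destination}: directly connected via {r['interface']}"
    return (f"{destination}: static route, next hop {r['next_hop']} "
            f"[AD {r['ad']}/metric {r['metric']}]")


if __name__ == "__main__":
    table = parse_routes(SHOW_IP_ROUTE_2621A)
    # 172.16.10.1 lies in a network no route covers, which is exactly the
    # case step 4 warns about: every non-connected network needs an ip route.
    for dst in ("172.16.30.2", "172.16.20.1", "172.16.10.1"):
        print(describe(table, dst))
```

The third lookup is the instructive one: an address in a network that has neither a connected nor a static entry gets no match at all, which is why the lab insists on a static route for every network that is not directly connected.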
Individual Lab: Telnet

Telnet is a virtual terminal protocol that is part of the TCP/IP protocol suite. Telnet allows you to make connections to remote devices and gather information and run programs. After your routers and switches are configured, you can use the Telnet program to configure and check your routers and switches instead of needing to use a console cable. You use the Telnet program by typing telnet from any command prompt (DOS or Cisco). VTY passwords must be set on the routers for this to work. You cannot use CDP to gather information about routers and switches that are not directly connected to your device. However, you can use the Telnet application to connect to your neighbor devices and then run CDP on those remote devices to gather CDP information about remote devices. In this lab we will telnet from 2621 Router B into 2621 Router A and 3550 Switch A.
Enter all commands in lower case. The program's grading feature expects lower case and may count an answer wrong if it is in upper case.
When you have finished with this lab ... You can check your work by clicking the Grade Me button in the upper right hand corner of the Network Visualizer screen.
You will see a report that will display:
- The name of the command entered for this lab.
- The expected configuration.
- Your configuration.
- The result for each command. You will see a green checkmark (meaning that you got it correct) or a red X.
- A score of the number of correct answers out of the total possible.
Network Layout
On the Network Visualizer screen, click on the Labs menu then choose Individual, Cisco Internetwork, and Telnet.
Lab Steps

Copy and Paste Script
Steps 1-3 are necessary in order to perform this lab. If you do not want to manually complete these steps and want to accelerate steps 1-3, you can copy and paste the following script into the console for each router. After you get into user mode, copy and paste the script into the console. Click on the console and click your right mouse button. A pop-up menu will appear. Click Paste.
After pasting the script into the console, you will see the prompt Destination filename [startup-config]?. At this point, press Enter.

Router 2621 A
enable
config t
hostname 2621A
line vty 0 4
password todd
login
interface s0/0
ip address 172.16.20.2 255.255.255.0
description connection to 2811A
no shutdown
exit
exit
copy run start

Router 2811 A
enable
config t
hostname 2811A
line vty 0 1180
password todd
login
interface fastethernet 0/0
ip address 172.16.10.1 255.255.255.0
description connection to LAN 10
no shutdown
interface s0/1/1
ip address 172.16.20.1 255.255.255.0
description connection to 2621A
no shutdown
interface s0/0/1
ip address 172.16.30.1 255.255.255.0
description connection to 2621B
no shutdown
exit
exit
copy run start

Router 2621 B
enable
config t
hostname 2621B
line vty 0 4
password todd
login
interface s0/0
ip address 172.16.30.2 255.255.255.0
description connection to 2811A
no shutdown
exit
exit
copy run start
1. Double-click 2621 Router A. After the console comes up, perform the following commands.
Router>enable
Router#config t
Router(config)#hostname 2621A
2621A(config)#line vty 0 4
2621A(config-line)#password todd
2621A(config-line)#login
2621A(config-line)#int s0/0
2621A(config-if)#ip address 172.16.20.2 255.255.255.0
2621A(config-if)#description connection to 2811A
2621A(config-if)#no shutdown
2621A(config-if)#exit
2621A(config)#exit
2621A#copy run start
Destination filename [startup-config]? [enter]
Building configuration...
[OK]
2621A#
2. Double-click 2811 Router A. After the console screen comes up, perform the following commands.
Router>enable
Router#config t
Router(config)#hostname 2811A
2811A(config)#line vty 0 1180
2811A(config-line)#password todd
2811A(config-line)#login
2811A(config-line)#int fastethernet 0/0
2811A(config-if)#ip address 172.16.10.1 255.255.255.0
2811A(config-if)#description connection to LAN 10
2811A(config-if)#no shutdown
2811A(config-if)#int s0/1/1
2811A(config-if)#ip address 172.16.20.1 255.255.255.0
2811A(config-if)#description connection to 2621A
2811A(config-if)#no shutdown
2811A(config-if)#int s0/0/1
2811A(config-if)#ip address 172.16.30.1 255.255.255.0
2811A(config-if)#description connection to 2621B
2811A(config-if)#no shutdown
2811A(config-if)#exit
2811A(config)#exit
2811A#copy run start
Destination filename [startup-config]? [enter]
Building configuration...
[OK]
2811A#
Clock Rate
You do not have to set a clock rate if the DCE side of your connection is a 2811 router. The clock rate for the serial interface is set by default to 2000000. However, on the 2621 router you still need to explicitly set the clock rate. In our lab the DCE side of the connection is interface serial 0/1/1 and serial 0/0/1.
3. Double-click 2621 Router B. After the console screen comes up, perform the following commands.
Router>enable
Router#config t
Router(config)#hostname 2621B
2621B(config)#line vty 0 4
2621B(config-line)#password todd
2621B(config-line)#login
2621B(config-line)#interface s0/0
2621B(config-if)#ip address 172.16.30.2 255.255.255.0
2621B(config-if)#description connection to 2811A
2621B(config-if)#no shutdown
2621B(config-if)#exit
2621B(config)#exit
2621B#copy run start
Destination filename [startup-config]? [enter]
Building configuration...
[OK]
2621B#
4. We need to add a routing protocol such as RIP. Add RIP on each router with a network of 172.16.0.0.
2621A#config t
2621A(config)#router rip
2621A(config-router)#network 172.16.0.0
2621A(config-router)#ctrl+z

2621B#config t
2621B(config)#router rip
2621B(config-router)#network 172.16.0.0
2621B(config-router)#ctrl+z

2811A#config t
2811A(config)#router rip
2811A(config-router)#network 172.16.0.0
2811A(config-router)#ctrl+z
5. Go to the console for 3550 Switch A and perform the following commands:
switch>en
switch#config t
Enter configuration commands, one per line.  End with CNTL/Z.
switch(config)#
6. To set the IP configuration on a 3550 switch, use the ip address command. However, this is set under the VLAN1 interface, not at global configuration mode as on a 1900 switch. Remember that by default all interfaces are members of VLAN1, which is why the VLAN1 interface is configured by default. Let's also set the hostname so that we can more clearly identify this device when we telnet into it in subsequent steps.
switch(config)#hostname 3550A
3550A(config)#int vlan 1
3550A(config-if)#ip address 172.16.10.17 255.255.255.0
7. The default gateway should also be set, using the ip default-gateway command. Unlike the IP address, this is done at global configuration mode.
3550A(config-if)#exit
3550A(config)#ip default-gateway 172.16.10.1
8. We need to set up a VTY password for 3550 Switch A.
3550A(config)#line vty 0 15
3550A(config-line)#password todd
3550A(config-line)#login
3550A(config-line)#ctrl+z
3550A#copy run start
9. Switch to the 2621 B router via the console menu.
10. You can issue the telnet command from any router prompt, as in the following example from 2621 Router B to 2621 Router A:
2621B#telnet 172.16.20.2
Trying 172.16.20.2 ... Open

Password required, but none set
[Connection to 172.16.20.2 closed by foreign host]
2621B#
Remember that the VTY ports on a router are configured as login, which means that you must either set the VTY passwords or use the no login command.
11. On a Cisco router, you do not need to use the telnet command. If you just type in an IP address at a command prompt, the router will assume you want to telnet to the device, as shown below:
2621B#172.16.20.2
Trying 172.16.20.2 ... Open

Password required, but none set
[Connection to 172.16.20.2 closed by foreign host]
2621B#
12. It's time to set VTY passwords on the router I want to telnet into. Here is an example of what was done:
2621A#config t
Enter configuration commands, one per line.  End with CTRL/Z.
2621A(config)#line vty 0 4
2621A(config-line)#password todd
2621A(config-line)#login
2621A(config-line)#ctrl+z
2621A#
13. Now, let's try connecting to the router again (from the 2621 Router B console).
2621B#172.16.20.2
Trying 172.16.20.2 ... Open

User Access Verification
Password:
2621A>
14. Remember that the VTY password is the user mode password, not the enable password. Watch what happens when I try to go into privileged mode after telnetting into 2621 Router A:
2621A>en
% No password set
2621A>
This is a good security feature. You don't want anyone just telnetting onto your device and then being able to type the enable command to get into privileged mode. You must set your enable password or enable secret password to use telnet to configure remote devices.
15. Now, exit out of 2621 Router A.
2621A>exit
[Connection to 172.16.20.2 closed by foreign host]
2621B#
16. If you telnet to a router or switch, you can end the connection by typing exit at any time. However, what if you want to keep your connection to a remote device but still come back to your original router console? To keep the connection, you can press the Ctrl+Shift+6 key combination, release it, and then press X. Here's an example of connecting to multiple devices from the 2621 Router B console:
2621B#telnet 172.16.20.2
Trying 172.16.20.2 ... Open

User Access Verification
Password:
2621A> [press ctrl+shift+6 then x]
2621B#
In the example above, I telnetted to 2621 Router A, then typed the password to enter user mode. I then pressed Ctrl+Shift+6, then x (this does not show in the screen output). Notice the command prompt is now back at the 2621 B router.
17. You can also telnet into a switch. In the following example, we telnet to 3550 Switch A.
2621B#telnet 172.16.10.17
Trying 172.16.10.17 ... Open

User Access Verification
Password:
3550A>
18. At this point, press Ctrl+Shift+6, then X, which will take you back to the 2621 B router console.
2621B#
19. To see the connections made from your router to a remote device, use the show sessions command, as shown below.
2621B#show sessions
Conn Host            Address          Byte  Idle  Conn Name
   1 172.16.20.2     172.16.20.2         0     0  172.16.20.2
*  2 172.16.10.17    172.16.10.17        0     0  172.16.10.17
2621B#
20. Notice the asterisk (*) next to connection 2. This means that session 2 was the last session. You can return to your last session by pressing Enter twice. You can also return to any session by typing the number of the connection and pressing Enter twice. Here is an example:
2621B#1
[Resuming connection 1 to 172.16.20.2 ... ] [press enter]
2621A>
When changing windows from router to router, do not close the window with the "x" or the telnet information will be lost.
21. You can list all active consoles and VTY ports in use on your router with the show users command. Type show users from 2621 Router A, which 2621 Router B had telnetted into.
2621A>show users
    Line       User       Host(s)              Idle       Location
   0 con 0                idle                 00:00:00
*  2 vty 0                idle                 00:25:12   172.16.30.2

  Interface    User               Mode         Idle     Peer Address
2621A>
In the command's output, con represents the local console. In this example, the console is connected to two remote IP addresses, or devices. This output shows that the console is active and that VTY port 0 is being used. The asterisk represents the current terminal session user.
22. You can end Telnet sessions a few different ways. Typing exit or disconnect is probably the easiest and quickest. To end a session from a remote device, use the exit command, as shown below.
2621A#exit
[Connection to 172.16.20.2 closed by foreign host]
2621B#
23. To end a session from a local device, use the disconnect command, as shown below.
2621B#show sessions
Conn Host            Address          Byte  Idle  Conn Name
*  2 172.16.10.17    172.16.10.17        0     0  172.16.10.17
2621B#disconnect 2
Closing connection to 172.16.10.17 [confirm] [enter]
2621B#
In this example, we used session number 2 because that was the connection to 3550 Switch A that we wanted to end. As explained earlier, you can use the show sessions command to see the connection number.
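Steps 10 through 14 show the two checks IOS makes on a remote session: a VTY line with login but no password refuses the connection ("Password required, but none set"), and a router with no enable secret refuses privileged mode ("% No password set"). The Python example below is an added illustration, not code from the lab manual or the simulator: it parses a running-config (two constructed samples, the 2621 Router A configuration as steps 10-11 find it and the same router after a password, an enable secret and an SSH-only transport have been set) and reports which of those conditions hold, the way a configuration audit would before a device is left reachable over the network. The helper names (parse_config, audit) and the enable secret hash in the sample are this example's own placeholders.

```python
import re

# Constructed sample: 2621 Router A as steps 10-11 find it, VTY login
# required but no password set, and no enable secret configured.
CONFIG_BEFORE = """\
hostname 2621A
!
interface Serial0/0
 ip address 172.16.20.2 255.255.255.0
!
line con 0
line vty 0 4
 login
!
"""

# Constructed sample: the same router after a VTY password, an enable
# secret (placeholder hash) and an SSH-only transport have been applied.
CONFIG_AFTER = """\
hostname 2621A
enable secret 5 $1$PLAC$EHOLDERHASHxxxxxxxxxxx
!
line vty 0 4
 password todd
 login
 transport input ssh
!
"""


def parse_config(text):
    """Split a running-config into global lines and 'line vty' blocks."""
    global_lines, vty_blocks, current = [], [], None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            current = None                      # '!' ends a block
            continue
        if raw.startswith(" ") and current is not None:
            current[1].append(raw.strip())      # indented sub-command
            continue
        line = raw.strip()
        if re.match(r"line vty \d+(?: \d+)?$", line):
            current = (line[5:], [])            # e.g. "vty 0 4"
            vty_blocks.append(current)
        else:
            current = None
            global_lines.append(line)
    return global_lines, vty_blocks


def audit(text):
    """Return a list of findings; an empty list means nothing to flag."""
    global_lines, vty_blocks = parse_config(text)
    findings = []
    has_secret = any(g.startswith("enable secret") for g in global_lines)
    has_enable_pw = any(g.startswith("enable password") for g in global_lines)
    if not has_secret and not has_enable_pw:
        findings.append("no enable secret: privileged mode is unreachable from a "
                        "remote session ('% No password set')")
    elif not has_secret:
        findings.append("enable password set but no enable secret: the secret is "
                        "stored as a hash, the password is not")
    if not vty_blocks:
        findings.append("no line vty block: remote terminal access not configured")
    for name, lines in vty_blocks:
        has_pw = any(l.startswith("password ") for l in lines)
        transport = next((l for l in lines if l.startswith("transport input")), None)
        if "no login" in lines:
            findings.append(f"{name}: 'no login' accepts connections without a password")
        elif "login" in lines and not has_pw:
            findings.append(f"{name}: login set but no password, remote logins are "
                            "refused ('Password required, but none set')")
        if transport != "transport input ssh":
            findings.append(f"{name}: transport not pinned to ssh, telnet sends the "
                            "VTY password in cleartext")
    return findings


if __name__ == "__main__":
    for label, cfg in (("before", CONFIG_BEFORE), ("after", CONFIG_AFTER)):
        print(f"== {label} ==")
        for finding in audit(cfg) or ["no findings"]:
            print(" -", finding)
```

The "before" sample reproduces exactly the two failures the lab walks through; the "after" sample is what the lab's own advice (set the VTY password, set an enable secret) leads to, with the transport restricted to SSH because telnet carries the VTY password unencrypted.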
Individual Lab: Using the Cisco Discovery Protocol to Gather Information about Neighbor Devices

Cisco Discovery Protocol (CDP) is a proprietary protocol designed by Cisco to help administrators collect information about both locally attached and remote devices. You can gather hardware information, as well as protocol information, about neighbor devices. This information is useful for troubleshooting and documenting the network.
Enter all commands in lower case. The program's grading feature expects lower case and may count an answer wrong if it is in upper case.
When you have finished with this lab ... You can check your work by clicking the Grade Me button in the upper right hand corner of the Network Visualizer screen.
You will see a report that will display:
- The name of the command entered for this lab.
- The expected configuration.
- Your configuration.
- The result for each command. You will see a green checkmark (meaning that you got it correct) or a red X.
- A score of the number of correct answers out of the total possible.

Network Layout
On the Network Visualizer screen, click on the Labs menu then choose Individual, Cisco Internetwork, and Cisco Discovery Protocol.
Lab Steps
1. Double-click 2621 Router A. After the console screen comes up, perform the following commands.
Router>enable
Router#config t
Router(config)#hostname 2621A
2621A(config)#line vty 0 4
2621A(config-line)#password todd
2621A(config-line)#login
2621A(config-line)#int s0/0
2621A(config-if)#ip address 172.16.20.2 255.255.255.0
2621A(config-if)#description connection to 2811A
2621A(config-if)#no shutdown
2621A(config-if)#exit
2621A(config)#exit
2621A#copy run start
Destination filename [startup-config]? [enter]
Building configuration...
[OK]
2621A#
2. Double-click 2811 Router A. After the console screen comes up, perform the following commands.
Router>enable
Router#config t
Router(config)#hostname 2811A
2811A(config)#line vty 0 1180
2811A(config-line)#password todd
2811A(config-line)#login
2811A(config-line)#int s0/1/1
2811A(config-if)#ip address 172.16.20.1 255.255.255.0
2811A(config-if)#description connection to 2621A
2811A(config-if)#no shutdown
2811A(config-if)#int s0/0/1
2811A(config-if)#ip address 172.16.30.1 255.255.255.0
2811A(config-if)#description connection to 2621B
2811A(config-if)#no shutdown
2811A(config-if)#exit
2811A(config)#exit
2811A#copy run start
Destination filename [startup-config]? [enter]
Building configuration...
[OK]
2811A#
Clock Rate
You do not have to set a clock rate if the DCE side of your connection is a 2811 router. The clock rate for the serial interface is set by default to 2000000. However, on the 2621 router you still need to explicitly set the clock rate. In our lab the DCE side of the connection is interface serial 0/1/1 and serial 0/0/1.
3. Double-click 2621 Router B. After the console screen comes up, perform the following commands.
Router>enable
Router#config t
Router(config)#hostname 2621B
2621B(config)#line vty 0 4
2621B(config-line)#password todd
2621B(config-line)#login
2621B(config-line)#int s0/0
2621B(config-if)#ip address 172.16.30.2 255.255.255.0
2621B(config-if)#description connection to 2811A
2621B(config-if)#no shutdown
2621B(config-if)#exit
2621B(config)#exit
2621B#copy run start
Destination filename [startup-config]? [enter]
Building configuration...
[OK]
2621B#
4. Gather CDP information on your router by getting the CDP timer and holdtime information. Use the show cdp command, which shows the two CDP global parameters that can be configured on Cisco devices. The output on a router looks like this:
2811A#show cdp
Global CDP information:
        Sending CDP packets every 60 seconds
        Sending a holdtime value of 180 seconds
        Sending CDPv2 advertisements is enabled
2811A#
- CDP timer is how often CDP packets are transmitted to all active interfaces.
- CDP holdtime is the amount of time that the device will hold packets received from neighbor devices.
Both the Cisco routers and the Cisco switches use the same parameters.
5. Use the global commands cdp holdtime and cdp timer to configure the CDP holdtime and timer on a router.
2811A#config t
Enter configuration commands, one per line.  End with CTRL/Z.
2811A(config)#cdp ?
  advertise-v2      CDP sends version-2 advertisements
  holdtime          Specify the holdtime (in sec) to be sent in packets
  log               Log messages generated by CDP
  run               Enable CDP
  source-interface  Insert the interface's IP in all CDP packets
  timer             Specify rate (in sec) at which CDP packets are sent
2811A(config)#cdp timer 90
2811A(config)#cdp holdtime 240
2811A(config)#ctrl+z
6. You can turn off CDP completely on the router with the no cdp run command from global configuration mode. Enable CDP again with the cdp run command.
2811A(config)#no cdp run
2811A(config)#cdp run
2811A(config)#ctrl+z
7. To turn CDP off or on for a single router interface, use the no cdp enable and cdp enable commands in interface configuration mode.
2811A(config)#int fa0/0
2811A(config-if)#no cdp enable
2811A(config-if)#cdp enable
2811A(config-if)#ctrl+z
8. The show cdp neighbor command (show cdp nei for short) shows information about directly connected devices. It is important to remember that CDP packets are not passed through a Cisco switch, and you only see what is directly attached. On a router connected to a switch, you will not see the other devices connected to the switch. The following output shows the show cdp neighbor command used on the 2811 A router.
2811A#show cdp nei
Device ID    Local Intrfce    Holdtme    Capability    Platform    Port ID
2621B        Ser 0/0/1        170        R             2621        Ser 0/0
2621A        Ser 0/1/1        170        R             2621        Ser 0/0
2811A#
The following table summarizes the information displayed by the show cdp neighbor command for each device.

Device ID        The hostname of the device directly connected.
Local Interface  The port or interface on which you are receiving the CDP packet.
Holdtime         The amount of time the router will hold the information before discarding it if no more CDP packets are received.
Capability       The neighbor's capability, such as router, switch, or repeater. The capability codes are listed at the top of the command output.
Platform         The type of Cisco device. In the above output, a 2811 router, two 2621 routers, a 3550 switch, and a 3560 switch are attached.
Port ID          The neighbor device's port or interface out of which the CDP packets are broadcast.
9. Another command that provides neighbor information is the show cdp neighbor detail command (show cdp nei de for short), which can also be run on the router or switch. This command shows detailed information about each device connected to the device, as in the router output below.
2811A#show cdp neighbor detail
-------------------------
Device ID: 2621B
Entry address(es):
  IP Address: 172.16.30.2
Platform: cisco 2621,  Capabilities: Router
Interface: Serial0/0,  Port ID (outgoing port): Serial0/0/1
Holdtime : 146 sec

Version :
Cisco Internetwork Operating System Software
IOS (tm) C2600 Software (C2600-BIN-M), Version 12.2(13)T1,  RELEASE SOFTWARE (fc1)
TAC Support: http://www.cisco.com/tac
Copyright (c) 1986-2003 by Cisco Systems, Inc.
Compiled Sat 04-Jan-03 05:58 by ccai

advertisement version: 2
-------------------------
Device ID: 2621A
Entry address(es):
  IP Address: 172.16.20.2
Platform: cisco 2621,  Capabilities: Router
Interface: Serial0/0,  Port ID (outgoing port): Serial0/1/1
Holdtime : 146 sec

Version :
Cisco Internetwork Operating System Software
IOS (tm) C2600 Software (C2600-BIN-M), Version 12.2(13)T1,  RELEASE SOFTWARE (fc1)
TAC Support: http://www.cisco.com/tac
Copyright (c) 1986-2003 by Cisco Systems, Inc.
Compiled Sat 04-Jan-03 05:58 by ccai

advertisement version: 2
-------------------------
2811A#
The output above shows the hostname and IP address of the directly connected devices. In addition to the same information displayed by the show cdp neighbor command, the show cdp neighbor detail command also shows the IOS version of the neighbor device.
10. The show cdp entry * command displays the same information as the show cdp neighbor detail command. The following is an example of the router output of the show cdp entry * command.
2811A#show cdp entry *
-------------------------
Device ID: 2621B
Entry address(es):
  IP Address: 172.16.30.2
Platform: cisco 2621,  Capabilities: Router
Interface: Serial0/0,  Port ID (outgoing port): Serial0/0/1
Holdtime : 146 sec

Version :
Cisco Internetwork Operating System Software
IOS (tm) C2600 Software (C2600-BIN-M), Version 12.2(13)T1,  RELEASE SOFTWARE (fc1)
TAC Support: http://www.cisco.com/tac
Copyright (c) 1986-2003 by Cisco Systems, Inc.
Compiled Sat 04-Jan-03 05:58 by ccai

advertisement version: 2
-------------------------
Device ID: 2621A
Entry address(es):
  IP Address: 172.16.20.2
Platform: cisco 2621,  Capabilities: Router
Interface: Serial0/0,  Port ID (outgoing port): Serial0/1/1
Holdtime : 146 sec

Version :
Cisco Internetwork Operating System Software
IOS (tm) C2600 Software (C2600-BIN-M), Version 12.2(13)T1,  RELEASE SOFTWARE (fc1)
TAC Support: http://www.cisco.com/tac
Copyright (c) 1986-2003 by Cisco Systems, Inc.
Compiled Sat 04-Jan-03 05:58 by ccai

advertisement version: 2
-------------------------
2811A#
11. The show cdp traffic command displays information about interface traffic, including the number of CDP packets sent and received and the errors with CDP. The following output shows the show cdp traffic command used on a router.
2811A#show cdp traffic
CDP counters :
        Total packets output: 30, Input: 30
        Hdr syntax: 0, Chksum error: 0, Encaps failed: 0
        No memory: 0, Invalid packet: 0, Fragmented: 0
        CDP version 1 advertisements output: 0, Input: 0
        CDP version 2 advertisements output: 30, Input: 30
2811A#
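The lab introduces CDP as a way to document the network; the Python example below, added here and not part of the lab manual or the simulator, turns the show cdp neighbor detail output of steps 9-10 into exactly that kind of record. It parses a constructed sample in the same format as the output above (the neighbors 2811 Router A sees, with the local interface and neighbor port taken from the show cdp neighbor table in step 8), builds an inventory entry per neighbor including the advertised IOS version, and compares what was learned against a documented map of interface to expected neighbor, so a device that appears on an undocumented port, or a documented neighbor that has gone missing, is reported. It also checks the timer/holdtime relationship from step 5. The helper names (parse_cdp_detail, check_expected, timers_consistent) are this example's own.

```python
import re

# Constructed sample in the format of the lab's "show cdp neighbor detail"
# output on 2811A: one neighbor per dashed block, addresses as in the lab.
SHOW_CDP_DETAIL_2811A = """\
-------------------------
Device ID: 2621B
Entry address(es):
  IP Address: 172.16.30.2
Platform: cisco 2621,  Capabilities: Router
Interface: Serial0/0/1,  Port ID (outgoing port): Serial0/0
Holdtime : 146 sec

Version :
Cisco Internetwork Operating System Software
IOS (tm) C2600 Software (C2600-BIN-M), Version 12.2(13)T1,  RELEASE SOFTWARE (fc1)

advertisement version: 2
-------------------------
Device ID: 2621A
Entry address(es):
  IP Address: 172.16.20.2
Platform: cisco 2621,  Capabilities: Router
Interface: Serial0/1/1,  Port ID (outgoing port): Serial0/0
Holdtime : 146 sec

Version :
Cisco Internetwork Operating System Software
IOS (tm) C2600 Software (C2600-BIN-M), Version 12.2(13)T1,  RELEASE SOFTWARE (fc1)

advertisement version: 2
"""


def parse_cdp_detail(text):
    """One dict per neighbor block. 'Interface:' is the local port on which
    the CDP packet arrived; 'Port ID' is the neighbor's outgoing port."""
    entries = []
    for block in re.split(r"-{5,}", text):
        if "Device ID:" not in block:
            continue

        def grab(pattern):
            m = re.search(pattern, block)
            return m.group(1).strip() if m else None

        # "Version :" on its own line has no digit after it, so this only
        # matches the "Version 12.2(13)T1," fragment of the IOS banner.
        ver = re.search(r"Version\s+(\d[^,\s]*)", block)
        entries.append({
            "device_id": grab(r"Device ID:\s*(\S+)"),
            "ip": grab(r"IP Address:\s*(\S+)"),
            "platform": grab(r"Platform:\s*([^,]+),"),
            "capabilities": grab(r"Capabilities:\s*(.+)"),
            "local_interface": grab(r"Interface:\s*([^,]+),"),
            "port_id": grab(r"Port ID \(outgoing port\):\s*(\S+)"),
            "holdtime": int(grab(r"Holdtime\s*:\s*(\d+)") or 0),
            "ios_version": ver.group(1) if ver else None,
        })
    return entries


def check_expected(entries, expected):
    """Compare learned neighbors with the documented topology.

    expected maps local interface -> documented neighbor hostname.  A port
    whose neighbor changed, a documented port with no neighbor, and a neighbor
    on an undocumented port are each reported as one line.
    """
    seen = {e["local_interface"]: e["device_id"] for e in entries}
    problems = []
    for iface, device in sorted(expected.items()):
        if iface not in seen:
            problems.append(f"{iface}: documented neighbor {device} not seen")
        elif seen[iface] != device:
            problems.append(f"{iface}: expected {device}, learned {seen[iface]}")
    for iface, device in sorted(seen.items()):
        if iface not in expected:
            problems.append(f"{iface}: undocumented neighbor {device}")
    return problems


def timers_consistent(timer, holdtime):
    """A neighbor is discarded when no CDP packet arrives within the holdtime,
    so the holdtime must exceed the send interval (step 5 uses 90 and 240)."""
    return holdtime > timer


if __name__ == "__main__":
    inventory = parse_cdp_detail(SHOW_CDP_DETAIL_2811A)
    for e in inventory:
        print(f"{e['local_interface']:12} {e['device_id']:8} {e['ip']:14} "
              f"{e['platform']:12} IOS {e['ios_version']}")
    documented = {"Serial0/0/1": "2621B", "Serial0/1/1": "2621A"}
    print(check_expected(inventory, documented) or "topology matches documentation")
    print("timers ok:", timers_consistent(90, 240))
```

Run against a real show cdp neighbor detail capture, the inventory gives the per-neighbor platform and IOS version the lab says CDP is for, and the documented map turns the same output into a check that the cabling still matches the diagram.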
Individual Lab: Working with a Router Interface

Enter all commands in lower case. The program's grading feature expects lower case and may count an answer wrong if it is in upper case.
By default, interfaces are shut down and turned off. That means that packets cannot travel through the device to another connected device. You can turn an interface on with the no shutdown command. You can turn off or shut down an interface with the shutdown command. You can check the status of an interface by using the show interface command. If an interface is shut down, it will display administratively down when using the show interface command, and the show running-config command will also show the interface as shut down.
When you have finished with this lab ... You can check your work by clicking the Grade Me button in the upper right hand corner of the Network Visualizer screen.
You will see a report that will display:
- The name of the command entered for this lab.
- The expected configuration.
- Your configuration.
- The result for each command. You will see a green checkmark (meaning that you got it correct) or a red X.
- A score of the number of correct answers out of the total possible.
Network Layout
On the Network Visualizer screen, click on the Labs menu then choose Individual, Cisco IOS, and Router Interface.

Lab Steps
1. On the Network Visualizer screen, double-click on 2621 Router A. This will bring up a console screen.
2. Press Enter and the Router> prompt will appear. You are now in user mode.
3. Change to privileged mode and then global configuration mode.
Router>
Router>enable
Router#config t
Enter configuration commands, one per line.  End with CTRL/Z.
4. Set the hostname.
Router(config)#hostname 2621A
5. Type show interface fastethernet 0/0 and see that it is administratively down.
2621A(config)#exit
2621A#show int fa0/0
FastEthernet0/0 is administratively down, line protocol is up
[output cut]
6. Bring up interface FastEthernet 0/0 with the no shutdown command.
2621A#config t
Enter configuration commands, one per line.  End with CTRL/Z.
2621A(config)#int fa0/0
2621A(config-if)#no shutdown
2621A(config-if)#ctrl+z
00:57:08: %LINK-3-UPDOWN: Interface Fastethernet 0/0, changed state to up
00:57:09: %LINEPROTO-5-UPDOWN: Line protocol on Interface Fastethernet 0/0, changed state to up
2621A#show int fa0/0
Fastethernet 0/0 is up, line protocol is down
[output cut]
7. Configure the router to enable all interfaces by issuing the no shutdown command on all interfaces.

Configuring an IP Address on an Interface

8. Configure the FastEthernet 0/0 interface with the IP address 172.16.10.2/24.
2621A#config t
2621A(config)#int fa0/0
2621A(config-if)#ip address 172.16.10.2 255.255.255.0
Notice that in order to enable an interface, we use the no shut command. Remember to look at the output of show interface fa0/0, for example, which will show you whether the interface is administratively shut down or not. Show running-config will also show you if the interface is shut down.
9. If you want to add a second subnet address to an interface, then you must use the secondary command.
Subnet Address
A subnet address is a range of logical addresses within the address space of an organization. Subnetting allows you to take one network and turn it into many smaller networks. This means less network traffic on each network and faster, more efficient networks. See the section Subnetting Basics in the Sybex CCNA Study Guide, 7th edition.
If you type another IP address and press Enter, it will replace the existing IP address and mask. To add a secondary IP address, use the secondary command.
2621A(config-if)#ip address 172.16.20.2 255.255.255.0 secondary
2621A(config-if)#ctrl+z
10. You can verify that both addresses are configured on the interface with the show running-config command (show run for short).
2621A#show run
Building configuration...
Current configuration:
[output cut]
!
interface Fastethernet 0/0
 ip address 172.16.20.2 255.255.255.0 secondary
 ip address 172.16.10.2 255.255.255.0
Serial Interface To configure a serial interface, there are a couple of specifics that need to be discussed. Typically, when in production, the interface will be attached to a CSU/DSU type of device that provides clocking for the line. However, if you have a back-to-back configuration used in a lab environment, for example, one end must provide clocking. This would be the DCE end of the cable. Cisco routers, by default, are all DTE devices, and you must tell an interface to provide clocking if it is to act as a DCE device. If you don’t completely understand this right now, don’t worry, you will. Just run through the commands below for now and I promise it will become clear to you later.
Serial Interface: A connection between two devices where data is sent between the two one bit at a time. Transmission occurs in only one direction at a time.
11. You can configure a DCE serial interface with the clock rate command. Configure an interface that has a DCE connection.
2621A#config t
Enter configuration commands, one per line. End with CTRL/Z.
2621A(config)#int s0/0
2621A(config-if)#clock rate ?
  Speed (bits per second)
    1200
    2400
    4800
    9600
    19200
    38400
    56000
    64000
    72000
    125000
    148000
    250000
    500000
    800000
    1000000
    1300000
    2000000
    4000000
  <300-4000000>  Choose clockrate from list above
2621A(config-if)#clock rate 64000
It does not hurt anything to try to put a clock rate on an interface. Notice that the clock rate command is in bits per second. If you are not on an interface that is set to DCE, then you will receive an error when trying this command.
Finding DCE: DCE (data communications equipment) is the side of the connection that provides the clocking. Unless it is a 2811 router, you would enter the clock rate on the DCE side of a connection between routers. If you cannot remember which side of your connection is DCE, you can use the show controllers command. Here is an example:
2811#show controllers s0/1/1
Interface Serial0/1/1
Hardware is GT96K
DCE V.35, clock rate 2000000   <------------ The DCE connection is associated with s0/1/1 and a clock rate of 2000000
idb at 0x454E69C8, driver data structure at 0x454EE0EC
wic_info 0x454EE6E8
Physical Port 0, SCC Num 0
[output cut]
12. The next command you need to understand is the bandwidth command. Every Cisco router ships with a default serial link bandwidth of a T1, or 1.544Mbps. However, understand that this has nothing to do with how data is transferred over a link. The bandwidth of a serial link is used by routing protocols such as IGRP, EIGRP, and OSPF to calculate the best cost to a remote network. If you are using RIP routing, then the bandwidth setting of a serial link is irrelevant.
2621A(config-if)#bandwidth ?
  <1-10000000>  Bandwidth in kilobits
2621A(config-if)#bandwidth 64
Notice that unlike the clock rate command, the bandwidth command is configured in kilobits.
Setting An Interface Description
13. Set the description of the serial 0/0 interface to WAN to Miami with a circuit number of 6fdda4321.
2621A(config-if)#int s0/0
2621A(config-if)#desc Wan to Miami circuit:6fdda4321
14. You can view the description of an interface either with the show running-config command or the show interface command.
2621A#show run
[output cut]
!
interface Serial0/0
 description Wan to Miami circuit:6fdda4321
 no ip address
 no ip directed-broadcast
 shutdown
 clockrate 64000
!
[output cut]
2621A#show int s0/0
Serial0/0 is administratively down, line protocol is down
  Hardware is PowerQUICC Serial
  Description: Wan to Miami circuit:6fdda4321
  MTU 1500 bytes, BW 1544 Kbit, DLY 20000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation HDLC, loopback not set
[output cut]
2621A#
Individual Lab: Configuring Hosts
We will now configure all the hosts in the network and then verify the configurations. We will start with Host A.
When you have finished with this lab ...
You can check your work by clicking the Grade Me button in the upper right hand corner of the Network Visualizer screen. Enter all commands in lower case. The program’s grading feature expects lower case and may count an answer wrong if it is in upper case.
You will see a report that will display:
• The name of the command entered for this lab.
• The expected configuration.
• Your configuration.
• The result for each command. You will see a green checkmark (meaning that you got it correct) or a red X.
• A score of the number of correct answers out of the total possible.
Lab Steps
Copy and Paste Script: Steps 1-3 are necessary in order to perform this lab. If you do not want to manually complete these steps and want to accelerate steps 1-3, you can copy and paste the following script into the console for each router. After you get into User mode, copy and paste the script into the console. Click on the console and click your right mouse button. A pop-up menu will appear. Click Paste.
After pasting the script into the console, you will see the prompt Destination filename [startup-config]?. At this point, press enter.
Network Layout On the Network Visualizer screen, click on the Labs menu then choose Individual, Cisco IOS, and Configuring Hosts.
2621 Router A
enable
config t
hostname 2621A
line vty 0 4
password todd
login
interface serial 0/0
ip address 172.16.20.2 255.255.255.0
description connection to 2811A
no shutdown
exit
exit
copy run start

2811 Router A
enable
config t
hostname 2811A
line vty 0 1180
password todd
login
interface fastethernet 0/0
ip address 172.16.10.1 255.255.255.0
description connection to LAN 10
no shutdown
interface serial 0/1/1
ip address 172.16.20.1 255.255.255.0
description connection to 2621A
no shutdown
interface serial 0/0/1
ip address 172.16.30.1 255.255.255.0
description connection to 2621B
no shutdown
exit
exit
copy run start

2621 Router B
enable
config t
hostname 2621B
line vty 0 4
password todd
login
interface serial 0/0
ip address 172.16.30.2 255.255.255.0
description connection to 2811A
no shutdown
exit
exit
copy run start
1. Double-click 2621 Router A. After the console screen comes up set the
• Hostname
• Interface description
• IP addresses of each interface
Router>enable
Router#config t
Router(config)#hostname 2621A
2621A(config)#line vty 0 4
2621A(config-line)#password todd
2621A(config-line)#login
2621A(config-line)#int s0/0
2621A(config-if)#ip address 172.16.20.2 255.255.255.0
2621A(config-if)#description connection to 2811A
2621A(config-if)#no shutdown
2621A(config-if)#exit
2. Double-click 2811 Router A. After the console screen comes up set the
• Hostname
• Interface description
• IP addresses of each interface
Router>enable
Router#config t
Router(config)#hostname 2811A
2811A(config)#line vty 0 1180
2811A(config-line)#password todd
2811A(config-line)#login
2811A(config-line)#int fa0/0
2811A(config-if)#ip address 172.16.10.1 255.255.255.0
2811A(config-if)#description connection to LAN 10
2811A(config-if)#no shutdown
2811A(config-if)#int s0/1/1
2811A(config-if)#ip address 172.16.20.1 255.255.255.0
2811A(config-if)#description connection to 2621A
2811A(config-if)#no shutdown
2811A(config-if)#int s0/0/1
2811A(config-if)#ip address 172.16.30.1 255.255.255.0
2811A(config-if)#description connection to 2621B
2811A(config-if)#no shutdown
2811A(config-if)#exit
Clock Rate You do not have to set a clock rate if the DCE side of your connection is a 2811 router. The clock rate for the serial interface is set by default to 2000000. However, on the 2621 router you still need to explicitly set the clock rate. In our lab the DCE side of the connection is interface serial 0/1/1 and serial 0/0/1.
3. Double-click 2621 Router B. After the console screen comes up set the
• Hostname
• Interface description
• IP addresses of each interface
Router>enable
Router#config t
Router(config)#hostname 2621B
2621B(config)#line vty 0 4
2621B(config-line)#password todd
2621B(config-line)#login
2621B(config-line)#int s0/0
2621B(config-if)#ip address 172.16.30.2 255.255.255.0
2621B(config-if)#description connection to 2811A
2621B(config-if)#no shutdown
2621B(config-if)#exit
4. We need to add a routing protocol such as RIP. Add RIP for each router with a network of 172.16.0.0.
2621A(config)#router rip
2621A(config-router)#network 172.16.0.0
2621A(config-router)#ctrl+z
2621A#copy run start
Destination filename [startup-config]? [enter]
Building configuration...
[OK]
2621A#
2621B#config t
2621B(config)#router rip
2621B(config-router)#network 172.16.0.0
2621B(config-router)#ctrl+z
2621B#copy run start
Destination filename [startup-config]? [enter]
Building configuration...
[OK]
2621B#
2811A#config t
2811A(config)#router rip
2811A(config-router)#network 172.16.0.0
2811A(config-router)#ctrl+z
2811A#copy run start
Destination filename [startup-config]? [enter]
Building configuration...
[OK]
2811A#
5. Right-click on Host A.
6. Click on the Configs button.
7. On Host A configure:
• IP Address
• Subnet Mask
• Default Gateway
IP address: A unique identification number for a device that is located on a network. An IP address is equivalent to the address of your home. The format of an IP address is a 32-bit numeric address written as four numbers separated by periods. Each number can be zero to 255. For example, 172.16.10.6 could be an IP address.
Subnet mask: When you split up an IP network, the subnet mask is used to determine which section, or subnet, the IP address of a networked device belongs to. An IP address has two parts, the network address and the host address. Let’s examine IP address 172.16.10.6. Assuming this is part of a Class B network, the first two numbers (172.16) represent the Class B network address, and the second two numbers (10.6) identify a particular host on this network.
Default gateway: An IP address configured on a networked device that allows that device to communicate outside of its own subnet. A default gateway is usually a layer 3 device like a router. When a network device wants to get to the Internet, it uses a default gateway. A default gateway IP address is equivalent to the on-ramp of a highway.
IP Address: 172.16.10.5 Subnet Mask: 255.255.255.0 Default Gateway: 172.16.10.1
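The subnet mask and default gateway definitions above are what a host uses to decide whether a destination is local or has to go through the router. The following Python example is added here and is not part of the lab manual or the Network Visualizer software; it uses only the standard ipaddress module, takes the lab's Host A values plus a constructed misconfigured host, and shows how to split an address into its network and host parts, check that a configured default gateway actually lies on the host's own subnet, and decide whether a destination is reached directly or via the gateway.

```python
import ipaddress

# Constructed sample host settings. "Host A" uses the lab's own values;
# "Bad host" is a made-up misconfiguration whose gateway is on another subnet.
HOSTS = {
    "Host A": ("172.16.10.5", "255.255.255.0", "172.16.10.1"),
    "Bad host": ("172.16.10.9", "255.255.255.0", "172.16.40.1"),
}


def host_interface(ip, mask):
    """Combine address and dotted mask; the result knows its own subnet."""
    return ipaddress.IPv4Interface(f"{ip}/{mask}")


def split_address(ip, mask):
    """Return (network part, host part) as dotted strings, e.g. 172.16.10.6 with
    a 255.255.0.0 mask is network 172.16.0.0 and host 0.0.10.6."""
    iface = host_interface(ip, mask)
    host_bits = int(iface.ip) & int(iface.hostmask)
    return str(iface.network.network_address), str(ipaddress.IPv4Address(host_bits))


def check_gateway(ip, mask, gateway):
    """A default gateway is only usable when it lies inside the host's subnet
    and is neither the host itself nor the network/broadcast address."""
    iface = host_interface(ip, mask)
    gw = ipaddress.IPv4Address(gateway)
    if gw == iface.ip:
        return False, "gateway equals the host address"
    if gw not in iface.network:
        return False, f"gateway {gw} is outside {iface.network}"
    if gw in (iface.network.network_address, iface.network.broadcast_address):
        return False, "gateway is the network or broadcast address"
    return True, f"gateway {gw} is inside {iface.network}"


def next_hop(ip, mask, gateway, destination):
    """Where the host sends a packet: 'direct' for a destination on its own
    subnet, otherwise the default gateway address."""
    iface = host_interface(ip, mask)
    if ipaddress.IPv4Address(destination) in iface.network:
        return "direct"
    return gateway


def audit_hosts(hosts=HOSTS):
    """Map each host name to whether its default gateway passes check_gateway."""
    return {name: check_gateway(*cfg)[0] for name, cfg in hosts.items()}


if __name__ == "__main__":
    for name, (ip, mask, gw) in HOSTS.items():
        print(name, split_address(ip, mask), check_gateway(ip, mask, gw))
    print(next_hop("172.16.10.5", "255.255.255.0", "172.16.10.1", "172.16.40.3"))
```

Run with Host A's values, next_hop reports a destination in 172.16.10.0/24 as direct and anything else, such as Host E at 172.16.40.3, as going to 172.16.10.1, which is exactly the decision the mask and gateway fields encode.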
8. Right-click on Host B.
9. Click on the Configs button.
10. On Host B configure:
• IP Address
• Subnet Mask
• Default Gateway
IP Address: 172.16.10.6 Subnet Mask: 255.255.255.0 Default Gateway: 172.16.10.1
11. Click the OK button and then the Close button.
12. On Host C configure:
• IP Address
• Subnet Mask
• Default Gateway
IP Address: 172.16.10.7 Subnet Mask: 255.255.255.0 Default Gateway: 172.16.10.1
13. Click the OK button and then the Close button.
14. On Host D configure:
• IP Address
• Subnet Mask
• Default Gateway
IP Address: 172.16.10.8 Subnet Mask: 255.255.255.0 Default Gateway: 172.16.10.1
15. Click the OK button and then the Close button.
16. On Host E configure:
• IP Address
• Subnet Mask
• Default Gateway
IP Address: 172.16.40.3 Subnet Mask: 255.255.255.0 Default Gateway: 172.16.40.1
17. Click the OK button and then the Close button.
18. On Host F configure:
• IP Address
• Subnet Mask
• Default Gateway
IP Address: 172.16.50.3 Subnet Mask: 255.255.255.0 Default Gateway: 172.16.50.1
19. Click the OK button and then the Close button.
20. From each host, ping all other hosts. Here is an example where we ping all other hosts from Host D.
21. Double-click Host D on the network.
C:\>ping 172.16.10.5
C:\>ping 172.16.10.6
C:\>ping 172.16.10.7
C:\>ping 172.16.40.3 (this should fail)
C:\>ping 172.16.50.3 (this should fail)
ICND2
RIP - IPv6
Lab 1.1: Configuring RIP Routing
Configuring the routers with static and default routing is interesting to say the least. However, it is not very often that you would use just static and default routing in a network these days. This lab will configure Routing Information Protocol (RIP), one of the first dynamic routing protocols created. It is easy and works pretty well in small to medium size networks.
Dynamic Routing The process of routers in an Intranet or Internet advertising route information automatically between each other. There is typically a common dynamic routing protocol configured on each router. RIP Version 1 and 2, OSPF, EIGRP, and BGP are some examples of dynamic routing protocols. When all routers have received routing updates and have updated routing tables, the network is said to have converged. Convergence means that all routers in the internetwork have the same routing information. At this point, a routed protocol, IP for example, can send user data throughout the internetwork.
Network Layout Load Standard Layout.rsm (or whatever you have named it in ICND1 labs) before going through the following lab.
1. On the Network Visualizer screen, click on the File menu and then click Open.
2. When the dialog box appears, make sure you are in the Networks folder.
3. Click on the file Standard Layout.rsm and click Open.
Lab Steps
To configure RIP routing, you first have to remove the static and default routes configured on the routers. This assumes that you completed ICND1 Lab 2.9. Skip to lab step 4 if you did not work with ICND1 Lab 2.9. If you do not remove the static and default routes, you will have connectivity throughout the network and will not know whether you have correctly set up RIP. Removing the static and default routes will help you clearly determine when and if you have set up RIP throughout the network. Then use the router rip command to configure RIP. Then tell the routers which networks are advertised with RIP.
1. From 2621 Router A, delete the default route and then verify the routing table with the show ip route command. Only the directly connected networks should be in the routing table.
2621A#config t
2621A(config)#no ip route 0.0.0.0 0.0.0.0 172.16.20.1
2621A(config)#exit
2621A#show ip route
[output cut]
Gateway of last resort is not set
     172.16.0.0/24 is subnetted, 2 subnets
C       172.16.40.0 is directly connected, FastEthernet0/0
C       172.16.20.0 is directly connected, Serial0/0
2. From the 2621 Router B, delete the default route and then verify the routing table with the show ip route command. Only the directly connected networks should be in the routing table.
2621B#config t
2621B(config)#no ip route 0.0.0.0 0.0.0.0 172.16.30.1
2621B(config)#exit
2621B#show ip route
[output cut]
Gateway of last resort is not set
     172.16.0.0/24 is subnetted, 2 subnets
C       172.16.30.0 is directly connected, Serial0/0
C       172.16.50.0 is directly connected, FastEthernet0/0
3. From 2811 Router A, delete the static routes and then verify the routing table with the show ip route command. Only the directly connected networks should be in the routing table.
2811A#config t
2811A(config)#no ip route 172.16.40.0 255.255.255.0 172.16.20.2
2811A(config)#no ip route 172.16.50.0 255.255.255.0 172.16.30.2
2811A(config)#do show ip route
[output cut]
Gateway of last resort is not set
     172.16.0.0/24 is subnetted, 3 subnets
C       172.16.30.0 is directly connected, Serial0/0/1
C       172.16.20.0 is directly connected, Serial0/1/1
C       172.16.10.0 is directly connected, FastEthernet0/0
Deleting the static and default routes was the hardest part of configuring RIP routing! Now, configure each router with RIP.
4. From 2621 Router A, configure RIP routing and tell RIP the network you want to advertise.
Router rip command: Turns on RIP routing.
Network command: Should be entered for each of the networks that the router is connected to and that is part of the RIP network. In our network we have only one network, network 172.16.0.0.
RIP
• Stands for Routing Information Protocol.
• Sends routing-update messages at regular intervals (usually every 30 seconds) and when the network topology changes.
• Uses a single metric called a hop, which measures the distance between the source and destination.
• Is limited to a maximum hop count of 15. This means a network cannot be more than 15 hops from the source to the destination; otherwise the destination is deemed unreachable.
• Has a routing update timer that is used so that on a periodic basis (usually every 30 seconds) it creates an update for each known route.
• Does not support VLSM.
2621A#config t
2621A(config)#router rip
2621A(config-router)#network 172.16.0.0
2621A(config-router)#ctrl+z
That’s all there is to it! Dynamic routing is easy on small networks. The important thing to notice here is that the network address is a classful address, which means you use the classful boundary.
Classful Routing Routing protocols (i.e., RIPv1 and IGRP) where subnet masks (routing masks) are not sent in the periodic routing updates. For example, we use the 172.16.0.0 class B network address and subnet that network with 24 bits of subnetting. This means the third octet is used for subnets and the fourth octet is the host addresses for each subnet. RIP is a classful routing protocol, which means that you do not type in any subnet addresses, only the class B address. When using a classful network protocol like RIP, make sure that all networked devices have the same subnet mask.
5. From 2621 Router B, configure RIP routing and tell RIP the network you want to advertise.
2621B#config t
2621B(config)#router rip
2621B(config-router)#network 172.16.0.0
2621B(config-router)#ctrl+z
6. From 2811 Router A, configure RIP routing and tell RIP the network you want to advertise.
2811A#config t
2811A(config)#router rip
2811A(config-router)#network 172.16.0.0
2811A(config-router)#ctrl+z
Save Your File: Make sure you save the network layout file that you have been working on.
Lab 1.2: Verifying RIP Routing
Configuring RIP is pretty easy, especially in small networks. It is important to be able to verify RIP on Cisco® routers. This lab will provide you with the commands to verify RIP.
Network Layout Load the network layout you have been working with in Lab 1.1.
Lab Steps
1. From 2621 Router A, use the show ip route command to verify the routing table.
2621A#show ip route
     172.16.0.0/24 is subnetted, 5 subnets
R       172.16.30.0 [120/1] via 172.16.20.1, 00:00:13, Serial0/0
C       172.16.40.0 is directly connected, FastEthernet0/0
C       172.16.20.0 is directly connected, Serial0/0
R       172.16.10.0 [120/1] via 172.16.20.1, 00:00:13, Serial0/0
R       172.16.50.0 [120/1] via 172.16.20.1, 00:00:13, Serial0/0
Notice the R, which means it is a route found by RIP. The C is a directly connected network. You should see two directly connected routes and three RIP routes.
2. From 2621 Router B, use the show ip route command to verify the routing table.
2621B#show ip route
     172.16.0.0/24 is subnetted, 5 subnets
C       172.16.30.0 is directly connected, Serial0/0
R       172.16.40.0 [120/2] via 172.16.30.1, 00:00:21, Serial0/0
C       172.16.50.0 is directly connected, FastEthernet0/0
R       172.16.20.0 [120/1] via 172.16.30.1, 00:00:21, Serial0/0
R       172.16.10.0 [120/1] via 172.16.30.1, 00:00:21, Serial0/0
3. From the 2811 Router A, use the show ip route command to verify the routing table.
2811A#show ip route
     172.16.0.0/24 is subnetted, 5 subnets
C       172.16.30.0 is directly connected, Serial0/0/1
R       172.16.40.0 [120/1] via 172.16.20.2, 00:00:27, Serial0/1/1
R       172.16.50.0 [120/1] via 172.16.30.2, 00:00:27, Serial0/0/1
C       172.16.20.0 is directly connected, Serial0/1/1
C       172.16.10.0 is directly connected, FastEthernet0/0
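To check a routing table like the three shown above without reading it by eye, the following Python example parses show ip route output and verifies the counts the text expects (two connected routes, three RIP routes) and that every RIP route carries the default distance of 120 and a usable hop count. It is added here and is not code from the lab manual or the simulator; the sample output is a constructed copy of the 2621 Router A table in step 1, and the regular expression covers only the route line formats that appear on this page.

```python
import re

# Constructed sample matching the 2621 Router A table shown in step 1 above.
SAMPLE = """\
2621A#show ip route
     172.16.0.0/24 is subnetted, 5 subnets
R       172.16.30.0 [120/1] via 172.16.20.1, 00:00:13, Serial0/0
C       172.16.40.0 is directly connected, FastEthernet0/0
C       172.16.20.0 is directly connected, Serial0/0
R       172.16.10.0 [120/1] via 172.16.20.1, 00:00:13, Serial0/0
R       172.16.50.0 [120/1] via 172.16.20.1, 00:00:13, Serial0/0
"""

# One route line: code, prefix, optional "[AD/metric] via next-hop, age",
# then the outgoing interface as the last comma-separated field.
ROUTE_RE = re.compile(
    r"^(?P<code>[A-Z]\*?)\s+(?P<prefix>\d+\.\d+\.\d+\.\d+(?:/\d+)?)"
    r"(?:\s+\[(?P<ad>\d+)/(?P<metric>\d+)\]\s+via\s+"
    r"(?P<via>\d+\.\d+\.\d+\.\d+),\s+(?P<age>[\d:]+))?"
    r".*?,\s+(?P<iface>\S+)$"
)


def parse_routes(text):
    """Turn show ip route output into a list of dicts; lines that are not
    route entries (prompt, subnet summary) are skipped."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        routes.append({
            "code": d["code"],
            "prefix": d["prefix"],
            # connected routes print no [AD/metric]; treat them as 0/0
            "ad": int(d["ad"]) if d["ad"] else 0,
            "metric": int(d["metric"]) if d["metric"] else 0,
            "via": d["via"],
            "iface": d["iface"],
        })
    return routes


def count_by_code(routes):
    """How many entries each route code (C, R, S, ...) contributed."""
    counts = {}
    for r in routes:
        counts[r["code"]] = counts.get(r["code"], 0) + 1
    return counts


def check_rip_table(routes, expected_connected, expected_rip):
    """Return a list of discrepancies; an empty list means the table looks right."""
    problems = []
    counts = count_by_code(routes)
    if counts.get("C", 0) != expected_connected:
        problems.append(f"expected {expected_connected} connected routes, saw {counts.get('C', 0)}")
    if counts.get("R", 0) != expected_rip:
        problems.append(f"expected {expected_rip} RIP routes, saw {counts.get('R', 0)}")
    for r in routes:
        if r["code"] == "R" and r["ad"] != 120:
            problems.append(f"{r['prefix']}: RIP route with non-default distance {r['ad']}")
        if r["code"] == "R" and r["metric"] > 15:
            problems.append(f"{r['prefix']}: hop count {r['metric']} is unreachable")
    return problems


if __name__ == "__main__":
    parsed = parse_routes(SAMPLE)
    print(count_by_code(parsed))
    print(check_rip_table(parsed, expected_connected=2, expected_rip=3))
```

The same parser can be pointed at the 2621 Router B and 2811 Router A outputs in steps 2 and 3; only the expected counts change.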
4. From 2621 Router B, use the debug ip rip command to see RIP updates being sent and received on the router.
2621B#debug ip rip
RIP protocol debugging is on
2621B#
then after a few seconds ....
*Oct 13 17:19:25.906: RIP: received v1 update from 172.16.30.1 on Serial0/0
*Oct 13 17:19:25.906:      172.16.40.0 in 2 hops
*Oct 13 17:19:25.906:      172.16.20.0 in 2 hops
*Oct 13 17:19:25.906: RIP: received v1 update from 172.16.30.1 on Serial0/0
*Oct 13 17:19:25.906:      172.16.40.0 in 3 hops
*Oct 13 17:19:25.906:      172.16.20.0 in 3 hops
*Oct 13 17:19:25.906: RIP: received v1 update from 172.16.30.1 on Serial0/0
*Oct 13 17:19:25.906:      172.16.40.0 in 4 hops
*Oct 13 17:19:25.906:      172.16.20.0 in 4 hops
*Oct 13 17:19:25.906: RIP: received v1 update from 172.16.30.1 on Serial0/0
*Oct 13 17:19:25.906:      172.16.40.0 in 5 hops
[output cut]
5. To turn off debugging, use the no debug ip rip command, or the undebug all command.
2621B#undebug all
6. To see detailed information about currently configured protocols on a router, use the show ip protocols command.
2621B#show ip protocols
Routing Protocol is "rip"
  Sending updates every 30 seconds, next due in 27 seconds
  Invalid after 180 seconds, hold down 180, flushed after 240
  Outgoing update filter list for all interfaces is not set
  Incoming update filter list for all interfaces is not set
  Redistributing: rip
  Default version control: send version 1, receive any version
    Interface             Send  Recv  Triggered RIP  Key-chain
    Serial0/0             1     1 2
    FastEthernet0/0       1     1 2
  Automatic network summarization is in effect
  Maximum path: 4
  Routing for networks:
    172.16.0.0
  Routing information sources:
    Gateway         Distance      Last Update
    172.16.30.1          120      00:00:03
  Distance:
2621B#
Notice the timers. RIP is sent out every 30 seconds by default. The administrative distance for RIP is 120 by default.
7. Another really good command is the show protocols command, which shows you the routed protocol configuration of each interface.
2621B#show protocols
Global values:
  Internet protocol routing is enabled
Serial0/1 is administratively down, line protocol is down
Serial0/0 is up, line protocol is up
  Internet address is 172.16.30.2/24
FastEthernet0/1 is administratively down, line protocol is down
FastEthernet0/0 is up, line protocol is up
  Internet address is 172.16.50.1/24
Administrative Distance: A measure of the trustworthiness of the source of the routing information. It is reported as a number between 0 and 255. The smaller the number, the more reliable the protocol. If you have, for example, the two protocols IGRP and RIP configured on a router, the IGRP routes will be preferred over the RIP routes. This is because RIP has an administrative distance of 120 and IGRP has an administrative distance of 100.

Source                                                             Default Distance Value
Connected interface                                                0
Static route                                                       1
Enhanced Interior Gateway Routing Protocol (EIGRP) summary route   5
External Border Gateway Protocol (BGP)                             20
Internal EIGRP                                                     90
IGRP                                                               100
OSPF                                                               110
Intermediate System-to-Intermediate System (IS-IS)                 115
Routing Information Protocol (RIP)                                 120
Exterior Gateway Protocol (EGP)                                    140
On Demand Routing (ODR)                                            160
External EIGRP                                                     170
Internal BGP                                                       200
Unknown                                                            255
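To show how the administrative distances in the table and RIP's 15-hop limit (from the RIP sidebar in Lab 1.1) together decide which route gets installed, the following Python example is added here; it is not code from the lab manual or the simulator. The distance values are the defaults from the table above. The candidate routes, including the IGRP composite metric 8976 and the 16-hop RIP route, are constructed values for illustration only.

```python
from dataclasses import dataclass

# Cisco default administrative distances, as listed in the table above.
ADMIN_DISTANCE = {
    "connected": 0, "static": 1, "eigrp-summary": 5, "ebgp": 20, "eigrp": 90,
    "igrp": 100, "ospf": 110, "isis": 115, "rip": 120, "egp": 140, "odr": 160,
    "eigrp-external": 170, "ibgp": 200, "unknown": 255,
}
RIP_INFINITY = 16  # 15 hops is the maximum; a 16-hop route means unreachable


@dataclass(frozen=True)
class Candidate:
    """One route offered for a prefix by some routing source."""
    prefix: str
    source: str      # key into ADMIN_DISTANCE
    metric: int      # hop count for RIP, composite metric for IGRP, and so on
    next_hop: str


def is_reachable(route):
    """RIP advertises an unreachable destination as 16 hops; never install it."""
    return route.source != "rip" or route.metric < RIP_INFINITY


def best_route(candidates):
    """Route selection for one prefix: the lowest administrative distance wins,
    and among routes from the same source the lowest metric wins."""
    usable = [c for c in candidates if is_reachable(c)]
    if not usable:
        return None
    return min(usable, key=lambda c: (ADMIN_DISTANCE.get(c.source, 255), c.metric))


def select_all(candidates):
    """Build the routing table: group candidates by prefix and keep the best of each."""
    by_prefix = {}
    for c in candidates:
        by_prefix.setdefault(c.prefix, []).append(c)
    table = {p: best_route(cs) for p, cs in by_prefix.items()}
    return {p: r for p, r in table.items() if r is not None}


def route_entry(route):
    """The [AD/metric] pair as show ip route prints it, e.g. [120/1]."""
    return f"[{ADMIN_DISTANCE[route.source]}/{route.metric}]"


# Constructed sample: RIP and IGRP both offer 172.16.40.0, RIP offers
# 172.16.50.0 twice, and a poisoned 16-hop RIP route exists for 172.16.60.0.
SAMPLE = [
    Candidate("172.16.40.0/24", "rip", 1, "172.16.30.1"),
    Candidate("172.16.40.0/24", "igrp", 8976, "172.16.30.1"),
    Candidate("172.16.50.0/24", "rip", 3, "172.16.30.1"),
    Candidate("172.16.50.0/24", "rip", 1, "172.16.20.1"),
    Candidate("172.16.60.0/24", "rip", 16, "172.16.30.1"),
]

if __name__ == "__main__":
    for prefix, route in select_all(SAMPLE).items():
        print(prefix, route.source, route_entry(route), "via", route.next_hop)
```

The IGRP route wins 172.16.40.0/24 even though its metric is a much larger number, because distance is compared before metric and metrics are only comparable within one protocol; the 16-hop route is dropped rather than installed.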
8. From 2811 Router A, use the show protocols command.
2811A#show protocols
Global values:
  Internet protocol routing is enabled
Serial0/0/0 is administratively down, line protocol is down
Serial0/0/1 is up, line protocol is up
  Internet address is 172.16.30.1/24
Serial0/1/0 is administratively down, line protocol is down
Serial0/1/1 is up, line protocol is up
  Internet address is 172.16.20.1/24
FastEthernet0/0 is up, line protocol is up
  Internet address is 172.16.10.1/24
Lab 1.3: Configuring IPv6 Static Routing
Internet Protocol Version 6 (IPv6) is the new addressing scheme that will eventually replace all IPv4 addresses. The IPv4 address scheme is no longer adequate to meet the needs of the growing Internet and growing intranets. IPv6 was also designed to improve routing performance and network scalability. IPv6 addresses are 128 bits in length.
Hexadecimal Groups: IPv6 addresses are divided into eight 16-bit hexadecimal groups. For example, 2001:0000:0000:0008:0000:0000:0000:0012 can be divided into ...
Group:  1      2      3      4      5      6      7      8
Value:  2001:  0000:  0000:  0008:  0000:  0000:  0000:  0012
The IPv6 address above can also be shortened to 2001:0:0:8:0:0:0:12 or 2001::8:0:0:0:12
Address Types: There are three IPv6 address types:
• Unicast
• Anycast
• Multicast
Unicast Types: There are four unicast address types:
• Link local
• Unique local
• Global
• Special
IPv6 Bits: An IPv6 address can be divided into ...
48 bits            16 bits   64 bits
2001:0000:0000:    0008:     0000:0000:0000:0012
Global Prefix      Subnet    Interface ID
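The following Python example is added here to make the group and field splits above concrete; it is not code from the lab manual or the simulator and relies only on the standard ipaddress module. Besides splitting the lab's example address into its eight groups and into the 48/16/64-bit fields, it checks that all three spellings of the address given above denote the same 128-bit value, rejects a malformed spelling with two "::", and shows the RFC 5952 canonical text form, which collapses the longest run of zero groups rather than the first one, so it differs from the manual's second shortening while still being the same address. It also derives the "subnet is" value that show ipv6 interface reports for an address such as 2001::10:1/112 in Lab 1.4.

```python
import ipaddress

# The lab's example address, written out in full (all eight 16-bit groups).
FULL = "2001:0000:0000:0008:0000:0000:0000:0012"


def is_valid(address):
    """True if the text is a syntactically valid IPv6 address (at most one '::')."""
    try:
        ipaddress.IPv6Address(address)
        return True
    except ValueError:
        return False


def hextets(address):
    """The eight 16-bit groups, zero-padded, as a list of strings."""
    return ipaddress.IPv6Address(address).exploded.split(":")


def same_address(*forms):
    """True if every textual form denotes the same 128-bit value."""
    return len({int(ipaddress.IPv6Address(f)) for f in forms}) == 1


def canonical(address):
    """RFC 5952 text form: leading zeros dropped and the longest run of
    all-zero groups (not merely the first run) collapsed to '::'."""
    return ipaddress.IPv6Address(address).compressed


def split_fields(address):
    """Split into the 48-bit global prefix, 16-bit subnet and 64-bit interface ID
    of the diagram above (groups 1-3, group 4, groups 5-8)."""
    h = hextets(address)
    return ":".join(h[:3]), h[3], ":".join(h[4:])


def subnet_of(address_with_prefix):
    """The subnet an interface address belongs to, e.g. 2001::10:1/112 -> 2001::10:0/112."""
    return str(ipaddress.IPv6Interface(address_with_prefix).network)


if __name__ == "__main__":
    print(hextets(FULL))
    print(same_address(FULL, "2001:0:0:8:0:0:0:12", "2001::8:0:0:0:12"))
    print(canonical(FULL), split_fields(FULL), subnet_of("2001::10:1/112"))
```

Note that a "::" may appear only once in an address, which is why the two-run address above cannot be written as 2001::8::12: the parser would not know how many zero groups each "::" stands for.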
This lab will have you create an IPv6 network. In this network you will use IPv6 to create both default and static routing. The network used in this lab has IPv4 addresses already configured on each router interface. Having both IPv4 and IPv6 addresses on an interface is called dual stacking.
Network Layout Load IPv6 Layout.rsm before going through the following lab.
1. On the Network Visualizer screen, click on the File menu and then click Open.
2. When the dialog box appears, make sure you are in the Networks folder.
3. Click on the file IPv6 Layout.rsm and click Open. You should see the following non-configured network:
Lab Steps
1. Enable IPv6 routing and Cisco Express Forwarding (CEF) on each router.
2811A#config t
2811A(config)#ipv6 unicast-routing
2811A(config)#ipv6 cef
2811B#config t
2811B(config)#ipv6 unicast-routing
2811B(config)#ipv6 cef
2811C#config t
2811C(config)#ipv6 unicast-routing
2811C(config)#ipv6 cef
2. Configure IPv6 addresses on 2811 Router A.
2811A(config)#int fa0/0
2811A(config-if)#ipv6 address 2001::10:1/112
2811A(config-if)#int s0/0/0
2811A(config-if)#ipv6 address 2001::20:1/112
2811A(config-if)#int s0/1/0
2811A(config-if)#ipv6 address 2001::30:1/112
2811A(config-if)#exit
3. Configure IPv6 addresses on 2811 Router B.
2811B(config)#interface fastethernet 0/0
2811B(config-if)#ipv6 address 2001::40:1/112
2811B(config-if)#int s0/1/0
2811B(config-if)#ipv6 address 2001::30:2/112
2811B(config-if)#exit
4. Configure IPv6 addresses on 2811 Router C.
2811C(config)#int fa0/0
2811C(config-if)#ipv6 address 2001::50:1/112
2811C(config-if)#int s0/0/0
2811C(config-if)#ipv6 address 2001::20:2/112
2811C(config-if)#exit
5. Configure two IPv6 static routes on 2811 Router A.
2811A(config)#ipv6 route 2001::40:0/112 2001::30:2
2811A(config)#ipv6 route 2001::50:0/112 2001::20:2
2811A(config)#exit
2811A#copy run start
The static routes will allow 2811 Router A to communicate with the rest of the network.
6. Configure an IPv6 default route on 2811 Router B.
2811B(config)#ipv6 route ::/0 2001::30:1
2811B(config)#exit
2811B#copy run start
This default route will allow 2811 Router B to communicate with the rest of the network. 2811 Router B will use 2811 Router A as a gateway of last resort.
7. Configure an IPv6 default route on 2811 Router C.
2811C(config)#ipv6 route ::/0 2001::20:1
2811C(config)#exit
2811C#copy run start
This default route will allow 2811 Router C to communicate with the rest of the network. 2811 Router C will use 2811 Router A as a gateway of last resort.
Rename and Save Your File: Make sure you save the actual network layout file that you have been working with. You might want to save it under a different file name than IPv6 Layout.rsm. This allows you to start over with a non-configured network if you wish.
1. There are two ways you can save a network layout. The first way is by clicking on the Diskette button on the button bar, at the top of the Network Visualizer screen. You can also click File on the menu and choose Save from the drop-down menu.
2. A dialog box will appear. At the bottom you will see the file name IPv6 Layout.rsm. Rename the file. For example, you could name it My IPv6 Layout.rsm.
3. Click the Save button. At this point your network layout has been saved to a new name. You then have the option of reloading IPv6 Layout.rsm, which is non-configured.
Lab 1.4: Verifying IPv6 Static Routing
Understanding how to configure routers is very important. But just as important as understanding how to configure routers is the process of verifying your configurations. This lab will provide you with the commands to verify your IPv6 static routing configurations.
Network Layout Load IPv6 Layout.rsm or whatever you named the file when you saved your work. You need a configured network in order to complete this lab.
Lab Steps
1. On 2811 Router A, issue the show running-config command to verify the IPv6 configurations.
2811A#show run
[output cut]
!
interface FastEthernet0/0
 ip address 172.16.10.1 255.255.255.0
 no ip directed-broadcast
 ipv6 address 2001::10:1/112
!
[output cut]
!
interface Serial0/0/0
 ip address 172.16.20.1 255.255.255.0
 no ip directed-broadcast
 clockrate 2000000
 ipv6 address 2001::20:1/112
!
[output cut]
!
interface Serial0/1/0
 ip address 172.16.30.1 255.255.255.0
 no ip directed-broadcast
 clockrate 2000000
 ipv6 address 2001::30:1/112
!
[output cut]
!
ipv6 route 2001::40:0/112 2001::30:2
ipv6 route 2001::50:0/112 2001::20:2
!
[output cut]
2811A#
As you can see, each interface has an IPv6 address. You can also see the IPv6 static routes that are configured.
2. On 2811 Router A, issue the show ipv6 interface command to see which router interfaces are configured for IPv6.
2811A#show ipv6 interface
FastEthernet0/0 is up, line protocol is up
  IPv6 is enabled, link-local address is FE80::21A:2FFF:FE55:D408
  Global unicast address(es):
    2001::10:1, subnet is 2001::10:0/112
  Joined group address(es):
    FF02::1
    FF02::2
    FF02::1:FF10:1
    FF02::1:FF55:D408
  MTU is 1500 bytes
  ICMP error messages limited to one every 100 milliseconds
  ICMP redirects are enabled
[output cut]
Serial0/0/0 is up, line protocol is up
  IPv6 is enabled, link-local address is FE80::21A:2FFF:FE55:D408
  Description: conn-to-2811A
  Global unicast address(es):
    2001::20:1, subnet is 2001::30:0/112
  Joined group address(es):
    FF02::1
    FF02::2
    FF02::1:FF20:1
    FF02::1:FF55:D408
  MTU is 1500 bytes
  ICMP error messages limited to one every 100 milliseconds
  ICMP redirects are enabled
[output cut]
Serial0/1/0 is up, line protocol is up
  IPv6 is enabled, link-local address is FE80::21A:2FFF:FE55:D408
  Description: conn-to-2811C
  Global unicast address(es):
    2001::30:1, subnet is 2001::20:0/112
  Joined group address(es):
    FF02::1
    FF02::2
    FF02::1:FF30:1
    FF02::1:FF55:D408
  MTU is 1500 bytes
  ICMP error messages limited to one every 100 milliseconds
  ICMP redirects are enabled
[output cut]
2811A#
3. On 2811 Router A, issue the show ipv6 interface brief command to see a summary of the router interfaces configured for IPv6.
2811A#show ipv6 interface brief
FastEthernet0/0            [up/up]
    FE80::21A:2FFF:FE55:D408
    2001::10:1
FastEthernet0/1            [administratively down/down]
Serial0/0/0                [up/up]
    FE80::21A:2FFF:FE55:D408
    2001::20:1
Serial0/0/1                [administratively down/down]
Serial0/1/0                [up/up]
    FE80::21A:2FFF:FE55:D408
    2001::30:1
Serial0/1/1                [administratively down/down]
2811A#
4. On 2811 Router A, issue the show ipv6 route command to see the IPv6 routing table.
2811A#show ipv6 route
IPv6 Routing Table - 10 entries
Codes: C - Connected, L - Local, S - Static, R - RIP, B - BGP
       U - Per-user Static route
       I1 - ISIS L1, I2 - ISIS L2, IA - ISIS interarea, IS - ISIS summary
       O - OSPF intra, OI - OSPF inter, OE1 - OSPF ext 1, OE2 - OSPF ext 2
       ON1 - OSPF NSSA ext 1, ON2 - OSPF NSSA ext 2
C   2001::10:0/112 [0/0]
     via ::, FastEthernet0/0
L   2001::10:1/128 [0/0]
     via ::, FastEthernet0/0
C   2001::20:0/112 [0/0]
     via ::, Serial0/0/0
L   2001::20:1/128 [0/0]
     via ::, Serial0/0/0
C   2001::30:0/112 [0/0]
     via ::, Serial0/1/0
L   2001::30:1/128 [0/0]
     via ::, Serial0/1/0
S   2001::40:0/112 [1/0]
     via 2001::30:2
S   2001::50:0/112 [1/0]
     via 2001::20:2
L   FE80::/10 [0/0]
     via ::, Null0
L   FF00::/8 [0/0]
     via ::, Null0
2811A#
5. From 2811 Router A, ping the IPv6 Fast Ethernet addresses of routers 2811 B and 2811 C. Pinging will verify that your default and static routing configurations are correct.

2811A#ping ipv6 2001::40:1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2001::40:1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 0/0/0 ms
2811A#
2811A#ping ipv6 2001::50:1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2001::50:1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 0/0/4 ms
2811A#
Practice Scenario: Basic Cisco Router Operations, Troubleshooting IPv6 Static Routing

Now that you have learned about some concepts and completed some hands-on work, try your problem-solving and troubleshooting skills with the following task. To complete your task you will load a specific network layout which you will use in working through the scenario. When you have finished with this lab ...
You can check your work by clicking the Grade Me button in the upper right hand corner of the Network Visualizer screen.
You will see a report that will display:

• The name of the command entered for this lab.
• The expected configuration.
• Your configuration.
• The result for each command. You will see a green check mark (meaning that you got it correct) or a red X.
• A score of the number of correct answers out of the total possible.
Turn On Hostnames

In some of the practice labs we refer to the hostname of a device. Therefore, we need to make sure that Hostnames is turned on for this lab. On the Network Visualizer screen click View and then click Hostnames so that it has a checkmark next to it.

Scenario

Your IPv6 network has been working fine up until today.

Task

You have been asked to resolve the issue.

Network Layout

On the Network Visualizer screen, click on the Labs menu, then choose Practice Scenarios, Basic Cisco Router Operations, and Troubleshooting IPv6 Static Routing.
Lab 1.5: Configuring RIP IPv6 Routing (RIPng)

In this lab you will create an IPv6 RIPng network. The network used in this lab already has IPv4 addresses configured on each router interface, so the result demonstrates dual stacking (IPv4 and IPv6 running side by side on the same interfaces). You will also be given the commands to verify your RIPng routing configurations.

Network Layout

Load IPv6 Layout.rsm, or whatever you named the file when you saved your work in Lab 1.3.
Lab Steps

1. You need to remove the IPv6 static routing configured in the previous lab. Perform this on each of the three routers.

2811A#config t
2811A(config)#no ipv6 route 2001::40:0/112 2001::30:2
2811A(config)#no ipv6 route 2001::50:0/112 2001::20:2

2811B#config t
2811B(config)#no ipv6 route ::/0 2001::30:1

2811C#config t
2811C(config)#no ipv6 route ::/0 2001::20:1

2. On 2811 Router A, enable the IPv6 RIPng routing process from global configuration mode, then enable it on each interface from interface configuration mode.

2811A(config)#ipv6 router rip myripngprocess
2811A(config-rtr)#exit
2811A(config)#int fa0/0
2811A(config-if)#ipv6 rip myripngprocess enable
2811A(config-if)#int s0/0/0
2811A(config-if)#ipv6 rip myripngprocess enable
2811A(config-if)#int s0/1/0
2811A(config-if)#ipv6 rip myripngprocess enable
2811A(config-if)#ctrl+z
2811A#copy run start
Remember that the ipv6 unicast-routing command must be configured on the router before the RIPng routing process can be enabled. The previous labs had you configure that command on all routers, so we will not repeat it here.

3. On 2811 Router B, enable the IPv6 RIPng routing process from global configuration mode, then enable it on each interface.

2811B(config)#ipv6 router rip myripngprocess
2811B(config-rtr)#exit
2811B(config)#int fa0/0
2811B(config-if)#ipv6 rip myripngprocess enable
2811B(config-if)#int s0/1/0
2811B(config-if)#ipv6 rip myripngprocess enable
2811B(config-if)#ctrl+z
2811B#copy run start
4. On 2811 Router C, enable the IPv6 RIPng routing process from global configuration mode, then enable it on each interface.

2811C(config)#ipv6 router rip myripngprocess
2811C(config-rtr)#exit
2811C(config)#int fa0/0
2811C(config-if)#ipv6 rip myripngprocess enable
2811C(config-if)#int s0/0/0
2811C(config-if)#ipv6 rip myripngprocess enable
2811C(config-if)#ctrl+z
2811C#copy run start
Lab 1.6: Verifying RIP IPv6 Routing (RIPng)

Knowing how to configure routers is important, but verifying your configurations is just as important. This lab will provide you with the commands to verify your RIPng routing configurations.

Network Layout

Load IPv6 Layout.rsm, or whatever you named the file when you saved your work in Lab 1.5.
Lab Steps

1. On 2811 Router A, issue the show running-config command (show run) to verify the IPv6 configuration.

2811A#show run
[output cut]
!
ipv6 unicast-routing
ipv6 cef
!
[output cut]
!
interface FastEthernet0/0
 ip address 172.16.10.1 255.255.255.0
 no ip directed broadcast
 ipv6 address 2001::10:1/112
 ipv6 rip myripngprocess enable
!
[output cut]
!
interface Serial0/0/0
 ip address 172.16.20.1 255.255.255.0
 no ip directed broadcast
 ipv6 address 2001::20:1/112
 clock rate 8000000
 ipv6 rip myripngprocess enable
!
interface Serial0/1/0
 ip address 172.16.30.1 255.255.255.0
 no ip directed broadcast
 ipv6 address 2001::30:1/112
 ipv6 rip myripngprocess enable
 clock rate 8000000
 no cdp enable
!
[output cut]
!
ipv6 router rip myripngprocess
[output cut]
2811A#
As you can see, RIPng is enabled on each interface, and the IPv6 RIP (RIPng) routing process is present.

2. On 2811 Router A, issue the show ipv6 route command to see the IPv6 routing table.

2811A#show ipv6 route
IPv6 Routing Table - 10 entries
Codes: C - Connected, L - Local, S - Static, R - RIP, B - BGP
       U - Per-user Static route
       I1 - ISIS L1, I2 - ISIS L2, IA - ISIS interarea, IS - ISIS summary
       O - OSPF intra, OI - OSPF inter, OE1 - OSPF ext 1, OE2 - OSPF ext 2
       ON1 - OSPF NSSA ext 1, ON2 - OSPF NSSA ext 2
C   2001::10:0/112 [0/0]
     via ::, FastEthernet0/0
L   2001::10:1/128 [0/0]
     via ::, FastEthernet0/0
C   2001::20:0/112 [0/0]
     via ::, Serial0/0/0
L   2001::20:1/128 [0/0]
     via ::, Serial0/0/0
C   2001::30:0/112 [0/0]
     via ::, Serial0/1/0
L   2001::30:1/128 [0/0]
     via ::, Serial0/1/0
R   2001::40:0/112 [120/2]
     via FE80::215:FAFF:FED7:EDA0, Serial0/1/0
R   2001::50:0/112 [120/2]
     via FE80::21A:2FFF:FE52:4808, Serial0/0/0
L   FE80::/10 [0/0]
     via ::, Null0
L   FF00::/8 [0/0]
     via ::, Null0
2811A#
3. On 2811 Router A, issue the show ipv6 protocols command to see the IPv6 routing protocols that are running on the router.

2811A#show ipv6 protocols
IPv6 Routing Protocol is "connected"
IPv6 Routing Protocol is "static"
IPv6 Routing Protocol is "rip myripngprocess"
  Interfaces:
    Serial0/0/1
    Serial0/0/0
    FastEthernet0/0
  Redistribution:
    None
2811A_aka_2811B#
4. From 2811 Router A, ping the IPv6 Fast Ethernet addresses of routers 2811 B and 2811 C. Pinging will verify that your RIPng configurations are correct.

2811A#ping ipv6 2001::40:1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2001::40:1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 0/0/0 ms
2811A#ping ipv6 2001::50:1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2001::50:1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 0/0/0 ms
2621B_aka_2811A#
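The verification in steps 2 through 4 can also be done from the captured routing table. As an added example (not code from the lab manual or from Cisco), this Python script parses IOS show ipv6 route output and flags a leftover static route, a missing RIPng route, a non-link-local next hop or a wrong exit interface; the expected-prefix map and the abridged sample table are this example's own.

```python
"""Check a RIPng routing table parsed from Cisco IOS 'show ipv6 route' output.

Added example; not from the lab manual or from Cisco IOS. The sample table is an
abridged copy of the 2811A output in step 2 of this lab; the parser, the checks
and the expected-prefix map are this example's own.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Once the 'via' continuation line is joined, one route reads like:
#   R   2001::40:0/112 [120/2] via FE80::215:FAFF:FED7:EDA0, Serial0/1/0
ROUTE_RE = re.compile(
    r"^(?P<code>[A-Z]{1,2}\d?)\s+(?P<prefix>[0-9A-Fa-f:]+/\d{1,3})\s+"
    r"\[(?P<ad>\d+)/(?P<metric>\d+)\]\s+via\s+(?P<nexthop>[^,\s]+)"
    r"(?:,\s+(?P<iface>\S+))?$"
)

@dataclass(frozen=True)
class Ipv6Route:
    code: str  # C, L, S, R, O, ...
    prefix: str
    ad: int  # administrative distance
    metric: int
    nexthop: str
    iface: Optional[str]

def _join_continuations(output: str) -> List[str]:
    """IOS prints the next hop on its own line; glue it back onto the route line."""
    lines: List[str] = []
    for raw in output.splitlines():
        line = raw.strip()
        if line.startswith("via ") and lines:
            lines[-1] = f"{lines[-1]} {line}"
        else:
            lines.append(line)
    return lines

def parse_ipv6_routes(output: str) -> List[Ipv6Route]:
    """Return every route entry; the Codes legend lines never match ROUTE_RE."""
    routes = []
    for line in _join_continuations(output):
        m = ROUTE_RE.match(line)
        if m:
            routes.append(Ipv6Route(m["code"], m["prefix"], int(m["ad"]),
                                    int(m["metric"]), m["nexthop"], m["iface"]))
    return routes

def check_ripng(routes: List[Ipv6Route], expected: Dict[str, str]) -> List[str]:
    """Return the problems found; an empty list means the verification passed.

    expected maps each remote prefix to the local exit interface it should use.
    """
    problems = []
    leftover = [r.prefix for r in routes if r.code == "S"]
    if leftover:  # the static routes from Lab 1.3 were supposed to be removed
        problems.append(f"static routes still present: {leftover}")
    by_prefix = {r.prefix: r for r in routes}
    for prefix, iface in expected.items():
        r = by_prefix.get(prefix)
        if r is None:
            problems.append(f"{prefix} missing: RIPng is not exchanging routes")
        elif r.code != "R" or r.ad != 120:
            problems.append(f"{prefix} is {r.code} [{r.ad}/{r.metric}], expected R [120/n]")
        elif not r.nexthop.upper().startswith("FE80:"):
            problems.append(f"{prefix} next hop {r.nexthop} is not link-local")
        elif r.iface != iface:
            problems.append(f"{prefix} exits {r.iface}, expected {iface}")
    return problems

# Abridged from the lab's 2811A output after RIPng was enabled on all three routers.
SAMPLE_2811A = """\
Codes: C - Connected, L - Local, S - Static, R - RIP, B - BGP
C   2001::10:0/112 [0/0]
     via ::, FastEthernet0/0
L   2001::10:1/128 [0/0]
     via ::, FastEthernet0/0
C   2001::20:0/112 [0/0]
     via ::, Serial0/0/0
L   2001::20:1/128 [0/0]
     via ::, Serial0/0/0
C   2001::30:0/112 [0/0]
     via ::, Serial0/1/0
L   2001::30:1/128 [0/0]
     via ::, Serial0/1/0
R   2001::40:0/112 [120/2]
     via FE80::215:FAFF:FED7:EDA0, Serial0/1/0
R   2001::50:0/112 [120/2]
     via FE80::21A:2FFF:FE52:4808, Serial0/0/0
"""

# Constructed 'before' table: a static route from Lab 1.3 is still present.
SAMPLE_STATIC = """\
S   2001::40:0/112 [1/0]
     via 2001::30:2
"""

EXPECTED = {"2001::40:0/112": "Serial0/1/0", "2001::50:0/112": "Serial0/0/0"}
```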
Cisco Wide Area Networks (WAN)
Lab 2: Introduction to Cisco Wide Area Network Support

The Cisco IOS WAN can support many different WAN protocols that can help you extend your LANs to other LANs at remote sites. Connecting company sites together so information can be exchanged is imperative in this economy. However, it would take a truckload of money to put in your own cable or dedicated connections to network all of your company’s remote locations. Service providers allow you to lease or share connections that the service provider already has installed, which can save money and time. Although this section does not cover every type of Cisco WAN support, it does cover HDLC, PPP, and Frame Relay. The labs covered in this section are as follows:

• 2.1: Configuring PPP Encapsulation
• 2.2: Verifying PPP Encapsulation
• 2.3: Configuring PPP Authentication with CHAP
• 2.4: Verifying PPP with Authentication
• 2.5: Understanding Frame Relay Configuration
• 2.6: Configuring Frame Relay Switching
• 2.7: Configuring Frame Relay with Subinterfaces
• 2.8: Verifying Frame Relay
The commands covered in this section are as follows:

encapsulation frame-relay
    Changes the encapsulation to frame-relay on a serial link.

encapsulation frame-relay ietf
    Sets the encapsulation type to the Internet Engineering Task Force (IETF) variant. Used to connect Cisco routers to off-brand routers.

encapsulation hdlc
    Restores the default encapsulation of HDLC on a serial link.

encapsulation ppp
    Changes the encapsulation on a serial link to PPP.

frame-relay interface-dlci
    Configures the PVC address (DLCI) on a serial interface or subinterface.

frame-relay lmi-type
    Configures the LMI type on a serial link.

interface s0.16 point-to-point
    Creates a point-to-point subinterface on a serial link that can be used with frame-relay.

ppp authentication chap
    Tells PPP to use CHAP authentication.

show frame-relay lmi
    Shows the LMI type and LMI statistics for a serial interface.

show frame-relay map
    Shows the static and dynamic Network layer to PVC mappings.

show frame-relay pvc
    Shows the configured PVCs and DLCI numbers configured on a router.

username name password password
    Creates usernames and passwords used for authentication on a Cisco router.
Lab 2.1: Configuring PPP Encapsulation

The High-Level Data-Link Control protocol (HDLC) is a point-to-point protocol used on leased lines. HDLC supports no authentication, and it is the default encapsulation used by Cisco routers over synchronous serial links. Cisco’s HDLC is proprietary: it won’t communicate with any other vendor’s HDLC implementation. If you want to offer authentication on a serial link, or to connect a Cisco router to another vendor’s router, you need to configure PPP on the serial interfaces. PPP (Point-to-Point Protocol) is a data-link protocol that can be used over asynchronous serial (dial-up) media and uses the LCP (Link Control Protocol) to build and maintain data-link connections. The basic purpose of PPP is to transport layer-3 packets across a data link layer point-to-point link. This lab will have you configure PPP on all four serial networks, replacing HDLC as the encapsulation method on our serial links.
Network Layout

Load Standard Layout.rsm, or whatever you named the file when you saved your work in earlier labs.
Lab Steps

1. Connect to 2811 Router A and change the encapsulation on the serial links from HDLC to PPP.

2811A>enable
2811A#config t
2811A(config)#interface serial 0/0/1
2811A(config-if)#encapsulation ppp
2811A(config-if)#interface serial 0/1/1
2811A(config-if)#encapsulation ppp
2811A(config-if)#ctrl+z
2811A#
2. Connect to 2621 Router B and change the encapsulation on the serial link from HDLC to PPP.

2621B>enable
2621B#config t
2621B(config)#interface serial 0/0
2621B(config-if)#encapsulation ppp
2621B(config-if)#ctrl+z
2621B#
3. Connect to 2621 Router A and change the encapsulation on the serial link from HDLC to PPP.

2621A>enable
2621A#config t
2621A(config)#interface serial 0/0
2621A(config-if)#encapsulation ppp
2621A(config-if)#ctrl+z
2621A#

That is all there is to it. This part is easy.

Save Your File: Make sure you save the network layout file that you have been working on.
Lab 2.2: Verifying PPP Encapsulation

Once you have replaced HDLC as the serial encapsulation method, you need to verify that your network is still working properly. The first command to use is the show ip route command, to make sure all your IP routes are still present.

Network Layout

Work with the saved network that you used to configure devices in Lab 2.1.
Lab Steps

1. From 2621 Router A, use the show ip route command to verify the network is still running.

2621A#show ip route
[output cut]
     172.16.0.0/16 is variably subnetted, 6 subnets, 2 masks
O       172.16.30.0/24 [110/74] via 172.16.20.1, 22:22:18, Serial0/0
C       172.16.20.1/32 is directly connected, Serial0/0
C       172.16.40.0/24 is directly connected, FastEthernet0/0
O       172.16.50.0/24 [110/74] via 172.16.20.1, 22:22:18, Serial0/0
C       172.16.20.0/24 is directly connected, Serial0/0
O       172.16.10.0/24 [110/74] via 172.16.20.1, 22:22:18, Serial0/0
2621A#

2. From 2621 Router B, use the show ip route command to verify the network is still running.

2621B#show ip route
[output cut]
     172.16.0.0/16 is variably subnetted, 6 subnets, 2 masks
C       172.16.30.1/32 is directly connected, Serial0/0
C       172.16.30.0/24 is directly connected, Serial0/0
O       172.16.40.0/24 [110/74] via 172.16.30.1, 22:22:18, Serial0/0
C       172.16.50.0/24 is directly connected, FastEthernet0/0
O       172.16.20.0/24 [110/74] via 172.16.30.1, 22:22:18, Serial0/0
O       172.16.10.0/24 [110/74] via 172.16.30.1, 22:22:18, Serial0/0
2621B#

3. From 2811 Router A, use the show ip route command to verify the network is still running.

2811A#show ip route
[output cut]
     172.16.0.0/16 is variably subnetted, 7 subnets, 2 masks
C       172.16.30.2/32 is directly connected, Serial0/0/1
C       172.16.30.0/24 is directly connected, Serial0/0/1
O       172.16.40.0/24 [110/74] via 172.16.20.2, 22:22:18, Serial0/1/1
C       172.16.20.2/32 is directly connected, Serial0/1/1
O       172.16.50.0/24 [110/74] via 172.16.30.2, 22:22:18, Serial0/0/1
C       172.16.20.0/24 is directly connected, Serial0/1/1
C       172.16.10.0/24 is directly connected, FastEthernet0/0
2811A#
4. From 2811 Router A, use the show interface command to see the serial link encapsulation.

2811A#show interface s0/0/1
Serial0/0/1 is up, line protocol is up
  Hardware is GT96K Serial
  Description: connection to 2621B
  Internet address is 172.16.30.1/24
  MTU 1500 bytes, BW 1544 Kbit, DLY 20000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation PPP, loopback not set
[output cut]
2811A#show interface s0/1/1
Serial0/1/1 is up, line protocol is up
  Hardware is GT96K Serial
  Description: connection to 2621A
  Internet address is 172.16.20.1/24
  MTU 1500 bytes, BW 1544 Kbit, DLY 20000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation PPP, loopback not set
Lab 2.3: Configuring PPP Authentication with CHAP

Now that the network should be up and working with PPP, you can use PPP authentication to stop unwanted users from connecting to your network. Although this is typically used with dial-up, it can still be used with serial interfaces. This lab will have you configure PPP authentication on all routers’ serial interfaces using the CHAP protocol.

Challenge Handshake Authentication Protocol (CHAP) is used at the initial startup of a link and at periodic checkups on the link to make sure the router is still communicating with the same host. After PPP finishes its initial phase, the local router sends a challenge request to the remote device. The remote device replies with a value calculated from the challenge using a one-way hash function called MD5. The local router computes the same value and checks that the two match. If the values don’t match, the link is immediately terminated.

To configure PPP authentication, first set the hostname of the router if it is not already set (this is not optional!). Then set the username and password for the remote router connecting to your router. For example, if you are connected to 2621 Router A and want to configure authentication, you would set the hostname and then create a username that matches the router you are going to connect to, in this example 2811 Router A.
This is shown below:

Router#config t
Enter configuration commands, one per line. End with CTRL/Z.
Router(config)#hostname 2621A
2621A(config)#username 2811A password cisco

When using the username command, remember that the username is the hostname of the remote router connecting to your router, and it is case-sensitive. Also, the password on both routers must be the same. It is a plain-text password and can be seen with a show run command. You must have a username and password configured for each remote system you are going to connect to, and the remote routers must also be configured with matching usernames and passwords. After you set the hostname, usernames, and passwords, choose the authentication method as shown in the following example:

2621A#config t
Enter configuration commands, one per line. End with CTRL/Z.
2621A(config)#int s0/0
2621A(config-if)#ppp authentication chap
2621A(config-if)#ctrl+z
2621A#
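The challenge and response described above, as an added example (not from the lab manual or from Cisco IOS): the RFC 1994 hash computed by both sides, using the lab's hostnames and the password cisco, which shows why the username must match the peer's hostname exactly and why the passwords must be identical on both routers. The Router class and the message dictionaries are this example's own simplification.

```python
"""CHAP (RFC 1994) as PPP runs it on the lab's serial links: a three-way
Challenge / Response / Success-or-Failure exchange in which the password
itself never crosses the link.

Added example; not from the lab manual or from Cisco IOS. Hostnames and the
password 'cisco' follow the lab; the Router class and the message dicts are
this example's own simplification (no PPP framing, no link tear-down).
"""
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import Dict, Optional

@dataclass
class Router:
    hostname: str  # sent in the Name field of Challenge and Response packets
    usernames: Dict[str, str] = field(default_factory=dict)  # 'username X password Y'

    def secret_for(self, peer_name: str) -> Optional[str]:
        # IOS matches the peer's Name field against local usernames case-sensitively.
        return self.usernames.get(peer_name)

def chap_response(identifier: int, secret: str, challenge: bytes) -> bytes:
    """RFC 1994 section 4.1: Response value = MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([identifier]) + secret.encode() + challenge).digest()

def make_challenge(authenticator: Router, identifier: int) -> dict:
    """Challenge packet: a fresh random value plus the authenticator's own name."""
    return {"id": identifier, "value": os.urandom(16), "name": authenticator.hostname}

def answer_challenge(peer: Router, challenge: dict) -> Optional[dict]:
    """Peer side: look up the authenticator's name, hash, and reply with its own name."""
    secret = peer.secret_for(challenge["name"])
    if secret is None:
        return None  # no matching 'username' entry, so the peer cannot respond
    value = chap_response(challenge["id"], secret, challenge["value"])
    return {"id": challenge["id"], "value": value, "name": peer.hostname}

def verify_response(authenticator: Router, challenge: dict, response: Optional[dict]) -> bool:
    """Authenticator side: recompute the hash with the secret stored for the peer's name."""
    if response is None or response["id"] != challenge["id"]:
        return False
    secret = authenticator.secret_for(response["name"])
    if secret is None:
        return False
    expected = chap_response(challenge["id"], secret, challenge["value"])
    return hmac.compare_digest(expected, response["value"])  # constant-time compare

def chap_handshake(authenticator: Router, peer: Router, identifier: int = 1) -> bool:
    """One direction of the exchange; True stands for a CHAP Success packet."""
    challenge = make_challenge(authenticator, identifier)
    return verify_response(authenticator, challenge, answer_challenge(peer, challenge))

def mutual_chap(a: Router, b: Router) -> bool:
    """With 'ppp authentication chap' on both ends, each router challenges the other."""
    return chap_handshake(a, b, 1) and chap_handshake(b, a, 2)

# Lab 2.3 configuration: 2621A and 2621B each know 2811A; 2811A knows both.
r2621a = Router("2621A", {"2811A": "cisco"})
r2621b = Router("2621B", {"2811A": "cisco"})
r2811a = Router("2811A", {"2621A": "cisco", "2621B": "cisco"})
```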
Network Layout

Work with the saved network that you used to configure devices in Lab 2.2.
Lab Steps

1. Open a console to 2621 Router A and create a username of 2811A with a password of cisco. Then configure serial interface 0/0 to use PPP authentication with CHAP.

2621A#config t
2621A(config)#username 2811A password cisco
2621A(config)#int s0/0
2621A(config-if)#ppp authentication chap
2621A(config-if)#ctrl+z
2621A#

2. Open a console to 2621 Router B and create a username of 2811A with a password of cisco. Then configure serial interface 0/0 to use PPP authentication with CHAP.

2621B#config t
2621B(config)#username 2811A password cisco
2621B(config)#int s0/0
2621B(config-if)#ppp authentication chap
2621B(config-if)#ctrl+z
2621B#

3. Open a console to 2811 Router A and create usernames 2621A and 2621B, each with a password of cisco. Then configure serial interfaces 0/0/1 and 0/1/1 to use PPP authentication with CHAP.

2811A#config t
2811A(config)#username 2621A password cisco
2811A(config)#username 2621B password cisco
2811A(config)#int s0/0/1
2811A(config-if)#ppp authentication chap
2811A(config-if)#int s0/1/1
2811A(config-if)#ppp authentication chap
2811A(config-if)#ctrl+z
Save Your File: Make sure you save the network layout file that you have been working on.
Lab 2.4: Verifying PPP with Authentication

Once you have configured PPP with authentication as the serial encapsulation method, you need to verify that your network is still working properly.
The first command to use is the show ip route command to make sure all your IP routes are still present. The next command to use is the show interface command.
Network Layout

Work with the saved network that you used to configure devices in Lab 2.3.
Lab Steps

1. From 2621 Router A, use the show ip route command to verify the network is still running.

2621A#show ip route
[output cut]
     172.16.0.0/16 is variably subnetted, 6 subnets, 2 masks
O       172.16.30.0/24 [110/74] via 172.16.20.1, 22:22:18, Serial0/0
C       172.16.20.1/32 is directly connected, Serial0/0
C       172.16.40.0/24 is directly connected, FastEthernet0/0
O       172.16.50.0/24 [110/74] via 172.16.20.1, 22:22:18, Serial0/0
C       172.16.20.0/24 is directly connected, Serial0/0
O       172.16.10.0/24 [110/74] via 172.16.20.1, 22:22:18, Serial0/0
2621A#

2. From 2621 Router B, use the show ip route command to verify the network is still running.

2621B#show ip route
[output cut]
     172.16.0.0/16 is variably subnetted, 6 subnets, 2 masks
C       172.16.30.1/32 is directly connected, Serial0/0
C       172.16.30.0/24 is directly connected, Serial0/0
O       172.16.40.0/24 [110/74] via 172.16.30.1, 22:22:18, Serial0/0
C       172.16.50.0/24 is directly connected, FastEthernet0/0
O       172.16.20.0/24 [110/74] via 172.16.30.1, 22:22:18, Serial0/0
O       172.16.10.0/24 [110/74] via 172.16.30.1, 22:22:18, Serial0/0
2621B#

3. From 2811 Router A, use the show ip route command to verify the network is still running.

2811A#show ip route
[output cut]
     172.16.0.0/16 is variably subnetted, 7 subnets, 2 masks
C       172.16.30.2/32 is directly connected, Serial0/0/1
C       172.16.30.0/24 is directly connected, Serial0/0/1
O       172.16.40.0/24 [110/74] via 172.16.20.2, 22:22:18, Serial0/1/1
C       172.16.20.2/32 is directly connected, Serial0/1/1
O       172.16.50.0/24 [110/74] via 172.16.30.2, 22:22:18, Serial0/0/1
C       172.16.20.0/24 is directly connected, Serial0/1/1
C       172.16.10.0/24 is directly connected, FastEthernet0/0
2811A#

4. From 2811 Router A, use the show interface command to see the serial link encapsulation.

2811A#show int s0/0/1
Serial0/0/1 is up, line protocol is up
  Hardware is GT96K Serial
  Description: connection to 2621B
  Internet address is 172.16.30.1/24
  MTU 1500 bytes, BW 1544 Kbit, DLY 20000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation PPP, loopback not set
  Keepalive set (10)
  Last input 00:00:02, output 00:00:06, output hang never
  Last clearing of "show interface" counters 02:41:59
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: weighted fair
  Output queue: 0/1000/64/0 (size/max total/threshold/drops)
     Conversations  0/1/256 (active/max active/max total)
     Reserved Conversations 0/0 (allocated/max allocated)
     Available Bandwidth 1158 kilobits/sec
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     1645 packets input, 100265 bytes, 0 no buffer
     Received 1139 broadcasts, 0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
     1662 packets output, 105842 bytes, 0 underruns
     0 output errors, 0 collisions, 3 interface resets
     0 output buffer failures, 0 output buffers swapped out
     2 carrier transitions
     DCD=up  DSR=up  DTR=up  RTS=up  CTS=up
2811A#
2811A#show int s0/1/1
Serial0/1/1 is up, line protocol is up
  Hardware is GT96K Serial
  Description: connection to 2621A
  Internet address is 172.16.20.1/24
  MTU 1500 bytes, BW 1544 Kbit, DLY 20000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation PPP, loopback not set
  Keepalive set (10)
  Last input 00:00:02, output 00:00:06, output hang never
  Last clearing of "show interface" counters 02:41:59
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: weighted fair
  Output queue: 0/1000/64/0 (size/max total/threshold/drops)
     Conversations  0/1/256 (active/max active/max total)
     Reserved Conversations 0/0 (allocated/max allocated)
     Available Bandwidth 1158 kilobits/sec
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     1645 packets input, 100265 bytes, 0 no buffer
     Received 1139 broadcasts, 0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
     1662 packets output, 105842 bytes, 0 underruns
     0 output errors, 0 collisions, 3 interface resets
     0 output buffer failures, 0 output buffers swapped out
     2 carrier transitions
     DCD=up  DSR=up  DTR=up  RTS=up  CTS=up
Lab 2.5: Understanding Frame Relay Configuration

Frame Relay provides a communications interface between DTE (data terminal equipment) and DCE (data circuit-terminating equipment, such as packet switches) devices. DTE consists of terminals, PCs, routers, and bridges—customer-owned end-node and internetworking devices. DCE consists of carrier-owned internetworking devices. Frame Relay sends packets at the data link layer (layer 2) of the OSI model rather than at the network layer (layer 3). A frame can incorporate packets from different protocols.
Frame Relay Uses Virtual Circuits

Frame Relay provides connection-oriented, Data Link layer communication via virtual circuits. These virtual circuits are logical connections created between two DTEs across a packet-switched network, each identified by a DLCI, or Data Link Connection Identifier. Frame Relay supports both PVCs (Permanent Virtual Circuits) and SVCs (Switched Virtual Circuits, a form of dial-up), although most Frame Relay networks use only PVCs. The virtual circuit provides the complete path to the destination network before the first frame is sent.
Configuring Frame Relay Encapsulation

When configuring Frame Relay on Cisco routers, you need to specify it as an encapsulation on serial interfaces. There are only two encapsulation types: Cisco and IETF (Internet Engineering Task Force). The following router output shows the two different encapsulation methods when choosing Frame Relay on your Cisco router:

2621A#config t
2621A(config)#interface s0/0
2621A(config-if)#encapsulation frame-relay ?
  ietf  Use RFC1490 encapsulation
The default encapsulation is Cisco unless you manually type in IETF, and Cisco is the type used when connecting two Cisco devices. You’d opt for the IETF-type encapsulation if you needed to connect a Cisco device to a non-Cisco device with Frame Relay.
Frame Relay DLCI

Frame Relay virtual circuits (PVCs) are identified by Data Link Connection Identifiers (DLCIs). A Frame Relay service provider, such as the telephone company, typically assigns DLCI values, which are used by Frame Relay to distinguish between different virtual circuits on the network. Because many virtual circuits can be terminated on one multipoint Frame Relay interface, many DLCIs are often affiliated with it.
For the IP devices at each end of a virtual circuit to communicate, their IP addresses need to be mapped to DLCIs. This mapping lets the interface function as a multipoint device—one that can identify to the Frame Relay network the appropriate destination virtual circuit for each packet that is sent over the single physical interface. The mappings can be done dynamically through IARP (Inverse ARP) or manually through the frame-relay map command. DLCI numbers, used to identify a PVC, are typically assigned by the provider and start at 16. Configuring a DLCI number to be applied to an interface is shown below:

2621A(config-if)#frame-relay interface-dlci ?
  <16-1007>  Define a DLCI as part of the current subinterface
2621A(config-if)#frame-relay interface-dlci 16
Frame Relay LMI

The Local Management Interface (LMI) was developed in 1990 by Cisco Systems, StrataCom, Northern Telecom, and Digital Equipment Corporation and became known as the Gang-of-Four LMI or Cisco LMI. This gang took the basic Frame Relay protocol from the CCITT and added extensions onto the protocol features that allow internetworking devices to communicate easily with a Frame Relay network. The LMI is a signaling standard between a CPE device (router) and a frame switch. The LMI is responsible for managing and maintaining status between these devices. If you’re not going to use the auto-sense feature of LMI, you’ll need to check with your Frame Relay provider to find out which type to use instead. The default type is Cisco, but you may need to change to ANSI or Q.933A. The three different LMI types are shown in the router output below.

2621A(config-if)#frame-relay lmi-type ?
  cisco
  ansi
  q933a
2621A(config-if)#frame-relay lmi-type ansi
You can have multiple virtual circuits on a single serial interface and yet treat each as a separate interface. These are known as subinterfaces. Think of a subinterface as a hardware interface defined by the IOS software. An advantage gained through using subinterfaces is the ability to assign different Network layer characteristics to each subinterface and virtual circuit, such as IP routing on one virtual circuit and IPX on another.
Subinterfaces with Frame Relay

You define subinterfaces with the int s0.subinterface-number command, as shown below. You first set the encapsulation on the serial interface, and then you can define the subinterfaces.

2621A(config-if)#encapsulation frame-relay
2621A(config-if)#exit
2621A(config)#int s0/0.?
  <0-4294967295>  Serial interface number
2621A(config)#int s0/0.16 ?
  multipoint      Treat as a multipoint link
  point-to-point  Treat as a point-to-point link
2621A(config)#int s0/0.16 point-to-point
2621A(config-subif)#

You can define an almost limitless number of subinterfaces on a given physical interface (keeping router memory in mind). In the above example, we chose to use subinterface 16 because that represents the DLCI number assigned to that interface. However, you can choose any number between 0 and 4,294,967,295.
Lab 2.6: Configuring Frame Relay Switching

Now that you have a background on how to configure basic Frame Relay on a Cisco router, this lab will have you configure 2811 Router A as a Frame Relay switch. Then you will configure routers 2811 B and 2811 C as remote Frame Relay connections. To perform this lab, you need to delete the configuration on 2811 Router A first, since the Frame Relay switching configuration is completely different than what we have now.

Network Layout

Work with the saved network that you used to configure devices in Lab 2.4.
Lab Steps 1.
From 2811 Router A, type erase start, then reload.
2811A#erase start
Erasing the nvram filesystem will remove all configuration files! Continue? [confirm] [press Enter]
[OK]
Erase of nvram: complete
*Oct 27 19:30:52.640: %SYS-7-NV_BLOCK_INIT: Initialized the geometry of nvram
2811A#
2811A#reload
System configuration has been modified. Save? [yes/no]: n
Proceed with reload? [confirm] (press Enter)
*Nov 15 16:11:07.406: %SYS-5-RELOAD: Reload requested by console. Reload Reason: Reload Command.
System Bootstrap, Version 12.4(1r) [hqluong 1r], RELEASE SOFTWARE (fc1)
Copyright (c) 2005 by cisco Systems, Inc.
Initializing memory for ECC
c2811 processor with 262144 Kbytes of main memory
Main memory is configured to 64 bit mode with ECC enabled
Readonly ROMMON initialized
program load complete, entry point: 0x8000f000, size: 0xc940
program load complete, entry point: 0x8000f000, size: 0xc940
program load complete, entry point: 0x8000f000, size: 0x228d9f8
Self decompressing the image : ################################################################## [OK]
Smart Init is enabled
smart init is sizing iomem
  ID            MEMORY_REQ     TYPE
  0003E7        0X003DA000     C2811 Mainboard
                0X00263F50     Onboard VPN
                0X000021B8     Onboard USB
                0X002C29F0     public buffer pools
                0X00211000     public particle pools
  TOTAL:        0X00B13AF8
If any of the above Memory Requirements are "UNKNOWN", you may be using an unsupported configuration or there is a software problem and system operation may be compromised.
Rounded IOMEM up to: 12Mb.
Using 4 percent iomem. [12Mb/256Mb]

Restricted Rights Legend
Use, duplication, or disclosure by the Government is subject to restrictions as set forth in subparagraph (c) of the Commercial Computer Software - Restricted Rights clause at FAR sec. 52.227-19 and subparagraph (c) (1) (ii) of the Rights in Technical Data and Computer Software clause at DFARS sec. 252.227-7013.
cisco Systems, Inc.
170 West Tasman Drive
San Jose, California 95134-1706

Cisco IOS Software, 2800 Software (C2800NM-ADVIPSERVICESK9-M), Version 12.4(12), RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2006 by Cisco Systems, Inc.
Compiled Fri 17-Nov-06 12:02 by prod_rel_team
Image text-base: 0x40093160, data-base: 0x42B00000

This product contains cryptographic features and is subject to United States and local country laws governing import, export, transfer and use. Delivery of Cisco cryptographic products does not imply third-party authority to import, export, distribute or use encryption. Importers, exporters, distributors and users are responsible for compliance with U.S. and local country laws. By using this product you agree to comply with applicable laws and regulations. If you are unable to comply with U.S. and local laws, return this product immediately.
A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
If you require further assistance please contact us by sending email to [email protected].

Cisco 2811 (revision 49.46) with 249856K/12288K bytes of memory.
Processor board ID FTX0952C3EG
2 FastEthernet interfaces
4 Serial(sync/async) interfaces
1 Virtual Private Network (VPN) Module
DRAM configuration is 64 bits wide with parity enabled.
239K bytes of non-volatile configuration memory.
125440K bytes of ATA CompactFlash (Read/Write)

--- System Configuration Dialog ---
Would you like to enter the initial configuration dialog? [yes/no]: (press n)
2. Open a console for 2811 Router A and configure the hostname.
Router>enable
Router#config t
Router(config)#hostname 2811A
2811A(config-line)#exit
2811A(config)#
Once your router is clear, you can make it a Frame Relay switch with the frame-relay switching command. However, that is the easy part. You also need to map every DLCI on the switch. Our router only has two connections, so it is not too time consuming, but if you had dozens of PVCs, this could take a while.
3. On the Frame Relay switch, use the frame-relay route command to map each and every DLCI. Here is an example:
2811A(config)#int s0/0/1
2811A(config-if)#frame-relay route 17 int serial 0/1/1 16
2811A(config-if)#exit
2811A(config)#
This command tells the switch that if it receives a frame on serial 0/0/1 on the PVC with DLCI 17, it should send it out serial 0/1/1 using DLCI 16. Again, in our network this configuration is only two routes, so it is not a big deal.
4. On 2811 Router A, configure Frame Relay switching. No IP addresses are assigned to the router's interfaces. Remember, this is a Data Link layer function only, so IP is irrelevant to this configuration.
2811A(config)#frame-relay switching
2811A(config)#int s0/0/1
2811A(config)#encapsulation frame-relay
2811A(config-if)#no shut
2811A(config-if)#frame intf-type dce
2811A(config-if)#frame-relay route 17 int serial 0/1/1 16
2811A(config-if)#int s0/1/1
2811A(config)#encapsulation frame-relay
2811A(config-if)#no shut
2811A(config-if)#frame intf-type dce
2811A(config-if)#frame-relay route 16 int serial 0/0/1 17
2811A(config-if)#ctrl+z
2811A#
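As an added example that is not part of this lab manual, the following Python decodes the two-byte Frame Relay address field and applies a route table equivalent to the two frame-relay route statements above: only the DLCI is rewritten, the FECN/BECN/DE bits and payload pass through unchanged, and a frame arriving on an (interface, DLCI) pair with no configured PVC is discarded. The frames themselves are constructed for the example.

```python
# Added example (not from the lab manual): parse the 2-byte Q.922 Frame Relay
# address header and switch frames with a DLCI-route table equivalent to the
# "frame-relay route" statements configured on 2811A in Lab 2.6.
from dataclasses import dataclass


@dataclass
class FrHeader:
    dlci: int
    cr: bool      # command/response bit (passed through untouched)
    fecn: bool    # forward explicit congestion notification
    becn: bool    # backward explicit congestion notification
    de: bool      # discard eligibility


def parse_header(frame: bytes) -> FrHeader:
    """Decode the 2-byte Frame Relay address field (10-bit DLCI).

    Byte 0: DLCI bits 9-4 (6 bits), C/R, EA=0
    Byte 1: DLCI bits 3-0 (4 bits), FECN, BECN, DE, EA=1
    """
    if len(frame) < 2:
        raise ValueError("frame too short for a Frame Relay header")
    b0, b1 = frame[0], frame[1]
    if (b0 & 0x01) != 0 or (b1 & 0x01) != 1:
        raise ValueError("unexpected EA bits; only 2-byte headers are handled")
    dlci = ((b0 >> 2) << 4) | (b1 >> 4)
    return FrHeader(
        dlci=dlci,
        cr=bool(b0 & 0x02),
        fecn=bool(b1 & 0x08),
        becn=bool(b1 & 0x04),
        de=bool(b1 & 0x02),
    )


def build_header(hdr: FrHeader) -> bytes:
    """Encode an FrHeader back into the 2-byte address field."""
    if not 0 <= hdr.dlci <= 1023:
        raise ValueError("DLCI must fit in 10 bits")
    b0 = ((hdr.dlci >> 4) << 2) | (0x02 if hdr.cr else 0)            # EA=0
    b1 = (((hdr.dlci & 0x0F) << 4) | (0x08 if hdr.fecn else 0)
          | (0x04 if hdr.becn else 0) | (0x02 if hdr.de else 0) | 0x01)  # EA=1
    return bytes([b0, b1])


# Route table mirroring the lab's two statements on the 2811A switch:
#   interface Serial0/0/1: frame-relay route 17 interface Serial0/1/1 16
#   interface Serial0/1/1: frame-relay route 16 interface Serial0/0/1 17
ROUTES = {
    ("Serial0/0/1", 17): ("Serial0/1/1", 16),
    ("Serial0/1/1", 16): ("Serial0/0/1", 17),
}


def switch_frame(in_if: str, frame: bytes, routes: dict = ROUTES):
    """Return (out_if, out_frame), or None when no PVC is configured for the
    (ingress interface, DLCI) pair, in which case the switch drops the frame.

    Only the DLCI is rewritten; C/R, FECN, BECN, DE and the payload are carried
    through unchanged, which is all a layer-2 Frame Relay switch does.
    """
    hdr = parse_header(frame)
    dest = routes.get((in_if, hdr.dlci))
    if dest is None:
        return None
    out_if, out_dlci = dest
    hdr.dlci = out_dlci
    return out_if, build_header(hdr) + frame[2:]


if __name__ == "__main__":
    # Constructed frame from 2811B: DLCI 17 on Serial0/0/1 with BECN set.
    frame = build_header(FrHeader(17, False, False, True, False)) + b"payload"
    print(switch_frame("Serial0/0/1", frame))       # ('Serial0/1/1', b'\x04\x15payload')
    print(switch_frame("Serial0/0/1", build_header(FrHeader(16, False, False, False, False))))  # None
```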
5. Save your configurations.
2811A#copy run start
6. Now that the Frame Relay switching router is configured, you need to configure the remote routers.

Save Your File: Make sure you save the network layout file that you have been working on.
Lab 2.7: Configuring Frame Relay with Subinterfaces

This lab will have you bring up the console for Routers 2811 B and 2811 C and configure Frame Relay on them using subinterfaces. Since the Frame Relay switch is not using IP addressing, the connection from Router 2811 B to Router 2811 C, for example, will use one subnet and appear like a direct connection. Use subnet 172.16.100.0.
Network Layout Work with the saved network that you used to configure devices in Lab 2.6.
Lab Steps
1. Open the console for 2811 Router B and configure the serial 0/0 interface with a Frame Relay subinterface. To perform this, you must remove the IP address from the serial interface.
2811B#config t
2811B(config)#int serial 0/0
2811B(config-if)#no ip address
2811B(config-if)#no shut
2811B(config-if)#encapsulation frame-relay
2811B(config-if)#int serial 0/0.16 point-to-point
2811B(config-subif)#ip address 172.16.100.1 255.255.255.0
2811B(config-subif)#frame-relay interface-dlci 16
2811B(config-subif)#ctrl+z
2811B#
2. Open the console for 2811 Router C and configure the serial 0/0 interface with a Frame Relay subinterface.
2811C#config t
2811C(config)#int serial 0/0
2811C(config-if)#no ip address
2811C(config-if)#no shut
2811C(config-if)#encapsulation frame-relay
2811C(config-if)#int serial 0/0.17 point-to-point
2811C(config-subif)#ip address 172.16.100.2 255.255.255.0
2811C(config-subif)#frame-relay interface-dlci 17
2811C(config-subif)#ctrl+z
2811C#
3. Verify that the Frame Relay connection is up and running. Ping from 2811 Router B to 2811 Router C.
2811B#ping 172.16.100.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.100.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/4 ms
2811B#
Lab 2.8: Verifying Frame Relay

There are several ways to check the status of your interfaces and PVCs once you have Frame Relay encapsulation set up and running.
Network Layout Work with the saved network that you used to configure devices in Lab 2.7.
Lab Steps
1. Open the console screen for 2621 Router A. I have this in the online docs.
2. You can use the show frame-relay command with a question mark (?) to get the command options. The show frame-relay lmi command will give you the LMI traffic statistics exchanged between the local router and the Frame Relay switch.
2621A#show frame ?
  ip             show frame relay IP statistics
  lapf           show frame relay lapf status/statistics
  lmi            show frame relay lmi statistics
  map            Frame-Relay map table
  pvc            show frame relay pvc statistics
  qos-autosense  show frame relay qos-autosense information
  route          show frame relay route
  rtp            show frame relay RTP statistics
  svc            show frame relay SVC stuff
  traffic        Frame-Relay protocol statistics
  vofr           show frame relay VoFR statistics
2621A#show frame lmi
LMI Statistics for interface Serial0/0 (Frame Relay DTE) LMI TYPE = ANSI
  Invalid Unnumbered info 0             Invalid Prot Disc 0
  Invalid dummy Call Ref 0              Invalid Msg Type 0
  Invalid Status Message 0              Invalid Lock Shift 0
  Invalid Information ID 0              Invalid Report IE Len 0
  Invalid Report Request 0              Invalid Keep IE Len 0
  Num Status Enq. Rcvd 1748             Num Status msgs Sent 1748
  Num Update Status Sent 0              Num St Enq. Timeouts 0
2621A#
The router output from the show frame-relay lmi command shows you LMI errors as well as the LMI type.
3. The show frame pvc command lists all configured PVCs and DLCI numbers. It provides the status of each PVC connection and traffic statistics. It will also give you the number of BECN and FECN packets received on the router.
2621A#show frame pvc
PVC Statistics for interface Serial0/0 (Frame Relay DTE)
DLCI = 16, DLCI USAGE = LOCAL, PVC STATUS = ACTIVE, INTERFACE = Serial0/0.16
  input pkts 11290          output pkts 11277        in bytes 898590
  out bytes 899156          dropped pkts 2           in FECN pkts 0
  in BECN pkts 0            out FECN pkts 0          out BECN pkts 0
  in DE pkts 0              out DE pkts 0
  out bcast pkts 11264      out bcast bytes 898468
  pvc create time 13:25:57, last time pvc status changed 13:25:39
2621A#
4. You can also use the show interface command to check for LMI traffic. The show interface command displays information about the encapsulation as well as layer-2 and layer-3 information. The LMI DLCI identifies the type of LMI being used: if it is 1023, it is the default Cisco LMI type; if the LMI DLCI is zero, it is the ANSI LMI type.
2621A#show int s0/0
Serial0/0 is up, line protocol is up
  Hardware is PowerQUICC Serial
  Description: connection to 2811A
  MTU 1500 bytes, BW 1544 Kbit, DLY 20000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation FRAME-RELAY, loopback not set
  Keepalive set (10)
  FR SVC disabled, LAPF state down
  LMI enq sent 41, LMI stat recvd 22, LMI upd recvd 0, DTE LMI down
  LMI enq recvd 4, LMI stat sent 0, LMI upd sent 0
  LMI DLCI 0  LMI type is ANSI  frame relay DTE
  Broadcast queue 0/64, broadcasts sent/dropped 0/0, interface broadcasts 0
  [output cut]
2621A#
The show interface command displays line, protocol, DLCI and LMI information.
5. The show frame map command will show you the Network layer-to-DLCI mappings.
2621A#show frame map
Serial0/0 (up): ip dlci 16(0x66,0x1860), broadcast
              status defined, active
Serial0/0.16 (up): point-to-point dlci, dlci 16(0x66,0x1860), broadcast
              status defined, active
2621A#
EIGRP
Lab 3: Introduction to EIGRP

In this section you will learn about EIGRP, a proprietary Cisco protocol that only runs on Cisco routers, and how to manage Cisco routers in an internetwork with it. EIGRP uses the properties of both distance vector and link state protocols, and uses autonomous systems (AS) to create groups of routers that share routing information. The following labs are covered:
• 3.1: Configuring EIGRP Routing
• 3.2: Verifying EIGRP Routing
• 3.3: Configuring EIGRP Wild Card Masks
• 3.4: Verifying EIGRP Wild Card Mask Configurations
• 3.5: Configuring EIGRP Authentication
• 3.6: Verifying EIGRP Authentication
• 3.7: Configuring Advanced Commands with EIGRP
Lab 3.1: Configuring EIGRP Routing

EIGRP is a Cisco proprietary hybrid routing protocol. If you want your routers to share information, they must all:
• have EIGRP running
• use the same AS number
Network Layout Load Standard Layout.rsm or whatever you named the file when you saved your work in earlier labs. You need a configured network in order to complete this lab.
EIGRP
• Stands for Enhanced Interior Gateway Routing Protocol
• Uses properties of both distance vector and link state
• Has an administrative distance of 90
• Has a maximum hop count of 255
• Will automatically overwrite RIP routes (RIP has a default administrative distance of 120) in the routing table
• Uses autonomous systems (AS) to create groups of routers that share routing information
• Is a classless routing protocol but is configured in a classful manner
• Uses RTP (Reliable Transport Protocol)
• Uses DUAL (Diffusing Update Algorithm)
• Supports VLSM, summarization, and discontiguous networks
• Supports IPv4 and IPv6, IPX, and AppleTalk
Lab Steps
1. First go to 2621 Router A and ping interface f 0/0 on 2621 Router B. The packet will travel through 2811 Router A on its way to 2621 Router B.
2621A#ping 172.16.30.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.30.2, timeout is 2 seconds:
!!!!!
2. We have not done anything yet with EIGRP, but we can ping a distant router. If you look back at Lab 5.16 (if you have been going through the labs sequentially), we configured every router with RIP version 2. We need to remove RIP from every router so that we can test the effects of the EIGRP commands.
2621A#config t
2621A(config)#no router rip
2621B#config t
2621B(config)#no router rip
2811A#config t
2811A(config)#no router rip
3. Now try pinging 172.16.30.2.
2621A#ping 172.16.30.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.30.2, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5), round-trip min/avg/max = 0/0/0 ms
2621A#
Good! We have removed RIP, and now there is no connectivity. We can now proceed with EIGRP.
4. Configure 2621 Router A to use EIGRP with an AS of 10.
2621A#config t
2621A(config)#router eigrp 10
2621A(config-router)#network 172.16.0.0
2621A(config-router)#ctrl+z
2621A#
5. Configure 2621 Router B to use EIGRP with an AS of 10.
2621B#config t
2621B(config)#router eigrp 10
2621B(config-router)#network 172.16.0.0
2621B(config-router)#
6. Configure 2811 Router A to use EIGRP with an AS of 15.
2811A#config t
2811A(config)#router eigrp 15
2811A(config-router)#network 172.16.0.0
2811A(config-router)#exit
7. Now that we have EIGRP on every router, go to 2621 Router A and ping 172.16.30.2 on 2621 Router B.
2621A#ping 172.16.30.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.30.2, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5), round-trip min/avg/max = 0/0/0 ms
2621A#
It did not work. Click on the Net Detective icon to see if we can find out why the ping was not successful. You will see the following information:
1. Network 172.16.0.0 was not found in the routing tables for 2621 Router A.
2. The desired address falls outside of the protocol networks set up for one or more of the devices.
3. The desired IP address of 172.16.30.2 was not found. None of the interfaces in the current network have been configured with this IP address.
Net Detective®

Unless you are an expert in using routers and switches, you might enter a command, have it not work, and not immediately know what you did wrong. We have tried to bridge that gap with Net Detective®. Net Detective monitors several hundred commands. If something does not work properly, clicking on the Net Detective button may prove helpful. For example, if you are unsuccessful in trying to ping between 2600 A and 2600 B, Net Detective® will provide several suggestions as to what is possibly wrong.
We know that network 172.16.0.0 is in the routing table, so maybe #2 is true. Ok, I found it. The AS number for 2811 Router A is wrong. Change it from 15 to 10.
8. First, remove router eigrp 15 and put in the correct command.
2811A(config)#no router eigrp
% Incomplete command.
(We forgot to put 15 in the command. Try again.)
2811A(config)#no router eigrp 15
2811A(config)#router eigrp 10
2811A(config-router)#network 172.16.0.0
2811A(config-router)#ctrl+z
2811A#
9. Now the ping should work. Go to 2621 Router A and ping interface f 0/1 on 2621 Router B.
2621A#ping 172.16.50.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.50.1, timeout is 2 seconds:
!!!!!
Save Your File: Make sure you save the network layout file that you have been working on.
Lab 3.2: Verifying EIGRP Routing

Since EIGRP has a better administrative distance than IGRP and RIP, all the routing tables should contain EIGRP-learned routes (D). Use the show ip route command and the other EIGRP show commands to verify EIGRP.
Network Layout Work with the saved network that you used in Lab 3.1.
1. From 2621 Router A, use the show ip route command to verify the routing table.
2621A#show ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, * - candidate default
       U - per-user static route, o - ODR, P - periodic downloaded static route
       T - traffic engineered route
Gateway of last resort is not set
     172.16.0.0/24 is subnetted, 5 subnets
D       172.16.30.0 [90/2172416] via 172.16.20.1, 02:20:56, Serial0/0
C       172.16.40.0 is directly connected, FastEthernet0/0
D       172.16.50.0 [90/2172416] via 172.16.20.1, 02:20:56, Serial0/0
C       172.16.20.0 is directly connected, Serial0/0
D       172.16.10.0 [90/2172416] via 172.16.20.1, 02:20:56, Serial0/0
2621A#
Notice the routes that begin with D. These are EIGRP routes.
2. Use the show ip protocol command from 2621 Router A.
2621A#show ip protocol
Routing Protocol is "eigrp 10"
  Outgoing update filter list for all interfaces is not set
  Incoming update filter list for all interfaces is not set
  Default networks flagged in outgoing updates
  Default networks accepted from incoming updates
  EIGRP metric weight K1=1, K2=0, K3=1, K4=0, K5=0
  EIGRP maximum hop count 100
  EIGRP maximum metric variance 1
  Redistributing: eigrp 10
  Automatic network summarization is in effect
  Maximum path: 4
  Routing for networks:
    172.16.0.0
  Routing information sources:
    Gateway         Distance      Last Update
    172.16.20.1           90      02:23:05
  Distance: internal 90 external 170
2621A#
Based on this output, we can see that EIGRP is enabled for autonomous system 10 and that the K values are set to their defaults. The variance is 1, so only equal-cost load balancing will be performed. Automatic summarization is on. We can also see that EIGRP is advertising for one network and that it sees one neighbor.
3. From 2621 Router B, use the show ip route command to verify the routing table.
2621B#show ip route
[output cut]
     172.16.0.0/24 is subnetted, 5 subnets
C       172.16.30.0 is directly connected, Serial0/0
D       172.16.40.0 [90/2172416] via 172.16.30.1, 02:22:00, Serial0/0
C       172.16.50.0 is directly connected, FastEthernet0/0
D       172.16.20.0 [90/2172416] via 172.16.30.1, 02:22:00, Serial0/0
D       172.16.10.0 [90/2172416] via 172.16.30.1, 02:22:00, Serial0/0
2621B#
4. From 2811 Router A, use the show ip route command to verify the routing table.
2811A#show ip route
[output cut]
     172.16.0.0/24 is subnetted, 5 subnets
C       172.16.30.0 is directly connected, Serial0/0/1
D       172.16.40.0 [90/2172416] via 172.16.20.2, 00:20:55, Serial0/1/1
D       172.16.50.0 [90/2172416] via 172.16.30.2, 00:20:55, Serial0/0/1
C       172.16.20.0 is directly connected, Serial0/1/1
C       172.16.10.0 is directly connected, FastEthernet0/0
2811A#
5. From 2621 Router A, use the show ip eigrp neighbors command to see the EIGRP neighbor table. This table holds information about the router's directly connected neighbors.
2621A#show ip eigrp neighbor
IP-EIGRP neighbors for process 10
H   Address         Interface   Hold Uptime   SRTT   RTO  Q    Seq  Type
                                (sec)         (ms)        Cnt  Num
0   172.16.20.1     S0/0          12 02:28:04   20    200  0    1
2621A#
In the above output, H indicates the order in which the neighbor was discovered. The hold time is how long this router will wait for a Hello packet to arrive from a specific neighbor. The uptime indicates how long the neighbor relationship has been established. The SRTT field is the smooth round-trip timer, which is an indication of the time it takes for a round-trip from this router to its neighbor and back. This value is used to determine how long to wait after a multicast for a reply from this neighbor. If a reply is not received, this router will switch to using unicasts to attempt to complete the communication. The time between multicast attempts is specified by the Retransmission Time Out (RTO) field, which is itself based upon the SRTT values. The Q value indicates whether there are any outstanding messages in the queue; consistently large values would indicate a problem. And finally the Seq field indicates the sequence number of the last update from that neighbor, which is used to maintain synchronization and avoid duplicate or out-of-sequence processing of messages.
6. From 2621 Router A, use the show ip route eigrp command. This command gives you a quick picture of the EIGRP routes. If a route does not appear in the routing table, verify the source of the route. If the source is functioning properly, check the topology table. The routing table from the perspective of 2621 Router A looks like this:
2621A#show ip route eigrp
     172.16.0.0/24 is subnetted, 5 subnets
D       172.16.30.0 [90/2172416] via 172.16.20.1, 00:00:49, Serial0/0
D       172.16.50.0 [90/2172416] via 172.16.20.1, 00:00:49, Serial0/0
D       172.16.10.0 [90/2172416] via 172.16.20.1, 00:00:49, Serial0/0
2621A#
Notice that most EIGRP routes are indicated with simply a D designation and that the administrative distance of these routes is 90. This represents internal EIGRP routes. If a route has a D EX designation, it is an external EIGRP route, which implies that the route was introduced into EIGRP via redistribution.
7. From 2621 Router A, use the show ip eigrp topology command to see the EIGRP topology table. This table shows the entire network as 2621 Router A understands it. If the route is not in the topology table, it is safe to assume that there is a problem between the topology database and the routing table. There must be a reason the topology database is not injecting the route into the routing table.
2621A#show ip eigrp topology
IP-EIGRP Topology Table for AS(10)/ID(172.16.20.2)
Codes: P - Passive, A - Active, U - Update, Q - Query, R - Reply,
       r - reply Status, s - sia Status
P 172.16.30.0/24, 1 successors, FD is 2172416
        via 172.16.20.1 (2172416/28160), Serial0/1/1
P 172.16.40.0/24, 1 successors, FD is 2172416
        via Connected, FastEthernet0/0
P 172.16.50.0/24, 1 successors, FD is 2172416
        via 172.16.20.1 (2172416/28160), Serial0/1/1
P 172.16.20.0/24, 1 successors, FD is 2172416
        via Connected, Serial0/0
P 172.16.10.0/24, 1 successors, FD is 2172416
        via 172.16.20.1 (2172416/28160), Serial0/1/1
2621A#
Notice that every route is preceded by a P; this indicates that the route is in the passive state, which is good. Routes in the active state indicate that the router has lost its path to this network and is searching for a replacement. Each entry also indicates the feasible distance, or FD, to each remote network and the next-hop neighbor through which packets will travel to this destination. Each entry also has two numbers in parentheses ( ), the first indicating the feasible distance and the second the advertised distance to a remote network. Additionally, if you want to find out about any secondary route (feasible successor route) to another network, you can use the show ip eigrp topology command.
8. From 2621 Router A, use the show ip eigrp traffic command to see if updates are being sent. If the counters for EIGRP input and output packets don't increase, no EIGRP information is being sent between peers. The following output indicates that 2621A is experiencing normal traffic.
2811A#show ip eigrp traffic
IP-EIGRP Traffic Statistics for process 10
  Hellos sent/received: 640/279
  Updates sent/received: 3/1
  Queries sent/received: 0/0
  Replies sent/received: 0/0
  Acks sent/received: 5/7
  Input queue high water mark 1, 0 drops
  SIA-Queries sent/received: 0/0
  SIA-Replies sent/received: 0/0
2811A#
9. From 2621 Router A, use the show ip eigrp events command. This command displays a log of every EIGRP event—when routes are injected and removed from the routing table and when EIGRP adjacencies reset or fail. This information can be used to see if there are routing instabilities in the network. Be cautioned that this command displays a substantial amount of information in even the simplest configurations.
2621A#show ip eigrp events
Event information for AS 10:
1    15:49:03.848 Change queue emptied, entries: 1
2    15:49:03.848 Metric set: 172.16.30.0/24 2707456
3    15:49:03.848 Update reason, delay: new if 4294967295
4    15:49:03.848 Update sent, RD: 172.16.30.0/24 4294967295
5    15:49:03.848 Update reason, delay: metric chg 4294967295
6    15:49:03.848 Update sent, RD: 172.16.30.0/24 4294967295
7    15:49:03.848 Route install: 172.16.30.0/24 172.16.20.1
8    15:49:03.848 Find FS: 172.16.30.0/24 4294967295
9    15:49:03.848 Rcv update met/succmet: 2707456 2195456
10   15:49:03.848 Rcv update dest/nh: 172.16.30.0/24 172.16.20.1
11   15:49:03.848 Metric set: 172.16.30.0/24 4294967295
[output cut]
All of the commands covered in this lab are intended to be used by the system administrator when troubleshooting a problem in the network.
Lab 3.3: Configuring EIGRP Wild Card Masks

Cisco added the wild card mask, or inverse mask, feature to EIGRP in IOS version 12.0(4). EIGRP wild card masks are similar to the OSPF implementation. The addition of wild card masks to the EIGRP configuration suite gives network administrators more administrative control. Wild card masks allow network administrators to easily designate which routed interfaces will or will not participate in EIGRP routing advertisements. In this lab, configure EIGRP wild card masks on each router.
Network Layout Load Standard Layout.rsm or whatever you named the file when you saved your work.
Lab Steps
Any previous EIGRP configuration needs to be removed before configuring EIGRP with wild card masks.
1. Configure wild card masks on 2811 Router A.
2811A#config t
2811A(config)#no router eigrp 10
2811A(config)#router eigrp 10
2811A(config-router)#network 172.16.10.1 0.0.0.0
2811A(config-router)#network 172.16.20.1 0.0.0.0
2811A(config-router)#network 172.16.30.1 0.0.0.0
2811A(config-router)#exit
2811A(config)#exit
2811A#copy run start
The commands network 172.16.10.1 0.0.0.0, network 172.16.20.1 0.0.0.0, and network 172.16.30.1 0.0.0.0 tell the EIGRP process to advertise the interfaces 172.16.10.1, 172.16.20.1, and 172.16.30.1. The wildcard mask of 0.0.0.0 tells the EIGRP process to match all four octets exactly.
2. Configure wild card masks on 2621 Router A.
2621A#config t
2621A(config)#no router eigrp 10
2621A(config)#router eigrp 10
2621A(config-router)#network 172.16.20.0 0.0.0.255
2621A(config-router)#network 172.16.40.0 0.0.0.255
2621A(config-router)#exit
2621A(config)#exit
2621A#copy run start
The commands network 172.16.20.0 0.0.0.255 and network 172.16.40.0 0.0.0.255 tell the EIGRP process to look for and advertise interfaces configured with 172.16.20 or 172.16.40 in the first three octets and any value in the last octet.
3. Configure wild card masks on 2621 Router B.
2621B#config t
2621B(config)#no router eigrp 10
2621B(config)#router eigrp 10
2621B(config-router)#network 172.0.0.0 0.255.255.255
2621B(config-router)#exit
2621B(config)#exit
2621B#copy run start
The command network 172.0.0.0 0.255.255.255 tells the EIGRP process to look for and advertise any interface configured with 172 in the first octet and any value in the last three octets.
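The following Python is an added example, not part of this lab manual: it applies the three routers' network/wildcard statements from this lab to their interface addresses using the bitwise rule the text describes (a 0 bit in the wildcard must match, a 1 bit is ignored), and also shows which other addresses a statement set would pull into EIGRP. The interface addresses are taken from the routing tables in this section, except 2621A's FastEthernet0/0 address, which the page does not state and is assumed here.

```python
# Added example (not from the lab manual): evaluate EIGRP network/wildcard
# statements against each router's interface addresses to see which
# interfaces the EIGRP process would enable.
import ipaddress


def matches(addr: str, network: str, wildcard: str) -> bool:
    """Wildcard-mask match: where a wildcard bit is 0 the address bit must equal
    the network bit; where it is 1 the bit is ignored."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    return ((a ^ n) & ~w & 0xFFFFFFFF) == 0


def eigrp_interfaces(interfaces: dict, statements: list) -> dict:
    """Return {interface: statement that enabled it, or None} for one router."""
    result = {}
    for ifname, addr in interfaces.items():
        result[ifname] = None
        for network, wildcard in statements:
            if matches(addr, network, wildcard):
                result[ifname] = f"network {network} {wildcard}"
                break
    return result


# Interface addresses and the statements configured in Lab 3.3.
ROUTERS = {
    "2811A": (
        {"FastEthernet0/0": "172.16.10.1",
         "Serial0/1/1": "172.16.20.1",
         "Serial0/0/1": "172.16.30.1"},
        [("172.16.10.1", "0.0.0.0"),
         ("172.16.20.1", "0.0.0.0"),
         ("172.16.30.1", "0.0.0.0")],
    ),
    "2621A": (
        {"FastEthernet0/0": "172.16.40.1",   # assumed; not stated on the page
         "Serial0/0": "172.16.20.2"},
        [("172.16.20.0", "0.0.0.255"),
         ("172.16.40.0", "0.0.0.255")],
    ),
    "2621B": (
        {"FastEthernet0/1": "172.16.50.1",
         "Serial0/0": "172.16.30.2"},
        [("172.0.0.0", "0.255.255.255")],
    ),
}


def enabled_everywhere() -> dict:
    """Apply each router's own statements to its own interfaces."""
    return {name: eigrp_interfaces(ifs, stmts)
            for name, (ifs, stmts) in ROUTERS.items()}


def unintended_matches(statements: list, candidate_addrs: list) -> list:
    """Addresses the statement set would also enable. This shows how broad a
    wildcard is: 172.0.0.0 0.255.255.255 captures any 172.x.x.x interface
    added later, whereas a 0.0.0.0 wildcard enables exactly one address."""
    return [a for a in candidate_addrs
            if any(matches(a, n, w) for n, w in statements)]


if __name__ == "__main__":
    for router, table in enabled_everywhere().items():
        print(router)
        for ifname, stmt in table.items():
            print(f"  {ifname:16} {stmt or 'not in EIGRP'}")
    # Constructed addresses for a hypothetical extra interface on 2621B:
    extra = ["172.31.99.1", "10.1.1.1", "192.168.1.1"]
    print("2621B's statement would also enable:",
          unintended_matches(ROUTERS["2621B"][1], extra))
```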
Lab 3.4: Verifying EIGRP Wild Card Mask Configurations

This lab will provide you with the commands to verify EIGRP wild card mask configurations.
Network Layout Load Standard Layout.rsm or whatever you named the file when you saved your work. You need a configured network in order to complete this lab.
Lab Steps
1. At this point, your network should have converged. Issue the show ip route command on each router.
2811A#show ip route
     172.16.0.0/24 is subnetted, 5 subnets
C       172.16.30.0 is directly connected, Serial0/0/1
D       172.16.40.0 [90/2172416] via 172.16.20.2, 00:03:07, Serial0/1/1
D       172.16.50.0 [90/2172416] via 172.16.30.2, 00:03:07, Serial0/0/1
C       172.16.20.0 is directly connected, Serial0/1/1
C       172.16.10.0 is directly connected, FastEthernet0/0
2811A#
2621A#show ip route
     172.16.0.0/24 is subnetted, 5 subnets
D       172.16.30.0 [90/2172416] via 172.16.20.1, 00:33:19, Serial0/0
C       172.16.40.0 is directly connected, FastEthernet0/0
D       172.16.50.0 [90/2172416] via 172.16.20.1, 00:33:19, Serial0/0
C       172.16.20.0 is directly connected, Serial0/0
D       172.16.10.0 [90/2172416] via 172.16.20.1, 00:33:19, Serial0/0
2621A#
2621B#show ip route
     172.16.0.0/24 is subnetted, 5 subnets
C       172.16.30.0 is directly connected, Serial0/0
D       172.16.40.0 [90/2172416] via 172.16.30.1, 00:33:26, Serial0/0
C       172.16.50.0 is directly connected, FastEthernet0/1
D       172.16.20.0 [90/2172416] via 172.16.30.1, 00:33:26, Serial0/0
D       172.16.10.0 [90/2172416] via 172.16.30.1, 00:33:26, Serial0/0
2621B#
2. Issue the show running-configuration command on each router to verify the wild card mask configurations.
2811A#show run
[output cut]
!
router eigrp 10
 network 172.16.10.1 0.0.0.0
 network 172.16.20.1 0.0.0.0
 network 172.16.30.1 0.0.0.0
!
[output cut]
2621A#show run
[output cut]
!
router eigrp 10
 network 172.16.20.0 0.0.0.255
 network 172.16.40.0 0.0.0.255
!
[output cut]
2621B#show run
[output cut]
!
router eigrp 10
 network 172.0.0.0 0.255.255.255
!
[output cut]
3. Issue the show ip eigrp interfaces command to display the interfaces configured within the EIGRP process.
2811A#show ip eigrp interfaces
IP-EIGRP interfaces for process 10
                        Xmit Queue   Mean   Pacing Time   Multicast    Pending
Interface        Peers  Un/Reliable  SRTT   Un/Reliable   Flow Timer   Routes
Fa0/0              0        0/0         0       0/1            0           0
Se0/0/1            0        0/0         0       0/1            0           0
Se0/1/1            0        0/0         0       0/1            0           0
2811A#
2621A#show ip eigrp interfaces
IP-EIGRP interfaces for process 10
                        Xmit Queue   Mean   Pacing Time   Multicast    Pending
Interface        Peers  Un/Reliable  SRTT   Un/Reliable   Flow Timer   Routes
Fa0/0              0        0/0         0       0/1            0           0
Se0/0               0        0/0         0       0/1            0           0
2621A#
2621B#show ip eigrp interfaces
IP-EIGRP interfaces for process 10
                        Xmit Queue   Mean   Pacing Time   Multicast    Pending
Interface        Peers  Un/Reliable  SRTT   Un/Reliable   Flow Timer   Routes
Fa0/1              0        0/0         0       0/1            0           0
Se0/0               0        0/0         0       0/1            0           0
2621B#
Lab 3.5: Configuring EIGRP Authentication

EIGRP authentication protects network routers from unauthorized access. Implementing EIGRP authentication adds a layer of security to routing messages. Routing messages are shared among routers in a common autonomous system; only routers configured with the appropriate authentication credentials will share routing updates. Pre-shared keys (PSKs) and Message Digest 5 (MD5) provide message authentication between routers. Typically, routers belonging to the same EIGRP autonomous system exchange routing updates without requiring message authentication. Routers in this lab will require message authentication before EIGRP routing updates are accepted. Pre-shared keys are configured from global configuration mode. Additionally, authentication will need to be configured on each interface.
Network Layout Load Standard Layout.rsm or whatever you named the file when you saved your work. You need a configured network in order to complete this lab.
Lab Steps
1. Issue the show ip route command on Routers 2811 A, 2621 A, and 2621 B. Make sure your network is completely converged.
2811A#show ip route
     172.16.0.0/24 is subnetted, 5 subnets
C       172.16.30.0 is directly connected, Serial0/0/1
D       172.16.40.0 [90/2172416] via 172.16.20.2, 00:03:07, Serial0/1/1
D       172.16.50.0 [90/2172416] via 172.16.30.2, 00:03:07, Serial0/0/1
C       172.16.20.0 is directly connected, Serial0/1/1
C       172.16.10.0 is directly connected, fastethernet0/0
2811A#
2621A#show ip route
     172.16.0.0/24 is subnetted, 5 subnets
D       172.16.30.0 [90/2172416] via 172.16.20.1, 00:33:19, Serial0/0
C       172.16.40.0 is directly connected, fastethernet0/0
D       172.16.50.0 [90/2172416] via 172.16.20.1, 00:33:19, Serial0/0
C       172.16.20.0 is directly connected, Serial0/0
D       172.16.10.0 [90/2172416] via 172.16.20.1, 00:33:19, Serial0/0
2621A#
2621B#show ip route
     172.16.0.0/24 is subnetted, 5 subnets
C       172.16.30.0 is directly connected, Serial0/0
D       172.16.40.0 [90/2172416] via 172.16.30.1, 00:33:26, Serial0/0
C       172.16.50.0 is directly connected, fastethernet0/1
D       172.16.20.0 [90/2172416] via 172.16.30.1, 00:33:26, Serial0/0
D       172.16.10.0 [90/2172416] via 172.16.30.1, 00:33:26, Serial0/0
2621B#
2. Configure a pre-shared key on 2811 Router A.
2811A#config t
2811A(config)#key chain securekey-2811A
2811A(config-keychain)#key 100
2811A(config-keychain-key)#key-string secure-eigrp-traffic
2811A(config-keychain-key)#exit
2811A(config-keychain)#exit
3. Configure a pre-shared key on 2621 Router A.
2621A#config t
2621A(config)#key chain securekey-2621A
2621A(config-keychain)#key 100
2621A(config-keychain-key)#key-string secure-eigrp-traffic
2621A(config-keychain-key)#exit
2621A(config-keychain)#exit
4. Configure a pre-shared key on 2621 Router B.
2621B#config t
2621B(config)#key chain securekey-2621B
2621B(config-keychain)#key 100
2621B(config-keychain-key)#key-string secure-eigrp-traffic
2621B(config-keychain-key)#exit
2621B(config-keychain)#exit
5. Configure interfaces on 2811 Router A with authentication.
2811A(config)#int fa0/0
2811A(config-if)#ip authentication mode eigrp 10 md5
2811A(config-if)#ip authentication key-chain eigrp 10 securekey-2811A
2811A(config-if)#int s0/0/1
2811A(config-if)#ip authentication mode eigrp 10 md5
2811A(config-if)#ip authentication key-chain eigrp 10 securekey-2811A
2811A(config-if)#int s0/1/1
2811A(config-if)#ip authentication mode eigrp 10 md5
2811A(config-if)#ip authentication key-chain eigrp 10 securekey-2811A
2811A(config-if)#exit
2811A(config)#exit
2811A#copy run start
6. Configure interfaces on 2621 Router A with authentication.
2621A(config)#int fa0/0
2621A(config-if)#ip authentication mode eigrp 10 md5
2621A(config-if)#ip authentication key-chain eigrp 10 securekey-2621A
2621A(config-if)#int s0/0
2621A(config-if)#ip authentication mode eigrp 10 md5
2621A(config-if)#ip authentication key-chain eigrp 10 securekey-2621A
2621A(config-if)#exit
2621A(config)#exit
2621A#copy run start
7. Configure interfaces on 2621 Router B with authentication.
2621B(config)#int fa0/1
2621B(config-if)#ip authentication mode eigrp 10 md5
2621B(config-if)#ip authentication key-chain eigrp 10 securekey-2621B
2621B(config-if)#int s0/0
2621B(config-if)#ip authentication mode eigrp 10 md5
2621B(config-if)#ip authentication key-chain eigrp 10 securekey-2621B
2621B(config-if)#exit
2621B(config)#exit
2621B#copy run start
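As an added example that is not part of this lab manual, the Python below models what the key-chain configuration in the Lab 3.5 introduction and steps 2 through 7 achieves: each router holds key 100 with the same key-string, a sender attaches a key id and digest to its update, and the receiver recomputes the digest with the key it holds under that id. The digest here is MD5 over payload plus key-string purely for illustration; it is not the real EIGRP authentication TLV layout, and the misconfigured routers at the end are constructed, not part of the lab.

```python
# Added example (not from the lab manual): simplified model of key-chain/MD5
# gating of EIGRP updates. A router accepts an update only if it holds the
# sender's key id and the digest recomputes with its own key-string.
import hashlib
import hmac


class Router:
    def __init__(self, name: str, chain_name: str, keys: dict):
        self.name = name
        self.chain_name = chain_name   # e.g. securekey-2811A; purely a local label
        self.keys = keys               # {key id: key-string}, e.g. {100: "secure-eigrp-traffic"}

    def send(self, payload: bytes, key_id: int) -> tuple:
        """Authenticated update as (payload, key id, digest).
        Illustrative digest: MD5(payload || key-string); not the real TLV format."""
        digest = hashlib.md5(payload + self.keys[key_id].encode()).digest()
        return payload, key_id, digest

    def accept(self, update: tuple) -> bool:
        """Accept only if the key id exists in this chain and the digest
        recomputes; an unknown id, a different key-string or an altered
        payload all fail."""
        payload, key_id, digest = update
        key = self.keys.get(key_id)
        if key is None:
            return False
        expected = hashlib.md5(payload + key.encode()).digest()
        return hmac.compare_digest(expected, digest)   # constant-time comparison


def exchange(sender: Router, receiver: Router,
             payload: bytes = b"UPDATE 172.16.30.0/24", key_id: int = 100) -> bool:
    """True if receiver accepts sender's update."""
    return receiver.accept(sender.send(payload, key_id))


# The lab's three routers: different chain names, same key id and key-string.
r2811a = Router("2811A", "securekey-2811A", {100: "secure-eigrp-traffic"})
r2621a = Router("2621A", "securekey-2621A", {100: "secure-eigrp-traffic"})
r2621b = Router("2621B", "securekey-2621B", {100: "secure-eigrp-traffic"})

# Constructed misconfigurations, not in the lab:
wrong_string = Router("X", "securekey-X", {100: "Secure-EIGRP-Traffic"})   # case differs
wrong_id = Router("Y", "securekey-Y", {101: "secure-eigrp-traffic"})       # key 101, not 100


def tampered_in_transit(sender: Router, receiver: Router) -> bool:
    """The digest covers the original payload, so a payload changed in
    transit is rejected even though the key id and digest are genuine."""
    payload, key_id, digest = sender.send(b"UPDATE 172.16.30.0/24", 100)
    return receiver.accept((b"UPDATE 0.0.0.0/0", key_id, digest))


if __name__ == "__main__":
    print("2811A -> 2621A:", exchange(r2811a, r2621a))                  # True
    print("2621A -> 2621B:", exchange(r2621a, r2621b))                  # True
    print("wrong key-string -> 2621A:", exchange(wrong_string, r2621a)) # False
    print("2811A -> router with key 101 only:", exchange(r2811a, wrong_id))  # False
    print("altered payload:", tampered_in_transit(r2811a, r2621a))      # False
```

The chain name only has to exist locally (the lab uses securekey-2811A, securekey-2621A and securekey-2621B), while key id 100 and the key-string must agree on both ends of each link. Note that show run and show key chain in Lab 3.6 print the key-string in clear text, so access to the running configuration itself must be controlled.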
Save Your File: Make sure you save the network layout file that you have been working on.
Lab 3.6: Verifying EIGRP Authentication

This lab will provide you with the commands to verify EIGRP authentication.
Network Layout
Load Standard Layout.rsm or whatever you named the file when you saved your work. You need a configured network in order to complete this lab.
Lab Steps
1. At this point, your network should have converged and message authentication should be in effect. Issue the show ip route command on each router.
2811A#show ip route
     172.16.0.0/24 is subnetted, 5 subnets
C       172.16.30.0 is directly connected, Serial0/0/1
D       172.16.40.0 [90/2172416] via 172.16.20.2, 00:03:07, Serial0/1/1
D       172.16.50.0 [90/2172416] via 172.16.30.2, 00:03:07, Serial0/0/1
C       172.16.20.0 is directly connected, Serial0/1/1
C       172.16.10.0 is directly connected, FastEthernet0/0
2811A#
2621A#show ip route
     172.16.0.0/24 is subnetted, 5 subnets
D       172.16.30.0 [90/2172416] via 172.16.20.1, 00:33:19, Serial0/0
C       172.16.40.0 is directly connected, FastEthernet0/0
D       172.16.50.0 [90/2172416] via 172.16.20.1, 00:33:19, Serial0/0
C       172.16.20.0 is directly connected, Serial0/0
D       172.16.10.0 [90/2172416] via 172.16.20.1, 00:33:19, Serial0/0
2621A#
2621B#show ip route
     172.16.0.0/24 is subnetted, 5 subnets
C       172.16.30.0 is directly connected, Serial0/0
D       172.16.40.0 [90/2172416] via 172.16.30.1, 00:33:26, Serial0/0
C       172.16.50.0 is directly connected, FastEthernet0/1
D       172.16.20.0 [90/2172416] via 172.16.30.1, 00:33:26, Serial0/0
D       172.16.10.0 [90/2172416] via 172.16.30.1, 00:33:26, Serial0/0
2621B#
2. Issue the show running-config command on each router to verify EIGRP Authentication.
2811A#show run
[output cut]
!
key chain securekey-2811A
 key 100
  key-string secure-eigrp-traffic
!
[output cut]
2621A#show run
[output cut]
!
key chain securekey-2621A
 key 100
  key-string secure-eigrp-traffic
!
[output cut]
2621B#show run
[output cut]
!
key chain securekey-2621B
 key 100
  key-string secure-eigrp-traffic
!
[output cut]
3. Issue the show key chain command to display all the configured key chains.
2811A#show key chain
Key-chain securekey-2811A:
    key 100 -- text "secure-eigrp-traffic"
        accept lifetime (always valid) - (always valid) [valid now]
        send lifetime (always valid) - (always valid) [valid now]
2811A#
2621A#show key chain
Key-chain securekey-2621A:
    key 100 -- text "secure-eigrp-traffic"
        accept lifetime (always valid) - (always valid) [valid now]
        send lifetime (always valid) - (always valid) [valid now]
2621A#
2621B#show key chain
Key-chain securekey-2621B:
    key 100 -- text "secure-eigrp-traffic"
        accept lifetime (always valid) - (always valid) [valid now]
        send lifetime (always valid) - (always valid) [valid now]
2621B#
4. Issue the show ip eigrp interfaces detail command to display the interface configurations.
2811A#show ip eigrp interfaces detail
[output cut]
Se0/0/1    0    0/0    0    0/1    0    0
  Hello interval is 5 sec
  Next xmit serial
  Un/reliable mcasts: 0/0  Un/reliable ucasts: 0/0
  Mcast exceptions: 0  CR packets: 0  ACKs suppressed: 0
  Retransmissions sent: 0  Out-of-sequence rcvd: 0
  Authentication mode is md5,  key-chain is "securekey-2811A"
  Use unicast
[output cut]
2621A#show ip eigrp interfaces detail
[output cut]
Fa0/0      0    0/0    0    0/1    0    0
  Hello interval is 5 sec
  Next xmit serial
  Un/reliable mcasts: 0/0  Un/reliable ucasts: 0/0
  Mcast exceptions: 0  CR packets: 0  ACKs suppressed: 0
  Retransmissions sent: 0  Out-of-sequence rcvd: 0
  Authentication mode is md5,  key-chain is "securekey-2621A"
  Use unicast
[output cut]
2621B#show ip eigrp interfaces detail
[output cut]
Se0/0      0    0/0    0    0/1    0    0
  Hello interval is 5 sec
  Next xmit serial
  Un/reliable mcasts: 0/0  Un/reliable ucasts: 0/0
  Mcast exceptions: 0  CR packets: 0  ACKs suppressed: 0
  Retransmissions sent: 0  Out-of-sequence rcvd: 0
  Authentication mode is md5,  key-chain is "securekey-2621B"
  Use unicast
2621B#
The command displays the authentication mode and the name of the configured key chain.
5. Verify that 2621 Router B will not receive any routing updates if EIGRP Authentication is not configured correctly.
2621B#config t
2621B(config)#interface serial 0/0
2621B(config-if)#no ip authentication mode eigrp 10 md5
2621B(config-if)#no ip authentication key-chain eigrp 10
2621B(config-if)#exit
2621B(config)#exit
2621B#
6. Issue the show ip route command on 2621 Router B.
2621B#show ip route
[output cut]
     172.16.0.0/24 is subnetted, 2 subnets
C       172.16.30.0 is directly connected, Serial0/0
C       172.16.50.0 is directly connected, FastEthernet0/1
2621B#
As you can see above, the routing table for 2621 Router B has no EIGRP routing entries. Without the correct authentication configured on an interface, 2621 Router B will never receive routing updates.
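What Labs 3.5 and 3.6 exercise (a key chain holding a numbered key with a key string and accept/send lifetimes, neighbors whose chain names differ but whose key 100 agrees, and a neighbor whose updates stop arriving once its authentication no longer matches) can be modelled in a few lines. The following Python is an added illustration, not code from the book or the simulator. It uses HMAC-MD5 over a constructed update payload as a stand-in for the EIGRP MD5 authentication TLV; the real packet format and digest construction are not reproduced. The chain names and key string are the lab's; the timestamps, the payload, the "lowest valid key id sends" policy and the mismatched chains are constructed for the example.

```python
"""Model of key-chain authentication for routing updates (added illustration).

Mirrors what Labs 3.5/3.6 configure and verify: a key chain holding numbered
keys, each with a key string and accept/send lifetimes, and a receiver that
drops updates whose digest does not verify. HMAC-MD5 over the update bytes is
a stand-in for the EIGRP authentication TLV; the real wire format is not
reproduced. Chain names and the key string are the lab's; timestamps and the
update payload are constructed for the example.
"""
import hashlib
import hmac
from dataclasses import dataclass, field
from datetime import datetime, timezone

# "accept lifetime (always valid) - (always valid)" in 'show key chain'
ALWAYS = (datetime.min.replace(tzinfo=timezone.utc),
          datetime.max.replace(tzinfo=timezone.utc))


@dataclass
class Key:
    key_id: int                 # 'key 100'
    key_string: bytes           # 'key-string secure-eigrp-traffic'
    accept_lifetime: tuple = ALWAYS
    send_lifetime: tuple = ALWAYS

    def accepts(self, now):
        return self.accept_lifetime[0] <= now <= self.accept_lifetime[1]

    def sends(self, now):
        return self.send_lifetime[0] <= now <= self.send_lifetime[1]


@dataclass
class KeyChain:
    name: str                                  # 'key chain securekey-2811A'
    keys: dict = field(default_factory=dict)   # key_id -> Key

    def add(self, key):
        self.keys[key.key_id] = key
        return self


def digest(key_string, payload):
    return hmac.new(key_string, payload, hashlib.md5).digest()


def sign_update(chain, payload, now):
    """Sender side: authenticate `payload` with the lowest-numbered key whose
    send lifetime covers `now` (assumed sender policy) and return (key_id,
    digest) so the receiver knows which key to check against."""
    for key_id in sorted(chain.keys):
        key = chain.keys[key_id]
        if key.sends(now):
            return key_id, digest(key.key_string, payload)
    raise ValueError(f"{chain.name}: no key valid for sending at {now:%Y-%m-%d}")


def verify_update(chain, payload, key_id, received_digest, now):
    """Receiver side: accept only if the advertised key id exists in the local
    chain, that key's accept lifetime covers `now`, and the digest recomputed
    with the local key string matches (constant-time compare). The chain
    *name* never leaves the router; only key id and key string must agree."""
    key = chain.keys.get(key_id)
    if key is None or not key.accepts(now):
        return False
    return hmac.compare_digest(digest(key.key_string, payload), received_digest)


def demo():
    now = datetime(2012, 6, 1, tzinfo=timezone.utc)                    # constructed
    payload = b"EIGRP AS10 update: 172.16.40.0/24 metric 2172416"     # constructed
    shared = b"secure-eigrp-traffic"

    # Labs 3.5/3.6: different chain names per router, same key 100 / key string.
    chain_2811a = KeyChain("securekey-2811A").add(Key(100, shared))
    chain_2621a = KeyChain("securekey-2621A").add(Key(100, shared))
    # Constructed mismatches a receiver would reject:
    wrong_string = KeyChain("securekey-typo").add(Key(100, b"secure-eigrp-trafic"))
    wrong_id = KeyChain("securekey-id").add(Key(101, shared))
    expired = KeyChain("securekey-old").add(Key(
        100, shared,
        accept_lifetime=(datetime(2011, 1, 1, tzinfo=timezone.utc),
                         datetime(2011, 12, 31, tzinfo=timezone.utc))))

    key_id, dg = sign_update(chain_2811a, payload, now)
    return {
        "matching key, different chain names": verify_update(chain_2621a, payload, key_id, dg, now),
        "key string differs": verify_update(wrong_string, payload, key_id, dg, now),
        "key id unknown to receiver": verify_update(wrong_id, payload, key_id, dg, now),
        "accept lifetime expired": verify_update(expired, payload, key_id, dg, now),
        "payload altered in transit": verify_update(chain_2621a, payload + b"!", key_id, dg, now),
    }


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{'accepted' if accepted else 'rejected':8}  {case}")
```

Only the first case is accepted, which is exactly what step 5 of the lab shows from the other side: once 2621 Router B's interface no longer presents a matching digest, its neighbor discards the updates and the routing table is left with connected routes only.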
Lab 3.7: Configuring Advanced Commands with EIGRP
This section will have you configure a router with advanced EIGRP commands. Although the network used in this lab is too small to see any advantage to most of these commands, running through the commands on a router will help you become more familiar and comfortable with the commands when used later in the Extended labs or when you build your own larger networks.
Network Layout
Work with the saved network that you used in Lab 3.5.
Unless set otherwise, the bandwidth on a serial interface is assumed to be T1 (1.544 Mbps). In order to identify slower links, such as a 128K link, you must configure this manually. It is important that the bandwidth setting accurately reflect the actual bandwidth because it is one of the two elements used to calculate a route's metric. Improperly set bandwidth statements will skew the route decisions made by EIGRP. Use the bandwidth command followed by the bandwidth in kilobits in interface configuration mode. The possible values are from 1 to 10,000,000. The following command sets the bandwidth to 512K:
2621A(config)#interface serial 0/0
2621A(config-if)#bandwidth 512
The default for EIGRP is to use 50 percent of the available bandwidth per neighbor. This can be adjusted if you wish, by using the interface configuration command ip bandwidth-percent eigrp as percent, where percent indicates the percentage of bandwidth that EIGRP could potentially use. The following command configures EIGRP to use 40 percent of the available bandwidth per neighbor for autonomous system 10 on interface Serial 0/0:
2621A(config-if)#ip bandwidth-percent eigrp 10 40
In congested networks, it may also be necessary to increase the EIGRP hello interval and hold time so that neighbors do not mistakenly assume that an EIGRP neighbor has died when in fact there has simply been a delay in the arrival of Hello packets. The command to set the Hello interval is ip hello-interval eigrp as seconds; this indicates the number of seconds between transmissions of Hello packets. The command to set the hold timer is ip hold-time eigrp as seconds; this indicates how long to wait for a Hello packet before assuming that the neighbor has failed. In general, the hold time should be three times the Hello interval. The hello interval defaults to 60 seconds on NBMA media running at speeds of T1 or slower, and for all other networks, it defaults to 5 seconds. The hold time defaults to 180 seconds on T1 or slower NBMA networks and 15 seconds on all other networks. Both commands are entered under interface configuration mode, and the seconds parameter can range from 1 to 65535.
2621A(config-if)#interface fastethernet 0/0
2621A(config-if)#ip hello-interval eigrp ?
  <1-65535>  Autonomous system number
2621A(config-if)#ip hello-interval eigrp 10 ?
  <1-65535>  Seconds between hello transmissions
2621A(config-if)#ip hello-interval eigrp 10 100
2621A(config-if)#ip hold-time eigrp 10 ?
  <1-65535>  Seconds before neighbor is considered down
2621A(config-if)#ip hold-time eigrp 10 300
The commands above set the Hello interval to 100 seconds and the hold time to 300 seconds for EIGRP AS 10.
OSPF
Lab 4: Introduction to OSPF
OSPF is an open standards routing protocol that has been implemented by a wide variety of network vendors, including Cisco. The easiest way to configure OSPF is simply to use a single area. We will also discuss OSPF DR and BDR Elections. The following labs are covered:
• 4.1: Configuring Single Area OSPF
• 4.2: Verifying Single Area OSPF
• 4.3: OSPF Authentication
• 4.4: Stub Area Configuration
• 4.5: Totally Stub
• 4.6: OSPF DR and BDR Elections
Lab 4.1: Configuring Single Area OSPF
This section will discuss the OSPF routing process. OSPF is an open standards routing protocol that has been implemented by a wide variety of network vendors, including Cisco. The benefit of an approach based on open standards is that equipment from multiple vendors can interoperate as long as their implementations are compliant with the appropriate Requests for Comments (RFCs). This does not mean that vendors are forced to restrict their implementations to only the features documented in the RFCs. On the contrary, Cisco and others have added features to their versions of OSPF that may not be found in other vendors' implementations. Knowing which features are standards based and which are proprietary becomes important when deploying multivendor OSPF networks.
• Stands for Open Shortest Path First
• Uses the concept of an area, which is a grouping of contiguous OSPF networks and hosts
• Is a link-state routing protocol
• Has no maximum hop count
• Has an administrative distance of 110
• Includes equal-cost multipath routing
• Supports VLSM, summarization, and discontiguous networks
The easiest (and least scalable) way to configure OSPF is simply to use a single area, which requires a minimum of two commands. This program only supports a single area OSPF network, which will always be area 0.
The command to activate the OSPF routing process is as follows:
2621A(config)#router ospf ?
  <1-65535>
A value in the range 1 through 65535 identifies the OSPF Process ID, which is a unique number on this router that groups a series of OSPF configuration commands under a specific running process. Different OSPF routers do not have to use the same Process ID in order to communicate. It is purely a local value and is basically irrelevant. The only time an OSPF process number would matter is when you have multiple OSPF Autonomous Systems (AS) connecting together on the same network. This lab will be pretty simple as far as OSPF goes. We will start the process on each router, then configure the interfaces to be in OSPF area 0. This is much more complicated than any of the other routing protocols we have configured, but simple nonetheless for OSPF. However, since EIGRP has a better administrative distance than OSPF, we need to also disable the EIGRP routing processes on each router.
Network Layout
Work with the saved network that you have been using in section 3.
Lab Steps
1. First, disable EIGRP on the 2621 Router A.
2621A#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
2621A(config)#no router eigrp 10
2. Disable EIGRP on the 2621 B router.
2621B#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
2621B(config)#no router eigrp 10
3. Disable EIGRP on the 2811 Router A.
2811A#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
2811A(config)#no router eigrp 10
4. You will start the OSPF process by issuing the following command, as an example:
2621A(config)#router ospf 100
5. After starting the OSPF process (and disabling EIGRP on each router), you need to identify the interfaces on which to activate OSPF communications and the area in which each resides. This will also configure the networks you will advertise to others. This is achieved with the following command, as an example:
2621A(config-router)#network 10.0.0.0 0.255.255.255 area ?
  <0-4294967295>  OSPF area ID as a decimal value
  A.B.C.D         OSPF area ID in IP address format
A 0 (zero) octet in the wildcard mask indicates that the corresponding octet in the network must match exactly. A 255, on the other hand, indicates that you do not care what the corresponding octet is in the network number. A network and wildcard mask combination of 1.1.1.1 0.0.0.0 would match 1.1.1.1 only and nothing else. This is useful if you want to activate OSPF on a specific interface in a very clear and simple fashion. If you insist on matching a range of networks, the network and wildcard mask combination of 1.1.0.0 0.0.255.255 would match anything in the range 1.1.0.0–1.1.255.255. It’s simpler and safer to stick to using wildcard masks of 0.0.0.0 and identify each OSPF interface individually.
Remember that OSPF routers will only become neighbors if their interfaces share a network that is configured to belong to the same area number. The format of the area number is either a decimal value from the range 0–4294967295 or a value represented in standard dotted-decimal notation. Area 0.0.0.0 is a legitimate area, for example, and is identical to area 0. Again, we only support area 0 in this module at this time. Just a reminder, here are the router interface IP addresses for routers on the current network:
Router    Interface           IP Address
2621 A    Serial 0/0          172.16.20.2
2621 A    Fastethernet 0/0    172.16.40.1
2621 B    Serial 0/0          172.16.30.2
2621 B    Fastethernet 0/0    172.16.50.1
2811 A    Serial 0/1/1        172.16.20.1
2811 A    Serial 0/0/1        172.16.30.1
2811 A    Fastethernet 0/0    172.16.10.1
6. Configure the 2621 Router A to advertise both directly connected networks with OSPF. The router ospf number does not matter; use whatever feels good to you. The number can even be the same on all routers, or they can be different. In this lab we will use different numbers.
2621A(config)#router ospf 100
2621A(config-router)#network 172.16.20.2 0.0.0.0 area 0
2621A(config-router)#network 172.16.40.0 0.0.0.255 area 0
2621A(config-router)#ctrl+z
Anatomy of a Command: network 172.16.20.2 0.0.0.0 area 0
network 172.16.20.2 0.0.0.0 area 0 - tells the OSPF process to advertise the interface 172.16.20.2 into area 0.
172.16.20.2 - the network number.
0.0.0.0 - The wildcard mask of 0.0.0.0 tells the process to match each octet exactly.
0 - The final argument is the area number. It indicates the area to which the interfaces identified in the network and wildcard mask portion belong; here it tells the OSPF process to advertise the interface 172.16.20.2 into area 0.
The combination of the first two numbers identifies the interfaces that OSPF will operate on and that will also be included in its OSPF Link State Advertisements (LSAs).
Anatomy of a Command: network 172.16.40.0 0.0.0.255 area 0
network 172.16.40.0 0.0.0.255 area 0 - tells the router's OSPF process to look for any interface in subnet 172.16.40.0 and advertise it in area 0.
172.16.40.0 - the network number.
0.0.0.255 - With a wildcard of 0.0.0.255, this tells the OSPF process to match the first three octets exactly, but the fourth octet value is irrelevant. We could have used this command as well: network 172.16.40.1 0.0.0.0 area 0, which is just another way to advertise the same interface, but is more precise. There is no difference in function on the router or in OSPF.
0 - The final argument is the area number. It indicates the area to which the interfaces identified in the network and wildcard mask portion belong; here it tells the OSPF process to advertise the interface in 172.16.40.0 into area 0.
The combination of the first two numbers identifies the interfaces that OSPF will operate on and that will also be included in its OSPF Link State Advertisements (LSAs).
7. Configure 2621 Router B to advertise both directly connected networks with OSPF.
2621B(config)#router ospf 101
2621B(config-router)#network 172.16.30.2 0.0.0.0 area 0
2621B(config-router)#network 172.0.0.0 0.255.255.255 area 0
2621B(config-router)#ctrl+z
Now, let us go over what we have configured on 2621 Router B. Please understand that all we are doing is advertising OSPF networks and this lab is showing the many ways to accomplish the same thing. The command network 172.16.30.2 0.0.0.0 area 0 tells the OSPF process to advertise the interface 172.16.30.2 into area 0. The wildcard mask of 0.0.0.0 tells the process to match all four octets exactly. The command network 172.0.0.0 0.255.255.255 area 0 tells the OSPF process to look for an interface configured with network 172 in the first octet, but the other three octets can be any value. Once found, place that interface in area 0. Now, understand that with this second command, the first command is really not needed; we just did it for fun! The network command 172.0.0.0 will find any interface that has an IP address that starts with 172 and put that in area 0.
8. Configure 2811 Router A to advertise all directly connected networks with OSPF.
2811A(config)#router ospf 102
2811A(config-router)#network 172.16.10.1 0.0.0.0 area 0
2811A(config-router)#network 172.16.20.1 0.0.0.0 area 0
2811A(config-router)#network 172.16.30.1 0.0.0.0 area 0
2811A(config-router)#ctrl+z
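The wildcard-mask discussion above (exact match with 0.0.0.0, a range with 0.0.255.255, and the observation that 172.0.0.0 0.255.255.255 on 2621 Router B makes its exact-match statement unnecessary) can be checked mechanically. The Python below is an added illustration and not code from the book or the simulator: it evaluates the lab's own network statements against the lab's interface addresses, and flags any statement whose removal would leave OSPF running on exactly the same interfaces. The bit-level comparison is the general rule, so it also covers wildcards that do not fall on octet boundaries. Interface names follow the configuration steps (2621 Router B's LAN port is fa0/1 there); the ordering rule for overlapping statements is the most-specific-first order IOS applies, which for the lab's non-overlapping statements changes nothing.

```python
"""How OSPF 'network <address> <wildcard> area <id>' statements select
interfaces (added illustration for Lab 4.1, not the simulator's code).
Router data is the lab's address table and its network statements."""
import ipaddress


def _as_int(dotted):
    return int(ipaddress.IPv4Address(dotted))


def wildcard_matches(network, wildcard, address):
    """True when `address` matches `network` under an OSPF wildcard mask.
    A 0 bit means 'must match exactly', a 1 bit means 'don't care', so the
    two addresses are compared only on the bits the wildcard leaves at 0."""
    care = ~_as_int(wildcard) & 0xFFFFFFFF
    return (_as_int(address) & care) == (_as_int(network) & care)


def ospf_interfaces(interfaces, statements):
    """Map interface name -> area for every interface some statement selects.

    interfaces: {name: ip}; statements: [(network, wildcard, area), ...].
    Overlapping statements are resolved most specific first (fewest wildcard
    1-bits), the order IOS applies them in; an interface that matches nothing
    simply does not run OSPF."""
    by_specificity = sorted(statements,
                            key=lambda s: bin(_as_int(s[1])).count("1"))
    selected = {}
    for name, ip in interfaces.items():
        for network, wildcard, area in by_specificity:
            if wildcard_matches(network, wildcard, ip):
                selected[name] = area
                break
    return selected


def redundant_statements(interfaces, statements):
    """Statements whose removal changes nothing, e.g. the exact-match line on
    2621B that the broad 172.0.0.0 0.255.255.255 line already covers."""
    full = ospf_interfaces(interfaces, statements)
    return [s for s in statements
            if ospf_interfaces(interfaces, [t for t in statements if t != s]) == full]


# The lab's routers, from its address table and steps 6-8.
ROUTERS = {
    "2621A": {
        "interfaces": {"Serial0/0": "172.16.20.2", "FastEthernet0/0": "172.16.40.1"},
        "network": [("172.16.20.2", "0.0.0.0", 0), ("172.16.40.0", "0.0.0.255", 0)],
    },
    "2621B": {
        "interfaces": {"Serial0/0": "172.16.30.2", "FastEthernet0/1": "172.16.50.1"},
        "network": [("172.16.30.2", "0.0.0.0", 0), ("172.0.0.0", "0.255.255.255", 0)],
    },
    "2811A": {
        "interfaces": {"FastEthernet0/0": "172.16.10.1", "Serial0/1/1": "172.16.20.1",
                       "Serial0/0/1": "172.16.30.1"},
        "network": [("172.16.10.1", "0.0.0.0", 0), ("172.16.20.1", "0.0.0.0", 0),
                    ("172.16.30.1", "0.0.0.0", 0)],
    },
}


def report(router):
    r = ROUTERS[router]
    return {
        "ospf_interfaces": ospf_interfaces(r["interfaces"], r["network"]),
        "redundant": redundant_statements(r["interfaces"], r["network"]),
    }


if __name__ == "__main__":
    for name in ROUTERS:
        print(name, report(name))
    # Exact match versus range, as in the lab's 1.1.1.1 / 1.1.0.0 discussion:
    print(wildcard_matches("1.1.0.0", "0.0.255.255", "1.1.200.7"))   # True
    print(wildcard_matches("1.1.0.0", "0.0.255.255", "1.2.0.1"))     # False
```

Running it reports 2621B's exact-match statement as redundant and nothing else, and it shows why the lab recommends 0.0.0.0 wildcards: a broad statement such as 172.0.0.0 0.255.255.255 would also pull any future 172.x interface into area 0 without anyone typing its address.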
Save Your File: Make sure you save the network layout file that you have been working on.
Lab 4.2: Verifying Single Area OSPF
This lab describes several ways to verify proper OSPF configuration and operation.
Network Layout
Work with the saved network that you used to configure devices in Lab 4.1.
1. The show ip ospf command is used to display OSPF information for one or all OSPF processes running on the router. Information contained therein includes the Router ID, area information, SPF statistics, and LSA timer information. Here is a sample output from 2621 Router A:
2621A#sho ip ospf
 Routing Process "ospf 100" with ID 172.16.40.1
 Supports only single TOS(TOS0) routes
 SPF schedule delay 5 secs, Hold time between two SPFs 10 secs
 Minimum LSA interval 5 secs. Minimum LSA arrival 1 secs
 Number of external LSA 0. Checksum Sum 0x0
 Number of DCbitless external LSA 0
 Number of DoNotAge external LSA 0
 Number of areas in this router is 1. 1 normal 0 stub 0 nssa
 External flood list length 0
    Area BACKBONE(0) (Inactive)
        Number of interfaces in this area is 2
        Area has no authentication
        SPF algorithm executed 7 times
        Area ranges are
        Number of LSA 7. Checksum Sum 0x2E2A0
        Number of DCbitless LSA 0
        Number of indication LSA 0
        Number of DoNotAge LSA 0
        Flood list length 0
2621A#
2. The information displayed by the show ip ospf database command indicates the number of links and the neighboring Router ID. The output is broken down by area. Here is a sample output from 2621 Router A:
2621A#show ip ospf database
            OSPF Router with ID (172.16.40.1) (Process ID 100)

                Router Link States (Area 0)

Link ID         ADV Router      Age         Seq#       Checksum Link count
172.16.50.1     172.16.50.1     475         0x80000003 0x0030F9 3
172.16.40.1     172.16.40.1     475         0x80000003 0x0030F9 3
172.16.30.1     172.16.30.1     475         0x80000003 0x0030F9 3
2621A#
3. The show ip ospf interface command displays all interface-related OSPF information. Data is displayed about OSPF information for all interfaces or for specified interfaces. Information includes the interface IP address, area assignment, Process ID, Router ID, network type, cost, priority, DR/BDR (if applicable), timer intervals, and adjacent neighbor information. Here is a sample output:
2621A#show ip ospf interface
FastEthernet0/1 is up, line protocol is up
  Internet Address 172.16.40.1/24, Area 0
  Process ID 100, Router ID 172.16.40.1, Network Type BROADCAST, Cost: 1
  Transmit Delay is 1 sec, State DR, Priority 1
  Designated Router (ID) 172.16.40.1, Interface address 172.16.40.1
  No backup designated router on this network
  Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
    oob-resync timeout 40
    Hello due in 00:00:06
  Index 2/2, flood queue length 0
[output cut]
Serial0/0 is up, line protocol is up
  Internet Address 172.16.20.2/24, Area 0
  Process ID 100, Router ID 172.16.40.1, Network Type POINT_TO_POINT, Cost: 64
  Transmit Delay is 1 sec, State POINT_TO_POINT,
  Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
    oob-resync timeout 40
    Hello due in 00:00:06
[output cut]
2621A#
Notice in the above output that the hello timer is set to 10 seconds and the dead timer is set to 40. If two or more routers are connected together, the timers must be set exactly the same. By looking at line three of the show ip ospf interface command, you can see the OSPF network type.
OSPF network types
• Point-to-Point
• Broadcast
• Point-to-Multipoint
• Nonbroadcast
• Point-to-Multipoint Nonbroadcast
4. The show ip ospf neighbor command is very useful. It summarizes the pertinent OSPF information regarding neighbors and the adjacency state. If a DR or BDR exists, that information is also displayed. Here is an output from 2621 Router A:
2621A#show ip ospf neighbor
Neighbor ID     Pri   State           Dead Time   Address         Interface
172.16.30.1       1   FULL/BDR        00:00:36    172.16.20.1     Serial0/0
2621A#
5. The show ip protocols command is useful whether you are running OSPF, EIGRP, IGRP, RIP, BGP, IS-IS, or any other routing protocol you can configure on your router. It provides an excellent overview of the actual operation of all currently running protocols.
2621A#show ip protocols
Routing Protocol is "ospf 100"
  Outgoing update filter list for all interfaces is not set
  Incoming update filter list for all interfaces is not set
  Router ID 172.16.40.1
  Number of areas in this router is 1. 1 normal 0 stub 0 nssa
  Maximum path: 4
  Routing for Networks:
    172.16.20.2 0.0.0.0 area 0
    172.16.40.0 0.0.0.255 area 0
  Routing Information Sources:
    Gateway         Distance      Last Update
    172.16.30.1          110      00:00:29
    172.16.50.1          110      00:00:29
  Distance: (default is 110)
2621A#
6. Based upon this output, you can determine the OSPF Process ID, OSPF Router ID, type of OSPF area, networks and areas configured for OSPF, and OSPF Router IDs of neighbors.
Lab 4.3: OSPF Authentication
OSPF supports different methods of authentication. Authentication can be configured to pass the authentication key in clear text or encrypted. You will configure both methods of authentication in this lab. Additionally, when configuring an encrypted key, you can specify a single key or, by assigning numbers to keys, specify a series of keys. 2811 Router A has interfaces in both Area 0 and Area 1. 2811 Router B has an interface in Area 0 directly connected to 2811 Router A. 2811 Router C has an interface in Area 0 directly connected to 2811 Router A. 2811 Router D has an interface in Area 1 directly connected to 2811 Router A. For both the 2811 Router A - 2811 Router B and 2811 Router A - 2811 Router C connections you will configure message digest authentication. For the 2811 Router A - 2811 Router C connection you will configure a key list. For the 2811 Router A - 2811 Router D connection you will configure clear text authentication.
Network Layout: Load OSPF Authentication Layout.rsm before going through the following lab.
1. On the Network Visualizer screen, click on the File menu and then click Open.
2. When the dialog box appears, make sure you are in the Networks folder.
3. Click on the file OSPF Authentication Layout.rsm and click Open. You should see the following network:
Lab Steps
1. Bring up the console for 2811 Router A. After the console screen comes up set the:
   Hostname
   IP Address
   OSPF Parameters
Router#config t
Router(config)#hostname 2811A
2811A(config)#int f0/1
2811A(config-if)#ip add 10.1.0.1 255.255.255.0
2811A(config-if)#no shut
2811A(config-if)#int f0/0
2811A(config-if)#ip add 10.2.0.1 255.255.255.0
2811A(config-if)#no shut
2811A(config-if)#int s0/0/0
2811A(config-if)#ip add 172.16.1.1 255.255.255.0
2811A(config-if)#no shut
2811A(config-if)#router ospf 25
2811A(config-router)#network 10.1.0.1 0.0.0.0 area 0
2811A(config-router)#network 10.2.0.1 0.0.0.0 area 0
2811A(config-router)#network 172.16.1.1 0.0.0.0 area 1
2. Bring up the console for 2811 Router B. After the console screen comes up set the:
   Hostname
   IP Address
   OSPF Parameters
Router#config t
Router(config)#hostname 2811B
2811B(config)#int f0/1
2811B(config-if)#ip add 10.1.0.2 255.255.255.0
2811B(config-if)#no shut
2811B(config-if)#router ospf 25
2811B(config-router)#network 10.1.0.2 0.0.0.0 area 0
3. Bring up the console for 2811 Router C. After the console screen comes up set the:
   Hostname
   IP Address
   OSPF Parameters
Router#config t
Router(config)#hostname 2811C
2811C(config)#int f0/0
2811C(config-if)#ip add 10.2.0.2 255.255.255.0
2811C(config-if)#no shut
2811C(config-if)#router ospf 25
2811C(config-router)#network 10.2.0.2 0.0.0.0 area 0
4. Bring up the console for 2811 Router D. After the console screen comes up set the:
   Hostname
   IP Address
   OSPF Parameters
Router#config t
Router(config)#hostname 2811D
2811D(config)#int s0/0/0
2811D(config-if)#ip add 172.16.1.2 255.255.255.0
2811D(config-if)#no shut
2811D(config-if)#router ospf 25
2811D(config-router)#network 172.16.1.2 0.0.0.0 area 1
Rename and Save Your File: Make sure you save the actual network layout file that you have been working with. You might want to save it under another file name than OSPF Authentication Layout.rsm. This allows you to start over with your initial, non-configured network if you wish. There are two ways you can save a network layout. The first way is by clicking on the Diskette button on the button bar, at the top of the Network Visualizer screen. You can also click File on the menu and choose Save from the drop-down menu.
5. On 2811 Router A, confirm that 2811 Router A has an OSPF neighbor relationship with 2811 Router B, 2811 Router C and 2811 Router D.
2811A(config-router)#ctrl+z
2811A#show ip ospf neighbor
Neighbor ID     Pri   State           Dead Time   Address         Interface
172.16.1.2        1   FULL/  -        00:00:36    172.16.1.2      Serial0/0/0
10.2.0.2          1   FULL/BDR        00:00:36    10.2.0.2        FastEthernet0/0
10.1.0.2          1   FULL/BDR        00:00:36    10.1.0.2        FastEthernet0/1
6. You will now configure authentication on 2811 Router A only. You will configure message-digest authentication for area 0 and plain text authentication for area 1. You will then confirm that all neighbor relationships have closed as expected (authentication is not configured on any other routers).
2811A#config t
2811A(config)#router ospf 25
2811A(config-router)#area 0 authentication message-digest
2811A(config-router)#area 1 authentication
2811A(config-router)#int f0/1
2811A(config-if)#ip ospf authentication-key 0 cisco
2811A(config-if)#int f0/0
2811A(config-if)#ip ospf message-digest-key 1 md5 0 cisco1
2811A(config-if)#ip ospf message-digest-key 2 md5 0 cisco2
2811A(config-if)#int s0/0/0
2811A(config-if)#ip ospf authentication-key 0 cisco3
2811A(config-if)#ctrl+z
2811A#show ip ospf neighbor
2811A#
7. Now you will configure authentication on the other routers, then confirm that the neighbor relationships have been re-established.
2811B(config-router)#exit
2811B(config)#router ospf 25
2811B(config-router)#area 0 authentication message-digest
2811B(config-router)#int f0/1
2811B(config-if)#ip ospf authentication-key 0 cisco
2811B(config-if)#ctrl+z
2811C(config-router)#exit
2811C(config)#router ospf 25
2811C(config-router)#area 0 authentication message-digest
2811C(config-router)#int f0/0
2811C(config-if)#ip ospf message-digest-key 1 md5 0 cisco1
2811C(config-if)#ip ospf message-digest-key 2 md5 0 cisco2
2811C(config-if)#ctrl+z
2811D(config-router)#exit
2811D(config)#router ospf 25
2811D(config-router)#area 1 authentication
2811D(config-router)#int s0/0/0
2811D(config-if)#ip ospf authentication-key 0 cisco3
2811D(config-if)#exit
8. On 2811 Router A, confirm that 2811 Router A has an OSPF neighbor relationship with 2811 Router B, 2811 Router C and 2811 Router D.
2811A#show ip ospf neighbor
Neighbor ID     Pri   State           Dead Time   Address         Interface
172.16.1.2        1   FULL/  -        00:00:36    172.16.1.2      Serial0/0/0
10.2.0.2          1   FULL/BDR        00:00:36    10.2.0.2        FastEthernet0/0
10.1.0.2          1   FULL/BDR        00:00:36    10.1.0.2        FastEthernet0/1
Lab 4.4: Stub Area Configuration
Since the main purpose of having stub areas is to keep such areas from carrying external routes, we need to review some design guidelines before configuring a stub area or a totally stubby area:
• Area 0 (the backbone area) cannot be made a stub area.
• Since autonomous system boundary routers inject external routes, do not make any area containing an ASBR a stub area.
• Since routers within a stub area use a default route to get out of the stub area, typically there is only one route out of the stub area. Therefore, a stub area should usually only contain a single area border router. Keep in mind that since a default route is being used, if a stub area contains more than one ABR, a non-optimal path may be used.
• If you decide to make a particular area a stub area, be sure to configure all the routers in the area as stubby. If a router within a stub area has not been configured as stubby, it will not be able to correctly form adjacencies and exchange OSPF routes.
The following are some benefits of a stub area configuration:
• Smaller Link State Database
• Reduction in the size of the routing table
• Reduction in CPU processing for link state advertising
• Automatic creation of default gateway
With the guidelines in mind, let's examine a sample configuration for a stub area. We are going to make Area 2 a stub area. Let's review some key elements of our stub area configuration example:
• The syntax to make a router stubby is [area area-id stub].
• All routers that are part of Area 2 are configured as stubby.
• Area 2 has only one ABR (i.e., only one path out of the area).
• The ABR uses the area area-id stub command only for Area 2, not for Area 0, which is not stubby.
Network Layout: Work with the saved network that you used to configure devices in Lab 4.1.
Lab Steps
1. Configure 2811 Router A to be stubby:
2811A#config t
Enter configuration commands, one per line.  End with CNTL/Z.
2811A(config)#router ospf 102
2811A(config-router)#area 2 stub
2811A(config-router)#ctrl+z
2. Configure 2621 Router B to be stubby:
2621B#config t
Enter configuration commands, one per line.  End with CNTL/Z.
2621B(config)#router ospf 101
2621B(config-router)#area 2 stub
2621B(config-router)#ctrl+z
3. Verify your stub configurations on routers 2811 A and 2621 B.
2811A#show ip ospf
 Routing Process "ospf 102" with ID 172.16.30.1
 Supports only single TOS(TOS0) routes
 It is an area border router
 SPF schedule delay 5 secs, Hold time between two SPFs 10 secs
 Minimum LSA interval 5 secs. Minimum LSA arrival 1 secs
 Number of external LSA 0. Checksum Sum 0x0
 Number of DCbitless external LSA 0
 Number of DoNotAge external LSA 0
 Number of areas in this router is 3. 2 normal 1 stub 0 nssa
 External flood list length 0
[output cut]
    Area 1
[output cut]
    Area 2
        Number of interfaces in this area is 1
        It is a stub area
        Area has no authentication
        SPF algorithm executed 7 times
        Area ranges are
        Number of LSA 0. Checksum Sum 0x2E2A0
        Number of DCbitless LSA 0
        Number of indication LSA 0
        Number of DoNotAge LSA 0
        Flood list length 0
2811A#
2621B#show ip ospf
 Routing Process "ospf 101" with ID 172.16.50.1
 Supports only single TOS(TOS0) routes
 SPF schedule delay 5 secs, Hold time between two SPFs 10 secs
 Minimum LSA interval 5 secs. Minimum LSA arrival 1 secs
 Number of external LSA 0. Checksum Sum 0x0
 Number of DCbitless external LSA 0
 Number of DoNotAge external LSA 0
 Number of areas in this router is 1. 0 normal 1 stub 0 nssa
 External flood list length 0
    Area 2
        Number of interfaces in this area is 2
        It is a stub area
[output cut]
2621B#
As you can see, area 2 is now a stub area on both routers.
4. Issue the show ip route command to verify that the routing table now has a gateway of last resort set.
2621B#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is 172.16.30.1 to network 0.0.0.0

O IA 172.16.20.0/24 [110/128] via 172.16.30.1, 00:00:15, Serial0/0
O IA 172.16.10.0/24 [110/129] via 172.16.30.1, 00:00:15, Serial0/0
O IA 172.16.40.0/24 [110/65] via 172.16.30.1, 00:00:15, Serial0/0
     172.16.0.0/24 is subnetted, 2 subnets
C       172.16.50.0 is directly connected, FastEthernet0/1
C       172.16.30.0 is directly connected, Serial0/0
O*IA 0.0.0.0/0 [110/65] via 172.16.30.1, 00:00:15, Serial0/0
2621B#
As you can see, a gateway of last resort has automatically been added to the routing table.
5. Issue the show run command on routers 2811 A and 2621 B to verify the stubby configuration.
Lab 4.5: Totally Stub
Using the same network topology as we had for the stub area configuration, let's examine how to make Area 2 a totally stubby area. Remember, the only difference between a stub area and a totally stubby area is that a totally stubby area does not allow summary routes to be injected into it. The following are some benefits of a totally stub area configuration:
• Smaller link state database
• Reduction in the size of the routing table
• Reduction in CPU processing for link state advertising
• Automatic creation of default gateway
Network Layout: Work with the saved network that you used to configure devices in lab 4.4.
Lab Steps
1. Issue the show ip route command on 2621 Router B.
2621B#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route
Gateway of last resort is 172.16.30.1 to network 0.0.0.0
O IA 172.16.20.0/24 [110/128] via 172.16.30.1, 00:00:15, Serial0/0
O IA 172.16.10.0/24 [110/129] via 172.16.30.1, 00:00:15, Serial0/0
O IA 172.16.40.0/24 [110/65] via 172.16.30.1, 00:00:15, Serial0/0
     172.16.0.0/24 is subnetted, 2 subnets
C    172.16.50.0 is directly connected, FastEthernet0/1
C    172.16.30.0 is directly connected, Serial0/0
O*IA 0.0.0.0/0 [110/65] via 172.16.30.1, 00:00:15, Serial0/0
2621B#
As you can see, the routing table still has routes flagged with “O IA”, OSPF inter area routes. The routing table should look like this for now.
2. Configure OSPF area 2 on the 2811 Router A (ABR) to be totally stubby:
2811A#config t
Enter configuration commands, one per line. End with CNTL/Z.
2811A(config)#router ospf 102
2811A(config-router)#area 2 stub no-summary
2811A(config-router)#ctrl+z
The totally stubby configuration only needs to be made on our ABR, router 2811 A.
3. Issue the show ip ospf command to verify your totally stubby configuration on 2811 Router A.
2811A#show ip ospf
Routing Process “ospf 100” with ID 172.16.30.1
Supports only single TOS(TOS0) routes
It is an area border router
SPF schedule delay 5 secs, Hold time between two SPFs 10 secs
Minimum LSA interval 5 secs. Minimum LSA arrival 1 secs
Number of external LSA 0. Checksum Sum 0x0
Number of DCbitless external LSA 0
Number of DoNotAge external LSA 0
Number of areas in this router is 3. 2 normal 1 stub 0 nssa
External flood list length 0
[output cut]
Area 2
Number of interfaces in this area is 1
It is a stub area, no summary LSA in this area
Area has no authentication
[output cut]
2811A#
As you can see, area 2 is not allowing summary routes into the stub area.
4. Issue the show ip route command on 2621 Router B.
2621B#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route
Gateway of last resort is 172.16.30.1 to network 0.0.0.0
     172.16.0.0/24 is subnetted, 2 subnets
C    172.16.50.0 is directly connected, FastEthernet0/1
C    172.16.30.0 is directly connected, Serial0/0
O*IA 0.0.0.0/0 [110/65] via 172.16.30.1, 00:01:33, Serial0/0
2621B#
You can now see that the routing table no longer has routes flagged with “O IA”, OSPF inter area routes. The routing table only displays directly connected interfaces and a gateway of last resort. As you can see, the routing table is noticeably smaller.
5. Issue the show run command on 2811 Router A to verify the totally stubby configuration.
Lab 4.6: OSPF DR and BDR Elections
This lab will have you work with the OSPF DR and BDR Elections layout to watch the DR and BDR elections on the 10.10.10.0 network, by forcing and verifying the election process. Remember that elections occur on broadcast and non-broadcast multi-access networks only. This means we need a LAN to run this lab, as shown in the network layout.
Network Layout: Load the network layout file, OSPF DR and BDR Elections Layout.rsm.
Lab Steps
1. Double-click 2621 Router A in order to bring up the console screen.
2. Configure the hostname.
Router>enable
Router#config t
Router(config)#hostname 2621A
3. Configure the router with OSPF.
2621A(config)#router ospf 1
2621A(config-router)#network 10.10.10.0 0.0.0.255 area 0
4. Configure interface Fa0/0 for 2621 Router A.
2621A(config)#int f0/0
2621A(config-if)#ip add 10.10.10.1 255.255.255.0
2621A(config-if)#no shut
2621A(config-if)#ctrl+z
2621A#copy run start
5. Use the menu to change to the console for 2621 Router B.
6. Configure the hostname.
Router>enable
Router#config t
Router(config)#hostname 2621B
7. Configure the router with OSPF.
2621B(config)#router ospf 1
2621B(config-router)#network 10.10.10.0 0.0.0.255 area 0
8. Configure interface Fa0/0 for 2621 Router B.
2621B(config)#int f0/0
2621B(config-if)#ip add 10.10.10.3 255.255.255.0
2621B(config-if)#no shut
2621B(config-if)#ctrl+z
2621B#copy run start
9. Use the menu to change to the console for 2811 Router A.
10. Configure the hostname.
Router>enable
Router#config t
Router(config)#hostname 2811A
11. Configure the router with OSPF.
2811A(config)#router ospf 1
2811A(config-router)#network 10.10.10.0 0.0.0.255 area 0
12. Configure interface Fa0/0 for the 2811 A router.
2811A(config)#int f0/0
2811A(config-if)#ip add 10.10.10.2 255.255.255.0
2811A(config-if)#no shut
2811A(config-if)#ctrl+z
2811A#copy run start
13. Use the menu to change to the console for 2811 Router B.
14. Configure the hostname.
Router>enable
Router#config t
Router(config)#hostname 2811B
15. Configure the router with OSPF.
2811B(config)#router ospf 1
2811B(config-router)#network 10.10.10.0 0.0.0.255 area 0
16. Configure interface Fa0/0 for 2811 Router B.
2811B(config)#int f0/0
2811B(config-if)#ip add 10.10.10.4 255.255.255.0
2811B(config-if)#no shut
2811B(config-if)#ctrl+z
2811B#copy run start
17. On 2621 Router A verify the RID of your router. Use the show ip ospf command on the router to gather this information.
2621A#show ip ospf
Routing Process “ospf 1” with ID 10.10.10.1
Supports only single TOS(TOS0) routes
SPF schedule delay 5 secs, Hold time between two SPFs 10 secs
Minimum LSA interval 5 secs. Minimum LSA arrival 1 secs
Number of external LSA 0. Checksum Sum 0x0
Number of DCbitless external LSA 0
Number of DoNotAge external LSA 0
Number of areas in this router is 1. 1 normal 0 stub 0 nssa
External flood list length 0
Area BACKBONE(0) (Inactive)
Number of interfaces in this area is 1
Area has no authentication
SPF algorithm executed 7 times
Area ranges are
Number of LSA 1. Checksum Sum 0x2E2A0
Number of DCbitless LSA 0
Number of indication LSA 0
Number of DoNotAge LSA 0
Flood list length 0
2621A#
18. Enter the command show ip ospf interface fa0/0 to verify the area ID, DR and BDR information, and the hello and dead timers of the interface connected to the 10.1.1.0 network.
2621A#show ip ospf interface fa0/0
FastEthernet0/0 is up, line protocol is up
Internet Address 10.10.10.1/24, Area 0
Process ID 1, Router ID 10.10.10.1, Network Type BROADCAST, Cost: 64
Transmit Delay is 1 sec, State DROTHER, Priority 1
Designated Router (ID) 10.10.10.4, Interface address 10.10.10.4
Backup Designated router (ID) 10.10.10.3, Interface address 10.10.10.3
Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
Hello due in 00:00:01
Index 1/1, flood queue length 0
Next 0x0(0)/0x0(0)
Last flood scan length is 0, maximum is 0
Last flood scan time is 0 msec, maximum is 0 msec
Neighbor Count is 3, Adjacent neighbor count is 3
Adjacent with neighbor 10.10.10.3 (Backup Designated Router)
Adjacent with neighbor 10.10.10.2 (Other Designated Router)
Adjacent with neighbor 10.10.10.4 (Designated Router)
Suppress hello for 0 neighbor(s)
2621A#
19. By looking at the show ip ospf interface fa0/0 output, which router is the DR? Which router is the BDR?
20. Verify the network type of your router. Since the connection is on an Ethernet LAN, the Network Type is BROADCAST. What would the Network Type be if you were viewing a serial connection? Answer: point-to-point.
21. The priority of all routers, by default, is 1. If you were to change the priority to 0, then the router would never participate in the election process for the LAN (remember that elections do not occur on serial point-to-point links).
22. Change the priority of a router that you choose to become the new DR. Choose any router that is not the DR at this moment.
23. Enable the debugging process that allows you to see the DR and BDR election take place. Use the command debug ip ospf adjacency on the router that will become the DR.
24. For the router that was chosen to become the new DR, set the priority of the FastEthernet 0/0 interface to 3. Here is how you do that:
config t
int fa0/0
ip ospf priority 3
25. Now shut down the Fa0/0 interfaces of all four routers.
26. Now enable the fa0/0 interfaces of all four routers with the no shut command.
27. The election should take place and the router you have chosen with the highest priority should now be the DR.
28. Type show ip ospf interface fa0/0 to verify the DR and BDR information.
29. Hopefully you also noticed the debug output of the election process.
30. The priority of a router's interface can be set all the way up to 255. However, if the priority is set to 255, the DR/BDR can never be formed.
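The election rule this lab demonstrates, as an added example that is not part of the lab manual: a Python model of a fresh DR/BDR election on the 10.10.10.0 LAN using the four routers' RIDs from the lab, where priority 0 is excluded, the highest priority wins and the highest RID breaks ties. The router names, RIDs and priorities come from the lab; the function and variable names are my own.

```python
"""Model the OSPF DR/BDR election forced in the lab on the 10.10.10.0/24 LAN.

Added example, not part of the lab manual. The lab shuts every Fa0/0 and
brings them back up so a fresh election runs; this models that fresh election
only, not the stickiness of a DR that is already elected when a new router
joins a running segment.
"""
from ipaddress import IPv4Address
from typing import Dict, Optional, Tuple

# Constructed to match the lab: hostname -> (router ID, Fa0/0 OSPF priority).
LAB_ROUTERS: Dict[str, Tuple[str, int]] = {
    "2621A": ("10.10.10.1", 1),
    "2811A": ("10.10.10.2", 1),
    "2621B": ("10.10.10.3", 1),
    "2811B": ("10.10.10.4", 1),
}


def _rank(rid: str, priority: int) -> Tuple[int, int]:
    # Higher priority first, then higher RID; the RID is compared as an
    # integer so that 10.10.10.10 correctly outranks 10.10.10.9.
    return (priority, int(IPv4Address(rid)))


def elect_dr_bdr(routers: Dict[str, Tuple[str, int]]) -> Tuple[Optional[str], Optional[str]]:
    """Return (DR hostname, BDR hostname) for a fresh election on one segment."""
    # Priority 0 means "never participate" (lab step 21).
    eligible = {name: rp for name, rp in routers.items() if rp[1] > 0}
    if not eligible:
        return (None, None)  # nobody eligible, so the segment has no DR/BDR
    # RFC 2328 elects the BDR first and then the DR; with no router already
    # claiming the role, that reduces to: best candidate is DR, runner-up is BDR.
    ordered = sorted(eligible, key=lambda n: _rank(*eligible[n]), reverse=True)
    dr = ordered[0]
    bdr = ordered[1] if len(ordered) > 1 else None
    return (dr, bdr)


def with_priority(routers: Dict[str, Tuple[str, int]], name: str,
                  priority: int) -> Dict[str, Tuple[str, int]]:
    """Copy of the table with one router's Fa0/0 priority changed (ip ospf priority N)."""
    updated = dict(routers)
    rid, _ = updated[name]
    updated[name] = (rid, priority)
    return updated


if __name__ == "__main__":
    # All priorities 1: the highest RID (2811B, 10.10.10.4) becomes DR and the
    # next highest (2621B, 10.10.10.3) becomes BDR, as the lab's show output reports.
    print("default priorities:", elect_dr_bdr(LAB_ROUTERS))
    # Step 24 raises one router's priority to 3; it now wins outright.
    print("2621A priority 3:  ", elect_dr_bdr(with_priority(LAB_ROUTERS, "2621A", 3)))
    # Priority 0 removes a router from the election entirely.
    print("2811B priority 0:  ", elect_dr_bdr(with_priority(LAB_ROUTERS, "2811B", 0)))
```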
Virtual LANs (VLANs)
Lab 5: Introduction to Virtual LANs
A VLAN is a group of hosts that are logically connected, regardless of their physical LAN segment location. This allows you to specify where packets are transmitted instead of having them seen by every device. VLAN configuration is accomplished through software, which makes it easy to add or move a single host or a group of hosts when needed. VLANs create smaller broadcast domains, thus reducing broadcast collisions and increasing the efficiency of your network resources. Easier network management, added security, and the future growth of your network can all be addressed by the use of VLANs. This section will cover VLANs configured for the 1900, 3550, and 3560 switches. The labs covered in this section include:
• 5.1: Configuring VLANs on a 1900 Switch
• 5.2: Configuring the 1900 Switch
The labs above are for the 1900 switch, which is not a switch used in the Standard Layout, but is included for your educational purpose. The 1900 switch is an older switch and is end-of-life from Cisco®.
• 5.3: Configuring VLANs on a 3550 Switch
• 5.4: Configuring Trunk Ports/VTP Domain on a 3550 Switch
• 5.5: Configuring VLANs on a 3560 Switch
• 5.6: Configuring Trunk Ports/VTP Domain on a 3560 Switch
• 5.7: Intra and InterVLAN Routing
The commands used in this section are described below:
Command                     Description
delete vtp                  Deletes VTP configurations from a switch
encapsulation isl 2         Sets ISL routing for VLAN 2
int f0/0.1                  Creates a subinterface
interface e0/5              Configures Ethernet interface 5
interface f0/26             Configures FastEthernet 26
show trunk A                Shows the trunking status of port 26
show trunk B                Shows the trunking status of port 27
show vlan                   Shows all configured VLANs
show vlan-membership        Shows all port VLAN assignments
show vtp                    Shows the VTP configuration of a switch
trunk auto                  Sets the port to auto trunking mode
trunk on                    Sets a port to permanent trunking mode
vlan 2 name Sales           Creates a VLAN 2 named Sales
vlan-membership static 2    Assigns a static VLAN to a port
vtp client                  Sets the switch to be a VTP client
vtp domain                  Sets the domain name for the VTP configuration
vtp server                  Sets the switch to be a VTP server
Lab 5.1: Configuring VLANs on a 1900 Switch
Configuring VLANs is the easy part of the job. It is trying to understand which users you want in each VLAN that is time consuming. Once you have decided the number of VLANs you want to create and the users that will be members of each VLAN, you can create your VLANs. You can create up to 64 VLANs on a 1900 switch.
Network Layout
Load 1900 Switch Layout.rsm before going through the following lab.
1. On the Network Visualizer screen, click on the File menu and then click Open.
2. When the dialog box appears, make sure you are in the Networks folder.
3. Click on the file 1900 Switch Layout.rsm and click Open.
Lab Steps
1. Double-click 1900 Switch A in order to bring up the console screen.
2. To configure VLANs on the 1900 series switch, choose “k” from the initial user interface menu to get into IOS configuration. The following switch output is the console display when connecting to a 1900 switch. Press “k” to enter the CLI mode, and enter global configuration mode using the enable command and then config t.
1 user(s) now active on Management Console.
User Interface Menu
[M] Menus
[K] Command Line
Enter Selection: k
CLI session with the switch is open.
To end the CLI session, enter [Exit].
3. To configure VLANs on an IOS-based switch, use the vlan [vlan#] name [vlan name] command. The following will demonstrate how to configure VLANs on the switch by creating three VLANs for three different departments.
>en
#config t
Enter configuration commands, one per line. End with CNTL/Z
(config)#hostname 1900A
1900A(config)#vlan 2 name sales
1900A(config)#vlan 3 name marketing
1900A(config)#vlan 4 name mis
1900A(config)#exit
4. After you create the VLANs that you want, you can use the show vlan command to see the configured VLANs. However, notice that by default all ports on the switch are in VLAN 1. To change the VLAN associated with a port you need to go to each interface and tell it what VLAN to be a member of. Once the VLANs are created, verify your configuration with the show vlan command (sh vlan for short).
1900A#sh vlan
VLAN Name              Status     Ports
-------------------------------------
1    default           Enabled    1-12,A,B,AUI
2    sales             Enabled
3    marketing         Enabled
4    mis               Enabled
1002 fddi-default      Suspended
1003 token-ring-defau  Suspended
1004 fddinet-default   Suspended
1005 trnet-default     Suspended
-------------------------------------
[output cut]
5. You can configure each port to be in a VLAN by using the vlan-membership command. You can only configure VLANs one port at a time. There is no command to assign more than one port to a VLAN at a time with the 1900 switch. In the following example, we configure interface 2 to VLAN 2, interface 4 to VLAN 3, and interface 5 to VLAN 4.
1900A#config t
Enter configuration commands, one per line. End with CNTL/Z
1900A(config)#int e0/2
1900A(config-if)#vlan-membership ?
  dynamic  Set VLAN membership type as dynamic
  static   Set VLAN membership type as static
1900A(config-if)#vlan-membership static ?
  <1-1005>  ISL VLAN index
1900A(config-if)#vlan-membership static 2
1900A(config-if)#int e0/4
1900A(config-if)#vlan-membership static 3
1900A(config-if)#int e0/5
1900A(config-if)#vlan-membership static 4
1900A(config-if)#exit
1900A(config)#exit
6. Now, type show vlan again to see the ports assigned to each VLAN.
1900A#sh vlan
VLAN Name              Status     Ports
-------------------------------------
1    default           Enabled    1,3,6-12,A,B,AUI
2    sales             Enabled    2
3    marketing         Enabled    4
4    mis               Enabled    5
1002 fddi-default      Suspended
1003 token-ring-defau  Suspended
1004 fddinet-default   Suspended
1005 trnet-default     Suspended
-------------------------------------
[output cut]
7. Another command you can use to see the ports assigned to a VLAN is show vlan-membership. Notice that this command shows each port on the switch, which VLAN the port is a member of, and the membership type (static or dynamic).
1900A#sh vlan-membership
Port  VLAN  Membership Type
-----------------------------
1     1     Static
2     2     Static
3     1     Static
4     3     Static
5     4     Static
6     1     Static
7     1     Static
8     1     Static
9     1     Static
10    1     Static
11    1     Static
12    1     Static
AUI   1     Static
A     1     Static
B     1     Static
1900A#
Save Your File: Make sure you save the network layout file that you have been working on.
Lab 5.3: Configuring VLANs on a 3550 Switch
Configuring VLANs is the easy part of the job. It is trying to understand which users you want in each VLAN that is time consuming. Once you have decided the number of VLANs you want to create and the users that will be members of each VLAN, you can create your VLANs.
Network Layout
Load Standard Layout.rsm or whatever you named the file when you saved your work in earlier labs.
Lab Steps
1. To configure VLANs on the 3550 series switch, you can configure the VLANs from the VLAN database. You do this from privileged mode, not configuration mode. Type vlan database:
3550A#vlan database
2. To configure VLANs on the 3550 switch, use the vlan # name name command. The following shows an example of creating three VLANs.
3550A(vlan)#vlan 2 name Sales
VLAN 2 added:
    Name: Sales
3550A(vlan)#vlan 4 name Marketing
VLAN 4 added:
    Name: Marketing
3550A(vlan)#vlan 7 name Research
VLAN 7 added:
    Name: Research
3550A(vlan)#exit
APPLY completed.
Exiting....
3550A#
3. You must apply your changes to the switch. You can either use the apply command or use the exit command, which will then apply the changes.
4. After you create the VLANs that you want, you can use the show vlan command to see the configured VLANs. However, notice that by default all ports on the switch are in VLAN 1. To change the VLAN associated with a port you need to go to each interface and tell it what VLAN to be a member of. Once the VLANs are created, verify your configuration with the show vlan command (sh vlan for short).
3550A#show vlan
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/1, Fa0/2, Fa0/4, Fa0/5
                                                Fa0/6, Fa0/7, Fa0/8, Fa0/9
                                                Fa0/10
2    Sales                            active
4    Marketing                        active
7    Research                         active
1002 fddi-default                     active
1003 token-ring-default               active
1004 fddinet-default                  active
1005 trnet-default                    active
[output cut]
5. You can configure each port to be in a VLAN by using the switchport access vlan # command. You can only configure VLANs one port at a time. In the following example, we configure interface 1 to VLAN 2, interface 5 to VLAN 7, and interface 10 to VLAN 4.
3550A#config t
Enter configuration commands, one per line. End with CNTL/Z
3550A(config)#int fa0/1
3550A(config-if)#switchport access vlan 2
3550A(config)#int fa0/5
3550A(config-if)#switchport access vlan 7
3550A(config-if)#int fa0/10
3550A(config-if)#switchport access vlan 4
3550A(config-if)#exit
6. You must also set the port to be in access mode, which means that the interface will only be a member of one VLAN.
3550A(config)#int fa0/1
3550A(config-if)#switchport mode access
3550A(config)#int fa0/5
3550A(config-if)#switchport mode access
3550A(config-if)#int fa0/10
3550A(config-if)#switchport mode access
3550A(config-if)#exit
3550A(config)#exit
3550A#copy run start
Destination filename [startup-config]?
Building configuration...
[OK]
3550A#
7. Now, type show vlan again to see the ports assigned to each VLAN.
3550A#sh vlan
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/2, Fa0/4, Fa0/6, Fa0/7
                                                Fa0/8, Fa0/9
2    Sales                            active    Fa0/1
4    Marketing                        active    Fa0/10
7    Research                         active    Fa0/5
1002 fddi-default                     active
1003 token-ring-default               active
1004 fddinet-default                  active
1005 trnet-default                    active
[output cut]
Interface Fa0/1 is a member of VLAN 2, interface Fa0/5 a member of VLAN 5, and interface Fa0/10 is a member of VLAN 4.
8. Another command you can use to see the ports assigned to a VLAN is show running-config.
3550A#show run
[output cut]
!
interface FastEthernet0/1
 switchport access vlan 2
 switchport mode access
!
interface FastEthernet0/5
 switchport access vlan 7
 switchport mode access
!
interface FastEthernet0/10
 switchport access vlan 4
 switchport mode access
!
[output cut]
3550A#
Save Your File: Make sure you save the network layout file that you have been working on.
Lab 5.4: Configuring Trunk Ports and VTP Domain on a 3550 Switch
Network Layout
Work with the saved network that you used to configure devices in Lab 5.3.
Configure Trunk Ports
Trunk links are 100 or 1000 Mbps point-to-point links between two switches, between a switch and a router, or between a switch and a server. Trunked links carry the traffic of multiple VLANs, from 1 to 1005 at a time. You cannot run trunked links on 10 Mbps links, nor would you want to. Remember that an access link is a port on a switch that is a member of only one VLAN. In this network 3560 Switch A is connected to 3550 Switch A via interface Fa0/3 on each device. That is what we are going to use to set our trunk port between the two switches.
Lab Steps
1. To configure trunking on a 3550 port, use the switchport mode interface command. In this lab we will set it up for fa0/3.
3550A>en
3550A#config t
3550A(config)#int fa0/3
3550A(config-if)#switchport trunk encapsulation ?
  dot1q      Interface uses only 802.1q trunking encapsulation when trunking
  isl        Interface uses only ISL trunking encapsulation when trunking
  negotiate  Device will negotiate trunking encapsulation with peer on interface
3550A(config-if)#switchport trunk encapsulation dot1q
3550A(config-if)#switchport mode trunk
2. By default, traffic from all VLANs is sent over a trunk link. To change the VLANs permitted to send traffic on a trunk link, use the switchport trunk allowed vlan except # command. The command allows traffic from all VLANs except the VLANs listed. In lab 9.5 we set up VLAN 7; for now we do not want to allow VLAN 7 to send traffic across the trunk link.
3550A(config-if)#switchport trunk allowed vlan except 7
3. The above command sets the trunking interface to allow traffic from all VLANs except for VLAN 7.
4. To verify your trunk ports, use the show running-config command.
3550A(config-if)#exit
3550A(config)#exit
3550A#show run
[output cut]
!
interface FastEthernet0/3
 switchport trunk allowed vlan 1-6,8-1005
 switchport mode trunk
 switchport trunk encapsulation dot1q
!
[output cut]
5. Notice in the above output that all VLANs are allowed except for VLAN 7.
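Added example in Python, not from the lab manual: it reproduces the 1-6,8-1005 list that IOS derives from switchport trunk allowed vlan except 7, parses such a list back into a set, and audits a constructed show run excerpt for trunks that still carry a VLAN meant to stay off the trunk and for access ports missing switchport mode access. The function names and the sample excerpt are my own.

```python
"""Work out what `switchport trunk allowed vlan except 7` permits, and audit it.

Added example, not from the lab manual. IOS stores the "except" form as an
explicit range list (the lab's show run shows 1-6,8-1005); these helpers
reproduce that list, parse it back into a set, and check a running-config
excerpt the way a reviewer would.
"""
import re
from typing import Dict, List, Set

VLAN_MIN, VLAN_MAX = 1, 1005   # the VLAN range the lab's switches report


def expand_vlan_list(spec: str) -> Set[int]:
    """'1-6,8-1005' -> {1, 2, ..., 6, 8, ..., 1005}."""
    vlans: Set[int] = set()
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        start, end = int(lo), int(hi or lo)
        vlans.update(range(start, end + 1))
    return vlans


def compress_vlan_list(vlans: Set[int]) -> str:
    """{1..6, 8..1005} -> '1-6,8-1005' (the form show run prints)."""
    runs: List[str] = []
    ordered = sorted(vlans)
    i = 0
    while i < len(ordered):
        j = i
        while j + 1 < len(ordered) and ordered[j + 1] == ordered[j] + 1:
            j += 1
        runs.append(str(ordered[i]) if i == j else f"{ordered[i]}-{ordered[j]}")
        i = j + 1
    return ",".join(runs)


def allowed_except(excluded: Set[int]) -> str:
    """Range list that `switchport trunk allowed vlan except <list>` produces."""
    return compress_vlan_list(set(range(VLAN_MIN, VLAN_MAX + 1)) - excluded)


def parse_interfaces(running_config: str) -> Dict[str, List[str]]:
    """Split a show run excerpt into {interface name: [config lines]}."""
    interfaces: Dict[str, List[str]] = {}
    current = None
    for raw in running_config.splitlines():
        line = raw.strip()
        m = re.match(r"interface (\S+)", line)
        if m:
            current = m.group(1)
            interfaces[current] = []
        elif line == "!" or not line:
            current = None            # "!" ends an interface block
        elif current:
            interfaces[current].append(line)
    return interfaces


def audit(running_config: str, must_block: Set[int]) -> List[str]:
    """Return findings; an empty list means the config matches the lab's intent."""
    findings: List[str] = []
    for name, lines in parse_interfaces(running_config).items():
        if "switchport mode trunk" in lines:
            allowed = set(range(VLAN_MIN, VLAN_MAX + 1))   # IOS default: all VLANs
            for line in lines:
                m = re.match(r"switchport trunk allowed vlan (\S+)", line)
                if m:
                    allowed = expand_vlan_list(m.group(1))
            leaked = sorted(must_block & allowed)
            if leaked:
                findings.append(f"{name}: trunk still carries VLAN(s) {leaked}")
        elif any(l.startswith("switchport access vlan") for l in lines):
            # An access VLAN without a forced mode leaves the port negotiable (DTP).
            if "switchport mode access" not in lines:
                findings.append(f"{name}: access VLAN set but mode not forced to access")
    return findings


# Constructed excerpt in the shape of the lab's show run output.
SAMPLE_RUN = """\
!
interface FastEthernet0/1
 switchport access vlan 2
 switchport mode access
!
interface FastEthernet0/3
 switchport trunk allowed vlan 1-6,8-1005
 switchport mode trunk
 switchport trunk encapsulation dot1q
!
interface FastEthernet0/5
 switchport access vlan 7
!
"""

if __name__ == "__main__":
    print(allowed_except({7}))            # 1-6,8-1005
    for finding in audit(SAMPLE_RUN, {7}):
        print(finding)
```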
Configure VTP Domain
Every Catalyst switch is configured by default to be a VTP server. To configure VTP, first configure the domain name you want to use, as discussed in the next section. Once you configure the VTP information on a switch, you need to verify the configuration.
6. Use the vtp global configuration mode command to set this information. In the following example, we explicitly set switch 3550 A to be a VTP server, which it already is, and then set the VTP domain to routersim.
3550A(config)#vtp mode server
Device mode already VTP SERVER.
3550A(config)#vtp domain routersim
Changing VTP domain name from NULL to routersim
3550A(config)#
7. After you configure the VTP information, you can verify it with the show vtp status command.
3550A#show vtp status
VTP Version                     : 2
Configuration Revision          : 4
Maximum VLANs supported locally : 64
Number of existing VLANs        : 8
VTP Operating Mode              : Server
VTP Domain Name                 : routersim
VTP Pruning Mode                : Disabled
VTP V2 Mode                     : Disabled
VTP Traps Generation            : Disabled
MD5 digest                      : 0x70 0x01 0xF2 0x72 0x97 0xA1 0x35 0xEB
Configuration last modified by 172.16.10.17 at 11-29-93 20:39:24
Local updater ID is 172.16.10.17 on interface Vl1 (lowest numbered VLAN interface found)
3550A#
The preceding switch output shows the VTP domain and the switch’s mode.
Lab 5.5: Configuring VLANs on a 3560 Switch
In this lab we want to eventually associate ports 2 and 8 with VLANs 2 and 4, which were set up for 3550 Switch A in lab 5.3. However, we do not have to manually set up VLANs 2 and 4 again for 3560 Switch A. That can be broadcast from 3550 Switch A (from work you did in lab 5.2); however, we must do a couple of things in order to facilitate that.
Network Layout
Work with the saved network that you used to configure devices in Lab 5.4.
Lab Steps
1. Initially, let’s issue the show vlan command to verify that there are no VLANs associated with 3560 Switch A.
3560A#sh vlan
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/1, Fa0/2, Fa0/4, Fa0/5
                                                Fa0/6, Fa0/7, Fa0/8, Gi0/1
1002 fddi-default                     active
1003 token-ring-default               active
1004 fddinet-default                  active
1005 trnet-default                    active
[output cut]
No VLANs!
2. We now need to configure two ports, one for each VLAN, by using the switchport access vlan # command. You can only configure VLANs one port at a time. In the following example, we configure interface 2 to VLAN 2 and interface 8 to VLAN 4.
3560A(config)#config t
Enter configuration commands, one per line. End with CNTL/Z
3560A(config)#int fa0/2
3560A(config-if)#switchport access vlan 2
3560A(config-if)#int f0/8
3560A(config-if)#switchport access vlan 4
3. You must also set the port to be in access mode, which means that the interface will only be a member of one VLAN.
3560A(config)#int fa0/2
3560A(config-if)#switchport mode access
3560A(config-if)#int fa0/8
3560A(config-if)#switchport mode access
3560A(config-if)#exit
3560A(config)#exit
3560A#copy run start
Destination filename [startup-config]?
Building configuration...
[OK]
3560A#
4. We can verify what we did with the two ports with the show run command.
3560A#show run
[output cut]
!
interface FastEthernet0/2
 switchport access vlan 2
 switchport mode access
!
interface FastEthernet0/8
 switchport access vlan 4
 switchport mode access
!
[output cut]
3560A#
Save Your File: Make sure you save the network layout file that you have been working on.
Lab 5.6: Configuring Trunk Ports and VTP Domain on a 3560 Switch
Network Layout
Work with the saved network that you used to configure devices in Lab 5.5.
Configure Trunk Ports
Trunk links are 100 or 1000 Mbps point-to-point links between two switches, between a switch and a router, or between a switch and a server. Trunked links carry the traffic of multiple VLANs, from 1 to 1005 at a time. You cannot run trunked links on 10 Mbps links, nor would you want to. Remember that an access link is a port on a switch that is a member of only one VLAN.
Lab Steps
1. To configure trunking on a 3560 port, use the switchport mode trunk interface command. In this lab we will configure interface fa0/3.
3560A>en
3560A#config t
3560A(config)#int fa0/3
3560A(config-if)#switchport mode trunk
3560A(config-if)#switchport trunk encapsulation dot1q
2. To verify your trunk port, use the show running-config command.
3560A(config-if)#exit
3560A(config)#exit
3560A#show run
[output cut]
!
interface FastEthernet0/3
 switchport mode trunk
 switchport trunk encapsulation dot1q
!
[output cut]
Configure VTP Domain
Every Catalyst switch is configured by default to be a VTP server. To configure VTP, first configure the domain name you want to use, as discussed in the next section. Once you configure the VTP information on a switch, you need to verify the configuration.
3. Use the vtp global configuration mode command to set this information. In the following example, we set the switch to be a VTP client and then set the VTP domain to routersim.
3560A(config)#config t
3560A(config)#vtp mode client
Setting device to VTP CLIENT mode.
3560A(config)#vtp domain routersim
Changing VTP domain name from NULL to routersim
3560A(config)#ctrl+z
4. After you configure the VTP information, you can verify it with the show vtp command.
3560A#sh vtp status
VTP Version                     : 2
Configuration Revision          : 3
Maximum VLANs supported locally : 64
Number of existing VLANs        : 7
VTP Operating Mode              : Client
VTP Domain Name                 : routersim
VTP Pruning Mode                : Disabled
VTP V2 Mode                     : Disabled
VTP Traps Generation            : Disabled
MD5 digest                      : 0x70 0x01 0xF2 0x72 0x97 0xA1 0x35 0xEB
Configuration last modified by 172.16.10.3 at 11-29-93 20:39:24
Local updater ID is 172.16.10.3 on interface Vl1 (lowest numbered VLAN interface found)
3560A#
The preceding switch output shows the VTP domain and the switch’s mode.
5. VLAN information should now be propagated from 3550 Switch A to 3560 Switch A. Confirm this with the show vlan command.
3560A#show vlan
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/1, Fa0/4, Fa0/5, Fa0/6, Fa0/7
                                                Gi0/1
2    Sales                            active    Fa0/2
4    Marketing                        active    Fa0/8
7    Research                         active
1002 fddi-default                     active
1003 token-ring-default               active
1004 fddinet-default                  active
1005 trnet-default                    active
VLAN 7 will not be allowed to pass any traffic on the trunk link because we issued the command switchport trunk allowed vlan except 7 in lab 5.4, step 2.
Lab 5.7: IntraVLAN and InterVLAN Routing In previous labs we have set up VLANs 2 and 4 for the 3550 and 3560 switches. We will first set up the proper subnetting so that we can place Hosts A and C in VLANs 2 and Hosts B and D in VLANs 4. We will then have you test this by communicating with the
Lab 5.7: IntraVLAN and InterVLAN Routing
501
VLANS. Then we will set up interVLAN routing so that Hosts from VLANs 2 and 4 can communicate with each other. Network devices in different VLANs cannot communicate with each other without sending traffic through a router. In this lab we will use 2811 Router A to perform the 802.1q routing so that we can route traffic between the two VLANs. Two new subnets will be needed. We will us subnets 172.16.2.0/24 and 172.16.3.0/24. 2811 Router A FastEthernet 0/0 interface will stay at 172.16.10.1/24, however, the IP address needs to be moved to a subinterface, which we’ll do in a minute.
Network Layout Work with the saved network that you used to configure devices in Lab 5.6.
Lab Steps 1.
We configured all hosts in this network in ICND1 lab 2.11. If you have not configured the hosts in this lab, you should go through ICND1 lab 2.11. Let’s start from that point. VLAN 2 will have a subnet of 172.16.2.0/24 and VLAN 4 will have a subnet of 172.16.3.0/24. Change the current IP addresses of the hosts so they are in their proper VLAN. Change the IP addresses and defaultgateways of the four hosts.
Virtual LANs (VLANs)
502
Host
Current IP Address
New IP Address
New Default Gateway
A
172.16.10.5
172.16.2.2
172.16.2.1
B
172.16.10.6
172.16.3.3
172.16.3.1
C
172.16.10.7
172.16.2.3
172.16.2.1
D
172.16.10.8
172.16.3.2
172.16.3.1
2. Verify you have set up the VLANs correctly by pinging from Host A to Host C.

C:\>ping 172.16.2.3
Pinging 172.16.2.3 with 32 bytes of data:
Reply from 172.16.2.3: bytes=32 time=22ms TTL=254
Reply from 172.16.2.3: bytes=32 time=22ms TTL=254
Reply from 172.16.2.3: bytes=32 time=22ms TTL=254
Reply from 172.16.2.3: bytes=32 time=22ms TTL=254
Ping Statistics for 172.16.2.3:
Packets Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 22ms, Maximum = 23ms, Average = 22ms
C:\>

Once you can ping, you know you have configured at least one VLAN correctly. At this time, Host A and Host C cannot ping anything else in the network except each other.

3. At this point you should not be able to ping Host B even though it is connected to the same switch.

C:\>ping 172.16.3.3
Pinging 172.16.3.3 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Ping Statistics for 172.16.3.3:
Packets Sent = 4, Received = 0, Lost = 4 (100% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms
C:\>
4. Verify you have set up the VLANs correctly by pinging from Host B to Host D.

C:\>ping 172.16.3.2
Pinging 172.16.3.2 with 32 bytes of data:
Reply from 172.16.3.2: bytes=32 time=22ms TTL=254
Reply from 172.16.3.2: bytes=32 time=22ms TTL=254
Reply from 172.16.3.2: bytes=32 time=22ms TTL=254
Reply from 172.16.3.2: bytes=32 time=22ms TTL=254
Ping Statistics for 172.16.3.2:
Packets Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 22ms, Maximum = 23ms, Average = 22ms
C:\>
Once you can ping, you know you have configured both VLANs correctly. At this time, Host B and Host D cannot ping anything else in the network except each other.

5. To have the hosts ping outside their own VLAN, you must set up some type of routing. You also need to set up a trunk link between the switch and the router. Use the 2811 Router A FastEthernet 0/0 interface and create 802.1q routing. Create three subinterfaces, one for each VLAN. To establish a trunk link between 3550 Switch A and 2811 Router A, configure FastEthernet 0/4 on 3550 Switch A as a trunk port with 802.1q encapsulation. On the 3550 the trunk encapsulation has to be set before the port can be placed in trunk mode, so the two switch commands are entered in that order.

2811A>enable
2811A#config t
2811A(config)#int fa0/0
2811A(config-if)#no ip address
2811A(config-if)#int fa0/0.1
2811A(config-subif)#encapsulation dot1q 1
2811A(config-subif)#ip address 172.16.10.1 255.255.255.0
2811A(config-subif)#int fa0/0.2
2811A(config-subif)#encapsulation dot1q 2
2811A(config-subif)#ip address 172.16.2.1 255.255.255.0
2811A(config-subif)#int fa0/0.4
2811A(config-subif)#encapsulation dot1q 4
2811A(config-subif)#ip address 172.16.3.1 255.255.255.0
2811A(config-subif)#router ospf 102
2811A(config-router)#network 172.16.2.0 0.0.0.255 area 0
2811A(config-router)#network 172.16.3.0 0.0.0.255 area 0
2811A(config-router)#exit
2811A(config)#exit
2811A#copy run start
Destination filename [startup-config]?
Building configuration...
[OK]
2811A#

3550A>en
3550A#config t
3550A(config)#int f0/4
3550A(config-if)#switchport trunk encapsulation dot1q
3550A(config-if)#switchport mode trunk
6. Verify your subinterface configurations with the show run command.

2811A#show run
[output cut]
!
interface FastEthernet0/0
 description connection to LAN 10
 no ip address
 no ip directed-broadcast
!
interface FastEthernet0/0.1
 encapsulation dot1Q 1
 ip address 172.16.10.1 255.255.255.0
!
interface FastEthernet0/0.2
 encapsulation dot1Q 2
 ip address 172.16.2.1 255.255.255.0
!
interface FastEthernet0/0.4
 encapsulation dot1Q 4
 ip address 172.16.3.1 255.255.255.0
!
[output cut]

7. At this point, the hosts should be able to ping all hosts and 2811 Router A.
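The host table and the router subinterfaces above can be checked against each other, and the intra- versus inter-VLAN forwarding decision walked through, with the following Python. It is an added example, not code from the lab or from RouterSim; it assumes the host-to-VLAN assignments the lab text implies (Hosts A and C in VLAN 2, B and D in VLAN 4), and the helper names (check_host, forward, add_host) are hypothetical.

```python
"""Router-on-a-stick forwarding check for the Lab 5.7 addressing plan.

Added example, not code from the lab or from RouterSim. It models the two
decisions that make inter-VLAN routing work: a host delivers directly when the
destination is in its own subnet, otherwise it sends the frame (tagged with its
own VLAN) to the default gateway, and the router forwards out the subinterface
whose subnet holds the destination, re-tagging the frame with that VLAN. It
also catches the usual misconfigurations: a host addressed outside its VLAN's
subnet, or a gateway that is not the VLAN's subinterface address.
"""
from ipaddress import IPv4Address, IPv4Interface
from typing import Dict, Optional, Tuple

# 2811 Router A subinterfaces, keyed by 802.1Q tag (the subinterface number is
# irrelevant; only the encapsulation dot1q tag decides which VLAN it serves).
SUBIFS: Dict[int, IPv4Interface] = {
    1: IPv4Interface("172.16.10.1/24"),
    2: IPv4Interface("172.16.2.1/24"),
    4: IPv4Interface("172.16.3.1/24"),
}

# Hosts: name -> (access VLAN, address/prefix, default gateway).
# VLAN membership is assumed from the lab text; addresses are the lab's table.
HOSTS: Dict[str, Tuple[int, IPv4Interface, IPv4Address]] = {}


def add_host(name: str, vlan: int, addr: str, gateway: str) -> None:
    """Hypothetical helper: register a host the way the lab's table describes it."""
    HOSTS[name] = (vlan, IPv4Interface(addr), IPv4Address(gateway))


add_host("A", 2, "172.16.2.2/24", "172.16.2.1")
add_host("B", 4, "172.16.3.3/24", "172.16.3.1")
add_host("C", 2, "172.16.2.3/24", "172.16.2.1")
add_host("D", 4, "172.16.3.2/24", "172.16.3.1")


def check_host(name: str) -> Optional[str]:
    """Describe the misconfiguration, or return None if the host is sound."""
    vlan, addr, gw = HOSTS[name]
    subif = SUBIFS.get(vlan)
    if subif is None:
        return f"host {name}: VLAN {vlan} has no router subinterface"
    if addr.network != subif.network:
        return f"host {name}: {addr} is not in VLAN {vlan} subnet {subif.network}"
    if gw != subif.ip:
        return f"host {name}: gateway {gw} is not the VLAN {vlan} subinterface {subif.ip}"
    return None


def egress_vlan(dst: str) -> Optional[int]:
    """Router lookup: which subinterface (VLAN tag) owns the destination subnet."""
    ip = IPv4Address(dst)
    for vlan, subif in SUBIFS.items():
        if ip in subif.network:
            return vlan
    return None


def forward(src: str, dst: str) -> Tuple[str, int, Optional[int]]:
    """Return (how, ingress VLAN tag, egress VLAN tag) for a packet src -> dst.

    how is "direct" for intra-VLAN delivery, "routed" when 2811 Router A
    forwards it, or "unroutable" when no subinterface owns the destination.
    """
    s_vlan, s_addr, _ = HOSTS[src]
    _, d_addr, _ = HOSTS[dst]
    if d_addr.ip in s_addr.network:
        return ("direct", s_vlan, s_vlan)   # same subnet: the switch floods within the VLAN
    out = egress_vlan(str(d_addr.ip))       # frame goes tagged s_vlan to the router's MAC
    if out is None:
        return ("unroutable", s_vlan, None)
    return ("routed", s_vlan, out)          # router re-tags it with the destination VLAN


if __name__ == "__main__":
    for h in list(HOSTS):
        print(h, check_host(h) or "ok")
    for pair in (("A", "C"), ("A", "B"), ("B", "D")):
        print(pair, forward(*pair))
```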
Access Lists
Lab 6: Introduction to Managing Traffic with Access Lists
This set of labs will have you configure IP filtering on the internetwork. The proper use and configuration of access lists is a vital part of router configuration. Contributing mightily to the efficiency and optimization of your network, access lists give network managers a huge amount of control over traffic flow throughout the internetwork.

Access List: A set of permissions that have been established at an interface level that are used to permit or deny packets moving through a router, and permit or deny Telnet (VTY) access to or from a router. It essentially acts as a packet filtering firewall.
With access lists, managers can gather basic statistics on packet flow and security policies can be implemented. Sensitive devices can also be protected from unauthorized access. We will discuss access lists for TCP/IP, and we will cover some of the tools available to test and monitor the functionality of applied access lists. The following labs are presented in this section:

• 6.1: Standard IP Access-Lists Lab
• 6.2: Verifying Standard IP Access-lists Lab
• 6.3: Applying an Access-List to a VTY Line Lab
• 6.4: Extended IP Access-Lists Lab
• 6.5: Verifying Extended IP Access-lists
• 6.6: Removing Extended IP Access-lists

The commands covered in this chapter are as follows:

Command                   Meaning
access-list               Creates a list of tests to filter the networks.
host                      Specifies a single host address.
any                       Wildcard command. Specifies any host or any network; same as the 0.0.0.0 255.255.255.255 command.
0.0.0.0 255.255.255.255   Wildcard command; same as the any command.
ip access-group           Applies an IP access-list to an interface.
access-class              Applies a standard IP access list to a VTY line.
show access-list          Shows all the access lists configured on the router.
show access-list 110      Shows only access-list 110.
show ip access-list       Shows only the IP access lists.
show ip interface         Shows which interfaces have IP access lists applied.
There are two types of access lists used with IP. Standard access lists use only the source IP address in an IP packet to filter the network; this basically permits or denies an entire suite of protocols. (IPX standard access lists, by contrast, can filter on both source and destination IPX address.) Extended access lists check both the source and destination IP address, the protocol field in the Network layer header, and the port number in the Transport layer header. Once you create an access list, you apply it to an interface as either an inbound or an outbound list. Inbound access lists: packets are processed through the access list before being routed to the outbound interface. Outbound access lists: packets are routed to the outbound interface and then processed through the access list.
Lab 6.1: Standard IP Access-Lists
This lab will have you block access to network 172.16.40.0 from Host F. Access-lists can be tricky because if you do not create your lists correctly, you can bring the network down. There are two steps with access-lists:

• Create an access-list
• Apply an access-list

Standard IP access-lists use source addresses for filtering packets. A collection of permit and deny conditions is applied to IP addresses.
Network Layout
Load Standard Layout.rsm or whatever you named the file when you saved your work in earlier labs.
1. Double-click Host F.
2. Verify that you can ping the 2950 Switch A and that you can ping Host E from Host F.

C:\>ping 172.16.40.2
Pinging 172.16.40.2 with 32 bytes of data:
Reply from 172.16.40.2: bytes=32 time=22ms TTL=254
Reply from 172.16.40.2: bytes=32 time=22ms TTL=254
Reply from 172.16.40.2: bytes=32 time=22ms TTL=254
Reply from 172.16.40.2: bytes=32 time=22ms TTL=254
Ping Statistics for 172.16.40.2:
Packets Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 22ms, Maximum = 23ms, Average = 22ms

C:\>ping 172.16.40.3
Pinging 172.16.40.3 with 32 bytes of data:
Reply from 172.16.40.3: bytes=32 time=22ms TTL=254
Reply from 172.16.40.3: bytes=32 time=22ms TTL=254
Reply from 172.16.40.3: bytes=32 time=22ms TTL=254
Reply from 172.16.40.3: bytes=32 time=22ms TTL=254
Ping Statistics for 172.16.40.3:
Packets Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 22ms, Maximum = 23ms, Average = 22ms
C:\>
3. From the Host F menu, bring up the console for 2621 Router A.
4. Create an access-list that blocks access from Host F trying to get to network 172.16.40.0.

2621A>enable
2621A#config t
2621A(config)#access-list 10 deny host 172.16.50.3
2621A(config)#access-list 10 permit any

That is all we’re going to do for the list. Remember that IP standard access-lists should be created closest to the destination network, which is why we built that access-list on 2621 Router A. It is directly connected to network 172.16.40.0.
5. After creating an access-list for 2621 Router A, we now need to add the access-list to the serial 0/0 interface of 2621 Router A.

2621A(config)#interface serial 0/0
2621A(config-if)#ip access-group 10 in
This applied access-list 10 to the serial 0/0 interface of 2621 Router A and filtered any incoming packets.

6. Check to see that Host F can no longer ping 172.16.40.2 and 172.16.40.3.

C:\>ping 172.16.40.2
Pinging 172.16.40.2 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.
C:\>
C:\>ping 172.16.40.3
Pinging 172.16.40.3 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.
C:\>
7. If the access-list is correct, all other devices should still be able to reach network 172.16.40.0. Ping from 2621 Router B and verify that you can reach 172.16.40.2 and 172.16.40.3.

2621B#ping 172.16.40.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.40.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/4 ms
2621B#
2621B#ping 172.16.40.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.40.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/4 ms
2621B#
Save Your File: Make sure you save the network layout file that you have been working on.
Lab 6.2: Verifying Standard IP Access-Lists
Pinging and telnetting through the internetwork is a really good way to verify the network and access-lists. However, using the Cisco IOS commands is also a good way to verify the lists.
Network Layout
Work with the saved network that you used to configure devices in lab 6.1.
Lab Steps
1. Bring up the console for 2621 Router A and type show access-list to see the list configured on the router.

2621A(config-if)#ctrl+z
2621A#show access-list
Standard IP access list 10
    deny   172.16.50.3
    permit any
2621A#
2. You can also type either show ip access-list or show access-list 10 to gather specific list configurations.

2621A#show access-list 10
Standard IP access list 10
    deny   172.16.50.3
    permit any
2621A#
3. To see which interface has access-lists applied, use the show ip interface command.

2621A#show ip interface
Serial0/0 is up, line protocol is up
  Internet address is 172.16.20.2/24
  Broadcast address is 255.255.255.255
  Address determined by setup command
  MTU is 1514 bytes
  Helper address is not set
  Directed broadcast forwarding is disabled
  Outgoing access list is not set
  Inbound access list is 10
[output cut]
4. The show running-config command is useful to see both the access-list and to verify the interface where the access-list is applied.

2621A#show run
[output cut]
!
interface Serial0/0
 description connection to 2811A
 ip address 172.16.20.2 255.255.255.0
 no ip directed-broadcast
 ip access-group 10 in
!
[output cut]
Lab 6.3: Applying an Access-List to a VTY Line
You will have a difficult time trying to stop users from telnetting into a router because any active port on a router is fair game for VTY access. However, you can use a standard IP access-list to control access by placing the access-list on the VTY lines themselves. To perform this function:

1. Create a standard IP access-list that permits only the host or hosts you want to be able to telnet into the routers.
2. Apply the access list to the VTY line with the access-class command.

This lab will have you stop Host F from telnetting into 2621 Router A.
Network Layout
Work with the saved network that you used to configure devices in lab 6.2.
Lab Steps
1. Remove the access-list on 2621 Router A.

2621A#config t
2621A(config)#no access-list 10
2. Remove the access-list from the serial 0/0 interface of 2621 Router A.

2621A(config)#int s0/0
2621A(config-if)#no ip access-group 10 in

Typing no access-list 10 in global configuration mode removes the list itself, but you must type the whole no ip access-group command from interface configuration mode to remove the list from the interface on the router. Do not leave an interface pointing at a list that no longer exists: an ip access-group that references a missing list filters nothing and lets all traffic through.
3. Verify that Host F can telnet into 2621 Router A.

C:\>telnet 172.16.20.2
Connecting To 172.16.20.2 ...
This is 2621 Router A
User Access Verification
Password:
2621A>
4. Exit from your telnet session.

2621A>exit
Connection to host lost.
C:\>
5. Connect to 2621 Router A and block telnet access for Host F, but allow all other devices to telnet to 2621 Router A.

2621A#config t
2621A(config)#access-list 20 deny host 172.16.50.3
2621A(config)#access-list 20 permit any
6. Apply the access-list directly to the VTY lines and not to an interface.

2621A(config)#line vty 0 4
2621A(config-line)#access-class 20 in
2621A(config-line)#ctrl+z
2621A#
7. Verify that Host F can no longer telnet into 2621 Router A.

C:\>telnet 172.16.20.2
Connecting To 172.16.20.2 ...Could not open a connection to host: Connect failed
C:\>
8. Use the Host F menu to go to the 2621 Router A console.
9. Verify that 2621 Router B can still telnet into 2621 Router A.

2621B#telnet 172.16.20.2
Trying 172.16.20.2 ... Open
This is 2621 Router A
User Access Verification
Password:
2621A>
Save Your File: Make sure you save the network layout file that you have been working on.
Lab 6.4: Extended IP Access-Lists
In this lab we will remove the standard IP access-list on 2621 Router A and create a new, more specific access-list on 2621 Router A. We want Host F to use the services on the 172.16.40.0 network, but we don’t want it to telnet into 2950 Switch A.
Network Layout
Work with the saved network that you used to configure devices in lab 6.3.
Lab Steps
1. Remove the access-list on 2621 Router A.

2621A#config t
2621A(config)#no access-list 20
2. Bring up the Host F console by using 2621 Router A’s menu.
3. Verify that Host F can now ping 172.16.40.2 and 172.16.40.3.

C:\>ping 172.16.40.2
Pinging 172.16.40.2 with 32 bytes of data:
Reply from 172.16.40.2: bytes=32 time=22ms TTL=254
Reply from 172.16.40.2: bytes=32 time=22ms TTL=254
Reply from 172.16.40.2: bytes=32 time=22ms TTL=254
Reply from 172.16.40.2: bytes=32 time=22ms TTL=254
Ping Statistics for 172.16.40.2:
Packets Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 22ms, Maximum = 23ms, Average = 22ms

C:\>ping 172.16.40.3
Pinging 172.16.40.3 with 32 bytes of data:
Reply from 172.16.40.3: bytes=32 time=22ms TTL=254
Reply from 172.16.40.3: bytes=32 time=22ms TTL=254
Reply from 172.16.40.3: bytes=32 time=22ms TTL=254
Reply from 172.16.40.3: bytes=32 time=22ms TTL=254
Ping Statistics for 172.16.40.3:
Packets Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 22ms, Maximum = 23ms, Average = 22ms
C:\>
4. Create an access-list on 2621 Router A to block telnet access into the 172.16.40.0 network, but still allow Host F to ping Host E.

2621A#config t
2621A(config)#access-list 110 deny tcp host 172.16.50.3 172.16.40.0 0.0.0.255 eq telnet
2621A(config)#access-list 110 permit ip any any

This access-list blocks source address 172.16.50.3 from telnetting into 172.16.40.0.
5. Apply this access-list to the serial 0/0 interface of 2621 Router A to filter the packets coming into the router.

2621A(config)#int s0/0
2621A(config-if)#ip access-group 110 in
2621A(config-if)#ctrl+z
2621A#
6. Test the access-list by trying to telnet to 172.16.40.2 from Host F (remember, you cannot telnet to a host). All other devices should be able to telnet to 172.16.40.2.

C:\>telnet 172.16.40.2
Connecting To 172.16.40.2 ...Could not open a connection to host: Connect failed
C:\>
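The following Python is an added example, not code from the labs or from Cisco IOS. It parses list 10 (Lab 6.1) and list 110 (Lab 6.4) exactly as they were typed on 2621 Router A, evaluates constructed packets against them with IOS wildcard-mask and first-match semantics, and shows the implicit deny that lets a deny-only list bring the network down; the parse_acl, evaluate and Packet names are hypothetical.

```python
"""First-match evaluation of the Lab 6.1 and Lab 6.4 access lists.

Added example, not code from the labs or from Cisco IOS. It parses the
access-list lines as they were typed on 2621 Router A, matches packets using
IOS wildcard-mask semantics, walks each list top to bottom and stops at the
first match, and applies the implicit "deny any" that ends every IOS access
list. The packets are constructed samples.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import List, Optional, Tuple

AddrSpec = Tuple[str, str]                   # (base address, wildcard mask)
ANY: AddrSpec = ("0.0.0.0", "255.255.255.255")
PORT_NAMES = {"telnet": 23, "ssh": 22, "www": 80, "ftp": 21}


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """IOS wildcard semantics: a 0 bit must match exactly, a 1 bit is ignored."""
    care = ~int(IPv4Address(wildcard)) & 0xFFFFFFFF
    return int(IPv4Address(addr)) & care == int(IPv4Address(base)) & care


@dataclass
class Entry:
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" matches every protocol (all a standard list can say)
    src: AddrSpec
    dst: AddrSpec                # ANY for a standard list: it never looks at the destination
    dport: Optional[int] = None  # only set when "eq <port>" was given


@dataclass
class Packet:
    src: str
    dst: str
    proto: str                   # "tcp", "udp", "icmp", ...
    dport: Optional[int] = None


def _addr(tokens: List[str], i: int) -> Tuple[AddrSpec, int]:
    """Consume one IOS address spec (any | host A | A WILDCARD) starting at tokens[i]."""
    if tokens[i] == "any":
        return ANY, i + 1
    if tokens[i] == "host":
        return (tokens[i + 1], "0.0.0.0"), i + 2
    return (tokens[i], tokens[i + 1]), i + 2


def parse_acl(lines: List[str]) -> List[Entry]:
    """Parse 'access-list N permit|deny ...' lines; order is preserved because it matters."""
    entries: List[Entry] = []
    for line in lines:
        t = line.split()
        number, action = int(t[1]), t[2]
        standard = number <= 99 or 1300 <= number <= 1999   # IOS standard-list ranges
        if standard:
            src, _ = _addr(t, 3)
            entries.append(Entry(action, "ip", src, ANY))
        else:
            src, i = _addr(t, 4)
            dst, i = _addr(t, i)
            dport = None
            if i < len(t) and t[i] == "eq":
                dport = PORT_NAMES.get(t[i + 1]) or int(t[i + 1])
            entries.append(Entry(action, t[3], src, dst, dport))
    return entries


def evaluate(acl: List[Entry], pkt: Packet) -> str:
    """Walk the list top to bottom; the first matching entry decides."""
    for e in acl:
        if e.proto != "ip" and e.proto != pkt.proto:
            continue
        if not wildcard_match(pkt.src, *e.src) or not wildcard_match(pkt.dst, *e.dst):
            continue
        if e.dport is not None and e.dport != pkt.dport:
            continue
        return e.action
    return "deny"   # implicit deny any: a list with only deny entries blocks everything


# The two lists exactly as typed on 2621 Router A in Labs 6.1 and 6.4.
ACL_10 = parse_acl([
    "access-list 10 deny host 172.16.50.3",
    "access-list 10 permit any",
])
ACL_110 = parse_acl([
    "access-list 110 deny tcp host 172.16.50.3 172.16.40.0 0.0.0.255 eq telnet",
    "access-list 110 permit ip any any",
])

if __name__ == "__main__":
    host_f_ping = Packet("172.16.50.3", "172.16.40.3", "icmp")
    host_f_telnet = Packet("172.16.50.3", "172.16.40.2", "tcp", 23)
    other_telnet = Packet("172.16.50.4", "172.16.40.2", "tcp", 23)
    for name, acl in (("list 10", ACL_10), ("list 110", ACL_110)):
        for p in (host_f_ping, host_f_telnet, other_telnet):
            print(name, p, "->", evaluate(acl, p))
```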
Save Your File: Make sure you save the network layout file that you have been working on.
Lab 6.5: Verifying Extended IP Access-lists
We will use the same commands as we did to verify the IP standard access-lists. Go to 2621 Router A (if you created the list on 2621 Router A) and verify your access-list. Remember that ping and telnet are really good tools to verify your network as well.
Network Layout
Work with the saved network that you used to configure devices in lab 6.4.
Lab Steps
1. From 2621 Router A, type the show access-list command to see the configured list.

2621A#show access-list
Extended IP access list 110
    deny   tcp host 172.16.50.3 172.16.40.0 0.0.0.255 eq telnet
    permit ip any any
2621A#
2. Use the show access-list 110 command to see only list 110.

2621A#show access-list 110
Extended IP access list 110
    deny   tcp host 172.16.50.3 172.16.40.0 0.0.0.255 eq telnet
    permit ip any any
2621A#
3. You can also use show ip access-list to see only the IP access-lists configured on your router.

2621A#show ip access-list
Extended IP access list 110
    deny   tcp host 172.16.50.3 172.16.40.0 0.0.0.255 eq telnet
    permit ip any any
2621A#
4. Verify which interface has an access-list set by using the show ip interface command on 2621 Router A.

2621A#show ip interface
Serial0/0 is up, line protocol is up
  Internet address is 172.16.20.2/24
  Broadcast address is 255.255.255.255
  Address determined by setup command
  MTU is 1514 bytes
  Helper address is not set
  Directed broadcast forwarding is disabled
  Outgoing access list is not set
  Inbound access list is 110
[output cut]
2621A#
Lab 6.6: Removing Extended IP Access-lists
To remove the extended IP access-list, perform the following steps.
Network Layout
Work with the saved network that you used to configure devices in lab 6.4.
Lab Steps
1. Remove the access-list on 2621 Router A.

2621A#config t
2621A(config)#no access-list 110
2. Remove the access-list from the serial 0/0 interface of 2621 Router A.

2621A(config)#interface serial 0/0
2621A(config-if)#no ip access-group 110 in

Typing no access-list 110 in global configuration mode removes the list itself, but you must type the whole no ip access-group command from interface configuration mode to remove the list from the interface on the router.
3. Verify that you have removed the extended IP access-list.

2621A(config-if)#do show run
[output cut]
!
interface Serial0/0
 description connection to 2811A
 ip address 172.16.20.2 255.255.255.0
 no ip directed-broadcast
!
[output cut]
Practice Scenario: NAT and ACLs, Configuring ACLs for Telnet and SSH
Now that you have learned about some concepts and completed some hands-on work, try your problem-solving and troubleshooting skills with the following task. To complete your task you will need a network to interact with a scenario and the task(s) at hand. When you have finished with this scenario ... you can check your work by clicking the Grade Me button in the upper right hand corner of the Network Visualizer screen.
You will see a report that will display:

• The name of the command entered for this scenario
• The expected configuration
• Your configuration
• The result for each command. You will see a green check mark (meaning that you got it correct) or a red X
• A score of the number of correct answers out of the total possible
Network Layout
On the Network Visualizer screen, click on the Labs menu then choose Practice Scenarios, NAT and ACLs, and Configuring ACLs for Telnet and SSH.
Turn On Hostnames
In some of the practice labs we refer to the hostname of a device. Therefore, we need to make sure that Hostnames is turned on for this lab. On the Network Visualizer screen click View and then click Hostnames so that it has a checkmark next to it.
Scenario
Colorado Company RouterSim is planning and designing their new corporate internetwork. You are the network administrator for the Denver network. Develop an extended access list that will block the California network from telnetting into the DNVR_RTR router.
Task
Configure access-list 150 on the DNVR_RTR router as close as possible to the source network. Set it up so that any router or switch in the 172.16.40 network is blocked.
NAT/PAT
Lab 7.1: Configuring Dynamic NAT
This section will show you how to configure NAT to translate between the private addresses on the inside network and the real ISP-assigned addresses, so that the inside network can communicate with the Internet.
Network Layout
Use the network that you worked with in ICND1 lab 5.1. The network is Nat-Pat Layout.rsm or whatever you renamed it in the earlier lab. If you have not completed that lab, please go back and go through it.
Lab Steps
1. In this step, you’ll configure a dynamic NAT pool on 2811 Router B. Create a pool of addresses called RouterSim on 2811 Router B. The pool should contain a range of addresses from 171.16.10.50 through 171.16.10.55.

2811B(config)#ip nat pool RouterSim 171.16.10.50 171.16.10.55 netmask 255.255.255.0
2. Create access-list 1. This list permits traffic from the 192.168.20.0 and 192.168.10.0 networks to be translated.

2811B(config)#access-list 1 permit 192.168.20.0 0.0.0.255
2811B(config)#access-list 1 permit 192.168.10.0 0.0.0.255
3. Map the access list to the pool that was created.

2811B(config)#ip nat inside source list 1 pool RouterSim
4. Configure fa0/0 as an inside NAT interface.

2811B(config)#int fa0/0
2811B(config-if)#ip nat inside
5. Configure serial 0/0/0 as an outside NAT interface.

2811B(config-if)#int s0/0/0
2811B(config-if)#ip nat outside
6. Bring up the console for 2811 Router D. Telnet from 2811 Router D to 2811 Router A and do not disconnect.

2811D#telnet 171.16.10.1
Trying 171.16.10.1 ... Open
Password required, but none set
[Connection to 171.16.10.1 closed by foreign host]
2811D#

We received this message because we did not set up a telnet password on 2811 Router A.

7. Go to 2811 Router A and set up a telnet password.

2811A#config t
2811A(config)#line vty 0 1180
2811A(config-line)#password todd2

8. Try step 6 again and if you are successful, move on to step 9.
9. Bring up the console for 2811 Router C. Telnet from 2811 Router C to 2811 Router A and do not disconnect.

2811C#telnet 171.16.10.1
10. Go back to 2811 Router A and execute the command show users. (This shows who is accessing the VTY lines.)

2811A#show users
    Line       User       Host(s)              Idle       Location
   0 con 0                idle                 00:00:00
   2 vty 0                idle                 00:00:40   171.16.10.50
*  3 vty 1                idle                 00:00:17   171.16.10.51

  Interface    User               Mode         Idle     Peer Address

2811A#
Notice that there is a one-to-one translation, which means you must have a real IP address for every host that wants to get to the Internet; that is not always possible.

11. Leave the session open on 2811 Router A and connect back to 2811 Router B.

12. Bring up the console for 2811 Router B and view your current translations by entering the show ip nat translations command. You should see something like this:

2811B#sh ip nat translations
Pro Inside global      Inside local       Outside local      Outside global
--- 171.16.10.50       192.168.20.2       ---                ---
--- 171.16.10.51       192.168.10.2       ---                ---
2811B#

Remember that the “inside local” is the address before translation and the “inside global” is the address after translation, which is how you are known on the Internet. Exit out of the telnet session from 2811 Router D.

13. If you turn on debug ip nat on 2811 Router B and then ping through the router from 2811 Router D, you will see the actual NAT process take place, which will look something like this:

2811B#debug ip nat

2811D#ping 171.16.10.1

2811B#
Feb 27 17:16:18.256: NAT*: s=192.168.20.2->171.16.10.52, d=171.16.10.1 [1]
Feb 27 17:16:18.260: NAT*: s=171.16.10.1->171.16.10.52, d=192.168.20.2 [1]
Save Your File: Make sure you save the network layout file that you have been working on.
Lab 7.2: Configuring PAT
Port Address Translation (PAT), also called NAT Overload, uses TCP and UDP port numbers to uniquely identify hosts on the inside network so that everyone on the inside network can use only one real IP address to send packets to the Internet. Static NAT is a one-for-one translation, which means that each host uses a unique real IP address to send packets to the Internet. By using PAT, we save address space by using only one real IP address for all hosts. In this lab, you’ll configure Port Address Translation (PAT) on 2811 Router B. We will use PAT because we don’t want a one-to-one translation, but instead we want to just use one IP address for every user on the network.
Network Layout
Use the network you worked with in lab 7.1.
Lab Steps
1. Terminate the telnet sessions on 2811 Router C by using the exit command.
2. On 2811 Router B, delete the translation table and remove the dynamic NAT pool.

2811B#clear ip nat translation *
2811B#config t
2811B(config)#no ip nat pool RouterSim 171.16.10.50 171.16.10.55 netmask 255.255.255.0
2811B(config)#no ip nat inside source list 1 pool RouterSim
3. On 2811 Router B, create a NAT pool with one address called Lammle. The pool should contain the single address 171.16.10.100. Enter the command below:

2811B(config)#ip nat pool Lammle 171.16.10.100 171.16.10.100 netmask 255.255.255.0
4. Create access-list 2. It should permit networks 192.168.20.0 and 192.168.10.0 to be translated.

2811B(config)#access-list 2 permit 192.168.20.0 0.0.0.255
2811B(config)#access-list 2 permit 192.168.10.0 0.0.0.255
5. Map access-list 2 to the new pool, allowing PAT to occur by using the overload keyword.

2811B(config)#ip nat inside source list 2 pool Lammle overload
6. Bring up the console for 2811 Router D and telnet to 2811 Router A. Then bring up 2811 Router C and telnet to 2811 Router A.
7. From the ISP router use the show users command. The output should look something like this:

2811A>sh users
    Line       User       Host(s)              Idle       Location
   0 con 0                idle                 00:00:00
   2 vty 0                idle                 00:00:29   171.16.10.100
*  3 vty 1                idle                 00:00:21   171.16.10.100

  Interface    User               Mode         Idle     Peer Address

2811A>
8. From 2811 Router B use the show ip nat translations command.

2811B#sh ip nat translations
Pro Inside global         Inside local          Outside local        Outside global
tcp 171.16.10.100:1723    192.168.10.2:1723     171.16.10.1:23       171.16.10.1:23
tcp 171.16.10.100:1723    192.168.20.2:1723     171.16.10.1:23       171.16.10.1:23
2811B#

9. Exit the telnet session from 2811 Router D.
10. Also make sure that the debug ip nat command is on 2811 Router B. If you ping from 2811 Router C to 2811 Router A, the output will look like this:

01:12:36: NAT: s=192.168.10.2->171.16.10.100, d=171.16.10.1 [35]
01:12:36: NAT*: s=171.16.10.1, d=171.16.10.100->192.168.10.2 [35]
01:12:36: NAT*: s=192.168.10.2->171.16.10.100, d=171.16.10.1 [36]
01:12:36: NAT*: s=171.16.10.1, d=171.16.10.100->192.168.10.2 [36]
01:12:36: NAT*: s=192.168.10.2->171.16.10.100, d=171.16.10.1 [37]
01:12:36: NAT*: s=171.16.10.1, d=171.16.10.100->192.168.10.2 [37]
01:12:36: NAT*: s=192.168.10.2->171.16.10.100, d=171.16.10.1 [38]
01:12:36: NAT*: s=171.16.10.1, d=171.16.10.100->192.168.10.2 [38]
01:12:37: NAT*: s=192.168.10.2->171.16.10.100, d=171.16.10.1 [39]
01:12:37: NAT*: s=171.16.10.1, d=171.16.10.100->192.168.10.2
Lab 7.3: NAT/PAT Final Configuration Exercise
In this lab, you will configure two routers and a host so that the inside network can communicate with the outside network using Port Address Translation. You will not use the network layout used previously. You have six public IP addresses assigned to your company: 198.18.194.73-78. There are 30 hosts that need to access the Internet simultaneously.

• Host range on the inside network is 192.168.35.65-94
• Inside global addresses are 198.18.194.73-78/29
• Inside local addresses are 192.168.35.65-94/27
Network Layout
Load Nat-Pat Final Layout.rsm before going through the following lab.
1. On the Network Visualizer screen, click on the File menu and then click Open.
2. When the dialog box appears, make sure you are in the Networks folder.
3. Click on the file Nat-Pat Final Layout and click Open.
Lab Steps
1. Double-click 2811 Router B to open the console screen.
2. Configure 2811 Router B.

Router>en
Router#config t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#hostname 2811B
2811B(config)#int fa0/0
2811B(config-if)#ip address 192.168.35.94 255.255.255.224
2811B(config-if)#no shut
2811B(config-if)#int s0/0/0
2811B(config-if)#ip address 192.0.2.157 255.255.255.252
2811B(config-if)#clock rate 1000000
2811B(config-if)#no shut
2811B(config-if)#ctrl+z
2811B#copy run start
Destination filename [startup-config]? [enter]
Building configuration...
[OK]
2811B#
3. Configure 2811 Router A with IP addresses and default routing.

Router>en
Router#config t
Router(config)#hostname 2811A
2811A(config)#int s0/0/1
2811A(config-if)#ip address 192.0.2.158 255.255.255.252
2811A(config-if)#no shut
2811A(config-if)#exit
2811A(config)#ip route 0.0.0.0 0.0.0.0 192.0.2.157
4. Configure your host with the IP address 192.168.35.65/27. Don’t forget to set your default gateway.
5. Create an inside source list that will allow the inside hosts to access the NAT pool and allow the use of PAT.

2811B#config t
2811B(config)#ip nat inside source list 10 pool 2811B overload
6. Next, create an access-list for the IP range 192.168.35.65-94/27.

2811B(config)#access-list 10 permit 192.168.35.64 0.0.0.31
7. Verify your access-list.

2811B(config)#do show run
Building configuration...
!
Current configuration : 960 bytes
!
access-list 10 permit 192.168.35.64 0.0.0.31
[output cut]
2811B(config)#do show access-lists
Standard IP access list 10
    10 permit 192.168.35.64, wildcard bits 0.0.0.31
2811B(config)#
8. Create the pool with the six available global host IP addresses.

2811B(config)#ip nat pool 2811B 198.18.194.73 198.18.194.78 netmask 255.255.255.248
9. Configure the interfaces for use with NAT.

2811B(config)#int fa0/0
2811B(config-if)#ip nat inside
2811B(config-if)#int s0/0/0
2811B(config-if)#ip nat outside
2811B(config-if)#exit
2811B(config)#exit
2811B#copy run start
Destination filename [startup-config]? [enter]
Building configuration...
[OK]
2811B#
10. Change the console screen to Host A and then ping 2811 Router A.

C:\>ping 192.0.2.158
11. Change to the console screen for 2811 Router B and verify your NAT/PAT configuration by enabling debug ip nat.

2811B#debug ip nat
IP NAT debugging is on
Dec 3 16:48:09.484: NAT*: s=192.168.35.65->198.18.194.73, d=192.0.2.158 [1]
Dec 3 16:48:09.500: NAT*: s=192.0.2.158->198.18.194.73, d=192.168.35.65 [1]
2811B#
12. Verify your NAT table with the following command:

2811B#sh ip nat translations
Pro  Inside global        Inside local         Outside local        Outside global
icmp 198.18.194.74:1     192.168.35.65:1      192.0.2.158:1        192.0.2.158:1
2811B#
13. Delete the NAT/PAT configuration on your routers.

14. Reconfigure the router with the following IP addresses on 2811 Router B (try to configure this without looking at the answers for the NAT/PAT configuration we just finished):

Interface f0/0: 192.168.76.94/27
Interface s0/0/0: 192.0.2.165/30
Inside global: 198.18.149.113-118/29
Inside local: 192.168.76.65-94/27

15. Verify your NAT configuration.
VLSM with Summarization
Lab 8.1: VLSM with Summarization Lab—Configuring Routers
The following lab will have you configure a medium-size network into block sizes of 32 (/27) using the EIGRP routing protocol and summarizing the classless boundaries. The switches will not be configured in this lab and will behave just like hubs. You will configure each router in the lab with the appropriate IP addressing and verify the configuration in lab 8.2.
Network Layout
Load VLSM Layout.rsm before going through the following lab.
1. On the Network Visualizer screen, click on the File menu and then click Open.
2. When the dialog box appears, make sure you are in the Networks folder.
3. Click on the file VLSM Layout.rsm and click Open.
Routers 2811 A through 2811 E will be configured in the 192.168.10.32/27 network and routers 2811 F through 2811 J will be configured in the 192.168.10.64/27 network. In each network there are four block sizes of four (the WAN links) and two block sizes of eight (the LANs). To connect routers 2811 A and 2811 F across the backbone, we will use the 10.1.1.0/24 network. This is called discontiguous networking because we have one class of network (192.168.10.0) connecting across to the same network address through the 10.0.0.0 network, and this will not work by default. RIPv1 and IGRP can never work in this type of network. In order to use VLSM with discontiguous networking in your network, you must use one of the following routing protocols: RIPv2, EIGRP, OSPF or IS-IS (these are considered classless routing protocols). This lab will have you use EIGRP as the classless routing protocol.
Discontiguous Networking When a major network like 192.168.10.0 is separated by a different major network like 10.0.0.0. Example: The 192.168.10.0/24 network can be subnetted into two or more networks. The networks 192.168.10.36/30 and 192.168.10.80/29 are configured on different routers. The routers are using the 10.0.0.0 network to connect to each other, thus one major network being separated by another major network.
Here is the IP addressing scheme used in this lab for routers 2811 A through 2811 J (notice how the four block sizes of four and two block sizes of eight fit in one block size of 32: VLSM network addressing).

Router          Block Sizes
2811 Router A   S0/0/0: 192.168.10.37/30 (subnet 36, block size of 4)
                S0/0/1: 192.168.10.33/30 (subnet 32, block size of 4)
                F0/0: 10.1.1.1/24
2811 Router B   S0/0/0: 192.168.10.41/30 (subnet 40, block size of 4)
                S0/0/1: 192.168.10.34/30 (subnet 32, connected to s0/0/1 of 2811 Router A)
2811 Router C   S0/0/0: 192.168.10.45/30 (subnet 44, block size of 4)
                S0/0/1: 192.168.10.38/30 (subnet 36, connected to s0/0/0 of 2811 Router A)
2811 Router D   S0/0/0: 192.168.10.42/30 (subnet 40, connected to s0/0/0 of 2811 Router B)
                F0/0: 192.168.10.49/29 (subnet 48, block size of 8)
2811 Router E   S0/0/0: 192.168.10.46/30 (subnet 44, connected to s0/0/0 of 2811 Router C)
                F0/0: 192.168.10.57/29 (subnet 56, block size of 8)
2811 Router F   S0/0/0: 192.168.10.69/30 (subnet 68, block size of 4)
                S0/0/1: 192.168.10.65/30 (subnet 64, block size of 4)
                F0/0: 10.1.1.2/24
2811 Router G   S0/0/0: 192.168.10.73/30 (subnet 72, block size of 4)
                S0/0/1: 192.168.10.66/30 (subnet 64, connected to s0/0/1 of 2811 Router F)
2811 Router H   S0/0/0: 192.168.10.77/30 (subnet 76, block size of 4)
                S0/0/1: 192.168.10.70/30 (subnet 68, connected to s0/0/0 of 2811 Router F)
2811 Router I   S0/0/0: 192.168.10.74/30 (subnet 72, connected to s0/0/0 of 2811 Router G)
                F0/0: 192.168.10.81/29 (subnet 80, block size of 8)
2811 Router J   S0/0/0: 192.168.10.78/30 (subnet 76, connected to s0/0/0 of 2811 Router H)
                F0/0: 192.168.10.89/29 (subnet 88, block size of 8)
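As an added example (not from the lab manual or the Network Visualizer software), the following Python script reproduces the block-size arithmetic behind this table: it carves a /27 into the four /30 WAN links and two /29 LANs, lists each subnet's usable host range, and checks every interface address against the plan so that a mistyped address, a wrong mask, or a network/broadcast address shows up before the routers are configured. The PLAN and ROUTER_A_SIDE values are constructed from the table above; the function names are this example's own.

```python
import ipaddress

# Allocation plan used by the lab, as constructed data: each /27 is carved into
# four /30 WAN links (block size 4) followed by two /29 LANs (block size 8).
PLAN = [(30, 4), (29, 2)]


def block_size(prefix_len):
    """Number of addresses in a subnet of this prefix length (the lab's 'block size')."""
    return 1 << (32 - prefix_len)


def carve(block, plan):
    """Carve `block` into subnets following plan = [(prefix_len, count), ...],
    allocating contiguously from the start of the block.

    Raises ValueError if the plan overflows the block or a subnet would start on
    an address that is not a multiple of its own block size."""
    block = ipaddress.ip_network(block)
    cursor = block.network_address
    subnets = []
    for prefix_len, count in plan:
        for _ in range(count):
            # strict=True (the default) rejects a misaligned network address.
            net = ipaddress.ip_network(f"{cursor}/{prefix_len}")
            if not net.subnet_of(block):
                raise ValueError(f"{net} does not fit inside {block}")
            subnets.append(net)
            cursor += block_size(prefix_len)
    return subnets


def usable_range(net):
    """First and last assignable host addresses (network and broadcast excluded)."""
    return net.network_address + 1, net.broadcast_address - 1


def subnet_for(interface_address, subnets):
    """Return the planned subnet that a configured 'address/prefix' belongs to, or
    None if the prefix length is wrong, the address lies outside the plan, or it
    is a network/broadcast address that cannot be assigned to an interface."""
    iface = ipaddress.ip_interface(interface_address)
    for net in subnets:
        if iface.network == net:
            low, high = usable_range(net)
            return net if low <= iface.ip <= high else None
    return None


# Interface addresses for the 192.168.10.32/27 side, constructed from the lab's table.
ROUTER_A_SIDE = {
    "2811A s0/0/0": "192.168.10.37/30", "2811A s0/0/1": "192.168.10.33/30",
    "2811B s0/0/0": "192.168.10.41/30", "2811B s0/0/1": "192.168.10.34/30",
    "2811C s0/0/0": "192.168.10.45/30", "2811C s0/0/1": "192.168.10.38/30",
    "2811D s0/0/0": "192.168.10.42/30", "2811D f0/0":   "192.168.10.49/29",
    "2811E s0/0/0": "192.168.10.46/30", "2811E f0/0":   "192.168.10.57/29",
}


def audit(assignments, subnets):
    """Map each interface name to its planned subnet; a None value marks an
    address that does not belong to the plan."""
    return {name: subnet_for(addr, subnets) for name, addr in assignments.items()}


if __name__ == "__main__":
    plan = carve("192.168.10.32/27", PLAN)
    for net in plan:
        low, high = usable_range(net)
        print(f"{net}  block size {block_size(net.prefixlen)}  hosts {low}-{high}")
    for name, net in audit(ROUTER_A_SIDE, plan).items():
        print(f"{name}: {net if net else 'NOT IN PLAN'}")
```

Running the same `carve` on 192.168.10.64/27 yields the subnets used by routers 2811 F through 2811 J; asking for a third /29 in either block raises ValueError because 192.168.10.64/29 falls outside the first /27, which is exactly the overflow the block-size rule guards against.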
Lab Steps
1. Double-click on 2811 Router A to bring up the console screen.
2. Configure 2811 Router A.
Router>en
Router#config t
Enter configuration commands, one per line. End with CNTL/Z
Router(config)#hostname 2811A
2811A(config)#int s0/0/0
2811A(config-if)#ip address 192.168.10.37 255.255.255.252
2811A(config-if)#no shut
2811A(config-if)#int s0/0/1
2811A(config-if)#ip address 192.168.10.33 255.255.255.252
2811A(config-if)#no shut
2811A(config-if)#int f0/0
2811A(config-if)#ip address 10.1.1.1 255.255.255.0
2811A(config-if)#no shut
2811A(config-if)#ctrl+z
2811A#copy run start
3. Change to the console for 2811 Router B.
4. Configure 2811 Router B.
Router>en
Router#config t
Enter configuration commands, one per line. End with CNTL/Z
Router(config)#hostname 2811B
2811B(config)#int s0/0/0
2811B(config-if)#ip address 192.168.10.41 255.255.255.252
2811B(config-if)#no shut
2811B(config-if)#int s0/0/1
2811B(config-if)#ip address 192.168.10.34 255.255.255.252
2811B(config-if)#no shut
2811B(config-if)#ctrl+z
2811B#copy run start
5. Change to the console for 2811 Router C.
6. Configure 2811 Router C.
Router>en
Router#config t
Enter configuration commands, one per line. End with CNTL/Z
Router(config)#hostname 2811C
2811C(config)#int s0/0/0
2811C(config-if)#ip address 192.168.10.45 255.255.255.252
2811C(config-if)#no shut
2811C(config-if)#int s0/0/1
2811C(config-if)#ip address 192.168.10.38 255.255.255.252
2811C(config-if)#no shut
2811C(config-if)#ctrl+z
2811C#copy run start
7. Change to the console for 2811 Router D.
8. Configure 2811 Router D.
Router>en
Router#config t
Enter configuration commands, one per line. End with CNTL/Z
Router(config)#hostname 2811D
2811D(config)#int s0/0/0
2811D(config-if)#ip address 192.168.10.42 255.255.255.252
2811D(config-if)#no shut
2811D(config-if)#int f0/0
2811D(config-if)#ip address 192.168.10.49 255.255.255.248
2811D(config-if)#no shut
2811D(config-if)#exit
2811D(config)#ctrl+z
2811D#copy run start
9. Change to the console for 2811 Router E.
10. Configure 2811 Router E.
Router>en
Router#config t
Enter configuration commands, one per line. End with CNTL/Z
Router(config)#hostname 2811E
2811E(config)#int s0/0/0
2811E(config-if)#ip address 192.168.10.46 255.255.255.252
2811E(config-if)#no shut
2811E(config-if)#int f0/0
2811E(config-if)#ip address 192.168.10.57 255.255.255.248
2811E(config-if)#no shut
2811E(config-if)#ctrl+z
2811E#copy run start
11. Change to the console for 2811 Router F.
12. Configure 2811 Router F.
Router>en
Router#config t
Enter configuration commands, one per line. End with CNTL/Z
Router(config)#hostname 2811F
2811F(config)#int s0/0/0
2811F(config-if)#ip address 192.168.10.69 255.255.255.252
2811F(config-if)#no shut
2811F(config-if)#int s0/0/1
2811F(config-if)#ip address 192.168.10.65 255.255.255.252
2811F(config-if)#no shut
2811F(config-if)#int f0/0
2811F(config-if)#ip address 10.1.1.2 255.255.255.0
2811F(config-if)#no shut
2811F(config-if)#ctrl+z
2811F#copy run start
13. Change to the console for 2811 Router G.
14. Configure 2811 Router G.
Router>en
Router#config t
Enter configuration commands, one per line. End with CNTL/Z
Router(config)#hostname 2811G
2811G(config)#int s0/0/0
2811G(config-if)#ip address 192.168.10.73 255.255.255.252
2811G(config-if)#no shut
2811G(config-if)#int s0/0/1
2811G(config-if)#ip address 192.168.10.66 255.255.255.252
2811G(config-if)#no shut
2811G(config-if)#ctrl+z
2811G#copy run start
15. Change to the console for 2811 Router H.
16. Configure 2811 Router H.
Router>en
Router#config t
Enter configuration commands, one per line. End with CNTL/Z
Router(config)#hostname 2811H
2811H(config)#int s0/0/0
2811H(config-if)#ip address 192.168.10.77 255.255.255.252
2811H(config-if)#no shut
2811H(config-if)#int s0/0/1
2811H(config-if)#ip address 192.168.10.70 255.255.255.252
2811H(config-if)#no shut
2811H(config-if)#ctrl+z
2811H#copy run start
17. Change to the console for 2811 Router I.
18. Configure 2811 Router I.
Router>en
Router#config t
Enter configuration commands, one per line. End with CNTL/Z
Router(config)#hostname 2811I
2811I(config)#int s0/0/0
2811I(config-if)#ip address 192.168.10.74 255.255.255.252
2811I(config-if)#no shut
2811I(config-if)#int f0/0
2811I(config-if)#ip address 192.168.10.81 255.255.255.248
2811I(config-if)#no shut
2811I(config-if)#ctrl+z
2811I#copy run start
19. Change to the console for 2811 Router J.
20. Configure 2811 Router J.
Router>en
Router#config t
Enter configuration commands, one per line. End with CNTL/Z
Router(config)#hostname 2811J
2811J(config)#int s0/0/0
2811J(config-if)#ip address 192.168.10.78 255.255.255.252
2811J(config-if)#no shut
2811J(config-if)#int f0/0
2811J(config-if)#ip address 192.168.10.89 255.255.255.248
2811J(config-if)#no shut
2811J(config-if)#ctrl+z
2811J#copy run start
Rename and Save Your File: Make sure you save the actual network layout file that you have been working with. You might want to save it under a different file name than VLSM Layout.rsm. This allows you to start over with a non-configured network if you wish.
1. There are two ways you can save a network layout. The first way is by clicking on the Diskette button on the button bar at the top of the Network Visualizer screen. You can also click File on the menu and choose Save from the drop-down menu.
2. A dialog box will appear. At the bottom you will see the file name VLSM Layout.rsm. Rename the file. In the following example it is renamed to My VLSM Layout.rsm.
3. Click the Save button. At this point your network layout has been saved under a new name. You then have the option of reloading VLSM Layout.rsm, which is not configured.
Lab 8.2: VLSM with Summarization Lab—Configuring Hosts
We will now configure all the hosts in the network.
Network Layout
Use the saved network you were working with in Lab 8.1.
Lab Steps
1. Right-click on Host A.
2. Click on the Configs button.
3. On Host A configure:
   • IP Address: 192.168.10.50
   • Subnet Mask: 255.255.255.248
   • Default Gateway: 192.168.10.49
4. Click the OK button and then the Close button.
5. On Host B configure:
   • IP Address: 192.168.10.58
   • Subnet Mask: 255.255.255.248
   • Default Gateway: 192.168.10.57
6. Click the OK button and then the Close button.
7. On Host C configure:
   • IP Address: 192.168.10.82
   • Subnet Mask: 255.255.255.248
   • Default Gateway: 192.168.10.81
8. Click the OK button and then the Close button.
9. On Host D configure:
   • IP Address: 192.168.10.90
   • Subnet Mask: 255.255.255.248
   • Default Gateway: 192.168.10.89
10. Click the OK button and then the Close button.
Save Your File: Make sure you save the network layout file that you have been working on.
Lab 8.4: VLSM with Summarization Lab—Configuring EIGRP with Discontiguous Networking
In this lab you will configure the classless routing protocol EIGRP on each router. EIGRP is an advanced distance vector routing protocol that supports VLSM and discontiguous networks. In addition, it can be used to manually summarize contiguous network boundaries, which is what we have. Enhanced Interior Gateway Routing Protocol (EIGRP) is a Cisco proprietary hybrid routing protocol. It uses the properties of both distance vector and link state and uses an administrative distance of 90, so it will automatically override RIP routes (RIP has a default administrative distance of 120) in the routing table. Also, it uses autonomous systems (AS) to create groups of routers that share routing information. The major difference between IGRP and EIGRP is that EIGRP uses three different tables to create a stable routing environment; additionally, EIGRP only sends updates when needed, whereas IGRP broadcasts routing table entries every 90 seconds.
Remember that although EIGRP is considered a classless routing protocol (which means it sends subnet mask information with each route update), it is configured in a classful manner. What this means is that you turn off all subnet bits and host bits to add each network statement, which is why the network statement is 192.168.10.0, not 192.168.10.32, 192.168.10.36, etc. for each subnet. EIGRP will find the subnets; you don’t type subnets in with the network statement.
Router A is directly connected to the 192.168.10.0 network, but the 10.1.1.0/24 network is also directly connected off of F0/0. What is the network statement we will use? Remember, ALL subnet bits and host bits are off! Add EIGRP with AS 10 to each router, using the correct network statement. Also, add the network statement of network 192.168.10.0 under EIGRP 10 for each router, except for routers A and F, which will need the network 10.0.0.0 statement as well.
Network Layout
Use the network you were working with in Lab 8.2.
Lab Steps
1. From each router's global configuration prompt, add the routing protocol EIGRP with an AS number of 10:
2811A>en
2811A#config t
2811A(config)#router eigrp 10
2811A(config-router)#network 192.168.10.0
2811A(config-router)#network 10.0.0.0
2811A(config-router)#auto-summary
2811A(config-router)#
2811B>en
2811B#config t
2811B(config)#router eigrp 10
2811B(config-router)#network 192.168.10.0
2811B(config-router)#auto-summary
2811B(config-router)#
2811C>en
2811C#config t
2811C(config)#router eigrp 10
2811C(config-router)#network 192.168.10.0
2811C(config-router)#auto-summary
2811C(config-router)#
2811D>en
2811D#config t
2811D(config)#router eigrp 10
2811D(config-router)#network 192.168.10.0
2811D(config-router)#auto-summary
2811D(config-router)#
2811E>en
2811E#config t
2811E(config)#router eigrp 10
2811E(config-router)#network 192.168.10.0
2811E(config-router)#auto-summary
2811E(config-router)#
2811F>en
2811F#config t
2811F(config)#router eigrp 10
2811F(config-router)#network 192.168.10.0
2811F(config-router)#network 10.0.0.0
2811F(config-router)#auto-summary
2811F(config-router)#
2811G>en
2811G#config t
2811G(config)#router eigrp 10
2811G(config-router)#network 192.168.10.0
2811G(config-router)#auto-summary
2811G(config-router)#
2811H>en
2811H#config t
2811H(config)#router eigrp 10
2811H(config-router)#network 192.168.10.0
2811H(config-router)#auto-summary
2811H(config-router)#
2811I>en
2811I#config t
2811I(config)#router eigrp 10
2811I(config-router)#network 192.168.10.0
2811I(config-router)#auto-summary
2811I(config-router)#
2811J>en
2811J#config t
2811J(config)#router eigrp 10
2811J(config-router)#network 192.168.10.0
2811J(config-router)#auto-summary
2811J(config-router)#
2. Now that we have added our directly connected networks under EIGRP (remember, add networks, not subnets!), we need to configure 2811 Router A and 2811 Router F to work using discontiguous networking. Take a look at the routing table of each router and notice that you can see only the subnets from each router's own contiguous network (2811 Router A through 2811 Router E, and 2811 Router F through 2811 Router J). This is because discontiguous networking does not work by default.
2811A(config-router)#ctrl+z
2811A#sh ip route
2811F(config-router)#ctrl+z
2811F#sh ip route
3. We need to add the no auto-summary command to 2811 Router A and 2811 Router F to have this work.
2811A#config t
2811A(config)#router eigrp 10
2811A(config-router)#no auto-summary
2811F#config t
2811F(config)#router eigrp 10
2811F(config-router)#no auto-summary
Auto-summary: The process of taking subnets like 192.168.10.4/30 or 192.168.10.56/29 and summarizing them down to their base network class. In the case of 192.168.10.4/30 or 192.168.10.56/29, the networks are summarized to their Class C base network address of 192.168.10.0/24.
No auto-summary: The process of taking subnets like 192.168.10.4/30 or 192.168.10.56/29 and not summarizing them down to their base network class. In the case of 192.168.10.4/30 or 192.168.10.56/29, the networks are never summarized to their Class C base network address of 192.168.10.0/24 when classful network boundaries are encountered.
4. Now, let’s take a look at the routing tables of each router and notice that ALL subnets are now listed in each router’s routing table.
2811J#show ip route
[output cut]
     10.0.0.0/24 is subnetted, 1 subnets
D       10.1.1.0 [90/2172416] via 192.168.10.77, 00:12:01, Serial0/0/0
     192.168.10.0/24 is variably subnetted, 12 subnets, 2 masks
D       192.168.10.44/30 [90/2172416] via 192.168.10.77, 00:12:01, Serial0/0/0
D       192.168.10.68/30 [90/2172416] via 192.168.10.77, 00:12:01, Serial0/0/0
D       192.168.10.32/30 [90/2172416] via 192.168.10.77, 00:12:01, Serial0/0/0
C       192.168.10.76/30 is directly connected, Serial0/0/0
C       192.168.10.88/29 is directly connected, FastEthernet0/0
D       192.168.10.36/30 [90/2172416] via 192.168.10.77, 00:12:01, Serial0/0/0
D       192.168.10.40/30 [90/2172416] via 192.168.10.77, 00:12:01, Serial0/0/0
D       192.168.10.64/30 [90/2172416] via 192.168.10.77, 00:12:01, Serial0/0/0
D       192.168.10.48/29 [90/2172416] via 192.168.10.77, 00:12:01, Serial0/0/0
D       192.168.10.80/29 [90/2172416] via 192.168.10.77, 00:12:01, Serial0/0/0
D       192.168.10.72/30 [90/2172416] via 192.168.10.77, 00:12:01, Serial0/0/0
D       192.168.10.56/29 [90/2172416] via 192.168.10.77, 00:12:01, Serial0/0/0
5. This is a small network and the routing tables are manageable. However, if we had more routers, our routing tables would be rather large, which takes up memory and router processing time to parse the routing table. What can we do to make our routing table smaller and more efficient, yet still keep all our connectivity from end to end? You guessed it! Summarization baby!
Lab 8.5: VLSM with Summarization Lab—Configuring Summarization
Now that we have configured the internetwork from end to end using VLSM and discontiguous networking, and EIGRP with the no auto-summary command to support the discontiguous network, it is time to configure summarization. Summarization would be done on the boundaries of each contiguously configured network (routers 2811 A and 2811 F). Summarization is configured in EIGRP under the interface configuration using the ip summary-address eigrp 10 network mask command. Before we add the summary commands to routers 2811 A and 2811 F, we need to know what network and mask to add to the summary command. Remember, summary addresses are configured in block sizes, just like subnets. The summary address for 2811 Router A would be 192.168.10.32, since we are starting at subnet 32; however, what is our summary mask? Well, what is the block size of our contiguous networks? Thirty-two (32). What mask provides a block size of 32? A /27, which is 255.255.255.224; this is our summary mask. For the 2811 F configuration, we would start at subnet 192.168.10.64, which also uses a summary mask of /27, since the contiguous networks fit in a block size of 32.
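To make the auto-summary arithmetic of Lab 8.4 and the summary-mask arithmetic above concrete, here is an added Python example (not part of the lab manual or the Network Visualizer software) that computes what the boundary routers advertise in each mode. With auto-summary, both 2811 A and 2811 F collapse their subnets to the classful 192.168.10.0/24, so the advertisements collide across the 10.1.1.0/24 backbone; with the subnets listed explicitly, it derives the smallest covering block, which is the network and mask for the ip summary-address command. SIDE_A and SIDE_F are constructed from the addressing table in Lab 8.1; the function names are this example's own.

```python
import ipaddress

# The two contiguous halves of the lab's internetwork, one per side of the
# 10.1.1.0/24 backbone (constructed from the Lab 8.1 addressing table).
SIDE_A = ["192.168.10.32/30", "192.168.10.36/30", "192.168.10.40/30",
          "192.168.10.44/30", "192.168.10.48/29", "192.168.10.56/29"]
SIDE_F = ["192.168.10.64/30", "192.168.10.68/30", "192.168.10.72/30",
          "192.168.10.76/30", "192.168.10.80/29", "192.168.10.88/29"]


def classful_network(address):
    """Classful major network of an address (all subnet and host bits cleared):
    what the EIGRP 'network' statement is typed as, and what auto-summary
    advertises when a route crosses into a different major network."""
    first_octet = int(ipaddress.ip_address(address)) >> 24
    if first_octet < 128:
        prefix_len = 8       # class A
    elif first_octet < 192:
        prefix_len = 16      # class B
    elif first_octet < 224:
        prefix_len = 24      # class C
    else:
        raise ValueError(f"{address} is not a class A, B or C address")
    return ipaddress.ip_network(f"{address}/{prefix_len}", strict=False)


def auto_summary(subnets):
    """Routes a boundary router advertises with auto-summary on: only the
    classful networks, with every subnet collapsed into them."""
    nets = {classful_network(str(ipaddress.ip_network(s).network_address)) for s in subnets}
    return sorted(nets, key=lambda n: int(n.network_address))


def summary_route(subnets):
    """Smallest single prefix covering every subnet in the list: the network and
    mask for 'ip summary-address eigrp <as>' (the mask is the block size that
    holds the whole contiguous range)."""
    nets = [ipaddress.ip_network(s) for s in subnets]
    low = min(n.network_address for n in nets)
    high = max(n.broadcast_address for n in nets)
    for prefix_len in range(32, -1, -1):  # shorten until one block spans both ends
        candidate = ipaddress.ip_network(f"{low}/{prefix_len}", strict=False)
        if high in candidate:
            return candidate
    raise AssertionError("unreachable: a /0 covers every address")


def conflicting(adv_a, adv_f):
    """Prefixes both boundary routers would inject across the backbone. Any
    overlap means routers on the far side cannot tell the two halves apart,
    which is the discontiguous-network failure that 'no auto-summary' removes."""
    return sorted(set(adv_a) & set(adv_f), key=lambda n: int(n.network_address))


if __name__ == "__main__":
    print("auto-summary on:", auto_summary(SIDE_A), auto_summary(SIDE_F),
          "overlap:", conflicting(auto_summary(SIDE_A), auto_summary(SIDE_F)))
    a, f = summary_route(SIDE_A), summary_route(SIDE_F)
    print("manual summaries:", a, f, "overlap:", conflicting([a], [f]))
    print("summary mask for 2811A:", a.netmask)
```

One caveat worth keeping in mind when reusing `summary_route` outside this lab: it returns the smallest block that spans the lowest and highest address, so if the subnets are not aligned to one block (say, 192.168.10.40/30 through 192.168.10.72/30) the summary covers address space the router does not actually own, and traffic for those holes would be attracted to the boundary router.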
Network Layout
Use the network you were working with in Lab 8.4.
Lab Steps
1. Here is our configuration on both routers:
2811A#config t
2811A(config)#interface fa0/0
2811A(config-if)#ip summary-address eigrp 10 192.168.10.32 255.255.255.224
2811F#config t
2811F(config)#interface fa0/0
2811F(config-if)#ip summary-address eigrp 10 192.168.10.64 255.255.255.224
At this point, we have disabled automatic summarization under EIGRP since we need to support discontiguous networking. We then configured manual summarization at contiguous classful boundaries.
2. If we take a look at the routing tables now, we can see that 2811 Router A is summarizing the contiguous network with a 192.168.10.32/27 route into the 2811 Router F routing table, which is then sent to the other routers connected to 2811 Router F.
2811F>en
2811F#show ip route
[output cut]
     192.168.10.0/24 is variably subnetted, 7 subnets, 3 masks
C       192.168.10.64/30 is directly connected, Serial0/0/1
D       192.168.10.80/29 [90/2172416] via 192.168.10.66, 00:05:49, Serial0/0/1
C       192.168.10.68/30 is directly connected, Serial0/0/0
D       192.168.10.72/30 [90/2172416] via 192.168.10.66, 00:05:49, Serial0/0/1
D       192.168.10.76/30 [90/2172416] via 192.168.10.70, 00:05:49, Serial0/0/0
D       192.168.10.32/27 [90/2172416] via 10.1.1.1, 00:05:49, FastEthernet0/0
D       192.168.10.88/29 [90/2172416] via 192.168.10.70, 00:05:49, Serial0/0/0
     10.0.0.0/24 is subnetted, 1 subnets
C       10.1.1.0 is directly connected, FastEthernet0/0
3. For 2811 Router A, the routing table now looks like this, and it is sent to all routers connected to 2811 Router A.
2811A#show ip route
[output cut]
     10.0.0.0/24 is subnetted, 1 subnets
C       10.1.1.0 is directly connected, FastEthernet0/0
     192.168.10.0/24 is variably subnetted, 7 subnets, 3 masks
C       192.168.10.36/30 is directly connected, Serial0/0/0
D       192.168.10.64/27 [90/2172416] via 10.1.1.2, 00:02:53, FastEthernet0/0
D       192.168.10.44/30 [90/2172416] via 192.168.10.38, 00:02:53, Serial0/0/0
D       192.168.10.40/30 [90/2172416] via 192.168.10.34, 00:02:53, Serial0/0/1
D       192.168.10.48/29 [90/2172416] via 192.168.10.34, 00:02:53, Serial0/0/1
C       192.168.10.32/30 is directly connected, Serial0/0/1
D       192.168.10.56/29 [90/2172416] via 192.168.10.38, 00:02:53, Serial0/0/0
Our routing tables are smaller, more efficient, and easier for IP to parse.
Individual Labs (Comprehensive)
Introduction to Individual Labs
We offer CCNA labs that are comprehensive and self-contained. They stand on their own and do not require configurations from prior labs. These labs are typically longer than the accumulative labs because you are starting with a non-configured network each time you bring up an Individual lab. You are configuring the entire network for each lab, from beginning to finish. We provide step-by-step instructions for these labs.
Grading
When you have finished with each Individual lab, you can check your work by clicking the Grade Me button in the upper right-hand corner of the Network Visualizer screen.
You will see a report that will display:
• The name of the command entered for this lab
• The expected configuration
• Your configuration
• The result for each command. You will see a green checkmark (meaning that you got it correct) or a red X
• A score of the number of correct answers out of the total possible
Individual Lab: RIP Routing
Configuring the routers with static and default routing is interesting, to say the least. However, it is not very often that you would use just static and default routing in a network these days. This lab will have you configure Routing Information Protocol (RIP), one of the first dynamic routing protocols created. It is easy and works pretty well in small to medium-size networks. Enter all commands in lower case. The program’s grading feature expects lower case and may count an answer wrong if it is in upper case.
RIP
• Stands for Routing Information Protocol.
• Sends routing-update messages at regular intervals (usually every 30 seconds) and when the network topology changes.
• Uses a single metric called a hop, which measures the distance between the source and destination.
• Is limited to a hop count of 15. It has a maximum hop count. This means a network cannot be more than 15 hops from the source to the destination; otherwise the destination is deemed unreachable.
• Has a timeout timer that is used on a periodic basis (usually every 30 seconds) for each known route. If the timer times out, this usually means that path is no longer available; therefore that route is removed from the routing tables.
• Does not support VLSM.
When you have finished with this lab, you can check your work by clicking the Grade Me button in the upper right-hand corner of the Network Visualizer screen.
You will see a report that will display:
• The name of the command entered for this lab
• The expected configuration
• Your configuration
• The result for each command. You will see a green checkmark (meaning that you got it correct) or a red X
• A score of the number of correct answers out of the total possible
Network Layout
On the Network Visualizer screen, click on the Labs menu, then choose Individual, Routing Protocols, and RIP.
Lab Steps
Copy and Paste Script
Steps 1-3 are necessary in order to perform this lab. If you do not want to manually complete these steps and want to accelerate steps 1-3, you can copy and paste the following script into the console for each router. After you get into user mode, copy and paste the script into the console. Click on the console and click your right mouse button. A pop-up menu will appear. Click Paste.
After pasting the script into the console, you will see the prompt Destination filename [startup-config]?. At this point, press Enter.

2621 Router A
enable
config t
hostname 2621A
line vty 0 4
password todd
login
interface serial 0/0
ip address 172.16.20.2 255.255.255.0
description connection to 2811A
no shutdown
exit
exit
copy run start

2811 Router A
enable
config t
hostname 2811A
line vty 0 1180
password todd
login
interface serial 0/1/1
ip address 172.16.20.1 255.255.255.0
description connection to 2621A
no shutdown
interface serial 0/0/1
ip address 172.16.30.1 255.255.255.0
description connection to 2621B
no shutdown
exit
exit
copy run start

2621 Router B
enable
config t
hostname 2621B
line vty 0 4
password todd
login
interface serial 0/0
ip address 172.16.30.2 255.255.255.0
description connection to 2811A
no shutdown
exit
exit
copy run start
1. Double-click 2621 Router A. After the console screen comes up, perform the following commands.
Router>enable
Router#config t
Router(config)#hostname 2621A
2621A(config)#line vty 0 4
2621A(config-line)#password todd
2621A(config-line)#login
2621A(config-line)#int s0/0
2621A(config-if)#ip address 172.16.20.2 255.255.255.0
2621A(config-if)#description connection to 2811A
2621A(config-if)#no shutdown
2621A(config-if)#ctrl+z
2621A#copy run start
Destination filename [startup-config]? [enter]
Building configuration...
[OK]
2621A#
2. Double-click 2811 Router A. After the console screen comes up, perform the following commands.
Router>enable
Router#config t
Router(config)#hostname 2811A
2811A(config)#line vty 0 1180
2811A(config-line)#password todd
2811A(config-line)#login
2811A(config-line)#int s0/1/1
2811A(config-if)#ip address 172.16.20.1 255.255.255.0
2811A(config-if)#description connection to 2621A
2811A(config-if)#no shutdown
2811A(config-if)#int s0/0/1
2811A(config-if)#ip address 172.16.30.1 255.255.255.0
2811A(config-if)#description connection to 2621B
2811A(config-if)#no shutdown
2811A(config-if)#ctrl+z
2811A#copy run start
Destination filename [startup-config]? [enter]
Building configuration...
[OK]
2811A#
Clock Rate You do not have to set a clock rate if the DCE side of your connection is a 2811 router. The clock rate for the serial interface is set by default to 2000000. However, on the 2621 router you still need to explicitly set the clock rate. In our lab the DCE side of the connection is interface serial 0/1/1 and serial 0/0/1.
3. Double-click 2621 Router B. After the console screen comes up, perform the following commands.
Router>enable
Router#config t
Router(config)#hostname 2621B
2621B(config)#line vty 0 4
2621B(config-line)#password todd
2621B(config-line)#login
2621B(config-line)#int s0/0
2621B(config-if)#ip address 172.16.30.2 255.255.255.0
2621B(config-if)#description connection to 2811A
2621B(config-if)#no shutdown
2621B(config-if)#ctrl+z
2621B#copy run start
Destination filename [startup-config]? [enter]
Building configuration...
[OK]
2621B#
Dynamic Routing The process of routers in an Intranet or internet advertising route information automatically between each other. There is typically a common dynamic routing protocol configured on each router. RIP Version 1 and 2, OSPF, EIGRP, and BGP are some examples of dynamic routing protocols. When all routers have received routing updates and have updated routing tables, the network is said to have converged. Convergence means that all routers in the internetwork have the same routing information. At this point, a routed protocol, IP for example, can send user data throughout the internetwork.
4. From 2621 Router A, configure RIP routing and tell RIP the network you want to advertise.
Router RIP Command: Turns on RIP routing.
Network Command: Should be entered for each of the networks that the router is connected to and that is part of the RIP network. In our network we have only one network, network 172.16.0.0.
2621A#config t
2621A(config)#router rip
2621A(config-router)#network 172.16.0.0
2621A(config-router)#ctrl+z
That’s all there is to it! Dynamic routing is easy on small networks. The important thing to notice here is that the network address is a classful address, which means you use the classful boundary.
Classful Routing: Routing protocols (i.e., RIPv1 and IGRP) where subnet masks (routing masks) are not sent in the periodic routing updates. For example, we use a 172.16.0.0 class B network address and subnet that network with 24 bits of subnetting. This means the third octet is used for subnets and the fourth octet is used for the host addresses in each subnet. RIP is a classful routing protocol, which means that you do not type in any subnet addresses, only the class B address. When using a classful routing protocol like RIP, make sure that all networked devices have the same subnet mask.
5. From 2621 Router B, configure RIP routing and tell RIP the network you want to advertise.
2621B#config t
2621B(config)#router rip
2621B(config-router)#network 172.16.0.0
2621B(config-router)#ctrl+z
6. From 2811 Router A, configure RIP routing and tell RIP the network you want to advertise.
2811A#config t
2811A(config)#router rip
2811A(config-router)#network 172.16.0.0
2811A(config-router)#ctrl+z
Verify Configurations
7. From 2621 Router A, use the show ip route command to verify the routing table.
2621A#show ip route
     172.16.0.0/24 is subnetted, 2 subnets
R       172.16.30.0 [120/1] via 172.16.20.1, 00:00:21, Serial0/0
C       172.16.20.0 is directly connected, Serial0/0
2621A#
Notice the “R”, which means it is a route learned from RIP. The “C” is a directly connected network. You should see two directly connected routes and three RIP routes.
8. From 2621 Router B, use the show ip route command to verify the routing table.
2621B#show ip route
     172.16.0.0/24 is subnetted, 2 subnets
C       172.16.30.0 is directly connected, Serial0/0
R       172.16.20.0 [120/1] via 172.16.30.1, 00:00:13, Serial0/0
2621B#
9. From 2811 Router A, use the show ip route command to verify the routing table.
2811A#show ip route
     172.16.0.0/24 is subnetted, 2 subnets
C       172.16.30.0 is directly connected, Serial0/0/1
C       172.16.20.0 is directly connected, Serial0/1/1
10. From 2621 Router B, use the debug ip rip command to see RIP updates being sent and received on the router.
2621B#debug ip rip
RIP protocol debugging is on
2621B#
then after a few seconds ....
*Oct 13 17:19:25.906: RIP: received v1 update from 172.16.30.1 on Serial0/0
*Oct 13 17:19:25.906:      172.16.20.0 in 2 hops
*Oct 13 17:19:25.906: RIP: received v1 update from 172.16.30.1 on Serial0/0
*Oct 13 17:19:25.906:      172.16.20.0 in 3 hops
*Oct 13 17:19:25.906: RIP: received v1 update from 172.16.30.1 on Serial0/0
*Oct 13 17:19:25.906:      172.16.20.0 in 4 hops
*Oct 13 17:19:25.906: RIP: received v1 update from 172.16.30.1 on Serial0/0
[output cut]
11. To turn off debugging, use the no debug ip rip command, or the undebug all command.
2621B#undebug all
12. To see detailed information about currently configured protocols on a router, use the show ip protocols command.
2621B#show ip protocols
Routing Protocol is "rip"
  Sending updates every 30 seconds, next due in 19 seconds
  Invalid after 180 seconds, hold down 180, flushed after 240
  Outgoing update filter list for all interfaces is not set
  Incoming update filter list for all interfaces is not set
  Redistributing: rip
  Default version control: send version 1, receive any version
    Interface             Send  Recv  Triggered RIP  Key-chain
    Serial0/0             1     1 2
  Automatic network summarization is in effect
  Maximum path: 4
  Routing for networks:
    172.16.0.0
  Routing information sources:
    Gateway         Distance      Last Update
    172.16.30.1          120      00:00:11
  Distance:
2621B#
Notice the timers. RIP updates are sent out every 30 seconds by default. The administrative distance for RIP is 120 by default. Administrative distance is a measure of the trustworthiness of the source of the routing information. It is reported as a number between 0 and 255. The smaller the number, the more reliable the protocol. If you have, for example, two protocols, IGRP and RIP, configured on a router, the IGRP routes will be preferred over the RIP routes. This is because you have an administrative distance of 120 for RIP and 100 for IGRP.
Source                                                              Default Distance Value
Connected interface                                                 0
Static route                                                        1
Enhanced Interior Gateway Routing Protocol (EIGRP) summary route    5
External Border Gateway Protocol (BGP)                              20
Internal EIGRP                                                      90
IGRP                                                                100
OSPF                                                                110
Intermediate System-to-Intermediate System (IS-IS)                  115
Routing Information Protocol (RIP)                                  120
Exterior Gateway Protocol (EGP)                                     140
On Demand Routing (ODR)                                             160
External EIGRP                                                      170
Internal BGP                                                        200
Unknown                                                             255
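As an added example (not from the lab manual or the Network Visualizer software), the following Python code parses show ip route output of the kind shown in this lab into structured records, filling in the mask that an "is subnetted" header line carries for the child entries under it, then applies the administrative-distance rule from the table above to choose between candidate routes and flags any route whose printed distance is not the default for its source, which is a quick way to spot a changed distance setting on a router you are verifying. The sample output is constructed from lines shown in this lab; DEFAULT_AD is filled from the table above, and the function names are this example's own.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Default administrative distances from the table above, keyed by the
# route-source code that 'show ip route' prints in its first column.
DEFAULT_AD = {"C": 0, "S": 1, "D": 90, "O": 110, "i": 115, "R": 120, "D EX": 170}

# "172.16.0.0/24 is subnetted, 2 subnets": children below inherit this mask.
HEADER_RE = re.compile(r"^\s*(?P<net>\d+\.\d+\.\d+\.\d+)/(?P<mask>\d+) is (?:variably )?subnetted")
# Learned route ("[AD/metric] via next-hop, age, interface") or connected route.
ROUTE_RE = re.compile(
    r"^\s*(?P<code>[A-Z](?: EX)?|i)\s+"
    r"(?P<net>\d+\.\d+\.\d+\.\d+)(?:/(?P<mask>\d+))?\s+"
    r"(?:\[(?P<ad>\d+)/(?P<metric>\d+)\] via (?P<nexthop>\d+\.\d+\.\d+\.\d+), \S+, (?P<iface>\S+)"
    r"|is directly connected, (?P<ciface>\S+))\s*$"
)


@dataclass
class Route:
    code: str
    prefix: str            # "network/len"
    ad: int
    metric: int
    nexthop: Optional[str]  # None for directly connected routes
    iface: str


def parse_show_ip_route(text):
    """Parse 'show ip route' output into Route records. Lines that print no mask
    (children of an 'is subnetted' header) take the header's mask; banners,
    prompts and '[output cut]' are skipped."""
    routes, inherited_mask = [], None
    for line in text.splitlines():
        header = HEADER_RE.match(line)
        if header:
            inherited_mask = header.group("mask")
            continue
        m = ROUTE_RE.match(line)
        if not m:
            continue
        mask = m.group("mask") or inherited_mask
        if mask is None:
            raise ValueError(f"no mask known for route line: {line!r}")
        prefix = f"{m.group('net')}/{mask}"
        if m.group("ciface"):
            routes.append(Route(m.group("code"), prefix, 0, 0, None, m.group("ciface")))
        else:
            routes.append(Route(m.group("code"), prefix, int(m.group("ad")),
                                int(m.group("metric")), m.group("nexthop"), m.group("iface")))
    return routes


def preferred(candidates):
    """Per prefix, the route IOS would install from candidates learned by different
    sources: the lowest administrative distance wins; the metric only breaks ties
    between routes of the same source (a lower AD beats a lower metric)."""
    best = {}
    for r in candidates:
        current = best.get(r.prefix)
        if current is None or (r.ad, r.metric) < (current.ad, current.metric):
            best[r.prefix] = r
    return best


def check_default_ad(routes):
    """Routes whose printed distance differs from the default for their source,
    i.e. the 'distance' setting under the routing process has been changed."""
    return [r for r in routes if r.code in DEFAULT_AD and r.ad != DEFAULT_AD[r.code]]


# Constructed sample, assembled from lines shown in this lab as one router might print them.
SAMPLE = """\
2621A#show ip route
Codes: C - connected, S - static, R - RIP, D - EIGRP
[output cut]
     172.16.0.0/24 is subnetted, 2 subnets
R       172.16.30.0 [120/1] via 172.16.20.1, 00:00:21, Serial0/0
C       172.16.20.0 is directly connected, Serial0/0
     192.168.10.0/24 is variably subnetted, 2 subnets, 2 masks
D       192.168.10.64/27 [90/2172416] via 10.1.1.2, 00:02:53, FastEthernet0/0
C       192.168.10.32/30 is directly connected, Serial0/0/1
2621A#
"""

if __name__ == "__main__":
    for route in parse_show_ip_route(SAMPLE):
        print(route)
    print("non-default AD:", check_default_ad(parse_show_ip_route(SAMPLE)))
```

`preferred` is meant for candidates gathered from several sources (for instance the RIP and EIGRP entries for the same prefix), since a single show ip route listing already contains only the winner; feeding it a RIP route at [120/1] and an EIGRP route at [90/2172416] for the same prefix returns the EIGRP route, which is the point the paragraph above makes about distance outranking metric.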
13. Another really good command is the show protocols command, which shows you the
routed protocol configuration of each interface. 2621B#show protocols Global values: Internet protocol routing is enabled Serial0/1 is administratively down, line protocol is down Serial0/0 is up, line protocol is up Internet address is 172.16.30.2/24 FastEthernet0/1 is administratively down, line protocol is down FastEthernet0/0 is administratively down, line protocol is down 2621B#
Individual Labs (Comprehensive)
14. From 2811 Router A, use the show protocols command.

2811A#show protocols
Global values:
  Internet protocol routing is enabled
Serial0/0/0 is administratively down, line protocol is down
Serial0/0/1 is up, line protocol is up
  Internet address is 172.16.30.1/24
Serial0/1/0 is administratively down, line protocol is down
Serial0/1/1 is up, line protocol is up
  Internet address is 172.16.20.1/24
FastEthernet0/0 is administratively down, line protocol is down
FastEthernet0/1 is administratively down, line protocol is down
2811A#
RIPv2

You will now configure RIPv2. RIPv1 does not carry subnet information in its updates, so every advertised network is interpreted at a classful boundary. RIPv2 was created in 1994 to address this and other deficiencies in RIPv1. It carries the subnet mask with each route, which gives it support for variable length subnet masks (VLSM) and discontiguous networks; it sends its updates to the multicast address 224.0.0.9 instead of broadcasting them; and it can authenticate updates with a key chain (the Key-chain column in the show ip protocols output above). RIPv2 is not turned on by the router rip command alone; you must also enter the version 2 command under the routing process. Note that version 2 also changes the receive side: a router running version 2 accepts only version 2 updates, so updates from a neighbor still running version 1 are dropped until that neighbor is upgraded too.

15. From 2621 Router A, configure RIP routing to use version 2.

2621A#config t
2621A(config)#router rip
2621A(config-router)#version 2
2621A(config-router)#ctrl+z
That's all there is to it! Since we already added our directly connected networks under router rip in the last lab, we now just have to tell it to run version 2.

16. From 2621 Router B, configure RIP routing to use version 2.

2621B#config t
2621B(config)#router rip
2621B(config-router)#version 2
2621B(config-router)#ctrl+z
17. From 2811 Router A, configure RIP routing to use version 2.

2811A#config t
2811A(config)#router rip
2811A(config-router)#version 2
2811A(config-router)#ctrl+z
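The difference between the two versions described above is easiest to see on the wire. The Python program below is an added illustration, not code from the lab book: it builds the RIP response a router such as 2621B would send for this lab's prefixes in version 1 and in version 2 (RFC 1058 and RFC 2453 packet layouts), parses the packets back the way a receiver configured with receive version 2 would, and shows what is lost without a subnet mask and what the optional RIPv2 simple-password authentication entry looks like. The password and prefixes are constructed sample data.

```python
"""RIPv1 and RIPv2 on the wire (RFC 1058 / RFC 2453). Added illustration for
the RIPv2 paragraph above; not code from the lab book. Builds a response,
parses it back, and shows the loss of the subnet mask in version 1 and the
clear-text simple-password entry of version 2. Sample data is constructed."""

import ipaddress
import struct
from typing import Optional

RIP_UDP_PORT = 520
RIPV2_MULTICAST = "224.0.0.9"       # RIPv1 broadcasts to 255.255.255.255 instead
CMD_REQUEST, CMD_RESPONSE = 1, 2
AFI_IP, AFI_AUTH = 2, 0xFFFF
AUTH_SIMPLE_PASSWORD = 2            # clear text; type 3 is keyed MD5 (RFC 2082)
INFINITY = 16
HEADER = struct.Struct("!BBH")      # command, version, must be zero
RTE = struct.Struct("!HH4s4s4sI")   # AFI, route tag, address, subnet mask, next hop, metric
AUTH = struct.Struct("!HH16s")      # AFI 0xFFFF, auth type, 16-byte password field


def build_response(version: int, routes, password: Optional[str] = None) -> bytes:
    """routes: iterable of (prefix, metric). Version 1 must zero the mask,
    route tag and next-hop fields, so the subnet information is lost."""
    if version not in (1, 2):
        raise ValueError("RIP version must be 1 or 2")
    parts = [HEADER.pack(CMD_RESPONSE, version, 0)]
    if password is not None:
        if version != 2:
            raise ValueError("authentication entries exist only in RIPv2")
        secret = password.encode()
        if len(secret) > 16:
            raise ValueError("simple password is at most 16 bytes")
        parts.append(AUTH.pack(AFI_AUTH, AUTH_SIMPLE_PASSWORD, secret))  # null padded
    for prefix, metric in routes:
        net = ipaddress.IPv4Network(prefix)
        if not 1 <= metric <= INFINITY:
            raise ValueError("metric must be 1..16 (16 = unreachable)")
        mask = net.netmask.packed if version == 2 else bytes(4)
        parts.append(RTE.pack(AFI_IP, 0, net.network_address.packed, mask, bytes(4), metric))
    return b"".join(parts)


def classful(address: ipaddress.IPv4Address) -> ipaddress.IPv4Network:
    """What a RIPv1 receiver must assume when no mask is carried. (A real router
    uses the mask of the receiving interface when the advertised address lies in
    that interface's major network; this simplified version is classful only.)"""
    first_octet = int(address) >> 24
    length = 8 if first_octet < 128 else 16 if first_octet < 192 else 24
    return ipaddress.IPv4Network((address, length), strict=False)


def parse(packet: bytes, accept_versions=(2,)) -> dict:
    """Decode a RIP packet as a router with 'receive version 2' would:
    any other version is dropped before the entries are looked at."""
    command, version, _ = HEADER.unpack_from(packet, 0)
    if version not in accept_versions:
        raise ValueError(f"RIP version {version} dropped; receiving only {accept_versions}")
    body = packet[HEADER.size:]
    if len(body) % RTE.size:
        raise ValueError("truncated route entry")
    result = {"command": command, "version": version, "auth": None, "routes": []}
    for offset in range(0, len(body), RTE.size):
        if offset == 0 and struct.unpack_from("!H", body, 0)[0] == AFI_AUTH:
            _, auth_type, secret = AUTH.unpack_from(body, 0)
            # The password travels in clear text: anyone sniffing the segment reads it.
            result["auth"] = (auth_type, secret.rstrip(b"\x00").decode())
            continue
        afi, _tag, addr, mask, _next_hop, metric = RTE.unpack_from(body, offset)
        if afi != AFI_IP:
            continue
        address = ipaddress.IPv4Address(addr)
        if version == 2 and mask != bytes(4):
            prefixlen = bin(int.from_bytes(mask, "big")).count("1")
            prefix = ipaddress.IPv4Network((address, prefixlen), strict=False)
        else:
            prefix = classful(address)      # v1: the /24 is gone, only 172.16.0.0/16 remains
        result["routes"].append((str(prefix), metric))
    return result


if __name__ == "__main__":
    v2 = build_response(2, [("172.16.30.0/24", 1), ("172.16.20.0/24", 1)], password="cisco")
    v1 = build_response(1, [("172.16.30.0/24", 1)])
    print("v2:", parse(v2))
    print("v1 as seen by a v1/v2 receiver:", parse(v1, accept_versions=(1, 2)))
    try:
        parse(v1)
    except ValueError as err:
        print("v1 at a version-2-only receiver:", err)
```

Two things worth noticing when you run it: the version 1 advertisement of 172.16.30.0/24 comes out the other end as 172.16.0.0/16, and the version 2 authentication entry hands the password back to anyone who captures the packet, so if you do enable RIPv2 authentication, use the MD5 mode rather than the simple-password mode.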
Verify Configurations

18. From 2621 Router A, use the show ip route command to verify the routing table.

2621A#show ip route
     172.16.0.0/24 is subnetted, 2 subnets
R       172.16.30.0 [120/1] via 172.16.20.1, 00:00:13, Serial0/0
C       172.16.20.0 is directly connected, Serial0/0

Notice the "R", which marks a route learned through RIP, and the "C", which marks a directly connected network. The [120/1] is the administrative distance followed by the metric, here one hop. The routing tables look the same as they did with version 1 unless you have VLSM networks configured.

19. From 2621 Router B, use the show ip route command to verify the routing table.

2621B#show ip route
     172.16.0.0/24 is subnetted, 2 subnets
C       172.16.30.0 is directly connected, Serial0/0
R       172.16.20.0 [120/1] via 172.16.30.1, 00:00:09, Serial0/0

20. From 2811 Router A, use the show ip route command to verify the routing table.

2811A#show ip route
     172.16.0.0/24 is subnetted, 2 subnets
C       172.16.30.0 is directly connected, Serial0/0/1
C       172.16.20.0 is directly connected, Serial0/1/1
21. From 2621 Router A, use the debug ip rip command to see RIP updates being sent and received on the router.

2621A#debug ip rip

22. To turn off debugging, use the no debug ip rip command or the undebug all command. Turn debugging off as soon as you have seen what you need: debug output is generated for every update the router sends or receives, and on a busy production router it can consume enough CPU to disrupt forwarding.

2621A#undebug all
23. To see the routing protocol timers, use the show ip protocols command.

2621A#show ip protocols
Routing Protocol is "rip"
  Sending updates every 30 seconds, next due in 23 seconds
  Invalid after 180 seconds, hold down 180, flushed after 240
  Outgoing update filter list for all interfaces is not set
  Incoming update filter list for all interfaces is not set
  Redistributing: rip
  Default version control: send version 2, receive version 2
    Interface          Send  Recv  Triggered RIP  Key-chain
    Serial0/0          2     2
  Automatic network summarization is in effect
  Maximum path: 4
  Routing for Networks:
    172.16.0.0
  Routing Information Sources:
    Gateway         Distance      Last Update
    172.16.20.1          120      00:00:07
  Distance: (default is 120)
2621A#
Notice the timers. RIP is sent out every 30 seconds by default. The administrative distance is 120 by default. Both RIPv1 and RIPv2 use the same timers.
Individual Lab: IPv6 Static Routing Enter all commands in lower case. The program’s grading feature expects lower case and may count an answer wrong if it is in upper case.
Internet Protocol Version 6 (IPv6) is the addressing scheme that will eventually replace IPv4. The IPv4 address space is no longer adequate for the growing Internet and for growing intranets, and IPv6 was also designed to improve routing performance and network scalability. IPv6 addresses are 128 bits long.

Hexadecimal Groups

An IPv6 address is written as eight 16-bit groups in hexadecimal, separated by colons. For example, 2001:0000:0000:0008:0000:0000:0000:0012 divides into:

Group    1     2     3     4     5     6     7     8
         2001  0000  0000  0008  0000  0000  0000  0012

The address above can also be shortened to 2001:0:0:8:0:0:0:12 (leading zeros dropped from each group) or to 2001:0:0:8::12 (one run of consecutive all-zero groups replaced by a double colon). Only one double colon is allowed in an address, and the canonical form (RFC 5952) uses it for the longest run of zero groups, so 2001::8:0:0:0:12 is accepted by routers but is not the preferred spelling.

Address Types

There are three IPv6 address types:

  • Unicast
  • Anycast
  • Multicast

Unicast Types

There are four unicast address types:

  • Link local
  • Unique local
  • Global
  • Special
IPv6 Bits

A global unicast address can be divided into a 48-bit global routing prefix, a 16-bit subnet ID and a 64-bit interface ID:

  48 bits            16 bits   64 bits
  2001:0000:0000:    0008:     0000:0000:0000:0012
  Global Prefix      Subnet    Interface ID

The /64 boundary matters for stateless address autoconfiguration, which assumes a 64-bit interface ID. The links in this lab use /112 prefixes, which is legal on router-to-router links but does not follow this layout.
This lab will have you create an IPv6 network. In this network you will use IPv6 to create both default and static routing. The network used in this lab has IPv4 addresses already configured on each router interface; running both IPv4 and IPv6 on an interface is called dual stacking. You will also verify your IPv6 static routing configurations. When you have finished with this lab, you can check your work by clicking the Grade Me button in the upper right hand corner of the Network Visualizer screen.
You will see a report that will display:

  • The name of the command entered for this lab
  • The expected configuration
  • Your configuration
  • The result for each command. You will see a green checkmark (meaning that you got it correct) or a red X.
  • A score of the number of correct answers out of the total possible
Network Layout On the Network Visualizer screen, click on the Labs menu then choose Individual, Routing Protocols, and Static IPv6.rsm.
Lab Steps

1. Enable IPv6 routing and Cisco Express Forwarding (CEF) on each router. Without ipv6 unicast-routing a router accepts IPv6 addresses on its interfaces but will not forward IPv6 packets between them.

2811A#en
2811A#config t
2811A(config)#ipv6 unicast-routing
2811A(config)#ipv6 cef

2811B#en
2811B#config t
2811B(config)#ipv6 unicast-routing
2811B(config)#ipv6 cef

2811C#en
2811C#config t
2811C(config)#ipv6 unicast-routing
2811C(config)#ipv6 cef

2. Configure IPv6 addresses on 2811 Router A.

2811A(config)#int fa0/0
2811A(config-if)#ipv6 address 2001::10:1/112
2811A(config-if)#int s0/0/0
2811A(config-if)#ipv6 address 2001::20:1/112
2811A(config-if)#int s0/1/0
2811A(config-if)#ipv6 address 2001::30:1/112
2811A(config-if)#exit
3. Configure IPv6 addresses on 2811 Router B.

2811B(config)#int fa0/0
2811B(config-if)#ipv6 address 2001::40:1/112
2811B(config-if)#interface serial 0/1/0
2811B(config-if)#ipv6 address 2001::30:2/112
2811B(config-if)#exit

4. Configure IPv6 addresses on 2811 Router C.

2811C(config)#int fa0/0
2811C(config-if)#ipv6 address 2001::50:1/112
2811C(config-if)#int s0/0/0
2811C(config-if)#ipv6 address 2001::20:2/112
2811C(config-if)#exit
5. Configure two IPv6 static routes on 2811 Router A.

2811A(config)#ipv6 route 2001::40:0/112 2001::30:2
2811A(config)#ipv6 route 2001::50:0/112 2001::20:2
2811A(config)#exit
2811A#copy run start

The static routes will allow 2811 Router A to reach the Fast Ethernet networks behind Routers B and C.

6. Configure an IPv6 default route on 2811 Router B.

2811B(config)#ipv6 route ::/0 2001::30:1
2811B(config)#exit
2811B#copy run start

This default route will allow 2811 Router B to communicate with the rest of the network. 2811 Router B will use 2811 Router A as its gateway of last resort.

7. Configure an IPv6 default route on 2811 Router C.

2811C(config)#ipv6 route ::/0 2001::20:1
2811C(config)#exit
2811C#copy run start

This default route will allow 2811 Router C to communicate with the rest of the network. 2811 Router C will use 2811 Router A as its gateway of last resort.
Verifying IPv6 Static Routing

8. On 2811 Router A, issue the show running-config command to verify the IPv6 configuration.

2811A#show run
[output cut]
!
interface FastEthernet0/0
 ip address 172.16.10.1 255.255.255.0
 no ip directed-broadcast
 ipv6 address 2001::10:1/112
!
[output cut]
!
interface Serial0/0/0
 ip address 172.16.20.1 255.255.255.0
 no ip directed-broadcast
 clock rate 2000000
 ipv6 address 2001::20:1/112
!
[output cut]
!
interface Serial0/1/0
 ip address 172.16.30.1 255.255.255.0
 no ip directed-broadcast
 clock rate 2000000
 ipv6 address 2001::30:1/112
!
[output cut]
!
ipv6 route 2001::40:0/112 2001::30:2
ipv6 route 2001::50:0/112 2001::20:2
!
[output cut]
2811A#

As you can see, each interface carries both an IPv4 and an IPv6 address (dual stacking), and the two IPv6 static routes are present.

9. On 2811 Router A, issue the show ipv6 interface command to see which router interfaces are configured for IPv6.

2811A#show ipv6 interface
FastEthernet0/0 is up, line protocol is up
  IPv6 is enabled, link-local address is FE80::21A:2FFF:FE55:D408
  Global unicast address(es):
    2001::10:1, subnet is 2001::10:0/112
  Joined group address(es):
    FF02::1
    FF02::2
    FF02::1:FF10:1
    FF02::1:FF55:D408
  MTU is 1500 bytes
  ICMP error messages limited to one every 100 milliseconds
  ICMP redirects are enabled
  [output cut]
Serial0/0/0 is up, line protocol is up
  IPv6 is enabled, link-local address is FE80::21A:2FFF:FE55:D408
  Description: conn-to-2811C
  Global unicast address(es):
    2001::20:1, subnet is 2001::20:0/112
  Joined group address(es):
    FF02::1
    FF02::2
    FF02::1:FF20:1
    FF02::1:FF55:D408
  MTU is 1500 bytes
  ICMP error messages limited to one every 100 milliseconds
  ICMP redirects are enabled
  [output cut]
Serial0/1/0 is up, line protocol is up
  IPv6 is enabled, link-local address is FE80::21A:2FFF:FE55:D408
  Description: conn-to-2811B
  Global unicast address(es):
    2001::30:1, subnet is 2001::30:0/112
  Joined group address(es):
    FF02::1
    FF02::2
    FF02::1:FF30:1
    FF02::1:FF55:D408
  MTU is 1500 bytes
  ICMP error messages limited to one every 100 milliseconds
  ICMP redirects are enabled
  [output cut]
2811A#

The subnet shown next to each global address is derived from the configured /112 prefix. The FF02::1:FFxx:xxxx entries are the solicited-node multicast groups that neighbor discovery uses for each address on the interface, and FF02::2 is the all-routers group, which the router joins because ipv6 unicast-routing is enabled.
10. On 2811 Router A, issue the show ipv6 interface brief command to see a summary of the router interfaces configured for IPv6.

2811A#show ipv6 interface brief
FastEthernet0/0            [up/up]
    FE80::21A:2FFF:FE55:D408
    2001::10:1
FastEthernet0/1            [administratively down/down]
Serial0/0/0                [up/up]
    FE80::21A:2FFF:FE55:D408
    2001::20:1
Serial0/0/1                [administratively down/down]
Serial0/1/0                [up/up]
    FE80::21A:2FFF:FE55:D408
    2001::30:1
Serial0/1/1                [administratively down/down]
2811A#

11. On 2811 Router A, issue the show ipv6 route command to see the IPv6 routing table.

2811A#show ipv6 route
IPv6 Routing Table - 10 entries
Codes: C - Connected, L - Local, S - Static, R - RIP, B - BGP
       U - Per-user Static route
       I1 - ISIS L1, I2 - ISIS L2, IA - ISIS interarea, IS - ISIS summary
       O - OSPF intra, OI - OSPF inter, OE1 - OSPF ext 1, OE2 - OSPF ext 2
       ON1 - OSPF NSSA ext 1, ON2 - OSPF NSSA ext 2
C   2001::10:0/112 [0/0]
     via ::, FastEthernet0/0
L   2001::10:1/128 [0/0]
     via ::, FastEthernet0/0
C   2001::20:0/112 [0/0]
     via ::, Serial0/0/0
L   2001::20:1/128 [0/0]
     via ::, Serial0/0/0
C   2001::30:0/112 [0/0]
     via ::, Serial0/1/0
L   2001::30:1/128 [0/0]
     via ::, Serial0/1/0
S   2001::40:0/112 [1/0]
     via 2001::30:2
S   2001::50:0/112 [1/0]
     via 2001::20:2
L   FE80::/10 [0/0]
     via ::, Null0
L   FF00::/8 [0/0]
     via ::, Null0
2811A#
12. From 2811 Router A, ping the IPv6 Fast Ethernet addresses of routers 2811 B and 2811 C. Pinging will verify that your default and static routing configurations are correct.

2811A#ping ipv6 2001::40:1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2001::40:1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 0/0/0 ms
2811A#
2811A#ping ipv6 2001::50:1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2001::50:1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 0/0/4 ms
2811A#
Individual Lab: RIP IPv6 Routing (RIPng) Enter all commands in lower case. The program’s grading feature expects lower case and may count an answer wrong if it is in upper case.
In this lab you will create an IPv6 RIPng network. The network used in this lab has IPv4 addresses already configured on each router interface, so it also demonstrates dual stacking. You will also be given the commands to verify your RIPng routing configuration. When you have finished with this lab, you can check your work by clicking the Grade Me button in the upper right hand corner of the Network Visualizer screen.
You will see a report that will display:

  • The name of the command entered for this lab
  • The expected configuration
  • Your configuration
  • The result for each command. You will see a green checkmark (meaning that you got it correct) or a red X.
  • A score of the number of correct answers out of the total possible
Network Layout On the Network Visualizer screen, click on the Labs menu then choose Individual, Routing Protocols, and RIP IPv6.rsm.
Lab Steps

1. Enable IPv6 routing and Cisco Express Forwarding (CEF) on each router.

2811A#en
2811A#config t
2811A(config)#ipv6 unicast-routing
2811A(config)#ipv6 cef

2811B#en
2811B#config t
2811B(config)#ipv6 unicast-routing
2811B(config)#ipv6 cef

2811C#en
2811C#config t
2811C(config)#ipv6 unicast-routing
2811C(config)#ipv6 cef

2. Configure IPv6 addresses on 2811 Router A.

2811A(config)#int fa0/0
2811A(config-if)#ipv6 address 2001::10:1/112
2811A(config-if)#int s0/0/0
2811A(config-if)#ipv6 address 2001::20:1/112
2811A(config-if)#int s0/1/0
2811A(config-if)#ipv6 address 2001::30:1/112
2811A(config-if)#exit

3. Configure IPv6 addresses on 2811 Router B.

2811B(config)#interface fastethernet 0/0
2811B(config-if)#ipv6 address 2001::40:1/112
2811B(config-if)#interface serial 0/1/0
2811B(config-if)#ipv6 address 2001::30:2/112
2811B(config-if)#exit

4. Configure IPv6 addresses on 2811 Router C.

2811C(config)#int fa0/0
2811C(config-if)#ipv6 address 2001::50:1/112
2811C(config-if)#int s0/0/0
2811C(config-if)#ipv6 address 2001::20:2/112
2811C(config-if)#exit
5. On 2811 Router A, create the IPv6 RIPng routing process in global configuration mode and then enable it on each interface in interface configuration mode.

2811A(config)#ipv6 router rip myripngprocess
2811A(config-rtr)#exit
2811A(config)#int fa0/0
2811A(config-if)#ipv6 rip myripngprocess enable
2811A(config-if)#int s0/0/0
2811A(config-if)#ipv6 rip myripngprocess enable
2811A(config-if)#int s0/1/0
2811A(config-if)#ipv6 rip myripngprocess enable
2811A(config-if)#ctrl+z
2811A#copy run start

Remember that the ipv6 unicast-routing command must be configured on the router before the RIPng routing process can be enabled; step 1 of this lab configured it on all three routers. Unlike RIPv1 and RIPv2, RIPng has no network command: the protocol is enabled per interface, and the process name (myripngprocess here) is only locally significant, so it does not have to match on the neighboring routers.

6. On 2811 Router B, create the RIPng routing process and enable it on each interface.

2811B(config)#ipv6 router rip myripngprocess
2811B(config-rtr)#exit
2811B(config)#int fa0/0
2811B(config-if)#ipv6 rip myripngprocess enable
2811B(config-if)#interface serial 0/1/0
2811B(config-if)#ipv6 rip myripngprocess enable
2811B(config-if)#ctrl+z
2811B#copy run start

7. On 2811 Router C, create the RIPng routing process and enable it on each interface.

2811C(config)#ipv6 router rip myripngprocess
2811C(config-rtr)#exit
2811C(config)#int fa0/0
2811C(config-if)#ipv6 rip myripngprocess enable
2811C(config-if)#int s0/0/0
2811C(config-if)#ipv6 rip myripngprocess enable
2811C(config-if)#ctrl+z
2811C#copy run start
Verifying RIP IPv6 Routing (RIPng)

8. On 2811 Router A, issue the show running-config command to verify the IPv6 configuration.

2811A#show run
[output cut]
!
ipv6 unicast-routing
ipv6 cef
!
[output cut]
!
interface FastEthernet0/0
 ip address 172.16.10.1 255.255.255.0
 no ip directed-broadcast
 ipv6 address 2001::10:1/112
 ipv6 rip myripngprocess enable
!
[output cut]
!
interface Serial0/0/0
 ip address 172.16.20.1 255.255.255.0
 no ip directed-broadcast
 ipv6 address 2001::20:1/112
 clock rate 8000000
 ipv6 rip myripngprocess enable
!
interface Serial0/1/0
 ip address 172.16.30.1 255.255.255.0
 no ip directed-broadcast
 ipv6 address 2001::30:1/112
 ipv6 rip myripngprocess enable
 clock rate 8000000
 no cdp enable
!
[output cut]
!
ipv6 router rip myripngprocess
[output cut]
2811A#
As you can see, RIPng is enabled on each interface, and the IPv6 RIP (RIPng) routing process appears at the bottom of the configuration.

9. On 2811 Router A, issue the show ipv6 route command to see the IPv6 routing table.

2811A#show ipv6 route
IPv6 Routing Table - 10 entries
Codes: C - Connected, L - Local, S - Static, R - RIP, B - BGP
       U - Per-user Static route
       I1 - ISIS L1, I2 - ISIS L2, IA - ISIS interarea, IS - ISIS summary
       O - OSPF intra, OI - OSPF inter, OE1 - OSPF ext 1, OE2 - OSPF ext 2
       ON1 - OSPF NSSA ext 1, ON2 - OSPF NSSA ext 2
C   2001::10:0/112 [0/0]
     via ::, FastEthernet0/0
L   2001::10:1/128 [0/0]
     via ::, FastEthernet0/0
C   2001::20:0/112 [0/0]
     via ::, Serial0/0/0
L   2001::20:1/128 [0/0]
     via ::, Serial0/0/0
C   2001::30:0/112 [0/0]
     via ::, Serial0/1/0
L   2001::30:1/128 [0/0]
     via ::, Serial0/1/0
R   2001::40:0/112 [120/2]
     via FE80::215:FAFF:FED7:EDA0, Serial0/1/0
R   2001::50:0/112 [120/2]
     via FE80::21A:2FFF:FE52:4808, Serial0/0/0
L   FE80::/10 [0/0]
     via ::, Null0
L   FF00::/8 [0/0]
     via ::, Null0
2811A#

Notice that the RIPng routes point at the neighbors' link-local addresses (FE80::...) rather than at their global addresses. RIPng updates are sourced from the link-local address of the sending interface, so that address becomes the next hop, and the administrative distance of 120 is the same as for RIP over IPv4.
10. On 2811 Router A, issue the show ipv6 protocols command to see the IPv6 routing protocols that are running on the router.

2811A#show ipv6 protocols
IPv6 Routing Protocol is "connected"
IPv6 Routing Protocol is "static"
IPv6 Routing Protocol is "rip myripngprocess"
  Interfaces:
    Serial0/1/0
    Serial0/0/0
    FastEthernet0/0
  Redistribution:
    None
2811A#
11. From 2811 Router A, ping the IPv6 Fast Ethernet addresses of routers 2811 B and 2811 C. Pinging will verify that your RIPng configuration is correct.

2811A#ping ipv6 2001::40:1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2001::40:1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 0/0/0 ms
2811A#
2811A#ping ipv6 2001::50:1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2001::50:1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 0/0/0 ms
2811A#
Individual Lab: PPP Encapsulation Enter all commands in lower case. The program’s grading feature expects lower case and may count an answer wrong if it is in upper case.
High-Level Data-Link Control (HDLC) is a point-to-point protocol used on leased lines. It is the default encapsulation on Cisco router synchronous serial links, and it offers no authentication. Cisco's HDLC is proprietary: it adds a protocol-type field to the standard frame, so it will not interoperate with another vendor's HDLC implementation. If you want to authenticate a serial link, or connect a Cisco router to another vendor's router, you need to configure PPP on the serial interfaces.
PPP (Point-to-Point Protocol) is a data-link protocol that can be used over both synchronous serial links and asynchronous serial (dial-up) media. It uses LCP (Link Control Protocol) to build and maintain the data-link connection and a separate network control protocol (IPCP for IP) to negotiate each layer-3 protocol carried on the link. The basic purpose of PPP is to transport layer-3 packets across a point-to-point Data Link layer connection. This lab will have you configure PPP on both serial links (all four serial interfaces), replacing HDLC as the encapsulation method. When you have finished with this lab, you can check your work by clicking the Grade Me button in the upper right hand corner of the Network Visualizer screen.
You will see a report that will display:

  • The name of the command entered for this lab
  • The expected configuration
  • Your configuration
  • The result for each command. You will see a green checkmark (meaning that you got it correct) or a red X.
  • A score of the number of correct answers out of the total possible
Network Layout On the Network Visualizer screen, click on the Labs menu then choose Individual, WAN, and PPP.
Lab Steps Copy and Paste Script Steps 1-3 are necessary in order to perform this lab. If you do not want to manually complete these steps and want to accelerate steps 1 - 3, you can copy and paste the following script into the console for each router. After you get into user mode, copy and paste the script into the console. Click on the console and click your right mouse button. A pop-up menu will appear. Click Paste.
After pasting the script into the console, you will see the prompt Destination filename [startup-config]?. At this point, press Enter.

2621 Router A:

enable
config t
hostname 2621A
line vty 0 4
password todd
login
interface serial 0/0
ip address 172.16.20.2 255.255.255.0
description connection to 2811A
no shutdown
exit
exit
copy run start

2811 Router A:

enable
config t
hostname 2811A
line vty 0 1180
password todd
login
interface serial 0/1/1
ip address 172.16.20.1 255.255.255.0
description connection to 2621A
no shutdown
interface serial 0/0/1
ip address 172.16.30.1 255.255.255.0
description connection to 2621B
no shutdown
exit
exit
copy run start

2621 Router B:

enable
config t
hostname 2621B
line vty 0 4
password todd
login
interface serial 0/0
ip address 172.16.30.2 255.255.255.0
description connection to 2811A
no shutdown
exit
exit
copy run start

The vty settings in these scripts are lab conveniences: a single shared line password, stored in clear text, with Telnet access. On a production router you would use login local with per-user accounts and restrict the lines to SSH with transport input ssh.
1. Double-click 2621 Router A. After the console screen comes up, perform the following commands.

Router>enable
Router#config t
Router(config)#hostname 2621A
2621A(config)#line vty 0 4
2621A(config-line)#password todd
2621A(config-line)#login
2621A(config-line)#int s0/0
2621A(config-if)#ip address 172.16.20.2 255.255.255.0
2621A(config-if)#description connection to 2811A
2621A(config-if)#no shutdown
2621A(config-if)#exit
2621A(config)#exit
2621A#copy run start
Destination filename [startup-config]? [enter]
Building configuration...
[OK]
2621A#
2. Double-click 2811 Router A. After the console screen comes up, perform the following commands.

Router>enable
Router#config t
Router(config)#hostname 2811A
2811A(config)#line vty 0 1180
2811A(config-line)#password todd
2811A(config-line)#login
2811A(config-line)#int s0/1/1
2811A(config-if)#ip address 172.16.20.1 255.255.255.0
2811A(config-if)#description connection to 2621A
2811A(config-if)#no shutdown
2811A(config-if)#int s0/0/1
2811A(config-if)#ip address 172.16.30.1 255.255.255.0
2811A(config-if)#description connection to 2621B
2811A(config-if)#no shutdown
2811A(config-if)#ctrl+z
2811A#copy run start
Destination filename [startup-config]? [enter]
Building configuration...
[OK]
2811A#
Clock Rate: You do not have to set a clock rate if the DCE side of your connection is a 2811 router, because its serial interfaces default to a clock rate of 2000000. On a 2621 router you must still set the clock rate explicitly on the DCE interface. In this lab the DCE ends of both links are on 2811 Router A: interface serial 0/1/1 and serial 0/0/1.
3. Double-click 2621 Router B. After the console screen comes up, perform the following commands.

Router>enable
Router#config t
Router(config)#hostname 2621B
2621B(config)#line vty 0 4
2621B(config-line)#password todd
2621B(config-line)#login
2621B(config-line)#int s0/0
2621B(config-if)#ip address 172.16.30.2 255.255.255.0
2621B(config-if)#description connection to 2811A
2621B(config-if)#no shutdown
2621B(config-if)#ctrl+z
2621B#copy run start
Destination filename [startup-config]? [enter]
Building configuration...
[OK]
2621B#
4. Now, configure each router with OSPF. The process ID (100, 101, 102) is only locally significant and does not have to match between routers.

2621A(config)#router ospf 100
2621A(config-router)#network 172.16.20.2 0.0.0.0 area 0
2621A(config-router)#network 172.16.40.0 0.0.0.255 area 0
2621A(config-router)#exit

2621B(config)#router ospf 101
2621B(config-router)#network 172.16.30.2 0.0.0.0 area 0
2621B(config-router)#network 172.0.0.0 0.255.255.255 area 0
2621B(config-router)#exit

2811A(config)#router ospf 102
2811A(config-router)#network 172.16.10.1 0.0.0.0 area 0
2811A(config-router)#network 172.16.20.1 0.0.0.0 area 0
2811A(config-router)#network 172.16.30.1 0.0.0.0 area 0
2811A(config-router)#exit
5. Bring up the console for 2811 Router A and change the encapsulation on both serial links from HDLC to PPP.

2811A(config)#int s0/0/1
2811A(config-if)#encapsulation ppp
2811A(config-if)#int s0/1/1
2811A(config-if)#encapsulation ppp
2811A(config-if)#ctrl+z
2811A#

6. Connect to 2621 Router B and change the encapsulation on its serial link from HDLC to PPP.

2621B(config)#int s0/0
2621B(config-if)#encapsulation ppp
2621B(config-if)#ctrl+z
2621B#

7. Connect to 2621 Router A and change the encapsulation on its serial link from HDLC to PPP.

2621A(config)#int s0/0
2621A(config-if)#encapsulation ppp
2621A(config-if)#ctrl+z
2621A#

That's all there is to it. One thing to keep in mind: the encapsulation must match on both ends of a link, and from the moment you enter encapsulation ppp on one side until the other side is changed as well, the line protocol on that link is down. Make these changes from the console, as this lab does, and not over a Telnet session that crosses the link you are reconfiguring.
Verifying PPP Encapsulation Once you have replaced HDLC as the serial encapsulation method, then you need to verify your network is still working properly. The first command to use is the show ip route command to make sure all your IP routes are still present. 8.
From 2621 Router A, use the show ip route command to verify the network is still running.

2621A#show ip route
[output cut]
     172.16.0.0/16 is variably subnetted, 3 subnets, 2 masks
O       172.16.30.0/24 [110/74] via 172.16.20.1, 07:50:33, Serial0/0
C       172.16.20.1/32 is directly connected, Serial0/0
C       172.16.20.0/24 is directly connected, Serial0/0
2621A#

Notice the new /32 entry for the far end of the link. During IPCP negotiation PPP installs a host route to the peer's address, which is why the table now shows two masks.

9. From 2621 Router B, use the show ip route command to verify the network is still running.

2621B#show ip route
[output cut]
     172.16.0.0/16 is variably subnetted, 3 subnets, 2 masks
C       172.16.30.1/32 is directly connected, Serial0/0
C       172.16.30.0/24 is directly connected, Serial0/0
O       172.16.20.0/24 [110/74] via 172.16.30.1, 07:50:33, Serial0/0
2621B#

10. From 2811 Router A, use the show ip route command to verify the network is still running.

2811A#show ip route
[output cut]
     172.16.0.0/16 is variably subnetted, 4 subnets, 2 masks
C       172.16.30.2/32 is directly connected, Serial0/0/1
C       172.16.30.0/24 is directly connected, Serial0/0/1
C       172.16.20.2/32 is directly connected, Serial0/1/1
C       172.16.20.0/24 is directly connected, Serial0/1/1
2811A#
11. From 2811 Router A, use the show interface command to see the serial link encapsulation.

2811A#show int s0/0/1
Serial0/0/1 is up, line protocol is up
  Hardware is GT96K Serial
  Description: connection to 2621B
  Internet address is 172.16.30.1/24
  MTU 1500 bytes, BW 1544 Kbit, DLY 20000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation PPP, loopback not set
[output cut]

2811A#show int s0/1/1
Serial0/1/1 is up, line protocol is up
  Hardware is GT96K Serial
  Description: connection to 2621A
  Internet address is 172.16.20.1/24
  MTU 1500 bytes, BW 1544 Kbit, DLY 20000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation PPP, loopback not set
Configuring PPP Authentication with CHAP

Now that the network is up and working with PPP, you can use PPP authentication to keep an unknown device from bringing up a link to your router. Although this is most often associated with dial-up, it works on any PPP link, including the synchronous serial links in this lab. This lab will have you configure PPP authentication on every router's serial interfaces using CHAP.

The Challenge Handshake Authentication Protocol (CHAP) runs when a link comes up, and the challenge may be repeated while the link is up, to make sure the router is still talking to the same peer. After PPP finishes its LCP phase, the local router sends a challenge, a random value together with its own hostname, to the remote device. The remote device looks up the password it has configured for that hostname and sends back an MD5 hash computed over the challenge identifier, the shared password and the challenge value, together with its own hostname. The local router computes the same hash from the password it has stored for that remote hostname and compares the two. If the values do not match, the link is terminated immediately. The password itself never crosses the link, but because the hash is computed from the clear-text password, both routers must hold that password in clear text, and a CHAP exchange captured on the link can be attacked offline by guessing the password, so do not use a trivial one outside the lab.

12. To configure PPP authentication, first set the hostname of the router if it is not already set (this is not optional: the hostname is what the router sends in its challenges and responses). Then set the username and password for the remote router that will connect to you. For example, if you are on 2621 Router A and want to configure authentication on its link to 2811 Router A, you set the hostname and then create a username equal to the remote router's hostname, 2811A:

Router#config t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#hostname 2621A
2621A(config)#username 2811A password cisco

Remember that the username is the hostname of the remote router that connects to you, and that it is case-sensitive. The password must be identical on both ends of the link. It is stored as a plain-text password and can be read with a show run command; service password-encryption only obscures it with the reversible type 7 encoding, and the one-way username ... secret form c cannot be used for CHAP because the router needs the clear-text value to compute the hash. You must configure a username and password for every remote system you connect to, and the remote routers must be configured with matching usernames and passwords for you.

13. After you set the hostname, usernames, and passwords, enable the authentication method on the interface as shown in the following example:

2621A#config t
Enter configuration commands, one per line. End with CNTL/Z.
2621A(config)#int s0/0
2621A(config-if)#ppp authentication chap
2621A(config-if)#exit
2621A(config)#
14. Open a console to 2621 Router A and create a username of 2811A (the hostname of 2811 Router A) with a password of cisco. Then configure serial interface 0/0 to use PPP authentication with CHAP.

2621A(config)#username 2811A password cisco
2621A(config)#int s0/0
2621A(config-if)#ppp authentication chap
2621A(config-if)#ctrl+z
2621A#

15. Open a console to 2621 Router B and create a username of 2811A with a password of cisco. Then configure serial interface 0/0 to use PPP authentication with CHAP.

2621B#config t
2621B(config)#username 2811A password cisco
2621B(config)#int s0/0
2621B(config-if)#ppp authentication chap
2621B(config-if)#ctrl+z
2621B#

16. Open a console to 2811 Router A and create usernames of 2621A and 2621B, each with a password of cisco. Then configure serial interfaces 0/0/1 and 0/1/1 to use PPP authentication with CHAP. Because ppp authentication chap is now configured on both ends of each link, each router challenges the other, so the authentication is mutual.

2811A(config)#username 2621A password cisco
2811A(config)#username 2621B password cisco
2811A(config)#int s0/0/1
2811A(config-if)#ppp authentication chap
2811A(config-if)#int s0/1/1
2811A(config-if)#ppp authentication chap
2811A(config-if)#ctrl+z
2811A#
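The three-way exchange described above, and the reason the username and password lines on the two routers have to mirror each other, can be seen in a few lines of code. The Python program below is an added illustration and not code from the lab book or from Cisco IOS: it models each router's username lines, runs the RFC 1994 challenge/response/result exchange in both directions, and then runs the offline dictionary attack that a captured exchange permits. The router names and the password cisco are the ones used in this lab; the wordlist is constructed.

```python
"""CHAP three-way handshake over PPP (RFC 1994). Added illustration for the
authentication section above; not code from the lab book. Models the
'username <peer-hostname> password <secret>' lines and shows why the secret
has to be clear text and why a captured exchange can be attacked offline.
Router names and the password 'cisco' are the lab's; the wordlist is made up."""

import hashlib
import hmac
import os

CHALLENGE, RESPONSE, SUCCESS, FAILURE = 1, 2, 3, 4


def chap_hash(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    # RFC 1994: Response Value = MD5(Identifier || secret || Challenge Value).
    # The authenticator must recompute this, so it needs the clear-text secret;
    # a one-way hash of the secret ('username ... secret') cannot be used.
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def pack(code: int, identifier: int, payload: bytes) -> bytes:
    # Code, Identifier, Length (covers the whole packet), then the payload.
    return bytes([code, identifier]) + (4 + len(payload)).to_bytes(2, "big") + payload


def unpack(packet: bytes):
    code, identifier = packet[0], packet[1]
    if int.from_bytes(packet[2:4], "big") != len(packet):
        raise ValueError("CHAP length field does not match packet size")
    if code in (CHALLENGE, RESPONSE):
        size = packet[4]                      # Value-Size, then Value, then Name
        return code, identifier, packet[5:5 + size], packet[5 + size:].decode()
    return code, identifier, b"", packet[4:].decode()   # Success/Failure carry a Message


class Router:
    def __init__(self, hostname: str, usernames: dict):
        self.hostname = hostname              # sent as the Name field, so it must be set
        # 'username <peer> password <secret>': keyed by the peer's exact hostname.
        self.usernames = {peer: secret.encode() for peer, secret in usernames.items()}
        self.pending = {}
        self.next_id = 0

    def challenge(self) -> bytes:
        self.next_id = (self.next_id + 1) % 256
        value = os.urandom(16)                # fresh random challenge every time
        self.pending[self.next_id] = value
        return pack(CHALLENGE, self.next_id, bytes([len(value)]) + value + self.hostname.encode())

    def respond(self, challenge_packet: bytes):
        _, identifier, value, peer = unpack(challenge_packet)
        secret = self.usernames.get(peer)     # case-sensitive lookup of the challenger's name
        if secret is None:
            return None                       # no matching 'username' line: cannot answer
        digest = chap_hash(identifier, secret, value)
        return pack(RESPONSE, identifier, bytes([len(digest)]) + digest + self.hostname.encode())

    def verify(self, response_packet: bytes) -> bytes:
        _, identifier, value, peer = unpack(response_packet)
        challenge = self.pending.pop(identifier, None)
        secret = self.usernames.get(peer)
        ok = (challenge is not None and secret is not None
              and hmac.compare_digest(value, chap_hash(identifier, secret, challenge)))
        return pack(SUCCESS if ok else FAILURE, identifier,
                    b"Welcome" if ok else b"Authentication failure")


def authenticate(authenticator: Router, peer: Router) -> bool:
    """One direction of the handshake; with 'ppp authentication chap' on both
    ends each router runs this against the other."""
    challenge = authenticator.challenge()
    response = peer.respond(challenge)
    if response is None:
        return False
    return unpack(authenticator.verify(response))[0] == SUCCESS


def crack(challenge_packet: bytes, response_packet: bytes, wordlist):
    """Offline dictionary attack on a captured exchange: the challenge is
    public and MD5 is fast, so a weak shared secret falls immediately."""
    _, identifier, value, _ = unpack(challenge_packet)
    _, _, digest, _ = unpack(response_packet)
    for word in wordlist:
        if chap_hash(identifier, word.encode(), value) == digest:
            return word
    return None


if __name__ == "__main__":
    r2811a = Router("2811A", {"2621A": "cisco", "2621B": "cisco"})
    r2621a = Router("2621A", {"2811A": "cisco"})
    print("2811A authenticates 2621A:", authenticate(r2811a, r2621a))
    print("2621A authenticates 2811A:", authenticate(r2621a, r2811a))
    c, r = r2811a.challenge(), r2621a.respond(r2811a.challenge())
    c = r2811a.challenge(); r = r2621a.respond(c)
    print("password recovered from the capture:", crack(c, r, ["todd", "password", "cisco"]))
```

Three of the failure cases the lab text warns about are easy to reproduce with it: a peer whose username line uses a different case (2811a instead of 2811A) never answers the challenge, a peer with the wrong password gets a Failure packet, and a peer that has a correct line for you but for which you have no username line is also rejected, because verification is keyed by the Name the peer sends.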
Verifying PPP with Authentication Once you have configured PPP with authentication as the serial encapsulation method, then you need to verify your network is still working properly. The first command to use is the show ip route command to make sure all your IP routes are still present. The next command to use is the show interface command.
17. From 2621 Router A, use the show ip route command to verify the network is still running.

2621A#show ip route
[output cut]
     172.16.0.0/16 is variably subnetted, 3 subnets, 2 masks
O       172.16.30.0/24 [110/74] via 172.16.20.1, 08:08:48, Serial0/0
C       172.16.20.1/32 is directly connected, Serial0/0
C       172.16.20.0/24 is directly connected, Serial0/0
2621A#

18. From 2621 Router B, use the show ip route command to verify the network is still running.

2621B#show ip route
[output cut]
     172.16.0.0/16 is variably subnetted, 3 subnets, 2 masks
C       172.16.30.1/32 is directly connected, Serial0/0
C       172.16.30.0/24 is directly connected, Serial0/0
O       172.16.20.0/24 [110/74] via 172.16.30.1, 08:08:48, Serial0/0
2621B#

19. From 2811 Router A, use the show ip route command to verify the network is still running.

2811A#show ip route
[output cut]
     172.16.0.0/16 is variably subnetted, 4 subnets, 2 masks
C       172.16.30.2/32 is directly connected, Serial0/0/1
C       172.16.30.0/24 is directly connected, Serial0/0/1
C       172.16.20.2/32 is directly connected, Serial0/1/1
C       172.16.20.0/24 is directly connected, Serial0/1/1
2811A#
20. From 2811 Router A, use the show interface command to see the serial link encapsulation.
2811A#show int s0/0/1
Serial0/0/1 is up, line protocol is up
  Hardware is GT96K Serial
  Description: connection to 2621B
  Internet address is 172.16.30.1/24
  MTU 1500 bytes, BW 1544 Kbit, DLY 20000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation PPP, loopback not set
  Keepalive set (10)
  Last input 00:00:02, output 00:00:06, output hang never
  Last clearing of "show interface" counters 02:41:59
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: weighted fair
  Output queue: 0/1000/64/0 (size/max total/threshold/drops)
     Conversations  0/1/256 (active/max active/max total)
     Reserved Conversations 0/0 (allocated/max allocated)
     Available Bandwidth 1158 kilobits/sec
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     1645 packets input, 100265 bytes, 0 no buffer
     Received 1139 broadcasts, 0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
     1662 packets output, 105842 bytes, 0 underruns
     0 output errors, 0 collisions, 3 interface resets
     0 output buffer failures, 0 output buffers swapped out
     2 carrier transitions
     DCD=up  DSR=up  DTR=up  RTS=up  CTS=up
2811A#
2811A#show int s0/1/1
Serial0/1/1 is up, line protocol is up
  Hardware is GT96K Serial
  Description: connection to 2621A
  Internet address is 172.16.20.1/24
  MTU 1500 bytes, BW 1544 Kbit, DLY 20000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation PPP, loopback not set
  Keepalive set (10)
  Last input 00:00:02, output 00:00:06, output hang never
  Last clearing of "show interface" counters 02:41:59
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: weighted fair
  Output queue: 0/1000/64/0 (size/max total/threshold/drops)
     Conversations  0/1/256 (active/max active/max total)
     Reserved Conversations 0/0 (allocated/max allocated)
     Available Bandwidth 1158 kilobits/sec
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     1645 packets input, 100265 bytes, 0 no buffer
     Received 1139 broadcasts, 0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
     1662 packets output, 105842 bytes, 0 underruns
     0 output errors, 0 collisions, 3 interface resets
     0 output buffer failures, 0 output buffers swapped out
     2 carrier transitions
     DCD=up  DSR=up  DTR=up  RTS=up  CTS=up
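The verification above reads show output by eye. The same CHAP prerequisites can be checked mechanically, which matters once there are more than two links: both ends need encapsulation ppp and ppp authentication chap on the serial interface, and each end needs a username entry for the peer's hostname with the same secret as the peer's entry. The script below is an added example, not code from the book or the simulator; the three configs and the link list are constructed from the lab's steps (the cabling follows the 2811A interface descriptions shown in the show interface output).

```python
"""Audit PPP CHAP settings across IOS-style running configs (added example).

Checks per link: `encapsulation ppp` and `ppp authentication chap` on both
ends, a `username <peer-hostname> ...` entry on each end, and matching secrets.
"""
import re
from dataclasses import dataclass, field


@dataclass
class RouterCfg:
    hostname: str = ""
    usernames: dict = field(default_factory=dict)   # peer hostname -> secret
    interfaces: dict = field(default_factory=dict)  # interface name -> set of config lines


# Matches "username 2811A password cisco" and the "password 7 <hash>" / "secret 5 <hash>" forms
USERNAME_RE = re.compile(r"^username\s+(\S+)\s+(?:password|secret)\s+(?:\d\s+)?(\S+)$")


def parse_config(text: str) -> RouterCfg:
    """Minimal running-config parser: global lines plus indented interface lines."""
    cfg = RouterCfg()
    current = None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" ") and current is not None:   # line inside an interface block
            cfg.interfaces[current].add(raw.strip())
            continue
        current = None
        line = raw.strip()
        if line.startswith("hostname "):
            cfg.hostname = line.split(None, 1)[1]
        elif line.startswith("username "):
            m = USERNAME_RE.match(line)
            if m:
                cfg.usernames[m.group(1)] = m.group(2)
        elif line.startswith("interface "):
            current = line.split(None, 1)[1]
            cfg.interfaces.setdefault(current, set())
    return cfg


def _check_side(local: RouterCfg, ifname: str, peer: RouterCfg) -> list:
    lines = local.interfaces.get(ifname)
    if lines is None:
        return [f"{local.hostname}: interface {ifname} not found"]
    findings = []
    if "encapsulation ppp" not in lines:
        findings.append(f"{local.hostname} {ifname}: encapsulation is not ppp")
    if "ppp authentication chap" not in lines:
        findings.append(f"{local.hostname} {ifname}: ppp authentication chap missing")
    if peer.hostname not in local.usernames:   # CHAP looks the peer's hostname up locally
        findings.append(f"{local.hostname}: no username entry for peer {peer.hostname}")
    return findings


def audit_chap(config_texts, links) -> list:
    """links: (router_a, interface_a, router_b, interface_b) tuples. Returns findings."""
    routers = {c.hostname: c for c in map(parse_config, config_texts)}
    findings = []
    for a_name, a_if, b_name, b_if in links:
        a, b = routers[a_name], routers[b_name]
        findings += _check_side(a, a_if, b) + _check_side(b, b_if, a)
        secret_a, secret_b = a.usernames.get(b_name), b.usernames.get(a_name)
        if secret_a is not None and secret_b is not None and secret_a != secret_b:
            findings.append(f"{a_name}<->{b_name}: CHAP secrets differ")
    return findings


# Constructed configs reflecting the lab's steps 15 and 16 (not captured output).
CFG_2621A = """\
hostname 2621A
username 2811A password cisco
interface Serial0/0
 encapsulation ppp
 ppp authentication chap
"""
CFG_2621B = CFG_2621A.replace("hostname 2621A", "hostname 2621B")
CFG_2811A = """\
hostname 2811A
username 2621A password cisco
username 2621B password cisco
interface Serial0/0/1
 encapsulation ppp
 ppp authentication chap
interface Serial0/1/1
 encapsulation ppp
 ppp authentication chap
"""
# Cabling as given by the 2811A interface descriptions in the lab
LAB_LINKS = [("2621A", "Serial0/0", "2811A", "Serial0/1/1"),
             ("2621B", "Serial0/0", "2811A", "Serial0/0/1")]

if __name__ == "__main__":
    for line in audit_chap([CFG_2621A, CFG_2621B, CFG_2811A], LAB_LINKS) or ["CHAP configuration consistent"]:
        print(line)
```

With the lab's configs the audit returns no findings; changing one side's secret (for example to Cisco with a capital C) or deleting ppp authentication chap from one interface produces a finding naming the router and link, which is the same information a failed link would otherwise only reveal through debug ppp authentication.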
Individual Lab: Frame Relay Switching
Enter all commands in lower case. The program’s grading feature expects lower case and may count an answer wrong if it is in upper case.
Frame Relay provides connection-oriented, Data Link layer communication via virtual circuits. These virtual circuits are logical connections created between two DTEs across a packet-switched network, each identified by a DLCI, or Data Link Connection Identifier. Frame Relay supports both PVCs (Permanent Virtual Circuits) and SVCs (Switched Virtual Circuits, which are a form of dialup), although most Frame Relay networks use only PVCs. The virtual circuit provides the complete path to the destination network before the first frame is sent. Frame Relay provides a communications interface between DTE (data terminal equipment) and DCE (data circuit-terminating equipment, such as packet switches) devices. DTE consists of terminals, PCs, routers, and bridges: customer-owned end-node and internetworking devices. DCE consists of carrier-owned internetworking devices. Frame Relay sends packets at the Data Link layer (layer 2) of the OSI model rather than at the Network layer (layer 3). A frame can incorporate packets from different protocols.
When you have finished with this lab ...
You can check your work by clicking the Grade Me button in the upper right hand corner of the Network Visualizer screen.
Network Layout On the Network Visualizer screen, click on the Labs menu then choose Individual, WAN, and Frame Relay.
You will see a report that will display:
• The name of the command entered for this lab
• The expected configuration
• Your configuration
• The result for each command. You will see a green checkmark (meaning that you got it correct) or a red X
• A score of the number of correct answers out of the total possible
Understand Frame Relay
Frame Relay Uses Virtual Circuits
Frame Relay provides connection-oriented, Data Link layer communication via virtual circuits. These virtual circuits are logical connections created between two DTEs across a packet-switched network, each identified by a DLCI, or Data Link Connection Identifier. Frame Relay supports both PVCs (Permanent Virtual Circuits) and SVCs (Switched Virtual Circuits, which are a form of dialup), although most Frame Relay networks use only PVCs. The virtual circuit provides the complete path to the destination network before the first frame is sent.
Configuring Frame Relay Encapsulation
When configuring Frame Relay on Cisco routers, you need to specify it as an encapsulation on serial interfaces. There are only two encapsulation types: Cisco and IETF (Internet Engineering Task Force). The following router output shows the two different encapsulation methods when choosing Frame Relay on your Cisco router:
2621A#config t
2621A(config)#int s0/0
2621A(config-if)#encapsulation frame-relay ?
  ietf  Use RFC1490 encapsulation
The default encapsulation is Cisco unless you manually type in IETF, and Cisco is the type used when connecting two Cisco devices. You’d opt for the IETF-type encapsulation if you needed to connect a Cisco device to a non-Cisco device with Frame Relay.
Frame Relay DLCI
Frame Relay virtual circuits (PVCs) are identified by Data Link Connection Identifiers (DLCIs). A Frame Relay service provider, such as the telephone company, typically assigns DLCI values, which are used by Frame Relay to distinguish between different virtual circuits on the network. Because many virtual circuits can be terminated on one multipoint Frame Relay interface, many DLCIs are often affiliated with it.
For the IP devices at each end of a virtual circuit to communicate, their IP addresses need to be mapped to DLCIs. This mapping can function as a multipoint device—one that can identify to the Frame Relay network the appropriate destination virtual circuit for each packet that is sent over the single physical interface. The mappings can be done dynamically through IARP (Inverse ARP) or manually through the frame-relay map command. DLCI numbers, used to identify a PVC, are typically assigned by the provider and start at 16. Configuring a DLCI number to be applied to an interface is shown below:
2621A(config-if)#frame-relay interface-dlci ?
  <16-1007>  Define a DLCI as part of the current subinterface
2621A(config-if)#frame-relay interface-dlci 16
Frame Relay LMI
The Local Management Interface (LMI) was developed in 1990 by Cisco Systems, StrataCom, Northern Telecom, and Digital Equipment Corporation and became known as the Gang-of-Four LMI or Cisco LMI. This gang took the basic Frame Relay protocol from the CCITT and added extensions to the protocol features that allow internetworking devices to communicate easily with a Frame Relay network. The LMI is a signaling standard between a CPE device (router) and a Frame Relay switch. The LMI is responsible for managing and maintaining status between these devices. If you’re not going to use the auto-sense feature of LMI, you’ll need to check with your Frame Relay provider to find out which type to use instead. The default type is Cisco, but you may need to change to ANSI or Q.933A. The three different LMI types are depicted in the router output below.
2621A(config-if)#frame-relay lmi-type ?
  cisco
  ansi
  q933a
2621A(config-if)#frame-relay lmi-type ansi
You can have multiple virtual circuits on a single serial interface and yet treat each as a separate interface. These are known as subinterfaces. Think of a subinterface as a hardware interface defined by the IOS software. An advantage gained through using subinterfaces is the ability to assign different Network layer characteristics to each subinterface and virtual circuit, such as IP routing on one virtual circuit and IPX on another.
Subinterfaces with Frame Relay
You define subinterfaces with the int s0.subinterface-number command as shown below. You first set the encapsulation on the serial interface, and then you can define the subinterfaces.
2621A(config-if)#encapsulation frame-relay
2621A(config-if)#exit
2621A(config)#int s0/0.?
  <0-4294967295>  Serial interface number
2621A(config)#int s0/0.16 ?
  multipoint      Treat as a multipoint link
  point-to-point  Treat as a point-to-point link
2621A(config)#int s0/0.16 point-to-point
2621A(config-subif)#
You can define an almost limitless number of subinterfaces on a given physical interface (keeping router memory in mind). In the above example, we chose to use subinterface 16 because that represents the DLCI number assigned to that interface. However, you can choose any number between 0 and 4,294,967,295.
Configuring Frame-Relay
Lab Steps
Now that you should have a background on how to configure basic Frame Relay on a Cisco router, this lab will have you configure 2811 Router A as a Frame Relay switch. Then you’ll configure routers 2621 A and 2621 B as remote Frame Relay connections.
1. Open a console for 2811 A and configure the hostname.
Router>enable
Router#config t
Router(config)#hostname 2811A
2811A(config)#
Once your router is clear, you can make it a Frame Relay switch with the frame-relay switching command. However, that is the easy part. You need to map every DLCI on the switch. Of course the router only has two connections, so it is not too time consuming, but if you had dozens of PVCs, this could take a while.
2811 A
  serial 0/0/1  DLCI 16
  serial 0/1/1  DLCI 17
On the Frame Relay switch, use the frame-relay route command to map each and every DLCI. Here is an example:
2811A(config)#int s0/0/1
2811A(config-if)#frame-relay route 17 interface serial 0/1/1 16
2811A(config-if)#exit
2811A(config)#
This command tells the switch that if it receives a frame on serial 0/0/1 with a PVC of 16, then send it out serial 0/1/1 using a PVC of 17. Again, in our network, this configuration will only be two routes so it’s not a big deal.
2. On 2811 Router A configure the Frame Relay switching. No IP addresses are assigned to the router's interfaces. Remember, this is a Data Link layer function only, so IP is irrelevant to this configuration.
2811A(config)#frame-relay switching
2811A(config)#int s0/0/1
2811A(config)#encapsulation frame-relay
2811A(config-if)#no shut
2811A(config-if)#frame intf-type dce
2811A(config-if)#frame-relay route 17 interface serial 0/1/1 16
2811A(config-if)#int s0/1/1
2811A(config)#encapsulation frame-relay
2811A(config-if)#no shut
2811A(config-if)#frame intf-type dce
2811A(config-if)#frame-relay route 16 interface serial 0/0/1 17
2811A(config-if)#ctrl+z
2811A#
Configuring Frame Relay with Subinterfaces
Now that the Frame Relay switching router is configured, you need to configure the remote routers. You will bring up the console for routers 2621 A and 2621 B and configure them for Frame Relay using subinterfaces. Since the Frame Relay switch is not using IP addressing, the connection from router 2621 A to 2621 B, for example, will use one subnet and appear like a direct connection. Use subnet 172.16.100.0.
3. Open a console on 2621 Router A and configure the serial 0/0 interface with a Frame Relay subinterface. To perform this, you must remove the IP address and IPX network number from the serial interface. In this lab we do not have an existing IP address, but we wanted to include the configuration to remove it. You may be constructing your own network and already have an IP address on s0/0, and you will need to remember to remove it.
Router>enable
Router#config t
Router(config)#hostname 2621A
2621A(config)#int s0/0
2621A(config-if)#no ip address
2621A(config-if)#no shut
2621A(config-if)#encapsulation frame-relay
2621A(config-if)#int s0/0.16 point-to-point
2621A(config-subif)#ip address 172.16.100.1 255.255.255.0
2621A(config-subif)#frame-relay interface-dlci 16
2621A(config-subif)#ctrl+z
2621A#
4. Open a console on 2621 Router B and configure the serial 0/0 interface with a Frame Relay subinterface.
Router>enable
Router#config t
Router(config)#hostname 2621B
2621B(config)#int s0/0
2621B(config-if)#no ip address
2621B(config-if)#no shut
2621B(config-if)#encapsulation frame-relay
2621B(config-if)#int s0/0.17 point-to-point
2621B(config-subif)#ip address 172.16.100.2 255.255.255.0
2621B(config-subif)#frame-relay interface-dlci 17
2621B(config-subif)#ctrl+z
2621B#
5. Verify the Frame Relay connection is up and running. Ping from 2621 Router A to 2621 Router B.
2621A#ping 172.16.100.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.100.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/4 ms
2621A#
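Steps 2 to 4 only work if the DLCI each remote router binds matches what the switch expects on the port that router is cabled to, and if the switch has a route in both directions. The script below is an added example, not code from the book or the simulator, that checks exactly that from the configs. It assumes the IOS syntax frame-relay route <incoming-dlci> interface <outgoing-interface> <outgoing-dlci>, entered under the switch's ingress interface, and frame-relay interface-dlci <dlci> under a point-to-point subinterface on each DTE. The configs are constructed from steps 2 to 4; the cabling (2621B on s0/0/1, 2621A on s0/1/1) follows the interface descriptions used in the PPP lab.

```python
"""Consistency check for a Frame Relay switch and its attached DTE routers (added example)."""
import ipaddress
import re

ROUTE_RE = re.compile(r"^frame-relay route (\d+) interface (.+?) (\d+)$")
DLCI_RE = re.compile(r"^frame-relay interface-dlci (\d+)$")
IP_RE = re.compile(r"^ip address (\S+) (\S+)$")


def norm_if(name: str) -> str:
    """'serial 0/1/1' and 'Serial0/0.16 point-to-point' both become canonical names."""
    parts = name.split()
    if parts[-1] in ("point-to-point", "multipoint"):
        parts = parts[:-1]
    joined = "".join(parts)
    return joined[0].upper() + joined[1:]


def parse_switch(text: str) -> dict:
    """Return {(ingress_if, in_dlci): (egress_if, out_dlci)} from the switch config."""
    routes, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = norm_if(line.split(None, 1)[1])
            continue
        m = ROUTE_RE.match(line)
        if m and current:
            routes[(current, int(m.group(1)))] = (norm_if(m.group(2)), int(m.group(3)))
    return routes


def parse_dte(text: str):
    """Return (hostname, {dlci: ip_interface or None}) for a DTE router config."""
    hostname, current, addrs, dlci_if = "", None, {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("hostname "):
            hostname = line.split(None, 1)[1]
        elif line.startswith("interface "):
            current = norm_if(line.split(None, 1)[1])
        elif current and (m := IP_RE.match(line)):
            addrs[current] = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}")
        elif current and (m := DLCI_RE.match(line)):
            dlci_if[int(m.group(1))] = current
    return hostname, {d: addrs.get(i) for d, i in dlci_if.items()}


def audit_frame_relay(switch_cfg: str, attachments: dict) -> list:
    """attachments: {switch_port: dte_config_text}. Returns sorted findings."""
    routes = parse_switch(switch_cfg)
    findings = []
    for key, out in routes.items():           # a PVC needs a route in each direction
        if routes.get(out) != key:
            findings.append(f"switch: route {key} -> {out} has no reverse route")
    dtes = {port: parse_dte(cfg) for port, cfg in attachments.items()}
    for port, (host, dlcis) in dtes.items():
        for dlci, addr in dlcis.items():
            out = routes.get((port, dlci))
            if out is None:                   # the switch would drop every frame on this DLCI
                findings.append(f"{host}: DLCI {dlci} not routed by switch on {port}")
                continue
            far_port, far_dlci = out
            if far_port not in dtes:
                continue
            far_host, far_dlcis = dtes[far_port]
            far_addr = far_dlcis.get(far_dlci)
            if far_addr is None:
                findings.append(f"{host} DLCI {dlci}: far end {far_host} does not bind DLCI {far_dlci}")
            elif addr and addr.network != far_addr.network:   # point-to-point ends share one subnet
                findings.append(f"{host} DLCI {dlci} and {far_host} DLCI {far_dlci} are on different subnets")
    return sorted(findings)


# Constructed from the lab's steps 2 to 4 (not captured output).
SWITCH_CFG = """\
hostname 2811A
frame-relay switching
interface Serial0/0/1
 encapsulation frame-relay
 frame-relay intf-type dce
 frame-relay route 17 interface serial 0/1/1 16
interface Serial0/1/1
 encapsulation frame-relay
 frame-relay intf-type dce
 frame-relay route 16 interface serial 0/0/1 17
"""
CFG_2621A = """\
hostname 2621A
interface Serial0/0
 encapsulation frame-relay
interface Serial0/0.16 point-to-point
 ip address 172.16.100.1 255.255.255.0
 frame-relay interface-dlci 16
"""
CFG_2621B = (CFG_2621A.replace("2621A", "2621B").replace("0/0.16", "0/0.17")
             .replace("100.1 ", "100.2 ").replace("dlci 16", "dlci 17"))
LAB_ATTACHMENTS = {"Serial0/0/1": CFG_2621B, "Serial0/1/1": CFG_2621A}   # assumed cabling

if __name__ == "__main__":
    print(audit_frame_relay(SWITCH_CFG, LAB_ATTACHMENTS) or ["Frame Relay mapping consistent"])
```

With the lab's configs and cabling the check is clean. Swapping the two cables, or removing one of the two frame-relay route statements, produces findings that name the router and DLCI, which is what show frame pvc would eventually show as an INACTIVE or DELETED PVC.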
Verifying Frame Relay
There are several ways to check the status of your interfaces and PVCs once you have Frame Relay encapsulation set up and running. You can use the show frame-relay command with a question mark (?) to get the command options:
2621A#show frame ?
  ip             show frame relay IP statistics
  lapf           show frame relay lapf status/statistics
  lmi            show frame relay lmi statistics
  map            Frame-Relay map table
  pvc            show frame relay pvc statistics
  qos-autosense  show frame relay qos-autosense information
  route          show frame relay route
  rtp            show frame relay RTP statistics
  svc            show frame relay SVC stuff
  traffic        Frame-Relay protocol statistics
6. Change to the console for 2621 Router A.
7. The show frame-relay lmi command will give you the LMI traffic statistics exchanged between the local router and the Frame Relay switch.
2621A#show frame lmi
LMI Statistics for interface Serial0/0 (Frame Relay DTE) LMI TYPE = CISCO
  Invalid Unnumbered info 0             Invalid Prot Disc 0
  Invalid dummy Call Ref 0              Invalid Msg Type 0
  Invalid Status Message 0              Invalid Lock Shift 0
  Invalid Information ID 0              Invalid Report IE Len 0
  Invalid Report Request 0              Invalid Keep IE Len 0
  Num Status Enq. Rcvd 1748             Num Status msgs Sent 1748
  Num Update Status Sent 0              Num St Enq. Timeouts 0
2621A#
The router output from the show frame-relay lmi command shows you LMI errors as well as the LMI type.
8. The show frame pvc command will list all configured PVCs and DLCI numbers. It provides the status of each PVC connection and traffic statistics. It will also give you the number of BECN and FECN packets received on the router.
2621A#show frame pvc
PVC Statistics for interface Serial0/0 (Frame Relay DTE)
DLCI = 16, DLCI USAGE = LOCAL, PVC STATUS = ACTIVE, INTERFACE = Serial0/0.16
  input pkts 11290          output pkts 11277        in bytes 898590
  out bytes 899156          dropped pkts 2           in FECN pkts 0
  in BECN pkts 0            out FECN pkts 0          out BECN pkts 0
  in DE pkts 0              out DE pkts 0
  out bcast pkts 11264      out bcast bytes 898468
  pvc create time 13:25:57, last time pvc status changed 13:25:39
2621A#
9. You can also use the show interface command to check for LMI traffic. The show interface command displays information about the encapsulation as well as layer-2 and layer-3 information. The LMI DLCI is used to define the type of LMI being used. If it is 1023, it is the default LMI type of Cisco. If the LMI DLCI is zero, then it is the ANSI LMI type.
2621A#show int s0/0
Serial0/0 is up, line protocol is up
  Hardware is PowerQUICC Serial
  MTU 1500 bytes, BW 1544 Kbit, DLY 20000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation FRAME-RELAY, loopback not set
  Keepalive set (10)
  FR SVC disabled, LAPF state down
  LMI enq sent 41, LMI stat recvd 22, LMI upd recvd 0, DTE LMI down
  LMI enq recvd 4, LMI stat sent 0, LMI upd sent 0
  LMI DLCI 1023  LMI type is CISCO  frame relay DTE
  Broadcast queue 0/64, broadcasts sent/dropped 0/0, interface broadcasts 0
[output cut]
2621A#
The show interface command displays line, protocol, DLCI and LMI information.
10. The show frame map command will show you the Network layer-to-DLCI mappings.
2621A#show frame map
Serial0/0.16 (up): point-to-point dlci, dlci 16(0x66,0x1860), broadcast
          status defined, active
2621A#
Individual Lab: EIGRP Routing
Enter all commands in lower case. The program’s grading feature expects lower case and may count an answer wrong if it is in upper case.
Enhanced Interior Gateway Routing Protocol (EIGRP) is a Cisco proprietary hybrid routing protocol. If you want your routers to share information they must all:
• have EIGRP running
• use the same AS number
When you have finished with this lab ...
EIGRP
• Stands for Enhanced Interior Gateway Routing Protocol
• Uses properties of both distance vector and link state
• Has an administrative distance of 90
• Has a maximum hop count of 255
• Will automatically overwrite RIP (which has a default administrative distance of 120) routes in the routing table
• Uses autonomous systems (AS) to create groups of routers that share routing information
• Classless routing protocol but configured in a classful manner
• Uses RTP (Reliable Transport Protocol)
• Uses DUAL (Diffusing Update Algorithm)
• Supports VLSM, summarization, and discontiguous networking
• Supports IP v4 and v6, IPX, AppleTalk
You can check your work by clicking the Grade Me button in the upper right hand corner of the Network Visualizer screen.
You will see a report that will display:
• The name of the command entered for this lab
• The expected configuration
• Your configuration
• The result for each command. You will see a green checkmark (meaning that you got it correct) or a red X
• A score of the number of correct answers out of the total possible
Network Layout On the Network Visualizer screen, click on the Labs menu then choose Individual, Routing Protocols, and EIGRP.
Lab Steps Copy and Paste Script Steps 1-3 are necessary in order to perform this lab. If you do not want to manually complete these steps and want to accelerate steps 1 - 3, you can copy and paste the following script into the console for each router. After you get into User mode, copy and paste the script into the console. Click on the console and click your right mouse button. A pop-up menu will appear. Click Paste.
After pasting the script into the console, you will see the prompt Destination filename [startup-config]?. At this point, press Enter.
2621 Router A
enable
config t
hostname 2621A
line vty 0 4
password todd
login
interface serial 0/0
ip address 172.16.20.2 255.255.255.0
description connection to 2811A
no shutdown
exit
exit
copy run start

2811 Router A
enable
config t
hostname 2811A
line vty 0 1180
password todd
login
interface serial 0/1/1
ip address 172.16.20.1 255.255.255.0
description connection to 2621A
no shutdown
interface serial 0/0/1
ip address 172.16.30.1 255.255.255.0
description connection to 2621B
no shutdown
exit
exit
copy run start

2621 Router B
enable
config t
hostname 2621B
line vty 0 4
password todd
login
interface serial 0/0
ip address 172.16.30.2 255.255.255.0
description connection to 2811A
no shutdown
exit
exit
copy run start
1. Double-click 2621 Router A. After the console screen comes up, perform the following commands.
Router>enable
Router#config t
Router(config)#hostname 2621A
2621A(config-line)#line vty 0 4
2621A(config-line)#password todd
2621A(config-line)#login
2621A(config-if)#int s0/0
2621A(config-if)#ip address 172.16.20.2 255.255.255.0
2621A(config-if)#description connection to 2811A
2621A(config-if)#no shutdown
2621A(config-if)#ctrl+z
2621A#copy run start
Destination filename [startup-config]? [enter]
Building configuration...
[OK]
2621A#
2. Double-click 2811 Router A. After the console screen comes up, perform the following commands.
Router>enable
Router#config t
Router(config)#hostname 2811A
2811A(config-line)#line vty 0 1180
2811A(config-line)#password todd
2811A(config-line)#login
2811A(config-if)#int s0/1/1
2811A(config-if)#ip address 172.16.20.1 255.255.255.0
2811A(config-if)#description connection to 2621A
2811A(config-if)#no shutdown
2811A(config-if)#int s0/0/1
2811A(config-if)#ip address 172.16.30.1 255.255.255.0
2811A(config-if)#description connection to 2621B
2811A(config-if)#no shutdown
2811A(config-if)#ctrl+z
2811A#copy run start
Destination filename [startup-config]? [enter]
Building configuration...
[OK]
2811A#
Clock Rate You do not have to set a clock rate if the DCE side of your connection is a 2811 router. The clock rate for the serial interface is set by default to 2000000. However, on the 2621 router you still need to explicitly set the clock rate. In our lab the DCE side of the connection is interface serial 0/1/1 and serial 0/0/1.
3. Double-click 2621 Router B. After the console screen comes up, perform the following commands.
Router>enable
Router#config t
Router(config)#hostname 2621B
2621B(config-line)#line vty 0 4
2621B(config-line)#password todd
2621B(config-line)#login
2621B(config-if)#int s0/0
2621B(config-if)#ip address 172.16.30.2 255.255.255.0
2621B(config-if)#description connection to 2811A
2621B(config-if)#no shutdown
2621B(config-if)#ctrl+z
2621B#copy run start
Destination filename [startup-config]? [enter]
Building configuration...
[OK]
2621B#
4. Go to the console screen for 2621 Router A and ping interface s 0/0 on 2621 Router B. The packet will travel through 2811 Router A on its way to router 2621 B.
2621A#ping 172.16.30.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.30.2, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5), round-trip min/avg/max = 0/0/0 ms
2621A#
No routing protocol is set up. The routing table for router 2621 A does not know how to get to the destination address.
5. Configure 2621 Router A to use EIGRP with an AS of 10.
2621A#config t
2621A(config)#router eigrp 10
2621A(config-router)#network 172.16.0.0
2621A(config-router)#ctrl+z
2621A#
6. Configure 2621 Router B to use EIGRP with an AS of 10.
2621B#config t
2621B(config)#router eigrp 10
2621B(config-router)#network 172.16.0.0
2621B(config-router)
7. Configure 2811 Router A to use EIGRP with an AS of 15.
2811A#config t
2811A(config)#router eigrp 15
2811A(config-router)#network 172.16.0.0
2811A(config-router)#exit
2811A(config)#
8. Now that we have EIGRP on every router, go to router 2621 A and ping 172.16.30.2 on router 2621 B.
2621A#ping 172.16.30.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.30.2, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5), round-trip min/avg/max = 0/0/0 ms
2621A#
It did not work. Click on the Net Detective icon to see if we can find out why the ping was not successful.
You will see the following information:
1. Network 172.16.0.0 was not found in the routing tables for 2621 Router A.
2. The desired address falls outside of the protocol networks set up for one or more of the devices.
3. The desired IP address of 172.16.30.2 was not found. None of the interfaces in the current network have been configured with this IP address.
Net Detective®
Unless you are an expert in using routers and switches, you might enter a command, have it not work, and not immediately know what you did wrong. We have tried to bridge that gap with Net Detective®. There are several hundred commands that Net Detective monitors. If something does not work properly, clicking on the Net Detective button may prove helpful. For example, if you are unsuccessful in trying to ping between 2600 A and 2600 B, Net Detective® will provide several suggestions as to what is possibly wrong.
We know that Network 172.16.0.0 is in the routing table. Maybe #2 is true. OK, I found it. The AS number for 2811 Router A is wrong. Change it from 15 to 10.
9. First, remove router eigrp 15 and put the correct command in.
2811A(config)#no router eigrp
% Incomplete command.
(We forgot to put 15 in the command. Try again.)
2811A(config)#no router eigrp 15
2811A(config)#router eigrp 10
2811A(config-router)#network 172.16.0.0
2811A(config-router)#ctrl+z
2811A#
10. Now the ping should work. Go to 2621 Router A and ping interface s 0/0 on 2621 B.
2621A#ping 172.16.30.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.30.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/4 ms
2621A#
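Steps 5 to 9 show the two conditions EIGRP neighbours need: the same AS number on both ends of a link, and each end's interface covered by a network statement (a classful network 172.16.0.0 covers the whole class B block, which is why one statement was enough). The script below is an added example, not code from the book or the simulator; it predicts from the configs which adjacencies will form, with 2811A deliberately left in AS 15 as the lab has it before step 9. Configs and links are constructed from steps 1 to 7; the wildcard-mask form of the network statement is handled as well, although the lab does not use it.

```python
"""Predict EIGRP adjacencies from IOS-style configs (added example)."""
import ipaddress
import re

IP_RE = re.compile(r"^ip address (\S+) (\S+)$")


def classful_network(addr: str) -> ipaddress.IPv4Network:
    """Class A/B/C block implied by a mask-less network statement."""
    first = int(addr.split(".")[0])
    plen = 8 if first < 128 else 16 if first < 192 else 24
    return ipaddress.ip_network(f"{addr}/{plen}", strict=False)


def parse_eigrp(text: str):
    """Return (hostname, {as_number: [networks]}, {interface: ip_interface})."""
    hostname, mode, current = "", None, None
    procs, ifaces = {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("hostname "):
            hostname, mode = line.split(None, 1)[1], None
        elif line.startswith("interface "):
            current, mode = line.split(None, 1)[1], "if"
        elif line.startswith("router eigrp "):
            current, mode = int(line.split()[2]), "rtr"
            procs.setdefault(current, [])
        elif mode == "if" and (m := IP_RE.match(line)):
            ifaces[current] = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}")
        elif mode == "rtr" and line.startswith("network "):
            parts = line.split()
            if len(parts) == 3:   # "network <addr> <wildcard>": invert the wildcard to get the mask
                mask = ipaddress.ip_address(int(ipaddress.ip_address(parts[2])) ^ 0xFFFFFFFF)
                procs[current].append(ipaddress.ip_network(f"{parts[1]}/{mask}", strict=False))
            else:                 # classful form, as used in the lab
                procs[current].append(classful_network(parts[1]))
    return hostname, procs, ifaces


def as_numbers_on(procs: dict, addr) -> set:
    """AS numbers whose network statements cover this interface address."""
    return {asn for asn, nets in procs.items() if any(addr.ip in n for n in nets)}


def check_adjacencies(config_texts, links) -> dict:
    """links: (router_a, if_a, router_b, if_b). Returns {(router_a, router_b): status}."""
    routers = {h: (p, i) for h, p, i in map(parse_eigrp, config_texts)}
    report = {}
    for a, a_if, b, b_if in links:
        (pa, ia), (pb, ib) = routers[a], routers[b]
        as_a, as_b = as_numbers_on(pa, ia[a_if]), as_numbers_on(pb, ib[b_if])
        if not as_a or not as_b:
            status = "no adjacency: interface not covered by a network statement"
        elif ia[a_if].network != ib[b_if].network:
            status = "no adjacency: link ends are on different subnets"
        elif not (as_a & as_b):
            status = f"no adjacency: AS mismatch ({sorted(as_a)} vs {sorted(as_b)})"
        else:
            status = f"adjacency in AS {min(as_a & as_b)}"
        report[(a, b)] = status
    return report


# Constructed configs after step 7 (2811A still in AS 15); not captured output.
CFG_2621A = """\
hostname 2621A
interface Serial0/0
 ip address 172.16.20.2 255.255.255.0
router eigrp 10
 network 172.16.0.0
"""
CFG_2621B = CFG_2621A.replace("2621A", "2621B").replace("172.16.20.2", "172.16.30.2")
CFG_2811A = """\
hostname 2811A
interface Serial0/1/1
 ip address 172.16.20.1 255.255.255.0
interface Serial0/0/1
 ip address 172.16.30.1 255.255.255.0
router eigrp 15
 network 172.16.0.0
"""
LAB_LINKS = [("2621A", "Serial0/0", "2811A", "Serial0/1/1"),
             ("2621B", "Serial0/0", "2811A", "Serial0/0/1")]

if __name__ == "__main__":
    for pair, status in check_adjacencies([CFG_2621A, CFG_2621B, CFG_2811A], LAB_LINKS).items():
        print(pair, status)
```

Run as-is it reports an AS mismatch on both links, which is the failure Net Detective pointed at in step 8; with router eigrp 15 replaced by router eigrp 10 on 2811A, both links report an adjacency in AS 10.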
Verifying EIGRP
Since EIGRP has a better administrative distance than IGRP and RIP, all the routing tables should have EIGRP-learned routes (D). Use the show ip route command and other EIGRP show commands to verify EIGRP.
11. From 2621 Router A, use the show ip route command to verify the routing table.
2621A#show ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, * - candidate default
       U - per-user static route, o - ODR, P - periodic downloaded static route
       T - traffic engineered route
Gateway of last resort is not set
     172.16.0.0/24 is subnetted, 2 subnets
D       172.16.30.0 [90/2172416] via 172.16.20.1, 02:20:56, Serial0/0
C       172.16.20.0 is directly connected, Serial0/0
2621A#
Notice the route that begins with D. These are EIGRP routes.
12. Use the show ip protocol command from 2621 Router A.
2621A#show ip protocol
Routing Protocol is "eigrp 10"
  Outgoing update filter list for all interfaces is not set
  Incoming update filter list for all interfaces is not set
  Default networks flagged in outgoing updates
  Default networks accepted from incoming updates
  EIGRP metric weight K1=1, K2=0, K3=1, K4=0, K5=0
  EIGRP maximum hop count 100
  EIGRP maximum metric variance 1
  Redistributing: eigrp 10
  Automatic network summarization is in effect
  Maximum path: 4
  Routing for networks:
    172.16.0.0
  Routing information sources:
    Gateway         Distance      Last Update
    172.16.20.1           90      00:12:28
  Distance: internal 90 external 170
2621A#
13. From 2621 Router B, use the show ip route command to verify the routing table.
2621B#show ip route
[output cut]
     172.16.0.0/24 is subnetted, 2 subnets
C       172.16.30.0 is directly connected, Serial0/0
D       172.16.20.0 [90/2172416] via 172.16.30.1, 02:22:00, Serial0/0
2621B#
14. From 2811 Router A, use the show ip route command to verify the routing table.
2811A#show ip route
[output cut]
     172.16.0.0/24 is subnetted, 2 subnets
C       172.16.30.0 is directly connected, Serial0/0/1
C       172.16.20.0 is directly connected, Serial0/1/1
2811A#
15. From 2621 Router A, use the show ip eigrp neighbors command to see the EIGRP neighbor table. This table holds information about the router’s directly connected neighbors.
2621A#show ip eigrp neighbor
IP-EIGRP neighbors for process 10
H   Address         Interface   Hold Uptime   SRTT   RTO  Q  Seq  Type
                                (sec)         (ms)       Cnt Num
0   172.16.20.1     S0/0          12 02:28:04   20   200  0  1
2621A#
16. From 2621 Router A, use the show ip eigrp topology command to see the EIGRP topology table. This table shows the entire network as 2621 Router A understands it.
2621A#show ip eigrp topology
IP-EIGRP Topology Table for AS(10)/ID(172.16.20.2)
Codes: P - Passive, A - Active, U - Update, Q - Query, R - Reply,
       r - reply Status, s - sia Status
P 172.16.30.0/24, 1 successors, FD is 2172416
        via 172.16.20.1 (2172416/28160), Serial0/1/1
P 172.16.20.0/24, 1 successors, FD is 2172416
        via Connected, Serial0/0
2621A#
Individual Lab: Single Area OSPF
Enter all commands in lower case. The program’s grading feature expects lower case and may count an answer wrong if it is in upper case.
This section will discuss the OSPF routing process. OSPF is an open standards routing protocol that has been implemented by a wide variety of network vendors, including Cisco. The benefit of an approach based on open standards is that equipment from multiple vendors can interoperate as long as their implementations are compliant with the appropriate Requests for Comments (RFCs). This does not mean that vendors are forced to restrict their implementations to only the features documented in the RFCs. On the contrary, Cisco and others have added features to their versions of OSPF that may not be found in other vendors’ implementations. Knowing which features are standards based and which are proprietary becomes important when deploying multivendor OSPF networks.
• Stands for Open Shortest Path First
• Uses the concept of an area, which is a grouping of contiguous OSPF networks and hosts
• Is a link-state routing protocol
• Has no maximum hop count
• Has an administrative distance of 110
• Includes equal-cost multipath routing
• Supports VLSM and discontiguous networks
The easiest (and least scalable) way to configure OSPF is simply to use a single area, which requires a minimum of two commands. This program only supports a single area OSPF network, which will always be area 0.
When you have finished with this lab ... You can check your work by clicking the Grade Me button in the upper right hand corner of the Network Visualizer screen.
Network Layout On the Network Visualizer screen, click on the Labs menu then choose Individual, Routing Protocols, and Single Area OSPF.
You will see a report that will display:
• The name of the command entered for this lab
• The expected configuration
• Your configuration
• The result for each command. You will see a green checkmark (meaning that you got it correct) or a red X
• A score of the number of correct answers out of the total possible
Lab Steps Copy and Paste Script Steps 1-3 are necessary in order to perform this lab. If you do not want to manually complete these steps and want to accelerate steps 1 - 3, you can copy and paste the following script into the console for each router. After you get into User mode, copy and paste the script into the console. Click on the console and click your right mouse button. A pop-up menu will appear. Click Paste.
After pasting the script into the console, you will see the prompt Destination filename [startup-config]?. At this point, press Enter.
2621 Router A
enable
config t
hostname 2621A
line vty 0 4
password todd
login
interface serial 0/0
ip address 172.16.20.2 255.255.255.0
description connection to 2811A
no shutdown
exit
exit
copy run start

2811 Router A
enable
config t
hostname 2811A
line vty 0 1180
password todd
login
interface serial 0/1/1
ip address 172.16.20.1 255.255.255.0
description connection to 2621A
no shutdown
interface serial 0/0/1
ip address 172.16.30.1 255.255.255.0
description connection to 2621B
no shutdown
exit
exit
copy run start

2621 Router B
enable
config t
hostname 2621B
line vty 0 4
password todd
login
interface serial 0/0
ip address 172.16.30.2 255.255.255.0
description connection to 2811A
no shutdown
exit
exit
copy run start
1. Double-click 2621 Router A. After the console screen comes up, perform the following commands.
Router>enable
Router#config t
Router(config)#hostname 2621A
2621A(config-line)#line vty 0 4
2621A(config-line)#password todd
2621A(config-line)#login
2621A(config-if)#int s0/0
2621A(config-if)#ip address 172.16.20.2 255.255.255.0
2621A(config-if)#description connection to 2811A
2621A(config-if)#no shutdown
2621A(config-if)#ctrl+z
2621A#copy run start
Destination filename [startup-config]? [enter]
Building configuration...
[OK]
2621A#
2. Double-click 2811 Router A. After the console screen comes up, perform the following commands.
Router>enable
Router#config t
Router(config)#hostname 2811A
2811A(config)#line vty 0 1180
2811A(config-line)#password todd
2811A(config-line)#login
2811A(config-line)#int s0/1/1
2811A(config-if)#ip address 172.16.20.1 255.255.255.0
2811A(config-if)#description connection to 2621A
2811A(config-if)#no shutdown
2811A(config-if)#int s0/0/1
2811A(config-if)#ip address 172.16.30.1 255.255.255.0
2811A(config-if)#description connection to 2621B
2811A(config-if)#no shutdown
2811A(config-if)#ctrl+z
2811A#copy run start
Destination filename [startup-config]? [enter]
Building configuration...
[OK]
2811A#
Clock Rate
You do not have to set a clock rate if the DCE side of your connection is a 2811 router: the clock rate on its serial interfaces defaults to 2000000. On a 2621 router acting as the DCE you still need to set the clock rate explicitly. In this lab the DCE ends of both links are the 2811's interfaces serial 0/1/1 and serial 0/0/1, so no clock rate command is needed.
3. Double-click 2621 Router B. After the console screen comes up, perform the following commands.
Router>enable
Router#config t
Router(config)#hostname 2621B
2621B(config)#line vty 0 4
2621B(config-line)#password todd
2621B(config-line)#login
2621B(config-line)#int s0/0
2621B(config-if)#ip address 172.16.30.2 255.255.255.0
2621B(config-if)#description connection to 2811A
2621B(config-if)#no shutdown
2621B(config-if)#ctrl+z
2621B#copy run start
Destination filename [startup-config]? [enter]
Building configuration...
[OK]
2621B#
The easiest (and least scalable) way to configure OSPF is to use a single area, which requires a minimum of two commands. The command to activate the OSPF routing process is as follows:
2621A(config)#router ospf ?
  <1-65535>
A value in the range 1-65535 identifies the OSPF Process ID, a number that is unique on this router and groups a series of OSPF configuration commands under a specific running process. Different OSPF routers do not have to use the same Process ID in order to communicate; it is purely a local value, and the number you pick is irrelevant to the protocol. The Process ID only matters when a single router runs more than one OSPF process, for example when two OSPF domains meet at one router and routes are redistributed between them. This lab will be pretty simple as far as OSPF goes: we start the process on each router, then configure the interfaces to be in OSPF area 0. This is more involved than the other routing protocols we have configured, but simple nonetheless for OSPF. However, because EIGRP has a lower (more trusted) administrative distance than OSPF (90 versus 110), EIGRP routes would win over OSPF routes to the same destinations, so we also need to disable the EIGRP routing process on each router. You start the OSPF process by issuing the following command, for example:
2621A(config)#router ospf 100
After starting the OSPF process (and disabling EIGRP on each router), you need to identify the interfaces on which to activate OSPF communications and the area in which each resides. This also determines the networks you will advertise to others. This is achieved with the following command, for example:
2621A(config-router)#network 10.0.0.0 0.255.255.255 area ?
  <0-4294967295>  OSPF area ID as a decimal value
  A.B.C.D         OSPF area ID in IP address format
A 0 (zero) octet in the wildcard mask indicates that the corresponding octet in the network must match exactly. A 255, on the other hand, indicates that you do not care what the corresponding octet is in the network number. A network and wildcard mask combination of 1.1.1.1 0.0.0.0 would match 1.1.1.1 only and nothing else. This is useful if you want to activate OSPF on a specific interface in a very clear and simple fashion. If you need to match a range of networks, the combination 1.1.0.0 0.0.255.255 matches anything in the range 1.1.0.0-1.1.255.255. It's simpler and safer to stick to wildcard masks of 0.0.0.0 and identify each OSPF interface individually: a broad wildcard can silently enable OSPF, and start sending Hellos, on interfaces you did not intend, including ones facing untrusted networks. Remember that OSPF routers will only become neighbors if their interfaces share a network that is configured to belong to the same area number. The area number is either a decimal value in the range 0-4294967295 or a value in standard dotted-decimal notation; area 0.0.0.0 is a legitimate area, for example, and is identical to area 0. Again, we only support area 0 in this module at this time.
4. Configure 2621 Router A to advertise its directly connected network with OSPF. The OSPF process number does not matter; use whatever feels good to you. The numbers can be the same on all routers or different; in this lab we will use different numbers.
2621A#config t
2621A(config)#router ospf 100
2621A(config-router)#network 172.16.20.2 0.0.0.0 area 0
2621A(config-router)#ctrl+z
Anatomy of a Command: network 172.16.20.2 0.0.0.0 area 0
network 172.16.20.2 0.0.0.0 area 0 tells the OSPF process to advertise the interface 172.16.20.2 into area 0.
172.16.20.2  The network number.
0.0.0.0  The wildcard mask of 0.0.0.0 tells the process to match each octet exactly.
0  The final argument is the area number. It indicates the area to which the interfaces identified by the network and wildcard mask belong. The combination of the first two values identifies the interfaces that OSPF will operate on and that will also be included in its OSPF Link State Advertisements (LSAs).
5. Configure 2621 Router B to advertise its directly connected network with OSPF.
2621B#config t
2621B(config)#router ospf 101
2621B(config-router)#network 172.16.30.2 0.0.0.0 area 0
2621B(config-router)#ctrl+z
Now, let's go over what we have configured on 2621 Router B. Understand that all we are doing is advertising OSPF networks, and this lab is showing the many ways to accomplish the same thing. The command network 172.16.30.2 0.0.0.0 area 0 tells the OSPF process to advertise the interface 172.16.30.2 into area 0. The wildcard mask of 0.0.0.0 tells the process to match all four octets exactly.
6. Configure the 2811 A router to advertise all directly connected networks with OSPF.
2811A#config t
2811A(config)#router ospf 102
2811A(config-router)#network 172.16.20.1 0.0.0.0 area 0
2811A(config-router)#network 172.16.30.1 0.0.0.0 area 0
2811A(config-router)#ctrl+z
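The following is an added example, not part of the lab text or the simulator: a small Python model of the network-statement matching rule described above, run against the interface addresses and network statements from steps 4 to 6. It shows which interfaces a given statement enables, what address range a wildcard mask really covers, and whether two interfaces could form a neighbor relationship. The lab data (addresses, interface names, statements) is copied from the steps; the tie-break for overlapping statements (most specific wins) is this model's assumption about IOS behaviour and is not something the lab output shows.

```python
"""Which interfaces an OSPF 'network' statement enables, modelled in Python.

Added example, not from the lab. It reproduces the matching rule the text
describes: a 0 bit in the wildcard mask must match exactly, a 1 bit is
ignored. When several statements match one interface, this model applies
the most specific one (fewest wildcard 1 bits); that tie-break is an
assumption about IOS, not something shown in the lab.
"""
from ipaddress import IPv4Address, IPv4Interface
from typing import Dict, List, Tuple

# Constructed from the lab: interface addresses and the 'network' statements
# entered in steps 4 to 6.
LAB_INTERFACES: Dict[str, Dict[str, str]] = {
    "2621A": {"Serial0/0": "172.16.20.2/24"},
    "2811A": {"Serial0/1/1": "172.16.20.1/24", "Serial0/0/1": "172.16.30.1/24"},
    "2621B": {"Serial0/0": "172.16.30.2/24"},
}
LAB_STATEMENTS: Dict[str, List[Tuple[str, str, int]]] = {
    "2621A": [("172.16.20.2", "0.0.0.0", 0)],
    "2811A": [("172.16.20.1", "0.0.0.0", 0), ("172.16.30.1", "0.0.0.0", 0)],
    "2621B": [("172.16.30.2", "0.0.0.0", 0)],
}


def wildcard_match(address: str, network: str, wildcard: str) -> bool:
    """True if 'address' matches 'network' under an IOS wildcard mask."""
    a, n, w = (int(IPv4Address(x)) for x in (address, network, wildcard))
    care = ~w & 0xFFFFFFFF          # bits that must match exactly
    return (a & care) == (n & care)


def wildcard_range(network: str, wildcard: str) -> Tuple[str, str]:
    """Lowest and highest address a network/wildcard pair can match."""
    n, w = int(IPv4Address(network)), int(IPv4Address(wildcard))
    care = ~w & 0xFFFFFFFF
    return str(IPv4Address(n & care)), str(IPv4Address((n & care) | w))


def ospf_interfaces(interfaces: Dict[str, str],
                    statements: List[Tuple[str, str, int]]) -> Dict[str, int]:
    """Map each interface that OSPF is enabled on to its area."""
    # Most specific statement first (fewest 'don't care' bits); assumption.
    ordered = sorted(statements,
                     key=lambda s: bin(int(IPv4Address(s[1]))).count("1"))
    enabled: Dict[str, int] = {}
    for ifname, cidr in interfaces.items():
        ip = str(IPv4Interface(cidr).ip)
        for net, wc, area in ordered:
            if wildcard_match(ip, net, wc):
                enabled[ifname] = area
                break
    return enabled


def can_be_neighbors(a_cidr: str, a_area: int, b_cidr: str, b_area: int) -> bool:
    """Two interfaces can become neighbors only if they share a subnet and
    sit in the same area. Timers and authentication must also agree; this
    model does not cover those."""
    a, b = IPv4Interface(a_cidr), IPv4Interface(b_cidr)
    return a.network == b.network and a_area == b_area


if __name__ == "__main__":
    for router, ifaces in LAB_INTERFACES.items():
        print(router, ospf_interfaces(ifaces, LAB_STATEMENTS[router]))
    # A broad wildcard covers far more than one link:
    print(wildcard_range("1.1.0.0", "0.0.255.255"))
```

Running it with the lab data enables exactly one interface on each 2621 and both serial interfaces on the 2811, all in area 0; the same routers with a statement such as network 10.0.0.0 0.255.255.255 area 0 would enable OSPF on nothing, which is the kind of silent mismatch the 0.0.0.0 wildcard avoids.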
Verify OSPF
7. The show ip ospf command displays OSPF information for one or all OSPF processes running on the router, including the Router ID, area information, SPF statistics, and LSA timer information. Here is a sample output from 2621 Router A:
2621A#show ip ospf
Routing Process "ospf 100" with ID 172.16.20.2
Supports only single TOS(TOS0) routes
SPF schedule delay 5 secs, Hold time between two SPFs 10 secs
Minimum LSA interval 5 secs. Minimum LSA arrival 1 secs
Number of external LSA 0. Checksum Sum 0x0
Number of DCbitless external LSA 0
Number of DoNotAge external LSA 0
Number of areas in this router is 1. 1 normal 0 stub 0 nssa
External flood list length 0
    Area BACKBONE(0) (Inactive)
        Number of interfaces in this area is 1
        Area has no authentication
        SPF algorithm executed 7 times
        Area ranges are
        Number of LSA 5. Checksum Sum 0x2E2A0
        Number of DCbitless LSA 0
        Number of indication LSA 0
        Number of DoNotAge LSA 0
        Flood list length 0
2621A#
Note the line Area has no authentication: this lab runs OSPF without neighbor authentication, which is fine in the simulator but not something to leave in place on a production network.
8. The show ip ospf database command displays the link-state database, broken down by area. Each entry shows the advertising router's Router ID and the number of links it advertises. Here is a sample output from 2621 Router A:
2621A#show ip ospf database
            OSPF Router with ID (172.16.20.2) (Process ID 100)

                Router Link States (Area 0)

Link ID         ADV Router      Age         Seq#       Checksum Link count
172.16.20.2     172.16.20.2     475         0x80000003 0x0030F9 3
172.16.30.1     172.16.30.1     475         0x80000003 0x0030F9 3
172.16.30.2     172.16.30.2     475         0x80000003 0x0030F9 3
2621A#
9. The show ip ospf interface command displays all interface-related OSPF information, either for all interfaces or for a specified interface: the interface IP address, area assignment, Process ID, Router ID, network type, cost, priority, DR/BDR (if applicable), timer intervals, and adjacent neighbor information. Here is a sample output:
2621A#show ip ospf interface
Serial0/0 is up, line protocol is up
  Internet Address 172.16.20.2/24, Area 0
  Process ID 100, Router ID 172.16.20.2, Network Type POINT_TO_POINT, Cost: 64
  Transmit Delay is 1 sec, State POINT_TO_POINT,
  No designated router on this network
  No backup designated router on this network
  Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
    Hello due in 00:00:08
  Index 1/1, flood queue length 0
  Next 0x0(0)/0x0(0)
  Last flood scan length is 0, maximum is 0
  Last flood scan time is 0 msec, maximum is 0 msec
  Neighbor Count is 1, Adjacent neighbor count is 1
    Adjacent with neighbor 172.16.30.1
  Suppress hello for 0 neighbor(s)
2621A#
Notice in the above output that the hello timer is set to 10 seconds and the dead timer to 40. Routers on the same segment must have identical hello and dead timers, or they will never become neighbors.
10. The show ip ospf neighbor command is very useful. It summarizes the pertinent OSPF information regarding neighbors and the adjacency state. If a DR or BDR exists, that information is also displayed. Here is an output from 2621 Router A:
2621A#show ip ospf neighbor
Neighbor ID     Pri   State           Dead Time   Address         Interface
172.16.30.1       1   FULL/DROTHER    00:00:36    172.16.20.1     Serial0/0
2621A#
The simulator reports the state as FULL/DROTHER here. On real IOS a point-to-point serial link shows FULL/  -  instead, because no DR or BDR is elected on point-to-point links (compare the "No designated router on this network" lines in step 9).
11. The show ip protocols command is useful whether you're running OSPF, EIGRP, IGRP, RIP, BGP, IS-IS, or any other routing protocol you can configure on your router. It provides an excellent overview of the actual operation of all currently running protocols.
2621A#show ip protocols
Routing Protocol is "ospf 100"
  Outgoing update filter list for all interfaces is not set
  Incoming update filter list for all interfaces is not set
  Router ID 172.16.20.2
  Number of areas in this router is 1. 1 normal 0 stub 0 nssa
  Maximum path: 4
  Routing for Networks:
    172.16.20.2 0.0.0.0 area 0
    172.16.40.0 0.0.0.255 area 0
  Routing Information Sources:
    Gateway         Distance      Last Update
    172.16.30.1          110      00:00:09
    172.16.30.2          110      00:00:09
  Distance: (default is 110)
2621A#
The 172.16.40.0 0.0.0.255 entry in this sample does not correspond to anything entered in step 4; on your router only the 172.16.20.2 0.0.0.0 line should appear under Routing for Networks.
12. Based on this output, you can determine the OSPF Process ID, the OSPF Router ID, the type of OSPF area, the networks and areas configured for OSPF, and the Router IDs of the neighbors.
Individual Lab: OSPF DR and BDR Elections
You need to fully understand the terms neighbors and adjacencies because they are crucial to the DR and BDR election process. The election takes place on broadcast and nonbroadcast multi-access networks (think Ethernet or Frame Relay).
Enter all commands in lower case. The program's grading feature expects lower case and may count an answer wrong if it is in upper case.
When you have finished with this lab ...
You can check your work by clicking the Grade Me button in the upper right hand corner of the Network Visualizer screen. You will see a report that will display:
The name of the command entered for this lab
The expected configuration
Your configuration
The result for each command. You will see a green checkmark (meaning that you got it correct) or a red X.
A score of the number of correct answers out of the total possible
Network Layout On the Network Visualizer screen, click on the Labs menu then choose Individual, Routing Protocols, and OSPF DR BDR.
Neighbors
Routers that share a common segment become neighbors on that segment. Neighbors are discovered via the Hello protocol: Hello packets are sent periodically out of each interface using IP multicast. Two routers won't become neighbors unless they agree on the following:
Area-ID  The two routers' interfaces have to belong to the same area on a particular segment, and those interfaces have to belong to the same subnet.
Authentication  OSPF allows you to configure a password for a specific area. Authentication between routers isn't required, but if you use it, routers on a segment must share the same password to become neighbors. Without authentication, any device that can send multicast Hellos on the segment and matches the area and timers can become a neighbor and inject routes, so on a production network enable OSPF authentication, using MD5 rather than the plain-text option (which puts the password on the wire in clear text).
Hello and Dead Intervals  OSPF exchanges Hello packets on each segment. This is a keepalive system used by routers to acknowledge their existence on a segment and to elect a designated router (DR) on broadcast and nonbroadcast multi-access segments. The Hello interval is the number of seconds between Hello packets. The Dead interval is the number of seconds a router's Hello packets can go unseen before its neighbors declare that router dead (down). OSPF requires these intervals to be identical between two neighbors; if either differs, the routers won't become neighbors on that segment. You can see these timers with the show ip ospf interface command.
Adjacencies
Adjacency is the step after the neighboring process. Adjacent routers go beyond the simple Hello exchange and proceed into the database exchange process. To minimize the amount of information exchanged on a particular segment, OSPF elects one router to be the designated router (DR) and one router to be the backup designated router (BDR) on each multi-access segment.
The BDR is elected as a backup in case the DR goes down. The idea is that routers have a central point of contact for information exchange: instead of each router exchanging updates with every other router on the segment, every router exchanges information with the DR and BDR, which then relay it to everybody else.
DR and BDR Elections
DR and BDR election is accomplished via the Hello protocol, whose packets are exchanged as IP multicast on each segment. Only broadcast and nonbroadcast multi-access networks (Ethernet and Frame Relay, for example) perform DR and BDR elections; point-to-point links, such as a serial WAN link, have no DR election. On a broadcast or nonbroadcast multi-access network, the router with the highest OSPF priority on the segment becomes the DR for that segment. The priority is shown by the show ip ospf interface command, and the default for a router interface is 1. If all routers have the default priority, the router with the highest Router ID (RID) wins. The RID is chosen at the moment the OSPF process starts: it is the highest IP address on any active interface, except that a loopback (logical) interface's address takes precedence over physical interfaces, and an explicitly configured router ID overrides both. If you set an interface's priority to zero, that router won't participate in the DR or BDR election on that interface, and its state on that interface will be DROTHER. Note also that the election is not preemptive: once a DR and BDR exist, a router that later shows up with a higher priority does not take over until the adjacencies on the segment are reset, which is why this lab shuts down and re-enables every interface after changing a priority.
Lab Steps
1. Double-click 2621 Router A in order to bring up the console screen.
2. Configure the hostname.
Router>enable
Router#config t
Router(config)#hostname 2621A
3. Configure the router with OSPF.
2621A(config)#router ospf 1
2621A(config-router)#network 10.10.10.0 0.0.0.255 area 0
4. Configure interface Fa0/0 for the 2621 Router A router.
2621A(config-router)#int fa0/0
2621A(config-if)#ip address 10.10.10.1 255.255.255.0
2621A(config-if)#no shut
2621A(config-if)#ctrl+z
2621A#copy run start
5. Use the menu to change to the console for the 2621 Router B.
6. Configure the hostname.
Router>enable
Router#config t
Router(config)#hostname 2621B
7. Configure the router with OSPF.
2621B(config)#router ospf 1
2621B(config-router)#network 10.10.10.0 0.0.0.255 area 0
8. Configure interface Fa0/0 for the 2621 B router.
2621B(config-router)#int fa0/0
2621B(config-if)#ip address 10.10.10.3 255.255.255.0
2621B(config-if)#no shut
2621B(config-if)#ctrl+z
2621B#copy run start
9. Use the menu to change to the console for the 2811 Router A.
10. Configure the hostname.
Router>enable
Router#config t
Router(config)#hostname 2811A
11. Configure the router with OSPF.
2811A(config)#router ospf 1
2811A(config-router)#network 10.10.10.0 0.0.0.255 area 0
12. Configure interface Fa0/0 for the 2811 A router.
2811A(config-router)#int fa0/0
2811A(config-if)#ip address 10.10.10.2 255.255.255.0
2811A(config-if)#no shut
2811A(config-if)#ctrl+z
2811A#copy run start
13. Use the menu to change to the console for the 2811 Router B.
14. Configure the hostname.
Router>enable
Router#config t
Router(config)#hostname 2811B
15. Configure the router with OSPF.
2811B(config)#router ospf 1
2811B(config-router)#network 10.10.10.0 0.0.0.255 area 0
16. Configure interface Fa0/0 for the 2811 B router.
2811B(config-router)#int fa0/0
2811B(config-if)#ip address 10.10.10.4 255.255.255.0
2811B(config-if)#no shut
2811B(config-if)#ctrl+z
2811B#copy run start
17. In 2621 Router A, verify the RID of your router. Use the show ip ospf command on the router to gather this information.
2621A#show ip ospf
Routing Process "ospf 1" with ID 10.10.10.1
Supports only single TOS(TOS0) routes
SPF schedule delay 5 secs, Hold time between two SPFs 10 secs
Minimum LSA interval 5 secs. Minimum LSA arrival 1 secs
Number of external LSA 0. Checksum Sum 0x0
Number of DCbitless external LSA 0
Number of DoNotAge external LSA 0
Number of areas in this router is 1. 1 normal 0 stub 0 nssa
External flood list length 0
    Area BACKBONE(0) (Inactive)
        Number of interfaces in this area is 1
        Area has no authentication
        SPF algorithm executed 7 times
        Area ranges are
        Number of LSA 4. Checksum Sum 0x2E2A0
        Number of DCbitless LSA 0
        Number of indication LSA 0
        Number of DoNotAge LSA 0
        Flood list length 0
2621A#
18. Enter the command show ip ospf interface fa0/0 to verify the area ID, the DR and BDR information, and the hello and dead timers of the interface connected to the 10.10.10.0 network.
2621A#show ip ospf interface fa0/0
FastEthernet0/0 is up, line protocol is up
  Internet Address 10.10.10.1/24, Area 0
  Process ID 1, Router ID 10.10.10.1, Network Type BROADCAST, Cost: 64
  Transmit Delay is 1 sec, State DROTHER, Priority 1
  Designated Router (ID) 10.10.10.4, Interface address 10.10.10.4
  Backup Designated router (ID) 10.10.10.3, Interface address 10.10.10.3
  Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
    Hello due in 00:00:04
  Index 1/1, flood queue length 0
  Next 0x0(0)/0x0(0)
  Last flood scan length is 0, maximum is 0
  Last flood scan time is 0 msec, maximum is 0 msec
  Neighbor Count is 3, Adjacent neighbor count is 3
    Adjacent with neighbor 10.10.10.3  (Backup Designated Router)
    Adjacent with neighbor 10.10.10.2  (Other Designated Router)
    Adjacent with neighbor 10.10.10.4  (Designated Router)
  Suppress hello for 0 neighbor(s)
2621A#
19. By looking at the show ip ospf interface fa0/0 output, which router is the DR? Which router is the BDR?
20. Verify the network type of your router. Since the connection is on an Ethernet LAN, the Network Type is BROADCAST. What would the Network Type be if you were viewing a serial connection? Answer: point-to-point.
21. The priority of all routers, by default, is 1. If you were to change the priority to 0, the router would never participate in the election process for the LAN (remember that elections do not occur on serial point-to-point links).
22. Choose a router that is not the DR at this moment to become the new DR.
23. Enable the debugging that lets you watch the DR and BDR election take place: use the command debug ip ospf adjacency on the router that will become the DR.
24. On the router chosen to become the new DR, set the priority of its FastEthernet 0/0 interface to 3:
config t
int fa0/0
ip ospf priority 3
25. Now shut down the Fa0/0 interfaces of all four routers.
26. Now re-enable all four routers' Fa0/0 interfaces with the no shut command. Raising the priority alone does not move the DR role, because an established DR is not preempted; bouncing the interfaces forces a fresh election.
27. The election should take place, and the router you chose with the highest priority should now be the DR.
28. Type show ip ospf interface fa0/0 to verify the DR and BDR information. You should also have noticed the debug output of the election process. The priority of a router's interface can be set as high as 255.
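The election this lab walks through, modelled in Python as an added example (not part of the lab or the simulator). It implements the rules given in the text, including priority 0 routers sitting out and the fact that an established DR is not preempted, and reproduces the lab's outcomes: with all four routers at priority 1 the highest RID (10.10.10.4, 2811B) becomes DR and 10.10.10.3 (2621B) the BDR; raising 2621A's priority to 3 changes nothing until the interfaces are bounced, after which 2621A wins. The router names and addresses are the lab's; the router_id and loopbacks fields are assumptions added for the model, since the lab configures neither.

```python
"""OSPF DR/BDR election on one broadcast segment, modelled in Python.

Added example, not from the lab. Rules implemented, as the lab text gives
them: only priority > 0 takes part; highest priority wins; ties go to the
highest Router ID; the RID is the configured router-id if any, else the
highest loopback address, else the highest active interface address. An
established DR/BDR is not preempted until the adjacencies are reset.
"""
from dataclasses import dataclass, field
from ipaddress import IPv4Address
from typing import Dict, List, Optional, Tuple


@dataclass
class Router:
    hostname: str
    interfaces: Dict[str, str]                 # active interface -> IP address
    loopbacks: Dict[str, str] = field(default_factory=dict)  # assumption: none in lab
    router_id: Optional[str] = None            # explicit 'router-id' (assumption)
    priority: int = 1                          # 'ip ospf priority' on this segment

    def rid(self) -> IPv4Address:
        if self.router_id:
            return IPv4Address(self.router_id)
        pool = self.loopbacks or self.interfaces
        return max(IPv4Address(ip) for ip in pool.values())


def _rank(r: Router) -> Tuple[int, IPv4Address]:
    return (r.priority, r.rid())


def elect(routers: List[Router],
          current: Tuple[Optional[str], Optional[str]] = (None, None)
          ) -> Tuple[Optional[str], Optional[str]]:
    """Return (DR hostname, BDR hostname) for the segment.

    'current' is the (DR, BDR) pair already established on the segment, or
    (None, None) after every interface has been shut and re-enabled."""
    by_name = {r.hostname: r for r in routers}
    eligible = sorted((r for r in routers if r.priority > 0),
                      key=_rank, reverse=True)

    def still_valid(name: Optional[str]) -> Optional[str]:
        r = by_name.get(name) if name else None
        return name if r is not None and r.priority > 0 else None

    dr, bdr = still_valid(current[0]), still_valid(current[1])
    if dr is None and bdr is not None:      # DR gone: the BDR is promoted
        dr, bdr = bdr, None
    if dr is None and eligible:             # fresh election
        dr = eligible[0].hostname
    if bdr is None:                         # best remaining eligible router
        rest = [r for r in eligible if r.hostname != dr]
        bdr = rest[0].hostname if rest else None
    return dr, bdr


def interface_state(hostname: str, dr: Optional[str], bdr: Optional[str]) -> str:
    """State shown by 'show ip ospf interface' for this router on the segment."""
    if hostname == dr:
        return "DR"
    if hostname == bdr:
        return "BDR"
    return "DROTHER"        # also what a priority-0 router always shows


def lab_segment() -> List[Router]:
    """The four routers of the lab on the 10.10.10.0/24 LAN (constructed)."""
    return [
        Router("2621A", {"Fa0/0": "10.10.10.1"}),
        Router("2811A", {"Fa0/0": "10.10.10.2"}),
        Router("2621B", {"Fa0/0": "10.10.10.3"}),
        Router("2811B", {"Fa0/0": "10.10.10.4"}),
    ]


if __name__ == "__main__":
    seg = lab_segment()
    print("initial election:", elect(seg))
    seg[0].priority = 3                                 # step 24 on 2621A
    print("after priority change:", elect(seg, ("2811B", "2621B")))
    print("after shut / no shut:", elect(seg))          # steps 25-27
```

The model also covers the failure case the BDR exists for: if the current DR disappears from the segment, the BDR is promoted and a new BDR is elected from the remaining routers, again without disturbing the promoted DR.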
Individual Lab: Configuring VLANs
Enter all commands in lower case. The program's grading feature expects lower case and may count an answer wrong if it is in upper case.
Configuring VLANs is the easy part of the job; deciding which users belong in each VLAN is what takes the time. Once you have decided how many VLANs to create and which users will be members of each, you can create the VLANs. We will set up VLANs on 3550 Switch A and 3560 Switch A, test communication within a VLAN, and then use router 2811 A to provide interVLAN routing.
When you have finished with this lab ...
You can check your work by clicking the Grade Me button in the upper right hand corner of the Network Visualizer screen. You will see a report that will display:
The name of the command entered for this lab
The expected configuration
Your configuration
The result for each command. You will see a green checkmark (meaning that you got it correct) or a red X.
A score of the number of correct answers out of the total possible
Network Layout On the Network Visualizer screen, click on the Labs menu and then choose Individual, VLANS and then VLANS and InterVLAN.
Lab Steps
Setting Up VLANs
1. Double-click 3550 Switch A to bring up the console screen.
Switch>enable
Switch#config t
Switch(config)#hostname 3550A
3550A(config)#exit
2. To configure VLANs on the 3550 series switch, you can configure the VLANs from the VLAN database. You do this from privileged mode, not configuration mode. Type vlan database:
3550A#vlan database
3. To configure VLANs on the 3550 switch, use the vlan # name name command. The following shows an example of creating three VLANs.
3550A(vlan)#vlan 2 name Sales
VLAN 2 added:
    Name: Sales
3550A(vlan)#vlan 4 name Marketing
VLAN 4 added:
    Name: Marketing
3550A(vlan)#vlan 7 name Research
VLAN 7 added:
    Name: Research
3550A(vlan)#exit
APPLY completed.
Exiting....
3550A#
4. You must apply your changes to the switch. You can either use the apply command or use the exit command, which applies the changes and leaves VLAN database mode.
5. After you create the VLANs that you want, you can use the show vlan command to see the configured VLANs. Notice, however, that by default all ports on the switch are in VLAN 1. To change the VLAN associated with a port you need to go to each interface and tell it what VLAN to be a member of. Leaving unused ports in VLAN 1 means anything plugged into them lands in the switch's default (and, by default, management) VLAN; common practice on a production switch is to move unused ports into an unused VLAN and shut them down.
6. Once the VLANs are created, verify your configuration with the show vlan command.
3550A#show vlan
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/1, Fa0/2, Fa0/4, Fa0/5
                                                Fa0/6, Fa0/7, Fa0/8, Fa0/9
                                                Fa0/10
2    Sales                            active
4    Marketing                        active
7    Research                         active
1002 fddi-default                     active
1003 token-ring-default               active
1004 fddinet-default                  active
1005 trnet-default                    active
[output cut]
7. You can configure each port to be in a VLAN by using the switchport access vlan # command. You can only configure VLANs one port at a time. In the following example, we configure interface 1 to VLAN 2, interface 5 to VLAN 7, and interface 10 to VLAN 4.
3550A#config t
Enter configuration commands, one per line.  End with CNTL/Z.
3550A(config)#int fa0/1
3550A(config-if)#switchport access vlan 2
3550A(config-if)#int fa0/5
3550A(config-if)#switchport access vlan 7
3550A(config-if)#int fa0/10
3550A(config-if)#switchport access vlan 4
3550A(config-if)#exit
8. You must also set each port to access mode, which means that the interface will only be a member of one VLAN.
3550A(config)#int fa0/1
3550A(config-if)#switchport mode access
3550A(config-if)#int fa0/5
3550A(config-if)#switchport mode access
3550A(config-if)#int fa0/10
3550A(config-if)#switchport mode access
3550A(config-if)#exit
3550A(config)#exit
3550A#copy run start
Destination filename [startup-config]?
Building configuration...
[OK]
3550A#
9. Now, type show vlan again to see the ports assigned to each VLAN.
3550A#show vlan
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/2, Fa0/4, Fa0/6, Fa0/7
                                                Fa0/8, Fa0/9
2    Sales                            active    Fa0/1
4    Marketing                        active    Fa0/10
7    Research                         active    Fa0/5
1002 fddi-default                     active
1003 token-ring-default               active
1004 fddinet-default                  active
1005 trnet-default                    active
[output cut]
Interface fa0/1 is a member of VLAN 2, interface fa0/5 is a member of VLAN 7, and interface fa0/10 is a member of VLAN 4.
10. Another command you can use to see the ports assigned to a VLAN is show running-config.
3550A#show run
[output cut]
!
interface FastEthernet0/1
 switchport access vlan 2
 switchport mode access
!
interface FastEthernet0/5
 switchport access vlan 7
 switchport mode access
!
interface FastEthernet0/10
 switchport access vlan 4
 switchport mode access
!
[output cut]
3550A#
11. Now let us move on to 3560 Switch A. Using the console menu, change to the 3560 Switch A console screen.
12. Add a hostname to 3560 Switch A.
Switch>enable
Switch#config t
Switch(config)#hostname 3560A
3560A(config)#exit
13. First, issue the show vlan command to verify that no VLANs have been created on 3560 Switch A.
3560A#show vlan
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/1, Fa0/2, Fa0/4, Fa0/5
                                                Fa0/6, Fa0/7, Fa0/8, Gi0/1
1002 fddi-default                     active
1003 token-ring-default               active
1004 fddinet-default                  active
1005 trnet-default                    active
[output cut]
Only the default VLANs exist; no user VLANs have been created.
14. We now need to configure two ports, one for each VLAN, using the switchport access vlan # command. You can only configure VLANs one port at a time. In the following example, we configure interface 2 to VLAN 2 and interface 8 to VLAN 4.
3560A#config t
Enter configuration commands, one per line.  End with CNTL/Z.
3560A(config)#int fa0/2
3560A(config-if)#switchport access vlan 2
3560A(config-if)#int fa0/8
3560A(config-if)#switchport access vlan 4
15. You must also set each port to access mode, which means that the interface will only be a member of one VLAN.
3560A(config-if)#int fa0/2
3560A(config-if)#switchport mode access
3560A(config-if)#int fa0/8
3560A(config-if)#switchport mode access
3560A(config-if)#exit
3560A(config)#exit
3560A#copy run start
Destination filename [startup-config]?
Building configuration...
[OK]
3560A#
16. We can verify what we did with the two ports with the show run command.
3560A#show run
[output cut]
!
interface FastEthernet0/2
 switchport access vlan 2
 switchport mode access
!
interface FastEthernet0/8
 switchport access vlan 4
 switchport mode access
!
[output cut]
3560A#
Setting Up Trunk Ports
Now that we have set up VLANs on both switches, we will set up trunking, starting with 3550 Switch A. Trunk links are 100 or 1000 Mbps point-to-point links between two switches, between a switch and a router, or between a switch and a server. Trunked links carry the traffic of multiple VLANs, from 1 to 1005 at a time. You cannot run trunked links on 10 Mbps links, nor would you want to. Remember that an access link is a port on a switch that is a member of only one VLAN.
In this network 3560 Switch A is connected to 3550 Switch A via interface Fa0/3 on each device. That is the link we will use for the trunk between the two switches.
17. Move to 3550 Switch A through the console menu.
18. To configure trunking on a 3550 port, use the switchport mode trunk interface command. In this lab we will set it up for interface Fa0/3. The 3550 supports both ISL and 802.1Q, so choose the encapsulation before enabling the trunk.
3550A#config t
3550A(config)#int fa0/3
3550A(config-if)#switchport trunk encapsulation ?
  dot1q      Interface uses only 802.1q trunking encapsulation when trunking
  isl        Interface uses only ISL trunking encapsulation when trunking
  negotiate  Device will negotiate trunking encapsulation with peer on interface
3550A(config-if)#switchport trunk encapsulation dot1q
3550A(config-if)#switchport mode trunk
Ports left in their default dynamic mode will negotiate a trunk with any attached device that speaks DTP, which would give that device access to every VLAN on the switch. That is why steps 8 and 15 set the host-facing ports to access mode explicitly; only the inter-switch link should be a trunk.
19. By default, traffic from all VLANs is sent over a trunk link. To change the VLANs permitted to send traffic on a trunk link, use the switchport trunk allowed vlan except # command, which allows traffic from all VLANs except the ones listed. Earlier we set up VLAN 7; for now we do not want to allow VLAN 7 to send traffic across the trunk link.
3550A(config-if)#switchport trunk allowed vlan except 7
20. The above command sets the trunking interface to allow traffic from all VLANs except VLAN 7.
21. To verify your trunk ports, use the show running-config command.
3550A(config-if)#exit
3550A(config)#exit
3550A#show run
[output cut]
!
interface FastEthernet0/3
 switchport trunk allowed vlan 1-6,8-1005
 switchport mode trunk
 switchport trunk encapsulation dot1q
!
[output cut]
22. Notice in the above output that all VLANs are allowed except VLAN 7.
23. Move to 3560 Switch A through the console menu.
24. To configure trunking on a 3560 port, use the switchport mode trunk interface command. In this lab we will configure interface fa0/3.
3560A#config t
3560A(config)#int fa0/3
3560A(config-if)#switchport trunk encapsulation dot1q
3560A(config-if)#switchport mode trunk
25. To verify your trunk port, use the show running-config command.
3560A(config-if)#exit
3560A(config)#exit
3560A#show run
[output cut]
!
interface FastEthernet0/3
 switchport mode trunk
 switchport trunk encapsulation dot1q
!
[output cut]
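As an added example (not part of the lab or the simulator), the following Python models the trunk allowed-VLAN list and the access/trunk rule that steps 7 through 25 build up. It reproduces how switchport trunk allowed vlan except 7 becomes the 1-6,8-1005 list shown in the running configuration, handles the other forms of the command, and then answers the question the rest of this lab is heading towards: which hosts can reach each other across the trunk without a router. The port assignments are the lab's; the forwarding rule is a simplified model (same access VLAN on both ends and that VLAN allowed on both trunk ports), with no native VLAN or VTP pruning.

```python
"""Trunk allowed-VLAN lists and the access/trunk forwarding rule, in Python.

Added example, not from the lab. Port assignments are copied from the lab
steps; the 'forwards' rule is a simplified model of switch behaviour (no
native VLAN, no pruning, no MAC learning).
"""
from typing import Dict, Iterable, Set, Tuple, Union

NORMAL_RANGE = range(1, 1006)        # VLANs 1-1005, as the text describes


def parse_list(spec: str) -> Set[int]:
    """'1-6,8-1005' -> {1, 2, ..., 6, 8, ..., 1005}."""
    ids: Set[int] = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        ids.update(range(int(lo), int(hi or lo) + 1))
    return ids


def format_list(ids: Iterable[int]) -> str:
    """{1..6, 8..1005} -> '1-6,8-1005', the way IOS prints it in show run."""
    out, start, prev = [], None, None
    for v in sorted(set(ids)):
        if start is None:
            start = prev = v
        elif v == prev + 1:
            prev = v
        else:
            out.append(f"{start}-{prev}" if start != prev else str(start))
            start = prev = v
    if start is not None:
        out.append(f"{start}-{prev}" if start != prev else str(start))
    return ",".join(out)


def allowed_vlan(current: Set[int], keyword: str, arg: str = "") -> Set[int]:
    """Apply one 'switchport trunk allowed vlan <keyword> [list]' command."""
    if keyword == "all":
        return set(NORMAL_RANGE)
    if keyword == "none":
        return set()
    if keyword == "except":
        return set(NORMAL_RANGE) - parse_list(arg)
    if keyword == "add":
        return current | parse_list(arg)
    if keyword == "remove":
        return current - parse_list(arg)
    # bare list form: 'switchport trunk allowed vlan 2,4'
    return parse_list(keyword)


# Port roles from the lab: ("access", vlan) or ("trunk", allowed set).
Port = Tuple[str, Union[int, Set[int]]]

SW3550A: Dict[str, Port] = {
    "Fa0/1":  ("access", 2),
    "Fa0/5":  ("access", 7),
    "Fa0/10": ("access", 4),
    "Fa0/3":  ("trunk", allowed_vlan(set(NORMAL_RANGE), "except", "7")),
}
SW3560A: Dict[str, Port] = {
    "Fa0/2": ("access", 2),
    "Fa0/8": ("access", 4),
    "Fa0/3": ("trunk", allowed_vlan(set(NORMAL_RANGE), "all")),
}


def forwards(src_sw: Dict[str, Port], src_port: str,
             dst_sw: Dict[str, Port], dst_port: str,
             trunk: str = "Fa0/3") -> bool:
    """Can a frame from src_port reach dst_port across the inter-switch trunk
    without a router? Both ports must be access ports in the same VLAN, and
    that VLAN must be allowed on the trunk port of both switches."""
    (skind, svlan), (dkind, dvlan) = src_sw[src_port], dst_sw[dst_port]
    if skind != "access" or dkind != "access" or svlan != dvlan:
        return False
    return svlan in src_sw[trunk][1] and svlan in dst_sw[trunk][1]


if __name__ == "__main__":
    print(format_list(SW3550A["Fa0/3"][1]))                 # 1-6,8-1005
    print(forwards(SW3550A, "Fa0/1", SW3560A, "Fa0/2"))     # VLAN 2 to VLAN 2
    print(forwards(SW3550A, "Fa0/1", SW3560A, "Fa0/8"))     # VLAN 2 to VLAN 4: needs a router
```

A host on 3550A Fa0/5 (VLAN 7) cannot reach any port on 3560A even if a VLAN 7 access port existed there, because the trunk on 3550A drops VLAN 7; hosts in VLAN 2 and VLAN 4 cannot reach each other at all at this stage, which is what the interVLAN routing section that follows fixes.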
Configuring VTP Domain
Every Catalyst switch is configured by default to be a VTP server. To configure VTP, first configure the domain name you want to use, as shown in the following steps. Once you configure the VTP information on a switch, verify the configuration. One caution before relying on VTP outside the lab: a server or client accepts the VLAN database from any switch in the same domain that advertises a higher configuration revision number, so a switch connected with a stale database and a higher revision can erase VLANs network-wide. On a production network set a VTP password, and reset the revision number on any switch before connecting it (changing its VTP domain name resets the revision to 0).
26. Move to 3550 Switch A through the console menu.
27. Use the vtp global configuration command to set this information. In the following example, we explicitly set 3550 Switch A to be a VTP server, which it already is, and then set the VTP domain to routersim.
3550A(config)#vtp mode server
Device mode already VTP SERVER.
3550A(config)#vtp domain routersim
Changing VTP domain name from NULL to routersim
3550A(config)#
28. After you configure the VTP information, you can verify it with the show vtp status command.
3550A#show vtp status
VTP Version                     : 2
Configuration Revision          : 4
Maximum VLANs supported locally : 64
Number of existing VLANs        : 8
VTP Operating Mode              : Server
VTP Domain Name                 : routersim
VTP Pruning Mode                : Disabled
VTP V2 Mode                     : Disabled
VTP Traps Generation            : Disabled
MD5 digest                      : 0x70 0x01 0xF2 0x72 0x97 0xA1 0x35 0xEB
Configuration last modified by 172.16.10.17 at 11-29-93 20:39:24
Local updater ID is 172.16.10.17 on interface Vl1 (lowest numbered VLAN interface found)
3550A#
The preceding switch output shows the VTP domain and the switch's mode.
29. Move to 3560 Switch A through the console menu.
30. Set the switch to VTP client mode and then set the VTP domain to routersim.
3560A#config t
3560A(config)#vtp mode client
Device mode already VTP CLIENT
3560A(config)#vtp domain routersim
Changing VTP domain name from NULL to routersim
3560A(config)#exit
Individual Lab: Configuring VLANs
639
31. After you configure the VTP information, you can verify it with the show vtp status command.

3560A#show vtp status
VTP Version                     : 2
Configuration Revision          : 3
Maximum VLANs supported locally : 64
Number of existing VLANs        : 7
VTP Operating Mode              : Client
VTP Domain Name                 : routersim
VTP Pruning Mode                : Disabled
VTP V2 Mode                     : Disabled
VTP Traps Generation            : Disabled
MD5 digest                      : 0x70 0x01 0xF2 0x72 0x97 0xA1 0x35 0xEB
Configuration last modified by 172.16.10.3 at 11-29-93 20:39:24
Local updater ID is 172.16.10.3 on interface Vl1 (lowest numbered VLAN interface found)
3560A#

The preceding switch output shows the VTP domain and the switch's mode.

32. VLAN information should now be propagated from 3550 Switch A to 3560 Switch A. Confirm this with the show vlan command.

3560A#show vlan
VLAN Name                             Status    Ports
---- -------------------------------- --------- ------------------------------
1    default                          active    Fa0/1, Fa0/4, Fa0/5, Fa0/6, Fa0/7
                                                Gi0/1
2    Sales                            active    Fa0/2
4    Marketing                        active    Fa0/8
7    Research                         active
1002 fddi-default                     active
1003 token-ring-default               active
1004 fddinet-default                  active
1005 trnet-default                    active

VLAN 7 will not be allowed to pass any traffic on the trunk link because we issued the command switchport trunk allowed vlan except 7 in step 18.
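The propagation checked in steps 27 through 32 follows two VTP rules: the advertisement is only applied when both switches are in the same (non-NULL) domain, and only when the sender's configuration revision is higher than the receiver's. The following is an added example, not part of the lab, that models those rules with the lab's two switches; the digest function is a simplified stand-in for the MD5 digest line of show vtp status, not the protocol's real computation.

```python
import hashlib
from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass
class Switch:
    name: str
    mode: str                       # "server" or "client", as set by vtp mode
    domain: Optional[str] = None    # None is what show vtp status prints as NULL
    revision: int = 0               # Configuration Revision
    vlans: Dict[int, str] = field(default_factory=dict)


def default_vlans() -> Dict[int, str]:
    """VLAN 1 plus the four reserved VLANs every Catalyst ships with."""
    return {1: "default", 1002: "fddi-default", 1003: "token-ring-default",
            1004: "fddinet-default", 1005: "trnet-default"}


def vlan_digest(vlans: Dict[int, str]) -> str:
    """Stand-in for the 'MD5 digest' line of show vtp status: MD5 over the
    sorted VLAN table. The real digest covers the summary advertisement
    (including any VTP password); this simplification is an assumption."""
    blob = ";".join(f"{vid}:{name}" for vid, name in sorted(vlans.items()))
    return hashlib.md5(blob.encode()).hexdigest()


def receive_advertisement(receiver: Switch, sender: Switch) -> str:
    """Apply the sender's VLAN table to the receiver under the VTP rules:
    same non-NULL domain, and the sender's revision strictly higher.
    The rule does not look at the sender's mode, so a server applies a
    higher-revision table from any switch in the domain too, which is why
    an old switch carrying a stale high revision can overwrite the VLANs."""
    if receiver.domain is None or receiver.domain != sender.domain:
        return "ignored: domain mismatch"
    if sender.revision <= receiver.revision:
        return "ignored: revision not higher"
    receiver.vlans = dict(sender.vlans)
    receiver.revision = sender.revision
    return "accepted"


def lab_scenario():
    """Steps 27-32: 3550 Switch A (server, revision 4) advertises to
    3560 Switch A (client, revision 3) before and after the client's
    domain is set to routersim."""
    server = Switch("3550A", "server", "routersim", revision=4,
                    vlans={**default_vlans(), 2: "Sales", 4: "Marketing",
                           7: "Research"})
    client = Switch("3560A", "client", None, revision=3,
                    vlans=default_vlans())
    before = receive_advertisement(client, server)  # domain still NULL
    client.domain = "routersim"                     # vtp domain routersim
    after = receive_advertisement(client, server)
    return before, after, server, client


if __name__ == "__main__":
    before, after, server, client = lab_scenario()
    print(before, "->", after)
    for sw in (server, client):
        print(f"{sw.name}: revision {sw.revision}, {len(sw.vlans)} VLANs, "
              f"digest {vlan_digest(sw.vlans)[:16]}")
```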
IntraVLAN and InterVLAN Routing

In previous labs we have set up VLANs 2 and 4 for the 3550 and 3560 switches. We will first set up the proper subnetting so that we can place Hosts A and C in VLAN 2 and Hosts B and D in VLAN 4. We will then have you test this by communicating with the VLANs. Then we will set up interVLAN routing so that hosts from VLANs 2 and 4 can communicate with each other.

Network devices in different VLANs cannot communicate with each other without sending traffic through a router. In this lab we will use 2811 Router A to perform the 802.1q routing so that we can route traffic between the two VLANs. Two new subnets will be needed. We will use subnets 172.16.20.0/24 and 172.16.30.0/24. The 2811 Router A FastEthernet 0/0 interface will stay at 172.16.10.1/24; however, the IP address needs to be moved to a subinterface, which we'll do in a minute.

33. We should now configure our hosts. VLAN 2 will have a subnet of 172.16.20.0/24 and VLAN 4 will have a subnet of 172.16.30.0/24. We will now change the current IP addresses of the hosts so they are in their proper VLAN. Change the IP addresses and default gateways of the four hosts.

Host   IP Address     New Default Gateway   Subnet Mask
A      172.16.20.2    172.16.20.1           255.255.255.0
B      172.16.30.3    172.16.30.1           255.255.255.0
C      172.16.20.3    172.16.20.1           255.255.255.0
D      172.16.30.2    172.16.30.1           255.255.255.0
34. Right mouse click Host A.
35. Click on the Configs button.
36. On Host A configure:
• IP Address
• Subnet Mask
• Default Gateway

IP Address: 172.16.20.2
Subnet Mask: 255.255.255.0
Default Gateway: 172.16.20.1

IP address: A unique identification number for a device that is located on a network. An IP address is equivalent to the address of your home. The format of an IP address is a 32-bit numeric address written as four numbers separated by periods. Each number can be zero to 255. For example, 172.16.10.6 could be an IP address.

subnet mask: When you split up an IP network, the subnet mask is used to determine what section, or subnet, the IP address of the networked device belongs to. An IP address has two parts, the network address and the host address. Let us examine IP address 172.16.10.6. Assuming this is part of a Class B network, the first two numbers (172.16) represent the Class B network address, and the second two numbers (10.6) identify a particular host on this network.

default gateway: An IP address configured on a networked device that allows that device to communicate outside of its own subnet. A default gateway is usually a layer 3 device like a router. When a network device wants to get to the Internet, it uses a default gateway. A default gateway IP address is equivalent to the on-ramp of a highway.
37. Click the OK button and then the Close button.
On Host B configure:
• IP Address
• Subnet Mask
• Default Gateway

IP Address: 172.16.30.3
Subnet Mask: 255.255.255.0
Default Gateway: 172.16.30.1
38. On Host C configure:
• IP Address
• Subnet Mask
• Default Gateway

IP Address: 172.16.20.3
Subnet Mask: 255.255.255.0
Default Gateway: 172.16.20.1
39. Click the OK button and then the Close button.

40. On Host D configure:
• IP Address
• Subnet Mask
• Default Gateway

IP Address: 172.16.30.2
Subnet Mask: 255.255.255.0
Default Gateway: 172.16.30.1
41. Click the OK button and then the Close button. Now double-click Host A.
42. Verify you have set up the VLANs correctly by pinging from Host A to Host C.

C:\>ping 172.16.20.3
Pinging 172.16.20.3 with 32 bytes of data:
Reply from 172.16.20.3: bytes=32 time=22ms TTL=254
Reply from 172.16.20.3: bytes=32 time=22ms TTL=254
Reply from 172.16.20.3: bytes=32 time=22ms TTL=254
Reply from 172.16.20.3: bytes=32 time=22ms TTL=254
Ping Statistics for 172.16.20.3:
    Packets Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 22ms, Maximum = 23ms, Average = 22ms
C:\>

Once you can ping, you know you have configured at least one VLAN correctly. At this time, Host A and Host C cannot ping anything else in the network except each other.

43. At this point you should not be able to ping Host B even though it is connected to the same switch.

C:\>ping 172.16.30.3
Pinging 172.16.30.3 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Ping Statistics for 172.16.30.3:
    Packets Sent = 4, Received = 0, Lost = 4 (100% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms
C:\>

44. Verify you have set up the VLANs correctly by pinging from Host B to Host D.

C:\>ping 172.16.30.2
Pinging 172.16.30.2 with 32 bytes of data:
Reply from 172.16.30.2: bytes=32 time=22ms TTL=254
Reply from 172.16.30.2: bytes=32 time=22ms TTL=254
Reply from 172.16.30.2: bytes=32 time=22ms TTL=254
Reply from 172.16.30.2: bytes=32 time=22ms TTL=254
Ping Statistics for 172.16.30.2:
    Packets Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 22ms, Maximum = 23ms, Average = 22ms
C:\>
Once you can ping, you know you have configured both VLANs correctly. At this time, Host B and Host D cannot ping anything else in the network except each other.

45. To have the hosts ping outside their own VLAN, you must set up some type of routing. You also need to set up a trunk link between the switch and the router. Use the 2811 Router A FastEthernet 0/0 interface and create 802.1q routing. Create three subinterfaces, one for each VLAN. To establish a trunk link between 3550 Switch A and the 2811 router, configure FastEthernet 0/4 on 3550 Switch A as a trunk port with 802.1q encapsulation.

2811A>enable
2811A#config t
2811A(config)#int fa0/0.1
2811A(config-subif)#encapsulation dot1q 1
2811A(config-subif)#ip address 172.16.10.1 255.255.255.0
2811A(config-subif)#int fa0/0.2
2811A(config-subif)#encapsulation dot1q 2
2811A(config-subif)#ip address 172.16.20.1 255.255.255.0
2811A(config-subif)#int fa0/0.3
2811A(config-subif)#encapsulation dot1q 4
2811A(config-subif)#ip address 172.16.30.1 255.255.255.0
2811A(config-subif)#exit
2811A(config)#exit
2811A#copy run start
Destination filename [startup-config]?
Building configuration...
[OK]
2811A#

3550A#config t
3550A(config)#int fa0/4
3550A(config-if)#switchport mode trunk
3550A(config-if)#switchport trunk encapsulation dot1q
46. Verify your subinterface configurations with the show run command.

2811A#show run
[output cut]
!
interface FastEthernet0/0
 no ip address
 no ip directed-broadcast
!
interface FastEthernet0/0.1
 encapsulation dot1Q 1
 ip address 172.16.10.1 255.255.255.0
!
interface FastEthernet0/0.2
 encapsulation dot1Q 2
 ip address 172.16.20.1 255.255.255.0
!
interface FastEthernet0/0.3
 encapsulation dot1Q 4
 ip address 172.16.30.1 255.255.255.0
!
[output cut]
47. At this point, the hosts should be able to ping all hosts and 2811 Router A.
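Steps 33 through 47 are a reachability argument: hosts in the same VLAN and subnet talk directly, hosts in different VLANs need the router subinterface tagged with their VLAN, and VLAN 7 never crosses the trunk because of the except 7 filter. The following added example (not the lab's own code) models that with the step 33 host table and the step 45 subinterfaces. Which switch each host hangs off is not given in this part of the lab; placing A and B on 3550A (step 43 says they share a switch) and C and D on 3560A, plus the two constructed VLAN 7 hosts, are assumptions made for the example.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


def network_of(ip: str, mask: str):
    return ipaddress.ip_interface(f"{ip}/{mask}").network


@dataclass
class Host:
    switch: str       # switch the host's access port is on (assumed placement)
    vlan: int         # VLAN of that access port
    ip: str
    mask: str
    gateway: str


@dataclass
class Subif:
    """One router-on-a-stick subinterface: encapsulation dot1q <vlan> + ip address."""
    vlan: int
    ip: str
    mask: str


@dataclass
class Topology:
    hosts: Dict[str, Host]
    trunk_allowed: Set[int]         # VLANs the inter-switch trunk carries
    router_switch: str              # switch whose trunk port faces 2811 Router A
    subifs: List[Subif] = field(default_factory=list)

    def l2_path(self, vlan: int, sw_a: str, sw_b: str) -> bool:
        """A frame in `vlan` can pass between the two switches if they are
        the same switch or the trunk allows that VLAN."""
        return sw_a == sw_b or vlan in self.trunk_allowed

    def subif_for(self, vlan: int) -> Optional[Subif]:
        return next((s for s in self.subifs if s.vlan == vlan), None)

    def reachable(self, src_name: str, dst_name: str) -> str:
        src, dst = self.hosts[src_name], self.hosts[dst_name]
        if src.vlan == dst.vlan and network_of(src.ip, src.mask) == network_of(dst.ip, dst.mask):
            # same VLAN and subnet: pure layer-2 delivery, no router involved
            return "direct" if self.l2_path(src.vlan, src.switch, dst.switch) else "blocked: trunk"
        # different subnet: src sends to its gateway, which must be the router
        # subinterface tagged with src's VLAN and reachable over the trunk
        gw = self.subif_for(src.vlan)
        if gw is None or gw.ip != src.gateway or not self.l2_path(src.vlan, src.switch, self.router_switch):
            return "unreachable: no gateway"
        # the reply needs the mirror image: a subinterface in dst's VLAN and subnet
        back = self.subif_for(dst.vlan)
        if (back is None or back.ip != dst.gateway
                or network_of(back.ip, back.mask) != network_of(dst.ip, dst.mask)
                or not self.l2_path(dst.vlan, self.router_switch, dst.switch)):
            return "unreachable: no return path"
        return "routed"


def lab_topology() -> Topology:
    """Hosts A-D from the step 33 table; R1/R2 are constructed VLAN 7 hosts
    that exist only to show the 'switchport trunk allowed vlan except 7' effect."""
    return Topology(
        hosts={
            "A": Host("3550A", 2, "172.16.20.2", "255.255.255.0", "172.16.20.1"),
            "B": Host("3550A", 4, "172.16.30.3", "255.255.255.0", "172.16.30.1"),
            "C": Host("3560A", 2, "172.16.20.3", "255.255.255.0", "172.16.20.1"),
            "D": Host("3560A", 4, "172.16.30.2", "255.255.255.0", "172.16.30.1"),
            "R1": Host("3550A", 7, "172.16.70.2", "255.255.255.0", "172.16.70.1"),
            "R2": Host("3560A", 7, "172.16.70.3", "255.255.255.0", "172.16.70.1"),
        },
        trunk_allowed=set(range(1, 1006)) - {7},   # allowed vlan except 7 (step 18)
        router_switch="3550A",                      # 3550A fa0/4 trunks to the router
    )


def step45_router_config(topo: Topology) -> None:
    """The three subinterfaces configured on 2811 Router A in step 45."""
    topo.subifs = [Subif(1, "172.16.10.1", "255.255.255.0"),
                   Subif(2, "172.16.20.1", "255.255.255.0"),
                   Subif(4, "172.16.30.1", "255.255.255.0")]


if __name__ == "__main__":
    topo = lab_topology()
    pairs = [("A", "C"), ("B", "D"), ("A", "B"), ("A", "D"), ("R1", "R2")]
    print("before step 45:", {p: topo.reachable(*p) for p in pairs})
    step45_router_config(topo)
    print("after step 45: ", {p: topo.reachable(*p) for p in pairs})
```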
Individual Lab: Configuring VLANs on a 1900 Switch

Enter all commands in lower case. The program's grading feature expects lower case and may count an answer wrong if it is in upper case.

Configuring VLANs is the easy part of the job. It is trying to understand which users you want in each VLAN that is time consuming. Once you have decided the number of VLANs you want to create and the users that will be members of each VLAN, you can create your VLANs. You can create up to 64 VLANs on a 1900 switch.

When you have finished with this lab ...

You can check your work by clicking the Grade Me button in the upper right hand corner of the Network Visualizer screen.
You will see a report that will display:
• The name of the command entered for this lab
• The expected configuration
• Your configuration
• The result for each command. You will see a green checkmark (meaning that you got it correct) or a red X
• A score of the number of correct answers out of the total possible
Network Layout

On the Network Visualizer screen, click on the Labs menu then choose Individual, 1900 Switch VLANs.
Lab Steps

1. Double-click switch 1900 A to bring up the console screen.

2. To configure VLANs on the 1900 series switch, choose "k" from the initial user interface menu to get into IOS configuration. Press "k" to enter the CLI mode, and enter global configuration mode using the enable command and then config t.

1 user(s) now active on Management Console.

User Interface Menu
[M] Menus
[K] Command Line

Enter Selection: k

CLI session with the switch is open.
To end the CLI session, enter [Exit].
3. Use the vtp global configuration mode command to set this information. In the following example, we set the switch to a VTP server and the VTP domain to routersim. A Catalyst is configured by default to be a VTP server, as are all switches. To configure VTP, first configure the domain name you want to use, as discussed in the next section. Once you configure the VTP information on a switch, you need to verify the configuration.

VTP: A protocol used between switches to simplify the management of VLANs. You can make configuration changes on one switch and have those changes automatically communicated to all the other switches in the network. You can designate one switch as the VTP server and the others as VTP clients. The VTP server then communicates changes to the VTP clients.

1900A#config t
1900A(config)#vtp ?
  client       VTP client
  domain       Set VTP domain name
  password     Set VTP password
  pruning      VTP pruning
  server       VTP server
  transparent  VTP transparent
  trap         VTP trap
1900A(config)#vtp server
1900A(config)#vtp domain routersim
4. After you configure the VTP information, you can verify it with the show vtp command.

1900A(config)#exit
1900A#show vtp
VTP version: 1
Configuration revision: 3
Maximum VLANs supported locally: 1005
Number of existing VLANs: 7
VTP domain name        : routersim
VTP password           :
VTP operating mode     : Server
VTP pruning mode       : Disabled
VTP traps generation   : Enabled
Configuration last modified by: 172.16.10.16 at 00-00-0000 00:00:00
1900A#
The preceding switch output shows the VTP domain and the switch's mode.

5. To configure VLANs on an IOS-based switch, use the vlan [vlan#] name [vlan name] command. The following will demonstrate how to configure VLANs on the switch by creating three VLANs for three different departments.

>en
#config t
Enter configuration commands, one per line. End with CNTL/Z
(config)#hostname 1900A
1900A(config)#vlan 2 name sales
1900A(config)#vlan 3 name marketing
1900A(config)#vlan 4 name mis
1900A(config)#exit

6. After you create the VLANs that you want, you can use the show vlan command to see the configured VLANs. However, notice that by default all ports on the switch are in VLAN 1. To change the VLAN associated with a port you need to go to each interface and tell it what VLAN to be a member of. Once the VLANs are created, verify your configuration with the show vlan command.

1900A#show vlan
VLAN Name                 Status     Ports
--------------------------------------
1    default              Enabled    1-12,A,B,AUI
2    sales                Enabled
3    marketing            Enabled
4    mis                  Enabled
1002 fddi-default         Suspended
1003 token-ring-defau     Suspended
1004 fddinet-default      Suspended
1005 trnet-default        Suspended
--------------------------------------
[output cut]
7. You can configure each port to be in a VLAN by using the vlan-membership command. You can only configure VLANs one port at a time. In the following example, we configure interface 2 to VLAN 2, interface 4 to VLAN 3, and interface 5 to VLAN 4.

1900A#config t
Enter configuration commands, one per line. End with CNTL/Z
1900A(config)#int e0/2
1900A(config-if)#vlan-membership ?
  dynamic  Set VLAN membership type as dynamic
  static   Set VLAN membership type as static
1900A(config-if)#vlan-membership static ?
  <1-1005>  ISL VLAN index
1900A(config-if)#vlan-membership static 2
1900A(config-if)#int e0/4
1900A(config-if)#vlan-membership static 3
1900A(config-if)#int e0/5
1900A(config-if)#vlan-membership static 4
1900A(config-if)#exit
1900A(config)#exit
8. Now, type show vlan again to see the ports assigned to each VLAN.

1900A#show vlan
VLAN Name                 Status     Ports
--------------------------------------
1    default              Enabled    1,3,6-12,A,B,AUI
2    sales                Enabled    2
3    marketing            Enabled    4
4    mis                  Enabled    5
1002 fddi-default         Suspended
1003 token-ring-defau     Suspended
1004 fddinet-default      Suspended
1005 trnet-default        Suspended
--------------------------------------
[output cut]
9. Another command you can use to see the ports assigned to a VLAN is show vlan-membership. Notice that this command shows each port on the switch, which VLAN the port is a member of, and the membership type (static or dynamic).

1900A#show vlan-membership
Port  VLAN  Membership Type
----------------------------
1     1     Static
2     2     Static
3     1     Static
4     3     Static
5     4     Static
6     1     Static
7     1     Static
8     1     Static
9     1     Static
10    1     Static
11    1     Static
12    1     Static
AUI   1     Static
A     1     Static
B     1     Static
1900A#
Configuring Trunk Ports

Trunk links are 100 or 1000 Mbps point-to-point links between two switches, between a switch and router, or between a switch and server. Trunked links carry the traffic of multiple VLANs, from 1 to 1005 at a time. You cannot run trunked links on 10 Mbps links.

trunk: Assigned to a port, allowing that port to carry traffic for any or all of the VLANs accessible by a particular switch. It marks frames with special identifying tags (i.e. 802.1Q) as they pass between switches, so each frame can be routed to its intended VLAN.

10. To configure trunking on a FastEthernet port, use the interface command trunk [parameter]. The following switch output shows the trunk configuration on interface 26 set to trunk on.

1900A#config t
Enter configuration commands, one per line. End with CNTL/Z
1900A(config)#int fa0/26
1900A(config-if)#trunk ?
  auto         Set DISL state to AUTO
  desirable    Set DISL state to DESIRABLE
  nonegotiate  Set DISL state to NONEGOTIATE
  off          Set DISL state to OFF
  on           Set DISL state to ON
1900A(config-if)#trunk on
11. The following list describes the different options available when setting a trunk interface, in the order the trunk ? output shows them.
• auto: The interface will become a trunk only if the connected device is set to on or desirable.
• desirable: If a connected device is either on, desirable, or auto, it will negotiate to become a trunk port.
• nonegotiate: The interface becomes a permanent ISL trunk port and will not negotiate with any attached device.
• off: The interface is disabled from running trunking and tries to convert any attached device to be non-trunk as well.
• on: The interface becomes a permanent ISL trunk port. It can negotiate with a connected device to convert the link to trunk mode.
12. To verify your trunk ports, use the show trunk command. If you have more than one port trunking and want to see statistics on only one trunk port, you can use the show trunk [port_number] command.
FastEthernet port 0/26 is identified by trunk A and port 0/27 is identified by trunk B. Below we demonstrate how to view the trunk port on interface 26:

1900A#show trunk ?
  A  Trunk A
  B  Trunk B
1900A#show trunk a
DISL state: On, Trunking: On, Encapsulation type: ISL

Notice in this output that DISL is on, trunking is on, and ISL is the VLAN encapsulation type on trunk links.
Configuring Inter-Switch Link (ISL) Routing

To support ISL routing on one FastEthernet 2600 interface, the router's interface is divided into logical interfaces, one for each VLAN. These are called subinterfaces, and Cisco also calls this router-on-a-stick. Each of the hosts in a VLAN must use the same subnet addressing.

ISL routing: In a switched network, it allows you to identify the VLAN membership of a frame as it travels between switches.

To configure the router-on-a-stick for inter-VLAN routing, you need to complete three steps:
• Enable ISL trunking on the switch port the router connects to
• Enable ISL encapsulation on the router's subinterface
• Assign an IP address to the subinterface (and any other logical addressing, if applicable)
13. To create a subinterface from global configuration mode, choose the FastEthernet interface, a period, and then a number. You will now be in the (config-subif) prompt for the interface. We will use a 2621 router in this lab.

14. Move to the console screen for 2621 Router A.
15. Before we work with a subinterface we need to make sure the main interface fa0/0 is up. Then let us go to the subinterface fa0/0.1.

Router>enable
Router#config t
Router(config)#hostname 2621A
2621A(config)#int fa0/0
2621A(config-if)#no shut
16:27:04 %LINK-3-UPDOWN: Interface FastEthernet0/0, changed state to up
16:27:04 %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to up
2621A(config-if)#int fa0/0.1
2621A(config-subif)#
16. To configure ISL routing on a subinterface, use the encapsulation isl [vlan-number] command. You can then assign an IP address to the subinterface. This is a unique subnet, and all the hosts on that VLAN should be in that same subnet.

2621A(config-subif)#encapsulation isl 1
2621A(config-subif)#ip address 172.16.10.1 255.255.255.0
Grade Me

Before you remove VTP, you might want to click the Grade Me button to check your work.

18. To delete the VTP information configured on a 1900 switch, you must use the delete vtp command. The following switch output shows how to delete the VTP NVRAM database. Once you type in the command, you will be prompted to confirm setting the VTP information back to the factory default configuration.

1900A#delete ?
  nvram  NVRAM configuration
  vtp    Reset VTP configuration to defaults
1900A#delete vtp
This command resets the switch with VTP parameters set to factory defaults.
All other parameters will be unchanged.
Reset system with VTP parameters set to factory defaults, [Y]es or [N]o? Yes
Individual Lab: Standard IP Access-Lists

Enter all commands in lower case. The program's grading feature expects lower case and may count an answer wrong if it is in upper case.

This lab will have you block access to network 172.16.40.0 from Host F. Access-lists can be tricky because if you do not create your lists correctly, you can bring the network down. In this lab we will need to configure routers, hosts, and switches before we set up access-lists.

standard IP access list: Uses source addresses for filtering packets. A collection of permit and deny conditions is applied to IP addresses.

When you have finished with this lab ...

You can check your work by clicking the Grade Me button in the upper right hand corner of the Network Visualizer screen.
You will see a report that will display:
• The name of the command entered for this lab
• The expected configuration
• Your configuration
• The result for each command. You will see a green checkmark (meaning that you got it correct) or a red X
• A score of the number of correct answers out of the total possible
Network Layout

On the Network Visualizer screen, click on the Labs menu then choose Individual, Access-Lists, and Standard IP Access.
Lab Steps

Copy and Paste Script

Steps 1-3 are necessary in order to perform this lab. If you do not want to manually complete these steps and want to accelerate steps 1-3, you can copy and paste the following script into the console for each router. After you get into User mode, copy and paste the script into the console. Click on the console and click your right mouse button. A pop-up menu will appear. Click Paste.
After pasting the script into the console, you will see the prompt Destination filename [startup-config]?. At this point, press Enter.

2621 Router A:
enable
config t
hostname 2621A
line vty 0 4
password todd
login
interface fastethernet 0/0
ip address 172.16.40.1 255.255.255.0
description connection to LAN 40
no shutdown
interface serial 0/0
ip address 172.16.20.2 255.255.255.0
description connection to 2811A
no shutdown
exit
exit
copy run start

2811 Router A:
enable
config t
hostname 2811A
line vty 0 1180
password todd
login
interface serial 0/1/1
ip address 172.16.20.1 255.255.255.0
description connection to 2621A
no shutdown
interface serial 0/0/1
ip address 172.16.30.1 255.255.255.0
description connection to 2621B
no shutdown
exit
exit
copy run start

2621 Router B:
enable
config t
hostname 2621B
line vty 0 4
password todd
login
interface fastethernet 0/1
ip address 172.16.50.1 255.255.255.0
description connection to LAN 30
no shutdown
interface serial 0/0
ip address 172.16.30.2 255.255.255.0
description connection to 2811A
no shutdown
exit
exit
copy run start
1. Double-click 2621 Router A. After the console screen comes up, perform the following commands.

Router>enable
Router#config t
Router(config)#hostname 2621A
2621A(config)#line vty 0 4
2621A(config-line)#password todd
2621A(config-line)#login
2621A(config-line)#int fa0/0
2621A(config-if)#ip address 172.16.40.1 255.255.255.0
2621A(config-if)#description connection to LAN 40
2621A(config-if)#no shutdown
2621A(config-if)#int s0/0
2621A(config-if)#ip address 172.16.20.2 255.255.255.0
2621A(config-if)#description connection to 2811A
2621A(config-if)#no shutdown
2621A(config-if)#ctrl+z
2621A#copy run start
Destination filename [startup-config]? [enter]
Building configuration...
[OK]
2621A#
2. Double-click 2811 Router A. After the console screen comes up, perform the following commands.

Router>enable
Router#config t
Router(config)#hostname 2811A
2811A(config)#line vty 0 1180
2811A(config-line)#password todd
2811A(config-line)#login
2811A(config-line)#int s0/1/1
2811A(config-if)#ip address 172.16.20.1 255.255.255.0
2811A(config-if)#description connection to 2621A
2811A(config-if)#no shutdown
2811A(config-if)#int s0/0/1
2811A(config-if)#ip address 172.16.30.1 255.255.255.0
2811A(config-if)#description connection to 2621B
2811A(config-if)#no shutdown
2811A(config-if)#ctrl+z
2811A#copy run start
Destination filename [startup-config]? [enter]
Building configuration...
[OK]
2811A#
Clock Rate

You do not have to set a clock rate if the DCE side of your connection is a 2811 router. The clock rate for the serial interface is set by default to 2000000. However, you still need to explicitly set the clock rate. In our lab the DCE side of the connection is interface serial 0/1/1 and serial 0/0/1.
3. Double-click 2621 Router B. After the console screen comes up, perform the following commands.

Router>enable
Router#config t
Router(config)#hostname 2621B
2621B(config)#line vty 0 4
2621B(config-line)#password todd
2621B(config-line)#login
2621B(config-line)#int fa0/0
2621B(config-if)#ip address 172.16.50.1 255.255.255.0
2621B(config-if)#description connection to LAN 30
2621B(config-if)#no shutdown
2621B(config-if)#int s0/0
2621B(config-if)#ip address 172.16.30.2 255.255.255.0
2621B(config-if)#description connection to 2811A
2621B(config-if)#no shutdown
2621B(config-if)#ctrl+z
2621B#copy run start
Destination filename [startup-config]? [enter]
Building configuration...
[OK]
2621B#
4. We need to add a routing protocol such as RIP. Add RIP for each router with a network of 172.16.0.0.

2621A#config t
2621A(config)#router rip
2621A(config-router)#network 172.16.0.0
2621A(config-router)#ctrl+z

2621B#config t
2621B(config)#router rip
2621B(config-router)#network 172.16.0.0
2621B(config-router)#ctrl+z

2811A#config t
2811A(config)#router rip
2811A(config-router)#network 172.16.0.0
2811A(config-router)#ctrl+z
Configuring Hosts E and F

5. Right-mouse click Host E.

6. Click on the Configs button.

7. On Host E configure:
• IP Address
• Subnet Mask
• Default Gateway

IP Address: 172.16.40.3
Subnet Mask: 255.255.255.0
Default Gateway: 172.16.40.1
8. Click the OK button and then the Close button.

9. Right-mouse click Host F.
10. Click on the Configs button.
11. On Host F configure:
• IP Address
• Subnet Mask
• Default Gateway

IP Address: 172.16.50.3
Subnet Mask: 255.255.255.0
Default Gateway: 172.16.50.1
12. Click the OK button and then the Close button.
Configuring Switches

We now need to configure 2950 Switch A and 2960 Switch A.

13. Bring up the console for switch 2950 A.
14. To set the IP configuration on a 2950 switch, use the ip address command. However, this is set under the VLAN1 interface, not at global configuration mode like on a 1900 switch. Remember that by default all interfaces are members of VLAN1, which is why the VLAN1 interface is configured by default.

switch>enable
switch#config t
Enter configuration commands, one per line. End with CNTL/Z
switch(config)#hostname 2950A
2950A(config)#int vlan 1
2950A(config-if)#ip address 172.16.40.2 255.255.255.0
2950A(config-if)#exit
2950A(config)#

15. The default gateway should also be set using the ip default-gateway command. However, unlike the IP address, this is completed at global configuration mode.

2950A(config)#ip default-gateway 172.16.40.1
2950A(config)#exit
2950A#
IP Default-Gateway

This is used on devices where no routing information is provided by the router that tells you how to get to the next, directly connected device. It tells us what pathway to use to send packets to the next, directly connected device. In the previous set of commands the ip default-gateway is 172.16.40.1 because that is the IP address of interface f0/0 on 2621 Router A.
To change the IP address and default-gateway on the switch, you can either type in new addresses or remove the IP information with the no ip address and no ip default-gateway commands at the appropriate configuration prompt.

16. Change to the console so you can work with 2960 Switch A.

17. Configure 2960 Switch A with an IP address and default-gateway.

switch>enable
switch#config t
Enter configuration commands, one per line. End with CNTL/Z
switch(config)#hostname 2960A
2960A(config)#int vlan 1
2960A(config-if)#ip address 172.16.50.2 255.255.255.0
2960A(config-if)#exit
2960A(config)#ip default-gateway 172.16.50.1
2960A(config)#exit
2960A#

18. Close the console screen.

19. Double-click Host F on the network.
20. Verify that you can ping to 2950 Switch A and that you can ping Host E from Host F.

C:\>ping 172.16.40.2
Pinging 172.16.40.2 with 32 bytes of data:
Reply from 172.16.40.2: bytes=32 time=22ms TTL=254
Reply from 172.16.40.2: bytes=32 time=22ms TTL=254
Reply from 172.16.40.2: bytes=32 time=22ms TTL=254
Reply from 172.16.40.2: bytes=32 time=22ms TTL=254
Ping Statistics for 172.16.40.2:
    Packets Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 22ms, Maximum = 23ms, Average = 22ms

C:\>ping 172.16.40.3
Pinging 172.16.40.3 with 32 bytes of data:
Reply from 172.16.40.3: bytes=32 time=22ms TTL=254
Reply from 172.16.40.3: bytes=32 time=22ms TTL=254
Reply from 172.16.40.3: bytes=32 time=22ms TTL=254
Reply from 172.16.40.3: bytes=32 time=22ms TTL=254
Ping Statistics for 172.16.40.3:
    Packets Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 22ms, Maximum = 23ms, Average = 22ms
C:\>
21. From the Host F menu, bring up the console for 2621 Router A.
22. Create an access-list that blocks access from Host F trying to get to network 172.16.40.0.

2621A#config t
2621A(config)#access-list 10 deny host 172.16.50.3
2621A(config)#access-list 10 permit any

That's all we're going to do for the list. Remember that IP standard access-lists should be created closest to the destination network, which is why we built that access-list on 2621 Router A. It is directly connected to network 172.16.40.0.
23. After creating an access-list for 2621 Router A, we now need to add the access-list to the serial 0/0 interface of 2621 Router A.

2621A(config)#int s0/0
2621A(config-if)#ip access-group 10 in

This applies access-list 10 to the serial 0/0 interface of 2621 Router A, so every packet arriving on that interface is checked against the list.

24. Check to see that Host F can no longer ping 172.16.40.2 and 172.16.40.3.

C:\>ping 172.16.40.2
Pinging 172.16.40.2 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.
C:\>

C:\>ping 172.16.40.3
Pinging 172.16.40.3 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.
C:\>
25. If the access-list is correct, all other devices should still be able to reach network 172.16.40.0. Ping from 2621 Router B and verify that you can reach 172.16.40.2 and 172.16.40.3.

2621B#ping 172.16.40.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.40.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/4 ms
2621B#
2621B#ping 172.16.40.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.40.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/4 ms
2621B#
Verifying Standard IP Access-Lists

Pinging and telnetting through the internetwork is a really good way to verify the network and access-lists. However, using the Cisco IOS commands is also a good way to verify the lists.

26. Bring up the console for 2621 Router A and type show access-list to see the list configured on the router.

2621A(config-if)#ctrl+z
2621A#show access-list
Standard IP access list 10
    deny   172.16.50.3
    permit any
2621A#

27. You can also type either show ip access-list or show access-list 10 to gather specific list configurations.

2621A#show access-list 10
Standard IP access list 10
    deny   172.16.50.3
    permit any
2621A#
28. To see which interface has access-lists applied, use the show ip interface command.

2621A#show ip interface
[output cut]
Serial0/0 is up, line protocol is up
  Internet address is 172.16.20.2/24
  Broadcast address is 255.255.255.255
  Address determined by setup command
  MTU is 1514 bytes
  Helper address is not set
  Directed broadcast forwarding is disabled
  Outgoing access list is not set
  Inbound access list is 10
[output cut]
29. The show running-config command is useful to see both the access-list and to verify the interface where the access-list is applied.

2621A#show run
[output cut]
!
interface Serial0/0
 description connection to 2811A
 ip address 172.16.20.2 255.255.255.0
 no ip directed-broadcast
 ip access-group 10 in
!
[output cut]
Applying an Access-List to a VTY Line

You will have a difficult time trying to stop users from telnetting into a router because any active port on a router is fair game for VTY access. However, you can use a standard IP access list to control access by placing the access-list on the VTY lines themselves. To perform this function:

30. Create a standard IP access list that permits only the host or hosts you want to be able to telnet into the routers.

31. Apply the access list to the VTY line with the access-class command.

This lab will have you stop Host F from telnetting into 2621 Router A.

32. Remove the access-list on 2621 Router A.

2621A#config t
2621A(config)#no access-list 10

33. Remove the access-list on the serial 0/0 interface of 2621 Router A.

2621A(config)#int s0/0
2621A(config-if)#no ip access-group 10 in
You can just type no access-list 10 to remove the access-list, but you must type the whole command from the interface to remove the list from the interface on the router.
34. Verify that Host F can telnet into 2621 Router A.

C:\>telnet 172.16.20.2
Connecting To 172.16.20.2 ...
This is 2621 Router A
User Access Verification
Password:
2621A>

35. Exit from your telnet session.

2621A>exit
Connection to host lost.
C:\>

36. Connect to 2621 Router A and block Telnet access for Host F, but allow all other devices to telnet to 2621 Router A.

2621A#config t
2621A(config)#access-list 20 deny host 172.16.50.3
2621A(config)#access-list 20 permit any

37. Apply the access-list directly to the VTY lines and not to an interface.

2621A(config)#line vty 0 4
2621A(config-line)#access-class 20 in
2621A(config-line)#ctrl+z
2621A#

38. Verify that Host F can no longer telnet into 2621 Router A.

C:\>telnet 172.16.20.2
Connecting To 172.16.20.2 ...Could not open a connection to host: Connect failed
C:\>
39. Use the Host F menu to go to the 2621 Router B console.

40. Verify that 2621 Router B can still telnet into 2621 Router A.

2621B#telnet 172.16.20.2
Trying 172.16.20.2 ... Open
This is 2621 Router A
User Access Verification
Password:
2621A>
Individual Lab: Extended IP Access-Lists

Enter all commands in lower case. The program's grading feature expects lower case and may count an answer wrong if it is in upper case.

In this lab we will create a new access-list that is more succinct on 2621 Router A. We want Host F to use the services on the 172.16.40.0 network, but we do not want Host F to telnet into 2950 Switch A.

When you have finished with this lab ...
You can check your work by clicking the Grade Me button in the upper right hand corner of the Network Visualizer screen.

You will see a report that will display:

• The name of the command entered for this lab
• The expected configuration
• Your configuration
• The result for each command. You will see a green checkmark (meaning that you got it correct) or a red X
• A score of the number of correct answers out of the total possible
Network Layout

On the Network Visualizer screen, click on the Labs menu then choose Individual, Access-Lists, and Extended IP Access.

Lab Steps

Copy and Paste Script

Steps 1-3 are necessary in order to perform this lab. If you do not want to manually complete these steps and want to accelerate steps 1-3, you can copy and paste the following script into the console for each router. After you get into User mode, copy and paste the script into the console. Click on the console and click your right mouse button. A pop-up menu will appear. Click Paste.

After pasting the script into the console, you will see the prompt Destination filename [startup-config]?. At this point, press Enter.

2621 Router A
enable
config t
hostname 2621A
line vty 0 4
password todd
login
interface fastethernet 0/0
ip address 172.16.40.1 255.255.255.0
description connection to LAN 40
no shutdown
interface serial 0/0
ip address 172.16.20.2 255.255.255.0
description connection to 2811A
no shutdown
exit
exit
copy run start

2811 Router A
enable
config t
hostname 2811A
line vty 0 1180
password todd
login
interface serial 0/1/1
ip address 172.16.20.1 255.255.255.0
description connection to 2621A
no shutdown
interface serial 0/0/1
ip address 172.16.30.1 255.255.255.0
description connection to 2621B
no shutdown
exit
exit
copy run start

2621 Router B
enable
config t
hostname 2621B
line vty 0 4
password todd
login
interface fastethernet 0/1
ip address 172.16.50.1 255.255.255.0
description connection to LAN 30
no shutdown
interface serial 0/0
ip address 172.16.30.2 255.255.255.0
description connection to 2811A
no shutdown
exit
exit
copy run start
1. Double-click 2621 Router A. After the console screen comes up, perform the following commands.

Router>enable
Router#config t
Router(config)#hostname 2621A
2621A(config)#line vty 0 4
2621A(config-line)#password todd
2621A(config-line)#login
2621A(config-line)#int fa0/0
2621A(config-if)#ip address 172.16.40.1 255.255.255.0
2621A(config-if)#description connection to LAN 40
2621A(config-if)#no shutdown
2621A(config-if)#int s0/0
2621A(config-if)#ip address 172.16.20.2 255.255.255.0
2621A(config-if)#description connection to 2811A
2621A(config-if)#no shutdown
2621A(config-if)#ctrl+z
2621A#copy run start
Destination filename [startup-config]? [enter]
Building configuration...
[OK]
2621A#
2. Double-click 2811 Router A. After the console screen comes up, perform the following commands.

Router>enable
Router#config t
Router(config)#hostname 2811A
2811A(config)#line vty 0 1180
2811A(config-line)#password todd
2811A(config-line)#login
2811A(config-line)#int s0/1/1
2811A(config-if)#ip address 172.16.20.1 255.255.255.0
2811A(config-if)#description connection to 2621A
2811A(config-if)#no shutdown
2811A(config-if)#int s0/0/1
2811A(config-if)#ip address 172.16.30.1 255.255.255.0
2811A(config-if)#description connection to 2621B
2811A(config-if)#no shutdown
2811A(config-if)#ctrl+z
2811A#copy run start
Destination filename [startup-config]? [enter]
Building configuration...
[OK]
2811A#
Clock Rate

You do not have to set a clock rate if the DCE side of your connection is a 2811 router. The clock rate for the serial interface is set by default to 2000000. However, on a 2621 router you still need to explicitly set the clock rate. In our lab the DCE side of the connection is interface serial 0/1/1 and serial 0/0/1.
3. Double-click 2621 Router B. After the console screen comes up, perform the following commands.

Router>enable
Router#config t
Router(config)#hostname 2621B
2621B(config)#line vty 0 4
2621B(config-line)#password todd
2621B(config-line)#login
2621B(config-line)#int fa0/0
2621B(config-if)#ip address 172.16.50.1 255.255.255.0
2621B(config-if)#description connection to LAN 30
2621B(config-if)#no shutdown
2621B(config-if)#int s0/0
2621B(config-if)#ip address 172.16.30.2 255.255.255.0
2621B(config-if)#description connection to 2811A
2621B(config-if)#no shutdown
2621B(config-if)#ctrl+z
2621B#copy run start
Destination filename [startup-config]? [enter]
Building configuration...
[OK]
2621B#
4. We need to add a routing protocol such as RIP. Add RIP for each router with a network of 172.16.0.0.

2621A#config t
2621A(config)#router rip
2621A(config-router)#network 172.16.0.0
2621A(config-router)#ctrl+z

2621B#config t
2621B(config)#router rip
2621B(config-router)#network 172.16.0.0
2621B(config-router)#ctrl+z

2811A#config t
2811A(config)#router rip
2811A(config-router)#network 172.16.0.0
2811A(config-router)#ctrl+z
Configuring Hosts E and F

5. Right-mouse click Host E.

6. Click on the Configs button.

7. On Host E configure:

• IP Address
• Subnet Mask
• Default Gateway

IP Address: 172.16.40.3
Subnet Mask: 255.255.255.0
Default Gateway: 172.16.40.1
8. Click the OK button and then the Close button.

9. Right-mouse click Host F.
10. Click on the Configs button.

11. On Host F configure:

• IP Address
• Subnet Mask
• Default Gateway

IP Address: 172.16.50.3
Subnet Mask: 255.255.255.0
Default Gateway: 172.16.50.1

12. Click the OK button and then the Close button.
Configuring Switches

We now need to configure 2950 Switch A and 2960 Switch A.

13. Bring up the console for 2950 Switch A.

14. To set the IP configuration on a 2950 switch, use the ip address command. However, this is set under the VLAN1 interface, not at global configuration mode like on a 1900 switch. Remember that by default all interfaces are members of VLAN1, which is why the VLAN1 interface is configured by default.

switch>enable
switch#config t
Enter configuration commands, one per line. End with CNTL/Z
switch(config)#hostname 2950A
2950A(config)#int vlan 1
2950A(config-if)#ip address 172.16.40.2 255.255.255.0
2950A(config-if)#exit
2950A(config)#
15. The default gateway should also be set using the ip default-gateway command. However, unlike the IP address, this is completed at global configuration mode.

2950A(config)#ip default-gateway 172.16.40.1
2950A(config)#exit
2950A#

IP Default-Gateway

A default gateway is used on devices that hold no routing information of their own. It tells the device which directly connected router to send packets to when the destination is not on the local network. In the previous set of commands the ip default-gateway is 172.16.40.1 because that is the IP address of interface f0/0 on 2621 Router A.
16. Change to the console so you can work with 2960 Switch A.

17. Configure 2960 Switch A with an IP address and default-gateway.

switch>enable
switch#config t
Enter configuration commands, one per line. End with CNTL/Z
switch(config)#hostname 2960A
2960A(config)#int vlan 1
2960A(config-if)#ip address 172.16.50.2 255.255.255.0
2960A(config-if)#exit
2960A(config)#ip default-gateway 172.16.50.1
2960A(config)#exit
2960A#

18. Close the console screen and bring up the Host F console.

19. Verify that Host F can now ping 172.16.40.2 and 172.16.40.3.

C:\>ping 172.16.40.2
Pinging 172.16.40.2 with 32 bytes of data:
Reply from 172.16.40.2: bytes=32 time=22ms TTL=254
Reply from 172.16.40.2: bytes=32 time=22ms TTL=254
Reply from 172.16.40.2: bytes=32 time=22ms TTL=254
Reply from 172.16.40.2: bytes=32 time=22ms TTL=254
Ping Statistics for 172.16.40.2:
    Packets Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 22ms, Maximum = 23ms, Average = 22ms
C:\>ping 172.16.40.3
Pinging 172.16.40.3 with 32 bytes of data:
Reply from 172.16.40.3: bytes=32 time=22ms TTL=254
Reply from 172.16.40.3: bytes=32 time=22ms TTL=254
Reply from 172.16.40.3: bytes=32 time=22ms TTL=254
Reply from 172.16.40.3: bytes=32 time=22ms TTL=254
Ping Statistics for 172.16.40.3:
    Packets Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 22ms, Maximum = 23ms, Average = 22ms
C:\>
20. Create an access-list on 2621 Router A to block telnet access into the 172.16.40.0 network, but still allow Host F to ping Host E.

2621A#config t
2621A(config)#access-list 110 deny tcp host 172.16.50.3 172.16.40.0 0.0.0.255 eq telnet
2621A(config)#access-list 110 permit ip any any

This access-list blocks source address 172.16.50.3 from telnetting into 172.16.40.0.
21. Apply this access-list to the serial interface 0/0 of 2621 Router A to filter the packets coming into the router.

2621A(config)#int s0/0
2621A(config-if)#ip access-group 110 in
2621A(config-if)#ctrl+z
2621A#
22. Test the access-list by trying to telnet to 172.16.40.2 from Host F (remember, you cannot telnet to a host). All other devices should be able to telnet to 172.16.40.2.

C:\>telnet 172.16.40.2
Connecting To 172.16.40.2 ...Could not open a connection to host: Connect failed
C:\>
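To see the match logic behind steps 20-22 (and behind the access-class list 20 from the standard lab) outside of IOS, here is a small Python evaluator. It is an added example, not part of the lab book or the RouterSim software: it parses the lab's own access-list lines, tests entries top down with first-match semantics and IOS wildcard masks, and falls through to the implicit deny when nothing matches. The parse_acl and evaluate function names and the sample packets at the bottom are ours; the list numbers and addresses are the lab's.

```python
"""Standard and extended IP access-list evaluator.

Added example, not part of the lab book or the RouterSim software. It models
the two IOS behaviours the lab relies on: entries are tested top down and the
first match wins, and a list that matches nothing ends in an implicit deny.
The list numbers and addresses are the lab's (172.16.50.3 is Host F,
172.16.40.0/24 is LAN 40); the function names and packet tuples are ours.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Dict, List, Optional, Tuple

WELL_KNOWN_PORTS = {"telnet": 23, "www": 80, "ftp": 21, "smtp": 25, "domain": 53}
ANY = 0xFFFFFFFF   # wildcard with every bit set: "don't care" about the address


@dataclass(frozen=True)
class AclEntry:
    action: str                      # "permit" or "deny"
    protocol: str                    # "ip", "tcp", "udp" or "icmp"
    src: int                         # source address as a 32-bit integer
    src_wild: int                    # IOS wildcard: 1 bits are ignored
    dst: int = 0
    dst_wild: int = ANY              # standard lists never look at the destination
    dport: Optional[int] = None      # "eq <port>" on the destination, if present


def _addr_and_wildcard(tokens: List[str]) -> Tuple[int, int]:
    """Consume 'any', 'host A.B.C.D', 'A.B.C.D W.W.W.W' or a bare 'A.B.C.D'
    (a bare address in a standard list means that single host)."""
    word = tokens.pop(0)
    if word == "any":
        return 0, ANY
    if word == "host":
        return int(IPv4Address(tokens.pop(0))), 0
    addr = int(IPv4Address(word))
    if tokens and tokens[0][0].isdigit():
        return addr, int(IPv4Address(tokens.pop(0)))
    return addr, 0


def parse_acl(lines: List[str]) -> Dict[int, List[AclEntry]]:
    """Parse 'access-list <n> ...' lines into {list number: [entries in order]}."""
    acls: Dict[int, List[AclEntry]] = {}
    for line in lines:
        tokens = line.split()
        if tokens[:1] != ["access-list"]:
            continue
        number, action, rest = int(tokens[1]), tokens[2], tokens[3:]
        if 1 <= number <= 99:                    # standard list: source only
            src, src_wild = _addr_and_wildcard(rest)
            entry = AclEntry(action, "ip", src, src_wild)
        else:                                    # extended list (100-199)
            protocol = rest.pop(0)
            src, src_wild = _addr_and_wildcard(rest)
            dst, dst_wild = _addr_and_wildcard(rest)
            dport = None
            if len(rest) >= 2 and rest[0] == "eq":
                dport = WELL_KNOWN_PORTS.get(rest[1]) or int(rest[1])
            entry = AclEntry(action, protocol, src, src_wild, dst, dst_wild, dport)
        acls.setdefault(number, []).append(entry)
    return acls


def _matches(entry: AclEntry, src: int, dst: int, protocol: str, dport: Optional[int]) -> bool:
    """Compare only the address bits where the wildcard has a 0."""
    if entry.protocol != "ip" and entry.protocol != protocol:
        return False
    src_mask, dst_mask = ~entry.src_wild & ANY, ~entry.dst_wild & ANY
    if (src & src_mask) != (entry.src & src_mask):
        return False
    if (dst & dst_mask) != (entry.dst & dst_mask):
        return False
    return entry.dport is None or entry.dport == dport


def evaluate(entries: List[AclEntry], src: str, dst: str,
             protocol: str = "ip", dport: Optional[int] = None) -> str:
    """Return 'permit' or 'deny' for one packet; the first matching entry wins."""
    s, d = int(IPv4Address(src)), int(IPv4Address(dst))
    for entry in entries:
        if _matches(entry, s, d, protocol, dport):
            return entry.action
    return "deny"                                # the implicit deny at the end


# The two lists from the lab: 20 goes on the VTY lines of 2621 Router A with
# access-class, 110 goes inbound on its Serial0/0 with ip access-group.
LAB_CONFIG = [
    "access-list 20 deny host 172.16.50.3",
    "access-list 20 permit any",
    "access-list 110 deny tcp host 172.16.50.3 172.16.40.0 0.0.0.255 eq telnet",
    "access-list 110 permit ip any any",
]
ACLS = parse_acl(LAB_CONFIG)

if __name__ == "__main__":
    # Constructed packets: Host F telnet and ping into LAN 40, 2621 Router B telnet.
    print(evaluate(ACLS[110], "172.16.50.3", "172.16.40.2", "tcp", 23))   # deny
    print(evaluate(ACLS[110], "172.16.50.3", "172.16.40.3", "icmp"))      # permit
    print(evaluate(ACLS[110], "172.16.30.2", "172.16.40.2", "tcp", 23))   # permit
    print(evaluate(ACLS[20], "172.16.50.3", "172.16.20.2"))               # deny
    print(evaluate(ACLS[20], "172.16.30.2", "172.16.20.2"))               # permit
```

Feeding the evaluator a list that contains only a deny entry (the first state of list 10 in the standard lab, before the permit any was added) shows the implicit deny at work: every other host is refused too, which is why the lab always finishes a list with a permit.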
Verifying Extended IP Access-Lists

We will use the same commands as we did to verify the standard IP access-lists. Go to 2621 Router A (if you created the list on 2621 Router A) and verify your access list. Remember that ping and telnet are really good tools to verify your network as well.

23. From 2621 Router A, type the show access-list command to see the configured list.

2621A#show access-list
Extended IP access list 110
    deny   tcp host 172.16.50.3 172.16.40.0 0.0.0.255 eq telnet
    permit ip any any
2621A#
24. Use the show access-list 110 command to see only list 110.

2621A#show access-list 110
Extended IP access list 110
    deny   tcp host 172.16.50.3 172.16.40.0 0.0.0.255 eq telnet
    permit ip any any
2621A#
25. You can also use show ip access-list to see only the IP access-lists configured on your router.

2621A#show ip access-list
Extended IP access list 110
    deny   tcp host 172.16.50.3 172.16.40.0 0.0.0.255 eq telnet
    permit ip any any
2621A#
26. Verify which interface has an access-list set by using the show ip interface command on 2621 Router A.

2621A#show ip interface
Serial0/0 is up, line protocol is up
  Internet address is 172.16.20.2/24
  Broadcast address is 255.255.255.255
  Address determined by setup command
  MTU is 1514 bytes
  Helper address is not set
  Directed broadcast forwarding is disabled
  Outgoing access list is not set
  Inbound access list is 110
[output cut]
2621A#
Removing Extended IP Access-Lists

27. Remove the access-list on 2621 Router A.

2621A#config t
2621A(config)#no access-list 110
28. Remove the access-list on the serial 0/0 interface of 2621 Router A.

2621A(config)#int s0/0
2621A(config-if)#no ip access-group 110 in

You can just type no access-list 110 to remove the access-list, but you must type the whole command from the interface to remove the list from the interface on the router.
29. Verify that you have removed the extended IP access-list.

2621A(config)#show run
[output cut]
!
interface Serial0/0
 description connection to 2811A
 ip address 172.16.20.2 255.255.255.0
 no ip directed-broadcast
!
[output cut]
Individual Lab: Network Address Translation (NAT) and Port Address Translation

When Do You Use NAT?

At times NAT decreases the overwhelming amount of public IP addresses required in your networking environment. NAT also comes in really handy when two companies that have duplicate internal addressing schemes merge. NAT is also great to have around when an organization changes its Internet Service Provider (ISP) and the networking manager doesn't want to hassle with changing the internal address scheme. Here's a list of situations when it's best to have NAT on your side:

• You need to connect to the Internet and your hosts do not have globally unique IP addresses.
• You change to a new ISP that requires you to renumber your network.
• You require two intranets with duplicate addresses to merge.

Enter all commands in lower case. The program's grading feature expects lower case and may count an answer wrong if it is in upper case.
Advantages and Disadvantages of Implementing NAT

Advantages:
• Conserves legally registered addresses
• Reduces address overlap occurrence
• Increases flexibility when connecting to Internet
• Eliminates address renumbering as network changes

Disadvantages:
• Translation introduces switching path delays
• Loss of end-to-end IP traceability
• Certain applications will not function with NAT enabled
Initially, you will configure NAT on 2811 Router A to translate the private IP address of 192.168.10.0 to a public address of 171.16.10.0.

When you have finished with this lab ...

You can check your work by clicking the Grade Me button in the upper right hand corner of the Network Visualizer screen.

You will see a report that will display:

• The name of the command entered for this lab
• The expected configuration
• Your configuration
• The result for each command. You will see a green checkmark (meaning that you got it correct) or a red X
• A score of the number of correct answers out of the total possible
Network Layout

On the Network Visualizer screen, click on the Labs menu then choose Individual, NAT-PAT, and NAT-PAT.
Command Summary for NAT/PAT Lab

Command                                                 Purpose
ip nat inside source list acl pool name                 Translates IPs that match the ACL from the pool
ip nat inside source static inside_addr outside_addr    Statically maps an inside address to an outside address
ip nat pool name                                        Creates an address pool
ip nat inside                                           Sets an interface to be an inside interface
ip nat outside                                          Sets an interface to be an outside interface
show ip nat translations                                Shows current NAT translations
Setting up the NAT Lab

You will set up IP addresses on router interfaces, plus turn on EIGRP on every router. Configure the routers with the IP addresses listed below.

Router IP Address Scheme

Router          Interface   IP Address
2811 A          S0/0/0      171.16.10.1/24
2811 B          F0/0        192.168.10.1/24
2811 B          S0/0/0      171.16.10.2/24
2811 C          F0/0        192.168.10.2/24
2811 C          F0/1        192.168.20.1/24
2811 Router D   F0/1        192.168.20.2/24
Lab Steps

1. Double-click 2811 Router A in order to bring up the console screen. Configure the router.

Router>enable
Router#config t
Router(config)#hostname 2811A
2811A(config)#int s0/0/0
2811A(config-if)#ip address 171.16.10.1 255.255.255.0
2811A(config-if)#no shutdown
2811A(config-if)#exit
2811A(config)#router eigrp 15
2811A(config-router)#network 171.16.0.0
2811A(config-router)#ctrl+z
2811A#copy run start
Destination filename [startup-config]? [enter]
Building configuration...
[OK]
2811A#
2. Use the console menu to bring up the console screen for 2811 Router B.

3. Configure 2811 Router B.

Router>enable
Router#config t
Router(config)#hostname 2811B
2811B(config)#int s0/0/0
2811B(config-if)#ip address 171.16.10.2 255.255.255.0
2811B(config-if)#no shutdown
2811B(config-if)#int fa0/0
2811B(config-if)#ip address 192.168.10.1 255.255.255.0
2811B(config-if)#no shutdown
2811B(config-if)#exit
2811B(config)#router eigrp 15
2811B(config-router)#network 171.16.0.0
2811B(config-router)#network 192.168.10.0
2811B(config-router)#no auto-summary
2811B(config-router)#ctrl+z
2811B#copy run start
Destination filename [startup-config]? [enter]
Building configuration...
[OK]
2811B#
Auto-summary

The process of taking subnets like 192.168.10.4/30 or 192.168.10.56/29 and summarizing them down to their base network class. In the case of 192.168.10.4/30 or 192.168.10.56/29 the networks are summarized to their Class C base network address of 192.168.10.0/24. Summarization occurs at classful network boundaries. A classful network boundary occurs where one class of network meets a different class of network. If subnet 192.168.10.4/30 or 192.168.10.56/29 were crossing over to another router connected by the 10.1.1.0/24 network, the classful network boundary is between the 10.0.0.0/8 and 192.168.10.0/24 networks.

No Auto-summary

The process of taking the subnets 192.168.10.4/30 or 192.168.10.56/29 and not summarizing them down to their base network class. In the case of 192.168.10.4/30 or 192.168.10.56/29, the networks are never summarized to their Class C base network address of 192.168.10.0/24 when classful network boundaries are encountered.
4. Use the console menu to bring up the console screen for 2811 Router C.

5. Configure 2811 Router C.

Router>enable
Router#config t
Router(config)#hostname 2811C
2811C(config)#int fa0/0
2811C(config-if)#ip address 192.168.10.2 255.255.255.0
2811C(config-if)#no shutdown
2811C(config-if)#int fa0/1
2811C(config-if)#ip address 192.168.20.1 255.255.255.0
2811C(config-if)#no shutdown
2811C(config-if)#exit
2811C(config)#router eigrp 15
2811C(config-router)#network 192.168.10.0
2811C(config-router)#network 192.168.20.0
2811C(config-router)#ctrl+z
2811C#copy run start
Destination filename [startup-config]? [enter]
Building configuration...
[OK]
2811C#
6. Use the console menu to bring up the console screen for 2811 Router D.

7. Configure 2811 Router D.

Router>enable
Router#config t
Router(config)#hostname 2811D
2811D(config)#int fa0/1
2811D(config-if)#ip address 192.168.20.2 255.255.255.0
2811D(config-if)#no shutdown
2811D(config-if)#exit
2811D(config)#router eigrp 15
2811D(config-router)#network 192.168.20.0
2811D(config-router)#ctrl+z
2811D#copy run start
Destination filename [startup-config]? [enter]
Building configuration...
[OK]
2811D#
8. After you configure the routers, you should be able to ping from router to router. Verify that you can ping from 2811 Router A to 2811 Router D and from 2811 Router D to 2811 Router A. If you cannot, STOP and troubleshoot your network.

2811A#ping 192.168.20.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.20.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/4 ms
2811A#

2811D#ping 171.16.10.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 171.16.10.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/4 ms
2811D#
9. You can also verify your EIGRP routes with the show ip route command.

2811A#show ip route
[output cut]
     171.16.0.0/24 is subnetted, 1 subnets
C       171.16.10.0 is directly connected, Serial0/0/0
D    192.168.20.0 [90/2172416] via 171.16.10.2, 00:06:07, Serial0/0/0
D    192.168.10.0 [90/2172416] via 171.16.10.2, 00:06:07, Serial0/0/0
2811A#

2811B#show ip route
[output cut]
     171.16.0.0/24 is subnetted, 1 subnets
C       171.16.10.0 is directly connected, Serial0/0/0
D    192.168.20.0 [90/2172416] via 192.168.10.2, 00:08:08, FastEthernet0/0
C    192.168.10.0/24 is directly connected, FastEthernet0/0
2811B#

2811C#show ip route
[output cut]
     171.16.0.0/24 is subnetted, 1 subnets
D       171.16.10.0 [90/2172416] via 192.168.10.1, 01:03:55, FastEthernet0/0
C    192.168.10.0/24 is directly connected, FastEthernet0/0
C    192.168.20.0/24 is directly connected, FastEthernet0/1
2811C#

2811D#show ip route
[output cut]
     171.16.0.0/24 is subnetted, 1 subnets
D       171.16.10.0 [90/2172416] via 192.168.20.1, 01:06:03, FastEthernet0/1
D    192.168.10.0 [90/2172416] via 192.168.20.1, 01:06:03, FastEthernet0/1
C    192.168.20.0/24 is directly connected, FastEthernet0/1
2811D#
Dynamic NAT

We will now show you how to configure NAT to translate between the private addresses on the inside network and real ISP-assigned addresses so that the inside network can communicate with the Internet.

10. In this step, you'll configure a dynamic NAT pool on 2811 Router B. Create a pool of addresses called RouterSim on 2811 Router B. The pool should contain a range of addresses of 171.16.10.50 through 171.16.10.55.

2811B(config)#ip nat pool RouterSim 171.16.10.50 171.16.10.55 net 255.255.255.0

11. Create access-list 1. This list permits traffic from the 192.168.20.0 and 192.168.10.0 networks to be translated.

2811B(config)#access-list 1 permit 192.168.20.0 0.0.0.255
2811B(config)#access-list 1 permit 192.168.10.0 0.0.0.255

12. Map the access list to the pool that was created.

2811B(config)#ip nat inside source list 1 pool RouterSim
13. Configure f0/0 as an inside NAT interface.

2811B(config)#int f0/0
2811B(config-if)#ip nat inside

14. Configure serial 0/0/0 as an outside NAT interface.

2811B(config-if)#int s0/0/0
2811B(config-if)#ip nat outside
15. Bring up the console for 2811 Router D. Telnet from 2811 Router D to 2811 Router A, and do not disconnect.

2811D#telnet 171.16.10.1
Trying 171.16.10.1 ... Open
Password required, but none set
[Connection to 171.16.10.1 closed by foreign host]
2811D#

We received this message because we did not set up a telnet password on 2811 Router A.

16. Go to 2811 Router A and set up a telnet password.

2811A#config t
2811A(config)#line vty 0 1180
2811A(config-line)#password todd2
Try step 15 again and if you are successful, move on to step 18.

17. Bring up the console for 2811 Router C. Telnet from 2811 Router C to 2811 Router A, and do not disconnect.

2811C#telnet 171.16.10.1
18. Go back to 2811 Router A and execute the command show users. (This shows who is accessing the VTY lines.)

2811A#show users
    Line       User       Host(s)              Idle       Location
*  0 con 0                idle                 00:00:00
   2 vty 0                idle                 00:00:40 171.16.10.50
   3 vty 1                idle                 00:00:17 171.16.10.51

  Interface    User               Mode         Idle     Peer Address
2811A#

Notice that there is a one-to-one translation, which means you must have a real IP address for every host that wants to get to the Internet. That is not always possible.
19. Leave the session open on 2811 Router A and connect back to 2811 Router B.

20. Bring up the console for 2811 Router B and view your current translations by entering the show ip nat translations command. You should see something like this:

2811B#show ip nat translations
Pro Inside global      Inside local       Outside local      Outside global
--- 171.16.10.50       192.168.20.2       ---                ---
--- 171.16.10.51       192.168.10.2       ---                ---
2811B#

Oh my gosh, this really works! Remember that the "inside local" is the address before translation and the "inside global" is the address after translation, which is how you are known on the Internet.

21. Exit out of the telnet session from 2811 Router D.

22. If you turn on debug ip nat on 2811 Router B and then ping through the router from 2811 Router D, you will see the actual NAT process take place, which will look something like this:

2811B#debug ip nat
2811D#ping 171.16.10.1
2811B#
Feb 27 17:16:18.256: NAT*: s=192.168.20.2->171.16.10.52, d=171.16.10.1 [1]
Feb 27 17:16:18.260: NAT*: s=171.16.10.1->171.16.10.52, d=192.168.20.2 [1]

Do not exit out of the telnet sessions for 2811 Router C and 2811 Router D.
Configuring PAT

You will now configure Port Address Translation (PAT) on 2811 Router B. We will use PAT because we don't want a one-to-one translation; instead we want to use just one IP address for every user on the network.

23. Terminate the telnet sessions on 2811 Router C and 2811 Router D by using the exit command.

24. On 2811 Router B, delete the translation table and remove the dynamic NAT pool.

2811B#clear ip nat translation *
2811B#config t
2811B(config)#no ip nat pool RouterSim 171.16.10.50 171.16.10.55 netmask 255.255.255.0
2811B(config)#no ip nat inside source list 1 pool RouterSim
25. On 2811 Router B, create a NAT pool with one address called Lammle. The pool should contain a single address: 171.16.10.100. Enter the command below:

2811B(config)#ip nat pool Lammle 171.16.10.100 171.16.10.100 netmask 255.255.255.0

26. Create access-list 2. It should permit networks 192.168.20.0 and 192.168.10.0 to be translated.

2811B(config)#access-list 2 permit 192.168.20.0 0.0.0.255
2811B(config)#access-list 2 permit 192.168.10.0 0.0.0.255

27. Map access-list 2 to the new pool, allowing PAT to occur by using the overload keyword.

2811B(config)#ip nat inside source list 2 pool Lammle overload
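The difference between the six-address RouterSim pool of steps 10-14 and the single-address Lammle pool with overload of steps 25-27 can be modelled without the simulator. The Python below is an added example, not from the lab book or RouterSim: a NatRouter class (our name) keeps a translation table, hands out one pool address per inside host in dynamic mode and raises PoolExhausted when the pool runs dry, and in overload mode shares the one pool address by giving each flow its own inside-global port so that replies can be un-translated. The addresses, networks and pool names are the lab's; the flows fed in are constructed.

```python
"""Dynamic NAT pool versus PAT (overload) translation tables.

Added example, not part of the lab book or the RouterSim software. The pool
addresses, the inside networks that access-lists 1 and 2 permit, and the two
inside hosts (192.168.10.2 on 2811 Router C, 192.168.20.2 on 2811 Router D)
are the lab's; the class, method names and the flows below are ours.
"""
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network
from typing import Dict, List, Optional, Tuple

# (inside local address, source port, outside global address, destination port)
Flow = Tuple[str, int, str, int]


class PoolExhausted(Exception):
    """Raised when a dynamic pool has no unused inside-global address left."""


@dataclass
class NatRouter:
    inside_networks: List[IPv4Network]      # what the NAT access-list permits
    pool: List[str]                          # inside-global addresses
    overload: bool = False                   # False: one-to-one, True: PAT
    table: Dict[Flow, Tuple[str, int]] = field(default_factory=dict)
    next_port: int = 1024                    # next inside-global port for PAT

    def _in_list(self, inside_local: str) -> bool:
        addr = IPv4Address(inside_local)
        return any(addr in net for net in self.inside_networks)

    def translate_out(self, flow: Flow) -> Tuple[str, int]:
        """Packet entering on an 'ip nat inside' interface and leaving outside.
        Returns the (inside global, port) the packet goes out with."""
        inside_local, sport, _, _ = flow
        if not self._in_list(inside_local):
            return inside_local, sport           # not in the list: untouched
        if flow in self.table:
            return self.table[flow]
        if self.overload:
            # PAT: every flow shares the single pool address and is told apart
            # by a unique inside-global port.
            self.table[flow] = (self.pool[0], self.next_port)
            self.next_port += 1
        else:
            # Dynamic NAT: one pool address per inside host. Reuse the host's
            # existing address, otherwise take the next pool address not in use.
            existing = next((g for (local, _, _, _), (g, _) in self.table.items()
                             if local == inside_local), None)
            if existing is None:
                in_use = {g for g, _ in self.table.values()}
                free = [a for a in self.pool if a not in in_use]
                if not free:
                    raise PoolExhausted(f"no free pool address for {inside_local}")
                existing = free[0]
            self.table[flow] = (existing, sport)
        return self.table[flow]

    def translate_in(self, inside_global: str, gport: int,
                     outside: str, oport: int) -> Optional[Flow]:
        """Reply from outside: find the flow so the packet can be un-translated."""
        for flow, mapped in self.table.items():
            if mapped == (inside_global, gport) and flow[2:] == (outside, oport):
                return flow
        return None


INSIDE = [IPv4Network("192.168.20.0/24"), IPv4Network("192.168.10.0/24")]


def lab_dynamic_nat() -> NatRouter:
    """Steps 10-14: pool RouterSim 171.16.10.50-.55, access-list 1, no overload."""
    return NatRouter(inside_networks=INSIDE,
                     pool=[f"171.16.10.{n}" for n in range(50, 56)])


def lab_pat() -> NatRouter:
    """Steps 25-27: pool Lammle with the single address 171.16.10.100, overload."""
    return NatRouter(inside_networks=INSIDE, pool=["171.16.10.100"], overload=True)


def demo_pool_limit() -> int:
    """How many distinct inside hosts the six-address pool can serve at once."""
    router = lab_dynamic_nat()
    served = 0
    for host in range(2, 20):                       # constructed: 18 inside hosts
        try:
            router.translate_out((f"192.168.10.{host}", 40000 + host, "171.16.10.1", 23))
            served += 1
        except PoolExhausted:
            break
    return served


if __name__ == "__main__":
    r = lab_dynamic_nat()
    print(r.translate_out(("192.168.20.2", 1723, "171.16.10.1", 23)))  # ('171.16.10.50', 1723)
    print(r.translate_out(("192.168.10.2", 1723, "171.16.10.1", 23)))  # ('171.16.10.51', 1723)
    p = lab_pat()
    print(p.translate_out(("192.168.10.2", 1723, "171.16.10.1", 23)))  # ('171.16.10.100', 1024)
    print(p.translate_out(("192.168.20.2", 1723, "171.16.10.1", 23)))  # ('171.16.10.100', 1025)
    print(p.translate_in("171.16.10.100", 1025, "171.16.10.1", 23))    # the Router D flow
    print(demo_pool_limit())                                           # 6
```

The dynamic table reproduces the two entries you saw in step 20 (Router D on 171.16.10.50, Router C on 171.16.10.51), and demo_pool_limit shows the seventh inside host being refused, which is the one-to-one limitation noted after step 18. In overload mode the same two hosts share 171.16.10.100 and only the inside-global port differs, so a reply to port 1025 is handed back to Router D and not to Router C.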
28. Bring up the console for 2811 Router D and telnet to 2811 Router A. Then bring up 2811 Router C and telnet to 2811 Router A.

29. From 2811 Router A use the show users command. The output should look something like this:

2811A>show users
    Line       User       Host(s)              Idle       Location
*  0 con 0                idle                 00:00:00
   2 vty 0                idle                 00:00:29 171.16.10.100
   3 vty 1                idle                 00:00:21 171.16.10.100

  Interface    User               Mode         Idle     Peer Address
2811A>
30. From 2811 Router B use the show ip nat translations command.

2811B#show ip nat translations
Pro Inside global         Inside local          Outside local       Outside global
tcp 171.16.10.100:1723    192.168.10.2:1723     171.16.10.1:23      171.16.10.1:23
tcp 171.16.10.100:1723    192.168.20.2:1723     171.16.10.1:23      171.16.10.1:23
2811B#
Exit out of the telnet session from 2811 Router D.

31. Also make sure that the debug ip nat command is on 2811 Router B. If you ping from 2811 Router D to 2811 Router A, the output will look like this:

01:12:36: NAT: s=192.168.10.2->171.16.10.100, d=171.16.10.1 [35]
01:12:36: NAT*: s=171.16.10.1, d=171.16.10.100->192.168.10.2 [35]
01:12:36: NAT*: s=192.168.10.2->171.16.10.100, d=171.16.10.1 [36]
01:12:36: NAT*: s=171.16.10.1, d=171.16.10.100->192.168.10.2 [36]
01:12:36: NAT*: s=192.168.10.2->171.16.10.100, d=171.16.10.1 [37]
01:12:36: NAT*: s=171.16.10.1, d=171.16.10.100->192.168.10.2 [37]
01:12:36: NAT*: s=192.168.10.2->171.16.10.100, d=171.16.10.1 [38]
01:12:36: NAT*: s=171.16.10.1, d=171.16.10.100->192.168.10.2 [38]
01:12:37: NAT*: s=192.168.10.2->171.16.10.100, d=171.16.10.1 [39]
01:12:37: NAT*: s=171.16.10.1, d=171.16.10.100->192.168.10.2
Individual Lab: VLSM with Summarization

The following lab will have you configure a medium size network into block sizes of 32 (/27) using the EIGRP routing protocol and summarizing the classless boundaries. The switches will not be configured in this lab and they will behave just like h hubs. You will configure each router in the lab with the appropriate IP addressing.

Enter all commands in lower case. The program's grading feature expects lower case and may count an answer wrong if it is in upper case.

When you have finished with this lab ...

You can check your work by clicking the Grade Me button in the upper right hand corner of the Network Visualizer screen.

You will see a report that will display:

• The name of the command entered for this lab
• The expected configuration
• Your configuration
• The result for each command. You will see a green checkmark (meaning that you got it correct) or a red X
• A score of the number of correct answers out of the total possible
Network Layout

On the Network Visualizer screen, click on the Labs menu then choose Individual, VLSM, and VLSM and Summarization.
Routers 2811 A through 2811 E should be configured in the 192.168.10.32/27 network and routers 2811 F through 2811 J will be configured in the 192.168.10.64/27 network. In each network there are four block sizes of four (the WAN links) and two block sizes of eight (the LANs). To connect routers 2811 A and 2811 F across the backbone, we will use the 10.1.1.0/24 network. This is called discontiguous networking because we have one class of network
Individual Lab: VLSM with Summarization
693
(192.168.10.0) connecting across to the same network address through the 10.0.0.0 network— and this will not work by default. RIPv1 and IGRP can never work in this type of network. In order to use VLSM with discontiguous networking in your network, you must use one the following routing protocols: RIPv2, EIGRP, OSPF or ISIS (these are considered classless routing protocols). This lab will have you use EIGRP as the classless routing protocol. Here is the IP addressing scheme used in this lab for routers 2811 A through 2811 E: (notice how the four block sizes of four, and two block sizes of eight fit in one block size of 32—VLSM network addressing). Router
Block Sizes
2811 Router A
S0/0/0: 192.168.10.37/30 (subnet 36, block size of 4) S0/0/1: 192.168.10.33/30 (subnet 32, block size of 4) F0/0: 10.1.1.1/24
2811 Router B
S0/0/0: 192.168.10.41/30 (subnet 40, block size of 4) S0/0/1: 192.168.10.34/30 (subnet 32, connected to s0/0/1 of 2811 Router A)
2811 Router C
S0/0/0: 192.168.10.45/30 (subnet 44, block size of 4) S0/0/1: 192.168.10.38/30 (subnet 36, connected to s0/0/0 of 2811 Router A)
2811 Router D
S0/0/0: 192.168.10.42/30 (connected to s0/0/0 of 2811 Router B) F0/0: 192.168.10.49/29 (subnet 48, block size of 8)
2811 Router E
S0/0/0: 192.168.10.46/30 (connected to s0/0/0 of 2811 Router C) F0/0: 192.168.10.57/29 (subnet 56, block size of 8)
2811 Router F
S0/0/0: 192.168.10.69/30 (subnet 64, block size of 4) S0/0/1: 192.168.10.65/30 (subnet 68, block size of 4) F0/0: 10.1.1.2/24
2811 Router G
S0/0/0: 192.168.10.73/30 (subnet 72, block size of 4) S0/0/1: 192.168.10.66/30 (subnet 64, connected to s0/0/1 of 2811 Router F)
2811 Router H
S0/0/0: 192.168.10.77/30 (subnet 76, block size of 4) S0/0/1: 192.168.10.70/30 (subnet 68, connected to s0/0/0 of 2811 Router F)
2811 Router I
S0/0/0: 192.168.10.74/30 (connected to s0/0/0 of 2811 Router G) F0/0: 192.168.10.81/29 (subnet 80, block size of 8)
2811 Router J
S0/0/0: 192.168.10.78/30 (connected to s0/0/0 of 2811 Router H) F0/0: 192.168.10.89 (subnet 88, block size of 8)
Individual Labs (Comprehensive)
Lab Steps

Copy and Paste Script
Steps 1-20 are necessary in order to perform this lab. If you do not want to manually complete these steps and want to accelerate steps 1-20, you can copy and paste the following script into the console for each router. After you get into User mode, copy and paste the script into the console. Click on the console and click your right mouse button. A pop-up menu will appear. Click Paste.
After pasting the script into the console, you will see the prompt Destination filename [startup-config]?. At this point, press Enter.

2811 Router A
enable
config t
hostname 2811A
int s0/0/0
ip address 192.168.10.37 255.255.255.252
no shut
int s0/0/1
ip address 192.168.10.33 255.255.255.252
no shut
int f0/0
ip address 10.1.1.1 255.255.255.0
no shut
exit
exit
copy run start

2811 Router B
enable
config t
hostname 2811B
int s0/0/0
ip address 192.168.10.41 255.255.255.252
no shut
int s0/0/1
ip address 192.168.10.34 255.255.255.252
no shut
exit
exit
copy run start

2811 Router C
enable
config t
hostname 2811C
int s0/0/0
ip address 192.168.10.45 255.255.255.252
no shut
int s0/0/1
ip address 192.168.10.38 255.255.255.252
no shut
exit
exit
copy run start

2811 Router D
enable
config t
hostname 2811D
int s0/0/0
ip address 192.168.10.42 255.255.255.252
no shut
int f0/0
ip address 192.168.10.49 255.255.255.248
no shut
exit
exit
copy run start

2811 Router E
enable
config t
hostname 2811E
int s0/0/0
ip address 192.168.10.46 255.255.255.252
no shut
int f0/0
ip address 192.168.10.57 255.255.255.248
no shut
exit
exit
copy run start

2811 Router F
enable
config t
hostname 2811F
int s0/0/0
ip address 192.168.10.69 255.255.255.252
no shut
int s0/0/1
ip address 192.168.10.65 255.255.255.252
no shut
int f0/0
ip address 10.1.1.2 255.255.255.0
no shut
exit
exit
copy run start

2811 Router G
enable
config t
hostname 2811G
int s0/0/0
ip address 192.168.10.73 255.255.255.252
no shut
int s0/0/1
ip address 192.168.10.66 255.255.255.252
no shut
exit
exit
copy run start

2811 Router H
enable
config t
hostname 2811H
int s0/0/0
ip address 192.168.10.77 255.255.255.252
no shut
int s0/0/1
ip address 192.168.10.70 255.255.255.252
no shut
exit
exit
copy run start

2811 Router I
enable
config t
hostname 2811I
int s0/0/0
ip address 192.168.10.74 255.255.255.252
no shut
int f0/0
ip address 192.168.10.81 255.255.255.248
no shut
exit
exit
copy run start

2811 Router J
enable
config t
hostname 2811J
int s0/0/0
ip address 192.168.10.78 255.255.255.252
no shut
int f0/0
ip address 192.168.10.89 255.255.255.248
no shut
exit
exit
copy run start
1. Double-click on 2811 Router A to bring up the console screen.
2. Configure 2811 Router A.
Router>en
Router#config t
Enter configuration commands, one per line. End with CNTL/Z
Router(config)#hostname 2811A
2811A(config)#int s0/0/0
2811A(config-if)#ip address 192.168.10.37 255.255.255.252
2811A(config-if)#no shut
2811A(config-if)#int s0/0/1
2811A(config-if)#ip address 192.168.10.33 255.255.255.252
2811A(config-if)#no shut
2811A(config-if)#int fa0/0
2811A(config-if)#ip address 10.1.1.1 255.255.255.0
2811A(config-if)#no shut
2811A(config-if)#ctrl+z
2811A#copy run start
3. Change to the console for 2811 Router B.
4. Configure 2811 Router B.
Router>en
Router#config t
Enter configuration commands, one per line. End with CNTL/Z
Router(config)#hostname 2811B
2811B(config)#int s0/0/0
2811B(config-if)#ip address 192.168.10.41 255.255.255.252
2811B(config-if)#no shut
2811B(config-if)#int s0/0/1
2811B(config-if)#ip address 192.168.10.34 255.255.255.252
2811B(config-if)#no shut
2811B(config-if)#ctrl+z
2811B#copy run start
5. Change to the console for 2811 Router C.
6. Configure 2811 Router C.
Router>en
Router#config t
Enter configuration commands, one per line. End with CNTL/Z
Router(config)#hostname 2811C
2811C(config)#int s0/0/0
2811C(config-if)#ip address 192.168.10.45 255.255.255.252
2811C(config-if)#no shut
2811C(config-if)#int s0/0/1
2811C(config-if)#ip address 192.168.10.38 255.255.255.252
2811C(config-if)#no shut
2811C(config-if)#ctrl+z
2811C#copy run start
7. Change to the console for 2811 Router D.
8. Configure 2811 Router D.
Router>en
Router#config t
Enter configuration commands, one per line. End with CNTL/Z
Router(config)#hostname 2811D
2811D(config)#int s0/0/0
2811D(config-if)#ip address 192.168.10.42 255.255.255.252
2811D(config-if)#no shut
2811D(config-if)#int fa0/0
2811D(config-if)#ip address 192.168.10.49 255.255.255.248
2811D(config-if)#no shut
2811D(config-if)#exit
2811D(config)#ctrl+z
2811D#copy run start
9. Change to the console for 2811 Router E.
10. Configure 2811 Router E.
Router>en
Router#config t
Enter configuration commands, one per line. End with CNTL/Z
Router(config)#hostname 2811E
2811E(config)#int s0/0/0
2811E(config-if)#ip address 192.168.10.46 255.255.255.252
2811E(config-if)#no shut
2811E(config-if)#int fa0/0
2811E(config-if)#ip address 192.168.10.57 255.255.255.248
2811E(config-if)#no shut
2811E(config-if)#ctrl+z
2811E#copy run start
11. Change to the console for 2811 Router F.
12. Configure 2811 Router F.
Router>en
Router#config t
Enter configuration commands, one per line. End with CNTL/Z
Router(config)#hostname 2811F
2811F(config)#int s0/0/0
2811F(config-if)#ip address 192.168.10.69 255.255.255.252
2811F(config-if)#no shut
2811F(config-if)#int s0/0/1
2811F(config-if)#ip address 192.168.10.65 255.255.255.252
2811F(config-if)#no shut
2811F(config-if)#int fa0/0
2811F(config-if)#ip address 10.1.1.2 255.255.255.0
2811F(config-if)#no shut
2811F(config-if)#ctrl+z
2811F#copy run start
13. Change to the console for 2811 Router G.
14. Configure 2811 Router G.
Router>en
Router#config t
Enter configuration commands, one per line. End with CNTL/Z
Router(config)#hostname 2811G
2811G(config)#int s0/0/0
2811G(config-if)#ip address 192.168.10.73 255.255.255.252
2811G(config-if)#no shut
2811G(config-if)#int s0/0/1
2811G(config-if)#ip address 192.168.10.66 255.255.255.252
2811G(config-if)#no shut
2811G(config-if)#ctrl+z
2811G#copy run start
15. Change to the console for 2811 Router H.
16. Configure 2811 Router H.
Router>en
Router#config t
Enter configuration commands, one per line. End with CNTL/Z
Router(config)#hostname 2811H
2811H(config)#int s0/0/0
2811H(config-if)#ip address 192.168.10.77 255.255.255.252
2811H(config-if)#no shut
2811H(config-if)#int s0/0/1
2811H(config-if)#ip address 192.168.10.70 255.255.255.252
2811H(config-if)#no shut
2811H(config-if)#ctrl+z
2811H#copy run start
17. Change to the console for 2811 Router I.
18. Configure 2811 Router I.
Router>en
Router#config t
Enter configuration commands, one per line. End with CNTL/Z
Router(config)#hostname 2811I
2811I(config)#int s0/0/0
2811I(config-if)#ip address 192.168.10.74 255.255.255.252
2811I(config-if)#no shut
2811I(config-if)#int fa0/0
2811I(config-if)#ip address 192.168.10.81 255.255.255.248
2811I(config-if)#no shut
2811I(config-if)#ctrl+z
2811I#copy run start
19. Change to the console for 2811 Router J.
20. Configure 2811 Router J.
Router>en
Router#config t
Enter configuration commands, one per line. End with CNTL/Z
Router(config)#hostname 2811J
2811J(config)#int s0/0/0
2811J(config-if)#ip address 192.168.10.78 255.255.255.252
2811J(config-if)#no shut
2811J(config-if)#int fa0/0
2811J(config-if)#ip address 192.168.10.89 255.255.255.248
2811J(config-if)#no shut
2811J(config-if)#ctrl+z
2811J#copy run start
Configuring Hosts
We will now configure all the hosts in the network.
21. Right-click on Host A.
22. Click on the Configs button.
23. On Host A configure:
• IP Address: 192.168.10.50
• Subnet Mask: 255.255.255.248
• Default Gateway: 192.168.10.49
24. Click the OK button and then the Close button.
25. On Host B configure:
• IP Address: 192.168.10.58
• Subnet Mask: 255.255.255.248
• Default Gateway: 192.168.10.57
26. Click the OK button and then the Close button.
27. On Host C configure:
• IP Address: 192.168.10.82
• Subnet Mask: 255.255.255.248
• Default Gateway: 192.168.10.81
28. Click the OK button and then the Close button.
29. On Host D configure:
• IP Address: 192.168.10.90
• Subnet Mask: 255.255.255.248
• Default Gateway: 192.168.10.89
30. Click the OK button and then the Close button.
Verify Configurations
From each router and each host, ping the directly connected neighbor and make sure that it is successful. If not, troubleshoot each problem. Remember, you cannot ping past a directly connected neighbor until a routing protocol is configured. In addition, use the command show ip route on each router to see the routing table. Only the directly connected networks will show in the routing tables until a routing protocol is configured. In this lab a representative sample of connectivity testing is performed, so not all possibilities are shown.
31. Display the console for 2811 Router D and ping Host A.
2811D#ping 192.168.10.50
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.10.50, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/4 ms
2811D#
32. Go to 2811 Router E and ping Host B.
2811E>ping 192.168.10.58
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.10.58, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/4 ms
2811E>
33. Go to 2811 Router I and ping Host C.
2811I>ping 192.168.10.82
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.10.82, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/4 ms
2811I>
34. Go to 2811 Router J and ping Host D.
2811J>ping 192.168.10.90
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.10.90, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/4 ms
2811J>
35. Go to 2811 Router A and ping s0/0/1 on 2811 Router B.
2811A>ping 192.168.10.34
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.10.34, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/4 ms
36. From 2811 Router A, ping s0/0/1 on 2811 Router C.
2811A>ping 192.168.10.38
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.10.38, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/4 ms
37. From 2811 Router A, enter a show ip route command to view the directly connected networks.
2811A>show ip route
     10.0.0.0/24 is subnetted, 1 subnets
C       10.1.1.0 is directly connected, FastEthernet0/0
     192.168.10.0/30 is subnetted, 2 subnets
C       192.168.10.36 is directly connected, Serial0/0/0
C       192.168.10.32 is directly connected, Serial0/0/1
2811A>
Configuring EIGRP with Discontiguous Networking
You will now configure the classless routing protocol EIGRP on each router. EIGRP is an advanced Distance Vector routing protocol that supports VLSM and discontiguous networks. In addition, it can be used to manually summarize contiguous network boundaries, which is what we have. Enhanced Interior Gateway Routing Protocol (EIGRP) is a Cisco proprietary hybrid routing protocol. It uses the properties of both distance vector and link state and uses an administrative distance of 90, so it will automatically overwrite RIP routes (RIP has a default administrative distance of 120) in the routing table. Also, it uses autonomous systems (AS) to create groups of routers that share routing information. The major difference between IGRP and EIGRP is that EIGRP uses three different tables to create a stable routing environment, and additionally EIGRP only sends updates when needed, whereas IGRP broadcasts routing table entries every 90 seconds. Remember that although EIGRP is considered a classless routing protocol (which means it sends subnet mask information with each route update), it is configured in a classful manner. What this means is that you turn off all subnet bits and host bits to add each network statement, which is why the network statement is 192.168.10.0, not 192.168.10.32, 192.168.10.36, etc. for each subnet. EIGRP will find the subnets; you don't type subnets in with the network statement.
Router A is directly connected to the 192.168.10.0 network, but the 10.1.1.0/24 network is also directly connected off of F0/0. What is the network statement we will use? Remember, ALL subnet bits and host bits are off! Add EIGRP with AS 10 to each router, using the correct network statement. Also, add the network statement of network 192.168.10.0 under EIGRP 10 for each router, except for routers A and F, which will need the network 10.0.0.0 statement as well.
38. From each router's global configuration prompt, add the routing protocol EIGRP with an AS number of 10:
2811A>en
2811A#config t
2811A(config)#router eigrp 10
2811A(config-router)#network 192.168.10.0
2811A(config-router)#network 10.0.0.0
2811A(config-router)#
2811B>en
2811B#config t
2811B(config)#router eigrp 10
2811B(config-router)#network 192.168.10.0
2811B(config-router)#auto-summary
2811B(config-router)#
2811C>en
2811C#config t
2811C(config)#router eigrp 10
2811C(config-router)#network 192.168.10.0
2811C(config-router)#auto-summary
2811C(config-router)#
2811D>en
2811D#config t
2811D(config)#router eigrp 10
2811D(config-router)#network 192.168.10.0
2811D(config-router)#auto-summary
2811D(config-router)#
2811E>en
2811E#config t
2811E(config)#router eigrp 10
2811E(config-router)#network 192.168.10.0
2811E(config-router)#auto-summary
2811E(config-router)#
2811F>en
2811F#config t
2811F(config)#router eigrp 10
2811F(config-router)#network 192.168.10.0
2811F(config-router)#network 10.0.0.0
2811F(config-router)#
2811G>en
2811G#config t
2811G(config)#router eigrp 10
2811G(config-router)#network 192.168.10.0
2811G(config-router)#auto-summary
2811G(config-router)#
2811H>en
2811H#config t
2811H(config)#router eigrp 10
2811H(config-router)#network 192.168.10.0
2811H(config-router)#auto-summary
2811H(config-router)#
2811I>en
2811I#config t
2811I(config)#router eigrp 10
2811I(config-router)#network 192.168.10.0
2811I(config-router)#auto-summary
2811I(config-router)#
2811J>en
2811J#config t
2811J(config)#router eigrp 10
2811J(config-router)#network 192.168.10.0
2811J(config-router)#auto-summary
2811J(config-router)#
39. Now that we have added our directly connected networks under EIGRP (remember, add networks, not subnets!), we need to configure 2811 Router A and 2811 Router F to work using discontiguous networking. Take a look at the routing table of each router and notice that you can see the subnets in the routing table from each contiguous network only (routers A through E and routers F through J). This is because discontiguous networking does not work by default.
2811A(config-router)#ctrl+z
2811A#show ip route
2811F(config-router)#ctrl+z
2811F#show ip route
40. We need to add the no auto-summary command to routers 2811 A and 2811 F to make this work.
2811A#config t
2811A(config)#router eigrp 10
2811A(config-router)#no auto-summary
2811F#config t
2811F(config)#router eigrp 10
2811F(config-router)#no auto-summary
41. Now, let's take a look at the routing tables of each router and notice that ALL subnets are now listed in each router's routing table.
2811J#show ip route
[output cut]
     10.0.0.0/24 is subnetted, 1 subnets
D       10.1.1.0 [90/2172416] via 192.168.10.77, 00:12:01, Serial0/0/0
     192.168.10.0/24 is variably subnetted, 12 subnets, 2 masks
D       192.168.10.44/30 [90/2172416] via 192.168.10.77, 00:12:01, Serial0/0/0
D       192.168.10.68/30 [90/2172416] via 192.168.10.77, 00:12:01, Serial0/0/0
D       192.168.10.32/30 [90/2172416] via 192.168.10.77, 00:12:01, Serial0/0/0
C       192.168.10.76/30 is directly connected, Serial0/0/0
C       192.168.10.88/29 is directly connected, FastEthernet0/0
D       192.168.10.36/30 [90/2172416] via 192.168.10.77, 00:12:01, Serial0/0/0
D       192.168.10.40/30 [90/2172416] via 192.168.10.77, 00:12:01, Serial0/0/0
D       192.168.10.64/30 [90/2172416] via 192.168.10.77, 00:12:01, Serial0/0/0
D       192.168.10.48/29 [90/2172416] via 192.168.10.77, 00:12:01, Serial0/0/0
D       192.168.10.80/29 [90/2172416] via 192.168.10.77, 00:12:01, Serial0/0/0
D       192.168.10.72/30 [90/2172416] via 192.168.10.77, 00:12:01, Serial0/0/0
D       192.168.10.56/29 [90/2172416] via 192.168.10.77, 00:12:01, Serial0/0/0
42. This is a small network and the routing tables are manageable. However, if we had more routers, our routing tables would be rather large, which takes up memory and router processing time parsing the routing table. What can we do to make our routing table smaller and more efficient, yet still keep all our connectivity from end to end? You guessed it! Summarization baby!
Configuring Summarization
Now that we have configured the internetwork from end to end using VLSM and discontiguous networking, and EIGRP with the no auto-summary command to support the discontiguous network, it is time to configure summarization.
Summarization would be done on the boundaries of each contiguous configured network (routers 2811 A and 2811 F). Summarization is configured for EIGRP under the interface configuration using the ip summary-address eigrp 10 network mask command. Before we add the summary commands to routers 2811 A and 2811 F, we need to know what network and mask to add to the summary command. Remember, summary addresses are configured in block sizes, just like subnets. The summary address for 2811 Router A would be 192.168.10.32, since we are starting at subnet 32; however, what is our summary mask? Well, what is the block size of our contiguous networks? Thirty-two (32). What mask provides a block size of 32? A /27, which is 255.255.255.224; this is our summary mask.
43. For the 2811 F configuration, we would start at subnet 192.168.10.64, again with a summary mask of /27, since those contiguous networks also fit in a block size of 32. Here is our configuration on both routers:
2811A#config t
2811A(config)#int fa0/0
2811A(config-if)#ip summary-address eigrp 10 192.168.10.32 255.255.255.224
2811F#config t
2811F(config)#int fa0/0
2811F(config-if)#ip summary-address eigrp 10 192.168.10.64 255.255.255.224
At this point, we have disabled automatic summarization under EIGRP since we need to support discontiguous networking. We then configured manual summarization at contiguous classful boundaries.

Verifying Summarization
44. If we take a look at the routing tables now, we can see that 2811 Router A is summarizing the contiguous network with a 192.168.10.32/27 route into 2811 Router F's routing table, which is then sent to the other routers connected to 2811 Router F.
2811F>en
2811F#show ip route
[output cut]
     192.168.10.0/24 is variably subnetted, 7 subnets, 3 masks
C       192.168.10.64/30 is directly connected, Serial0/0/1
D       192.168.10.80/29 [90/2172416] via 192.168.10.66, 00:05:49, Serial0/0/1
C       192.168.10.68/30 is directly connected, Serial0/0/0
D       192.168.10.72/30 [90/2172416] via 192.168.10.66, 00:05:49, Serial0/0/1
D       192.168.10.76/30 [90/2172416] via 192.168.10.70, 00:05:49, Serial0/0/0
D       192.168.10.32/27 [90/2172416] via 10.1.1.1, 00:05:49, FastEthernet0/0
D       192.168.10.88/29 [90/2172416] via 192.168.10.70, 00:05:49, Serial0/0/0
     10.0.0.0/24 is subnetted, 1 subnets
C       10.1.1.0 is directly connected, FastEthernet0/0
2811F#
45. For 2811 Router A, the routing table now looks like this, which is sent to all routers connected to 2811 Router A.
2811A#show ip route
[output cut]
     10.0.0.0/24 is subnetted, 1 subnets
C       10.1.1.0 is directly connected, FastEthernet0/0
     192.168.10.0/24 is variably subnetted, 7 subnets, 3 masks
C       192.168.10.36/30 is directly connected, Serial0/0/0
D       192.168.10.64/27 [90/2172416] via 10.1.1.2, 00:02:53, FastEthernet0/0
D       192.168.10.44/30 [90/2172416] via 192.168.10.38, 00:02:53, Serial0/0/0
D       192.168.10.40/30 [90/2172416] via 192.168.10.34, 00:02:53, Serial0/0/1
D       192.168.10.48/29 [90/2172416] via 192.168.10.34, 00:02:53, Serial0/0/1
C       192.168.10.32/30 is directly connected, Serial0/0/1
D       192.168.10.56/29 [90/2172416] via 192.168.10.38, 00:02:53, Serial0/0/0
2811A#
Our routing tables are smaller, more efficient, and easier for IP to parse.
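The reason routers A and F needed no auto-summary in step 40, and why the manual /27 summaries from step 43 are safe, can be worked through in a few lines. The following Python script is an added example and is not code from the lab manual or from Cisco IOS. classful_network() reproduces the classful auto-summary behaviour the lab describes (summarizing to the class A/B/C boundary when a route crosses into a different major network), summary_route() does the block-size arithmetic the lab walks through by hand, and the subnet lists, the AS number 10 and the command syntax are taken from this lab; the function names are chosen here.

```python
"""Why this lab needs `no auto-summary`, and what the manual /27 summaries do.

Added example, not from the lab manual. The subnet lists come from the lab's
addressing plan; classful_network() models EIGRP auto-summary as the lab
describes it, and summary_route() does the block-size arithmetic of step 43.
"""
import ipaddress

# Subnets on each side of the 10.1.1.0/24 backbone link (from the lab's addressing plan).
BEHIND_ROUTER_A = ["192.168.10.32/30", "192.168.10.36/30", "192.168.10.40/30",
                   "192.168.10.44/30", "192.168.10.48/29", "192.168.10.56/29"]
BEHIND_ROUTER_F = ["192.168.10.64/30", "192.168.10.68/30", "192.168.10.72/30",
                   "192.168.10.76/30", "192.168.10.80/29", "192.168.10.88/29"]


def classful_network(net) -> ipaddress.IPv4Network:
    """Classful (A/B/C) network a prefix belongs to.

    This is what auto-summary advertises when a route leaves its major network,
    which is exactly what happens on the 10.1.1.0/24 link between A and F.
    """
    net = ipaddress.ip_network(net)
    first_octet = int(net.network_address) >> 24
    if first_octet < 128:
        classful_len = 8      # class A
    elif first_octet < 192:
        classful_len = 16     # class B
    else:
        classful_len = 24     # class C
    return ipaddress.ip_network((net.network_address, classful_len), strict=False)


def summary_route(subnets) -> ipaddress.IPv4Network:
    """Smallest single prefix containing every subnet: the manual summary address and mask.

    Starts at the first subnet and widens it one bit at a time (doubling the block
    size) until every subnet fits, which is the same reasoning as step 43.
    """
    nets = [ipaddress.ip_network(s) for s in subnets]
    candidate = nets[0]
    while not all(n.subnet_of(candidate) for n in nets):
        candidate = candidate.supernet()
    return candidate


def summary_is_tight(subnets) -> bool:
    """True when the subnets fill the summary exactly, so the summary claims no address space that does not exist."""
    nets = [ipaddress.ip_network(s) for s in subnets]
    return sum(n.num_addresses for n in nets) == summary_route(subnets).num_addresses


def auto_summary_collides(side_a, side_b) -> bool:
    """With auto-summary both boundary routers advertise the same classful route: the discontiguous-network failure."""
    return classful_network(side_a[0]) == classful_network(side_b[0])


def manual_summaries_disjoint(side_a, side_b) -> bool:
    """The two manual summaries must not overlap, or one side's specific routes would hide behind the other's summary."""
    return not summary_route(side_a).overlaps(summary_route(side_b))


def ios_summary_command(as_number: int, subnets) -> str:
    """Render the interface-level EIGRP summary command for the computed summary."""
    route = summary_route(subnets)
    return f"ip summary-address eigrp {as_number} {route.network_address} {route.netmask}"


if __name__ == "__main__":
    print("auto-summary collision:", auto_summary_collides(BEHIND_ROUTER_A, BEHIND_ROUTER_F))
    for name, side in (("2811A", BEHIND_ROUTER_A), ("2811F", BEHIND_ROUTER_F)):
        fit = "tight" if summary_is_tight(side) else "loose"
        print(name, summary_route(side), fit, "->", ios_summary_command(10, side))
    print("manual summaries disjoint:", manual_summaries_disjoint(BEHIND_ROUTER_A, BEHIND_ROUTER_F))
```

With auto-summary left on, both boundary routers hand 192.168.10.0/24 across the 10.1.1.0 link, so each side receives one route for address space that is actually split between them; that is the failure step 40 removes. The computed summaries are 192.168.10.32/27 and 192.168.10.64/27, rendered as the same ip summary-address commands used in step 43. summary_is_tight() is the check worth keeping: a summary wider than the subnets behind it advertises reachability for addresses that do not exist, and since EIGRP installs a discard route to Null0 for every configured summary, traffic to those addresses is silently dropped at the summarizing router.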
Net Assessment

Lab 1.1: Introduction to Net Assessment
Net Assessment allows you to test and evaluate your problem-solving and troubleshooting network skills. We have created a powerful and flexible tool for all to use, including teachers, students, individuals, etc. There are six basic steps in fully utilizing Net Assessment:
• Load Net Assessment
• Load a fully configured network (Master network)
• Create a template that allows you to specify the configurations you want to test
• Create and distribute test networks that have their configurations altered in some way
• Ask others to troubleshoot/problem-solve the network
• Evaluate Test network against Master network
Net Assessment only works with CCNA networks.
Several options are available to assist you in determining what configurations will be placed in the Test network. It depends on the audience for which the Test network is being created. The following are some examples.

For Instructors
Scenario 1
Provide an empty network to students with instructions only. With this program you can insert instructions into a network by importing a file like a Microsoft Word file. Click on the Insert icon on the toolbar. When the dialog box appears, select a file that includes instructions. You can embed any file that you wish; however, the student must have the same program on their computer.
When students open the Test network they will see a document object on the Network Visualizer screen. They double-click the object and the instructions open up. When they create, configure, and save the Test network, they return it to the instructor for evaluation. This program can automatically evaluate the Test network. An instructor would then load the Master network and evaluate Test networks one at a time or all at once. An instructor can also view and/or print results one at a time or all at once.
Scenario 2
Provide a partially configured network to students, along with instructions. In this situation, an instructor has manually removed part of the configurations and expects students to problem-solve and finish creating a fully configured network.
Scenario 3
Provide a fully configured network to students where the program has randomly changed some of the configurations. This is an ideal situation for troubleshooting. An instructor can provide a randomized Test network to students in two different ways:
• They can choose specific configurations whose values they want the program to randomly change. They can also choose specific configurations they want the program to randomly remove when the Test network is generated.
• From the total pool of configurations, they can have the program randomly change and/or remove a specific number of values. For example, an instructor can indicate they want any five configurations (out of a total of 25 configurations) changed by the program.

For Individuals
Individuals can also use Net Assessment to evaluate their skills. You have several options available to you. For example, you can load a Master network and have the program randomly change a specific number of configurations. You would then generate a Test network and try to restore the network with the same values found in the Master network. You can also have the program randomly remove values. You can make it more complex by designating a specific number of values to be randomly changed and a specific number of values to be randomly removed. You will not know what configurations have been altered until you open the Test network. Even then it will not be apparent which values have been changed or removed until you go through your Test network. Almost anything in the network that had been originally configured is fair game for being changed by our program. When you have gone through the Test network and corrected any problems, you can compare it with the Master network and evaluate your work. Our Report section will display expected answers and your answers.
Lab 1.2: Making Changes and Inserting Instructions
Before you start working with Net Assessment there are two important things that need to be mentioned about making changes to the file.
Changes to the Master File
Once you have created a Net Assessment template and saved the Master network, you cannot make any changes to the network. So, be sure that you have the network configured the way you want. Making additional changes and saving the Master network will cause the templates to be removed.
Inserting Instructions
You can insert instructions into the Master network, but this needs to be done before you create any Net Assessment templates. Instructions are not required for you to work with Net Assessment, but they are a convenient way to instruct others as to what to do with a Test network that you generate. Unlike the Master network, you have another option with instructions in that you can insert them into a Test network at any time and save the file.

Lab Steps
1. Use a third-party program to create instructions. This can be a text editor, word processor, HTML editor, spreadsheet program, etc. The important thing to keep in mind is that the person using the Test network must have the same program on their computer that was used to create the instructions. Save the file as you normally would.
2. Using this program, load your Master network. There is nothing special about this network and any one will do. Make sure you have fully configured the network and plan no changes.
3. There are two ways to insert a document.
• Using the menu, click Insert and then File.
• Click the Insert button on the button bar.
4. Find your instruction file on your computer and then click the Close button on the dialog box. An object will appear on the network with the file name of your instruction file.
5. When the user gets the Test network, the network topology will look the same as the Master network. It will also display the instructions object. If they double-click on that object, the instructions will display within a few minutes.
Lab 1.3: Loading Net Assessment
Net Assessment can be loaded three ways.
• On any Network Visualizer screen, click on the toolbar button that looks like a paper and pencil.
• From any Network Visualizer screen you can click on Tools and then Net Assessment in the drop-down menu.
• Right-mouse click on any Network Visualizer screen and select Net Assessment from the pop-up menu.
The Net Assessment screen will appear.
Lab 1.4: Creating a Net Assessment Template
A fully configured network can potentially have several dozen or hundreds of configurations. If you want to test others on a concept, it makes sense to use a manageable number of configurations. You need a way to accomplish this, and a template allows you to create a small list of configurations. Selecting items for a template does not change any configuration values in the Master network. It just creates a list of values that you will alter in a future step.

Lab Steps
1. After the Net Assessment screen appears you will want to load a fully configured network, or what we refer to as a Master network. There is nothing special about this network and any one will do. Click on the file folder on the menu or click the File menu and then Open.
2. When the dialog box appears, make sure you are in the Networks folder.
3. Click on the file Configured Network.rsm and click Open. You can confirm that you loaded this Master network because the title of the file will be at the top of the Net Assessment screen and also listed as Name of the Master network.
4. Click the Add button in the section Assessment Template, located in the upper left quadrant of the screen.
5. The Assessment Template screen will appear. Put a name in for the template you are creating. For this example, enter Scenario1.
You can create several templates for the same Master network. Each template can refer to different logical segments of configurations in the network. For example, you could have different templates that test (among others) for:
• Passwords
• IP addresses
• Routing Protocol
• Routing Protocol Network
6. On the Assessment Template screen you will see a list of devices that are in the Master network. In this example you will see an expandable tree for the:
• 2621 A router
• 2621 B router
• 2811 A router
• 3550 A switch
7. Let's begin with 3550 Switch A. Eventually we will ping from 3550 Switch A to 2621 Router A. We want to change the ip default-gateway on 3550 Switch A so that you cannot successfully ping. Click on the plus sign (+) next to 3550 Switch A and an expanded list of current configurations for that device will display.
8. Click on the box IP Default-Gateway so that there is a check mark present.
9. Click on the plus sign next to 2621 Router B.
10. Click on the plus sign next to Protocols.
11. Click on the plus sign next to RIP.
12. Click on the box Networks so that there is a check mark present. We will eventually alter the RIP network so that you cannot successfully ping from 2621 Router B to 2621 Router A.
We have now selected configurations from two devices that we will alter so that we can generate a Test network. These configurations will have to be corrected in the Test network in order for a ping to work successfully between 3550 Switch A and 2621 Router A, and from 2621 Router B to 2621 Router A.
13. Click the Save Values button and the Assessment Template screen will close.
14. You will then see a new entry in the Assessment Template field (Scenario1).
15. This step is optional and is not required. You can password protect your Master network. The password prevents others from loading a Master network and making changes. On the upper right hand side of the Net Assessment screen is a password field. Type in a password.
16. Save Your Network. When you click on the Save Values button, the newly created template is only stored in memory. You will need to save the Master network to permanently store the new template. Click on the Diskette on the menu bar. Then click the Save button and overwrite your existing Master network.
Lab 1.5: Net Assessment— Editing Values After you create a Net Assessment template, you are one step from generating a Test network. In Net Assessment lab 1.4 we create a template called Scenario1 in which a couple configuration types were chosen. Up to this point we have only decided as to the configuration types that will be tested for in the Lab network. We now need to alter some of the configurations. In this lab we will manually alter values; however, other labs in this section provide more sophisticated and automatic ways to alter configurations.
Lab Steps
1. Make sure that the newly created template is still highlighted.
2. Click on the Edit Value button on the top right side of the Net Assessment screen.
3. On the Edit Values screen you will see a tree-like structure that lists all the devices you chose while creating a template. Actual configuration values (from the Master network) for each chosen configuration will be displayed. You can quickly see all values by clicking the box at the bottom left of the screen, titled Expand all values.
Make sure that you only have values in the Edit Values section that you want to alter. Do not select values for a template that are extraneous. These additional values will be used in the score calculation and skew an accurate assessment. For example, you want to test students on four passwords that will be altered. However, you also have an IP address, mask, and IP default-gateway listed in the Edit Values section. Let's say that you do nothing to alter these values. When the Test network is evaluated, the student will receive credit for the correct IP address, mask, and IP default-gateway because these values will not have been altered and will match the Master network values.
4. Change the RIP network value from 172.16.0.0 to 172.14.0.0.
5. Change the IP Default-Gateway from 172.16.10.1 to 172.14.10.1. After you make a change in a field, the background color changes from white to yellow. This provides feedback to you as to which fields have been altered.
Save Your Network. Click the Save Values button. When you click on the Save Values button, the altered values are only stored in memory. You will need to save the Master network to permanently save these changes. Click on the Diskette on the menu bar. Then click the Save button and overwrite your existing Master network.
Lab 1.6: Net Assessment—Creating A Test Network
Creating a Test network is relatively straightforward. If you have first selected an assessment template, you can click the Create Test Network button on the Net Assessment screen. The assumption is that you have already determined how you want to alter values in the creation of a Test network, so you do not have to view the Edit Values screen.
Lab Steps
1. Make sure that the newly created template is still highlighted.
2. On the Net Assessment screen, click the button that says Create Test Network.
A dialog box will appear with a suggested name for the Test network. It will be the name of the Master network plus "_test.rsm". In the example we have been using, the name of the master file is Configured Network. The suggested file name would be "Configured Network_test.rsm". However, you can name the Test network anything you wish.
3. In this case, name it Scenario1 so that the full file name is Scenario1_test.rsm. If you are an instructor you might want to have each student save their Test network with some type of unique identifier when they finish working on it. For example, you create a Test network called Scenario1_test.rsm. When Bill T. finishes working with his Test network, you have him save it as Billt_Scenario1_test.rsm or perhaps Scenario1_test_Billt.rsm.
Lab 1.7: Net Assessment—Assessing A Test Network
One or more Test networks can be evaluated at the same time, against the same Master network.
Lab Steps
1. Bring up the Net Assessment screen.
2. After the Net Assessment screen appears, load the Master network. Click on the file folder on the menu or click the File menu and then Open.
3. When the dialog box appears, make sure you are in the Networks folder.
4. Click on the file Configured Network.rsm and click OK. You can confirm that you loaded this Master network because the title of the file will be at the top of the Net Assessment screen and also listed as Name of the Master network.
5. In the Assessment section (bottom left side of the screen), click the Add button. A dialog box will appear. Find and select Scenario1_test.rsm. We came up with this name in Lab 1.6. The name of this file will display in the Assessment section window.
6. Click the Assess button. We have not made any changes to the Test network. Therefore, we should expect two incorrect configurations.
7. Click the View button to view a detailed report. You will see a column labelled Expected Answer. Those configurations are derived from the Master network. The column Your Answer shows the configurations entered and saved in the Test network. In this example we did not make any changes in the Test network.
Lab 1.8: Advanced Values Editing
In Net Assessment Lab 1.5 we used a straightforward process for editing values so that a Test network could be generated. We had you manually change a couple of values. We did that so we could provide a quick, easy-to-understand method of changing values. However, Net Assessment provides you with more sophisticated and powerful methods of altering values. There are five ways to affect values:
• Change a selected value
• Randomize a selected value
• Remove a selected value
• Auto-select and randomize any value(s)
• Auto-select and remove any value(s)
The first three options are performed by the user. The last two options are performed by the program after you select the number of values to be affected.
Options Can Be Used Together
These options can be used in any combination and are not mutually exclusive. For example, you can manually change a couple of values, select a couple of other values to be randomly changed by the program, and a couple of other values to be removed by the program. The auto-select options can also be used with other options. The following are some examples.
Scenario 1: You manually change two values and select three other values to be randomly changed by the program. There will be a total of five values affected when a Test network is created.
Scenario 2: You manually change two values, select one value to be randomly changed, and select four other values to be removed when the Test network is generated. There will be a total of seven values affected.
Scenario 3: You choose three specific values to be randomly changed by the program. You also use the auto-select option to randomly select and randomly change two additional values. There will be a total of five values affected when a Test network is created.
Scenario 4: You use the auto-select options to randomly select and change five values and randomly select and remove five additional values. There will be a total of ten values affected when a Test network is created.
Lab 1.9: Edit Values—Changing A Selected Value
You can manually change values so that they appear differently in the Test network. Place your cursor in a field and type in a new value. Fields that you change will display a yellow background. There are also drop-down fields in which you can change values. For example, you may want to change the VTP Operating mode from Server to Client. Click on the down arrow next to the word Server and a drop-down list will appear. Select Client. This option would typically be used by an instructor, because if you are an individual testing yourself, you would know what values have been changed.
The following are some examples of how to use this option:
Scenario 1: For example, you have an IP address 192.168.1.1 and you want it to appear as 192.168.11.2 in the Test network when it is created. Find the IP Address configuration, place your cursor in the corresponding field containing this value and make the change.
Scenario 2: Another use is entering bogus information that you expect the user to remove in the Test network. For example, you have two OSPF networks that the student should enter into the Test network but you don't want to display them. You can simply manually remove these values. However, in place of these two values you could place two network values that should be removed by the student. Let's say you have two values from the Master network:
OSPF network 192.168.20.4 0.0.0.3 area 0
OSPF network 192.168.40.8 0.0.0.3 area 0
You want two bogus network values in place of these. In those two fields you could substitute the following values:
OSPF network 192.168.20.0 0.0.0.255 area 1
OSPF network 192.168.40.9 0.0.0.4 area 0
The last two values from above will display in the Test network. However, remember that when you compare the Master network with the Test network, the Master network will still have the values of:
OSPF network 192.168.20.4 0.0.0.3 area 0
OSPF network 192.168.40.8 0.0.0.3 area 0
If those are not found in the Test network, they are marked as incorrect answers.
During any of these processes the configuration values in the Master network are never changed. Changes are only reflected in the Test network.
Lab 1.10: Edit Values—Randomizing A Selected Value
You can select specific values that you want the program to randomly change when the Test network is created. Find the values that you want to randomly change and click the Randomize check box that is to the right of the value. If you are an instructor you may have values that you do not want to manually change every time you create a Test network from a Master network's Assessment Template. You may prefer, instead, to have the program randomly change specific values every time you create a Test network. In the following example, IP Default-Gateway and VTP Password have been selected to be randomized. The IP Default-Gateway may display a value like 192.168.10.15 and the VTP Password might display a value like Cisco when the Test network is generated.
This option provides security in the Test networks that you generate for a class. Instead of giving every student the same test, every student can be tested on the same specified configurations but receive a different and random value for each one. You can manually change some values and have the program randomly change others; these two options are not mutually exclusive. During any of these processes the configuration values in the Master network are never changed. Changes are only reflected in the Test network.
If you are testing yourself, you can use this option but you will know beforehand which values are being randomized.
Lab 1.11: Edit Values—Removing A Selected Value
You can select specific values that you want the program to remove when the Test network is created. Find the values that you want to remove and click the Remove check box that is to the right of the value. If you are an instructor you may want to test the problem-solving skills of your students. For example, an access list needs to be created by students in a Test network. You have access list 10 fully configured in the Master network but want to remove some elements like the IP Access Group In and IP Access Group Out configurations. As you see below, the Remove check box has been selected for these two values. When the Test network is generated these two values will not appear.
You can manually change some values, have the program randomly change others, and select specific values to be removed; these three options are not mutually exclusive and can be used in combination together. During any of these processes the configuration values in the Master network are never changed. Changes are only reflected in the Test network. If you are testing yourself, you can use this option but you will know beforehand which values are being removed.
Lab 1.12: Edit Values—Auto-Selecting and Randomizing Any Value
You can have the program randomly select and randomly change any value that displays in the Edit Values screen. Decide how many values you want to randomize and increment the counter to match that number. For example, you may have 20 values that appear in the Values Editor. You can set the counter between 1 and 20. A counter value of one means that only one of the 20 values will be randomly selected by the program and changed to a random value. In the following example the counter has been changed to 5. This option is ideal if you are testing yourself. You can set the counter to a specific number and create a Test network. You will not know what values have been altered until you open the Test network. At that point it will not be apparent what has changed until you go through your Test network. Almost anything in the network that had been originally configured is fair game for being changed by the program.
You can manually select, randomize, and remove values and still use this auto-select option. These options are not mutually exclusive and can be used in combination with each other. However, keep in mind that if you use other options such as selecting a few values to be randomly removed, those values will not be in the pool of possible values that will be changed by this option. During this process the configuration values in the Master network are never changed. Changes are only reflected in the Test network.
Exceeding the Number of Configurations
If you set the counter(s) to a number that exceeds the possible number of configurations on the Edit Values screen, the program will not affect more than the total number of configurations on the screen.
Lab 1.13: Edit Values—Auto-Selecting and Removing Any Value
You can have the program randomly select and randomly remove any value that displays in the Edit Values screen. Decide how many values you want removed and increment the counter to match that number. For example, you may have 20 values that appear in the Values Editor. You can set the counter between 1 and 20. A counter value of one means that only one of the 20 values will be randomly selected and removed by the program. In the following example the counter has been changed to 3. This option is ideal if you are testing yourself. You can set the counter to a specific number and create a Test network. You will not know what values have been removed until you open the Test network. At that point it will not be apparent what has been removed until you go through your Test network. Almost anything in the network that had been originally configured is fair game for being removed by the program.
You can manually select, randomize, and remove values and still use this auto-select option. These options are not mutually exclusive and can be used in combination with each other. However, keep in mind that if you use other options such as selecting a few values to be randomly changed, those values will not be in the pool of possible values that will be removed by this option. During this process the configuration values in the Master network are never changed. Changes are only reflected in the Test network.
Exceeding the Number of Configurations
If you set the counter(s) to a number that exceeds the possible number of configurations on the Edit Values screen, the program will not affect more than the total number of configurations on the screen.
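The following Python model, added here as an illustration and not part of the Net Assessment product, shows how the generate-and-assess cycle of Labs 1.5 through 1.13 fits together: a template selects values from a Master network, the Test network is derived by manual changes, selected randomize/remove flags and the two auto-select counters (capped by the remaining pool, which excludes values already touched), and assessment compares each templated value against the Master without ever modifying it. The Master values, key names and the random-value generator are constructed assumptions, not the product's file format.

```python
import random
from copy import deepcopy

# Constructed Master network values (assumption; the real product stores these in an .rsm file).
MASTER = {
    "2621 Router A/RIP Network": "172.16.0.0",
    "3550 Switch A/IP Default-Gateway": "172.16.10.1",
    "3550 Switch A/VTP Password": "cisco",
    "3550 Switch A/VTP Mode": "Server",
}

def random_value(current, rng):
    """Return a value of the same shape as current (dotted quad or word) that differs from it."""
    parts = current.split(".")
    while True:
        if len(parts) == 4 and all(p.isdigit() for p in parts):
            new = parts[:]
            new[rng.randrange(4)] = str(rng.randrange(1, 255))
            candidate = ".".join(new)
        else:
            candidate = "".join(rng.choice("abcdefghjkmnpqrstuvwxyz") for _ in range(8))
        if candidate != current:
            return candidate

def generate_test_network(master, template, changes=None, randomize=(), remove=(),
                          auto_randomize=0, auto_remove=0, rng=None):
    """Derive a Test network from the Master. template lists the selected values; changes maps
    a value to the replacement typed by hand; randomize/remove name values flagged for the
    program; the auto_* counters draw only from templated values not already touched, so a
    counter larger than that pool affects just what is left. The Master is never mutated."""
    rng = rng or random.Random()
    test = deepcopy(master)
    touched = set()
    for key, value in (changes or {}).items():
        test[key] = value
        touched.add(key)
    for key in randomize:
        test[key] = random_value(master[key], rng)
        touched.add(key)
    for key in remove:
        del test[key]
        touched.add(key)
    pool = [k for k in template if k not in touched]
    rng.shuffle(pool)
    auto_randomize, auto_remove = max(0, auto_randomize), max(0, auto_remove)
    for key in pool[:auto_randomize]:                       # slicing caps at the pool size
        test[key] = random_value(master[key], rng)
    for key in pool[auto_randomize:auto_randomize + auto_remove]:
        del test[key]
    return test

def assess(master, template, test):
    """Score a saved Test network against the Master for each templated value, like the View
    report: rows of (value, Expected Answer, Your Answer, correct) plus the incorrect count.
    A value the student left absent shows as Your Answer None and is counted as incorrect."""
    rows = []
    for key in template:
        expected, answer = master[key], test.get(key)
        rows.append((key, expected, answer, answer == expected))
    return rows, sum(1 for row in rows if not row[3])
```

Note that a value selected in the template but left unaltered always scores as correct, which is the skew the Lab 1.5 caution about extraneous values describes.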
Create Your Own Custom Labs
Lab 1.1: Creating a Custom Lab
You can create your own labs. You can then make your labs available for others to use. This involves a three-step process:
• Create and configure a network
• Insert instructions
• Save your network into the folder Custom Networks and make it available to others
Lab Steps
1. Open a Network Visualizer screen.
2. Place the desired devices on the screen.
3. Connect the devices.
4. Configure the devices.
5. Use a third-party program to create instructions. This can be a text editor, word processor, HTML editor, spreadsheet program, etc. The important thing to keep in mind is that the person using the labs/networks that you create must have the same program on their computer that was used to create the instructions. Save the file as you normally would.
6. There are two ways to insert a document.
• Using the menu, click Insert and then File.
• Click the Insert button on the button bar.
7. Find your instruction file on your computer and then click the Close button on the dialog box. An object will appear on the network with the file name of your instruction file.
8. Save your network. There are two ways you can save a network layout. The first way is by clicking on the Diskette button on the button bar, at the top of the Network Visualizer screen. You can also click File on the menu and choose Save from the drop-down menu.
9. You will want to save your file to the custom networks folder. It can be found off the root folder (program files\routersim\ccnavl3\custom networks). Any network saved to this folder will display on the Network Visualizer menu.
• You can save your files alphabetically. If you save your files alphabetically, that is how they will be sorted and displayed when presented on the Custom Labs menu.
• You can save your files with a numbering scheme. Numbering your files allows you to specify the order of display, regardless of the alphabetical spelling of the file name. For example, let us say you have four network files that are being saved to the custom networks folder. You assign a number to the title of these files in this manner:
10_Cisco IOS
20_Defining and describing a network
30_CLI (command line interface)
40_Configuring an ISR router
10. Close and re-open a Network Visualizer screen and you can now view your custom labs under the menus Labs, Custom.
11. You can distribute your custom labs to others so that they show up on their menus.
Network: It is straightforward to distribute the files if you have a network install. Save all the custom labs to the custom networks folder on the server. When anyone launches this program from their workstation, the custom labs will display on their Labs menu.
Standalone: You can also distribute the files to others or place these files yourself on standalone systems. Copy all the custom labs to the folder custom networks.