
CCNA

Virtual Lab
TITANIUM EDITION 3.0
Work with Practice Scenarios Based on
CCNA Exam Objectives
Set Up Custom Network Configurations
Easily with Drag-and-Drop Functionality
Hone Your Skills for the Exams with over
150 Hands-On Labs
Use an Unlimited Number of Switches,
Routers, and Hosts in Your Virtual Network
Get Useful Feedback with the Valuable
Net Assessment Tool
SERIOUS SKILLS.

William Tedder
BESTSELLING LAB SIMULATION SOFTWARE
Senior Acquisitions Editor: Jeff Kellum
Development Editor: Tom Cirtin
Technical Editor: Troy McMillan
Production Editor: Christine O'Connor
Editorial Manager: Pete Gaughan
Production Manager: Tim Tate
Vice President and Executive Group Publisher: Richard Swadley
Vice President and Publisher: Neil Edde
Supervising Producer, Vertical Websites: Richard Graves
Book Designers: Judy Fung and Bill Gibson
Compositor: Craig Woods, Happenstance Type-O-Rama
Proofreader: Josh Chase, Word One New York
Project Coordinator, Cover: Katherine Crocker
Cover Designer: Ryan Sneed
Copyright 2012 by John Wiley & Sons, Inc., Indianapolis, Indiana
Published simultaneously in Canada
ISBN: 978-1-118-43199-3
No part of this publication may be reproduced, stored in a retrieval system or transmitted in any form
or by any means, electronic, mechanical, photocopying, recording, scanning or otherwise, except as
permitted under Sections 107 or 108 of the 1976 United States Copyright Act, without either the prior
written permission of the Publisher, or authorization through payment of the appropriate per-copy
fee to the Copyright Clearance Center, 222 Rosewood Drive, Danvers, MA 01923, (978) 750-8400,
fax (978) 646-8600. Requests to the Publisher for permission should be addressed to the Permissions
Department, John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030, (201) 748-6011, fax
(201) 748-6008, or online at http://www.wiley.com/go/permissions.
Limit of Liability/Disclaimer of Warranty: The publisher and the author make no representations or
warranties with respect to the accuracy or completeness of the contents of this work and specifically disclaim
all warranties, including without limitation warranties of fitness for a particular purpose. No warranty
may be created or extended by sales or promotional materials. The advice and strategies contained herein
may not be suitable for every situation. This work is sold with the understanding that the publisher is not
engaged in rendering legal, accounting, or other professional services. If professional assistance is required,
the services of a competent professional person should be sought. Neither the publisher nor the author
shall be liable for damages arising herefrom. The fact that an organization or Web site is referred to in this
work as a citation and/or a potential source of further information does not mean that the author or the
publisher endorses the information the organization or Web site may provide or recommendations it may
make. Further, readers should be aware that Internet Web sites listed in this work may have changed or
disappeared between when this work was written and when it is read.
For general information on our other products and services or to obtain technical support, please contact
our Customer Care Department within the U.S. at (877) 762-2974, outside the U.S. at (317) 572-3993 or
fax (317) 572-4002.
Wiley publishes in a variety of print and electronic formats and by print-on-demand. Some material
included with standard print versions of this book may not be included in e-books or in print-on-demand.
If this book refers to media such as a CD or DVD that is not included in the version you purchased, you
may download this material at http://booksupport.wiley.com. For more information about Wiley
products, visit www.wiley.com.
TRADEMARKS: Wiley, the Wiley logo, and the Sybex logo are trademarks or registered trademarks of
John Wiley & Sons, Inc. and/or its affiliates, in the United States and other countries, and may not be used
without written permission. [Insert any third-party trademark language.] All other trademarks are the
property of their respective owners. John Wiley & Sons, Inc. is not associated with any product or vendor
mentioned in this book.
Contents
Introduction to CCNA Virtual Lab, Titanium Edition 3.0 Labs
Network Environment
Lab 1.1: Loading a Network Layout
Lab 1.2: Adding a Device to the Network Visualizer Screen
Host
Lab 1.3: Connecting Devices
Lab Steps
Lab 1.4: Network Cables
Cable Thickness
Lab 1.5: Disconnecting Devices
Lab Steps
Lab 1.6: Entering Configurations and Changing Console Screens
Changing Console Screens
Lab 1.7: Clearing A Network Visualizer Screen
Lab 1.8: Network Configurations Window
Password Lookups
Lab 1.9: Preferences
Background Color
Other colors
ICND1: Cisco IOS
Lab 1.1: RouterSim and Cisco Devices
Lab Steps
Lab 1.2: Logging In and Out of a Cisco Router
Lab Steps
Lab 1.3: Overview of Router Modes
Router Modes
Lab Steps
Lab 1.4: Editing and Help Features
Lab Steps
Lab 1.5: Using Shortcut Commands and Tab Completion in Gathering Basic Router Information
Lab Steps
Lab 1.6: Setting Passwords
Lab Steps
Lab 1.7: Encrypting Your Passwords
Lab Steps
Lab 1.8: Saving Your Configurations
Lab 1.9: Setting Router Banners
Lab 1.10: Configuring Interfaces for the 2621 Router
Lab Steps
Lab 1.11: Configuring Interfaces for the 2811 Router
Lab Steps
Lab 1.12: Configuring Interfaces for the 3560 Switch
Lab Steps
Lab 1.13: Bringing Up an Interface
Lab Steps
Lab 1.14: Configuring an IP Address on an Interface
Lab Steps
Lab 1.15: Serial Interface Commands
Lab Steps
Lab 1.16: Setting the Router Hostnames
Lab Steps
Lab 1.17: Setting Interface Descriptions
Lab Steps
Lab 1.18: Verifying Your Configuration
Lab Steps
Lab 1.19: do Command
Lab Steps
IP Routing
Lab 2: Introduction to IP Routing
Lab 2.1: Configuring the SDM for the 2811 Router
Lab Steps
Lab 2.2: Connecting to the SDM using the 2811 Router
Lab Steps
Lab 2.3: Configuring an Interface with SDM
Lab Steps
Lab 2.4: Configuring a DHCP Pool with SDM
Lab Steps
Lab 2.5: Configuring Other Items with SDM
Lab Steps
Lab 2.6: Verifying Your Configurations with SDM
Lab Steps
Lab 2.7: Configuring the Routers
Lab Steps
Lab 2.9: Configuring Static Routing
Lab Steps
Lab 2.10: Verifying Static Routing
Lab Steps
Practice Scenario: Basic Cisco Router Operations
Lab 2.11: Configuring and Verifying the Hosts
Lab Steps
Lab 2.12: Configuring Default Routing
Lab Steps
Lab 2.13: Verifying Default Routing
Practice Scenario: Basic Cisco Router Operations
Lab 2.14: Configuring RIPv2
Lab Steps
Lab 2.16: Using Traceroute
Lab Steps
Lab 2.17: Using Debug with a RIPv2 Network
Lab Steps
Lab 2.18: Configuring and Verifying a Loopback Interface
Lab Steps
Lab 2.19: Using ARP (Address Resolution Protocol)
Lab Steps
Managing a Cisco Internetwork
Lab 3: Introduction to Managing a Cisco Internetwork
Lab 3.1: Password Recovery Techniques
Lab Steps
Lab 3.11: Configuring IGRP Routing
Lab Steps
Lab 3.12: Verifying IGRP Routing
Lab Steps
Lab 3.2: Backing Up the Cisco IOS
Lab Steps
Lab 3.3: Restoring or Upgrading the Cisco Router IOS
Lab Steps
Lab 3.4: Backing Up the Cisco Configuration
Lab Steps
Lab 3.5: Restoring the Cisco Router Configuration from a TFTP Server
Lab Steps
Lab 3.6: Using the Cisco Discovery Protocol to Gather Information about Neighbor Devices
Lab Steps
Lab 3.7: Using Telnet
Lab Steps
Lab 3.8: Using Secure Shell in Place of Telnet
Lab Steps
Lab 3.9: Verifying Secure Shell in Place of Telnet
Lab Steps
Lab 3.10: Creating a Hosts Table on a Router and Resolve Host Names to IP Addresses
Lab Steps
Configuring the Catalyst Switch
Lab 4: Introduction to Configuring the Catalyst Switch
Lab 4.1: Connecting to the 1900 Switch and Setting Passwords
Lab Steps
Lab 4.2: Configuring the 1900 Switch
Set the Hostname
Lab Step
Configure the IP Address
Configure Interfaces
Configure Interface Descriptions
View Interface Descriptions
Lab 4.3: Configuring the 1900 Switch Port Duplex
Lab Steps
Lab 4.4: Verifying 1900 Switch IP Connectivity
Lab Steps
Lab 4.5: Erasing the 1900 Switch Configuration
Lab Steps
Lab 4.6: Utilizing the 2950 and 2960 Switch
Lab 4.7: Setting Passwords on the 2950/2960 Switch
Lab Steps
Lab 4.8: Configuring the 2950/2960 Switch
Set the Hostname
Lab Steps
Configure the IP Address
Configure Interfaces
Lab 4.9: Verifying 2950/2960 Switch IP Connectivity
Lab 4.10: Saving and Erasing 2950/2960 Switch Configuration
Lab Steps
Lab 4.11: Utilizing the 3550 and 3560 Switch
Lab 4.12: Setting Passwords on the 3550/3560 Switch
Lab Steps
Lab 4.13: Configuring the 3550/3560 Switch
Set the Hostname
Lab Steps
Configure the IP Address
Configure Interfaces
Lab 4.14: Verifying 3550/3660 Switch IP Connectivity
Lab 4.15: Saving and Erasing the 3550/3560 Switch Configuration
NAT
Lab 5: Introduction to Network Address Translation (NAT)
Lab 5.1: Configuring Your Routers
Setting up the NAT Lab creates an address pool
Lab Steps
Switch Security
Lab 6.1: Configuring Switch Security
Lab 6.2: Verifying Switch Security
Lab Steps
Individual Labs (Comprehensive)
Lab Steps
Launching SDM Via Host A
Configure IP Address Using SDM
Configure DHCP Pool with the SDM
Using the SDM to Configure Other Items
Verify Router Configurations
Individual Lab: Configuring Routers
Lab Steps
Individual Lab: Configuring the 1900 Switch
Lab Steps
Setting the Hostname
Configuring an IP Address
Configuring Interfaces
Configuring Interface Descriptions
Configuring Port Duplex
Grade Me
Erasing the Configuration
Individual Lab: Configuring 2950 Switch
Lab Steps
Setting the Hostname
Configuring IP Address Information
Configuring Interfaces
Verifying the IP Connectivity
Grade Me
Saving and Erasing Your Configurations
Individual Lab: Configuring the 2960 Switch
Lab Steps
Setting the Hostname
Configuring IP Address Information
Configuring Interfaces
Verifying the IP Connectivity
Grade Me
Saving and Erasing Your Configuration
Individual Lab: Static Routing
Lab Steps
Individual Lab: Telnet
Lab Steps
Individual Lab: Using the Cisco Discovery Protocol to Gather Information about Neighbor Devices
Lab Steps
Individual Lab: Working with a Router Interface
Lab Steps
Configuring an IP Address on an Interface
Serial Interface
Setting An Interface Description
Individual Lab: Configuring Hosts
Lab Steps
ICND2
RIP - IPv6
Lab 1.1: Configuring RIP Routing
Lab Steps
Lab 1.2: Verifying RIP Routing
Lab Steps
Lab 1.3: Configuring IPv6 Static Routing
Address Types
Unicast Types
IPv6 Bits
Lab Steps
Lab 1.4: Verifying IPv6 Static Routing
Lab Steps
Practice Scenario: Basic Cisco Router Operations
Troubleshooting IPv6 Static Routing
(use Practice Scenario: Troubleshooting IPv6)
Turn On Hostnames
Scenario
Task
Lab 1.5: Configuring RIP IPv6 Routing (RIPng)
Lab Steps
Lab 1.6: Verifying RIP IPv6 Routing (RIPng)
Lab Steps
Cisco Wide Area Networks (WAN)
Lab 2: Introduction to Cisco Wide Area Network Support
Lab 2.1: Configuring PPP Encapsulation
Lab Steps
Lab 2.2: Verifying PPP Encapsulation
Lab Steps
Lab 2.3: Configuring PPP Authentication with CHAP
Lab Steps
Lab 2.4: Verifying PPP with Authentication
Lab Steps
Lab 2.5: Understanding Frame Relay Configuration
Frame Relay Uses Virtual Circuits
Configuring Frame Relay Encapsulation
Frame Relay DLCI
Frame Relay LMI
Subinterfaces with Frame Relay
Lab 2.6: Configuring Frame Relay Switching
Lab Steps
Lab 2.7: Configuring Frame Relay with Subinterfaces
Lab Steps
Lab 2.8: Verifying Frame Relay
Lab Steps
EIGRP
Lab 3: Introduction to EIGRP
Lab 3.1: Configuring EIGRP Routing
Lab Steps
Lab 3.2: Verifying EIGRP Routing
Lab 3.3: Configuring EIGRP Wild Card Masks
Lab Steps
Lab 3.4: Verifying EIGRP Wild Card Mask Configurations
Lab Steps
Lab 3.5: Configuring EIGRP Authentication
Lab Steps
Lab 3.6: Verifying EIGRP Authentication
Lab Steps
Lab 3.7: Configuring Advanced Commands with EIGRP
OSPF
Lab 4: Introduction to OSPF
Lab 4.1: Configuring Single Area OSPF
Lab Steps
Lab 4.2: Verifying Single Area OSPF
Lab 4.3: OSPF Authentication
Lab Steps
Lab 4.4: Stub Area Configuration
Lab Steps
Lab 4.5: Totally Stub
Lab Steps
Lab 4.6: OSPF DR and BDR Elections
Lab Steps
Virtual LANs (VLANs)
Lab 5: Introduction to Virtual LANs
Lab 5.1: Configuring VLANs on a 1900 Switch
Lab Steps
Lab 5.3: Configuring VLANs on a 3550 Switch
Lab Steps
Lab 5.4: Configuring Trunk Ports and VTP Domain on a 3550 Switch
Lab Steps
Configure VTP Domain
Lab 5.5: Configuring VLANs on a 3560 Switch
Lab Steps
Lab 5.6: Configuring Trunk Ports and VTP Domain on a 3550 Switch
Configure Trunk Ports
Lab Steps
Configure VTP Domain
Lab 5.7: IntraVLAN and InterVLAN Routing
Lab Steps
Access Lists
Lab 6: Introduction to Managing Traffic with Access Lists
Lab 6.1: Standard IP Access-Lists
Lab 6.2: Verifying Standard IP Access-Lists
Lab Steps
Lab 6.3: Applying an Access-List to a VTY Line
Lab Steps
Lab 6.4: Extended IP Access-Lists
Lab Steps
Lab 6.5: Verifying Extended IP Access-lists
Lab Steps
Lab 6.6: Removing Extended IP Access-lists
Lab Steps
Practice Scenario: NAT and ACLs
Configuring ACLs for Telnet and SSH
Turn On Hostnames
Scenario
Task
NAT/PAT
Lab 7.1: Configuring Dynamic NAT
Lab Steps
Lab 7.2: Configuring PAT
Lab Steps
Lab 7.3: NAT/PAT Final Configuration Exercise
Lab Steps
VLSM with Summarization
Lab 8.1: VLSM with Summarization Lab - Configuring Routers
Lab Steps
Lab 8.2: VLSM with Summarization Lab - Configuring Hosts
Lab Steps
Lab 8.4: VLSM with Summarization Lab - Configuring EIGRP with Discontiguous Networking
Lab Steps
Lab 8.5: VLSM with Summarization Lab - Configuring Summarization
Lab Steps
Individual Labs (Comprehensive)
Introduction to Individual Labs
Grading
Individual Lab: RIP Routing
Lab Steps
Verify Configurations
RIPv2
Verify Configurations
Individual Lab: IPv6 Static Routing
Lab Steps
Verifying IPv6 Static Routing
Individual Lab: RIP IPv6 Routing (RIPng)
Lab Steps
Verifying RIP IPv6 Routing (RIPng)
Individual Lab: PPP Encapsulation
Lab Steps
Verifying PPP Encapsulation
Configuring PPP Authentication with CHAP
Verifying PPP with Authentication
Individual Lab: Frame Relay Switching
Understand Frame Relay
Configuring Frame-Relay
Lab Steps
Configuring Frame Relay with Subinterfaces
Verifying Frame Relay
Individual Lab: EIGRP Routing
Lab Steps
Verifying EIGRP
Individual Lab: Single Area OSPF
Lab Steps
Verify OSPF
Individual Lab: OSPF DR and BDR Elections
Lab Steps
Individual Lab: Configuring VLANs
Lab Steps
Setting Up VLANS
Setting Up Trunk Ports
Configuring VTP Domain
IntraVLAN and InterVLAN Routing
Individual Lab: Configuring VLANs on a 1900 Switch
Lab Steps
Configuring Trunk Ports
Configuring Inter-Switch Link (ISL) Routing
Grade Me
Individual Lab: Standard IP Access-Lists
Lab Steps
Configuring Hosts E and F
Configuring Switches
Verifying Standard IP Access-Lists
Applying an Access-List to a VTY Line
Individual Lab: Extended IP Access-Lists
Lab Steps
Configuring Hosts E and F
Configuring Switches
Verifying Extended IP Access-lists
Removing Extended IP Access-lists
Individual Lab: Network Address Translation (NAT) and Port Address Translation
Setting up the NAT Lab
Lab Steps
Dynamic NAT
Configuring PAT
Individual Lab: VLSM with Summarization
Lab Steps
Configuring Hosts
Verify Configurations
Configuring EIGRP with Discontiguous Networking
Configuring Summarization
Verifying Summarization
Net Assessment
Lab 1.1: Introduction to Net Assessment
For Instructors
For Individuals
Lab 1.2: Making Changes and Inserting Instructions
Lab Steps
Lab 1.3: Loading Net Assessment
Lab 1.4: Creating a Net Assessment Template
Lab Steps
Lab 1.5: Net Assessment - Editing Values
Lab Steps
Lab 1.6: Net Assessment - Creating A Test Network
Lab Steps
Lab 1.7: Net Assessment - Assessing A Test Network
Lab Steps
Lab 1.8: Advanced Values Editing
Lab 1.9: Edit Values - Changing A Selected Value
Lab 1.10: Edit Values - Randomizing A Selected Value
Lab 1.11: Edit Values - Removing A Selected Value
Lab 1.12: Edit Values - Auto-Selecting and Randomizing Any Value
Exceeding the Number of Configurations
Lab 1.13: Edit Values - Auto-Selecting and Removing Any Value
Create Your Own Custom Labs
Lab 1.1: Creating a Custom Lab
Lab Steps
Introduction to CCNA Virtual Lab, Titanium Edition 3.0 Labs
This program contains all the labs available for CCNA Virtual Lab, Titanium Edition 3.0.
Navigation
When you load the online documentation, a tree list on the left side of the screen allows you
to quickly navigate from one section and lab topic to another. Click on a book to expand the
list of labs for that section. You will then see a ? icon to the left of each topic. Click a topic
title to display lab content on the right side of the screen.
Types of Labs
CCNA Labs and Supporting Material
ICND1 and ICND2 Labs: The presentation of CCNA labs has been reorganized into two
different areas. Individuals preparing for the Cisco ICND (640-822) exam can easily bring
up documentation and networks for the 75 labs that help prepare them. Those preparing for
the Cisco ICND 2 (640-816) exam can now find these 78 labs and networks organized in
the same section.
Practice Scenarios: Studying for the Cisco CCNA exam is challenging. Trying to figure
out which exam topics to study for is difficult. This program assists you by providing Practice
Scenarios. We have designed our practice scenarios based on CCNA exam topics. Testing
yourself with our practice scenarios will give you the confidence needed in preparing for the
Cisco CCNA exam. After you go through accumulative and/or Individual labs you can
test your problem-solving and troubleshooting skills. Practice Scenarios are interspersed
throughout the lab documentation. With these scenarios you are presented with partially or
incorrectly configured networks and your task is to read the instructions and correct the
situation. These are gradable labs.
They can be found in two places on our menu tree. They are interspersed among the
accumulative labs. After you read about a concept and go through hands-on lab(s), you are then
presented with a practice scenario that tests your problem-solving and troubleshooting skills.
They can also be found in their own section so that you can quickly choose any of the labs,
instead of hunting for them in the accumulative labs.
Individual Labs: We also offer CCNA labs that stand on their own, are comprehensive
and self-contained, and do not require configurations from prior labs. These labs are typically
longer than the accumulative labs because you are starting with a non-configured network
each time you bring up an Individual lab. You configure the entire network for each
lab, from beginning to finish. We provide step-by-step instructions for these labs. These are
gradable labs.
Net Assessment: This feature allows you to test and evaluate your CCNA problem-solving
and network troubleshooting skills. This is a powerful and flexible tool for all to use,
including teachers, students, individuals, etc. You can grade yourself or, if you are an instructor,
you can grade your students. There are eight labs that walk you through an example in utilizing
Net Assessment. Net Assessment also provides you with more sophisticated and powerful
methods in altering values. That is covered in seven additional labs.
Accumulative Labs: We provide step-by-step labs that, for the most part, build on each
other. Fourteen different network layouts are presented within these labs. When you start
working with a new section and encounter a new network layout, you are asked to save
your work. It is suggested that you save your network layout with another name so that
you always have a non-configured network to fall back on. An example would be saving
the original network layout, Standard Layout, as My Standard Layout.
Network Layouts
Loading a Network Layout
1. On the Network Visualizer screen, click on the File menu and then click Open.
2. When the dialog box appears, make sure you are in the Networks folder.
3. Find and click on the file name and then click OK.
Custom Labs
With CCNA Virtual Lab, Titanium Edition 3.0, you can create your own labs. You can
then make your labs available for others to use. They will appear off the main menu of
the Network Visualizer screen. You can also embed instructions into your labs/network.
Use a third-party program to create instructions. This can be a text editor, word
processor, HTML editor, spreadsheet program, etc.
Network Environment
Lab 1.1: Loading a Network Layout
There are three types of network layouts that you can load with this program.
Accumulative Labs: In our lab documentation we provide step-by-step labs that, for the
most part, build on each other. Within the accumulative labs there are a handful of different
network layouts that you will load. The network layouts are specific to the tasks you will
encounter in the labs.
1. On the Network Visualizer screen, click on the File menu and then click Open.
2. When the dialog box appears, make sure you are in the Networks folder.
3. Find and click on the file name and then click Open.
Individual Labs: We also offer labs that stand on their own, are self-contained, and do not
require configurations from prior labs. These labs are typically larger than the accumulative
labs because you are starting with a non-configured network each time you bring up
an Individual lab. You configure the entire network for each lab, from beginning
to finish. We provide step-by-step instructions for these labs. Some labs require extensive
configurations. Instead of manually entering the configurations, you have the ability to copy
and paste script into the console. This saves you time so that you do not have to manually
type in each command if you do not care to do so.
Practice Scenarios: Studying for the Cisco CCNA exam is challenging. Trying to figure out
which exam topics to study for is difficult. We assist you by providing Practice Scenarios. We
have designed our practice scenarios based on the CCNA exam topics. Testing yourself with
our practice scenarios will give you the confidence needed in preparing for the Cisco CCNA
exam. After you go through accumulative and/or Individual labs you can test your
problem-solving and troubleshooting skills. Practice Scenarios are interspersed throughout the
lab documentation. With these scenarios you are presented with partially or incorrectly
configured networks and your task is to read the instructions and correct the situation.
They can be found in two places on our menu tree. They are interspersed among the
accumulative labs. After you read about a concept and go through hands-on lab(s), you are then
presented with a practice scenario that tests your problem-solving and troubleshooting skills.
They can also be found in their own section so that you can quickly choose any of the labs,
instead of hunting for them in the accumulative labs.
Custom Networks With this program, you can create your own labs. You can then make
your labs available for others to use. You can distribute your custom labs to others so that
they show up on their menus. They can be loaded from the Network Visualizer menu.
Lab 1.2: Adding a Device to the Network Visualizer Screen
This program offers several devices that you can interact with in our network layouts or
networks that you want to create. The following is a list of these devices and their features.
Host
1900 Switch It has 12 10BaseT switched ports and two FastEthernet switched ports.
2621 Router It has Enterprise edition 12.x software. The 2621 has two FastEthernet
interfaces and two serial interfaces.
2811 Router It has Enterprise edition 12.4 software, four serial ports and two FastEthernet
ports.
2950 Switch It has 12 FastEthernet, 10/100 ports to help you build your LANs and VLANs.
2960 Switch It has eight FastEthernet ports and one GigabitEthernet port.
3550 Switch It has 10 FastEthernet, 10/100 ports.
3560 Switch It has eight FastEthernet ports and one GigabitEthernet port.
These devices are represented by device buttons at the top of the Network Visualizer screen.
Description of Toolbar Buttons
New Network Visualizer screen
Load a network
Save a network
Print network layout
Clear all devices off the Network Visualizer screen
Insert a file into the network. For example, this could be a text file,
Microsoft Word file, PDF file, graphic file, etc.
Insert a host onto the Network Visualizer screen
Insert a new 2621 router onto the Network Visualizer screen
Insert a new 2811 router onto the Network Visualizer screen
Insert a new 1900 switch onto the Network Visualizer screen
Insert a new 2950 switch onto the Network Visualizer screen
Insert a new 2960 switch onto the Network Visualizer screen
Insert a new 3550 switch onto the Network Visualizer screen
Insert a new 3560 switch onto the Network Visualizer screen
Display the Net Assessment window
Display the Net Configs window
Display the Net Packet Monitor window
To add one or more of any device, click the device button that corresponds to the host,
router, or switch. A new object will appear in the left corner of the Network Visualizer screen.
Drag and drop it wherever you want. Devices are labeled sequentially. For example, if you
click on the 2811 device button, 2811 Router A will appear on the screen. If you click the
device button again, 2811 Router B will appear on the screen. The next one would be 2811
Router C, and so on.
An unlimited number of devices can be added to a Network Visualizer screen.
You are limited only by your computer resources.
Lab 1.3: Connecting Devices
Once you have placed devices onto the Network Visualizer screen, only a couple of steps
are required to connect them. They need to be connected so that the program knows
they are in the same network. All devices must be connected into the same network for
you to both configure and test for connectivity.
In the following example, we will connect serial interface 0/0/0 of the 2811 Router A to
serial interface 0/0/1 of 2811 Router B.
Lab Steps
1. Right-click 2811 Router A. A graphical representation of its ports will appear
on top of 2811 Router A.
2. Place your mouse over interface serial 0/0/0 and click your left mouse key.
3. As soon as you click a port, the large graphic disappears and you will see a line
attached to the cursor. Move the cursor over to 2811 Router B and click the right
mouse button.
4. When the graphical representation of the ports for 2811 Router B appears, click on
interface serial 0/0/1.
The large graphic will disappear and you should see 2811 Router A and 2811 Router B
connected with a serial cable. You have the option of viewing interface labels. On the
Network Visualizer screen click View and Hostnames.
Lab 1.4: Network Cables
This program provides three different types of cables that can be used when creating
networks.
Straight-Through is GREEN in color in our program and provides connectivity from
hosts to switches and from routers to switches. This is a twisted-pair cable that uses RJ-45
connectors.

Cross-Over is WHITE in color in our program and is used to connect switch to switch
and router to router on an Ethernet port. This cannot be used to connect hosts to switches
or switches to routers.
Serial WAN is RED in color in our program and is represented by a lightning bolt. This is
used to simulate a serial WAN connection and can only be connected to serial interfaces on
a router. These are point-to-point only and can connect from router to router only via their
serial ports. They cannot be used to connect to switches or hosts.
WAN connection
A network connection through routers which connects two geographically distanced
networks together. It typically connects several local area networks (LANs), usually
through the Internet.
Cable Thickness
You can change the thickness of cables used in your network. On the Network Visualizer
menu, click the View menu, put your mouse over the menu item Line Thickness, and then
select one of the three levels of line thickness.
Here is a network that displays the smallest thickness of cables.
Here is a network that displays the largest thickness of cables.
Lab 1.5: Disconnecting Devices
Any network cable can be disconnected. If you want to remove several cables from a device,
you will need to do so one by one. In the following example, we will disconnect the serial
cable between 2811 Router A and 2811 Router B.
Lab Steps
1. Place your cursor over 2811 Router A and click your right mouse button.
2. Place your cursor above the cable connector for interface serial 0/0/0 and click your left
mouse button.
3. You will be asked to confirm that you are removing the cable from the port. Click the Yes button.
4. The cable will now be removed and you will have two disconnected routers.
Lab 1.6: Entering Configurations and Changing Console Screens
Configurations are entered through a console screen. Only one console screen displays at
a time; however, you can display a separate console screen for any router or switch in your
network.
1. Place a couple of 2811 routers onto a Network Visualizer screen.
2. Place your cursor over 2811 Router A and double-click your left mouse button. A
console screen will appear.
3. When you first start out with a network you will need to press Enter to display the
User mode. From there you can change modes and enter configurations, ping, telnet,
and perform show commands.
4. Type enable and press Enter to go to the Privileged mode.
5. Type config t and press Enter so that you can enter Global Configuration mode. You
will enter your configurations in this mode and in other modes such as Interface mode.
Changing Console Screens
You can use the menu system on the console screen to view the consoles for any device on
the Network Visualizer screen. In the following example we have a 3550 and 3560 switch
on the Network Visualizer screen.
In this example you want to go from the console of the 3550 Switch A, to the console of
the 3560 Switch A. Click View on the menu, put your mouse over Console, go down and find
the desired type of device (in this case it is Switch 3560), and then choose 3560 Switch A.
Lab 1.7: Clearing A Network Visualizer Screen
There are two ways to clear a Network Visualizer screen.
• Click the Edit menu and then select Clear.
• You can also click the trash can icon on the tool bar.
You will be asked to confirm that you want to clear the current network layout.
Lab 1.8: Network Configurations Window
You can view the configurations for all devices on your Network Visualizer screen. To
view the Network Configs screen, click the Tools menu, and then Net Configs.
Or click the Net Configs button on the button bar.
And the Net Configs screen will appear ...
Password Lookups
You may forget passwords that you enter while configuring devices. You can look them up
by clicking the Net Configs button.
You can display the console screen for any device listed in the Net Configs
window. Double-click on the name of any device.
Lab 1.9: Preferences
There are two preferences that you can set for the look and feel of this program.
• Background color of the Network Visualizer screen
• Autosize the Network Visualizer screen when you load a network
The Preferences window can be displayed by clicking Tools on the Network Visualizer
screen, then Preferences.
Background Color
You can easily change the background of your Network Visualizer screen. Eighteen basic
colors are available in choosing the background color. If you click the Default button, your
screen will display a dark Navy blue.
Other colors
If you want to choose another color, click on the Other button.
ICND1: Cisco IOS
Lab 1.1: RouterSim and Cisco Devices
In this program you now have the option of also using traditional Cisco graphical devices.
You can create networks from scratch using several types of devices; however, you cannot
mix them. The program will display all RouterSim devices or all Cisco graphical devices.
You can load existing network layouts and easily change their appearance.
Lab Steps
1. On the Network Visualizer menu click View and then select Cisco Devices from the
drop down menu.
Network Layout
Load CiscoIOS Layout.rsm before going through the following lab.
1. On the Network Visualizer screen, click on the File menu and then click Open.
2. When the dialog box appears, make sure you are in the Networks folder.
3. Click on the file CiscoIOS Layout.rsm and click Open. You should see the following
non-configured network:
By default you will see RouterSim devices on any network layout that comes with this
program.
The network shown at the top of the lab quickly changes and Cisco devices are displayed.
If you display the device list, it will now display Cisco devices.
2. You can change back and display RouterSim devices. On the Network Visualizer menu
click View and then select RouterSim Devices from the drop down menu.
Lab 1.2: Logging In and Out of a Cisco Router
In this lab you bring up a router console and learn how to log in using the enable and
disable commands.
Lab Steps
1. On the Network Visualizer screen, double-click on 2811 Router A. This will bring up
a console screen. You interact with each device through the console screen. You will
enter all your CLI commands such as configuring a device, testing connectivity, and
displaying output.
Network Layout
Load the network layout you have been working with for labs in section 1.
Connectivity
Connectivity in a network refers to the ability of a source device, such as a router,
to connect to a remote device or another router. If you ping a remote
router and it is unsuccessful, you have no connectivity. If your ping is successful, you
have connectivity.
Output
Information that is displayed on the console screen after you enter a show command.
For example, if you enter the command show run, you get the following output:
Building configuration...
Current configuration : 874 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
[output cut]
2. Press Enter and the Router> prompt will appear. You are now in the User mode.
This mode is mostly used to view statistics, though it is also a stepping-stone to
logging into Privileged mode. You can only view and change the configuration of a
Cisco router in Privileged mode, which you enter with the enable command.
Router>
Router>enable
Router#
3. You now end up with a Router# prompt, which indicates you are in Privileged mode.
You can both view and change the configuration in Privileged mode. You can go back
from Privileged mode to user mode by using the disable command.
Router#disable
Router>
4. At this point you can type logout to exit the console.
Router>logout
Router con0 is now available
Press Return to get started.
5. Or you could just type logout or exit from the Privileged mode prompt to log out.
Router>enable
Router#logout
Router con0 is now available
Press RETURN to get started.
Lab 1.3: Overview of Router Modes
It is important to understand the different prompts you can find when configuring a router so
you can know where you are at any time within Configuration mode. In this lab, the prompts
that are used on a Cisco router will be demonstrated. Always check your prompts before
making any changes to a router's configuration.
Router Modes
Depending on what you want to do, you can go to different mode levels interacting with
interfaces and devices. Most commands are mode specific. That means that many commands
work in one mode but not another. That is why you have to change modes, depending
on what command you want to enter. However, with the do command you can now
enter privileged mode commands in Global Configuration mode. This works on the 2811
router (IOS version 12.4) and the 2960 and 3560 switch (IOS version 12.2 SE). The following
chart displays the different modes you will encounter.
Network Layout
Load the network layout you have been working with for labs in section 1.
Mode                    Prompt                  Typical Use
User                    Router>                 Usually the first login prompt when logged in to a
                                                Cisco router.
                                                Minimal, fundamental set of non-configuration
                                                commands in this mode.
                                                Only basic router information is given in this
                                                mode. Show commands can be given which will result
                                                in output displayed in the console screen. Only
                                                information about the device is given.
Privileged              Router#                 This mode is accessed by using the enable command
                                                from user mode.
                                                You can quit privilege mode by using the disable
                                                command.
                                                Can be and should be protected by an enable or
                                                enable secret password.
                                                All router functionality can be accessed from this
                                                level.
                                                Ping interfaces.
                                                Telnet to devices.
                                                Show commands that display routing information,
                                                interface protocols, and the system's entire
                                                running configuration.
Global Configuration    Router(config)#         Configure or make changes that affect the entire
                                                router.
                                                Change your device host name.
                                                Change passwords.
                                                Set up access lists.
Interface               Router(config-if)#      Allows you to configure specific interfaces.
Routing-Configuration   Router(config-router)#  Allows you to configure the routing protocol.
Lab Steps
1. On the Network Visualizer screen, double-click on 2811 Router A. This will bring up a
console screen.
2. Press Enter and the Router> prompt will appear. You are now in the User mode.
3. Change to the Privileged mode.
Router>
Router>enable
4. To configure a device from the CLI, you can make global changes to the router by typing
configure terminal (config t for short), which puts you in Global Configuration
mode and changes what is known as the running-config. You can type config from
the Privileged mode prompt and then just press Enter to take the default of terminal.
Router#config
Configuring from terminal, memory, or network [terminal]?enter
Enter configuration commands, one per line. End with CTRL/Z.
Router(config)#
At this point you make changes that affect the router as a whole, hence the term
Global Configuration mode. Notice the prompt is now Router(config)#.
5. To make changes to an interface, you use the interface command from Global
Configuration mode.
Router(config)#interface ?
Async Async interface
BRI ISDN Basic Rate Interface
BVI Bridge-Group Virtual Interface
CTunnel CTunnel interface
Dialer Dialer interface
FastEthernet FastEthernet IEEE 802.3
Group-Async Async Group interface
Lex Lex interface
Loopback Loopback interface
MFR Multilink Frame Relay bundle interface
Multilink Multilink-group interface
Null Null interface
Tunnel Tunnel interface
Vif PGM Multicast Host interface
Virtual-Template Virtual Template interface
Virtual-TokenRing Virtual TokenRing
range interface range command
Router(config)#interface fastethernet 0/0
Router(config-if)#
Notice the prompt changed to Router(config-if)# to tell you that you are in interface
configuration.
6. Sub interfaces allow you to create virtual interfaces within the router. The prompt then
changes to Router(config-subif)#.
Router(config)#int f0/0.?
<0-4294967295> FastEthernet interface number
Router(config)#int f0/0.1
Router(config-subif)#
Type exit to go back to Global Configuration mode.
Router(config-subif)#exit
Router(config)#
7. To configure User mode passwords, use the line command. The prompt then becomes
Router(config-line)#.
Enter configuration commands, one per line. End with CTRL/Z.
Router(config)#line ?
<0-70> First Line number
aux Auxiliary line
console Primary terminal line
tty Terminal controller
vty Virtual terminal
Router(config)#line console 0
Router(config-line)#
The line console 0 command is known as a major, or global, command, and any
command typed from the (config-line) prompt is known as a subcommand.
8. Type exit to go back to Global Configuration mode.
Router(config-line)#exit
Router(config)#
9. The line vty 0 1180 command is used to control inbound telnet connections. This is
part of a series of commands that you use to set passwords for interfaces so that you
can set up interface security and telnet from one device to another.
Router(config)#line vty 0 1180
Router(config-line)#
10. Type exit to go back to Global Configuration mode.
Router(config-line)#exit
Router(config)#
11. To configure routing protocols like RIP, use the prompt (config-router)#.
Router(config)#router rip
Router(config-router)#
It is not important that you understand what each of these commands does
at this time. These will all be explained later in greater detail. What you
need to understand is the different prompts available. This program supports
the line console and line vty commands.
12. Type control+z to go back to Global Configuration mode. Control+z is noted as ctrl+z.
Router(config-router)#ctrl+z
Router#
Lab 1.4: Editing and Help Features
You can use the Cisco advanced editing features to help you configure your router or
switch. This lab will teach you how and where to use a question mark (?) from the CLI as
well as how to use keystrokes to help you edit your command strings.
Network Layout
Load the network layout you have been working with for labs in section 1.
Lab Steps
1. On the Network Visualizer screen, double-click on 2811 Router A. This will bring up a
console screen.
2. Press enter and the Router> prompt will appear. You are now in the User mode.
3. Change to the Privileged mode.
Router>
Router>enable
4. By using a question mark (?) at any prompt, you can see the list of commands available
from that prompt.
Router#?
Exec commands:
access-enable Create a temporary Access-List entry
access-profile Apply user-profile to interface
access-template Create a temporary Access-List entry
archive manage archive files
bfe For manual emergency modes setting
cd Change current directory
clear Reset functions
clock Manage the system clock
cns CNS subsystem
configure Enter configuration mode
connect Open a terminal connection
copy Copy from one file to another
debug Debugging functions (see also 'undebug')
delete Delete a file
dir List files on a filesystem
disable Turn off privileged commands
disconnect Disconnect an existing network connection
enable Turn on privileged commands
erase Erase a filesystem
exit Exit from the EXEC
help Description of the interactive help system
--More--
At this point, you can press the spacebar to get another page of information, or you
can press Enter to go one command at a time. You can also press any other key to quit
and Enter to return to the prompt.
5. To find commands that start with a certain letter, use the letter and the question mark (?)
with no space between them.
Router#c?
clear
clock
cns
configure
connect
copy cd
Router#c
Notice that by typing c?, we receive a response of all the commands that start with
c. Also notice that the Router# prompt appeared with our command still present.
This is helpful when you have long commands and need the next possible command.
Supported Commands in CCNA Virtual Lab, Titanium Edition 3.0
Commands supported in this program were specifically chosen to represent the most
important commands needed in configuring networks and in preparing for the CCNA
exam. When you enter a help command such as ?, you will see a complete list of IOS
commands. However, not all are available and supported in this program.
To view supported commands for CCNA Virtual Lab, Titanium Edition 3.0:
1. Bring up a console screen.
2. Click the View menu.
3. Click Supported Commands.
6. To find the next command in a string, type the first command and then a question
mark. Set the router's clock by typing clock ? and following the help screens; set the
router's time and date.
Router#clock ?
set Set the time and date
Router#clock set ?
hh:mm:ss Current Time
Router#clock set 10:30:10 ?
<1-31> Day of the month
MONTH Month of the year
Router#clock set 10:30:10 28 ?
MONTH Month of the year
Router#clock set 10:30:10 28 december ?
<1993-2035> Year
Router#clock set 10:30:10 28 december 2007 ?
<cr>
Router#
By typing the clock command, then a space and a question mark, you will get a list of the
next possible commands and what they do. Notice that we just kept typing a command, a
space, and then a question mark until <cr> (carriage return) was our only option.
7. Type show clock to see the time and date you have set.
8. If you are typing commands and receive this:
Router#clock set 10:30:10
% Incomplete command.
Then you know that the command string is not complete. Just press the up arrow key
to view the last command entered, then continue with the command by using your
question mark.
9. Also, if you receive this error:
Router#clock shut 10:30:10 28 8
^
% Invalid input detected at '^' marker.
You have entered the command incorrectly. The caret (^) marks the point where you
have entered the command incorrectly. This is very helpful.
10. You may receive an error when you type in a command that the program cannot match
with any known command. For example,
Router#sh s
% Ambiguous command: "sh s"
It means you did not enter all the keywords or values required by this command. Use the
question mark to find the command you need.
Router#sh s?
scp
sessions
slm
smas
smf
snapshot
snmp
spanning-tree
stacks
standby
startup-config
subscriber-polocy
subsys
11. Type show access-list 10. Don't press Enter.
12. Notice the cursor is at the end of the line. Type Ctrl+A. This takes you to the beginning
of the line.
13. Type Ctrl+E. This should take you back to the end of the line.
14. Type Ctrl+A, then type Ctrl+F. This should move you forward one character.
15. Type Ctrl+B, which will move you back one character.
16. Press Enter, then type Ctrl+P. This will repeat the last command.
17. Press the up arrow on your keyboard. This will also repeat the last command.
18. Use the show history command to see the last 10 commands entered on the router.
Router#sh history
19. Use the show terminal command to verify the terminal history size.
Router#sh terminal
20. The terminal history size command, used from Privileged mode, can change the
size of the history buffer.
Router#terminal history size ?
<0-256> Size of history buffer
Router#terminal history size 25
21. Verify the change with the show terminal command.
Router#sh terminal
22. Type terminal no editing. This turns off advanced editing. Repeat steps 9-13 to see
that the shortcut editing keys have no effect.
23. Type terminal editing and press Enter to re-enable advanced editing.
24. Type sh run, then press your tab key. This will finish typing the command for you.
Editing Command Table
The following table displays the editing commands:
Command Description
? Gives you a help screen
<ctrl A> Moves your cursor to the beginning of the line
<ctrl D> Deletes a single character
<ctrl E> Moves your cursor to the end of the line
<ctrl F> Moves forward one character
<ctrl-R> Redisplays a line
<ctrl-U> Erases a line
<ctrl-W> Erases a word
<ctrl-Z> Ends configuration mode and returns to EXEC
<esc B> Moves back one word
<esc F> Moves forward one word
backspace Deletes a single character
tab Finishes typing a command for you
Lab 1.5: Using Shortcut Commands and Tab Completion in Gathering Basic Router Information
In this lab you will learn about shortcut commands and the tab completion function. You
will use these concepts and commands to gather basic information about a Cisco router.
Network Layout
Load the network layout you have been working with for labs in section 1.
Lab Steps
1. On the Network Visualizer screen, double-click on 2811 Router A. This will bring up a
console screen.
2. Press Enter and the Router> prompt will appear. You are now in the user mode.
3. Change to the privileged mode.
Router>
Router>en
Shortcut Commands
Most Cisco IOS commands do not have to be completely spelled out. To let you enter
commands more quickly, you only have to enter part of a command, and
each word in a command can be abbreviated. For example the command enable can be
shortened to en. Another example is the command show running-config. You
can abbreviate that and just type in sh run. A final example is when you have the command
show interfaces. You only need to type in sh int. The router or switch knows
what you mean and correctly interprets and carries out that command.
You do need to type in enough letters for each word in a command for the router or
switch to correctly understand and interpret what you are trying to do. If you do not,
you will receive feedback that one or more of your words are ambiguous. The reason
for that is that letters in one or more of the words in your command can be used to
spell out different words. In that case the device does not know what you want to do;
there are too many possibilities.
For example, type the following:
Router>#s ver
I get 2811A#s ver
Cisco IOS Software, 2800 Software (C2800NM-ADVIPSERVICESK9-M), Version 12.4(9)
T1, RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2006 by Cisco Systems, Inc.[output cut]
Router>A#s v
% Ambiguous command: show v
2811 Router A recognized s to mean show but it did not recognize v.
Enter the following command:
Router>#s v?
vc-group version vlan-range vlan-switch
vlans voice voip vpdn
vrrp vsp vtemplate vtp
In this case v could be the first letter in 12 different words.
On a real 2800 device you would get the output with 12 different words. This program
does not have 12 different words; therefore, your output will be different.
Try this:
2811A#s v?
Version
Router>#s ver
Cisco IOS Software, 2800 Software (C2800NM-ADVIPSERVICESK9-M), Version 12.4(9)
T1, RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2006 by Cisco Systems, Inc.
[output cut]
The 2811 A router recognized s to mean show but it did not recognize v.
Enter the following command:
Router>#s v?
% incomplete command
Try this:
2811A#s ve?
Now you only have one word, so, the command s ve will work, along with sh ver,
show ver, etc.
4. The command show version will provide basic configuration for the system hardware
as well as the software version, the names and sources of configuration files, and the
boot images.
Router#sh ver [press the tab key]
Router#sh version
Cisco IOS Software, 2800 Software (C2800NM-ADVIPSERVICESK9-M), Version
12.4(12), RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2006 by Cisco Systems, Inc.
Compiled Fri 17-Nov-06 12:02 by prod_rel_team
ROM: System Bootstrap, Version 12.4(13r)T, RELEASE SOFTWARE (fc1)
Router uptime is 4 weeks, 6 days, 18 hours, 29 minutes
System returned to ROM by power-on
System image file is "flash:c2800nm-advipservicesk9-mz.124-12.bin"
This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.
A summary of U.S. laws governing Cisco cryptographic products may be found
at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
If you require further assistance please contact us by sending email to
export@cisco.com.
Cisco 2811 (revision 53.51) with 249856K/12288K bytes of memory.
Processor board ID FTX1048A54G
2 FastEthernet interfaces
4 Serial(sync/async) interfaces
DRAM configuration is 64 bits wide with parity enabled.
239K bytes of non-volatile configuration memory.
62720K bytes of ATA CompactFlash (Read/Write)
Configuration register is 0x2102
Router#
The version number can be found on the first line of output ...
Cisco IOS Software, 2800 Software (C2800NM-ADVIPSERVICESK9-M), Version 12.4(12),
RELEASE SOFTWARE (fc1).
The show version command gives you how long the router has been running, how it
was restarted, the IOS filename running, the model hardware and processor versions,
and the amount of DRAM. Also, the configuration register value is listed last. The
above router has 256 megabytes of RAM and 64 megabytes of Flash.
5. You can view the router files by typing the command show running-config or show
startup-config from privileged mode. The sh run command, which is the shortcut for
show running-config, tells us that we are viewing the current configuration.
Router#sh run
Building configuration...
Current configuration : 874 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
[cut]
6. The sh start command, which is the shortcut for the show startup-config command,
shows us the configuration that will be used the next time the router is reloaded
and also shows us the amount of NVRAM used to store the startup-config file.
Router#sh start
Building configuration...
Current configuration : 874 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
[cut]
Tab Completion Function
Most of the time you will use shortcut commands to configure devices because they
are quick and convenient. However, if for any reason you want to enter all the words in
a command, there is an alternative to manually entering every character. You can use
the Tab Completion function to spell out any word. Just type part of the word and then
press your tab key. It will complete the word. As shown in the earlier command in this
lab you can type sh ver and press the tab key. The word version will be spelled out.
7. You can delete the startup-config file by using the command erase startup-config.
Once you perform this command, you will receive an error if you try to view the
startup-config file.
Router#erase startup-config
Erasing the nvram file system will remove all configuration files! Continue?
[confirm] (press Enter)
[OK]
Erase of nvram: complete
Router#
00:13:30: %SYS-7-NV_BLOCK_INIT: Initialized the geometry of ...
[cut]
8. Verify that you have erased the startup configuration.
Router#sh start
startup-config is not present
Router#
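The prefix matching described under Shortcut Commands, the Tab Completion function, and the three error messages from Lab 1.4 can be modelled together in Python. This is an added example, not code from the book or from the RouterSim program; the command tree, the function names and the misspelled test input are constructed for illustration, and the model is a simplification, not the IOS parser itself.

```python
# Added example: simplified model of IOS-style keyword abbreviation.
# The command tree is constructed for illustration. "<cr>" marks a point
# where the command can be executed, as in the help output in the labs.
CR = "<cr>"
TREE = {
    "configure": {CR: {}, "terminal": {CR: {}}},
    "copy": {"running-config": {"startup-config": {CR: {}}}},
    "disable": {CR: {}},
    "enable": {CR: {}},
    "erase": {"startup-config": {CR: {}}},
    "show": {
        "history": {CR: {}},
        "running-config": {CR: {}},
        "sessions": {CR: {}},
        "startup-config": {CR: {}},
        "terminal": {CR: {}},
        "version": {CR: {}},
        "vlans": {CR: {}},
    },
}


def common_prefix_len(a, b):
    """Number of leading characters that a and b share."""
    n = 0
    for x, y in zip(a, b):
        if x != y:
            break
        n += 1
    return n


def resolve(line, tree=TREE):
    """Expand an abbreviated command line, word by word.

    Returns (status, detail):
      ("ok", expanded command)
      ("incomplete", expanded words so far)
      ("ambiguous", sorted list of candidate keywords)
      ("invalid", index in `line` where the caret marker belongs)
    """
    node, expanded, pos = tree, [], 0
    for raw in line.split():
        start = line.index(raw, pos)
        pos = start + len(raw)
        token = raw.lower()
        keywords = [k for k in node if k != CR]
        if token in keywords:
            matches = [token]  # a fully typed keyword is never ambiguous
        else:
            matches = sorted(k for k in keywords if k.startswith(token))
        if not matches:
            # The caret goes under the first character no keyword shares.
            best = max((common_prefix_len(token, k) for k in keywords), default=0)
            return ("invalid", start + best)
        if len(matches) > 1:
            return ("ambiguous", matches)
        expanded.append(matches[0])
        node = node[matches[0]]
    if CR not in node:
        return ("incomplete", " ".join(expanded))
    return ("ok", " ".join(expanded))


def tab_complete(line, tree=TREE):
    """Spell out the last word if it has exactly one completion."""
    words = line.split()
    status, detail = resolve(line, tree)
    if not words or status not in ("ok", "incomplete"):
        return line  # ambiguous or invalid: leave the input untouched
    head = line.rstrip()
    return head[: len(head) - len(words[-1])] + detail.split()[-1]


def render(line, prompt="Router#"):
    """Format the result the way the console messages in the labs look."""
    status, detail = resolve(line)
    if status == "ambiguous":
        return '% Ambiguous command: "{}"'.format(line)
    if status == "incomplete":
        return "% Incomplete command."
    if status == "invalid":
        caret = " " * (len(prompt) + detail) + "^"
        return caret + "\n% Invalid input detected at '^' marker."
    return detail


if __name__ == "__main__":
    for cmd in ("sh ver", "s v", "sh s", "erase", "show statup-config"):
        print("Router#" + cmd)
        print(render(cmd))
```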
Lab 1.6: Setting Passwords
There are five passwords used to secure Cisco routers.
• The first two passwords discussed in this lab are used to set your enable password,
which is used to secure privileged mode. This will prompt a user for a password when
the enable command is used.
• The other three are used to configure a password when user mode is accessed either
through the console port, the auxiliary port, or Telnet.
Lab Steps
1. On the Network Visualizer screen, double-click on 2811 Router A. This will bring up a
console screen.
2. Press Enter and the Router> prompt will appear. You are now in the user mode.
3. Change to the privileged mode.
Router>
Router>enable
Network Layout
Load the network layout you have been working with for labs in section 1.
4. Set the two enable passwords on your router. You set the enable passwords from
Global Configuration mode.
Router(config)#enable ?
last-resort Define enable action if no TACACS servers respond
password Assign the privileged level password
secret Assign the privileged level secret
use-tacacs Use TACACS to check enable passwords
The enable secret and enable password commands are the only enable passwords
that are supported in our program at this time.
Router(config)#enable secret todd
Router(config)#enable password cisco
Since the enable secret supersedes the enable password, don't bother to use the
enable password since it will never be used if the enable secret is set.
5. Set your user mode passwords by using the line command.
Router(config)#line ?
<0-1502> First Line number
aux Auxiliary line
console Primary terminal line
tty Terminal controller
vty Virtual terminal
x/y Slot/Port for Modems
x/y/z Slot/Subslot/Port for Modems
• Router(config)#line Aux is used to set the user-mode password for the auxiliary
port. This is typically used for configuring a modem on the router but can be used
as a console as well.
• Console is used to set a console user-mode password.
• Vty is used to set a Telnet password on the router. If the password is not set, then
Telnet cannot be used by default.
• This program does not support the tty and x/y and x/y/z modem line commands.
To configure the user mode passwords, you configure the line you want and use either
the login or no login command to tell the router to prompt for authentication.
6. Set the auxiliary password on your router. To configure the auxiliary password, go to
global configuration mode and type line aux ?. Notice that you only get a choice of 0-0
because there is only one port.
Router#config t
Enter configuration commands, one per line. End with CTRL/Z.
Router(config)#line aux ?
<0-0> First Line number
Router(config)#line aux 0
Router(config-line)#login
% Login disabled on line 65, until 'password' is set
Router(config-line)#password todd
Router(config-line)#login
It is important to remember the login command, or the auxiliary port won't prompt for
authentication. However, in the newer IOS that we are now running, the login command
cannot be set until you set a password. This feature was added because if
you set the login command and not a password, you are locked out from that line.
7. Set your console password on your router. To set the console password, use the line
console 0 command. However, notice that when we tried to type line console 0 ? from
the aux line configuration, we got an error. You can still type line console 0 and it will
accept it; however, the help screens do not work from that prompt. Type Exit to get
back one level if you want to use the help option.
Router(config-line)#line console ?
% Unrecognized command
Router(config-line)#exit
Router(config)#line console ?
<0-0> First Line number
Router(config)#line console 0
Router(config-line)#login
% Login disabled on line 0, until 'password' is set
Router(config-line)#password todd1
Router(config-line)#login
Since there is only one console port, we can only choose line console 0. The new login
feature works on the console line too.
8. Set the optional console port commands on your router. There are a few other important
commands to know for the console port.
The exec-timeout 0 0 command sets the timeout for the console EXEC session to
zero, or to never time out. To have fun with your friends at work, set it to 0 1, which
makes the console time out in 1 second! The way to fix that is to continually press the
down arrow key while changing the timeout time with your free hand.
Logging synchronous is a nice command, and I think it should be a default command,
but it is not. What this command provides is to stop console messages from popping up
and disrupting input you are trying to type. This command makes reading your input
messages much easier.
Here is an example of how to configure both commands:
Router(config)#line con 0
Router(config-line)#exec-timeout ?
<0-35791> Timeout in minutes
Router(config-line)#exec-timeout 0 ?
<0-2147483> Timeout in seconds
<cr>
Router(config-line)#exec-timeout 0 0
Router(config-line)#logging synchronous
9. Set your Telnet password on your router. To set the user-mode password for Telnet
access into the router, use the line vty command.
Router(config)#line vty 0 ?
<1-4> Last Line number
<cr>
Router(config)#line vty 0 1180
Router(config-line)#password todd2
Notice we did not use the login command with this line configuration. The login command
is set by default on the VTY lines, which stops anyone telnetting into the router until
you set a password.
If you try to telnet into a router that does not have a VTY password set, you will
receive an error stating that the connection is refused because the password is not set.
You can tell the router to allow Telnet connections without a password by using the no
login command.
By setting this next command, you will not be prompted for a password when telnetting
into the router. This is not recommended, but this is how you would do that:
Router(config-line)#line vty 0 4
Router(config-line)#no login
Router(config-line)#ctrl+z
Router#
After your routers are configured with an IP address, you can use the Telnet program to
configure and check your routers. You can use the Telnet program by typing telnet from
any command prompt (DOS or Cisco).
Lab 1.7: Encrypting Your Passwords
Only the enable secret password is encrypted by default. You need to manually configure
the user mode and enable passwords.
Lab Steps
1. On the Network Visualizer screen, double-click on 2811 Router A. This will bring up a
console screen.
2. Press Enter and the Router> prompt will appear. You are now in the user mode.
Change to the privileged mode.
Router>
Router>enable
3. Notice that you can see all the passwords except the enable secret when performing
a show running-config command on a router.
Router#sh run
Building configuration...
Current configuration : 874 bytes
!
version 12.4
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname Router
!
enable secret 5 $1$F/gZ$mNTwylb4ZJ4J1WW97nUJG.
enable password cisco
!
[output cut]
line con 0
password todd1
logging synchronous
login
line aux 0
password todd
login
line vty 0 4
password todd2
login
line vty 5 15
password todd2
login
!
!
end
Router#
The line ... enable secret 5 $1$F/gZ$mNTwylb4ZJ4J1WW97nUJG shows an encrypted
enable password.
4. To manually encrypt your passwords, use the service password-encryption command.
Here is an example of how to perform manual password encryption.
Router#config t
Enter configuration commands, one per line. End with CTRL/Z.
Router(config)#service password-encryption
Router(config)#exit
5. With the show running-config command, you can see that the enable password and the
line passwords are all encrypted. If you don't type show running-config, it does not
encrypt the passwords.
Router#show running-config
[cut]
hostname Router
!
enable secret 5 $1$F/gZ$mNTwylb4ZJ4J1WW97nUJG.
enable password 7 05080F1C2243
!
[cut]
!
line con 0
password 7 111D16011343
logging synchronous
login
line aux 0
password 7 044F04020B
login
line vty 0 4
password 7 051F090B251E
login
line vty 5 15
password 7 105A061D0145
login
!
6. Since the service password-encryption is a router process, you do not want to keep this
running in the background. Once you perform a show running-config and see the
encrypted passwords, turn off the process. After entering the command no service
password-encryption, your passwords will still be encrypted until they are reset.
Router#config t
Router(config)#no service password-encryption
Router(config)#ctrl+z
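An added example, not from the book: a small Python audit of a saved running-config that flags the settings covered in these labs that weaken access control (exec-timeout 0 0, no login on a line, and passwords stored in cleartext or as type 7). The sample config is constructed from the values shown in Lab 1.7, and the function and issue names are assumptions of this example. Type 7 is a reversible encoding rather than a hash, so it is reported separately from the type 5 enable secret.

```python
import re
from typing import List, NamedTuple

# Constructed sample, modelled on the running-config printed in Lab 1.7,
# with "exec-timeout 0 0" and "no login" added from the earlier steps.
SAMPLE_CONFIG = """\
no service password-encryption
!
hostname Router
!
enable secret 5 $1$F/gZ$mNTwylb4ZJ4J1WW97nUJG.
enable password cisco
!
line con 0
 exec-timeout 0 0
 password todd1
 logging synchronous
 login
line aux 0
 password 7 044F04020B
 login
line vty 0 4
 password todd2
 no login
line vty 5 15
 password 7 105A061D0145
 login
!
end
"""


class Finding(NamedTuple):
    line_no: int   # 1-based line number in the config text
    context: str   # "global" or the "line ..." section the command sits in
    issue: str     # short issue code (names are this example's own)


# "password <value>", "password <type> <value>", and the "enable" variants.
# Group 1 is the storage type digit when one is present.
PASSWORD_RE = re.compile(r"^(?:enable\s+)?(?:password|secret)\s+(?:(\d+)\s+)?\S")
# "exec-timeout 0 0" (or "exec-timeout 0") disables the idle timeout.
NO_TIMEOUT_RE = re.compile(r"^exec-timeout\s+0(?:\s+0)?$")
SECTION_RE = re.compile(r"^(?:line|interface)\s+\S")


def audit(config: str) -> List[Finding]:
    """Return the weak settings found in an IOS running-config.

    Sections are tracked by their opening line, not by indentation,
    because copied configs often lose their leading spaces.
    """
    findings = []
    context = "global"
    for line_no, raw in enumerate(config.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue
        if line in ("!", "end"):
            context = "global"          # "!" closes the current section
            continue
        if SECTION_RE.match(line):
            context = line
            continue

        match = PASSWORD_RE.match(line)
        if match:
            where = "global" if line.startswith("enable") else context
            ptype = match.group(1)
            if ptype in (None, "0"):
                findings.append(Finding(line_no, where, "plaintext-password"))
            elif ptype == "7":
                findings.append(Finding(line_no, where, "type7-password"))
            # Type 5 (hashed enable secret) is not reported.
            continue

        if context.startswith("line "):
            if line == "no login":
                findings.append(Finding(line_no, context, "no-login"))
            elif NO_TIMEOUT_RE.match(line):
                findings.append(Finding(line_no, context, "no-exec-timeout"))
    return findings


if __name__ == "__main__":
    # Report the location and issue only; never echo the password value.
    for f in audit(SAMPLE_CONFIG):
        print(f"config line {f.line_no:>2}  [{f.context}]  {f.issue}")
```

Run it against a config saved with show running-config; a line that reports no-login together with a password finding is the case Lab 1.6 calls "not recommended".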
Lab 1.8: Saving Your Configurations
If you have made changes to a device, you will want to permanently save the configurations.
Your running configuration is only in memory, and if something happened (for example,
if you lost power to a device), you would lose all unsaved entries. That is why you want to
save your running configurations (DRAM) to the permanently stored startup configurations
(NVRAM). You can manually save the file from DRAM to NVRAM by using the copy
running-config startup-config command. You can also use the shortcut copy run start.
Lab Steps
1. Save the configuration on 2811 Router A.
Router#copy run start
Destination filename [startup-config]?enter
Building configuration...
This will now place the file you created into NVRAM, which will be used the next
time the router is booted up.
2. You can view this file with the show startup-config command.
Router#show start
Lab 1.9: Setting Router Banners
You can set a banner on a Cisco router so that when either a user logs into the router or
an administrator telnets into the router, for example, a banner will give them information
you want them to have. Another reason for having a banner is to add a security notice to
users dialing into your internetwork.
Network Layout
Load the network layout you have been working with for labs in section 1.
The command is used from global configuration mode and is shown below:
Router(config)#banner ?
LINE c banner-text c, where 'c' is a delimiting character
exec Set EXEC process creation banner
incoming Set incoming terminal line banner
login Set login banner
motd Set Message of the Day banner
prompt-timeout Set Message for login authentication timeout
slip-ppp Set Message for SLIP/PPP
This program only supports the MOTD banner.
1. On the Network Visualizer screen, double-click on 2811 Router A. This will bring up a
console screen.
2. The Message of the Day is the most used and gives a message to every person dialing in
or connecting to the router, via Telnet, auxiliary port, or console port.
Router(config)#banner motd ?
LINE c banner-text c, where 'c' is a delimiting character
Router(config)#banner motd #
Enter TEXT message. End with the character '#'.
If you are not authorized to be in RouterSim.com network, then you must
disconnect immediately.
#
Router(config)#ctrl+z
Router#
00:25:12: %SYS-5-CONFIG_I: Configured from console by console
Router#exit
Router con0 is now available
Press RETURN to get started.
If you are not authorized to be in RouterSim.com network, then you must
disconnect immediately.
Router>
Lab 1.10: Configuring Interfaces for the 2621 Router
Interface configuration is one of the most important configurations of the router. Without
interfaces, the router is useless. Interface configurations must be exact to be able to
communicate with other devices. Interface configuration will be presented for three different
devices (in labs 1.10 - 1.12) so that you can see differences among the interfaces:
- 2621 Router
- 2811 Router
- 3560 Switch
Network Layout
Load the network layout you have been working with for labs in section 1.
Interfaces correspond to the physical ports available on a device. In this instance the
2621 router has two serial ports and two Fast Ethernet ports:
- s0/0
- s0/1
- fa0/0
- fa0/1
As you read through the following steps you will notice a correspondence between inter-
face and port names. This means you have to use the same names or shortcut commands as
the names of the ports.
Lab Steps
1. On the Network Visualizer screen, double-click on 2621 Router A. This will bring up
a console screen.
2. Press Enter and the Router> prompt will appear. You are now in the user mode.
3. Change to the privileged mode.
Router>
Router>enable
4. Change to the Global Configuration mode.
Router#config
Configuring from terminal, memory, or network [terminal]?enter
Enter configuration commands, one per line. End with CTRL/Z.
Router(config)#
5. Type interface ? to see all the interfaces available on the router.
Router(config)#interface ?
Async Async interface
BRI ISDN Basic Rate Interface
BVI Bridge-Group Virtual Interface
CTunnel CTunnel interface
Dialer Dialer interface
FastEthernet FastEthernet IEEE 802.3
Group-Async Async Group interface
Lex Lex interface
Loopback Loopback interface
MFR Multilink Frame Relay bundle interface
Multilink Multilink-group interface
Null Null interface
Tunnel Tunnel interface
Vif PGM Multicast Host interface
Virtual-Template Virtual Template interface
Virtual-TokenRing Virtual TokenRing
range interface range command
The output will vary depending on the type of router device you are connected to.
6. Type the command interface serial ?. To configure the 2621 router interfaces, the con-
figuration would be interface type slot/port. The output below shows a 2621 router
with 2 serial interfaces, which are labeled 0/0 and 0/1. The first option is the slot and
the second option is the port. Each 2621 has two slots that can be filled with physical
interfaces. The routers we use in this program only have interfaces in slot 0.
Router(config)#interface serial ?
<0-1> Serial interface number
Router(config)#int serial 0
% Incomplete command.
Router(config)#int serial 0?
/
Router(config)#int serial 0/?
<0-1> Serial interface number
7. At this point you must choose the interface you want to configure. Once you do that,
you will be in interface configuration for that interface. The command to choose serial
port 1, for example, would be:
Router(config)#interface serial 0/1
Router(config-if)#exit
8. The 2621 router also has two FastEthernet 10/100BaseT ports. For example, the
FastEthernet interface configuration is shown below:
Router(config)#interface fastethernet ?
<0-1> FastEthernet interface number
Router(config)#int fastethernet 0
% Incomplete command.
Router(config)#int fastethernet 0?
/
Router(config)#int fastethernet 0/?
<0-1> FastEthernet interface number
Notice that you cannot type int fastethernet 0/. You must type the full command,
which is type slot/port, or int fastethernet 0/0. You can type the shortcut int fa 0/0
as well.
9. At this point you must choose the interface you want to configure. Once you do that,
you will be in interface configuration for that interface. The command to choose Fast
Ethernet port 1, for example, would be:
Router(config)#int fastethernet 0/1
Router(config-if)#exit
Router(config)#>ctrl+z
Lab 1.11: Configuring Interfaces for the 2811 Router
Interface configuration is one of the most important configurations of the router. Without
interfaces, the router is useless. Interface configurations must be exact to be able to
communicate with other devices. Interface configuration will be presented for three different
devices (in labs 1.10 - 1.12) so that you can see differences among the interfaces:
- 2621 Router
- 2811 Router
- 3560 Switch
Interfaces correspond to the physical ports available on a device. In this instance the
2811 router has four serial ports and two Fast Ethernet ports:
- s0/0/0
- s0/0/1
- s0/1/0
- s0/1/1
- fe0/0
- fe0/1
Network Layout
Load the network layout you have been working with for labs in section 1.
As you read through the following steps you will notice a correspondence between inter-
face and port names. This means you have to use the same names or shortcut commands as
the names of the ports.
Lab Steps
1. On the Network Visualizer screen, double-click on 2811 Router A. This will bring up a
console screen.
2. Press Enter and the Router> prompt will appear. You are now in the user mode.
3. Change to the privileged mode.
Router>
Router>enable
4. Change to the Global Configuration mode.
Router#config
Configuring from terminal, memory, or network [terminal]?enter
Enter configuration commands, one per line. End with CTRL/Z.
Router(config)#
5. Type interface ? to see all the interfaces available on the router.
Router(config)#interface ?
Async Async interface
BVI Bridge-Group Virtual Interface
CDMA-Ix CDMA Ix interface
CTunnel CTunnel interface
Dialer Dialer interface
FastEthernet FastEthernet IEEE 802.3
Group-Async Async Group interface
Lex Lex interface
Loopback Loopback interface
MFR Multilink Frame Relay bundle interface
Multilink Multilink-group interface
Null Null interface
Port-channel Ethernet Channel of interfaces
Serial Serial
Tunnel Tunnel interface
Vif PGM Multicast Host interface
Virtual-PPP Virtual PPP interface
Virtual-Template Virtual Template interface
Virtual-TokenRing Virtual TokenRing
XTagATM Extended Tag ATM interface
range interface range command
The output will vary depending on the type of router device you are connected to.
6. Type the command interface serial ?. To configure the 2811 router interfaces, the con-
figuration would be interface type router/slot/port. The output below shows a 2811
router with 2 serial interfaces, which are labeled 0/0/0 and 0/0/1. The first option is
the router, the second option is the slot, and the third option is the port. Each 2811 has
two slots that can be filled with physical interfaces.
Router(config)#interface serial ?
<0-2> Serial interface number
Router(config)#int serial 0
% Incomplete command.
Router(config)#int serial 0?
/
Router(config)#int serial 0/?
<0-1> Serial interface number
Router(config)#int serial 0/0?
. / : <0-19>
Router(config)#int serial 0/0/?
<0-1> Serial interface number
7. At this point you must choose the interface you want to configure. Once you do that,
you will be in interface configuration for that interface. The command to choose serial
port 1, for example, would be:
Router(config)#interface serial 0/0/1
Router(config-if)#exit
8. The 2811 router also has two FastEthernet 10/100BaseT ports. For example, the
FastEthernet interface configuration is shown below:
Router(config)#interface fastethernet ?
<0-2> FastEthernet interface number
Router(config)#int fastethernet 0
% Incomplete command.
Router(config)#int fastethernet 0?
/
Router(config)#int fastethernet 0/?
<0-1> FastEthernet interface number
Notice that you cannot type int fastethernet 0/. You must type the full command,
which is type slot/port, or int fastethernet 0/0. You can type the shortcut int fa
0/0 as well.
9. At this point you must choose the interface you want to configure. Once you do that,
you will be in interface configuration for that interface. The command to implement
FastEthernet port 1, for example, would be:
Router(config)#int fastethernet 0/1
Router(config-if)#exit
Router(config)#>ctrl+z
Lab 1.12: Configuring Interfaces for the 3560 Switch
Interface configuration is one of the most important configurations of the switch. Without
interfaces, the switch is useless. Interface configurations must be exact to be able to
communicate with other devices. Interface configuration will be presented for three different
devices (in labs 1.10 - 1.12) so that you can see differences among the interfaces:
- 2621 Router
- 2811 Router
- 3560 Switch
Interfaces correspond to the physical ports available on a device. In this instance the
3560 switch has eight Fast Ethernet ports. As you read through the following steps you will
notice a correspondence between interface and port names. This means you have to use the
same names or shortcut commands as the names of the ports.
Network Layout
Load the network layout you have been working with for labs in section 1.
Lab Steps
1. On the Network Visualizer screen, double-click on 3560 Switch A. This will bring up a
console screen.
2. Press Enter and the Switch> prompt will appear. You are now in the user mode.
3. Change to the privileged mode.
Switch>
Switch>enable
4. Change to the Global Configuration mode.
Switch#config
Configuring from terminal, memory, or network [terminal]?enter
Enter configuration commands, one per line. End with CTRL/Z.
Switch(config)#
5. Type interface ? to see all the interfaces available on the switch.
Switch(config)#interface ?
Async Async interface
BVI Bridge-Group Virtual Interface
CTunnel CTunnel interface
Dialer Dialer interface
FastEthernet FastEthernet IEEE 802.3
Filter Filter interface
Filtergroup Filter Group interface
GigabitEthernet GigabitEthernet IEEE 802.3z
Group-Async Async Group interface
Lex Lex interface
Loopback Loopback interface
Null Null interface
Port-channel Ethernet Channel of interfaces
Portgroup Portgroup interface
Pos-channel POS Channel of interfaces
Tunnel Tunnel interface
Vif PGM Multicast Host interface
Virtual-Template Virtual Template interface
Virtual-TokenRing Virtual TokenRing
Vlan Catalyst Vlans
fcpa Fiber Channel
range interface range command
The output will vary depending on the type of router device you are connected to.
6. The 3560 switch has eight Fast Ethernet 10/100BaseT ports. For example, the Fast Eth-
ernet interface configuration is shown below:
Switch(config)#interface fastethernet ?
<0-0> FastEthernet interface number
Switch(config)#int fastethernet 0
% Incomplete command.
Switch(config)#int fastethernet 0?
/
Switch(config)#int fastethernet 0/?
<1-8> FastEthernet interface number
Notice that you cannot type int fastethernet 0/. You must type the full command,
which is type slot/port, or int fastethernet 0/0. You can type the shortcut int fa
0/0 as well.
7. At this point you must choose the interface you want to configure. Once you do that,
you will be in interface configuration for that interface. The command to implement
FastEthernet port 1, for example, would be:
Switch(config)#int fastethernet 0/1
Switch(config-if)#exit
Switch(config)#>ctrl+z
Lab 1.13: Bringing Up an Interface
By default, interfaces are shut down and turned off. That means that packets cannot travel
through the device to another connected device. You can turn an interface on with the no
shutdown command. You can turn off or shut down an interface with the shutdown com-
mand. You can check the status of an interface by using the show interface command.
If an interface is shut down, it will display administratively down when using the show
interface command, and the show running-config command will also show the interface
as shut down.
Lab Steps
1. On the Network Visualizer screen, double-click 2621 Router A. This will bring up a
console screen.
2. Press Enter and the Router> prompt will appear. You are now in the user mode.
3. Change to the privileged mode.
Router>
Router>enable
4. Type show interface fastethernet 0 and see that it is administratively down.
Router#show int fa0/0
FastEthernet0/0 is administratively down, line protocol is up
[output cut]
Network Layout
Load the network layout you have been working with for labs in section 1.
5. Bring up interface FastEthernet 0/0 with the no shutdown command.
Router#config t
Enter configuration commands, one per line. End with CTRL/Z.
Router(config)#int fa0/0
Router(config-if)#no shutdown
Router(config-if)#ctrl+z
00:57:08: %LINK-3-UPDOWN: Interface Fastethernet 0/0, changed state to up
00:57:09: %LINEPROTO-5-UPDOWN: Line protocol on Interface Fastethernet 0/0,
changed state to up
Router#sh int fa0/0
Fastethernet 0/0 is up, line protocol is up
6. Configure the router to enable all interfaces by issuing the no shutdown command on
all interfaces.
Interface and Connection States
There are four possible states you can see when examining whether interfaces are turned on
and devices are properly connected.
FastEthernet Interface
FastEthernet0/0 is administratively down, line protocol is down
There are a couple of possibilities with this current state:
- The two devices are not connected and each f0/0 interface on both routers is
explicitly shut down.
- The two devices are connected and each f0/0 interface on both routers is explicitly
shut down.
FastEthernet0/0 is up, line protocol is down
If the two devices are connected, this output means that one interface is turned up and
the other interface f0/0 is shut down.
Router(config)#int f0/0
Router(config-if)#no shut
23:03:18 %LINK-3-UPDOWN: Interface FastEthernet0/0, changed state to up
23:03:18 %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0,
changed state to up
FastEthernet0/0 is up, line protocol is up
This means that the routers are connected and the interfaces are turned on for both
routers with the no shut command.
Serial Interface
Serial0/0 is administratively down, line protocol is down
There are a couple of possibilities with this current state:
- The two devices are not connected and each s0/0 interface on both routers is
explicitly shut down.
- The two devices are connected and each s0/0 interface on both routers is explicitly
shut down.
Serial0/0 is down, line protocol is down
If the two devices are connected, this output means that one interface is turned up and
the other interface s0/0 is shut down.
Router(config)#int s0/0
Router(config-if)#no shut
23:03:18 %LINK-3-UPDOWN: Interface Serial0/0, changed state to up
23:03:18 %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0, changed
state to up
Serial0/0 is up, line protocol is up
This means that the routers are connected and the interfaces are turned on for both
routers with the no shut command.
Lab 1.14: Configuring an IP Address on an Interface
You don't have to use IP on your routers; however, IP is typically used on all routers and
it certainly is used in this program. To configure IP addresses on an interface, use the ip
address command from interface configuration mode.
Lab Steps
1. Configure the FastEthernet 0/0 interface on 2621 Router A with the IP address of
172.16.10.2/24.
Router#config t
Router(config)#int fa0/0
Router(config-if)#ip address 172.16.10.2 255.255.255.0
Router(config-if)#no shut
Notice that in order to enable an interface, we use the no shut command. Remember
to look at the command show interface fa0/0, for example, which will show you if
it is administratively shut down or not. The show running-config command will also show
you if the interface is shut down.
2. If you want to add a second subnet address to an interface, then you must use the sec-
ondary command.
If you type another IP address and press Enter, it will replace the existing IP address
and mask. To add a secondary IP address, use the secondary command.
Router(config-if)#ip address 172.16.20.2 255.255.255.0 secondary
Router(config-if)#ctrl+z
3. You can verify both addresses are configured on the interface with the show running-
config command (show run for short).
Router#show run
Building configuration...
Current configuration:
[output cut]
!
interface Fastethernet 0/0
ip address 172.16.20.2 255.255.255.0 secondary
ip address 172.16.10.2 255.255.255.0
IP address
Unique identification number for a device that is located on a network. An IP address is
equivalent to the address of your home. The format of an IP address is a 32-bit numeric
address written as four numbers separated by periods. Each number can be zero to
255. For example, 172.16.10.6 could be an IP address.
Subnet Address
A range of logical addresses within the address space of an organization. This allows
you to take one network and turn it into many more, smaller networks. This allows for
less network traffic on each network and faster and more efficient networks.
Lab 1.15: Serial Interface Commands
To configure a serial interface, there are a couple of specifics that need to be discussed.
Serial Interface
You have a connection between two devices where data is sent between the two, one
bit at a time. This occurs in only one direction at a time.
Typically, when in production, the interface will be attached to a CSU/DSU type of
device that provides clocking for the line. However, if you have a back-to-back
configuration used in a lab environment, for example, one end must provide clocking. This
would be the DCE end of the cable. Cisco routers, by default, are all DTE devices, and you must
tell an interface to provide clocking if it is to act as a DCE device. If you don't completely
understand this right now, don't worry, you will. Just run through the commands below for
now and I promise it will become clear to you later.
CSU/DSU
A telecommunication device used to connect a carrier circuit to a router. The carrier
circuit can be a DS1 or DS3, T1 or T3. The CSU/DSU converts the DS1 signal into a signal
that the local network can understand. The CSU/DSU also converts the signal from the
local network into a DS1 signal so it can be carried back across the DS1 circuit.
Network Layout
Load the network layout you have been working with for labs in section 1.
Lab Steps
1. Double-click on router 2621 Router A to bring up the console. Go to the privileged
mode.
2. You can configure a DCE serial interface with the clock rate command. Configure an
interface that has a DCE connection.
Router#config t
Enter configuration commands, one per line. End with CTRL/Z.
Router(config)#int s0/0
Router(config-if)#clock rate ?
Speed (bits per second)
1200
2400
4800
9600
19200
38400
56000
64000
72000
125000
148000
250000
500000
800000
1000000
1300000
2000000
4000000
<300-4000000> Choose clockrate from list above
Router(config-if)#clock rate 64000
Router(config-if)#int s0/1
Router(config-if)#clock rate 64000
It does not hurt anything to try and put a clock rate on an interface. Notice that the
clock rate command is in bits per second.
If you are not on an interface that is set to DCE, you will receive an error
when trying this command.
3. The next command you need to understand is the bandwidth command. Every Cisco
router ships with a default serial link bandwidth of a T1, or 1.544Mbps. However,
understand that this has nothing to do with how data is transferred over a link. The
bandwidth of a serial link is used by routing protocols such as IGRP, EIGRP, and
OSPF to calculate the best cost to a remote network. If you are using RIP routing, then
the bandwidth setting of a serial link is irrelevant.
Router(config-if)#bandwidth ?
<1-10000000> Bandwidth in kilobits
Router(config-if)#bandwidth 64
4. Notice that unlike the clock rate command, the bandwidth command is configured
in kilobits.
Lab 1.16: Setting the Router Hostnames
You can uniquely identify a device by giving it a hostname with the hostname command.
This is only locally significant for the administrator, which means it has no bearing
on how the router performs name lookups on the internetwork.
The default hostname is Router on a router and Switch on a switch. This
stays in effect until you intentionally change the hostname.
Lab Steps
1. Set the hostname of 2621 Router A.
Router(config-if)#ctrl+z
Router#config t
Enter configuration commands, one per line. End with CTRL/Z.
Router(config)#hostname 2621A
2621A(config)#
2. Notice that when you press Enter the command takes effect immediately.
Lab 1.17: Setting Interface Descriptions
Setting descriptions on an interface is helpful to the administrator and, like the hostname,
only locally significant. For example, this is a helpful command because it can be used to
keep track of circuit numbers.
Network Layout
Load the network layout you have been working with for labs in section 1.
Lab Steps
1. On 2621 Router A, set the description of interface FastEthernet 0/0 to Sales LAN and
the serial 0/0 interface to WAN to Miami with a circuit number of 6fdda4321.
2621A(config)#int fa0/0
2621A(config-if)#description Sales LAN
2621A(config-if)#int s0/0
2621A(config-if)#desc Wan to Miami circuit:6fdda4321
2. You can view the description of an interface either with the show running-config
command or the show interface command.
2621A#show run
[output cut]
interface FastEthernet0/0
description Sales LAN
ip address 172.16.20.2 255.255.255.0 secondary
ip address 172.16.10.2 255.255.255.0
no ip directed-broadcast
!
interface Serial0/0
description Wan to Miami circuit:6fdda4321
no ip address
no ip directed-broadcast
shutdown
2621A#show int fa0/0
FastEthernet 0/0 is up, line protocol is up
Hardware is AmdFE, address is 00b0.6483.2120 (bia 00b0.6483.2120)
Description: Sales LAN
[cut]
2621A#show int s0/0
Serial 0/0 is administratively down, line protocol is down
Hardware is HD64570
Description: Wan to Miami circuit:6fdda4321
[cut]
2621A#
Lab 1.18: Verifying Your Configuration
Once you take a look at the running-config, and it appears that everything is in order, you
can verify your configuration with utilities like Ping and Telnet.
Troubleshooting Tip
If you have a local-host-to-remote-host connection issue:
- Use the ping command to ping your PC's local IP address
- Use the ping command to ping your PC's default gateway
- Ping the IP address of the machine or web page you are trying to reach
- Traceroute the IP address of the machine or web page you are trying to reach
Whichever of the above tasks fails is where you should begin your search for
the connection issue. Always make sure to check that your subnets and masks are correct
from end to end.
Lab Steps
1. Bring up the console for 2621 Router A.
2. You can ping with different protocols, and you can see this by typing ping ? at the
router user mode or privileged mode prompt, but not configuration mode.
Network Layout
Load the network layout you have been working with for labs in section 1.
Ping
A diagnostic program that sees if a specific IP address is accessible. Packets are sent to
the specified location and if they return correctly, communication was successful. This
is used to verify connection to a remote host. Ping works at layer 3 of the OSI model.
2621A#ping ?
WORD Ping destination address or hostname
clns CLNS echo
ip IP echo
tag Tag encapsulated IP echo
<cr>
This program only supports IP ping at this time.
3. You can also use the traceroute program to find the path a packet takes as it traverses
an internetwork. Traceroute can also be used with multiple protocols.
2621A#traceroute ?
WORD Trace route to destination address or hostname
appletalk AppleTalk Trace
clns ISO CLNS Trace
ip IP Trace
ipv6 IPv6 Trace
ipx IPX Tra
<cr>
This program only supports IP with the trace command.
4. Telnet can be used to test IP connectivity and to gain access into remote routers. Once
you gain access into the remote router you can interact with the device as though you
are physically in front of it. From the router prompt, you do not need to type the telnet
command. If you just type a hostname or IP address, it will assume you want to telnet.
The following example shows how to use Telnet from a router prompt. However, you
need to have configured a working network and destination host for Telnet to be
successful. We will use Telnet more in other labs.
2621A#telnet ?
WORD IP address or hostname of a remote system
<cr>
Traceroute
A TCP/IP utility that allows a user to determine if two computers are communicating
successfully with each other. This network tool is used to determine the route taken by
packets across an IP network. The time and location of the route taken to reach its des-
tination computer is displayed. Traceroute works at layer 3 of the OSI model.
5. Another way to verify your configuration is by typing show interface commands. The first
command is show interface?, which shows us all the available configured or physical
interfaces for a device. The only interfaces that are not logical are FastEthernet and Serial.
2621A#show int ?
Async Async interface
BVI Bridge-Group Virtual Interface
CTunnel CTunnel interface
Dialer Dialer interface
FastEthernet FastEthernet IEEE 802.3
Loopback Loopback interface
MFR Multilink Frame Relay bundle interface
Multilink Multilink-group interface
Null Null interface
Serial Serial
Tunnel Tunnel interface
Vif PGM Multicast Host interface
Virtual-Template Virtual Template interface
Virtual-TokenRing Virtual TokenRing
accounting Show interface accounting
crb Show interface routing/bridging info
dampening Show interface dampening info
description Show interface description
irb Show interface routing/bridging info
mac-accounting Show interface MAC accounting info
mpls-exp Show interface MPLS experimental accounting info
precedence Show interface precedence accounting info
rate-limit Show interface rate-limit info
<cr>
6. You can be specific with the command and use show interface fastethernet 0/0, or
serial 0/0.
2621A#show int fa0/0
FastEthernet0/0 is up, line protocol is up
Hardware is AmdFE, address is 00b0.af40.3e18 (bia 00b0.af40.3e18)
Description: Sales Lan
Internet address is 172.16.10.2/24
MTU 1500 bytes, BW 100000 Kbit, DLY 100 usec,
reliablility 255/255, txload 1/255, rxload 1/255
Encapsulation ARPA, loopback not set
Keepalive set (10 sec)
Full -duplex, 100Mb/s, 100BaseTX/FX
ARP type: ARPA, ARP Timeout 04:00:00
Last input 00:00:50, output 00:00:04, output hang never
Last clearing of "show interface" counters never
Queueing strategy: fifo
Output queue 0/40, 0 drops; input queue 0/75, 0 drops
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 1000 bits/sec, 0 packets/sec
588 packets input, 74628 bytes
Received 588 broadcasts, 0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
0 watchdog, 0 multicast
0 input packets with dribble condition detected
231 packets output, 53712 bytes, 0 underruns
0 output errors, 0 collisions, 1 interface resets
0 babbles, 0 late collision, 0 deferred
0 lost carrier, 0 no carrier
0 output buffer failures, 0 output buffers swapped out
--More--
[output cut]
7. Use the show controllers command to display information about the physical interface
itself. It will also give you the type of serial cable plugged into a serial port. Typically
this will only be a DTE cable, which then plugs into a type of Data Service Unit (DSU).
2621A#show controllers s 0/0
Interface Serial0/0
Hardware is PowerQUICC MPC860
DCE V.35, clock rate 64000
idb at 0x813CA7B4, driver data structure at 0x813D1CE8
[output cut]
8. Clear all configurations. You will want to clear the configurations for any router for
which you have entered information, up to this point. This will allow you to configure
the devices according to the suggested labs without any extraneous information.
2621A#erase startup-config
Erasing the nvram filesystem will remove all configuration files! Continue?
[confirm]enter
[OK]
Erase of nvram: complete
2621A#
01:58:09: %SYS-7-NV_BLOCK_INIT: Initialized the geometry of nvram
2621A#reload
System configuration has been modified. Save? [yes/no]: no
Proceed with reload? [confirm] enter
Would you like to enter the initial configuration dialog? [yes/no]: n
Lab 1.19: do Command
The do command allows you to ping other devices and view configurations while in the global
configuration mode. Before IOS version 12.3, you could not use the do command. You had to
be in user or privileged mode in order to ping other devices or view configurations. However,
beginning with IOS version 12.3 you can use the do command in the configuration mode to
accomplish this. With IOS version 12.2 you can also use the do command if you have the IOS
Special Edition (SE). The do command is convenient because you do not have to exit the
current configuration mode and perform the command in the privileged mode.
With this program, there are three devices that will allow you to use the do command in
global configuration mode:
• 2811 router
• 2960 switch
• 3560 switch
Network Layout
Load the network layout you have been working with for labs in section 1.
Lab Steps
1. On the Network Visualizer screen, double-click on 2811 Router A. This will bring up a
console screen.
2. Press enter and the Router> prompt will appear. You are now in the user mode.
3. Change to the privileged mode.
Router>
Router>enable
4. Change to the Global Configuration mode. Perform the do show run command and
the do show int s 0/0/0 command.
Router#
Router#config t
Router(config)#do show run
Building configuration...
Current configuration : 3401 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
[output cut]
Router(config)#do show int s 0/0/0
Serial0/0/0 is administratively down, line protocol is down
Hardware is GT96K Serial
MTU 1500 bytes, BW 1544 Kbit, DLY 20000 usec,
reliablility 255/255, txload 1/255, rxload 1/255
Encapsulation HDLC, loopback not set
Keepalive set (10)
Last input 00:00:02, output 00:00:06, output hang never
Last clearing of "show interface" counters 02:41:59
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: weighted fair
Output queue: 0/1000/64/0 (size/max total/threshold/drops)
Conversations 0/1/256 (active/max active/max total)
Reserved Conversations 0/0 (allocated/max allocated)
Available Bandwidth 1158 kilobits/sec
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
1645 packets input, 100265 bytes, 0 no buffer
Received 1139 broadcasts, 0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
1662 packets output, 105842 bytes, 0 underruns
0 output errors, 0 collisions, 3 interface resets
0 output buffer failures, 0 output buffers swapped out
2 carrier transitions
DCD=up DSR=up DTR=up RTS=up CTS=up
5. On the Network Visualizer screen, double-click on 3560 Switch A. This will bring up a
console screen.
6. Press Enter and the Switch> prompt will appear. You are now in the user mode.
7. Change to the privileged mode.
Switch>
Switch>enable
8. Change to the global configuration mode. Perform the do show run command.
Switch#
Switch#config t
Switch(config)#do show run
Building configuration...
Current configuration : 898 bytes
!
version 12.2
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
no aaa new-model
system mtu routing 1500
ip subnet-zero
!
!
!
!
no file verify auto
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
interface FastEthernet0/1
[output cut]
IP Routing
Lab 2: Introduction to IP Routing
This section will discuss the IP routing process. This is an important subject to understand as
it pertains to all routers and configurations that use IP. IP routing is the process of moving
packets from one network to another network and delivering the packets to hosts. This section
will give you the background on how to configure and verify IP routing with Cisco routers.
The following labs are covered in this section:
• 2.1: Configuring the SDM for the 2811 Router
• 2.2: Connecting to the SDM using the 2811 Router
• 2.3: Configuring an Interface with SDM
• 2.4: Configuring DHCP with SDM
• 2.5: Configuring Other Items with SDM
• 2.6: Verifying Configurations with SDM
• 2.7: Configuring the Routers
• 2.8: Verifying the Configurations
• 2.9: Configuring Static Routing
• 2.10: Verifying Static Routing
• 2.11: Configuring and Verifying Hosts
• 2.12: Configuring Default Routing
• 2.13: Verifying Default Routing
• 2.14: Configuring RIPv2
• 2.15: Verifying RIPv2
• 2.16: Using Traceroute
• 2.17: Using Debug with a RIPv2 Network
• 2.18: Configure and Verify a Loopback Interface
• 2.19: Using ARP (Address Resolution Protocol)
The following commands are used in this section:
Command                     Meaning
debug ip igrp events        Provides a summary of the IGRP routing information running on the network
debug ip igrp transactions  Shows message requests from neighbor routers asking for an update and the broadcasts sent from your router towards that neighbor router
debug ip rip                Sends console messages displaying information about RIP packets being sent and received on a router interface
ip classless                Global configuration command used to tell a router to forward packets to a default route when the destination network is not in the routing table
ip route                    Creates static and default routes on a router
network                     Tells the routing protocol what network to advertise
no auto-summarization       Disables auto summarization
no ip route                 Removes a static or default route
router eigrp as             Turns on IP EIGRP routing on a router
router igrp as              Turns on IP IGRP routing on a router
router rip                  Turns on IP RIP routing on a router
show ip protocols           Shows the routing protocols and timers associated with each routing protocol configured on a router
show ip route               Displays the IP routing table
show protocols              Shows the routed protocols and network addresses configured on each interface
version 2                   Enables RIP version 2
Lab 2.1: Configuring the SDM for the 2811 Router
Cisco SDM is a Web-based device-management tool for routers. The SDM is a graphical
user interface that allows you to quickly configure the 2811 router. After the initial setup,
no interaction with the command line interface (CLI) is required.
Before you can use SDM, you must first manually configure 2811 Router
A with the CLI. In this lab we will configure 2811 Router A. Then, there are
two more steps that must be finished before you can launch the SDM:
1. Configure Host A because that is where we will launch SDM
2. Set up https services on the router so you can configure 2811
Router A via a secure web browser
Network Layout
Load SDMLayout.rsm before going through the following lab.
1. On the Network Visualizer screen, click on the File menu and then click Open.
2. When the dialog box appears, make sure you are in the Networks folder.
3. Click on the file SDM Layout.rsm and click Open.
Lab Steps
1. Double-click 2811 Router A. After the console screen comes up set the hostname and
IP addresses of each interface.
Router>enable
Router#config t
Router(config)#hostname 2811A
2811A(config)#interface fastethernet 0/0
2811A(config-if)#ip address 172.16.10.1 255.255.255.0
2811A(config-if)#no shutdown
2811A(config-if)#interface fastethernet0/1
2811A(config-if)#ip address 172.16.20.1 255.255.255.0
2811A(config-if)#no shutdown
2811A(config-if)#exit
2811A(config)#exit
2811A#copy run start
Destination filename [startup-config]? [enter]
Building configuration...
[OK]
2811A#
2. Close the console screen.
3. Right-click on Host A.
4. Click on the Configs button.
5. On Host A configure:
• IP Address
• Subnet Mask
• Default Gateway
IP Address: 172.16.10.5
Subnet Mask: 255.255.255.0
Default Gateway: 172.16.10.1
6. Click the OK button and then the Close button.
7. Bring up the console screen for 2811 Router A by double-clicking on the router. Verify
you can reach Host A.
2811A#ping 172.16.10.5
If all is well, you should get the following output from the router!
Sending 5, 100-byte ICMP Echos to 172.16.10.5, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/4 ms
2811A#
8. Configure HTTPS on the 2811 Router A and verify your configurations.
2811A#config t
2811A(config)#ip http server
2811A(config)#ip http secure-server
% Generating 1024 bit RSA keys, keys will be non-exportable...[OK]
2811A(config)#ip http authentication local
2811A(config)#username cisco privilege 15 password 0 cisco
2811A(config)#line console 0
2811A(config-line)#login local
2811A(config-line)#line vty 0 1180
2811A(config-line)#privilege level 15
2811A(config-line)#login local
2811A(config-line)#transport input telnet ssh
2811A(config-line)#exit
2811A(config)#do show run
Before IOS version 12.3, you could not use the do command. You had to
be in user or privileged mode in order to ping other devices or view
configurations. However, beginning with IOS version 12.3 you can use the
do command in the configuration mode to accomplish this.
You should now be able to launch the SDM.
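As an added example (not part of the original lab and not Cisco tooling), the Python check below scans configuration text for the step 8 settings that a review of a production router would question: the cleartext HTTP server left on beside HTTPS, a type 0 password that equals the username, Telnet on the vty lines, and privilege level 15 granted at vty login. Both sample configurations are constructed; the hardened one uses a placeholder username and hash, and the rule names are this example's own.

```python
import re

# Constructed sample: the settings entered in Lab 2.1, step 8, laid out the
# way they appear in "show run" output.
LAB_CONFIG = """\
no service password-encryption
username cisco privilege 15 password 0 cisco
ip http server
ip http secure-server
ip http authentication local
line con 0
 login local
line vty 0 1180
 privilege level 15
 login local
 transport input telnet ssh
"""

# Constructed sample: the same services with the weak settings replaced.
# The username and the type 5 hash are placeholders, not real values.
HARDENED_CONFIG = """\
service password-encryption
username admin privilege 15 secret 5 $1$placeholder$hashvalue
no ip http server
ip http secure-server
ip http authentication local
line con 0
 login local
line vty 0 1180
 login local
 transport input ssh
"""

# username <name> [options] password [<type>] <value>
USER_RE = re.compile(r"^username (\S+) (?:.* )?password (?:(\d) )?(\S+)$")


def audit(config_text):
    """Return a list of (rule_id, line_no, line) findings for IOS config text."""
    findings = []
    section = ""                      # most recent unindented (parent) line
    for line_no, raw in enumerate(config_text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if not raw.startswith(" "):
            section = line
        in_vty = raw.startswith(" ") and section.startswith("line vty")

        if line == "ip http server":
            # Port 80 management stays reachable even though HTTPS is enabled.
            findings.append(("HTTP-CLEARTEXT", line_no, line))
        elif line == "no service password-encryption":
            # Type 7 is only obfuscation, but without it passwords sit in the
            # configuration as typed; "secret" is the stronger option.
            findings.append(("PASSWORDS-NOT-OBSCURED", line_no, line))
        elif in_vty and line.startswith("transport input"):
            protocols = line.split()[2:]
            if "telnet" in protocols or "all" in protocols:
                findings.append(("VTY-TELNET", line_no, line))
        elif in_vty and line == "privilege level 15":
            findings.append(("VTY-PRIV15-AT-LOGIN", line_no, line))
        else:
            m = USER_RE.match(line)
            if m:
                name, ptype, value = m.group(1), m.group(2) or "0", m.group(3)
                if ptype == "0":
                    findings.append(("USER-CLEARTEXT-PASSWORD", line_no, line))
                    if value == name:
                        findings.append(("USER-PASSWORD-EQUALS-NAME", line_no, line))
    return findings


if __name__ == "__main__":
    for rule, line_no, line in audit(LAB_CONFIG):
        print(f"{rule:28} line {line_no}: {line}")
```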
Rename and Save Your File: Make sure you save the actual network layout file that
you have been working with. You might want to save it to another file name than SDM
Layout.rsm. This allows you to start over with a non-configured network if you wish.
1. There are two ways you can save a network layout. The first way is by clicking on the
Diskette button on the button bar, at the top of the Network Visualizer screen. You
can also click File on the menu and choose Save from the drop down menu.
2. A dialog box will appear. At the bottom you will see the file name SDMLayout.rsm.
Rename the file. For example, you could name it My SDM Layout.rsm.
3. Click the Save button. At this point your network layout has been saved to a new name.
You then have the option of reloading SDM Layout.rsm which is non-configured.
Lab 2.2: Connecting to the SDM using the 2811 Router
Now that we have configured 2811 Router A with HTTPS, we can launch SDM via Host A.
Lab Steps
1. Put your cursor over Host A and click your right mouse button.
Network Layout
Load SDM Layout.rsm or whatever you named the file when you saved your work in
the prior lab.
2. Click the Web Browser button.
3. When the web browser appears, enter the URL https://172.16.10.1 and press Enter.
4. Select Yes when the Security Alert Dialog appears.
The following screen may be different, depending on the web browser that
you use.
5. When the username and password dialog appears, enter the username and password
that you created, in Lab 5.1, Step 8.
Username: cisco
Password: cisco
6. The SDM Launch screen will appear.
Do not close this window; closing it will shut down the SDM. Just minimize the
window until you shut down SDM.
7. When the Warning Security Dialog appears, check the Always trust content from
publisher option and then select Yes.
8. When the username and password dialog appears again, enter the username and
password that you created, in Lab 2.1, Step 8.
Username: cisco
Password: cisco
9. When the Change Default User Name and Password dialog screen appears, change
your username and password.
You will not see the following screen after your initial launch of the SDM.
You will be prompted to enter the new username and password that you just created.
The SDM will load the configuration from router 2811A and you should now be connected
to the router via the SDM application.
10. When you are finished with the SDM, close the SDM application, SDM launch page,
and the Web browser.
Lab 2.3: Configuring an Interface with SDM
In this lab you will learn how to configure an IP address on a router interface of 2811
Router A, using the SDM.
You must manually configure the interface of 2811 Router A before using
the SDM to modify it. See Lab 2.1 on how to configure 2811 Router A. If the
SDM is not running, refer to Lab 2.2 on how to load it.
Network Layout
Load SDM Layout.rsm or whatever you named the file when you saved your work.
Now that you have the SDM application up and running, you will see the main
SDM window.
Lab Steps
1. Click on the Configure button (upper left corner of the screen) and a configuration
window is displayed.
2. Then click on the Interface and Connections button.
3. Click the Edit Interface/Connection tab, and the Edit Interface connection tab is
displayed.
4. Double click on the line that displays FastEthernet0/1.
. . . and the Interface Feature Edit Dialog screen appears:
5. With the Interface Feature Edit dialog open, you can enter a new IP Address and
subnet mask in the appropriate fields.
6. Click the OK button to change the IP Address and subnet mask or click the Cancel
button to exit. When a new configuration is sent to the router a Command Delivery
Status dialog appears.
When a new configuration is sent to the router a Command deliver window
appears.
7. Save your configuration by clicking the Save button at the top of the screen.
8. You will see the following dialog box. Click the Yes button to continue.
Lab 2.4: Configuring a DHCP Pool with SDM
This lab will have you use the SDM to configure a DHCP Pool on 2811 Router A.
You must manually configure the interface of 2811 Router A before using
the SDM to modify it. See Lab 2.1 on how to configure 2811 Router A. If the
SDM is not running, refer to Lab 2.2 on how to load it.
Network Layout
Load SDM Layout.rsm or whatever you named the file when you saved your work.
Lab Steps
1. Click on the Additional Tasks button located on the sidebar menu at the bottom left of
the screen. If the Additional Task button is not visible, scroll the side bar menu down
until it appears. The Additional Task window will appear.
2. Expand the DHCP tree item by clicking the plus sign next to DHCP.
3. Click on DHCP Pools and the DHCP Pools window will appear.
4. Click the Add button and the DHCP Pool Dialog screen will appear.
5. Configure your DHCP pool and then select the OK button.
When a new configuration is sent to the router a Command Delivery Status
window appears.
6. Save your configuration by clicking the Save button.
Lab 2.5: Configuring Other Items with SDM
This lab will have you use the SDM to configure the hostname, the banner (message of the
day), the IP domain-name, and the enable secret password.
You must manually configure the interface of 2811 Router A before using
the SDM to modify it. See Lab 2.1 on how to configure 2811 Router A. If the
SDM is not running, refer to Lab 2.2 on how to load it.
Network Layout
Load SDM Layout.rsm or whatever you named the file when you saved your work.
Lab Steps
1. Click on the Router Properties tree item and the Device Properties screen will appear.
2. Click the Edit button on the upper right side of the screen and the Device Properties
dialog screen will appear.
3. Enter a hostname, an IP domain-name, and the message of the day banner.
4. With the Device Properties dialog still open, click on the Secret Password tab and
configure your new password and then click OK.
When a new configuration is sent to the router a Command Delivery Status
dialog appears.
5. Save your configuration by clicking the Save button.
Lab 2.6: Verifying Your Configurations with SDM
This lab will have you verify your new router configurations.
You must manually configure the interface of the 2811 Router A before
using the SDM to modify it. See Lab 2.1 on how to configure 2811 Router A.
If the SDM is not running, refer to Lab 2.2 on how to load it.
Network Layout
Load SDMLayout.rsm or whatever you named the file when you saved your work.
Lab Steps
1. From your current SDM window, click on the Home button located at the top of the
screen. You should see the following screen:
2. Click on the View Running Config button on the middle right area of the screen. The
Show Running Configuration screen will appear.
3. Scroll through the running configuration so you can view your configurations.
4. Click the Close button when you are finished.
5. Close the SDM application.
Lab 2.7: Configuring the Routers
In this lab you will interact with routers, starting with 2621 Router A and working through
2811 Router A, and then finishing with 2621 Router B. After the configurations are complete,
we will then build the routing tables.
Lab Steps
1. Double-click 2621 Router A. After the console screen comes up set the
• Hostname
• Passwords
• Interface descriptions
• Banners
• IP addresses of each interface
Router>enable
Router#config t
Router(config)#hostname 2621A
2621A(config)#enable secret todd
2621A(config)#line console 0
2621A(config-line)#password todd
2621A(config-line)#login
2621A(config-line)#line aux 0
2621A(config-line)#password todd
Network Layout
Load Standard Layout.rsm before going through the following lab.
1. On the Network Visualizer screen, click on the File menu and then click Open.
2. When the dialog box appears, make sure you are in the Networks folder.
3. Click on the file Standard Layout.rsm and click Open.
2621A(config-line)#login
2621A(config-line)#line vty 0 4
2621A(config-line)#password todd
2621A(config-line)#login
2621A(config-line)#int fa0/0
2621A(config-if)#ip address 172.16.40.1 255.255.255.0
2621A(config-if)#description connection to LAN 40
2621A(config-if)#no shutdown
2621A(config-if)#int s0/0
2621A(config-if)#ip address 172.16.20.2 255.255.255.0
2621A(config-if)#description connection to 2811A
2621A(config-if)#no shutdown
2621A(config-if)#exit
2621A(config)#banner motd #
This is the router 2621A
#
2621A(config)#exit
2621A#copy run start
Destination filename [startup-config]? [enter]
Building configuration...
[OK]
2621A#
2. Double-click 2811 Router A. After the console screen comes up set the
• Hostname
• Passwords
• Interface descriptions
• Banners
• IP addresses of each interface
Router>enable
Router#config t
Router(config)#hostname 2811A
2811A(config)#enable secret todd
2811A(config)#line console 0
2811A(config-line)#password todd
2811A(config-line)#login
2811A(config-line)#line aux 0
2811A(config-line)#password todd
2811A(config-line)#login
2811A(config-line)#line vty 0 1180
2811A(config-line)#password todd
2811A(config-line)#login
2811A(config-line)#int fa0/0
2811A(config-if)#ip address 172.16.10.1 255.255.255.0
2811A(config-if)#description connection to LAN 10
2811A(config-if)#no shutdown
2811A(config-if)#int s0/1/1
2811A(config-if)#ip address 172.16.20.1 255.255.255.0
2811A(config-if)#description connection to 2621A
2811A(config-if)#no shutdown
2811A(config-if)#int s0/0/1
2811A(config-if)#ip address 172.16.30.1 255.255.255.0
2811A(config-if)#description connection to 2621B
2811A(config-if)#no shutdown
2811A(config-if)#exit
2811A(config)#banner motd #
This is the router 2811A
#
2811A(config)#exit
2811A#copy run start
Destination filename [startup-config]? [enter]
Building configuration...
[OK]
2811A#
Clock Rate
It is important to understand clocking on an interface. On a real connection, clocking
issues will typically cause data loss and/or packet errors. You will also see framing slips
on a carrier circuit when there is a clocking issue.
You do not have to set a clock rate if the DCE side of your connection is a 2811 router.
The clock rate for the serial interface is set by default to 2000000. However, on the 2621
router you still need to explicitly set the clock rate. In our lab the DCE side of the
connection is interface serial 0/1/1 and serial 0/0/1.
The DCE connection is associated with s0/1/1 and a clockrate of 2000000.
3. Double-click 2621 Router B. After the console screen comes up set the
• Hostname
• Passwords
• Interface descriptions
• Banners
• IP addresses of each interface
Router>enable
Router#config t
Router(config)#hostname 2621B
2621B(config)#enable secret todd
2621B(config)#line console 0
2621B(config-line)#password todd
2621B(config-line)#login
2621B(config-line)#line aux 0
2621B(config-line)#password todd
2621B(config-line)#login
2621B(config-line)#line vty 0 4
2621B(config-line)#password todd
2621B(config-line)#login
2621B(config-line)#int fa0/1
Finding DCE
DCE (data communications equipment) is the side of the connection that provides the
clocking. Unless it is a 2811 router, you would enter the clock rate on the DCE side of a
connection between routers. If you cannot remember what side of your connection is
DCE, you can use the show controllers command. Here is an example:
2811#show controllers s0/1/1
Interface Serial0/1/1
Hardware is GT96K
DCE V.35, clock rate 2000000
idb at 0x454E69C8, driver data structure at 0x454EE0EC
wic_info 0x454EE6E8
Physical Port 0, SCC Num 0
[output cut]
2621B(config-if)#ip address 172.16.50.1 255.255.255.0
2621B(config-if)#description connection to LAN 50
2621B(config-if)#no shutdown
2621B(config-if)#int s0/0
2621B(config-if)#ip address 172.16.30.2 255.255.255.0
2621B(config-if)#description connection to 2811A
2621B(config-if)#no shutdown
2621B(config-if)#exit
2621B(config)#banner motd #
This is the router 2621B
#
2621B(config)#exit
2621B#copy run start
Destination filename [startup-config]? [enter]
Building configuration...
[OK]
2621B#
Rename and Save Your File: Make sure you save the actual network layout file that you
have been working with. You might want to save it to another file name than Standard
Layout.rsm. This allows you to start over with a non-configured network if you wish.
1. There are two ways you can save a network layout. The first way is by clicking on the
Diskette button on the button bar, at the top of the Network Visualizer screen. You
can also click File on the menu and choose Save from the drop down menu.
2. A dialog box will appear. At the bottom you will see the file name Standard Layout.rsm.
Rename the file. In the following example it is renamed My Standard Layout.rsm.
3. Click the Save button. At this point your network layout has been saved to a new name.
You then have the option of reloading Standard Layout.rsm which is non-configured.
Lab 2.9: Configuring Static Routing
This lab will have you build the routing tables by hand, which means you will create static
routing tables on each router. This will allow you to route throughout the entire network.
At this point you can only route to directly connected networks of each router. Remember
that the routing will not work until all static routes are configured in all routers.
A static route is a manually hard coded routing statement that creates a route in the
routing table of a router. The static route specifies how the router will get to a certain network by
using a certain path. Static routing refers to the manual method used to set up routing. This
method has the advantage of being simple to create and predictable in its functionality. It is
easy to manage in small networks but in larger ones it is difficult to set up and manage all
possible static routes. Static routes are not dynamically responsive to topology changes in a
network.
Network Layout
Load Standard Layout.rsm or whatever you named the file when you saved your work.
Lab Steps
1. From 2621 Router A, use the ip route command to configure static routing. 2621
Router A is connected to networks 172.16.20.0 and 172.16.40.0 and a static route
must be configured for EVERY network that is not directly connected. The next hop
gateway is always 172.16.20.1 (router 2811 A).
2621A#config t
2621A(config)#ip route 172.16.10.0 255.255.255.0 172.16.20.1
2621A(config)#ip route 172.16.30.0 255.255.255.0 172.16.20.1
2621A(config)#ip route 172.16.50.0 255.255.255.0 172.16.20.1
2621A(config)#exit
2621A#copy run start
2. From 2621 Router B, use the ip route command to configure static routing. 2621
Router B is connected to networks 172.16.30.0 and 172.16.50.0 and a static route
must be configured for EVERY network that is not directly connected. The next hop
gateway is always 172.16.30.1 (router 2811 A).
2621B#config t
2621B(config)#ip route 172.16.10.0 255.255.255.0 172.16.30.1
2621B(config)#ip route 172.16.20.0 255.255.255.0 172.16.30.1
2621B(config)#ip route 172.16.40.0 255.255.255.0 172.16.30.1
2621B(config)#exit
2621B#copy run start
3. From 2811 Router A, use the ip route command to configure static routing. 2811
Router A is connected to networks 172.16.10.0, 172.16.20.0 and 172.16.30.0 and a
static route must be configured for EVERY network that is not directly connected. The
next hop gateway will be either to 2621 Router A or the 2621 Router B.
2811A#config t
2811A(config)#ip route 172.16.40.0 255.255.255.0 172.16.20.2
Anatomy of a Command: ip route 172.16.10.0 255.255.255.0 172.16.20.1
ip route        tells the system we are entering a static route
172.16.10.0     this is the destination IP network address, where we want to send packets
255.255.255.0   the mask of the destination IP network
172.16.20.1     the IP address of the next hop used to reach the destination address
2811A(config)#ip route 172.16.50.0 255.255.255.0 172.16.30.2
2811A(config)#exit
2811A#copy run start
Save Your File: Make sure you save the network layout file that you have been
working with.
Lab 2.10: Verifying Static Routing
It is important to be able to verify your configurations. The best command to use is show
ip route. However, if a route is not in your routing table, make sure it is correctly
configured in the running-config. If you see a routing entry in the running-config but it is not
in the routing table, check the entry for a typo. If it is correct, then make sure the link to
that network is up.
Directly Connected Routes
In the preceding set of ip route commands for 2811 Router A, routes are not estab-
lished for networks 20 and 30. 2811 Router A knows about these networks (routes)
because they are directly connected to the router. Therefore you do not have to enter
ip route commands for these two networks; only for networks that are not directly
connected to 2811 Router A, such as networks 40 and 50.
Network Layout
Load Standard Layout.rsm or whatever you named the file when you saved your work.
Lab Steps
1. From 2621 Router A, use the show ip route command to verify your routing table.
2621A#show ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, * - candidate
default
U - per-user static route, o - ODR, P - periodic downloaded static
route
T - traffic engineered route
Gateway of last resort is not set
172.16.0.0/24 is subnetted, 5 subnets
S 172.16.30.0 [1/0] via 172.16.20.1
C 172.16.40.0 is directly connected, FastEthernet0/0
S 172.16.50.0 [1/0] via 172.16.20.1
C 172.16.20.0 is directly connected, Serial0/0
S 172.16.10.0 [1/0] via 172.16.20.1
2621A#
Anatomy of a Routing Table

Output: 172.16.0.0/24 is subnetted, 5 subnets
Description: Class B network 172.16.0.0 is subnetted into 5 class C networks.
Metric: /24 means a class C network. The 5 subnetted Class C networks are:
172.16.50.0, 172.16.40.0, 172.16.30.0, 172.16.20.0, 172.16.10.0

Output: S 172.16.30.0 [1/0] via 172.16.20.1
Description: Any packets destined for network 172.16.30.0 are forwarded to the next hop
router with the IP address of 172.16.20.1.
Metric: S means the route is a static route and was manually added using the
ip route command. [1/0] is the administrative distance (1) and routing metric (0).

Output: C 172.16.40.0 is directly connected, FastEthernet0/0
Description: Any packets destined for network 172.16.40.0 are forwarded to the IP
address assigned to the FastEthernet0/0 interface.
Metric: C means the route is directly connected to the local router's FastEthernet0/0
interface. The route is automatically added to the local routing table when F0/0 is
assigned an IP address, has a physical cable connection, and is turned up for service.

Output: S 172.16.50.0 [1/0] via 172.16.20.1
Description: Any packets destined for network 172.16.50.0 are forwarded to the next hop
router with the IP address of 172.16.20.1.
Metric: S means the route is a static route and was manually added using the
ip route command. [1/0] is the administrative distance (1) and routing metric (0).

Output: C 172.16.20.0 is directly connected, Serial0/0
Description: Any packets destined for network 172.16.20.0 are forwarded to the IP address
assigned to the Serial0/0 interface.
Metric: C means the route is directly connected to the local router's Serial0/0
interface. The route is automatically added to the local routing table when S0/0 is
assigned an IP address, has a physical cable connection, and is turned up for service.

Output: S 172.16.10.0 [1/0] via 172.16.20.1
Description: Any packets destined for network 172.16.10.0 are forwarded to the next hop
router with the IP address of 172.16.20.1.
Metric: S means the route is a static route and was manually added using the
ip route command. [1/0] is the administrative distance (1) and routing metric (0).
2. From 2621 Router B, use the show ip route command to verify your routing table.
2621B#show ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, * - candidate
default
U - per-user static route, o - ODR, P - periodic downloaded static
route
T - traffic engineered route
Gateway of last resort is not set
172.16.0.0/24 is subnetted, 5 subnets
C 172.16.30.0 is directly connected, Serial0/0
S 172.16.40.0 [1/0] via 172.16.30.1
C 172.16.50.0 is directly connected, FastEthernet0/0
S 172.16.20.0 [1/0] via 172.16.30.1
S 172.16.10.0 [1/0] via 172.16.30.1
2621B#
3. From the 2811 Router A, use the show ip route command to verify your routing
table. We will purposely go into the global configuration mode in order to use the do
command.
2811A#config t
2811A(config)#do show ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, * - candidate default
U - per-user static route, o - ODR, P - periodic downloaded static route
T - traffic engineered route
Gateway of last resort is not set
172.16.0.0/24 is subnetted, 5 subnets
C 172.16.30.0 is directly connected, Serial0/0/1
S 172.16.40.0 [1/0] via 172.16.20.2
S 172.16.50.0 [1/0] via 172.16.30.2
C 172.16.20.0 is directly connected, Serial0/1/1
C 172.16.10.0 is directly connected, FastEthernet0/0
2811A#
4. Once you verify the routing tables in all routers, use the ping command to verify
IP connectivity between routers.
2621A#ping 172.16.50.1
2621A#ping 172.16.30.2
2621B#ping 172.16.40.1
2621B#ping 172.16.20.2
Practice Scenario: Basic Cisco Router Operations
Configuring Static or Default Routes
Now that you have learned about some concepts and completed some hands-on work, try
your problem-solving and troubleshooting skills with the following task. To complete your
task you will need a network to interact with a scenario and the task(s) at hand.
When you have finished with this scenario ...
You can check your work by clicking the Grade Me button in the upper right-hand corner of the Network Visualizer screen.
You will see a report that will display:
• The name of the command entered for this scenario
• The expected configuration
• Your configuration
• The result for each command. You will see a green check mark (meaning that you got it correct) or a red X
• A score of the number of correct answers out of the total possible
Turn On Hostnames
In some of the practice labs we refer to the hostname of a device. Therefore, we need to
make sure that Hostnames is turned on for this lab. On the Network Visualizer screen click
View and then click Hostnames so that it has a checkmark next to it.
Network Layout
On the Network Visualizer screen, click on the Labs menu then choose Practice Scenarios, Basic Cisco Router Operations, and Configuring Static or Default Routes - 1.
Scenario
The senior network administrator at Smoke-Alarm Inc. would like you to set up static routing on all network routers.
Task
• Configure static routing on the R&D_R1 router
• Configure static routing on the MARKETING_R1 router
• Configure static routing on the Plant-1 router
Lab 2.11: Configuring and Verifying the Hosts
We will now configure all the hosts in the network and then verify the configurations.
Lab Steps
1. Right-click on Host A.
Network Layout
Load the network layout you have been working with in section 2.
2. Click on the Configs button.
3. On Host A configure:
• IP address
• Subnet Mask
• Default Gateway
IP address: A unique identification number for a device that is located on a network. An IP address is equivalent to the address of your home. The format of an IP address is a 32-bit numeric address written as four numbers separated by periods. Each number can be zero to 255. For example, 172.16.10.6 could be an IP address.
subnet mask: When you split up an IP network, the subnet mask is used to determine what section or subnet the IP address of a networked device belongs to. An IP address has two parts, the network address and the host address.
Let's examine IP address 172.16.10.6. Assuming this is part of a Class B network, the first two numbers (172.16) represent the Class B network address, and the second two numbers (10.6) identify a particular host on this network.
default gateway: An IP address configured on a networked device that allows that device to communicate outside of its own subnet. A default gateway is usually a layer 3 device like a router. When a network device wants to get to the Internet, it uses a default gateway. A default gateway IP address is equivalent to the on-ramp of a highway.
IP Address: 172.16.10.5
Subnet Mask: 255.255.255.0
Default Gateway: 172.16.10.1
4. Click the OK button and then the Close button.
5. On Host B configure:
• IP address
• Subnet Mask
• Default Gateway
IP Address: 172.16.10.6
Subnet Mask: 255.255.255.0
Default Gateway: 172.16.10.1
6. Click the OK button and then the Close button.
7. On Host C configure:
• IP address
• Subnet Mask
• Default Gateway
IP Address: 172.16.10.7
Subnet Mask: 255.255.255.0
Default Gateway: 172.16.10.1
8. Click the OK button and then the Close button.
9. On Host D configure:
• IP address
• Subnet Mask
• Default Gateway
IP Address: 172.16.10.8
Subnet Mask: 255.255.255.0
Default Gateway: 172.16.10.1
10. Click the OK button and then the Close button.
11. On Host E configure:
• IP address
• Subnet Mask
• Default Gateway
IP Address: 172.16.40.3
Subnet Mask: 255.255.255.0
Default Gateway: 172.16.40.1
12. Click the OK button and then the Close button.
13. On Host F configure:
• IP address
• Subnet Mask
• Default Gateway
IP Address: 172.16.50.3
Subnet Mask: 255.255.255.0
Default Gateway: 172.16.50.1
14. Click the OK button and then the Close button.
15. From each host, ping all other hosts. Here is an example where we ping all other hosts from Host D.
16. Double-click Host D on the network.
C:\>ping 172.16.10.5
C:\>ping 172.16.10.6
C:\>ping 172.16.10.7
C:\>ping 172.16.40.3
C:\>ping 172.16.50.3
Save Your File: Make sure you save the network layout file that you have been working with.
Lab 2.12: Configuring Default Routing
Static routing is great in small networks, and is even better when you are trying to learn IP routing, since you really have to understand how the network works to make static routing perform correctly. Configuring default routing on a router is not like setting the default gateway on a host. Remember that a router is the default gateway and you cannot set a default gateway on a router. However, you can set what is called a Gateway of Last Resort.
You can only configure default routing on a router that is connected to a stub network, which means that there is not another router on the connected networks. In other words, there is only one way in and out. Routers 2621 A and 2621 B are stub routers to the LANs because they are the only way in and out of the LAN. Router 2811 A cannot use default routing because it is connected to multiple routes.
Gateway of Last Resort
If a packet is destined for a network that is not listed in the routing table, the router
will forward the packet to the default route.
To configure default routing, use the ip route command, but instead of using the network and subnet mask, you use all zeros (0s), which means all networks and all masks. You must also use the ip classless command when using default routing. This tells the router not to drop packets, but instead to forward them to the default route address.
Instead of typing all the commands by hand, you can use your up-arrow key to get the command you want to remove. Then press Ctrl+A to move your cursor to the beginning of the line, then type no and press Enter. This is just an easier way to remove the static routes.
Lab Steps
1. Before configuring routers 2621 A and B with default routing, you must remove the
static routes we created in lab 5.8. Use the no ip route command.
2621A#config t
2621A(config)#no ip route 172.16.10.0 255.255.255.0 172.16.20.1
2621A(config)#no ip route 172.16.30.0 255.255.255.0 172.16.20.1
2621A(config)#no ip route 172.16.50.0 255.255.255.0 172.16.20.1
2621A(config)#exit
Network Layout
Load the network layout you have been working with for labs in section 2.
2. Remove the static routes from 2621 Router B.
2621B#config t
2621B(config)#no ip route 172.16.10.0 255.255.255.0 172.16.30.1
2621B(config)#no ip route 172.16.20.0 255.255.255.0 172.16.30.1
2621B(config)#no ip route 172.16.40.0 255.255.255.0 172.16.30.1
2621B(config)#exit
3. Verify that 2621 Router A and 2621 Router B have only the directly connected networks in the routing table.
2621A#show ip route
[output cut]
Gateway of last resort is not set
172.16.0.0/24 is subnetted, 2 subnets
C 172.16.40.0 is directly connected, FastEthernet0/0
C 172.16.20.0 is directly connected, Serial0/0
2621B#show ip route
[output cut]
Gateway of last resort is not set
172.16.0.0/24 is subnetted, 2 subnets
C 172.16.30.0 is directly connected, Serial0/0
C 172.16.50.0 is directly connected, FastEthernet0/0
4. From the 2621 Router A, add the default route to 2811 Router A. The default route
command will tell the router to send all packets destined for any network not in the
routing table to the router 2811 A, which will then route the packet.
2621A#config t
2621A(config)#ip route 0.0.0.0 0.0.0.0 172.16.20.1
2621A(config)#ip classless
2621A(config)#exit
2621A#copy run start
Anatomy of a Command: no ip route 172.16.10.0 255.255.255.0 172.16.20.1
no ip route: tells the system we are removing a static route
172.16.10.0: the destination IP network address, where we want to send packets
255.255.255.0: the mask of the destination IP network
172.16.20.1: the IP address of the next hop used to reach the destination address
5. From 2621 Router B, add the default route to 2811 Router A. The default route command will tell the router to send all packets destined for any network not in the routing table to the router 2811 A, which will then route the packet.
2621B#config t
2621B(config)#ip route 0.0.0.0 0.0.0.0 172.16.30.1
2621B(config)#ip classless
2621B(config)#exit
2621B#copy run start
Save Your File: Make sure you save the network layout file that you have been working on.
Lab 2.13: Verifying Default Routing
To verify the configurations of the default route, use the show ip route and ping commands.
Anatomy of a Command: [default] ip route 0.0.0.0 0.0.0.0 172.16.20.1
ip route: tells the system we are adding a static route
0.0.0.0: a destination IP network address prefix that is not in the local routing table
0.0.0.0: a destination IP network mask prefix that is not in the local routing table
172.16.20.1: the IP address of the next-hop router where packets destined for networks that have no local routing table entry will be forwarded
Network Layout
Load the network layout you have been working with for labs in section 2.
1. Verify that the network is working by using the show ip route command on 2621
Router A to verify the routing tables.
2621A#show ip route
[output cut]
Gateway of last resort is 172.16.20.1 to network 0.0.0.0
172.16.0.0/24 is subnetted, 2 subnets
C 172.16.40.0 is directly connected, FastEthernet0/0
C 172.16.20.0 is directly connected, Serial0/0
S* 0.0.0.0 [1/0] via 172.16.20.1
2621B#show ip route
[output cut]
Gateway of last resort is 172.16.30.1 to network 0.0.0.0
172.16.0.0/24 is subnetted, 2 subnets
C 172.16.30.0 is directly connected, Serial0/0
C 172.16.50.0 is directly connected, FastEthernet0/0
S* 0.0.0.0 [1/0] via 172.16.30.1
The Gateway of Last Resort has now been set because a default route was
configured for each router. In 2621 Router B, for example, it is denoted by
the routing table entry S* 0.0.0.0 [1/0] via 172.16.30.1.
2. Verify your network is working. Ping each host from Host D. Double-click Host D on
the network.
C:\>ping 172.16.10.5
C:\>ping 172.16.10.6
C:\>ping 172.16.10.7
C:\>ping 172.16.40.3
C:\>ping 172.16.50.3
Save Your File: Make sure you save the network layout file that you have been working on.
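The lookup that Labs 2.12 and 2.13 exercise, as an added example that is not part of the original lab material: it parses the 2621 Router A tables shown in those labs and applies longest-prefix matching, so the same destination is unroutable before the default route exists and falls through to the S* entry afterwards. The function names are assumptions made for this example.

```python
import ipaddress
import re

# show ip route on 2621 Router A, copied from Lab 2.13 step 1
# (leading whitespace is not significant to the parser).
WITH_DEFAULT = """\
Gateway of last resort is 172.16.20.1 to network 0.0.0.0
172.16.0.0/24 is subnetted, 2 subnets
C 172.16.40.0 is directly connected, FastEthernet0/0
C 172.16.20.0 is directly connected, Serial0/0
S* 0.0.0.0 [1/0] via 172.16.20.1
"""

# The same router in Lab 2.12 step 3, before the default route was added.
WITHOUT_DEFAULT = """\
Gateway of last resort is not set
172.16.0.0/24 is subnetted, 2 subnets
C 172.16.40.0 is directly connected, FastEthernet0/0
C 172.16.20.0 is directly connected, Serial0/0
"""

# "172.16.0.0/24 is subnetted" carries the mask for the child entries below it.
PARENT = re.compile(r"^\d+\.\d+\.\d+\.\d+/(\d+) is (?:variably )?subnetted")
ENTRY = re.compile(r"^([A-Z]\*?)\s+(\d+\.\d+\.\d+\.\d+)(?:/(\d+))?\s+(.*)$")


def parse_routes(text):
    """Return a list of route dicts parsed from show ip route output."""
    routes, parent_len = [], None
    for raw in text.splitlines():
        line = raw.strip()
        parent = PARENT.match(line)
        if parent:
            parent_len = int(parent.group(1))
            continue
        entry = ENTRY.match(line)
        if not entry:
            continue  # legend, "Gateway of last resort", prompts, blank lines
        code, prefix, plen, rest = entry.groups()
        if prefix == "0.0.0.0":
            length = 0                 # default route: matches every address
        elif plen is not None:
            length = int(plen)
        elif parent_len is not None:
            length = parent_len
        else:
            continue                   # no mask available, skip the entry
        via = re.search(r"via (\d+\.\d+\.\d+\.\d+)", rest)
        iface = re.search(r"directly connected, (\S+)", rest)
        routes.append({
            "code": code,
            "network": ipaddress.ip_network(f"{prefix}/{length}"),
            "next_hop": via.group(1) if via else None,
            "interface": iface.group(1) if iface else None,
        })
    return routes


def lookup(routes, destination):
    """Longest-prefix match; None means the router has no route at all."""
    dst = ipaddress.ip_address(destination)
    matches = [r for r in routes if dst in r["network"]]
    if not matches:
        return None
    return max(matches, key=lambda r: r["network"].prefixlen)


if __name__ == "__main__":
    for label, table in (("before", WITHOUT_DEFAULT), ("after", WITH_DEFAULT)):
        hit = lookup(parse_routes(table), "172.16.10.5")
        print(label, "default route:", hit["code"] if hit else "no route")
```

A connected /24 always wins over the /0 default, which is why adding the default route does not change how 172.16.40.0 and 172.16.20.0 are reached.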
Practice Scenario: Basic Cisco Router Operations
Configuring Static or Default Routes
Now that you have learned about some concepts and completed some hands-on work, try
your problem-solving and troubleshooting skills with the following task. To complete your
task you will need a network to interact with a scenario and the task(s) at hand.
When you have finished with this scenario ...
You can check your work by clicking the Grade Me button in the upper right-hand corner of the Network Visualizer screen.
You will see a report that will display:
• The name of the command entered for this scenario
• The expected configuration
• Your configuration
• The result for each command. You will see a green check mark (meaning that you got it correct) or a red X
• A score of the number of correct answers out of the total possible
Network Layout
On the Network Visualizer screen, click on the Labs menu then choose Practice Scenarios, Basic Cisco Router Operations, and Configuring Static or Default Routes - 2.
Turn On Hostnames
In some of the practice labs we refer to the hostname of a device. Therefore, we need to
make sure that Hostnames is turned on for this lab. On the Network Visualizer screen click
View and then click Hostnames so that it has a checkmark next to it.
Scenario:
The senior network administrator at Widget Inc. would like you to set up default routing.
Task:
Configure default routing on the R&D_R1 router
Configure default routing on the Plant-1 router
Lab 2.14: Configuring RIPv2
This lab will have you configure RIPv2.
RIPv2: RIP does not carry subnet information. To overcome this, RIPv2 was created in 1994 to address some deficiencies in RIP. RIPv2 can carry subnet information. RIPv2 sends routing updates via multicast address 224.0.0.9. It also provides support for variable length subnet masks (VLSM) and discontiguous networking. RIPv2 is not automatically turned on with the router rip command. You must also specify it and use the version 2 command.
VLSM (Variable Length Subnet Mask): The network IP address 192.168.10.0/24 can be used to create subnets that have different subnet masks. You can create subnets 192.168.10.36/30 and 192.168.10.80/29 out of the 192.168.10.0/24 network IP address. You can use the 192.168.10.36/30 networks on your WAN links and 192.168.10.80/29 on one of your LAN segments. It is useful to use VLSM when you have different numbers of networked devices at each of your branch offices. VLSM helps IP administrators use their IP address resources more efficiently.
discontiguous networking: When a major network like 192.168.10.0 is separated by a different major network like 10.0.0.0. Example: The 192.168.10.0/24 network can be subnetted into two or more networks. The networks 192.168.10.36/30 and 192.168.10.80/29 are configured on different routers. The routers are using the 10.0.0.0 network to connect to each other, thus one major network is being separated by another major network.
Network Layout
Load the network layout you have been working with in ICND 2 labs.
Lab Steps
1. From 2621 Router A, configure RIP routing to use version 2.
2621A#config t
2621A(config)#router rip
2621A(config-router)#version 2
2621A(config-router)#ctrl+z
That's all there is to it! Since we have already added our directly connected networks under router rip in our last lab, we now just have to tell it to run version 2.
2. From 2621 Router B, configure RIP routing to use version 2.
2621B#config t
2621B(config)#router rip
2621B(config-router)#version 2
2621B(config-router)#ctrl+z
3. From the 2811 Router A, configure RIP routing to use version 2.
2811A#config t
2811A(config)#router rip
2811A(config-router)#version 2
2811A(config-router)#ctrl+z
Lab 2.16: Using Traceroute
With the traceroute command you can display a list of routers on a path from a source to
a destination in your network.
Lab Steps
We will first configure all the devices with IP addresses.
1. Double-click 2621 Router A. After the console screen comes up, configure interface s0/0.
Router>enable
Router#config t
Router(config)#hostname 2621A
2621A(config)#int s0/0
2621A(config-if)#ip address 172.16.20.2 255.255.255.0
2621A(config-if)#no shutdown
2621A(config-if)#ctrl+z
Network Layout
Load Traceroute Layout.rsm before going through the following lab.
1. On the Network Visualizer screen, click on the File menu and then click Open.
2. When the dialog box appears, make sure you are in the Networks folder.
3. Click on the file Traceroute Layout.rsm and click Open.
2621A#copy run start
Destination filename [startup-config]? [enter]
Building configuration...
[OK]
2621A#
2. Bring up the console for 2811 Router A. After the console screen comes up, configure the interfaces.
Router>enable
Router#config t
Router(config)#hostname 2811A
2811A(config)#int s0/1/1
2811A(config-if)#ip address 172.16.20.1 255.255.255.0
2811A(config-if)#no shutdown
2811A(config-if)#int s0/0/1
2811A(config-if)#ip address 172.16.30.1 255.255.255.0
2811A(config-if)#no shutdown
2811A(config-if)#ctrl+z
2811A#copy run start
Destination filename [startup-config]? [enter]
Building configuration...
[OK]
2811A#
Please Note: You do not have to set the DCE connection associated with s0/1/1 which
has a clockrate of 2000000. It is there by default.
3. Double-click 2621 Router B. After the console screen comes up configure interface s0/0.
Router>enable
Router#config t
Router(config)#hostname 2621B
2621B(config)#int s0/0
2621B(config-if)#ip address 172.16.30.2 255.255.255.0
2621B(config-if)#no shutdown
2621B(config-if)#ctrl+z
2621B#copy run start
Destination filename [startup-config]? [enter]
Building configuration...
[OK]
2621B#
4. On each of the 2621 routers, enter the command show ip route. You should only see directly connected networks in the routing table.
2621B#show ip route
172.16.0.0/24 is subnetted, 1 subnets
C 172.16.30.0 is directly connected, Serial0/0
2621A#show ip route
172.16.0.0/24 is subnetted, 1 subnets
C 172.16.20.0 is directly connected, Serial0/0
Configure each device with RIPv2
5. From 2621 Router A, configure RIP routing to use version 2.
2621A#config t
2621A(config)#router rip
2621A(config-router)#version 2
2621A(config-router)#network 172.16.0.0
2621A(config-router)#ctrl+z
6. From 2621 Router B, configure RIP routing to use version 2.
2621B#config t
2621B(config)#router rip
2621B(config-router)#version 2
2621B(config-router)#network 172.16.0.0
2621B(config-router)#ctrl+z
7. From 2811 Router A, configure RIP routing to use version 2.
2811A#config t
2811A(config)#router rip
2811A(config-router)#version 2
2811A(config-router)#network 172.16.0.0
2811A(config-router)#ctrl+z
Verify RIPv2 configurations
8. On both 2621 routers, use the show ip route command to verify the routing table. It
should now have entries for router rip.
2621A#show ip route
172.16.0.0/24 is subnetted, 2 subnets
R 172.16.30.0 [120/2] via 172.16.20.1, 00:00:20, Serial0/0
C 172.16.20.0 is directly connected, Serial0/0
9. From 2621 Router B, use the show ip route command to verify the routing table.
2621B#show ip route
172.16.0.0/24 is subnetted, 2 subnets
C 172.16.30.0 is directly connected, Serial0/0
R 172.16.20.0 [120/1] via 172.16.30.1, 00:00:24, Serial0/0
10. Ping the interfaces on 2811 Router A.
From 2621 Router A, ping s0/0/1 on 2811 Router A. It should succeed.
2621A#ping 172.16.30.1
From 2621 Router B, ping s0/1/1 on 2811 Router A. It should succeed.
2621B#ping 172.16.20.1
Use Traceroute
12. On 2621 Router A, trace the route to interface s0/0 of 2621 Router B.
2621A#traceroute 172.16.30.2
Type escape sequence to abort.
Tracing the route to 172.16.30.2
1 172.16.20.1 12 msec 14 msec 12 msec
2 172.16.30.2 32 msec * 28 msec
Save Your File: Make sure you save the network layout file that you have been working on. You might want to save it with a different network name than Traceroute Layout.rsm. That allows you to load the nonconfigured Traceroute Layout.rsm if you want to go through the lab again.
Lab 2.17: Using Debug with a RIPv2 Network
Other than using the traceroute command to view network activity, you can use the debug
command.
Network Layout
Load Traceroute Layout.rsm or whatever you named it in lab 2.16.
1. On the Network Visualizer screen, click on the File menu and then click Open.
2. When the dialog box appears, make sure you are in the Networks folder.
3. Click on the file Traceroute Layout.rsm and click Open.
Lab Steps
1. Double-click 2811 Router A. After the console screen comes up enter the command
debug ip rip. It will take several seconds for output to appear in the console.
2811A>enable
2811A#debug ip rip
*Feb 25 04:59:00.819: RIP: received v2 update from 172.16.20.2 on Serial0/1/1
*Feb 25 04:59:00.819: 172.16.30.0/24 via 0.0.0.0 in 3 hops
*Feb 25 04:59:00.819: 172.16.20.0/24 via 0.0.0.0 in 1 hops
*Feb 25 04:59:16.146: RIP: sending v2 update to 224.0.0.9 via Serial0/0/1 (172.16.30.1)
*Feb 25 04:59:16.146: RIP: build update entries
*Feb 25 04:59:16.146: 172.16.20.0/24 metric 1, tag 0
*Feb 25 04:59:16.146: 172.16.20.0/24 metric 1, tag 0
*Feb 25 04:59:16.147: RIP: sending v2 update to 224.0.0.9 via Serial0/1/1 (172.16.20.1)
*Feb 25 04:59:16.147: RIP: build update entries
*Feb 25 04:59:16.147: 172.16.30.0/24 metric 1, tag 0
*Feb 25 04:59:16.147: 172.16.30.0/24 metric 1, tag 0
*Feb 25 04:59:18.562: RIP: received v2 update from 172.16.30.2 on Serial0/0/1
*Feb 25 04:59:18.562: 172.16.30.0/24 via 0.0.0.0 in 1 hops
*Feb 25 04:59:18.562: 172.16.20.0/24 via 0.0.0.0 in 2 hops
2. The debug activity will keep displaying information until you stop it. Press any key to
stop information from displaying on the console screen. Then enter the no debug ip rip
command. You will then see confirmation that debugging has been turned off.
2811A#no debug ip rip
RIP protocol debugging is off
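Reading the debug ip rip output by program, as an added example that is not part of the original lab: it groups each received update with the routes it carried and checks the sender and prefixes against what this topology expects (172.16.20.2 on Serial0/1/1 and 172.16.30.2 on Serial0/0/1, from Lab 2.16). The log is the lab output with wrapped lines rejoined and duplicates dropped; the last update, from 172.16.30.77, and all function names are constructed for the example.

```python
import re

DEBUG_LOG = """\
*Feb 25 04:59:00.819: RIP: received v2 update from 172.16.20.2 on Serial0/1/1
*Feb 25 04:59:00.819: 172.16.30.0/24 via 0.0.0.0 in 3 hops
*Feb 25 04:59:00.819: 172.16.20.0/24 via 0.0.0.0 in 1 hops
*Feb 25 04:59:16.146: RIP: sending v2 update to 224.0.0.9 via Serial0/0/1 (172.16.30.1)
*Feb 25 04:59:16.146: RIP: build update entries
*Feb 25 04:59:16.146: 172.16.20.0/24 metric 1, tag 0
*Feb 25 04:59:18.562: RIP: received v2 update from 172.16.30.2 on Serial0/0/1
*Feb 25 04:59:18.562: 172.16.30.0/24 via 0.0.0.0 in 1 hops
*Feb 25 04:59:18.562: 172.16.20.0/24 via 0.0.0.0 in 2 hops
*Feb 25 04:59:21.004: RIP: received v2 update from 172.16.30.77 on Serial0/0/1
*Feb 25 04:59:21.004: 172.16.10.0/24 via 0.0.0.0 in 1 hops
"""

# Neighbors and networks taken from the Lab 2.16 addressing plan.
EXPECTED_NEIGHBORS = {
    "Serial0/1/1": {"172.16.20.2"},
    "Serial0/0/1": {"172.16.30.2"},
}
EXPECTED_PREFIXES = {"172.16.20.0/24", "172.16.30.0/24"}

RECEIVED = re.compile(r"RIP: received v(\d) update from (\S+) on (\S+)")
ROUTE = re.compile(r"(\d+\.\d+\.\d+\.\d+/\d+) via \S+ in (\d+) hops")


def parse_received(log):
    """Return one dict per received update, with the routes it advertised."""
    updates, current = [], None
    for line in log.splitlines():
        header = RECEIVED.search(line)
        if header:
            current = {
                "version": int(header.group(1)),
                "source": header.group(2),
                "interface": header.group(3),
                "routes": [],
            }
            updates.append(current)
            continue
        if "RIP: sending" in line or "RIP: build update entries" in line:
            current = None  # what follows describes our own outgoing update
            continue
        route = ROUTE.search(line)
        if route and current is not None:
            current["routes"].append((route.group(1), int(route.group(2))))
    return updates


def audit(updates, neighbors=EXPECTED_NEIGHBORS, prefixes=EXPECTED_PREFIXES):
    """List (source, interface, reason) for anything outside the plan."""
    findings = []
    for update in updates:
        allowed = neighbors.get(update["interface"], set())
        if update["source"] not in allowed:
            findings.append(
                (update["source"], update["interface"], "unexpected RIP speaker"))
        for prefix, _hops in update["routes"]:
            if prefix not in prefixes:
                findings.append(
                    (update["source"], update["interface"],
                     f"unexpected prefix {prefix}"))
    return findings


if __name__ == "__main__":
    for finding in audit(parse_received(DEBUG_LOG)):
        print(finding)
```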
Lab 2.18: Configuring and Verifying a Loopback Interface
A loopback interface is not a real, hardware-based interface like serial 0/0/0 or fa0/1. It is a logical or virtual interface that is always up, unlike a hardware interface that may be up or down. It is the best interface to ping in order to see if the router is up.
In this lab you will create a loopback network.
Lab Steps
1. Create a loopback interface on Router 2811 A.
2811A>en
2811A#config t
2811A(config)#int loopback 0
2. Enter an ip address for the loopback interface.
2811A(config-if)#ip address 172.16.40.1 255.255.255.0
Network Layout
Load Loopback Layout.rsm.
3. Verify the loopback interface on Router 2811 A.
2811A(config-if)#ctrl+z
2811A#show ip interface brief
Interface IP-Address OK? Method Status Protocol
FastEthernet0/0 172.16.10.1 YES manual up up
FastEthernet0/1 unassigned YES unset administratively down down
Serial0/0/0 unassigned YES unset administratively down down
Serial0/0/1 172.16.30.1 YES manual up up
Serial0/1/0 unassigned YES unset administratively down down
Serial0/1/1 172.16.20.1 YES manual up up
Loopback0 172.16.40.1 YES manual up up
4. From 2811 Router A, ping the loopback interface.
2811A#ping 172.16.40.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.40.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/4 ms
5. You can see the loopback entry in the running configs of 2811 Router A.
2811A#show run
!
!
interface Loopback0
ip address 172.16.40.1 255.255.255.0
!
interface FastEthernet0/0
description connection to LAN 10
ip address 172.16.10.1 255.255.255.0
no ip directed-broadcast
duplex auto
!
[output cut]
6. You should be able to successfully ping the loopback interface from another device. Go
to Router 2621 A and ping the loopback interface on 2811 Router A. Interface s0/0 is
administratively up.
2621A#ping 172.16.40.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.40.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/4 ms
7. Unlike the physical interfaces on a router, a loopback interface is virtual and can be
removed.
2811A#config t
2811A(config)#no interface loopback 0
2811A(config)#ctrl+z
2811A#
8. You can confirm the removal of loopback interface 0.
2811A#show run
!
!
!
interface FastEthernet0/0
description connection to LAN 10
ip address 172.16.10.1 255.255.255.0
no ip directed-broadcast
duplex auto
!
[output cut]
9. You can also use the show ip interface brief command to verify the removal of the
loopback interface.
2811A#show ip interface brief
Interface IP-Address OK? Method Status Protocol
FastEthernet0/0 172.16.10.1 YES manual up up
FastEthernet0/1 unassigned YES unset administratively down down
Serial0/0/0 unassigned YES unset administratively down down
Serial0/0/1 172.16.30.1 YES manual up up
Serial0/1/0 unassigned YES unset administratively down down
Serial0/1/1 172.16.20.1 YES manual up up
Lab 2.19: Using ARP (Address Resolution Protocol)
ARP finds the unique hardware address of network devices based on the IP addresses of the interface. If IP cannot find the hardware address of the destination, the system uses ARP to retrieve this information. In sending data (packets) the source must also have a destination MAC address. If the source does not know the MAC address of the destination, it has to get that address before data can be sent.
To obtain the unknown layer 2 address when the layer 3 address is known, the source
transmits an ARP Request. All devices on the path will see it but the only device that will
answer it is the one with the matching layer 3 address. That device will send an ARP Reply,
unicast back to the source. The sender will then have a MAC address to go with the IP
address and can then transmit.
Network Layout
Load ARP Layout.rsm before going through the following lab.
1. On the Network Visualizer screen, click on the File menu and then click Open.
2. When the dialog box appears, make sure you are in the Networks folder.
3. Click on the file ARP Layout.rsm and click Open.
Lab Steps
1. Bring up the console for 2811 Router A. After the console screen appears, create a
hostname.
Router>enable
Router#config t
Router(config)#hostname 2811A
2811A(config)#exit
2811A#
2. Before any devices are configured the ARP table should have no entries. Use the command
show arp to confirm this.
2811A#show arp
Protocol Address Age (min) Hardware Addr Type Interface
3. Configure 2811 Router A.
2811A#config t
2811A(config)#int fa0/1
2811A(config-if)#ip address 172.16.20.1 255.255.255.0
2811A(config-if)#no shutdown
2811A(config-if)#int fa0/0
2811A(config-if)#ip address 172.16.30.1 255.255.255.0
2811A(config-if)#no shutdown
2811A(config-if)#ctrl+z
2811A#
4. Use the show arp command on 2811 Router A to view the ARP table again. Notice the
unique mac addresses associated with the two IP addresses.
2811A#show arp
Protocol Address Age (min) Hardware Addr Type Interface
Internet 172.16.30.1 - 00b0.b250.5f37 ARPA FastEthernet0/0
Internet 172.16.20.1 - 00b0.8911.1e7e ARPA FastEthernet0/1
5. Double-click 2621 Router A. After the console screen comes up configure the interface.
Router>enable
Router#config t
Router(config)#hostname 2621A
2621A(config)#int fa0/0
2621A(config-if)#ip address 172.16.20.2 255.255.255.0
2621A(config-if)#no shutdown
2621A(config-if)#ctrl+z
2621A#
6. Double-click 2621 Router B. After the console screen comes up configure the interface.
Router>enable
Router#config t
Router(config)#hostname 2621B
2621B(config)#int fa0/0
2621B(config-if)#ip address 172.16.30.2 255.255.255.0
2621B(config-if)#no shutdown
2621B(config-if)#ctrl+z
2621B#
7. Go back to 2811 Router A and issue the show arp command. Notice that every IP address has an accompanying, unique MAC address or hardware address.
2811A#show arp
Protocol Address Age (min) Hardware Addr Type Interface
Internet 172.16.30.1 - 00b0.b250.5f37 ARPA FastEthernet0/0
Internet 172.16.20.2 30 00b0.76f0.f7c5 ARPA FastEthernet0/1
Internet 172.16.20.1 - 00b0.8911.1e7e ARPA FastEthernet0/1
Internet 172.16.0.2 28 00b0.1dc0.652f ARPA FastEthernet0/0
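The "every IP address has a unique MAC address" observation from step 7 can be checked by program. This added example, not part of the original lab, parses the show arp output from steps 4 and 7, reports what was learned between the two snapshots, and flags an IP whose MAC changed or a MAC that answers for more than one IP. The third snapshot and the function names are constructed for the example.

```python
# show arp on 2811 Router A, copied from Lab 2.19 steps 4 and 7.
STEP4 = """\
Protocol Address Age (min) Hardware Addr Type Interface
Internet 172.16.30.1 - 00b0.b250.5f37 ARPA FastEthernet0/0
Internet 172.16.20.1 - 00b0.8911.1e7e ARPA FastEthernet0/1
"""
STEP7 = """\
Protocol Address Age (min) Hardware Addr Type Interface
Internet 172.16.30.1 - 00b0.b250.5f37 ARPA FastEthernet0/0
Internet 172.16.20.2 30 00b0.76f0.f7c5 ARPA FastEthernet0/1
Internet 172.16.20.1 - 00b0.8911.1e7e ARPA FastEthernet0/1
Internet 172.16.0.2 28 00b0.1dc0.652f ARPA FastEthernet0/0
"""
# Constructed: the same table taken later, with 172.16.20.2 now resolving
# to the hardware address that already belongs to 172.16.0.2.
LATER = STEP7.replace("00b0.76f0.f7c5", "00b0.1dc0.652f")


def parse_arp(text):
    """Map IP address -> {mac, interface, local} from show arp output."""
    table = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 6 or fields[0] != "Internet":
            continue  # header row, prompts, blank lines
        _, ip, age, mac, _, interface = fields
        table[ip] = {
            "mac": mac.lower(),
            "interface": interface,
            "local": age == "-",  # "-" marks the router's own interfaces
        }
    return table


def diff_tables(before, after):
    """Compare two snapshots: new IPs, vanished IPs, IPs whose MAC changed."""
    new = sorted(ip for ip in after if ip not in before)
    gone = sorted(ip for ip in before if ip not in after)
    changed = sorted(
        (ip, before[ip]["mac"], after[ip]["mac"])
        for ip in after
        if ip in before and before[ip]["mac"] != after[ip]["mac"]
    )
    return {"new": new, "gone": gone, "changed": changed}


def shared_macs(table):
    """Return MAC -> [IPs] for every MAC that maps to more than one IP."""
    by_mac = {}
    for ip, entry in table.items():
        by_mac.setdefault(entry["mac"], []).append(ip)
    return {mac: sorted(ips) for mac, ips in by_mac.items() if len(ips) > 1}


if __name__ == "__main__":
    step4, step7, later = parse_arp(STEP4), parse_arp(STEP7), parse_arp(LATER)
    print("learned between steps 4 and 7:", diff_tables(step4, step7)["new"])
    print("changed afterwards:", diff_tables(step7, later)["changed"])
    print("MACs shared by several IPs:", shared_macs(later))
```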
Managing a Cisco Internetwork
Lab 3: Introduction to Managing a Cisco Internetwork
In this section, you will learn how to manage Cisco routers in an internetwork. The Internetworking Operating System (IOS) and configuration files reside in different locations in a Cisco device, and it is important to understand where these files are located and how they work.
Host E is running a TFTP server daemon and will be used in this section to both back up and restore the Cisco IOS and configuration of the 2621 A router.
The following labs are covered:
• 3.1: Password Recovery Techniques
• 3.2: Backing up a Cisco IOS to a TFTP server
• 3.3: Upgrading or restoring a Cisco IOS from a TFTP server
• 3.4: Backing up a Cisco router configuration using a TFTP server
• 3.5: Restoring a Cisco router configuration from a TFTP server
• 3.6: Using the Cisco Discovery Protocol to gather information about neighbor devices
• 3.7: Using Telnet
• 3.8: Using Secure Shell in Place of Telnet
• 3.9: Verifying Secure Shell in Place of Telnet
• 3.10: Creating a hosts table on a router and resolving host names to IP addresses
• 3.11: Configuring IGRP Routing
• 3.12: Verifying IGRP Routing
The commands covered in this section are as follows:
Command                                       Description
cdp enable                                    Turns on CDP on an individual interface
cdp holdtime                                  Changes the holdtime of CDP packets
cdp run                                       Turns on CDP on a router
cdp timer                                     Changes the CDP update timer
config-register (confreg)                     Tells the router how to boot and to change the configuration register setting
copy flash tftp                               Copies a file from flash memory to a tftp host
copy run start                                Copies the running-config file to the startup-config file
copy run tftp                                 Copies the running-config file to a tftp host
copy tftp flash                               Copies a file from a tftp host to flash memory
copy tftp run                                 Copies a configuration from a tftp host to the running-config file
Ctrl+Shift+6, then X (keyboard combination)   Used to take you back to the originating router when you telnet to numerous routers
disconnect                                    Disconnects a connection to a remote router from the originating router
erase startup-config                          Deletes the contents of NVRAM on a router
exit                                          Disconnects a connection to a remote router via Telnet
ip host                                       Creates a host table on a router
no cdp enable                                 Turns off CDP on an individual interface
no cdp run                                    Turns off CDP completely on a router
no ip host                                    Removes a hostname from a host table
o/r 0x2142                                    Changes a router to boot without using the contents of NVRAM
show cdp                                      Displays the CDP timer and holdtime frequencies
show cdp entry *                              Same as show cdp neighbor detail, but does not work on a 1900 switch
show cdp neighbor                             Shows the directly connected neighbor and the details about them
show cdp neighbor detail                      Shows the IP address and IOS version and type, and includes all of the information from the show cdp neighbor command
show cdp traffic                              Shows the CDP packets sent and received on a device and any errors
show flash                                    Views the files in flash memory
show hosts                                    Shows the contents of the host table
show run                                      Displays the running-config file
show sessions                                 Shows your connections via Telnet to remote devices
show start                                    Displays the startup-config file
show version                                  Displays the IOS type and version as well as the configuration register
Lab 3.1: Password Recovery Techniques
All Cisco routers have a 16-bit software register, which is written into NVRAM. By default, the configuration register is set to load the Cisco IOS from flash memory and to look for and load the startup-config file from NVRAM.
By changing the configuration register, you can perform password recovery on a Cisco router.
If you are locked out of a router because you forgot the password, you can change the configuration register to help you recover. Bit 6 in the configuration register is used to tell the router whether or not to use the contents of NVRAM to load a router configuration. The default configuration register value is 0x2102; bit 6 lies in the third hex digit (the 0), which means that bit 6 is off. With the default setting, the router will look for and load a router configuration stored in NVRAM (startup-config). To recover a password, you need to turn on bit 6, which will tell the router to ignore the NVRAM contents. The configuration register value to turn on bit 6 is 0x2142.
Network Layout
Load Standard Layout.rsm or whatever you named the file when you saved your work while working in section 2.
Lab Steps
1. You can see the current value of the configuration register by using the show version
command (sh version or show ver for short), as in the following example on 2621
Router A:
2621A#show version
Cisco Internetwork Operating System Software
IOS (tm) C2621 Software (C2621-BIN-M), Version 12.2(13)T1, RELEASE
SOFTWARE (fc1)
[output cut]
Configuration register is 0x2102
The last information given from this command is the value of the configuration register.
In this example, the value is 0x2102, which is the default setting.
2. You can change the configuration register by using the config-register command.
For example, the following commands tell the router to boot from ROM monitor mode
and then to verify the current configuration register value:
2621A(config)#config-register 0x0101
2621A(config)#ctrl+z
2621A#sh ver
[output cut]
Configuration register is 0x2102 (will be 0x0101 at next reload)
Notice that the show version command shows the current configuration register value,
as well as what it will be when the router reboots. Any change to the configuration register
will not take effect until the router is reloaded.
3. From 2621 Router A, type reload at the privileged mode prompt.
2621A#copy run start
2621A#reload
4. You will then see this output on your screen: System configuration has been modified. Save? [yes/no]: Press Y.
5. You will then be asked to confirm the reload. Press Enter.
6. When the router is rebooting, press and hold Ctrl+Break on the keyboard until it takes
you into ROM monitor mode.
System Bootstrap, Version 11.3(2)XA4, RELEASE SOFTWARE (fc1)
Copyright (c) 1999 by Cisco Systems, Inc.
TAC:Home:SW:IOS:Specials for info
PC = 0xfff0a530, Vector = 0x500, SP = 0x680127b0
C2621 platform with 32768 Kbytes of main memory
PC = 0xfff0a530, Vector = 0x500, SP = 0x80004374
monitor: command "boot" aborted due to user interrupt
rommon 1 >
7. To change the bit value on a Cisco 2621 series router, simply enter the confreg (meaning
config register) command at the rommon 1 > prompt:
rommon 1 >confreg 0x2142
You must reset or power cycle for new config to take effect.
8. At this point, reset the router.
rommon 1 >reset
9. When the router reloads, say no to entering setup mode.
10. Enter privileged mode and then type copy startup-config running-config.
11. Change your passwords and then save your configuration with the copy run start
command.
12. Change your configuration register back to 0x2102.
rommon 1 > confreg 0x2102
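The following Python check is an added example, not part of the lab or the simulator. It reads the Configuration register line from show version output and reports whether bit 6 is set now or will be after the next reload, which is how a router left at 0x2142 after a recovery gets noticed. The function names and the two constructed samples are assumptions; the first sample is the line shown in step 2.

```python
import re

IGNORE_NVRAM_BIT = 0x0040   # bit 6, the bit this lab turns on with 0x2142
DEFAULT_REGISTER = 0x2102   # default value stated in the lab

REGISTER_LINE = re.compile(
    r"Configuration register is (0x[0-9A-Fa-f]{1,4})"
    r"(?:\s*\(will be (0x[0-9A-Fa-f]{1,4}) at next reload\))?"
)


def ignores_nvram(value):
    """True when bit 6 is set, i.e. startup-config is skipped at boot."""
    return bool(value & IGNORE_NVRAM_BIT)


def audit_show_version(output):
    """Return (current, pending, findings) for one device's show version text.

    pending is None when no register change is queued for the next reload.
    """
    match = REGISTER_LINE.search(output)
    if match is None:
        raise ValueError("no configuration register line found")
    current = int(match.group(1), 16)
    pending = int(match.group(2), 16) if match.group(2) else None
    after_reload = pending if pending is not None else current

    findings = []
    if ignores_nvram(current):
        findings.append("booted with bit 6 set: startup-config was ignored")
    if ignores_nvram(after_reload):
        findings.append("next reload will ignore startup-config (bit 6 set)")
    if after_reload != DEFAULT_REGISTER:
        findings.append(
            f"register after reload is 0x{after_reload:04x}, "
            f"not the default 0x{DEFAULT_REGISTER:04x}"
        )
    return current, pending, findings


SAMPLES = {
    # From step 2 of the lab.
    "2621A (lab, step 2)":
        "Configuration register is 0x2102 (will be 0x0101 at next reload)",
    # Constructed: recovery finished but step 12 was never done.
    "constructed, left at 0x2142":
        "Configuration register is 0x2142",
    # Constructed: recovery finished and the default value is queued.
    "constructed, default queued":
        "Configuration register is 0x2142 (will be 0x2102 at next reload)",
}

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        current, pending, findings = audit_show_version(text)
        print(f"{name}: current=0x{current:04x}", findings or "OK")
```
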
Viewing Passwords on Net Configs screen
If you want to take a peek at all the passwords set for the currently loaded network, you
can view these on the Net Configs screen.
1. Click Tools on the main menu of the Network Visualizer screen. Then click the Net
Configs sub-menu selection. Or, right-click on the Network Visualizer screen
and choose Net Configs from the pop-up menu.
[Screenshots: from the main menu; from the pop-up window]
The following information will appear on the Net Configs screen, displaying passwords
for every network device.
Lab 3.11: Configuring IGRP Routing
Interior Gateway Routing Protocol (IGRP) is a Cisco proprietary distance vector routing
protocol. It is an updated RIP routing protocol that uses an administrative distance of
100, so it will automatically overwrite RIP found routes in the routing table. Also, it uses
Autonomous Systems (AS) to create groups of routers that share routing information.
Configuring IGRP is basically the same as configuring RIP, except that you choose your AS number.
All routers that you want to share information must use the same number.
Network Layout
Load IGRP Layout.rsm before going through the following lab.
1. On the Network Visualizer screen, click on the File menu and then click Open.
2. When the dialog box appears, make sure you are in the Networks folder.
3. Click on the file IGRP Layout.rsm and click Open. You should see the following
non-configured network:
Lab Steps
1. Double-click 2621 Router A. After the console screen comes up, perform the following
commands.
Router>enable
Router#config t
Router(config)#hostname 2621A
2621A(config)#interface serial 0/1
2621A(config-if)#ip address 172.16.10.2 255.255.255.0
2621A(config-if)#no shutdown
2621A(config-if)#exit
2621A(config)#exit
2621A#copy run start
Destination filename [startup-config]? [enter]
Building configuration...
[OK]
2621A#
2. Change the console screen so that you can enter configurations for 2621 Router B. Use the
console menu to achieve this. After the console screen comes up, perform the following
commands.
Router>enable
Router#config t
Router(config)#hostname 2621B
2621B(config)#interface serial 0/0
2621B(config-if)#clock rate 64000
2621B(config-if)#ip address 172.16.10.1 255.255.255.0
2621B(config-if)#no shutdown
2621B(config-if)#interface serial 0/1
2621B(config-if)#clock rate 64000
2621B(config-if)#ip address 172.16.20.1 255.255.255.0
2621B(config-if)#no shutdown
2621B(config-if)#exit
2621B(config)#exit
2621B#copy run start
Destination filename [startup-config]? [enter]
Building configuration...
[OK]
2621B#
3. Change the console screen so that you can enter configurations for 2621 Router C.
Use the console menu to achieve this. After the console screen comes up, perform the
following commands.
Router>enable
Router#config t
Router(config)#hostname 2621C
2621C(config)#interface serial 0/0
2621C(config-if)#ip address 172.16.20.2 255.255.255.0
2621C(config-if)#no shutdown
2621C(config-if)#exit
2621C(config)#exit
2621C#copy run start
Destination filename [startup-config]? [enter]
Building configuration...
[OK]
2621C#
4. Configure 2621 Router A to use IGRP with an AS of 10.
2621A#config t
2621A(config)#router igrp 10
2621A(config-router)#network 172.16.0.0
2621A(config-router)#ctrl+z
2621A#
5. Configure 2621 Router B to use IGRP with an AS of 10.
2621B#config t
2621B(config)#router igrp 10
2621B(config-router)#network 172.16.0.0
2621B(config-router)#ctrl+z
2621B#
6. Configure 2621 Router C to use IGRP with an AS of 10.
2621C#config t
2621C(config)#router igrp 10
2621C(config-router)#network 172.16.0.0
2621C(config-router)#ctrl+z
2621C#
Rename and Save Your File: Make sure you save the actual network layout file that
you have been working with. You might want to save it under a file name other than IGRP
Layout.rsm. This allows you to start over with a non-configured network if you wish.
1. There are two ways you can save a network layout. The first way is by clicking on the
Diskette button on the button bar, at the top of the Network Visualizer screen. You
can also click File on the menu and choose Save from the drop down menu.
2. A dialog box will appear. At the bottom you will see the file name IGRP Layout.rsm.
Rename the file. For example, you could name it My IGRP Layout.rsm.
3. Click the Save button. At this point your network layout has been saved to a new name.
You then have the option of reloading IGRP Layout.rsm which is non-configured.
Lab 3.12: Verifying IGRP Routing
Since IGRP has a better administrative distance than RIP, all the routing tables should
have IGRP found routes. Use the show ip route command and then the debugging tools
to verify IGRP.
Network Layout
Load IGRP Layout.rsm or whatever you named the file when you saved your work in
Lab 3.11.
Lab Steps
1. From 2621 Router A, use the show ip route command to verify the routing table.
2621A#show ip route
[output cut]
172.16.0.0/24 is subnetted, 2 subnets
I 172.16.20.0 [100/160250] via 172.16.10.1, 00:00:14, Serial0/1
C 172.16.10.0 is directly connected, Serial0/1
2621A#
Notice the routes marked I. These are the routes found by IGRP.
2. Use the show ip protocol command from 2621 Router A.
2621A#show ip protocol
Routing Protocol is "igrp 10"
Sending updates every 90 seconds, next due in 25 seconds
Invalid after 270 seconds, hold down 270, flushed after 630
Outgoing update filter list for all interfaces is not set
Incoming update filter list for all interfaces is not set
Default networks flagged in outgoing updates
Default networks accepted from incoming updates
IGRP metric weight K1=1, K2=0, K3=1, K4=0, K5=0
IGRP maximum hop count 100
IGRP maximum metric variance 1
Redistributing: igrp 10
Routing for networks:
172.16.0.0
Routing information sources:
Gateway Distance Last Update
172.16.10.1 100 00:01:05
Distance: <default is 100>
2621A#
Notice that the timer for IGRP to send out updates is every 90 seconds.
3. From 2621 Router B, use the show ip route command to verify the routing table.
2621B#show ip route
[output cut]
172.16.0.0/24 is subnetted, 2 subnets
C 172.16.20.0 is directly connected, Serial0/1
C 172.16.10.0 is directly connected, Serial
2621B#
Routing tables take a small amount of time to update.
4. From 2621 Router C, use the show ip route command to verify the routing table.
2621C#show ip route
172.16.0.0/24 is subnetted, 2 subnets
C 172.16.20.0 is directly connected, Serial0/0
I 172.16.10.0 [100/160250] via 172.16.20.1, 00:00:48, Serial0/0
2621C#
5. Use the debug ip igrp events command to see IGRP updates being sent and received
on the router. See above.
2621A#debug ip igrp events
IGRP protocol debugging is on
1d23h: IGRP: sending update to 255.255.255.255 via Serial0/1 <172.16.10.2>
1d23h: IGRP: Update contains 1 interior, 0 system, and 0 exterior routes.
1d23h: IGRP: Total routes in update: 1
2621A#
6. Turn off debugging with the no debug ip igrp events command, or the undebug all
command.
2621A#undebug all
7. Use the debug ip igrp transactions command to see a summary of the IGRP events
being processed on the router.
2621A#debug ip igrp transactions
IGRP protocol debugging is on
2621A#
1d23h: IGRP: sending update to 255.255.255.255 via Serial0/1 <172.16.10.2>
1d23h: subnet 172.16.10.0, metric=189250
2621A#
8. You can turn off the debug ip igrp transactions command.
2621A#no debug ip igrp transactions
Lab 3.2: Backing Up the Cisco IOS
Before you upgrade or restore a Cisco IOS, you should copy the existing file to a tftp host
as a backup in case the new image does not work. You can use any tftp host to perform
this function. By default, the flash memory in a router is used to store the Cisco IOS. The
following sections describe how to check the amount of flash memory, copy the Cisco IOS
from flash memory to a tftp host, and then copy the IOS from a tftp host to flash memory.
Lab Steps
1. Before you attempt to upgrade the Cisco IOS on your router with a new IOS file, you
should verify that your flash memory has enough room to hold the new image. You can
verify the amount of flash memory and the file or files being stored in flash memory by
using the show flash command:
2621A#show flash
System flash directory:
File Length Name/status
1 6973004 c2600-bin-mz.122-13.T1.bin
[6973068 bytes used, 1415540 available, 8388608 total]
8192K bytes of processor board System flash (Read/Write)
Flash Memory
Computer memory that can hold information even when the device is powered
down. Information can be written to and stored in this memory.
Network Layout
Load Standard Layout.rsm or whatever you named the file when you saved your work
while working in section 2.
2. The last line in the router output shows that the flash is 8192K or 8MB, which is
plenty of room for a new file that we want to use that is 6MB in size. Once you verify
that the flash memory can hold the IOS you want to copy into flash memory, you can
continue with your backup operation.
3. The key to success in this backup routine is to make sure you have good connectivity to
the tftp host. You can check this by pinging the device from the router console prompt,
as in the following example:
2621A#ping 172.16.40.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.40.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/8 ms
4. After you ping the tftp host to make sure that IP is working, you can use the copy
flash tftp command to copy the IOS to the tftp host, as shown below. Notice that
after you enter the command, the name of the file in flash memory is displayed. This
makes it easy for you.
2621A#copy flash tftp
Source filename []? c2600-bin-mz.122-13.T1.bin
Address or name of remote host []? 172.16.40.3
Destination filename [c2600-bin-mz.122-13.T1.bin]?(press enter)
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
[output cut]
6973004 bytes copied in 57.704 secs (120841 bytes/sec)
2621A#
5. In this example, the content of flash memory was copied successfully to the tftp host.
The address of the remote host is the IP address of the tftp host. The source filename
is the file in flash memory. This was a pretty simple process as long as your router can
talk to the tftp host.
Lab 3.3: Restoring or Upgrading the Cisco Router IOS
You may need to restore the Cisco IOS to flash memory to replace an original file that has
been damaged or to upgrade the IOS. You can download the file from a tftp host to flash
memory by using the copy tftp flash command. This command requires the IP address
of the tftp host and the name of the file you want to download to flash memory.
No real files are used in this lab. This is just an exercise to show how it
is done.
Lab Steps
1. Type the copy tftp flash command from 2621 Router A's privileged mode prompt. You
will see a message informing you that the router must reboot and run a ROM-based
IOS image to perform this operation:
2621A#copy tftp flash
Address or name of remote host []? 172.16.40.3
Source filename []? c2600-bin-mz.122-13.T1.bin
Destination filename [c2600-bin-mz.122-13.T1.bin]? (press enter)
%Warning:There is a file already existing with this name
Do you want to over write? [confirm] (press enter)
Accessing tftp://172.16.40.3/c2600-bin-mz.122-13.T1.bin...
Erase flash: before copying? [confirm] (press enter)
Erasing the flash filesystem will remove all files! Continue? [confirm]
(press enter)
Erasing device... eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee ...erased
Erase of flash: complete
Loading c2600-bin-mz.122-13.T1.bin from 1.1.1.1 (via FastEthernet0/0):
!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! [output cut]
2. After you tell the router where the file is and the filename, it asks you to confirm that
you understand the contents of flash memory will be erased as shown in the output
above. You are prompted twice, just to make sure that you really want to proceed with
erasing flash memory.
3. The row of e characters shows the contents of flash memory being erased. Each
exclamation point (!) means that one UDP segment has been successfully transferred.
Lab 3.4: Backing Up the Cisco Configuration
Any changes that you make to the router configuration are stored in the running-config file.
If you do not perform a copy run start command after you make a change to running-config,
that change will be gone if the router reboots or gets powered down. You may want
to make another backup of the configuration information as an extra precaution in case the
router or switch completely dies or for documentation. The following lab describes how to
copy the configuration of a router to a tftp host.
Network Layout
Load Standard Layout.rsm or whatever you named the file when you saved your work
while working in section 2.
Lab Steps
1. To copy the router's configuration from a router to a tftp host, you can use either the
copy running-config tftp or copy startup-config tftp command. Either command
will back up the router configuration that is currently running in DRAM or that
is stored in NVRAM.
2. To verify the configuration in DRAM, use the show running-config command (show
run for short), as follows:
2621A#show run
Building configuration...
Current configuration:
!
version 12.2
[output cut]
The current configuration information indicates that the router is now running version
12.2 of the IOS.
3. Next, you would check the configuration stored in NVRAM. To see this, use the show
startup-config command (show start for short), as follows:
2621A#show start
Using 781 out of 32762 bytes
!
version 12.2
[output cut]
The second line shows how much room your backup configuration is using. In this
example, NVRAM is 32KB and only 781 bytes of it are used. Notice that the version of
configuration in NVRAM is 12.2.
If you are not sure that the files are the same, and the running-config file is what you
want to use, then use the copy running-config startup-config command to make sure both files
are the same. By copying running-config to NVRAM as a backup, as shown below, you
are assured that your running-config will always be reloaded if the router gets rebooted.
2621A#copy run start
Destination filename [startup-config]?(press enter)
Building configuration...
[OK]
4. Now when you enter the show startup-config command, the version shows the latest
configuration.
2621A#show startup-config
Using 781 out of 32762 bytes
!
version 12.2
5. Once the file is copied to NVRAM, you can make a second backup to a tftp host by
using the copy running-config tftp command (copy run tftp for short), as follows:
2621A#copy run tftp
Address or name of remote host []? 172.16.40.3
Destination filename [2621A-confg]? enter
!!
487 bytes copied in 12.236 secs (40 bytes/sec)
2621A#
6. Notice that this took only two exclamation points (!), which are two UDP acknowledgments.
If you have a hostname configured, the command will automatically use the
hostname plus the extension -confg as the name of the file.
Lab 3.5: Restoring the Cisco Router Configuration from a TFTP Server
If you have changed your router's running-config and want to restore the configuration
to the version in startup-config, the easiest way to do this is to use the copy startup-config
running-config command (copy start run for short). You can also use the older
Cisco command, config mem, to restore a configuration. Of course, this will work only if
you first copied running-config into NVRAM before making any changes.
Network Layout
Load Standard Layout.rsm or whatever you named the file when you saved your work
while working in section 2.
Lab Steps
1. If you copied the router's configuration to a tftp host as a second backup, you can
restore the configuration using the copy tftp running-config command (copy tftp
run for short) or the copy tftp startup-config command (copy tftp start for
short), as shown below.
2621A#copy tftp run
Address or name of remote host []? 172.16.40.3
Source filename []? 2621A-confg
Destination filename [running-config]?(press enter)
Accessing tftp://172.16.40.3/2621A-confg...
Loading 2621A-confg from 172.16.40.3 (via Fastethernet 0/0):
!!
[OK - 487/4096 bytes]
487 bytes copied in 5.400 secs (97 bytes/sec)
2621A#
00:38:31: %SYS-5-CONFIG: Configured from tftp://172.16.40.3/2621A-confg
2621A#
2. After you copy your configuration from a tftp host to your router, you must then
enable your interfaces as they are automatically shut down.
Lab 3.6: Using the Cisco Discovery Protocol to Gather Information about Neighbor Devices
Cisco Discovery Protocol (CDP) is a proprietary protocol designed by Cisco to help administrators
collect information about both locally attached and remote devices. You can
gather hardware information, as well as protocol information about neighbor devices. This
information is useful for troubleshooting and documenting the network.
Network Layout
Load Standard Layout.rsm or whatever you named the file when you saved your work
while working in section 2.
Lab Steps
2621 Router A and 2621 Router B need to be configured in order for output
to appear when you go through this lab.
1. First gather CDP information on your router by getting CDP Timers and Holdtime
Information. Use the show cdp command (sh cdp for short) which shows information
about two CDP global parameters that can be configured on Cisco devices. The output
on a router looks like this:
2811A#show cdp
Global CDP information:
Sending CDP packets every 60 seconds
Sending a holdtime value of 180 seconds
Sending CDPv2 advertisements is enabled
2811A#
• CDP timer is how often CDP packets are transmitted to all active interfaces.
• CDP holdtime is the amount of time that the device will hold packets received
from neighbor devices.
Both the Cisco routers and the Cisco switches use the same parameters.
2. Use the global commands cdp holdtime and cdp timer to configure the CDP holdtime
and timer on a router.
2811A#config t
Enter configuration commands, one per line. End with CTRL/Z.
2811A(config)#cdp ?
advertise-v2 CDP sends version-2 advertisements
holdtime Specify the holdtime (in sec) to be sent in packets
log Log messages generated by CDP
run Enable CDP
source-interface Insert the interface's IP in all CDP packets
timer Specify rate (in sec) at which CDP packets are sent
2811A(config)#cdp timer 90
2811A(config)#cdp holdtime 240
2811A(config)#ctrl+z
3. You can turn off CDP completely on the router with the no cdp run command from
global configuration mode of a router. Enable CDP with the cdp run command.
2811A(config)#no cdp run
2811A(config)#cdp run
2811A(config)#ctrl+z
4. To turn off or on CDP on a router interface, use the no cdp enable and cdp enable
commands. Enable CDP on the interface with the cdp enable command.
2811A(config)#interface fastethernet 0/0
2811A(config-if)#no cdp enable
2811A(config-if)#cdp enable
2811A(config-if)#ctrl+z
5. The show cdp neighbor command (show cdp nei for short) shows information about
directly connected devices. It is important to remember that CDP packets are not
passed through a Cisco switch, and you only see what is directly attached. On a router
connected to a switch, you will not see the other devices connected to the switch. The
following output shows the show cdp neighbor command used on the 2811 A router.
2811A#show cdp nei
Device ID    Local Intrfce   Holdtme   Capability   Platform   Port ID
2621B        Ser 0/0         170       R            2621       Ser 0/0/1
2621A        Ser 0/0         170       R            2621       Ser 0/1/1
2811A#
The following table summarizes the information displayed by the show cdp neighbor
command for each device.
Field             Description
Device ID         The hostname of the device directly connected.
Local Interface   The port or interface on which you are receiving the CDP packet.
Holdtime          The amount of time the router will hold the information before discarding it if no more CDP packets are received.
Capability        The neighbor's capability, such as router, switch, or repeater. The capability codes are listed at the top of the command output.
Platform          The type of Cisco device. In the above output, a 2811 router, two 2621 routers, a 3550 switch, and a 3560 switch are attached.
Port ID           The neighbor device's port or interface on which the CDP packets are broadcasted out.
6. Another command that provides neighbor information is the show cdp neighbor
detail command (show cdp nei de for short), which also can be run on the router
or switch. This command shows detailed information about each device connected
to the device, as in the router output below.
2811A#show cdp neighbor detail
-------------------------
Device ID: 2621B
Entry address(es):
IP Address: 172.16.30.2
Platform: cisco 2621, Capabilities: Router
Interface: Serial0/0, Port ID (outgoing port): Serial0/0/1
Holdtime : 146 sec
Version :
Cisco Internetwork Operating System Software
IOS (tm) C2600 Software (C2600-BIN-M), Version 12.2(13)T1, RELEASE SOFTWARE
(fc1)
TAC Support: http://www.cisco.com/tac
Copyright (c) 1986-2003 by Cisco Systems, Inc.
Compiled Sat 04-Jan-03 05:58 by ccai
advertisement version: 2
-------------------------
Device ID: 2621A
Entry address(es):
IP Address: 172.16.20.2
Platform: cisco 2621, Capabilities: Router
Interface: Serial0/0, Port ID (outgoing port): Serial0/1/1
Holdtime : 146 sec
Version :
Cisco Internetwork Operating System Software
IOS (tm) C2600 Software (C2600-BIN-M), Version 12.2(13)T1, RELEASE SOFTWARE
(fc1)
TAC Support: http://www.cisco.com/tac
Copyright (c) 1986-2003 by Cisco Systems, Inc.
Compiled Sat 04-Jan-03 05:58 by ccai
advertisement version: 2
-------------------------
2811A#
The output above shows the hostname and IP address of the directly connected devices.
In addition to the same information displayed by the show cdp neighbor command, the
show cdp neighbor detail command also shows the IOS version of the neighbor device.
7. The show cdp entry * command displays the same information as the show cdp
neighbor detail command. The following is an example of the router output of
the show cdp entry * command.
2811A#show cdp entry *
-------------------------
Device ID: 2621B
Entry address(es):
IP Address: 172.16.30.2
Platform: cisco 2621, Capabilities: Router
Interface: Serial0/0, Port ID (outgoing port): Serial0/0/1
Holdtime : 146 sec
Version :
Cisco Internetwork Operating System Software
IOS (tm) C2600 Software (C2600-BIN-M), Version 12.2(13)T1, RELEASE SOFTWARE
(fc1)
TAC Support: http://www.cisco.com/tac
Copyright (c) 1986-2003 by Cisco Systems, Inc.
Compiled Sat 04-Jan-03 05:58 by ccai
advertisement version: 2
-------------------------
Device ID: 2621A
Entry address(es):
IP Address: 172.16.20.2
Platform: cisco 2621, Capabilities: Router
Interface: Serial0/0, Port ID (outgoing port): Serial0/1/1
Holdtime : 146 sec
Version :
Cisco Internetwork Operating System Software
IOS (tm) C2600 Software (C2600-BIN-M), Version 12.2(13)T1, RELEASE SOFTWARE
(fc1)
TAC Support: http://www.cisco.com/tac
Copyright (c) 1986-2003 by Cisco Systems, Inc.
Compiled Sat 04-Jan-03 05:58 by ccai
advertisement version: 2
-------------------------
2811A#
8. The show cdp traffic command displays information about interface traffic, including
the number of CDP packets sent and received and the errors with CDP. The following
output shows the show cdp traffic command used on a router.
2811A#show cdp traffic
CDP counters :
Total packets output: 14556, Input: 7366
Hdr syntax: 0, Chksum error: 0, Encaps failed: 0
No memory: 0, Invalid packet: 0, Fragmented: 0
CDP version 1 advertisements output: 0, Input: 0
CDP version 2 advertisements output: 14556, Input: 7366
2811A#
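CDP hands the hostname, IP address, platform and IOS version of a device to whatever is directly attached, so the show cdp neighbor detail output from step 6 is worth checking against what should be on each interface. The parser below is an added example, not part of the lab or of any Cisco tool; the EXPECTED inventory, the function names and the third neighbor entry are constructed assumptions.

```python
import re

# Output from step 6 of the lab, trimmed to the lines parsed here.
LAB_OUTPUT = """\
-------------------------
Device ID: 2621B
Entry address(es):
  IP Address: 172.16.30.2
Platform: cisco 2621, Capabilities: Router
Interface: Serial0/0, Port ID (outgoing port): Serial0/0/1
Holdtime : 146 sec
Version :
IOS (tm) C2600 Software (C2600-BIN-M), Version 12.2(13)T1, RELEASE SOFTWARE
advertisement version: 2
-------------------------
Device ID: 2621A
Entry address(es):
  IP Address: 172.16.20.2
Platform: cisco 2621, Capabilities: Router
Interface: Serial0/0, Port ID (outgoing port): Serial0/1/1
Holdtime : 146 sec
Version :
IOS (tm) C2600 Software (C2600-BIN-M), Version 12.2(13)T1, RELEASE SOFTWARE
advertisement version: 2
"""

# Constructed entry (not from the lab): a neighbor nobody expected on Fa0/0.
CONSTRUCTED_ENTRY = """\
-------------------------
Device ID: unknown-sw
Entry address(es):
  IP Address: 192.0.2.50
Platform: cisco EXAMPLE, Capabilities: Switch IGMP
Interface: FastEthernet0/0, Port ID (outgoing port): FastEthernet0/7
Holdtime : 171 sec
Version :
IOS (tm) EXAMPLE Software (EXAMPLE-M), Version 0.0(0)X, RELEASE SOFTWARE
advertisement version: 2
-------------------------
"""

# Hypothetical inventory: local interface -> device IDs allowed to appear there.
EXPECTED = {"Serial0/0": {"2621A", "2621B"}}

FIELDS = {
    "device_id": re.compile(r"^Device ID:\s*(\S+)", re.M),
    "ip": re.compile(r"^\s*IP Address:\s*(\S+)", re.M),
    "platform": re.compile(r"^Platform:\s*(.+?),\s*Capabilities:", re.M),
    "capabilities": re.compile(r"Capabilities:\s*(.+?)\s*$", re.M),
    "local_interface": re.compile(r"^Interface:\s*([^,]+),", re.M),
    "port_id": re.compile(r"Port ID \(outgoing port\):\s*(\S+)"),
    "holdtime": re.compile(r"^Holdtime\s*:\s*(\d+)\s*sec", re.M),
    "ios_version": re.compile(r"Version (\S+?),"),
}


def parse_cdp_detail(output):
    """Split the output on the dashed separators and extract one dict per neighbor."""
    neighbors = []
    for chunk in re.split(r"^-{5,}\s*$", output, flags=re.M):
        if "Device ID:" not in chunk:
            continue
        entry = {}
        for name, pattern in FIELDS.items():
            found = pattern.search(chunk)
            entry[name] = found.group(1).strip() if found else None
        if entry["holdtime"] is not None:
            entry["holdtime"] = int(entry["holdtime"])
        neighbors.append(entry)
    return neighbors


def review(neighbors, expected):
    """Return one finding per neighbor that the inventory does not list."""
    findings = []
    for n in neighbors:
        if n["device_id"] not in expected.get(n["local_interface"], set()):
            findings.append(
                f"{n['device_id']} on {n['local_interface']} is not in the "
                f"inventory (advertises {n['ip']}, IOS {n['ios_version']}); "
                f"consider no cdp enable on that interface"
            )
    return findings


if __name__ == "__main__":
    for finding in review(parse_cdp_detail(LAB_OUTPUT + CONSTRUCTED_ENTRY), EXPECTED):
        print(finding)
```
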
Lab 3.7: Using Telnet
Telnet is a virtual terminal protocol that is part of the TCP/IP protocol suite. Telnet allows
you to make connections to remote devices and gather information and run programs.
Starting a Telnet session and logging in to another device requires a valid username and password
on the destination hardware.
After your routers and switches are configured, you can use the Telnet program to
configure and check your routers and switches instead of needing to use a console cable.
You use the Telnet program by typing telnet from any command prompt (DOS or Cisco).
VTY passwords must be set on the routers for this to work.
You cannot use CDP to gather information about routers and switches that are not directly
connected to your device. However, you can use the Telnet application to connect to your
neighbor devices and then run CDP on those remote devices to gather CDP information about
remote devices.
In this lab we will telnet from 2621 Router B into 2621 Router A and 3550 Switch A. In
a prior lab we have configured 2621 Router A but now we need to configure 3550 Switch
A at the start of this lab.
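Whether a Telnet login succeeds, and whether the enable command works afterwards, depends on the VTY password and the enable password or enable secret in the configuration. The Python audit below is an added example, not part of the lab or the simulator; it checks a saved running-config for those settings and for line passwords stored in clear text. The function names, finding codes and sample configurations are assumptions, with the samples constructed from the commands this lab enters on 2621 Router A.

```python
import re

# Constructed from the lab: 2621A after the enable and VTY passwords are removed.
PASSWORDS_REMOVED = """\
hostname 2621A
!
line vty 0 4
 login
!
"""

# Constructed from the lab: 2621A after "password todd" is set on the VTY lines.
VTY_PASSWORD_SET = """\
hostname 2621A
!
line vty 0 4
 password todd
 login
!
"""

# Constructed, not from the lab: placeholder hash and type 7 string.
CONSTRUCTED_HARDENED = """\
hostname 2621A
enable secret 5 $1$CONSTRUCTED$placeholder
!
line vty 0 4
 password 7 00CONSTRUCTED00
 login
!
"""


def vty_sections(config):
    """Return [(header, [sub-commands])] for every 'line vty' block."""
    sections, current = [], None
    for raw in config.splitlines():
        if raw.startswith("line vty"):
            current = (raw.strip(), [])
            sections.append(current)
        elif raw.startswith(" ") and current is not None:
            current[1].append(raw.strip())
        else:
            current = None  # any unindented line ends the block
    return sections


def audit_remote_access(config):
    """Return a list of (code, message) findings for Telnet-related settings."""
    findings = []
    has_secret = re.search(r"^enable secret\b", config, re.M) is not None
    has_password = re.search(r"^enable password\b", config, re.M) is not None
    if not (has_secret or has_password):
        findings.append(("NO_ENABLE_PASSWORD",
                         "Telnet users cannot enter privileged mode"))
    elif not has_secret:
        findings.append(("ENABLE_PASSWORD_ONLY",
                         "enable password is stored without hashing"))

    for header, body in vty_sections(config):
        if "no login" in body:
            findings.append(("VTY_NO_LOGIN",
                             f"{header}: no password is asked for at all"))
            continue
        if any(cmd.startswith("login ") for cmd in body):
            continue  # e.g. login local: the line password is not used
        passwords = [cmd for cmd in body if cmd.startswith("password ")]
        if not passwords:
            # Assumes the default described in the lab: VTY lines use login.
            findings.append(("VTY_NO_PASSWORD",
                             f"{header}: 'Password required, but none set'"))
        elif not re.match(r"password 7 \S+$", passwords[0]):
            # Type 7 is only obfuscation, but anything else is plain text
            # in the config and in every copy sent to a tftp host.
            findings.append(("VTY_CLEARTEXT_PASSWORD",
                             f"{header}: password readable in the config"))
    return findings


if __name__ == "__main__":
    for name, cfg in [("passwords removed", PASSWORDS_REMOVED),
                      ("VTY password set", VTY_PASSWORD_SET),
                      ("constructed hardened", CONSTRUCTED_HARDENED)]:
        print(name, [code for code, _ in audit_remote_access(cfg)])
```
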
Network Layout
Load Standard Layout.rsm or whatever you named the file when you saved your work
while working in section 2. You need a configured network in order to complete this lab.
Lab Steps
1. Double-click 3550 Switch A in order to bring up the console screen.
2. Perform the following commands:
Switch>en
Switch#config t
Enter configuration commands, one per line. End with CNTL/Z
Switch(config)#
3. To set the IP configuration on a 3550 switch, use the ip address command. However,
this is set under the VLAN1 interface, not at global configuration mode like on a 1900
switch. Remember that by default all interfaces are members of VLAN1, which is why
the VLAN1 interface is configured by default. Let's also set the hostname so that we
can more clearly identify this device when we telnet into it in subsequent steps.
Switch(config)#hostname 3550A
3550A(config)#interface vlan 1
3550A(config-if)#ip address 172.16.10.17 255.255.255.0
4. The default gateway should also be set using the ip default-gateway command.
However, unlike the IP address, this is completed at global configuration mode.
3550A(config-if)#exit
3550A(config)#ip default-gateway 172.16.10.1
5. We need to set up a VTY password for the 3550 Switch A.
3550A(config)#line vty 0 15
3550A(config-line)#password todd
3550A(config-line)#ctrl+z
6. Switch to 2621 Router A via the console menu.
7. For this lab, remove the telnet and enable passwords from the 2621 Router A.
2621A>enable
2621A#config t
Enter configuration commands, one per line. End with CTRL/Z.
2621A(config)#no enable secret
2621A(config)#no enable password
2621A(config)#line vty 0 4
2621A(config-line)#no password
2621A(config-line)#ctrl+z
2621A#
8. You can issue the telnet command from any router prompt, as in the following example
from 2621 Router B to 2621 Router A:
2621B#telnet 172.16.20.2
Trying 172.16.20.2 ... Open
Password required, but none set
[Connection to 172.16.20.2 closed by foreign host]
2621B#
Remember that the VTY ports on a router are configured as login, which means that
you must either set the VTY passwords or use the no login command.
9. On a Cisco router, you do not need to use the telnet command. If you just type in an
IP address from a command prompt, the router will assume you want to telnet to the
device, as shown below:
2621B#172.16.20.2
Trying 172.16.20.2 ... Open
Password required, but none set
[Connection to 172.16.20.2 closed by foreign host]
2621B#
10. It's time to set VTY passwords on the router I want to telnet into. Here is an example
of what I did:
2621A#config t
Enter configuration commands, one per line. End with CTRL/Z.
2621A(config)#line vty 0 4
2621A(config-line)#password todd
2621A(config-line)#ctrl+z
2621A#
11. Now, let's try connecting to the router again (from the 2621 Router B console).
2621B#172.16.20.2
Trying 172.16.20.2 ... Open
User Access Verification
Password:
2621A>
12. Remember that the VTY password is the user mode password, not the enable password.
Watch what happens when I try to go into privileged mode after telnetting into
2621 Router A:
2621A>en
% No password set
2621A>
This is a good security feature. You don't want anyone just telnetting onto your device and
then being able to just type the enable command to get into privileged mode. You must set
your enable password or enable secret password to use telnet to configure remote devices.
13. Now, exit out of 2621 Router A.
2621A>exit
[Connection to 172.16.20.2 closed by foreign host]
2621B#
14. If you telnet to a router or switch, you can end the connection by typing exit at any
time. However, what if you want to keep your connection to a remote device but still
come back to your original router console? To keep the connection, you can press the
Ctrl+Shift+6 key combination, release it, and then press X.
Here's an example of connecting to multiple devices from the 2621 Router B console:
2621B#telnet 172.16.20.2
Trying 172.16.20.2 ... Open
User Access Verification
Password:
2621A> [press ctrl+shift+6 then x]
2621B#
In the example above, I telnetted to the 2621 Router A, then typed the password to
enter user mode. I then pressed Ctrl+Shift+6, then X (this doesn't show on the screen
output). Notice the command prompt is now back at the 2621 Router B.
15. You can also telnet into a switch. In the following example, we telnet to switch 3550 A.
2621B#telnet 172.16.10.17
Trying 172.16.10.17 ... Open
User Access Verification
Password:
3550A>
16. At this point, press Ctrl+Shift+6, then X, which will take you back to 2621 Router B
console.
2621B#
17. To see the connections made from your router to a remote device, use the show sessions
command, as shown below.
2621B#show sessions
Conn Host Address Byte Idle Conn Name
1 172.16.20.2 172.16.20.2 0 0 172.16.20.2
* 2 172.16.10.17 172.16.10.17 0 0 172.16.10.17
2621B#
18. Notice the asterisk (*) next to connection 2. This means that session 2 was the last
session. You can return to your last session by pressing enter twice. You can also
return to any session by typing the number of the connection and pressing enter twice.
Here is an example:
2621B#1
[Resuming connection 1 to 172.16.20.2 ... ] [press enter]
2621A>
When changing windows from Router to Router do not close the window
with the x or the Telnet information will be lost.
19. You can list all active consoles and VTY ports in use on your router with the show
users command. Type show users from the 2621 Router A, which the 2621 Router B
had telneted into.
2621A>show users
Line User Host(s) Idle Location
0 con 0 idle 00:00:00
* 2 vty 0 idle 00:25:12 172.16.30.2
Interface User Mode Idle Peer Address
2621A>
In the output, the con represents the local console. In this example, the console is con-
nected to two remote IP addresses, or devices. This output shows that the console is
active and that VTY port 0 is being used. The asterisk represents the current terminal
session user.
20. You can end Telnet sessions a few different ways. Typing exit or disconnect is probably
the easiest and quickest. To end a session from a remote device, use the exit command,
as shown below.
2621A#exit
[Connection to 172.16.20.2 closed by foreign host]
2621B#
21. To end a session from a local device, use the disconnect command, as shown below.
2621B#show sessions
Conn Host Address Byte Idle Conn Name
* 2 172.16.10.17 172.16.10.17 0 0 172.16.10.17
2621B#disconnect 2
Closing connection to 172.16.10.17 [confirm] [enter]
2621B#
In this example, we used the session number 2 because that was the connection to 3550
Switch A that we wanted to end. As explained earlier, you can use the show sessions com-
mand to see the connection number.
Save Your File: Make sure you save the network layout file that you have been working on.
Lab 3.8: Using Secure Shell
in Place of Telnet
The last lab had you set your five basic passwords that can be used on a router. In order to
gain access to the console (user mode) through the network (called in-band), you set a
password on your VTY lines. This allowed Telnet access. However, Telnet is insecure because
everything, including passwords, is sent in the clear. We can fix that by using
Secure Shell (SSH). This is basically the same as using Telnet, but is a secure connection.
We will configure our routers to use SSH on the VTY lines.
Network Layout
Load Secure Shell Layout.rsm or whatever you previously named it, before going
through the following lab.
1. On the Network Visualizer screen, click on the File menu and then click Open.
2. When the dialog box appears, make sure you are in the Networks folder.
3. Click on the file Secure Shell Layout.rsm and click Open.
Lab Steps
1. On the Network Visualizer screen, double-click on 2811 Router A. This will bring up a
console screen.
2. Press Enter and the Router> prompt will appear. You are now in the user mode.
3. Change to the privileged mode.
Router>
Router>enable
4. We need to set a hostname on 2811 Router A.
Router#config t
Router(config)#hostname 2811A
2811A(config)#
5. The next thing we need to do is set a username and password to use for login when
using SSH.
2811A(config)#username todd password lammle
6. In addition, a domain name must be set. This is a required step when using SSH.
However, it is not important what you set it to unless you are using a DNS server for
domain lookups on the router.
2811A(config)#ip domain-name lammle.com
7. Now a key needs to be generated on the router. This will be used to encrypt the pass-
word when connecting with SSH to the router.
2811A(config)#crypto key generate rsa
The name for the keys will be: 2811A.lammle.com
Choose the size of the key modulus in the range of 360 to 2048 for your
General Purpose Keys. Choosing a key modulus greater than 512 may take
a few minutes.
How many bits in the modulus [512]: [press enter]
% Generating 512 bit RSA keys, keys will be non-exportable...[OK]
2811A(config)#
Now, we need to set our VTY line commands. The vty lines are used to set a Telnet
password on the router. If the password is not set, then telnet cannot be used by
default. However, we don't have to use Telnet; we can use SSH instead, or with Telnet.
We no longer use the login command by itself. We need to use the login local to have
the vty lines look for the username and password configured locally on the router. Let's
take a look.
8. Use the line vty command to enter into line mode.
2811A(config)#line vty 0 ?
<1-1180> Last Line number
<cr>
2811A(config)#line vty 0 1180
2811A(config-line)#login local
9. After setting the lines to use the username and password configured on the local
router, we need to tell the vty lines to use SSH.
2811A(config-line)#transport input ssh
10. The above command allows only SSH sessions on the vty lines. You can use the following
command to allow both SSH and Telnet into your router (although, if you can use
SSH, Telnet is not recommended).
2811A(config-line)#transport input ssh telnet
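One way to check the outcome of steps 5 through 10 offline: the script below reads a saved running configuration and flags vty lines that still accept Telnet, logins that rely on a shared line password, and credentials stored with password instead of secret. It is an added example, not part of the book or of Cisco IOS; the finding codes, function names, and both sample configurations are constructed for illustration.

```python
# Constructed sample: what Lab 3.8 leaves on 2811 Router A once step 10's
# "transport input ssh telnet" is applied (vty range shortened to 0 4).
LAB_CONFIG = """\
hostname 2811A
username todd password lammle
ip domain-name lammle.com
line con 0
line vty 0 4
 login local
 transport input ssh telnet
end
"""

# Constructed sample: the same device tightened. Hash values are placeholders.
HARDENED_CONFIG = """\
hostname 2811A
enable secret 5 $1$PLACEHOLDER
username todd secret 5 $1$PLACEHOLDER
ip domain-name lammle.com
ip ssh version 2
line con 0
line vty 0 4
 login local
 transport input ssh
end
"""


def parse_blocks(text):
    """Group an IOS config into (header, [indented sub-commands]) pairs."""
    blocks = []
    for raw in text.splitlines():
        if not raw.strip() or raw.strip() == "!":
            continue
        if raw[0].isspace() and blocks:
            blocks[-1][1].append(raw.strip())
        else:
            blocks.append((raw.strip(), []))
    return blocks


def is_cleartext(args):
    """args are the tokens after 'password': type 0 or no type digit means cleartext."""
    if len(args) >= 2 and args[0].isdigit():
        return args[0] == "0"
    return bool(args)


def audit_vty(header, children):
    """Return (code, location) findings for one 'line vty' block."""
    findings = []
    transport = [c for c in children if c.startswith("transport input")]
    if not transport:
        # No explicit setting: the effective default depends on the IOS release.
        findings.append(("VTY_TRANSPORT_UNSET", header))
    for line in transport:
        protocols = line.split()[2:]
        if "telnet" in protocols or "all" in protocols:
            findings.append(("VTY_TELNET_ALLOWED", header))
    if "no login" in children:
        findings.append(("VTY_NO_AUTH", header))
    elif not any(c.startswith("login ") for c in children):
        # Bare "login" (how the page says vty ports are configured) checks
        # one shared line password instead of per-user credentials.
        findings.append(("VTY_SHARED_PASSWORD", header))
    for c in children:
        tokens = c.split()
        if tokens[0] == "password" and is_cleartext(tokens[1:]):
            findings.append(("VTY_CLEARTEXT_PASSWORD", header))
    return findings


def audit(text):
    """Audit a whole configuration; an empty list means nothing was flagged."""
    blocks = parse_blocks(text)
    headers = [h for h, _ in blocks]
    findings = []
    for header, children in blocks:
        tokens = header.split()
        if header.startswith("line vty"):
            findings += audit_vty(header, children)
        elif tokens[0] == "username" and "password" in tokens[2:]:
            # "username NAME secret ..." stores a hash; "password" does not.
            findings.append(("USERNAME_USES_PASSWORD", header.split()[1]))
    if not any(h.startswith("enable secret") for h in headers):
        findings.append(("ENABLE_SECRET_MISSING", "global"))
    if "ip ssh version 2" not in headers:
        findings.append(("SSH_VERSION_NOT_PINNED", "global"))
    return findings


if __name__ == "__main__":
    for name, cfg in (("lab", LAB_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit(cfg) or "no findings")
```

The RSA modulus chosen in step 7 is not part of the configuration text, so confirm it on the device with show crypto key mypubkey rsa; the 512-bit default shown above is below the 768-bit minimum that IOS requires for SSH version 2.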
Rename and Save Your File: Make sure you save the actual network layout file that you
have been working with. You might want to save it to another file name than Secure Shell
Layout.rsm. This allows you to start over with a non-configured network if you wish.
1. There are two ways you can save a network layout. The first way is by clicking on the
Diskette button on the button bar, at the top of the Network Visualizer screen. You
can also click File on the menu and choose Save from the drop down menu.
2. A dialog box will appear. At the bottom you will see the file name Secure Shell
Layout.rsm. Rename the file. In the following example it is renamed My Secure
Shell Layout.rsm.
3. Click the Save button. At this point your network layout has been saved to a new
name. You then have the option of reloading Secure Shell Layout.rsm which is non-
configured.
Lab 3.9: Verifying Secure Shell
in Place of Telnet
In Lab 3.8 we configured 2811 Router A to be an SSH server. In this lab, we will use
2811 Router B to connect to 2811 Router A and verify that SSH is working. As we discussed
in Lab 3.8, the reason we want to use SSH is because Telnet is insecure. However, we can fix
that by using Secure Shell (SSH). This is basically the same as using Telnet, but is a secure
connection. Let's verify our SSH server on 2811 Router A.
Lab Steps
1. On the Network Visualizer screen, double-click 2811 Router B. This will bring up a
console screen.
2. The first thing we need to do is ping 2811 Router A from 2811 Router B to verify
network connectivity.
2811B(config)#exit
2811B#ping 172.16.20.1
3. Now, let's SSH into 2811 Router A and verify our connection. We need to use the
username configured on the 2811 Router A (from Lab 6.8) as our login. We do this
with the -l option. The name used in the ssh command is case sensitive.
2811B#ssh -l todd 172.16.20.1
Password: [lammle is the password, does not appear when you type]
2811A>
Network Layout
Work with the saved network that you used to configure devices in Lab 3.8.
4. You can verify your connection on 2811 Router A with the show users command:
2811A>show users
Line User Host(s) Idle Location
* 66 vty 0 Vail idle 00:00:00 192.0.2.157
Interface User Mode Idle Peer Address
2811A>
Lab 3.10: Creating a Hosts Table on
a Router and Resolve Host Names to
IP Addresses
You can use a hostname to connect to a remote device rather than use an IP address. The
device that you are using to make the connection from must be able to translate the hostname
to an IP address. This lab will show you how to create a hosts table on your router to resolve
host names to IP addresses.
Lab Steps
1. A host table provides name resolution only on the router on which it was built. The
command to build a host table on a router is:
ip host name ip_address
2. Here is an example of configuring a host table on the 2621 Router B with two entries
to resolve the names for the 2621 Router A and the 3550 Switch A:
2621B#config t
Enter configuration commands, one per line. End with CTRL/Z.
2621B(config)#ip host ?
WORD Name of host
2621B(config)#ip host 2621A ?
<0-65535> Default telnet port number
A.B.C.D Host IP address
additional Append addresses
2621B(config)#ip host 2621A 172.16.20.2 ?
A.B.C.D Host IP address (maximum of 8)
<cr>
2621B(config)#ip host 2621A 172.16.20.2
2621B(config)#ip host 3550A 172.16.10.17
2621B(config)#ctrl+z
3. To see the host table, use the show hosts command, as shown below.
2621B#sh hosts
Default domain is not set
Name/address lookup uses domain service
Network Layout
Work with the saved network that you used to configure devices in Lab 3.9. You need a
configured network in order to complete this lab.
Name servers are 255.255.255.255
Host Flags Age Type Address(es)
2621A (perm, OK) 0 IP 172.16.20.2
3550A (perm, OK) 0 IP 172.16.10.17
2621B#
In the router output above, you can see the two hostnames and their associated IP
addresses. The perm in the Flags column means the entry is manually configured. If it
said temp, it would be an entry resolved by DNS.
4. To verify that the host table resolves names, try typing the hostnames at a router
prompt. Remember that if you don't specify the command, the router assumes you
want to telnet. Use the hostnames we just created to telnet into the remote devices and
then press Ctrl+Shift+6, then X to return to the main console of the 2621B router.
2621B#2621A
Trying 2621A (172.16.20.2)... Open
User Access Verification
Password:
2621A>(control+shift+6,then x)
2621B#
2621B#3550A
Trying 3550A (172.16.40.2)... Open
User Access Verification
Password:
3550A#
5. Notice in the entries in the show session output below that the hostname now shows up
instead of the IP address because the IP address has been resolved.
3550A#sh sess
Conn Host Address Byte Idle Conn Name
1 2621A 172.16.20.2 0 0 2621A
* 2 3550A 172.16.10.17 0 0 3550A
6. You can remove a hostname from the table by using the no ip host command, as in
the following example:
3550A>(control+shift+6,then x)
2621B#
2621B#config t
Enter configuration commands, one per line. End with CTRL/Z.
2621B(config)#no ip host 2621A
7. Now remove the other hostname from the table by using the no ip host command.
2621B(config)#no ip host 3550A
Configuring the
Catalyst Switch
Lab 4: Introduction to
Configuring the Catalyst
Switch
The CCNA exam covers specific switch commands for the 2950/2960 and 3550/3560
switches. The following labs will teach you how to connect to the 1900 switch and
Catalyst 2950/2960 and 3550/3560 switches and configure LAN switching.
The labs covered in this section include:
4.1: Connecting to the 1900 Switch and setting the passwords
4.2: Configuring the 1900 Switch
4.3: Configuring the 1900 Switch Port Duplex
4.4: Verifying the 1900 Switch IP Connectivity
4.5: Erasing the 1900 Switch Configuration
Labs 4.1 - 4.5 are for the 1900 switch, which is not used in our standard
network layouts, but is included for your educational purpose. The 1900
switch is an older switch and is end-of-life from Cisco.
4.6: Utilizing the 2950/2960 Switch
4.7: Setting Passwords on the 2950/2960 Switch
4.8: Configuring the 2950/2960 Switch
4.9: Verifying the 2950/2960 Switch IP Connectivity
4.10: Saving and Erasing the 2950/2960 Switch Configuration
4.11: Utilizing the 3550/3560 Switch
4.12: Setting Passwords on the 3550/3560 Switch
4.13: Configuring the 3550/3560 Switch
4.14: Verifying the 3550/3560 Switch IP Connectivity
4.15: Saving and Erasing the 3550/3560 Switch Configuration
Lab 4.1: Connecting to the 1900 Switch
and Setting Passwords
This lab will have you work with a switch and router, enter an IP address on a router, enter
global configuration mode and then set the passwords.
Network Layout
Load 1900 Switch Layout.rsm before going through the following lab.
1. On the Network Visualizer screen, click on the File menu and then click Open.
2. When the dialog box appears, make sure you are in the Networks folder.
3. Click on the file 1900 Switch Layout.rsm and click Open.
Lab Steps
1. Double click the 1900 switch to view the 1900 switch console.
OR
Go to the 1900 switch via the console menu.
2. You will then see the following output. Press K to enter the CLI.
1 user(s) now active on Management Console.
User Interface Menu
[M] Menus
[K] Command Line
[I] IP Configuration
Enter Selection: K
CLI session with the switch is open.
To end the CLI session, enter [Exit].
>
3. The first thing that you should configure on a switch is the passwords. You don't
want unauthorized users connecting to the switch. You can set both the user mode
and privileged mode passwords, just like a router. Enter privileged mode by using the
enable command and then enter global configuration mode by using the config t
command. The following switch output shows an example of how to get into enable
mode, and then into global configuration mode.
>enable
#config t
Enter configuration commands, one per line. End with CTRL/Z
(config)#
4. Once you are in global configuration mode, you can set the user mode and enable
mode passwords by using the enable password command. The switch output below
shows the configuration of both the user mode and enable mode passwords.
(config)#enable password ?
level Set exec level password
(config)#enable password level ?
<1-15> Level number
5. To enter the user mode password, use level number 1. To enter the enable mode password,
use level mode 15. Remember the password must be at least four characters,
but not longer than eight characters. The switch output below shows the user mode
password being set and denied because it is more than eight characters.
(config)#enable password level 1 toddlammle
Error: Invalid password length.
Password must be between four and eight characters.
6. The following output is an example of how to set both the user mode and enable mode
passwords on the 1900 switch.
(config)#enable password level 1 todd
(config)#enable password level 15 todd1
(config)#exit
#exit
7. At this point, you can press enter and test your passwords. You will be prompted for
a user mode password after you press K and then an enable mode password after you
type enable.
Catalyst 1900 Management Console
Copyright (c) Cisco Systems, Inc. 1993-1998
All rights reserved.
Enterprise
Edition Software
Ethernet Address: 00-30-80-CC-7D-00
PCA Number: 73-3122-04
PCA Serial Number: FAB033725XG
Model Number: WS-C1912-A
System Serial Number: FAB0339T01M
Power Supply S/N: PHI031801CF
PCB Serial Number: FAB033725XG,73-3122-04
-------------------------------------------------
1 user(s) now active on Management Console.
User Interface Menu
[M] Menus
[K] Command Line
Enter Selection: K
Enter password: ****
CLI session with the switch is open.
To end the CLI session, enter [Exit].
>en
Enter password: ****
#
8. The enable secret password is a more secure password and supersedes the enable password
if set. You set this password the same way you set the enable secret password
on a router. If you have an enable secret set, you don't even need to bother setting the
enable mode password.
#config t
Enter configuration commands, one per line. End with CTRL/Z
(config)#enable secret todd2
9. You can use show running-config (show run for short) to see the current configuration
on the switch.
(config)#exit
#sh run
Building configuration...
Current configuration:
enable secret 5 $1$FMFQ$wFVYVLYn2aXscfB3J95.w.
enable password level 1 "TODD"
enable password level 15 "TODD1"
[output cut]
Notice the enable mode passwords are not encrypted by default, but the enable secret is.
This is the same password configuration technique that you will find on a router. One more
thing to notice is that even though I typed the password as lowercase, the running-config
shows the passwords as uppercase. It doesn't matter how you type it in or how it shows in
the configuration because the passwords are not case sensitive on the switch.
Rename and Save Your File: Make sure you save the actual network layout file that you
have been working with. You might want to save it to another file name than 1900 Switch
Layout.rsm. This allows you to start over with a non-configured network if you wish.
1. There are two ways you can save a network layout. The first way is by clicking on the
Diskette button on the button bar, at the top of the Network Visualizer screen. You
can also click File on the menu and choose Save from the drop down menu.
2. A dialog box will appear. At the bottom you will see the file name 1900 Switch
Layout.rsm. Rename the file. In the following example it is renamed to My 1900
Switch Layout.rsm.
3. Click the Save button. At this point your network layout has been saved to a new name.
You then have the option of reloading 1900 Switch Layout.rsm which is non-configured.
Lab 4.2: Configuring the 1900 Switch
Use the saved network layout file from Lab 4.1. The file name is 1900 Switch Layout.rsm
or whatever you named it when you saved it in Lab 4.1.
Set the Hostname
The hostname on a switch, as well as on a router, is only locally significant. This means
that it does not have any function on the network or name resolution whatsoever. However,
it is helpful to set a hostname on a switch so that you can identify the switch when connect-
ing to it. A good rule of thumb is to name the switch after the location it is serving.
Lab Step
1. The 1900 switch command to set the hostname is exactly like any router: you use the
hostname command. Remember, it is one word. The switch output below shows the con-
sole screen. Press K to go into user mode, enter the password, use the enable command
and enter the enable secret password. From global configuration mode, type the command
hostname hostname.
1 user(s) now active on Management Console.
User Interface Menu
[M] Menus
[K] Command Line
[I] IP Configuration
Enter Selection: K
Enter password: ****
CLI session with the switch is open.
To end the CLI session, enter [Exit].
>en
Enter password: ****
#config t
Enter configuration commands, one per line. End with CTRL/Z
(config)#hostname 1900A
1900A(config)#exit
Notice that as soon as I pressed enter, the hostname of the switch appeared. Remember
that from global configuration mode, which you enter by using the config t command, it
changes the running-config. Any changes you make in this mode take effect immediately.
Configure the IP Address
You do not have to set any IP configuration on the switch to make it work. You can just
plug in devices and they should start working, just like they would on a hub. The reason
you would set the IP address information on the switch is so you can either manage the
switch via Telnet or other management software, or configure the switch
with different VLANs and other network functions. VLANs are discussed in later labs.
2. By default, no IP address or default-gateway information is set. You would set both the
IP address and the default-gateway on a layer-two switch, just like any host. By typing
the command show ip (or sh ip), you can see the default IP configuration of the switch.
1900A#show ip
IP Address: 0.0.0.0
Subnet Mask: 0.0.0.0
Default Gateway: 0.0.0.0
Management VLAN: 1
Domain name:
Name server 1: 0.0.0.0
Name server 2: 0.0.0.0
HTTP server : Enabled
HTTP port : 80
RIP : Enabled
Notice in the above switch output that no IP address, default-gateway, or other IP
parameters are configured.
3. To set the IP configuration on a 1900 switch, use the ip address command. The
default gateway should also be set using the ip default-gateway command.
The switch output below shows an example of how to set the IP address and default-
gateway on a 1900 switch.
1900A#config t
Enter configuration commands, one per line. End with CTRL/Z
1900A(config)#ip address 172.16.10.16 255.255.255.0
1900A(config)#ip default-gateway 172.16.10.1
1900A(config)#exit
4. Once you have your IP information set, use the show ip command to verify your changes.
You can view this information with the show running-config command as well.
1900A#show ip
IP Address: 172.16.10.16
Subnet Mask: 255.255.255.0
Default Gateway: 172.16.10.1
Management VLAN: 1
Domain name:
Name server 1: 0.0.0.0
Name server 2: 0.0.0.0
HTTP server : Enabled
HTTP port : 80
RIP : Enabled
1900A#
To change the IP address and default-gateway on the switch, you can either type in new
addresses or remove the IP information with the no ip address and no ip default-gateway
commands, at the global configuration prompt.
Configure Interfaces
It is important to understand how to access switch ports. The 1900 switch uses the type
slot/port command. For example, FastEthernet 0/3 is 10BaseT port 3. Another example
would be FastEthernet 0/26 which is the first of the two FastEthernet ports available on
the 1900 switch.
The 1900 switch type slot/port command can be used with either the interface command
or the show command. The interface command allows you to set interface-specific
configurations. The 1900 switch has only one slot: zero (0).
5. To configure an interface on a 1900 switch, go to global configuration mode and use
the interface command. From global configuration, use the interface command
and the type, either Ethernet or FastEthernet interface. I am going to demonstrate
the Ethernet interface configuration first.
1900A#config t
Enter configuration commands, one per line. End with CTRL/Z
1900A(config)#int ethernet ?
<0-0> IEEE 802.3
6. The previous output asks for the slot. Since the 1900 switch is not modular, there is only
one slot. The next output gives us a slash (/) to separate the slot/port configuration.
1900A(config)#int ethernet 0?
/
1900A(config)#int ethernet 0/?
<1-25> IEEE 802.3
7. After the 0/configuration command, the above output shows the number of ports you
can configure. The output below shows the completed command.
1900A(config)#int ethernet 0/1
8. Once you are in interface configuration, the prompt changes to (config-if). After
you are at the interface prompt, you can use the help commands to see the available
commands.
1900A(config-if)#?
Interface configuration commands:
cdp Cdp interface subcommands
description Interface specific description
duplex Configure duplex operation
exit Exit from interface configuration mode
help Description of the interactive help system
no Negate a command or set its defaults
port Perform switch port configuration
shutdown Shutdown the selected interface
spantree Spanning tree subsystem
vlan-membership VLAN membership configuration
1900A(config-if)#?exit
You can switch between interface configuration by using the int e 0/# command at
any time from global configuration mode.
9. The switch output below shows the configuration of a FastEthernet port on the 1900
switch. Notice that the command is interface fastethernet, but the slot is still 0.
The only ports available are 26 and 27.
1900A(config)#int fastethernet ?
<0-0> FastEthernet IEEE 802.3
1900A(config)#int fastethernet 0/?
<26-27> FastEthernet IEEE 802.3
1900A(config)#int fastethernet 0/26
1900A(config-if)#int fast 0/27
1900A(config-if)#ctl+z
10. After you make any changes you want to the interfaces, you can view the different inter-
faces with the show interface command. The switch output below shows the command
used to view a 10BaseT interface and the command to view a fastethernet interface.
1900A#show int e0/1
ethernet 0/1 is Suspended-no-linkbeat
Hardware is Built-in 10Base-T
Address is 0030.80CC.7D01
MTU 1500 bytes, BW 10000 Kbits
802.1d STP State: Forwarding Forward Transitions: 1
[output cut]
1900A#show int f0/26
Fastethernet 0/26 is Suspended-no-linkbeat
Hardware is Built-in 100Base-TX
Address is 0030.80CC.7D1A
MTU 1500 bytes, BW 100000 Kbits
802.1d STP State: Blocking Forward Transitions: 0
[output cut]
Configure Interface Descriptions
You can administratively set a name for each interface on the 1900 switch. Like the
hostname, the descriptions are only locally significant. For the 1900 series switch, use
the description command. You cannot use spaces with the description command, but
you can use underlines if you need to.
11. To set the descriptions, you need to be in interface configuration mode. From interface
configuration mode, use the description command to describe each interface. You can
make the descriptions more than one word, but you can't use spaces. You will have to
use the underline as shown below:
1900A#config t
Enter configuration commands, one per line. End with CTRL/Z
1900A(config)#int e0/1
1900A(config-if)#description Finance_VLAN
1900A(config-if)#int f0/26
1900A(config-if)#description trunk_to_Building_4
1900A(config-if)#ctl+z
In the configuration example above, we set the description on both a 10Mbps port and
a 100Mbps port.
View Interface Descriptions
Once you have configured the descriptions you want on each interface, you can then view the
descriptions with either the show interface command, or show running-config command.
12. View the configuration of the Ethernet interface 0/1 by using the show interface
ethernet 0/1 command.
1900A#show int e0/1
Ethernet 0/1 is Enabled
Hardware is Built-in 10Base-T
Address is 0030.80CC.7D01
MTU 1500 bytes, BW 10000 Kbits
802.1d STP State: Forwarding Forward Transitions: 1
Port monitoring: Disabled
Unknown unicast flooding: Enabled
Unregistered multicast flooding: Enabled
Description: Finance_VLAN
Duplex setting: Half duplex
Back pressure: Disabled
13. Use the show running-config command to view the interface configurations as well.
1900A#show run
Building configuration...
Current configuration:
!
hostname "1900A"
!
ip address 172.16.10.16 255.255.255.0
ip default-gateway 172.16.10.1
!
enable secret 5 $1$u76B$IOFVJ7VxfVXYVpGDrFTcI0
enable password level 1 "TODD"
enable password level 15 "TODD1"
!
interface Ethernet 0/1
description "Finance_VLAN"
[output cut]
Save Your File: Make sure you save the network layout file that you have been working on.
Lab 4.3: Configuring the 1900 Switch
Port Duplex
The 1900 switch has only 12 or 24 10BaseT ports and comes with one or two FastEthernet
ports. You can only set the duplex on the 1900 switch, as the ports are all fixed speeds.
Network Layout
Use the saved network that you have been working with.
Lab Steps
1. Use the duplex command in interface configuration.
In the switch output below, notice the options available on the FastEthernet ports.
1900A(config)#int f0/26
1900A(config-if)#duplex ?
auto Enable auto duplex configuration
full Force full duplex operation
full-flow-control Force full duplex with flow control
half Force half duplex operation
1900A(config-if)#duplex full
1900A(config-if)#ctrl+z
The following Table shows the different duplex options available on the 1900 switches.
The 1900 FastEthernet ports default to auto duplex, which means they will try and auto
detect the duplex the other end is running.
TABLE: Duplex Options
Parameter           Definition
Auto                Set the port into auto-negotiation mode. Default for all 100BaseTX ports.
Full                Forces the 10 or 100Mbps ports into full duplex mode.
Full-flow-control   Works only with 100BaseTX ports, uses flow control so buffers won't overflow.
Half                Default for 10BaseT ports, forces the ports to work only in half duplex mode.
2. Once you have the duplex set, you can use the show interface command to view the
duplex configuration.
1900A#show int f0/26
Fastethernet 0/26 is enabled
Hardware is Built-in 100Base-TX
Address is 0030.80CC.7D1A
MTU 1500 bytes, BW 100000 Kbits
802.1d STP State: Blocking Forward Transitions: 0
Port monitoring: Disabled
Unknown unicast flooding: Enabled
Unregistered multicast flooding: Enabled
Description: trunk to Building 4
Duplex setting: Full duplex
Back pressure: Disabled
3. In the output above, the duplex setting shows full duplex.
Lab 4.4: Verifying 1900 Switch
IP Connectivity
It is important to test the switch IP configuration. You can use the ping program, and you
can telnet into the 1900 switch. However, you cannot telnet from the 1900 switch or use
traceroute.
Network Layout
Use the saved network that you are using while working with the 1900 switch.
Lab Steps
1. Right-click on Host A.
2. Click on the Configs button.
3. On Host A configure:
IP Address
Subnet Mask
Default Gateway
IP Address: 172.16.10.9
Subnet Mask: 255.255.255.0
Default Gateway: 172.16.10.1
4. Click the OK button and then the Close button.
5. Ping the host from the switch 1900 A.
1900A#ping 172.16.10.9
Sending 5, 100-byte ICMP Echos to 172.16.10.9, time out is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max 0/2/10/ ms
The output on a successful ping: exclamation point (!). If you receive
periods (.) instead of exclamation points, that signifies a timeout.
6. Telnet to the host.
1900A#telnet 172.16.10.9
^
% Invalid input detected at '^' marker.
In the Telnet example above, notice the error when you try to telnet from the 1900
switch. The command is not available on the 1900 switch. However, you can telnet into a
switch at any time, as long as the switch is configured correctly.
Save Your File: Make sure you save the network layout file that you have been working on.
Lab 4.5: Erasing the 1900 Switch Configuration
The switch configuration is stored in NVRAM, just as on any router. You cannot view the
startup-config, or contents of NVRAM. You can only view the running-config. When
you make a change to the switch's running-config, the switch automatically copies the
configuration to NVRAM.
You can delete the configuration in NVRAM on the 1900 switch if you want to start
over on the switch's configuration. To delete the contents of NVRAM on a 1900 switch,
use the delete nvram command.
Lab Steps
1. Type delete ? from the 1900 Switch A privileged mode prompt. Notice in the switch output
below that there are two options: nvram and vtp. We want to reset the contents of
NVRAM to the factory default settings.
1900A#delete ?
nvram NVRAM configuration
vtp Reset VTP configuration to defaults
1900A#delete nvram
This command resets the switch with factory defaults. All system parameters will revert
to their default factory settings. All static and dynamic addresses will be removed.
Reset system with factory defaults, [Y]es or [N]o? Yes
2. Notice the message received from the switch when the delete nvram command is used.
Once you say yes, the configuration is gone.
Network Layout
Use the saved network that you are using while working with the 1900 switch.
3. To confirm the configuration is gone, use the show run command.
#show run
Building configuration...
Current configuration:
!
interface Ethernet 0/1
!
interface Ethernet 0/2
!
interface Ethernet 0/3
!
interface Ethernet 0/4
[output cut]
Lab 4.6: Utilizing the 2950 and 2960 Switch
The 2950 and 2960 switches are very similar and basically support the same commands. The
configuration commands between the two switches differ because:
- The Catalyst 2950 switch runs Cisco IOS 12.1EA software, and the Catalyst 2960
switch runs Cisco IOS 12.2SE software.
- The hardware is different. In this program the 2950 switch has 12 FastEthernet ports ...
- and the 2960 switch has eight FastEthernet ports and one GigabitEthernet port ...
If you use a 2950 switch command, it might not be supported on the 2960 switch.
The 2960 switch software handles the incompatible commands by either:
- accepting and translating them
- rejecting the command
In this program the supported commands for these two switches are
identical.
Lab 4.7: Setting Passwords on the 2950/2960 Switch
This lab will have you work with a 2950/2960 switch. The commands used in configuring
the 2950 or 2960 switches are identical in this program. You can choose which device you
would like to work with in setting passwords. In this lab, enter the global configuration
mode and then set the passwords.
Network Layout
Load Standard Layout.rsm or whatever you named the file when you saved your work
in earlier labs.
Lab Steps
1. Double-click 2950 Switch A or 2960 Switch A to open the console screen.
2. Press Enter to connect to the console.
Switch>
3. For the user mode of the switch, you can use the help screen just like a router.
Switch>?
Exec commands:
<1-99> Session number to resume
access-enable Create a temporary Access-List entry
clear Reset functions
connect Open a terminal connection
disable Turn off privileged commands
disconnect Disconnect an existing network connection
enable Turn on privileged commands
exit Exit from the EXEC
help Description of the interactive help system
lock Lock the terminal
login Log in as a particular user
logout Exit from the EXEC
name-connection Name an existing network connection
ping Send echo messages
rcommand Run command on remote switch
resume Resume an active network connection
show Show running system information
systat Display information about terminal lines
telnet Open a telnet connection
terminal Set terminal line parameters
traceroute Trace route to destination
tunnel Open a tunnel connection
--More--
[output cut]
4. The first thing that you should configure on a switch is the passwords. You don't
want unauthorized users connecting to the switch. You can set both the user mode
and privileged mode passwords, just like a router. Enter the enable mode by using the
enable command and then enter global configuration mode by using the config t
command. The following switch output shows an example of how to get into enable
mode, and then into global configuration mode.
Switch>enable
Switch#config t
Enter configuration commands, one per line. End with CTRL/Z
Switch(config)#
5. Once you are in global configuration mode, you can set the user mode and enable
mode passwords by using the enable password and enable secret commands. The
switch output below shows the configuration of both the user mode and enable
mode passwords.
Switch(config)#enable password ?
0 Specifies an UNENCRYPTED password will follow
7 Specifies a HIDDEN password will follow
LINE The UNENCRYPTED (cleartext) 'enable' password
level Set exec level password
Switch(config)#enable password todd
Switch(config)#enable secret cisco
Switch(config)#
If you set your enable secret, the enable password is superseded and not
used, just like in a router.
6. In addition to the enable password and enable secret, the 2950/2960 switch allows you to
set a console and Telnet password as well using the line commands, just like in a router.
Switch(config)#line ?
<0-16> First Line number
console Primary terminal line
vty Virtual terminal
Switch(config)#line console 0
Switch(config-line)#password console
Switch(config-line)#login
Switch(config-line)#line vty ?
% Unrecognized command
7. Remember that just like in a router, you cannot get help for a line command from
within line configuration mode. Type exit to go back one step.
Switch(config-line)#exit
Switch(config)#line vty ?
<0-15> First Line number
Switch(config)#line vty 0 15
Switch(config-line)#password telnet
Switch(config-line)#login
Switch(config-line)#ctrl+z
Switch#
8. You can use show running-config (show run for short) to see the current configuration
on the switch.
Current configuration : 997 bytes
!
version 12.1
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname Switch
!
enable secret 5 $1$yNgO$9uU0Z6NG1ib4vlt05bmMW1
enable password todd
!
ip subnet-zero
!
spanning-tree extend system-id
!
!
interface FastEthernet0/1
no ip address
!
interface FastEthernet0/2
no ip address
--More--
Notice the enable mode password is not encrypted by default, but the enable secret is.
This is the same password configuration technique that you will find on a router.
Save Your File: Make sure you save the network layout file that you have been working on.
Lab 4.8: Configuring the 2950/2960 Switch
This lab will have you work with a 2950/2960 switch. The commands used in configuring
the 2950 or 2960 switches are identical in this program. Even though the step-by-steps refer
to the 2950 switch, you can also configure the 2960 with the same steps.
Set the Hostname
The hostname on a switch, as well as on a router, is only locally significant. This means that
it does not have any function on the network and is not used for name resolution whatsoever.
However, it is helpful to set a hostname on a switch so that you can identify the switch when
connecting to it. A good rule of thumb is to name the switch after the location it is serving.
Network Layout
Work with the saved network that you used to configure devices in Lab 4.7.
The 2950/2960 switch command to set the hostname is exactly like any router: you use
the hostname command. Remember, it is one word. From global configuration mode, type the
command hostname hostname.
Lab Steps
1. Double-click 2950 Switch A or 2960 Switch A to open the console screen.
Switch>enable
Enter password: ****
Switch#config t
Enter configuration commands, one per line. End with CTRL/Z
Switch(config)#hostname 2950A
2950A(config)#exit
2950A#
Notice that as soon as you press Enter, the hostname of the switch appears. Remember
that commands entered in global configuration mode, which you enter by using the config t
command, change the running-config. Any changes you make in this mode take effect immediately.
Configure the IP Address
2. By default, no IP address or default-gateway information is set. You would set both
the IP address and the default-gateway on a layer-two switch, just like any host. By
typing the command show running-config you can see the default IP configuration of
the switch. Notice in your switch output that no IP address, default-gateway, or other
IP parameters are configured.
3. To set the IP configuration on a 2950 switch, use the ip address command. However,
this is set under the VLAN1 interface, not at global configuration mode like on a 1900
switch. Remember that by default all interfaces are members of VLAN1, which is why
the VLAN1 interface is configured by default.
2950A#config t
Enter configuration commands, one per line. End with CTRL/Z
2950A(config)#interface vlan 1
2950A(config-if)#ip address 172.16.40.2 255.255.255.0
2950A(config-if)#exit
2950A(config)#
4. The default gateway should also be set using the ip default-gateway command.
However, unlike the IP address, this is completed at global configuration mode.
2950A(config)#ip default-gateway 172.16.40.1
2950A(config)#exit
2950A#
To change the IP address and default-gateway on the switch, you can either type in new
addresses or remove the IP information with the no ip address and no ip default-gateway
commands, at the appropriate configuration prompt.
Configure Interfaces
It is important to understand how to access switch ports. The 2950/2960 switch uses
the type slot/port command, just like a 2621 router. For example, Fastethernet 0/3 is
10/100BaseT port 3.
The 2950/2960 switch type slot/port command can be used with either the interface
command or the show command. The interface command allows you to set interface-specific
configurations. The 2950/2960 switch has only one slot: zero (0), just like the 1900.
IP Default-Gateway
This is used on devices where no routing information is provided by the router that
tells you how to get to the next, directly connected device. It tells us what pathway to
use to send packets to the next, directly connected device. In the previous set of commands
the ip default-gateway is 172.16.40.1 because that is the IP address of interface
f0/0 on Router 2621 A.
5. To configure an interface on a 2950/2960 switch, go to global configuration mode and
use the interface command as shown. Since the 2950/2960 switch is not modular, there
is only one slot, which is 0, although it lists 0-2 for some odd reason. However, you can
only type in 0 as the slot in this program. Any other slot number will give you an
error. The next output gives us a slash (/) to separate the slot/port configuration.
2950A#config t
2950A(config)#interface fastethernet ?
<0-2> FastEthernet interface number
2950A(config)#interface fastethernet 0?
/
2950A(config)#interface fastethernet 0/?
<0-12> FastEthernet interface number
6. After the 0/ in the command, the above output shows the number of ports you
can configure. The output below shows the completed command.
2950A(config)#interface fastethernet 0/1
2950A(config-if)#
7. Once you are in interface configuration, the prompt changes to (config-if). You can
switch between interface configurations by using the int fa 0/# command at any time
from global configuration mode. Now, let's look at the duplex and speed configurations
for a switch port.
2950A(config)#int fa0/1
2950A(config-if)#duplex ?
auto Enable AUTO duplex configuration
full Force full duplex operation
half Force half-duplex operation
2950A(config-if)#
2950A(config-if)#speed ?
10 Force 10 Mbps operation
100 Force 100 Mbps operation
auto Enable AUTO speed configuration
2950A(config-if)#
8. Since the switch port's duplex and speed settings are already set to auto by default, you
do not need to change the switch port settings. It is recommended that you allow the
switch port to auto-negotiate speed and duplex settings in most situations. In the rare
situation when it is required to manually set the speed and duplex of a switch port,
you can use the following configuration.
2950A(config-if)#duplex full
Duplex will not be set until speed is set to non-auto value
2950A(config-if)#speed 100
9. Notice in the above command that to run full duplex, you must set the speed to
a non-auto value.
10. In addition to the duplex and speed commands that can be configured on the switch
port, you also can turn on what is called portfast. The portfast command allows
a switch port to come up quickly. Typically a switch port waits 50 seconds for the
spanning-tree to go through its "gotta make sure there are no loops!" cycle. However,
if you turn portfast on, then you had better be sure you do not create a physical loop on the
switch network. A spanning-tree loop can severely hurt or bring your network down.
Here is how you would enable portfast on a switch port.
2950A(config-if)#spanning-tree ?
bpdufilter Don't send or receive BPDUs on this interface
bpduguard Don't accept BPDUs on this interface
cost Change an interface's spanning tree port path cost
guard Change an interface's spanning tree guard mode
link-type Specify a link type for spanning tree protocol use
port-priority Change an interface's spanning tree port priority
portfast Enable an interface to move directly to forwarding on link
up
stack-port Enable stack port
vlan VLAN Switch Spanning Tree
11. The command above shows the available options for the spanning-tree command.
We want to use the portfast command.
2950A(config-if)#spanning-tree portfast
%Warning: portfast should only be enabled on ports connected to a single
host. Connecting hubs, concentrators, switches, bridges, etc... to this
interface when portfast is enabled, can cause temporary bridging loops.
Use with CAUTION
%Portfast has been configured on FastEthernet0/1 but will only
have effect when the interface is in a non-trunking mode.
2950A(config-if)#
12. Notice the message the switch provides when enabling portfast. Although it seems like
the command did not take effect, as long as the port is in access mode (discussed in a
minute), the port will now be in portfast mode.
13. After you make any changes you want to the interfaces, you can view the different
interfaces with the show interface command. The switch output below shows the
command used to view a 10/100BaseT interface on the 2950/2960 switch.
2950A(config-if)#ctrl+z
2950A#show int f0/1
FastEthernet0/1 is down line protocol is down (notconnect)
Hardware is FastEthernet, address is 00b0.9eb1.bcd0 (bia 00b0.9eb1.bcd0)
MTU 1500 bytes, BW 100000 Kbit, DLY 100 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation ARPA, loopback not set
Keepalive set (10 sec)
Half-duplex, 100Mb/s, media type is 10/100BaseTX
input flow-control is off, output flow-control is unsupported
ARP type: ARPA, ARP Timeout 04:00:00
Last input 00:00:02, output 00:00:01, output hang never
Last clearing of "show interface" counters never
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: fifo
Output queue 0/40, 0 drops; input queue 0/75, 0 drops
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 1000 bits/sec, 1 packets/sec
1097702 packets input, 71821315 bytes, 0 no buffer
Received 488076 broadcasts, 0 runts, 0 giants, 0 throttles
0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
0 watchdog, 3752639 multicast, 0 pause input
0 input packets with dribble condition detected
1590235 packets output, 290473092 bytes, 0 underruns
0 output errors, 0 collisions, 2 interface resets
0 babbles, 0 late collision, 0 deferred
0 lost carrier, 0 no carrier
0 output buffer failures, 0 output buffers swapped out
14. In addition to the show interface command, you can use the show running-config
command to see the interface configuration as well.
[output cut]
!
interface FastEthernet0/1
duplex full
speed 100
spanning-tree portfast
!
interface FastEthernet0/2
[output cut]
15. You can administratively set a name for each interface on the 2950/2960 switch. Like the
hostname, the descriptions are only locally significant. For the 2950/2960 series switch,
use the description command. You can use spaces with the description command, but
you can use underlines if you need to.
To set the descriptions, you need to be in interface configuration mode. From interface
configuration mode, use the description command to describe each interface.
2950A#config t
Enter configuration commands, one per line. End with CTRL/Z
2950A(config)#int fa 0/1
2950A(config-if)#description Sales VLAN
2950A(config-if)#int fa 0/8
2950A(config-if)#description trunk to Building 8
2950A(config-if)#
In the configuration example above, we set the description on both port 1 and 12.
16. Once you have configured the descriptions you want on each interface, you can then
view the descriptions with either the show interface command or the show running-config
command. View the configuration of the Ethernet interface 0/1 by using the
show interface ethernet 0/1 command.
2950A#show int fa 0/1
FastEthernet0/1 is down line protocol is down (notconnect)
Hardware is FastEthernet, address is 00b0.9eb1.bcd0 (bia 00b0.9eb1.bcd0)
Description: Sales VLAN
MTU 1500 bytes, BW 100000 Kbit, DLY 100 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation ARPA, loopback not set
Keepalive set (10 sec)
Half-duplex, 100Mb/s, media type is 10/100BaseTX
(output cut)
17. Use the show running-config command to view the interface configurations as well.
2950A#show run
[output cut]
!
interface FastEthernet0/1
description "Sales VLAN"
spanning-tree portfast
!
[output cut]
Notice in the above switch output that the show int fa0/1 command and the show run
command both show the description command set on an interface.
Save the network that you have been working on.
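The portfast warning in steps 10 to 12 can be turned into a check over a saved running-config. The following Python script is an added example, not part of the lab software or the book: the sample configuration is constructed, the finding codes are names chosen here, and it assumes the interface command spanning-tree bpduguard enable and the global command spanning-tree portfast bpduguard default are available on the software release in use.

```python
import re

# Constructed sample modelled on the step 14 and step 17 listings. The Fa0/2
# stanza and the `switchport mode trunk` line on Fa0/8 are added for contrast.
SAMPLE_INTERFACES = """\
hostname 2950A
!
interface FastEthernet0/1
 description Sales VLAN
 duplex full
 speed 100
 spanning-tree portfast
!
interface FastEthernet0/2
 switchport mode access
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface FastEthernet0/8
 description trunk to Building 8
 switchport mode trunk
 spanning-tree portfast
!
end
"""

# One interface stanza: the header line plus its indented sub-commands.
STANZA_RE = re.compile(r"^interface (\S+)[ \t]*\n((?:[ \t]+\S.*\n)*)", re.MULTILINE)
GLOBAL_GUARD = "spanning-tree portfast bpduguard default"


def audit_portfast(config):
    """Return (interface, code) findings for every port with portfast enabled."""
    global_guard = GLOBAL_GUARD in (line.strip() for line in config.splitlines())
    findings = []
    for stanza in STANZA_RE.finditer(config):
        name = stanza.group(1)
        cmds = [cmd.strip() for cmd in stanza.group(2).splitlines()]
        if "spanning-tree portfast" not in cmds:
            continue

        # Assumption: no `switchport mode` line means the platform default,
        # a negotiated (dynamic) mode, so the port is not pinned to access.
        mode = next((c.split()[2] for c in cmds
                     if c.startswith("switchport mode ")), None)
        if mode == "trunk":
            # Per the switch's own message, portfast has no effect here.
            findings.append((name, "PORTFAST_ON_TRUNK"))
            continue
        if mode != "access":
            findings.append((name, "PORTFAST_MODE_NOT_ACCESS"))

        guarded = "spanning-tree bpduguard enable" in cmds or (
            global_guard and "spanning-tree bpduguard disable" not in cmds)
        if not guarded:
            # A switch or hub plugged into this port would start forwarding
            # immediately, with nothing to shut the port when BPDUs arrive.
            findings.append((name, "PORTFAST_WITHOUT_BPDUGUARD"))
    return findings


if __name__ == "__main__":
    for interface, code in audit_portfast(SAMPLE_INTERFACES):
        print(f"{interface:18} {code}")
```
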
Lab 4.9: Verifying 2950/2960 Switch IP Connectivity
This lab will have you work with a 2950/2960 switch. The commands used in configuring
the 2950 or 2960 switches are identical in this program. Even though the step-by-steps refer
to the 2950 switch, you can also configure the 2960 with the same steps. It is important to
test the switch IP configuration. You can use the ping program, and you can telnet into the
2950/2960 switch. However, you cannot telnet from the 2950/2960 switch or use traceroute.
1. In the following example, ping Host E on the network from 2950 Switch A. Notice the
output on a successful ping: exclamation point (!). If you receive periods (.) instead of
exclamation points, that signifies a timeout.
Network Layout
Work with the saved network that you used to configure devices in Lab 4.8.
2950A#ping 172.16.40.3
Sending 5, 100-byte ICMP Echos to 172.16.40.3, time out is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max 0/2/10/ ms
2. In the following example, ping Host F on the network from the 2960 A switch.
2960A#ping 172.16.50.3
Sending 5, 100-byte ICMP Echos to 172.16.50.3, time out is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max 0/2/10/ ms
Lab 4.10: Saving and Erasing 2950/2960 Switch Configuration
This lab will have you work with a 2950/2960 switch. The commands used in configuring
the 2950 or 2960 switches are identical in this program. Even though the step-by-steps refer
to the 2950 switch, you can also configure the 2960 with the same steps.
The switch configuration is stored in NVRAM, just as on any router, and placed in RAM
when the switch boots. The file in RAM is called the running-config and the file in NVRAM
is called the startup-config. You can view the startup-config, also called the backup
configuration, with the show startup-config command.
Network Layout
Work with the saved network that you used to configure devices in Lab 4.9.
Lab Steps
1. To save the switch configuration, you type copy running-config startup-config, or
copy run start, just like on a router.
2950A#copy run start
Destination filename [startup-config]?press Enter
Building configuration...
[OK]
2950A#
2. You can delete the configuration in NVRAM on the 2950 switch if you want to start
over on the switch's configuration. To delete the contents of NVRAM on a 2950
switch, use the erase startup-config command as shown. However, you still need
to reload the switch to erase the running-config.
2950A#erase startup-config
Erasing the nvram file system will remove all files! Continue? [confirm]
press Enter
[OK]
Erase of nvram: complete
2950A#sh start
%% Non-volatile configuration memory is not present
2950A#
3. Again, just because you have erased the contents of NVRAM with the erase
startup-config command, you need to remember that the running-config is
still in RAM. To erase the running-config you have to reload the switch.
4. Change to the console screen for 2960 Switch A. Save your configuration.
2960A#copy run start
Destination filename [startup-config]?press Enter
Building configuration...
[OK]
2960A#
5. To delete the contents of NVRAM on a 2960 switch, use the erase startup-config
command as shown. However, you still need to reload the switch to erase the
running-config.
2960A#erase startup-config
Erasing the nvram file system will remove all files! Continue? [confirm]
press Enter
[OK]
Erase of nvram: complete
2960A#sh start
%% Non-volatile configuration memory is not present
2960A#
Lab 4.11: Utilizing the 3550 and 3560 Switch
The 3550 and 3560 switches are very similar and basically support the same commands. The
configuration commands between the two switches differ because:
- The Catalyst 3550 switch runs Cisco IOS 12.1EA software, and the Catalyst 3560
switch runs Cisco IOS 12.2SE software.
- The hardware is different. In this program, the 3550 switch has 10 FastEthernet ports ...
- and the 3560 switch has eight FastEthernet ports and one GigabitEthernet port ...
In this program, the supported commands for these two switches are
identical.
Lab 4.12: Setting Passwords on the 3550/3560 Switch
This lab will have you work with a 3550/3560 switch. The commands used in configuring
the 3550 or 3560 switches are identical in this program. Even though the step-by-steps refer
to the 3550 switch, you can also configure the 3560 with the same steps.
Enter global configuration mode and then set the passwords.
Lab Steps
1. Double-click 3550 Switch A to open the console screen.
2. Press Enter to connect to the console.
3550A>
3. The first thing that you should configure on a switch is the passwords. You don't want
unauthorized users connecting to the switch. You can set both the user mode and
privileged mode passwords, just like a router. Enter enable mode by using the enable
command and then enter global configuration mode by using the config t command.
The following output shows an example of how to get into enable mode, and then into
global configuration mode.
3550A>enable
3550A#config t
Enter configuration commands, one per line. End with CTRL/Z
Switch(config)#
Network Layout
Load Standard Layout.rsm or whatever you named the file when you saved your work
in earlier labs.
4. Once you are in global configuration mode, you can set the user mode and enable
mode passwords by using the enable password and enable secret commands. The
switch output below shows the configuration of both the user mode and enable
mode passwords.
3550A(config)#enable password ?
0 Specifies an UNENCRYPTED password will follow
7 Specifies a HIDDEN password will follow
LINE The UNENCRYPTED (cleartext) 'enable' password
level Set exec level password
3550A(config)#enable password todd
3550A(config)#enable secret cisco
3550A(config)#
If you set your enable secret, the enable password is superseded and not
used, just like in a router.
6. In addition to the enable password and enable secret, the 3550/3560 switch allows you to
set a console and Telnet password as well using the line commands, just like in a router.
3550A(config)#line ?
<0-16> First Line number
console Primary terminal line
vty Virtual terminal
3550A(config)#line console 0
3550A(config-line)#password console
3550A(config-line)#login
3550A(config-line)#exit
3550A(config)#line vty 0 15
3550A(config-line)#password telnet
3550A(config-line)#login
3550A(config-line)#ctrl+z
The telnet password was already set for 3550 Switch A in an earlier lab.
7. You can use show running-config (show run for short) to see the current configuration
on the switch.
3550A(config-line)#ctrl+z
3550A#show run
Building configuration...
Current configuration : 866 bytes
!
version 12.1
no service single-slot-reload-enable
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname 3550A
!
enable secret 5 $1$u76B$IOFVJ7VxfVXYVpGDrFTcI0
enable password todd
!
ip subnet-zero
!
!
spanning-tree extend system-id
!
!
interface FastEthernet0/1
switchport mode dynamic desirable
!
interface FastEthernet0/2
switchport mode dynamic desirable
[output cut]
The enable mode password is not encrypted by default, but the enable
secret is. This is the same password configuration technique that you will
find on a router.
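The difference between the cleartext enable password and the hashed enable secret, visible in the show run listings of Lab 4.7 and Lab 4.12, can be checked mechanically on a saved configuration. The following Python script is an added example, not part of the lab software or the book: it audits a running-config for the password storage problems those listings show. The sample configuration is constructed, its hash is a placeholder, and the finding codes are names chosen for this example.

```python
import re

# Constructed sample modelled on the labs' `show run` listings. The hash is a
# placeholder and the line stanzas are what the console/vty steps would add.
SAMPLE_CONFIG = """\
version 12.1
no service password-encryption
!
hostname 3550A
!
enable secret 5 $1$XXXX$PLACEHOLDERHASHVALUE00
enable password todd
!
line con 0
 password console
 login
line vty 0 4
 password telnet
 login
line vty 5 15
 password telnet
 login
!
end
"""

ENABLE_PW_RE = re.compile(r"^enable password (?:([07]) )?\S+")
LINE_PW_RE = re.compile(r"^password (?:([07]) )?\S+")


def parse_sections(text):
    """Group a running-config into (header, [child commands]) by indentation."""
    sections = []
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.strip() == "!":
            continue
        if line[0].isspace() and sections:
            sections[-1][1].append(line.strip())
        else:
            sections.append((line.strip(), []))
    return sections


def storage(pw_type):
    """Type 7 is a reversible encoding; no type or type 0 is plain text."""
    return "REVERSIBLE" if pw_type == "7" else "CLEARTEXT"


def audit_passwords(text):
    """Return (code, location) findings about how passwords are stored."""
    sections = parse_sections(text)
    headers = [header for header, _ in sections]
    findings = []

    # Without this service, line and enable passwords stay readable in show run.
    if "service password-encryption" not in headers:
        findings.append(("NO_PASSWORD_ENCRYPTION", "global"))

    has_secret = any(h.startswith("enable secret ") for h in headers)
    for header in headers:
        match = ENABLE_PW_RE.match(header)
        if not match:
            continue
        findings.append((storage(match.group(1)) + "_ENABLE_PASSWORD", "global"))
        # The enable secret supersedes the enable password, so the weaker copy
        # only leaks a credential; with no secret it is the sole protection.
        findings.append(("REDUNDANT_ENABLE_PASSWORD" if has_secret
                         else "ENABLE_PASSWORD_WITHOUT_SECRET", "global"))

    for header, children in sections:
        if not header.startswith("line "):
            continue
        matches = [m for m in map(LINE_PW_RE.match, children) if m]
        for match in matches:
            findings.append((storage(match.group(1)) + "_LINE_PASSWORD", header))
        # A line password is only checked when the line also has `login`.
        if matches and not any(c.startswith("login") for c in children):
            findings.append(("LINE_PASSWORD_NOT_ENFORCED", header))
    return findings


if __name__ == "__main__":
    for code, where in audit_passwords(SAMPLE_CONFIG):
        print(f"{where:12} {code}")
```
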
Lab 4.13: Configuring the 3550/3560 Switch
This lab will have you work with a 3550 switch. The commands used in configuring the
3550 or 3560 switches are identical in this program. Even though the step-by-steps refer to
the 3550 switch, you can also configure the 3560 with the same steps.
Set the Hostname
The hostname on a switch, as well as on a router, is only locally significant. This means that
it does not have any function on the network and is not used for name resolution whatsoever.
However, it is helpful to set a hostname on a switch so that you can identify the switch when
connecting to it. A good rule of thumb is to name the switch after the location it is serving.
Network Layout
Work with the saved network that you used to configure devices in Lab 4.12.
Lab Steps
1. The 3550/3560 switch command to set the hostname is exactly like any router: you use
the hostname command. Remember, it is one word. From global configuration mode,
type the command hostname hostname.
Switch>enable
Enter password: ****
Switch#config t
Enter configuration commands, one per line. End with CTRL/Z
Switch(config)#hostname 3550A
3550A(config)#exit
3550A#
Notice that as soon as you press Enter, the hostname of the switch appears. Remember
that commands entered in global configuration mode, which you enter by using the config t
command, change the running-config.
Any changes you make in this mode take effect immediately.
Configure the IP Address
2. By default, no IP address or default-gateway information is set. You would set both the
IP address and the default-gateway on a layer-two switch, just like any host. By typing
the command show running-config you can see the default IP configuration of the
switch. Notice in your switch output that no IP address, default-gateway, or other
IP parameters are configured.
3. To set the IP configuration on a 3550/3560 switch, use the ip address command.
However, this is set under the VLAN1 interface, not at global configuration mode like
on a 1900 switch. Remember that by default all interfaces are members of VLAN1,
which is why the VLAN1 interface is configured by default.
3550A#config t
Enter configuration commands, one per line. End with CTRL/Z
3550A(config)#interface vlan 1
3550A(config-if)#ip address 172.16.10.4 255.255.255.0
3550A(config-if)#exit
3550A(config)#
4. The default gateway should also be set using the ip default-gateway command.
However, unlike the IP address, this is completed at global configuration mode.
3550A(config)#ip default-gateway 172.16.10.1
3550A(config)#exit
3550A#
To change the IP address and default-gateway on the switch, you can either type in new
addresses or remove the IP information with the no ip address and no ip default-gateway
commands, at the appropriate configuration prompt.
Configure Interfaces
It is important to understand how to access switch ports. The 3550/3560 uses the type
slot/port command, just like a 2621 router and just like the 3550/3560. For example,
Fastethernet 0/3 is 10/100BaseT port 3.
The 3550/3560 type slot/port command can be used with either the interface
command or the show command. The interface command allows you to set interface-specific
configurations. The 3550/3560 has only one slot: zero (0), just like the 1900.
5. To configure an interface on a 3550/3560, go to global configuration mode and use the
interface command as shown.
3550A#config t
Enter configuration commands, one per line. End with CTRL/Z
3550A(config)#interface ?
Async Async interface
BVI Bridge-Group Virtual Interface
Dialer Dialer interface
FastEthernet FastEthernet IEEE 802.3
Group-Async Async Group interface
Lex Lex interface
Loopback Loopback interface
Multilink Multilink-group interface
Null Null interface
Port-channel Ethernet Channel of interfaces
Transparent Transparent interface
Tunnel Tunnel interface
Virtual-Template Virtual Template interface
Virtual-TokenRing Virtual TokenRing
Vlan Catalyst Vlans
fcpa Fiber Channel
range interface range command
3550A(config)#interface
6. The next output asks for the slot. Since the 3550/3560 is not modular, there is only one
slot, which is 0, although it lists 0-2 for some odd reason. However, you can only type
in 0 as the slot in this program. Any other slot number will give you an error. The
next output gives us a slash (/) to separate the slot/port configuration.
3550A(config)#interface fastethernet ?
<0-2> FastEthernet interface number
3550A(config)#interface fastethernet 0?
/
3550A(config)#interface fastethernet 0/?
<0-10> FastEthernet interface number
7. After the 0/ in the command, the above output shows the number of ports you
can configure. The output below shows the completed command.
3550A(config)#interface fastethernet 0/4
3550A(config-if)#
8. Once you are in interface configuration mode, the prompt changes to (config-if).
After you are at the interface prompt, you can use the help commands to see the
available commands.
3550A(config-if)#?
Interface configuration commands:
arp Set arp type (arpa, probe, snap) or timeout
bandwidth Set bandwidth informational parameter
carrier-delay Specify delay for interface transitions
cdp CDP interface subcommands
channel-group Etherchannel/port bundling configuration
default Set a command to its defaults
delay Specify interface throughput delay
description Interface specific description
dot1x IEEE 802.1X subsystem
duplex Configure duplex operation
exit Exit from interface configuration mode
help Description of the interactive help system
hold-queue Set hold queue depth
ip Interface Internet Protocol config commands
keepalive Enable keepalive
load-interval Specify interval for load calculation for an
interface
logging Configure logging for interface
mac-address Manually set interface MAC address
mls mls interface commands
mvr MVR per port configuration
no Negate a command or set its defaults
ntp Configure NTP
--More--
You can switch between interface configurations by using the int fa 0/# command at
any time from global configuration mode.
9. Let's look at the duplex and speed configurations for a switch port.
3550A(config-if)#exit
3550A(config)#int fa0/4
3550A(config-if)#duplex ?
auto Enable AUTO duplex configuration
full Force full duplex operation
half Force half-duplex operation
3550A(config-if)#
3550A(config-if)#speed?
10 Force 10 Mbps operation
100 Force 100 Mbps operation
auto Enable AUTO speed configuration
3550A(config-if)#
10. Since the switch port's duplex and speed settings are already set to auto by default, you
do not need to change the switch port settings. It is recommended that you allow the
switch port to auto negotiate speed and duplex settings in most situations. In a rare
situation, when it is required to manually set the speed and duplex of a switch port,
you can use the following configuration.
3550A(config-if)#speed 100
Duplex will not be set until speed is set to non-auto value
3550A(config-if)#duplex full
11. Notice in the above command that to run full duplex, you must set the speed to a
non-auto value.
Full Duplex
Transmission of data in two directions simultaneously. It has a higher throughput than
half duplex.
• There are no collision domains with this setting
• Both sides must have the capability of being set to full duplex
• Both sides of the connection must be configured with full duplex
• Each side transmits and receives at full bandwidth in both directions
12. In addition to the duplex and speed commands that can be configured on the switch
port, you can also turn on what is called portfast. The portfast command allows a
switch port to come up quickly. Typically a switch port waits 50 seconds for spanning-tree
to go through its "gotta make sure there are no loops!" cycle. However, if you turn
portfast on, you had better be sure you do not create a physical loop on the switch
network. A spanning-tree loop can severely hurt or bring down your network. Here is
how you would enable portfast on a switch port.
3550A(config-if)#spanning-tree ?
bpdufilter Don't send or receive BPDUs on this interface
bpduguard Don't accept BPDUs on this interface
cost Change an interface's spanning tree port path cost
guard Change an interface's spanning tree guard mode
link-type Specify a link type for spanning tree protocol use
port-priority Change an interface's spanning tree port priority
portfast Enable an interface to move directly to forwarding on link up
stack-port Enable stack port
vlan VLAN Switch Spanning Tree
13. The command above shows the available options for the spanning-tree command.
We want to use the portfast command.
3550A(config-if)#spanning-tree portfast
%Warning: portfast should only be enabled on ports connected to a single
host. Connecting hubs, concentrators, switches, bridges, etc... to this
interface when portfast is enabled, can cause temporary bridging loops.
Use with CAUTION
%Portfast has been configured on FastEthernet0/4 but will only
have effect when the interface is in a non-trunking mode.
3550A(config-if)#
14. Notice the message the switch provides when enabling portfast. Although it seems like
the command did not take effect, as long as the port is in access mode (discussed in a
minute), the port will now be in portfast mode.
15. After you make any changes you want to the interfaces, you can view the different
interfaces with the show interface command. The switch output below shows the
command used to view a 10/100BaseT interface on the 3550/3560.
3550A(config-if)#ctrl+z
3550A#show int f0/4
FastEthernet0/4 is up, line protocol is up
Hardware is Fast Ethernet, address is 00b0.c5e4.e2cf (bia 00b0.c5e4.e2cf)
MTU 1500 bytes, BW 10000 Kbit, DLY 1000 usec,
Encapsulation ARPA, loopback not set
reliability 255/255, txload 1/255, rxload 1/255
Keepalive set (10 sec)
Full duplex, 100Mb/s
input flow-control is off, output flow-control is off
ARP type: ARPA, ARP Timeout 04:00:00
Last input never, output 1w6d, output hang never
Last clearing of "show interface" counters never
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: fifo
Output queue :0/40 (size/max)
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
1 packets input, 64 bytes, 0 no buffer
Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
0 watchdog, 0 multicast, 0 pause input
0 input packets with dribble condition detected
1 packets output, 64 bytes, 0 underruns
0 output errors, 0 collisions, 3 interface resets
0 babbles, 0 late collision, 0 deferred
0 lost carrier, 0 no carrier, 0 PAUSE output
0 output buffer failures, 0 output buffers swapped out
3550A#
16. In addition to the show interface command, you can use the show running-config
command to see the interface configuration as well.
3550A#show run
[output cut]
interface FastEthernet0/3
switchport mode dynamic desirable
!
interface FastEthernet0/4
switchport mode dynamic desirable
spanning-tree portfast
!
interface FastEthernet0/5
[output cut]
17. You can administratively set a name for each interface on the 3550/3560. Like the
hostname, the descriptions are only locally significant. For the 3550 series switch, use
the description command. You can use spaces with the description command, but
you can use underlines if you need to.
To set the descriptions, you need to be in interface configuration mode. From interface
configuration mode, use the description command to describe each interface.
3550A#config t
Enter configuration commands, one per line. End with CTRL/Z
3550A(config)#int fa 0/4
3550A(config-if)#description Marketing VLAN
3550A(config-if)#int fa 0/10
3550A(config-if)#description trunk to Building 3
3550A(config-if)#
In the configuration example above, we set the description on both port 4 and 10.
18. Once you have configured the descriptions you want on each interface, you can then
view the descriptions with either the show interface command, or show running-
config command. View the configuration of the Ethernet interface 0/4 by using the
show interface ethernet 0/4 command.
3550A(config-if)#ctrl+z
3550A#show int fa 0/4
FastEthernet0/4 is up, line protocol is up
Hardware is Fast Ethernet, address is 00b0.1a09.2097 (bia 00b0.1a09.2097)
Description: Marketing VLAN
(output cut)
19. Use the show running-config command to view the interface configurations as well.
3550A#show run
[output cut]
!
interface FastEthernet0/4
description "Marketing VLAN"
duplex full
speed 100
spanning-tree portfast
!
[output cut]
Notice in the above switch output that the show int fa0/4 command and the show run
command both show the description command set on an interface.
Save the network that you have been working on.
Lab 4.14: Verifying 3550/3560 Switch IP Connectivity
This lab will have you work with a 3550/3560 switch. The commands used in configuring
the 3550 or 3560 switches are identical in this program. Even though the step-by-steps refer
to the 3550 switch, you can also configure the 3560 with the same steps.
It is important to test the switch IP configuration. You can use the ping program, and
you can telnet into the 3550/3560 switch. However, you cannot telnet from the 3550/3560
switch or use traceroute.
Network Layout
Work with the saved network that you used to configure devices in Lab 4.13.
1. In the following example, ping Host B on the network from the 3550 Switch A. Notice
the output on a successful ping: exclamation point (!). If you receive periods (.) instead
of exclamation points, that signifies a timeout.
3550A#ping 172.16.10.6
Sending 5, 100-byte ICMP Echos to 172.16.10.6, time out is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max 0/2/10/ ms
2. In the following example, ping Host C on the network from the 3560 A switch.
3560A#ping 172.16.10.7
Sending 5, 100-byte ICMP Echos to 172.16.10.7, time out is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max 0/2/10/ ms
Lab 4.15: Saving and Erasing the
3550/3560 Switch Configuration
This lab will have you work with a 3550/3560 switch. The commands used in configuring
the 3550 or 3560 switches are identical in this program. Even though the step-by-steps refer
to the 3550 switch, you can also configure the 3560 with the same steps.
The switch configuration is stored in NVRAM, just as on any router, and placed in RAM
when the switch boots. The file in RAM is called the running-config and the file in
NVRAM is called the startup-config. You can view the startup-config, also called
the backup configuration, with the show startup-config command.
Network Layout
Work with the saved network that you used to configure devices in Lab 4.14.
1. To save the switch configuration, you type copy running-config startup-config, or
copy run start, just like on a router.
3550A#copy run start
Destination filename [startup-config]?press Enter
Building configuration...
[OK]
3550A#
2. You can delete the configuration in NVRAM on the 3550 switch if you want to start
over on the switch's configuration. To delete the contents of NVRAM on a 3550
switch, use the erase startup-config command as shown. However, you still need
to reload the switch to erase the running-config.
3550A#erase startup-config
Erasing the nvram filesystem will remove all files! Continue? [confirm]
press Enter
[OK]
Erase of nvram: complete
3550A#sh start
%% Non-volatile configuration memory is not present
3550A#
3. Again, just because you have erased the contents of NVRAM with the erase startup-
config command, you need to remember that the running-config is still in RAM. To
erase the running-config you have to reload the switch.
4. Change to the console screen for 3560 Switch A. Save your configuration.
3560A#copy run start
Destination filename [startup-config]?press Enter
Building configuration...
[OK]
3560A#
5. To delete the contents of NVRAM on a 3560 switch, use the erase startup-config
command as shown. However, you still need to reload the switch to erase the running-
config.
3560A#erase startup-config
Erasing the nvram filesystem will remove all files! Continue? [confirm]
press Enter
[OK]
Erase of nvram: complete
3560A#sh start
%% Non-volatile configuration memory is not present
3560A#
NAT
Lab 5: Introduction to Network Address Translation (NAT)
What Does NAT Do? NAT splits networks into two distinct sections, outside and inside.
Inside addresses are usually assigned PRIVATE IP addresses and the outside addresses are
assigned PUBLIC IP addresses on the Internet.
When Do You Use NAT? NAT, at times, decreases the overwhelming amount of Public
IP addresses required in your networking environment. And NAT comes in really handy
when two companies that have duplicate internal addressing schemes merge. NAT is also
great to have around when an organization changes its Internet Service Provider (ISP) and
the networking manager doesn't want to hassle with changing the internal address scheme.
Here's a list of situations when it's best to have NAT on your side:
• You need to connect to the Internet and your hosts do not have globally unique
IP addresses.
• You change to a new ISP that requires you to renumber your network.
• You require two Intranets with duplicate addresses to merge.
Advantages and Disadvantages of Implementing NAT
Advantages                                         Disadvantages
-------------------------------------------------  -------------------------------------------------------
Conserves legally registered addresses             Translation introduces switching path delays
Reduces address overlap occurrence                 Loss of end-to-end IP traceability
Increases flexibility when connecting to Internet  Certain applications will not function with NAT enabled
Eliminates address renumbering as network changes
Lab 5.1: Configuring Your Routers
In this lab, you will configure NAT on 2811 Router A to translate the private IP address of
192.168.10.0 to a public address of 171.16.10.0.
Network Layout
Load Nat-Pat Layout.rsm before going through the following lab.
1. On the Network Visualizer screen, click on the File menu and then click Open.
2. When the dialog box appears, make sure you are in the Networks folder.
3. Click on the file Nat-Pat Layout.rsm and click Open.
Command Summary for NAT/PAT Lab
Command                                               Purpose
----------------------------------------------------  -------------------------------------------------------
IP nat inside source list acl pool name               Translates IPs that match the ACL from the pool
IP nat inside source static inside_addr outside_addr  Statically maps an inside address to an outside address
IP nat pool name                                      Creates an address pool
IP nat inside                                         Sets an interface to be an inside interface
IP nat outside                                        Sets an interface to be an outside interface
Show ip nat translations                              Shows current NAT translations
Setting up the NAT Lab
You will set up IP addresses on the router interfaces and turn on EIGRP on every router.
Configure the routers with the IP addresses listed below:
Router IP Address Scheme
Router   Interface   IP Address
------   ---------   ---------------
2811 A   S0/0/0      171.16.10.1/24
2811 B   F0/0        192.168.10.1/24
2811 B   S0/0/0      171.16.10.2/24
2811 C   F0/0        192.168.10.2/24
2811 C   F0/1        192.168.20.1/24
2811 D   F0/1        192.168.20.2/24
Lab Steps
1. Double-click 2811 Router A in order to bring up the console screen. Configure the router.
Router>enable
Router#config t
Router(config)#hostname 2811A
2811A(config)#interface serial 0/0/0
2811A(config-if)#ip address 171.16.10.1 255.255.255.0
2811A(config-if)#no shutdown
2811A(config-if)#exit
2811A(config)#router eigrp 15
2811A(config-router)#network 171.16.0.0
2811A(config-router)#ctrl+z
2811A#copy run start
Destination filename [startup-config]? [enter]
Building configuration...
[OK]
2811A#
2. Use the console menu to bring up the console screen for 2811 Router B.
3. Configure 2811 Router B.
Router>enable
Router#config t
Router(config)#hostname 2811B
2811B(config)#interface serial 0/0/0
2811B(config-if)#ip address 171.16.10.2 255.255.255.0
2811B(config-if)#no shutdown
2811B(config-if)#interface f0/0
2811B(config-if)#ip address 192.168.10.1 255.255.255.0
2811B(config-if)#no shutdown
2811B(config-if)#exit
2811B(config)#router eigrp 15
2811B(config-router)#network 171.16.0.0
2811B(config-router)#network 192.168.10.0
2811B(config-router)#no auto-summary
2811B(config-router)#ctrl+z
2811B#copy run start
Destination filename [startup-config]? [enter]
Building configuration...
[OK]
2811B#
4. Use the console menu to bring up the console screen for 2811 Router C.
5. Configure 2811 Router C.
Router>enable
Router#config t
Router(config)#hostname 2811C
2811C(config)#interface f0/0
2811C(config-if)#ip address 192.168.10.2 255.255.255.0
2811C(config-if)#no shutdown
2811C(config-if)#interface f0/1
2811C(config-if)#ip address 192.168.20.1 255.255.255.0
2811C(config-if)#no shutdown
2811C(config-if)#exit
2811C(config)#router eigrp 15
2811C(config-router)#network 192.168.10.0
2811C(config-router)#network 192.168.20.0
2811C(config-router)#ctrl+z
2811C#copy run start
Destination filename [startup-config]? [enter]
Building configuration...
[OK]
2811C#
Auto-Summary
The process of taking subnets like 192.168.10.4/30 or 192.168.10.56/29 and summarizing
them down to their base network class. In the case of 192.168.10.4/30 or
192.168.10.56/29 the networks are summarized to their Class C base network address
of 192.168.10.0/24.
Summarization occurs at classful network boundaries. Classful network boundaries
occur when one class of networks meets a different class of networks, thus a network
boundary. If subnet 192.168.10.4/30 or 192.168.10.56/29 were crossing over to another
router connected by the 10.1.1.0/24 network, the classful network boundary is between
the 10.0.0.0/8 and 192.168.10.0/24 networks.
No Auto-Summary
The process of taking the subnets like 192.168.10.4/30 or 192.168.10.56/29 and not
summarizing them down to their base network class. In the case of 192.168.10.4/30 or
192.168.10.56/29, the networks are never summarized to their Class C base network
address of 192.168.10.0/24 when classful network boundaries are encountered.
6. Use the console menu to bring up the console screen for 2811 Router D.
7. Configure 2811 Router D.
Router>enable
Router#config t
Router(config)#hostname 2811D
2811D(config)#interface f0/1
2811D(config-if)#ip address 192.168.20.2 255.255.255.0
2811D(config-if)#no shutdown
2811D(config-if)#exit
2811D(config)#router eigrp 15
2811D(config-router)#network 192.168.20.0
2811D(config-router)#ctrl+z
2811D#copy run start
Destination filename [startup-config]? [enter]
Building configuration...
[OK]
2811D#
8. After you configure the routers, you should be able to ping from router to router. Verify
that you can ping from 2811 Router A to 2811 Router D and from 2811 Router D to 2811
Router A. If you cannot, STOP!, troubleshoot your network.
2811A#ping 192.168.20.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.20.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/4 ms
2811A#
2811D#ping 171.16.10.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 171.16.10.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/4 ms
2811D#
9. You can also verify your EIGRP routes with the show ip route command.
2811A#show ip route
[output cut]
171.16.0.0/24 is subnetted, 1 subnets
C 171.16.10.0 is directly connected, Serial0/0/0
D 192.168.20.0 [90/2172416] via 171.16.10.2, 00:06:07, Serial0/0/0
D 192.168.10.0 [90/2172416] via 171.16.10.2, 00:06:07, Serial0/0/0
2811A#
2811B#show ip route
[output cut]
171.16.0.0/24 is subnetted, 1 subnets
C 171.16.10.0 is directly connected, Serial0/0/0
D 192.168.20.0 [90/2172416] via 192.168.10.2, 00:08:08, FastEthernet0/0
C 192.168.10.0/24 is directly connected, FastEthernet0/0
2811B#
2811C#show ip route
[output cut]
171.16.0.0/24 is subnetted, 1 subnets
D 171.16.10.0 [90/2172416] via 192.168.10.1, 00:09:08, FastEthernet0/0
C 192.168.20.0/24 is directly connected, FastEthernet0/1
C 192.168.10.0/24 is directly connected, FastEthernet0/0
2811C#
2811D#show ip route
[output cut]
171.16.0.0/24 is subnetted, 1 subnets
D 171.16.10.0 [90/2172416] via 192.168.20.1, 00:10:25, FastEthernet0/1
C 192.168.20.0/24 is directly connected, FastEthernet0/1
D 192.168.10.0 [90/2172416] via 192.168.20.1, 00:10:25, FastEthernet0/1
2811D#
Rename and Save Your File: Make sure you save the actual network layout file that
you have been working with. You might want to save it to another file name than Nat-Pat
Layout.rsm. This allows you to start over with a non-configured network if you wish.
1. There are two ways you can save a network layout. The first way is by clicking on the
Diskette button on the button bar, at the top of the Network Visualizer screen. You
can also click File on the menu and choose Save from the drop down menu.
2. A dialog box will appear. At the bottom you will see the file name Nat-Pat Layout.rsm.
Rename the file. In the following example it is renamed to My Nat-Pat Layout.rsm.
3. Click the Save button. At this point your network layout has been saved to a new name.
You then have the option of reloading Nat-Pat Layout.rsm which is non-configured.
Switch Security
Lab 6.1: Configuring Switch Security
In this lab you will configure a switch to mitigate security attacks.
In some networks it may be desirable to implement security on switchports in order to
restrict which computers can access the network. This is accomplished through switchport
security commands. Through such commands an administrator can control how many
computers can be connected to a given port as well as specify, based on MAC addresses,
which computers are allowed to connect to the port.
The lab topology consists of 2960 Switch A with a connection to Hosts A and B.
Host MAC Address
Host A 8e36.6b21.6e25
Host B 1175.3e8b.d4f0
Network Layout
Load Switchport Security Layout.rsm before going through the following lab.
1. On the Network Visualizer screen, click on the File menu and then click Open.
2. When the dialog box appears, make sure you are in the Networks folder.
3. Click on the file Switchport Security Layout.rsm and click Open. You should see
the non-configured network.
Lab Steps
1. First you will enable switchport security on interface FastEthernet 0/1 on 2960
Switch A. This and the subsequent security commands are entered in the interface
configuration mode.
Switch>enable
Switch#config t
Switch(config)#hostname 2960A
2960A(config)#int fa0/1
2960A(config-if)#switchport mode access
2960A(config-if)#switchport port-security
2. Configure 2960 Switch A to limit the devices that can connect through interface
FastEthernet 0/1. You will set the maximum number of devices to 1.
2960A(config-if)#switchport port-security maximum 1
3. Set the MAC address that can be learned through the interface.
2960A(config-if)#switchport port-security mac-address b21f.135f.d81e
4. The switch response when port security is violated depends on which response state
has been configured. These states are as follows:
Protect: Once the maximum number of secure MAC addresses is reached on a port,
additional addresses will not be learned and packets from unknown addresses are
dropped. No notification is sent.
Restrict: Once the maximum number of secure MAC addresses is reached on a port,
additional addresses will not be learned and packets from unknown addresses are
dropped. An SNMP trap is sent, a syslog message is logged and the violation counter
increases.
Shutdown: Once the maximum number of secure MAC addresses is reached on a port,
the receipt of a packet from an unknown address causes the port to be error disabled
and the port LED turns off. An SNMP trap is sent, a syslog message is logged and the
violation counter increases.
Shutdown VLAN: This mode is implemented on a per VLAN basis. Once the maximum
number of secure MAC addresses is reached on a port for a designated VLAN,
the receipt of a packet from an unknown address causes the port to be error disabled
for that VLAN.
5. Configure FastEthernet 0/1 to be shut down upon a violation.
2960A(config-if)#switchport port-security violation shutdown
6. Configure interface FastEthernet 0/2 to allow only one MAC address to be learned
through the interface, using the sticky method so that the MAC address is
learned and placed in the configuration.
2960A(config-if)#int fa0/2
2960A(config-if)#switchport mode access
2960A(config-if)#switchport port-security
2960A(config-if)#switchport port-security maximum 1
2960A(config-if)#switchport port-security mac-address sticky
7. Go back to the enable mode.
2960A(config-if)#ctrl+z
2960A#
Rename and Save Your File: Make sure you save the actual network layout file that you
have been working with. You might want to save it to another file name than Switchport
Security Layout.rsm. This allows you to start over with your initial, non-configured
network if you wish.
There are two ways you can save a network layout. The first way is by clicking on the
Diskette button on the button bar, at the top of the Network Visualizer screen. You can
also click File on the menu and choose Save from the drop down menu.
Lab 6.2: Verifying Switch Security
Now that the switch configuration is complete, you will verify that the switch security
configuration effectively prevents the attachment of an unauthorized host machine.
Network Layout
Load Switchport Security Layout.rsm or whatever you named the file when you saved
your work. You need a configured network in order to complete this lab.
1. On the Network Visualizer screen, click on the File menu and then click Open.
2. When the dialog box appears, make sure you are in the Networks folder.
3. Click on the file Switchport Security Layout.rsm and click Open.
Lab Steps
1. Issue the show mac-address-table command from 2960 Switch A. This should confirm
that MAC addresses of host A and host B are in the MAC address table.
The addresses are listed below.
Host     MAC Address      IP Address
------   --------------   ----------
Host A   8e36.6b21.6e25   10.1.1.1
Host B   1175.3e8b.d4f0   10.1.1.2
Host C   2c9b.00e9.9c64   10.1.1.3
If the addresses are not in the table, issue a ping from host A to host B (ping 10.1.1.2
from host A).
2960A#show mac-address-table
Mac Address Table
-------------------------------------------
Vlan Mac Address Type Ports
---- ----------- -------- -----
1 8e36.6b21.6e25 STATIC Fa0/1
1 1175.3e8b.d4f0 STATIC Fa0/2
2. Next issue the show run command. You should see the following output.
2960A#show run
interface FastEthernet0/1
switchport mode access
switchport port-security
switchport port-security maximum 1
switchport port-security mac-address b21f.135f.d81e
interface FastEthernet0/2
switchport mode access
switchport port-security
switchport port-security maximum 1
switchport port-security mac-address sticky
switchport port-security mac-address sticky 1175.3e8b.d4f0
3. Next you will confirm the effectiveness of these commands by disconnecting host B
from FastEthernet port 0/2 on 2960 Switch A and connecting host C to FastEthernet
port 0/2.
a. Right-click on host B and click on the Ethernet 0/0 interface.
b. When asked if you want to remove this connection, click Yes.
c. Right-mouse click host C, click Ethernet port 0/0, then move the mouse pointer
over to 2960 Switch A.
d. Right-mouse click 2960 Switch A and then click FastEthernet 0/2 to complete the
connection.
Once you have done so return to the switch command prompt. You should see the
following messages displayed:
2960A#
%LINK-5-CHANGED: Interface FastEthernet0/2, changed state to down
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/2, changed
state to down
%LINK-5-CHANGED: Interface FastEthernet0/2, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/2, changed
state to up
Press the Enter key if necessary.
4. Bring up the DOS screen for host A. Ping from host A to host C (ping 10.1.1.3). Once
you have done so return to the switch command prompt. You should see the following
messages displayed:
%LINK-5-CHANGED: Interface FastEthernet0/2, changed state to administratively
down
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/2, changed
state to down
This confirms that the interface was disabled when it saw a new MAC address connected
to the port.
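The cross-check that steps 1 and 2 of this lab do by eye, as an added Python example (not part of the book or the lab software): it parses the show run and show mac-address-table output above, applies the IOS defaults of maximum 1 and violation shutdown, and reports access ports whose learned address is not a configured secure address. The FastEthernet0/3 stanza and all function names are constructed for the example; on the lab's own output the check flags Fa0/1, where the table shows Host A's address rather than the one entered in step 3 of Lab 6.1.

```python
import re

# Output printed in steps 1 and 2 of this lab. The FastEthernet0/3 stanza is
# constructed for this example (an access port with no port security).
SHOW_RUN = """\
interface FastEthernet0/1
switchport mode access
switchport port-security
switchport port-security maximum 1
switchport port-security mac-address b21f.135f.d81e
interface FastEthernet0/2
switchport mode access
switchport port-security
switchport port-security maximum 1
switchport port-security mac-address sticky
switchport port-security mac-address sticky 1175.3e8b.d4f0
interface FastEthernet0/3
switchport mode access
"""

MAC_TABLE = """\
Vlan Mac Address Type Ports
---- ----------- -------- -----
1 8e36.6b21.6e25 STATIC Fa0/1
1 1175.3e8b.d4f0 STATIC Fa0/2
"""

MAC = r"[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}"


def short_name(ifname):
    """Normalise 'FastEthernet0/1' and 'Fa0/1' to the same key, 'fa0/1'."""
    m = re.match(r"([A-Za-z]+)\s*(\d[\d/]*)$", ifname.strip())
    return (m.group(1)[:2] + m.group(2)).lower() if m else ifname.strip().lower()


def parse_interfaces(show_run):
    """Split running-config text into {port: [lower-cased stanza lines]}."""
    stanzas, current = {}, None
    for raw in show_run.splitlines():
        line = raw.strip().lower()
        if line.startswith("interface "):
            current = short_name(line[len("interface "):])
            stanzas[current] = []
        elif line in ("", "!"):
            current = None          # a separator ends the stanza
        elif current is not None:
            stanzas[current].append(line)
    return stanzas


def port_security(lines):
    """Summarise one stanza; maximum 1 and violation shutdown are the defaults."""
    ps = {"access": "switchport mode access" in lines,
          "enabled": "switchport port-security" in lines,
          "maximum": 1, "violation": "shutdown", "sticky": False, "macs": set()}
    for line in lines:
        m = re.match(r"switchport port-security (maximum|violation|mac-address)\s*(.*)", line)
        if not m:
            continue
        key, rest = m.groups()
        if key == "maximum":
            ps["maximum"] = int(rest.split()[0])
        elif key == "violation":
            ps["violation"] = rest.split()[0]
        elif rest.strip() == "sticky":
            ps["sticky"] = True     # sticky learning switched on
        else:
            ps["macs"].update(re.findall(MAC, rest))  # static or sticky entry
    return ps


def parse_mac_table(text):
    """Return {port: set of MACs} from show mac-address-table output."""
    seen = {}
    for line in text.lower().splitlines():
        m = re.match(r"\s*\d+\s+(%s)\s+\S+\s+(\S+)\s*$" % MAC, line)
        if m:
            seen.setdefault(short_name(m.group(2)), set()).add(m.group(1))
    return seen


def audit(show_run, mac_table):
    """Return (port, finding) tuples for access ports, sorted by port."""
    seen = parse_mac_table(mac_table)
    findings = []
    for port, lines in sorted(parse_interfaces(show_run).items()):
        ps = port_security(lines)
        if not ps["access"]:
            continue
        if not ps["enabled"]:
            findings.append((port, "access port has no port security"))
            continue
        if ps["violation"] == "protect":
            findings.append((port, "protect mode drops frames without notification"))
        full = len(ps["macs"]) >= ps["maximum"]
        for mac in sorted(seen.get(port, set()) - ps["macs"]):
            if full:  # no room left to learn this address dynamically
                findings.append((port, "%s is in the address table but is not a secure "
                                 "address, and the limit of %d is used up" % (mac, ps["maximum"])))
    return findings


if __name__ == "__main__":
    for port, finding in audit(SHOW_RUN, MAC_TABLE):
        print(port, "-", finding)
```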
Individual Labs (Comprehensive)
Please Note: Enter all commands in lower case. The program's grading feature expects
lower case and may count an answer wrong if it is in upper case.
Introduction to Individual Labs
We offer CCNA labs that are comprehensive and self-contained. They stand on their own,
and do not require configurations from prior labs. These labs are typically longer than
the accumulative labs because you are starting with a non-configured network each time
you bring up an Individual lab. You are totally configuring the network for each lab, from
beginning to finish. We provide step-by-step instructions for these labs.
Grading
When you have finished with each Individual lab ...
You can check your work by clicking the Grade Me button in the upper right hand corner
of the Network Visualizer screen.
You will see a report that will display:
• The name of the command entered for this lab.
• The expected configuration.
• Your configuration.
• The result for each command. You will see a green checkmark (meaning that you got it
correct) or a red X.
• A score of the number of correct answers out of the total possible.
Individual Lab: Cisco 2811 Router and Security Device Manager (SDM)
Cisco SDM is a Web-based device-management tool for routers. The SDM is a graphical
user interface that allows you to quickly configure the 2811 router. No interaction with the
command line interface (CLI) is required.
Please Note: Before you can use SDM, you must first manually configure
the 2811 router with the CLI.
In this lab we will:
• Configure 2811 Router A
• Configure Host A because that is where we will be launching the SDM
• Set up https services on the router so you can configure 2811 Router A via a secure
web browser
When you have finished with this lab ...
You can check your work by clicking the Grade Me button in the upper right hand corner
of the Network Visualizer screen.
You will see a report that will display:
• The name of the command entered for this lab.
• The expected configuration.
• Your configuration.
• The result for each command. You will see a green checkmark (meaning that you got it
correct) or a red X.
• A score of the number of correct answers out of the total possible.
Network Layout
On the Network Visualizer screen, click on the Labs menu then choose Individual, IP
Routing, and 2811 Router and SDM.
Lab Steps
1. Double-click 2811 Router A. After the console screen comes up set the hostname and
IP addresses of each interface.
Router>enable
Router#config t
Router(config)#hostname 2811A
2811A(config)#int fa0/0
2811A(config-if)#ip address 172.16.10.1 255.255.255.0
2811A(config-if)#no shutdown
2811A(config-if)#int fa0/1
2811A(config-if)#ip address 172.16.20.1 255.255.255.0
2811A(config-if)#no shutdown
2811A(config-if)#exit
2811A(config)#exit
2811A#copy run start
Destination filename [startup-config]? [enter]
Building configuration...
[OK]
2811A#
2. Right-click on Host A.
3. Click on the Configs button.
4. On Host A configure:
• IP address
• Subnet Mask
• Default Gateway
IP Address: 172.16.10.5
Subnet Mask: 255.255.255.0
Default Gateway: 172.16.10.1
5. Click the OK button and then the Close button.
6. Bring up the console screen for 2811 Router A by double-clicking on the router. Verify
you can reach Host A.
2811A#ping 172.16.10.5
If all is well, you should get the following output from the router!
Sending 5, 100-byte ICMP Echos to 172.16.10.5, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/4 ms
2811A#
7. Configure HTTPS on the 2811 Router A and verify your configurations.
2811A#config t
2811A(config)#ip http server
2811A(config)#ip http secure-server
% Generating 1024 bit RSA keys, keys will be non-exportable...[OK]
2811A(config)#ip http authentication local
2811A(config)#username cisco privilege 15 password 0 cisco
2811A(config)#line console 0
2811A(config-line)#login local
2811A(config-line)#line vty 0 1180
2811A(config-line)#privilege level 15
2811A(config-line)#login local
2811A(config-line)#transport input telnet
2811A(config-line)#transport input telnet ssh
2811A(config-line)#exit
2811A(config)#do show run
Before IOS version 12.3, you could not use the do command. You had to be
in user or privileged mode in order to ping other devices or view configurations.
However, beginning with IOS version 12.3 you can use the do command
in the configuration mode to accomplish this.
You should now be able to launch SDM.
Launching SDM Via Host A
Now that we have configured 2811 Router A with HTTPS, we can launch SDM via Host A.
8. Put your cursor over Host A and click your right mouse button.
9. Click the Web Browser button.
10. When the web browser appears, enter the URL https://172.16.10.1
11. Select Yes when the Security Alert Dialog appears.
The following screen may be different, depending on the web browser that
you use.
Network Layout
If it is not already loaded, bring up Standard Layout.rsm before going through the
following lab.
12. When the username and password dialog appears, enter the username and password
that you created earlier.
Username: cisco
Password: cisco
13. The SDM Launch screen will appear.
Do not close this window; doing so will shut down the SDM. Just minimize the window until
you shut down the SDM.
14. When the Warning Security Dialog appears, check the Always trust content from publisher
option and then select Yes.
15. When the username and password dialog appears again, enter the username and password
that you created earlier.
Username: cisco
Password: cisco
16. When the Change Default User Name and Password dialog screen appears, change
your username and password.
You will not see the following screen after your initial launch of the SDM.
You will be prompted to enter the new username and password that you just created.
The SDM will load the configuration from 2811 Router A and you should now be connected
to the router via the SDM application.
Configure IP Address Using SDM
You will now learn how to configure an IP address on a router interface of 2811 Router A,
using the SDM. Now that you have the SDM application up and running, you will see the
main SDM window.
17. Click on the Configure button (upper left corner of the screen) and a configuration
window is displayed.
18. Then click on the Interface and Connections button.
19. Click the Edit Interface/Connection tab, and the Edit Interface connection tab is
displayed.
20. Double-click on the line that displays FastEthernet0/1.
. . . and the Interface Feature Edit Dialog screen appears:
21. With the Interface Feature Edit dialog open, you can enter a new IP Address and subnet
mask in the appropriate fields.
22. Click the OK button to change the IP Address and subnet mask or click the Cancel
button to exit.
When a new configuration is sent to the router a Command deliver window
appears.
23. Save your configuration by clicking the Save button at the top of the screen.
You will see the following dialog box. Click the Yes button to continue.
Configure DHCP Pool with the SDM
You will now use the SDM to configure a DHCP Pool on your 2811 Router A.
24. Click on the Additional Tasks button located on the sidebar menu and at the bottom
left of the screen. If the Additional Task button is not visible, scroll the side bar menu
until it appears. The Additional Task window will appear.
25. Expand the DHCP tree item by clicking the plus sign next to DHCP.
26. Click on DHCP Pools and the DHCP Pools window will appear.
27. Click the Add button and the DHCP Pool Dialog screen will appear.
28. Configure your DHCP pool and then select the OK button.
When a new configuration is sent to the router a Command Delivery Status
window appears.
29. Save your configuration by clicking the Save button.
Using the SDM to Configure Other Items
You will now use the SDM to configure the hostname, the banner (message of the day), the
IP domain-name, and the enable secret password.
30. Click on the Router Properties tree item and the Device Properties screen will appear.
31. Click the Edit button on the upper right side of the screen and the Device Properties
dialog screen will appear.
32. Enter a hostname, an IP domain-name, and the message of the day banner.
33. With the Device Properties dialog still open, click on the Secret Password tab and configure
your new password and then click OK.
When a new configuration is sent to the router a Command Delivery Status
dialog appears.
34. Save your configuration by clicking the Save button.
Verify Router Configurations
You will now verify your new router configurations.
35. From your current SDM window, click on the Home button located at the top of the
screen. You should see the following screen:
36. Click on the View Running Config button on the middle right area of the screen. The
Show Running Configuration screen will appear.
37. Scroll through the running configuration so you can view your configurations.
38. Click the Close button when you are finished.
39. Close the SDM application.
40. The SDM launch page and browser need to be closed manually.
Individual Lab: Configuring Routers
In this lab you will connect to the routers starting with 2621 Router A and working
through 2811 Router A, and then finishing with 2621 Router B. After the configurations
are complete, we will then build the routing tables. Then we will verify configurations
with the show run command and the show ip route command.
Enter all commands in lower case. The program's grading feature expects
lower case and may count an answer wrong if it is in upper case.
When you have finished with this lab ...
You can check your work by clicking the Grade Me button in the upper right hand corner
of the Network Visualizer screen.
You will see a report that will display:
- The name of the command entered for this lab.
- The expected configuration.
- Your configuration.
- The result for each command. You will see a green checkmark (meaning that you got it
  correct) or a red X.
- A score of the number of correct answers out of the total possible.
Network Layout
On the Network Visualizer screen, click on the Labs menu then choose Individual, IP
Routing, and Configuring Routers.
Lab Steps
1. Double-click 2621 Router A. After the console screen comes up, set the
- Hostname
- Passwords
- Interface descriptions
- Banners
- IP addresses of each interface
Router>enable
Router#config t
Router(config)#hostname 2621A
2621A(config)#enable secret todd
2621A(config)#line console 0
2621A(config-line)#password todd
2621A(config-line)#login
2621A(config-line)#line aux 0
2621A(config-line)#password todd
2621A(config-line)#login
2621A(config-line)#line vty 0 4
2621A(config-line)#password todd
2621A(config-line)#login
2621A(config-line)#int s0/0
2621A(config-if)#ip address 172.16.20.2 255.255.255.0
2621A(config-if)#description connection to 2811A
2621A(config-if)#no shutdown
2621A(config-if)#exit
2621A(config)#exit
2621A#copy run start
Destination filename [startup-config]? [enter]
Building configuration...
[OK]
2621A#
2. Double-click 2811 Router A. After the console screen comes up, set the
- Hostname
- Passwords
- Interface descriptions
- Banners
- IP addresses of each interface
Router>enable
Router#config t
Router(config)#hostname 2811A
2811A(config)#enable secret todd
2811A(config)#line console 0
2811A(config-line)#password todd
2811A(config-line)#login
2811A(config-line)#line aux 0
2811A(config-line)#password todd
2811A(config-line)#login
2811A(config-line)#line vty 0 1180
2811A(config-line)#password todd
2811A(config-line)#login
2811A(config-line)#int s0/1/1
2811A(config-if)#ip address 172.16.20.1 255.255.255.0
2811A(config-if)#description connection to 2621A
2811A(config-if)#no shutdown
2811A(config-if)#int s0/0/1
2811A(config-if)#ip address 172.16.30.1 255.255.255.0
2811A(config-if)#description connection to 2621B
2811A(config-if)#no shutdown
2811A(config-if)#exit
2811A(config)#exit
2811A#copy run start
Destination filename [startup-config]? [enter]
Building configuration...
[OK]
2811A#
Clock Rate
It is important to understand clocking on an interface. On a real connection, clocking
issues will typically cause data loss and/or packet errors. You will also see framing slips
on a carrier circuit when there is a clocking issue.
You do not have to set a clock rate if the DCE side of your connection is a 2811 router.
The clock rate for the serial interface is set by default to 2000000. However, on the
2621 router you still need to explicitly set the clock rate. In our lab the DCE side of
the connection is interface serial 0/1/1 and serial 0/0/1.
3. Double-click 2621 Router B. After the console screen comes up, set the
- Hostname
- Passwords
- Interface descriptions
- Banners
- IP addresses of each interface
Router>enable
Router#config t
Router(config)#hostname 2621B
2621B(config)#enable secret todd
2621B(config)#line console 0
2621B(config-line)#password todd
2621B(config-line)#login
2621B(config-line)#line aux 0
2621B(config-line)#password todd
2621B(config-line)#login
2621B(config-line)#line vty 0 4
2621B(config-line)#password todd
2621B(config-line)#login
2621B(config-line)#int s0/0
2621B(config-if)#ip address 172.16.30.2 255.255.255.0
2621B(config-if)#description connection to 2811A
2621B(config-if)#no shutdown
2621B(config-if)#exit
2621B(config)#exit
2621B#copy run start
Destination filename [startup-config]? [enter]
Building configuration...
[OK]
2621B#
4. Starting at 2621 Router A and finishing at 2621 Router B, run the following two
commands:
2621A#show run
Building configuration...
Current configuration : 625 bytes
!
version 12.2
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname 2621A
!
enable secret 5 $1$u76B$IOFVJ7VxfVXYVpGDrFTcI0
!
ip subnet-zero
!
interface FastEthernet0/0
no ip address
no ip directed-broadcast
shutdown
!
interface Serial0/0
description connection to 2811A
ip address 172.16.20.2 255.255.255.0
no ip directed-broadcast
!
[output cut]
2621A#show ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, * - candidate
default
U - per-user static route, o - ODR, P - periodic downloaded static
route
T - traffic engineered route
Gateway of last resort is not set
172.16.0.0/24 is subnetted, 1 subnets
C 172.16.20.0 is directly connected, Serial0/0
2621A#
Show IP Route
The show ip route command is used to see the routing table on your router. It is important
to notice that only the directly connected networks are showing. This means the routers can
only route to the directly connected networks. In order to send packets to another network
not in the routing table, we must configure the routing table with this network and how to
get to the remote network.
Notice that the running-config command shows the complete configuration your
router is running.
5. Run through the verification commands on the other routers.
2811A#show run
2811A#show ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, * - candidate
default
U - per-user static route, o - ODR, P - periodic downloaded static
route
T - traffic engineered route
Gateway of last resort is not set
172.16.0.0/24 is subnetted, 2 subnets
C 172.16.30.0 is directly connected, Serial0/0/1
C 172.16.20.0 is directly connected, Serial0/1/1
2811A#
This table shows a directly connected route to routers 2621 A and 2621 B.
Please Note: Enter all commands in lower case. The program's grading feature expects
lower case and may count an answer wrong if it is in upper case.
2621B#show run
2621B#show ip route
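The point made about show ip route above, that a router can forward only to networks in its table, can be checked mechanically. The following is an added Python example, not code from the book or from Cisco: it parses the table format shown in this lab (child routes inherit the prefix length from the "is subnetted" line) and does a longest-prefix lookup. The function names and the handling of "via" routes, which do not appear in this lab's output, are assumptions of this example.

```python
import ipaddress
import re

# Constructed samples: the routing tables printed in this lab, with part of
# the legend kept to show that non-route lines are ignored.
ROUTES_2621A = """\
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
Gateway of last resort is not set
172.16.0.0/24 is subnetted, 1 subnets
C 172.16.20.0 is directly connected, Serial0/0
"""

ROUTES_2811A = """\
Gateway of last resort is not set
172.16.0.0/24 is subnetted, 2 subnets
C 172.16.30.0 is directly connected, Serial0/0/1
C 172.16.20.0 is directly connected, Serial0/1/1
"""

# Parent line: carries the prefix length for the child routes that follow.
PARENT = re.compile(r"^\s*(\d+\.\d+\.\d+\.\d+)/(\d+) is (?:variably )?subnetted")
# Route line: code, network, optional /len, then either a connected interface
# or "[distance/metric] via next-hop" (the latter is not shown in this lab).
ROUTE = re.compile(
    r"^\s*(?P<code>[A-Za-z][A-Za-z0-9*]*)\s+"
    r"(?P<net>\d+\.\d+\.\d+\.\d+)(?:/(?P<len>\d+))?\s+"
    r"(?:is directly connected, (?P<ifname>\S+)"
    r"|\[\d+/\d+\] via (?P<nh>\d+\.\d+\.\d+\.\d+))"
)


def parse_routes(show_ip_route):
    """Return a list of route dicts parsed from 'show ip route' text."""
    routes = []
    parent_len = None
    for line in show_ip_route.splitlines():
        parent = PARENT.match(line)
        if parent:
            parent_len = int(parent.group(2))
            continue
        match = ROUTE.match(line)
        if not match:
            continue  # legend, blank line, or gateway-of-last-resort line
        length = int(match.group("len")) if match.group("len") else parent_len
        if length is None:
            continue  # no prefix length available; skip rather than guess
        network = ipaddress.ip_network(f"{match.group('net')}/{length}", strict=False)
        routes.append({
            "code": match.group("code"),
            "network": network,
            "out": match.group("ifname") or match.group("nh"),
        })
    return routes


def lookup(routes, destination):
    """Longest-prefix match; None means the router has no route and drops the packet."""
    dst = ipaddress.ip_address(destination)
    candidates = [r for r in routes if dst in r["network"]]
    return max(candidates, key=lambda r: r["network"].prefixlen, default=None)


if __name__ == "__main__":
    for name, table in (("2621A", ROUTES_2621A), ("2811A", ROUTES_2811A)):
        routes = parse_routes(table)
        for dst in ("172.16.20.1", "172.16.30.2"):
            hit = lookup(routes, dst)
            print(name, dst, "->", hit["out"] if hit else "no route")
```

Run against the two tables, it shows that 2621A has no path to 172.16.30.2 until a route to 172.16.30.0 is configured, while 2811A reaches both serial networks directly.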
Individual Lab: Configuring the 1900 Switch
Enter all commands in lower case. The program's grading feature expects
lower case and may count an answer wrong if it is in upper case.
In this lab you will work with a switch and router to:
- Enter an IP address on 2621 Router A
- Set the passwords on 1900 Switch A
- Set the Hostname
- Configure an IP Address
- Configure Interfaces
- Configure Interface Descriptions
- Configure Port Duplex
- Erase the Configuration
When you have finished with this lab ...
You can check your work by clicking the Grade Me button in the upper right hand corner
of the Network Visualizer screen.
You will see a report that will display:
- The name of the command entered for this lab.
- The expected configuration.
- Your configuration.
- The result for each command. You will see a green checkmark (meaning that you
  got it correct) or a red X.
- A score of the number of correct answers out of the total possible.
Network Layout
On the Network Visualizer screen, click on the Labs menu then choose Individual,
Layer 2 Switching, and 1900 Switch A.
Lab Steps
1. Double-click 1900 Switch A to view the 1900 Switch A console.
2. You will then see the following output. Press K to enter the CLI.
1 user(s) now active on Management Console.
User Interface Menu
[M] Menus
[K] Command Line
[I] IP Configuration
Enter Selection: K
CLI session with the switch is open.
To end the CLI session, enter [Exit].
>
3. The first thing that you should configure on a switch is the passwords. You don't want
unauthorized users connecting to the switch. You can set both the user mode and privileged
mode passwords, just like a router. Enter enable mode by using the enable command
and then enter global configuration mode by using the config t command. The
following switch output shows an example of how to get into enable mode, and then
into global configuration mode.
>enable
#config t
Enter configuration commands, one per line. End with CTRL/Z
(config)#
4. Once you are in global configuration mode, you can set the user mode and enable
mode passwords by using the enable password command. The switch output below
shows the configuration of both the user mode and enable mode passwords.
(config)#enable password ?
level Set exec level password
(config)#enable password level ?
<1-15> Level number
5. To enter the user mode password, use level number 1. To enter the enable mode password,
use level number 15. Remember the password must be at least four characters, but
no longer than eight characters. The switch output below shows the user mode password
being set and denied because it is more than eight characters.
(config)#enable password level 1 toddlammle
Error: Invalid password length.
Password must be between four and eight characters.
6. The following output is an example of how to set both the user mode and enable mode
passwords on 1900 Switch A.
(config)#enable password level 1 todd
(config)#enable password level 15 todd1
(config)#exit
#exit
7. At this point, you can press enter and test your passwords. You will be prompted for
a user mode password after you press K and then an enable mode password after you
type enable.
Catalyst 1900 Management Console
Copyright (c) Cisco Systems, Inc. 1993-1998
All rights reserved.
Enterprise
Edition Software
Ethernet Address: 00-30-80-CC-7D-00
PCA Number: 73-3122-04
PCA Serial Number: FAB033725XG
Model Number: WS-C1912-A
System Serial Number: FAB0339T01M
Power Supply S/N: PHI031801CF
PCB Serial Number: FAB033725XG,73-3122-04
-------------------------------------------------
1 user(s) now active on Management Console.
User Interface Menu
[M] Menus
[K] Command Line
Enter Selection: K
Enter password: ****
CLI session with the switch is open.
To end the CLI session, enter [Exit].
>en
Enter password: ****
#
8. The enable secret password is a more secure password and supersedes the enable password
if set. You set this password the same way you set the enable secret password
on a router. If you have an enable secret set, you don't even need to bother setting the
enable mode password.
#config t
Enter configuration commands, one per line. End with CTRL/Z
(config)#enable secret todd2
9. You can use show running-config (show run for short) to see the current configuration
on the switch.
(config)#exit
#show run
Building configuration...
Current configuration:
enable secret 5 $1$FMFQ$wFVYVLYn2aXscfB3J95.w.
enable password level 1 "TODD"
enable password level 15 "TODD1"
[output cut]
Notice the enable mode passwords are not encrypted by default, but the enable secret is.
This is the same password configuration technique that you will find on a router. One more
thing to notice is that even though I typed the password as lowercase, the running-config
shows the passwords as uppercase. It does not matter how you type it in or how it shows in
the configuration because the passwords are not case sensitive on the switch.
Setting the Hostname
The hostname on a switch, as well as on a router, is only locally significant. This means
that it doesn't have any function on the network or name resolution whatsoever. However,
it is helpful to set a hostname on a switch so that you can identify the switch when connecting
to it. A good rule of thumb is to name the switch after the location it is serving.
10. Enter a hostname for 1900 Switch A.
#config t
Enter configuration commands, one per line. End with CTRL/Z
(config)#hostname 1900A
1900A(config)#exit
Notice that as soon as I pressed enter, the hostname of the switch appeared.
Remember that commands entered in global configuration mode, which you enter by using
the config t command, change the running-config. Any changes you make in this mode take
effect immediately.
Configuring an IP Address
You do not have to set any IP configuration on the switch to make it work. You can just
plug in devices and they should start working, just like they would on a hub. The reason
you would set the IP address information on the switch is so you can either manage the
switch via Telnet or other management software, or configure the switch
with different VLANs and other network functions. VLANs are discussed in later labs.
11. By default, no IP address or default-gateway information is set. You would set both the
IP address and the default-gateway on a layer-two switch, just like any host. By typing
the command show ip, you can see the default IP configuration of the switch.
1900A#show ip
IP Address: 0.0.0.0
Subnet Mask: 0.0.0.0
Default Gateway: 0.0.0.0
Management VLAN: 1
Domain name:
Name server 1: 0.0.0.0
Name server 2: 0.0.0.0
HTTP server : Enabled
HTTP port : 80
RIP : Enabled
Notice in the above switch output that no IP address, default-gateway, or other IP
parameters are configured.
12. To set the IP configuration on a 1900 Switch A, use the ip address command. The
default gateway should also be set using the ip default-gateway command. The
switch output below shows an example of how to set the IP address and default-gate-
way on a 1900 Switch A.
1900A#config t
Enter configuration commands, one per line. End with CTRL/Z
1900A(config)#ip address 172.16.10.16 255.255.255.0
1900A(config)#ip default-gateway 172.16.10.1
1900A(config)#exit
13. Once you have your IP information set, use the show ip command to verify your changes.
You can view this information with the show running-config command as well.
1900A#show ip
IP Address: 172.16.10.16
Subnet Mask: 255.255.255.0
Default Gateway: 172.16.10.1
Management VLAN: 1
Domain name:
Name server 1: 0.0.0.0
Name server 2: 0.0.0.0
HTTP server : Enabled
HTTP port : 80
RIP : Enabled
1900A#
To change the IP address and default-gateway on the switch, you can either type in new
addresses or remove the IP information with the no ip address and no ip default-gateway
commands, at the global configuration prompt.
Configuring Interfaces
It is important to understand how to access switch ports. 1900 Switch A uses the type
slot/port command. For example, FastEthernet 0/3 is 10BaseT port 3. Another example
would be FastEthernet 0/26 which is the first of the two Fast Ethernet ports available on
1900 Switch A.
The 1900 Switch A type slot/port command can be used with either the interface command
or the show command. The interface command allows you to set interface-specific configurations.
1900 Switch A has only one slot: zero (0).
14. To configure an interface on a 1900 Switch A, go to global configuration mode and
use the interface command. From global configuration, use the interface command
and the type, either Ethernet or FastEthernet interface. I am going to demonstrate the
ethernet interface configuration first.
1900A#config t
Enter configuration commands, one per line. End with CTRL/Z
1900A(config)#int ethernet ?
<0-0> IEEE 802.3
15. The previous output asks for the slot. Since 1900 Switch A is not modular, there is only
one slot. The next output gives us a slash (/) to separate the slot/port configuration.
1900A(config)#int ethernet 0?
/
1900A(config)#int ethernet 0/?
<1-25> IEEE 802.3
16. After the 0/ configuration command, the above output shows the number of ports you
can configure. The output below shows the completed command.
1900A(config)#int ethernet 0/1
17. Once you are in interface configuration, the prompt changes to (config-if). After you
are at the interface prompt, you can use the help commands to see the available commands.
1900A(config-if)#?
Interface configuration commands:
cdp Cdp interface subcommands
description Interface specific description
duplex Configure duplex operation
exit Exit from interface configuration mode
help Description of the interactive help system
no Negate a command or set its defaults
port Perform switch port configuration
shutdown Shutdown the selected interface
spantree Spanning tree subsystem
vlan-membership VLAN membership configuration
1900A(config-if)#exit
You can switch between interface configurations by using the int e 0/# command at
any time from global configuration mode.
18. The switch output below shows the configuration of a FastEthernet port on 1900
Switch A. Notice that the command is interface fastethernet, but the slot is still 0.
The only ports available are 26 and 27.
1900A(config)#int fastethernet ?
<0-0> FastEthernet IEEE 802.3
1900A(config)#int fastethernet 0/?
<26-27> FastEthernet IEEE 802.3
1900A(config)#int fastethernet 0/26
1900A(config-if)#int fast 0/27
1900A(config-if)#ctrl+z
19. After you make any changes you want to the interfaces, you can view the different inter-
faces with the show interface command. The switch output below shows the command
used to view a 10BaseT interface and the command to view a FastEthernet interface.
1900A#show int e0/1
ethernet 0/1 is Suspended-no-linkbeat
Hardware is Built-in 10Base-T
Address is 0030.80CC.7D01
MTU 1500 bytes, BW 10000 Kbits
802.1d STP State: Forwarding Forward Transitions: 1
[output cut]
1900A#show int f0/26
FastEthernet 0/26 is Enabled
Hardware is Built-in 100Base-TX
Address is 00b0.8f36.3eac
MTU 1500 bytes, BW 10000 Kbits
802.1d STP State: Forwarding Forward Transitions: 1
[output cut]
Configuring Interface Descriptions
You can administratively set a name for each interface on 1900 Switch A. Like the hostname,
the descriptions are only locally significant. For a 1900 series switch, use the description
command. You cannot use spaces with the description command, but you can use underlines
if you need to.
20. To set the descriptions, you need to be in interface configuration mode. From interface
configuration mode, use the description command to describe each interface. You can
make the descriptions more than one word, but you can't use spaces. You'll have to use
the underline as shown below:
1900A#config t
Enter configuration commands, one per line. End with CTRL/Z
1900A(config)#int e0/1
1900A(config-if)#description Finance_VLAN
1900A(config-if)#int f0/26
1900A(config-if)#description trunk_to_Building_4
1900A(config-if)#
In the configuration example above, we set the description on both a 10Mbps port and a
100Mbps port.
Configuring Port Duplex
1900 Switch A has only 12 or 24 10BaseT ports and comes with one or two FastEthernet
ports. You can only set the duplex on 1900 Switch A, as the ports are all fixed speeds.
21. Use the duplex command in interface configuration.
In the switch output below, notice the options available on the FastEthernet
ports.
1900A(config-if)#duplex ?
auto Enable auto duplex configuration
full Force full duplex operation
full-flow-control Force full duplex with flow control
half Force half duplex operation
1900A(config-if)#duplex full
1900A(config-if)#ctrl+z
The following table shows the different duplex options available on 1900 Switch A.
1900 Switch A FastEthernet ports default to auto duplex, which means they will try
and auto-detect the duplex the other end is running.
Duplex Options
Parameter           Definition
Auto                Set the port into auto-negotiation mode. Default for all 100BaseTX ports.
Full                Forces the 10 or 100Mbps ports into full duplex mode.
Full-flow-control   Works only with 100BaseTX ports; uses flow control so buffers won't overflow.
Half                Default for 10BaseT ports; forces the ports to work only in half duplex mode.
22. Once you have the duplex set, you can use the show interface command to view the
duplex configuration.
1900A#show int f0/26
FastEthernet 0/26 is Enabled
Hardware is Built-in 100Base-TX
Address is 00b0.8f36.3eac
MTU 1500 bytes, BW 10000 Kbits
802.1d STP State: Forwarding Forward Transitions: 1
Port monitoring: Disabled
Unknown unicast flooding: Enabled
Unregistered multicast flooding: Enabled
Description: trunk_to_Building_4
Duplex/Flow Control setting: Full duplex
Enhanced Congestion Control: Disabled
23. In the output above, the duplex setting shows full duplex.
Grade Me
Before you move on and erase your configurations, you should click the Grade Me button
to check out your work.
Erasing the Configuration
The switch configuration is stored in NVRAM, just as any router. You cannot view the
startup-config, or contents of NVRAM. You can only view the running-config. When
you make a change to the switch's running-config, the switch automatically copies the
configuration on the switch to NVRAM.
You can delete the configuration in NVRAM on 1900 Switch A if you want to start over
on the switch's configuration. To delete the contents of NVRAM on a 1900 Switch A, use
the delete nvram command.
24. Type delete ? from a 1900 A privileged mode prompt. Notice in the switch output
below that there are two options: nvram and vtp. We want to reset the contents of
NVRAM to the factory default settings.
1900A#delete ?
nvram NVRAM configuration
vtp Reset VTP configuration to defaults
1900A#delete nvram
This command resets the switch with factory defaults. All system parameters will
revert to their default factory settings. All static and dynamic addresses will be
removed.
Reset system with factory defaults, [Y]es or [N]o? Yes
Notice the message received from the switch when the delete nvram command is used.
Once you say yes, the configuration is gone.
25. To confirm the configuration is gone, use the show run command.
#show run
Building configuration...
Current configuration:
!
interface Ethernet 0/1
!
interface Ethernet 0/2
!
interface Ethernet 0/3
!
interface Ethernet 0/4
[output cut]
Individual Lab: Configuring 2950 Switch
This lab will have you work with a 2950 switch, enter global configuration mode and then
set the passwords.
Enter all commands in lower case. The program's grading feature expects
lower case and may count an answer wrong if it is in upper case.
When you have finished with this lab ...
You can check your work by clicking the Grade Me button in the upper right hand
corner of the Network Visualizer screen.
You will see a report that will display:
- The name of the command entered for this lab.
- The expected configuration.
- Your configuration.
- The result for each command. You will see a green checkmark (meaning that you got it
  correct) or a red X.
- A score of the number of correct answers out of the total possible.
Network Layout
On the Network Visualizer screen, click on the Labs menu then choose Individual,
Layer 2 Switching, and 2950 Switch.
Lab Steps
1. Double-click 2950 Switch A to open the console screen.
2. Press enter to connect to the console
Switch>
3. For the user mode of the switch, you can use the help screen just like a router.
Switch>?
Exec commands:
<1-99> Session number to resume
access-enable Create a temporary Access-List entry
clear Reset functions
connect Open a terminal connection
disable Turn off privileged commands
disconnect Disconnect an existing network connection
enable Turn on privileged commands
exit Exit from the EXEC
help Description of the interactive help system
lock Lock the terminal
login Log in as a particular user
logout Exit from the EXEC
name-connection Name an existing network connection
ping Send echo messages
rcommand Run command on remote switch
resume Resume an active network connection
show Show running system information
systat Display information about terminal lines
telnet Open a telnet connection
terminal Set terminal line parameters
traceroute Trace route to destination
tunnel Open a tunnel connection
--More--
[output cut]
4. The first thing that you should configure on a switch is the passwords. You don't want
unauthorized users connecting to the switch. You can set both the user mode and privileged
mode passwords, just like a router. Enter the enable mode by using the enable
command and then enter global configuration mode by using the config t command.
The following switch output shows an example of how to get into enable mode, and
then into global configuration mode.
Switch>enable
Switch#config t
Enter configuration commands, one per line. End with CTRL/Z
Switch(config)#
5. Once you are in global configuration mode, you can set the user mode and enable
mode passwords by using the enable password and enable secret commands. The
switch output below shows the configuration of both the user mode and enable
mode passwords.
Switch(config)#enable password ?
0 Specifies an UNENCRYPTED password will follow
7 Specifies a HIDDEN password will follow
LINE The UNENCRYPTED (cleartext) 'enable' password
level Set exec level password
Switch(config)#enable password todd
Switch(config)#enable secret cisco
Switch(config)#
6. Remember, if you set your enable secret, the enable password is superseded and not
used, just like in a router.
7. In addition to the enable password and enable secret, 2950 allows you to set a console
and Telnet password as well using the line commands, just like in a router.
Switch(config)#line ?
<0-16> First Line number
console Primary terminal line
vty Virtual terminal
Switch(config)#line console 0
Switch(config-line)#password console
Switch(config-line)#login
Switch(config-line)#line vty ?
% Unrecognized command
8. Remember that just like in a router, you cannot get help for a line command from
within line configuration mode. Type exit to go back one step.
Switch(config-line)#exit
Switch(config)#line vty ?
<0-15> First Line number
Switch(config)#line vty 0 15
Switch(config-line)#password telnet
Switch(config-line)#login
Switch(config-line)#ctrl+z
Switch#
9. You can use show running-config (show run for short) to see the current configuration
on the switch.
Current configuration : 997 bytes
!
version 12.1
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname Switch
!
enable secret 5 $1$yNgO$9uU0Z6NG1ib4vlt05bmMW1
enable password todd
!
ip subnet-zero
!
spanning-tree extend system-id
!
!
interface FastEthernet0/1
no ip address
!
interface FastEthernet0/2
no ip address
--More--
Notice the enable mode password is not encrypted by default, but the enable secret is.
This is the same password configuration technique that you will find on a router.
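The difference between the two storage forms can be checked mechanically. The following Python sketch is an added example, not part of the original lab: it scans a saved running-config for passwords stored in cleartext or type 7 form and for an enable password left behind after an enable secret was set. The sample config is constructed from the lab output; the line con 0 and line vty stanzas are assumed, written the way IOS stores the passwords set in the steps above.

```python
import re

# Constructed sample: the lab's running-config excerpt, plus the console and
# vty passwords from the lab steps written the way IOS stores them (assumed).
SAMPLE_CREDENTIAL_CONFIG = """\
version 12.1
no service password-encryption
!
hostname Switch
!
enable secret 5 $1$yNgO$9uU0Z6NG1ib4vlt05bmMW1
enable password todd
!
interface FastEthernet0/1
 no ip address
!
line con 0
 password console
 login
line vty 0 15
 password telnet
 login
!
end
"""

# Matches "enable password ..." (global) or "password ..." (inside a line
# stanza). An optional 0 or 7 before the value is the storage type shown in
# the "enable password ?" help output.
PASSWORD_RE = re.compile(
    r"^(?P<enable>enable )?password(?: level \d+)?(?: (?P<type>[07]))? (?P<value>\S.*)$"
)

MESSAGES = {
    "CLEARTEXT": "password is stored in cleartext",
    "TYPE7": "type 7 password is reversible obfuscation, not a hash",
    "SUPERSEDED_ENABLE_PASSWORD": "enable password is unused once enable secret is set; remove it",
    "NO_ENABLE_SECRET": "no enable secret is configured",
    "ENCRYPTION_OFF": "service password-encryption is not enabled",
}


def audit_credentials(config_text):
    """Return (finding_code, location) tuples for password storage issues."""
    findings = []
    has_secret = False
    has_enable_password = False
    encryption_on = False
    stanza = "global"

    for raw in config_text.splitlines():
        line = raw.rstrip()
        cmd = line.strip()
        if not cmd or cmd == "!":
            continue
        if not line.startswith(" "):
            # A non-indented line is a global command or opens a new stanza.
            stanza = line if line.startswith(("line ", "interface ")) else "global"

        if cmd == "service password-encryption":
            encryption_on = True
        elif cmd.startswith("enable secret "):
            has_secret = True

        match = PASSWORD_RE.match(cmd)
        if not match:
            continue
        if match.group("enable"):
            has_enable_password = True
            where = "enable password"
        else:
            where = stanza
        code = "TYPE7" if match.group("type") == "7" else "CLEARTEXT"
        findings.append((code, where))

    if has_enable_password and has_secret:
        findings.append(("SUPERSEDED_ENABLE_PASSWORD", "global"))
    if not has_secret:
        findings.append(("NO_ENABLE_SECRET", "global"))
    if not encryption_on:
        findings.append(("ENCRYPTION_OFF", "global"))
    return findings


if __name__ == "__main__":
    for code, where in audit_credentials(SAMPLE_CREDENTIAL_CONFIG):
        print(f"{where}: {MESSAGES[code]}")
```

Run against the lab configuration, it reports the cleartext enable, console and vty passwords, and notes that the enable password can be removed because the enable secret supersedes it.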
Setting the Hostname
The hostname on a switch, as well as on a router, is only locally significant. This means that
it doesn't have any function on the network and is not used for name resolution whatsoever.
However, it is helpful to set a hostname on a switch so that you can identify the switch when
connecting to it. A good rule of thumb is to name the switch after the location it is serving.
10. The 2950 switch command to set the hostname is exactly like any router: you use the
hostname command. Remember, it is one word. From global configuration mode, type
the command hostname hostname.
Switch>enable
Enter password: ****
Switch#config t
Enter configuration commands, one per line. End with CTRL/Z
Switch(config)#hostname 2950A
2950A(config)#exit
2950A#
Notice that as soon as you press Enter, the hostname of the switch appears. Remember
that commands entered in global configuration mode, which you enter by using the
config t command, change the running-config. Any changes you make in this mode take
effect immediately.
Configuring IP Address Information
You do not have to set any IP configuration on the switch to make it work. You can just
plug in devices and they should start working, just like they would on a hub. The reason
you would set the IP address information on the switch is so you can either manage the
switch via Telnet or other management software, or configure the switch
with different VLANs and other network functions. VLANs are discussed in later labs.
11. By default, no IP address or default-gateway information is set. You would set both the
IP address and the default-gateway on a layer-two switch, just like any host. By typing
the command show running-config you can see the default IP configuration of the
switch. Notice in your switch output that no IP address, default-gateway, or other IP
parameters are configured.
12. To set the IP configuration on a 2950 switch, use the ip address command. However,
this is set under the VLAN1 interface, not at global configuration mode like on a 1900
switch. Remember that by default all interfaces are members of VLAN1, which is why
the VLAN1 interface is configured by default.
2950A#config t
Enter configuration commands, one per line. End with CTRL/Z
2950A(config)#int vlan 1
2950A(config-if)#ip address 172.16.40.2 255.255.255.0
2950A(config-if)#exit
2950A(config)#
13. Before we perform step 14, we need to configure 2621 Router A.
Router>enable
Router#config t
Router(config)#hostname 2621A
2621A(config)#int fa0/0
2621A(config-if)#ip address 172.16.40.1 255.255.255.0
2621A(config-if)#no shutdown
2621A(config-if)#exit
14. The default gateway should also be set using the ip default-gateway command.
However, unlike the IP address, this is completed at global configuration mode.
2950A(config)#ip default-gateway 172.16.40.1
2950A(config)#exit
2950A#
To change the IP address and default-gateway on the switch, you can either type in new
addresses or remove the IP information with the no ip address and no ip default-gateway
commands, at the appropriate configuration prompt.
IP Default-Gateway
This is used on devices where no routing information is provided by the router that
tells you how to get to the next, directly connected device. It tells us what pathway to
use to send packets to the next, directly connected device. In the previous set of
commands the ip default-gateway is 172.16.40.1 because that is the IP address of interface
f0/0 on 2621 Router A.
Configuring Interfaces
It is important to understand how to access switch ports. The 2960 switch uses the type
slot/port command, just like a 2600 router and just like the 2950 switch. For example,
FastEthernet 0/3 is 10/100BaseT port 3.
The 2960 switch type slot/port command can be used with either the interface command
or the show command. The interface command allows you to set interface-specific
configurations. The 2960 switch has only one slot: zero (0), just like the 1900.
15. To configure an interface on a 2950 switch, go to global configuration mode and use
the interface command as shown.
2950A#config t
Enter configuration commands, one per line. End with CTRL/Z
2950A(config)#interface ?
Async Async interface
BVI Bridge-Group Virtual Interface
Dialer Dialer interface
FastEthernet FastEthernet IEEE 802.3
Group-Async Async Group interface
Lex Lex interface
Loopback Loopback interface
Multilink Multilink-group interface
Null Null interface
Port-channel Ethernet Channel of interfaces
Transparent Transparent interface
Tunnel Tunnel interface
Virtual-Template Virtual Template interface
Virtual-TokenRing Virtual TokenRing
Vlan Catalyst Vlans
fcpa Fiber Channel
range interface range command
2950A(config)#interface
16. The next output asks for the slot. Since a 2950 switch is not modular, there is only one
slot, which is 0, although it lists 0-2 for some odd reason. However, you can only type
in 0 as the slot in this program. Any other slot number will give you an error. The
next output gives us a slash (/) to separate the slot/port configuration.
2950A(config)#int fastethernet ?
<0-2> FastEthernet interface number
2950A(config)#int fastethernet 0?
/
2950A(config)#int fastethernet 0/?
<0-12> FastEthernet interface number
17. After the 0/ configuration command, the above output shows the number of ports you
can configure. The output below shows the completed command.
2950A(config)#int fa0/9
2950A(config-if)#
18. Once you are in interface configuration, the prompt changes to (config-if). After you are
at the interface prompt, you can use the help commands to see the available commands.
2950A(config-if)#?
Interface configuration commands:
arp Set arp type (arpa, probe, snap) or timeout
bandwidth Set bandwidth informational parameter
carrier-delay Specify delay for interface transitions
cdp CDP interface subcommands
channel-group Etherchannel/port bundling configuration
default Set a command to its defaults
delay Specify interface throughput delay
description Interface specific description
dot1x IEEE 802.1X subsystem
duplex Configure duplex operation
exit Exit from interface configuration mode
help Description of the interactive help system
hold-queue Set hold queue depth
ip Interface Internet Protocol config commands
keepalive Enable keepalive
load-interval Specify interval for load calculation for an
interface
logging Configure logging for interface
mac-address Manually set interface MAC address
mls mls interface commands
mvr MVR per port configuration
no Negate a command or set its defaults
ntp Configure NTP
--More--
You can switch between interface configurations by using the int fa 0/# command at
any time from global configuration mode.
19. There are a couple of interface commands that you can configure on the switch. The
commands we are interested in are the duplex command and the portfast command.
2950A#config t
Enter configuration commands, one per line. End with CNTL/Z.
2950A(config)#int fa0/9
2950A(config-if)#duplex ?
auto Enable AUTO duplex configuration
full Force full duplex operation
half Force half-duplex operation
2950A(config-if)#
20. Since the switch ports are set to auto by default, you can change each of the switch
ports to always be in full-duplex mode for better performance. This is recommended.
2950A(config-if)#duplex full
Duplex will not be set until speed is set to non-auto value
2950A(config-if)#speed 100
21. Notice in the above command that to run full duplex, you must set the speed to a
non-auto value.
22. In addition to the duplex and speed commands that can be configured on the switch
port, you also can turn on what is called portfast. The portfast command allows a
switch port to come up quickly. Typically a switch port waits 50 seconds for
spanning-tree to go through its "gotta make sure there are no loops!" cycle. However, if
you turn portfast on, then you better be sure you do not create a physical loop on the
switch network. A spanning-tree loop can severely hurt your network or bring it down.
Here is how you would enable portfast on a switch port.
2950A(config-if)#spanning-tree ?
bpdufilter Do not send or receive BPDUs on this interface
bpduguard Do not accept BPDUs on this interface
cost Change an interface's spanning tree port path cost
guard Change an interface's spanning tree guard mode
link-type Specify a link type for spanning tree protocol use
port-priority Change an interface's spanning tree port priority
portfast Enable an interface to move directly to forwarding on link up
stack-port Enable stack port
vlan VLAN Switch Spanning Tree
23. The command above shows the available options for the spanning-tree command.
We want to use the portfast command.
2950A(config-if)#spanning-tree portfast
%Warning: portfast should only be enabled on ports connected to a single
host. Connecting hubs, concentrators, switches, bridges, etc... to this
interface when portfast is enabled, can cause temporary bridging loops.
Use with CAUTION
%Portfast has been configured on FastEthernet0/9 but will only
have effect when the interface is in a non-trunking mode.
2950A(config-if)#
24. Notice the message the switch provides when enabling portfast. Although it seems like
the command didn't take effect, as long as the port is in access mode (discussed in a
minute), the port will now be in portfast mode.
25. After you make any changes you want to the interfaces, you can view the different
interfaces with the show interface command. The switch output below shows the
command used to view a 10/100BaseT interface on a 2950 switch.
2950A#ctrl+z
2950A#show int f0/9
FastEthernet0/9 is up, line protocol is up
Hardware is Fast Ethernet, address is 00b0.1a09.2097 (bia 00b0.1a09.2097)
MTU 1500 bytes, BW 10000 Kbit, DLY 1000 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation ARPA, loopback not set
Keepalive set (10 sec)
Full duplex, 100Mb/s
input flow-control is off, output flow-control is off
ARP type: ARPA, ARP Timeout 04:00:00
Last input never, output 1w6d, output hang never
Last clearing of "show interface" counters never
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: fifo
Output queue :0/40 (size/max)
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
1 packets input, 64 bytes, 0 no buffer
Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
0 watchdog, 0 multicast, 0 pause input
0 input packets with dribble condition detected
1 packets output, 64 bytes, 0 underruns
0 output errors, 0 collisions, 3 interface resets
0 babbles, 0 late collision, 0 deferred
0 lost carrier, 0 no carrier, 0 PAUSE output
0 output buffer failures, 0 output buffers swapped out
2950A#
26. In addition to the show interface command, you can use the show running-config
command to see the interface configuration as well.
[output cut]
interface FastEthernet0/8
!
interface FastEthernet0/9
spanning-tree portfast
!
interface FastEthernet0/10
[output cut]
27. You can administratively set a name for each interface on a 2950 switch. Like the
hostname, the descriptions are only locally significant. For a 2950 series switch, use the
description command. You can use spaces with the description command, but you
can use underlines if you need to.
To set the descriptions, you need to be in interface configuration mode. From interface
configuration mode, use the description command to describe each interface.
2950A#config t
Enter configuration commands, one per line. End with CTRL/Z
2950A(config)#int fa 0/9
2950A(config-if)#description Finance VLAN
2950A(config-if)#int fa 0/12
2950A(config-if)#description trunk to Building 4
2950A(config-if)#
In the configuration example above, we set the description on both port 9 and 12.
28. Once you have configured the descriptions you want on each interface, you can then
view the descriptions with either the show interface command, or show running-
config command. View the configuration of the Ethernet interface 0/9 by using the
show interface ethernet 0/9 command.
2950A#show int fa 0/9
FastEthernet0/9 is up, line protocol is up
Hardware is Fast Ethernet, address is 00b0.1a09.2097 (bia 00b0.1a09.2097)
Description: Finance VLAN
(output cut)
29. Use the show running-config command to view the interface configurations as well.
2950A#show run
[output cut]
!
interface FastEthernet0/9
description "Finance VLAN"
spanning-tree portfast
!
[output cut]
Notice in the above switch output that the show int fa0/9 command and the show run
command both show the description command set on an interface.
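The portfast warning and the access-mode condition from the steps above can be turned into a configuration check. The following Python sketch is an added example, not part of the original lab: it parses interface stanzas from a running-config and flags portfast ports that are trunks, that are not pinned to access mode, or that lack BPDU guard (the bpduguard option listed in the spanning-tree help output, which disables a portfast port if a BPDU arrives on it). The sample stanzas are constructed; the switchport and bpduguard lines are assumptions added for illustration.

```python
# Constructed sample: interface stanzas modelled on the lab's show run output.
# The "switchport mode" and "bpduguard" lines are assumed for illustration.
SAMPLE_PORT_CONFIG = """\
interface FastEthernet0/8
!
interface FastEthernet0/9
 description "Finance VLAN"
 spanning-tree portfast
!
interface FastEthernet0/10
 switchport mode access
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface FastEthernet0/12
 description trunk to Building 4
 switchport mode trunk
 spanning-tree portfast
!
"""

MESSAGES = {
    "PORTFAST_ON_TRUNK": "portfast has no effect on a trunking port; remove it",
    "MODE_NOT_ACCESS": "port is not pinned to access mode and could become a trunk",
    "NO_BPDUGUARD": "portfast without BPDU guard; an attached switch can cause a loop",
}


def parse_interfaces(config_text):
    """Map each interface name to the list of commands in its stanza."""
    interfaces = {}
    current = None
    for raw in config_text.splitlines():
        if raw.startswith("interface "):
            current = raw.split(None, 1)[1].strip()
            interfaces[current] = []
        elif raw.startswith(" ") and current is not None:
            interfaces[current].append(raw.strip())
        else:
            current = None  # "!" or any global command closes the stanza
    return interfaces


def audit_portfast(config_text):
    """Return (interface, finding_code) tuples for risky portfast ports."""
    # The global default applies BPDU guard to every portfast port.
    guard_default = (
        "spanning-tree portfast bpduguard default" in config_text.splitlines()
    )
    findings = []
    for name, cmds in parse_interfaces(config_text).items():
        if "spanning-tree portfast" not in cmds:
            continue
        if "switchport mode trunk" in cmds:
            findings.append((name, "PORTFAST_ON_TRUNK"))
            continue
        if "switchport mode access" not in cmds:
            findings.append((name, "MODE_NOT_ACCESS"))
        if not guard_default and "spanning-tree bpduguard enable" not in cmds:
            findings.append((name, "NO_BPDUGUARD"))
    return findings


if __name__ == "__main__":
    for name, code in audit_portfast(SAMPLE_PORT_CONFIG):
        print(f"{name}: {MESSAGES[code]}")
```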
Verifying the IP Connectivity
It is important to test the switch IP configuration. You can use the ping program, and you
can telnet into the 2950 switch. However, you cannot telnet from the 2950 switch or use
traceroute. At this point we will configure Host E so that we can perform step 33.
30. Right-click Host E.
31. Click on the Configs button.
32. On Host E configure:
- IP Address
- Subnet Mask
- Default Gateway
IP Address: 172.16.40.3
Subnet Mask: 255.255.255.0
Default Gateway: 172.16.40.1
33. In the following example, ping Host E from 2950 Switch A. Notice the output on a
successful ping: exclamation point (!). If you receive periods (.) instead of exclamation
points, that signifies a timeout.
2950A#ping 172.16.40.3
Sending 5, 100-byte ICMP Echos to 172.16.40.3, time out is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max 0/2/10/ ms
Grade Me
Before you move on and erase your configurations, you should click the Grade Me button
to check out your work.
Saving and Erasing Your Configurations
The switch configuration is stored in NVRAM, just as any router, and placed in RAM
when the switch boots. The file in RAM is called the running-config and the file in
NVRAM is called the startup-config. You can view the startup-config, also called the
backup configuration, with the show startup-config command.
34. To save the switch configuration, you type copy running-config startup-config, or
copy run start, just like on a router.
2950A#copy run start
Destination filename [startup-config]? press Enter
Building configuration...
[OK]
2950A#
35. To delete the contents of NVRAM on a 2950 switch, use the erase startup-config
command as shown. However, you still need to reload the switch to erase the running-config.
2950A#erase startup-config
Erasing the nvram filesystem will remove all files! Continue? [confirm] press Enter
[OK]
Erase of nvram: complete
2950A#show start
%% Non-volatile configuration memory is not present
2950A#
Individual Lab: Configuring the 2960 Switch
This lab will have you work with a 2960 switch, enter global configuration mode and then
set the passwords.
Enter all commands in lower case. The program's grading feature expects
lower case and may count an answer wrong if it is in upper case.
When you have finished with this lab ...
You can check your work by clicking the Grade Me button in the upper right hand corner
of the Network Visualizer screen.
You will see a report that will display:
- The name of the command entered for this lab.
- The expected configuration.
- Your configuration.
- The result for each command. You will see a green checkmark (meaning that you got it
  correct) or a red X.
- A score of the number of correct answers out of the total possible.
Lab Steps
1. Double-click 2960 Switch A to open the console screen.
2. Press Enter to connect to the console.
Switch>
3. Enter the enable mode by using the enable command and then enter global
configuration mode by using the config t command.
Switch>enable
Switch#config t
Enter configuration commands, one per line. End with CTRL/Z
Switch(config)#
4. Once you are in global configuration mode, you can set the user mode and enable
mode passwords by using the enable password and enable secret commands. The
switch output below shows the configuration of both the user mode and enable
mode passwords.
Switch(config)#enable password todd
Switch(config)#enable secret cisco
Switch(config)#
If you set your enable secret, the enable password is superseded and not
used, just like in a router.
Network Layout
On the Network Visualizer screen, click on the Labs menu then choose Individual,
Layer 2 Switching, and 2960 Switch.
5. In addition to the enable password and enable secret, the 2960 switch allows you to set
a console and Telnet password as well using the line commands, just like in a router.
Switch(config)#line console 0
Switch(config-line)#password console
Switch(config-line)#login
6. Remember that just like in a router, you cannot get help for a line command from
within line configuration mode. Type exit to go back one step.
Switch(config-line)#exit
Switch(config)#line vty 0 15
Switch(config-line)#password telnet
Switch(config-line)#login
Switch(config-line)#ctrl+z
Switch#
7. You can use show running-config (show run for short) to see the current configuration
on the switch.
Switch#show run
Building configuration...
Current configuration : 918 bytes
!
version 12.2
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname switch
!
enable secret 5 $1$u76B$IOFVJ7VxfVXYVpGDrFTcI0
enable password todd
!
no aaa new-model
system mtu routing 1500
no ip subnet-zero
[output cut]
Notice the enable mode password is not encrypted by default, but the enable secret is.
This is the same password configuration technique that you will find on a router.
Setting the Hostname
The hostname on a switch, as well as on a router, is only locally significant. This means
that it does not have any function on the network and is not used for name resolution
whatsoever. However, it is helpful to set a hostname on a switch so that you can identify the
switch when connecting to it. A good rule of thumb is to name the switch after the location
it is serving.
8. The 2960 switch command to set the hostname is exactly like any router: you use the
hostname command. From global configuration mode, type the command hostname
hostname.
Switch>enable
Enter password: ****
Switch#config t
Enter configuration commands, one per line. End with CTRL/Z
Switch(config)#hostname 2960A
2960A(config)#exit
2960A#
Any changes you make in this mode take effect immediately.
Configuring IP Address Information
You do not have to set any IP configuration on the switch to make it work. You can just
plug in devices and they should start working, just like they would on a hub. The reason
you would set the IP address information on the switch is so you can either manage the
switch via Telnet or other management software, or configure the switch
with different VLANs and other network functions. VLANs are discussed in later labs.
9. To set the IP configuration on a 2960 switch, use the ip address command. However,
this is set under the VLAN1 interface, not at global configuration mode like on a 1900
switch. Remember that by default all interfaces are members of VLAN1, which is why
the VLAN1 interface is configured by default.
2960A#config t
Enter configuration commands, one per line. End with CTRL/Z
2960A(config)#int vlan1
2960A(config-if)#ip address 172.16.50.2 255.255.255.0
2960A(config-if)#exit
2960A(config)#
10. Before we perform step 11, we need to configure router 2621 B.
Router>enable
Router#config t
Router(config)#hostname 2621B
2621B(config)#int fa0/0
2621B(config-if)#ip address 172.16.50.1 255.255.255.0
2621B(config-if)#no shutdown
2621B(config-if)#exit
11. The default gateway should also be set using the ip default-gateway command.
However, unlike the IP address, this is completed at global configuration mode.
2960A(config)#ip default-gateway 172.16.50.1
2960A(config)#exit
2960A#
To change the IP address and default-gateway on the switch, you can either type in new
addresses or remove the IP information with the no ip address and no ip default-gateway
commands, at the appropriate configuration prompt.
Configuring Interfaces
It is important to understand how to access switch ports. The 2960 switch uses the type
slot/port command, just like a 2621 router and just like the 2960 switch. For example,
FastEthernet 0/3 is 10/100BaseT port 3.
The 2960 switch type slot/port command can be used with either the interface command
or the show command. The interface command allows you to set interface-specific
configurations. The 2960 switch has only one slot: zero (0), just like the 1900.
12. To configure an interface on a 2960 switch, go to global configuration mode and use
the interface command as shown. Since the 2960 switch is not modular, there is only
one slot, which is 0, although it lists 0-2 for some odd reason. However, you can only
type in 0 as the slot in this program. Any other slot number will give you an error.
The next output gives us a slash (/) to separate the slot/port configuration.
2960A#config t
2960A(config)#interface fastethernet ?
<0-2> FastEthernet interface number
2960A(config)#interface fastethernet 0?
/
2960A(config)#interface fastethernet 0/?
<0-12> FastEthernet interface number
13. After the 0/ configuration command, the above output shows the number of ports you
can configure. The output below shows the completed command.
2960A(config)#int fa0/1
2960A(config-if)#
14. Once you are in interface configuration, the prompt changes to (config-if). You can
switch between interface configurations by using the int fa 0/# command at any time
from global configuration mode. There are a couple of interface commands that you
can configure on the switch. The commands we are interested in are the duplex
command and the portfast command.
2960A(config)#int fa0/1
2960A(config-if)#duplex ?
auto Enable AUTO duplex configuration
full Force full duplex operation
half Force half-duplex operation
2960A(config-if)#
15. Since the switch ports are set to auto by default, you can change each of the switch
ports to always be in full-duplex mode for better performance. This is recommended.
2960A(config-if)#duplex full
Duplex will not be set until speed is set to non-auto value
2960A(config-if)#speed 100
16. Notice in the above command that to run full duplex, you must set the speed to a
non-auto value.
17. In addition to the duplex commands that can be configured on the switch ports, you
also can turn on what is called portfast. This enables a switch port to come up quickly
and not to wait the typical 50 seconds for spanning-tree to go through its "I gotta
make sure there are no loops!" cycle. However, if you turn portfast on, then you better
be sure you do not create a physical loop on the switch network or it will bring your
network down. You are basically telling the switch to not check for loops using these
ports. Here is how you would enable portfast on a switch port.
2960A(config-if)#spanning-tree ?
bpdufilter Do not send or receive BPDUs on this interface
bpduguard Do not accept BPDUs on this interface
cost Change an interface's spanning tree port path cost
guard Change an interface's spanning tree guard mode
link-type Specify a link type for spanning tree protocol use
port-priority Change an interface's spanning tree port priority
portfast Enable an interface to move directly to forwarding on link up
stack-port Enable stack port
vlan VLAN Switch Spanning Tree
18. The command above shows the available options for the spanning-tree command. We
want to use the portfast command.
2960A(config-if)#spanning-tree portfast
%Warning: portfast should only be enabled on ports connected to a single
host. Connecting hubs, concentrators, switches, bridges, etc... to this
interface when portfast is enabled, can cause temporary bridging loops.
Use with CAUTION
%Portfast has been configured on FastEthernet0/1 but will only
have effect when the interface is in a non-trunking mode.
2960A(config-if)#
19. Notice the message the switch provides when enabling portfast. Although it seems like
the command didn't take effect, as long as the port is in access mode (discussed in a
minute), the port will now be in portfast mode.
20. After you make any changes you want to the interfaces, you can view the different
interfaces with the show interface command. The switch output below shows the
command used to view a 10/100BaseT interface on the 2960 switch.
2960A#show int f0/1
FastEthernet0/1 is down line protocol is down (notconnect)
Hardware is FastEthernet, address is 00b0.9eb1.bcd0 (bia 00b0.9eb1.bcd0)
MTU 1500 bytes, BW 100000 Kbit, DLY 100 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation ARPA, loopback not set
Keepalive set (10 sec)
Full-duplex, 100Mb/s, media type is 10/100BaseTX
input flow-control is off, output flow-control is unsupported
ARP type: ARPA, ARP Timeout 04:00:00
Last input 00:00:02, output 00:00:01, output hang never
Last clearing of "show interface" counters never
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: fifo
Output queue 0/40, 0 drops; input queue 0/75, 0 drops
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 1000 bits/sec, 1 packets/sec
1097702 packets input, 71821315 bytes, 0 no buffer
Received 488076 broadcasts, 0 runts, 0 giants, 0 throttles
0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
0 watchdog, 3752639 multicast, 0 pause input
0 input packets with dribble condition detected
1590235 packets output, 290473092 bytes, 0 underruns
0 output errors, 0 collisions, 2 interface resets
0 babbles, 0 late collision, 0 deferred
0 lost carrier, 0 no carrier
0 output buffer failures, 0 output buffers swapped out
21. In addition to the show interface command, you can use the show running-config
command to see the interface configuration as well.
[output cut]
!
interface FastEthernet0/1
spanning-tree portfast
!
interface FastEthernet0/2
[output cut]
22. You can administratively set a name for each interface on the 2960 switch. Like the
hostname, the descriptions are only locally significant. For the 2960 series switch, use
the description command. You can use spaces with the description command, but
you can use underlines if you need to.
To set the descriptions, you need to be in interface configuration mode. From interface
configuration mode, use the description command to describe each interface.
2960A#config t
Enter configuration commands, one per line. End with CTRL/Z
2960A(config)#int fa 0/1
2960A(config-if)#description Sales VLAN
2960A(config-if)#int fa 0/8
2960A(config-if)#description trunk to Building 8
2960A(config-if)#
In the configuration example above, we set the description on both port 1 and 12.
23. Once you have configured the descriptions you want on each interface, you can then
view the descriptions with either the show interface command, or show running-
config command. View the configuration of the Ethernet interface 0/1 by using the
show interface ethernet 0/1 command.
2960A#show int fa0/1
FastEthernet0/1 is down line protocol is down (notconnect)
Hardware is FastEthernet, address is 00b0.9eb1.bcd0 (bia 00b0.9eb1.bcd0)
Description: Sales VLAN
MTU 1500 bytes, BW 100000 Kbit, DLY 100 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation ARPA, loopback not set
Keepalive set (10 sec)
Half-duplex, 100Mb/s, media type is 10/100BaseTX
(output cut)
24. Use the show running-config command to view the interface configurations as well.
2960A#show run
[output cut]
!
interface FastEthernet0/1
description "Sales VLAN"
spanning-tree portfast
!
[output cut]
Notice in the above switch output that the show int fa0/1 command and the show run
command both show the description command set on an interface.
Verifying the IP Connectivity
It is important to test the switch IP configuration. You can use the ping program, and you
can telnet into the 2960 switch. However, you cannot telnet from the 2960 switch or use
traceroute.
25. Right-click Host F.
26. Click on the Configs button.
27. On Host F configure:
- IP Address
- Subnet Mask
- Default Gateway
IP Address: 172.16.50.3
Subnet Mask: 255.255.255.0
Default Gateway: 172.16.50.1
28. In the following example, ping Host F on the network from the 2960 A switch.
2960A#ping 172.16.50.3
Sending 5, 100-byte ICMP Echos to 172.16.50.3, time out is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max 0/2/10/ ms
Grade Me
Before you move on and erase your configurations, you should click the Grade Me button
to check out your work.
Saving and Erasing Your Configuration
The switch configuration is stored in NVRAM, just as any router, and placed in RAM
when the switch boots. The file in RAM is called the running-config and the file in
NVRAM is called the startup-config. You can view the startup-config, also called the
backup configuration, with the show startup-config command.
29. To save the switch configuration, you type copy running-config startup-config, or
copy run start, just like on a router.
2960A#copy run start
Destination filename [startup-config]? press Enter
Building configuration...
[OK]
2960A#
30. To delete the contents of NVRAM on a 2960 switch, use the erase startup-config
command as shown. However, you still need to reload the switch to erase the running-
config.
2960A#erase startup-config
Erasing the nvram filesystem will remove all files! Continue? [confirm]
press Enter
[OK]
Erase of nvram: complete
2960A#show start
%% Non-volatile configuration memory is not present
2960A#
Individual Lab: Static Routing
This lab will have you build the routing tables by hand, which means you will create static
routing tables on each router. This will allow you to route throughout the entire network.
At this point you can only route to directly connected networks of each router. Remember
that the routing will not work until all static routes are configured on all routers.
Enter all commands in lower case. The program's grading feature expects
lower case and may count an answer wrong if it is in upper case.
When you have finished with this lab ...
You can check your work by clicking the Grade Me button in the upper right hand
corner of the Network Visualizer screen.
You will see a report that will display:
- The name of the command entered for this lab.
- The expected configuration.
- Your configuration.
- The result for each command. You will see a green checkmark (meaning that you got it
  correct) or a red X.
- A score of the number of correct answers out of the total possible.
Network Layout
On the Network Visualizer screen, click on the Labs menu then choose Individual, IP
Routing, and Static Routing.
Static Route
A static route is a manually hard-coded routing statement that creates a route in the
routing table of a router. The static route specifies how the router will get to a certain
network by using a certain path. Static routing refers to the manual method used to set up
routing. This method has the advantage of being simple to create and predictable in its
functionality. It is easy to manage in small networks but in larger ones it is difficult to
set up and manage all possible static routes. Static routes are not dynamically
responsive to topology changes in a network.
Lab Steps
Copy and Paste Script
Steps 1-3 are necessary in order to perform this lab. If you do not want to manually complete
these steps and want to accelerate steps 1-3, you can copy and paste the following script into
the console for each router. After you get into user mode, copy and paste the script into the
console. Click on the console and click your right mouse button. A pop-up menu will appear.
Click Paste.
After pasting the script into the console, you will see the prompt Destination filename
[startup-config]?. At this point, press Enter.
2621 Router A
enable
config t
hostname 2621A
line vty 0 4
password todd
login
int s0/0
ip address 172.16.20.2 255.255.255.0
description connection to 2811A
no shutdown
exit
exit
copy run start

2811 Router A
enable
config t
hostname 2811A
line vty 0 1180
password todd
login
int s0/1/1
ip address 172.16.20.1 255.255.255.0
description connection to 2621A
no shutdown
int s0/0/1
ip address 172.16.30.1 255.255.255.0
description connection to 2621B
no shutdown
exit
exit
copy run start

2621 Router B
enable
config t
hostname 2621B
line vty 0 4
password todd
login
int s0/0
ip address 172.16.30.2 255.255.255.0
description connection to 2811A
no shutdown
exit
exit
copy run start
1. Double-click 2621 Router A. After the console screen comes up, perform the following
commands.
Router>enable
Router#config t
Router(config)#hostname 2621A
2621A(config)#line vty 0 4
2621A(config-line)#password todd
2621A(config-line)#login
2621A(config-line)#int s0/0
2621A(config-if)#ip address 172.16.20.2 255.255.255.0
2621A(config-if)#description connection to 2811A
2621A(config-if)#no shutdown
2621A(config-if)#exit
2621A(config)#exit
2621A#copy run start
Destination filename [startup-config]? [enter]
Building configuration...
[OK]
2621A#
2. Double-click 2811 Router A. After the console screen comes up, perform the following
commands.
Router>enable
Router#config t
Router(config)#hostname 2811A
2811A(config)#line vty 0 1180
2811A(config-line)#password todd
2811A(config-line)#login
2811A(config-line)#int s0/1/1
2811A(config-if)#ip address 172.16.20.1 255.255.255.0
2811A(config-if)#description connection to 2621A
2811A(config-if)#no shutdown
2811A(config-if)#int s0/0/1
2811A(config-if)#ip address 172.16.30.1 255.255.255.0
2811A(config-if)#description connection to 2621B
2811A(config-if)#no shutdown
2811A(config-if)#exit
2811A(config)#exit
2811A#copy run start
Destination filename [startup-config]? [enter]
Building configuration...
[OK]
2811A#
3. Double-click 2621 Router B. After the console screen comes up, perform the following
commands.
Router>enable
Router#config t
Router(config)#hostname 2621B
2621B(config)#line vty 0 4
2621B(config-line)#password todd
2621B(config-line)#login
2621B(config-line)#int s0/0
2621B(config-if)#ip address 172.16.30.2 255.255.255.0
2621B(config-if)#description connection to 2811A
2621B(config-if)#no shutdown
2621B(config-if)#exit
2621B(config)#exit
2621B#copy run start
Destination filename [startup-config]? [enter]
Building configuration...
[OK]
2621B#
4. From 2621 Router A, use the ip route command to configure static routing. 2621
Router A is connected to network 172.16.20.0 and a static route must be configured
for EVERY network that is not directly connected. The next hop gateway is always
172.16.20.1 (router 2811 A).
2621A#config t
2621A(config)#ip route 172.16.30.0 255.255.255.0 172.16.20.1
2621A(config)#exit
2621A#copy run start
Clock Rate
You do not have to set a clock rate if the DCE side of your connection is a 2811 router.
The clock rate for the serial interface is set by default to 2000000. However, on the 2621
router you still need to explicitly set the clock rate. In our lab the DCE side of the con-
nection is interface serial 0/1/1 and serial 0/0/1.
5. From 2621 Router B, use the ip route command to configure static routing. 2621 Router B
is connected to network 172.16.30.0 and a static route must be configured for EVERY
network that is not directly connected. The next hop gateway is always 172.16.30.1
(router 2811 A).
2621B#config t
2621B(config)#ip route 172.16.20.0 255.255.255.0 172.16.30.1
2621B(config)#exit
2621B#copy run start
6. From 2621 Router A, use the show ip route command to verify your routing table.
2621A#show ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, * - candidate default
U - per-user static route, o - ODR, P - periodic downloaded static route
T - traffic engineered route
Gateway of last resort is not set
172.16.0.0/24 is subnetted, 3 subnets
S 172.16.30.0 [1/0] via 172.16.20.1
C 172.16.20.0 is directly connected, Serial0/0
2621A#
Anatomy of a Command: IP Route 172.16.30.0 255.255.255.0 172.16.20.1
ip route         tells the system we are entering a static route
172.16.30.0      this is the destination ip network address, where we want to send packets
255.255.255.0    the mask of the destination ip network
172.16.20.1      the IP address of the next hop used to reach the destination address
Directly Connected Routes
In the preceding set of ip route commands for 2621 Router B, routes are not established
for network 30. 2621 Router B knows about network 30 because it is directly
connected to it. Therefore you do not have to enter ip route commands for network 30;
only for networks that are not directly connected to 2621 Router B, such as network 20.
Anatomy of a Routing Table

Output: 172.16.0.0/24 is subnetted, 2 subnets
Description: Class B network 172.16.0.0 is subnetted into two class C networks.
Metric: /24 means a class C network. The two subnetted Class C networks are 172.16.30.0 and 172.16.20.0.

Output: S 172.16.30.0 [1/0] via 172.16.20.1
Description: Any packets destined for network 172.16.30.0 are forwarded to the next hop router with the ip address of 172.16.20.1.
Metric: S means the route is a static route and was manually added using the ip route command. [1/0] is the administrative distance (1) and routing metric (0).

Output: C 172.16.20.0 is directly connected, Serial0/0
Description: Any packets destined for network 172.16.20.0 are forwarded to ip address assigned to the Serial0/0 interface.
Metric: C means the route is directly connected to the local router's Serial0/0 interface. The route is automatically added to the local routing table when S0/0 is assigned an ip address, has a physical cable connection, and is turned up for service.
7. From 2621 Router B, use the show ip route command to verify your routing table.
2621B#show ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, * - candidate
default
U - per-user static route, o - ODR, P - periodic downloaded static
route
T - traffic engineered route
Gateway of last resort is not set
172.16.0.0/24 is subnetted, 2 subnets
C 172.16.30.0 is directly connected, Serial0/0
S 172.16.20.0 [1/0] via 172.16.30.1
2621B#
8. Once you verify the routing tables in all routers, use the ping command to verify IP
connectivity between routers.
2621A#ping 172.16.30.2
2621B#ping 172.16.20.2
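The reminder that routing will not work until every router has its static routes can be checked offline. The following Python model is an added example, not part of the lab software: it uses the interface addresses and ip route statements from steps 1 to 5, does a longest-prefix lookup at each hop, and counts a ping as successful only when both the echo request and the reply can be routed. All function names are illustrative.

```python
import ipaddress

# Interface addresses taken from the lab's setup scripts (steps 1-3).
INTERFACES = {
    "2621A": ["172.16.20.2/24"],
    "2811A": ["172.16.20.1/24", "172.16.30.1/24"],
    "2621B": ["172.16.30.2/24"],
}
# Static routes from steps 4 and 5: (destination, mask, next hop).
STEP4 = {"2621A": [("172.16.30.0", "255.255.255.0", "172.16.20.1")]}
STEP5 = {"2621B": [("172.16.20.0", "255.255.255.0", "172.16.30.1")]}


def build_tables(static_routes):
    """Return {router: [(network, next_hop)]}; next_hop is None for connected routes."""
    tables = {}
    for router, addrs in INTERFACES.items():
        table = [(ipaddress.ip_interface(a).network, None) for a in addrs]
        for dest, mask, hop in static_routes.get(router, []):
            table.append((ipaddress.ip_network(f"{dest}/{mask}"),
                          ipaddress.ip_address(hop)))
        tables[router] = table
    return tables


def owner_of(addr):
    """Name of the router that has addr configured on an interface, or None."""
    for router, addrs in INTERFACES.items():
        if any(ipaddress.ip_interface(a).ip == addr for a in addrs):
            return router
    return None


def lookup(table, dst):
    """Longest-prefix match over one routing table; None means no route."""
    matches = [entry for entry in table if dst in entry[0]]
    return max(matches, key=lambda e: e[0].prefixlen) if matches else None


def next_neighbor(tables, router, dst):
    """Address this router hands the packet to, or None if it cannot route it."""
    route = lookup(tables[router], dst)
    if route is None:
        return None
    _, hop = route
    if hop is None:                      # connected route: deliver on the link
        return dst
    connected = [net for net, h in tables[router] if h is None]
    return hop if any(hop in net for net in connected) else None


def deliver(tables, router, dst, max_hops=8):
    """Follow the tables hop by hop; True if the packet reaches dst's router."""
    dst = ipaddress.ip_address(dst)
    for _ in range(max_hops):
        if owner_of(dst) == router:
            return True
        target = next_neighbor(tables, router, dst)
        if target is None or owner_of(target) is None:
            return False
        router = owner_of(target)
    return False


def source_address(tables, router, dst):
    """A ping is sourced from the outgoing interface; return that address."""
    target = next_neighbor(tables, router, ipaddress.ip_address(dst))
    if target is None:
        return None
    for a in INTERFACES[router]:
        iface = ipaddress.ip_interface(a)
        if target in iface.network:
            return iface.ip
    return None


def ping(tables, router, dst):
    """The echo request must arrive and the echo reply must find its way back."""
    src = source_address(tables, router, dst)
    if src is None or not deliver(tables, router, dst):
        return False
    return deliver(tables, owner_of(ipaddress.ip_address(dst)), src)


if __name__ == "__main__":
    for label, routes in [("no static routes", {}),
                          ("step 4 only", STEP4),
                          ("steps 4 and 5", {**STEP4, **STEP5})]:
        t = build_tables(routes)
        print(f"{label}: 2621A ping 172.16.30.2 -> {ping(t, '2621A', '172.16.30.2')}")
```

With only step 4 applied the request reaches 2621 Router B but the reply has no route back, which is why the ping in step 8 succeeds only after step 5.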
Individual Lab: Telnet
Telnet is a virtual terminal protocol that is part of the TCP/IP protocol suite. Telnet allows
you to make connections to remote devices and gather information and run programs.
After your routers and switches are configured, you can use the Telnet program to configure
and check your routers and switches instead of needing to use a console cable. You
use the Telnet program by typing telnet from any command prompt (DOS or Cisco). VTY
passwords must be set on the routers for this to work.
You cannot use CDP to gather information about routers and switches that are not
directly connected to your device. However, you can use the Telnet application to connect
to your neighbor devices and then run CDP on those remote devices to gather CDP infor-
mation about remote devices.
In this lab we will telnet from 2621 Router B into 2621 Router A and 3550 Switch A.
Enter all commands in lower case. The program's grading feature expects
lower case and may count an answer wrong if it is in upper case.
When you have finished with this lab ...
You can check your work by clicking the Grade Me button in the upper right hand corner
of the Network Visualizer screen.
You will see a report that will display:
• The name of the command entered for this lab.
• The expected configuration.
• Your configuration.
• The result for each command. You will see a green checkmark (meaning that you got it correct) or a red X.
• A score of the number of correct answers out of the total possible.
Network Layout
On the Network Visualizer screen, click on the Labs menu then choose Individual,
Cisco Internetwork, and Telnet.
Lab Steps
Copy and Paste Script
Steps 1-3 are necessary in order to perform this lab. If you do not want to manually complete
these steps and want to accelerate steps 1 - 3, you can copy and paste the following script into
the console for each router. After you get into user mode, copy and paste the script into the
console. Click on the console and click your right mouse button. A pop-up menu will appear.
Click Paste.
After pasting the script into the console, you will see the prompt Destination filename
[startup-config]?. At this point, press Enter.
Router 2621 A
enable
config t
hostname 2621A
line vty 0 4
password todd
login
interface s0/0
ip address 172.16.20.2 255.255.255.0
description connection to 2811A
no shutdown
exit
exit
copy run start

Router 2811 A
enable
config t
hostname 2811A
line vty 0 1180
password todd
login
interface fastethernet 0/0
ip address 172.16.10.1 255.255.255.0
description connection to LAN 10
no shutdown
interface s0/1/1
ip address 172.16.20.1 255.255.255.0
description connection to 2621A
no shutdown
interface s0/0/1
ip address 172.16.30.1 255.255.255.0
description connection to 2621B
no shutdown
exit
exit
copy run start

Router 2621 B
enable
config t
hostname 2621B
line vty 0 4
password todd
login
interface s0/0
ip address 172.16.30.2 255.255.255.0
description connection to 2811A
no shutdown
exit
exit
copy run start
1. Double-click 2621 Router A. After the console comes up, perform the following com-
mands.
Router>enable
Router#config t
Router(config)#hostname 2621A
2621A(config)#line vty 0 4
2621A(config-line)#password todd
2621A(config-line)#login
2621A(config-line)#int s0/0
2621A(config-if)#ip address 172.16.20.2 255.255.255.0
2621A(config-if)#description connection to 2811A
2621A(config-if)#no shutdown
2621A(config-if)#exit
2621A(config)#exit
2621A#copy run start
Destination filename [startup-config]? [enter]
Building configuration...
[OK]
2621A#
2. Double-click 2811 Router A. After the console screen comes up, perform the following
commands.
Router>enable
Router#config t
Router(config)#hostname 2811A
2811A(config)#line vty 0 1180
2811A(config-line)#password todd
2811A(config-line)#login
2811A(config-line)#int fastethernet 0/0
2811A(config-if)#ip address 172.16.10.1 255.255.255.0
2811A(config-if)#description connection to LAN 10
2811A(config-if)#no shutdown
2811A(config-if)#int s0/1/1
2811A(config-if)#ip address 172.16.20.1 255.255.255.0
2811A(config-if)#description connection to 2621A
2811A(config-if)#no shutdown
2811A(config-if)#int s0/0/1
2811A(config-if)#ip address 172.16.30.1 255.255.255.0
2811A(config-if)#description connection to 2621B
2811A(config-if)#no shutdown
2811A(config-if)#exit
2811A(config)#exit
2811A#copy run start
Destination filename [startup-config]? [enter]
Building configuration...
[OK]
2811A#
3. Double-click 2621 Router B. After the console screen comes up, perform the following
commands.
Router>enable
Router#config t
Router(config)#hostname 2621B
2621B(config)#line vty 0 4
2621B(config-line)#password todd
2621B(config-line)#login
2621B(config-line)#interface s0/0
2621B(config-if)#ip address 172.16.30.2 255.255.255.0
2621B(config-if)#description connection to 2811A
2621B(config-if)#no shutdown
2621B(config-if)#exit
2621B(config)#exit
2621B#copy run start
Destination filename [startup-config]? [enter]
Building configuration...
[OK]
2621B#
4. We need to add a routing protocol such as RIP. Add RIP for each router with a
network of 172.16.0.0.
2621A#config t
2621A(config)#router rip
2621A(config-router)#network 172.16.0.0
2621A(config-router)#ctrl+z
2621B#config t
2621B(config)#router rip
2621B(config-router)#network 172.16.0.0
2621B(config-router)#ctrl+z
2811A#config t
2811A(config)#router rip
2811A(config-router)#network 172.16.0.0
2811A(config-router)#ctrl+z
Clock Rate
You do not have to set a clock rate if the DCE side of your connection is a 2811 router. The
clock rate for the serial interface is set by default to 2000000. However, on the 2621 router
you still need to explicitly set the clock rate. In our lab the DCE side of the connection is
interface serial 0/1/1 and serial 0/0/1.
5. Go to the console for 3550 Switch A and perform the following commands:
switch>en
switch#config t
Enter configuration commands, one per line. End with CNTL/Z
switch(config)#
6. To set the IP configuration on a 3550 switch, use the ip address command. However,
this is set under the VLAN1 interface, not at global configuration mode like on a 1900
switch. Remember that by default all interfaces are members of VLAN1, which is why
the VLAN1 interface is configured by default. Let's also set the hostname so that we
can more clearly identify this device when we telnet into it in subsequent steps.
switch(config)#hostname 3550A
3550A(config)#int vlan 1
3550A(config-if)#ip address 172.16.10.17 255.255.255.0
7. The default gateway should also be set using the ip default-gateway command. How-
ever, unlike the IP address, this is completed at global configuration mode.
3550A(config-if)#exit
3550A(config)#ip default-gateway 172.16.10.1
8. We need to set up a VTY password for the 3550 Switch A.
3550A(config)#line vty 0 15
3550A(config-line)#password todd
3550A(config-line)#login
3550A(config-line)#ctrl+z
3550A#copy run start
9. Switch to the 2621 B router via the console menu.
10. You can issue the telnet command from any router prompt, as in the following example
from 2621 Router B to 2621 Router A:
2621B#telnet 172.16.20.2
Trying 172.16.10.2 ... Open
Password required, but none set
[Connection to 172.16.20.2 closed by foreign host]
2621B#
Remember that the VTY ports on a router are configured as login, which means that
you must either set the VTY passwords or use the no login command.
11. On a Cisco router, you do not need to use the telnet command. If you just type in an
IP address from a command prompt, the router will assume you want to telnet to the
device, as shown below:
2621B#172.16.20.2
Trying 172.16.10.2 ... Open
Password required, but none set
[Connection to 172.16.20.2 closed by foreign host]
2621B#
12. It's time to set VTY passwords on the router I want to telnet into. Here is an example
of what was done:
2621A#config t
Enter configuration commands, one per line. End with CTRL/Z.
2621A(config)#line vty 0 4
2621A(config-line)#password todd
2621A(config-line)#login
2621A(config-line)#ctrl+z
2621A#
13. Now, let's try connecting to the router again (from the 2621 Router B console).
2621B#172.16.20.2
Trying 172.16.20.2 ... Open
User Access Verification
Password:
2621A>
14. Remember that the VTY password is the user mode password, not the enable pass-
word. Watch what happens when I try to go into privileged mode after telneting into
2621 Router A:
2621A>en
% No password set
2621A>
This is a good security feature. You don't want anyone just telneting onto your device
and then being able to just type the enable command to get into privileged mode. You
must set your enable password or enable secret password to use telnet to configure
remote devices.
15. Now, exit out of 2621 Router A.
2621A>exit
[Connection to 172.16.20.2 closed by foreign host]
2621B#
16. If you telnet to a router or switch, you can end the connection by typing Exit at any
time. However, what if you want to keep your connection to a remote device but still
come back to your original router console? To keep the connection, you can press the
Ctrl+Shift+6 key combination, release it, and then press X.
Here's an example of connecting to multiple devices from the 2621 Router B console:
2621B#telnet 172.16.20.2
Trying 172.16.20.2 ... Open
User Access Verification
Password:
2621A> [press ctrl+shift+6 then x]
2621B#
In the example above, I telneted to 2621 Router A, then typed the password to enter
user mode. I then pressed Ctrl+Shift+6, then x (this does not show on the screen out-
put). Notice the command prompt is now back at the 2621 B router.
17. You can also telnet into a switch. In the following example, we telnet to 3550 Switch A.
2621B#telnet 172.16.10.17
Trying 172.16.10.17 ... Open
User Access Verification
Password:
3550A>
18. At this point, press Ctrl+Shift+6, then X, which will take you back to the 2621 B
router console.
2621B#
19. To see the connections made from your router to a remote device, use the show ses-
sions command, as shown below.
2621B#show sessions
Conn Host Address Byte Idle Conn Name
1 172.16.20.2 172.16.20.2 0 0 172.16.20.2
* 2 172.16.10.17 172.16.10.17 0 0 172.16.10.17
2621B#
20. Notice the asterisk (*) next to connection 2. This means that session 2 was the last ses-
sion. You can return to your last session by pressing enter twice. You can also return
to any session by typing the number of the connection and pressing enter twice. Here is
an example:
2621B#1
[Resuming connection 1 to 172.16.20.2 ... ] [press enter]
2621A>
When changing windows from Router to Router do not close the window
with the x or the telnet information will be lost.
21. You can list all active consoles and VTY ports in use on your router with the show
users command. Type show users from 2621 Router A, which 2621 Router B had
telneted into.
2621A>show users
Line User Host(s) Idle Location
0 con 0 idle 00:00:00
* 2 vty 0 idle 00:25:12 172.16.30.2
Interface User Mode Idle Peer Address
2621A>
In the command's output, the con represents the local console. In this example, the
console is connected to two remote IP addresses, or devices. This output shows that the
console is active and that VTY port 0 is being used. The asterisk represents the current
terminal session user.
22. You can end Telnet sessions a few different ways. Typing exit or disconnect is probably
the easiest and quickest. To end a session from a remote device, use the exit command,
as shown below.
2621A#exit
[Connection to 172.16.20.2 closed by foreign host]
2621B#
23. To end a session from a local device, use the disconnect command, as shown below.
2621B#show sessions
Conn Host Address Byte Idle Conn Name
* 2 172.16.10.17 172.16.10.17 0 0 172.16.10.17
2621B#disconnect 2
Closing connection to 172.16.10.17 [confirm] [enter]
2621B#
In this example, we used the session number 2 because that was the connection to the
3550 Switch A that we wanted to end. As explained earlier, you can use the show sessions
command to see the connection number.
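Steps 10 through 14 show three VTY states worth checking for on any device that accepts Telnet: login required with no password set, no login, and no enable password or enable secret. The following Python check is an added example, not part of the lab software or of Cisco IOS; it scans running-config text for those three conditions, and the configuration fragments in it are constructed for illustration.

```python
import re

VTY_RE = re.compile(r"^line vty (\d+)(?: (\d+))?\s*$")

MEANING = {
    "LOGIN_WITHOUT_PASSWORD": "login is required but no password is set; Telnet is "
                              "refused with 'Password required, but none set' (step 10)",
    "NO_LOGIN": "no login is configured; anyone who can reach the device gets a "
                "user-mode prompt without a password",
    "NO_ENABLE_PASSWORD": "no enable password or enable secret; remote users see "
                          "'% No password set' at the enable command (step 14)",
}

# Constructed running-config fragments (not captured from a device).
STEP10_STATE = """\
hostname 2621A
!
line con 0
line vty 0 4
 login
!
end
"""
STEP12_STATE = """\
hostname 2621A
!
line con 0
line vty 0 4
 password todd
 login
!
end
"""
MIXED_STATE = """\
hostname 3550A
!
enable secret 5 CONSTRUCTED-HASH-PLACEHOLDER
!
line con 0
line vty 0 4
 password todd
 login
line vty 5 15
 no login
!
end
"""


def vty_stanzas(config):
    """Return [(first_line, last_line, [sub-commands])] for every 'line vty' stanza."""
    stanzas, cmds = [], None
    for line in config.splitlines():
        m = VTY_RE.match(line)
        if m:
            first = int(m.group(1))
            cmds = []
            stanzas.append((first, int(m.group(2) or first), cmds))
        elif cmds is not None and line.startswith(" "):
            cmds.append(line.strip())    # indented line belongs to the stanza
        else:
            cmds = None                  # any unindented line closes the stanza
    return stanzas


def audit(config):
    """Return [(scope, finding_code)] for the three conditions in MEANING."""
    findings = []
    for first, last, cmds in vty_stanzas(config):
        scope = f"vty {first}-{last}"
        has_password = any(c.startswith("password ") for c in cmds)
        if "no login" in cmds:
            findings.append((scope, "NO_LOGIN"))
        elif "login" in cmds and not has_password:
            findings.append((scope, "LOGIN_WITHOUT_PASSWORD"))
    if not re.search(r"^enable (secret|password) ", config, re.M):
        findings.append(("global", "NO_ENABLE_PASSWORD"))
    return findings


def report(config):
    """Human-readable lines, one per finding."""
    return [f"{scope}: {MEANING[code]}" for scope, code in audit(config)]


if __name__ == "__main__":
    for name, cfg in [("step 10", STEP10_STATE), ("step 12", STEP12_STATE),
                      ("mixed", MIXED_STATE)]:
        print(name, report(cfg) or ["no findings"])
```

Each stanza is checked separately because a password on line vty 0 4 says nothing about the remaining lines, such as vty 5 15 on the 3550 switch.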
Individual Lab: Using the Cisco Discovery Protocol
to Gather Information about Neighbor Devices
Cisco Discovery Protocol (CDP) is a proprietary protocol designed by Cisco to help admin-
istrators collect information about both locally attached and remote devices. You can gather
hardware information, as well as protocol information about neighbor devices. This infor-
mation is useful for troubleshooting and documenting the network.
Enter all commands in lower case. The program's grading feature expects
lower case and may count an answer wrong if it is in upper case.
When you have finished with this lab ...
You can check your work by clicking the Grade Me button in the upper right hand
corner of the Network Visualizer screen.
You will see a report that will display:
• The name of the command entered for this lab.
• The expected configuration.
• Your configuration.
• The result for each command. You will see a green checkmark (meaning that you got it correct) or a red X.
• A score of the number of correct answers out of the total possible.
Network Layout
On the Network Visualizer screen, click on the Labs menu then choose Individual,
Cisco Internetwork, and Cisco Discovery Protocol.
Lab Steps
1. Double-click 2621 Router A. After the console screen comes up, perform the following
commands.
Router>enable
Router#config t
Router(config)#hostname 2621A
2621A(config)#line vty 0 4
2621A(config-line)#password todd
2621A(config-line)#login
2621A(config-line)#int s0/0
2621A(config-if)#ip address 172.16.20.2 255.255.255.0
2621A(config-if)#description connection to 2811A
2621A(config-if)#no shutdown
2621A(config-if)#exit
2621A(config)#exit
2621A#copy run start
Destination filename [startup-config]? [enter]
Building configuration...
[OK]
2621A#
2. Double-click 2811 Router A. After the console screen comes up, perform the following
commands.
Router>enable
Router#config t
Router(config)#hostname 2811A
2811A(config)#line vty 0 1180
2811A(config-line)#password todd
2811A(config-line)#login
2811A(config-line)#int s0/1/1
2811A(config-if)#ip address 172.16.20.1 255.255.255.0
2811A(config-if)#description connection to 2621A
2811A(config-if)#no shutdown
2811A(config-if)#int s0/0/1
2811A(config-if)#ip address 172.16.30.1 255.255.255.0
2811A(config-if)#description connection to 2621B
2811A(config-if)#no shutdown
2811A(config-if)#exit
2811A(config)#exit
2811A#copy run start
Destination filename [startup-config]? [enter]
Building configuration...
[OK]
2811A#
3. Double-click 2621 Router B. After the console screen comes up, perform the following
commands.
Router>enable
Router#config t
Router(config)#hostname 2621B
2621B(config)#line vty 0 4
2621B(config-line)#password todd
2621B(config-line)#login
2621B(config-line)#int s0/0
2621B(config-if)#ip address 172.16.30.2 255.255.255.0
2621B(config-if)#description connection to 2811A
2621B(config-if)#no shutdown
2621B(config-if)#exit
2621B(config)#exit
2621B#copy run start
Destination filename [startup-config]? [enter]
Building configuration...
[OK]
2621B#
4. Gather CDP information on your router by getting CDP Timers and Holdtime Informa-
tion. Use the show cdp command which shows information about two CDP global param-
eters that can be configured on Cisco devices. The output on a router looks like this:
2811A#show cdp
Global CDP information:
Sending CDP packets every 60 seconds
Sending a holdtime value of 180 seconds
Sending CDPv2 advertisements is enabled
2811A#
Clock Rate
You do not have to set a clock rate if the DCE side of your connection is a 2811 router.
The clock rate for the serial interface is set by default to 2000000. However, on the
2621 router you still need to explicitly set the clock rate. In our lab the DCE side of the
connection is interface serial 0/1/1 and serial 0/0/1.
• CDP timer is how often CDP packets are transmitted to all active interfaces.
• CDP holdtime is the amount of time that the device will hold packets received from neighbor devices.
Both the Cisco routers and the Cisco switches use the same parameters.
5. Use the global commands cdp holdtime and cdp timer to configure the CDP holdtime
and timer on a router.
2811A#config t
Enter configuration commands, one per line. End with CTRL/Z.
2811A(config)#cdp ?
advertise-v2 CDP sends version-2 advertisements
holdtime Specify the holdtime (in sec) to be sent in packets
log Log messages generated by CDP
run Enable CDP
source-interface Insert the interface's IP in all CDP packets
timer Specify rate (in sec) at which CDP packets are sent
2811A(config)#cdp timer 90
2811A(config)#cdp holdtime 240
2811A(config)#ctrl+z
6. You can turn off CDP completely on the router with the no cdp run command from
global configuration mode of a router. Enable CDP with the cdp run command.
2811A(config)#no cdp run
2811A(config)#cdp run
2811A(config)#ctrl+z
7. To turn off or on CDP on a router interface, use the no cdp enable and cdp enable
commands. Enable CDP on the interface with the cdp enable command.
2811A(config)#int fa0/0
2811A(config-if)#no cdp enable
2811A(config-if)#cdp enable
2811A(config-if)#ctrl+z
8. The show cdp neighbor command (show cdp nei for short) shows information about
directly connected devices. It is important to remember that CDP packets are not passed
through a Cisco switch, and you only see what is directly attached. On a router con-
nected to a switch, you will not see the other devices connected to the switch. The fol-
lowing output shows the show cdp neighbor command used on the 2811 A router.
2811A#show cdp nei
Device ID    Local Intrfce    Holdtme    Capability    Platform    Port ID
2621B        Ser 0/0/1        170        R             2621        Ser 0/0
2621A        Ser 0/1/1        170        R             2621        Ser 0/0
2811A#
The following table summarizes the information displayed by the show cdp neighbor
command for each device.
Field            Description
Device ID        The hostname of the device directly connected.
Local Interface  The port or interface on which you are receiving the CDP packet.
Holdtime         The amount of time the router will hold the information before discarding it if no more CDP packets are received.
Capability       The neighbor's capability, such as router, switch, or repeater. The capability codes are listed at the top of the command output.
Platform         The type of Cisco device. In the above output, a 2811 router, two 2621 routers, a 3550 switch, and a 3560 switch are attached.
Port ID          The neighbor device's port or interface on which the CDP packets are broadcasted out.
9. Another command that provides neighbor information is the show cdp neighbor
detail command (show cdp nei de for short), which also can be run on the router or
switch. This command shows detailed information about each device connected to the
device, as in the router output below.
2811A#show cdp neighbor detail
-------------------------
Device ID: 2621B
Entry address(es):
IP Address: 172.16.30.2
Platform: cisco 2621, Capabilities: Router
Interface: Serial0/0, Port ID (outgoing port): Serial0/0/1
Holdtime : 146 sec
Version :
Cisco Internetwork Operating System Software
IOS (tm) C2600 Software (C2600-BIN-M), Version 12.2(13)T1, RELEASE SOFTWARE
(fc1)
TAC Support: http://www.cisco.com/tac
Copyright (c) 1986-2003 by Cisco Systems, Inc.
Compiled Sat 04-Jan-03 05:58 by ccai
advertisement version: 2
-------------------------
Device ID: 2621A
Entry address(es):
IP Address: 172.16.20.2
Platform: cisco 2621, Capabilities: Router
Interface: Serial0/0, Port ID (outgoing port): Serial0/1/1
Holdtime : 146 sec
Version :
Cisco Internetwork Operating System Software
IOS (tm) C2600 Software (C2600-BIN-M), Version 12.2(13)T1, RELEASE SOFTWARE
(fc1)
TAC Support: http://www.cisco.com/tac
Copyright (c) 1986-2003 by Cisco Systems, Inc.
Compiled Sat 04-Jan-03 05:58 by ccai
advertisement version: 2
-------------------------
2811A#
The output above shows the hostname and IP address of the directly connected devices.
In addition to the same information displayed by the show cdp neighbor command, the
show cdp neighbor detail command also shows the IOS version of the neighbor device.
10. The show cdp entry * command displays the same information as the show cdp
neighbor detail command. The following is an example of the router output of
the show cdp entry * command.
2811A#show cdp entry *
-------------------------
Device ID: 2621B
Entry address(es):
IP Address: 172.16.30.2
Platform: cisco 2621, Capabilities: Router
Interface: Serial0/0, Port ID (outgoing port): Serial0/0/1
Holdtime : 146 sec
Version :
Cisco Internetwork Operating System Software
IOS (tm) C2600 Software (C2600-BIN-M), Version 12.2(13)T1, RELEASE SOFTWARE
(fc1)
TAC Support: http://www.cisco.com/tac
Copyright (c) 1986-2003 by Cisco Systems, Inc.
Compiled Sat 04-Jan-03 05:58 by ccai
advertisement version: 2
-------------------------
Device ID: 2621A
Entry address(es):
IP Address: 172.16.20.2
Platform: cisco 2621, Capabilities: Router
Interface: Serial0/0, Port ID (outgoing port): Serial0/1/1
Holdtime : 146 sec
Version :
Cisco Internetwork Operating System Software
IOS (tm) C2600 Software (C2600-BIN-M), Version 12.2(13)T1, RELEASE SOFTWARE
(fc1)
TAC Support: http://www.cisco.com/tac
Copyright (c) 1986-2003 by Cisco Systems, Inc.
Compiled Sat 04-Jan-03 05:58 by ccai
advertisement version: 2
-------------------------
2811A#
11. The show cdp traffic command displays information about interface traffic, including
the number of CDP packets sent and received and the errors with CDP. The following
output shows the show cdp traffic command used on a router.
2811A#show cdp traffic
CDP counters :
Total packets output: 30, Input: 30
Hdr syntax: 0, Chksum error: 0, Encaps failed: 0
No memory: 0, Invalid packet: 0, Fragmented: 0
CDP version 1 advertisements output: 0, Input: 0
CDP version 2 advertisements output: 30, Input: 30
2811A#
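Because show cdp neighbor detail reveals each neighbor's hostname, address, platform and IOS version, its output is a convenient input for an inventory or version check. The following Python parser is an added example, not part of the lab software; it reads the output format shown in step 9 (the sample text is copied from that step, with the TAC, copyright and build lines omitted), and the approved-version set passed to off_baseline is an assumption.

```python
import re

# Output copied from step 9 of this lab, abridged as described above.
SAMPLE = """\
2811A#show cdp neighbor detail
-------------------------
Device ID: 2621B
Entry address(es):
 IP Address: 172.16.30.2
Platform: cisco 2621, Capabilities: Router
Interface: Serial0/0, Port ID (outgoing port): Serial0/0/1
Holdtime : 146 sec
Version :
Cisco Internetwork Operating System Software
IOS (tm) C2600 Software (C2600-BIN-M), Version 12.2(13)T1, RELEASE SOFTWARE
(fc1)
advertisement version: 2
-------------------------
Device ID: 2621A
Entry address(es):
 IP Address: 172.16.20.2
Platform: cisco 2621, Capabilities: Router
Interface: Serial0/0, Port ID (outgoing port): Serial0/1/1
Holdtime : 146 sec
Version :
Cisco Internetwork Operating System Software
IOS (tm) C2600 Software (C2600-BIN-M), Version 12.2(13)T1, RELEASE SOFTWARE
(fc1)
advertisement version: 2
-------------------------
2811A#
"""

FIELD_RES = {
    "device_id": re.compile(r"^Device ID:\s*(\S+)"),
    "ip": re.compile(r"^\s*IP [Aa]ddress:\s*(\S+)"),
    "platform": re.compile(r"^Platform:\s*([^,]+),"),
    "capabilities": re.compile(r"Capabilities:\s*(.+?)\s*$"),
    "interface": re.compile(r"^Interface:\s*([^,]+),"),
    "port_id": re.compile(r"Port ID \(outgoing port\):\s*(\S+)"),
    "holdtime": re.compile(r"^Holdtime\s*:\s*(\d+)"),
}
IOS_VERSION_RE = re.compile(r"Version\s+([^,\s]+),")


def parse_cdp_detail(text):
    """Return one dict per neighbor entry; entries are separated by dashed lines."""
    neighbors = []
    for chunk in re.split(r"^-{5,}\s*$", text, flags=re.M):
        entry, banner, in_version = {}, [], False
        for line in chunk.splitlines():
            if in_version:
                # The software banner runs until 'advertisement version' and may wrap.
                if line.startswith("advertisement version"):
                    in_version = False
                elif line.strip():
                    banner.append(line.strip())
                continue
            if re.match(r"^Version\s*:\s*$", line):
                in_version = True
                continue
            for name, rx in FIELD_RES.items():
                m = rx.search(line)
                if m:
                    entry[name] = m.group(1).strip()
        if "device_id" not in entry:
            continue                     # prompt lines before and after the entries
        m = IOS_VERSION_RE.search(" ".join(banner))
        entry["ios_version"] = m.group(1) if m else None
        entry["holdtime"] = int(entry.get("holdtime", 0))
        neighbors.append(entry)
    return neighbors


def off_baseline(neighbors, approved_versions):
    """Device IDs whose advertised IOS version is not in the approved set."""
    return [n["device_id"] for n in neighbors
            if n["ios_version"] not in approved_versions]


if __name__ == "__main__":
    for n in parse_cdp_detail(SAMPLE):
        print(n["device_id"], n["ip"], n["platform"], n["ios_version"])
```

Everything this parser extracts is also visible to whatever is attached to a CDP-enabled interface, which is the reason to use no cdp enable (step 7) on interfaces where no Cisco neighbor is expected.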
Individual Lab: Working with a Router Interface
Enter all commands in lower case. The program's grading feature expects
lower case and may count an answer wrong if it is in upper case.
By default, interfaces are shut down and turned off. That means that packets cannot travel
through the device to another connected device. You can turn an interface on with the no
shutdown command. You can turn off or shut down an interface with the shutdown command.
You can check the status of an interface by using the show interface command. If an inter-
face is shut down, it will display administratively down when using the show interface com-
mand, and the show running-config command will also show the interface as shut down.
When you have finished with this lab ...
You can check your work by clicking the Grade Me button in the upper right hand corner
of the Network Visualizer screen.
You will see a report that will display:
• The name of the command entered for this lab.
• The expected configuration.
• Your configuration.
• The result for each command. You will see a green checkmark (meaning that you got it correct) or a red X.
• A score of the number of correct answers out of the total possible.
Lab Steps
1. On the Network Visualizer screen, double-click on 2621 Router A. This will bring up
a console screen.
2. Press Enter and the Router> prompt will appear. You are now in the user mode.
3. Change to the privileged mode and global configuration mode.
Router>
Router>enable
Router#config t
Enter configuration commands, one per line. End with CTRL/Z.
4. Set the hostname.
Router(config)#hostname 2621A
Network Layout
On the Network Visualizer screen, click on the Labs menu then choose Individual,
Cisco IOS, and Router Interface.
5. Type show interface fastethernet 0 and see that it is administratively down.
2621A(config)#exit
2621A#show int fa0/0
FastEthernet0/0 is administratively down, line protocol is up
[output cut]
6. Bring up interface FastEthernet 0/0 with the no shutdown command.
2621A#config t
Enter configuration commands, one per line. End with CTRL/Z.
2621A(config)#int fa0/0
2621A(config-if)#no shutdown
2621A(config-if)#ctrl+z
00:57:08: %LINK-3-UPDOWN: Interface Fastethernet 0/0, changed state to up
00:57:09: %LINEPROTO-5-UPDOWN: Line protocol on Interface Fastethernet 0/0,
changed state to up
2621A#show int fa0/0
Fastethernet 0/0 is up, line protocol is down
[output cut]
7. Configure the router to enable all interfaces by issuing the no shutdown command on
all interfaces.
Configuring an IP Address on an Interface
8. Configure the FastEthernet 0/0 interface with the IP address of 172.16.10.2/24.
2621A#config t
2621A(config)#int fa0/0
2621A(config-if)#ip address 172.16.10.2 255.255.255.0
Notice that in order to enable an interface, we use the no shut command. Remember
to look at the command show interface fa0/0, for example, which will show you if it
is administratively shut down or not. Show running-config will also show you if the
interface is shut down.
9. If you want to add a second subnet address to an interface, then you must use the
secondary command.
If you type another IP address and press Enter, it will replace the existing IP address
and mask. To add a secondary IP address, use the secondary command.
2621A(config-if)#ip address 172.16.20.2 255.255.255.0 secondary
2621A(config-if)#ctrl+z
10. You can verify both addresses are configured on the interface with the show running-
config command (show run for short).
2621A#show run
Building configuration...
Current configuration:
[output cut]
!
interface Fastethernet 0/0
ip address 172.16.20.2 255.255.255.0 secondary
ip address 172.16.10.2 255.255.255.0
Serial Interface
To configure a serial interface, there are a couple of specifics that need to be discussed.
Typically, when in production, the interface will be attached to a CSU/DSU type of
device that provides clocking for the line. However, if you have a back-to-back configuration
used in a lab environment, for example, one end must provide clocking. This would
be the DCE end of the cable. Cisco routers, by default, are all DTE devices, and you must
tell an interface to provide clocking if it is to act as a DCE device. If you don't completely
understand this right now, don't worry, you will. Just run through the commands below for
now and I promise it will become clear to you later.
Subnet Address
Is a range of logical addresses within the address space of an organization. This allows
you to take one network and turn it into many more, smaller networks. This allows for
less network traffic on each network and faster and more efficient networks. See the
section "Subnetting Basics" in the Sybex CCNA Study Guide, 7th edition.
Serial Interface
You have a connection between two devices where data is sent between the two one
bit at a time. This occurs in only one direction at a time.
11. You can configure a DCE serial interface with the clock rate command. Configure an
interface that has a DCE connection.
2621A#config t
Enter configuration commands, one per line. End with CTRL/Z.
2621A(config)#int s0/0
2621A(config-if)#clock rate ?
Speed (bits per second)
1200
2400
4800
9600
19200
38400
56000
64000
72000
125000
148000
250000
500000
800000
1000000
1300000
2000000
4000000
<300-4000000> Choose clockrate from list above
2621A(config-if)#clock rate 64000
It does not hurt anything to try and put a clock rate on an interface. Notice that the
clock rate command is in bits per second.
If you are not on an interface that is set to DCE, then you will receive an
error when trying this command.
12. The next command you need to understand is the bandwidth command. Every Cisco
router ships with a default serial link bandwidth of a T1, or 1.544Mbps. However,
understand that this has nothing to do with how data is transferred over a link. The
bandwidth of a serial link is used by routing protocols such as IGRP, EIGRP, and
OSPF to calculate the best cost to a remote network. If you are using RIP routing, then
the bandwidth setting of a serial link is irrelevant.
2621A(config-if)#bandwidth ?
<1-10000000> Bandwidth in kilobits
2621A(config-if)#bandwidth 64
Notice that unlike the clock rate command, the bandwidth command is configured in
kilobits.
Setting An Interface Description
13. Set the description of the interface serial 0/0 interface to WAN to Miami with a circuit
number of 6fdda4321.
2621A(config-if)#int s0/0
2621A(config-if)#desc Wan to Miami circuit:6fdda4321
14. You can view the description of an interface either with the show running-config
command or the show interface command.
2621A#show run
[output cut]
!
interface Serial0/0
description Wan to Miami circuit:6fdda4321
no ip address
no ip directed-broadcast
shutdown
clockrate 64000
!
[output cut]
2621A#show int s0/0
Serial0/0 is administratively down, line protocol is down
Hardware is PowerQUICC Serial
Description: Wan to Miami circuit:6fdda4321
MTU 1500 bytes, BW 1544 Kbit, DLY 20000 0.
reliablility 255/255, txload 1/255, rxload 1/255
Encapsulation HDLC, loopback not set
[output cut]
2621A#
Finding DCE
DCE (data communications equipment) is the side of the connection that provides the
clocking. Unless it is a 2811 router, you would enter the clock rate on the DCE side of a
connection between routers. If you cannot remember what side of your connection is
DCE, you can use the show controllers command. Here is an example:
2811#show controllers s0/1/1
Interface Serial0/1/1
Hardware is GT96K
DCE V.35, clock rate 2000000 <------------ The DCE connection is associated
with s0/1/1 and a clockrate of 2000000
idb at 0x454E69C8, driver data structure at 0x454EE0EC
wic_info 0x454EE6E8
Physical Port 0, SCC Num 0
[output cut]
Individual Lab: Configuring Hosts
We will now configure all the hosts in the network and then verify the configurations. We
will start with Host A.
When you have finished with this lab ...
You can check your work by clicking the Grade Me button in the upper right hand
corner of the Network Visualizer screen.
Enter all commands in lower case. The program's grading feature expects
lower case and may count an answer wrong if it is in upper case.
You will see a report that will display:
- The name of the command entered for this lab.
- The expected configuration.
- Your configuration.
- The result for each command. You will see a green checkmark (meaning that you
  got it correct) or a red X.
- A score of the number of correct answers out of the total possible.
Network Layout
On the Network Visualizer screen, click on the Labs menu then choose Individual,
Cisco IOS, and Configuring Hosts.
Lab Steps
Copy and Paste Script
Steps 1-3 are necessary in order to perform this lab. If you do not want to manually complete
these steps and want to accelerate steps 1-3, you can copy and paste the following script into
the console for each router. After you get into User mode, copy and paste the script into the
console. Click on the console and click your right mouse button. A pop-up menu will appear.
Click Paste.
After pasting the script into the console, you will see the prompt Destination filename
[startup-config]?. At this point, press enter.
2621 Router A
enable
config t
hostname 2621A
line vty 0 4
password todd
login
interface serial 0/0
ip address 172.16.20.2 255.255.255.0
description connection to 2811A
no shutdown
exit
exit
copy run start
2811 Router A
enable
config t
hostname 2811A
line vty 0 1180
password todd
login
interface fastethernet 0/0
ip address 172.16.10.1 255.255.255.0
description connection to LAN 10
no shutdown
interface serial 0/1/1
ip address 172.16.20.1 255.255.255.0
description connection to 2621A
no shutdown
interface serial 0/0/1
ip address 172.16.30.1 255.255.255.0
description connection to 2621B
no shutdown
exit
exit
copy run start
2621 Router B
enable
config t
hostname 2621B
line vty 0 4
password todd
login
interface serial 0/0
ip address 172.16.30.2 255.255.255.0
description connection to 2811A
no shutdown
exit
exit
copy run start
1. Double-click 2621 Router A. After the console screen comes up, set the:
   - Hostname
   - Interface description
   - IP addresses of each interface
Router>enable
Router#config t
Router(config)#hostname 2621A
2621A(config)#line vty 0 4
2621A(config-line)#password todd
2621A(config-line)#login
2621A(config-line)#int s0/0
2621A(config-if)#ip address 172.16.20.2 255.255.255.0
2621A(config-if)#description connection to 2811A
2621A(config-if)#no shutdown
2621A(config-if)#exit
2. Double-click 2811 Router A. After the console screen comes up, set the:
   - Hostname
   - Interface description
   - IP addresses of each interface
Router>enable
Router#config t
Router(config)#hostname 2811A
2811A(config)#line vty 0 1180
2811A(config-line)#password todd
2811A(config-line)#login
2811A(config-line)#int fa0/0
2811A(config-if)#ip address 172.16.10.1 255.255.255.0
2811A(config-if)#description connection to LAN 10
2811A(config-if)#no shutdown
2811A(config-if)#int s0/1/1
2811A(config-if)#ip address 172.16.20.1 255.255.255.0
2811A(config-if)#description connection to 2621A
2811A(config-if)#no shutdown
2811A(config-if)#int s0/0/1
2811A(config-if)#ip address 172.16.30.1 255.255.255.0
2811A(config-if)#description connection to 2621B
2811A(config-if)#no shutdown
2811A(config-if)#exit
Clock Rate
You do not have to set a clock rate if the DCE side of your connection is a 2811 router.
The clock rate for the serial interface is set by default to 2000000. However, on the 2621
router you still need to explicitly set the clock rate. In our lab the DCE side of the
connection is interface serial 0/1/1 and serial 0/0/1.
3. Double-click 2621 Router B. After the console screen comes up, set the:
   - Hostname
   - Interface description
   - IP addresses of each interface
Router>enable
Router#config t
Router(config)#hostname 2621B
2621B(config)#line vty 0 4
2621B(config-line)#password todd
2621B(config-line)#login
2621B(config-line)#int s0/0
2621B(config-if)#ip address 172.16.30.2 255.255.255.0
2621B(config-if)#description connection to 2811A
2621B(config-if)#no shutdown
2621B(config-if)#exit
4. We need to add a routing protocol such as RIP. Add RIP for each router with a
network of 172.16.0.0.
2621A(config)#router rip
2621A(config-router)#network 172.16.0.0
2621A(config-router)#ctrl+z
2621A#copy run start
Destination filename [startup-config]? [enter]
Building configuration...
[OK]
2621A#
2621B#config t
2621B(config)#router rip
2621B(config-router)#network 172.16.0.0
2621B(config-router)#ctrl+z
2621B#copy run start
Destination filename [startup-config]? [enter]
Building configuration...
[OK]
2621B#
2811A#config t
2811A(config)#router rip
2811A(config-router)#network 172.16.0.0
2811A(config-router)#ctrl+z
2811A#copy run start
Destination filename [startup-config]? [enter]
Building configuration...
[OK]
2811A#
5. Right-click on Host A.
6. Click on the Configs button.
7. On Host A configure:
   - IP Address
   - Subnet Mask
   - Default Gateway
IP address: unique identification number for a device that is located on a network.
An IP address is equivalent to the address of your home. The format of an IP address is a
32-bit numeric address written as four numbers separated by periods. Each number can
be zero to 255. For example, 172.16.10.6 could be an IP address.
subnet mask: when you split up an IP network, it is used to determine what section or
subnet the IP address of a networked device belongs to. An IP address has two parts, the
network address and the host address.
Let's examine IP address 172.16.10.6. Assuming this is part of a Class B network, the
first two numbers (172.16) represent the Class B network address, and the second two
numbers (10.6) identify a particular host on this network.
default gateway: IP address configured on a networked device that allows that device to
communicate outside of its own subnet. A default gateway is usually a layer 3 device like
a router. When a network device wants to get to the Internet, it uses a default gateway.
A default gateway IP address is equivalent to the on-ramp of a highway.
IP Address: 172.16.10.5
Subnet Mask: 255.255.255.0
Default Gateway: 172.16.10.1
8. Right-click on Host B.
9. Click on the Configs button.
10. On Host B configure:
   - IP Address
   - Subnet Mask
   - Default Gateway
IP Address: 172.16.10.6
Subnet Mask: 255.255.255.0
Default Gateway: 172.16.10.1
11. Click the OK button and then the Close button.
12. On Host C configure:
   - IP Address
   - Subnet Mask
   - Default Gateway
IP Address: 172.16.10.7
Subnet Mask: 255.255.255.0
Default Gateway: 172.16.10.1
13. Click the OK button and then the Close button.
14. On Host D configure:
   - IP Address
   - Subnet Mask
   - Default Gateway
IP Address: 172.16.10.8
Subnet Mask: 255.255.255.0
Default Gateway: 172.16.10.1
15. Click the OK button and then the Close button.
16. On Host E configure:
   - IP Address
   - Subnet Mask
   - Default Gateway
IP Address: 172.16.40.3
Subnet Mask: 255.255.255.0
Default Gateway: 172.16.40.1
17. Click the OK button and then the Close button.
18. On Host F configure:
   - IP Address
   - Subnet Mask
   - Default Gateway
IP Address: 172.16.50.3
Subnet Mask: 255.255.255.0
Default Gateway: 172.16.50.1
19. Click the OK button and then the Close button.
20. From each host, ping all other hosts. Here is an example where we ping all other hosts
from Host D.
21. Double-click Host D on the network.
C:\>ping 172.16.10.5
C:\>ping 172.16.10.6
C:\>ping 172.16.10.7
C:\>ping 172.16.40.3 (this should fail)
C:\>ping 172.16.50.3 (this should fail)
ICND2
RIP - IPv6
Lab 1.1: Configuring RIP Routing
Configuring the routers with static and default routing is interesting to say the least. However,
it is not very often that you would use just static and default routing in a network these days.
This lab will configure Routing Information Protocol (RIP), one of the first dynamic routing
protocols created. It is easy and works pretty well in small to medium size networks.
Dynamic Routing
The process of routers in an Intranet or Internet advertising route information automatically
between each other. There is typically a common dynamic routing protocol configured
on each router. RIP Version 1 and 2, OSPF, EIGRP, and BGP are some examples
of dynamic routing protocols. When all routers have received routing updates and have
updated routing tables, the network is said to have converged. Convergence means that
all routers in the internetwork have the same routing information. At this point, a routed
protocol, IP for example, can send user data throughout the internetwork.
Network Layout
Load Standard Layout.rsm (or whatever you have named it in ICND1 labs) before going
through the following lab.
1. On the Network Visualizer screen, click on the File menu and then click Open.
2. When the dialog box appears, make sure you are in the Networks folder.
3. Click on the file Standard Layout.rsm and click Open.
Lab Steps
To configure RIP routing, you first have to remove the static and default routes configured
on the routers. This is assuming that you completed ICND1 Lab 2.9. Skip to lab step 4 if
you did not work with ICND1 Lab 2.9.
If you do not remove static and default routes, you will have connectivity throughout the
network and will not know if you have correctly set up RIP. Removing static and default routes
will help you clearly determine when and if you have set up RIP throughout the network.
Then use the router rip command to configure RIP. Then tell the routers which networks
are advertised with RIP.
1. From 2621 Router A, delete the default route and then verify the routing table with
the show ip route command. Only the directly connected networks should be in the
routing table.
2621A#config t
2621A(config)#no ip route 0.0.0.0 0.0.0.0 172.16.20.1
2621A(config)#exit
2621A#show ip route
[output cut]
Gateway of last resort is not set
172.16.0.0/24 is subnetted, 2 subnets
C 172.16.40.0 is directly connected, FastEthernet0/0
C 172.16.20.0 is directly connected, Serial0/0
2. From the 2621 Router B, delete the default route and then verify the routing table with
the show ip route command. Only the directly connected networks should be in the
routing table.
2621B#config t
2621B(config)#no ip route 0.0.0.0 0.0.0.0 172.16.30.1
2621B(config)#exit
2621B#show ip route
[output cut]
Gateway of last resort is not set
172.16.0.0/24 is subnetted, 2 subnets
C 172.16.30.0 is directly connected, Serial0/0
C 172.16.50.0 is directly connected, FastEthernet0/0
3. From 2811 Router A, delete the static routes and then verify the routing table with
the show ip route command. Only the directly connected networks should be in the
routing table.
2811A#config t
2811A(config)#no ip route 172.16.40.0 255.255.255.0 172.16.20.2
2811A(config)#no ip route 172.16.50.0 255.255.255.0 172.16.30.2
2811A(config)#do show ip route
[output cut]
Gateway of last resort is not set
172.16.0.0/24 is subnetted, 3 subnets
C 172.16.30.0 is directly connected, Serial0/0/1
C 172.16.20.0 is directly connected, Serial0/1/1
C 172.16.10.0 is directly connected, FastEthernet0/0
Deleting the static and default routes was the hardest part of configuring RIP routing!
Now, configure each router with RIP.
4. From 2621 Router A, configure RIP routing and tell RIP the network you want to
advertise.
Router Rip Command
Turns on RIP routing.
Network Command
Should be entered for each of the networks that the router is connected to and is a
part of the RIP network. In our network we have only one network, network 172.16.0.0.
2621A#config t
2621A(config)#router rip
2621A(config-router)#network 172.16.0.0
2621A(config-router)#ctrl+z
That's all there is to it! Dynamic routing is easy on small networks. The important
thing to notice here is that the network address is a classful address, which means you
use the classful boundary.
5. From 2621 Router B, configure RIP routing and tell RIP the network you want to
advertise.
2621B#config t
2621B(config)#router rip
2621B(config-router)#network 172.16.0.0
2621B(config-router)#ctrl+z
RIP
- Stands for Routing Information Protocol.
- Sends routing-update messages at regular intervals (usually every 30 seconds)
  and when the network topology changes.
- Uses a single metric called a hop, which measures the distance between the
  source and destination.
- Is limited to a hop count of 15. It has a maximum hop count. This means a network
  cannot be more than 15 hops from the source to the destination. Otherwise the
  destination is deemed as unreachable.
- Has a routing update timer so that, on a periodic basis (usually every
  30 seconds), it creates an update for each known route.
- Does not support VLSM.
Classful Routing
Routing protocols (i.e., RIPv1 and IGRP) where subnet masks (routing masks) are not
sent in the periodic routing updates. For example, we use the 172.16.0.0 class B network
address and subnet that network with 24 bits of subnetting. This means the third octet
is used for subnets and the fourth octet is the host addresses for each subnet. RIP is a
classful routing protocol, which means that you do not type in any subnet addresses,
only the class B address. When using a classful network protocol like RIP, make sure
that all networked devices have the same subnet mask.
6. From 2811 Router A, configure RIP routing and tell RIP the network you want to
advertise.
2811A#config t
2811A(config)#router rip
2811A(config-router)#network 172.16.0.0
2811A(config-router)#ctrl+z
Save Your File: Make sure you save the network layout file that you have been working on.
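The classful rule from the Classful Routing note, as an added example that is not part of the book: it derives the network statement RIP expects from a router's interface addresses and reports any major network whose subnets use more than one mask. The function names and the MIXED_MASKS input are assumptions made for the illustration.

```python
import ipaddress


def classful_network(address):
    """Return the classful (major) network that an IPv4 address belongs to."""
    first_octet = int(ipaddress.IPv4Address(address)) >> 24
    if first_octet < 128:        # Class A: first bit is 0
        prefix_len = 8
    elif first_octet < 192:      # Class B: first bits are 10
        prefix_len = 16
    elif first_octet < 224:      # Class C: first bits are 110
        prefix_len = 24
    else:
        raise ValueError(f"{address} is Class D/E and has no classful network")
    return ipaddress.ip_network(f"{address}/{prefix_len}", strict=False)


def rip_network_statements(interfaces):
    """Map interface addresses ('a.b.c.d/len') to RIP network statements.

    Returns (statements, mask_conflicts). mask_conflicts lists every major
    network whose subnets use more than one mask, which a classful protocol
    cannot describe because its updates carry no mask.
    """
    masks_by_major = {}
    for text in interfaces:
        iface = ipaddress.ip_interface(text)
        major = classful_network(str(iface.ip))
        masks_by_major.setdefault(major, set()).add(iface.network.prefixlen)
    statements = [f"network {major.network_address}" for major in masks_by_major]
    conflicts = {str(major): sorted(lengths)
                 for major, lengths in masks_by_major.items() if len(lengths) > 1}
    return statements, conflicts


# Interface addresses of 2811 Router A as configured in this lab.
LAB_2811A = ["172.16.10.1/24", "172.16.20.1/24", "172.16.30.1/24"]
# Constructed variant: a /30 on one serial link and a second major network.
MIXED_MASKS = ["172.16.10.1/24", "172.16.20.1/30", "10.1.1.1/24"]

if __name__ == "__main__":
    for name, addrs in (("lab", LAB_2811A), ("mixed", MIXED_MASKS)):
        statements, conflicts = rip_network_statements(addrs)
        print(name, statements, conflicts)
```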
Lab 1.2: Verifying RIP Routing
Configuring RIP is pretty easy, especially in small networks. It is important to be able to
verify RIP on Cisco routers. This lab will provide you with the commands to verify RIP.
Network Layout
Load the network layout you have been working with in Lab 1.1.
Lab Steps
1. From 2621 Router A, use the show ip route command to verify the routing table.
2621A#show ip route
172.16.0.0/24 is subnetted, 5 subnets
R 172.16.30.0 [120/1] via 172.16.20.1, 00:00:13, Serial0/0
C 172.16.40.0 is directly connected, FastEthernet0/0
C 172.16.20.0 is directly connected, Serial0/0
R 172.16.10.0 [120/1] via 172.16.20.1, 00:00:13, Serial0/0
R 172.16.50.0 [120/1] via 172.16.20.1, 00:00:13, Serial0/0
Notice the R, which means it is a RIP found route. The C is a directly connected network.
You should see two directly connected routes and three RIP routes.
2. From 2621 Router B, use the show ip route command to verify the routing table.
2621B#show ip route
172.16.0.0/24 is subnetted, 5 subnets
C 172.16.30.0 is directly connected, Serial0/0
R 172.16.40.0 [120/2] via 172.16.30.1, 00:00:21, Serial0/0
C 172.16.50.0 is directly connected, FastEthernet0/0
R 172.16.20.0 [120/1] via 172.16.30.1, 00:00:21, Serial0/0
R 172.16.10.0 [120/1] via 172.16.30.1, 00:00:21, Serial0/0
3. From the 2811 Router A, use the show ip route command to verify the routing table.
2811A#show ip route
172.16.0.0/24 is subnetted, 5 subnets
C 172.16.30.0 is directly connected, Serial0/0/1
R 172.16.40.0 [120/1] via 172.16.20.2, 00:00:27, Serial0/1/1
R 172.16.50.0 [120/1] via 172.16.30.2, 00:00:27, Serial0/0/1
C 172.16.20.0 is directly connected, Serial0/1/1
C 172.16.10.0 is directly connected, FastEthernet0/0
4. From 2621 Router B, use the debug ip rip command to see RIP updates being sent
and received on the router.
2621B#debug ip rip
RIP protocol debugging is on
2621B#
then after a few seconds ....
*Oct 13 17:19:25.906: RIP: received v1 update from 172.16.30.1 on Serial0/0
*Oct 13 17:19:25.906: 172.16.40.0 in 2 hops
*Oct 13 17:19:25.906: 172.16.20.0 in 2 hops
*Oct 13 17:19:25.906: RIP: received v1 update from 172.16.30.1 on Serial0/0
*Oct 13 17:19:25.906: 172.16.40.0 in 3 hops
*Oct 13 17:19:25.906: 172.16.20.0 in 3 hops
*Oct 13 17:19:25.906: RIP: received v1 update from 172.16.30.1 on Serial0/0
*Oct 13 17:19:25.906: 172.16.40.0 in 4 hops
*Oct 13 17:19:25.906: 172.16.20.0 in 4 hops
*Oct 13 17:19:25.906: RIP: received v1 update from 172.16.30.1 on Serial0/0
*Oct 13 17:19:25.906: 172.16.40.0 in 5 hops
[output cut]
5. To turn off debugging, use the no debug ip rip command, or the undebug all
command.
2621B#undebug all
6. To see detailed information about currently configured protocols on a router, use the
show ip protocols command.
2621B#show ip protocols
Routing Protocol is "rip"
Sending updates every 30 seconds, next due in 27 seconds
Invalid after 180 seconds, hold down 180, flushed after 240
Outgoing update filter list for all interfaces is not set
Incoming update filter list for all interfaces is not set
Redistributing: rip
Default version control: send version 1, receive any version
Interface Send Recv Triggered RIP Key-chain
Serial0/0 1 1 2
FastEthernet0/0 1 1 2
Automatic network summarization is in effect
Maximum path: 4
Routing for networks:
172.16.0.0
Routing information sources:
Gateway Distance Last Update
172.16.30.1 120 00:00:03
Distance: <default is 120>
2621B#
Notice the timers. RIP is sent out every 30 seconds by default. The administrative
distance for RIP is 120 by default.
7. Another really good command is the show protocols command, which shows you the
routed protocol configuration of each interface.
2621B#show protocols
Global values:
Internet protocol routing is enabled
Serial0/1 is administratively down, line protocol is down
Serial0/0 is up, line protocol is up
Internet address is 172.16.30.2/24
FastEthernet0/1 is administratively down, line protocol is down
FastEthernet0/0 is up, line protocol is up
Internet address is 172.16.50.1/24
Administrative Distance
Is a measure of the trustworthiness of the source of the routing information. It is reported
as a number between 0 and 255. The smaller the number, the more reliable the protocol.
If you have, for example, two protocols IGRP and RIP configured on a router, the IGRP
routes will be preferred over the RIP routes. This is because you have an administrative
distance of 120 for RIP and 100 for IGRP.
Source                                                            Default Distance Value
Connected interface                                               0
Static route                                                      1
Enhanced Interior Gateway Routing Protocol (EIGRP) summary route  5
External Border Gateway Protocol (BGP)                            20
Internal EIGRP                                                    90
IGRP                                                              100
OSPF                                                              110
Intermediate System-to-Intermediate System (IS-IS)                115
Routing Information Protocol (RIP)                                120
Exterior Gateway Protocol (EGP)                                   140
On Demand Routing (ODR)                                           160
External EIGRP                                                    170
Internal BGP                                                      200
Unknown                                                           255
8. From 2811 Router A, use the show protocols command.
2811A#show protocols
Global values:
Internet protocol routing is enabled
Serial0/0/0 is administratively down, line protocol is down
Serial0/0/1 is up, line protocol is up
Internet address is 172.16.30.1/24
Serial0/1/0 is administratively down, line protocol is down
Serial0/1/1 is up, line protocol is up
Internet address is 172.16.20.1/24
FastEthernet0/0 is up, line protocol is up
Internet address is 172.16.10.1/24
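The checks from this lab written as a script, as an added example that is not part of the book: it parses the 2621A show ip route output from step 1, confirms the expected two connected and three RIP routes, checks each RIP route's distance, hop count and next hop, and picks between sources by administrative distance using the table above. The function names and the regular expressions are assumptions made for the illustration.

```python
import ipaddress
import re

# Default administrative distances, copied from the table in this lab.
DEFAULT_AD = {
    "connected": 0, "static": 1, "eigrp-summary": 5, "ebgp": 20,
    "eigrp": 90, "igrp": 100, "ospf": 110, "is-is": 115, "rip": 120,
    "egp": 140, "odr": 160, "eigrp-external": 170, "ibgp": 200,
}
RIP_UNREACHABLE = 16  # RIP allows at most 15 hops

# 2621A routing table as printed in step 1 of this lab.
SHOW_IP_ROUTE_2621A = """\
172.16.0.0/24 is subnetted, 5 subnets
R 172.16.30.0 [120/1] via 172.16.20.1, 00:00:13, Serial0/0
C 172.16.40.0 is directly connected, FastEthernet0/0
C 172.16.20.0 is directly connected, Serial0/0
R 172.16.10.0 [120/1] via 172.16.20.1, 00:00:13, Serial0/0
R 172.16.50.0 [120/1] via 172.16.20.1, 00:00:13, Serial0/0
"""

HEADER_RE = re.compile(r"^\S+/(?P<len>\d+) is subnetted, (?P<count>\d+) subnets$")
LEARNED_RE = re.compile(
    r"^(?P<code>[A-Z])\s+(?P<net>[\d.]+) \[(?P<ad>\d+)/(?P<metric>\d+)\] "
    r"via (?P<via>[\d.]+), \S+, (?P<ifc>\S+)$")
CONNECTED_RE = re.compile(
    r"^(?P<code>C)\s+(?P<net>[\d.]+) is directly connected, (?P<ifc>\S+)$")


def parse_routes(text):
    """Return (declared_subnet_count, [route dict, ...]) from show ip route text."""
    declared, prefix_len, routes = None, None, []
    for line in text.splitlines():
        line = line.strip()
        header = HEADER_RE.match(line)
        if header:
            declared, prefix_len = int(header["count"]), int(header["len"])
            continue
        match = LEARNED_RE.match(line) or CONNECTED_RE.match(line)
        if not match or prefix_len is None:
            continue  # "[output cut]", blank lines, legend text
        d = match.groupdict()
        routes.append({
            "code": d["code"],
            "net": ipaddress.ip_network(f"{d['net']}/{prefix_len}"),
            "ad": int(d.get("ad") or 0),
            "metric": int(d.get("metric") or 0),
            "via": ipaddress.ip_address(d["via"]) if d.get("via") else None,
            "ifc": d["ifc"],
        })
    return declared, routes


def verify(text, expected_codes):
    """Return a list of findings; an empty list means the table looks right."""
    declared, routes = parse_routes(text)
    findings = []
    if declared != len(routes):
        findings.append(f"header declares {declared} subnets, parsed {len(routes)}")
    counts = {}
    for route in routes:
        counts[route["code"]] = counts.get(route["code"], 0) + 1
    if counts != expected_codes:
        findings.append(f"route codes {counts} differ from expected {expected_codes}")
    connected = [r["net"] for r in routes if r["code"] == "C"]
    for r in (r for r in routes if r["code"] == "R"):
        if r["ad"] != DEFAULT_AD["rip"]:
            findings.append(f"{r['net']}: RIP route with distance {r['ad']}")
        if not 1 <= r["metric"] < RIP_UNREACHABLE:
            findings.append(f"{r['net']}: hop count {r['metric']} is out of range")
        if not any(r["via"] in net for net in connected):
            findings.append(f"{r['net']}: next hop {r['via']} is not on a connected subnet")
    return findings


def preferred(candidates):
    """Pick the (source, metric) pair a router installs: lowest AD, then metric."""
    return min(candidates, key=lambda c: (DEFAULT_AD[c[0]], c[1]))


if __name__ == "__main__":
    print(verify(SHOW_IP_ROUTE_2621A, {"C": 2, "R": 3}))
    print(preferred([("rip", 1), ("igrp", 8000)]))
```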
Lab 1.3: Configuring IPv6 Static Routing
Internet Protocol Version 6 (IPv6) is the new addressing scheme that will eventually replace
all IPv4 addresses. The IPv4 address scheme is no longer adequate to meet the needs of the
growing Internet, and growing Intranets. IPv6 was also designed to improve routing performance
and address network scalability issues. IPv6 addresses are 128 bits in length.
Hexadecimal Groups
IPv6 addresses are divided into eight 16-bit hexadecimal groups. For example,
2001:0000:0000:0008:0000:0000:0000:0012 can be divided into ...
2001: 0000: 0000: 0008: 0000: 0000: 0000: 0012
1     2     3     4     5     6     7     8
The IPv6 address above can also be shortened to 2001:0:0:8:0:0:0:12 or
2001::8:0:0:0:12
Address Types
There are three IPv6 address types:
- Unicast
- Anycast
- Multicast
Unicast Types
There are four unicast address types:
- Link local
- Unique local
- Global
- Special
IPv6 Bits
The bits of an IPv6 address can be divided into ...
48 bits          16 bits   64 bits
2001:0000:0000:  0008:     0000:0000:0000:0012
Global Prefix    Subnet    Interface ID
This lab will have you create an IPv6 network. In this network you will use IPv6 to
create both default and static routing. The network used in this lab has IPv4 addresses
already configured on each router interface. Having both IPv4 and IPv6 addresses on an
interface is called dual stacking.
Network Layout
Load IPv6 Layout.rsm before going through the following lab.
1. On the Network Visualizer screen, click on the File menu and then click Open.
2. When the dialog box appears, make sure you are in the Networks folder.
3. Click on the file IPv6 Layout.rsm and click Open. You should see the following
non-configured network:
Lab Steps
1. Enable IPv6 routing and Cisco Express Forwarding (CEF) on each router.
2811A#config t
2811A(config)#ipv6 unicast-routing
2811A(config)#ipv6 cef
2811B#config t
2811B(config)#ipv6 unicast-routing
2811B(config)#ipv6 cef
2811C#config t
2811C(config)#ipv6 unicast-routing
2811C(config)#ipv6 cef
2. Configure IPv6 addresses on 2811 Router A.
2811A(config)#int fa0/0
2811A(config-if)#ipv6 address 2001::10:1/112
2811A(config-if)#int s0/0/0
2811A(config-if)#ipv6 address 2001::20:1/112
2811A(config-if)#int s0/1/0
2811A(config-if)#ipv6 address 2001::30:1/112
2811A(config-if)#exit
3. Configure IPv6 addresses on 2811 Router B.
2811B(config)#interface fastethernet 0/0
2811B(config-if)# ipv6 address 2001::40:1/112
2811B(config-if)#int s0/1/0
2811B(config-if)#ipv6 address 2001::30:2/112
2811B(config-if)#exit
4. Configure IPv6 addresses on 2811 Router C.
2811C(config)#int fa0/0
2811C(config-if)# ipv6 address 2001::50:1/112
2811C(config-if)#int s0/0/0
2811C(config-if)#ipv6 address 2001::20:2/112
2811C(config-if)#exit
5. Configure two IPv6 static routes on 2811 Router A.
2811A(config)#ipv6 route 2001::40:0/112 2001::30:2
2811A(config)#ipv6 route 2001::50:0/112 2001::20:2
2811A(config)#exit
2811A#copy run start
The static routes will allow 2811 Router A to communicate with the rest of the network.
6. Configure an IPv6 default route on 2811 Router B.
2811B(config)#ipv6 route ::/0 2001::30:1
2811B(config)#exit
2811B#copy run start
This default route will allow 2811 Router B to communicate with the rest of the
network. 2811 Router B will use 2811 Router A as a gateway of last resort.
7. Configure an IPv6 default route on 2811 Router C.
2811C(config)#ipv6 route ::/0 2001::20:1
2811C(config)#exit
2811C#copy run start
This default route will allow 2811 Router C to communicate with the rest of the
network. 2811 Router C will use 2811 Router A as a gateway of last resort.
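An added example, not part of the book, that serves both the Hexadecimal Groups and IPv6 Bits notes and the static routes of this lab: it expands shortened IPv6 addresses by hand, splits one into the 48/16/64-bit fields, and checks that every static or default route's next hop sits on a connected /112 subnet and is configured on a neighboring router. The function names are assumptions; the addresses and routes are the ones entered in the lab steps.

```python
import string


def expand(text):
    """Expand a shortened IPv6 address to eight 4-digit hexadecimal groups."""
    if text.count("::") > 1:
        raise ValueError("'::' may appear only once in an address")
    if "::" in text:
        head, tail = text.split("::")
        left = head.split(":") if head else []
        right = tail.split(":") if tail else []
        missing = 8 - len(left) - len(right)
        if missing < 1:
            raise ValueError("'::' must stand for at least one group")
        groups = left + ["0"] * missing + right
    else:
        groups = text.split(":")
    if len(groups) != 8:
        raise ValueError("an IPv6 address has eight groups")
    for group in groups:
        if not 1 <= len(group) <= 4 or any(c not in string.hexdigits for c in group):
            raise ValueError(f"bad group {group!r}")
    return [group.lower().zfill(4) for group in groups]


def to_int(text):
    """Return the address as a 128-bit integer."""
    return int("".join(expand(text)), 16)


def fields(text):
    """Split an address into the 48/16/64-bit fields shown in the IPv6 Bits note."""
    groups = expand(text)
    return {"global_prefix": ":".join(groups[:3]),
            "subnet": groups[3],
            "interface_id": ":".join(groups[4:])}


def in_prefix(address, prefix):
    """True if address shares the first len bits with prefix ('addr/len')."""
    base, length = prefix.split("/")
    shift = 128 - int(length)
    return to_int(address) >> shift == to_int(base) >> shift


# Lab 1.3 configuration as entered in the steps above.
INTERFACES = {
    "2811A": ["2001::10:1/112", "2001::20:1/112", "2001::30:1/112"],
    "2811B": ["2001::40:1/112", "2001::30:2/112"],
    "2811C": ["2001::50:1/112", "2001::20:2/112"],
}
STATIC_ROUTES = {
    "2811A": [("2001::40:0/112", "2001::30:2"), ("2001::50:0/112", "2001::20:2")],
    "2811B": [("::/0", "2001::30:1")],
    "2811C": [("::/0", "2001::20:1")],
}


def check_static_routes(interfaces, routes):
    """Return findings for next hops that are off-link or owned by no neighbor."""
    findings = []
    for router, entries in routes.items():
        for dest, hop in entries:
            if not any(in_prefix(hop, ifc) for ifc in interfaces[router]):
                findings.append(f"{router}: next hop {hop} for {dest} "
                                "is not on a connected subnet")
            owned = any(to_int(ifc.split("/")[0]) == to_int(hop)
                        for other, ifcs in interfaces.items() if other != router
                        for ifc in ifcs)
            if not owned:
                findings.append(f"{router}: next hop {hop} for {dest} "
                                "is not configured on any neighbor")
    return findings


if __name__ == "__main__":
    print(":".join(expand("2001::8:0:0:0:12")))
    print(fields("2001:0:0:8:0:0:0:12"))
    print(check_static_routes(INTERFACES, STATIC_ROUTES))
```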
Rename and Save Your File: Make sure you save the actual network layout file that you
have been working with. You might want to save it to another file name than IPv6 Layout.rsm.
This allows you to start over with a non-configured network if you wish.
1. There are two ways you can save a network layout. The first way is by clicking on the
Diskette button on the button bar, at the top of the Network Visualizer screen. You
can also click File on the menu and choose Save from the drop down menu.
2. A dialog box will appear. At the bottom you will see the file name IPv6 Layout.rsm.
Rename the file. For example, you could name it My IPv6 Layout.rsm.
3. Click the Save button. At this point your network layout has been saved to a new name.
You then have the option of reloading IPv6 Layout.rsm which is non-configured.
Lab 1.4: Verifying IPv6 Static Routing
Understanding how to configure routers is very important. But just as important as the
understanding of configuring routers is the process of verifying your configurations. This
lab will provide you with the commands to verify your IPv6 Static Routing configurations.
Network Layout
Load IPv6 Layout.rsm or whatever you named the file when you saved your work. You
need a configured network in order to complete this lab.
Lab Steps
1. On 2811 Router A, issue the show running-config command to verify the IPv6
configurations.
2811A#show run
[output cut]
!
interface FastEthernet0/0
ip address 172.16.10.1 255.255.255.0
no ip directed-broadcast
ipv6 address 2001::10:1/112
!
[output cut]
!
interface Serial0/0/0
ip address 172.16.20.1 255.255.255.0
no ip directed-broadcast
clockrate 2000000
ipv6 address 2001::20:1/112
!
[output cut]
!
interface Serial0/1/0
ip address 172.16.30.1 255.255.255.0
no ip directed-broadcast
clockrate 2000000
ipv6 address 2001::30:1/112
!
[output cut]
!
ipv6 route 2001::40:0/112 2001::30:2
ipv6 route 2001::50:0/112 2001::20:2
!
[output cut]
2811A#
As you can see, each interface has an IPv6 address. You can also see the IPv6 static
routes that are configured.
2. On 2811 Router A, issue the show ipv6 interface command to see which router
interfaces are configured for IPv6.
2811A#show ipv6 interface
FastEthernet0/0 is up, line protocol is up
IPv6 is enabled, link-local address is FE80::21A:2FFF:FE55:D408
Global unicast address(es):
2001::10:1, subnet is 2001::10:0/112
Joined group address(es):
FF02::1
FF02::2
FF02::1:FF10:1
FF02::1:FF55:D408
MTU is 1500 bytes
ICMP error messages limited to one every 100 milliseconds
ICMP redirects are enabled
[output cut]
Serial0/0/0 is up, line protocol is up
IPv6 is enabled, link-local address is FE80::21A:2FFF:FE55:D408
Description: conn-to-2811A
Global unicast address(es):
2001::20:1, subnet is 2001::30:0/112
Joined group address(es):
FF02::1
FF02::2
FF02::1:FF20:1
FF02::1:FF55:D408
MTU is 1500 bytes
ICMP error messages limited to one every 100 milliseconds
ICMP redirects are enabled
[output cut]
Serial0/1/0 is up, line protocol is up
IPv6 is enabled, link-local address is FE80::21A:2FFF:FE55:D408
Description: conn-to-2811C
Global unicast address(es):
2001::30:1, subnet is 2001::20:0/112
Joined group address(es):
FF02::1
FF02::2
FF02::1:FF30:1
FF02::1:FF55:D408
MTU is 1500 bytes
ICMP error messages limited to one every 100 milliseconds
ICMP redirects are enabled
[output cut]
2811A#
3. On 2811 Router A, issue the show ipv6 interface brief command to see a summary
of the router interfaces configured for IPv6.
2811A#show ipv6 interface brief
FastEthernet0/0 [up/up]
FE80::21A:2FFF:FE55:D408
2001::10:1
FastEthernet0/1 [administratively down/down]
Serial0/0/0 [up/up]
FE80::21A:2FFF:FE55:D408
2001::20:1
Serial0/0/1 [administratively down/down]
Serial0/1/0 [up/up]
FE80::21A:2FFF:FE55:D408
2001::30:1
Serial0/1/1 [administratively down/down]
2811A#
4. On 2811 Router A, issue the show ipv6 route command to see the IPv6 routing table.
2811A#show ipv6 route
IPv6 Routing Table - 10 entries
Codes: C - Connected, L - Local, S - Static, R - RIP, B - BGP
U - Per-user Static route
I1 - ISIS L1, I2 - ISIS L2, IA - ISIS interarea, IS - ISIS summary
O - OSPF intra, OI - OSPF inter, OE1 - OSPF ext 1, OE2 - OSPF ext 2
ON1 - OSPF NSSA ext 1, ON2 - OSPF NSSA ext 2
C 2001::10:0/112 [0/0]
via ::, FastEthernet0/0
L 2001::10:1/128 [0/0]
via ::, FastEthernet0/0
C 2001::20:0/112 [0/0]
via ::, Serial0/0/0
L 2001::20:1/128 [0/0]
via ::, Serial0/0/0
C 2001::30:0/112 [0/0]
via ::, Serial0/1/0
L 2001::30:1/128 [0/0]
via ::, Serial0/1/0
S 2001::40:0/112 [1/0]
via 2001::30:2
S 2001::50:0/112 [1/0]
via 2001::20:2
L FE80::/10 [0/0]
via ::, Null0
L FF00::/8 [0/0]
via ::, Null0
2811A#
5. From 2811 Router A, ping the IPv6 Fast Ethernet addresses of routers 2811 B and
2811 C. Pinging will verify that your default and static routing configurations are
correct.
2811A#ping ipv6 2001::40:1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2001::40:1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 0/0/0 ms
2811A#
2811A#ping ipv6 2001::50:1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2001::50:1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 0/0/4 ms
2811A#
Practice Scenario: Basic Cisco Router Operations
Troubleshooting IPv6 Static Routing
You have been asked to resolve the issue. This is stated below.
(Use Practice Scenario: Troubleshooting IPv6)
Now that you have learned about some concepts and completed some hands-on work, try your
problem-solving and troubleshooting skills with the following task. To complete your task you
will load a specific network layout which you will use in working through the scenario.
When you have finished with this lab ...
You can check your work by clicking the Grade Me button in the upper right-hand corner
of the Network Visualizer screen.
You will see a report that will display:
• The name of the command entered for this lab.
• The expected configuration.
• Your configuration.
• The result for each command. You will see a green check mark (meaning that you
  got it correct) or a red X.
• A score of the number of correct answers out of the total possible.
Turn On Hostnames
In some of the practice labs we refer to the hostname of a device. Therefore, we need to
make sure that Hostnames is turned on for this lab. On the Network Visualizer screen
click View and then click Hostnames so that it has a checkmark next to it.
Scenario
Your IPv6 network has been working fine up until today.
Task
You have been asked to resolve the issue.
Network Layout
On the Network Visualizer screen, click on the Labs menu then choose Practice Scenarios,
Basic Cisco Router Operations, and Troubleshooting IPv6 Static Routing.
Lab 1.5: Configuring RIP IPv6 Routing (RIPng)
In this lab you will create an IPv6 RIPng network. The network used in this lab has IPv4
addresses already configured on each router interface. This will demonstrate dual stacking.
You will also be given the commands to verify your RIPng routing configurations.
Network Layout
Load IPv6 Layout.rsm or whatever you named the file when you saved your work in
Lab 1.3.
Lab Steps
1. You need to remove the IPv6 routing configured in the previous lab. Perform this for
each of the three routers.
2811A#config t
2811A(config)#no ipv6 route 2001::40:0/112 2001::30:2
2811A(config)#no ipv6 route 2001::50:0/112 2001::20:2
2811B#config t
2811B(config)#no ipv6 route ::/0 2001::30:1
2811C#config t
2811C(config)#no ipv6 route ::/0 2001::20:1
2. On the 2811 Router A, enable the IPv6 RIPng routing process from global and interface
configuration mode.
2811A(config)#ipv6 router rip myripngprocess
2811A(config-rtr)#exit
2811A(config)#int fa0/0
2811A(config-if)#ipv6 rip myripngprocess enable
2811A(config-if)#int s0/0/0
2811A(config-if)#ipv6 rip myripngprocess enable
2811A(config-if)#int s0/1/0
2811A(config-if)#ipv6 rip myripngprocess enable
2811A(config-if)#ctrl+z
2811A#copy run start
Remember that the ipv6 unicast-routing command must be configured on the router
before the RIPng routing process can be enabled. The previous labs had you configure
the command on all routers so we will not do it here.
3. On the 2811 Router B, enable the IPv6 RIPng routing process from global configuration
mode.
2811B(config)#ipv6 router rip myripngprocess
2811B(config-rtr)#exit
2811B(config)#int fa0/0
2811B(config-if)#ipv6 rip myripngprocess enable
2811B(config-if)#int s0/1/0
2811B(config-if)#ipv6 rip myripngprocess enable
2811B(config-if)#ctrl+z
2811B#copy run start
4. On the 2811 Router C, enable the IPv6 RIPng routing process from global configuration
mode.
2811C(config)#ipv6 router rip myripngprocess
2811C(config-rtr)#exit
2811C(config)#int fa0/0
2811C(config-if)#ipv6 rip myripngprocess enable
2811C(config-if)#int s0/0/0
2811C(config-if)#ipv6 rip myripngprocess enable
2811C(config-if)#ctrl+z
2811C#copy run start
Lab 1.6: Verifying RIP IPv6 Routing (RIPng)
Understanding how to configure routers is very important. But just as important as the
understanding of configuring routers is the process of verifying your configurations. This
lab will provide you with the commands to verify your RIPng routing configurations.
Network Layout
Load IPv6 Layout.rsm or whatever you named the file when you saved your work in
Lab 1.5.
Lab Steps
1. On the 2811 Router A, issue the show running-configuration command to verify the
IPv6 configurations.
2811A# show run
[output cut]
!
ipv6 unicast-routing
ipv6 cef
!
[output cut]
!
interface FastEthernet0/0
ip address 172.16.10.1 255.255.255.0
no ip directed broadcast
ipv6 address 2001::10:1/112
ipv6 rip myripngprocess enable
!
[output cut]
!
interface Serial0/0/0
ip address 172.16.20.1 255.255.255.0
no ip directed broadcast
ipv6 address 2001::20:1/112
clock rate 8000000
ipv6 rip myripngprocess enable
!
interface Serial0/1/0
ip address 172.16.30.1 255.255.255.0
no ip directed broadcast
ipv6 address 2001::30:1/112
ipv6 rip myripngprocess enable
clock rate 8000000
no cdp enable
!
[output cut]
!
ipv6 router rip myripngprocess
[output cut]
2811A#
As you can see, RIPng is configured on each interface. You can also see the IPv6 RIP
(RIPng) routing process.
2. On 2811 Router A, issue the show ipv6 route command to see the IPv6 routing table.
2811A#show ipv6 route
IPv6 Routing Table - 10 entries
Codes: C - Connected, L - Local, S - Static, R - RIP, B - BGP
U - Per-user Static route
I1 - ISIS L1, I2 - ISIS L2, IA - ISIS interarea, IS - ISIS summary
O - OSPF intra, OI - OSPF inter, OE1 - OSPF ext 1, OE2 - OSPF ext 2
ON1 - OSPF NSSA ext 1, ON2 - OSPF NSSA ext 2
C 2001::10:0/112 [0/0]
via ::, FastEthernet0/0
L 2001::10:1/128 [0/0]
via ::, FastEthernet0/0
C 2001::20:0/112 [0/0]
via ::, Serial0/0/0
L 2001::20:1/128 [0/0]
via ::, Serial0/0/0
C 2001::30:0/112 [0/0]
via ::, Serial0/1/0
L 2001::30:1/128 [0/0]
via ::, Serial0/1/0
R 2001::40:0/112 [120/2]
via FE80::215:FAFF:FED7:EDA0, Serial0/1/0
R 2001::50:0/112 [120/2]
via FE80::21A:2FFF:FE52:4808, Serial0/0/0
L FE80::/10 [0/0]
via ::, Null0
L FF00::/8 [0/0]
via ::, Null0
2811A#
3. On 2811 Router A, issue the show ipv6 protocols command to see the IPv6 protocols
that are running on the router.
2811A#show ipv6 protocols
IPv6 Routing Protocol is "connected"
IPv6 Routing Protocol is "static"
IPv6 Routing Protocol is "rip myripngprocess"
Interfaces:
Serial0/0/1
Serial0/0/0
FastEthernet0/0
Redistribution:
None
2811A_aka_2811B#
4. From 2811 Router A, ping the IPv6 Fast Ethernet addresses of Routers 2811 B and
2811 C. Pinging will verify that your RIPng configurations are correct.
2811A#ping ipv6 2001::40:1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2001::40:1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 0/0/0 ms
2811A#ping ipv6 2001::50:1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2001::50:1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 0/0/0 ms
2621B_aka_2811A#
Cisco Wide Area Networks (WAN)
Lab 2: Introduction to Cisco Wide Area Network Support
The Cisco IOS WAN can support many different WAN protocols that can help you extend
your LANs to other LANs at remote sites. Connecting company sites together so information
can be exchanged is imperative in this economy. However, it would take a truckload of
money to put in your own cable or dedicated connections to network all of your company's
remote locations. Service providers allow you to lease or share connections that the service
provider already has installed, which can save money and time.
Although this section does not cover every type of Cisco WAN support, it does cover
HDLC, PPP, and Frame Relay.
The labs covered in this section are as follows:
• 2.1: Configuring PPP Encapsulation
• 2.2: Verifying PPP Encapsulation
• 2.3: Configuring PPP Authentication with CHAP
• 2.4: Verifying PPP with Authentication
• 2.5: Understanding Frame Relay Configuration
• 2.6: Configuring Frame Relay Switching
• 2.7: Configuring Frame Relay with Subinterfaces
• 2.8: Verifying Frame Relay
The commands covered in this section are as follows:
Command                             Meaning
encapsulation frame-relay           Changes the encapsulation to frame-relay on a serial link.
encapsulation frame-relay ietf      Sets the encapsulation type to the Internet Engineering Task Force (IETF). Used to connect Cisco routers to off-brand routers.
encapsulation hdlc                  Restores the default encapsulation of HDLC on a serial link.
encapsulation ppp                   Changes the encapsulation on a serial link to PPP.
frame-relay interface-dlci          Configures the PVC address on a serial interface or subinterface.
frame-relay lmi-type                Configures the LMI type on a serial link.
interface s0.16 point-to-point      Creates a point-to-point subinterface on a serial link that can be used with frame-relay.
ppp authentication chap             Tells PPP to use CHAP authentication.
show frame-relay lmi                Sets the LMI type on a serial interface.
show frame-relay map                Shows the static and dynamic Network layer to PVC mappings.
show frame-relay pvc                Shows the configured PVCs and DLCI numbers configured on a router.
username name password password     Creates usernames and passwords used for authentication on a Cisco router.
Lab 2.1: Configuring PPP Encapsulation
The High-Level Data-Link Control protocol (HDLC) is a point-to-point protocol used on
leased lines. HDLC supports no authentication and is the default encapsulation
used by Cisco routers over synchronous serial links. Cisco's HDLC is proprietary; it won't
communicate with any other vendor's HDLC implementation. If you want to either offer
authentication on a serial link or connect from a Cisco router to another vendor's router,
then you need to configure PPP on the serial interfaces.
PPP (Point-to-Point Protocol) is a data-link protocol that can be used over asynchronous
serial (dial-up) media and uses the LCP (Link Control Protocol) to build and maintain
data-link connections. The basic purpose of PPP is to transport layer-3 packets across a
data link layer point-to-point link.
This lab will have you configure PPP on all four serial networks, and replace HDLC as
the encapsulation method on our serial links.
Network Layout
Load Standard Layout.rsm or whatever you named the file when you saved your work
in earlier labs.
Lab Steps
1. Connect to 2811 Router B and change the encapsulation on the serial links from
HDLC to PPP.
2811A>enable
2811A#config t
2811A(config)#interface serial 0/0/1
2811A(config-if)#encapsulation ppp
2811A(config-if)#interface serial 0/1/1
2811A(config-if)#encapsulation ppp
2811A(config-if)#ctrl+z
2811A#
2. Connect to 2621 Router B and change the encapsulation on the serial links from
HDLC to PPP.
2621B>enable
2621B#config t
2621B(config)#interface serial 0/0
2621B(config-if)#encapsulation ppp
2621B(config-if)#ctrl+z
2621B#
3. Connect to 2621 Router A and change the encapsulation on the serial link from HDLC
to PPP.
2621A>enable
2621A#config t
2621A(config)#interface serial 0/0
2621A(config-if)#encapsulation ppp
2621A(config-if)#ctrl+z
2621A#
That is all there is to it. This part is easy.
Save Your File: Make sure you save the network layout file that you have been working on.
Lab 2.2: Verifying PPP Encapsulation
Once you have replaced HDLC as the serial encapsulation method, then you need to verify
your network is still working properly.
The first command to use is the show ip route command to make sure all your IP
routes are still present.
Network Layout
Work with the saved network that you used to configure devices in Lab 2.1.
Lab Steps
1. From 2621 Router A, use the show ip route command to verify the network is still
running.
2621A#show ip route
[output cut]
172.16.0.0/16 is variably subnetted, 6 subnets, 2 masks
O 172.16.30.0/24 [110/74] via 172.16.20.1, 22:22:18, Serial0/0
C 172.16.20.1/32 is directly connected, Serial0/0
C 172.16.40.0/24 is directly connected, FastEthernet0/0
O 172.16.50.0/24 [110/74] via 172.16.20.1, 22:22:18, Serial0/0
C 172.16.20.0/24 is directly connected, Serial0/0
O 172.16.10.0/24 [110/74] via 172.16.20.1, 22:22:18, Serial0/0
2621A#
2. From 2621 Router B, use the show ip route command to verify the network is still
running.
2621B#show ip route
[output cut]
172.16.0.0/16 is variably subnetted, 6 subnets, 2 masks
C 172.16.30.1/32 is directly connected, Serial0/0
C 172.16.30.0/24 is directly connected, Serial0/0
O 172.16.40.0/24 [110/74] via 172.16.30.1, 22:22:18, Serial0/0
C 172.16.50.0/24 is directly connected, FastEthernet0/0
O 172.16.20.0/24 [110/74] via 172.16.30.1, 22:22:18, Serial0/0
O 172.16.10.0/24 [110/74] via 172.16.30.1, 22:22:18, Serial0/0
2621B#
3. From 2811 Router A, use the show ip route command to verify the network is still
running.
2811A#show ip route
[output cut]
172.16.0.0/16 is variably subnetted, 7 subnets, 2 masks
C 172.16.30.2/32 is directly connected, Serial0/0/1
C 172.16.30.0/24 is directly connected, Serial0/0/1
O 172.16.40.0/24 [110/74] via 172.16.20.2, 22:22:18, Serial0/1/1
C 172.16.20.2/32 is directly connected, Serial0/1/1
O 172.16.50.0/24 [110/74] via 172.16.30.2, 22:22:18, Serial0/0/1
C 172.16.20.0/24 is directly connected, Serial0/1/1
C 172.16.10.0/24 is directly connected, FastEthernet0/0
2811A#
4. From 2811 Router A, use the show interface command to see the serial link
encapsulation.
2811A#show interface s0/0/1
Serial0/0/1 is up, line protocol is up
Hardware is GT96K Serial
Description: connection to 2621B
Internet address is 172.16.30.1/24
MTU 1500 bytes, BW 1544 Kbit, DLY 20000 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation PPP, loopback not set
[output cut]
2811A#show interface s0/1/1
Serial0/1/1 is up, line protocol is up
Hardware is GT96K Serial
Description: connection to 2621A
Internet address is 172.16.20.1/24
MTU 1500 bytes, BW 1544 Kbit, DLY 20000 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation PPP, loopback not set
Lab 2.3: Configuring PPP Authentication with CHAP
Now that the network should be up and working with PPP, you can use PPP authentication
to stop unwanted users from connecting to your network. Although this is typically used
with dial-up, it can still be used with serial interfaces.
This lab will have you configure PPP authentication on all routers' serial interfaces using
the CHAP protocol.
Challenge Handshake Authentication Protocol (CHAP) is used at the initial startup of a link
and at periodic checkups on the link to make sure the router is still communicating with the
same host. After PPP finishes its initial phase, the local router sends a challenge request to the
remote device. The remote device sends a value calculated using a one-way hash function
called MD5. The local router checks this hash value to make sure it matches. If the values
don't match, the link is immediately terminated.
To configure PPP authentication, first set the hostname of the router if it is not already
set (this is not an option!). Then set the username and password for the remote router
connecting to your router. For example, if you are connected to 2621 Router A and want to
configure authentication, you would set the hostname and then create a username that is
the hostname of the router you are going to connect to, in this example, 2811 Router A.
This is shown below:
Router#config t
Enter configuration commands, one per line. End with CTRL/Z.
Router(config)#hostname 2621A
2621A(config)#username 2811A password cisco
When using the hostname command, remember that the username is the hostname of
the remote router connecting to your router. It is case-sensitive. Also, the password on
both routers must be the same. It is a plain-text password and can be seen with a show run
command.
You must have a username and password configured for each remote system you are
going to connect to. The remote routers must also be configured with usernames and
passwords.
After you set the hostname, usernames, and passwords, choose the authentication as
shown in the following example:
2621A#config t
Enter configuration commands, one per line. End with CTRL/Z.
2621A(config)#int s0/0
2621A(config-if)#ppp authentication chap
2621A(config-if)#ctrl+z
2621A#
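The CHAP exchange and the username/password rules described above, as an added example that is not from the book. It uses the MD5 computation defined for CHAP in RFC 1994 (MD5 over the identifier, the shared secret and the challenge); the Router class and its method names are hypothetical, and only the authentication step is modelled, not LCP or PPP framing.

```python
import hashlib
import hmac
import os


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """CHAP with MD5 (RFC 1994): MD5(identifier || secret || challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class Router:
    """Hypothetical model of one PPP endpoint; not IOS code."""

    def __init__(self, hostname, users):
        self.hostname = hostname
        # Mirrors 'username <remote-hostname> password <secret>' lines.
        # Dict lookup is exact, so names are case-sensitive as on the router.
        self.users = dict(users)
        self._next_id = 0
        self._pending = {}  # identifier -> outstanding challenge value

    def challenge(self):
        """Authenticator side: issue a fresh random challenge."""
        self._next_id = (self._next_id + 1) % 256
        value = os.urandom(16)
        self._pending[self._next_id] = value
        return self._next_id, value, self.hostname

    def respond(self, identifier, value, challenger_name):
        """Peer side: hash with the secret stored for the challenger's name.

        Only the digest crosses the link; the password itself is never sent.
        """
        secret = self.users.get(challenger_name)
        if secret is None:
            return None  # no username entry for that hostname
        digest = chap_response(identifier, secret.encode(), value)
        return identifier, digest, self.hostname

    def verify(self, identifier, digest, peer_name):
        """Authenticator side: recompute and compare; a challenge is single use."""
        value = self._pending.pop(identifier, None)
        secret = self.users.get(peer_name)
        if value is None or secret is None:
            return False
        expected = chap_response(identifier, secret.encode(), value)
        return hmac.compare_digest(expected, digest)


def authenticate(authenticator, peer):
    """One CHAP round: True if the link stays up, False if it is terminated."""
    ident, value, name = authenticator.challenge()
    reply = peer.respond(ident, value, name)
    return reply is not None and authenticator.verify(*reply)


def demo():
    """Run the lab's hostnames and password through four cases."""
    r2621a = Router("2621A", {"2811A": "cisco"})
    r2811a = Router("2811A", {"2621A": "cisco", "2621B": "cisco"})
    results = {
        "matching config": authenticate(r2621a, r2811a)
        and authenticate(r2811a, r2621a),
        "password mismatch": authenticate(
            r2621a, Router("2811A", {"2621A": "Cisco"})),
        "username wrong case": authenticate(
            Router("2621A", {"2811a": "cisco"}), r2811a),
    }
    # A response captured for one challenge does not satisfy a later one.
    ident, value, name = r2621a.challenge()
    old = r2811a.respond(ident, value, name)
    r2621a.verify(*old)
    new_ident, _, _ = r2621a.challenge()
    results["replayed response"] = r2621a.verify(new_ident, old[1], old[2])
    return results


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case:22} {'authenticated' if ok else 'link terminated'}")
```

Both routers must hold the same secret in clear form to compute the hash, which is why the password appears in the configuration as plain text.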
Network Layout
Work with the saved network that you used to configure devices in Lab 2.2.
Lab Steps
1. Open a console to 2621 Router A and create a username of 2811A with a password
of cisco. Then configure the serial interface 0/0 to use ppp authentication of chap.
2621A#config t
2621A(config)#username 2811A password cisco
2621A(config)#int s0/0
2621A(config-if)#ppp authentication chap
2621A(config-if)#ctrl+z
2621A#
2. Open a console to 2621 Router B and create a username of 2811A with a password
of cisco. Then configure the serial interface 0/0 to use ppp authentication of chap.
2621B#config t
2621B(config)#username 2811A password cisco
2621B(config)#int s0/0
2621B(config-if)#ppp authentication chap
2621B(config-if)#ctrl+z
2621B#
3. Open a console to 2811 Router A and create usernames of 2621A and 2621B, each
with a password of cisco. Then configure the serial interfaces 0/0/1 and 0/1/1 to
use ppp authentication of chap.
2811A#config t
2811A(config)#username 2621A password cisco
2811A(config)#username 2621B password cisco
2811A(config)#int s0/0/1
2811A(config-if)#ppp authentication chap
2811A(config-if)#int s0/1/1
2811A(config-if)#ppp authentication chap
2811A(config-if)#ctrl+z
Save Your File: Make sure you save the network layout file that you have been working on.
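A check over a saved running configuration for the settings this lab depends on, as an added example that is not from the book. The sample configuration is constructed, the finding names are hypothetical, and the parser assumes interface sub-commands are indented and that a clear-text entry is written either as `password <secret>` or as `password 0 <secret>`.

```python
import re

# Constructed sample in the style of the lab's 2811 Router A. Serial0/1/1 has
# deliberately been left without CHAP so the check has something to report.
SAMPLE_CONFIG = """\
hostname 2811A
!
username 2621A password 0 cisco
username 2621B password 0 cisco
!
interface FastEthernet0/0
 ip address 172.16.10.1 255.255.255.0
!
interface Serial0/0/1
 ip address 172.16.30.1 255.255.255.0
 encapsulation ppp
 ppp authentication chap
!
interface Serial0/1/1
 ip address 172.16.20.1 255.255.255.0
 encapsulation ppp
!
"""

# username <name> password [<type digit>] <secret>
USERNAME_RE = re.compile(r"^username\s+(\S+)\s+password\s+(?:(\d)\s+)?(\S+)\s*$")


def parse_config(text):
    """Return (hostname, [(username, password_type)], {interface: [commands]})."""
    hostname, users, interfaces, current = None, [], {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            current = None  # a separator ends the interface block
            continue
        if raw[0].isspace() and current is not None:
            interfaces[current].append(line)  # indented: interface sub-command
            continue
        current = None
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line.startswith("hostname "):
            hostname = line.split(None, 1)[1]
        else:
            match = USERNAME_RE.match(line)
            if match:
                users.append((match.group(1), match.group(2)))
    return hostname, users, interfaces


def uses_chap(commands):
    return any(c.startswith("ppp authentication") and "chap" in c.split()
               for c in commands)


def audit(text):
    """Return a list of (finding, subject) tuples for the configuration."""
    hostname, users, interfaces = parse_config(text)
    findings = []
    for name, pw_type in users:
        if pw_type in (None, "0"):
            # Readable by anyone who can run 'show run' or read a backup.
            findings.append(("cleartext-password", name))
        if name == hostname:
            # The username must be the remote router's hostname, not our own.
            findings.append(("username-is-local-hostname", name))
    for ifname, commands in interfaces.items():
        if "encapsulation ppp" in commands and not uses_chap(commands):
            findings.append(("ppp-without-chap", ifname))
    if not users and any(uses_chap(c) for c in interfaces.values()):
        findings.append(("chap-without-username-entries", hostname))
    return findings


if __name__ == "__main__":
    for finding, subject in audit(SAMPLE_CONFIG):
        print(f"{finding:32} {subject}")
```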
Lab 2.4: Verifying PPP with Authentication
Once you have configured PPP with authentication as the serial encapsulation method, then
you need to verify your network is still working properly.
The first command to use is the show ip route command to make sure all your IP routes
are still present. The next command to use is the show interface command.
Network Layout
Work with the saved network that you used to configure devices in Lab 2.3.
Lab Steps
1. From 2621 Router A, use the show ip route command to verify the network is still
running.
2621A#show ip route
[output cut]
172.16.0.0/16 is variably subnetted, 6 subnets, 2 masks
O 172.16.30.0/24 [110/74] via 172.16.20.1, 22:22:18, Serial0/0
C 172.16.20.1/32 is directly connected, Serial0/0
C 172.16.40.0/24 is directly connected, FastEthernet0/0
O 172.16.50.0/24 [110/74] via 172.16.20.1, 22:22:18, Serial0/0
C 172.16.20.0/24 is directly connected, Serial0/0
O 172.16.10.0/24 [110/74] via 172.16.20.1, 22:22:18, Serial0/0
2621A#
2. From 2621 Router B, use the show ip route command to verify the network is still
running.
2621B#show ip route
[output cut]
172.16.0.0/16 is variably subnetted, 6 subnets, 2 masks
C 172.16.30.1/32 is directly connected, Serial0/0
C 172.16.30.0/24 is directly connected, Serial0/0
O 172.16.40.0/24 [110/74] via 172.16.30.1, 22:22:18, Serial0/0
C 172.16.50.0/24 is directly connected, FastEthernet0/0
O 172.16.20.0/24 [110/74] via 172.16.30.1, 22:22:18, Serial0/0
O 172.16.10.0/24 [110/74] via 172.16.30.1, 22:22:18, Serial0/0
2621B#
3. From 2811 Router A, use the show ip route command to verify the network is still
running.
2811A#show ip route
[output cut]
172.16.0.0/16 is variably subnetted, 7 subnets, 2 masks
C 172.16.30.2/32 is directly connected, Serial0/0/1
C 172.16.30.0/24 is directly connected, Serial0/0/1
O 172.16.40.0/24 [110/74] via 172.16.20.2, 22:22:18, Serial0/1/1
C 172.16.20.2/32 is directly connected, Serial0/1/1
O 172.16.50.0/24 [110/74] via 172.16.30.2, 22:22:18, Serial0/0/1
C 172.16.20.0/24 is directly connected, Serial0/1/1
C 172.16.10.0/24 is directly connected, FastEthernet0/0
2811A#
4. From 2811 Router A, use the show interface command to see the serial link
encapsulation.
2811A#show int s0/0/1
Serial0/0/1 is up, line protocol is up
Hardware is GT96K Serial
Description: connection to 2621B
Internet address is 172.16.30.1/24
MTU 1500 bytes, BW 1544 Kbit, DLY 20000 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation PPP, loopback not set
Keepalive set (10)
Last input 00:00:02, output 00:00:06, output hang never
Last clearing of "show interface" counters 02:41:59
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: weighted fair
Output queue: 0/1000/64/0 (size/max total/threshold/drops)
Conversations 0/1/256 (active/max active/max total)
Reserved Conversations 0/0 (allocated/max allocated)
Available Bandwidth 1158 kilobits/sec
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
1645 packets input, 100265 bytes, 0 no buffer
Received 1139 broadcasts, 0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
1662 packets output, 105842 bytes, 0 underruns
0 output errors, 0 collisions, 3 interface resets
0 output buffer failures, 0 output buffers swapped out
2 carrier transitions
DCD=up DSR=up DTR=up RTS=up CTS=up
2811A#
2811A#show int s0/1/1
Serial0/1/1 is up, line protocol is up
Hardware is GT96K Serial
Description: connection to 2621A
Internet address is 172.16.20.1/24
MTU 1500 bytes, BW 1544 Kbit, DLY 20000 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation PPP, loopback not set
Keepalive set (10)
Last input 00:00:02, output 00:00:06, output hang never
Last clearing of "show interface" counters 02:41:59
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: weighted fair
Output queue: 0/1000/64/0 (size/max total/threshold/drops)
Conversations 0/1/256 (active/max active/max total)
Reserved Conversations 0/0 (allocated/max allocated)
Available Bandwidth 1158 kilobits/sec
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
1645 packets input, 100265 bytes, 0 no buffer
Received 1139 broadcasts, 0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
1662 packets output, 105842 bytes, 0 underruns
0 output errors, 0 collisions, 3 interface resets
0 output buffer failures, 0 output buffers swapped out
2 carrier transitions
DCD=up DSR=up DTR=up RTS=up CTS=up
Lab 2.5: Understanding Frame Relay Configuration
Frame Relay provides a communications interface between DTE (data terminal equipment)
and DCE (data circuit-terminating equipment, such as packet switches) devices. DTE consists
of terminals, PCs, routers, and bridges: customer-owned end-node and internetworking
devices. DCE consists of carrier-owned internetworking devices.
Frame Relay sends packets at the data link layer (layer 2) of the OSI model rather than at
the network layer (layer 3). A frame can incorporate packets from different protocols.
Frame Relay Uses Virtual Circuits
Frame Relay provides connection-oriented, Data Link layer communication via virtual
circuits. These virtual circuits are logical connections created between two DTEs across a
packet-switched network, and each is identified by a DLCI, or Data Link Connection Identifier.
Also, Frame Relay uses both PVCs (Permanent Virtual Circuits) and SVCs (Switched
Virtual Circuits, which are a form of dial-up), although most Frame Relay networks use only
PVCs. This virtual circuit provides the complete path to the destination network prior to
the sending of the first frame.
Configuring Frame Relay Encapsulation
When configuring Frame Relay on Cisco routers, you need to specify it as an encapsulation
on serial interfaces. There are only two encapsulation types: Cisco and IETF (Internet
Engineering Task Force). The following router output shows the two different encapsulation
methods when choosing Frame Relay on your Cisco router:
2621A#config t
2621A(config)#interface s0/0
2621A(config-if)#encapsulation frame-relay ?
ietf Use RFC1490 encapsulation
<cr>
The default encapsulation is Cisco unless you manually type in IETF, and Cisco is the
type used when connecting two Cisco devices. You'd opt for the IETF-type encapsulation
if you needed to connect a Cisco device to a non-Cisco device with Frame Relay.
Frame Relay DLCI
Frame Relay virtual circuits (PVCs) are identified by Data Link Connection Identifiers
(DLCIs). A Frame Relay service provider, such as the telephone company, typically assigns
DLCI values, which are used by Frame Relay to distinguish between different virtual circuits
on the network. Because many virtual circuits can be terminated on one multipoint Frame
Relay interface, many DLCIs are often affiliated with it.
For the IP devices at each end of a virtual circuit to communicate, their IP addresses
need to be mapped to DLCIs. This mapping can function as a multipoint device, one that
can identify to the Frame Relay network the appropriate destination virtual circuit for each
packet that is sent over the single physical interface. The mappings can be done dynamically
through IARP (Inverse ARP) or manually through the frame relay map command.
DLCI numbers, used to identify a PVC, are typically assigned by the provider and start
at 16. Configuring a DLCI number to be applied to an interface is shown below:
2621A(config-if)#frame-relay interface-dlci ?
<16-1007> Define a DLCI as part of the current subinterface
2621A(config-if)#frame-relay interface-dlci 16
Frame Relay LMI
The Local Management Interface (LMI) was developed in 1990 by Cisco Systems,
StrataCom, Northern Telecom, and Digital Equipment Corporation and became known
as the Gang-of-Four LMI or Cisco LMI. This gang took the basic Frame Relay protocol
from the CCITT and added extensions onto the protocol features that allow internetworking
devices to communicate easily with a Frame Relay network.
The LMI is a signaling standard between a CPE device (router) and a frame switch. The
LMI is responsible for managing and maintaining status between these devices.
If you're not going to use the auto-sense feature of LMI, you'll need to check with your
Frame Relay provider to find out which type to use instead. The default type is Cisco, but
you may need to change to ANSI or Q.933A. The three different LMI types are depicted in
the router output below.
2621A(config-if)#frame-relay lmi-type ?
cisco
ansi
q933a
2621A(config-if)#frame-relay lmi-type ansi
You can have multiple virtual circuits on a single serial interface and yet treat each as a
separate interface. These are known as subinterfaces. Think of a subinterface as a hardware
interface defined by the IOS software. An advantage gained through using subinterfaces is
the ability to assign different Network layer characteristics to each subinterface and virtual
circuit, such as IP routing on one virtual circuit and IPX on another.
Subinterfaces with Frame Relay
You define subinterfaces with the int s0.subinterface number command as shown
below. You first set the encapsulation on the serial interface, and then you can define the
subinterfaces.
2621A(config-int)#encapsulation frame-relay
2621A(config-int)#exit
2621A(config)#int s0/0.?
<0-4294967295> Serial interface number
2621A(config)#int s0/0.16 ?
multipoint Treat as a multipoint link
point-to-point Treat as a point-to-point link
2621A(config)#int s0/0.16 point-to-point
2621A(config-subif)#
You can define an almost limitless number of subinterfaces on a given physical interface
(keeping router memory in mind). In the above example, we chose to use subinterface 16
because that represents the DLCI number assigned to that interface. However, you can
choose any number between 0 and 4,294,967,295.
Lab 2.6: Configuring Frame Relay Switching
Now that you should have a background on how to configure basic Frame Relay on a Cisco
router, this lab will have you configure 2811 Router A as a Frame Relay switch. Then you
will configure routers 2811 B and 2811 C as remote Frame Relay connections.
To perform this lab, you need to delete the configurations on 2811 Router A first since
the Frame Relay switching configuration is completely different than what we have now.
Network Layout
Work with the saved network that you used to configure devices in Lab 2.4.
Lab Steps
1. From 2811 Router A, type erase start then reload.
2811A#erase start
Erasing the nvram filesystem will remove all configuration files!
Continue? [confirm] [press Enter]
[OK]
Erase of nvram: complete
*Oct 27 19:30:52.640: %SYS-7-NV_BLOCK_INIT: Initialized the geometry of
nvram
2811A#
2811A#reload
System configuration has been modified. Save? [yes/no]: n
Proceed with reload? [confirm] (press enter)
*Nov 15 16:11:07.406: %SYS-5-RELOAD: Reload requested by console. Reload
Reason:
Reload Command.
System Bootstrap, Version 12.4(1r) [hqluong 1r], RELEASE SOFTWARE (fc1)
Copyright (c) 2005 by cisco Systems, Inc.
Initializing memory for ECC
c2811 processor with 262144 Kbytes of main memory
Main memory is configured to 64 bit mode with ECC enabled
Readonly ROMMON initialized
program load complete, entry point: 0x8000f000, size: 0xc940
program load complete, entry point: 0x8000f000, size: 0xc940
program load complete, entry point: 0x8000f000, size: 0x228d9f8
Self decompressing the image : #############################################
####
#########################################################################
[OK]
Smart Init is enabled
smart init is sizing iomem
ID MEMORY_REQ TYPE
0003E7 0X003DA000 C2811 Mainboard
0X00263F50 Onboard VPN
0X000021B8 Onboard USB
0X002C29F0 public buffer pools
0X00211000 public particle pools
TOTAL: 0X00B13AF8
If any of the above Memory Requirements are
"UNKNOWN", you may be using an unsupported
configuration or there is a software problem and
system operation may be compromised.
Rounded IOMEM up to: 12Mb.
Using 4 percent iomem. [12Mb/256Mb]
Restricted Rights Legend
Use, duplication, or disclosure by the Government is
subject to restrictions as set forth in subparagraph
(c) of the Commercial Computer Software - Restricted
Rights clause at FAR sec. 52.227-19 and subparagraph
(c) (1) (ii) of the Rights in Technical Data and Computer
Software clause at DFARS sec. 252.227-7013.
cisco Systems, Inc.
170 West Tasman Drive
San Jose, California 95134-1706
Cisco IOS Software, 2800 Software (C2800NM-ADVIPSERVICESK9-M), Version
12.4(12),
RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2006 by Cisco Systems, Inc.
Compiled Fri 17-Nov-06 12:02 by prod_rel_team
Image text-base: 0x40093160, data-base: 0x42B00000
This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.
A summary of U.S. laws governing Cisco cryptographic products may be found
at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
If you require further assistance please contact us by sending email to
export@cisco.com.
Cisco 2811 (revision 49.46) with 249856K/12288K bytes of memory.
Processor board ID FTX0952C3EG
2 FastEthernet interfaces
4 Serial(sync/async) interfaces
1 Virtual Private Network (VPN) Module
DRAM configuration is 64 bits wide with parity enabled.
239K bytes of non-volatile configuration memory.
125440K bytes of ATA CompactFlash (Read/Write)
--- System Configuration Dialog ---
Would you like to enter the initial configuration dialog? [yes/no]: (press n)
2. Open a console for 2811 Router A and configure the hostname.
Router>enable
Router#config t
Router(config)#hostname 2811A
2811A(config-line)#exit
2811A(config)#
Once your router is clear, you can make it a Frame Relay switch with the
frame-relay switching command. However, that is the easy part. You need to map
every DLCI on the switch. Of course the router only has two connections, so it is not
too time consuming, but if you had dozens of PVCs, this could take a while.
3. On the Frame Relay switch, use the frame-relay route command to map each and
every DLCI. Here is an example:
2811A(config)#int s0/0/1
2811A(config-if)#frame-relay route 17 int serial 0/1/1 16
2811A(config-if)#exit
2811A(config)#
This command tells the switch that if it receives a frame on serial 0/0/1 with a PVC of 17,
then send it out serial 0/1/1 using a PVC of 16. Again, in our network, this configuration
will only be two routes, so it's not a big deal.
4. On 2811 Router A, configure Frame Relay switching. No IP addresses are assigned to the
router's interfaces. Remember, this is a Data Link layer function only, so IP is irrelevant
to this configuration.
2811A(config)#frame-relay switching
2811A(config)#int s0/0/1
2811A(config-if)#encapsulation frame-relay
2811A(config-if)#no shut
2811A(config-if)#frame intf-type dce
2811A(config-if)#frame-relay route 17 int serial 0/1/1 16
2811A(config-if)#int s0/1/1
2811A(config-if)#encapsulation frame-relay
2811A(config-if)#no shut
2811A(config-if)#frame intf-type dce
2811A(config-if)#frame-relay route 16 int serial 0/0/1 17
2811A(config-if)#ctrl+z
2811A#
5. Save your configuration.
2811A#copy run start
6. Now that the frame-relay switching router is configured, you need to configure the
remote routers.
Save Your File: Make sure you save the network layout file that you have been working on.
Lab 2.7: Configuring Frame Relay with Subinterfaces
This lab will have you bring up the console for Routers 2811 B and 2811 C and configure
them for Frame Relay using subinterfaces.
Since the Frame Relay switches are not using IP addressing, connecting from Router
2811 B to 2811 C, for example, will use one subnet and appear like a direct connection.
Use subnet 172.16.100.0.
Network Layout
Work with the saved network that you used to configure devices in Lab 2.6.
Lab Steps
1. Open the console for 2811 Router B and configure the serial 0/0 interface with a Frame
Relay subinterface. To perform this, you must remove the IP address from the serial
interface.
2811B#config t
2811B(config)#int serial 0/0
2811B(config-if)#no ip address
2811B(config-if)#no shut
2811B(config-if)#encapsulation frame-relay
2811B(config-if)#int serial 0/0.16 point-to-point
2811B(config-subif)#ip address 172.16.100.1 255.255.255.0
2811B(config-subif)#frame-relay interface-dlci 16
2811B(config-subif)#ctrl+z
2811B#
2. Open the console for 2811 Router C and configure the serial 0/0 interface with a
Frame Relay subinterface.
2811C#config t
2811C(config)#int serial 0/0
2811C(config-if)#no ip address
2811C(config-if)#no shut
2811C(config-if)#encapsulation frame-relay
2811C(config-if)#int serial 0/0.17 point-to-point
2811C(config-subif)#ip address 172.16.100.2 255.255.255.0
2811C(config-subif)#frame-relay interface-dlci 17
2811C(config-subif)#ctrl+z
2811C#
3. Verify the Frame Relay connection is up and running. Ping from 2811 Router B to the
2811 Router C.
2811B#ping 172.16.100.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.100.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/4 ms
2811B#
Lab 2.8: Verifying Frame Relay
There are several ways to check the status of your interfaces and PVCs once you have
Frame Relay encapsulation set up and running.
Network Layout
Work with the saved network that you used to configure devices in Lab 2.7.
Lab Steps
1. Open the console screen for 2621 Router A. I have this in the online docs.
2. You can use the show frame-relay command with a question mark (?) to get the
command options. The show frame-relay lmi command will give you the LMI
traffic statistics exchanged between the local router and the Frame Relay switch.
2621A#show frame ?
ip show frame relay IP statistics
lapf show frame relay lapf status/statistics
lmi show frame relay lmi statistics
map Frame-Relay map table
pvc show frame relay pvc statistics
qos-autosense show frame relay qos-autosense information
route show frame relay route
rtp show frame relay RTP statistics
svc show frame relay SVC stuff
traffic Frame-Relay protocol statistics
vofr show frame relay VoFR statistics
2621A#show frame lmi
LMI Statistics for interface Serial0/0 (Frame Relay DTE) LMI TYPE = ANSI
Invalid Unnumbered info 0 Invalid Prot Disc 0
Invalid dummy Call Ref 0 Invalid Msg Type 0
Invalid Status Message 0 Invalid Lock Shift 0
Invalid Information ID 0 Invalid Report IE Len 0
Invalid Report Request 0 Invalid Keep IE Len 0
Num Status Enq. Rcvd 1748 Num Status msgs Sent 1748
Num Update Status Sent 0 Num St Enq. Timeouts 0
2811B#
The router output from the show frame-relay lmi command shows you LMI errors as
well as the LMI type.
3. The show frame pvc command will list all configured PVCs and DLCI numbers. It
provides the status of each PVC connection and traffic statistics. It will also give you
the number of BECN and FECN packets received on the router.
2621A#show frame pvc
PVC Statistics for interface Serial0/0 (Frame Relay DTE)
DLCI = 16 , DLCI USAGE = LOCAL , PVC STATUS = ACTIVE , INTERFACE =
Serial0/0.16
input pkts 11290 output pkts 11277 in bytes 898590
out bytes 899156 dropped pkts 2 in FECN pkts 0
in BECN pkts 0 out FECN pkts 0 out BECN pkts 0
in DE pkts 0 out DE pkts 0
out bcast pkts 11264 out bcast bytes 898468
pvc create time 13:25:57, last time pvc status changed 13:25:39
2811B#
4. You can also use the show interface command to check for LMI traffic. The show
interface command displays information about the encapsulation as well as layer-2
and layer-3 information.
The LMI DLCI is used to define the type of LMI being used. If it is 1023, it is the
default LMI type of Cisco. If the LMI DLCI is zero, then it is the ANSI LMI type.
2621A#show int s0/0
Serial0/0 is up, line protocol is up
Hardware is PowerQUICC Serial
Description: connection to 2811A
MTU 1500 bytes, BW 1544 Kbit, DLY 20000 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation FRAME-RELAY, loopback not set
Keepalive set (10)
FR SVC disabled, LAPF state down
LMI enq sent 41, LMI stat recvd 22, LMI upd recvd 0, DTE LMI down
LMI enq recvd 4, LMI stat sent 0, LMI upd sent 0
LMI DLCI 0 LMI type is ANSI frame relay DTE
Broadcast queue 0/64, broadcasts sent/dropped 0/0, interface broadcasts 0
[output cut]
2811B#
The show interface command displays line, protocol, DLCI and LMI information.
5. The show frame map command will show you the Network layer-to-DLCI mappings.
2621A#show frame map
Serial0/0 (up):ip dlci 16(0x66,0x1860), broadcast
status defined, active
Serial0/0.16 (up): point-to-point dlci, dlci 16(0x66,0x1860), broadcast
status defined, active
2621A#
EIGRP
Lab 3: Introduction to EIGRP
In this section you will learn about EIGRP which is a proprietary Cisco protocol that only
runs on Cisco routers. You will learn how to manage Cisco routers in an internetwork. EIGRP
uses the properties of both distance vector and link state and uses autonomous systems (AS) to
create groups of routers that share routing information.
The following labs are covered:
- 3.1: Configuring EIGRP Routing
- 3.2: Verifying EIGRP Routing
- 3.3: Configuring EIGRP Wild Card Masks
- 3.4: Verifying EIGRP Wild Card Masks Configurations
- 3.5: Configuring EIGRP Authentication
- 3.6: Verifying EIGRP Authentication
- 3.7: Configuring Advanced Commands with EIGRP
Lab 3.1: Configuring EIGRP Routing
EIGRP is a Cisco proprietary hybrid routing protocol. If you want your routers to share
information they must all:
- have EIGRP running
- use the same AS number
Network Layout
Load Standard Layout.rsm or whatever you named the file when you saved your work
in earlier labs. You need a configured network in order to complete this lab.
Lab Steps
1. First go to 2621 Router A and ping interface f 0/0 on 2621 Router B. The packet will
travel through 2811 Router A on its way to 2621 Router B.
2621A#ping 172.16.30.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.30.2, timeout is 2 seconds:
!!!!!
2. We have not done anything yet with EIGRP but we can ping a distant router. If you look
back at Lab 5.16 (if you have been sequentially going through the labs), we configured
every router with RIP version 2. We need to remove RIP from every router so that we can
test the effects of the EIGRP commands.
2621A#config t
2621A(config)#no router rip
2621B#config t
2621B(config)#no router rip
2811A#config t
2811A(config)#no router rip
EIGRP
- Stands for Enhanced Interior Gateway Routing Protocol
- Uses properties of both distance vector and link state
- Has an administrative distance of 90
- Has a maximum hop count of 255
- Will automatically overwrite RIP (which has a default administrative distance of 120)
  routes in the routing table
- Uses autonomous systems (AS) to create groups of routers that share routing
  information
- Classless routing protocol but configured in a classful manner
- Uses RTP (Reliable Transport Protocol)
- Uses DUAL (Diffusing Update Algorithm)
- Supports VLSM, summarization, and discontiguous networking
- Supports IP V4 and V6, IPX, AppleTalk
3. Now try pinging 172.16.30.2.
2621A#ping 172.16.30.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.30.2, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5), round-trip min/avg/max = 0/0/0 ms
2621A#
Good! We have removed RIP and now have no connectivity. We can now proceed with
EIGRP.
4. Configure 2621 Router A to use EIGRP with an AS of 10.
2621A#config t
2621A(config)#router eigrp 10
2621A(config-router)#network 172.16.0.0
2621A(config-router)#ctrl+z
2621A#
5. Configure 2621 Router B to use EIGRP with an AS of 10.
2621B#config t
2621B(config)#router eigrp 10
2621B(config-router)#network 172.16.0.0
2621B(config-router)
6. Configure 2811 Router A to use EIGRP with an AS of 15.
2811A#config t
2811A(config)#router eigrp 15
2811A(config-router)#network 172.16.0.0
2811A(config-router)#exit
7. Now that we have EIGRP on every router, go to 2621 Router A and ping 172.16.30.2
on 2621 Router B.
2621A#ping 172.16.30.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.30.2, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5), round-trip min/avg/max = 0/0/0 ms
2621A#
It did not work. Click on the Net Detective icon to see if we can find out why the ping
was not successful.
You will see the following information:
1. Network 172.16.0.0 was not found in the routing tables for 2621 Router A.
2. The desired address falls outside of the protocol networks set up for one or more
of the devices.
3. The desired IP address of 172.16.30.2 was not found. None of the interfaces in the
current network have been configured with this IP address.
Net Detective
Unless you are an expert in using routers and switches, you might enter a command,
have it not work, and not immediately know what you did wrong. We have tried to
bridge that gap with Net Detective. There are several hundred commands that Net
Detective monitors. If something does not work properly, clicking on the Net Detective
button may prove helpful. For example, if you are unsuccessful in trying to ping
between 2600 A and 2600 B, Net Detective will provide several suggestions as to
what is possibly wrong.
We know that Network 172.16.0.0 is in the routing table. Maybe #2 is true. Ok, I
found it. The AS number for 2811 Router A is wrong. Change it from 15 to 10.
8. First, remove router eigrp 15 and put the correct command in.
2811A(config)#no router eigrp
% Incomplete command.
(We forgot to put 15 in the command. Try again)
2811A(config)#no router eigrp 15
2811A(config)#router eigrp 10
2811A(config-router)#network 172.16.0.0
2811A(config-router)#ctrl+z
2811A#
9. Now the ping should work. Go to 2621 Router A and ping interface f 0/1 on 2621
Router B.
2621A#ping 172.16.50.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.50.1, timeout is 2 seconds:
!!!!!
Save Your File: Make sure you save the network layout file that you have been working on.
Lab 3.2: Verifying EIGRP Routing
Since EIGRP has a better administrative distance than IGRP and RIP, all the routing tables
should have EIGRP-found routes (D). Use the show ip route command and other EIGRP
show commands to verify EIGRP.
Network Layout
Work with the saved network that you used in Lab 3.1.
1. From 2621 Router A, use the show ip route command to verify the routing table.
2621A#show ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, * - candidate default
U - per-user static route, o - ODR, P - periodic downloaded static route
T - traffic engineered route
Gateway of last resort is not set
172.16.0.0/24 is subnetted, 5 subnets
D 172.16.30.0 [90/2172416] via 172.16.20.1, 02:20:56, Serial0/0
C 172.16.40.0 is directly connected, FastEthernet0/0
D 172.16.50.0 [90/2172416] via 172.16.20.1, 02:20:56, Serial0/0
C 172.16.20.0 is directly connected, Serial0/0
D 172.16.10.0 [90/2172416] via 172.16.20.1, 02:20:56, Serial0/0
2621A#
Notice the routes that begin with D. These are EIGRP routes.
2. Use the show ip protocol command from 2621 Router A.
2621A#show ip protocol
Routing Protocol is "eigrp 10"
Outgoing update filter list for all interfaces is not set
Incoming update filter list for all interfaces is not set
Default networks flagged in outgoing updates
Default networks accepted from incoming updates
EIGRP metric weight K1=1, K2=0, K3=1, K4=0, K5=0
EIGRP maximum hop count 100
EIGRP maximum metric variance 1
Redistributing: eigrp 10
Automatic network summarization is in effect
Maximum path: 4
Routing for networks:
172.16.0.0
Routing information sources:
Gateway Distance Last Update
172.16.20.1 90 02:23:05
Distance: internal 90 external 170
2621A#
Based on this output, we can see that EIGRP is enabled for autonomous system 10
and that the K values are set to their defaults. The variance is 1, so only equal-cost
load balancing will be performed. Automatic summarization is on. We can also see
that EIGRP is advertising for one network and that it sees one neighbor.
3. From the 2621 Router B, use the show ip route command to verify the routing table.
2621B#show ip route
[output cut]
172.16.0.0/24 is subnetted, 5 subnets
C 172.16.30.0 is directly connected, Serial0/0
D 172.16.40.0 [90/2172416] via 172.16.30.1, 02:22:00, Serial0/0
C 172.16.50.0 is directly connected, FastEthernet0/0
D 172.16.20.0 [90/2172416] via 172.16.30.1, 02:22:00, Serial0/0
D 172.16.10.0 [90/2172416] via 172.16.30.1, 02:22:00, Serial0/0
2621B#
4. From 2811 Router A, use the show ip route command to verify the routing table.
2811A#show ip route
[output cut]
172.16.0.0/24 is subnetted, 5 subnets
C 172.16.30.0 is directly connected, Serial0/0/1
D 172.16.40.0 [90/2172416] via 172.16.20.2, 00:20:55, Serial0/1/1
D 172.16.50.0 [90/2172416] via 172.16.30.2, 00:20:55, Serial0/0/1
C 172.16.20.0 is directly connected, Serial0/1/1
C 172.16.10.0 is directly connected, FastEthernet0/0
2811A#
5. From 2621 Router A, use the show ip eigrp neighbors command to see the EIGRP
neighbor table. This table holds information about the router's directly connected
neighbors.
2621A#show ip eigrp neighbor
IP-EIGRP neighbors for process 10
H   Address       Interface   Hold   Uptime     SRTT   RTO   Q     Seq   Type
                              (sec)             (ms)         cnt   Num
0   172.16.20.1   S0/0        12     02:28:04   20     200   0     1
2621A#
In the above output, H indicates the order in which the neighbor was discovered. The
hold time is how long this router will wait for a Hello packet to arrive from a specific
neighbor. The uptime indicates how long the neighbor relationship has been established.
The SRTT field is the smooth round-trip timer, which is an indication of the time it takes
for a round-trip from this router to its neighbor and back. This value is used to determine
how long to wait after a multicast for a reply from this neighbor. If a reply is not received,
this router will switch to using unicasts to attempt to complete the communication. The
time between multicast attempts is specified by the Retransmission Time Out (RTO) field,
which is itself based upon the SRTT values. The Q value indicates whether there are any
outstanding messages in the queue; consistently large values would indicate a problem.
And finally the Seq field indicates the sequence number of the last update from that
neighbor, which is used to maintain synchronization and avoid duplicate or out-of-sequence
processing of messages.
6. From the 2621 Router A, use the show ip route eigrp command. This command gives you a
quick picture of the EIGRP routes. If a route does not appear in the routing table,
verify the source of the route. If the source is functioning properly, check the topology
table. The routing table from the perspective of 2621 Router A looks like this:
2621A#show ip route eigrp
172.16.0.0/24 is subnetted, 5 subnets
D 172.16.30.0 [90/2172416] via 172.16.20.1, 00:00:49, Serial0/0
D 172.16.50.0 [90/2172416] via 172.16.20.1, 00:00:49, Serial0/0
D 172.16.10.0 [90/2172416] via 172.16.20.1, 00:00:49, Serial0/0
2621A#
Notice that most EIGRP routes are indicated with simply a D designation and that the
administrative distance of these routes is 90. This represents internal EIGRP routes. If
a route has a D EX designation, this would indicate that it is an external EIGRP route,
which implies that the route was introduced into EIGRP via redistribution.
7. From the 2621 Router A, use the show ip eigrp topology command to see the EIGRP
topology table. This table shows the entire network as 2621 Router A understands it. If
the route is not in the topology table, it is safe to assume that there is a problem between
the topology database and the routing table. There must be a reason the topology
database is not injecting the route into the routing table.
2621A#show ip eigrp topology
IP-EIGRP Topology Table for AS(10)/ID(172.16.20.2)
Codes: P - Passive, A - Active, U - Update, Q - Query, R - Reply,
r - reply Status, s - sia Status
P 172.16.30.0/24, 1 successors, FD is 2172416
via 172.16.20.1 (2172416/28160), Serial0/1/1
P 172.16.40.0/24, 1 successors, FD is 2172416
via Connected, FastEthernet0/0
P 172.16.50.0/24, 1 successors, FD is 2172416
via 172.16.20.1 (2172416/28160), Serial0/1/1
P 172.16.20.0/24, 1 successors, FD is 2172416
via Connected, Serial0/0
P 172.16.10.0/24, 1 successors, FD is 2172416
via 172.16.20.1 (2172416/28160), Serial0/1/1
2621A#
Notice that every route is preceded by a P; this indicates that the route is in the passive
state, which is good. Routes in the active state indicate that the router has lost its path
to this network and is searching for a replacement. Each entry also indicates the feasible
distance, or FD, to each remote network and the next-hop neighbor through which
packets will travel to this destination. Each entry also has two numbers in brackets ( ), the
first indicating the feasible distance and the second the advertised distance to a remote
network.
Additionally, if you want to find out about any secondary route (feasible successor
route) to another network, you can use the show ip eigrp topology command.
8. From 2621 Router A, use the show ip eigrp traffic command to see if updates
are being sent. If the counters for EIGRP input and output packets don't increase, no
EIGRP information is being sent between peers.
The following output indicates that 2621A is experiencing normal traffic.
2811A#show ip eigrp traffic
IP-EIGRP Traffic Statistics for process 10
Hellos sent/received: 640/279
Updates sent/received: 3/1
Queries sent/received: 0/0
Replies sent/received: 0/0
Acks sent/received: 5/7
Input queue high water mark 1, 0 drops
SIA-Queries sent/received: 0/0
SIA-Replies sent/received: 0/0
2811A#
9. From 2621 Router A, use the show ip eigrp events command. This command
displays a log of every EIGRP event: when routes are injected and removed from the
routing table and when EIGRP adjacencies reset or fail. This information can be used
to see if there are routing instabilities in the network. Be cautioned that this command
displays a substantial amount of information in even the simplest configurations.
2621A#show ip eigrp events
Event information for AS 10:
1 15:49:03.848 Change queue emptied, entries: 1
2 15:49:03.848 Metric set: 172.16.30.0/24 2707456
3 15:49:03.848 Update reason, delay: new if 4294967295
4 15:49:03.848 Update sent, RD: 172.16.30.0/24 4294967295
5 15:49:03.848 Update reason, delay: metric chg 4294967295
6 15:49:03.848 Update sent, RD: 172.16.30.0/24 4294967295
7 15:49:03.848 Route install: 172.16.30.0/24 172.16.20.1
8 15:49:03.848 Find FS: 172.16.30.0/24 4294967295
9 15:49:03.848 Rcv update met/succmet: 2707456 2195456
10 15:49:03.848 Rcv update dest/nh: 172.16.30.0/24 172.16.20.1
11 15:49:03.848 Metric set: 172.16.30.0/24 4294967295
[output cut]
All of the commands covered in this lab are intended to be used by the system
administrator when troubleshooting a problem in the network.
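The (feasible distance/advertised distance) pair shown in the topology table in step 7 can be reproduced from interface bandwidth and delay. This added example (not from the book) computes the classic EIGRP composite metric with the default K values shown in step 2 and applies the feasibility condition; the FastEthernet figures (100000 Kbit, 100 usec) and the second candidate neighbor are assumptions.

```python
# Classic EIGRP composite metric with default K values (K1=1, K3=1, others 0):
#   metric = 256 * (10^7 / lowest bandwidth in Kbit + total delay in tens of usec)
# Integer division mirrors the truncation that yields the values in the lab output.

def eigrp_metric(min_bw_kbit, total_delay_usec):
    return 256 * (10_000_000 // min_bw_kbit + total_delay_usec // 10)


def path_metric(links):
    """links: (bandwidth_kbit, delay_usec) for every outgoing interface on the path."""
    lowest_bw = min(bw for bw, _ in links)
    total_delay = sum(delay for _, delay in links)
    return eigrp_metric(lowest_bw, total_delay)


def feasible_successors(feasible_distance, candidates):
    """candidates: {neighbor: (metric_via_neighbor, advertised_distance)}.

    Feasibility condition: a neighbor qualifies only if the distance it
    advertises is strictly lower than our current feasible distance, which
    guarantees that the neighbor's path does not loop back through us.
    """
    return sorted(
        neighbor
        for neighbor, (_, advertised) in candidates.items()
        if advertised < feasible_distance
    )


SERIAL = (1544, 20000)          # BW 1544 Kbit, DLY 20000 usec (show int s0/0)
FAST_ETHERNET = (100000, 100)   # assumed defaults for a 100 Mbit interface

# 2621A to 172.16.10.0: out Serial0/0, then 2811A's FastEthernet0/0.
FD = path_metric([SERIAL, FAST_ETHERNET])
# What 2811A itself advertises for its connected FastEthernet network.
AD = path_metric([FAST_ETHERNET])

CANDIDATES = {
    "172.16.20.1": (FD, AD),
    # Constructed second neighbor whose advertised distance equals our FD.
    "172.16.99.1": (path_metric([SERIAL, SERIAL, FAST_ETHERNET]), FD),
}

if __name__ == "__main__":
    print(f"via 172.16.20.1 ({FD}/{AD})")
    print("feasible:", feasible_successors(FD, CANDIDATES))
```

The constructed neighbor is rejected because its advertised distance is equal to, not lower than, the feasible distance.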
Lab 3.3: Configuring EIGRP Wild Card Masks
Cisco added the wild card mask or inverse mask feature to EIGRP in IOS version 12.0(4).
EIGRP wild card masks are similar to the OSPF implementation. The addition of wild card
masks to the EIGRP configuration suite gives network administrators more administrative
control. Wild card masks allow network administrators to easily designate which routed
interfaces will or will not participate in EIGRP routing advertisements.
In this lab, configure EIGRP wild card masks on each router.
Lab Steps
Any previous EIGRP configuration needs to be removed before configuring EIGRP with
wild card masks.
1. Configure wild card masks on 2811 Router A.
2811A#config t
2811A(config)#no router eigrp 10
2811A(config)#router eigrp 10
2811A(config-router)#network 172.16.10.1 0.0.0.0
2811A(config-router)#network 172.16.20.1 0.0.0.0
2811A(config-router)#network 172.16.30.1 0.0.0.0
2811A(config-router)#exit
2811A(config)#exit
2811A#copy run start
Network Layout
Load Standard Layout.rsm or whatever you named the file when you saved your work.
The commands: network 172.16.10.1 0.0.0.0, network 172.16.20.1 0.0.0.0,
and network 172.16.30.1 0.0.0.0 tell the EIGRP process to advertise the interfaces
172.16.10.1, 172.16.20.1, and 172.16.30.1. The wildcard mask of 0.0.0.0 tells the
EIGRP process to match all four octets exactly.
2. Configure wild card masks on 2621 Router A.
2621A#config t
2621A(config)#no router eigrp 10
2621A(config)#router eigrp 10
2621A(config-router)#network 172.16.20.0 0.0.0.255
2621A(config-router)#network 172.16.40.0 0.0.0.255
2621A(config-router)#exit
2621A(config)#exit
2621A#copy run start
The commands: network 172.16.20.0 0.0.0.255, and network 172.16.40.0
0.0.0.255 tell the EIGRP process to look for and advertise interfaces configured with
network 172.16.20 or 172.16.40 in the first three octets, and any value in the last octet.
3. Configure wild card masks on 2621 Router B.
2621B#config t
2621B(config)#no router eigrp 10
2621B(config)#router eigrp 10
2621B(config-router)#network 172.0.0.0 0.255.255.255
2621B(config-router)#exit
2621B(config)#exit
2621B#copy run start
The command: network 172.0.0.0 0.255.255.255 tells the EIGRP process to look for and
advertise any interface configured with network 172 in the first octet, and any value
in the last three octets.
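The three styles of network statement used in this lab differ in how many interfaces they can pull into the EIGRP process. This added example (not from the book) implements the wildcard comparison and runs it against the lab's interfaces; the 172.16.40.1 address for 2621 Router A, the Loopback9 interface on 2621 Router B, and the tightened statement list are constructed for illustration.

```python
import ipaddress


def u32(addr):
    """Dotted-quad string to a 32-bit integer."""
    return int(ipaddress.IPv4Address(addr))


def wildcard_match(interface_ip, network, wildcard):
    """True if 'network <network> <wildcard>' selects interface_ip.

    A 0 bit in the wildcard means the bit must match; a 1 bit means don't care.
    """
    care = ~u32(wildcard) & 0xFFFFFFFF
    return (u32(interface_ip) & care) == (u32(network) & care)


def addresses_covered(wildcard):
    """Number of addresses a statement with this wildcard can select."""
    return 2 ** bin(u32(wildcard)).count("1")


def eigrp_enabled(interfaces, statements):
    """Map each selected interface to the network statements that select it."""
    result = {}
    for name, ip in interfaces.items():
        hits = [f"{net} {wc}" for net, wc in statements if wildcard_match(ip, net, wc)]
        if hits:
            result[name] = hits
    return result


LAB = {
    "2811A": {
        "interfaces": {"FastEthernet0/0": "172.16.10.1",
                       "Serial0/1/1": "172.16.20.1",
                       "Serial0/0/1": "172.16.30.1"},
        "network": [("172.16.10.1", "0.0.0.0"),
                    ("172.16.20.1", "0.0.0.0"),
                    ("172.16.30.1", "0.0.0.0")],
    },
    "2621A": {
        "interfaces": {"Serial0/0": "172.16.20.2",
                       "FastEthernet0/0": "172.16.40.1"},   # assumed host address
        "network": [("172.16.20.0", "0.0.0.255"),
                    ("172.16.40.0", "0.0.0.255")],
    },
    "2621B": {
        "interfaces": {"Serial0/0": "172.16.30.2",
                       "FastEthernet0/1": "172.16.50.1",
                       "Loopback9": "172.31.9.1"},          # constructed, not in the lab
        "network": [("172.0.0.0", "0.255.255.255")],
    },
}

# Constructed alternative for 2621B that names only the two lab subnets.
TIGHT_2621B = [("172.16.30.0", "0.0.0.255"), ("172.16.50.0", "0.0.0.255")]

if __name__ == "__main__":
    for router, data in LAB.items():
        print(router, eigrp_enabled(data["interfaces"], data["network"]))
        for _, wc in data["network"]:
            print("   wildcard", wc, "covers", addresses_covered(wc), "addresses")
    print("2621B tightened:", eigrp_enabled(LAB["2621B"]["interfaces"], TIGHT_2621B))
```

The broad statement on 2621 Router B also enables EIGRP on the constructed Loopback9 interface, while the per-subnet statements leave it out.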
Lab 3.4: Verifying EIGRP Wild Card Mask Configurations
This lab will provide you with the commands to verify EIGRP wild card mask
configurations.
Lab Steps
1. At this point, your network should have converged. Issue the show ip route command
on each router.
2811A#show ip route
172.16.0.0/24 is subnetted, 5 subnets
C 172.16.30.0 is directly connected, Serial0/0/1
D 172.16.40.0 [90/2172416] via 172.16.20.2, 00:03:07, Serial0/1/10
D 172.16.50.0 [90/2172416] via 172.16.30.2, 00:03:07, Serial0/0/
C 172.16.20.0 is directly connected, Serial0/1/1
C 172.16.10.0 is directly connected, FastEthernet0/0
2811A#
2621A#show ip route
172.16.0.0/24 is subnetted, 5 subnets
D 172.16.30.0 [90/2172416] via 172.16.20.1, 00:33:19, Serial0/0
C 172.16.40.0 is directly connected, FastEthernet0/0
D 172.16.50.0 [90/2172416] via 172.16.20.1, 00:33:19, Serial0/0
C 172.16.20.0 is directly connected, Serial0/0
D 172.16.10.0 [90/2172416] via 172.16.20.1, 00:33:19, Serial0/0
2621A#
2621B#show ip route
172.16.0.0/24 is subnetted, 5 subnets
C 172.16.30.0 is directly connected, Serial0/0
D 172.16.40.0 [90/2172416] via 172.16.30.1, 00:33:26, Serial0/0
C 172.16.50.0 is directly connected, FastEthernet0/1
D 172.16.20.0 [90/2172416] via 172.16.30.1, 00:33:26, Serial0/0
D 172.16.10.0 [90/2172416] via 172.16.30.1, 00:33:26, Serial0/0
2621B#
Network Layout
Load Standard Layout.rsm or whatever you named the file when you saved your work.
You need a configured network in order to complete this lab.
2. Issue the show running-configuration command on each router to verify wild card
mask configurations.
2811A#show run
[output cut]
!
router eigrp 10
network 172.16.10.1 0.0.0.0
network 172.16.20.1 0.0.0.0
network 172.16.30.1 0.0.0.0
!
[output cut]
2621A#show run
[output cut]
!
router eigrp 10
network 172.16.20.0 0.0.0.255
network 172.16.40.0 0.0.0.255
!
[output cut]
2621B# show run
[output cut]
!
router eigrp 10
network 172.0.0.0 0.255.255.255
!
[output cut]
3. Issue the show ip eigrp interfaces command to display interfaces configured within
the EIGRP process.
2811A#show ip eigrp interfaces
IP-EIGRP interfaces for process 10
Xmit Queue Mean Pacing Time Multicast Pending
Interface Peers Un/Reliable SRTT Un/Reliable Flow Timer Routes
Fa0/0 0 0/0 0 0/1 0 0
Se0/0/1 0 0/0 0 0/1 0 0
Se0/1/1 0 0/0 0 0/1 0 0
2811A#
2621A#show ip eigrp interfaces
IP-EIGRP interfaces for process 10
Xmit Queue Mean Pacing Time Multicast Pending
Interface Peers Un/Reliable SRTT Un/Reliable Flow Timer Routes
Fa0/0 0 0/0 0 0/1 0 0
Se0/0 0 0/0 0 0/1 0 0
2621A#
2621B#show ip eigrp interfaces
IP-EIGRP interfaces for process 10
Xmit Queue Mean Pacing Time Multicast Pending
Interface Peers Un/Reliable SRTT Un/Reliable Flow Timer Routes
Fa0/1 0 0/0 0 0/1 0 0
Se0/0 0 0/0 0 0/1 0 0
2621B#
Lab 3.5: Configuring EIGRP Authentication
EIGRP Authentication protects network routers from unauthorized access.
Implementing EIGRP Authentication adds a layer of security to routing messages.
Routing messages are shared among routers in a common autonomous system. Only
routers configured with the appropriate authentication credentials will share routing
updates. Pre-shared keys (PSKs) and Message Digest 5 (MD5) facilitate message
authentication between routers.
Typically, routers belonging to the same EIGRP autonomous system exchange routing
updates without requiring message authentication. Routers in this lab will require message
authentication before EIGRP routing updates are accepted. Pre-shared keys are configured
from global configuration mode. Additionally, authentication will need to be configured on
each interface.
Network Layout
Load Standard Layout.rsm or whatever you named the file when you saved your work.
You need a configured network in order to complete this lab.
Lab Steps
1. Issue the show ip route command on Routers 2811 A, 2621 A, and 2621 B. Make sure
your network is completely converged.
2811A#show ip route
172.16.0.0/24 is subnetted, 5 subnets
C 172.16.30.0 is directly connected, Serial0/0/1
D 172.16.40.0 [90/2172416] via 172.16.20.2, 00:03:07, Serial0/1/10
D 172.16.50.0 [90/2172416] via 172.16.30.2, 00:03:07, Serial0/0/1
C 172.16.20.0 is directly connected, Serial0/1/1
C 172.16.10.0 is directly connected, fastethernet0/0
2811A#
2621A#show ip route
172.16.0.0/24 is subnetted, 5 subnets
D 172.16.30.0 [90/2172416] via 172.16.20.1, 00:33:19, Serial0/0
C 172.16.40.0 is directly connected, fastethernet0/0
D 172.16.50.0 [90/2172416] via 172.16.20.1, 00:33:19, Serial0/0
C 172.16.20.0 is directly connected, Serial0/0
D 172.16.10.0 [90/2172416] via 172.16.20.1, 00:33:19, Serial0/0
2621A#
2621B#show ip route
172.16.0.0/24 is subnetted, 5 subnets
C 172.16.30.0 is directly connected, Serial0/0
D 172.16.40.0 [90/2172416] via 172.16.30.1, 00:33:26, Serial0/0
C 172.16.50.0 is directly connected, fastethernet0/1
D 172.16.20.0 [90/2172416] via 172.16.30.1, 00:33:26, Serial0/0
D 172.16.10.0 [90/2172416] via 172.16.30.1, 00:33:26, Serial0/0
2621B#
2. Configure a pre-shared key on 2811 Router A.
2811A#config t
2811A(config)#key chain securekey-2811A
2811A(config-keychain)#key 100
2811A(config-keychain-key)#key-string secure-eigrp-traffic
2811A(config-keychain-key)#exit
2811A(config-keychain)#exit
3. Configure a pre-shared key on 2621 Router A.
2621A#config t
2621A(config)#key chain securekey-2621A
2621A(config-keychain)#key 100
2621A(config-keychain-key)#key-string secure-eigrp-traffic
2621A(config-keychain-key)#exit
2621A(config-keychain)#exit
4. Configure a pre-shared key on 2621 Router B.
2621B#config t
2621B(config)#key chain securekey-2621B
2621B(config-keychain)#key 100
2621B(config-keychain-key)#key-string secure-eigrp-traffic
2621B(config-keychain-key)#exit
2621B(config-keychain)#exit
5. Configure interfaces on 2811 Router A with authentication.
2811A(config)#int fa0/0
2811A(config-if)#ip authentication mode eigrp 10 md5
2811A(config-if)#ip authentication key-chain eigrp 10 securekey-2811A
2811A(config-if)#int s0/0/1
2811A(config-if)#ip authentication mode eigrp 10 md5
2811A(config-if)#ip authentication key-chain eigrp 10 securekey-2811A
2811A(config-if)#int s0/1/1
2811A(config-if)#ip authentication mode eigrp 10 md5
2811A(config-if)#ip authentication key-chain eigrp 10 securekey-2811A
2811A(config-if)#exit
2811A(config)#exit
2811A# copy run start
6. Configure interfaces on 2621 Router A with authentication.
2621A(config)#int fa0/0
2621A(config-if)#ip authentication mode eigrp 10 md5
2621A(config-if)#ip authentication key-chain eigrp 10 securekey-2621A
2621A(config-if)#int s0/0
2621A(config-if)#ip authentication mode eigrp 10 md5
2621A(config-if)#ip authentication key-chain eigrp 10 securekey-2621A
2621A(config-if)#exit
2621A(config)#exit
2621A#copy run start
7. Configure interfaces on 2621 Router B with authentication.
2621B(config)#int fa0/1
2621B(config-if)#ip authentication mode eigrp 10 md5
2621B(config-if)#ip authentication key-chain eigrp 10 securekey-2621B
2621B(config-if)#int s0/0
2621B(config-if)#ip authentication mode eigrp 10 md5
2621B(config-if)#ip authentication key-chain eigrp 10 securekey-2621B
2621B(config-if)#exit
2621B(config)#exit
2621B#copy run start
Save Your File: Make sure you save the network layout file that you have been working on.
Lab 3.6: Verifying EIGRP Authentication
This lab will provide you with the commands to verify EIGRP Authentication.
Network Layout
Load Standard Layout.rsm or whatever you named the file when you saved your work.
You need a configured network in order to complete this lab.
Lab Steps
1. At this point, your network should have converged and message authentication should
be in effect. Issue the show ip route command on each router.
2811A#show ip route
172.16.0.0/24 is subnetted, 5 subnets
C 172.16.30.0 is directly connected, Serial0/0/1
D 172.16.40.0 [90/2172416] via 172.16.20.2, 00:03:07, Serial0/1/10
D 172.16.50.0 [90/2172416] via 172.16.30.2, 00:03:07, Serial0/0/1
C 172.16.20.0 is directly connected, Serial0/1/1
C 172.16.10.0 is directly connected, FastEthernet0/0
2811A#
2621A#show ip route
172.16.0.0/24 is subnetted, 5 subnets
D 172.16.30.0 [90/2172416] via 172.16.20.1, 00:33:19, Serial0/0
C 172.16.40.0 is directly connected, FastEthernet0/0
D 172.16.50.0 [90/2172416] via 172.16.20.1, 00:33:19, Serial0/0
C 172.16.20.0 is directly connected, Serial0/0
D 172.16.10.0 [90/2172416] via 172.16.20.1, 00:33:19, Serial0/0
2621A#
2621B#show ip route
172.16.0.0/24 is subnetted, 5 subnets
C 172.16.30.0 is directly connected, Serial0/0
D 172.16.40.0 [90/2172416] via 172.16.30.1, 00:33:26, Serial0/0
C 172.16.50.0 is directly connected, FastEthernet0/1
D 172.16.20.0 [90/2172416] via 172.16.30.1, 00:33:26, Serial0/0
D 172.16.10.0 [90/2172416] via 172.16.30.1, 00:33:26, Serial0/0
2621B#
2. Issue the show running-configuration command on each router to verify EIGRP
Authentication.
2811A#show run
[output cut]
!
key chain securekey-2811A
key 100
key-string secure-eigrp-traffic
!
[output cut]
2621A# show run
[output cut]
!
key chain securekey-2621A
key 100
key-string secure-eigrp-traffic
!
[output cut]
2621B# show run
[output cut]
!
key chain securekey-2621B
key 100
key-string secure-eigrp-traffic
!
[output cut]
3. Issue the show key chain command to display all the configured key chains.
2811A#show key chain
Key-chain securekey-2811A:
key 100 -- text "secure-eigrp-traffic"
accept lifetime (always valid) - (always valid) [valid now]
send lifetime (always valid) - (always valid) [valid now]
2811A#
2621A#show key chain
Key-chain securekey-2621A:
key 100 -- text "secure-eigrp-traffic"
accept lifetime (always valid) - (always valid) [valid now]
send lifetime (always valid) - (always valid) [valid now]
2621A#
2621B#show key chain
Key-chain securekey-2621B:
key 100 -- text "secure-eigrp-traffic"
accept lifetime (always valid) - (always valid) [valid now]
send lifetime (always valid) - (always valid) [valid now]
2621B#
4. Issue the show ip eigrp interfaces detail command to display the interface
configurations.
2811A#show ip eigrp interfaces detail
[output cut]
Se0/0/1 0 0/0 0 0/1 0 0
Hello interval is 5 sec
Next xmit serial <none>
Un/reliable mcasts: 0/0 Un/reliable ucasts: 0/0
Mcast exceptions: 0 CR packets: 0 ACKs suppressed: 0
Retransmissions sent: 0 Out-of-sequence rcvd: 0
Authentication mode is md5, key-chain is "securekey-2811A"
Use unicast
[output cut]
2621A#show ip eigrp interfaces detail
[output cut]
Fa0/0 0 0/0 0 0/1 0 0
Hello interval is 5 sec
Next xmit serial <none>
Un/reliable mcasts: 0/0 Un/reliable ucasts: 0/0
Mcast exceptions: 0 CR packets: 0 ACKs suppressed: 0
Retransmissions sent: 0 Out-of-sequence rcvd: 0
Authentication mode is md5, key-chain is "securekey-2621A"
Use unicast
[output cut]
2621B#show ip eigrp interfaces detail
[output cut]
Se0/0 0 0/0 0 0/1 0 0
Hello interval is 5 sec
Next xmit serial <none>
Un/reliable mcasts: 0/0 Un/reliable ucasts: 0/0
Mcast exceptions: 0 CR packets: 0 ACKs suppressed: 0
Retransmissions sent: 0 Out-of-sequence rcvd: 0
Authentication mode is md5, key-chain is "securekey-2621B"
Use unicast
2621B#
The command displays the authentication mode and the name of the configured
key chain.
5. Verify that 2621 Router B will not receive any routing updates if EIGRP Authentication
is not configured correctly.
2621B#config t
2621B(config)# interface serial 0/0
2621B(config-if)#no ip authentication mode eigrp 10 md5
2621B(config-if)#no ip authentication key-chain eigrp 10
2621B(config-if)#exit
2621B(config)#exit
2621B#
6. Issue the show ip route command on 2621 Router B.
2621B#show ip route
[output cut]
172.16.0.0/24 is subnetted, 2 subnets
C 172.16.30.0 is directly connected, Serial0/0
C 172.16.50.0 is directly connected, FastEthernet0/1
2621B#
As you can see above, the routing table for 2621 Router B has no EIGRP routing entries.
Without the correct authentication configured on an interface, 2621 Router B will never
receive routing updates.
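The checks in steps 3 through 6 can be scripted. The Python below is an added example, not part of the original lab: it parses show key chain and show ip eigrp interfaces detail output and reports interfaces without MD5 authentication, references to undefined key chains, and router pairs that share no key ID and key string. The sample text is constructed in the format of the lab's listings (the 2621B Se0/0 block carries no authentication line, as after step 5); the function names are assumptions, and comparing every pair of routers is a simplification that fits this lab because all routers share one key.

```python
import re

IFACE = re.compile(r"^\s*([A-Za-z]+\d+(?:/\d+)*)\s+\d+\s")
AUTH = re.compile(r'Authentication mode is (\S+), key-chain is "([^"]+)"')
CHAIN = re.compile(r"^\s*Key-chain (\S+):")
KEY = re.compile(r'^\s*key (\d+) -- text "([^"]*)"')

# Constructed sample input in the format of the lab's listings.
KEYS_2811A = """Key-chain securekey-2811A:
key 100 -- text "secure-eigrp-traffic"
accept lifetime (always valid) - (always valid) [valid now]
send lifetime (always valid) - (always valid) [valid now]"""
KEYS_2621B = KEYS_2811A.replace("2811A", "2621B")
IFS_2811A = """Se0/0/1 0 0/0 0 0/1 0 0
Hello interval is 5 sec
Authentication mode is md5, key-chain is "securekey-2811A"
"""
# State after step 5: Se0/0 no longer reports an MD5 authentication mode.
IFS_2621B = """Se0/0 0 0/0 0 0/1 0 0
Hello interval is 5 sec
Fa0/1 0 0/0 0 0/1 0 0
Hello interval is 5 sec
Authentication mode is md5, key-chain is "securekey-2621B"
"""
LAB = {"2811A": (KEYS_2811A, IFS_2811A), "2621B": (KEYS_2621B, IFS_2621B)}


def parse_key_chains(text):
    """Return {chain name: {key id: key string}} from 'show key chain'."""
    chains, current = {}, None
    for line in text.splitlines():
        if m := CHAIN.match(line):
            current = chains.setdefault(m.group(1), {})
        elif (m := KEY.match(line)) and current is not None:
            current[int(m.group(1))] = m.group(2)
    return chains


def parse_interfaces(text):
    """Return {interface: key chain name, or None when MD5 is not in use}."""
    result, current = {}, None
    for line in text.splitlines():
        if m := IFACE.match(line):
            current = m.group(1)
            result[current] = None
        elif (m := AUTH.search(line)) and current and m.group(1) == "md5":
            result[current] = m.group(2)
    return result


def audit(routers):
    """routers: {name: (show key chain text, show ip eigrp interfaces detail text)}."""
    findings, keysets = [], {}
    for name, (key_text, if_text) in routers.items():
        chains = parse_key_chains(key_text)
        used = set()
        for iface, chain in parse_interfaces(if_text).items():
            if chain is None:
                findings.append((name, iface, "no MD5 authentication"))
            elif chain not in chains:
                findings.append((name, iface, f"key chain {chain} not defined"))
            else:
                used |= set(chains[chain].items())
        keysets[name] = used
    # The key chain name is local to each router; what neighbors must have in
    # common is a key ID together with its key string.
    names = sorted(keysets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if keysets[a] and keysets[b] and not keysets[a] & keysets[b]:
                findings.append((a, b, "no common key ID and key string"))
    return findings


if __name__ == "__main__":
    for finding in audit(LAB):
        print(finding)
```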
Lab 3.7: Configuring Advanced Commands with EIGRP
This section will have you configure a router with advanced EIGRP commands. Although
the network used in this lab is too small to see any advantage to most of these commands,
running through the commands on a router will help you become more familiar and
comfortable with the commands when used later in the Extended labs or when you build your
own larger networks.
Network Layout
Work with the saved network that you used in Lab 3.5.
Unless set otherwise, the bandwidth on a serial interface is assumed to be T1 (1.544Kbps).
In order to identify slower links, such as a 128K link, you must configure this manually. It is
important that the bandwidth setting accurately reflect the actual bandwidth because it is one
of the two elements used to calculate a route's metric. Improperly set bandwidth statements
will skew the route decisions made by EIGRP. Use the bandwidth command followed by the
bandwidth in kilobits in interface configuration mode. The possible values are from 1
to 10,000,000. The following command sets the bandwidth to 512K:
2621A(config)#interface serial 0/0
2621A(config-if)#bandwidth 512
The default for EIGRP is to use 50 percent of the available bandwidth per neighbor.
This can be adjusted if you wish, by using the interface configuration command ip
bandwidth-percent eigrp as percent, where percent indicates the percentage of
bandwidth that EIGRP could potentially use. The following command configures EIGRP to
use 40 percent of the available bandwidth per neighbor for autonomous system 10 on
interface Serial 0/0:
2621A(config-if)#ip bandwidth-percent eigrp 10 40
In congested networks, it may also be necessary to increase the EIGRP hello-interval and
hold-time so that neighbors do not mistakenly assume that an EIGRP neighbor has died
when in fact there has simply been a delay in the arrival of Hello packets. The command to
set the Hello interval is ip hello-interval eigrp as seconds; this indicates the number
of seconds between transmissions of Hello packets. The command to set the hold timer is
ip hold-time eigrp as seconds; this indicates how long to wait for a Hello packet before
assuming that the neighbor has failed. In general, the hold time should be three times the
Hello interval. The hello-interval defaults to 60 seconds on NBMA media running at
speeds of T1 or slower, and for all other networks, it defaults to 5 seconds. The hold-time
defaults to 180 seconds on T1 or slower NBMA networks and 15 seconds on all other
networks. Both commands are entered under interface configuration mode, and the seconds
parameter can range from 1 to 65535.
2621A(config-if)#interface fastethernet 0/0
2621A(config-if)#ip hello-interval eigrp ?
<1-65535> Autonomous system number
2621A(config-if)#ip hello-interval eigrp 10 ?
<1-65535> Seconds between hello transmissions
2621A(config-if)#ip hello-interval eigrp 10 100
2621A(config-if)#ip hold-time eigrp 10 ?
<1-65535> Seconds before neighbor is considered down
2621A(config-if)#ip hold-time eigrp 10 300
The commands above set the Hello interval to 100 seconds and the hold time to
300 seconds for EIGRP AS 10.
OSPF
Lab 4: Introduction to OSPF
OSPF is an open standards routing protocol that has been implemented by a wide variety
of network vendors, including Cisco. The easiest way to configure OSPF is simply to use a
single area. We will also discuss OSPF DR and BDR Elections.
The following labs are covered:
• 4.1: Configuring Single Area OSPF
• 4.2: Verifying Single Area OSPF
• 4.3: OSPF Authentication
• 4.4: Stub Area Configuration
• 4.5: Totally Stub
• 4.6: OSPF DR and BDR Elections
Lab 4.1: Configuring Single Area OSPF
This section will discuss the OSPF routing process.
OSPF is an open standards routing protocol that has been implemented by a wide variety
of network vendors, including Cisco. The benefit of an approach based on open standards
is that equipment from multiple vendors can interoperate as long as their implementations
are compliant with the appropriate Requests for Comments (RFCs). This does not mean
that vendors are forced to restrict their implementations to only the features documented
in the RFCs.
On the contrary, Cisco and others have added features to their versions of OSPF that
may not be found in other vendors' implementations. Knowing which features are standards
based and which are proprietary becomes important when deploying multivendor OSPF
networks.
OSPF:
• Stands for open shortest path first
• Uses the concept of an area, which is a grouping of contiguous OSPF networks and hosts
• Is a link-state routing protocol
• Has no maximum hop count
• Has an administrative distance of 110
• Includes equal-cost multipath routing
• Supports VLSM, summarization, and discontiguous networks
The easiest (and least scalable) way to configure OSPF is simply to use a single area,
which requires a minimum of two commands.
This program only supports a single area OSPF network, which will always
be area 0.
The command to activate the OSPF routing process is as follows:
2621A(config)#router ospf ?
<1-65535>
A value in the range 1 through 65535 identifies the OSPF Process ID, which is a unique
number on this router that groups a series of OSPF configuration commands under a specific
running process. Different OSPF routers do not have to use the same Process ID in order to
communicate. It is purely a local value and is basically irrelevant. The only time an OSPF
number would matter is when you have multiple OSPF Autonomous Systems (AS) connecting
together on the same network.
This lab will be pretty simple as far as OSPF goes. We will start the process on each
router, then configure the interfaces to be in OSPF area 0. This is much more complicated
than any of the other routing protocols we have configured, but simple nonetheless for
OSPF. However, since EIGRP has a better administrative distance than OSPF, we need to
also disable the EIGRP routing processes on each router.
Network Layout
Work with the saved network that you have been using in section 3.
Lab Steps
1. First, disable EIGRP on the 2621 Router A.
2621A#conf t
Enter configuration commands, one per line.
End with CNTL/Z.
2621A(config)#no router eigrp 10
2. Disable EIGRP on the 2621 B router.
2621B#conf t
Enter configuration commands, one per line.
End with CNTL/Z.
2621B(config)#no router eigrp 10
3. Disable EIGRP on the 2811 Router A.
2811A#conf t
Enter configuration commands, one per line.
End with CNTL/Z.
2811A(config)#no router eigrp 10
4. You will start the OSPF process by issuing the following command, as an example:
2621A(config)#router ospf 100
5. After starting the OSPF process (and disabling EIGRP on each router), you need to
identify the interfaces on which to activate OSPF communications and the area in
which each resides. This will also configure the networks you will advertise to others.
This is achieved with the following command as an example:
2621A(config-router)#network 10.0.0.0 0.255.255.255 area ?
<0-4294967295> OSPF area ID as a decimal value
A.B.C.D OSPF area ID in IP address format
A 0 (zero) octet in the wildcard mask indicates that the corresponding octet in the
network must match exactly. A 255, on the other hand, indicates that you do not care what
the corresponding octet is in the network number. A network and wildcard mask
combination of 1.1.1.1 0.0.0.0 would match 1.1.1.1 only and nothing else. This is useful if you
want to activate OSPF on a specific interface in a very clear and simple fashion. If you
insist on matching a range of networks, the network and wildcard mask combination of
1.1.0.0 0.0.255.255 would match anything in the range 1.1.0.0–1.1.255.255. It's simpler
and safer to stick to using wildcard masks of 0.0.0.0 and identify each OSPF interface
individually.
Remember that OSPF routers will only become neighbors if their interfaces share a
network that is configured to belong to the same area number. The format of the area
number is either a decimal value from the range 0–4294967295 or a value represented
in standard dotted-decimal notation. Area 0.0.0.0 is a legitimate area, for example,
and is identical to area 0. Again, we only support area 0 in this module at this time.
Just a reminder, here are the router interface IP addresses for routers on the current
network:
Router    Interface           IP Address
2621 A    Serial 0/0          172.16.20.2
2621 A    Fastethernet 0/0    172.16.40.1
2621 B    Serial 0/0          172.16.30.2
2621 B    Fastethernet 0/0    172.16.50.1
2811 A    Serial 0/1/1        172.16.20.1
2811 A    Serial 0/0/1        172.16.30.1
2811 A    Fastethernet 0/0    172.16.10.1
6. Configure the 2621 Router A to advertise both directly connected networks with
OSPF. The router ospf number does not matter; use whatever feels good to you. The
numbers can all be the same on all routers, or they can be different. In this lab
we will use different numbers.
2621A(config)#router ospf 100
2621A(config-router)#network 172.16.20.2 0.0.0.0 area 0
2621A(config-router)#network 172.16.40.0 0.0.0.255 area 0
2621A(config-router)#ctrl+z
Anatomy of a Command: network 172.16.20.2 0.0.0.0 area 0
network 172.16.20.2 0.0.0.0 area 0 - tells the OSPF process to advertise the interface
172.16.20.2 into area 0.
172.16.20.2 - The network number.
0.0.0.0 - The wildcard mask of 0.0.0.0 tells the process to match each octet exactly.
0 - The final argument is the area number. It indicates the area to which the interfaces
identified in the network and wildcard mask portion belong. It tells the OSPF process
to advertise the interface 172.16.20.2 into area 0.
The combination of the first two numbers identifies the interfaces that OSPF will
operate on and that will also be included in its OSPF Link State Advertisements (LSAs).
7. Configure 2621 Router B to advertise both directly connected networks with OSPF.
2621B(config)#router ospf 101
2621B(config-router)#network 172.16.30.2 0.0.0.0 area 0
2621B(config-router)#network 172.0.0.0 0.255.255.255 area 0
2621B(config-router)#ctrl+z
Now, let us go over what we have configured on 2621 Router B. Please understand that
all we are doing is advertising OSPF networks and this lab is showing the many ways
to accomplish the same thing.
The command network 172.16.30.2 0.0.0.0 area 0 tells the OSPF process to
advertise the interface 172.16.30.2 into area 0. The wildcard mask of 0.0.0.0 tells
the process to match all four octets exactly.
The command network 172.0.0.0 0.255.255.255 area 0 tells the OSPF process to
look for an interface configured with network 172 in the first octet, but the other three
octets can be any value. Once found, place that interface in area 0. Now, understand
that with this second command, the first command is really not needed; we just did it
for fun! The network command 172.0.0.0 will find any interface that has an IP address
that starts with 172 and put that in area 0.
Anatomy of a Command: network 172.16.40.0 0.0.0.255 area 0
network 172.16.40.0 0.0.0.255 area 0 - tells the router OSPF process to look for any
interface in subnet 172.16.40.0 and advertise that in area 0.
172.16.40.0 - The network number.
0.0.0.255 - With a wildcard of 0.0.0.255, this tells the OSPF process to match the first
three octets exactly, but the fourth octet value is irrelevant. We could have used this
command as well: network 172.16.40.1 0.0.0.0 area 0, which is just another way to
advertise the same interface, but is more precise. No difference in function on the
router or OSPF.
0 - The final argument is the area number. It indicates the area to which the interfaces
identified in the network and wildcard mask portion belong. It tells the OSPF process
to advertise the interface 172.16.40.0 into area 0.
The combination of the first two numbers identifies the interfaces that OSPF will
operate on and that will also be included in its OSPF Link State Advertisements (LSAs).
8. Configure 2811 Router A to advertise all directly connected networks with OSPF.
2811A(config)#router ospf 102
2811A(config-router)#network 172.16.10.1 0.0.0.0 area 0
2811A(config-router)#network 172.16.20.1 0.0.0.0 area 0
2811A(config-router)#network 172.16.30.1 0.0.0.0 area 0
2811A(config-router)#ctrl+z
Save Your File: Make sure you save the network layout file that you have been working on.
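The wildcard matching described in steps 5 through 7 decides which interfaces start speaking OSPF, so a broad statement such as 172.0.0.0 0.255.255.255 also enables OSPF on any 172.x interface added later. The Python below is an added example, not part of the original lab, that evaluates the network statements from step 7 against the lab's addresses. The Loopback99 interface and all function names are constructed for illustration.

```python
import ipaddress


def _as_int(dotted):
    return int(ipaddress.IPv4Address(dotted))


def wildcard_match(address, network, wildcard):
    """True if address equals network on every bit where the wildcard bit is 0."""
    care = ~_as_int(wildcard) & 0xFFFFFFFF
    return (_as_int(address) & care) == (_as_int(network) & care)


def addresses_covered(wildcard):
    """Number of addresses a statement can match: 2 ** (count of 1 bits)."""
    return 2 ** bin(_as_int(wildcard)).count("1")


def ospf_interfaces(statements, interfaces):
    """Return {interface: [every (network, wildcard, area) that matches it]}."""
    return {
        name: [s for s in statements if wildcard_match(addr, s[0], s[1])]
        for name, addr in interfaces.items()
    }


def broad_statements(statements, limit=256):
    """Statements that match more than `limit` addresses (default: one /24)."""
    return [s for s in statements if addresses_covered(s[1]) > limit]


# network statements entered on 2621 Router B in step 7
STATEMENTS_2621B = [
    ("172.16.30.2", "0.0.0.0", 0),
    ("172.0.0.0", "0.255.255.255", 0),
]
# The same router configured with one exact statement per interface instead
EXACT_2621B = [
    ("172.16.30.2", "0.0.0.0", 0),
    ("172.16.50.1", "0.0.0.0", 0),
]
# Addresses from the lab's address table, plus a constructed interface that
# was never meant to run OSPF.
INTERFACES_2621B = {
    "Serial0/0": "172.16.30.2",
    "FastEthernet0/1": "172.16.50.1",
    "Loopback99": "172.31.99.1",  # constructed for this example
}

if __name__ == "__main__":
    for label, stmts in (("step 7", STATEMENTS_2621B), ("exact", EXACT_2621B)):
        print(label)
        for name, hits in ospf_interfaces(stmts, INTERFACES_2621B).items():
            print("  ", name, "->", hits or "OSPF not enabled")
        print("   broad:", broad_statements(stmts))
```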
Lab 4.2: Verifying Single Area OSPF
This lab describes several ways to verify proper OSPF configuration and operation.
Network Layout
Work with the saved network that you used to configure devices in Lab 4.1.
1. The show ip ospf command is used to display OSPF information for one or all OSPF
processes running on the router. Information contained therein includes the Router ID,
area information, SPF statistics, and LSA timer information. Here is a sample output
from 2621 Router A:
2621A#sho ip ospf
Routing Process "ospf 100" with ID 172.16.40.1
Supports only single TOS(TOS0) routes
SPF schedule delay 5 secs, Hold time between two SPFs 10 secs
Minimum LSA interval 5 secs. Minimum LSA arrival 1 secs
Number of external LSA 0. Checksum Sum 0x0
Number of DCbitless external LSA 0
Number of DoNotAge external LSA 0
Number of areas in this router is 1. 1 normal 0 stub 0 nssa
External flood list length 0
Area BACKBONE(0) (Inactive)
Number of interfaces in this area is 2
Area has no authentication
SPF algorithm executed 7 times
Area ranges are
Number of LSA 7. Checksum Sum 0x2E2A0
Number of DCbitless LSA 0
Number of indication LSA 0
Number of DoNotAge LSA 0
Flood list length 0
2621A#
2. The information displayed by the show ip ospf database command indicates the
number of links and the neighboring Router ID. The output is broken down by area.
Here is a sample output from 2621 Router A:
2621A#show ip ospf database
OSPF Router with ID (172.16.40.1) (Process ID 100)
Router Link States (Area 0)
Link ID ADV Router Age Seq# Checksum Link count
172.16.50.1 172.16.50.1 475 0x80000003 0x0030F9 3
172.16.40.1 172.16.40.1 475 0x80000003 0x0030F9 3
172.16.30.1 172.16.30.1 475 0x80000003 0x0030F9 3
2621A#
3. The show ip ospf interface command displays all interface-related OSPF information.
Data is displayed about OSPF information for all interfaces or for specified interfaces.
Information includes the interface IP address, area assignment, Process ID, Router ID,
network type, cost, priority, DR/BDR (if applicable), timer intervals, and adjacent
neighbor information. Here is a sample output:
2621A#show ip ospf interface
FastEthernet0/1 is up, line protocol is up
Internet Address 172.16.40.1/24, Area 0
Process ID 100, Router ID 172.16.40.1, Network Type BROADCAST, Cost: 1
Transmit Delay is 1 sec, State DR, Priority 1
Designated Router (ID) 172.16.40.1, Interface address 172.16.40.1
No backup designated router on this network
Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
oob-resync timeout 40
Hello due in 00:00:06
Index 2/2, flood queue length 0
[output cut]
Serial0/0 is up, line protocol is up
Internet Address 172.16.20.2/24, Area 0
Process ID 100, Router ID 172.16.40.1, Network Type POINT_TO_POINT, Cost: 64
Transmit Delay is 1 sec, State POINT_TO_POINT,
Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
oob-resync timeout 40
Hello due in 00:00:06
[output cut]
2621A#
Notice in the above output that the hello timer is set to 10 seconds and the dead timer is
set to 40. If two or more routers are connected together, the timers must be set exactly
the same. By looking at line three of the show ip ospf interface command, you can
see the OSPF network type.
4. The show ip ospf neighbor command is very useful. It summarizes the pertinent
OSPF information regarding neighbors and the adjacency state. If a DR or BDR exists,
that information is also displayed. Here is an output from 2621 Router A:
2621A#show ip ospf neighbor
Neighbor ID Pri State Dead Time Address Interface
172.16.30.1 1 FULL/BDR 00:00:36 172.16.20.1 Serial0/0
2621A#
OSPF network types
• Point-to-Point
• Broadcast
• Point-to-Multipoint
• Nonbroadcast
• Point-to-Multipoint Nonbroadcast
5. The show ip protocols command is useful whether you are running OSPF, EIGRP,
IGRP, RIP, BGP, ISIS, or any other routing protocol you can configure on your router. It
provides an excellent overview of the actual operation of all currently running protocols.
2621A#show ip protocols
Routing Protocol is "ospf 100"
Outgoing update filter list for all interfaces is not set
Incoming update filter list for all interfaces is not set
Router ID 172.16.40.1
Number of areas in this router is 1. 1 normal 0 stub 0 nssa
Maximum path: 4
Routing for Networks:
172.16.20.2 0.0.0.0 area 0
172.16.40.0 0.0.0.255 area 0
Routing Information Sources:
Gateway Distance Last Update
172.16.30.1 110 00:00:29
172.16.50.1 110 00:00:29
Distance: (default is 110)
2621A#
6. Based upon this output, you can determine the OSPF Process ID, OSPF Router ID, type of
OSPF area, networks and areas configured for OSPF, and OSPF Router IDs of neighbors.
Lab 4.3: OSPF Authentication
OSPF supports different methods of authentication. Authentication can be configured to
pass the authentication key in clear text or encrypted. You will configure both methods
of authentication in this lab. Additionally, when configuring an encrypted key, you can
specify a single key or, by assigning numbers to keys, specify a series of keys.
2811 Router A has interfaces in both Area 0 and Area 1. 2811 Router B has an interface
in Area 0 directly connected to 2811 Router A. 2811 Router C has an interface in Area 0
directly connected to 2811 Router A. 2811 Router D has an interface in Area 1 directly
connected to 2811 Router A. For both the 2811 Router A - 2811 Router B and 2811 Router
A - 2811 Router C connections you will configure message digest authentication. For the
2811 Router A - 2811 Router C connection you will configure a key list. For the 2811
Router A - 2811 Router D connection you will configure clear text authentication.
Network Layout: Load OSPF Authentication Layout.rsm before going through the
following lab.
1. On the Network Visualizer screen, click on the File menu and then click Open.
2. When the dialog box appears, make sure you are in the Networks folder.
3. Click on the file OSPF Authentication Layout.rsm and click Open. You should see the
following network:
Lab Steps
1. Bring up the console for 2811 Router A. After the console screen comes up set the:
Hostname
IP Address
OSPF Parameters
Router#config t
Router(config)#hostname 2811A
2811A(config)#int f0/1
2811A(config-if)#ip add 10.1.0.1 255.255.255.0
2811A(config-if)#no shut
2811A(config-if)#int f0/0
2811A(config-if)#ip add 10.2.0.1 255.255.255.0
2811A(config-if)#no shut
2811A(config-if)#int s0/0/0
2811A(config-if)#ip add 172.16.1.1 255.255.255.0
2811A(config-if)#no shut
2811A(config-if)#router ospf 25
2811A(config-router)#network 10.1.0.1 0.0.0.0 area 0
2811A(config-router)#network 10.2.0.1 0.0.0.0 area 0
2811A(config-router)#network 172.16.1.1 0.0.0.0 area 1
2. Bring up the console for 2811 Router B. After the console screen comes up set the:
Hostname
IP Address
OSPF Parameters
Router#config t
Router(config)#hostname 2811B
2811B(config)#int f0/1
2811B(config-if)#ip add 10.1.0.2 255.255.255.0
2811B(config-if)#no shut
2811B(config-if)#router ospf 25
2811B(config-router)#network 10.1.0.2 0.0.0.0 area 0
3. Bring up the console for 2811 Router C. After the console screen comes up set the:
Hostname
IP Address
OSPF Parameters
Router#config t
Router(config)#hostname 2811C
2811C(config)#int f0/0
2811C(config-if)#ip add 10.2.0.2 255.255.255.0
2811C(config-if)#no shut
2811C(config-if)#router ospf 25
2811C(config-router)#network 10.2.0.2 0.0.0.0 area 0
4. Bring up the console for 2811 Router D. After the console screen comes up set the:
Hostname
IP Address
OSPF Parameters
Router#config t
Router(config)#hostname 2811D
2811D(config)#int s0/0/0
2811D(config-if)#ip add 172.16.1.2 255.255.255.0
2811D(config-if)#no shut
2811D(config-if)#router ospf 25
2811D(config-router)#network 172.16.1.2 0.0.0.0 area 1
Rename and Save Your File: Make sure you save the actual network layout file that
you have been working with. You might want to save it under a different file name than OSPF
Authentication Layout.rsm. This allows you to start over with your initial, non-configured
network if you wish.
There are two ways you can save a network layout. The first way is by clicking on the
Diskette button on the button bar, at the top of the Network Visualizer screen. You can
also click File on the menu and choose Save from the drop-down menu.
5. On 2811 Router A, confirm that 2811 Router A has an OSPF neighbor relationship
with 2811 Router B, 2811 Router C and 2811 Router D.
2811A(config-router)#ctrl+z
2811A#show ip ospf neighbor
Neighbor ID Pri State Dead Time Address Interface
172.16.1.2 1 FULL/ - 00:00:36 172.16.1.2 Serial0/0/0
10.2.0.2 1 FULL/BDR 00:00:36 10.2.0.2 FastEthernet0/0
10.1.0.2 1 FULL/BDR 00:00:36 10.1.0.2 FastEthernet0/1
6. You will now configure authentication on 2811 Router A only. You will configure
message-digest authentication for area 0 and plain text authentication for area 1. You will
then confirm that all neighbor relationships have closed as expected (authentication is
not configured on any other routers).
2811A#config t
2811A(config)#router ospf 25
2811A(config-router)#area 0 authentication message-digest
2811A(config-router)#area 1 authentication
2811A(config-router)#int f0/1
2811A(config-if)#ip ospf authentication-key 0 cisco
2811A(config-if)#int f0/0
2811A(config-if)#ip ospf message-digest-key 1 md5 0 cisco1
2811A(config-if)#ip ospf message-digest-key 2 md5 0 cisco2
2811A(config-if)#int s0/0/0
2811A(config-if)#ip ospf authentication-key 0 cisco3
2811A(config-if)#ctrl+z
2811A#show ip ospf neighbor
2811A#
7. Now you will configure authentication on the other routers then confirm that the
neighbor relationships have been re-established.
2811B(config-router)#exit
2811B(config)#router ospf 25
2811B(config-router)#area 0 authentication message-digest
2811B(config-router)#int f0/1
2811B(config-if)#ip ospf authentication-key 0 cisco
2811B(config-if)#ctrl+z
2811C(config-router)#exit
2811C(config)#router ospf 25
2811C(config-router)#area 0 authentication message-digest
2811C(config-router)#int f0/0
2811C(config-if)#ip ospf message-digest-key 1 md5 0 cisco1
2811C(config-if)#ip ospf message-digest-key 2 md5 0 cisco2
2811C(config-if)#ctrl+z
2811D(config-router)#exit
2811D(config)#router ospf 25
2811D(config-router)#area 1 authentication
2811D(config-router)#int s0/0/0
2811D(config-if)#ip ospf authentication-key 0 cisco3
2811D(config-if)#exit
8. On 2811 Router A, confirm that 2811 Router A has an OSPF neighbor relationship
with 2811 Router B, 2811 Router C and 2811 Router D.
2811A#show ip ospf neighbor
Neighbor ID Pri State Dead Time Address Interface
172.16.1.2 1 FULL/ - 00:00:36 172.16.1.2 Serial0/0/0
10.2.0.2 1 FULL/BDR 00:00:36 10.2.0.2 FastEthernet0/0
10.1.0.2 1 FULL/BDR 00:00:36 10.1.0.2 FastEthernet0/1
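A neighbor table that shows FULL confirms the adjacencies but not which authentication each interface actually uses. The Python below is an added example, not part of the original lab: it maps each interface to its area through the network statements and reports interfaces with no authentication, with a clear-text password, or in a message-digest area without a message-digest-key (the situation of FastEthernet0/1 in step 6, which has only an authentication-key). The configuration text is constructed from the commands in steps 1 and 6; the function names, the first-matching-statement rule and the restriction to area-level authentication are assumptions of this sketch.

```python
import ipaddress
import re

# Constructed running-config style text for 2811 Router A after step 6.
CONFIG_2811A = """
interface FastEthernet0/1
 ip address 10.1.0.1 255.255.255.0
 ip ospf authentication-key cisco
interface FastEthernet0/0
 ip address 10.2.0.1 255.255.255.0
 ip ospf message-digest-key 1 md5 cisco1
 ip ospf message-digest-key 2 md5 cisco2
interface Serial0/0/0
 ip address 172.16.1.1 255.255.255.0
 ip ospf authentication-key cisco3
router ospf 25
 area 0 authentication message-digest
 area 1 authentication
 network 10.1.0.1 0.0.0.0 area 0
 network 10.2.0.1 0.0.0.0 area 0
 network 172.16.1.1 0.0.0.0 area 1
"""


def _match(addr, net, wild):
    """Wildcard match: compare only the bits where the wildcard bit is 0."""
    a, n, w = (int(ipaddress.IPv4Address(x)) for x in (addr, net, wild))
    return ((a ^ n) & ~w & 0xFFFFFFFF) == 0


def parse(config):
    """Return (interfaces, area authentication modes, network statements)."""
    ifaces, areas, networks, current = {}, {}, [], None
    for line in map(str.strip, config.splitlines()):
        if m := re.match(r"interface (\S+)", line):
            current = ifaces.setdefault(m.group(1), {"ip": None, "md5_keys": []})
        elif line.startswith("router "):
            current = None
        elif m := re.match(r"area (\S+) authentication( message-digest)?$", line):
            areas[m.group(1)] = "md5" if m.group(2) else "simple"
        elif m := re.match(r"network (\S+) (\S+) area (\S+)", line):
            networks.append(m.groups())
        elif current is None:
            continue
        elif m := re.match(r"ip address (\S+) \S+", line):
            current["ip"] = m.group(1)
        elif m := re.match(r"ip ospf message-digest-key (\d+) md5 ", line):
            current["md5_keys"].append(int(m.group(1)))
    return ifaces, areas, networks


def audit(config):
    """Return [(interface, area, finding)] for weak or missing OSPF authentication."""
    ifaces, areas, networks = parse(config)
    findings = []
    for name, info in ifaces.items():
        area = next((a for n, w, a in networks
                     if info["ip"] and _match(info["ip"], n, w)), None)
        if area is None:
            continue  # OSPF is not enabled on this interface
        mode = areas.get(area)
        if mode is None:
            findings.append((name, area, "no authentication"))
        elif mode == "simple":
            # Simple authentication carries the password in every OSPF packet.
            findings.append((name, area, "clear-text password"))
        elif not info["md5_keys"]:
            # An authentication-key is not used by message-digest authentication.
            findings.append((name, area, "message-digest area but no message-digest-key"))
    return findings


if __name__ == "__main__":
    for finding in audit(CONFIG_2811A):
        print(finding)
```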
Lab 4.4: Stub Area Configuration
Since the main purpose of having stub areas is to keep such areas from carrying external
routes, we need to review some design guidelines before configuring a stub area or a totally
stubby area:
Area 0 (the backbone area) cannot be made a stub area.
Since autonomous system boundary routers inject external routes, do not make any area
containing an ASBR a stub area.
Since routers within a stub area use a default route to get out of the stub area, typically
there is only one route out of the stub area. Therefore, a stub area should usually only
contain a single area border router. Keep in mind that since a default route is being used, if a
stub area contains more than one ABR, a non-optimal path may be used.
If you decide to make a particular area a stub area, be sure to configure all the routers in
the area as stubby. If a router within a stub area has not been configured as stubby, it will
not be able to correctly form adjacencies and exchange OSPF routes.
The following are some benefits of a stub area configuration:
Smaller Link State Database
Reduction in the size of the routing table
Reduction in CPU processing for link state advertising
Automatic creation of default gateway
With the guidelines in mind, let's examine a sample configuration for a stub area. We
are going to make Area 2 a stub area. Let's review some key elements of our stub area
configuration example:
The syntax to make a router stubby is [area area-id stub].
All routers that are part of Area 2 are configured as stubby.
Area 2 has only one ABR (i.e., only one path out of the area).
The ABR used the area area-id stub command only for Area 2, not for Area 0, which is
not stubby.
Network Layout: Work with the saved network that you used to configure devices in
Lab 4.1.
Lab Steps
1. Configure 2811 Router A to be stubby:
2811A#config t
Enter configuration commands, one per line.
End with CNTL/Z.
2811A(config)# router ospf 102
2811A(config-router)#area 2 stub
2811A(config-router)#ctrl+z
2. Configure 2621 Router B to be stubby:
2621B#config t
Enter configuration commands, one per line.
End with CNTL/Z.
2621B(config)#router ospf 101
2621B(config-router)#area 2 stub
2621B(config-router)#ctrl+z
3. Verify your stub configurations on routers 2811 A and 2621 B.
2811A#show ip ospf
Routing Process ospf 102 with ID 172.16.30.1
Supports only single TOS(TOS0) routes
It is an area border router
SPF schedule delay 5 secs, Hold time between two SPFs 10 secs
Minimum LSA interval 5 secs. Minimum LSA arrival 1 secs
Number of external LSA 0. Checksum Sum 0x0
Number of DCbitless external LSA 0
Number of DoNotAge external LSA 0
Number of areas in this router is 3. 2 normal 1 stub 0 nssa
External flood list length 0
[output cut]
Area 1
[output cut]
Area 2
Number of interfaces in this area is 1
It is a stub area
Area has no authentication
SPF algorithm executed 7 times
Area ranges are
Number of LSA 0. Checksum Sum 0x2E2A0
Number of DCbitless LSA 0
Number of indication LSA 0
Number of DoNotAge LSA 0
Flood list length 0
2811A#
2621B#show ip ospf
Routing Process ospf 101 with ID 172.16.50.1
Supports only single TOS(TOS0) routes
SPF schedule delay 5 secs, Hold time between two SPFs 10 secs
Minimum LSA interval 5 secs. Minimum LSA arrival 1 secs
Number of external LSA 0. Checksum Sum 0x0
Number of DCbitless external LSA 0
Number of DoNotAge external LSA 0
Number of areas in this router is 1. 0 normal 1 stub 0 nssa
External flood list length 0
Area 2
Number of interfaces in this area is 2
It is a stub area
[output cut]
2621B#
As you can see, area 2 is now a stub area on both routers.
4. Issue the show ip route to verify that the routing table now has a gateway of last resort
set.
2621B#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static
route
o - ODR, P - periodic downloaded static route
Gateway of last resort is 172.16.30.1 to network 0.0.0.0
O IA 172.16.20.0/24 [110/128] via 172.16.30.1, 00:00:15, Serial0/0
O IA 172.16.10.0/24 [110/129] via 172.16.30.1, 00:00:15, Serial0/0
O IA 172.16.40.0/24 [110/65] via 172.16.30.1, 00:00:15, Serial0/0
172.16.0.0/24 is subnetted, 2 subnets
C 172.16.30.0 is directly connected, FastEthernet0/1
C 172.16.50.0 is directly connected, Serial0/0
O*IA 0.0.0.0/0 [110/65] via 172.16.30.1, 00:00:15, Serial0/0
2621B#
As you can see, a gateway of last resort has automatically been added to the routing table.
5. Issue the show run command on router 2811 A and 2621 B to verify the stubby
configuration.
Lab 4.5: Totally Stub
Using the same network topology as we had for the stub area configuration, let's examine
how to make Area 2 a totally stubby area. Remember, the only difference between a stub
area and a totally stubby area is that a totally stubby area does not allow summary routes
to be injected into it.
The following are some benefits of a totally stub area configuration:
Smaller Link State Database
Reduction in the size of the routing table
Reduction in CPU processing for link state advertising
Automatic creation of default gateway
Network Layout: Work with the saved network that you used to configure devices in
lab 4.4.
Lab Steps
1. Issue the show ip route command on 2621 Router B.
2621B.#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static
route
o - ODR, P - periodic downloaded static route
Gateway of last resort is 172.16.30.1 to network 0.0.0.0
O IA 172.16.20.0/24 [110/128] via 172.16.30.1, 00:00:15, Serial0/0
O IA 172.16.10.0/24 [110/129] via 172.16.30.1, 00:00:15, Serial0/0
O IA 172.16.40.0/24 [110/65] via 172.16.30.1, 00:00:15, Serial0/0
172.16.0.0/24 is subnetted, 2 subnets
C 172.16.50.0 is directly connected, FastEthernet0/1
C 172.16.30.0 is directly connected, Serial0/0
O*IA 0.0.0.0/0 [110/65] via 172.16.30.1, 00:00:15, Serial0/0
2621B#
As you can see, the routing table still has routes flagged with O IA, OSPF inter area
routes. The routing table should look like this for now.
2. Configure OSPF area 2 on the 2811 Router A (ABR) router to be totally stubby:
2811A#config t
Enter configuration commands, one per line.
End with CNTL/Z.
2811A(config)#router ospf 102
2811A(config-router)#area 2 stub no-summary
2811A(config-router)#ctrl+z
The totally stubby configuration only needs to be made on our (ABR) router 2811 A.
3. Issue the show ip ospf command to verify your totally stubby configurations on 2811
Router A.
2811A#show ip ospf
Routing Process ospf 100 with ID 172.16.30.1
Supports only single TOS(TOS0) routes
It is an area border router
SPF schedule delay 5 secs, Hold time between two SPFs 10 secs
Minimum LSA interval 5 secs. Minimum LSA arrival 1 secs
Number of external LSA 0. Checksum Sum 0x0
Number of DCbitless external LSA 0
Number of DoNotAge external LSA 0
Number of areas in this router is 3. 2 normal 1 stub 0 nssa
External flood list length 0
[output cut]
Area 2
Number of interfaces in this area is 1
It is a stub area, no summary LSA in this area
Area has no authentication
[output cut]
2811A#
As you can see, area 2 is not allowing summary routes into the stub area.
4. Issue the show ip route command on 2621 Router B.
2621B.#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static
route
o - ODR, P - periodic downloaded static route
Gateway of last resort is 172.16.30.1 to network 0.0.0.0
172.16.0.0/24 is subnetted, 2 subnets
C 172.16.50.0 is directly connected, FastEthernet0/1
C 172.16.30.0 is directly connected, Serial0/0
O*IA 0.0.0.0/0 [110/65] via 172.16.30.1, 00:01:33, Serial0/0
2621B#
You can now see that the routing table no longer has routes flagged with O IA, OSPF
inter area routes. The routing table only displays directly connected interfaces and a
gateway of last resort. As you can see, the routing table is noticeably smaller.
5. Issue the show run command on 2811 Router A to verify the totally stubby configuration.
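The rule from Lab 4.4 that every router in the area must carry `area 2 stub`, and the Lab 4.5 point that `no-summary` belongs on the ABR, can be checked offline against saved configurations. The following is an added example, not part of the lab software: the network statements and the router 2621C are constructed for illustration, and "ABR" is approximated as "has network statements in more than one area".

```python
import re

# Constructed running-config fragments. Process IDs and the "area 2 stub"
# lines follow the lab; network statements and router 2621C are assumed.
CONFIGS = {
    "2811A": """\
router ospf 102
 network 172.16.10.0 0.0.0.255 area 0
 network 172.16.40.0 0.0.0.255 area 1
 network 172.16.30.0 0.0.0.255 area 2
 area 2 stub no-summary
!
""",
    "2621B": """\
router ospf 101
 network 172.16.30.0 0.0.0.255 area 2
 network 172.16.50.0 0.0.0.255 area 2
 area 2 stub
!
""",
    # Hypothetical router that was added to Area 2 and never made stubby.
    "2621C": """\
router ospf 103
 network 172.16.50.0 0.0.0.255 area 2
!
""",
}

NETWORK_RE = re.compile(r"network\s+\S+\s+\S+\s+area\s+(\S+)$")
STUB_RE = re.compile(r"area\s+(\S+)\s+stub(\s+no-summary)?$")


def parse_ospf(config):
    """Return (areas, stub_flags) found under 'router ospf' in one config."""
    areas, stub_flags, in_ospf = set(), {}, False
    for line in config.splitlines():
        if line.startswith("router ospf"):
            in_ospf = True
            continue
        if not line.startswith(" "):      # '!' or a new top-level command
            in_ospf = False
            continue
        if not in_ospf:
            continue
        cmd = line.strip()
        m = NETWORK_RE.match(cmd)
        if m:
            areas.add(m.group(1))
        m = STUB_RE.match(cmd)
        if m:
            stub_flags[m.group(1)] = "no-summary" if m.group(2) else "stub"
    return areas, stub_flags


def audit_stub_area(configs, area):
    """Check that every router with interfaces in `area` agrees it is a stub."""
    parsed = {name: parse_ospf(cfg) for name, cfg in configs.items()}
    members = sorted(n for n, (areas, _) in parsed.items() if area in areas)
    abrs = [n for n in members if len(parsed[n][0]) > 1]
    stubby = [n for n in members if area in parsed[n][1]]
    missing = [n for n in members if n not in stubby]

    if not stubby:
        area_type = "normal"
    elif any(parsed[n][1].get(area) == "no-summary" for n in abrs):
        area_type = "totally stubby"
    else:
        area_type = "stub"

    findings = []
    if stubby:
        for n in missing:
            findings.append(f"{n}: in area {area} without 'area {area} stub'; "
                            "adjacencies with stub neighbors will not form")
    if stubby and len(abrs) > 1:
        findings.append(f"area {area}: {len(abrs)} ABRs; the default route "
                        "may pick a non-optimal exit")
    return {"members": members, "abrs": abrs, "missing_stub": missing,
            "type": area_type, "findings": findings}


if __name__ == "__main__":
    report = audit_stub_area(CONFIGS, "2")
    print(report["type"], report["abrs"])
    for finding in report["findings"]:
        print(finding)
```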
Lab 4.6: OSPF DR and BDR Elections
This lab will have you work with the lab OSPF DR and BDR Election layout to watch the
DR and BDR elections on the 10.10.10.0 network, by forcing and verifying the election
process. Remember that elections occur on broadcast and non-broadcast multi-access networks
only. This means we need a LAN to run this lab, as shown in the network layout.
Network Layout: Load the network layout file, OSPF DR and BDR Elections Layout.rsm.
Lab Steps
1. Double-click 2621 Router A in order to bring up the console screen.
2. Configure the hostname.
Router>enable
Router#config t
Router(config)#hostname 2621A
3. Configure the router with OSPF.
2621A(config)#router ospf 1
2621A(config-router)#network 10.10.10.0 0.0.0.255 area 0
4. Configure interface Fa0/0 for 2621 Router A.
2621A(config)#int f0/0
2621A(config-if)#ip add 10.10.10.1 255.255.255.0
2621A(config-if)#no shut
2621A(config-if)#ctrl+z
2621A#copy run start
5. Use the menu to change to the console for 2621 Router B.
6. Configure the hostname.
Router>enable
Router#config t
Router(config)#hostname 2621B
7. Configure the router with OSPF.
2621B(config)#router ospf 1
2621B(config-router)#network 10.10.10.0 0.0.0.255 area 0
8. Configure interface Fa0/0 for 2621 Router B.
2621B(config)#int f0/0
2621B(config-if)#ip add 10.10.10.3 255.255.255.0
2621B(config-if)#no shut
2621B(config-if)#ctrl+z
2621B#copy run start
9. Use the menu to change to the console for 2811 Router A.
10. Configure the hostname.
Router>enable
Router#config t
Router(config)#hostname 2811A
11. Configure the router with OSPF.
2811A(config)#router ospf 1
2811A(config-router)#network 10.10.10.0 0.0.0.255 area 0
12. Configure interface Fa0/0 for the 2811 A router.
2811A(config)#int f0/0
2811A(config-if)#ip add 10.10.10.2 255.255.255.0
2811A(config-if)#no shut
2811A(config-if)#ctrl+z
2811A#copy run start
13. Use the menu to change to the console for 2811 Router B.
14. Configure the hostname.
Router>enable
Router#config t
Router(config)#hostname 2811B
15. Configure the router with OSPF.
2811B(config)#router ospf 1
2811B(config-router)#network 10.10.10.0 0.0.0.255 area 0
16. Configure interface Fa0/0 for 2811 Router B.
2811B(config)#int f0/0
2811B(config-if)#ip add 10.10.10.4 255.255.255.0
2811B(config-if)#no shut
2811B(config-if)#ctrl+z
2811B#copy run start
17. On 2621 Router A verify the RID of your router. Use the show ip ospf command on
the router to gather this information.
2621A#show ip ospf
Routing Process ospf 1 with ID 10.10.10.1
Supports only single TOS(TOS0) routes
SPF schedule delay 5 secs, Hold time between two SPFs 10 secs
Minimum LSA interval 5 secs. Minimum LSA arrival 1 secs
Number of external LSA 0. Checksum Sum 0x0
Number of DCbitless external LSA 0
Number of DoNotAge external LSA 0
Number of areas in this router is 1. 1 normal 0 stub 0 nssa
External flood list length 0
Area BACKBONE(0) (Inactive)
Number of interfaces in this area is 1
Area has no authentication
SPF algorithm executed 7 times
Area ranges are
Number of LSA 1. Checksum Sum 0x2E2A0
Number of DCbitless LSA 0
Number of indication LSA 0
Number of DoNotAge LSA 0
Flood list length 0
2621A#
18. Enter the command show ip ospf interface fa0/0 to verify area ID, DR, BDR information
and the hello and dead timers of the interface connected to the 10.1.1.0 network.
2621A#show ip ospf interface fa0/0
FastEthernet0/0 is up, line protocol is up
Internet Address 10.10.10.1/24, Area 0
Process ID 1, Router ID 10.10.10.1, Network Type BROADCAST, Cost: 64
Transmit Delay is 1 sec, State DROTHER, Priority 1
Designated Router (ID) 10.10.10.4 , Interface address 10.10.10.4
Backup Designated router (ID) 10.10.10.3 , Interface address 10.10.10.3
Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
Hello due in 00:00:01
Index 1/1, flood queue length 0
Next 0x0(0)/0x0(0)
Last flood scan length is 0, maximum is 0
Last flood scan time is 0 msec, maximum is 0 msec
Neighbor Count is 3, Adjacent neighbor count is 3
Adjacent with neighbor 10.10.10.3(Backup Designated Router)
Adjacent with neighbor 10.10.10.2(Other Designated Router)
Adjacent with neighbor 10.10.10.4(Designated Router)
Suppress hello for 0 neighbor(s)
2621A#
19. By looking at the show ip ospf interface fa0/0 output, which router is the DR? Which
router is the BDR?
20. Verify the network type of your router. Since the connection is on an Ethernet LAN,
the Network Type is BROADCAST. What would the Network Type be if you were
viewing a serial connection? Answer: point-to-point.
21. The priority of all routers, by default, is 1. If you were to change the priority to 0, then
the router would never participate in the election process for the LAN (remember that
elections do not occur on serial point-to-point links).
22. Change the priority of a router that you choose to become the new DR. Choose any
router that is not the DR at this moment.
23. Enable the debugging process that allows you to see the DR and BDR election take place.
Use the command debug ip ospf adjacency on the router that will become the DR.
24. For the router that was chosen to become the new DR, set your priority of the
FastEthernet 0/0 interface to 3. Here is how you do that:
config t
int fa0/0
ip ospf priority 3
25. Now shut down all the Fa0/0 interfaces of all four routers.
26. Now enable all four routers' fa0/0 interfaces with the no shut command.
27. The election should take place and the router you have chosen with the highest priority
should now be the DR.
28. Type show ip ospf interface fa0/0 to verify the DR and BDR information.
29. Hopefully you also noticed the debug output of the election process.
30. The priority of a router's interface can be set all the way up to 255. However, if the
priority is set to 255, the DR/BDR can never be formed.
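The election in steps 17 to 28 can be reproduced offline. The sketch below is an added example, not part of the lab software: it is a simplified model of the RFC 2328 section 9.4 election that assumes one shared view of the segment and that all four routers come up within the same Wait interval. It shows why step 25 shuts every Fa0/0 interface: raising a priority alone does not displace a DR that is already in place.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Optional


@dataclass
class Router:
    rid: str                        # router ID as shown by "show ip ospf"
    priority: int = 1               # "ip ospf priority"; 0 = never elected
    says_dr: Optional[str] = None   # DR this router currently advertises
    says_bdr: Optional[str] = None  # BDR this router currently advertises


def rank(router):
    """Higher priority wins; the higher router ID breaks ties."""
    return (router.priority, int(IPv4Address(router.rid)))


def one_pass(routers):
    """One run of the BDR step followed by the DR step."""
    eligible = [r for r in routers if r.priority > 0]
    # BDR: routers not claiming DR; those already claiming BDR are preferred.
    not_dr = [r for r in eligible if r.says_dr != r.rid]
    claims_bdr = [r for r in not_dr if r.says_bdr == r.rid]
    pool = claims_bdr or not_dr
    bdr = max(pool, key=rank) if pool else None
    # DR: best router already claiming DR; if none, the new BDR is promoted.
    claims_dr = [r for r in eligible if r.says_dr == r.rid]
    dr = max(claims_dr, key=rank) if claims_dr else bdr
    return dr, bdr


def elect(routers):
    """Repeat the steps until the result is stable. Returns (dr, bdr) IDs."""
    previous = None
    while True:
        dr, bdr = one_pass(routers)
        result = (dr.rid if dr else None,
                  bdr.rid if bdr and bdr is not dr else None)
        for r in routers:
            r.says_dr, r.says_bdr = result
        if result == previous:
            return result
        previous = result


def bounce(routers):
    """Model steps 25-26: all interfaces go down and come back up."""
    for r in routers:
        r.says_dr = r.says_bdr = None


def lab_routers():
    """The four routers of Lab 4.6, all with the default priority of 1."""
    return [Router("10.10.10.1"), Router("10.10.10.2"),
            Router("10.10.10.3"), Router("10.10.10.4")]


if __name__ == "__main__":
    segment = lab_routers()
    print("cold start:      ", elect(segment))
    segment[0].priority = 3            # step 24 on 2621 Router A
    print("priority raised: ", elect(segment))
    bounce(segment)                    # steps 25-26
    print("after shut/no shut:", elect(segment))
```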
Virtual LANs (VLANs)
Lab 5: Introduction to
Virtual LANs
A VLAN is a group of hosts that are (logically) connected, regardless of their (physical) LAN
segment location. This allows you to specify where packets are transmitted instead of them
being seen by every device. VLAN configuring is accomplished through software configurations,
which makes it easy to add or move a single host or group of hosts when needed. VLANs
create smaller broadcast domains, thus reducing broadcast collisions and increasing the
efficiency of your network resources. Easily managing your network, adding security, and the
future growth of your network can be addressed by the use of VLANs.
This section will cover VLANs configured for the 1900, 3550, and 3560 switches. The
labs covered in this section include:
5.1: Configuring VLANs on a 1900 Switch
5.2: Configuring the 1900 Switch
The labs above are for the 1900 switch, which is not a switch used in the
Standard Layout, but is included for your educational purpose. The 1900
switch is an older switch and is end-of-life from Cisco.
5.3: Configuring VLANs on a 3550 Switch
5.4: Configuring Trunk Ports/VTP Domain on a 3550 Switch
5.5: Configuring VLANs on a 3560 Switch
5.6: Configuring Trunk Ports/VTP Domain on a 3560 Switch
5.7: Intra and InterVLAN Routing
The commands used in this section are described below:
Command                     Description
delete vtp                  Deletes VTP configurations from a switch
encapsulation isl 2         Sets ISL routing for VLAN 2
int f0/0.1                  Creates a subinterface
interface e0/5              Configures Ethernet interface 5
interface f0/26             Configures FastEthernet 26
show trunk A                Shows the trunking status of port 26
show trunk B                Shows the trunking status of port 27
show vlan                   Shows all configured VLANs
show vlan-membership        Shows all port VLAN assignments
show vtp                    Shows the VTP configuration of a switch
trunk auto                  Sets the port to auto trunking mode
trunk on                    Sets a port to permanent trunking mode
vlan 2 name Sales           Creates a VLAN 2 named Sales
vlan-membership static 2    Assigns a static VLAN to a port
vtp client                  Sets the switch to be a VTP client
vtp domain                  Sets the domain name for the VTP configuration
vtp server                  Sets the switch to be a VTP server
Lab 5.1: Configuring VLANs on a 1900 Switch
Configuring VLANs is the easy part of the job. It is trying to understand which users you
want in each VLAN that is time consuming. Once you have decided the number of VLANs
you want to create and the users that will be members of each VLAN, you can create your
VLAN. You can create up to 64 VLANs on a 1900 switch.
Lab Steps
1. Double-click 1900 Switch A in order to bring up the console screen.
2. To configure VLANs on the 1900 series switch, choose k from the initial user interface
menu to get into IOS configuration. The following switch output is the console
display when connecting to a 1900 switch. Press k to enter the CLI mode, and enter
global configuration mode using the enable command and then config t.
1 user(s) now active on Management Console.
User Interface Menu
[M] Menus
[K] Command Line
Enter Selection: k
Network Layout
Load 1900 Switch Layout.rsm before going through the following lab.
1. On the Network Visualizer screen, click on the File menu and then click Open.
2. When the dialog box appears, make sure you are in the Networks folder.
3. Click on the file 1900 Switch Layout.rsm and click Open.
CLI session with the switch is open.
To end the CLI session, enter [Exit].
3. To configure VLANs on an IOS-based switch, use the vlan [vlan#] name [vlan
name] command. The following will demonstrate how to configure VLANs on the
switch by creating three VLANs for three different departments.
>en
#config t
Enter configuration commands, one per line. End with CNTL/Z
(config)#hostname 1900A
1900A(config)#vlan 2 name sales
1900A(config)#vlan 3 name marketing
1900A(config)#vlan 4 name mis
1900A(config)#exit
4. After you create the VLANs that you want, you can use the show vlan command to see
the configured VLANs. However, notice that by default all ports on the switch are in
VLAN 1. To change the VLAN associated with a port you need to go to each interface
and tell it what VLAN to be a member of.
Once the VLANs are created, verify your configuration with the show vlan command
(sh vlan for short).
1900A#sh vlan
VLAN Name Status Ports
--------------------------------------
1 default Enabled 1-12,A,B,AUI
2 sales Enabled
3 marketing Enabled
4 mis Enabled
1002 fddi-default Suspended
1003 token-ring-defau Suspended
1004 fddinet-default Suspended
1005 trnet-default Suspended
--------------------------------------
[output cut]
5. You can configure each port to be in a VLAN by using the vlan-membership command.
You can only configure VLANs one port at a time. There is no command to assign more
than one port to a VLAN at a time with the 1900 switch. In the following example, we
configure interface 2 to VLAN 2, interface 4 to VLAN 3, and interface 5 to VLAN 4.
1900A#config t
Enter configuration commands, one per line. End with CNTL/Z
1900A(config)#int e0/2
1900A(config-if)#vlan-membership ?
dynamic Set VLAN membership type as dynamic
static Set VLAN membership type as static
1900A(config-if)#vlan-membership static ?
<1-1005> ISL VLAN index
1900A(config-if)#vlan-membership static 2
1900A(config-if)#int e0/4
1900A(config-if)#vlan-membership static 3
1900A(config-if)#int e0/5
1900A(config-if)#vlan-membership static 4
1900A(config-if)#exit
1900A(config)#exit
6. Now, type show vlan again to see the ports assigned to each VLAN.
1900A#sh vlan
VLAN Name Status Ports
--------------------------------------
1 default Enabled 1,3,6-12,A,B,AUI
2 sales Enabled 2
3 marketing Enabled 4
4 mis Enabled 5
1002 fddi-default Suspended
1003 token-ring-defau Suspended
1004 fddinet-default Suspended
1005 trnet-default Suspended
--------------------------------------
[output cut]
7. Another command you can use to see the ports assigned to a VLAN is show
vlan-membership. Notice that this command shows each port on the switch, which
VLAN the port is a member of, and the membership type (static or dynamic).
1900A#sh vlan-membership
Port VLAN Membership Type Port VLAN Membership Type
----------------------------- -----------------------------
1 1 Static
2 2 Static
3 1 Static
4 3 Static
5 4 Static
6 1 Static
7 1 Static
8 1 Static
9 1 Static
10 1 Static
11 1 Static
12 1 Static
AUI 1 Static
A 1 Static
B 1 Static
1900A#
Save Your File: Make sure you save the network layout file that you have been working on.
Lab 5.3: Configuring VLANs on a 3550 Switch
Configuring VLANs is the easy part of the job. It is trying to understand which users you want
in each VLAN that is time consuming. Once you have decided the number of VLANs you
want to create and the users that will be members of each VLAN, you can create your VLAN.
Network Layout
Load Standard Layout.rsm or whatever you named the file when you saved your work
in earlier labs.
Lab Steps
1. To configure VLANs on the 3550 series switch, you can configure the VLANs from
the VLAN database. You do this from privileged mode, not configuration mode. Type
vlan database:
3550A#vlan database
2. To configure VLANs on the 3550 switch, use the vlan # name name command. The
following shows an example of creating three VLANs.
3550A(vlan)#vlan 2 name Sales
VLAN 2 added:
Name: Sales
3550A(vlan)#vlan 4 name Marketing
VLAN 4 added:
Name: Marketing
3550A(vlan)#vlan 7 name Research
VLAN 7 added:
Name: Research
3550A(vlan)#exit
APPLY completed.
Exiting....
3550A#
3. You must apply your changes to the switch. You can either use the apply command or
use the exit command which will then apply the changes.
4. After you create the VLANs that you want, you can use the show vlan command to
see the configured VLANs. However, notice that by default all ports on the switch are
in VLAN 1. To change the VLAN associated with a port you need to go to each inter-
face and tell it what VLAN to be a member of.
Once the VLANs are created, verify your configuration with the show vlan command
(show vlan for short).
3550A#show vlan
VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
1 default active Fa0/1, Fa0/2, Fa0/4, Fa0/5
Fa0/6, Fa0/7, Fa0/8, Fa0/9
Fa0/10
2 Sales active
4 Marketing active
7 Research active
1002 fddi-default active
1003 token-ring-default active
1004 fddinet-default active
1005 trnet-default active
[output cut]
5. You can configure each port to be in a VLAN by using the switchport access vlan #
command. You can only configure VLANs one port at a time. In the following example,
we configure interface 1 to VLAN 2, interface 5 to VLAN 7, and interface 10 to VLAN 4.
3550A#config t
Enter configuration commands, one per line. End with CNTL/Z
3550A(config)#int fa0/1
3550A(config-if)#switchport access vlan 2
3550A(config)#int fa0/5
3550A(config-if)#switchport access vlan 7
3550A(config-if)#int fa0/10
3550A(config-if)#switchport access vlan 4
3550A(config-if)#exit
6. You must also set the port to be in access mode, which means that the interface will
only be a member of one VLAN.
3550A(config)#int fa0/1
3550A(config-if)#switchport mode access
3550A(config)#int fa0/5
3550A(config-if)#switchport mode access
3550A(config-if)#int fa0/10
3550A(config-if)#switchport mode access
3550A(config-if)#exit
3550A(config)#exit
3550A#copy run start
Destination filename [startup-config]?
Building configuration...
[OK]
3550A#
7. Now, type show vlan again to see the ports assigned to each VLAN.
3550A#sh vlan
VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
1 default active Fa0/2, Fa0/4, Fa0/6, Fa0/7
Fa0/8, Fa0/9
2 Sales active Fa0/1
4 Marketing active Fa0/10
7 Research active Fa0/5
1002 fddi-default active
1003 token-ring-default active
1004 fddinet-default active
1005 trnet-default active
[output cut]
Interface Fa0/1 is a member of VLAN 2, interface Fa0/05 is a member of VLAN 5, and
interface Fa0/10 is a member of VLAN 4.
8. Another command you can use to see the ports assigned to a VLAN is show
running-config.
3550A#show run
[output cut]
!
interface FastEthernet0/1
switchport access vlan 2
switchport mode access
!
interface FastEthernet0/5
switchport access vlan 7
switchport mode access
!
interface FastEthernet0/10
switchport access vlan 4
switchport mode access
!
[output cut]
3550A#
Save Your File: Make sure you save the network layout file that you have been working on.
Lab 5.4: Configuring Trunk Ports and VTP Domain on a 3550 Switch
Configure Trunk Ports
Trunk links are 100 or 1000 Mbps point-to-point links between two switches, between
a switch and router, or between a switch and server. Trunked links carry the traffic of
multiple VLANs, from 1 to 1005 at a time. You cannot run trunked links on 10Mbps
links, nor would you want to. Remember that an access link is a port on a switch that is
a member of only one VLAN.
In this network 3560 Switch A is connected to 3550 Switch A via interface Fa0/3 on each
device. That is what we are going to use to set our trunk port between the two switches.
Lab Steps
1. To configure trunking on a 3550 port, use the switchport mode trunk interface
command. In this lab we will set it up for fa0/3.
3550A>en
3550A#config t
Network Layout
Work with the saved network that you used to configure devices in Lab 5.3.
3550A(config)#int fa0/3
3550A(config-if)#switchport trunk encapsulation ?
dot1q Interface uses only 802.1q trunking encapsulation when
trunking
isl Interface uses only ISL trunking encapsulation when
trunking
negotiate Device will negotiate trunking encapsulation with peer on
interface
3550A(config-if)#switchport trunk encapsulation dot1q
3550A(config-if)#switchport mode trunk
2. By default, traffic from all VLANs is sent over a trunk link. To change the VLANs
permitted to send traffic on a trunk link, use the switchport trunk allowed vlan
except # command. The command allows traffic from all VLANs except the VLANs
listed. In lab 9.5 we set up VLAN 7; for now we do not want to allow VLAN 7 to send
traffic across the trunk link.
3550A(config-if)#switchport trunk allowed vlan except 7
3. The above command sets the trunking interface to allow traffic from all VLANs except
for VLAN 7.
4. To verify your trunk ports, use the show running-config command.
3550A(config-if)#exit
3550A(config)#exit
3550A#show run
[output cut]
!
interface FastEthernet0/3
switchport trunk allowed vlan 1-6,8-1005
switchport mode trunk
switchport trunk encapsulation dot1q
!
[output cut]
5. Notice in the above output that all VLANs are allowed except for VLAN 7.
Configure VTP Domain
Every Catalyst switch is configured by default to be a VTP server. To configure VTP, first
configure the domain name you want to use, as discussed in the next section. Once you
configure the VTP information on a switch, you need to verify the configuration.
6. Use the vtp global configuration mode command to set this information. In the following
example, we explicitly set switch 3550 A to be a VTP server, which it already is, and then
set the VTP domain to routersim.
3550A(config)#vtp mode server
Device mode already VTP SERVER.
3550A(config)#vtp domain routersim
Changing VTP domain name from NULL to routersim
3550A(config)#
7. After you configure the VTP information, you can verify it with the show vtp status
command.
3550A#show vtp status
VTP Version : 2
Configuration Revision : 4
Maximum VLANs supported locally : 64
Number of existing VLANs : 8
VTP Operating Mode : Server
VTP Domain Name : routersim
VTP Pruning Mode : Disabled
VTP V2 Mode : Disabled
VTP Traps Generation : Disabled
MD5 digest : 0x70 0x01 0xF2 0x72 0x97 0xA1 0x35 0xEB
Configuration last modified by: 172.16.10.17 at 11-29-93 20:39:24
Local updater ID is 172.16.10.17 on interface Vl1 (lowest numbered VLAN
interface found)
3550A#
The preceding switch output shows the VTP domain and the switch's mode.
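The access-port settings from Lab 5.3 and the `switchport trunk allowed vlan except 7` restriction from this lab can be verified from a saved show run. The following is an added example, not part of the lab software: the Fa0/7 block is constructed, the indentation follows real IOS output rather than the flattened listing above, and only the numeric allowed-VLAN list form shown in the lab is parsed.

```python
import re

VLAN_MIN, VLAN_MAX = 1, 1005   # range the lab text gives for trunked VLANs

# Blocks for Fa0/1, Fa0/3, Fa0/5 and Fa0/10 repeat the lab's show run
# output. Fa0/7 is constructed: a VLAN assigned without access mode.
SHOW_RUN = """\
!
interface FastEthernet0/1
 switchport access vlan 2
 switchport mode access
!
interface FastEthernet0/3
 switchport trunk allowed vlan 1-6,8-1005
 switchport mode trunk
 switchport trunk encapsulation dot1q
!
interface FastEthernet0/5
 switchport access vlan 7
 switchport mode access
!
interface FastEthernet0/7
 switchport access vlan 4
!
interface FastEthernet0/10
 switchport access vlan 4
 switchport mode access
!
"""


def parse_vlan_list(text):
    """'1-6,8-1005' -> set of VLAN numbers."""
    vlans = set()
    for part in text.split(","):
        low, _, high = part.strip().partition("-")
        vlans.update(range(int(low), int(high or low) + 1))
    return vlans


def format_vlan_list(vlans):
    """Set of VLAN numbers -> compact range string as IOS prints it."""
    runs = []
    for vlan in sorted(vlans):
        if runs and vlan == runs[-1][1] + 1:
            runs[-1][1] = vlan
        else:
            runs.append([vlan, vlan])
    return ",".join(str(a) if a == b else f"{a}-{b}" for a, b in runs)


def allowed_except(excluded):
    """What 'switchport trunk allowed vlan except ...' leaves on the trunk."""
    everything = set(range(VLAN_MIN, VLAN_MAX + 1))
    return format_vlan_list(everything - set(excluded))


def parse_interfaces(show_run):
    """Return {interface: {'mode', 'access_vlan', 'allowed'}}."""
    ports, current = {}, None
    for line in show_run.splitlines():
        header = re.match(r"interface (\S+)", line)
        if header:
            current = ports.setdefault(
                header.group(1),
                {"mode": None, "access_vlan": 1, "allowed": None})
            continue
        if current is None or not line.startswith(" "):
            current = None                 # '!' or top-level command
            continue
        cmd = line.strip()
        m = re.match(r"switchport mode (\S+)$", cmd)
        if m:
            current["mode"] = m.group(1)
        m = re.match(r"switchport access vlan (\d+)$", cmd)
        if m:
            current["access_vlan"] = int(m.group(1))
        m = re.match(r"switchport trunk allowed vlan ([\d,\-]+)$", cmd)
        if m:
            current["allowed"] = parse_vlan_list(m.group(1))
    return ports


def audit(ports, restricted):
    """Flag trunks carrying a restricted VLAN and ports with no mode set."""
    findings = []
    for name, port in ports.items():
        if port["mode"] == "trunk":
            allowed = port["allowed"]
            if allowed is None:            # no allowed list: all VLANs pass
                allowed = set(range(VLAN_MIN, VLAN_MAX + 1))
            leaked = sorted(allowed & set(restricted))
            if leaked:
                findings.append(
                    f"{name}: trunk carries restricted VLAN(s) {leaked}")
        elif port["mode"] is None:
            findings.append(
                f"{name}: access VLAN {port['access_vlan']} assigned "
                "without 'switchport mode access'")
    return findings


if __name__ == "__main__":
    print(allowed_except([7]))
    for finding in audit(parse_interfaces(SHOW_RUN), {7}):
        print(finding)
```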
Lab 5.5: Configuring VLANs on a 3560 Switch
In this lab we want to eventually associate ports 2 and 8 with VLANs 2 and 4, which were
set up for 3550 Switch A in lab 5.3. However, we do not have to manually set up VLANs 2
and 4 again for 3560 Switch A. That can be broadcast from 3550 Switch A (from work you
did in lab 5.2); however, we must do a couple of things in order to facilitate that.
Lab Steps
1. Initially, let's issue the show vlan command to verify that there are no VLANs associated
with 3560 Switch A.
3560A#sh vlan
VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
1 default active Fa0/1, Fa0/2, Fa0/4, Fa0/5
Fa0/6, Fa0/7, Fa0/8, Gi0/1
1002 fddi-default active
1003 token-ring-default active
1004 fddinet-default active
1005 trnet-default active
[output cut]
No VLANs!
Network Layout
Work with the saved network that you used to configure devices in Lab 5.4.
2. We now need to configure two ports, one for each VLAN by using the switchport
access vlan # command. You can only configure VLANs one port at a time. In the
following example, we configure interface 2 to VLAN 2 and interface 8 to VLAN 4.
3560A(config)#config t
Enter configuration commands, one per line. End with CNTL/Z
3560A(config)#int fa0/2
3560A(config-if)#switchport access vlan 2
3560A(config-if)#int f0/8
3560A(config-if)#switchport access vlan 4
3. You must also set the port to be in access mode, which means that the interface will
only be a member of one VLAN.
3560A(config)#int fa0/2
3560A(config-if)#switchport mode access
3560A(config-if)#int fa0/8
3560A(config-if)#switchport mode access
3560A(config-if)#exit
3560A(config)#exit
3560A#copy run start
Destination filename [startup-config]?
Building configuration...
[OK]
3560A#
4. We can verify what we did with the two ports with the show run command.
3560A#show run
[output cut]
!
interface FastEthernet0/2
switchport access vlan 2
switchport mode access
!
interface FastEthernet0/8
switchport access vlan 4
switchport mode access
!
[output cut]
3560A#
Save Your File: Make sure you save the network layout file that you have been working on.
Lab 5.6: Configuring Trunk Ports and VTP Domain on a 3550 Switch
Configure Trunk Ports
Trunk links are 100 or 1000 Mbps point-to-point links between two switches, between
a switch and router, or between a switch and server. Trunked links carry the traffic of
multiple VLANs, from 1 to 1005 at a time. You cannot run trunked links on 10Mbps
links, nor would you want to. Remember that an access link is a port on a switch that is
a member of only one VLAN.
Lab Steps
1. To configure trunking on a 3560 port, use the switchport mode trunk interface
command. In this lab we will configure interface fa0/3.
3560A>en
3560A#config t
Network Layout
Work with the saved network that you used to configure devices in Lab 5.5.
3560A(config)#int fa0/3
3560A(config-if)#switchport mode trunk
3560A(config-if)#switchport trunk encapsulation dot1q
2. To verify your trunk port, use the show running-config command.
3560A(config-if)#exit
3560A(config)#exit
3560A#show run
[output cut]
!
interface FastEthernet0/3
switchport mode trunk
switchport trunk encapsulation dot1q
!
[output cut]
Configure VTP Domain
Every Catalyst switch is configured by default to be a VTP server. To configure VTP, first
configure the domain name you want to use, as discussed in the next section. Once you configure
the VTP information on a switch, you need to verify the configuration.
3. Use the vtp global configuration mode command to set this information. In the
following example, we set the switch to a VTP client and then set the VTP domain to
routersim.
3560A(config)#config t
3560A(config)#vtp mode client
Setting device to VTP CLIENT mode.
3560A(config)#vtp domain routersim
Changing VTP domain name from NULL to routersim
3560A(config)#ctrl+z
4. After you configure the VTP information, you can verify it with the show vtp command.
3560A#sh vtp status
VTP Version : 2
Configuration Revision : 3
Maximum VLANs supported locally : 64
Number of existing VLANs : 7
VTP Operating Mode : Client
VTP Domain Name : routersim
VTP Pruning Mode : Disabled
VTP V2 Mode : Disabled
VTP Traps Generation : Disabled
MD5 digest : 0x70 0x01 0xF2 0x72 0x97 0xA1 0x35 0xEB
Configuration last modified by: 172.16.10.3 at 11-29-93 20:39:24
Local updater ID is 172.16.10.3 on interface Vl1 (lowest numbered VLAN
interface
found)
3560A#
The preceding switch output shows the VTP domain and the switch's mode.
5. VLAN information should now be propagated from 3550 Switch A to 3560 Switch A.
Confirm this with the show vlan command.
3560A#show vlan
VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
1 default active Fa0/1, Fa0/4, Fa0/5, Fa0/6,
Fa0/7
Gi0/1
2 Sales active Fa0/2
4 Marketing active Fa0/8
7 Research active
1002 fddi-default active
1003 token-ring-default active
1004 fddinet-default active
1005 trnet-default active
VLAN 7 will not be allowed to pass any traffic on the trunk link because we
issued the command switchport trunk allowed vlan except 7 in lab
5.4, step 2.
Lab 5.7: IntraVLAN and InterVLAN Routing
In previous labs we have set up VLANs 2 and 4 for the 3550 and 3560 switches. We will
first set up the proper subnetting so that we can place Hosts A and C in VLAN 2 and
Hosts B and D in VLAN 4. We will then have you test this by communicating with the
VLANs. Then we will set up interVLAN routing so that hosts from VLANs 2 and 4 can
communicate with each other. Network devices in different VLANs cannot communicate
with each other without sending traffic through a router. In this lab we will use 2811
Router A to perform the 802.1q routing so that we can route traffic between the two
VLANs.
Two new subnets will be needed. We will use subnets 172.16.2.0/24 and 172.16.3.0/24.
2811 Router A FastEthernet 0/0 interface will stay at 172.16.10.1/24; however, the IP address
needs to be moved to a subinterface, which we'll do in a minute.
Lab Steps
1. We configured all hosts in this network in ICND1 lab 2.11. If you have not configured
the hosts in this lab, you should go through ICND1 lab 2.11.
Let's start from that point. VLAN 2 will have a subnet of 172.16.2.0/24 and
VLAN 4 will have a subnet of 172.16.3.0/24. Change the current IP addresses of
the hosts so they are in their proper VLAN. Change the IP addresses and default
gateways of the four hosts.
Network Layout
Work with the saved network that you used to configure devices in Lab 5.6.
Host  Current IP Address  New IP Address  New Default Gateway
A     172.16.10.5         172.16.2.2      172.16.2.1
B     172.16.10.6         172.16.3.3      172.16.3.1
C     172.16.10.7         172.16.2.3      172.16.2.1
D     172.16.10.8         172.16.3.2      172.16.3.1
2. Verify you have set up the VLANs correctly by pinging from Host A to Host C.
C:\>ping 172.16.2.3
Pinging 172.16.2.3 with 32 bytes of data:
Reply from 172.16.2.3 ;bytes=32 time=22ms TTL=254
Reply from 172.16.2.3 ;bytes=32 time=22ms TTL=254
Reply from 172.16.2.3 ;bytes=32 time=22ms TTL=254
Reply from 172.16.2.3 ;bytes=32 time=22ms TTL=254
Ping Statistics for 172.16.2.3:
Packets Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 22ms, Maximum = 23ms, Average = 22ms
C:\>
Once you can ping, you know you have configured at least one VLAN correctly. At this
time, Host A and Host C cannot ping anything else in the network except each other.
3. At this point you should not be able to ping Host B even though it is connected to the
same switch.
C:\>ping 172.16.3.3
Pinging 172.16.3.3 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Ping Statistics for 172.16.3.3:
Packets Sent = 4, Received = 0, Lost = 4 (100% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms
C:\>
4. Verify you have set up the VLANs correctly by pinging from Host B to Host D.
C:\>ping 172.16.3.2
Pinging 172.16.3.2 with 32 bytes of data:
Reply from 172.16.3.2 ;bytes=32 time=22ms TTL=254
Reply from 172.16.3.2 ;bytes=32 time=22ms TTL=254
Reply from 172.16.3.2 ;bytes=32 time=22ms TTL=254
Reply from 172.16.3.2 ;bytes=32 time=22ms TTL=254
Ping Statistics for 172.16.3.2:
Packets Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 22ms, Maximum = 23ms, Average = 22ms
C:\>
Once you can ping, you know you have configured both VLANs correctly. At this
time, Host B and Host D cannot ping anything else in the network except each other.
5. To have the hosts ping outside their own VLAN, you must set up some type of routing.
You also need to set up a trunk link between the switch and the router. Use the 2811
Router A FastEthernet 0/0 interface and create 802.1q routing. Create three subinterfaces,
one for each VLAN. To establish a trunk link between 3550 Switch A and 2811 Router A,
configure FastEthernet 0/4 on 3550 Switch A as a trunk port with 802.1q encapsulation.
2811A>enable
2811A#config t
2811A(config)#int fa0/0
2811A(config-if)#no ip address
2811A(config-if)#int fa0/0.1
2811A(config-subif)#encapsulation dot1q 1
2811A(config-subif)#ip address 172.16.10.1 255.255.255.0
2811A(config-subif)# int fa0/0.2
2811A(config-subif)#encapsulation dot1q 2
2811A(config-subif)#ip address 172.16.2.1 255.255.255.0
2811A(config-subif)# int fa0/0.3
2811A(config-subif)#encapsulation dot1q 4
2811A(config-subif)#ip address 172.16.3.1 255.255.255.0
2811A(config-subif)#router ospf 102
2811A(config-router)#network 172.16.2.0 0.0.0.255 a 0
2811A(config-router)#network 172.16.3.0 0.0.0.255 a 0
2811A(config-router)#exit
2811A(config)#exit
2811A#copy run start
Destination filename [startup-config]?
Building configuration...
[OK]
2811A#
3550A>en
3550A#config t
3550A(config)#int f0/4
3550A(config-if)#switchport mode trunk
3550A(config-if)#switchport trunk encapsulation dot1q
6. Verify your sub-interface configurations with the show run command.
2811A(config)#show run
[output cut]
!
interface FastEthernet0/0
description connection to LAN 10
no ip address
no ip directed-broadcast
!
interface FastEthernet0/0.1
encapsulation dot1Q 1
ip address 172.16.10.1 255.255.255.0
!
interface FastEthernet0/0.2
encapsulation dot1Q 2
ip address 172.16.2.1 255.255.255.0
!
interface FastEthernet0/0.4
encapsulation dot1Q 4
ip address 172.16.3.1 255.255.255.0
!
[output cut]
7. At this point, the hosts should be able to ping all hosts and 2811 Router A.
Access Lists
Lab 6: Introduction to Managing Traffic with Access Lists
This set of labs will have you configure IP filtering on the internetwork. The proper use and
configuration of access lists is a vital part of router configuration. Contributing mightily to
the efficiency and optimization of your network, access lists give network managers a huge
amount of control over traffic flow throughout the internetwork.
With access lists, managers can gather basic statistics on packet flow and security policies
can be implemented. Sensitive devices can also be protected from unauthorized access. We
will discuss access lists for TCP/IP, and we will cover some of the tools available to test and
monitor the functionality of applied access lists.
The following labs are presented in this section:
- 6.1: Standard IP Access-Lists Lab
- 6.2: Verifying Standard IP Access-lists Lab
- 6.3: Applying an Access-List to a VTY Line Lab
- 6.4: Extended IP Access-Lists Lab
- 6.5: Verifying Extended IP Access-lists
- 6.6: Removing Extended IP Access-lists
The commands covered in this chapter are as follows:
Command                  Meaning
access-list              Creates a list of tests to filter the networks.
host                     Specifies a single host address.
any                      Wildcard command. Specifies any host or any network;
                         same as the 0.0.0.0 255.255.255.255 command.
0.0.0.0 255.255.255.255  Wildcard command; same as the any command.
ip access-group          Applies an IP access-list to an interface.
access-class             Applies a standard IP access list to a VTY line.
show access-list         Shows all the access lists configured on the router.
show access-list 110     Shows only access-list 110.
show ip access-list      Shows only the IP access lists.
show ip interface        Shows which interfaces have IP access lists applied.
Access List
A set of permissions that have been established at an interface level that are used
to permit or deny packets moving through a router, and permit or deny Telnet (VTY)
access to or from a router. It essentially acts as a packet filtering firewall.
There are two types of access lists used with IP.
Standard access lists: these use only the source IP address in an IP packet to filter the
network. This basically permits or denies an entire suite of protocols. IPX standards can
filter on both source and destination IPX address.
Extended access lists: these check for both source and destination IP address, the protocol
field in the Network layer header, and the port number at the Transport layer header.
Once you create an access list, you apply it to an interface with either an inbound or
outbound list:
Inbound access lists: packets are processed through the access list before being routed to
the outbound interface.
Outbound access lists: packets are routed to the outbound interface and then processed
through the access list.
Lab 6.1: Standard IP Access-Lists
This lab will have you block access to network 172.16.40.0 from Host F. Access-lists can
be tricky because if you do not create your lists correctly, you can bring the network down.
There are two steps with access-lists:
- Create an access-list
- Apply an access-list
Standard IP access-lists use source addresses for filtering packets. A collection of permit
and deny conditions is applied to IP addresses.
1. Double-click Host F.
Network Layout
Load Standard Layout.rsm or whatever you named the file when you saved your work
in earlier labs.
2. Verify that you can ping to the 2950 Switch A and that you can ping Host E from Host F.
C:\>ping 172.16.40.2
Pinging 172.16.40.2 with 32 bytes of data:
Reply from 172.16.40.2 ;bytes=32 time=22ms TTL=254
Reply from 172.16.40.2 ;bytes=32 time=22ms TTL=254
Reply from 172.16.40.2 ;bytes=32 time=22ms TTL=254
Reply from 172.16.40.2 ;bytes=32 time=22ms TTL=254
Ping Statistics for 172.16.40.2:
Packets Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 22ms, Maximum = 23ms, Average = 22ms
C:\>ping 172.16.40.3
Pinging 172.16.40.3 with 32 bytes of data:
Reply from 172.16.40.3 ;bytes=32 time=22ms TTL=254
Reply from 172.16.40.3 ;bytes=32 time=22ms TTL=254
Reply from 172.16.40.3 ;bytes=32 time=22ms TTL=254
Reply from 172.16.40.3 ;bytes=32 time=22ms TTL=254
Ping Statistics for 172.16.40.3:
Packets Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 22ms, Maximum = 23ms, Average = 22ms
C:\>
3. From the Host F menu, bring up the console for the 2621 Router A.
4. Create an access-list that blocks access from host F trying to get to network 172.16.40.0.
2621A>enable
2621A#config t
2621A(config)#access-list 10 deny host 172.16.50.3
2621A(config)#access-list 10 permit any
That is all we're going to do for the list. Remember that IP standard access-lists should
be created closest to the destination network, which is why we built that access-list on
2621 Router A. It is directly connected to network 172.16.40.0.
5. After creating an access-list for 2621 Router A, we now need to add the access-list to
the serial 0/0 interface of 2621 Router A.
2621A(config)#interface serial 0/0
2621A(config-if)#ip access-group 10 in
This applied the access-list 10 to the serial 0/0 interface of 2621 Router A and filtered
any incoming packets.
6. Check to see that Host F can no longer ping to 172.16.40.2 and 172.16.40.3.
C:\>ping 172.16.40.2
Pinging 172.16.40.2 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.
C:\>
C:\>ping 172.16.40.3
Pinging 172.16.40.3 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.
C:\>
7. If the access-list is correct, all other devices should still be able to reach network
172.16.40.0. Ping from 2621 Router B and verify that you can reach 172.16.40.2
and 172.16.40.3.
2621B#ping 172.16.40.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.40.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/4 ms
2621B#
2621B#ping 172.16.40.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.40.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/4 ms
2621B#
Save Your File: Make sure you save the network layout file that you have been working on.
Lab 6.2: Verifying Standard IP Access-Lists
Pinging and telnetting through the internetwork is a really good way to verify the network and
access-lists. However, using the Cisco IOS commands is also a good way to verify the lists.
Network Layout
Work with the saved network that you used to configure devices in lab 6.1.
Lab Steps
1. Bring up the console for 2621 Router A and type show access-list to see the list
configured on the router.
2621A(config-if)#ctrl+z
2621A#show access-list
Standard IP access list 10
deny 172.16.50.3
permit any
2621A#
2. You can also type either show ip access-list or show access-list 10 to gather specific list
configurations.
2621A#show access-list 10
Standard IP access list 10
deny 172.16.50.3
permit any
2621A#
3. To see which interface has access-lists applied, use the show ip interface command.
2621A#show ip interface
Serial0/0 is up, line protocol is up
Internet address is 172.16.20.2/24
Broadcast address is 255.255.255.255
Address determined by setup command
MTU is 1514 bytes
Helper address is not set
Directed broadcast forwarding is disabled
Outgoing access list is not set
Inbound access list is 10
[output cut]
4. The show running-config command is useful to see both the access-list and to verify the
interface where the access-list is applied.
2621A#show run
[output cut]
!
interface Serial0/0
description connection to 2811A
ip address 172.16.20.2 255.255.255.0
no ip directed-broadcast
ip access-group 10 in
!
[output cut]
Lab 6.3: Applying an Access-List to a VTY Line
You will have a difficult time trying to stop users from telnetting into a router because any
active port on a router is fair game for VTY access. However, you can use a standard IP
access-list to control access by placing the access-list on the VTY lines themselves.
To perform this function:
1. Create a standard IP access-list that permits only the host or hosts you want to be able
to telnet into the routers.
2. Apply the access list to the VTY line with the access-class command.
This lab will have you stop Host F from telnetting into 2621 Router A.
Network Layout
Work with the saved network that you used to configure devices in lab 6.2.
Lab Steps
1. Remove the access-list on 2621 Router A.
2621A#config t
2621A(config)#no access-list 10
2. Remove the access-list on the serial 0/0 interface of 2621 Router A.
2621A(config)#int s0/0
2621A(config-if)#no ip access-group 10 in
You can just type no access-list 10 to remove the access-list, but you
must type the whole command from the interface to remove the list from
the interface on the router.
3. Verify that Host F can telnet into 2621 Router A.
C:\>telnet 172.16.20.2
Connecting To 172.16.20.2 ...
This is 2621 Router A
User Access Verification
Password:
2621A>
4. Exit from your telnet session.
2621A>exit
Connection to host lost.
C:\>
5. Connect to 2621 Router A and block telnet access for Host F, but allow all other
devices to telnet to the 2621 A router.
2621A#config t
2621A(config)#access-list 20 deny host 172.16.50.3
2621A(config)#access-list 20 permit any
6. Apply the access-list directly to the VTY lines and not to an interface.
2621A(config)#line vty 0 4
2621A(config-line)#access-class 20 in
2621A(config-line)#ctrl+z
2621A#
7. Verify that Host F can no longer telnet into 2621 Router A.
C:\>telnet 172.16.20.2
Connecting To 172.16.20.2 ...Could not open a connection to host: Connect
failed
C:\>
8. Use the Host F menu to go to the 2621 Router A console.
9. Verify that 2621 Router B can still telnet into 2621 Router A.
2621B#telnet 172.16.20.2
Trying 172.16.20.2 ... Open
This is 2621 Router A
User Access Verification
Password:
2621A>
Save Your File: Make sure you save the network layout file that you have been working on.
Lab 6.4: Extended IP Access-Lists
In this lab we will remove the standard IP access-list on 2621 Router A and create a new
access-list that is more succinct on 2621 Router A. We want Host F to use the services on
the 172.16.40.0 network, but we don't want them to telnet into 2950 Switch A.
Lab Steps
1. Remove the access-list on 2621 Router A.
2621A#config t
2621A(config)#no access-list 20
2. Bring up the Host F console by using 2621 Router A's menu.
Network Layout
Work with the saved network that you used to configure devices in lab 6.3.
3. Verify that Host F can now ping 172.16.40.2 and 172.16.40.3.
C:\>ping 172.16.40.2
Pinging 172.16.40.2 with 32 bytes of data:
Reply from 172.16.40.2 ;bytes=32 time=22ms TTL=254
Reply from 172.16.40.2 ;bytes=32 time=22ms TTL=254
Reply from 172.16.40.2 ;bytes=32 time=22ms TTL=254
Reply from 172.16.40.2 ;bytes=32 time=22ms TTL=254
Ping Statistics for 172.16.40.2:
Packets Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 22ms, Maximum = 23ms, Average = 22ms
C:\>ping 172.16.40.3
Pinging 172.16.40.3 with 32 bytes of data:
Reply from 172.16.40.3 ;bytes=32 time=22ms TTL=254
Reply from 172.16.40.3 ;bytes=32 time=22ms TTL=254
Reply from 172.16.40.3 ;bytes=32 time=22ms TTL=254
Reply from 172.16.40.3 ;bytes=32 time=22ms TTL=254
Ping Statistics for 172.16.40.3:
Packets Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 22ms, Maximum = 23ms, Average = 22ms
C:\>
4. Create an access-list on 2621 Router A to block telnet access into the 172.16.40.0
network, but still allow Host F to ping Host E.
2621A#config t
2621A(config)#access-list 110 deny tcp host 172.16.50.3 172.16.40.0 0.0.0.255 eq telnet
2621A(config)#access-list 110 permit ip any any
This access-list blocked source address 172.16.50.3 from telnetting into
172.16.40.0.
5. Apply this access-list to the serial interface 0/0 of 2621 Router A to filter the packets
coming into the router.
2621A(config)#int s0/0
2621A(config-if)#ip access-group 110 in
2621A(config-if)#ctrl+z
2621A#
6. Test the access-list by trying to telnet to 172.16.40.2 from Host F (remember, you cannot
telnet to a host). All other devices should be able to telnet to 172.16.40.2.
C:\>telnet 172.16.40.2
Connecting To 172.16.40.2 ...Could not open a connection to host: Connect
failed
C:\>
Save Your File: Make sure you save the network layout file that you have been working on.
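The following added example (not part of the book or the simulator) models how IOS evaluates the lists built in Labs 6.1 and 6.4: wildcard-mask matching, first match wins, and the implicit deny at the end of every list. List 30 and the address 172.16.50.4 are constructed for illustration, and only the ACL syntax used in these labs is parsed.

```python
import ipaddress
from collections import namedtuple

# Constructed sample: the ACL lines entered in Labs 6.1 and 6.4, plus list 30,
# a hypothetical copy of list 10 with the trailing "permit any" left out.
CONFIG = """
access-list 10 deny host 172.16.50.3
access-list 10 permit any
access-list 30 deny host 172.16.50.3
access-list 110 deny tcp host 172.16.50.3 172.16.40.0 0.0.0.255 eq telnet
access-list 110 permit ip any any
"""

PORTS = {"telnet": 23, "smtp": 25, "www": 80}   # small subset of IOS port keywords
ANY = (0, 0xFFFFFFFF)                            # every bit is "don't care"

# src and dst are (address, wildcard mask) pairs; dport None means any port.
Entry = namedtuple("Entry", "action proto src dst dport")


def _ip(text):
    return int(ipaddress.IPv4Address(text))


def _take_addr(tokens):
    """Consume 'any', 'host A', 'A WILDCARD' or a bare 'A' from the token list."""
    head = tokens.pop(0)
    if head == "any":
        return ANY
    if head == "host":
        return _ip(tokens.pop(0)), 0
    if tokens and tokens[0].count(".") == 3:
        return _ip(head), _ip(tokens.pop(0))
    return _ip(head), 0          # standard lists accept a bare host address


def parse(config):
    """Return {list number: [Entry, ...]} in configuration order."""
    lists = {}
    for line in config.splitlines():
        tokens = line.split()
        if not tokens or tokens[0] != "access-list":
            continue
        number, action, rest = int(tokens[1]), tokens[2], tokens[3:]
        if 1 <= number <= 99:                    # standard: source address only
            entry = Entry(action, "ip", _take_addr(rest), ANY, None)
        else:                                    # extended (100-199)
            proto = rest.pop(0)
            src = _take_addr(rest)
            dst = _take_addr(rest)
            dport = None
            if rest[:1] == ["eq"]:
                dport = PORTS[rest[1]] if rest[1] in PORTS else int(rest[1])
            entry = Entry(action, proto, src, dst, dport)
        lists.setdefault(number, []).append(entry)
    return lists


def _match(addr, rule):
    base, wildcard = rule
    # Wildcard bits set to 1 are ignored; every other bit must be equal.
    return ((addr ^ base) & ~wildcard & 0xFFFFFFFF) == 0


def evaluate(entries, proto, src, dst, dport=None):
    """First matching entry decides; no match falls through to the implicit deny."""
    src, dst = _ip(src), _ip(dst)
    for e in entries:
        if e.proto not in ("ip", proto):
            continue
        if not (_match(src, e.src) and _match(dst, e.dst)):
            continue
        if e.dport is not None and e.dport != dport:
            continue
        return e.action
    return "deny"


if __name__ == "__main__":
    acls = parse(CONFIG)
    host_f, other = "172.16.50.3", "172.16.50.4"   # "other" is a constructed address
    probes = (("F ping", host_f, "icmp", None),
              ("F telnet", host_f, "tcp", 23),
              ("other telnet", other, "tcp", 23))
    for number in (10, 30, 110):
        for label, src, proto, port in probes:
            verdict = evaluate(acls[number], proto, src, "172.16.40.2", port)
            print(f"list {number:<3} {label:<13} -> {verdict}")
```

List 30 denies every probe, including the unrelated host: without a closing permit, the implicit deny drops all traffic on the interface the list is applied to.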
Lab 6.5: Verifying Extended IP Access-lists
We will use the same command as we did to verify the IP Standard Access-Lists. Go
to 2621 Router A (if you created the list on 2621 Router A) and verify your access-list.
Remember that ping and telnet are really good tools to verify your network as well.
Network Layout
Work with the saved network that you used to configure devices in lab 6.4.
Lab Steps
1. From 2621 Router A, type the show access-list command to see the configured list.
2621A#show access-list
Extended IP access list 110
deny tcp host 172.16.50.3 172.16.40.0 0.0.0.255 eq telnet
permit ip any any
2621A#
2. Use the show access-list 110 command to see only list 110.
2621A#show access-list 110
Extended IP access list 110
deny tcp host 172.16.50.3 172.16.40.0 0.0.0.255 eq telnet
permit ip any any
2621A#
3. You can also use show ip access-list to see only the IP access-list configured on
your router.
2621A#show ip access-list
Extended IP access list 110
deny tcp host 172.16.50.3 172.16.40.0 0.0.0.255 eq telnet
permit ip any any
2621A#
4. Verify which interface has an access-list set by using the show ip interface command
on 2621 Router A.
2621A#show ip interface
Serial0/0 is up, line protocol is up
Internet address is 172.16.20.2/24
Broadcast address is 255.255.255.255
Address determined by setup command
MTU is 1514 bytes
Helper address is not set
Directed broadcast forwarding is disabled
Outgoing access list is not set
Inbound access list is 110
[output cut]
2621A#
Lab 6.6: Removing Extended IP Access-lists
To remove the extended IP access-list, perform the following steps.
Lab Steps
1. Remove the access-list on 2621 Router A.
2621A#config t
2621A(config)#no access-list 110
2. Remove the access-list on the serial 0/0 interface of 2621 Router A.
2621A(config)#interface serial 0/0
2621A(config-if)#no ip access-group 110 in
You can just type no access-list 110 to remove the access-list, but you
must type the whole command from the interface to remove the list from
the interface on the router.
Network Layout
Work with the saved network that you used to configure devices in lab 6.4.
3. Verify that you have removed the extended IP access-list.
2621A(config)#show run
[output cut]
!
interface Serial0/0
description connection to 2811A
ip address 172.16.20.2 255.255.255.0
no ip directed-broadcast
!
[output cut]
Practice Scenario: NAT and ACLs
Configuring ACLs for Telnet and SSH
Now that you have learned about some concepts and completed some hands-on work, try
your problem-solving and troubleshooting skills with the following task. To complete your
task you will need a network to interact with a scenario and the task(s) at hand.
When you have finished with this scenario ...
You can check your work by clicking the Grade Me button in the upper right hand corner
of the Network Visualizer screen.
You will see a report that will display:
- The name of the command entered for this scenario
- The expected configuration
- Your configuration
- The result for each command. You will see a green check mark (meaning that you got
  it correct) or a red X
- A score of the number of correct answers out of the total possible
Network Layout
On the Network Visualizer screen, click on the Labs menu then choose Practice
Scenarios, NAT and ACLs, and Configuring ACLs for Telnet and SSH.
Turn On Hostnames
In some of the practice labs we refer to the hostname of a device. Therefore, we need to
make sure that Hostnames is turned on for this lab. On the Network Visualizer screen click
View and then click Hostnames so that it has a checkmark next to it.
Scenario
Colorado Company RouterSim is planning and designing their new corporate Internetwork.
You are the network administrator for the Denver network. Develop an extended access list
that will block the California network from telnetting into the DNVR_RTR router.
Task
Configure access-list 150 on the DNVR_RTR router as close as possible to the source
network. Set it up so that any router or switch in the 172.16.40 network is blocked.
NAT/PAT
Lab 7.1: Configuring Dynamic NAT
This section will show you how to configure NAT to translate from real ISP assigned
addresses to private addresses so that the inside network can communicate to the Internet.
Network Layout
Use the network that you worked with in ICND1 lab 5.1. The network is Nat-Pat Layout.rsm
or whatever you renamed it in the earlier lab. If you have not completed that lab, please
go back and go through it.
Lab Steps
1. In this step, you'll configure a dynamic NAT pool on 2811 Router B. Create a pool
of addresses called RouterSim on 2811 Router B. The pool should contain a range of
addresses of 171.16.10.50 through 171.16.10.55.
2811B(config)#ip nat pool RouterSim 171.16.10.50 171.16.10.55 net 255.255.255.0
2. Create access-list 1. This list permits traffic from the 192.168.20.0 and 192.168.10.0
network to be translated.
2811B(config)#access-list 1 permit 192.168.20.0 0.0.0.255
2811B(config)#access-list 1 permit 192.168.10.0 0.0.0.255
3. Map the access list to the pool that was created.
2811B(config)#ip nat inside source list 1 pool RouterSim
4. Configure fa0/0 as an inside NAT interface.
2811B(config)#int fa0/0
2811B(config-if)#ip nat inside
5. Configure serial 0/0/0 as an outside NAT interface.
2811B(config-if)#int s0/0/0
2811B(config-if)#ip nat outside
6. Bring up the console for 2811 Router D. Telnet from 2811 Router D to 2811
Router A; do not disconnect.
2811D#telnet 171.16.10.1
Trying 171.16.10.1 ... Open
Password required, but none set
[Connection to 171.16.10.1 closed by foreign host]
2811D#
We received this message because we did not set up a telnet password on 2811 Router A.
7. Go to the 2811 A router and set up a telnet password.
2811A#config t
2811ARouter(config)#line vty 0 1180
2811ARouter(config-line)#password todd2
8. Try step 6 again and if you are successful, move on to step 9.
9. Bring up the console for 2811 Router C. Telnet from the 2811 Router C to 2811
Router A; do not disconnect.
2811C#telnet 171.16.10.1
10. Go back to 2811 Router A and execute the command show users. (This shows who is
accessing the VTY lines).
2811A#show users
Line User Host(s) Idle Location
0 con 0 idle 00:00:00
2 vty 0 idle 00:00:40 171.16.10.50
* 3 vty 1 idle 00:00:17 171.16.10.51
Interface User Mode Idle Peer Address
2811A#
Notice that there is a one-to-one translation, which means you must have a real IP
address for every host that wants to get to the Internet; that is not always possible.
11. Leave the session open on 2811 Router A and connect back to 2811 Router B.
12. Bring up the console for 2811 Router B and view your current translations by entering
the show ip nat translation command. You should see something like this:
2811B#sh ip nat translations
Pro Inside global Inside local Outside local Outside global
--- 171.16.10.50 192.168.20.2 --- ---
--- 171.16.10.51 192.168.10.2 --- ---
2811B#
Remember that the inside local is before translation and the inside global is after
translation, and how you are known on the Internet.
Exit out of the telnet session from 2811 Router D.
13. If you turn on debug ip nat on 2811 Router B and then ping through the router from
2811 Router D, you will see the actual NAT process take place, which will look
something like this:
2811B#debug ip nat
2811D#ping 171.16.10.1
2811B#
Feb 27 17:16:18.256: NAT*: s=192.168.20.2->171.16.10.52, d=171.16.10.1 [1]
Feb 27 17:16:18.260: NAT*: s=171.16.10.1->171.16.10.52, d=192.168.20.2 [1]
Save Your File: Make sure you save the network layout file that you have been working on.
Lab 7.2: Configuring PAT
Port Address Translation (PAT), also called NAT Overload, uses TCP and UDP port
numbers to uniquely identify hosts on the inside network so that everyone on the inside
network can use only one real IP address to send packets to the Internet. Static NAT is a
one-for-one translation, which means that each host uses a unique real IP address to send
packets to the Internet. By using PAT, we save address space by using only one real IP
address for all hosts.
In this lab, you'll configure Port Address Translation (PAT) on 2811 Router B. We will
use PAT because we don't want a one-to-one translation, but instead we want to just use
one IP address for every user on the network.
Network Layout
Use the network you worked with in lab 7.1.
Lab Steps
1. Terminate the telnet sessions on 2811 Router C by using the exit command.
2. On the 2811 Router B, delete the translation table and remove the dynamic NAT pool.
2811B#clear ip nat translation *
2811B#config t
2811B(config)#no ip nat pool RouterSim 171.16.10.50 171.16.10.55 netmask 255.255.255.0
2811B(config)#no ip nat inside source list 1 pool RouterSim
3. On 2811 Router B, create a NAT pool with one address called Lammle. The pool
should contain a single address 171.16.10.100. Enter the command below:
2811B(config)#ip nat pool Lammle 171.16.10.100 171.16.10.100 netmask 255.255.255.0
4. Create access-list 2. It should permit networks 192.168.20.0 and 192.168.10.0 to be
translated.
2811B(config)#access-list 2 permit 192.168.20.0 0.0.0.255
2811B(config)#access-list 2 permit 192.168.10.0 0.0.0.255
5. Map the access-list 2 to the new pool, allowing PAT to occur by using the overload
command.
2811B(config)#ip nat inside source list 2 pool Lammle overload
6. Bring up the console for 2811 Router D and telnet to 2811 Router A. Then bring up the
2811 Router C and telnet to 2811 Router A.
7. From the ISP router use the show users command. The output should look something
like this:
2811A>sh users
Line User Host(s) Idle Location
0 con 0 idle 00:00:00
2 vty 0 idle 00:00:29 171.16.10.100
* 3 vty 1 idle 00:00:21 171.16.10.100
Interface User Mode Idle Peer Address
2811A>
8. From 2811 Router B use the show ip nat translations command.
2811B#sh ip nat translations
Pro Inside global Inside local Outside local Outside global
tcp 171.16.10.100:1723 192.168.10.2:1723 171.16.10.1:23 171.16.10.1:23
tcp 171.16.10.100:1723 192.168.20.2:1723 171.16.10.1:23 171.16.10.1:23
2811B#
9. Exit the telnet session from 2811 Router D.
10. Also make sure that the debug ip nat command is on 2811 Router B. If you ping from
2811 Router C to 2811 Router A, the output will look like this:
01:12:36: NAT: s=192.168.10.2->171.16.10.100, d=171.16.10.1 [35]
01:12:36: NAT*:s=171.16.10.1, d=171.16.10.100->192.168.10.2 [35]
01:12:36: NAT*:s=192.168.10.2->171.16.10.100, d=171.16.10.1 [36]
01:12:36: NAT*:s=171.16.10.1, d=171.16.10.100->192.168.10.2 [36]
01:12:36: NAT*:s=192.168.10.2->171.16.10.100, d=171.16.10.1 [37]
01:12:36: NAT*:s=171.16.10.1, d=171.16.10.100->192.168.10.2 [37]
01:12:36: NAT*:s=192.168.10.2->171.16.10.100, d=171.16.10.1 [38]
01:12:36: NAT*:s=171.16.10.1, d=171.16.10.100->192.168.10.2 [38]
01:12:37: NAT*:s=192.168.10.2->171.16.10.100, d=171.16.10.1 [39]
01:12:37: NAT*:s=171.16.10.1, d=171.16.10.100->192.168.10.2
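The following added example (not from the book or the simulator) models the translation tables of Labs 7.1 and 7.2: a dynamic pool hands out one whole address per inside host and can run out, while overload keys each entry on protocol and port. The class name and the port search starting at 1024 are assumptions made for this sketch; it also shows that when two inside hosts use the same source port, the second has to receive a different global port so return traffic can be matched to one host.

```python
import ipaddress


def _pool(first, last):
    lo, hi = int(ipaddress.IPv4Address(first)), int(ipaddress.IPv4Address(last))
    return [str(ipaddress.IPv4Address(a)) for a in range(lo, hi + 1)]


class InsideSourceNat:
    """Simplified model of 'ip nat inside source list N pool P [overload]'.

    Hypothetical class for illustration; it is not an IOS data structure.
    """

    def __init__(self, first, last, overload=False):
        self.pool = _pool(first, last)
        self.overload = overload
        self.out = {}    # inside local  -> inside global
        self.back = {}   # inside global -> inside local

    def _key(self, proto, ip, port):
        # Without overload an entry covers the whole host address;
        # with overload it is one (protocol, address, port) flow.
        return (proto, ip, port) if self.overload else ip

    def _candidates(self, proto, src_port):
        if not self.overload:
            yield from self.pool
            return
        for addr in self.pool:                    # fill one address before the next
            yield (proto, addr, src_port)         # keep the source port if it is free
            for port in range(1024, 65536):       # assumed search order
                yield (proto, addr, port)

    def outbound(self, proto, src_ip, src_port):
        """Translate a packet leaving the inside network; None means no free entry."""
        key = self._key(proto, src_ip, src_port)
        if key in self.out:
            return self.out[key]
        for glob in self._candidates(proto, src_port):
            if glob not in self.back:
                self.out[key] = glob
                self.back[glob] = key
                return glob
        return None

    def inbound(self, proto, dst_ip, dst_port):
        """Reverse lookup for a packet arriving from outside; None means no entry."""
        return self.back.get(self._key(proto, dst_ip, dst_port))


if __name__ == "__main__":
    # Lab 7.1: pool RouterSim, six addresses, no overload.
    nat = InsideSourceNat("171.16.10.50", "171.16.10.55")
    print(nat.outbound("tcp", "192.168.20.2", 1723))   # 171.16.10.50
    print(nat.outbound("tcp", "192.168.10.2", 1723))   # 171.16.10.51
    for last_octet in range(3, 7):                      # constructed extra hosts
        nat.outbound("tcp", f"192.168.10.{last_octet}", 1723)
    print(nat.outbound("tcp", "192.168.10.7", 1723))   # None: pool exhausted

    # Lab 7.2: pool Lammle, one address, overload.
    pat = InsideSourceNat("171.16.10.100", "171.16.10.100", overload=True)
    print(pat.outbound("tcp", "192.168.10.2", 1723))   # source port kept
    print(pat.outbound("tcp", "192.168.20.2", 1723))   # same port taken, so remapped
    print(pat.inbound("tcp", "171.16.10.100", 23))     # None: unsolicited, no entry
```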
Lab 7.3: NAT/PAT Final Configuration Exercise
In this lab, you will configure two routers and a host so that the inside network can
communicate with the outside network using Port Address Translation. You will not use the
network layout used previously. You have six public IP addresses assigned to your company:
198.18.194.73-78. There are 30 hosts that need to access the Internet simultaneously.
- Host range on the inside network is 192.168.35.65-94
- Inside global addresses are 198.18.194.73-78/29
- Inside local addresses are 192.168.35.65-94/27
Lab Steps
1. Double-click 2811 Router B to open the console screen.
Network Layout
Load Nat-Pat Final Layout.rsm before going through the following lab.
1. On the Network Visualizer screen, click on the File menu and then click Open.
2. When the dialog box appears, make sure you are in the Networks folder.
3. Click on the file Nat-Pat Final Layout and click Open.
2. Configure 2811 Router B.
Router>en
Router#config t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#hostname 2811B
2811B(config)#int fa0/0
2811B(config-if)#ip address 192.168.35.94 255.255.255.224
2811B(config-if)#no shut
2811B(config-if)#int s0/0/0
2811B(config-if)#ip address 192.0.2.157 255.255.255.252
2811B(config-if)#clock rate 1000000
2811B(config-if)#no shut
2811B(config-if)#ctrl+z
2811B#copy run start
Destination filename [startup-config]? [enter]
Building configuration...
[OK]
2811B#
3. Configure 2811 Router A with IP addresses and default routing.
Router>en
Router#config t
Router(config)#hostname 2811A
2811A(config)#int s0/0/1
2811A(config-if)#ip address 192.0.2.158 255.255.255.252
2811A(config-if)#no shut
2811A(config-if)#exit
2811A(config)#ip route 0.0.0.0 0.0.0.0 192.0.2.157
4. Configure your host with the IP address 192.168.35.65/27. Don't forget to set your
default-gateway.
5. Create an inside source list that will allow the inside hosts to access the NAT pool and
allow the use of PAT.
2811B#config t
2811B(config)#ip nat inside source list 10 pool 2811B overload
6. Next, create an access-list for IP range 192.168.35.65-94/27.
2811B(config)#access-list 10 permit 192.168.35.64 0.0.0.31
7. Verify your access-list.
2811B(config)#do show run
Building configuration...
!
Current configuration : 960 bytes
!
access-list 10 permit 192.168.35.64 0.0.0.31
[output cut]
2811B(config)#do show access-lists
Standard IP access list 10
10 permit 192.168.35.64, wildcard bits 0.0.0.31
2811B(config)#
8. Create the pool with the six available global host IP addresses.
2811B(config)#ip nat pool 2811B 198.18.194.73 198.18.194.78 netmask 255.255.255.248
9. Configure the interfaces for use with NAT.
2811B(config)#int fa0/0
2811B(config-if)#ip nat inside
2811B(config-if)#int s0/0/0
2811B(config-if)#ip nat outside
2811B(config-if)#exit
2811B(config)#exit
2811B#copy run start
Destination filename [startup-config]? [enter]
Building configuration...
[OK]
2811B#
10. Change the console screen to Host A and then ping 2811 Router A.
C:\ping 192.0.2.158
11. Change to the console screen for 2811 Router B and verify your NAT/PAT configuration
by enabling debug ip nat.
2811B#debug ip nat
IP NAT debugging is on
Dec 3 16:48:09.484: NAT*: s=192.168.35.65->198.18.194.73, d=192.0.2.158 [1]
Dec 3 16:48:09.500: NAT*: s=192.0.2.158->198.18.194.73, d=192.168.35.65 [1]
2811B#
12. Verify your NAT table with the following command:
2811B#sh ip nat translations
Pro Inside global Inside local Outside local Outside global
icmp 198.18.194.74:1 192.168.35.65:1 192.0.2.158:1 192.0.2.158:1
2811B#
13. Delete the NAT/PAT configuration on your routers.
14. Reconfigure the router with the following IP addresses on 2811 Router B (try to
configure this without looking at the answers for the NAT/PAT configuration we
just finished):
Interface f0/0: 192.168.76.94/27
Interface s0/0/0: 192.0.2.165/30
Inside global: 198.18.149.113-118/29
Inside local: 192.168.76.65-94/27
15. Verify your NAT configuration.
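The wildcard and netmask arithmetic behind steps 5, 6 and 8, as an added Python example that is not part of the lab book or its simulator. The function names and the list of test source addresses are this example's own; the addresses in the configuration are the ones used in the steps above.

```python
import ipaddress


def wildcard_match(addr, base, wildcard):
    """Standard-ACL test: bits set to 1 in the wildcard are ignored."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (
        int(ipaddress.IPv4Address(base)) & care)


def acl_for(inside_interface):
    """Network address and wildcard covering the inside interface's subnet."""
    net = ipaddress.ip_interface(inside_interface).network
    return str(net.network_address), str(net.hostmask)


def pool_netmask(first, last):
    """Netmask of the smallest subnet holding first..last, plus the pool size."""
    lo, hi = ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)
    if hi < lo:
        raise ValueError("pool end is below pool start")
    net = ipaddress.ip_network(f"{lo}/32")
    while hi not in net:
        net = net.supernet()
    return str(net.netmask), int(hi) - int(lo) + 1


def pat_config(inside_interface, first, last, acl=10, pool="2811B"):
    """The three global-configuration lines from steps 5, 6 and 8."""
    base, wildcard = acl_for(inside_interface)
    mask, _ = pool_netmask(first, last)
    return [
        f"ip nat inside source list {acl} pool {pool} overload",
        f"access-list {acl} permit {base} {wildcard}",
        f"ip nat pool {pool} {first} {last} netmask {mask}",
    ]


def translated(sources, base, wildcard):
    """Sources the ACL permits, i.e. the ones NAT will translate."""
    return [s for s in sources if wildcard_match(s, base, wildcard)]


# Constructed test sources: two inside hosts, one host in the next /27,
# and one host in a different /24.
SOURCES = ["192.168.35.65", "192.168.35.94", "192.168.35.97", "192.168.36.70"]

if __name__ == "__main__":
    for line in pat_config("192.168.35.94/27", "198.18.194.73", "198.18.194.78"):
        print(line)
    base, wildcard = acl_for("192.168.35.94/27")
    print("translated:", translated(SOURCES, base, wildcard))
    # Failure mode: a subnet mask typed where the wildcard belongs.
    # The ACL then ignores the first 27 bits and no inside host matches.
    print("mask typo :", translated(SOURCES, base, "255.255.255.224"))
```

The last line shows why a subnet mask entered in place of the wildcard leaves Host A untranslated: the ACL then compares only the low five bits of each source address.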
VLSM with Summarization
Lab 8.1: VLSM with Summarization Lab - Configuring Routers
The following lab will have you configure a medium size network into block sizes of 32 (/27)
using the EIGRP routing protocol and summarizing the classless boundaries. The switches
will not be configured in this lab and they will behave just like hubs. You will configure each
router in the lab with the appropriate IP addressing and verify the configuration in lab 8.2.
Network Layout
Load VLSM Layout.rsm before going through the following lab.
1. On the Network Visualizer screen, click on the File menu and then click Open.
2. When the dialog box appears, make sure you are in the Networks folder.
3. Click on the file VLSM Layout.rsm and click Open.
Routers 2811 A through 2811 E will be configured in the 192.168.10.32/27 network and
routers 2811 F through 2811 J will be configured in the 192.168.10.64/27 network. In each
network there are four block sizes of four (the WAN links) and two block sizes of eight
(the LANs).
To connect routers 2811 A and 2811 F across the backbone, we will use the 10.1.1.0/24
network. This is called discontiguous networking because we have one class of network
(192.168.10.0) connecting across to the same network address through the 10.0.0.0 network
and this will not work by default. RIPv1 and IGRP can never work in this type of network. In
order to use VLSM with discontiguous networking in your network, you must use one of the
following routing protocols: RIPv2, EIGRP, OSPF or IS-IS (these are considered classless routing
protocols). This lab will have you use EIGRP as the classless routing protocol.
Here is the IP addressing scheme used in this lab for routers 2811 A through 2811 E
(notice how the four block sizes of four and two block sizes of eight fit in one block size of
32; this is VLSM network addressing):
Router          Block Sizes
2811 Router A   S0/0/0: 192.168.10.37/30 (subnet 36, block size of 4)
                S0/0/1: 192.168.10.33/30 (subnet 32, block size of 4)
                F0/0: 10.1.1.1/24
2811 Router B   S0/0/0: 192.168.10.41/30 (subnet 40, block size of 4)
                S0/0/1: 192.168.10.34/30 (subnet 32, connected to s0/0/1 of 2811 Router A)
2811 Router C   S0/0/0: 192.168.10.45/30 (subnet 44, block size of 4)
                S0/0/1: 192.168.10.38/30 (subnet 36, connected to s0/0/0 of 2811 Router A)
2811 Router D   S0/0/0: 192.168.10.42/30 (connected to s0/0/0 of router 2811 B)
                F0/0: 192.168.10.49/29 (subnet 48, block size of 8)
Discontiguous Networking
A network is discontiguous when a major network like 192.168.10.0 is separated by a
different major network like 10.0.0.0. Example: The 192.168.10.0/24 network can be
subnetted into two or more networks. The networks 192.168.10.36/30 and 192.168.10.80/29
are configured on different routers. The routers are using the 10.0.0.0 network to connect
to each other, thus one major network is separated by another major network.
Router          Block Sizes
2811 Router E   S0/0/0: 192.168.10.46/30 (connected to s0/0/0 of router 2811 C)
                F0/0: 192.168.10.57/29 (subnet 56, block size of 8)
2811 Router F   S0/0/0: 192.168.10.69/30 (subnet 64, block size of 4)
                S0/0/1: 192.168.10.65/30 (subnet 68, block size of 4)
                F0/0: 10.1.1.2/24
2811 Router G   S0/0/0: 192.168.10.73/30 (subnet 72, block size of 4)
                S0/0/1: 192.168.10.66/30 (subnet 64, connected to s0/0/1 of 2811 Router F)
2811 Router H   S0/0/0: 192.168.10.77/30 (subnet 76, block size of 4)
                S0/0/1: 192.168.10.70/30 (subnet 68, connected to s0/0/0 of 2811 Router F)
2811 Router I   S0/0/0: 192.168.10.74/30 (connected to s0/0/0 of router 2811 G)
                F0/0: 192.168.10.81/29 (subnet 80, block size of 8)
2811 Router J   S0/0/0: 192.168.10.78/30 (connected to s0/0/0 of router 2811 H)
                F0/0: 192.168.10.89/29 (subnet 88, block size of 8)
Lab Steps
1. Double-click on 2811 Router A to bring up the console screen.
2. Configure 2811 Router A.
Router>en
Router#config t
Enter configuration commands, one per line. End with CNTL/Z
Router(config)#hostname 2811A
2811A(config)#int s0/0/0
2811A(config-if)#ip address 192.168.10.37 255.255.255.252
2811A(config-if)#no shut
2811A(config-if)#int s0/0/1
2811A(config-if)#ip address 192.168.10.33 255.255.255.252
2811A(config-if)#no shut
2811A(config-if)#int f0/0
2811A(config-if)#ip address 10.1.1.1 255.255.255.0
2811A(config-if)#no shut
2811A(config-if)#ctrl+z
2811A#copy run start
3. Change to the console for 2811 Router B.
4. Configure 2811 Router B.
Router>en
Router#config t
Enter configuration commands, one per line. End with CNTL/Z
Router(config)#hostname 2811B
2811B(config)#int s0/0/0
2811B(config-if)#ip address 192.168.10.41 255.255.255.252
2811B(config-if)#no shut
2811B(config-if)#int s0/0/1
2811B(config-if)#ip address 192.168.10.34 255.255.255.252
2811B(config-if)#no shut
2811B(config-if)#ctrl+z
2811B#copy run start
5. Change to the console for 2811 Router C.
6. Configure 2811 Router C.
Router>en
Router#config t
Enter configuration commands, one per line. End with CNTL/Z
Router(config)#hostname 2811C
2811C(config)#int s0/0/0
2811C(config-if)#ip address 192.168.10.45 255.255.255.252
2811C(config-if)#no shut
2811C(config-if)#int s0/0/1
2811C(config-if)#ip address 192.168.10.38 255.255.255.252
2811C(config-if)#no shut
2811C(config-if)#ctrl+z
2811C#copy run start
7. Change to the console for 2811 Router D.
8. Configure 2811 Router D.
Router>en
Router#config t
Enter configuration commands, one per line. End with CNTL/Z
Router(config)#hostname 2811D
2811D(config)#int s0/0/0
2811D(config-if)#ip address 192.168.10.42 255.255.255.252
2811D(config-if)#no shut
2811D(config-if)#int f0/0
2811D(config-if)#ip address 192.168.10.49 255.255.255.248
2811D(config-if)#no shut
2811D(config-if)#exit
2811D(config)#ctrl+z
2811D#copy run start
9. Change to the console for 2811 Router E.
10. Configure 2811 Router E.
Router>en
Router#config t
Enter configuration commands, one per line. End with CNTL/Z
Router(config)#hostname 2811E
2811E(config)#int s0/0/0
2811E(config-if)#ip address 192.168.10.46 255.255.255.252
2811E(config-if)#no shut
2811E(config-if)#int f0/0
2811E(config-if)#ip address 192.168.10.57 255.255.255.248
2811E(config-if)#no shut
2811E(config-if)#ctrl+z
2811E#copy run start
11. Change to the console for 2811 Router F.
12. Configure 2811 Router F.
Router>en
Router#config t
Enter configuration commands, one per line. End with CNTL/Z
Router(config)#hostname 2811F
2811F(config)#int s0/0/0
2811F(config-if)#ip address 192.168.10.69 255.255.255.252
2811F(config-if)#no shut
2811F(config-if)#int s0/0/1
2811F(config-if)#ip address 192.168.10.65 255.255.255.252
2811F(config-if)#no shut
2811F(config-if)#int f0/0
2811F(config-if)#ip address 10.1.1.2 255.255.255.0
2811F(config-if)#no shut
2811F(config-if)#ctrl+z
2811F#copy run start
13. Change to the console for 2811 Router G.
14. Configure 2811 Router G.
Router>en
Router#config t
Enter configuration commands, one per line. End with CNTL/Z
Router(config)#hostname 2811G
2811G(config)#int s0/0/0
2811G(config-if)#ip address 192.168.10.73 255.255.255.252
2811G(config-if)#no shut
2811G(config-if)#int s0/0/1
2811G(config-if)#ip address 192.168.10.66 255.255.255.252
2811G(config-if)#no shut
2811G(config-if)#ctrl+z
2811G#copy run start
15. Change to the console for 2811 Router H.
16. Configure 2811 Router H.
Router>en
Router#config t
Enter configuration commands, one per line. End with CNTL/Z
Router(config)#hostname 2811H
2811H(config)#int s0/0/0
2811H(config-if)#ip address 192.168.10.77 255.255.255.252
2811H(config-if)#no shut
2811H(config-if)#int s0/0/1
2811H(config-if)#ip address 192.168.10.70 255.255.255.252
2811H(config-if)#no shut
2811H(config-if)#ctrl+z
2811H#copy run start
17. Change to the console for 2811 Router I.
18. Configure 2811 Router I.
Router>en
Router#config t
Enter configuration commands, one per line. End with CNTL/Z
Router(config)#hostname 2811I
2811I(config)#int s0/0/0
2811I(config-if)#ip address 192.168.10.74 255.255.255.252
2811I(config-if)#no shut
2811I(config-if)#int f0/0
2811I(config-if)#ip address 192.168.10.81 255.255.255.248
2811I(config-if)#no shut
2811I(config-if)#ctrl+z
2811I#copy run start
19. Change to the console for 2811 Router J.
20. Configure 2811 Router J.
Router>en
Router#config t
Enter configuration commands, one per line. End with CNTL/Z
Router(config)#hostname 2811J
2811J(config)#int s0/0/0
2811J(config-if)#ip address 192.168.10.78 255.255.255.252
2811J(config-if)#no shut
2811J(config-if)#int f0/0
2811J(config-if)#ip address 192.168.10.89 255.255.255.248
2811J(config-if)#no shut
2811J(config-if)#ctrl+z
2811J#copy run start
Rename and Save Your File: Make sure you save the actual network layout file that
you have been working with. You might want to save it to another file name than VLSM
Layout.rsm. This allows you to start over with a non-configured network if you wish.
1. There are two ways you can save a network layout. The first way is by clicking on the
Diskette button on the button bar, at the top of the Network Visualizer screen. You
can also click File on the menu and choose Save from the drop down menu.
2. A dialog box will appear. At the bottom you will see the file name VLSM Layout.rsm.
Rename the file. In the following example it is renamed to My VLSM Layout.rsm.
3. Click the Save button. At this point your network layout has been saved to a new name.
You then have the option of reloading VLSM Layout.rsm which is not configured.
Lab 8.2: VLSM with Summarization Lab - Configuring Hosts
We will now configure all the hosts in the network.
Network Layout
Use the saved network you were working with in Lab 8.1.
Lab Steps
1. Right-click on Host A.
2. Click on the Configs button.
3. On Host A configure:
- IP Address
- Subnet Mask
- Default Gateway
IP Address: 192.168.10.50
Subnet Mask: 255.255.255.248
Default Gateway: 192.168.10.49
4. Click the OK button and then the Close button.
5. On Host B configure:
- IP Address
- Subnet Mask
- Default Gateway
IP Address: 192.168.10.58
Subnet Mask: 255.255.255.248
Default Gateway: 192.168.10.57
6. Click the OK button and then the Close button.
7. On Host C configure:
- IP Address
- Subnet Mask
- Default Gateway
IP Address: 192.168.10.82
Subnet Mask: 255.255.255.248
Default Gateway: 192.168.10.81
8. Click the OK button and then the Close button.
9. On Host D configure:
- IP Address
- Subnet Mask
- Default Gateway
IP Address: 192.168.10.90
Subnet Mask: 255.255.255.248
Default Gateway: 192.168.10.89
10. Click the OK button and then the Close button.
Save Your File: Make sure you save the network layout file that you have been working on.
Lab 8.4: VLSM with Summarization Lab - Configuring EIGRP with Discontiguous Networking
In this lab you will configure the classless routing protocol EIGRP on each router. EIGRP is an
advanced Distance Vector routing protocol that supports VLSM and discontiguous networks.
In addition, it can be used to manually summarize contiguous network boundaries, which is
what we have.
Enhanced Interior Gateway Routing Protocol (EIGRP) is a Cisco proprietary hybrid
routing protocol. It uses the properties of both distance vector and link state and uses
an administrative distance of 90, so it will automatically overwrite RIP (which has a
default administrative distance of 120) routes in the routing table. Also, it uses autonomous
systems (AS) to create groups of routers that share routing information. The major
difference between IGRP and EIGRP is that EIGRP uses three different tables to create
a stable routing environment and additionally EIGRP only sends updates when needed
whereas IGRP broadcasts routing table entries every 90 seconds.
Remember that although EIGRP is considered a classless routing protocol (which
means it sends subnet mask information with each route update), it is configured in a
classful manner. What this means is that you turn off all subnet bits and host bits to
add each network statement, which is why the network statement is 192.168.10.0, not
192.168.10.32, 192.168.10.36, etc. for each subnet. EIGRP will find the subnets; you
don't type subnets in with the network statement.
Router A is directly connected to the 192.168.10.0 network, but also the 10.1.1.0/24
network is directly connected off of F0/0. What is the network statement we will use?
Remember, ALL subnet bits and host bits are off!
Add EIGRP with AS 10 to each router, using the correct network statement. Also, add
the network statement of network 192.168.10.0 under EIGRP 10 for each router, except
for routers A and F, which will need the network 10.0.0.0 statement as well.
Network Layout
Use the network you were working with in Lab 8.2.
Lab Steps
1. From each router global configuration prompt, add the routing protocol EIGRP with
an AS number of 10:
2811A>en
2811A#config t
2811A(config)#router eigrp 10
2811A(config-router)#network 192.168.10.0
2811A(config-router)#network 10.0.0.0
2811A(config-router)#auto-summary
2811A(config-router)#
2811B>en
2811B#config t
2811B(config)#router eigrp 10
2811B(config-router)#network 192.168.10.0
2811B(config-router)#auto-summary
2811B(config-router)#
2811C>en
2811C#config t
2811C(config)#router eigrp 10
2811C(config-router)#network 192.168.10.0
2811C(config-router)#auto-summary
2811C(config-router)#
2811D>en
2811D#config t
2811D(config)#router eigrp 10
2811D(config-router)#network 192.168.10.0
2811D(config-router)#auto-summary
2811D(config-router)#
2811E>en
2811E#config t
2811E(config)#router eigrp 10
2811E(config-router)#network 192.168.10.0
2811E(config-router)#auto-summary
2811E(config-router)#
2811F>en
2811F#config t
2811F(config)#router eigrp 10
2811F(config-router)#network 192.168.10.0
2811F(config-router)#network 10.0.0.0
2811F(config-router)#auto-summary
2811F(config-router)#
2811G>en
2811G#config t
2811G(config)#router eigrp 10
2811G(config-router)#network 192.168.10.0
2811G(config-router)#auto-summary
2811G(config-router)#
2811H>en
2811H#config t
2811H(config)#router eigrp 10
2811H(config-router)#network 192.168.10.0
2811H(config-router)#auto-summary
2811H(config-router)#
2811I>en
2811I#config t
2811I(config)#router eigrp 10
2811I(config-router)#network 192.168.10.0
2811I(config-router)#auto-summary
2811I(config-router)#
2811J>en
2811J#config t
2811J(config)#router eigrp 10
2811J(config-router)#network 192.168.10.0
2811J(config-router)#auto-summary
2811J(config-router)#
2. Now that we have added our directly connected networks under EIGRP (remember,
add networks, not subnets!), we need to configure 2811 Router A and 2811 Router F to
work using discontiguous networking. Take a look at the routing table of each router
and notice that you can see the subnets in the routing table from each contiguous network
only (2811 Router A through 2811 Router E and 2811 Router F through 2811
Router J). This is because discontiguous networking does not work by default.
2811A(config-router)#ctrl+z
2811A#sh ip route
2811F(config-router)#ctrl+z
2811F#sh ip route
3. We need to add the no auto-summary command to 2811 Router A and 2811 Router F
to have this work.
2811A#config t
2811A(config)#router eigrp 10
2811A(config-router)#no auto-summary
2811F#config t
2811F(config)#router eigrp 10
2811F(config-router)#no auto-summary
4. Now, let's take a look at the routing tables of each router and notice that ALL subnets
are now listed in each router's routing table.
2811J#show ip route
[output cut]
10.0.0.0/24 is subnetted, 1 subnets
D 10.1.1.0 [90/2172416] via 192.168.10.77, 00:12:01, Serial0/0/0
192.168.10.0/24 is variably subnetted, 12 subnets, 2 masks
D 192.168.10.44/30 [90/2172416] via 192.168.10.77, 00:12:01, Serial0/0/0
D 192.168.10.68/30 [90/2172416] via 192.168.10.77, 00:12:01, Serial0/0/0
D 192.168.10.32/30 [90/2172416] via 192.168.10.77, 00:12:01, Serial0/0/0
C 192.168.10.76/30 is directly connected, Serial0/0/0
C 192.168.10.88/29 is directly connected, FastEthernet0/0
D 192.168.10.36/30 [90/2172416] via 192.168.10.77, 00:12:01, Serial0/0/0
D 192.168.10.40/30 [90/2172416] via 192.168.10.77, 00:12:01, Serial0/0/0
D 192.168.10.64/30 [90/2172416] via 192.168.10.77, 00:12:01, Serial0/0/0
D 192.168.10.48/29 [90/2172416] via 192.168.10.77, 00:12:01, Serial0/0/0
D 192.168.10.80/29 [90/2172416] via 192.168.10.77, 00:12:01, Serial0/0/0
D 192.168.10.72/30 [90/2172416] via 192.168.10.77, 00:12:01, Serial0/0/0
D 192.168.10.56/29 [90/2172416] via 192.168.10.77, 00:12:01, Serial0/0/0
Auto-summary
The process of taking subnets like 192.168.10.4/30 or 192.168.10.56/29 and summarizing
them down to their base network class. In the case of 192.168.10.4/30 or
192.168.10.56/29 the networks are summarized to their Class C base network address
of 192.168.10.0/24.
No auto-summary
The process of taking the subnets like 192.168.10.4/30 or 192.168.10.56/29 and not
summarizing them down to their base network class. In the case of 192.168.10.4/30 or
192.168.10.56/29, the networks are never summarized to their Class C base network
address of 192.168.10.0/24 when classful network boundaries are encountered.
5. This is a small network and the routing tables are manageable. However, if we had
more routers, our routing tables would be rather large, which takes up memory and
router processing time to parse the routing table. What can we do to make our routing table
smaller, more efficient, yet still keep all our connectivity from end to end? You guessed
it! Summarization baby!
Lab 8.5: VLSM with Summarization Lab - Configuring Summarization
Now that we have configured the internetwork from end to end using VLSM and discontiguous
networking, and EIGRP with the no auto-summary command to support the discontiguous
network, it is time to configure summarization.
Summarization would be done on the boundaries of each contiguous configured network
(routers 2811 A and 2811 F). Summarization is used by EIGRP under the interface
configuration using the ip summary-address eigrp 10 network mask command.
Before we add the summary commands to routers 2811 A and 2811 F, we need to know
what network and mask to add to the summary command. Remember, summary addresses
are configured in block sizes, just like subnets. The summary address for the 2811 Router A
would be 192.168.10.32, since we are starting at subnet 32; however, what is our summary
mask? Well, what is the block size of our contiguous networks? Thirty-two (32). What mask
provides a block size of 32? A /27, which is 255.255.255.224; this is our summary mask.
For the 2811 F configuration, we would start at subnet 192.168.10.64, which is also a
summary mask of /27, since the contiguous networks fit in a block size of 32.
Network Layout
Use the network you were working with in Lab 8.4.
Lab Steps
1. Here is our configuration on both routers:
2811A#config t
2811A(config)#interface fa0/0
2811A(config-if)#ip summary-address eigrp 10 192.168.10.32 255.255.255.224
2811F#config t
2811F(config)#interface fa0/0
2811F(config-if)#ip summary-address eigrp 10 192.168.10.64 255.255.255.224
At this point, we have disabled automatic summarization under EIGRP since we need
to support discontiguous networking. We then configured manual summarization at
contiguous classful boundaries.
2. If we take a look at the routing tables now, we can see that 2811 Router A is summarizing
the contiguous network with a 192.168.10.32/27 route into the 2811 Router F
routing tables, which is then sent to the other routers connected to 2811 Router F.
2811F>en
2811F#show ip route
[output cut]
192.168.10.0/24 is variably subnetted, 7 subnets, 3 masks
C 192.168.10.64/30 is directly connected, Serial0/0/1
D 192.168.10.80/29 [90/2172416] via 192.168.10.66, 00:05:49, Serial0/0/1
C 192.168.10.68/30 is directly connected, Serial0/0/0
D 192.168.10.72/30 [90/2172416] via 192.168.10.66, 00:05:49, Serial0/0/1
D 192.168.10.76/30 [90/2172416] via 192.168.10.70, 00:05:49, Serial0/0/0
D 192.168.10.32/27 [90/2172416] via 10.1.1.1, 00:05:49, FastEthernet0/0
D 192.168.10.88/29 [90/2172416] via 192.168.10.70, 00:05:49, Serial0/0/0
10.0.0.0/24 is subnetted, 1 subnets
C 10.1.1.0 is directly connected, FastEthernet0/0
3. For 2811 Router A, the routing table now looks like this, which is sent to all routers
connected to 2811 Router A.
2811A#show ip route
[output cut]
10.0.0.0/24 is subnetted, 1 subnets
C 10.1.1.0 is directly connected, FastEthernet0/0
192.168.10.0/24 is variably subnetted, 7 subnets, 3 masks
C 192.168.10.36/30 is directly connected, Serial0/0/0
D 192.168.10.64/27 [90/2172416] via 10.1.1.2, 00:02:53, FastEthernet0/0
D 192.168.10.44/30 [90/2172416] via 192.168.10.38, 00:02:53, Serial0/0/0
D 192.168.10.40/30 [90/2172416] via 192.168.10.34, 00:02:53, Serial0/0/1
D 192.168.10.48/29 [90/2172416] via 192.168.10.34, 00:02:53, Serial0/0/1
C 192.168.10.32/30 is directly connected, Serial0/0/1
D 192.168.10.56/29 [90/2172416] via 192.168.10.38, 00:02:53, Serial0/0/0
Our routing tables are smaller, more efficient, and easier for IP to parse.
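The classful network statements from Lab 8.4, the auto-summary behaviour that breaks discontiguous networks, and the block-size reasoning for the summary address in Lab 8.5 can all be checked with a short calculation. This is an added Python example, not part of the lab book or its simulator; the function names are this example's own, and the subnets are the ones in the lab's addressing table.

```python
import ipaddress

# Subnets from the lab's addressing table (routers A-E and routers F-J).
SIDE_A = ["192.168.10.32/30", "192.168.10.36/30", "192.168.10.40/30",
          "192.168.10.44/30", "192.168.10.48/29", "192.168.10.56/29"]
SIDE_F = ["192.168.10.64/30", "192.168.10.68/30", "192.168.10.72/30",
          "192.168.10.76/30", "192.168.10.80/29", "192.168.10.88/29"]


def classful_network(address):
    """Class A/B/C network of an address: all subnet and host bits off."""
    ip = ipaddress.IPv4Address(address)
    first_octet = int(ip) >> 24
    if first_octet < 128:
        prefix = 8
    elif first_octet < 192:
        prefix = 16
    elif first_octet < 224:
        prefix = 24
    else:
        raise ValueError(f"{ip} is class D/E and has no classful network")
    return ipaddress.ip_network(f"{ip}/{prefix}", strict=False)


def network_statements(interface_addresses):
    """EIGRP/RIP network statements for a router's interface addresses."""
    nets = {classful_network(a) for a in interface_addresses}
    return [f"network {n.network_address}" for n in sorted(nets)]


def auto_summary(subnets):
    """What auto-summary advertises across a major-network boundary."""
    return sorted({str(classful_network(ipaddress.ip_network(s).network_address))
                   for s in subnets})


def discontiguous_conflict(side_one, side_two):
    """Classful routes both sides would advertise to each other."""
    return sorted(set(auto_summary(side_one)) & set(auto_summary(side_two)))


def manual_summary(subnets):
    """Smallest single prefix covering the subnets, and whether the subnets
    fill it exactly (no unused addresses inside the summary)."""
    nets = sorted(ipaddress.ip_network(s) for s in subnets)
    for a, b in zip(nets, nets[1:]):
        if a.overlaps(b):
            raise ValueError(f"{a} overlaps {b}")
    summary = nets[0]
    while not all(n.subnet_of(summary) for n in nets):
        summary = summary.supernet()
    exact = sum(n.num_addresses for n in nets) == summary.num_addresses
    return summary, exact


def summary_command(subnets, asn=10):
    """Interface command that advertises the manual summary."""
    summary, _ = manual_summary(subnets)
    return (f"ip summary-address eigrp {asn} "
            f"{summary.network_address} {summary.netmask}")


if __name__ == "__main__":
    # Router A's interfaces: two serial links and the backbone.
    print(network_statements(["192.168.10.37", "192.168.10.33", "10.1.1.1"]))
    # With auto-summary on, both sides advertise the same /24 across 10.0.0.0.
    print("conflict:", discontiguous_conflict(SIDE_A, SIDE_F))
    print("2811A:", summary_command(SIDE_A), manual_summary(SIDE_A)[1])
    print("2811F:", summary_command(SIDE_F), manual_summary(SIDE_F)[1])
```

When `manual_summary` reports that the fit is not exact, the summary route also covers addresses that have no subnet behind them, which is worth knowing before advertising it.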
Individual Labs (Comprehensive)
Introduction to Individual Labs
We offer CCNA labs that are comprehensive and self-contained. They stand on their own, and
do not require configurations from prior labs. These labs are typically longer than the
accumulative labs because you are starting with a non-configured network each time you bring up an
Individual lab. You are totally configuring the network for each lab, from beginning to finish.
We provide step-by-step instructions for these labs.
Grading
When you have finished with each Individual lab ...
You can check your work by clicking the Grade Me button in the upper right hand
corner of the Network Visualizer screen.
You will see a report that will display:
- The name of the command entered for this lab
- The expected configuration
- Your configuration
- The result for each command. You will see a green checkmark (meaning that you
  got it correct) or a red X
- A score of the number of correct answers out of the total possible
Individual Lab: RIP Routing
Configuring the routers with static and default routing is interesting to say the least. However,
it is not very often that you would use just static and default routing in a network these days.
This lab will have you configure Routing Information Protocol (RIP), one of the first dynamic
routing protocols created. It is easy and works pretty well in small to medium size networks.
Enter all commands in lower case. The program's grading feature expects
lower case and may count an answer wrong if it is in upper case.
When you have finished with this lab ...
You can check your work by clicking the Grade Me button in the upper right hand
corner of the Network Visualizer screen.
You will see a report that will display:
- The name of the command entered for this lab
- The expected configuration
- Your configuration
- The result for each command. You will see a green checkmark (meaning that you
  got it correct) or a red X
- A score of the number of correct answers out of the total possible
RIP
- Stands for routing information protocol.
- Sends routing-update messages at regular intervals (usually every 30 seconds)
  and when the network topology changes.
- Uses a single metric called a hop, which measures the distance between the
  source and destination.
- Is limited to a hop count of 15. It has a maximum hop count. This means a network
  cannot be more than 15 hops from the source to the destination. Otherwise the
  destination is deemed as unreachable.
- Has a timeout timer that is used on a periodic basis (usually every 30 seconds) for
  each known route. If the timer times out this usually means that path is no longer
  available. Therefore that route is removed from routing tables.
- Does not support VLSM.
Network Layout
On the Network Visualizer screen, click on the Labs menu then choose Individual,
Routing Protocols, and RIP.
Lab Steps
Copy and Paste Script
Steps 1-3 are necessary in order to perform this lab. If you do not want to manually complete
these steps and want to accelerate steps 1 - 3, you can copy and paste the following script into
the console for each router. After you get into user mode, copy and paste the script into the
console. Click on the console and click your right mouse button. A pop-up menu will appear.
Click Paste.
After pasting the script into the console, you will see the prompt Destination filename
[startup-config]?. At this point, press Enter.
2621 Router A:
enable
config t
hostname 2621A
line vty 0 4
password todd
login
interface serial 0/0
ip address 172.16.20.2 255.255.255.0
description connection to 2811A
no shutdown
exit
exit
copy run start
2811 Router A:
enable
config t
hostname 2811A
line vty 0 1180
password todd
login
interface serial 0/1/1
ip address 172.16.20.1 255.255.255.0
description connection to 2621A
no shutdown
interface serial 0/0/1
ip address 172.16.30.1 255.255.255.0
description connection to 2621B
no shutdown
exit
exit
copy run start
2621 Router B:
enable
config t
hostname 2621B
line vty 0 4
password todd
login
interface serial 0/0
ip address 172.16.30.2 255.255.255.0
description connection to 2811A
no shutdown
exit
exit
copy run start
1. Double-click 2621 Router A. After the console screen comes up, perform the following
commands.
Router>enable
Router#config t
Router(config)#hostname 2621A
2621A(config)#line vty 0 4
2621A(config-line)#password todd
2621A(config-line)#login
2621A(config-line)#int s0/0
2621A(config-if)#ip address 172.16.20.2 255.255.255.0
2621A(config-if)#description connection to 2811A
2621A(config-if)#no shutdown
2621A(config-if)#ctrl+z
2621A#copy run start
Destination filename [startup-config]? [enter]
Building configuration...
[OK]
2621A#
2. Double-click 2811 Router A. After the console screen comes up, perform the following
commands.
Router>enable
Router#config t
Router(config)#hostname 2811A
2811A(config)#line vty 0 1180
2811A(config-line)#password todd
2811A(config-line)#login
2811A(config-line)#int s0/1/1
2811A(config-if)#ip address 172.16.20.1 255.255.255.0
2811A(config-if)#description connection to 2621A
2811A(config-if)#no shutdown
2811A(config-if)#int s0/0/1
2811A(config-if)#ip address 172.16.30.1 255.255.255.0
2811A(config-if)#description connection to 2621B
2811A(config-if)#no shutdown
2811A(config-if)#ctrl+z
2811A#copy run start
Destination filename [startup-config]? [enter]
Building configuration...
[OK]
2811A#
3. Double-click 2621 Router B. After the console screen comes up, perform the following
commands.
Router>enable
Router#config t
Router(config)#hostname 2621B
2621B(config)#line vty 0 4
2621B(config-line)#password todd
2621B(config-line)#login
2621B(config-line)#int s0/0
2621B(config-if)#ip address 172.16.30.2 255.255.255.0
2621B(config-if)#description connection to 2811A
2621B(config-if)#no shutdown
2621B(config-if)#ctrl+z
2621B#copy run start
Destination filename [startup-config]? [enter]
Building configuration...
[OK]
2621B#
4. From 2621 Router A, configure RIP routing and tell RIP the network you want to
advertise.
2621A#config t
2621A(config)#router rip
2621A(config-router)#network 172.16.0.0
2621A(config-router)#ctrl+z
That's all there is to it! Dynamic routing is easy on small networks. The important thing
to notice here is that the network address is a classful address, which means you use the
classful boundary.
Clock Rate
You do not have to set a clock rate if the DCE side of your connection is a 2811 router.
The clock rate for the serial interface is set by default to 2000000. However, on the
2621 router you still need to explicitly set the clock rate. In our lab the DCE side of the
connection is interface serial 0/1/1 and serial 0/0/1.
Dynamic Routing
The process of routers in an intranet or internet advertising route information automatically
between each other. There is typically a common dynamic routing protocol configured
on each router. RIP Version 1 and 2, OSPF, EIGRP, and BGP are some examples
of dynamic routing protocols. When all routers have received routing updates and have
updated routing tables, the network is said to have converged. Convergence means
that all routers in the internetwork have the same routing information. At this point, a
routed protocol, IP for example, can send user data throughout the internetwork.
5. From 2621 Router B, configure RIP routing and tell RIP the network you want to
advertise.
2621B#config t
2621B(config)#router rip
2621B(config-router)#network 172.16.0.0
2621B(config-router)#ctrl+z
Router RIP Command
Turns on RIP routing.
Network Command
Should be entered for each of the networks that the router is connected to and is a part
of the RIP network. In our network we have only one network, network 172.16.0.0.
Classful Routing
Routing protocols (i.e., RIPv1 and IGRP) where subnet masks (routing masks) are not
sent in the periodic routing updates. For example, we use a 172.16.0.0 class B network
address and subnet that network with 24 bits of subnetting. This means the third
octet is used for subnets and the fourth octet holds the host addresses for each subnet.
RIP is a classful routing protocol, which means that you do not type in any subnet
addresses, only the class B address. When using a classful network protocol like RIP,
make sure that all networked devices have the same subnet mask.
6. From 2811 Router A, configure RIP routing and tell RIP the network you want to
advertise.
2811A#config t
2811A(config)#router rip
2811A(config-router)#network 172.16.0.0
2811A(config-router)#ctrl+z
Verify Configurations
7. From 2621 Router A, use the show ip route command to verify the routing table.
2621A#show ip route
172.16.0.0/24 is subnetted, 2 subnets
R 172.16.30.0 [120/1] via 172.16.20.1, 00:00:21, Serial0/0
C 172.16.20.0 is directly connected, Serial0/0
2621A#
Notice the R, which means it is a RIP found route. The C is a directly connected
network. You should see two directly connected routes and three RIP routes.
8. From 2621 Router B, use the show ip route command to verify the routing table.
2621B#show ip route
172.16.0.0/24 is subnetted, 2 subnets
C 172.16.30.0 is directly connected, Serial0/0
R 172.16.20.0 [120/1] via 172.16.30.1, 00:00:13, Serial0/0
2621B#
9. From 2811 Router A, use the show ip route command to verify the routing table.
2811A#show ip route
172.16.0.0/24 is subnetted, 2 subnets
C 172.16.30.0 is directly connected, Serial0/0/1
C 172.16.20.0 is directly connected, Serial0/1/1
10. From 2621 Router B, use the debug ip rip command to see RIP updates being sent
and received on the router.
2621B#debug ip rip
RIP protocol debugging is on
2621B#
then after a few seconds ....
*Oct 13 17:19:25.906: RIP: received v1 update from 172.16.30.1 on Serial0/0
*Oct 13 17:19:25.906: 172.16.20.0 in 2 hops
*Oct 13 17:19:25.906: RIP: received v1 update from 172.16.30.1 on Serial0/0
*Oct 13 17:19:25.906: 172.16.20.0 in 3 hops
*Oct 13 17:19:25.906: RIP: received v1 update from 172.16.30.1 on Serial0/0
*Oct 13 17:19:25.906: 172.16.20.0 in 4 hops
*Oct 13 17:19:25.906: RIP: received v1 update from 172.16.30.1 on Serial0/0
[output cut]
11. To turn off debugging, use the no debug ip rip command, or the undebug all
command.
2621B#undebug all
12. To see detailed information about currently configured protocols on a router, use the
show ip protocols command.
2621B#show ip protocols
Routing Protocol is "rip"
Sending updates every 30 seconds, next due in 19 seconds
Invalid after 180 seconds, hold down 180, flushed after 240
Outgoing update filter list for all interfaces is not set
Incoming update filter list for all interfaces is not set
Redistributing: rip
Default version control: send version 1, receive any version
Interface Send Recv Triggered RIP Key-chain
Serial0/0 1 1 2
Automatic network summarization is in effect
Maximum path: 4
Routing for networks:
172.16.0.0
Routing information sources:
Gateway Distance Last Update
172.16.30.1 120 00:00:11
Distance: <default is 120>
2621B#
Notice the timers. RIP updates are sent out every 30 seconds by default. The administrative
distance for RIP is 120 by default.
Administrative distance is a measure of the trustworthiness of the source of the routing
information. It is reported as a number between 0 and 255. The smaller the number, the
more reliable the protocol. If you have, for example, two protocols, IGRP and RIP, configured
on a router, the IGRP routes will be preferred over the RIP routes. This is because you
have an administrative distance of 120 for RIP and 100 for IGRP.
Source                                                             Default Distance Value
Connected interface                                                0
Static route                                                       1
Enhanced Interior Gateway Routing Protocol (EIGRP) summary route   5
External Border Gateway Protocol (BGP)                             20
Internal EIGRP                                                     90
IGRP                                                               100
OSPF                                                               110
Intermediate System-to-Intermediate System (IS-IS)                 115
Routing Information Protocol (RIP)                                 120
Exterior Gateway Protocol (EGP)                                    140
On Demand Routing (ODR)                                            160
External EIGRP                                                     170
Internal BGP                                                       200
Unknown                                                            255
13. Another really good command is the show protocols command, which shows you the
routed protocol configuration of each interface.
2621B#show protocols
Global values:
Internet protocol routing is enabled
Serial0/1 is administratively down, line protocol is down
Serial0/0 is up, line protocol is up
Internet address is 172.16.30.2/24
FastEthernet0/1 is administratively down, line protocol is down
FastEthernet0/0 is administratively down, line protocol is down
2621B#
14. From 2811 Router A, use the show protocols command.
2811A#show protocols
Global values:
Internet protocol routing is enabled
Serial0/0/0 is administratively down, line protocol is down
Serial0/0/1 is up, line protocol is up
Internet address is 172.16.30.1/24
Serial0/1/0 is administratively down, line protocol is down
Serial0/1/1 is up, line protocol is up
Internet address is 172.16.20.1/24
FastEthernet0/0 is administratively down, line protocol is down
FastEthernet0/1 is administratively down, line protocol is down
2811A#
RIPv2
You will now configure RIPv2.
RIPv2. RIP does not carry subnet information. To overcome this, RIPv2 was created in
1994 to address some deficiencies in RIP. RIPv2 can carry subnet information. RIPv2 sends
routing updates via multicast address 224.0.0.9. It also provides support for variable length
subnet masks (VLSM) and discontiguous networking. RIPv2 is not automatically turned on
with the router rip command. You must also specify it with the version 2 command.
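The difference between a classful RIPv1 update and a RIPv2 update is visible in the update entries themselves. The following Python code is an added example, not part of the lab software or the original text: it encodes a route in both versions using the 20-byte entry layout of RFC 1058 and RFC 2453, then decodes it the way a receiver on 172.16.30.2/24 would. The function names and the 172.16.40.0/28 test subnet are assumptions made for this example.

```python
import ipaddress
import struct

RIP_RESPONSE = 2   # command field value for a routing update
AF_INET = 2        # address family identifier for IP


def build_update(version, routes):
    """Encode a RIP response; routes is a list of (network, prefix_len, metric)."""
    pkt = struct.pack("!BBH", RIP_RESPONSE, version, 0)
    for net, plen, metric in routes:
        network = ipaddress.IPv4Network((net, plen))
        # RIPv1 must leave the mask field zero; RIPv2 fills it in.
        mask = int(network.netmask) if version == 2 else 0
        pkt += struct.pack("!HHIIII", AF_INET, 0,
                           int(network.network_address), mask, 0, metric)
    return pkt


def classful_prefix(addr):
    """Prefix length implied by the address class (A, B or C)."""
    first_octet = int(addr) >> 24
    if first_octet < 128:
        return 8
    if first_octet < 192:
        return 16
    return 24


def parse_update(pkt, rx_interface):
    """Decode a response as the router whose receiving interface is rx_interface."""
    if len(pkt) < 4 or (len(pkt) - 4) % 20:
        raise ValueError("not a well-formed RIP packet")
    command, version, _ = struct.unpack("!BBH", pkt[:4])
    if command != RIP_RESPONSE:
        raise ValueError("not a RIP response")
    iface = ipaddress.IPv4Interface(rx_interface)
    major = ipaddress.IPv4Network((iface.ip, classful_prefix(iface.ip)), strict=False)
    learned = []
    for off in range(4, len(pkt), 20):
        afi, _tag, addr, mask, _next_hop, metric = struct.unpack(
            "!HHIIII", pkt[off:off + 20])
        if afi != AF_INET:
            continue
        ip = ipaddress.IPv4Address(addr)
        if version == 2:
            plen = bin(mask).count("1")       # mask travels in the update
        elif ip in major:
            plen = iface.network.prefixlen    # same major network: borrow our own mask
        else:
            plen = classful_prefix(ip)        # other major network: class default
        net = ipaddress.IPv4Network((ip, plen), strict=False)
        if net.network_address != ip:
            # Bits set beyond the assumed mask: RFC 1058 treats it as a host route.
            net = ipaddress.IPv4Network((ip, 32))
        learned.append((net, metric))
    return learned


if __name__ == "__main__":
    for version in (1, 2):
        update = build_update(version, [("172.16.20.0", 24, 1), ("172.16.40.0", 28, 1)])
        print("v%d:" % version, parse_update(update, "172.16.30.2/24"))
```

With version 1 the receiver records 172.16.40.0 with its own /24 mask even though the sender meant /28, which is why every device must share one subnet mask under a classful protocol.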
15. From 2621 Router A, configure RIP routing to use version 2.
2621A#config t
2621A(config)#router rip
2621A(config-router)#version 2
2621A(config-router)#ctrl+z
That's all there is to it! Since we have already added our directly connected networks
under router rip in our last lab, we now just have to tell it to run version 2.
16. From 2621 Router B, configure RIP routing to use version 2.
2621B#config t
2621B(config)#router rip
2621B(config-router)#version 2
2621B(config-router)#ctrl+z
17. From 2811 Router A, configure RIP routing to use version 2.
2811A#config t
2811A(config)#router rip
2811A(config-router)#version 2
2811A(config-router)#ctrl+z
Verify Configurations
18. From 2621 Router A, use the show ip route command to verify the routing table.
2621A#show ip route
172.16.0.0/24 is subnetted, 2 subnets
R 172.16.30.0 [120/1] via 172.16.20.1, 00:00:13, Serial0/0
C 172.16.20.0 is directly connected, Serial0/0
Notice the R, which means it is a RIP found route. The C is a directly connected
network. The routing tables will look the same as version 1 unless you have VLSM
networks configured.
19. From the 2621 Router B, use the show ip route command to verify the routing table.
2621B#show ip route
172.16.0.0/24 is subnetted, 2 subnets
C 172.16.30.0 is directly connected, Serial0/0
R 172.16.20.0 [120/1] via 172.16.30.1, 00:00:09, Serial0/0
20. From 2811 Router A, use the show ip route command to verify the routing table.
2811A#show ip route
172.16.0.0/24 is subnetted, 2 subnets
C 172.16.30.0 is directly connected, Serial0/0/1
C 172.16.20.0 is directly connected, Serial0/1/1
21. From 2621 Router A, use the debug ip rip command to see RIP updates being sent
and received on the router.
2621A#debug ip rip
22. To turn off debugging, use the no debug ip rip command, or the undebug all
command.
2621A#undebug all
23. To see the routing protocol timers, use the show ip protocols command.
2621A#show ip protocols
Routing Protocol is "rip"
Sending updates every 30 seconds, next due in 23 seconds
Invalid after 180 seconds, hold down 180, flushed after 240
Outgoing update filter list for all interfaces is not set
Incoming update filter list for all interfaces is not set
Redistributing: rip
Default version control: send version 2, receive version 2
Interface Send Recv Triggered RIP Key-chain
Serial0/0 1 1 2
Automatic network summarization is in effect
Maximum path: 4
Routing for networks:
172.16.0.0
Routing information sources:
Gateway Distance Last Update
172.16.20.1 120 00:00:07
Distance: <default is 120>
2621A#
Notice the timers. RIP is sent out every 30 seconds by default. The administrative
distance is 120 by default. Both RIPv1 and RIPv2 use the same timers.
Individual Lab: IPv6 Static Routing
Enter all commands in lower case. The program's grading feature expects
lower case and may count an answer wrong if it is in upper case.
Internet Protocol Version 6 (IPv6) is the new addressing scheme that will eventually
replace all IPv4 addresses. The IPv4 address scheme is no longer adequate to meet the
needs of the growing Internet and growing intranets. IPv6 was also designed to improve
routing performance and address network scalability issues. IPv6 addresses are 128 bits in length.
Hexadecimal Groups. IPv6 addresses are divided into eight 16-bit hexadecimal groups.
For example, 2001:0000:0000:0008:0000:0000:0000:0012 can be divided into ...
2001:  0000:  0000:  0008:  0000:  0000:  0000:  0012
1      2      3      4      5      6      7      8
The IPv6 address above can also be shortened to 2001:0:0:8:0:0:0:12 or 2001::8:0:0:0:12.
Address Types. There are three IPv6 address types:
- Unicast
- Anycast
- Multicast
Unicast Types. There are four unicast address types:
- Link local
- Unique local
- Global
- Special
IPv6 Bits. The bits of an IPv6 address can be divided into ...
48 bits            16 bits   64 bits
2001:0000:0000:    0008:     0000:0000:0000:0012
Global Prefix      Subnet    Interface ID
This lab will have you create an IPv6 network. In this network you will use IPv6 to create
both default and static routing. The network used in this lab has IPv4 addresses already
configured on each router interface. Having both IPv4 and IPv6 addresses on an interface is called
DUAL stacking. You will also verify your IPv6 Static Routing configurations.
When you have finished with this lab ...
You can check your work by clicking the Grade Me button in the upper right hand
corner of the Network Visualizer screen.
You will see a report that will display:
- The name of the command entered for this lab
- The expected configuration
- Your configuration
- The result for each command. You will see a green checkmark (meaning that you got it
  correct) or a red X.
- A score of the number of correct answers out of the total possible
Network Layout
On the Network Visualizer screen, click on the Labs menu then choose Individual,
Routing Protocols, and Static IPv6.rsm.
Lab Steps
1. Enable IPv6 routing and Cisco Express Forwarding (CEF) on each router.
2811A#en
2811A#config t
2811A(config)#ipv6 unicast-routing
2811A(config)#ipv6 cef
2811B#en
2811B#config t
2811B(config)#ipv6 unicast-routing
2811B(config)#ipv6 cef
2811C#en
2811C#config t
2811C(config)#ipv6 unicast-routing
2811C(config)#ipv6 cef
2. Configure IPv6 addresses on 2811 Router A.
2811A(config)#int fa0/0
2811A(config-if)#ipv6 address 2001::10:1/112
2811A(config-if)#int s0/0/0
2811A(config-if)#ipv6 address 2001::20:1/112
2811A(config-if)#int s0/1/0
2811A(config-if)#ipv6 address 2001::30:1/112
2811A(config-if)#exit
3. Configure IPv6 addresses on 2811 Router B.
2811B(config)#int fa0/0
2811B(config-if)#ipv6 address 2001::40:1/112
2811B(config-if)#interface serial 0/1/0
2811B(config-if)#ipv6 address 2001::30:2/112
2811B(config-if)#exit
4. Configure IPv6 addresses on 2811 Router C.
2811C(config)#int fa0/0
2811C(config-if)#ipv6 address 2001::50:1/112
2811C(config-if)#int s0/0/0
2811C(config-if)#ipv6 address 2001::20:2/112
2811C(config-if)#exit
5. Configure two IPv6 static routes on 2811 Router A.
2811A(config)#ipv6 route 2001::40:0/112 2001::30:2
2811A(config)#ipv6 route 2001::50:0/112 2001::20:2
2811A(config)#exit
2811A#copy run start
The static routes will allow 2811 Router A to communicate with the rest of the
network.
6. Configure an IPv6 default route on 2811 Router B.
2811B(config)#ipv6 route ::/0 2001::30:1
2811B(config)#exit
2811B#copy run start
This default route will allow 2811 Router B to communicate with the rest of the network.
2811 Router B will use 2811 Router A as a gateway of last resort.
7. Configure an IPv6 default route on 2811 Router C.
2811C(config)#ipv6 route ::/0 2001::20:1
2811C(config)#exit
2811C#copy run start
This default route will allow 2811 Router C to communicate with the rest of the network.
2811 Router C will use 2811 Router A as a gateway of last resort.
Verifying IPv6 Static Routing
8. On 2811 Router A, issue the show running-config command to verify the
IPv6 configurations.
2811A#show run
[output cut]
!
interface FastEthernet0/0
ip address 172.16.10.1 255.255.255.0
no ip directed-broadcast
ipv6 address 2001::10:1/112
!
[output cut]
!
interface Serial0/0/0
ip address 172.16.20.1 255.255.255.0
no ip directed-broadcast
clockrate 2000000
ipv6 address 2001::20:1/112
!
[output cut]
!
interface Serial0/1/0
ip address 172.16.30.1 255.255.255.0
no ip directed-broadcast
clockrate 2000000
ipv6 address 2001::30:1/112
!
[output cut]
!
ipv6 route 2001::40:0/112 2001::30:2
ipv6 route 2001::50:0/112 2001::20:2
!
[output cut]
2811A#
As you can see, each interface has an IPv6 address. You can also see the IPv6 static
routes that are configured.
9. On 2811 Router A, issue the show ipv6 interface command to see which router
interfaces are configured for IPv6.
2811A#show ipv6 interface
FastEthernet0/0 is up, line protocol is up
IPv6 is enabled, link-local address is FE80::21A:2FFF:FE55:D408
Global unicast address(es):
2001::10:1, subnet is 2001::10:0/112
Joined group address(es):
FF02::1
FF02::2
FF02::1:FF10:1
FF02::1:FF55:D408
MTU is 1500 bytes
ICMP error messages limited to one every 100 milliseconds
ICMP redirects are enabled
[output cut]
Serial0/0/0 is up, line protocol is up
IPv6 is enabled, link-local address is FE80::21A:2FFF:FE55:D408
Description: conn-to-2811A
Global unicast address(es):
2001::20:1, subnet is 2001::30:0/112
Joined group address(es):
FF02::1
FF02::2
FF02::1:FF20:1
FF02::1:FF55:D408
MTU is 1500 bytes
ICMP error messages limited to one every 100 milliseconds
ICMP redirects are enabled
[output cut]
Serial0/1/0 is up, line protocol is up
IPv6 is enabled, link-local address is FE80::21A:2FFF:FE55:D408
Description: conn-to-2811C
Global unicast address(es):
2001::30:1, subnet is 2001::20:0/112
Joined group address(es):
FF02::1
FF02::2
FF02::1:FF30:1
FF02::1:FF55:D408
MTU is 1500 bytes
ICMP error messages limited to one every 100 milliseconds
ICMP redirects are enabled
[output cut]
2811A#
10. On 2811 Router A, issue the show ipv6 interface brief command to see a summary
of the router interfaces configured for IPv6.
2811A#show ipv6 interface brief
FastEthernet0/0 [up/up]
FE80::21A:2FFF:FE55:D408
2001::10:1
FastEthernet0/1 [administratively down/down]
Serial0/0/0 [up/up]
FE80::21A:2FFF:FE55:D408
2001::20:1
Serial0/0/1 [administratively down/down]
Serial0/1/0 [up/up]
FE80::21A:2FFF:FE55:D408
2001::30:1
Serial0/1/1 [administratively down/down]
2811A#
11. On 2811 Router A, issue the show ipv6 route command to see the IPv6 routing table.
2811A#show ipv6 route
IPv6 Routing Table - 10 entries
Codes: C - Connected, L - Local, S - Static, R - RIP, B - BGP
U - Per-user Static route
I1 - ISIS L1, I2 - ISIS L2, IA - ISIS interarea, IS - ISIS summary
O - OSPF intra, OI - OSPF inter, OE1 - OSPF ext 1, OE2 - OSPF ext 2
ON1 - OSPF NSSA ext 1, ON2 - OSPF NSSA ext 2
C 2001::10:0/112 [0/0]
via ::, FastEthernet0/0
L 2001::10:1/128 [0/0]
via ::, FastEthernet0/0
C 2001::20:0/112 [0/0]
via ::, Serial0/0/0
L 2001::20:1/128 [0/0]
via ::, Serial0/0/0
C 2001::30:0/112 [0/0]
via ::, Serial0/1/0
L 2001::30:1/128 [0/0]
via ::, Serial0/1/0
S 2001::40:0/112 [1/0]
via 2001::30:2
S 2001::50:0/112 [1/0]
via 2001::20:2
L FE80::/10 [0/0]
via ::, Null0
L FF00::/8 [0/0]
via ::, Null0
2811A#
12. From 2811 Router A, ping the IPv6 Fast Ethernet addresses of routers 2811 B and 2811 C.
Pinging will verify that your default and static routing configurations are correct.
2811A#ping ipv6 2001::40:1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2001::40:1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 0/0/0 ms
2811A#
2811A#ping ipv6 2001::50:1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2001::50:1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 0/0/4 ms
2811A#
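The pings in step 12 succeed only if every router on the path has a matching route in both directions. The following Python code is an added example, not part of the lab software or the original text: it rebuilds the three routing tables from the addresses and ipv6 route commands in steps 2 through 7 and follows a packet hop by hop with longest-prefix matching. The function names and the 2001::60:1 test address are assumptions made for this example.

```python
import ipaddress


def lab_topology():
    """Interface addresses and static routes from lab steps 2-7."""
    return {
        "2811A": {"addrs": ["2001::10:1/112", "2001::20:1/112", "2001::30:1/112"],
                  "static": {"2001::40:0/112": "2001::30:2",
                             "2001::50:0/112": "2001::20:2"}},
        "2811B": {"addrs": ["2001::40:1/112", "2001::30:2/112"],
                  "static": {"::/0": "2001::30:1"}},
        "2811C": {"addrs": ["2001::50:1/112", "2001::20:2/112"],
                  "static": {"::/0": "2001::20:1"}},
    }


def build_tables(routers):
    """Return per-router route lists and a map of interface address -> router."""
    tables, owners = {}, {}
    for name, cfg in routers.items():
        table = []
        for text in cfg["addrs"]:
            iface = ipaddress.IPv6Interface(text)
            owners[iface.ip] = name
            table.append((iface.network, None))          # connected route
        for prefix, next_hop in cfg["static"].items():
            table.append((ipaddress.IPv6Network(prefix),
                          ipaddress.IPv6Address(next_hop)))
        tables[name] = table
    return tables, owners


def lookup(table, dst):
    """Longest-prefix match; returns (prefix, next_hop) or None."""
    matches = [entry for entry in table if dst in entry[0]]
    return max(matches, key=lambda entry: entry[0].prefixlen, default=None)


def trace(routers, start, dst, max_hops=8):
    """Return the list of routers a packet from start to dst passes through."""
    tables, owners = build_tables(routers)
    dst = ipaddress.IPv6Address(dst)
    path, current = [start], start
    for _ in range(max_hops):
        if owners.get(dst) == current:
            return path
        route = lookup(tables[current], dst)
        if route is None:
            raise LookupError(f"{current} has no route to {dst}")
        _prefix, next_hop = route
        if next_hop is not None and not any(
                nh is None and next_hop in net for net, nh in tables[current]):
            raise LookupError(f"{current}: next hop {next_hop} is not on a connected link")
        # Connected route: hand the packet to the destination itself.
        target = dst if next_hop is None else next_hop
        neighbor = owners.get(target)
        if neighbor is None:
            raise LookupError(f"{current}: nothing answers for {target}")
        path.append(neighbor)
        current = neighbor
    raise RuntimeError(f"hop limit reached before {dst} (routing loop)")


if __name__ == "__main__":
    lab = lab_topology()
    print(trace(lab, "2811A", "2001::40:1"))   # ping from step 12
    print(trace(lab, "2811B", "2001::50:1"))   # relies on the default route on B
```

Deleting one of the static routes on 2811 Router A, or adding a default route on it that points back at 2811 Router B, makes trace raise instead of returning a path, which corresponds to the ping in step 12 failing.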
Individual Lab: RIP IPv6 Routing (RIPng)
Enter all commands in lower case. The program's grading feature expects
lower case and may count an answer wrong if it is in upper case.
In this lab you will create an IPv6 RIPng network. The network used in this lab has IPv4
addresses already configured on each router interface. This will demonstrate DUAL stacking.
You will also be given the commands to verify your RIPng routing configurations.
When you have finished with this lab ...
You can check your work by clicking the Grade Me button in the upper right hand corner
of the Network Visualizer screen.
You will see a report that will display:
- The name of the command entered for this lab
- The expected configuration
- Your configuration
- The result for each command. You will see a green checkmark (meaning that you got it
  correct) or a red X
- A score of the number of correct answers out of the total possible
Network Layout
On the Network Visualizer screen, click on the Labs menu then choose Individual,
Routing Protocols, and RIP IPv6.rsm.
Lab Steps
1. Enable IPv6 routing and Cisco Express Forwarding (CEF) on each router.
2811A#en
2811A#config t
2811A(config)#ipv6 unicast-routing
2811A(config)#ipv6 cef
2811B#en
2811B#config t
2811B(config)#ipv6 unicast-routing
2811B(config)#ipv6 cef
2811C#en
2811C#config t
2811C(config)#ipv6 unicast-routing
2811C(config)#ipv6 cef
2. Configure IPv6 addresses on 2811 Router A.
2811A(config)#int fa0/0
2811A(config-if)#ipv6 address 2001::10:1/112
2811A(config-if)#int s0/0/0
2811A(config-if)#ipv6 address 2001::20:1/112
2811A(config-if)#int s0/1/0
2811A(config-if)#ipv6 address 2001::30:1/112
2811A(config-if)#exit
3. Configure IPv6 addresses on 2811 Router B.
2811B(config)#interface fastethernet 0/0
2811B(config-if)#ipv6 address 2001::40:1/112
2811B(config-if)#interface serial 0/1/0
2811B(config-if)#ipv6 address 2001::30:2/112
2811B(config-if)#exit
4. Configure IPv6 addresses on 2811 Router C.
2811C(config)#int fa0/0
2811C(config-if)#ipv6 address 2001::50:1/112
2811C(config-if)#int s0/0/0
2811C(config-if)#ipv6 address 2001::20:2/112
2811C(config-if)#exit
5. On 2811 Router A, enable the IPv6 RIPng routing process from global and interface
configuration mode.
2811A(config)#ipv6 router rip myripngprocess
2811A(config-rtr)#exit
2811A(config)#int fa0/0
2811A(config-if)#ipv6 rip myripngprocess enable
2811A(config-if)#int s0/0/0
2811A(config-if)#ipv6 rip myripngprocess enable
2811A(config-if)#int s0/1/0
2811A(config-if)#ipv6 rip myripngprocess enable
2811A(config-if)#ctrl+z
2811A#copy run start
Remember that the ipv6 unicast-routing command must be configured on the router
before the RIPng routing process can be enabled. The previous labs had you configure
the command on all routers so we will not do it here.
6. On 2811 Router B, enable the IPv6 RIPng routing process from global
configuration mode.
2811B(config)#ipv6 router rip myripngprocess
2811B(config-rtr)#exit
2811B(config)#int fa0/0
2811B(config-if)#ipv6 rip myripngprocess enable
2811B(config-if)#interface serial 0/1/0
2811B(config-if)#ipv6 rip myripngprocess enable
2811B(config-if)#ctrl+z
2811B#copy run start
7. On 2811 Router C, enable the IPv6 RIPng routing process from global
configuration mode.
2811C(config)#ipv6 router rip myripngprocess
2811C(config-rtr)#exit
2811C(config)#int fa0/0
2811C(config-if)#ipv6 rip myripngprocess enable
2811C(config-if)#int s0/0/0
2811C(config-if)#ipv6 rip myripngprocess enable
2811C(config-if)#ctrl+z
2811C#copy run start
Verifying RIP IPv6 Routing (RIPng)
8. On 2811 Router A, issue the show running-config command to verify the
IPv6 configurations.
2811A#show run
[output cut]
!
ipv6 unicast-routing
ipv6 cef
!
[output cut]
!
interface FastEthernet0/0
ip address 172.16.10.1 255.255.255.0
no ip directed broadcast
ipv6 address 2001::10:1/112
ipv6 rip myripngprocess enable
!
[output cut]
!
interface Serial0/0/0
ip address 172.16.20.1 255.255.255.0
no ip directed broadcast
ipv6 address 2001::20:1/112
clock rate 8000000
ipv6 rip myripngprocess enable
!
interface Serial0/1/0
ip address 172.16.30.1 255.255.255.0
no ip directed broadcast
ipv6 address 2001::30:1/112
ipv6 rip myripngprocess enable
clock rate 8000000
no cdp enable
!
[output cut]
!
ipv6 router rip myripngprocess
[output cut]
2811A#
As you can see, RIPng is configured on each interface. You can also see the IPv6 RIP
(RIPng) routing process.
9. On 2811 Router A, issue the show ipv6 route command to see the IPv6 routing table.
2811A#show ipv6 route
IPv6 Routing Table - 10 entries
Codes: C - Connected, L - Local, S - Static, R - RIP, B - BGP
U - Per-user Static route
I1 - ISIS L1, I2 - ISIS L2, IA - ISIS interarea, IS - ISIS summary
O - OSPF intra, OI - OSPF inter, OE1 - OSPF ext 1, OE2 - OSPF ext 2
ON1 - OSPF NSSA ext 1, ON2 - OSPF NSSA ext 2
C 2001::10:0/112 [0/0]
via ::, FastEthernet0/0
L 2001::10:1/128 [0/0]
via ::, FastEthernet0/0
C 2001::20:0/112 [0/0]
via ::, Serial0/0/0
L 2001::20:1/128 [0/0]
via ::, Serial0/0/0
C 2001::30:0/112 [0/0]
via ::, Serial0/1/0
L 2001::30:1/128 [0/0]
via ::, Serial0/1/0
R 2001::40:0/112 [120/2]
via FE80::215:FAFF:FED7:EDA0, Serial0/1/0
R 2001::50:0/112 [120/2]
via FE80::21A:2FFF:FE52:4808, Serial0/0/0
L FE80::/10 [0/0]
via ::, Null0
L FF00::/8 [0/0]
via ::, Null0
2811A#
10. On 2811 Router A, issue the show ipv6 protocols command to see the IPv6 protocols
that are running on the router.
2811A#show ipv6 protocols
IPv6 Routing Protocol is "connected"
IPv6 Routing Protocol is "static"
IPv6 Routing Protocol is "rip myripngprocess"
Interfaces:
Serial0/0/1
Serial0/0/0
FastEthernet0/0
Redistribution:
None
2811A_aka_2811B#
11. From 2811 Router A, ping the IPv6 Fast Ethernet addresses of routers 2811 B and
2811 C. Pinging will verify that your RIPng configurations are correct.
2811A#ping ipv6 2001::40:1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2001::40:1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 0/0/0 ms
2621B_aka_2811A#
2811A#ping ipv6 2001::50:1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2001::50:1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 0/0/0 ms
2621B_aka_2811A#
Individual Lab: PPP Encapsulation
Enter all commands in lower case. The program's grading feature expects
lower case and may count an answer wrong if it is in upper case.
The High-Level Data-Link Control protocol (HDLC) is a point-to-point protocol used on
leased lines. No authentication can be used with HDLC and it is the default encapsulation
used by Cisco routers over synchronous serial links. Cisco's HDLC is proprietary; it won't
communicate with any other vendor's HDLC implementation. If you want to either offer
authentication on a serial link or connect a Cisco router to another vendor's router,
you need to configure PPP on the serial interfaces.
PPP (Point-to-Point Protocol) is a data-link protocol that can be used over asynchronous
serial (dial-up) media and uses the LCP (Link Control Protocol) to build and maintain data-
link connections. The basic purpose of PPP is to transport layer-3 packets across a Data
Link layer point-to-point link.
This lab will have you configure PPP on all four serial networks, and replace HDLC as
the encapsulation method on our serial links.
When you have finished with this lab ...
You can check your work by clicking the Grade Me button in the upper right hand corner
of the Network Visualizer screen.
You will see a report that will display:
- The name of the command entered for this lab
- The expected configuration
- Your configuration
- The result for each command. You will see a green checkmark (meaning that you got it
  correct) or a red X
- A score of the number of correct answers out of the total possible
Network Layout
On the Network Visualizer screen, click on the Labs menu then choose Individual,
WAN, and PPP.
Lab Steps
Copy and Paste Script
Steps 1-3 are necessary in order to perform this lab. If you do not want to complete
these steps manually and want to accelerate steps 1-3, you can copy and paste the following
script into the console for each router. After you get into user mode, copy and paste the
script into the console. Click on the console and click your right mouse button. A pop-up
menu will appear. Click Paste.
After pasting the script into the console, you will see the prompt Destination filename
[startup-config]?. At this point, press Enter.
2621 Router A
enable
config t
hostname 2621A
line vty 0 4
password todd
login
interface serial 0/0
ip address 172.16.20.2 255.255.255.0
description connection to 2811A
no shutdown
exit
exit
copy run start
2811 Router A
enable
config t
hostname 2811A
line vty 0 1180
password todd
login
interface serial 0/1/1
ip address 172.16.20.1 255.255.255.0
description connection to 2621A
no shutdown
interface serial 0/0/1
ip address 172.16.30.1 255.255.255.0
description connection to 2621B
no shutdown
exit
exit
copy run start
2621 Router B
enable
config t
hostname 2621B
line vty 0 4
password todd
login
interface serial 0/0
ip address 172.16.30.2 255.255.255.0
description connection to 2811A
no shutdown
exit
exit
copy run start
1. Double-click 2621 Router A. After the console screen comes up, perform the following
commands.
Router>enable
Router#config t
Router(config)#hostname 2621A
2621A(config)#line vty 0 4
2621A(config-line)#password todd
2621A(config-line)#login
2621A(config-line)#int s0/0
2621A(config-if)#ip address 172.16.20.2 255.255.255.0
2621A(config-if)#description connection to 2811A
2621A(config-if)#no shutdown
2621A(config-if)#exit
2621A(config)#exit
2621A#copy run start
Destination filename [startup-config]? [enter]
Building configuration...
[OK]
2621A#
2. Double-click 2811 Router A. After the console screen comes up, perform the following
commands.
Router>enable
Router#config t
Router(config)#hostname 2811A
2811A(config)#line vty 0 1180
2811A(config-line)#password todd
2811A(config-line)#login
2811A(config-line)#int s0/1/1
2811A(config-if)#ip address 172.16.20.1 255.255.255.0
2811A(config-if)#description connection to 2621A
2811A(config-if)#no shutdown
2811A(config-if)#int s0/0/1
2811A(config-if)#ip address 172.16.30.1 255.255.255.0
2811A(config-if)#description connection to 2621B
2811A(config-if)#no shutdown
2811A(config-if)#ctrl+z
2811A#copy run start
Destination filename [startup-config]? [enter]
Building configuration...
[OK]
2811A#
3. Double-click 2621 Router B. After the console screen comes up, perform the following
commands.
Router>enable
Router#config t
Router(config)#hostname 2621B
2621B(config)#line vty 0 4
2621B(config-line)#password todd
2621B(config-line)#login
2621B(config-line)#int s0/0
2621B(config-if)#ip address 172.16.30.2 255.255.255.0
2621B(config-if)#description connection to 2811A
2621B(config-if)#no shutdown
2621B(config-if)#ctrl+z
2621B#copy run start
Destination filename [startup-config]? [enter]
Building configuration...
[OK]
2621B#
4. Now, configure each router with OSPF.
2621A(config)#router ospf 100
2621A(config-router)#network 172.16.20.2 0.0.0.0 area 0
2621A(config-router)#network 172.16.40.0 0.0.0.255 area 0
2621A(config-router)#exit
2621B(config)#router ospf 101
2621B(config-router)#network 172.16.30.2 0.0.0.0 area 0
2621B(config-router)#network 172.0.0.0 0.255.255.255 area 0
2621B(config-router)#exit
2811A(config)#router ospf 102
2811A(config-router)#network 172.16.10.1 0.0.0.0 area 0
2811A(config-router)#network 172.16.20.1 0.0.0.0 area 0
2811A(config-router)#network 172.16.30.1 0.0.0.0 area 0
2811A(config-router)#exit
Clock Rate
You do not have to set a clock rate if the DCE side of your connection is a 2811 router.
The clock rate for the serial interface is set by default to 2000000. However, on the
2621 router you still need to explicitly set the clock rate. In our lab the DCE side of the
connection is interface serial 0/1/1 and serial 0/0/1.
5. Bring up the console for 2811 Router A and change the encapsulation on the serial
links from HDLC to PPP.
2811A(config)#int s0/0/1
2811A(config-if)#encapsulation ppp
2811A(config-if)#int s0/1/1
2811A(config-if)#encapsulation ppp
2811A(config-if)#ctrl+z
2811A#
6. Connect to 2621 Router B and change the encapsulation on the serial links from
HDLC to PPP.
2621B(config)#int s0/0
2621B(config-if)#encapsulation ppp
2621B(config-if)#ctrl+z
2621B#
7. Connect to 2621 Router A and change the encapsulation on the serial link from
HDLC to PPP.
2621A(config)#int s0/0
2621A(config-if)#encapsulation ppp
2621A(config-if)#ctrl+z
2621A#
That's all there is to it. This part is easy.
Verifying PPP Encapsulation
Once you have replaced HDLC as the serial encapsulation method, then you need to verify
your network is still working properly.
The first command to use is the show ip route command to make sure all your IP
routes are still present.
8. From 2621 Router A, use the show ip route command to verify the network is still
running.
2621A#show ip route
[output cut]
172.16.0.0/16 is variably subnetted, 3 subnets, 2 masks
O 172.16.30.0/24 [110/74] via 172.16.20.1, 07:50:33, Serial0/0
C 172.16.20.1/32 is directly connected, Serial0/0
C 172.16.20.0/24 is directly connected, Serial0/0
2621A#
9. From 2621 Router B, use the show ip route command to verify the network is still
running.
2621B#show ip route
[output cut]
172.16.0.0/16 is variably subnetted, 3 subnets, 2 masks
C 172.16.30.1/32 is directly connected, Serial0/0
C 172.16.30.0/24 is directly connected, Serial0/0
O 172.16.20.0/24 [110/74] via 172.16.30.1, 07:50:33, Serial0/0
2621B#
10. From 2811 Router A, use the show ip route command to verify the network is still
running.
2811A#show ip route
[output cut]
172.16.0.0/16 is variably subnetted, 4 subnets, 2 masks
C 172.16.30.2/32 is directly connected, Serial0/0/1
C 172.16.30.0/24 is directly connected, Serial0/0/1
C 172.16.20.2/32 is directly connected, Serial0/1/1
C 172.16.20.0/24 is directly connected, Serial0/1/1
2811A#
11. From 2811 Router A, use the show interface command to see the serial link
encapsulation.
2811A#show int s0/0/1
Serial0/0/1 is up, line protocol is up
Hardware is GT96K Serial
Description: connection to 2621B
Internet address is 172.16.30.1/24
MTU 1500 bytes, BW 1544 Kbit, DLY 20000 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation PPP, loopback not set
[output cut]
2811A#show int s0/1/1
Serial0/1/1 is up, line protocol is up
Hardware is GT96K Serial
Description: connection to 2621A
Internet address is 172.16.20.1/24
MTU 1500 bytes, BW 1544 Kbit, DLY 20000 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation PPP, loopback not set
Configuring PPP Authentication with CHAP
Now that the network should be up and working with PPP, you can use PPP authentication
to stop unwanted users from connecting to your network. Although this is typically used
with dial-up, it can still be used with serial interfaces.
This lab will have you configure PPP authentication on all routers' serial interfaces using
the CHAP protocol.
Challenge Handshake Authentication Protocol (CHAP) is used at the initial startup of a link
and at periodic checkups on the link to make sure the router is still communicating with the
same host. After PPP finishes its initial phase, the local router sends a challenge request to
the remote device. The remote device sends a value calculated using a one-way hash function
called MD5. The local router checks this hash value to make sure it matches. If the values
don't match, the link is immediately terminated.
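The challenge and hash check described above can be followed message by message. The following Python code is an added example, not part of the lab software or the original text: it computes the response value as RFC 1994 defines it, MD5 over the identifier, the shared secret and the challenge, and models both routers using this lab's hostnames and the password cisco. The class and function names are assumptions made for this example.

```python
import hashlib
import hmac
import os


def chap_response(identifier, secret, challenge):
    """RFC 1994 response value: MD5(identifier || secret || challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class Authenticator:
    """The router that sends the challenge (the local router in the text)."""

    def __init__(self, hostname, users):
        self.hostname = hostname
        self.users = users          # remote hostname -> shared secret
        self.next_id = 0
        self.pending = {}           # identifier -> challenge awaiting a response

    def challenge(self):
        identifier = self.next_id
        self.next_id = (self.next_id + 1) % 256
        value = os.urandom(16)      # fresh random value for every challenge
        self.pending[identifier] = value
        return identifier, value, self.hostname

    def verify(self, identifier, peer_name, response):
        value = self.pending.pop(identifier, None)   # a challenge is single use
        secret = self.users.get(peer_name)           # exact, case-sensitive match
        if value is None or secret is None:
            return False
        expected = chap_response(identifier, secret, value)
        return hmac.compare_digest(expected, response)


class Peer:
    """The router that answers the challenge (the remote device in the text)."""

    def __init__(self, hostname, users):
        self.hostname = hostname
        self.users = users          # remote hostname -> shared secret

    def respond(self, identifier, value, authenticator_name):
        secret = self.users.get(authenticator_name)
        if secret is None:
            return None             # no username entry for the challenger
        return identifier, self.hostname, chap_response(identifier, secret, value)


def handshake(authenticator, peer):
    """One challenge/response round; True keeps the link up, False drops it."""
    reply = peer.respond(*authenticator.challenge())
    return reply is not None and authenticator.verify(*reply)


if __name__ == "__main__":
    router_2811a = Authenticator("2811A", {"2621A": b"cisco"})
    print(handshake(router_2811a, Peer("2621A", {"2811A": b"cisco"})))   # matching secret
    print(handshake(router_2811a, Peer("2621A", {"2811A": b"Cisco"})))   # wrong secret
    print(handshake(router_2811a, Peer("2621a", {"2811A": b"cisco"})))   # wrong-case name
```

The secret itself never crosses the link, and because each challenge is random and used once, a response captured from one round does not verify against the next.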
12. To configure PPP authentication, first set the hostname of the router if it is not already
set (this is not an option!). Then set the username and password for the remote router
connecting to your router. For example, if you are connected to 2621 Router A and want
to configure authentication, you would set the hostname and then create a username that
consists of the router you are going to connect to, in this example, 2811 Router A.
This is shown below:
Router#config t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#hostname 2621A
2621A(config)#username 2811A password cisco
When using the hostname command, remember that the username is the hostname of
the remote router connecting to your router. It is case-sensitive. Also, the password on
both routers must be the same. It is a plain-text password and can be seen with a show
run command.
You must have a username and password configured for each remote system you are
going to connect to. The remote routers must also be configured with usernames and
passwords.
13. After you set the hostname, usernames, and passwords, choose the authentication as
shown in the following example:
2621A#config t
Enter configuration commands, one per line. End with CNTL/Z.
2621A(config)#int s0/0
2621A(config-if)#ppp authentication chap
2621A(config-if)#exit
2621A(config)#
14. Open a console to 2621 Router A and create a username of 2811 Router A with
a password of cisco. Then configure the serial interface 0/0 to use ppp authentication
of chap.
2621A(config)#username 2811A password cisco
2621A(config)#int s0/0
2621A(config-if)#ppp authentication chap
2621A(config-if)#ctrl+z
2621A#
15. Open a console to 2621 Router B and create a username of 2811 Router A with
a password of cisco. Then configure the serial interface 0/0 to use ppp authentication
of chap.
2621B#config t
2621B(config)#username 2811A password cisco
2621B(config)#int s0/0
2621B(config-if)#ppp authentication chap
2621B(config-if)#ctrl+z
2621B#
16. Open a console to 2811 Router A and create usernames of 2621 Router A and 2621
Router B with a password of cisco. Then configure the serial interfaces 0/0/1 and
0/1/1 to use ppp authentication of chap.
2811A(config)#username 2621A password cisco
2811A(config)#username 2621B password cisco
2811A(config)#int s0/0/1
2811A(config-if)#ppp authentication chap
2811A(config-if)#int s0/1/1
2811A(config-if)#ppp authentication chap
2811A(config-if)#ctrl+z
2811A#
Verifying PPP with Authentication
Once you have configured PPP with authentication as the serial encapsulation method,
you need to verify your network is still working properly.
The first command to use is the show ip route command to make sure all your IP routes
are still present. The next command to use is the show interface command.
17. From 2621 Router A, use the show ip route command to verify the network is still
running.
2621A#show ip route
[output cut]
172.16.0.0/16 is variably subnetted, 3 subnets, 2 masks
O 172.16.30.0/24 [110/74] via 172.16.20.1, 08:08:48, Serial0/0
C 172.16.20.1/32 is directly connected, Serial0/0
C 172.16.20.0/24 is directly connected, Serial0/0
2621A#
18. From 2621 Router B, use the show ip route command to verify the network is still
running.
2621B#show ip route
[output cut]
172.16.0.0/16 is variably subnetted, 3 subnets, 2 masks
C 172.16.30.1/32 is directly connected, Serial0/0
C 172.16.30.0/24 is directly connected, Serial0/0
O 172.16.20.0/24 [110/74] via 172.16.30.1, 08:08:48, Serial0/0
2621B#
19. From 2811 Router A, use the show ip route command to verify the network is still
running.
2811A#show ip route
[output cut]
172.16.0.0/16 is variably subnetted, 4 subnets, 2 masks
C 172.16.30.2/32 is directly connected, Serial0/0/1
C 172.16.30.0/24 is directly connected, Serial0/0/1
C 172.16.20.2/32 is directly connected, Serial0/1/1
C 172.16.20.0/24 is directly connected, Serial0/1/1
2811A#
20. From 2811 Router A, use the show interface command to see the serial link
encapsulation.
2811A#show int s0/0/1
Serial0/0/1 is up, line protocol is up
Hardware is GT96K Serial
Description: connection to 2621B
Internet address is 172.16.30.1/24
MTU 1500 bytes, BW 1544 Kbit, DLY 20000 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation PPP, loopback not set
Keepalive set (10)
Last input 00:00:02, output 00:00:06, output hang never
Last clearing of "show interface" counters 02:41:59
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: weighted fair
Output queue: 0/1000/64/0 (size/max total/threshold/drops)
Conversations 0/1/256 (active/max active/max total)
Reserved Conversations 0/0 (allocated/max allocated)
Available Bandwidth 1158 kilobits/sec
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
1645 packets input, 100265 bytes, 0 no buffer
Received 1139 broadcasts, 0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
1662 packets output, 105842 bytes, 0 underruns
0 output errors, 0 collisions, 3 interface resets
0 output buffer failures, 0 output buffers swapped out
2 carrier transitions
DCD=up DSR=up DTR=up RTS=up CTS=up
2811A#
2811A#show int s0/1/1
Serial0/1/1 is up, line protocol is up
Hardware is GT96K Serial
Description: connection to 2621A
Internet address is 172.16.20.1/24
MTU 1500 bytes, BW 1544 Kbit, DLY 20000 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation PPP, loopback not set
Keepalive set (10)
Last input 00:00:02, output 00:00:06, output hang never
Last clearing of "show interface" counters 02:41:59
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: weighted fair
Output queue: 0/1000/64/0 (size/max total/threshold/drops)
Conversations 0/1/256 (active/max active/max total)
Reserved Conversations 0/0 (allocated/max allocated)
Available Bandwidth 1158 kilobits/sec
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
1645 packets input, 100265 bytes, 0 no buffer
Received 1139 broadcasts, 0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
1662 packets output, 105842 bytes, 0 underruns
0 output errors, 0 collisions, 3 interface resets
0 output buffer failures, 0 output buffers swapped out
2 carrier transitions
DCD=up DSR=up DTR=up RTS=up CTS=up
Individual Lab: Frame Relay Switching
Enter all commands in lower case. The program's grading feature expects
lower case and may count an answer wrong if it is in upper case.
Frame Relay provides connection-oriented, Data Link layer communication via virtual
circuits. These virtual circuits are logical connections created between two DTEs across a
packet-switched network, each identified by a DLCI, or Data Link Connection Identifier.
Also, Frame Relay uses both PVCs (Permanent Virtual Circuits) and SVCs (Switched
Virtual Circuits, which is a form of dialup), although most Frame Relay networks use only
PVCs. This virtual circuit provides the complete path to the destination network prior to
the sending of the first frame.
Frame Relay provides a communications interface between DTE (data terminal equipment)
and DCE (data circuit-terminating equipment, such as packet switches) devices.
DTE consists of terminals, PCs, routers, and bridges: customer-owned end-node and
internetworking devices. DCE consists of carrier-owned internetworking devices.
Frame Relay sends packets at the Data Link layer (layer 2) of the OSI model rather than
at the Network layer (layer 3). A frame can incorporate packets from different protocols.
When you have finished with this lab ...
You can check your work by clicking the Grade Me button in the upper right hand corner
of the Network Visualizer screen.
Network Layout
On the Network Visualizer screen, click on the Labs menu then choose Individual,
WAN, and Frame Relay.
You will see a report that will display:
• The name of the command entered for this lab
• The expected configuration
• Your configuration
• The result for each command. You will see a green checkmark (meaning that you got it
  correct) or a red X
• A score of the number of correct answers out of the total possible
Understand Frame Relay
Frame Relay Uses Virtual Circuits
Frame Relay provides connection-oriented, Data Link layer communication via virtual
circuits. These virtual circuits are logical connections created between two DTEs across a
packet-switched network, each identified by a DLCI, or Data Link Connection Identifier.
Also, Frame Relay uses both PVCs (Permanent Virtual Circuits) and SVCs (Switched
Virtual Circuits, which is a form of dialup), although most Frame Relay networks use only
PVCs. This virtual circuit provides the complete path to the destination network prior to
the sending of the first frame.
Configuring Frame Relay Encapsulation
When configuring Frame Relay on Cisco routers, you need to specify it as an encapsulation
on serial interfaces. There are only two encapsulation types: Cisco and IETF (Internet
Engineering Task Force). The following router output shows the two different encapsulation
methods when choosing Frame Relay on your Cisco router:
2621A#config t
2621A(config)#int s0/0
2621A(config-if)#encapsulation frame-relay ?
ietf Use RFC1490 encapsulation
<cr>
The default encapsulation is Cisco unless you manually type in IETF, and Cisco is the
type used when connecting two Cisco devices. You'd opt for the IETF-type encapsulation if
you needed to connect a Cisco device to a non-Cisco device with Frame Relay.
Frame Relay DLCI
Frame Relay virtual circuits (PVCs) are identified by Data Link Connection Identifiers
(DLCIs). A Frame Relay service provider, such as the telephone company, typically assigns
DLCI values, which are used by Frame Relay to distinguish between different virtual circuits
on the network. Because many virtual circuits can be terminated on one multipoint
Frame Relay interface, many DLCIs are often affiliated with it.
For the IP devices at each end of a virtual circuit to communicate, their IP addresses
need to be mapped to DLCIs. This mapping can function as a multipoint device, one that
can identify to the Frame Relay network the appropriate destination virtual circuit for each
packet that is sent over the single physical interface. The mappings can be done dynamically
through IARP (Inverse ARP) or manually through the frame-relay map command.
DLCI numbers, used to identify a PVC, are typically assigned by the provider and start
at 16. Configuring a DLCI number to be applied to an interface is shown below:
2621A(config-if)#frame-relay interface-dlci ?
<16-1007> Define a DLCI as part of the current subinterface
2621A(config-if)#frame-relay interface-dlci 16
Frame Relay LMI
The Local Management Interface (LMI) was developed in 1990 by Cisco Systems,
StrataCom, Northern Telecom, and Digital Equipment Corporation and became known
as the Gang-of-Four LMI or Cisco LMI. This gang took the basic Frame Relay protocol
from the CCITT and added extensions onto the protocol features that allow internetworking
devices to communicate easily with a Frame Relay network.
The LMI is a signaling standard between a CPE device (router) and a frame switch. The
LMI is responsible for managing and maintaining status between these devices.
If you're not going to use the auto-sense feature of LMI, you'll need to check with your
Frame Relay provider to find out which type to use instead. The default type is Cisco, but
you may need to change to ANSI or Q.933A. The three different LMI types are depicted in
the router output below.
2621A(config-if)#frame-relay lmi-type ?
cisco
ansi
q933a
2621A(config-if)#frame-relay lmi-type ansi
You can have multiple virtual circuits on a single serial interface and yet treat each as a
separate interface. These are known as subinterfaces. Think of a subinterface as a hardware
interface defined by the IOS software. An advantage gained through using subinterfaces is
the ability to assign different Network layer characteristics to each subinterface and virtual
circuit, such as IP routing on one virtual circuit and IPX on another.
Subinterfaces with Frame Relay
You define subinterfaces with the int s0.subinterface number command as shown
below. You first set the encapsulation on the serial interface, and then you can define the
subinterfaces.
2621A(config-if)#encapsulation frame-relay
2621A(config-if)#exit
2621A(config)#int s0/0.?
<0-4294967295> Serial interface number
2621A(config)#int s0/0.16 ?
multipoint Treat as a multipoint link
point-to-point Treat as a point-to-point link
2621A(config)#int s0/0.16 point-to-point
2621A(config-subif)#
You can define an almost limitless number of subinterfaces on a given physical interface
(keeping router memory in mind). In the above example, we chose to use subinterface 16
because that represents the DLCI number assigned to that interface. However, you can
choose any number between 0 and 4,294,967,295.
Configuring Frame-Relay
Lab Steps
Now that you should have a background on how to configure basic Frame Relay on a Cisco
router, this lab will have you configure 2811 Router A as a Frame Relay switch. Then you'll
configure routers 2621 A and 2621 B as remote Frame Relay connections.
1. Open a console for 2811 A and configure the hostname.
Router>enable
Router#config t
Router(config)#hostname 2811A
2811A(config)#
Once your router is clear, you can make it a Frame Relay switch with the
frame-relay switching command. However, that is the easy part. You need to map
every DLCI on the switch. Of course, the router only has two connections, so it is not
too time-consuming, but if you had dozens of PVCs, this could take a while.
2811 A
serial 0/0/1 DLCI 16
serial 0/1/1 DLCI 17
On the Frame Relay switch, use the frame-relay route command to map each and
every DLCI. Here is an example:
2811A(config)#int s0/0/1
2811A(config-if)#frame-relay route 17 interface serial 0/1/1 16
2811A(config-if)#exit
2811A(config)#
This command tells the switch that if it receives a frame on serial 0/0/1 with a PVC of
16, then send it out serial 0/1/1 using a PVC of 17. Again, in our network, this configuration
will only be two routes, so it's not a big deal.
2. On 2811 Router A, configure the Frame Relay switching. No IP addresses are assigned to the
router's interfaces. Remember, this is a Data Link layer function only, so IP is irrelevant
to this configuration.
2811A(config)#frame-relay switching
2811A(config)#int s0/0/1
2811A(config-if)#encapsulation frame-relay
2811A(config-if)#no shut
2811A(config-if)#frame intf-type dce
2811A(config-if)#frame-relay route 17 interface serial 0/1/1 16
2811A(config-if)#int s0/1/1
2811A(config-if)#encapsulation frame-relay
2811A(config-if)#no shut
2811A(config-if)#frame intf-type dce
2811A(config-if)#frame-relay route 16 interface serial 0/0/1 17
2811A(config-if)#ctrl+z
2811A#
Configuring Frame Relay with Subinterfaces
Now that the Frame-Relay switching router is configured, you need to configure the remote
routers. You will bring up the console for routers 2621 A and 2621 B and configure them
for Frame Relay using subinterfaces.
Since the Frame-Relay switches are not using IP addressing, connecting from routers
2621 A to 2621 B, for example, will use one subnet and appear like a direct connection.
Use subnet 172.16.100.0.
3. Open a console on 2621 Router A and configure the serial 0/0 interface with a Frame
Relay subinterface. To perform this, you must remove the IP address and IPX network
number from the serial interface. In this lab we do not have an existing IP address but
we wanted to include the configuration to remove it. You may be constructing your
own network and already have an IP address for s0/0 and you will need to remember
to remove it.
Router>enable
Router#config t
Router(config)#hostname 2621A
2621A(config)#int s0/0
2621A(config-if)#no ip address
2621A(config-if)#no shut
2621A(config-if)#encapsulation frame-relay
2621A(config-if)#int s0/0.16 point-to-point
2621A(config-subif)#ip address 172.16.100.1 255.255.255.0
2621A(config-subif)#frame-relay interface-dlci 16
2621A(config-subif)#ctrl+z
2621A#
4. Open a console on 2621 Router B and configure the serial 0/0 interface with a Frame
Relay subinterface.
Router>enable
Router#config t
Router(config)#hostname 2621B
2621B(config)#int s0/0
2621B(config-if)#no ip address
2621B(config-if)#no shut
2621B(config-if)#encapsulation frame-relay
2621B(config-if)#int s0/0.17 point-to-point
2621B(config-subif)#ip address 172.16.100.2 255.255.255.0
2621B(config-subif)#frame-relay interface-dlci 17
2621B(config-subif)#ctrl+z
2621B#
5. Verify the Frame-Relay connection is up and running. Ping from 2621 Router A to
2621 Router B.
2621A#ping 172.16.100.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.100.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/4 ms
2621A#
Verifying Frame Relay
There are several ways to check the status of your interfaces and PVCs once you have Frame
Relay encapsulation set up and running. You can use the show frame-relay command with
a question mark (?) to get the command options:
2621A#show frame ?
ip show frame relay IP statistics
lapf show frame relay lapf status/statistics
lmi show frame relay lmi statistics
map Frame-Relay map table
pvc show frame relay pvc statistics
qos-autosense show frame relay qos-autosense information
route show frame relay route
rtp show frame relay RTP statistics
svc show frame relay SVC stuff
traffic Frame-Relay protocol statistics
6. Change to the console for 2621 Router A.
7. The show frame-relay lmi command will give you the LMI traffic statistics
exchanged between the local router and the Frame Relay switch.
2621A#show frame lmi
LMI Statistics for interface Serial0/0 (Frame Relay DTE) LMI TYPE = CISCO
Invalid Unnumbered info 0 Invalid Prot Disc 0
Invalid dummy Call Ref 0 Invalid Msg Type 0
Invalid Status Message 0 Invalid Lock Shift 0
Invalid Information ID 0 Invalid Report IE Len 0
Invalid Report Request 0 Invalid Keep IE Len 0
Num Status Enq. Rcvd 1748 Num Status msgs Sent 1748
Num Update Status Sent 0 Num St Enq. Timeouts 0
2621A#
The router output from the show frame-relay lmi command shows you LMI errors as
well as the LMI type.
8. The show frame pvc command will list all configured PVCs and DLCI numbers. It pro-
vides the status of each PVC connection and traffic statistics. It will also give you the
number of BECN and FECN packets received on the router.
2621A#show frame pvc
PVC Statistics for interface Serial0/0 (Frame Relay DTE)
DLCI = 16 , DLCI USAGE = LOCAL , PVC STATUS = ACTIVE , INTERFACE =
Serial0/0.16
input pkts 11290 output pkts 11277 in bytes 898590
out bytes 899156 dropped pkts 2 in FECN pkts 0
in BECN pkts 0 out FECN pkts 0 out BECN pkts 0
in DE pkts 0 out DE pkts 0
out bcast pkts 11264 out bcast bytes 898468
pvc create time 13:25:57, last time pvc status changed 13:25:39
2621A#
9. You can also use the show interface command to check for LMI traffic. The show
interface command displays information about the encapsulation as well as layer-2
and layer-3 information.
The LMI DLCI is used to define the type of LMI being used. If it is 1023, it is the
default LMI type of Cisco. If the LMI DLCI is zero, then it is the ANSI LMI type.
2621A#show int s0/0
Serial0/0 is up, line protocol is up
Hardware is PowerQUICC Serial
MTU 1500 bytes, BW 1544 Kbit, DLY 20000 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation FRAME-RELAY, loopback not set
Keepalive set (10)
FR SVC disabled, LAPF state down
LMI enq sent 41, LMI stat recvd 22, LMI upd recvd 0, DTE LMI down
LMI enq recvd 4, LMI stat sent 0, LMI upd sent 0
LMI DLCI 1023 LMI type is CISCO frame relay DTE
Broadcast queue 0/64, broadcasts sent/dropped 0/0, interface broadcasts 0
[output cut]
2621A#
The show interface command displays line, protocol, DLCI and LMI information.
10. The show frame map command will show you the Network layer-to-DLCI mappings.
2621A#show frame map
Serial0/0.16 (up): point-to-point dlci, dlci 16(0x66,0x1860), broadcast
status defined, active
2621A#
Individual Lab: EIGRP Routing
Enter all commands in lower case. The program's grading feature expects
lower case and may count an answer wrong if it is in upper case.
Enhanced Interior Gateway Routing Protocol (EIGRP) is a Cisco proprietary hybrid routing
protocol. If you want your routers to share information they must all:
• have EIGRP running
• use the same AS number
When you have finished with this lab ...
You can check your work by clicking the Grade Me button in the upper right hand corner
of the Network Visualizer screen.
You will see a report that will display:
• The name of the command entered for this lab
• The expected configuration
• Your configuration
• The result for each command. You will see a green checkmark (meaning that you got it
  correct) or a red X
• A score of the number of correct answers out of the total possible
EIGRP
• Stands for Enhanced Interior Gateway Routing Protocol
• Uses properties of both distance vector and link state
• Has an administrative distance of 90
• Has a maximum hop count of 255
• Will automatically overwrite RIP (which has a default administrative distance of 120)
  routes in the routing table
• Uses autonomous systems (AS) to create groups of routers that share routing
  information
• Classless routing protocol but configured in a classful manner
• Uses RTP: Reliable Transport Protocol
• Uses DUAL Reliable Transport Protocol
• Supports VLSM, summarization, and discontiguous networking
• Supports IP v4 and v6, IPX, AppleTalk
Network Layout
On the Network Visualizer screen, click on the Labs menu then choose Individual,
Routing Protocols, and EIGRP.
Lab Steps
Copy and Paste Script
Steps 1-3 are necessary in order to perform this lab. If you do not want to manually complete
these steps and want to accelerate steps 1 - 3, you can copy and paste the following script into
the console for each router. After you get into User mode, copy and paste the script into the
console. Click on the console and click your right mouse button. A pop-up menu will appear.
Click Paste.
After pasting the script into the console, you will see the prompt Destination filename
[startup-config]?. At this point, press Enter.
2621 Router A
enable
config t
hostname 2621A
line vty 0 4
password todd
login
interface serial 0/0
ip address 172.16.20.2 255.255.255.0
description connection to 2811A
no shutdown
exit
exit
copy run start

2811 Router A
enable
config t
hostname 2811A
line vty 0 1180
password todd
login
interface serial 0/1/1
ip address 172.16.20.1 255.255.255.0
description connection to 2621A
no shutdown
interface serial 0/0/1
ip address 172.16.30.1 255.255.255.0
description connection to 2621B
no shutdown
exit
exit
copy run start

2621 Router B
enable
config t
hostname 2621B
line vty 0 4
password todd
login
interface serial 0/0
ip address 172.16.30.2 255.255.255.0
description connection to 2811A
no shutdown
exit
exit
copy run start
1. Double-click 2621 Router A. After the console screen comes up, perform the following
commands.
Router>enable
Router#config t
Router(config)#hostname 2621A
2621A(config)#line vty 0 4
2621A(config-line)#password todd
2621A(config-line)#login
2621A(config-line)#int s0/0
2621A(config-if)#ip address 172.16.20.2 255.255.255.0
2621A(config-if)#description connection to 2811A
2621A(config-if)#no shutdown
2621A(config-if)#ctrl+z
2621A#copy run start
Destination filename [startup-config]? [enter]
Building configuration...
[OK]
2621A#
2. Double-click 2811 Router A. After the console screen comes up, perform the following
commands.
Router>enable
Router#config t
Router(config)#hostname 2811A
2811A(config)#line vty 0 1180
2811A(config-line)#password todd
2811A(config-line)#login
2811A(config-line)#int s0/1/1
2811A(config-if)#ip address 172.16.20.1 255.255.255.0
2811A(config-if)#description connection to 2621A
2811A(config-if)#no shutdown
2811A(config-if)#int s0/0/1
2811A(config-if)#ip address 172.16.30.1 255.255.255.0
2811A(config-if)#description connection to 2621B
2811A(config-if)#no shutdown
2811A(config-if)#ctrl+z
2811A#copy run start
Destination filename [startup-config]? [enter]
Building configuration...
[OK]
2811A#
3. Double-click 2621 Router B. After the console screen comes up, perform the following
commands.
Router>enable
Router#config t
Router(config)#hostname 2621B
2621B(config)#line vty 0 4
2621B(config-line)#password todd
2621B(config-line)#login
2621B(config-line)#int s0/0
2621B(config-if)#ip address 172.16.30.2 255.255.255.0
2621B(config-if)#description connection to 2811A
2621B(config-if)#no shutdown
2621B(config-if)#ctrl+z
2621B#copy run start
Destination filename [startup-config]? [enter]
Building configuration...
[OK]
2621B#
4. Go to the console screen for 2621 Router A and ping interface s 0/0 on 2621 Router B.
The packet will travel through 2811 Router A on its way to router 2621 B.
2621A#ping 172.16.30.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.30.2, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5), round-trip min/avg/max = 0/0/0 ms
2621A#
No routing protocol is set up. The routing table for router 2621 A does not
know how to get to the destination address.
5. Configure 2621 Router A to use EIGRP with an AS of 10.
2621A#config t
2621A(config)#router eigrp 10
2621A(config-router)#network 172.16.0.0
2621A(config-router)#ctrl+z
2621A#
Clock Rate
You do not have to set a clock rate if the DCE side of your connection is a 2811 router. The
clock rate for the serial interface is set by default to 2000000. However, on the 2621 router
you still need to explicitly set the clock rate. In our lab the DCE side of the connection is
interface serial 0/1/1 and serial 0/0/1.
6. Configure 2621 Router B to use EIGRP with an AS of 10.
2621B#config t
2621B(config)#router eigrp 10
2621B(config-router)#network 172.16.0.0
2621B(config-router)#
7. Configure 2811 Router A to use EIGRP with an AS of 15.
2811A#config t
2811A(config)#router eigrp 15
2811A(config-router)#network 172.16.0.0
2811A(config-router)#exit
2811A(config)#
8. Now that we have EIGRP on every router, go to router 2621 A and ping 172.16.30.2
on router 2621 B.
2621A#ping 172.16.30.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.30.2, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5), round-trip min/avg/max = 0/0/0 ms
2621A#
It did not work. Click on the Net Detective icon to see if we can find out why the ping
was not successful.
You will see the following information:
1. Network 172.16.0.0 was not found in the routing tables for 2621 Router A.
2. The desired address falls outside of the protocol networks set up for one or more of
the devices.
3. The desired IP address of 172.16.30.2 was not found. None of the interfaces in the
current network have been configured with this IP address.
We know that Network 172.16.0.0 is in the routing table. Maybe #2 is true. Ok, I found
it. The AS number for 2811 Router A is wrong. Change it from 15 to 10.
9. First, remove router eigrp 15 and put the correct command in.
2811A(config)#no router eigrp
% Incomplete command.
(We forgot to put 15 in the command. Try again)
2811A(config)#no router eigrp 15
2811A(config)#router eigrp 10
2811A(config-router)#network 172.16.0.0
2811A(config-router)#ctrl+z
2811A#
10. Now the ping should work. Go to 2621 Router A and ping interface s 0/0 on 2621 B.
2621A#ping 172.16.30.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.30.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/4 ms
2621A#
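A check for the fault found in steps 8 and 9, as an added Python example that is not part of the book or the simulator: it reads the three routers' configurations, pairs up interfaces that share a subnet, and reports every link whose two ends do not run EIGRP under a common AS number. The configuration text is constructed from the lab's steps, with 2811A still on AS 15, and the function names are assumptions.

```python
import ipaddress
import re

# Constructed from lab steps 1-7; 2811A still carries the wrong AS number.
CONFIGS = {
    "2621A": """
hostname 2621A
interface serial 0/0
 ip address 172.16.20.2 255.255.255.0
router eigrp 10
 network 172.16.0.0
""",
    "2811A": """
hostname 2811A
interface serial 0/1/1
 ip address 172.16.20.1 255.255.255.0
interface serial 0/0/1
 ip address 172.16.30.1 255.255.255.0
router eigrp 15
 network 172.16.0.0
""",
    "2621B": """
hostname 2621B
interface serial 0/0
 ip address 172.16.30.2 255.255.255.0
router eigrp 10
 network 172.16.0.0
""",
}


def classful_network(addr):
    """A 'network' statement without a wildcard mask covers the classful network."""
    first_octet = int(addr.split(".")[0])
    prefix = 8 if first_octet < 128 else 16 if first_octet < 192 else 24
    return ipaddress.ip_network(f"{addr}/{prefix}", strict=False)


def parse(config):
    """Return the interface addresses and EIGRP processes found in one config."""
    interfaces, eigrp = {}, {}
    mode, current = None, None
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        if not raw[0].isspace():
            mode = None  # an unindented line leaves any sub-mode
        m = re.fullmatch(r"interface\s+(.+)", line)
        if m:
            mode, current = "if", m.group(1)
            continue
        m = re.fullmatch(r"router eigrp\s+(\d+)", line)
        if m:
            mode, current = "eigrp", int(m.group(1))
            eigrp.setdefault(current, [])
            continue
        m = re.fullmatch(r"ip address\s+(\S+)\s+(\S+)", line)
        if m and mode == "if":
            interfaces[current] = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}")
            continue
        m = re.fullmatch(r"network\s+(\S+)", line)
        if m and mode == "eigrp":
            eigrp[current].append(classful_network(m.group(1)))
    return {"interfaces": interfaces, "eigrp": eigrp}


def eigrp_as_on(parsed, iface):
    """AS numbers whose network statements cover this interface address."""
    return {asn for asn, nets in parsed["eigrp"].items()
            if any(iface.ip in net for net in nets)}


def audit(configs):
    """List (subnet, router, AS list, router, AS list) for links with no shared AS."""
    parsed = {name: parse(text) for name, text in configs.items()}
    by_subnet = {}
    for name, p in parsed.items():
        for iface in p["interfaces"].values():
            by_subnet.setdefault(iface.network, []).append((name, iface))
    findings = []
    for subnet, ends in sorted(by_subnet.items()):
        for i in range(len(ends)):
            for j in range(i + 1, len(ends)):
                (ra, ia), (rb, ib) = ends[i], ends[j]
                as_a = eigrp_as_on(parsed[ra], ia)
                as_b = eigrp_as_on(parsed[rb], ib)
                if not as_a & as_b:
                    findings.append((str(subnet), ra, sorted(as_a), rb, sorted(as_b)))
    return findings


if __name__ == "__main__":
    for subnet, ra, as_a, rb, as_b in audit(CONFIGS):
        print(f"{subnet}: {ra} runs EIGRP AS {as_a}, {rb} runs AS {as_b}")
```

Run against the configurations after step 9, where 2811A uses router eigrp 10, the audit returns an empty list.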
Net Detective
Unless you are an expert in using routers and switches, you might enter a command,
have it not work, and not immediately know what you did wrong. We have tried to
bridge that gap with Net Detective. There are several hundred commands that Net
Detective monitors. If something does not work properly, clicking on the Net Detective
button may prove to be helpful. For example, if you are unsuccessful in trying to ping
between 2600 A and 2600 B, Net Detective will provide several suggestions as to
what is possibly wrong.
Verifying EIGRP
Since EIGRP has a better administrative distance than IGRP and RIP, all the routing tables
should have EIGRP found routes (D). Use the show ip route command and other EIGRP
show commands to verify EIGRP.
11. From 2621 Router A, use the show ip route command to verify the routing table.
2621A#show ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, * - candidate
default
U - per-user static route, o - ODR, P - periodic downloaded static
route
T - traffic engineered route
Gateway of last resort is not set
172.16.0.0/24 is subnetted, 2 subnets
D 172.16.30.0 [90/2172416] via 172.16.20.1, 02:20:56, Serial0/0
C 172.16.20.0 is directly connected, Serial0/0
2621A#
Notice the route that begins with D. These are EIGRP routes.
12. Use the show ip protocol command from 2621 Router A.
2621A#show ip protocol
Routing Protocol is "eigrp 10"
Outgoing update filter list for all interfaces is not set
Incoming update filter list for all interfaces is not set
Default networks flagged in outgoing updates
Default networks accepted from incoming updates
EIGRP metric weight K1=1, K2=0, K3=1, K4=0, K5=0
EIGRP maximum hop count 100
EIGRP maximum metric variance 1
Redistributing: eigrp 10
Automatic network summarization is in effect
Maximum path: 4
Routing for networks:
172.16.0.0
Routing information sources:
Gateway Distance Last Update
172.16.20.1 90 00:12:28
Distance: internal 90 external 170
2621A#
13. From 2621 Router B, use the show ip route command to verify the routing table.
2621B#show ip route
[output cut]
172.16.0.0/24 is subnetted, 2 subnets
C 172.16.30.0 is directly connected, Serial0/0
D 172.16.20.0 [90/2172416] via 172.16.30.1, 02:22:00, Serial0/0
2621B#
14. From 2811 Router A, use the show ip route command to verify the routing table.
2811A#show ip route
[output cut]
172.16.0.0/24 is subnetted, 2 subnets
C 172.16.30.0 is directly connected, Serial0/0/1
C 172.16.20.0 is directly connected, Serial0/1/1
2811A#
15. From 2621 Router A, use the show ip eigrp neighbors command to see the EIGRP
neighbor table. This table holds information about the router's directly connected
neighbors.
2621A#show ip eigrp neighbor
IP-EIGRP neighbors for process 10
H   Address         Interface   Hold  Uptime    SRTT   RTO   Q    Seq  Type
                                (sec)           (ms)         cnt  Num
0   172.16.20.1     S0/0        12    02:28:04  20     200   0    1
2621A#
16. From 2621 Router A, use the show ip eigrp topology command to see the EIGRP
topology table. This table shows the entire network as 2621 Router A understands it.
2621A#show ip eigrp topology
IP-EIGRP Topology Table for AS(10)/ID(172.16.20.2)
Codes: P - Passive, A - Active, U - Update, Q - Query, R - Reply,
r - reply Status, s - sia Status
P 172.16.30.0/24, 1 successors, FD is 2172416
via 172.16.20.1 (2172416/28160), Serial0/1/1
P 172.16.20.0/24, 1 successors, FD is 2172416
via Connected, Serial0/0
2621A#
Individual Lab: Single Area OSPF
Enter all commands in lower case. The program's grading feature expects
lower case and may count an answer wrong if it is in upper case.
This section will discuss the OSPF routing process.
OSPF is an open standards routing protocol that has been implemented by a wide variety of
network vendors, including Cisco. The benefit of an approach based on open standards is that
equipment from multiple vendors can interoperate as long as their implementations are
compliant with the appropriate Requests for Comments (RFCs). This does not mean that vendors
are forced to restrict their implementations to only the features documented in the RFCs. On
the contrary, Cisco and others have added features to their versions of OSPF that may not be
found in other vendors' implementations. Knowing which features are standards based and
which are proprietary becomes important when deploying multivendor OSPF networks.
- Stands for open shortest path first
- Uses the concept of an area, which is a grouping of contiguous OSPF networks and hosts
- Is a link-state routing protocol
- Has no maximum hop count
- Has an administrative distance of 110
- Includes equal-cost multipath routing
- Supports VLSM and discontiguous networks
The easiest (and least scalable) way to configure OSPF is simply to use a single area,
which requires a minimum of two commands.
This program only supports a single area OSPF network, which will always
be area 0.
When you have finished with this lab ...
You can check your work by clicking the Grade Me button in the upper right hand corner
of the Network Visualizer screen.
Network Layout
On the Network Visualizer screen, click on the Labs menu then choose Individual,
Routing Protocols, and Single Area OSPF.
You will see a report that will display:
- The name of the command entered for this lab
- The expected configuration
- Your configuration
- The result for each command. You will see a green checkmark (meaning that you got it
  correct) or a red X
- A score of the number of correct answers out of the total possible
Lab Steps
Copy and Paste Script
Steps 1-3 are necessary in order to perform this lab. If you do not want to manually complete
these steps and want to accelerate steps 1 - 3, you can copy and paste the following script into
the console for each router. After you get into User mode, copy and paste the script into the
console. Click on the console and click your right mouse button. A pop-up menu will appear.
Click Paste.
After pasting the script into the console, you will see the prompt Destination filename
[startup-config]?. At this point, press Enter.
2621 Router A
enable
config t
hostname 2621A
line vty 0 4
password todd
login
interface serial 0/0
ip address 172.16.20.2 255.255.255.0
description connection to 2811A
no shutdown
exit
exit
copy run start

2811 Router A
enable
config t
hostname 2811A
line vty 0 1180
password todd
login
interface serial 0/1/1
ip address 172.16.20.1 255.255.255.0
description connection to 2621A
no shutdown
interface serial 0/0/1
ip address 172.16.30.1 255.255.255.0
description connection to 2621B
no shutdown
exit
exit
copy run start

2621 Router B
enable
config t
hostname 2621B
line vty 0 4
password todd
login
interface serial 0/0
ip address 172.16.30.2 255.255.255.0
description connection to 2811A
no shutdown
exit
exit
copy run start
1. Double-click 2621 Router A. After the console screen comes up, perform the following
commands.
Router>enable
Router#config t
Router(config)#hostname 2621A
2621A(config)#line vty 0 4
2621A(config-line)#password todd
2621A(config-line)#login
2621A(config-line)#int s0/0
2621A(config-if)#ip address 172.16.20.2 255.255.255.0
2621A(config-if)#description connection to 2811A
2621A(config-if)#no shutdown
2621A(config-if)#ctrl+z
2621A#copy run start
Destination filename [startup-config]? [enter]
Building configuration...
[OK]
2621A#
2. Double-click 2811 Router A. After the console screen comes up, perform the following
commands.
Router>enable
Router#config t
Router(config)#hostname 2811A
2811A(config)#line vty 0 1180
2811A(config-line)#password todd
2811A(config-line)#login
2811A(config-line)#int s0/1/1
2811A(config-if)#ip address 172.16.20.1 255.255.255.0
2811A(config-if)#description connection to 2621A
2811A(config-if)#no shutdown
2811A(config-if)#int s0/0/1
2811A(config-if)#ip address 172.16.30.1 255.255.255.0
2811A(config-if)#description connection to 2621B
2811A(config-if)#no shutdown
2811A(config-if)#ctrl+z
2811A#copy run start
Destination filename [startup-config]? [enter]
Building configuration...
[OK]
2811A#
3. Double-click 2621 Router B. After the console screen comes up, perform the following
commands.
Router>enable
Router#config t
Router(config)#hostname 2621B
2621B(config)#line vty 0 4
2621B(config-line)#password todd
2621B(config-line)#login
2621B(config-line)#int s0/0
2621B(config-if)#ip address 172.16.30.2 255.255.255.0
2621B(config-if)#description connection to 2811A
2621B(config-if)#no shutdown
2621B(config-if)#ctrl+z
2621B#copy run start
Destination filename [startup-config]? [enter]
Building configuration...
[OK]
2621B#
Clock Rate
You do not have to set a clock rate if the DCE side of your connection is a 2811 router.
The clock rate for the serial interface is set by default to 2000000. However, on the
2621 router you still need to explicitly set the clock rate. In our lab the DCE side of the
connection is interface serial 0/1/1 and serial 0/0/1.
The easiest (and least scalable) way to configure OSPF is simply to use a single area,
which requires a minimum of two commands.
The command to activate the OSPF routing process is as follows:
2621A(config)#router ospf ?
<1-65535>
A value in the range 1-65535 identifies the OSPF Process ID, which is a unique
number on this router that groups a series of OSPF configuration commands under a
specific running process. Different OSPF routers do not have to use the same Process
ID in order to communicate. It's purely a local value and its number is basically
irrelevant. The only time an OSPF number would matter is when you have multiple OSPF
Autonomous Systems (AS) connecting together on the same network.
This lab will be pretty simple as far as OSPF goes. We'll start the process on each router,
then configure the interfaces to be in OSPF area 0. This is much more complicated than
any of the other routing protocols we have configured, but simple nonetheless for OSPF.
However, since EIGRP has a better administrative distance than OSPF, we need to also
disable the EIGRP routing processes on each router.
You will start the OSPF process by issuing the following command, as an example:
2621A(config)#router ospf 100
After starting the OSPF process (and disabling EIGRP on each router), you need to
identify the interfaces on which to activate OSPF communications and the area in
which each resides. This will also configure the networks you will advertise to others.
This is achieved with the following command as an example:
2621A(config-router)#network 10.0.0.0 0.255.255.255 area ?
<0-4294967295> OSPF area ID as a decimal value
A.B.C.D OSPF area ID in IP address format
A 0 (zero) octet in the wildcard mask indicates that the corresponding octet in the
network must match exactly. A 255, on the other hand, indicates that you do not care what
the corresponding octet is in the network number. A network and wildcard mask
combination of 1.1.1.1 0.0.0.0 would match 1.1.1.1 only and nothing else. This is useful if you
want to activate OSPF on a specific interface in a very clear and simple fashion. If you
insist on matching a range of networks, the network and wildcard mask combination of
1.1.0.0 0.0.255.255 would match anything in the range 1.1.0.0-1.1.255.255. It's simpler
and safer to stick to using wildcard masks of 0.0.0.0 and identifying each OSPF interface
individually.
Remember that OSPF routers will only become neighbors if their interfaces share a
network that is configured to belong to the same area number. The format of the area
number is either a decimal value from the range 0-4294967295 or a value represented
in standard dotted-decimal notation. Area 0.0.0.0 is a legitimate area, for example,
and is identical to area 0. Again, we only support area 0 in this module at this time.
4. Configure 2621 Router A to advertise both directly connected networks with OSPF.
The router OSPF number does not matter; use whatever feels good to you. The numbers
can even be the same on all routers, or they can be different. In this lab we will use
different numbers.
2621A#config t
2621A(config)#router ospf 100
2621A(config-router)#network 172.16.20.2 0.0.0.0 area 0
2621A(config-router)#ctrl+z
Anatomy of a Command: Network 172.16.20.2 0.0.0.0 area 0
Network 172.16.20.2 0.0.0.0 area 0 tells the OSPF process to advertise the interface
172.16.20.2 into area 0.
172.16.20.2: The network number.
0.0.0.0: The wildcard mask of 0.0.0.0 tells the process to match each octet exactly.
0: The final argument is the area number. It indicates the area to which the interfaces
identified in the network and wildcard mask portion belong. It tells the OSPF process
to advertise the interface 172.16.20.2 into area 0.
The combination of the first two numbers identifies the interfaces that OSPF will
operate on and that will also be included in its OSPF Link State Advertisements (LSA).
5. Configure 2621 Router B to advertise both directly connected networks with OSPF.
2621B#config t
2621B(config)#router ospf 101
2621B(config-router)#network 172.16.30.2 0.0.0.0 area 0
2621B(config-router)#ctrl+z
Now, let's go over what we have configured on 2621 Router B. Please understand that
all we are doing is advertising OSPF networks and this lab is showing the many ways
to accomplish the same thing.
The command network 172.16.30.2 0.0.0.0 area 0 tells the OSPF process to advertise
the interface 172.16.30.2 into area 0. The wildcard mask of 0.0.0.0 tells the process
to match all four octets exactly.
6. Configure the 2811 A router to advertise all directly connected networks with OSPF.
2811A#config t
2811A(config)#router ospf 102
2811A(config-router)#network 172.16.20.1 0.0.0.0 area 0
2811A(config-router)#network 172.16.30.1 0.0.0.0 area 0
2811A(config-router)#ctrl+z
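The wildcard-mask matching behind the network statements in steps 4-6, as an added example that is not part of the book or the lab program: it parses the network commands entered above and reports which interfaces each one activates OSPF on. The FastEthernet0/0 address 172.16.99.1 and the broad statement 172.16.0.0 0.0.255.255 are constructed for comparison and do not appear in the lab.

```python
import ipaddress
import re

# Matches "network A.B.C.D W.X.Y.Z area N", with or without an IOS prompt in front.
NETWORK_RE = re.compile(
    r"(?:^|#)\s*network\s+(\d+(?:\.\d+){3})\s+(\d+(?:\.\d+){3})\s+area\s+(\S+)\s*$"
)


def to_int(dotted):
    """Dotted-decimal IPv4 string -> 32-bit integer (ValueError if invalid)."""
    return int(ipaddress.IPv4Address(dotted))


def wildcard_match(address, network, wildcard):
    """A 0 bit in the wildcard must match exactly; a 1 bit is "don't care"."""
    care = ~to_int(wildcard) & 0xFFFFFFFF
    return (to_int(address) & care) == (to_int(network) & care)


def normalize_area(area):
    """Area IDs are decimal or dotted decimal; 0.0.0.0 and 0 are the same area."""
    return to_int(area) if "." in area else int(area)


def parse_network_statements(config_text):
    """Return [(network, wildcard, area), ...] in the order they were entered."""
    statements = []
    for line in config_text.splitlines():
        m = NETWORK_RE.search(line)
        if m:
            statements.append((m.group(1), m.group(2), normalize_area(m.group(3))))
    return statements


def ospf_interfaces(interfaces, config_text):
    """Map interface name -> area for each interface a network statement matches.

    If several statements match one interface this sketch keeps the first;
    the lab configurations never overlap, so the choice does not matter here.
    """
    enabled = {}
    statements = parse_network_statements(config_text)
    for name, address in interfaces.items():
        for network, wildcard, area in statements:
            if wildcard_match(address, network, wildcard):
                enabled[name] = area
                break
    return enabled


# Interface addresses from lab steps 1-3.
LAB_INTERFACES = {
    "2621A": {"Serial0/0": "172.16.20.2"},
    "2811A": {"Serial0/1/1": "172.16.20.1", "Serial0/0/1": "172.16.30.1"},
    "2621B": {"Serial0/0": "172.16.30.2"},
}

# Network commands exactly as entered in lab steps 4-6 (prompts included).
LAB_CONFIG = {
    "2621A": "2621A(config-router)#network 172.16.20.2 0.0.0.0 area 0",
    "2811A": (
        "2811A(config-router)#network 172.16.20.1 0.0.0.0 area 0\n"
        "2811A(config-router)#network 172.16.30.1 0.0.0.0 area 0"
    ),
    "2621B": "2621B(config-router)#network 172.16.30.2 0.0.0.0 area 0",
}

# Constructed comparison: 2811A with one extra interface and one broad statement.
EXTRA_INTERFACES = dict(LAB_INTERFACES["2811A"], **{"FastEthernet0/0": "172.16.99.1"})
BROAD_CONFIG = "network 172.16.0.0 0.0.255.255 area 0.0.0.0"

if __name__ == "__main__":
    for router, interfaces in LAB_INTERFACES.items():
        print(router, ospf_interfaces(interfaces, LAB_CONFIG[router]))
    print("explicit:", ospf_interfaces(EXTRA_INTERFACES, LAB_CONFIG["2811A"]))
    print("broad:   ", ospf_interfaces(EXTRA_INTERFACES, BROAD_CONFIG))
```

With the 0.0.0.0 masks from the lab, the constructed FastEthernet0/0 stays out of OSPF; the broad statement pulls it in along with both serial links.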
Verify OSPF
7. The show ip ospf command is used to display OSPF information for one or all OSPF
processes running on the router. Information contained therein includes the Router ID,
area information, SPF statistics, and LSA timer information. Here is a sample output
from 2621 Router A:
2621A#show ip ospf
Routing Process "ospf 100" with ID 172.16.20.2
Supports only single TOS(TOS0) routes
SPF schedule delay 5 secs, Hold time between two SPFs 10 secs
Minimum LSA interval 5 secs. Minimum LSA arrival 1 secs
Number of external LSA 0. Checksum Sum 0x0
Number of DCbitless external LSA 0
Number of DoNotAge external LSA 0
Number of areas in this router is 1. 1 normal 0 stub 0 nssa
External flood list length 0
Area BACKBONE(0) (Inactive)
Number of interfaces in this area is 1
Area has no authentication
SPF algorithm executed 7 times
Area ranges are
Number of LSA 5. Checksum Sum 0x2E2A0
Number of DCbitless LSA 0
Number of indication LSA 0
Number of DoNotAge LSA 0
Flood list length 0
2621A#
8. The information displayed by the show ip ospf database command indicates the
number of links and the neighboring Router ID. The output is broken down by area.
Here is a sample output from 2621 Router A:
2621A#show ip ospf database
OSPF Router with ID (172.16.20.2) (Process ID 100)
Router Link States (Area 0)
Link ID ADV Router Age Seq# Checksum Link count
172.16.20.2 172.16.20.2 475 0x80000003 0x0030F9 3
172.16.30.1 172.16.30.1 475 0x80000003 0x0030F9 3
172.16.30.2 172.16.30.2 475 0x80000003 0x0030F9 3
2621A#
9. The show ip ospf interface command displays all interface-related OSPF
information. Data is displayed about OSPF information for all interfaces or for specified
interfaces. Information includes the interface IP address, area assignment, Process ID,
Router ID, network type, cost, priority, DR/BDR (if applicable), timer intervals, and
adjacent neighbor information. Here is a sample output:
2621A#show ip ospf interface
Serial0/0 is up, line protocol is up
Internet Address 172.16.20.2/24, Area 0
Process ID 100, Router ID 172.16.20.2, Network Type POINT_TO_POINT, Cost: 64
Transmit Delay is 1 sec, State POINT_TO_POINT,
No designated router on this network
No backup designated router on this network
Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
Hello due in 00:00:08
Index 1/1, flood queue length 0
Next 0x0(0)/0x0(0)
Last flood scan length is 0, maximum is 0
Last flood scan time is 0 msec, maximum is 0 msec
Neighbor Count is 1, Adjacent neighbor count is 1
Adjacent with neighbor 172.16.30.1
Suppress hello for 0 neighbor(s)
2621A#
Notice in the above output that the hello timer is set to 10 seconds and the dead timer
is set to 40. If two or more routers are connected together, the timers must be set
exactly the same.
10. The show ip ospf neighbor command is very useful. It summarizes the pertinent
OSPF information regarding neighbors and the adjacency state. If a DR or BDR exists,
that information is also displayed. Here is an output from 2621 Router A:
2621A#show ip ospf neighbor
Neighbor ID Pri State Dead Time Address Interface
172.16.30.1 1 FULL/DROTHER 00:00:36 172.16.20.1 serial
2621A#
11. The show ip protocols command is useful whether you're running OSPF, EIGRP,
IGRP, RIP, BGP, ISIS, or any other routing protocol you can configure on your
router. It provides an excellent overview of the actual operation of all currently
running protocols.
2621A#show ip protocols
Routing Protocol is "ospf 100"
Outgoing update filter list for all interfaces is not set
Incoming update filter list for all interfaces is not set
Router ID 172.16.20.2
Number of areas in this router is 1. 1 normal 0 stub 0 nssa
Maximum path: 4
Routing for networks:
172.16.20.2 0.0.0.0 area 0
172.16.40.0 0.0.0.255 area 0
Routing information sources:
Gateway Distance Last Update
172.16.30.1 110 00:00:09
172.16.30.2 110 00:00:09
Distance: <default is 110>
2621A#
12. Based upon this output, you can determine the OSPF Process ID, OSPF Router ID,
type of OSPF area, networks and areas configured for OSPF, and OSPF Router IDs of
neighbors.
Individual Lab: OSPF DR and BDR Elections
You need to fully understand the terms neighbors and adjacencies because they're really
crucial to the DR and BDR election process. The election process happens when a
broadcast or nonbroadcast multi-access network is connected together. (Think Ethernet or
Frame Relay.)
Enter all commands in lower case. The program's grading feature expects
lower case and may count an answer wrong if it is in upper case.
When you have finished with this lab ...
You can check your work by clicking the Grade Me button in the upper right hand
corner of the Network Visualizer screen.
You will see a report that will display:
- The name of the command entered for this lab
- The expected configuration
- Your configuration
- The result for each command. You will see a green checkmark (meaning that you got it
  correct) or a red X
- A score of the number of correct answers out of the total possible
Network Layout
On the Network Visualizer screen, click on the Labs menu then choose Individual,
Routing Protocols, and OSPF DR BDR.
Neighbors: Routers that share a common segment become neighbors on that segment.
These neighbors are elected via the Hello protocol. Hello packets are sent periodically
out of each interface using IP multicast. Two routers won't become neighbors unless they
agree on the following:
Area-ID: The idea here is that the two routers' interfaces have to belong to the same area
on a particular segment. And of course, those interfaces have to belong to the same subnet.
Authentication: OSPF allows for the configuration of a password for a specific area. Although
authentication between routers isn't required, you have the option to set it if you need to do so.
Also, keep in mind that in order for routers to become neighbors, they need to have the same
password on a segment if you're using authentication.
Hello and Dead Intervals: OSPF exchanges Hello packets on each segment. This is a
keepalive system used by routers to acknowledge their existence on a segment and for electing a
designated router (DR) on both broadcast and nonbroadcast multi-access segments.
The Hello interval specifies the number of seconds between Hello packets. The Dead
interval is the number of seconds that a router's Hello packets can go without being seen
before its neighbors declare the OSPF router dead (down). OSPF requires these intervals
to be exactly the same between two neighbors. If any of these intervals are different, the
routers won't become neighbors on that segment. You can see these timers with the show
ip ospf interface command.
Adjacencies: In the election process, adjacency is the next step after the neighboring
process. Adjacent routers are routers that go beyond the simple Hello exchange and
proceed into the database exchange process. In order to minimize the amount of information
exchanged on a particular segment, OSPF elects one router to be a designated router (DR)
and one router to be a backup designated router (BDR) on each multi-access segment.
The BDR is elected as a backup router in case the DR goes down. The idea behind this is
that routers have a central point of contact for information exchange. Instead of each router
exchanging updates with every other router on the segment, every router exchanges
information with the DR and BDR. The DR and BDR then relay the information to everybody else.
DR and BDR Elections: DR and BDR election is accomplished via the Hello protocol.
Hello packets are exchanged via IP multicast packets on each segment.
However, only segments that are broadcast and nonbroadcast multi-access networks
(examples are Ethernet and Frame Relay) will perform DR and BDR elections.
Point-to-point links, like a serial WAN for example, will not have a DR election process.
On a broadcast or nonbroadcast multi-access network, the router with the highest OSPF
priority on a segment will become the DR for that segment. This priority is shown with the
show ip ospf interface command. The default priority for a router interface is one. If all
routers have the default priority set, the router with the highest Router ID (RID) will win.
The RID is determined by the highest IP address on any interface at the moment of OSPF
startup. This can be overridden with a loopback (logical) interface. If you set a router's
interface to a priority value of zero, that router won't participate in the DR or BDR election
on that interface. The state of the interface with priority zero will then be DROTHER.
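The neighbor agreement checks and the election order described above, as an added example that is not part of the book or the lab program. It models only the case where every router on the segment comes up at the same time (highest priority wins, Router ID breaks ties, priority 0 is excluded); the four routers use the Fa0/0 addresses from this lab, and each Router ID is assumed to equal that address.

```python
import ipaddress
from dataclasses import dataclass, replace
from typing import Optional


@dataclass(frozen=True)
class OspfInterface:
    name: str                       # router hostname
    address: str                    # interface IP address
    prefix_len: int = 24
    area: int = 0
    router_id: str = ""             # assumed equal to the address when left empty
    priority: int = 1               # default priority is one
    hello: int = 10                 # seconds, as shown by show ip ospf interface
    dead: int = 40
    auth_key: Optional[str] = None  # None means no authentication configured

    @property
    def rid(self):
        return int(ipaddress.IPv4Address(self.router_id or self.address))


def neighbor_mismatches(a, b):
    """Return the list of settings that stop a and b from becoming neighbors."""
    reasons = []
    if a.area != b.area:
        reasons.append("area")
    net_a = ipaddress.ip_interface(f"{a.address}/{a.prefix_len}").network
    net_b = ipaddress.ip_interface(f"{b.address}/{b.prefix_len}").network
    if net_a != net_b:
        reasons.append("subnet")
    if a.auth_key != b.auth_key:
        reasons.append("authentication")
    if a.hello != b.hello:
        reasons.append("hello interval")
    if a.dead != b.dead:
        reasons.append("dead interval")
    return reasons


def elect(segment):
    """Return {router name: 'DR' | 'BDR' | 'DROTHER'} for one multi-access segment."""
    eligible = [i for i in segment if i.priority > 0]  # priority 0 never takes part
    ranked = sorted(eligible, key=lambda i: (i.priority, i.rid), reverse=True)
    dr = ranked[0].name if ranked else None
    bdr = ranked[1].name if len(ranked) > 1 else None
    return {
        i.name: "DR" if i.name == dr else "BDR" if i.name == bdr else "DROTHER"
        for i in segment
    }


def with_priority(segment, name, priority):
    """Copy of the segment with one router's interface priority changed."""
    return [replace(i, priority=priority) if i.name == name else i for i in segment]


# The four routers on the 10.10.10.0/24 Ethernet segment used in this lab.
LAB_SEGMENT = [
    OspfInterface("2621A", "10.10.10.1"),
    OspfInterface("2811A", "10.10.10.2"),
    OspfInterface("2621B", "10.10.10.3"),
    OspfInterface("2811B", "10.10.10.4"),
]

if __name__ == "__main__":
    print("default priorities:", elect(LAB_SEGMENT))
    print("2621A priority 3:  ", elect(with_priority(LAB_SEGMENT, "2621A", 3)))
    print("2811B priority 0:  ", elect(with_priority(LAB_SEGMENT, "2811B", 0)))
    slow = replace(LAB_SEGMENT[1], hello=5, dead=20)  # constructed timer mismatch
    print("timer mismatch:    ", neighbor_mismatches(LAB_SEGMENT[0], slow))
```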
Lab Steps
1. Double-click 2621 Router A in order to bring up the console screen.
2. Configure the hostname.
Router>enable
Router#config t
Router(config)#hostname 2621A
3. Configure the router with OSPF.
2621A(config)#router ospf 1
2621A(config-router)#network 10.10.10.0 0.0.0.255 area 0
4. Configure interface Fa0/0 for the 2621 Router A router.
2621A(config)#int fa0/0
2621A(config-if)#ip address 10.10.10.1 255.255.255.0
2621A(config-if)#no shut
2621A(config-if)#ctrl+z
2621A#copy run start
5. Use the menu to change to the console for the 2621 Router B.
6. Configure the hostname.
Router>enable
Router#config t
Router(config)#hostname 2621B
7. Configure the router with OSPF.
2621B(config)#router ospf 1
2621B(config-router)#network 10.10.10.0 0.0.0.255 area 0
8. Configure interface Fa0/0 for the 2621 B router.
2621B(config)#int fa0/0
2621B(config-if)#ip address 10.10.10.3 255.255.255.0
2621B(config-if)#no shut
2621B(config-if)#ctrl+z
2621B#copy run start
9. Use the menu to change to the console for the 2811 Router A.
10. Configure the hostname.
Router>enable
Router#config t
Router(config)#hostname 2811A
11. Configure the router with OSPF.
2811A(config)#router ospf 1
2811A(config-router)#network 10.10.10.0 0.0.0.255 area 0
12. Configure interface Fa0/0 for the 2811 A router.
2811A(config)#int fa0/0
2811A(config-if)#ip address 10.10.10.2 255.255.255.0
2811A(config-if)#no shut
2811A(config-if)#ctrl+z
2811A#copy run start
13. Use the menu to change to the console for the 2811 Router B.
14. Configure the hostname.
Router>enable
Router#config t
Router(config)#hostname 2811B
15. Configure the router with OSPF.
2811B(config)#router ospf 1
2811B(config-router)#network 10.10.10.0 0.0.0.255 area 0
16. Configure interface Fa0/0 for the 2811 B router.
2811B(config)#int fa0/0
2811B(config-if)#ip address 10.10.10.4 255.255.255.0
2811B(config-if)#no shut
2811B(config-if)#ctrl+z
2811B#copy run start
17. In 2621 Router A verify the RID of your router. Use the show ip ospf command on
the router to gather this information.
2621A#show ip ospf
Routing Process "ospf 1" with ID 10.10.10.1
Supports only single TOS(TOS0) routes
SPF schedule delay 5 secs, Hold time between two SPFs 10 secs
Minimum LSA interval 5 secs. Minimum LSA arrival 1 secs
Number of external LSA 0. Checksum Sum 0x0
Number of DCbitless external LSA 0
Number of DoNotAge external LSA 0
Number of areas in this router is 1. 1 normal 0 stub 0 nssa
External flood list length 0
Area BACKBONE(0) (Inactive)
Number of interfaces in this area is 1
Area has no authentication
SPF algorithm executed 7 times
Area ranges are
Number of LSA 4. Checksum Sum 0x2E2A0
Number of DCbitless LSA 0
Number of indication LSA 0
Number of DoNotAge LSA 0
Flood list length 0
2621A#
18. Enter the command show ip ospf interface fa0/0 to verify area ID, DR, BDR
information and the hello and dead timers of the interface connected to the 10.1.1.0
network.
2621A#show ip ospf interface fa0/0
FastEthernet0/0 is up, line protocol is up
Internet Address 10.10.10.1/24, Area 0
Process ID 1, Router ID 10.10.10.1, Network Type BROADCAST, Cost: 64
Transmit Delay is 1 sec, State DROTHER, Priority 1
Designated Router (ID) 10.10.10.4 , Interface address 10.10.10.4
Backup Designated router (ID) 10.10.10.3 , Interface address 10.10.10.3
Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
Hello due in 00:00:04
Index 1/1, flood queue length 0
Next 0x0(0)/0x0(0)
Last flood scan length is 0, maximum is 0
Last flood scan time is 0 msec, maximum is 0 msec
Neighbor Count is 3, Adjacent neighbor count is 3
Adjacent with neighbor 10.10.10.3(Backup Designated Router)
Adjacent with neighbor 10.10.10.2(Other Designated Router)
Adjacent with neighbor 10.10.10.4(Designated Router)
Suppress hello for 0 neighbor(s)
2621A#
19. By looking at the show ip ospf interface fa0/0 output, which router is the DR?
Which router is the BDR?
20. Verify the network type of your router. Since the connection is on an Ethernet LAN,
the Network Type is BROADCAST. What would the Network Type be if you were
viewing a serial connection? Answer: point-to-point.
21. The priority of all routers, by default, is 1. If you were to change the priority to 0, then
the router would never participate in the election process for the LAN (remember that
elections do not occur on serial point-to-point links).
22. Change the priority of a router that you choose to become the new DR. Choose any
router that is not the DR at this moment.
23. Enable the debugging process that allows you to see the DR and BDR election take place.
Use the command debug ip ospf adjacency on the router that will become the DR.
24. For the router that was chosen to become the new DR, set the priority of the
FastEthernet 0/0 interface to 3. Here is how you do that:
config t
int fa0/0
ip ospf priority 3
25. Now shut down all the Fa0/0 interfaces of all four routers.
26. Now enable all four routers' fa0/0 interfaces with the no shut command.
27. The election should take place and the router you have chosen with the highest priority
should now be the DR.
28. Type show ip ospf interface fa0/0 to verify the DR and BDR information.
Hopefully you also noticed the debug output of the election process. The priority of a
router's interface can be set all the way up to 255.
Individual Lab: Configuring VLANs
Enter all commands in lower case. The program's grading feature expects
lower case and may count an answer wrong if it is in upper case.
Configuring VLANs is the easy part of the job. It is trying to understand which users you
want in each VLAN that is time consuming. Once you have decided the number of VLANs
you want to create and the users that will be members of each VLAN, you can create your
VLAN. We will set up VLANs on 3550 Switch A and 3560 Switch A. We will test intraVLAN
routing and then use router 2811 A to create interVLAN routing.
When you have finished with this lab ...
You can check your work by clicking the Grade Me button in the upper right hand
corner of the Network Visualizer screen.
You will see a report that will display:
- The name of the command entered for this lab
- The expected configuration
- Your configuration
- The result for each command. You will see a green checkmark (meaning that you got it
  correct) or a red X
- A score of the number of correct answers out of the total possible
Network Layout
On the Network Visualizer screen, click on the Labs menu and then choose Individual,
VLANS and then VLANS and InterVLAN.
Lab Steps
Setting Up VLANS
1. Double-click 3550 Switch A to bring up the console screen.
Switch>enable
Switch#config t
Switch(config)#hostname 3550A
3550A(config)#exit
2. To configure VLANs on the 3550 series switch, you can configure the VLANs from
the VLAN database. You do this from privileged mode, not configuration mode. Type
vlan database:
3550A#vlan database
3. To configure VLANs on the 3550 switch, use the vlan # name name command. The
following shows an example of creating three VLANs.
3550A(vlan)#vlan 2 name Sales
VLAN 2 added:
Name: Sales
3550A(vlan)#vlan 4 name Marketing
VLAN 4 added:
Name: Marketing
3550A(vlan)#vlan 7 name Research
VLAN 7 added:
Name: Research
3550A(vlan)#exit
APPLY completed.
Exiting....
3550A#
4. You must apply your changes to the switch. You can either use the apply command or
use the exit command which will then apply the changes.
5. After you create the VLANs that you want, you can use the show vlan command to
see the configured VLANs. However, notice that by default all ports on the switch are
in VLAN 1. To change the VLAN associated with a port you need to go to each inter-
face and tell it what VLAN to be a member of.
6. Once the VLANs are created, verify your configuration with the show vlan command.
3550A#show vlan
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/1, Fa0/2, Fa0/4, Fa0/5
                                                Fa0/6, Fa0/7, Fa0/8, Fa0/9
                                                Fa0/10
2    Sales                            active
4    Marketing                        active
7    Research                         active
1002 fddi-default                     active
1003 token-ring-default               active
1004 fddinet-default                  active
1005 trnet-default                    active
[output cut]
7. You can configure each port to be in a VLAN by using the switchport access
vlan # command. You can only configure VLANs one port at a time. In the following
example, we configure interface 1 to VLAN 2, interface 5 to VLAN 7, and interface 10
to VLAN 4.
3550A#config t
Enter configuration commands, one per line. End with CNTL/Z
3550A(config)#int fa0/1
3550A(config-if)#switchport access vlan 2
3550A(config-if)#int fa0/5
3550A(config-if)#switchport access vlan 7
3550A(config-if)#int fa0/10
3550A(config-if)#switchport access vlan 4
3550A(config-if)#exit
8. You must also set the port to be in access mode, which means that the interface will
only be a member of one VLAN.
3550A(config)#int fa0/1
3550A(config-if)#switchport mode access
3550A(config-if)#int fa0/5
3550A(config-if)#switchport mode access
3550A(config-if)#int fa0/10
3550A(config-if)#switchport mode access
3550A(config-if)#exit
3550A(config)#exit
3550A#copy run start
Destination filename [startup-config]?
Building configuration...
[OK]
3550A#
9. Now, type show vlan again to see the ports assigned to each VLAN.
3550A#show vlan
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/2, Fa0/4, Fa0/6, Fa0/7
                                                Fa0/8, Fa0/9
2    Sales                            active    Fa0/1
4    Marketing                        active    Fa0/10
7    Research                         active    Fa0/5
1002 fddi-default                     active
1003 token-ring-default               active
1004 fddinet-default                  active
1005 trnet-default                    active
[output cut]
Interface fa0/1 is a member of VLAN 2, interface fa0/5 is a member of VLAN 5, and
interface fa0/10 is a member of VLAN 4.
10. Another command you can use to see the ports assigned to a VLAN is show
running-config.
3550A#show run
[output cut]
!
interface FastEthernet0/1
switchport access vlan 2
switchport mode access
!
interface FastEthernet0/5
switchport access vlan 7
switchport mode access
!
interface FastEthernet0/10
switchport access vlan 4
switchport mode access
!
[output cut]
3550A#
11. Now let us move on to 3560 Switch A. By using the console menu, change to the 3560
Switch A console screen.
12. Add a hostname to 3560 Switch A.
switch>enable
switch#config t
switch(config)#hostname 3560A
3560A(config)#exit
13. Initially, let us issue the show vlan command to verify that there are no VLANs
associated with 3560 Switch A.
3560A#show vlan
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/1, Fa0/2, Fa0/4, Fa0/5
                                                Fa0/6, Fa0/7, Fa0/8, Gi0/1
1002 fddi-default                     active
1003 token-ring-default               active
1004 fddinet-default                  active
1005 trnet-default                    active
[output cut]
No VLANs!
14. We now need to configure two ports, one for each VLAN by using the switchport
access vlan # command. You can only configure VLANs one port at a time. In the
following example, we configure interface 2 to VLAN 2 and interface 8 to VLAN 4.
3560A#config t
Enter configuration commands, one per line. End with CNTL/Z
3560A(config)#int fa0/2
3560A(config-if)#switchport access vlan 2
3560A(config-if)#int fa0/8
3560A(config-if)#switchport access vlan 4
15. You must also set the port to be in access mode, which means that the interface will
only be a member of one VLAN.
3560A(config)#int fa0/2
3560A(config-if)#switchport mode access
3560A(config-if)#int fa0/8
3560A(config-if)#switchport mode access
3560A(config-if)#exit
3560A(config)#exit
3560A#copy run start
Destination filename [startup-config]?
Building configuration...
[OK]
3560A#
16. We can verify what we did with the two ports with the show run command.
3560A#show run
[output cut]
!
interface FastEthernet0/2
switchport access vlan 2
switchport mode access
!
interface FastEthernet0/8
switchport access vlan 4
switchport mode access
!
[output cut]
3560A#
Setting Up Trunk Ports
Now that we have set up VLANs on both switches, we will now set up trunking, first
starting with 3550 Switch A. Trunk links are 100 or 1000 Mbps point-to-point links between two
switches, between a switch and router, or between a switch and server. Trunked links carry
the traffic of multiple VLANs, from 1 to 1005 at a time. You cannot run trunked links on
10Mbps links, nor would you want to. Remember that an access link is a port on a switch
that is a member of only one VLAN.
In this network 3560 Switch A is connected to 3550 Switch A via interface Fa0/3 on each
device. That is what we are going to use to set our trunk port between the two switches.
17. Move to 3550 Switch A through the console menu.
18. To configure trunking on a 3550 port, use the switchport mode trunk interface
command. In this lab we will set it up for interface Fa0/3.
3550A#config t
3550A(config)#int fa0/3
3550A(config-if)#switchport trunk encapsulation ?
dot1q      Interface uses only 802.1q trunking encapsulation when trunking
isl        Interface uses only ISL trunking encapsulation when trunking
negotiate  Device will negotiate trunking encapsulation with peer on interface
3550A(config-if)#switchport trunk encapsulation dot1q
3550A(config-if)#switchport mode trunk
19. By default, traffic from all VLANs is sent over a trunk link. To change the VLANs
permitted to send traffic on a trunk link, use the switchport trunk allowed vlan except
# command. The command allows traffic from all VLANs except the VLANs listed.
Earlier we set up VLAN 7; for now we do not want to allow VLAN 7 to send traffic
across the trunk link.
3550A(config-if)#switchport trunk allowed vlan except 7
20. The above command sets the trunking interface to allow traffic from all VLANs except
for VLAN 7.
21. To verify your trunk ports, use the show running-config command.
3550A(config-if)#exit
3550A(config)#exit
3550A#show run
[output cut]
!
interface FastEthernet0/3
switchport trunk allowed vlan 1-6,8-1005
switchport mode trunk
switchport trunk encapsulation dot1q
!
[output cut]
22. Notice in the above output that all VLANs are allowed except for VLAN 7.
23. Move to 3560 Switch A through the console menu.
24. To configure trunking on a 3560 port, use the switchport mode trunk interface
command. In this lab we will configure interface fa0/3.
3560A#config t
3560A(config)#int fa0/3
3560A(config-if)#switchport trunk encapsulation dot1q
3560A(config-if)#switchport mode trunk
25. To verify your trunk port, use the show running-config command.
3560A(config-if)#exit
3560A(config)#exit
3560A#show run
[output cut]
!
interface FastEthernet0/3
switchport mode trunk
switchport trunk encapsulation dot1q
!
[output cut]
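The two show run outputs above can be checked mechanically. The following Python sketch is an added example, not part of the book or the simulator: it parses the Fa0/3 excerpts from both switches, expands each allowed-VLAN list, and reports where VLAN 7 is still allowed and where the two ends of the trunk disagree. The function names are this example's own, and the 1-1005 default range follows the lab text.

```python
import re

# Running-config excerpts copied from the lab output above (steps 16, 21, 25).
CONFIG_3550A = """\
interface FastEthernet0/3
 switchport trunk allowed vlan 1-6,8-1005
 switchport mode trunk
 switchport trunk encapsulation dot1q
!
"""

CONFIG_3560A = """\
interface FastEthernet0/2
 switchport access vlan 2
 switchport mode access
!
interface FastEthernet0/3
 switchport mode trunk
 switchport trunk encapsulation dot1q
!
interface FastEthernet0/8
 switchport access vlan 4
 switchport mode access
!
"""

# Assumption taken from the lab text: a trunk with no allowed list carries
# VLANs 1 to 1005.
ALL_VLANS = frozenset(range(1, 1006))

# running-config stores "except 7" in expanded form, so only plain lists and
# "add" continuation lines need to be parsed.
ALLOWED_RE = re.compile(r"switchport trunk allowed vlan (add )?([\d,-]+)$")


def expand_vlan_list(spec):
    """Expand a list such as '1-6,8-1005' into a set of VLAN IDs."""
    vlans = set()
    for part in spec.split(","):
        low, _, high = part.strip().partition("-")
        first = int(low)
        last = int(high) if high else first
        if not 1 <= first <= last <= 4094:
            raise ValueError(f"bad VLAN range: {part!r}")
        vlans.update(range(first, last + 1))
    return vlans


def parse_interfaces(config):
    """Return {interface name: [configuration lines under it]}."""
    interfaces, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = interfaces.setdefault(line.split(None, 1)[1], [])
        elif line in ("", "!"):
            current = None
        elif current is not None:
            current.append(line)
    return interfaces


def trunk_ports(config):
    """Return {interface: set of allowed VLANs} for ports in trunk mode."""
    ports = {}
    for name, lines in parse_interfaces(config).items():
        if "switchport mode trunk" not in lines:
            continue
        allowed = None
        for line in lines:
            match = ALLOWED_RE.match(line)
            if not match:
                continue
            vlans = expand_vlan_list(match.group(2))
            if match.group(1):  # "add" line extends the list built so far
                base = allowed if allowed is not None else set(ALL_VLANS)
                allowed = base | vlans
            else:
                allowed = vlans
        ports[name] = set(ALL_VLANS) if allowed is None else allowed
    return ports


def audit_trunk_link(end_a, end_b, blocked):
    """Each end is (switch, config text, interface); blocked is the set of
    VLANs that must not cross the link. Returns a list of findings."""
    findings, allowed_sets = [], []
    for switch, config, port in (end_a, end_b):
        ports = trunk_ports(config)
        if port not in ports:
            findings.append(f"{switch} {port}: not configured as a trunk")
            allowed_sets.append(set())
            continue
        allowed_sets.append(ports[port])
        leaked = sorted(blocked & ports[port])
        if leaked:
            findings.append(f"{switch} {port}: allowed list still includes VLAN {leaked}")
    mismatch = sorted(allowed_sets[0] ^ allowed_sets[1])
    if mismatch:
        findings.append(f"allowed lists differ between the two ends: VLAN {mismatch}")
    return findings


def audit_lab_trunk():
    """Audit the Fa0/3 trunk between 3550A and 3560A with VLAN 7 blocked."""
    return audit_trunk_link(("3550A", CONFIG_3550A, "FastEthernet0/3"),
                            ("3560A", CONFIG_3560A, "FastEthernet0/3"),
                            blocked={7})


if __name__ == "__main__":
    for finding in audit_lab_trunk():
        print(finding)
```

VLAN 7 is still filtered on this link because 3550A applies its own allowed list to Fa0/3; the findings show that the 3560A end depends entirely on its neighbor for that restriction.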
Configuring VTP Domain
Every Catalyst switch is configured by default to be a VTP server. To configure VTP, first
configure the domain name you want to use, as discussed in the next section. Once you
configure the VTP information on a switch, you need to verify the configuration.
26. Move to 3550 Switch A through the console menu.
27. Use the vtp global configuration mode command to set this information. In the
following example, we explicitly set 3550 Switch A to be a VTP server, which it already is,
and then set the VTP domain to routersim.
3550A(config)#vtp mode server
Device mode already VTP SERVER.
3550A(config)#vtp domain routersim
Changing VTP domain name from NULL to routersim
3550A(config)#
28. After you configure the VTP information, you can verify it with the show vtp status
command.
3550A#show vtp status
VTP Version : 2
Configuration Revision : 4
Maximum VLANs supported locally : 64
Number of existing VLANs : 8
VTP Operating Mode : Server
VTP Domain Name : routersim
VTP Pruning Mode : Disabled
VTP V2 Mode : Disabled
VTP Traps Generation : Disabled
MD5 digest : 0x70 0x01 0xF2 0x72 0x97 0xA1 0x35 0xEB
Configuration last modified by: 172.16.10.17 at 11-29-93 20:39:24
Local updater ID is 172.16.10.17 on interface Vl1 (lowest numbered VLAN
interface found)
3550A#
The preceding switch output shows the VTP domain and the switch's mode.
29. Move to 3560 Switch A through the console menu.
30. Set the switch to a VTP client and then set the VTP domain to routersim.
3560A#config t
3560A(config)#vtp mode client
Device mode already VTP CLIENT
3560A(config)#vtp domain routersim
Changing VTP domain name from NULL to routersim
3560A(config)#exit
31. After you configure the VTP information, you can verify it with the show vtp status
command.
3560A#show vtp status
VTP Version : 2
Configuration Revision : 3
Maximum VLANs supported locally : 64
Number of existing VLANs : 7
VTP Operating Mode : Client
VTP Domain Name : routersim
VTP Pruning Mode : Disabled
VTP V2 Mode : Disabled
VTP Traps Generation : Disabled
MD5 digest : 0x70 0x01 0xF2 0x72 0x97 0xA1 0x35 0xEB
Configuration last modified by: 172.16.10.3 at 11-29-93 20:39:24
Local updater ID is 172.16.10.3 on interface Vl1 (lowest numbered VLAN
interface found)
3560A#
The preceding switch output shows the VTP domain and the switch's mode.
32. VLAN information should now be propagated from 3550 Switch A to 3560 Switch A.
Confirm this with the show vlan command.
3560A#show vlan
VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
1 default active Fa0/1, Fa0/4, Fa0/5, Fa0/6,
Fa0/7
Gi0/1
2 Sales active Fa0/2
4 Marketing active Fa0/8
7 Research active
1002 fddi-default active
1003 token-ring-default active
1004 fddinet-default active
1005 trnet-default active
VLAN 7 will not be allowed to pass any traffic on the trunk link because we
issued the command switchport trunk allowed vlan except 7 in step 18.
IntraVLAN and InterVLAN Routing
In previous labs we have set up VLANs 2 and 4 for the 3550 and 3560 switches. We will first
set up the proper subnetting so that we can place Hosts A and C in VLAN 2 and Hosts B
and D in VLAN 4. We will then have you test this by communicating with the VLANs. Then
we will set up interVLAN routing so that Hosts from VLANs 2 and 4 can communicate
with each other. Network devices in different VLANs cannot communicate with each other
without sending traffic through a router. In this lab we will use 2811 A router to perform the
802.1q routing so that we can route traffic between the two VLANs.
Two new subnets will be needed. We will use subnets 172.16.20.0/24 and 172.16.30.0/24.
Router 2811 A FastEthernet 0/0 interface will stay at 172.16.10.1/24; however, the IP address
needs to be moved to a subinterface, which we'll do in a minute.
33. We should now configure our hosts. VLAN 2 will have a subnet of 172.16.20.0/24
and VLAN 4 will have a subnet of 172.16.30.0/24. We will now change the current IP
addresses of the hosts so they are in their proper VLAN. Change the IP addresses and
default gateways of the four hosts.
Host  IP Address   New Default Gateway  Subnet Mask
A     172.16.20.2  172.16.20.1          255.255.255.0
B     172.16.30.3  172.16.30.1          255.255.255.0
C     172.16.20.3  172.16.20.1          255.255.255.0
D     172.16.30.2  172.16.30.1          255.255.255.0
34. Right mouse click Host A.
35. Click on the Configs button.
36. On Host A configure:
- IP Address
- Subnet Mask
- Default Gateway
IP address: a unique identification number for a device that is located on a network. An IP
address is equivalent to the address of your home. The format of an IP address is a 32-bit
numeric address written as four numbers separated by periods. Each number can be zero to
255. For example, 172.16.10.6 could be an IP address.
subnet mask: when you split up an IP network, the subnet mask is used to determine what
section or subnet the IP address of the networked device belongs to. An IP address has two
parts, the network address and the host address.
Let us examine IP address 172.16.10.6. Assuming this is part of a Class B network, the first
two numbers (172.16) represent the Class B network address, and the second two numbers
(10.6) identify a particular host on this network.
default gateway: an IP address configured on a networked device that allows that device to
communicate outside of its own subnet. A default gateway is usually a layer 3 device like
a router. When a network device wants to get to the Internet, it uses a default gateway.
A default gateway IP address is equivalent to the on-ramp of a highway.
IP Address: 172.16.20.2
Subnet Mask: 255.255.255.0
Default Gateway: 172.16.20.1
37. Click the OK button and then the Close button.
On Host B configure:
- IP Address
- Subnet Mask
- Default Gateway
IP Address: 172.16.30.3
Subnet Mask: 255.255.255.0
Default Gateway: 172.16.30.1
38. On Host C configure:
- IP Address
- Subnet Mask
- Default Gateway
IP Address: 172.16.20.3
Subnet Mask: 255.255.255.0
Default Gateway: 172.16.20.1
39. Click the OK button and then the Close button.
40. On Host D configure:
- IP Address
- Subnet Mask
- Default Gateway
IP Address: 172.16.30.2
Subnet Mask: 255.255.255.0
Default Gateway: 172.16.30.1
41. Click the OK button and then the Close button. Now double-click Host A.
42. Verify you have set up the VLANs correctly by pinging from Host A to Host C.
C:\>ping 172.16.20.3
Pinging 172.16.20.3 with 32 bytes of data:
Reply from 172.16.20.3 ;bytes=32 time=22ms TTL=254
Reply from 172.16.20.3 ;bytes=32 time=22ms TTL=254
Reply from 172.16.20.3 ;bytes=32 time=22ms TTL=254
Reply from 172.16.20.3 ;bytes=32 time=22ms TTL=254
Ping Statistics for 172.16.20.3:
Packets Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 22ms, Maximum = 23ms, Average = 22ms
C:\>
Once you can ping, you know you have configured at least one VLAN correctly. At this
time, Host A and Host C cannot ping anything else in the network except each other.
43. At this point you should not be able to ping Host B even though it is connected to the
same switch.
C:\>ping 172.16.30.3
Pinging 172.16.30.3 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Ping Statistics for 172.16.30.3:
Packets Sent = 4, Received = 0, Lost = 4 (100% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms
C:\>
44. Verify you have set up the VLANs correctly by pinging from Host B to Host D.
C:\>ping 172.16.30.2
Pinging 172.16.30.2 with 32 bytes of data:
Reply from 172.16.30.2 ;bytes=32 time=22ms TTL=254
Reply from 172.16.30.2 ;bytes=32 time=22ms TTL=254
Reply from 172.16.30.2 ;bytes=32 time=22ms TTL=254
Reply from 172.16.30.2 ;bytes=32 time=22ms TTL=254
Ping Statistics for 172.16.30.2:
Packets Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 22ms, Maximum = 23ms, Average = 22ms
C:\>
Once you can ping, you know you have configured both VLANs correctly. At this
time, Host B and Host D cannot ping anything else in the network except each other.
45. To have the hosts ping outside their own VLAN, you must set up some type of routing. You
also need to set up a trunk link between the switch and the router. Use the 2811 Router A
FastEthernet 0/0 interface and create 802.1q routing. Create three subinterfaces, one for
each VLAN. To establish a trunk link between 3550 Switch A and the 2811 router, configure
FastEthernet 0/4 on 3550 Switch A as a trunk port with 802.1q encapsulation.
2811A>enable
2811A#config t
2811A(config)#int fa0/0.1
2811A(config-subif)#encapsulation dot1q 1
2811A(config-subif)#ip address 172.16.10.1 255.255.255.0
2811A(config-subif)#int fa0/0.2
2811A(config-subif)#encapsulation dot1q 2
2811A(config-subif)#ip address 172.16.20.1 255.255.255.0
2811A(config-subif)#int fa0/0.3
2811A(config-subif)#encapsulation dot1q 4
2811A(config-subif)#ip address 172.16.30.1 255.255.255.0
2811A(config-subif)#exit
2811A(config)#exit
2811A#copy run start
Destination filename [startup-config]?
Building configuration...
[OK]
2811A#
3550A#config t
3550A(config)#int fa0/4
3550A(config-if)#switchport trunk encapsulation dot1q
3550A(config-if)#switchport mode trunk
46. Verify your sub-interface configurations with the show run command.
2811A#show run
[output cut]
!
interface FastEthernet0/0
no ip address
no ip directed-broadcast
!
interface FastEthernet0/0.1
encapsulation dot1Q 1
ip address 172.16.10.1 255.255.255.0
!
interface FastEthernet0/0.2
encapsulation dot1Q 2
ip address 172.16.20.1 255.255.255.0
!
interface FastEthernet0/0.3
encapsulation dot1Q 4
ip address 172.16.30.1 255.255.255.0
!
[output cut]
47. At this point, the hosts should be able to ping all hosts and 2811 Router A.
Individual Lab: Configuring
VLANs on a 1900 Switch
Enter all commands in lower case. The program's grading feature expects
lower case and may count an answer wrong if it is in upper case.
Configuring VLANs is the easy part of the job. It is trying to understand which users you
want in each VLAN that is time consuming. Once you have decided the number of VLANs
you want to create and the users that will be members of each VLAN, you can create your
VLAN. You can create up to 64 VLANs on a 1900 switch.
When you have finished with this lab ...
You can check your work by clicking the Grade Me button in the upper right hand corner
of the Network Visualizer screen.
You will see a report that will display:
- The name of the command entered for this lab
- The expected configuration
- Your configuration
- The result for each command. You will see a green checkmark (meaning that you got it
correct) or a red X
- A score of the number of correct answers out of the total possible
Network Layout
On the Network Visualizer screen, click on the Labs menu then choose Individual, 1900
Switch VLANs.
Lab Steps
1. Double-click switch 1900 A to bring up the console screen.
2. To configure VLANs on the 1900 series switch, choose k from the initial user
interface menu to get into IOS configuration. Press k to enter the CLI mode, and enter
global configuration mode using the enable command and then config t.
1 user(s) now active on Management Console.
User Interface Menu
[M] Menus
[K] Command Line
Enter Selection: k
CLI session with the switch is open.
To end the CLI session, enter [Exit].
3. Use the vtp global configuration mode command to set this information. In the
following example, we set the switch to a VTP server and the VTP domain to routersim.
A Catalyst is configured by default to be a VTP server, as are all switches. To
configure VTP, first configure the domain name you want to use, as discussed in the next
section. Once you configure the VTP information on a switch, you need to verify the
configuration.
VTP is a protocol used between switches to simplify the management of VLANs. You
can make configuration changes on one switch and have those changes automatically
communicated to all the other switches in the network. You can designate one switch
as the VTP Server and the others as VTP clients. The VTP Server then communicates
changes to the VTP clients.
1900A#config t
1900A(config)#vtp ?
client VTP client
domain Set VTP domain name
password Set VTP password
pruning VTP pruning
server VTP server
transparent VTP transparent
trap VTP trap
1900A(config)#vtp server
1900A(config)#vtp domain routersim
4. After you configure the VTP information, you can verify it with the show vtp command.
1900A(config)#exit
1900A#show vtp
VTP version: 1
Configuration revision: 3
Maximum VLANs supported locally: 1005
Number of existing VLANs: 7
VTP domain name : routersim
VTP password :
VTP operating mode : Server
VTP pruning mode : Disabled
VTP traps generation : Enabled
Configuration last modified by: 172.16.10.16 at 00-00-0000 00:00:00
1900A#
The preceding switch output shows the VTP domain and the switch's mode.
5. To configure VLANs on an IOS-based switch, use the vlan [vlan#] name [vlan
name] command. The following will demonstrate how to configure VLANs on the
switch by creating three VLANs for three different departments.
>en
#config t
Enter configuration commands, one per line. End with CNTL/Z
(config)#hostname 1900A
1900A(config)#vlan 2 name sales
1900A(config)#vlan 3 name marketing
1900A(config)#vlan 4 name mis
1900A(config)#exit
6. After you create the VLANs that you want, you can use the show vlan command to
see the configured VLANs. However, notice that by default all ports on the switch are
in VLAN 1. To change the VLAN associated with a port you need to go to each inter-
face and tell it what VLAN to be a member of.
Once the VLANs are created, verify your configuration with the show vlan command.
1900A#show vlan
VLAN Name Status Ports
--------------------------------------
1 default Enabled 1-12,A,B,AUI
2 sales Enabled
3 marketing Enabled
4 mis Enabled
1002 fddi-default Suspended
1003 token-ring-defau Suspended
1004 fddinet-default Suspended
1005 trnet-default Suspended
--------------------------------------
[output cut]
7. You can configure each port to be in a VLAN by using the vlan-membership command.
You can only configure VLANs one port at a time. In the following example, we
configure interface 2 to VLAN 2, interface 4 to VLAN 3, and interface 5 to VLAN 4.
1900A#config t
Enter configuration commands, one per line. End with CNTL/Z
1900A(config)#int e0/2
1900A(config-if)#vlan-membership ?
dynamic Set VLAN membership type as dynamic
static Set VLAN membership type as static
1900A(config-if)#vlan-membership static ?
<1-1005> ISL VLAN index
1900A(config-if)#vlan-membership static 2
1900A(config-if)#int e0/4
1900A(config-if)#vlan-membership static 3
1900A(config-if)#int e0/5
1900A(config-if)#vlan-membership static 4
1900A(config-if)#exit
1900A(config)#exit
8. Now, type show vlan again to see the ports assigned to each VLAN.
1900A#show vlan
VLAN Name Status Ports
--------------------------------------
1 default Enabled 1,3,6-12,A,B,AUI
2 sales Enabled 2
3 marketing Enabled 4
4 mis Enabled 5
1002 fddi-default Suspended
1003 token-ring-defau Suspended
1004 fddinet-default Suspended
1005 trnet-default Suspended
--------------------------------------
[output cut]
9. Another command you can use to see the ports assigned to a VLAN is
show vlan-membership. Notice that this command shows each port on the switch, which
VLAN the port is a member of, and the membership type (static or dynamic).
1900A#show vlan-membership
Port VLAN Membership Type
-----------------------------
1 1 Static
2 2 Static
3 1 Static
4 3 Static
5 4 Static
6 1 Static
7 1 Static
8 1 Static
9 1 Static
10 1 Static
11 1 Static
12 1 Static
AUI 1 Static
A 1 Static
B 1 Static
1900A#
Configuring Trunk Ports
Trunk links are 100 or 1000 Mbps point-to-point links between two switches, between a
switch and router, or between a switch and server. Trunked links carry the traffic of
multiple VLANs, from 1 to 1005 at a time. You cannot run trunked links on 10 Mbps links.
trunk port: assigned to a port, allowing that port to carry traffic for any or all of the
VLANs accessible by a particular switch. It marks frames with special identifying tags (i.e.
802.1Q) as they pass between switches, so each frame can be routed to its intended VLAN.
10. To configure trunking on a FastEthernet port, use the interface command trunk
[parameter]. The following switch output shows the trunk configuration on interface
26 to trunk on.
1900A#config t
Enter configuration commands, one per line. End with CNTL/Z
1900A(config)#int fa0/26
1900A(config-if)#trunk ?
auto Set DISL state to AUTO
desirable Set DISL state to DESIRABLE
nonegotiate Set DISL state to NONEGOTIATE
off Set DISL state to OFF
on Set DISL state to ON
1900A(config-if)#trunk on
11. The following list describes the different options available when setting a trunk
interface.
- auto: The interface will become trunk only if the connected device is set to on or
desirable.
- desirable: If a connected device is either on, desirable, or auto, it will negotiate to
become a trunk port.
- nonegotiate: The interface becomes a permanent ISL trunk port and will not negotiate
with any attached device.
- off: The interface is disabled from running trunking and tries to convert any attached
device to be on-trunk as well.
- on: The interface becomes a permanent ISL trunk port. It can negotiate with a
connected device to convert the link to trunk mode.
12. To verify your trunk ports, use the show trunk command. If you have more than one
port trunking and want to see statistics on only one trunk port, you can use the show
trunk [port_number] command.
FastEthernet port 0/26 is identified by trunk A and port 0/27 is identified by trunk B.
Below we demonstrate how to view the trunk port on interface 26:
1900A#show trunk ?
A Trunk A
B Trunk B
1900A#show trunk a
DISL state: On, Trunking: On, Encapsulation type: ISL
Notice in this output that DISL is on, trunking is on, and ISL is the
VLAN-encapsulation type on trunk links.
Configuring Inter-Switch Link (ISL) Routing
To support ISL routing on one FastEthernet 2600 interface, the router's interface is divided
into logical interfaces, one for each VLAN. These are called subinterfaces and Cisco also
calls this router-on-a-stick.
isl routing: in a switched network, it allows you to identify VLAN membership of a
frame as it travels between switches.
Each of the hosts in their VLAN must use the same subnet addressing. To configure the
router-on-a-stick for inter-VLAN routing, you need to complete three steps:
- Enable ISL trunking on the switch port the router connects to
- Enable ISL encapsulation on the router's subinterface
- Assign an IP address to the subinterface and other logical addressing if applicable (IP,
for example)
13. To create a subinterface from global configuration mode, choose the FastEthernet
interface, a period, and then a number. You will now be in the (config-subif) prompt
for the interface. We will use a 2621 router in this lab.
14. Move to the console screen for 2621 Router A.
15. Before we work with a subinterface we need to make sure the main interface fa0/0 is
up. Then let us go to the subinterface fa0/0.1.
Router>enable
Router#config t
Router(config)#hostname 2621A
2621A(config)#int fa0/0
2621A(config-if)#no shut
16:27:04 %LINK-3-UPDOWN: Interface FastEthernet0/0, changed state to up
16:27:04 %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0,
changed state to up
2621A(config-if)#int fa0/0.1
2621A(config-subif)#
16. To configure ISL routing on a subinterface, use the encapsulation isl [vlan-number]
command. You can then assign an IP address to the subinterface. This is a unique sub-
net and all the hosts on that VLAN should be in that same subnet.
2621A(config-subif)#encapsulation isl 1
2621A(config-subif)#ip address 172.16.10.1 255.255.255.0
Grade Me
Before you remove VTP, you might want to click the Grade Me button to check your work.
18. To delete the VTP information configured on a 1900 switch, you must use the delete
vtp command. The following switch output shows how to delete the VTP NVRAM
database.
1900A#delete ?
nvram NVRAM configuration
vtp Reset VTP configuration to defaults
1900A#delete vtp
This command resets the switch with VTP parameters set to factory defaults. All other
parameters will be unchanged.
Reset system with VTP parameters set to factory defaults, [Y]es or [N]o? Yes
Once you type in the command, you will be prompted to set the VTP information back
to the factory default configuration.
Individual Lab: Standard IP Access-Lists
Enter all commands in lower case. The program's grading feature expects
lower case and may count an answer wrong if it is in upper case.
This lab will have you block access to network 172.16.40.0 from Host F. Access-lists can be
tricky because if you do not create your lists correctly, you can bring the network down. In
this lab we will need to configure routers, hosts, and switches before we set up access-lists.
standard IP access lists: use source addresses for filtering packets. A collection of permit
and deny conditions is applied to IP addresses.
When you have finished with this lab ...
You can check your work by clicking the Grade Me button in the upper right hand corner
of the Network Visualizer screen.
You will see a report that will display:
- The name of the command entered for this lab
- The expected configuration
- Your configuration
- The result for each command. You will see a green checkmark (meaning that you got it
correct) or a red X
- A score of the number of correct answers out of the total possible
Network Layout
On the Network Visualizer screen, click on the Labs menu then choose Individual,
Access-Lists, and Standard IP Access.
Lab Steps
Copy and Paste Script
Steps 1-3 are necessary in order to perform this lab. If you do not want to manually complete
these steps and want to accelerate steps 1-3, you can copy and paste the following script into
the console for each router. After you get into User mode, copy and paste the script into the
console. Click on the console and click your right mouse button. A pop-up menu will appear.
Click Paste.
After pasting the script into the console, you will see the prompt Destination filename
[startup-config]?. At this point, press Enter.
2621 Router A
enable
config t
hostname 2621A
line vty 0 4
password todd
login
interface fastethernet 0/0
ip address 172.16.40.1 255.255.255.0
description connection to LAN 40
no shutdown
interface serial 0/0
ip address 172.16.20.2 255.255.255.0
description connection to 2811A
no shutdown
exit
exit
copy run start

2811 Router A
enable
config t
hostname 2811A
line vty 0 1180
password todd
login
interface serial 0/1/1
ip address 172.16.20.1 255.255.255.0
description connection to 2621A
no shutdown
interface serial 0/0/1
ip address 172.16.30.1 255.255.255.0
description connection to 2621B
no shutdown
exit
exit
copy run start

2621 Router B
enable
config t
hostname 2621B
line vty 0 4
password todd
login
interface fastethernet 0/1
ip address 172.16.50.1 255.255.255.0
description connection to LAN 30
no shutdown
interface serial 0/0
ip address 172.16.30.2 255.255.255.0
description connection to 2811A
no shutdown
exit
exit
copy run start
1. Double-click 2621 Router A. After the console screen comes up, perform the following
commands.
Router>enable
Router#config t
Router(config)#hostname 2621A
2621A(config)#line vty 0 4
2621A(config-line)#password todd
2621A(config-line)#login
2621A(config-line)#int fa0/0
2621A(config-if)#ip address 172.16.40.1 255.255.255.0
2621A(config-if)#description connection to LAN 40
2621A(config-if)#no shutdown
2621A(config-if)#int s0/0
2621A(config-if)#ip address 172.16.20.2 255.255.255.0
2621A(config-if)#description connection to 2811A
2621A(config-if)#no shutdown
2621A(config-if)#ctrl+z
2621A#copy run start
Destination filename [startup-config]? [enter]
Building configuration...
[OK]
2621A#
2. Double-click 2811 Router A. After the console screen comes up, perform the following
commands.
Router>enable
Router#config t
Router(config)#hostname 2811A
2811A(config)#line vty 0 1180
2811A(config-line)#password todd
2811A(config-line)#login
2811A(config-line)#int s0/1/1
2811A(config-if)#ip address 172.16.20.1 255.255.255.0
2811A(config-if)#description connection to 2621A
2811A(config-if)#no shutdown
2811A(config-if)#int s0/0/1
2811A(config-if)#ip address 172.16.30.1 255.255.255.0
2811A(config-if)#description connection to 2621B
2811A(config-if)#no shutdown
2811A(config-if)#ctrl+z
2811A#copy run start
Destination filename [startup-config]? [enter]
Building configuration...
[OK]
2811A#
3. Double-click 2621 Router B. After the console screen comes up, perform the following
commands.
Router>enable
Router#config t
Router(config)#hostname 2621B
2621B(config)#line vty 0 4
2621B(config-line)#password todd
2621B(config-line)#login
2621B(config-line)#int fa0/0
2621B(config-if)#ip address 172.16.50.1 255.255.255.0
2621B(config-if)#description connection to LAN 30
2621B(config-if)#no shutdown
2621B(config-if)#int s0/0
2621B(config-if)#ip address 172.16.30.2 255.255.255.0
2621B(config-if)#description connection to 2811A
2621B(config-if)#no shutdown
2621B(config-if)#ctrl+z
2621B#copy run start
Destination filename [startup-config]? [enter]
Building configuration...
[OK]
2621B#
Clock Rate
You do not have to set a clock rate if the DCE side of your connection is a 2811 router.
The clock rate for the serial interface is set by default to 2000000. However, you still
need to explicitly set the clock rate. In our lab the DCE side of the connection is
interface serial 0/1/1 and serial 0/0/1.
4. We need to add a routing protocol such as RIP. Add RIP for each router with a
network of 172.16.0.0.
2621A#config t
2621A(config)#router rip
2621A(config-router)#network 172.16.0.0
2621A(config-router)#ctrl+z
2621B#config t
2621B(config)#router rip
2621B(config-router)#network 172.16.0.0
2621B(config-router)#ctrl+z
2811A#config t
2811A(config)#router rip
2811A(config-router)#network 172.16.0.0
2811A(config-router)#ctrl+z
Configuring Hosts E and F
5. Right-mouse click Host E.
6. Click on the Configs button.
7. On Host E configure:
- IP Address
- Subnet Mask
- Default Gateway
IP Address: 172.16.40.3
Subnet Mask: 255.255.255.0
Default Gateway: 172.16.40.1
8. Click the OK button and then the Close button.
9. Right-mouse click Host F.
10. Click on the Configs button.
11. On Host F configure:
- IP Address
- Subnet Mask
- Default Gateway
IP Address: 172.16.50.3
Subnet Mask: 255.255.255.0
Default Gateway: 172.16.50.1
12. Click the OK button and then the Close button.
Configuring Switches
We now need to configure 2950 Switch A and 2960 Switch A.
13. Bring up the console for switch 2950 A.
14. To set the IP configuration on a 2950 switch, use the ip address command. However,
this is set under the VLAN1 interface, not at global configuration mode like on a 1900
switch. Remember that by default all interfaces are members of VLAN1, which is why
the VLAN1 interface is configured by default.
switch>enable
switch#config t
Enter configuration commands, one per line. End with CNTL/Z
switch(config)#hostname 2950A
2950A(config)#int vlan 1
2950A(config-if)#ip address 172.16.40.2 255.255.255.0
2950A(config-if)#exit
2950A(config)#
15. The default gateway should also be set using the ip default-gateway command.
However, unlike the IP address, this is completed at global configuration mode.
2950A(config)#ip default-gateway 172.16.40.1
2950A(config)#exit
2950A#
IP Default-Gateway
This is used on devices where no routing information is provided by the router that tells
you how to get to the next, directly connected device. It tells us what pathway to use to
send packets to the next, directly connected device. In the previous set of commands the
ip default-gateway is 172.16.40.1 because that is the IP address of interface f0/0 on A.
To change the IP address and default-gateway on the switch, you can either type in new
addresses or remove the IP information with the no ip address and
no ip default-gateway commands, at the appropriate configuration prompt.
16. Change to the console so you can work with 2960 Switch A.
17. Configure 2960 Switch A with an IP address and default-gateway.
switch>enable
switch#config t
Enter configuration commands, one per line. End with CNTL/Z
switch(config)#hostname 2960A
2960A(config)#int vlan 1
2960A(config-if)#ip address 172.16.50.2 255.255.255.0
2960A(config-if)#exit
2960A(config)#ip default-gateway 172.16.50.1
2960A(config)#exit
2960A#
18. Close the console screen.
19. Double-click Host F on the network.
20. Verify that you can ping to 2950 Switch A and that you can ping Host E from Host F.
C:\>ping 172.16.40.2
Pinging 172.16.40.2 with 32 bytes of data:
Reply from 172.16.40.2 ;bytes=32 time=22ms TTL=254
Reply from 172.16.40.2 ;bytes=32 time=22ms TTL=254
Reply from 172.16.40.2 ;bytes=32 time=22ms TTL=254
Reply from 172.16.40.2 ;bytes=32 time=22ms TTL=254
Ping Statistics for 172.16.40.2:
Packets Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 22ms, Maximum = 23ms, Average = 22ms
C:\>ping 172.16.40.3
Pinging 172.16.40.3 with 32 bytes of data:
Reply from 172.16.40.3 ;bytes=32 time=22ms TTL=254
Reply from 172.16.40.3 ;bytes=32 time=22ms TTL=254
Reply from 172.16.40.3 ;bytes=32 time=22ms TTL=254
Reply from 172.16.40.3 ;bytes=32 time=22ms TTL=254
Ping Statistics for 172.16.40.3:
Packets Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 22ms, Maximum = 23ms, Average = 22ms
C:\>
21. From the Host F menu, bring up the console for A.
22. Create an access-list that blocks access from host F trying to get to network
172.16.40.0.
2621A#config t
2621A(config)#access-list 10 deny host 172.16.50.3
2621A(config)#access-list 10 permit any
That's all we're going to do for the list. Remember that IP standard access-lists should
be created closest to the destination network, which is why we built that access-list on
2621 Router A. It is directly connected to network 172.16.40.0.
23. After creating an access-list for 2621 Router A, we now need to add the access-list to
the serial 0/0 interface of 2621 Router A.
2621A(config)#int s0/0
2621A(config-if)#ip access-group 10 in
This applied access-list 10 to the serial 0/0 interface of 2621 Router A and filtered
any incoming packets.
24. Check to see that Host F can no longer ping to 172.16.40.2 and 172.16.40.3.
C:\>ping 172.16.40.2
Pinging 172.16.40.2 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.
C:\>
C:\>ping 172.16.40.3
Pinging 172.16.40.3 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.
C:\>
25. If the access-list is correct, all other devices should still be able to reach network
172.16.40.0. Ping from 2621 Router B and verify that you can reach 172.16.40.2
and 172.16.40.3.
2621B#ping 172.16.40.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.40.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/4 ms
2621B#
2621B#ping 172.16.40.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.40.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/4 ms
2621B#
Verifying Standard IP Access-Lists
Pinging and telnetting through the internetwork is a really good way to verify the network and
access-lists. However, using the Cisco IOS commands is also a good way to verify the lists.
26. Bring up the console for 2621 Router A and type show access-list to see the list
configured on the router.
2621A(config-if)#ctrl+z
2621A#show access-list
Standard IP access list 10
deny 172.16.50.3
permit any
2621A#
27. You can also type either show ip access-list or show access-list 10 to gather specific list
configurations.
2621A#show access-list 10
Standard IP access list 10
deny 172.16.50.3
permit any
2621A#
28. To see which interface has access-lists applied, use the show ip interface command.
2621A#show ip interface
[output cut]
Serial0/0 is up, line protocol is up
Internet address is 172.16.20.2/24
Broadcast address is 255.255.255.255
Address determined by setup command
MTU is 1514 bytes
Helper address is not set
Directed broadcast forwarding is disabled
Outgoing access list is not set
Inbound access list is 10
[output cut]
29. The show running-config command is useful to see both the access-list and the
interface where the access-list is applied.
2621A#show run
[output cut]
!
interface Serial0/0
description connection to 2811A
ip address 172.16.20.2 255.255.255.0
no ip directed-broadcast
ip access-group 10 in
!
[output cut]
Applying an Access-List to a VTY Line
You will have a difficult time trying to stop users from telnetting into a router because any
active port on a router is fair game for VTY access. However, you can use a standard IP
access list to control access by placing the access-list on the VTY lines themselves.
To perform this function:
30. Create a standard IP access list that permits only the host or hosts you want to be able
to telnet into the routers.
31. Apply the access list to the VTY line with the access-class command.
This lab will have you stop Host F from telnetting into 2621 Router A.
32. Remove the access-list on 2621 Router A.
2621A#config t
2621A(config)#no access-list 10
33. Remove the access-list on the serial 0/0 interface of 2621 Router A.
2621A(config)#int s0/0
2621A(config-if)#no ip access-group 10 in
You can just type no access-list 10 to remove the access-list, but you
must type the whole command from the interface to remove the list from
the interface on the router.
34. Verify that Host F can telnet into 2621 Router A.
C:\>telnet 172.16.20.2
Connecting To 172.16.20.2 ...
This is 2621 Router A
User Access Verification
Password:
2621A>
35. Exit from your telnet session.
2621A>exit
Connection to host lost.
C:\>
36. Connect to 2621 Router A and block Telnet access for Host F, but allow all other
devices to telnet to 2621 Router A.
2621A#config t
2621A(config)#access-list 20 deny host 172.16.50.3
2621A(config)#access-list 20 permit any
37. Apply the access-list directly to the VTY lines and not to an interface.
2621A(config)#line vty 0 4
2621A(config-line)#access-class 20 in
2621A(config-line)#ctrl+z
2621A#
38. Verify that Host F can no longer telnet into 2621 Router A.
C:\>telnet 172.16.20.2
Connecting To 172.16.20.2 ...Could not open a connection to host: Connect
failed
C:\>
39. Use the Host F menu to go to the 2621 Router B console.
40. Verify that 2621 Router B can still telnet into 2621 Router A.
2621B#telnet 172.16.20.2
Trying 172.16.20.2 ... Open
This is 2621 Router A
User Access Verification
Password:
2621A>
Individual Lab: Extended IP Access-Lists
Enter all commands in lower case. The program's grading feature expects
lower case and may count an answer wrong if it is in upper case.
In this lab we will create a new access-list that is more succinct on 2621 Router A. We want
Host F to use the services on the 172.16.40.0 network, but we do not want them to telnet
into 2950 Switch A.
When you have finished with this lab ...
You can check your work by clicking the Grade Me button in the upper right-hand corner
of the Network Visualizer screen.
You will see a report that will display:
• The name of the command entered for this lab
• The expected configuration
• Your configuration
• The result for each command. You will see a green checkmark (meaning that you got it
  correct) or a red X
• A score of the number of correct answers out of the total possible
Network Layout
On the Network Visualizer screen, click on the Labs menu, then choose Individual,
Access-Lists, and Extended IP Access.
Lab Steps
Copy and Paste Script
Steps 1-3 are necessary in order to perform this lab. If you do not want to manually complete
these steps and want to accelerate steps 1-3, you can copy and paste the following script into
the console for each router. After you get into User mode, copy and paste the script into the
console. Click on the console and click your right mouse button. A pop-up menu will appear.
Click Paste.
After pasting the script into the console, you will see the prompt Destination filename
[startup-config]?. At this point, press Enter.
Script for 2621 Router A:
enable
config t
hostname 2621A
line vty 0 4
password todd
login
interface fastethernet 0/0
ip address 172.16.40.1 255.255.255.0
description connection to LAN 40
no shutdown
interface serial 0/0
ip address 172.16.20.2 255.255.255.0
description connection to 2811A
no shutdown
exit
exit
copy run start

Script for 2811 Router A:
enable
config t
hostname 2811A
line vty 0 1180
password todd
login
interface serial 0/1/1
ip address 172.16.20.1 255.255.255.0
description connection to 2621A
no shutdown
interface serial 0/0/1
ip address 172.16.30.1 255.255.255.0
description connection to 2621B
no shutdown
exit
exit
copy run start

Script for 2621 Router B:
enable
config t
hostname 2621B
line vty 0 4
password todd
login
interface fastethernet 0/1
ip address 172.16.50.1 255.255.255.0
description connection to LAN 30
no shutdown
interface serial 0/0
ip address 172.16.30.2 255.255.255.0
description connection to 2811A
no shutdown
exit
exit
copy run start
1. Double-click 2621 Router A. After the console screen comes up, perform the following
commands.
Router>enable
Router#config t
Router(config)#hostname 2621A
2621A(config)#line vty 0 4
2621A(config-line)#password todd
2621A(config-line)#login
2621A(config-line)#int fa0/0
2621A(config-if)#ip address 172.16.40.1 255.255.255.0
2621A(config-if)#description connection to LAN 40
2621A(config-if)#no shutdown
2621A(config-if)#int s0/0
2621A(config-if)#ip address 172.16.20.2 255.255.255.0
2621A(config-if)#description connection to 2811A
2621A(config-if)#no shutdown
2621A(config-if)#ctrl+z
2621A#copy run start
Destination filename [startup-config]? [enter]
Building configuration...
[OK]
2621A#
2. Double-click 2811 Router A. After the console screen comes up, perform the following
commands.
Router>enable
Router#config t
Router(config)#hostname 2811A
2811A(config)#line vty 0 1180
2811A(config-line)#password todd
2811A(config-line)#login
2811A(config-line)#int s0/1/1
2811A(config-if)#ip address 172.16.20.1 255.255.255.0
2811A(config-if)#description connection to 2621A
2811A(config-if)#no shutdown
2811A(config-if)#int s0/0/1
2811A(config-if)#ip address 172.16.30.1 255.255.255.0
2811A(config-if)#description connection to 2621B
2811A(config-if)#no shutdown
2811A(config-if)#ctrl+z
2811A#copy run start
Destination filename [startup-config]? [enter]
Building configuration...
[OK]
2811A#
3. Double-click 2621 Router B. After the console screen comes up, perform the following
commands.
Router>enable
Router#config t
Router(config)#hostname 2621B
2621B(config)#line vty 0 4
2621B(config-line)#password todd
2621B(config-line)#login
2621B(config-line)#int fa0/0
2621B(config-if)#ip address 172.16.50.1 255.255.255.0
2621B(config-if)#description connection to LAN 30
2621B(config-if)#no shutdown
2621B(config-if)#int s0/0
2621B(config-if)#ip address 172.16.30.2 255.255.255.0
2621B(config-if)#description connection to 2811A
2621B(config-if)#no shutdown
2621B(config-if)#ctrl+z
2621B#copy run start
Destination filename [startup-config]? [enter]
Building configuration...
[OK]
2621B#
4. We need to add a routing protocol such as RIP. Add RIP for each router with a network
of 172.16.0.0.
2621A#config t
2621A(config)#router rip
2621A(config-router)#network 172.16.0.0
2621A(config-router)#ctrl+z
2621B#config t
2621B(config)#router rip
2621B(config-router)#network 172.16.0.0
2621B(config-router)#ctrl+z
2811A#config t
2811A(config)#router rip
2811A(config-router)#network 172.16.0.0
2811A(config-router)#ctrl+z
Clock Rate
You do not have to set a clock rate if the DCE side of your connection is a 2811 router.
The clock rate for the serial interface is set by default to 2000000. However, on a 2621
router you still need to explicitly set the clock rate. In our lab the DCE side of the
connection is interface serial 0/1/1 and serial 0/0/1.
Configuring Hosts E and F
5. Right-mouse click Host E.
6. Click on the Configs button.
7. On Host E configure:
• IP Address: 172.16.40.3
• Subnet Mask: 255.255.255.0
• Default Gateway: 172.16.40.1
8. Click the OK button and then the Close button.
9. Right-mouse click Host F.
10. Click on the Configs button.
11. On Host F configure:
• IP Address: 172.16.50.3
• Subnet Mask: 255.255.255.0
• Default Gateway: 172.16.50.1
12. Click the OK button and then the Close button.
Configuring Switches
We now need to configure 2950 Switch A and 2960 Switch A.
13. Bring up the console for 2950 Switch A.
14. To set the IP configuration on a 2950 switch, use the ip address command. However,
this is set under the VLAN1 interface, not at global configuration mode like on a 1900
switch. Remember that by default all interfaces are members of VLAN1, which is why
the VLAN1 interface is configured by default.
switch>enable
switch#config t
Enter configuration commands, one per line. End with CNTL/Z
switch(config)#hostname 2950A
2950A(config)#int vlan 1
2950A(config-if)#ip address 172.16.40.2 255.255.255.0
2950A(config-if)#exit
2950A(config)#
15. The default gateway should also be set using the ip default-gateway command. However,
unlike the IP address, this is completed at global configuration mode.
2950A(config)#ip default-gateway 172.16.40.1
2950A(config)#exit
2950A#
IP Default-Gateway
This is used on devices where no routing information is provided by the router that
tells you how to get to the next, directly connected device. It tells us what pathway to
use to send packets to the next, directly connected device. In the previous set of commands
the ip default-gateway is 172.16.40.1 because that is the IP address of interface
f0/0 on 2621 Router A.
16. Change to the console so you can work with 2960 Switch A.
17. Configure 2960 Switch A with an IP address and default-gateway.
switch>enable
switch#config t
Enter configuration commands, one per line. End with CNTL/Z
switch(config)#hostname 2960A
2960A(config)#int vlan 1
2960A(config-if)#ip address 172.16.50.2 255.255.255.0
2960A(config-if)#exit
2960A(config)#ip default-gateway 172.16.50.1
2960A(config)#exit
2960A#
18. Close the console screen and bring up the Host F console.
19. Verify that Host F can now ping 172.16.40.2 and 172.16.40.3.
C:\>ping 172.16.40.2
Pinging 172.16.40.2 with 32 bytes of data:
Reply from 172.16.40.2 ;bytes=32 time=22ms TTL=254
Reply from 172.16.40.2 ;bytes=32 time=22ms TTL=254
Reply from 172.16.40.2 ;bytes=32 time=22ms TTL=254
Reply from 172.16.40.2 ;bytes=32 time=22ms TTL=254
Ping Statistics for 172.16.40.2:
Packets Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 22ms, Maximum = 23ms, Average = 22ms
C:\>ping 172.16.40.3
Pinging 172.16.40.3 with 32 bytes of data:
Reply from 172.16.40.3 ;bytes=32 time=22ms TTL=254
Reply from 172.16.40.3 ;bytes=32 time=22ms TTL=254
Reply from 172.16.40.3 ;bytes=32 time=22ms TTL=254
Reply from 172.16.40.3 ;bytes=32 time=22ms TTL=254
Ping Statistics for 172.16.40.3:
Packets Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 22ms, Maximum = 23ms, Average = 22ms
C:\>
20. Create an access-list on 2621 Router A to block telnet access into the 172.16.40.0
network, but still allow Host F to ping Host E.
2621A#config t
2621A(config)#access-list 110 deny tcp host 172.16.50.3 172.16.40.0 0.0.0.255 eq telnet
2621A(config)#access-list 110 permit ip any any
This access-list blocked source address 172.16.50.3 from telnetting into
172.16.40.0.
21. Apply this access-list to the serial interface 0/0 of 2621 Router A to filter the packets
coming into the router.
2621A(config)#int s0/0
2621A(config-if)#ip access-group 110 in
2621A(config-if)#ctrl+z
2621A#
22. Test the access-list by trying to telnet to 172.16.40.2 from Host F (remember, you cannot
telnet to a host). All other devices should be able to telnet to 172.16.40.2.
C:\>telnet 172.16.40.2
Connecting To 172.16.40.2 ...Could not open a connection to host: Connect
failed
C:\>
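The standard, VTY, and extended lists from these labs can be compared by running the same flows through each. The following is an added example, not code from the book or from Cisco: it models IOS first-match and wildcard-mask logic in Python, and the flow names, the `ROUTER_A` address set, and Router B sourcing its Telnet from 172.16.30.2 are assumptions made for the illustration.

```python
"""Added example: first-match evaluation of the lab's access lists 10, 20 and 110."""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Optional, Tuple

TELNET = 23
ANY = ("0.0.0.0", "255.255.255.255")          # IOS keyword "any"
ROUTER_A = {"172.16.20.2", "172.16.40.1"}     # 2621 Router A's own addresses in the lab


def host(addr: str) -> Tuple[str, str]:
    """IOS keyword "host x" is shorthand for address x with wildcard 0.0.0.0."""
    return (addr, "0.0.0.0")


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Bits set to 1 in the wildcard are ignored; all other bits must be equal."""
    care = ~int(IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(IPv4Address(addr)) & care) == (int(IPv4Address(base)) & care)


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                    # "tcp" or "icmp"
    dport: Optional[int] = None


@dataclass(frozen=True)
class Entry:
    action: str                   # "permit" or "deny"
    proto: str                    # "ip" matches every protocol
    src: Tuple[str, str]
    dst: Tuple[str, str] = ANY    # standard lists test the source only
    dport: Optional[int] = None   # "eq telnet" -> 23


def evaluate(acl, pkt: Packet) -> str:
    """Return the action of the first matching entry; no match is the implicit deny."""
    for e in acl:
        if (e.proto in ("ip", pkt.proto)
                and wildcard_match(pkt.src, *e.src)
                and wildcard_match(pkt.dst, *e.dst)
                and (e.dport is None or e.dport == pkt.dport)):
            return e.action
    return "deny"


ACL_10 = [Entry("deny", "ip", host("172.16.50.3")), Entry("permit", "ip", ANY)]
ACL_20 = list(ACL_10)             # list 20 has the same two entries as list 10
ACL_110 = [
    Entry("deny", "tcp", host("172.16.50.3"), ("172.16.40.0", "0.0.0.255"), TELNET),
    Entry("permit", "ip", ANY, ANY),
]

# Where each list is applied in the labs. An interface list sees every packet
# arriving on s0/0; an access-class list is consulted only for Telnet sessions
# that terminate on the router's own VTY lines.
CONFIGS = {
    "access-group 10 in on s0/0": (ACL_10, "interface"),
    "access-class 20 in on vty": (ACL_20, "vty"),
    "access-group 110 in on s0/0": (ACL_110, "interface"),
}

# Constructed test flows, all arriving on Router A's serial 0/0.
FLOWS = {
    "Host F ping 172.16.40.2": Packet("172.16.50.3", "172.16.40.2", "icmp"),
    "Host F telnet 172.16.40.2": Packet("172.16.50.3", "172.16.40.2", "tcp", TELNET),
    "Host F telnet 172.16.20.2": Packet("172.16.50.3", "172.16.20.2", "tcp", TELNET),
    # Assumption: Router B sources the session from its s0/0 address.
    "Router B telnet 172.16.20.2": Packet("172.16.30.2", "172.16.20.2", "tcp", TELNET),
}


def allowed(config: str, pkt: Packet) -> bool:
    acl, where = CONFIGS[config]
    if where == "vty":
        to_vty = pkt.dst in ROUTER_A and pkt.proto == "tcp" and pkt.dport == TELNET
        if not to_vty:
            return True           # transit traffic never consults the VTY list
    return evaluate(acl, pkt) == "permit"


def matrix():
    """Result of every flow under every configuration (True = permitted)."""
    return {c: {name: allowed(c, p) for name, p in FLOWS.items()} for c in CONFIGS}


if __name__ == "__main__":
    for config, row in matrix().items():
        print(config)
        for flow, ok in row.items():
            print(f"  {'permit' if ok else 'deny  '}  {flow}")
```

The matrix shows the trade-off between the three placements: list 10 on the interface cuts Host F off entirely, list 20 on the VTY lines protects only the router's own login, and list 110 stops Telnet into 172.16.40.0 while leaving ping and Telnet to 172.16.20.2 untouched.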
Verifying Extended IP Access-lists
We will use the same command as we did to verify the IP Standard Access-lists. Go to 2621
Router A (if you created the list on 2621 Router A) and verify your access list. Remember
that ping and telnet are really good tools to verify your network as well.
23. From 2621 Router A, type the show access-list command to see the configured list.
2621A#show access-list
Extended IP access list 110
deny tcp host 172.16.50.3 172.16.40.0 0.0.0.255 eq telnet
permit ip any any
2621A#
24. Use the show access-list 110 command to see only list 110.
2621A#show access-list 110
Extended IP access list 110
deny tcp host 172.16.50.3 172.16.40.0 0.0.0.255 eq telnet
permit ip any any
2621A#
25. You can also use show ip access-list to see only the IP access-list configured on
your router.
2621A#show ip access-list
Extended IP access list 110
deny tcp host 172.16.50.3 172.16.40.0 0.0.0.255 eq telnet
permit ip any any
2621A#
26. Verify which interface has an access-list set by using the show ip interface command
on 2621 Router A.
2621A#show ip interface
Serial0/0 is up, line protocol is up
Internet address is 172.16.20.2/24
Broadcast address is 255.255.255.255
Address determined by setup command
MTU is 1514 bytes
Helper address is not set
Directed broadcast forwarding is disabled
Outgoing access list is not set
Inbound access list is 110
[output cut]
2621A#
Removing Extended IP Access-lists
27. Remove the access-list on 2621 Router A.
2621A#config t
2621A(config)#no access-list 110
28. Remove the access-list on the serial 0/0 interface of 2621 Router A.
2621A(config)#int s0/0
2621A(config-if)#no ip access-group 110 in
You can just type no access-list 110 to remove the access-list, but you
must type the whole command from the interface to remove the list from
the interface on the router.
29. Verify that you have removed the extended IP access-list.
2621A(config-if)#ctrl+z
2621A#show run
[output cut]
!
interface Serial0/0
description connection to 2811A
ip address 172.16.20.2 255.255.255.0
no ip directed-broadcast
!
[output cut]
Individual Lab: Network Address Translation (NAT) and Port Address Translation
When Do You Use NAT?
At times NAT decreases the overwhelming amount of Public IP addresses required in
your networking environment. And NAT comes in really handy when two companies that
have duplicate internal addressing schemes merge. NAT is also great to have around when
an organization changes its Internet Service Provider (ISP) and the networking manager
doesn't want to hassle with changing the internal address scheme.
Here's a list of situations when it's best to have NAT on your side:
• You need to connect to the Internet and your hosts do not have globally unique IP
  addresses.
• You change to a new ISP that requires you to renumber your network.
• You require two intranets with duplicate addresses to merge.
Enter all commands in lower case. The program's grading feature expects
lower case and may count an answer wrong if it is in upper case.
Advantages and Disadvantages of Implementing NAT
| Advantages | Disadvantages |
|---|---|
| Conserves legally registered addresses | Translation introduces switching path delays |
| Reduces address overlap occurrence | Loss of end-to-end IP traceability |
| Increases flexibility when connecting to Internet | Certain applications will not function with NAT enabled |
| Eliminates address renumbering as network changes | |
Initially, you will configure NAT on 2811 Router A to translate the private IP address of
192.168.10.0 to a public address of 171.16.10.0.
When you have finished with this lab ...
You can check your work by clicking the Grade Me button in the upper right-hand corner
of the Network Visualizer screen.
You will see a report that will display:
• The name of the command entered for this lab
• The expected configuration
• Your configuration
• The result for each command. You will see a green checkmark (meaning that you got it
  correct) or a red X
• A score of the number of correct answers out of the total possible
Network Layout
On the Network Visualizer screen, click on the Labs menu then choose Individual,
NAT-PAT, and NAT-PAT.
Command Summary for NAT/PAT Lab
| Command | Purpose |
|---|---|
| ip nat inside source list acl pool name | Translates IPs that match the ACL from the pool |
| ip nat inside source static inside_addr outside_addr | Statically maps an inside address to an outside address |
| ip nat pool name | Creates an address pool |
| ip nat inside | Sets an interface to be an inside interface |
| ip nat outside | Sets an interface to be an outside interface |
| show ip nat translations | Shows current NAT translations |
Setting up the NAT Lab
You will set up IP addresses on the router interfaces and turn on EIGRP on every router.
Configure the routers with the IP addresses listed below:
Router IP Address Scheme
| Router | Interface | IP Address |
|---|---|---|
| 2811 A | S0/0/0 | 171.16.10.1/24 |
| 2811 B | F0/0 | 192.168.10.1/24 |
| 2811 B | S0/0/0 | 171.16.10.2/24 |
| 2811 C | F0/0 | 192.168.10.2/24 |
| 2811 C | F0/1 | 192.168.20.1/24 |
| 2811 Router D | F0/1 | 192.168.20.2/24 |
Lab Steps
1. Double-click 2811 Router A in order to bring up the console screen. Configure Router.
Router>enable
Router#config t
Router(config)#hostname 2811A
2811A(config)#int s0/0/0
2811A(config-if)#ip address 171.16.10.1 255.255.255.0
2811A(config-if)#no shutdown
2811A(config-if)#exit
2811A(config)#router eigrp 15
2811A(config-router)#network 171.16.0.0
2811A(config-router)#ctrl+z
2811A#copy run start
Destination filename [startup-config]? [enter]
Building configuration...
[OK]
2811A#
2. Use the console menu to bring up the console screen for 2811 Router B.
3. Configure 2811 Router B.
Router>enable
Router#config t
Router(config)#hostname 2811B
2811B(config)#int s0/0/0
2811B(config-if)#ip address 171.16.10.2 255.255.255.0
2811B(config-if)#no shutdown
2811B(config-if)#int fa0/0
2811B(config-if)#ip address 192.168.10.1 255.255.255.0
2811B(config-if)#no shutdown
2811B(config-if)#exit
2811B(config)#router eigrp 15
2811B(config-router)#network 171.16.0.0
2811B(config-router)#network 192.168.10.0
2811B(config-router)#no auto-summary
2811B(config-router)#ctrl+z
2811B#copy run start
Destination filename [startup-config]? [enter]
Building configuration...
[OK]
2811B#
4. Use the console menu to bring up the console screen for 2811 Router C.
5. Configure 2811 Router C.
Router>enable
Router#config t
Router(config)#hostname 2811C
2811C(config)#int fa0/0
2811C(config-if)#ip address 192.168.10.2 255.255.255.0
2811C(config-if)#no shutdown
2811C(config-if)#int fa0/1
2811C(config-if)#ip address 192.168.20.1 255.255.255.0
2811C(config-if)#no shutdown
2811C(config-if)#exit
2811C(config)#router eigrp 15
2811C(config-router)#network 192.168.10.0
2811C(config-router)#network 192.168.20.0
2811C(config-router)#ctrl+z
2811C#copy run start
Destination filename [startup-config]? [enter]
Building configuration...
[OK]
2811C#
Auto-summary
The process of taking subnets like 192.168.10.4/30 or 192.168.10.56/29 and summarizing
them down to their base network class. In the case of 192.168.10.4/30 or 192.168.10.56/29,
the networks are summarized to their Class C base network address of 192.168.10.0/24.
Summarization occurs at classful network boundaries. A classful network boundary
occurs where one class of network meets a different class of network. If subnet
192.168.10.4/30 or 192.168.10.56/29 were crossing over to another
router connected by the 10.1.1.0/24 network, the classful network boundary is between
the 10.0.0.0/8 and 192.168.10.0/24 networks.
No Auto-summary
The process of taking the subnets 192.168.10.4/30 or 192.168.10.56/29 and not
summarizing them down to their base network class. In the case of 192.168.10.4/30 or
192.168.10.56/29, the networks are never summarized to their Class C base network
address of 192.168.10.0/24 when classful network boundaries are encountered.
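The boundary rule in this sidebar can be computed directly. The following is an added example, not code from the book: a Python sketch of what a router would advertise out of a link with and without auto-summary, using the sidebar's prefixes plus the two /27 blocks from the VLSM lab. The function names are assumptions made for the illustration.

```python
"""Added example: classful auto-summary at a network boundary."""
from ipaddress import IPv4Network


def classful_network(net: IPv4Network) -> IPv4Network:
    """Return the Class A, B or C network that contains the given subnet."""
    first_octet = int(net.network_address) >> 24
    if first_octet < 128:
        plen = 8            # Class A
    elif first_octet < 192:
        plen = 16           # Class B
    elif first_octet < 224:
        plen = 24           # Class C
    else:
        raise ValueError("Class D/E addresses have no classful network")
    # A prefix already shorter than the classful mask is left unchanged.
    return net.supernet(new_prefix=plen) if net.prefixlen >= plen else net


def advertised(subnets, out_link: IPv4Network, auto_summary: bool):
    """Prefixes sent out of out_link. With auto-summary, a subnet is collapsed
    to its classful network only when the link belongs to a different one."""
    link_major = classful_network(out_link)
    result = []
    for subnet in subnets:
        major = classful_network(subnet)
        prefix = major if auto_summary and major != link_major else subnet
        if prefix not in result:
            result.append(prefix)
    return result


def overlapping_advertisements(left, right, link: IPv4Network, auto_summary: bool):
    """Prefixes that routers on both ends of the link would advertise to each
    other. A non-empty result is the discontiguous-network problem: each side
    claims the same summary, so neither learns the other's subnets."""
    a = set(advertised(left, link, auto_summary))
    b = set(advertised(right, link, auto_summary))
    return a & b


if __name__ == "__main__":
    subnets = [IPv4Network("192.168.10.4/30"), IPv4Network("192.168.10.56/29")]
    backbone = IPv4Network("10.1.1.0/24")
    print(advertised(subnets, backbone, auto_summary=True))
    print(advertised(subnets, backbone, auto_summary=False))
    print(overlapping_advertisements(
        [IPv4Network("192.168.10.32/27")], [IPv4Network("192.168.10.64/27")],
        backbone, auto_summary=True))
```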
6. Use the console menu to bring up the console screen for 2811 Router D.
7. Configure 2811 Router D.
Router>enable
Router#config t
Router(config)#hostname 2811D
2811D(config)#int fa0/1
2811D(config-if)#ip address 192.168.20.2 255.255.255.0
2811D(config-if)#no shutdown
2811D(config-if)#exit
2811D(config)#router eigrp 15
2811D(config-router)#network 192.168.20.0
2811D(config-router)#ctrl+z
2811D#copy run start
Destination filename [startup-config]? [enter]
Building configuration...
[OK]
2811D#
8. After you configure the routers, you should be able to ping from router to router. Verify that
you can ping from 2811 Router A to 2811 Router D and from 2811 Router D to
2811 Router A. If you cannot, STOP! Troubleshoot your network.
2811A#ping 192.168.20.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.20.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/4 ms
2811A#
2811D#ping 171.16.10.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 171.16.10.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/4 ms
2811D#
9. You can also verify your EIGRP routes with the show ip route command.
2811A#show ip route
[output cut]
171.16.0.0/24 is subnetted, 1 subnets
C 171.16.10.0 is directly connected, Serial0/0/0
D 192.168.20.0 [90/2172416] via 171.16.10.2, 00:06:07, Serial0/0/0
D 192.168.10.0 [90/2172416] via 171.16.10.2, 00:06:07, Serial0/0/0
2811A#
2811B#show ip route
[output cut]
171.16.0.0/24 is subnetted, 1 subnets
C 171.16.10.0 is directly connected, Serial0/0/0
D 192.168.20.0 [90/2172416] via 192.168.10.2, 00:08:08, FastEthernet0/0
C 192.168.10.0/24 is directly connected, FastEthernet0/0
2811B#
2811C#show ip route
[output cut]
171.16.0.0/24 is subnetted, 1 subnets
D 171.16.10.0 [90/2172416] via 192.168.10.1, 01:03:55, FastEthernet0/0
C 192.168.10.0/24 is directly connected, FastEthernet0/0
C 192.168.20.0/24 is directly connected, FastEthernet0/1
2811C#
2811D#show ip route
[output cut]
171.16.0.0/24 is subnetted, 1 subnets
D 171.16.10.0 [90/2172416] via 192.168.20.1, 01:06:03, FastEthernet0/1
D 192.168.10.0 [90/2172416] via 192.168.20.1, 01:06:03, FastEthernet0/1
C 192.168.20.0/24 is directly connected, FastEthernet0/1
2811D#
Dynamic NAT
We will now show you how to configure NAT to translate from real ISP assigned addresses
to private addresses so that the inside network can communicate to the Internet.
10. In this step, you'll configure a dynamic NAT pool on 2811 Router B. Create a pool
of addresses called RouterSim on 2811 Router B. The pool should contain a range of
addresses of 171.16.10.50 through 171.16.10.55.
2811B(config)#ip nat pool RouterSim 171.16.10.50 171.16.10.55 net 255.255.255.0
11. Create access-list 1. This list permits traffic from the 192.168.20.0 and 192.168.10.0
network to be translated.
2811B(config)#access-list 1 permit 192.168.20.0 0.0.0.255
2811B(config)#access-list 1 permit 192.168.10.0 0.0.0.255
12. Map the access list to the pool that was created.
2811B(config)#ip nat inside source list 1 pool RouterSim
13. Configure f0/0 as an inside NAT interface.
2811B(config)#int f0/0
2811B(config-if)#ip nat inside
14. Configure serial 0/0/0 as an outside NAT interface.
2811B(config-if)#int s0/0/0
2811B(config-if)#ip nat outside
15. Bring up the console for 2811 Router D. Telnet from 2811 Router D to 2811
Router A; do not disconnect.
2811D#telnet 171.16.10.1
Trying 171.16.10.1 ... Open
Password required, but none set
[Connection to 171.16.10.1 closed by foreign host]
2811D#
We received this message because we did not set up a telnet password on 2811 Router A.
16. Go to 2811 Router A and set up a telnet password.
2811A#config t
2811A(config)#line vty 0 1180
2811A(config-line)#password todd2
Try step 15 again and if you are successful, move on to step 18.
17. Bring up the console for 2811 Router C. Telnet from 2811 Router C to 2811
Router A; do not disconnect.
2811C#telnet 171.16.10.1
18. Go back to 2811 Router A and execute the command show users. (This shows who is
accessing the VTY lines).
2811A#show users
Line User Host(s) Idle Location
0 con 0 idle 00:00:00
2 vty 0 idle 00:00:40 171.16.10.50
* 3 vty 1 idle 00:00:17 171.16.10.51
Interface User Mode Idle Peer Address
2811A#
Notice that there is a one-to-one translation, which means you must have a real IP
address for every host that wants to get to the Internet, which is not always possible.
19. Leave the session open on 2811 Router A and connect back to 2811 Router B.
20. Bring up the console for 2811 Router B and view your current translations by entering
the show ip nat translation command. You should see something like this:
2811B#show ip nat translations
Pro Inside global Inside local Outside local Outside global
--- 171.16.10.50 192.168.20.2 --- ---
--- 171.16.10.51 192.168.10.2 --- ---
2811B#
Oh my gosh, this really works!
Remember that the inside local is before translation and the inside global is after
translation, and how you are known on the Internet.
21. Exit out of the telnet session from 2811 Router D.
22. If you turn on debug ip nat on 2811 Router B and then ping through the router from
2811 Router D, you will see the actual NAT process take place, which will look
something like this:
2811B#debug ip nat
2811D#ping 171.16.10.1
2811B#
Feb 27 17:16:18.256: NAT*: s=192.168.20.2->171.16.10.52, d=171.16.10.1 [1]
Feb 27 17:16:18.260: NAT*: s=171.16.10.1->171.16.10.52, d=192.168.20.2 [1]
Do not exit out of the telnet sessions for 2811 Router C and 2811 Router D.
Configuring PAT
You will now configure Port Address Translation (PAT) on 2811 Router B. We will use
PAT because we don't want a one-to-one translation, but instead we want to just use one
IP address for every user on the network.
23. Terminate the telnet sessions on 2811 Router C and 2811 Router D by using the exit
command.
24. On 2811 Router B, delete the translation table and remove the dynamic NAT pool.
2811B#clear ip nat translation *
2811B#config t
2811B(config)#no ip nat pool RouterSim 171.16.10.50 171.16.10.55 netmask 255.255.255.0
2811B(config)#no ip nat inside source list 1 pool RouterSim
25. On 2811 Router B, create a NAT pool with one address called Lammle. The pool
should contain a single address: 171.16.10.100. Enter the command below:
2811B(config)#ip nat pool Lammle 171.16.10.100 171.16.10.100 netmask 255.255.255.0
26. Create access-list 2. It should permit networks 192.168.20.0 and 192.168.10.0 to be
translated.
2811B(config)#access-list 2 permit 192.168.20.0 0.0.0.255
2811B(config)#access-list 2 permit 192.168.10.0 0.0.0.255
27. Map the access-list 2 to the new pool, allowing PAT to occur by using the overload
command.
2811B(config)#ip nat inside source list 2 pool Lammle overload
28. Bring up the console for 2811 Router D and telnet to 2811 Router A. Then bring up
2811 Router C and telnet to 2811 Router A.
29. From 2811 Router A use the show users command. The output should look something
like this:
2811A>show users
Line User Host(s) Idle Location
0 con 0 idle 00:00:00
2 vty 0 idle 00:00:29 171.16.10.100
* 3 vty 1 idle 00:00:21 171.16.10.100
Interface User Mode Idle Peer Address
2811A>
30. From 2811 Router B use the show ip nat translations command.
2811B#show ip nat translations
Pro Inside global Inside local Outside local Outside global
tcp 171.16.10.100:1723 192.168.10.2:1723 171.16.10.1:23 171.16.10.1:23
tcp 171.16.10.100:1723 192.168.20.2:1723 171.16.10.1:23 171.16.10.1:23
2811B#
Exit out of the telnet session from 2811 Router D.
31. Also make sure that the debug ip nat command is on 2811 Router B. If you ping from
2811 Router D to 2811 Router A, the output will look like this:
01:12:36: NAT: s=192.168.10.2->171.16.10.100, d=171.16.10.1 [35]
01:12:36: NAT*:s=171.16.10.1, d=171.16.10.100->192.168.10.2 [35]
01:12:36: NAT*:s=192.168.10.2->171.16.10.100, d=171.16.10.1 [36]
01:12:36: NAT*:s=171.16.10.1, d=171.16.10.100->192.168.10.2 [36]
01:12:36: NAT*:s=192.168.10.2->171.16.10.100, d=171.16.10.1 [37]
01:12:36: NAT*:s=171.16.10.1, d=171.16.10.100->192.168.10.2 [37]
01:12:36: NAT*:s=192.168.10.2->171.16.10.100, d=171.16.10.1 [38]
01:12:36: NAT*:s=171.16.10.1, d=171.16.10.100->192.168.10.2 [38]
01:12:37: NAT*:s=192.168.10.2->171.16.10.100, d=171.16.10.1 [39]
01:12:37: NAT*:s=171.16.10.1, d=171.16.10.100->192.168.10.2
Individual Lab: VLSM with Summarization
The following lab will have you configure a medium-size network into block sizes of 32 (/27)
using the EIGRP routing protocol and summarizing the classless boundaries. The switches
will not be configured in this lab and they will behave just like hubs. You will configure each
router in the lab with the appropriate IP addressing.
Enter all commands in lower case. The program's grading feature expects
lower case and may count an answer wrong if it is in upper case.
When you have finished with this lab ...
You can check your work by clicking the Grade Me button in the upper right-hand corner
of the Network Visualizer screen.
You will see a report that will display:
- The name of the command entered for this lab
- The expected configuration
- Your configuration
- The result for each command. You will see a green checkmark (meaning that you got it
  correct) or a red X
- A score of the number of correct answers out of the total possible
Routers 2811 A through 2811 E should be configured in the 192.168.10.32/27 network
and routers 2811 F through 2811 J will be configured in the 192.168.10.64/27 network.
In each network there are four block sizes of four (the WAN links) and two block sizes of
eight (the LANs).
To connect routers 2811 A and 2811 F across the backbone, we will use the 10.1.1.0/24
network. This is called discontiguous networking because we have one class of network
(192.168.10.0) connecting across to the same network address through the 10.0.0.0 network
and this will not work by default. RIPv1 and IGRP can never work in this type of network. In
order to use VLSM with discontiguous networking in your network, you must use one of the
following routing protocols: RIPv2, EIGRP, OSPF or IS-IS (these are considered classless routing
protocols). This lab will have you use EIGRP as the classless routing protocol.
Network Layout
On the Network Visualizer screen, click on the Labs menu then choose Individual,
VLSM, and VLSM and Summarization.
Here is the IP addressing scheme used in this lab for routers 2811 A through 2811 E
(notice how the four block sizes of four and two block sizes of eight fit in one block size
of 32: VLSM network addressing).
Router           Block Sizes
2811 Router A    S0/0/0: 192.168.10.37/30 (subnet 36, block size of 4)
                 S0/0/1: 192.168.10.33/30 (subnet 32, block size of 4)
                 F0/0:   10.1.1.1/24
2811 Router B    S0/0/0: 192.168.10.41/30 (subnet 40, block size of 4)
                 S0/0/1: 192.168.10.34/30 (subnet 32, connected to s0/0/1 of 2811 Router A)
2811 Router C    S0/0/0: 192.168.10.45/30 (subnet 44, block size of 4)
                 S0/0/1: 192.168.10.38/30 (subnet 36, connected to s0/0/0 of 2811 Router A)
2811 Router D    S0/0/0: 192.168.10.42/30 (connected to s0/0/0 of 2811 Router B)
                 F0/0:   192.168.10.49/29 (subnet 48, block size of 8)
2811 Router E    S0/0/0: 192.168.10.46/30 (connected to s0/0/0 of 2811 Router C)
                 F0/0:   192.168.10.57/29 (subnet 56, block size of 8)
2811 Router F    S0/0/0: 192.168.10.69/30 (subnet 64, block size of 4)
                 S0/0/1: 192.168.10.65/30 (subnet 68, block size of 4)
                 F0/0:   10.1.1.2/24
2811 Router G    S0/0/0: 192.168.10.73/30 (subnet 72, block size of 4)
                 S0/0/1: 192.168.10.66/30 (subnet 64, connected to s0/0/1 of 2811 Router F)
2811 Router H    S0/0/0: 192.168.10.77/30 (subnet 76, block size of 4)
                 S0/0/1: 192.168.10.70/30 (subnet 68, connected to s0/0/0 of 2811 Router F)
2811 Router I    S0/0/0: 192.168.10.74/30 (connected to s0/0/0 of 2811 Router G)
                 F0/0:   192.168.10.81/29 (subnet 80, block size of 8)
2811 Router J    S0/0/0: 192.168.10.78/30 (connected to s0/0/0 of 2811 Router H)
                 F0/0:   192.168.10.89/29 (subnet 88, block size of 8)
Lab Steps
Copy and Paste Script
Steps 1-20 are necessary in order to perform this lab. If you do not want to manually
complete these steps and want to accelerate steps 1-20, you can copy and paste the
following script into the console for each router. After you get into User mode, copy and
paste the script into the console. Click on the console and click your right mouse button.
A pop-up menu will appear. Click Paste.
After pasting the script into the console, you will see the prompt Destination filename
[startup-config]?. At this point, press Enter.
2811 Router A
enable
config t
hostname 2811A
int s0/0/0
ip address 192.168.10.37 255.255.255.252
no shut
int s0/0/1
ip address 192.168.10.33 255.255.255.252
no shut
int f0/0
ip address 10.1.1.1 255.255.255.0
no shut
exit
exit
copy run start

2811 Router B
enable
config t
hostname 2811B
int s0/0/0
ip address 192.168.10.41 255.255.255.252
no shut
int s0/0/1
ip address 192.168.10.34 255.255.255.252
no shut
exit
exit
copy run start

2811 Router C
enable
config t
hostname 2811C
int s0/0/0
ip address 192.168.10.45 255.255.255.252
no shut
int s0/0/1
ip address 192.168.10.38 255.255.255.252
no shut
exit
exit
copy run start
2811 Router D
enable
config t
hostname 2811D
int s0/0/0
ip address 192.168.10.42 255.255.255.252
no shut
int f0/0
ip address 192.168.10.49 255.255.255.248
no shut
exit
exit
copy run start

2811 Router E
enable
config t
hostname 2811E
int s0/0/0
ip address 192.168.10.46 255.255.255.252
no shut
int f0/0
ip address 192.168.10.57 255.255.255.248
no shut
exit
exit
copy run start

2811 Router F
enable
config t
hostname 2811F
int s0/0/0
ip address 192.168.10.69 255.255.255.252
no shut
int s0/0/1
ip address 192.168.10.65 255.255.255.252
no shut
int f0/0
ip address 10.1.1.2 255.255.255.0
no shut
exit
exit
copy run start
2811 Router G
enable
config t
hostname 2811G
int s0/0/0
ip address 192.168.10.73 255.255.255.252
no shut
int s0/0/1
ip address 192.168.10.66 255.255.255.252
no shut
exit
exit
copy run start

2811 Router H
enable
config t
hostname 2811H
int s0/0/0
ip address 192.168.10.77 255.255.255.252
no shut
int s0/0/1
ip address 192.168.10.70 255.255.255.252
no shut
exit
exit
copy run start

2811 Router I
enable
config t
hostname 2811I
int s0/0/0
ip address 192.168.10.74 255.255.255.252
no shut
int f0/0
ip address 192.168.10.81 255.255.255.248
no shut
exit
exit
copy run start
2811 Router J
enable
config t
hostname 2811J
int s0/0/0
ip address 192.168.10.78 255.255.255.252
no shut
int f0/0
ip address 192.168.10.89 255.255.255.248
no shut
exit
exit
copy run start
1. Double-click on 2811 Router A to bring up the console screen.
2. Configure 2811 Router A.
Router>en
Router#config t
Enter configuration commands, one per line. End with CNTL/Z
Router(config)#hostname 2811A
2811A(config)#int s0/0/0
2811A(config-if)#ip address 192.168.10.37 255.255.255.252
2811A(config-if)#no shut
2811A(config-if)#int s0/0/1
2811A(config-if)#ip address 192.168.10.33 255.255.255.252
2811A(config-if)#no shut
2811A(config-if)#int fa0/0
2811A(config-if)#ip address 10.1.1.1 255.255.255.0
2811A(config-if)#no shut
2811A(config-if)#ctrl+z
2811A#copy run start
3. Change to the console for 2811 Router B.
4. Configure 2811 Router B.
Router>en
Router#config t
Enter configuration commands, one per line. End with CNTL/Z
Router(config)#hostname 2811B
2811B(config)#int s0/0/0
2811B(config-if)#ip address 192.168.10.41 255.255.255.252
2811B(config-if)#no shut
2811B(config-if)#int s0/0/1
2811B(config-if)#ip address 192.168.10.34 255.255.255.252
2811B(config-if)#no shut
2811B(config-if)#ctrl+z
2811B#copy run start
5. Change to the console for 2811 Router C.
6. Configure 2811 Router C.
Router>en
Router#config t
Enter configuration commands, one per line. End with CNTL/Z
Router(config)#hostname 2811C
2811C(config)#int s0/0/0
2811C(config-if)#ip address 192.168.10.45 255.255.255.252
2811C(config-if)#no shut
2811C(config-if)#int s0/0/1
2811C(config-if)#ip address 192.168.10.38 255.255.255.252
2811C(config-if)#no shut
2811C(config-if)#ctrl+z
2811C#copy run start
7. Change to the console for 2811 Router D.
8. Configure 2811 Router D.
Router>en
Router#config t
Enter configuration commands, one per line. End with CNTL/Z
Router(config)#hostname 2811D
2811D(config)#int s0/0/0
2811D(config-if)#ip address 192.168.10.42 255.255.255.252
2811D(config-if)#no shut
2811D(config-if)#int fa0/0
2811D(config-if)#ip address 192.168.10.49 255.255.255.248
2811D(config-if)#no shut
2811D(config-if)#exit
2811D(config)#ctrl+z
2811D#copy run start
9. Change to the console for 2811 Router E.
10. Configure 2811 Router E.
Router>en
Router#config t
Enter configuration commands, one per line. End with CNTL/Z
Router(config)#hostname 2811E
2811E(config)#int s0/0/0
2811E(config-if)#ip address 192.168.10.46 255.255.255.252
2811E(config-if)#no shut
2811E(config-if)#int fa0/0
2811E(config-if)#ip address 192.168.10.57 255.255.255.248
2811E(config-if)#no shut
2811E(config-if)#ctrl+z
2811E#copy run start
11. Change to the console for 2811 Router F.
12. Configure 2811 Router F.
Router>en
Router#config t
Enter configuration commands, one per line. End with CNTL/Z
Router(config)#hostname 2811F
2811F(config)#int s0/0/0
2811F(config-if)#ip address 192.168.10.69 255.255.255.252
2811F(config-if)#no shut
2811F(config-if)#int s0/0/1
2811F(config-if)#ip address 192.168.10.65 255.255.255.252
2811F(config-if)#no shut
2811F(config-if)#int fa0/0
2811F(config-if)#ip address 10.1.1.2 255.255.255.0
2811F(config-if)#no shut
2811F(config-if)#ctrl+z
2811F#copy run start
13. Change to the console for 2811 Router G.
14. Configure 2811 Router G.
Router>en
Router#config t
Enter configuration commands, one per line. End with CNTL/Z
Router(config)#hostname 2811G
2811G(config)#int s0/0/0
2811G(config-if)#ip address 192.168.10.73 255.255.255.252
2811G(config-if)#no shut
2811G(config-if)#int s0/0/1
2811G(config-if)#ip address 192.168.10.66 255.255.255.252
2811G(config-if)#no shut
2811G(config-if)#ctrl+z
2811G#copy run start
15. Change to the console for 2811 Router H.
16. Configure 2811 Router H.
Router>en
Router#config t
Enter configuration commands, one per line. End with CNTL/Z
Router(config)#hostname 2811H
2811H(config)#int s0/0/0
2811H(config-if)#ip address 192.168.10.77 255.255.255.252
2811H(config-if)#no shut
2811H(config-if)#int s0/0/1
2811H(config-if)#ip address 192.168.10.70 255.255.255.252
2811H(config-if)#no shut
2811H(config-if)#ctrl+z
2811H#copy run start
17. Change to the console for 2811 Router I.
18. Configure 2811 Router I.
Router>en
Router#config t
Enter configuration commands, one per line. End with CNTL/Z
Router(config)#hostname 2811I
2811I(config)#int s0/0/0
2811I(config-if)#ip address 192.168.10.74 255.255.255.252
2811I(config-if)#no shut
2811I(config-if)#int fa0/0
2811I(config-if)#ip address 192.168.10.81 255.255.255.248
2811I(config-if)#no shut
2811I(config-if)#ctrl+z
2811I#copy run start
19. Change to the console for 2811 Router J.
20. Configure 2811 Router J.
Router>en
Router#config t
Enter configuration commands, one per line. End with CNTL/Z
Router(config)#hostname 2811J
2811J(config)#int s0/0/0
2811J(config-if)#ip address 192.168.10.78 255.255.255.252
2811J(config-if)#no shut
2811J(config-if)#int fa0/0
2811J(config-if)#ip address 192.168.10.89 255.255.255.248
2811J(config-if)#no shut
2811J(config-if)#ctrl+z
2811J#copy run start
Configuring Hosts
We will now configure all the hosts in the network.
21. Right-click on Host A.
22. Click on the Configs button.
23. On Host A configure:
- IP Address: 192.168.10.50
- Subnet Mask: 255.255.255.248
- Default Gateway: 192.168.10.49
24. Click the OK button and then the Close button.
25. On Host B configure:
- IP Address: 192.168.10.58
- Subnet Mask: 255.255.255.248
- Default Gateway: 192.168.10.57
26. Click the OK button and then the Close button.
27. On Host C configure:
- IP Address: 192.168.10.82
- Subnet Mask: 255.255.255.248
- Default Gateway: 192.168.10.81
28. Click the OK button and then the Close button.
29. On Host D configure:
- IP Address: 192.168.10.90
- Subnet Mask: 255.255.255.248
- Default Gateway: 192.168.10.89
30. Click the OK button and then the Close button.
Verify Configurations
From each router and each host, ping the directly connected neighbor and make sure that it
is successful. If not, troubleshoot each problem. Remember, you cannot ping past a directly
connected neighbor until a routing protocol is configured. In addition, use the command
show ip route on each router to see the routing table.
Only the directly connected networks will show in the routing tables until a routing
protocol is configured. In this lab a representative sample of testing connectivity is performed,
so not all possibilities are shown.
31. Display the console for 2811 Router D and ping Host A.
2811D#ping 192.168.10.50
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.10.50, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/4 ms
2811D#
32. Go to 2811 Router E and ping Host B.
2811E>ping 192.168.10.58
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.10.58, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/4 ms
2811E>
33. Go to 2811 Router I and ping Host C.
2811I>ping 192.168.10.82
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.10.82, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/4 ms
2811I>
34. Go to 2811 Router J and ping Host D.
2811J>ping 192.168.10.90
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.10.90, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/4 ms
2811J>
35. Go to 2811 Router A and ping s0/0/1 on 2811 Router B.
2811A>ping 192.168.10.34
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.10.34, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/4 ms
36. From 2811 Router A, ping s0/0/1 on 2811 Router C.
2811A>ping 192.168.10.38
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.10.38, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/4 ms
37. From 2811 Router A enter a show ip route command to view the directly connected
devices.
2811A>show ip route
10.0.0.0/24 is subnetted, 1 subnets
C 10.1.1.0 is directly connected, FastEthernet0/0
192.168.10.0/30 is subnetted, 2 subnets
C 192.168.10.36 is directly connected, Serial0/0/0
C 192.168.10.32 is directly connected, Serial0/0/1
2811A>
Configuring EIGRP with Discontiguous Networking
You will now configure the classless routing protocol EIGRP on each router. EIGRP is an
advanced Distance Vector routing protocol that supports VLSM and discontiguous networks.
In addition, it can be used to manually summarize contiguous network boundaries, which is
what we have.
Enhanced Interior Gateway Routing Protocol (EIGRP) is a Cisco proprietary hybrid
routing protocol. It uses the properties of both distance vector and link state and uses an
administrative distance of 90, so it will automatically overwrite RIP (which has a default
administrative distance of 120) routes in the routing table. Also, it uses autonomous
systems (AS) to create groups of routers that share routing information. The major difference
between IGRP and EIGRP is that EIGRP uses three different tables to create a stable
routing environment and additionally EIGRP only sends updates when needed, whereas IGRP
broadcasts routing table entries every 90 seconds.
Remember that although EIGRP is considered a classless routing protocol (which
means it sends subnet mask information with each route update), it is configured in a
classful manner. What this means is that you turn off all subnet bits and host bits to
add each network statement, which is why the network statement is 192.168.10.0, not
192.168.10.32, 192.168.10.36, etc. for each subnet. EIGRP will find the subnets; you
don't type subnets in with the network statement.
Router A is directly connected to the 192.168.10.0 network, but also the 10.1.1.0/24
network is directly connected off of F0/0. What is the network statement we will use?
Remember, ALL subnet bits and host bits are off!
Add EIGRP with AS 10 to each router, using the correct network statement. Also, add
the network statement of network 192.168.10.0 under EIGRP 10 for each router, except
for routers A and F, which will need the network 10.0.0.0 statement as well.
38. From each router's global configuration prompt, add the routing protocol EIGRP
with an AS number of 10:
2811A>en
2811A#config t
2811A(config)#router eigrp 10
2811A(config-router)#network 192.168.10.0
2811A(config-router)#network 10.0.0.0
2811A(config-router)#
2811B>en
2811B#config t
2811B(config)#router eigrp 10
2811B(config-router)#network 192.168.10.0
2811B(config-router)#auto-summary
2811B(config-router)#
2811C>en
2811C#config t
2811C(config)#router eigrp 10
2811C(config-router)#network 192.168.10.0
2811C(config-router)#auto-summary
2811C(config-router)#
2811D>en
2811D#config t
2811D(config)#router eigrp 10
2811D(config-router)#network 192.168.10.0
2811D(config-router)#auto-summary
2811D(config-router)#
2811E>en
2811E#config t
2811E(config)#router eigrp 10
2811E(config-router)#network 192.168.10.0
2811E(config-router)#auto-summary
2811E(config-router)#
2811F>en
2811F#config t
2811F(config)#router eigrp 10
2811F(config-router)#network 192.168.10.0
2811F(config-router)#network 10.0.0.0
2811F(config-router)#
2811G>en
2811G#config t
2811G(config)#router eigrp 10
2811G(config-router)#network 192.168.10.0
2811G(config-router)#auto-summary
2811G(config-router)#
2811H>en
2811H#config t
2811H(config)#router eigrp 10
2811H(config-router)#network 192.168.10.0
2811H(config-router)#auto-summary
2811H(config-router)#
2811I>en
2811I#config t
2811I(config)#router eigrp 10
2811I(config-router)#network 192.168.10.0
2811I(config-router)#auto-summary
2811I(config-router)#
2811J>en
2811J#config t
2811J(config)#router eigrp 10
2811J(config-router)#network 192.168.10.0
2811J(config-router)#auto-summary
2811J(config-router)#
39. Now that we have added our directly connected networks under EIGRP (remember,
add networks, not subnets!), we need to configure 2811 Router A and 2811 Router F to
work using discontiguous networking. Take a look at the routing table of each router
and notice that you can see the subnets in the routing table from each contiguous
network only (routers A through E and routers F through J). This is because discontiguous
networking does not work by default.
2811A(config-router)#ctrl+z
2811A#show ip route
2811F(config-router)#ctrl+z
2811F#show ip route
40. We need to add the no auto-summary command to routers 2811 A and 2811 F to have
this work.
2811A#config t
2811A(config)#router eigrp 10
2811A(config-router)#no auto-summary
2811F#config t
2811F(config)#router eigrp 10
2811F(config-router)#no auto-summary
41. Now, let's take a look at the routing tables of each router and notice that ALL subnets
are now listed in each router's routing table.
2811J#show ip route
[output cut]
10.0.0.0/24 is subnetted, 1 subnets
D 10.1.1.0 [90/2172416] via 192.168.10.77, 00:12:01, Serial0/0/0
192.168.10.0/24 is variably subnetted, 12 subnets, 2 masks
D 192.168.10.44/30 [90/2172416] via 192.168.10.77, 00:12:01, Serial0/0/0
D 192.168.10.68/30 [90/2172416] via 192.168.10.77, 00:12:01, Serial0/0/0
D 192.168.10.32/30 [90/2172416] via 192.168.10.77, 00:12:01, Serial0/0/0
C 192.168.10.76/30 is directly connected, Serial0/0/0
C 192.168.10.88/29 is directly connected, FastEthernet0/0
D 192.168.10.36/30 [90/2172416] via 192.168.10.77, 00:12:01, Serial0/0/0
D 192.168.10.40/30 [90/2172416] via 192.168.10.77, 00:12:01, Serial0/0/0
D 192.168.10.64/30 [90/2172416] via 192.168.10.77, 00:12:01, Serial0/0/0
D 192.168.10.48/29 [90/2172416] via 192.168.10.77, 00:12:01, Serial0/0/0
D 192.168.10.80/29 [90/2172416] via 192.168.10.77, 00:12:01, Serial0/0/0
D 192.168.10.72/30 [90/2172416] via 192.168.10.77, 00:12:01, Serial0/0/0
D 192.168.10.56/29 [90/2172416] via 192.168.10.77, 00:12:01, Serial0/0/0
42. This is a small network and the routing tables are manageable. However, if we had
more routers, our routing tables would be rather large, which takes up memory and
router processing when parsing the routing table. What can we do to make our routing table
smaller and more efficient, yet still keep all our connectivity from end to end? You guessed
it! Summarization, baby!
Configuring Summarization
Now that we have configured the internetwork from end to end using VLSM and
discontiguous networking, and EIGRP with the no auto-summary command to support the
discontiguous network, it is time to configure summarization.
Summarization would be done on the boundaries of each contiguous configured
network (routers 2811 A and 2811 F). Summarization is used by EIGRP under the interface
configuration using the ip summary-address eigrp 10 network mask command.
Before we add the summary commands to routers 2811 A and 2811 F, we need to know
what network and mask to add to the summary command. Remember, summary addresses
are configured in block sizes, just like subnets. The summary address for 2811 Router A
would be 192.168.10.32, since we are starting at subnet 32; however, what is our summary
mask? Well, what is the block size of our contiguous networks? Thirty-two (32). What mask
provides a block size of 32? A /27, which is 255.255.255.224; this is our summary mask.
43. For the 2811 F configuration, we would start at subnet 192.168.10.64, which also uses a
summary mask of /27, since the contiguous networks fit in a block size of 32.
Here is our configuration on both routers:
2811A#config t
2811A(config)#int fa0/0
2811A(config-if)#ip summary-address eigrp 10 192.168.10.32 255.255.255.224
2811F#config t
2811F(config)#int fa0/0
2811F(config-if)#ip summary-address eigrp 10 192.168.10.64 255.255.255.224
At this point, we have disabled automatic summarization under EIGRP since we need to
support discontiguous networking. We then configured manual summarization at contiguous
classful boundaries.
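The block-size reasoning behind the two summary commands, and the "all subnet bits and host bits off" rule for the EIGRP network statement, can be checked with Python's standard ipaddress module. This is an added example, not part of the book or the lab software; the function names are hypothetical and the addresses are the ones from this lab's addressing table and scripts.

```python
import ipaddress

# Interface addresses copied from this lab's addressing table and scripts.
SITE_A = [  # routers 2811 A through 2811 E
    "192.168.10.37/30", "192.168.10.33/30", "192.168.10.41/30",
    "192.168.10.34/30", "192.168.10.45/30", "192.168.10.38/30",
    "192.168.10.42/30", "192.168.10.49/29", "192.168.10.46/30",
    "192.168.10.57/29",
]
SITE_F = [  # routers 2811 F through 2811 J
    "192.168.10.69/30", "192.168.10.65/30", "192.168.10.73/30",
    "192.168.10.66/30", "192.168.10.77/30", "192.168.10.70/30",
    "192.168.10.74/30", "192.168.10.81/29", "192.168.10.78/30",
    "192.168.10.89/29",
]
BACKBONE = "10.1.1.1/24"
ROUTER_A = ["192.168.10.37/30", "192.168.10.33/30", BACKBONE]


def classful_network(interface):
    """Major (class A/B/C) network of an address: every subnet and host bit
    turned off. This is what the EIGRP network statement takes and what
    auto-summary advertises across a major-network boundary."""
    ip = ipaddress.ip_interface(interface).ip
    first_octet = int(ip) >> 24
    if first_octet < 128:
        prefix = 8
    elif first_octet < 192:
        prefix = 16
    elif first_octet < 224:
        prefix = 24
    else:
        raise ValueError(f"{ip} is class D/E and has no classful network")
    return ipaddress.ip_network(f"{ip}/{prefix}", strict=False)


def network_statements(interfaces):
    """EIGRP network statements for one router, one per major network."""
    majors = sorted({classful_network(i) for i in interfaces})
    return [f"network {m.network_address}" for m in majors]


def subnets_of(interfaces):
    """Distinct subnets the interfaces sit in, in address order."""
    return sorted({ipaddress.ip_interface(i).network for i in interfaces})


def summary_route(interfaces):
    """Smallest single block that covers every subnet of the site."""
    nets = subnets_of(interfaces)
    summary = nets[0]
    # Any block covering all subnets must contain the first one, so widen
    # the first subnet one bit at a time until everything fits.
    while not all(n.subnet_of(summary) for n in nets):
        summary = summary.supernet()
    return summary


def fills_block(interfaces):
    """True when the subnets tile the summary exactly, so the summary does
    not advertise address space the site does not actually contain."""
    nets = subnets_of(interfaces)
    return list(ipaddress.collapse_addresses(nets)) == [summary_route(interfaces)]


def ios_summary_command(as_number, interfaces):
    """Interface-level command in the form used in this lab."""
    s = summary_route(interfaces)
    return f"ip summary-address eigrp {as_number} {s.network_address} {s.netmask}"


def is_discontiguous(site_a, site_b, transit):
    """True when both sites use the same major network but are joined only
    through a different major network (the case auto-summary breaks)."""
    majors_a = {classful_network(i) for i in site_a}
    majors_b = {classful_network(i) for i in site_b}
    shared = majors_a & majors_b
    return bool(shared) and classful_network(transit) not in (majors_a | majors_b)


if __name__ == "__main__":
    print("2811A:", network_statements(ROUTER_A))
    print("discontiguous:", is_discontiguous(SITE_A, SITE_F, BACKBONE))
    for name, site in (("2811A", SITE_A), ("2811F", SITE_F)):
        print(name, ios_summary_command(10, site), "exact fit:", fills_block(site))
```

If fills_block returns False for a site, the summary is wider than the subnets behind it, and the summarizing router will attract traffic for addresses it cannot deliver.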
Verifying Summarization
44. If we take a look at the routing tables now, we can see that 2811 Router A is
summarizing the contiguous network with a 192.168.10.32/27 route into 2811 Router F's
routing tables, which is then sent to the other routers connected to 2811 Router F.
2811F>en
2811F#show ip route
[output cut]
192.168.10.0/24 is variably subnetted, 7 subnets, 3 masks
C 192.168.10.64/30 is directly connected, Serial0/0/1
D 192.168.10.80/29 [90/2172416] via 192.168.10.66, 00:05:49, Serial0/0/1
C 192.168.10.68/30 is directly connected, Serial0/0/0
D 192.168.10.72/30 [90/2172416] via 192.168.10.66, 00:05:49, Serial0/0/1
D 192.168.10.76/30 [90/2172416] via 192.168.10.70, 00:05:49, Serial0/0/0
D 192.168.10.32/27 [90/2172416] via 10.1.1.1, 00:05:49, FastEthernet0/0
D 192.168.10.88/29 [90/2172416] via 192.168.10.70, 00:05:49, Serial0/0/0
10.0.0.0/24 is subnetted, 1 subnets
C 10.1.1.0 is directly connected, FastEthernet0/0
2811F#
45. For 2811 Router A, the routing table now looks like this, which is sent to all routers
connected to 2811 Router A.
2811A#show ip route
[output cut]
10.0.0.0/24 is subnetted, 1 subnets
C 10.1.1.0 is directly connected, FastEthernet0/0
192.168.10.0/24 is variably subnetted, 7 subnets, 3 masks
C 192.168.10.36/30 is directly connected, Serial0/0/0
D 192.168.10.64/27 [90/2172416] via 10.1.1.2, 00:02:53, FastEthernet0/0
D 192.168.10.44/30 [90/2172416] via 192.168.10.38, 00:02:53, Serial0/0/0
D 192.168.10.40/30 [90/2172416] via 192.168.10.34, 00:02:53, Serial0/0/1
D 192.168.10.48/29 [90/2172416] via 192.168.10.34, 00:02:53, Serial0/0/1
C 192.168.10.32/30 is directly connected, Serial0/0/1
D 192.168.10.56/29 [90/2172416] via 192.168.10.38, 00:02:53, Serial0/0/0
2811A#
Our routing tables are smaller, more efficient, and easier for IP to parse.
Net Assessment
Lab 1.1: Introduction to Net Assessment
Net Assessment allows you to test and evaluate your problem solving and troubleshooting
network skills. We have created a powerful and flexible tool for all to use, including
teachers, students, individuals, etc. There are six basic steps in fully utilizing Net Assessment:
- Load Net Assessment
- Load a fully configured network (Master network)
- Create a template that allows you to specify the configurations you want to test
- Create and distribute test networks that have their configurations altered in some way
- Ask others to troubleshoot/problem-solve the network
- Evaluate Test network against Master network
Net Assessment only works with CCNA networks.
Several options are available to assist you in determining what configurations will be
placed in the Test network. It depends on the audience for which the Test network is being
created. The following are some examples.
For Instructors
Scenario 1 Provide an empty network to students with instructions only. With this
program you can insert instructions into a network by importing a file like a Microsoft Word
file. Click on the Insert icon on the toolbar. When the dialog box appears select a file that
includes instructions. You can embed any file that you wish; however, the student must
have the same program on their computer.
When students open the Test network they will see a document object on the Network
Visualizer screen. They double-click the object and the instructions open up. When they
create, configure, and save the Test network, they return it to the instructor for evaluation.
This program can automatically evaluate the Test network. An instructor would then load
the Master network and evaluate Test networks one at a time or all at once. An instructor
can also view and/or print results one at a time or all at once.
Scenario 2 Provide a partially configured network to students, along with instructions.
In this situation, an instructor has manually removed part of the configurations and
expects students to problem solve and finish creating a fully configured network.
Scenario 3 Provide a fully configured network to students where the program has randomly
changed some of the configurations. This is an ideal situation for troubleshooting. An
instructor can provide a randomized Test network to students in two different ways:
- They can choose specific configurations whose values they want the program to
  randomly change.
- They can choose specific configurations they want the program to randomly
  remove when the Test network is generated.
From the total pool of configurations, have the program randomly change and/or
remove a specific number of values. For example, an instructor can indicate they want
any five configurations (out of a total of 25 configurations) changed by the program.
For Individuals
Individuals can also use Net Assessment to evaluate their skills. You have several options
available to you. For example, you can load a Master network and have the program
randomly change a specific number of configurations. You would then generate a Test network
and try to restore the network with the same values found in the Master network. You can
also have the program randomly remove values. You can make it more complex by
designating a specific number of values to be randomly changed and a specific number of values
to be randomly removed.
You will not know what configurations have been altered until you open the Test network.
At that point it will not be apparent as to what values have been changed or removed until
you go through your Test network. Almost anything in the network that had been originally
configured is fair game for being changed by our program.
When you have gone through the Test network and corrected any problems, you can
compare it with the Master network and evaluate your work. Our Report section will
display expected answers and your answers.
Lab 1.2: Making Changes and Inserting Instructions
Before you start working with Net Assessment there are two important things that need to
be mentioned about making changes to the file.
Changes to the Master File Once you have created a Net Assessment template and saved
the Master network, you cannot make any changes to the network. So, be sure that you
have the network configured the way you want. Making additional changes and saving the
Master network will cause the templates to be removed.
Inserting Instructions You can insert instructions into the Master network but this needs
to be done before you create any Net Assessment templates. Instructions are not required
for you to work with Net Assessment, but they are a convenient way to instruct others as to what
to do with a Test network that you generate. Unlike the Master network, you have another
option with instructions in that you can insert them into a Test network at any time and
save the file.
Lab Steps
1. Use a third-party program to create instructions. This can be a text editor, word
processor, HTML editor, spreadsheet program, etc. The important thing to keep in mind is
that the person using the Test network must have the same program on their computer
that was used to create the instructions. Save the file as you normally would do.
2. Using this program, load your Master network. There is nothing special about this
network and any one will do. Make sure you have fully configured the network and plan
no changes.
3. There are two ways to insert a document.
- Using the menu, click Insert and then File.
- Click the Insert button on the button bar.
4. Find your instruction file on your computer and then click the Close button on the
dialog box. An object will appear on the network with the file name of your instruction file.
5. When the user gets the Test network, the network topology will look the same as the
Master network. It will also display the instructions object. If they double-click on that
object, instructions will display within a few minutes.
Lab 1.3: Loading Net Assessment
Net Assessment can be loaded three ways.
- On any Network Visualizer screen, click on the toolbar button that looks like a paper
  and pencil.
- From any Network Visualizer screen you can click on Tools and then Net Assessment
  in the drop-down menu.
- Right-mouse click on any Network Visualizer screen and select Net Assessment from
  the pop-up menu.
The Net Assessment screen will appear.
Lab 1.4: Creating a Net Assessment Template
A fully configured network can potentially have several dozen or hundreds of configurations.
If you want to test others on a concept it makes sense to use a manageable number of
configurations. You need a way to accomplish this and a template allows you to create a small list of
configurations. Selecting items for a template does not change any configuration values in the
Master network. It just creates a list of values that you will alter in a future step.
Lab Steps
1. After the Net Assessment screen appears you will want to load a fully configured network
or what we refer to as a Master network. There is nothing special about this network and
any one will do. Click on the file folder on the menu or click File menu and then Open.
2. When the dialog box appears, make sure you are in the Networks folder.
3. Click on the file Configured Network.rsm and click Open. You can confirm that you
loaded this Master network because the title of the file will be at the top of the Net
Assessment screen and also listed as Name of the Master network.
4. Click the Add button in the section Assessment Template, located in the upper left
quadrant of the screen.
5. The Assessment Template screen will appear. Put a name in for the template you are
creating. For this example, enter Scenario1.
You can create several templates for the same Master network. Each template
can refer to different logical segments of configurations in the network.
For example, you could have different templates that test (among others) for:
- Passwords
- IP addresses
- Routing Protocol
- Routing Protocol Network
6. On the Assessment Template screen you will see a list of devices that are in the Master
network. In this example you will see an expandable tree for the:
- 2621 A router
- 2621 B router
- 2811 A router
- 3550 A switch
7. Let's begin with 3550 Switch A. Eventually we will ping from 3550 Switch A to 2621
Router A. We want to change the IP default-gateway on 3550 Switch A so that you
cannot successfully ping. Click on the plus sign (+) next to 3550 Switch A and an
expanded list of current configurations for that device will display.
8. Click on the box IP Default-Gateway so that there is a check mark present.
9. Click on the plus sign next to 2621 Router B.
10. Click on the plus sign next to Protocols.
11. Click on the plus sign next to RIP.
12. Click on the box Networks so that there is a check mark present. We will eventually
alter the RIP network so that you cannot successfully ping from 2621 Router B to 2621
Router A.
We have now selected configurations from two devices that we will alter so that we can
generate a Test network. These configurations will have to be corrected in the Test network
in order for a ping to successfully work from 3550 Switch A to 2621 Router A, and
from 2621 Router B to 2621 Router A.
13. Click the Save Values button and the Assessment Template screen will close.
14. You will then see a new entry in the Assessment Template field (Scenario1).
15. This step is optional. You can password protect your Master
network. The password prevents others from loading a Master network and making
changes. On the upper right hand side of the Net Assessment screen is a password field.
Type in a password.
16. Save Your Network. When you click on the Save Values button, the newly created
template is only stored in memory. You will need to save the Master network to permanently
store the new template. Click on the Diskette on the menu bar. Then click the
Save button and overwrite your existing Master network.
Lab 1.5: Net Assessment - Editing Values
After you create a Net Assessment template, you are one step from generating a Test network.
In Net Assessment lab 1.4 we created a template called Scenario1 in which a couple of
configuration types were chosen. Up to this point we have only decided which configuration
types will be tested for in the Lab network. We now need to alter some of the
configurations. In this lab we will manually alter values; however, other labs in this section
provide more sophisticated and automatic ways to alter configurations.
Lab Steps
1. Make sure that the newly created template is still highlighted.
2. Click on the Edit Value button on the top right side of the Net Assessment screen.
3. On the Edit Values screen you will see a tree-like structure that lists all the devices you
chose while creating a template. Actual configuration values (from the Master network)
for each chosen configuration will be displayed. You can quickly see all values by
clicking the box at the bottom left position of the screen, titled Expand all values.
Make sure that you only have values in the Edit Values section that you
want to alter.
Do not select values for a template that are extraneous. These additional values will
be used in the score calculation and skew an accurate assessment. For example, you
want to test students on four passwords that will be altered. However, you also have
an IP address, mask, and IP default-gateway listed in the Edit Values section. Let's say
that you do nothing to alter these values. When the Test network is evaluated you will
receive credit for the correct IP address, mask, and ip default-gateway because these
values will not have been altered and will match the Master network values.
4. Change the RIP network value from 172.16.0.0 to 172.14.0.0.
5. Change the IP Default-Gateway from 172.16.10.1 to 172.14.10.1.
After you make a change in a field the background color changes from
white to yellow. This provides feedback to you as to what fields have
been altered.
Save Your Network. Click the Save Values button. When you click on the Save Values button,
the altered values are only stored in memory. You will need to save the Master network
to permanently save these changes. Click on the Diskette on the menu bar. Then click the
Save button and overwrite your existing Master network.
Lab 1.6: Net Assessment - Creating A Test Network
Creating a Test Network is relatively straightforward. If you have first selected an assessment
template, you can click the Create Test Network button on the Net Assessment
screen. The assumption is that you have already determined how you want to alter values in
the creation of a Test network, so you do not have to view the Edit Values screen.
Lab Steps
1. Make sure that the newly created template is still highlighted.
2. On the Net Assessment Screen, click the button that says Create Test Network.
A dialog box will appear with a suggested name for the Test network. It will be the name
of the Master network plus _test.rsm. In the example we have been using, the name of
the master file is Configured Network. The suggested file name would be Configured
Network_test.rsm. However, you can name the Test network anything you wish.
3. In this case, name it Scenario1 so that the full file name is Scenario1_test.rsm.
If you are an instructor you might want to have each student save their Test
network with some type of unique identifier when they finish working
on it. For example, you create a Test network called Scenario1_test.rsm.
When Bill T. finishes working with his Test network, you have him save it
as Billt_Scenario1_test.rsm or perhaps Scenario1_test_Billt.rsm.
Lab 1.7: Net Assessment - Assessing A Test Network
One or more Test networks can be evaluated at the same time, against the same Master
network.
Lab Steps
1. Bring up the Net Assessment screen.
2. After the Net Assessment screen appears, load the Master network. Click on the file
folder on the menu or click the File menu and then Open.
3. When the dialog box appears, make sure you are in the Networks folder.
4. Click on the file Configured Network.rsm and click OK. You can confirm that you
loaded this Master network because the title of the file will be at the top of the Net
Assessment screen and also listed as Name of the Master network.
5. In the Assessment section (bottom left side of the screen), click the Add button. A dialog
box will appear. Find and select Scenario1_test.rsm. We came up with this name in
lab 16.6. The name of this file will display in the Assessment section window.
6. Click the Assess button.
We have not made any changes to the Test network. Therefore, we should
expect two incorrect configurations.
7. Click the View button to view a detailed report. You will see a column labelled Expected
Answer. Those configurations are derived from the Master network. The column Your
Answer shows the configurations entered and saved in the Test network. In this example we
did not make any changes in the Test network.
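The comparison behind the report in step 7, together with the warning in Lab 1.5 about extraneous template values, as an added example (a model written for this page, not RouterSim's code). The item keys, the IP address and mask values, and the correct-over-total score are assumptions; the gateway and RIP values are the ones altered in Lab 1.5.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample data. The gateway and RIP values follow Lab 1.5; the
# IP address and mask entries are made up to stand in for extraneous items.
GW = "3550 Switch A / IP Default-Gateway"
RIP = "2621 Router B / RIP / Networks"
ADDR = "3550 Switch A / IP Address"
MASK = "3550 Switch A / Mask"

MASTER = {GW: "172.16.10.1", RIP: "172.16.0.0",
          ADDR: "172.16.10.2", MASK: "255.255.255.0"}
# Test network as generated, saved without any repair work by the student.
TEST_UNTOUCHED = {**MASTER, GW: "172.14.10.1", RIP: "172.14.0.0"}

SCENARIO1 = [GW, RIP]            # only the values that were altered
PADDED = SCENARIO1 + [ADDR, MASK]  # same template plus two unaltered values


@dataclass(frozen=True)
class ReportRow:
    item: str
    expected: str            # "Expected Answer": value from the Master network
    actual: Optional[str]    # "Your Answer": value saved in the Test network
    correct: bool


def assess(master, test, template):
    """Compare each template item in the Test network against the Master."""
    rows = []
    for item in template:
        expected = master[item]
        actual = test.get(item)  # None when the value was removed
        ok = actual is not None and actual.strip() == expected.strip()
        rows.append(ReportRow(item, expected, actual, ok))
    return rows


def score(rows):
    """Return (correct, total); assumed scoring: every template item counts once."""
    return sum(r.correct for r in rows), len(rows)


def unaltered_items(master, generated_test, template):
    """Template items that already match the Master in a freshly generated
    Test network. Each one is credit earned without doing any work."""
    return [r.item for r in assess(master, generated_test, template) if r.correct]


if __name__ == "__main__":
    for name, template in (("Scenario1", SCENARIO1), ("Padded", PADDED)):
        rows = assess(MASTER, TEST_UNTOUCHED, template)
        print(name, "score: %d of %d" % score(rows))
        for r in rows:
            print("  %-40s expected=%-15s yours=%-15s %s"
                  % (r.item, r.expected, r.actual, "OK" if r.correct else "WRONG"))
        print("  free credit:", unaltered_items(MASTER, TEST_UNTOUCHED, template))
```

Running `unaltered_items` on a generated Test network before handing it out shows which template entries should be dropped from the template or altered.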
Lab 1.8: Advanced Values Editing
In Net Assessment lab 1.5 we used a straightforward process in editing values so that a Test
network could be generated. We had you manually change a couple values. We did that so
we could provide a quick and easy to understand method in changing values. However, Net
Assessment provides you with more sophisticated and powerful methods in altering values.
There are five ways to affect values:
- Change a selected value
- Randomize a selected value
- Remove a selected value
- Auto-select and randomize any value(s)
- Auto-select and remove any value(s)
The first three options can be performed by the user. The last two options are performed
by the program after you select the number of values to be affected.
Options Can Be Used Together
These options can be used in any combination and are not mutually exclusive. For example,
you can manually change a couple values, select a couple other values to be randomly changed
by the program, and a couple other values to be removed by the program. The auto-select
options can also be used with other options. The following are some examples.
Scenario 1: You manually change two values and select three other values to be randomly
changed by the program. There will be a total of five values affected when a Test network
is created.
Scenario 2: You manually change two values, select one value to be randomly changed,
and select four other values to be removed when the Test network is generated. There will
be a total of seven values affected.
Scenario 3: You choose three specific values to be randomly changed by the program. You
also use the auto-select option to randomly select and randomly change two additional values.
There will be a total of five values affected when a Test network is created.
Scenario 4: You use the auto-select options to randomly select and change five values and
randomly select and remove five additional values. There will be a total of ten values affected
when a Test network is created.
Lab 1.9: Edit Values - Changing A Selected Value
You can manually change values so that they appear differently in the Test network. Place
your cursor in a field and type in a new value. Fields that you change will display a yellow
background. There are also drop-down fields in which you can change values. For example, you
may want to change the VTP Operating mode from Server to Client. Click on the down
arrow next to the word Server and a drop-down list will appear. Select Client. This option
would typically be used by an instructor because if you are an individual testing yourself,
you would know what values have been changed.
The following are some examples of how to use this option:
Scenario 1: For example, you have an IP address 192.168.1.1 and you want it to appear
as 192.168.11.2 in the Test network when it is created. Find the IP Address configuration,
place your cursor in the corresponding field containing this value and make the change.
Scenario 2: Another use is entering bogus information that you expect the user to remove
in the Test network. For example, you have two OSPF networks that the student should
enter into the Test network but you don't want to display them. You can simply manually
remove these values. However, in place of these two values you could place two network
values that should be removed by the student.
Let's say you have two values from the Master network:
OSPF network 192.168.20.4 0.0.0.3 area 0
OSPF network 192.168.40.8 0.0.0.3 area 0
You want two bogus network values in place of these. In those two fields you could
substitute the following values:
OSPF network 192.168.20.0 0.0.0.255 area 1
OSPF network 192.168.40.9 0.0.0.4 area 0
The last two values from above will display in the Test network. However, remember that
when you compare the Master network with the Test network, it will still have the values of:
OSPF network 192.168.20.4 0.0.0.3 area 0
OSPF network 192.168.40.8 0.0.0.3 area 0
If those are not found in the Test network, these are marked as incorrect answers.
During any of these processes the configuration values in the Master net-
work are never changed. Changes are only reflected in the Test network.
Lab 1.10: Edit Values - Randomizing A Selected Value
You can select specific values that you want the program to randomly change when the
Test network is created. Find the values that you want to randomly change and click the
Randomize check box that is to the right of the value. If you are an instructor you may
have values that you do not want to manually change every time you create a Test network
from a Master network's Assessment Template. You may prefer, instead, to have the program
randomly change specific values every time you create a Test network. In the following
example, IP Default-Gateway and VTP Password have been selected to be randomized.
The IP Default Gateway may display a value like 192.168.10.15 and the VTP Password
might display a value like Cisco when the Test network is generated.
This option provides security in the Test networks that you generate for a class. Instead
of giving every student the same test, every student can be tested on the same specified
configurations but receive a different and random value for each one.
You can manually change some values and have the program randomly
change others; these two options are not mutually exclusive. During any of
these processes the configuration values in the Master network are never
changed. Changes are only reflected in the Test network.
If you are testing yourself, you can use this option but you will know beforehand which
values are being randomized.
Lab 1.11: Edit Values - Removing A Selected Value
You can select specific values that you want the program to remove when the Test network is
created. Find the values that you want to remove and click the Remove check box that is to
the right of the value. If you are an instructor you may want to test problem solving skills of
your students. For example, an access list needs to be created by students in a Test network.
You have access list 10 fully configured in the Master network but want to remove some
elements like the IP Access Group In and IP Access Group Out configurations. As you see
below the Remove checkbox has been selected for these two values. When the Test network
is generated these two values will not appear.
You can manually change some values, have the program randomly change
others, and select specific values to be removed; these three options are not
mutually exclusive and can be used in combination together. During any of
these processes the configuration values in the Master network are never
changed. Changes are only reflected in the Test network.
If you are testing yourself, you can use this option but you will know
beforehand which values are being removed.
Lab 1.12: Edit Values - Auto-Selecting and Randomizing Any Value
You can have the program randomly select and randomly change any value that displays
in the Edit Values screen. Decide how many values you want to randomize and increment
the counter to match that number. For example, you may have 20 values that appear in the
Values Editor. You can set the counter between 1 and 20. A number of one means that only
one of the 20 values will be randomly selected and changed to a random value, by the program.
In the following example the counter has been changed to 5.
This option is ideal if you are testing yourself. You can set the counter to a specific
number and create a Test network. You will not know what values have been altered until
you open the Test network. At that point it will not be apparent as to what has changed
until you go through your Test network. Almost anything in the network that had been
originally configured is fair game for being changed by our program.
You can manually select, randomize, and remove values and still use this
auto-select option.
These options are not mutually exclusive and can be used in combination with each
other. However, keep in mind that if you use other options such as selecting a few values
to be randomly removed, those values will not be in the pool of possible values that will be
changed by this option. During this process the configuration values in the Master network
are never changed. Changes are only reflected in the Test network.
Exceeding the Number of Configurations
If you set the counter(s) to a number that exceeds the possible number of configurations on
the Edit Value screen, the program will not affect more than the total number of
configurations on the screen.
Lab 1.13: Edit Values - Auto-Selecting and Removing Any Value
You can have the program randomly select and randomly remove any value that displays in
the Edit Values screen. Decide how many values you want removed and increment the counter
to match that number. For example, you may have 20 values that appear in the Values Editor.
You can set the counter between 1 and 20. A number of one means that only one of the 20
values will be randomly selected and removed by the program. In the following example the
counter has been changed to 3.
This option is ideal if you are testing yourself. You can set the counter to a specific
number and create a Test network. You will not know what values have been removed
until you open the Test network. At that point it will not be apparent as to what has been
removed until you go through your Test network. Almost anything in the network that
had been originally configured is fair game for being removed by our program.
You can manually select, randomize, and remove values and still use this
auto-select option.
These options are not mutually exclusive and can be used in combination with each
other. However, keep in mind that if you use other options such as selecting a few values
to be randomly removed, those values will not be in the pool of possible values that will be
changed by this option. During this process the configuration values in the Master network
are never changed. Changes are only reflected in the Test network.
Exceeding the Number of Configurations
If you set the counter(s) to a number that exceeds the possible number of configurations on
the Edit Value screen, the program will not affect more than the total number of
configurations on the screen.
Create Your Own Custom Labs
Lab 1.1: Creating a Custom Lab
You can create your own labs. You can then make your labs available for others to use.
This involves a three step process:
- Create and configure a network
- Insert instructions
- Save your network into the folder Custom Networks and make it available to others
Lab Steps
1. Open a Network Visualizer screen.
2. Place the desired devices on the screen.
3. Connect the devices.
4. Configure the devices.
5. Use a third-party program to create instructions. This can be a text editor, word processor,
HTML editor, spreadsheet program, etc. The important thing to keep in mind is
that the person using labs/networks that you create must have the same program on
their computer that was used to create the instructions. Save the file as you normally
would do.
6. There are two ways to insert a document.
- Using the menu, click Insert and then File.
- Click the Insert button on the button bar.
7. Find your instruction file on your computer and then click the Close button on the dialog
box. An object will appear on the network with the file name of your instruction file.
8. Save your network. There are two ways you can save a network layout. The first way is
by clicking on the Diskette button on the button bar, at the top of the Network Visualizer
screen. You can also click File on the menu and choose Save from the drop down menu.
9. You will want to save your file to the custom networks folder. It can be found off the
root folder (program files\routersim\ccnavl3\custom networks). Any network saved to
this folder will display on the Network Visualizer menu.
- You can save your files alphabetically. If you save your files alphabetically, that is
how they will be sorted and displayed when presented on the Custom Labs menu.
- You can save your files with a numbering scheme. You can number your files,
which will allow you to specify the order of display, regardless of the alphabetical
spelling of the file name. For example, let us say you have four network files that
are being saved to the custom networks folder. You assign a number to the title of
these files in this manner:
10_Cisco IOS
20_Defining and describing a network
30_CLI (command line interface)
40_Configuring an ISR router
10. Close and re-open a Network Visualizer screen and you can now view your custom
labs under the menus Labs, Custom.
11. You can distribute your custom labs to others so that they show up on their menus.
Network: It is straightforward to distribute the files if you have a network install. Save
all the custom labs to the custom networks folder on the server. When anyone launches
this program from their workstation, the custom labs will display on their Labs menu.
Standalone: You can also distribute the files to others or place these files yourself on
standalone systems. Copy all the custom labs to the folder custom networks.
