Wednesday, 24 November 2010

CCNA2 Chapter 5


Lab 5.1.2 Powering Up an Integrated Service Router


Step 5: Reflection
  1. Is there anything about this that is risky?
  2. Why do the router cover, all modules, and cover plates need to be installed?
  3. How many routers can you safely stack on top of each other?
1)       0
2)       1
3)       2
4)       3


Lab 5.2.3 Configuring an ISR with SDM Express
 
Step 1: Configure the PC to connect to the router and then launch Cisco SDM
a.       Power up the router.
b.       Power up the PC.
c.       Disable any popup blocker programs. Popup blockers prevent SDM Express windows from displaying.
d.       Connect the PC NIC to the FastEthernet 0/0 port on the Cisco 1841 ISR router with the Ethernet cable.
NOTE: An SDM router other than the 1841 may require connection to a different port in order to access SDM.
e.       Configure the IP address of the PC to be 10.10.10.2 with a subnet mask of 255.255.255.248.
f.       SDM does not load automatically on the router. You must open the web browser to reach the SDM. Open the web browser on the PC and connect to the following URL: http://10.10.10.1
g.        In the Connect to dialog box, enter cisco for the username and cisco for the password. Click OK. The main SDM web application will start and you will be prompted to use HTTPS. Click Cancel. In the Security Warning window, click Yes to trust the Cisco application.
h.       In the Welcome to the Cisco SDM Express Wizard window, read the message and then click Next.
i.         Verify that you are using the latest version of SDM. The initial SDM screen that displays immediately after the login shows the current version number. It is also displayed on the main SDM screen shown below, along with IOS version. NOTE 2: If the current version is not 2.4 or higher, notify your instructor before continuing with this lab. You will need to download the latest zip file from the URL listed above and save it to the PC. From the Tools menu of the SDM GUI, use the Update SDM option to specify the location of the zip file and start the update.

Step 2: Perform initial basic configuration
a.       In the Basic Configuration window, enter the following information. When you complete the basic configuration, click Next to continue.
·       In the Host Name field, enter CustomerRouter.
·       In the Domain Name field, enter the domain name customer.com.
·       Enter the username admin and the password cisco123 for SDM Express users and Telnet users. This password gives access to SDM locally, through the console connection, or remotely using Telnet.
·       Enter the enable secret password of cisco123. This entry creates an encrypted password that prevents casual users from entering privileged mode and modifying the configuration of the router using the CLI.
b.       From the Router Provisioning window, click the radio button next to SDM Express and then click Next.
Step 3: Configure the LAN IP address
In the LAN Interface Configuration window, choose FastEthernet0/0 from the Interface list. For interface FastEthernet 0/0, enter the IP address of 192.168.1.1 and subnet mask of 255.255.255.0. You can also enter the subnet mask information in a different format: entering a count of the number of binary digits or bits in the subnet mask, such as 255.255.255.0 or 24 subnet bits.

 Step 4: De-select DHCP server
At this point, do not enable the DHCP server. This procedure is covered in a later section of this course. In the DHCP server configuration window, ensure that the Enable DHCP server on the LAN interface check box is cleared before proceeding. Click Next to continue.
Step 5: Configure the WAN interface
a.       In the WAN Configuration window, choose Serial0/0/0 interface from the list and click the Add Connection button. The Add Connection window appears.
NOTE: With the 1841 router, the serial interface is designated by 3 digits – C/S/P, where C=Controller#, S=Slot# and P=Port#. The 1841 has two modular slots. The designation Serial0/0/0 indicates that the serial interface module is on controller 0, in slot 0, and that the interface to be used is the first one (0). The second interface is Serial0/0/1. The serial module is normally installed in slot 0 but may be installed in slot 1. If this is the case, the designation for the first serial interface on the module would be Serial0/1/0 and the second would be Serial0/1/1.
b.       From the Add Serial0/0/0 Connection dialog box, choose PPP from the Encapsulation list. From the Address Type list, choose Static IP Address. Enter 209.165.200.225 for the IP address and 255.255.255.224 for the Subnet mask. Click OK to continue. Notice that this subnet mask translates to a /27, or 27 bits for the mask.
c.        Notice that the IP address that you just set for the serial WAN interface now appears in the Interface List. Click Next to continue.
d.       Enter the IP address 209.165.200.226 as the Next Hop IP Address for the Default Route. Click Next to continue.
e.        Ensure that the check box next to Enable NAT is cleared. This procedure is covered in a later section of this course. Click Next to continue.
Step 6: Enable the firewall and security settings
a.       Depending on the router IOS version, the next step may be Firewall Configuration. In the Firewall Configuration window, click the radio button that enables the firewall and then click Next. The Security Configuration window appears.
b.       Leave all the default security options checked in the Security Configuration window and then click Next.
Step 7: Review and complete the configuration
a.       If you are not satisfied with the Cisco SDM Express Summary, click Back to make any corrections, and then click Finish to commit the changes to the router.
b.       Click OK after reading the Reconnection Instructions. Save these instructions to a file for future reference, if desired. NOTE: Before the next time you connect, you will need to change the IP address of the PC to be compatible with the new address that you configured to FastEthernet 0/0. The Reconnection instructions are shown below.
Step 8: Reflection
a.       What feature makes configuring the router easy?
b.       Summarize the steps that are configured by the Cisco SDM Express.


 Lab 5.2.5 Configuring Dynamic NAT with SDM

Step 1: Establish a connection from the PC to the router
  1. Power up the router.
  2. Power up the PC.
  3. Disable any popup blocker programs. Popup blockers prevent SDM windows from displaying.
  4. Connect the PC NIC to the FastEthernet 0/0 (Fa0/0) port on the Cisco 1841 ISR router with the Ethernet cable.
  5. Configure the IP address of the PC to be 192.168.1.2 with a subnet mask of 255.255.255.0.
  6. SDM does not load automatically on the router. You must open the web browser to reach the SDM. Open the web browser on the PC and connect to the following URL: http://192.168.1.1

Step 2: Configure SDM to show Cisco IOS CLI commands.
a.       From the Edit menu in the main SDM window, select Preferences.
b.       Check the Preview commands before delivering to router check box. With this check box checked, you can see the Cisco IOS CLI commands that you will use to perform a configuration function on the router before these commands are sent to the router. You can learn about Cisco IOS CLI commands this way.
Step 3: Launch the Basic NAT Wizard
a.       From the Configure menu, click the NAT button to view the NAT configuration page. Click the Basic NAT radio button and then click Launch the selected task.
b.       In the Welcome to the Basic NAT Wizard window, click Next.
Step 4: Select the WAN interface for NAT
a.       Choose the WAN interface Serial0/0/0 from the list. Check the box for the IP address range that represents the internal network of 192.168.1.0 to 192.168.1.255. This is the range that requires conversion using the NAT process.
b.       Click Next and, once you have read the Summary of the Configuration, click Finish.
c.        In the Deliver Configuration to Router window, review the CLI commands that were generated by the Cisco SDM. These are the commands that will be delivered to the router to configure NAT. The commands can also be manually entered from the CLI to accomplish the same task. Check the box for Save running config. to router’s startup config.

d.       Click Deliver to finish configuring the router.
e.        In the Commands Delivery Status window, notice the text that says that the running config was successfully copied to the startup config. Click OK to exit the Basic NAT wizard.
f.        The final NAT screen shows that the Inside Interface is Fa0/0 and the outside interface is S0/0/0. The internal private (Original) addresses will be translated dynamically to the external public address.
Step 5: Reflection
a.       If a PC or a LAN within your organization does not require Internet access, what do you think would be one way to stop the PC from gaining access to the Internet?

b.       Consider the skills that you need to configure NAT using Cisco IOS CLI commands. What do you think the benefits and disadvantages are to using the Cisco SDM?

c.        Why do you think that the default, after the commands have been generated, is to only update the router’s running configuration file when delivered? Why not always update the startup config file as well? What are the advantages and disadvantages of one over the other?

Lab 5.3.5 Configuring Basic Router Settings with IOS CLI

Step 1: Configure host IP settings
a.       Make sure that the PCs are connected according to the topology diagram.
b.       Configure static IP addresses on them as follows:

Step 2: Log in to each router and configure a host name and password
c.        Configure a host name for each of the two routers. Repeat this process for router R2.
d.       Configure a console password and enable login for each of the two routers. Repeat this process for router R2.
e.        Configure the password on the virtual terminal lines for each of the two routers. Repeat this process for router R2.
f.        Configure the enable and enable secret passwords for each of the two routers.

Step 3: Show the router running configuration
a.       From the privileged EXEC prompt, issue the show running-config command. This command can be abbreviated as sh run.
b.       Is there an encrypted password?
c.        Are there any other passwords?
d.       Are any of the other passwords encrypted?

Step 5: Display information about the serial interface on R1
a.       Enter the show interface command on R1. Refer to the router interface summary chart.
b.       List at least three details discovered by issuing this command.
Serial 0/0 is:
Line protocol is:
Internet address is:
Encapsulation:
To what OSI layer is the encapsulation referring?
c.        If the serial interface was configured, why did the show interface serial 0/0 say that the interface is down?

Step 7: Display information about the serial interface on R2
a.       Enter the show interface command on R1. Refer to the router interface summary chart.
b.       List at least three details discovered by issuing this command.
Serial 0 is:
Line protocol is:
Internet address is:
Encapsulation:
To what OSI layer is the encapsulation referring?
d.      Why did the show interface serial 0/0 say that the interface is up?

Step 8: Verify that the serial connection is functioning
a.       Use the ping command to test connectivity to the other router. From R1, ping the R2 router serial interface.
Does the ping work?
b.       From R2, ping the R1 router serial interface.
Does the ping work?
c.        If the answer is no for either question, troubleshoot the router configuration to find the error. Then ping the interface again until the answer to both questions is yes.

Step 10: Display information about the FastEthernet interface on R1
a.       Enter the show interface command on R1. Refer to the router interface summary chart.
b.       List at least three details discovered by issuing this command.
FastEthernet 0 is:
Line protocol is:
Internet address is:
Encapsulation:
To what OSI layer is the encapsulation referring?
c.        Why did the show interface FastEthernet 0/0 say that the interface is up?


Step 12: Display information about the FastEthernet interface on R2
a.       Enter the show interface FastEthernet 0/0 command on R1. Refer to the router interface summary chart.
b.       List at least three details discovered by issuing this command.
FastEthernet 0/0 is:
Line protocol is:
Internet address is:
Encapsulation:
To what OSI layer is the encapsulation referring?
c.        Why did the show interface FastEthernet 0/0 say that the interface is up?

Step 15: Verify that the FastEthernet connection is functioning
a.       Open a command prompt window.
b.       Use the ping command to test connectivity.
Does the ping work?
c.        From PC1, ping the R2 router FastEthernet interface.
Does the ping work?
d.       If the answer is no for either question, troubleshoot the router configuration to find the error. Then ping the interface again until the answer to both questions is yes.

Step 16: (Optional challenge) Test connectivity
a.       From PC1, ping the R1 router FastEthernet interface (default gateway).
Does the ping work?
b.       From the PC1 command prompt, use the ping command to test end-to-end connectivity from PC1
Does the ping work?


 Lab 5.3.8 Configuring NAT and DHCP with IOS CLI
 
Step 1: Cable and configure the routers
  1. Based on the topology diagram, connect the PC, switch, and routers using the appropriate cabling.
  2. Configure each router with the following parameters: hostname, console access and password, vty access and password, and enable secret password. If necessary, refer to Lab 5.3.5, “Configuring Basic Router Settings with IOS CLI,” for instructions on setting hostname, passwords, and interface addresses.
  3. Configure the router interfaces with the appropriate IP address and mask. Make sure that the interfaces are in usable condition and can ping a directly connected interface or host.
  4. Configure the ISP router with a loopback address to be used to test the customer router. The loopback address represents a distant network.
ISP(config)#interface loopback 0
ISP(config-if)#ip address 209.165.200.1 255.255.255.224

Step 2: Configure a default route on the customer router
  1. On the customer router, configure a default route pointing toward the ISP. All packets destined for networks that are not in the customer routing table are forwarded to the ISP router, which has a much larger routing table and connections to other Internet providers. Notice how this default route uses the neighbor router IP address as the last number.
Customer(config)#ip route 0.0.0.0 0.0.0.0 209.165.200.226
  1. Why is a default route not used on the ISP? A default route on the ISP router would be a bad configuration if it pointed toward a customer site. Any routes not found in the ISP routing table would be automatically sent to the customer router. Of course, the customer router would not know what to do with the packet and would send the packet to the default route of the customer router, which is the ISP. A routing loop would occur.

Step 3: Configure and test the DHCP pool
  1.  On the customer router, configure a DHCP pool for the internal clients.
Customer(config)#ip dhcp excluded-address 192.168.1.1
Customer(config)#ip dhcp pool INTERNAL
Customer(dhcp-config)#network 192.168.1.0 255.255.255.0
Customer(dhcp-config)#domain-name abc-xyz-widgets.inc
Customer(dhcp-config)#default-router 192.168.1.1
  1. On the customer host PC, click Start > Control Panel > Network Connections to verify that the NIC is configured for DHCP. If necessary, open a command prompt and issue the ipconfig /release and ipconfig /renew commands.
  2. On the customer host PC, open a command prompt. Click Start > Run, and then type cmd and press Enter. Alternatively, click Start > All Programs > Accessories > Command Prompt. Issue the ipconfig /all command.
  3. What IP address is issued to the PC? __________________________
  4. What is the MAC address of the host PC? __________________________
  5. From the host PC, ping the default gateway (the router Ethernet interface). Does the ping succeed? _______ Troubleshoot as necessary and do not proceed until the ping is successful.
Step 4: Display DHCP binding on the customer router
  1. To see the IP address and host hardware (MAC) address combination assigned by the DHCP server in the router, issue the show ip dhcp binding command on the customer router.
Customer#show ip dhcp binding
IP address    Client-ID/           Lease expiration       Type
              Hardware address
192.168.1.2   0100.0bdb.04a5.cd    May 26 2007 11:19 AM   Automatic
  1. Do the IP address and Hardware address displayed match those recorded for the host PC in Step 3? ______

Step 5: Configure NAT/PAT
  1. On the customer router, use the access-list command to identify the addresses that need to be translated. The network number is stated, but instead of a normal mask that usually comes next, a wildcard mask is used (0.0.0.255).
Customer(config)#access-list 1 permit 192.168.1.0 0.0.0.255
  1. On the customer router, define where NAT looks for the IP addresses it needs to translate (source list 1 refers to access list 1 that you just created). Also define which interface IP address to use as the real address for each packet that comes through the FastEthernet interface destined for the Serial interface. The overload parameter at the end of the command shown below means that the serial port IP address is used and that port numbers are used to track the packets. Approximately 4,000 addresses can realistically be translated using this method, even though it is technically possible to translate even more.
Customer(config)#ip nat inside source list 1 interface serial 0/0 overload
  1. Apply NAT to the inside and outside interfaces.
Customer(config)#interface serial 0/0
Customer(config-if)#ip nat outside
Customer(config-if)#exit
Customer(config)#interface fastethernet 0/0
Customer(config-if)#ip nat inside
Customer(config-if)#end

Step 6: Test NAT/PAT
  1. From the host PC command prompt, ping the ISP router loopback address.
ping 209.165.200.1
  1. Was the ping successful? ________ If not, perform appropriate troubleshooting.
  2. On the customer router, issue the command to verify the NAT translation.
Customer#show ip nat translation
Pro   Inside global         Inside local      Outside local       Outside global
icmp  209.165.200.225:512   192.168.1.2:512   209.165.200.1:512   209.165.200.1:512
  1. List the following IP addresses: What is the inside global IP address shown? ___________________________________________
What is the inside local IP address shown? ____________________________________________
What is the outside local IP address shown? ___________________________________________
What is the outside global IP address shown? __________________________________________
  1. On the ISP router, configure the router to show all ICMP packets that come into the router.
ISP#debug ip icmp
ICMP packet debugging is on
  1. From the host PC command prompt, issue a continuous ping.
ping 209.165.200.1 -t
  1. On the ISP router, notice the debug output.
ISP#
00:49:10: ICMP: echo reply sent, src 209.165.200.1, dst 209.165.200.225
00:49:11: ICMP: echo reply sent, src 209.165.200.1, dst 209.165.200.225
00:49:12: ICMP: echo reply sent, src 209.165.200.1, dst 209.165.200.225
00:49:13: ICMP: echo reply sent, src 209.165.200.1, dst 209.165.200.225
00:49:14: ICMP: echo reply sent, src 209.165.200.1, dst 209.165.200.225
00:49:15: ICMP: echo reply sent, src 209.165.200.1, dst 209.165.200.225
00:49:16: ICMP: echo reply sent, src 209.165.200.1, dst 209.165.200.225
  1. What is the source IP address of the ICMP reply? ______________________________________
  2. What is the destination IP address of the ICMP reply? ___________________________________
  3. Does this debug prove or disprove the fact that internal IP addresses are hidden and how can you tell?
  4. On the host PC, stop the ping by pressing CTRL-X.
  5. On the ISP router, stop the debug process. Note that the router takes a few moments for the output to quit displaying.
ISP#undebug all
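
How the access list, the overload keyword and the translation table from Steps 5 and 6 fit together, as an added Python sketch that is not part of the original lab: `wildcard_match` applies the 0.0.0.255 wildcard mask, and `PatRouter` is a toy model of PAT on the customer router. The class and function names, the second host 192.168.1.3 and the next-free-port rule are assumptions made for illustration.

```python
import ipaddress


def wildcard_match(address, base, wildcard):
    """ACL test: bits set to 1 in the wildcard are ignored, all others must equal base."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (address, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)


class PatRouter:
    """Toy model of 'ip nat inside source list 1 interface serial 0/0 overload'."""

    def __init__(self, outside_ip, acl):
        self.outside_ip = outside_ip   # address of the 'ip nat outside' interface
        self.acl = acl                 # (base, wildcard) pairs permitted by list 1
        self.table = {}                # (proto, src_ip, src_port, dst_ip, dst_port) -> global port

    def _global_port(self, proto, ip, port):
        owners = {gp: (f[1], f[2]) for f, gp in self.table.items() if f[0] == proto}
        for gp, owner in owners.items():
            if owner == (ip, port):    # same inside socket keeps its global port
                return gp
        # Assumption: keep the original port (or ICMP id) when it is free,
        # otherwise take the next unused one.
        while port in owners:
            port += 1
        return port

    def outbound(self, proto, src_ip, src_port, dst_ip, dst_port):
        """Return (source IP, source port) as seen on the outside link."""
        if not any(wildcard_match(src_ip, b, w) for b, w in self.acl):
            return src_ip, src_port    # not permitted by list 1: left untranslated
        flow = (proto, src_ip, src_port, dst_ip, dst_port)
        if flow not in self.table:
            self.table[flow] = self._global_port(proto, src_ip, src_port)
        return self.outside_ip, self.table[flow]

    def inbound(self, proto, dst_port):
        """Map a reply sent to the outside IP back to (inside IP, port), or None."""
        for flow, gp in self.table.items():
            if flow[0] == proto and gp == dst_port:
                return flow[1], flow[2]
        return None

    def translations(self):
        """Rows in the column order of 'show ip nat translation'."""
        return ["%s %s:%d %s:%d %s:%d %s:%d" % (
                    proto, self.outside_ip, gp, ip, port, dip, dport, dip, dport)
                for (proto, ip, port, dip, dport), gp in self.table.items()]


def demo():
    """Replay the Step 6 ping, plus a constructed second host that reuses ICMP id 512."""
    router = PatRouter("209.165.200.225", [("192.168.1.0", "0.0.0.255")])
    seen = [router.outbound("icmp", "192.168.1.2", 512, "209.165.200.1", 512),
            router.outbound("icmp", "192.168.1.3", 512, "209.165.200.1", 512)]
    return router, seen


if __name__ == "__main__":
    router, seen = demo()
    print("ISP sees sources:", seen)
    print("\n".join(router.translations()))
```

Both hosts leave the router with the serial interface address as their source, which is why the ISP debug output in Step 6 only ever shows 209.165.200.225 as the destination of its replies.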

Step 7: Clear NAT Translations
a.   From the customer host PC command prompt, open a Telnet session to the ISP router.
telnet 209.165.200.226
This Telnet session will create another translation on the customer router.
b.   On the customer router, issue the command to verify the NAT translation.
Customer#show ip nat translation
Pro   Inside global          Inside local       Outside local        Outside global
tcp   209.165.200.225:1297   192.168.1.2:1297   209.165.200.226:23   209.165.200.226:23
The port number on the inside addresses may be different, because they are randomly generated source port numbers.
c.   Close the command window on the customer host PC to terminate the Telnet session.
d.   On the customer router, issue the command to verify the NAT translation.
e.   Is the translation for the customer host PC still active on the customer router? __________________ NAT translations remain active for different periods of time, depending on the type of translation. TCP NAT translations can remain active for up to 24 hours by default. Port translations have shorter time limits, but can still remain active for minutes, even hours after the session between the two hosts has timed out. The default timeouts for UDP range from 1 minute to 5 minutes. For more information on NAT timeouts, view the Cisco IOS Network Address Translation Overview white paper on the Cisco.com website.
f.   On the customer router, issue the command to clear all NAT translations active in the router.
Customer#clear ip nat translation *
Verify that the translation for the customer host PC is no longer active on customer router.

Step 8: Reflection
a.   What would be an advantage of using the NAT method shown in this lab over a static configuration as shown in the curriculum?
b.   List an instance of when a company might not use NAT/PAT.

Lab 5.4.4 Configuring the Cisco 2960 Switch

Step 1: Connect the hosts to the switch and configure them.
a.   Connect Host-A to Fast Ethernet switch port Fa0/1, and connect Host-B to port Fa0/4. Configure the hosts to use the same IP subnet for the address and mask as on the switch, as shown in the topology diagram above.
b.   Do NOT connect Host-C to the switch yet.


Step 3: Perform an initial configuration on the switch.
a.       Configure the hostname of the switch as CustomerSwitch:

Switch#Config Terminal
Switch(config)#hostname CustomerSwitch
  1.  Set the privilege exec mode password to cisco:
CustomerSwitch(config)#enable password cisco
  1.  Set the privilege exec mode secret password to cisco123:
CustomerSwitch(config)#enable secret cisco123
  1.  Set the console password to cisco123:
CustomerSwitch(config)#line console 0
CustomerSwitch(config-line)#password cisco123
  1. Configure the console line to require a password at login:
CustomerSwitch(config-line)#login
  1. Set the vty password to cisco123:
CustomerSwitch(config-line)#line vty 0 15
CustomerSwitch(config-line)#password cisco123
  1. Configure the vty to require a password at login:
CustomerSwitch(config-line)#login
CustomerSwitch(config-line)#end

Step 4: Configure the management interface on VLAN 1.
  1. Enter global configuration mode. Remember to use the new password.
CustomerSwitch>enable
CustomerSwitch#configure terminal
  1. Enter the interface configuration mode for VLAN 1:
CustomerSwitch(config)#interface vlan 1
  1. Set the IP address, subnet mask, and default gateway for the management interface. The IP address must be valid for the local network where the switch is installed.
CustomerSwitch(config-if)#ip address 192.168.1.5 255.255.255.0
CustomerSwitch(config-if)#exit
CustomerSwitch(config)#ip default-gateway 192.168.1.1
CustomerSwitch(config)#end

Step 5: Verify configuration of the switch.
Verify that the IP address of the management interface on the switch VLAN 1 and the IP address of Host-A are on the same local network. Use the show running-config command to check the IP address configuration of the switch:
CustomerSwitch#show running-config
Building configuration...
Current configuration : 1283 bytes
!
version 12.2
no service pad
hostname CustomerSwitch
!
enable secret 5 $1$XUe/$ch4WQ/SpcFCDd2iqd9bda/


!
interface FastEthernet0/1
!
*** Output Omitted ***
!
interface FastEthernet0/24
!
interface Vlan1
ip address 192.168.1.5 255.255.255.0
no ip route-cache
!
ip default-gateway 192.168.1.1
ip http server
!
line con 0
password cisco123
login
line vty 0 4
password cisco123
login
line vty 5 15
password cisco123
login
!
end
b. Save the configuration using the following command:
CustomerSwitch#copy running-config startup-config
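
The Step 5 output stores the enable secret as a type 5 hash, keeps the console and vty passwords in cleartext, and leaves the HTTP server on. The following Python check is an added example (not part of the Cisco lab or of this post) that reads show running-config text and reports those items; HARDENED_CONFIG, its placeholder hashes and all function names are constructed for illustration.

```python
import re

# Relevant lines of the Step 5 running-config above (indentation restored).
LAB_CONFIG = """\
hostname CustomerSwitch
enable secret 5 $1$XUe/$ch4WQ/SpcFCDd2iqd9bda/
!
ip http server
!
line con 0
 password cisco123
 login
line vty 0 4
 password cisco123
 login
line vty 5 15
 password cisco123
 login
!
end
"""

# Constructed comparison: local users with hashed secrets, SSH-only vty lines.
# The hash fields are placeholders, not real values.
HARDENED_CONFIG = """\
hostname CustomerSwitch
enable secret 5 <hash-placeholder>
username admin secret 5 <hash-placeholder>
no ip http server
!
line con 0
 login local
line vty 0 15
 transport input ssh
 login local
!
end
"""

CREDENTIAL = re.compile(r"^(enable password|enable secret|password)\s+(?:(\d)\s+)?\S+$")


def storage(type_digit):
    """Map the optional IOS type digit to how the credential is stored."""
    if type_digit in (None, "0"):
        return "cleartext"
    if type_digit == "7":
        return "reversible-type7"    # obfuscation, not a hash
    return "hashed"                  # for example type 5 (MD5-based)


def line_sections(config):
    """Collect the sub-commands of each 'line ...' block (flattened output works too)."""
    sections, current = {}, None
    for raw in config.splitlines():
        text = raw.strip()
        if text.startswith("line "):
            current = sections.setdefault(text, [])
        elif text in ("", "!", "end") or text.startswith("interface "):
            current = None
        elif current is not None:
            current.append(text)
    return sections


def audit(config):
    """Return (location, finding) pairs; password values are never echoed."""
    findings = []
    for raw in config.splitlines():
        text = raw.strip()
        if text == "ip http server":
            findings.append(("global", "http-server"))
        m = CREDENTIAL.match(text)
        if m and m.group(1).startswith("enable") and storage(m.group(2)) != "hashed":
            findings.append(("global", storage(m.group(2))))
    for header, commands in line_sections(config).items():
        for cmd in commands:
            m = CREDENTIAL.match(cmd)
            if m and m.group(1) == "password" and storage(m.group(2)) != "hashed":
                findings.append((header, storage(m.group(2))))
        if header.startswith("line vty"):
            transport = [c for c in commands if c.startswith("transport input")]
            # Assumption: with no 'transport input' line the vty accepts Telnet,
            # which matches this lab (Step 6 logs in to this config over Telnet).
            if not transport or any(w in transport[-1].split() for w in ("telnet", "all")):
                findings.append((header, "telnet-allowed"))
    return findings


if __name__ == "__main__":
    for name, cfg in (("lab", LAB_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit(cfg))
```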

Step 6: Verify connectivity using ping and Telnet.
  1. To verify that the switch and router are correctly configured, ping the router Fa0/0 interface (default gateway) IP address from the Switch CLI.
  2. Were the pings successful? __________________________________________________
  3. To verify that the hosts and switch are correctly configured, ping the switch IP address from Host-A.
  4.  Were the pings successful? ______________________________________________
  5. If the ping is not successful, verify the connections and configurations again. Check to ensure that all cables are correct and that connections are seated. Check the host, switch and router configurations.
  6. Open a command prompt on Host-A, and enter the telnet command followed by the IP address assigned to switch management VLAN 1.
  7. Enter the vty password configured in Step 3. What was the result? ____________________________________________________
  8. At the switch prompt, issue the show version command.
CustomerSwitch>show version
Cisco IOS Software, C2960 Software (C2960-LANBASE-M), Version 12.2(0.0.16)FX, CISCO
DEVELOPMENT TEST VERSION
Copyright (c) 1986-2005 by Cisco Systems, Inc.
Compiled Tue 17-May-05 01:43 by yenanh
ROM: Bootstrap program is C2960 boot loader

BOOTLDR: C2960 Boot Loader (C2960-HBOOT-M), Version 12.2 [lqian-flo_pilsner 100]
Switch uptime is 3 days, 20 hours, 8 minutes
System returned to ROM by power-on
System image file is "flash:c2960-lanbase-mz.122-0.0.16.FX.bin"
cisco WS-C2960-24TC-L (PowerPC405) processor with 61440K/4088K bytes of memory.
Processor board ID FHH0916001J
Last reset from power-on
Target IOS Version 12.2(25)FX
1 Virtual Ethernet interface
24 FastEthernet interfaces
2 Gigabit Ethernet interfaces
The password-recovery mechanism is enabled.
64K bytes of flash-simulated non-volatile configuration memory.
Base ethernet MAC Address : 00:0B:FC:FF:E8:80
Motherboard assembly number : 73-9832-02
Motherboard serial number : FHH0916001J
Motherboard revision number : 01
System serial number : FHH0916001J
Hardware Board Revision Number : 0x01
Switch Ports Model SW Version SW Image
------ ----- ----- ---------- ----------
* 1 26 WS-C2960-24TC-L 12.2(0.0.16)FX C2960-LANBASE-M
Configuration register is 0xF
  1. What is the Cisco IOS version of this switch? ___________________
  2. Type quit at the switch command prompt to terminate the Telnet session.

Step 7: Determine which MAC addresses the switch has learned.
  1. From the Windows command prompt, determine the Layer 2 addresses of the PC network interface card for each host by using the ipconfig /all command.
Host-A: _______________________________________________
Host-B: _______________________________________________
Host-C: _______________________________________________
  1. Determine which MAC addresses the switch has learned by using the show mac-address-table command at the privileged exec mode prompt:
CustomerSwitch#show mac-address-table
Mac Address Table
-------------------------------------------
Vlan Mac Address Type Ports
---- ----------- -------- -----
All 000b.be7f.ed40 STATIC CPU
All 0100.0ccc.cccc STATIC CPU
All 0100.0ccc.cccd STATIC CPU
All 0100.0cdd.dddd STATIC CPU
1 000b.db04.a5cd DYNAMIC Fa0/1

1 000c.3076.8380 DYNAMIC Fa0/3
1 000d.1496.36ad DYNAMIC Fa0/4
Total Mac Addresses for this criterion: 7
  1. How many dynamic addresses are there? ____________________________
  2. Do the MAC addresses match the host MAC addresses? _______________
  3. Review the options that the mac-address-table command has by using the ? option:
CustomerSwitch(config)#mac-address-table ?
address address keyword
aging-time aging-time keyword
count count keyword
dynamic dynamic entry type
interface interface keyword
multicast multicast info for selected wildcard
notification MAC notification parameters and history table
static static entry type
vlan VLAN keyword
| Output modifiers
  1. Set up a static MAC address on the Fast Ethernet interface 0/4. Use the address that was recorded for Host-B in Step 7. The MAC address XXXX.YYYY.ZZZZ is used in the example statement only.
CustomerSwitch(config)#mac-address-table static XXXX.YYYY.ZZZZ interface fastethernet 0/4 vlan 1
  1. Verify the MAC address table entries:
CustomerSwitch#show mac-address-table
Mac Address Table
-------------------------------------------
Vlan Mac Address Type Ports
---- ----------- -------- -----
All 000b.be7f.ed40 STATIC CPU
All 0100.0ccc.cccc STATIC CPU
All 0100.0ccc.cccd STATIC CPU
All 0100.0cdd.dddd STATIC CPU
1 000b.db04.a5cd DYNAMIC Fa0/1
1 000c.3076.8380 DYNAMIC Fa0/3
1 000d.1496.36ad STATIC Fa0/4
How many total MAC addresses are there now? ________________________
  1.  What type are they? ____________________________________________

Step 8: Configure basic port security.
  1. Determine the options for setting port security on Fast Ethernet interface 0/4.
CustomerSwitch#configure terminal
CustomerSwitch(config)#interface fastEthernet 0/4
CustomerSwitch(config-if)#switchport port-security ?
aging Port-security aging commands
mac-address Secure mac address
maximum Max secure addrs
violation Security Violation Mode
b.       To allow the switch port FastEthernet 0/4 to accept only one device, configure port security as follows:
CustomerSwitch(config-if)#switchport mode access
CustomerSwitch(config-if)#switchport port-security
CustomerSwitch(config-if)#switchport port-security mac-address sticky
CustomerSwitch(config-if)#end
c.        Check the port security settings.
CustomerSwitch#show port-security
Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
                (Count)       (Count)        (Count)
---------------------------------------------------------------------------
      Fa0/4              1            0                  0         Shutdown
---------------------------------------------------------------------------
d.       What is the security action for port fa0/4? _______________
e.        What is the maximum secure address count? ____________
f.        Display the running configuration
NOTE: Some output omitted in following display.
CustomerSwitch#show running-config
Building configuration...
Current configuration : 1452 bytes
version 12.2
hostname CustomerSwitch
!
interface FastEthernet0/1
!
interface FastEthernet0/2
!
interface FastEthernet0/3
!
interface FastEthernet0/4
switchport mode access
switchport port-security
switchport port-security mac-address sticky
!
interface FastEthernet0/5
!
*** Output Omitted ***
mac-address-table static 000b.db04.a5cd vlan 1 interface FastEthernet0/4
!
end
g.   Are there statements that directly reflect the security implementation in the listing of   the running configuration? __________________________________________________

Step 9: Connect a different PC to the secure switch port.
a.    Disconnect Host-B from FastEthernet 0/4 and connect Host-C to the port. Host-C has not yet been attached to the switch. Ping the switch address 192.168.1.5 to generate some traffic.
b.   Record any observations at the PC and the switch terminal session.
______________________________________________________________________________
______________________________________________________________________________

c.    To see the configuration information for just FastEthernet port 0/4, enter the following command at the privileged EXEC mode prompt:
CustomerSwitch#show interface fastethernet 0/4
  1.  What is the state of this interface?
FastEthernet0/4 is ________________ , and line protocol is _____________.

Step 10: Reactivate the port.
  1. If a security violation occurs and the port is shut down, use the no shutdown command to reactivate it.
CustomerSwitch(config)#interface fastEthernet 0/4
CustomerSwitch(config-if)#no shutdown
  1. Try reactivating this port a few times by switching between the original port 0/4 host and the new one. Plug in the original host, type the no shutdown command on the interface, and ping using the Command prompt. You must ping multiple times or use the ping 192.168.1.5 -n 200 command, which sets the number of ping packets to 200, instead of 4.
  2. Switch hosts and try again.

Step 11: Set speed and duplex options for a port.
  1. Switch port settings default to Auto-duplex and Auto-speed. If a computer with a 100 Mbps NIC is attached to the port, it automatically goes into full-duplex 100 Mbps mode. If a hub is attached to the switch port, it normally goes into half-duplex 10 Mbps mode.
  2. Issue the show interfaces command to see the setting for ports Fa0/1 and Fa0/5. This command generates a large amount of output. Press the Space bar until you can see all the information for these ports. What are the duplex and speed settings for these ports?
Port Fa0/2 ________________________________
Port Fa0/4 ________________________________
Port Fa0/5 ________________________________
  1.  It is sometimes necessary to set the speed and duplex of a port to ensure that it operates in a particular mode. You can set the speed and duplex with the duplex and speed commands while in interface configuration mode. To force Fast Ethernet port 5 to operate at half duplex and 10 Mbps, issue the following commands:
Switch>enable
Switch#Config Terminal
Switch(config)#interface fastEthernet 0/5
Switch(config-if)#speed 10
Switch(config-if)#duplex half
Switch(config-if)#end
Switch#
  1. Issue the show interfaces command again. What is the duplex and speed setting for Fa0/5 now? ___________________________

Step 12: Exit the switch.
a.       Type exit to leave the switch and return to the welcome screen:
Switch#exit
c.       Once the steps are completed, turn off all the devices. Then remove and store the cables and adapter.

Step 13: Reflection.
a.       Which password needs to be entered to switch from user mode to privilege exec mode on the Cisco switch, and why?
____________________________________________________________________________
____________________________________________________________________________
b.        Which symbol is used to show a successful ping in the Cisco IOS software?
____________________________________________________________________________
c.         What is the benefit of using port security? ___________________________________________
_____________________________________________________________________________
d.        What other port-related security steps could be taken to further improve switch security? _____________________________________________________________________________

Lab 5.5.5 Configuring a Remote Router Using SSH

Step 2: (Optional) Configure SSH on a non-SDM router

h.       Fill in the following information based on the output of the show ip ssh command:
SSH version enabled:
Authentication timeout:
Authentication retries:

Step 6: Reflection
a.       When comparing Telnet and SSH, what are some advantages and disadvantages?
b.       What is the default port for SSH?
What is the default port for Telnet?
c.        What Cisco IOS software version was displayed in the running-config?
