Do Not Duplicate: Post beta, not for release. Interconnecting Cisco Networking Devices, Part 1 ICND1. Volume 1. Lab Guide. Version 2.


ICND1
Interconnecting Cisco Networking Devices, Part 1
Volume 1
Version 2.0
Lab Guide
Part Number:

2 Americas Headquarters Cisco Systems, Inc. San Jose, CA Asia Pacific Headquarters Cisco Systems (USA) Pte. Ltd. Singapore Europe Headquarters Cisco Systems International BV Amsterdam, The Netherlands Cisco has more than 200 offices worldwide. Addresses, phone numbers, and fax numbers are listed on the Cisco Website at Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: Third party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1110R) DISCLAIMER WARRANTY: THIS CONTENT IS BEING PROVIDED AS IS. CISCO MAKES AND YOU RECEIVE NO WARRANTIES IN CONNECTION WITH THE CONTENT PROVIDED HEREUNDER, EXPRESS, IMPLIED, STATUTORY OR IN ANY OTHER PROVISION OF THIS CONTENT OR COMMUNICATION BETWEEN CISCO AND YOU. CISCO SPECIFICALLY DISCLAIMS ALL IMPLIED WARRANTIES, INCLUDING WARRANTIES OF MERCHANTABILITY, NON-INFRINGEMENT AND FITNESS FOR A PARTICULAR PURPOSE, OR ARISING FROM A COURSE OF DEALING, USAGE OR TRADE PRACTICE. This learning product may contain early release content, and while Cisco believes it to be accurate, it falls subject to the disclaimer above Cisco Systems, Inc.

Table of Contents

Lab 1-1: Performing Switch Startup and Initial Configuration
  Visual Objective, Required Resources, Command List, Job Aids
  Task 1: Perform a Reload and Verify that the Switch Is Unconfigured
  Task 2: Configure the Switch with a Hostname and an IP Address
  Task 3: Explore Context-Sensitive Help
  Task 4: Improve the Usability of the CLI
Lab 1-2: Troubleshooting Switch Media Issues
  Visual Objective, Required Resources, Command List, Job Aids
  Task 1: Lab Setup
  Task 2: Troubleshoot Connectivity Between Computer PC1 and Switch SW1
  Task 3: Troubleshoot Connectivity Between Switch SW1 and the Branch Router
Lab 2-1: Performing Initial Router Setup and Configuration
  Visual Objective, Required Resources, Command List, Job Aids
  Task 1: Inspect the Router Hardware and Software
  Task 2: Create the Initial Router Configuration
  Task 3: Improve the Usability of the CLI
  Task 4: Discover Connected Neighbors with Cisco Discovery Protocol
Lab 2-2: Connecting to the Internet
  Visual Objective, Required Resources, Command List, Job Aids
  Task 1: Configure a Manual IP Address and Static Default Route
  Task 2: Configure a DHCP-Obtained IP Address
  Task 3: Configure NAT
  Task 4: Configure NAT with PAT
Lab 3-1: Enhancing the Security of the Initial Configuration
  Visual Objective, Required Resources, Command List, Job Aids
  Task 1: Add Password Protection
  Task 2: Enable SSH Remote Access
  Task 3: Limit Remote Access to Selected Network Addresses
  Task 4: Configure a Login Banner
Lab 3-2: Device Hardening
  Visual Objective, Required Resources, Command List, Job Aids
  Task 1: Disable Unused Ports
  Task 2: Configure Port Security on a Switch
  Task 3: Disable Unused Services
  Task 4: Configure NTP
Lab 3-3: Filtering Traffic with ACLs
  Visual Objective, Required Resources, Command List, Job Aids
  Task 1: Configure an ACL
  Task 2: Lab Setup
  Task 3: Troubleshoot an ACL
Lab 4-1: Configuring Expanded Switched Networks
  Visual Objective, Required Resources, Command List, Job Aids
  Task 1: Configure a VLAN
  Task 2: Configure the Link Between Switches as a Trunk
  Task 3: Configure a Trunk Link on the Router
Lab 4-2: Configuring DHCP Server
  Visual Objective, Required Resources, Command List, Job Aids
  Task 1: Configure DHCP Pools
  Task 2: Exclude Specific IP Addresses from DHCP Pools
  Task 3: Configure DHCP Relay Agent
  Task 4: Manually Assign IP Addresses
Lab 4-3: Implementing OSPF
  Visual Objective, Required Resources, Command List, Job Aids
  Task 1: Connect the Router to the WAN
  Task 2: Configure OSPF
Lab 5-1: Configure and Verify Basic IPv6
  Visual Objective, Required Resources, Command List, Job Aids
  Task 1: Enable IPv6 on the Router
Lab 5-2: Configure and Verify Stateless Autoconfiguration
  Visual Objective, Required Resources, Command List, Job Aids
  Task 1: Enable Stateless Autoconfiguration on the Router
Lab 5-3: Configure and Verify IPv6 Routing
  Visual Objective, Required Resources, Command List, Job Aids
  Task 1: Enable IPv6 Static Routing
  Task 2: Enable OSPFv3
Lab S-1: ICND1 Superlab
  Visual Objective, Required Resources, Command List, Job Aids
  Task 1: Configure Basic Settings, VLANs, Trunks, and Port Security on Switches
  Task 2: Configure Inter-VLAN Routing
  Task 3: Configure Internet Connectivity
  Task 4: Configure WAN Connectivity and a Dynamic Routing Protocol
  Task 5: Configure IPv6 Connectivity in the LAN
  Task 6: Configure the OSPFv3 Routing Protocol
Lab Answer Keys
  Lab 1-1: Performing Switch Startup and Initial Configuration
  Lab 1-2: Troubleshooting Switch Media Issues
  Lab 2-1: Performing Initial Router Setup and Configuration
  Lab 2-2: Connecting to the Internet
  Lab 3-1: Enhancing the Security of the Initial Configuration
  Lab 3-2: Device Hardening
  Lab 3-3: Filtering Traffic with ACLs
  Lab 4-1: Configuring Expanded Switched Networks
  Lab 4-2: Configuring DHCP Server
  Lab 4-3: Implementing OSPF
  Lab 5-1: Configure and Verify Basic IPv6
  Lab 5-2: Configure and Verify Stateless Autoconfiguration
  Lab 5-3: Configure and Verify IPv6 Routing
  Lab S-1: ICND1 Superlab

Interconnecting Cisco Networking Devices, Part Cisco Systems, Inc.

Lab 1-1: Performing Switch Startup and Initial Configuration

Activity Overview

In this activity, you will observe the switch boot procedure and perform basic switch configuration.

Objectives

After you have completed this activity, you will be able to meet these objectives:

- Restart the switch and verify the initial configuration messages
- Complete the initial configuration of the Cisco Catalyst switch
- Explore context-sensitive help
- Improve the usability of the CLI

Visual Objective

The figure illustrates what you will accomplish in this activity.

[Figure: Visual Objective for Lab 1-1: Performing Switch Startup and Initial Configuration. Labels: PC1, Branch, SW1, SW2, HQ, Server.]

[Figure: Detailed Visual Objective. Callout on SW1: Perform switch startup and initial configuration.]

Required Resources

No additional resources are required for this lab.

Command List

The table describes the commands that are used in this activity. The commands are listed in alphabetical order so that you can easily locate the information that you need. Refer to this list if you need configuration command assistance during the lab activity.

Cisco IOS Switch Commands

Command | Description
? or help | In user EXEC mode, lists the subset of commands that are available at that level
clock set | Manages the system clock
configure terminal | Activates the configuration mode from the terminal
copy running-config destination | Copies the switch running configuration file to another destination. A typical destination is the startup configuration.
delete name | Deletes a file from flash memory
do command | Executes user EXEC or privileged EXEC commands from global configuration mode or other configuration modes or submodes, in any configuration mode
enable | Activates privileged EXEC mode. In privileged EXEC mode, more commands are available. This command requires you to enter the enable password if an enable password is configured.
end | Terminates configuration mode
erase startup-config | Erases the startup configuration that is stored in nonvolatile memory
exit | Exits the current configuration mode
history size number | Sets the number of lines that are held in the history buffer for recall. Two separate buffers are used: one for EXEC mode commands and the other for configuration mode commands
hostname hostname | Sets the system name, which forms part of the prompt
interface vlan 1 | Enters interface configuration mode for VLAN 1 to set the switch management IP address
ip address ip-address subnet-mask | Sets the IP address and mask of the interface
line console 0 | Enters line console configuration mode
logging synchronous | Synchronizes unsolicited messages and debugs privileged EXEC command output with solicited device output and prompts for a specific console port line or vty line
reload | Restarts the switch and reloads the Cisco IOS operating system and configuration
show clock | Displays the system clock
show flash: | Displays the layout and contents of a flash memory file system
show startup-config | Displays the startup configuration settings that are saved in NVRAM
show terminal | Displays the current settings for the terminal
show version | Displays the configuration of the switch hardware and the various software versions

Job Aids

These job aids are available to help you complete the lab activity.

The table shows the hardware that is used in the lab and the operating system that is running on the devices.

Device | Hardware | Operating System
SW1 | Catalyst 2960 Series Switch | c2960-lanbasek9-mz se3
PC1 | Any PC | Microsoft Windows 7

There are no console or enable passwords set for the router and switch in the initial lab setup.

The table shows the username and password that are used to access PC1.

Device | Username | Password
PC1 | Administrator | admin

2013 Cisco Systems, Inc. Lab Guide

Topology and IP Addressing

Devices are connected by Ethernet connections. The figure illustrates the interface identification and IP addresses that are used in this lab setup.

[Figure: Topology and IP Addressing]

The table shows the interface identification and IP addresses that are used in this lab setup.

Device | Interface | IP Address | Subnet Mask
SW1 | VLAN | |
PC1 | Ethernet adapter local area connection | |

Setting the IP Address on a PC

On a PC, click Start and choose Control Panel. Click Change Adapter Settings and then right-click Local Area Network. Choose Properties. When you are presented with the Local Area Connection Properties dialog, click Internet Protocol version 4 (TCP/IPv4) and then click Properties. In the Internet Protocol Version 4 (TCP/IPv4) Properties window, click the Use the Following IP Address radio button and enter the appropriate IP address, subnet mask, and default gateway.

Task 1: Perform a Reload and Verify that the Switch Is Unconfigured

In this task, you will use the erase startup-config command to ensure that the switch has no prior configuration in the startup-config file. You will then reload the switch software and observe the output that is generated during the reload. Finally, you will investigate the properties of the switch.

Activity Procedure

Complete the following steps:

Step 1: Access the CLI of switch SW1 and enter user EXEC mode. You will be provided with information about how to access the lab equipment.

Step 2: To see the effect of entering a privileged-level command in user EXEC mode, enter the command erase startup-config. What was the result of issuing the command in an incorrect EXEC mode?

Step 3: Enter privileged EXEC mode. How do you know if you are in privileged EXEC mode and not user EXEC mode?

Step 4: Erase the startup configuration. Because the switch also stores a small part of the configuration in the file, vlan.dat, stored in flash memory, delete it before performing a reload. Observe the output during the reload.

Step 5: Press Enter when the switch boots and skip the initial configuration dialog. You will know when the switch has finished booting when you see "Press RETURN to get started!" in the console output. How do you know that the startup configuration has been erased?

Step 6: Using the appropriate show command, investigate the switch model number, software version, and amount of RAM and flash memory.

Activity Verification

You have completed this task when you attain these results:

- You performed a switch reload.
- You verified that the switch is unconfigured.

Task 2: Configure the Switch with a Hostname and an IP Address

In this task, you will configure the switch with a hostname and an IP address.

Activity Procedure

Complete the following steps:

Step 1: Change the hostname of the switch to SW1.

Step 2: Assign an IP address to the VLAN 1 interface on switch SW1. Be sure that you assign the correct IP address, as described in the Job Aids section in the beginning of the lab document.

Note: Configuring the IP address on the switch is not mandatory to start the switch running, but it is necessary for remote management access to the switch.

Step 3: Access the PC1. Use the username and password that is described in the Job Aids section in order to log in.

Step 4: Assign the IP address of PC1, as listed in the Job Aids section. Leave the default gateway empty.

Step 5: From PC1, ping the VLAN 1 IP address of SW1 to confirm Layer 3 connectivity.

Activity Verification

You have completed this task when you attain these results:

- You configured the switch with a hostname and a VLAN 1 IP address.
- You configured PC1 with the correct IP address.
- Your ping from PC1 to the VLAN 1 IP address of SW1 was successful.

Task 3: Explore Context-Sensitive Help

In this task, you will use context-sensitive help to locate commands and complete command syntax.

Activity Procedure

Complete the following steps:

Step 1: On switch SW1, enter privileged EXEC mode and enter ? (or help) to list the available commands.

Step 2: Using the ? command, set the clock on the switch to the current time and date.

Note: Pressing the Tab key automatically completes the command if the characters that you have entered are not ambiguous.

Step 3: Verify the current date and time using the appropriate show command.

Step 4: Type the following comment line at the prompt and then press Enter:

!ths command changuw the clck sped for the swch

Note: An exclamation point (!) at the beginning of the line indicates that you are entering a comment. The comment will not be part of the switch configuration. Comments are a great help when you are working on a configuration in a text editor and plan to upload it to a device.

Step 5: Press Ctrl-P or press the Up Arrow key to see the previous line. Use the editor commands Ctrl-A, Ctrl-F, Ctrl-E, and Ctrl-B to move along the line, and use the Backspace key to delete unwanted characters. Using the editing commands, correct the comment line to read:

!this command changes the clock speed for the switch.

Activity Verification

You have completed this task when you attain these results:

- You used the system help and command-completion functions.
- You used the built-in editor and the keystrokes for cursor navigation.

Task 4: Improve the Usability of the CLI

In this task, you will enter commands to improve the usability of the CLI. You will increase the number of lines in the history buffer, increase the inactivity timer on the console port, and stop the attempted name resolution of mistyped commands.

Activity Procedure

Complete the following steps:

Step 1: Using the show terminal command, verify that history is enabled, and determine the current history size for the console line.

Step 2: Change the history size to 100 for the console line and verify that the change has taken place.

Note: Alternatively, you could use the begin keyword. You will see the output beginning from the first match.

Step 3: The no ip domain lookup command disables the resolution of symbolic names. If you mistype a command, the system will not try to translate it into an IP address (it will take about 5 seconds to time out). Disable IP domain lookup.

Step 4: The default console access EXEC timeout is set to 10 minutes. After 10 minutes of inactivity, the user is disconnected from console access and is required to reconnect. Change this timer to 60 minutes.

Note: Make sure that you are in console line configuration mode. To execute user EXEC or privileged EXEC commands from global configuration mode or other configuration modes or submodes, use the do command in any configuration mode.

Step 5: The logging synchronous command synchronizes unsolicited messages and debugs privileged EXEC command output with the input from the CLI. If you are in the middle of typing a command, status messages will appear where you are typing. Enable synchronous logging on line console 0.

Step 6: Save your running configuration to the startup configuration.

Activity Verification

You have completed this task when you attain these results:

- You changed the history buffer size.
- You disabled resolution of symbolic names.
- You set the inactivity timeout on the console line to 60 minutes.
- You enabled synchronous logging on the console line.
- You saved the running configuration to the startup configuration file.
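The Task 4 verification items can also be checked against a saved copy of the configuration text. The following Python check is an added example, not part of the lab guide; the sample configuration, its 192.0.2.10 address and the function names are constructed for illustration. It also reports a console set to exec-timeout 0 0, which never disconnects an idle session.

```python
import re

# Constructed sample (not captured from the lab equipment): the parts of a
# running-config that Task 4 touches. 192.0.2.10 is a documentation address.
SAMPLE_RUNNING_CONFIG = """\
hostname SW1
!
no ip domain-lookup
!
interface Vlan1
 ip address 192.0.2.10 255.255.255.0
!
line con 0
 exec-timeout 60 0
 logging synchronous
 history size 100
line vty 0 4
 login
!
end
"""

# Default from Step 4; a setting left at its default is not listed in the config.
DEFAULT_EXEC_TIMEOUT_MIN = 10


def parse_sections(config_text):
    """Map each top-level config line to the indented sub-commands under it."""
    sections, current = {}, None
    for raw in config_text.splitlines():
        line = raw.rstrip()
        if not line or line.lstrip().startswith("!"):
            continue  # blank lines and '!' separators carry no settings
        if not line[0].isspace():
            current = line
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line.strip())
    return sections


def console_idle_minutes(console_cmds):
    """Console idle timeout in minutes; 0 means the session never expires."""
    for cmd in console_cmds:
        m = re.fullmatch(r"exec-timeout (\d+)(?: (\d+))?", cmd)
        if m:
            return int(m.group(1)) + int(m.group(2) or 0) / 60
    return DEFAULT_EXEC_TIMEOUT_MIN


def audit_task4(config_text):
    """Return one boolean per Task 4 setting, plus a no-timeout flag."""
    sections = parse_sections(config_text)
    console = sections.get("line con 0", [])
    idle = console_idle_minutes(console)
    return {
        "history_size_100": "history size 100" in console,
        # Depending on the release, the config shows "domain-lookup" or "domain lookup".
        "domain_lookup_disabled": any(
            re.fullmatch(r"no ip domain[- ]lookup", top) for top in sections),
        "console_timeout_60_min": idle == 60,
        "console_never_times_out": idle == 0,
        "logging_synchronous": "logging synchronous" in console,
    }


if __name__ == "__main__":
    for check, ok in audit_task4(SAMPLE_RUNNING_CONFIG).items():
        print(f"{check}: {ok}")
```
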

Lab 1-2: Troubleshooting Switch Media Issues

Activity Overview

In this activity, you will use troubleshooting guidelines to isolate and correct switch media issues.

Objectives

After completing this activity, you will be able to meet these objectives:

- Follow troubleshooting guidelines to determine the source of connectivity problems between a computer and a switch, and fix them
- Follow troubleshooting guidelines to determine the source of connectivity problems between a router and a switch, and fix them

Visual Objective

The figure illustrates what you will accomplish in this activity.

[Figure: Visual Objective for Lab 1-2: Troubleshooting Switch Media Issues. Labels: PC1, Branch, SW1, SW2, HQ, Server.]

[Figure: Detailed Visual Objective. Callouts: Troubleshooting Task 1, Troubleshooting Task 2.]

Required Resources

These are the resources and equipment that are required to complete this activity:

- Successful completion of Lab 1-1: Performing Switch Startup and Initial Configuration

Command List

The table describes the commands that are used in this activity. The commands are listed in alphabetical order so that you can easily locate the information that you need. Refer to this list if you need configuration command assistance during the lab activity.

Commands

Command | Description
configure terminal | Enters global configuration mode
copy running-config startup-config | Saves the running configuration into NVRAM as the startup configuration
duplex full | Enables full duplex on an interface
enable | Enters the privileged EXEC mode command interpreter
interface FastEthernet 0/13 | Specifies interface FastEthernet 0/13 and enters interface configuration mode
shutdown/no shutdown | Disables or enables an interface
ping ip-address | Uses ICMP echo requests and ICMP echo replies to determine whether a remote host is reachable
show interfaces FastEthernet 0/13 | Displays information about interface FastEthernet 0/13
show ip interface brief | Displays a brief summary of the interfaces on a device, which is useful for quickly checking the status of the device

Job Aids

These job aids are available to help you complete the lab activity.

The table shows the hardware that is used in the lab and the operating system that is running on the devices.

Device | Hardware | Operating System
Branch | Cisco 2901 Integrated Services Router | c2900-universalk9-mz.spa m1
SW1 | Catalyst 2960 Series Switch | c2960-lanbasek9-mz se3
PC1 | Any PC | Microsoft Windows 7

There are no console or enable passwords set for the router and switch in the initial lab setup.

The table shows the username and password that are used to access PC1.

Device | Username | Password
PC1 | Administrator | admin

Topology and IP Addressing

Devices are connected with Ethernet connections. The figure illustrates the interface identification and IP addresses that are used in this lab setup.

[Figure: Topology and IP Addressing. Interface labels: Fa0/1, Gi0/, Fa0/]

The table shows the interface identification and IP addresses that are used in this lab setup.

Device | Interface | IP Address/Subnet Mask
Branch | Gi0/ | /24
SW1 | VLAN | /24
PC1 | Ethernet adapter local area connection | /24

Task 1: Lab Setup

In this setup task, you will load the configuration from the switch flash drive.

Activity Procedure

Complete these steps:

Step 1: Access the CLI of switch SW1. You will be provided with information about accessing the lab equipment.

Step 2: Load the configuration file tshoot_media_issues_start.cfg from the flash drive of the switch.

SW1#copy flash:tshoot_sw_media.cfg run

At this point, you have loaded a configuration file that includes your trouble tickets, presented in Tasks 2 and 3.

Activity Verification

You have completed this task when you attain this result:

- You loaded a configuration file from the switch flash drive.

Task 2: Troubleshoot Connectivity Between Computer PC1 and Switch SW1

In this task, you will troubleshoot connectivity problems between switch SW1 and computer PC1.

Activity Procedure

Complete the following steps:

Step 1: John calls you about an issue that he is experiencing while using PC1. He says that PC1 has no network connectivity, and he insists that somebody unplugged his computer from the switch. The senior engineers are out. You are the only one who can solve this problem right now. You have access only to switch SW1. Determine whether or not you can ping PC1 from switch SW1. The IP address of PC1 is listed in the Job Aids section of this document. Is there Layer 3 connectivity between the computer and the switch?

Step 2: What is the status of interface FastEthernet0/1 on switch SW1, which connects to the PC1? What does this status mean?

Note: Use the ? command and the Tab key to help you with the command syntax.

Step 3: Correct the issue so that John can continue his work. Do not forget to verify Layer 3 connectivity between PC1 and SW1.

Step 4: Save the configuration of switch SW1. Why is it important at this stage to save the configuration?

Activity Verification

You have completed this task when you attain this result:

- You identified and corrected the problem that was reported by the user on PC1.

Task 3: Troubleshoot Connectivity Between Switch SW1 and the Branch Router

In this task, you will troubleshoot connectivity problems between the Branch router and switch SW1. You will correct the existing problem.

Activity Procedure

Complete the following steps:

Step 1: Your colleague informs you that switch SW1 is showing messages about duplex mismatch and they are unable to prevent the messages. The senior engineers went out for lunch and left you alone to resolve this issue. How do you solve the problem indicated by this message? Using the appropriate show commands from the Command List section, identify the status of interface FastEthernet0/13, which connects to the Branch router.

Step 2: Correct the issue that you identified. Do not forget to save the changes that you made.

Activity Verification

You have completed this task when you attain this result:

- You identified and corrected the connectivity problem.
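Tasks 2 and 3 both come down to reading the interface status line, the duplex line, and the duplex mismatch message. The following Python parser is an added example, not part of the lab guide; the sample console text and the wording of the status meanings are constructed for illustration and do not show the faults loaded in this lab.

```python
import re

# Constructed console text in the style of "show interfaces" output and the
# CDP duplex mismatch message; it is not output from the lab equipment.
SAMPLE_OUTPUT = """\
FastEthernet0/1 is administratively down, line protocol is down (disabled)
  Auto-duplex, Auto-speed, media type is 10/100BaseTX
FastEthernet0/13 is up, line protocol is up (connected)
  Half-duplex, 100Mb/s, media type is 10/100BaseTX
%CDP-4-DUPLEX_MISMATCH: duplex mismatch discovered on FastEthernet0/13 (not full duplex), with Branch GigabitEthernet0/0 (full duplex).
"""

STATUS_LINE = re.compile(
    r"^(?P<name>\S+) is (?P<link>administratively down|down|up), "
    r"line protocol is (?P<proto>up|down)")
# Accepts both "Full-duplex" (switch) and "Full Duplex" (router) spellings.
DUPLEX_LINE = re.compile(r"^\s+(?P<duplex>Full|Half|Auto)[- ]duplex", re.I)
MISMATCH = re.compile(
    r"%CDP-4-DUPLEX_MISMATCH: duplex mismatch discovered on (?P<local>\S+) "
    r"\((?P<local_state>[^)]*)\), with (?P<peer>\S+) (?P<peer_port>\S+) "
    r"\((?P<peer_state>[^)]*)\)")

# (interface status, line protocol status) -> what the pair indicates
MEANING = {
    ("administratively down", "down"): "shut down in the configuration",
    ("down", "down"): "no link: cable, peer port, or speed problem",
    ("up", "down"): "link present but Layer 2 is not working",
    ("up", "up"): "operational",
}


def interface_report(text):
    """Return {interface: {"link", "protocol", "duplex", "meaning"}}."""
    report, current = {}, None
    for line in text.splitlines():
        status = STATUS_LINE.match(line)
        if status:
            current = status["name"]
            key = (status["link"], status["proto"])
            report[current] = {
                "link": key[0], "protocol": key[1], "duplex": None,
                "meaning": MEANING.get(key, "unexpected state"),
            }
            continue
        duplex = DUPLEX_LINE.match(line)
        if duplex and current:
            # The duplex line belongs to the most recent interface header.
            report[current]["duplex"] = duplex["duplex"].lower()
    return report


def duplex_mismatches(text):
    """Return (local port, peer device, peer port, peer duplex) per message."""
    return [(m["local"], m["peer"], m["peer_port"], m["peer_state"])
            for m in MISMATCH.finditer(text)]


if __name__ == "__main__":
    for name, info in interface_report(SAMPLE_OUTPUT).items():
        print(name, info["duplex"], "-", info["meaning"])
    for mismatch in duplex_mismatches(SAMPLE_OUTPUT):
        print("duplex mismatch:", mismatch)
```
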

Lab 2-1: Performing Initial Router Setup and Configuration

Activity Overview

In this activity, you will observe the router boot procedure and perform basic router configuration.

Objectives

After completing this activity, you will be able to meet these objectives:

- Inspect router hardware and software
- Perform initial router configuration
- Improve the usability of the CLI
- Use Cisco Discovery Protocol to discover how devices are interconnected

Visual Objective

The figure illustrates what you will accomplish in this activity.

[Figure: Visual Objective for Lab 2-1: Performing Initial Router Setup and Configuration. Labels: PC1, Branch, SW1, SW2, HQ, Server.]

[Figure: Detailed Visual Objective. Callouts: Verify the router and its settings. Perform router initial configuration. Use Cisco Discovery Protocol to discover how devices are interconnected.]

Required Resources

No additional resources are required for this lab.

Command List

The table describes the commands that are used in this activity. The commands are listed in alphabetical order so that you can easily locate the information that you need. Refer to this list if you need configuration command assistance during the lab activity.

Cisco IOS Router Commands

Command | Description
configure terminal | Activates the configuration mode from the terminal.
copy running-config destination | Copies the running configuration file to another destination. A typical destination is the startup configuration.
description | Adds a descriptive comment to the configuration of an interface.
enable | Activates privileged EXEC mode. In privileged EXEC mode, more commands are available.
erase startup-config | Erases the startup configuration that is stored in nonvolatile memory.
exec-timeout | Sets the interval before the user session is disconnected when idle.
hostname hostname | Sets the system name, which forms part of the prompt.
interface type module/slot/port | Specifies an interface and enters interface configuration mode.
ip address ip-address subnet-mask | Sets the IP address and mask of the interface.
[no] ip domain lookup | Enables or disables DNS resolution of symbolic names.
line console 0 | Enters line console configuration mode.
logging synchronous | Synchronizes the display of router output messages with the command-line prompt.
ping ip_address | Uses ICMP echo requests and ICMP echo replies to determine whether a remote host is reachable.
reload | Restarts the router and reloads the Cisco IOS operating system.
show cdp | Displays global Cisco Discovery Protocol information.
show cdp neighbors [detail] | Displays brief information about discovered neighboring Cisco devices. If the keyword detail is used, detailed information about discovered devices is displayed.
show interfaces | Displays information about all of the device interfaces.
show startup-config | Displays the startup configuration settings that are saved in nonvolatile memory.
show version | Displays the configuration of the router hardware and the various software versions.
[no] shutdown | Disables or enables an interface.

Job Aids

These job aids are available to help you complete the lab activity.

The table shows the hardware that is used in the lab and the operating system that is running on the devices.

Device | Hardware | Operating System
Branch | Cisco 2901 Integrated Services Router | c2900-universalk9-mz.spa m1
SW1 | Catalyst 2960 Series Switch | c2960-lanbasek9-mz se3
PC1 | Any PC | Microsoft Windows 7

There are no console or enable passwords set for the router and switch in the initial lab setup.

The table shows the username and password that are used to access PC1.

Device | Username | Password
PC1 | Administrator | admin

Topology and IP Addressing

Devices are connected with Ethernet connections. The figure illustrates the interface identification and IP addresses that are used in this lab setup.

[Figure: Topology and IP Addressing. Interface labels: Fa0/1, Gi0/, Fa0/]

The table shows the interface identification and IP addresses that are used in this lab setup.

Device | Interface | IP Address/Subnet Mask
Branch | Gi0/ | /24
SW1 | VLAN | /24
PC1 | Ethernet adapter local area connection | /24

Task 1: Inspect the Router Hardware and Software

In this task, you will first inspect the router hardware and software properties. You will verify that a startup configuration exists and delete it. You will then reload the router and observe the output that is generated during the reload.

Activity Procedure

Complete the following steps:

Step 1: Access the CLI of router Branch and enter privileged EXEC mode.

Step 2: Use the correct verification command to display hardware and software properties. Find and write down the following information:

- Router model
- Serial number
- RAM
- Flash
- Software version

Use command show version in privileged EXEC mode on the Branch router to display information about the currently loaded software, along with hardware and device information.

Router#show version
Cisco IOS Software, C2900 Software (C2900-UNIVERSALK9-M), Version 15.2(4)M1, RELEASE SOFTWARE (fc1)
Technical Support:
Copyright (c) by Cisco Systems, Inc.
Compiled Thu 26-Jul-12 20:54 by prod_rel_team
ROM: System Bootstrap, Version 15.0(1r)M15, RELEASE SOFTWARE (fc1)
Router uptime is 15 minutes
System returned to ROM by reload at 17:06:50 UTC Thu Nov
System restarted at 17:09:24 UTC Thu Nov
System image file is "flash0:c2900-universalk9-mz.spa m1.bin"
Last reload type: Normal Reload
Last reload reason: Reload Command
<output omitted>
Cisco CISCO2901/K9 (revision 1.0) with K/40960K bytes of memory.
Processor board ID FCZ1642C5XJ
2 Gigabit Ethernet interfaces
1 Serial(sync/async) interface
1 terminal line
DRAM configuration is 64 bits wide with parity enabled.
255K bytes of non-volatile configuration memory
K bytes of ATA System CompactFlash 0 (Read/Write)
<output omitted>

Step 3: Use the correct show command to verify that the router has a startup configuration. If it has, erase the startup configuration by issuing the erase startup-config command.

Router#erase startup-config
Erasing the nvram filesystem will remove all configuration files! Continue? [confirm]
[OK]
Erase of nvram: complete
Router#

After you have erased the startup configuration, verify that it no longer exists.

Router#show startup-config
startup-config is not present

Step 4: Reload the router and observe the console output during startup.

Router#reload
Proceed with reload? [confirm]
Sep 11 11:31:16.663: %SYS-5-RELOAD: Reload requested by console. Reload Reason: Reload Command.
System Bootstrap, Version 15.0(1r)M1, RELEASE SOFTWARE (fc1)
Technical Support:
Copyright (c) 2009 by cisco Systems, Inc.
Total memory size = 512 MB - On-board = 512 MB, DIMM0 = 0 MB
CISCO2901/K9 platform with Kbytes of main memory
Main memory is configured to 72/-1(On-board/DIMM0) bit mode with ECC enabled
Readonly ROMMON initialized
program load complete, entry point: 0x , size: 0x1b340
program load complete, entry point: 0x , size: 0x1b340
IOS Image Load Test
<output omitted>

Activity Verification

You have completed this task when you attain these results:

- You collected hardware and software device information.
- You erased the startup configuration.
- You reloaded the router and observed the startup output.

Task 2: Create the Initial Router Configuration

In this task, you will skip the initial configuration dialog and proceed with manual configuration. You will configure system parameters and router interfaces. You will then verify connectivity.

Activity Procedure
Complete the following steps:

Step 1 Skip the initial configuration dialog, terminate the autoinstall, and enter privileged EXEC mode.

Step 2 Set the router hostname to Branch. The prompt will reflect the new hostname.

Step 3 Enable interface GigabitEthernet0/0 and set its description to Link to LAN Switch.

Step 4 Configure the IP address on the interface. Use subnet mask of

Step 5 Return to privileged EXEC mode and verify GigabitEthernet0/0 interface status, interface description, and correct IP address assignment by using a suitable verification command.

    Branch#show interfaces GigabitEthernet 0/0
    GigabitEthernet0/0 is up, line protocol is up
      Hardware is CN Gigabit Ethernet, address is 5475.d08e.9ad8 (bia 5475.d08e.9ad8)
      Description: Link to LAN Switch
      Internet address is /24
      MTU 1500 bytes, BW Kbit/sec, DLY 100 usec,
         reliability 255/255, txload 1/255, rxload 1/255
      Encapsulation ARPA, loopback not set
      Keepalive set (10 sec)
      Full Duplex, 100Mbps, media type is RJ45
      <output omitted>

Step 6 Save the current configuration on the Branch router.

Activity Verification
You have completed this task when you attain these results:

Step 1 The console prompt shows the configured hostname:

    Branch#

Step 2 You verified IP connectivity between router Branch and PC1 by using ICMP ping:

    Branch#ping
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to , timeout is 2 seconds:
    .!!!!
    Success rate is 80 percent (4/5), round-trip min/avg/max = 1/1/4 ms

The ping should be successful.

Note The ping might fail due to slow STP convergence on the SW1 switch. If the ping fails, try to issue another ping after a few seconds. The first ICMP packet could time out because ARP needs to obtain Layer 2 addressing before the packet can be sent out of the interface.

Task 3: Improve the Usability of the CLI

In this task, you will improve the CLI experience by increasing the inactivity timer on the console line and by disabling the resolution of symbolic names.

Activity Procedure
Complete the following steps:

Step 1 Change the EXEC timeout on the console line, which is set to 10 minutes by default, to a value of 60 minutes.

Step 2 Verify the EXEC timeout value on the Branch router:

    Branch#show line console 0
    Tty Line Typ Tx/Rx A Modem Roty AccO AccI Uses Noise Overruns Int
    * 0 0 CTY /0 -
    Line 0, Location: "", Type: ""
    Length: 24 lines, Width: 80 columns
    Status: PSI Enabled, Ready, Active, Automore On
    Capabilities: none
    Modem state: Ready
    RJ45 Console is in use
    USB Console baud rate = 9600
    Modem hardware state: CTS* nodsr DTR RTS
    Special Chars: Escape Hold Stop Start Disconnect Activation
                   ^^x none - - none
    Timeouts: Idle EXEC Idle Session Modem Answer Session Dispatch
              01:00:00 never none not set
              Idle Session Disconnect Warning
              never
              Login-sequence User Response
              00:00:30
              Autoselect Initial Wait
              not set
    <output omitted>

Step 3 Improve the readability of the console access by synchronizing unsolicited messages and debug outputs with the input from the CLI.

Step 4 Disable the resolution of symbolic names to prevent the system from attempting to translate a mistyped command into an IP address.

Step 5 Save the configured changes to the startup configuration.

Activity Verification
You have completed this task when you attain these results:
- You have set the inactivity timeout on the console line to 60 minutes.
- You have enabled synchronous logging on the console line.
- You have disabled resolution of symbolic names.

Task 4: Discover Connected Neighbors with Cisco Discovery Protocol

In this task, you will use Cisco Discovery Protocol to obtain information about directly connected Cisco devices. You will gather information about neighbor capabilities and IP addresses and discover how devices are interconnected.

Activity Procedure
Complete the following steps:

Step 1 On the Branch router, issue the show cdp command to verify that Cisco Discovery Protocol is enabled and to display its global information.

    Branch#show cdp
    Global CDP information:
            Sending CDP packets every 60 seconds
            Sending a holdtime value of 180 seconds
            Sending CDPv2 advertisements is enabled

Step 2 Enter the Cisco Discovery Protocol verification command to display all known neighboring Cisco devices. Write down the information about the discovered neighbors in the table:

    Device ID    Platform    Local Interface    Remote Interface (Port ID)

The information that you gather about the local and remote interfaces that are used reveals how neighboring devices are physically interconnected.

On the Branch router, use the show cdp neighbors command to display all neighboring Cisco devices:

    Branch#show cdp neighbors
    Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
                      S - Switch, H - Host, I - IGMP, r - Repeater, P - Phone,
                      D - Remote, C - CVTA, M - Two-port Mac Relay

    Device ID Local Intrfce Holdtme Capability Platform Port ID
    SW1 Gig 0/0 158 S I WS-C2960- Fas 0/13

Use the Cisco Discovery Protocol verification command with the keyword detail to display additional information about other Cisco devices. Write down the IP address of a neighboring switch, with exact information about its platform and software version.

    Branch#show cdp neighbors detail
    Device ID: SW1
    Entry address(es):
      IP address:
    Platform: cisco WS-C TT-L, Capabilities: Switch IGMP
    Interface: GigabitEthernet0/0, Port ID (outgoing port): FastEthernet0/13
    Holdtime : 146 sec
    Version :
    Cisco IOS Software, C2960 Software (C2960-LANBASEK9-M), Version 15.0(1)SE3, RELEASE SOFTWARE (fc1)
    Technical Support:
    Copyright (c) by Cisco Systems, Inc.
    Compiled Wed 30-May-12 14:26 by prod_rel_team
    advertisement version: 2
    Protocol Hello: OUI=0x00000C, Protocol ID=0x0112; payload len=27, value= ffffffff010221ff e147cbd00ff0000
    VTP Management Domain: 'rlab'
    Native VLAN: 1
    Duplex: full
    Branch#

Activity Verification
You have completed this task when you attain these results:
- You observed Cisco Discovery Protocol output for directly attached Cisco neighbors.
- You gathered detailed information about a neighbor switch.

Lab 2-2: Connecting to the Internet

Activity Overview

Objectives
In this activity, you will establish Internet connectivity by enabling static routing, DHCP, and NAT. After completing this activity, you will be able to meet these objectives:
- Configure a static default route
- Enable DHCP on a public interface
- Configure NAT using a pool
- Configure NAT with PAT

Visual Objective
The figure illustrates what you will accomplish in this activity.

[Figure: Visual Objective for Lab 2-2: Connecting to the Internet. Devices shown: PC1, PC2, Branch, SW1, SW2.]

[Figure: Detailed Visual Objective. Devices shown: PC1, PC2, SW1, Branch (Inside, Outside), Internet, HQ, Server. Callouts: Configure NAT with PAT. Configure static and DHCP-obtained IP addresses.]

Required Resources
No additional resources are required for this lab.

Command List
The table describes the commands that are used in this activity. The commands are listed in alphabetical order so that you can easily locate the information that you need. Refer to this list if you need configuration command assistance during the lab activity.

Command
    Description

access-list acl_id permit network wildcard_mask
    Configures a standard ACL that permits a network
configure terminal
    Enters global configuration mode
debug ip icmp
    Enables debugging of ICMP packets
interface interface
    Enters interface configuration mode
ip address dhcp
    Configures an interface to obtain an IP address using DHCP
ip address ip_address network_mask
    Configures an IP address manually on an interface
ip nat inside
    Configures an interface as NAT inside interface
ip nat inside source list acl_id pool pool_name
    Configures a dynamic source NAT rule that translates addresses into IP addresses defined in the pool
ip nat inside source list acl_id interface interface_name overload
    Configures a dynamic source NAT or PAT rule that translates addresses into the IP address of an interface
ip nat outside
    Configures an interface as a NAT outside interface
ip nat pool pool_name start_ip end_ip netmask mask
    Configures a NAT pool
ip route network network_mask next_hop_address
    Configures a static route
ping ip_address
    Pings an IP address
show ip interface brief
    Displays the status and IP addresses of interfaces
show ip nat translations
    Displays active NAT translations
show ip route
    Displays the routing table
show users
    Displays information about the active lines on a router
shutdown
    Disables an interface
telnet ip_address
    Establishes a Telnet session to an IP address
terminal monitor
    Redirects debugging output to a Telnet session
undebug all
    Disables all debugging

Job Aids
These job aids are available to help you complete the lab activity. The table shows the hardware that is used in the lab and the operating system that is running on the devices.

Device    Hardware                                 Operating System
Branch    Cisco 2901 Integrated Services Router    c2900-universalk9-mz.spa m1
HQ        Cisco 2901 Integrated Services Router    c2900-universalk9-mz.spa m1
SW1       Catalyst 2960 Series Switch              c2960-lanbasek9-mz se3
PC1       Any PC                                   Microsoft Windows 7
PC2       Any PC                                   Microsoft Windows 7

There are no console or enable passwords set for the routers and switches in the initial lab setup. The table shows the username and password that are used to access PC1 and PC2.

Device    Username         Password
PC1       Administrator    admin
PC2       Administrator    admin

Topology and IP Addressing
Devices are connected with Ethernet links. The figure illustrates the interface identification and IP addresses that are used in this lab setup.

[Figure: Topology and IP Addressing]

The table shows the interface identification and IP addresses that are used in this lab setup.

Device    Interface    IP Address/Subnet Mask
Branch    Gi0/         /27
Branch    Gi0/         /24
HQ        Gi0/         /27

Device    Interface                                     IP Address/Subnet Mask
HQ        Loopback                                      /24
SW1       VLAN                                          /24
PC1       Ethernet adapter local area connection        /24
PC2       Ethernet adapter local area connection        /24

Task 1: Configure a Manual IP Address and Static Default Route

In this task, you will configure an IP address on the Internet-facing interface of the Branch router. You will also configure a static default route on the Branch router to reach Internet networks. Then you will verify connectivity between the Branch router, HQ router, and server.

Activity Procedure
Complete the following steps:

Step 1 Access the Branch router.

Step 2 Verify interface status and IP address on the Branch router.

    Branch#show ip interface brief
    Interface IP-Address OK? Method Status Protocol
    Embedded-Service-Engine0/0 unassigned YES NVRAM administratively down down
    GigabitEthernet0/ YES manual up up
    GigabitEthernet0/1 unassigned YES NVRAM administratively down down
    GigabitEthernet0/2 unassigned YES NVRAM administratively down down

You should see that only GigabitEthernet0/0 is up and configured with an IP address.

Step 3 Enable the GigabitEthernet0/1 interface. Manually assign the IP address to the interface. Use a mask of

Step 4 Verify interface status and IP address on the Branch router again.

    Branch#show ip interface brief
    Interface IP-Address OK? Method Status Protocol
    Embedded-Service-Engine0/0 unassigned YES NVRAM administratively down down
    GigabitEthernet0/ YES manual up up
    GigabitEthernet0/ YES manual up up
    GigabitEthernet0/2 unassigned YES NVRAM administratively down down
    Serial0/0/0 unassigned YES manual administratively down down

The GigabitEthernet0/1 interface should be up and it should have an IP address configured.

Step 5 From the Branch router, ping the HQ router at

    Branch#ping
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to , timeout is 2 seconds:
    .!!!!
    Success rate is 80 percent (4/5), round-trip min/avg/max = 1/1/4 m

The ping should be successful, because the destination IP address is in a directly connected network.

Step 6 From the Branch router, ping the server at , which is behind the HQ router.

    Branch#ping
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to , timeout is 2 seconds:
    ...
    Success rate is 0 percent (0/5)

The ping should not be successful. What is the reason for an unsuccessful ping?

Step 7 Verify the routing table on the Branch router.

    Branch#show ip route
    Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
           D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
           N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
           E1 - OSPF external type 1, E2 - OSPF external type 2
           i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
           ia - IS-IS inter area, * - candidate default, U - per-user static route
           o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
           + - replicated route, % - next hop override

    Gateway of last resort is not set

          /8 is variably subnetted, 2 subnets, 2 masks
    C        /24 is directly connected, GigabitEthernet0/
    L        /32 is directly connected, GigabitEthernet0/
          /24 is variably subnetted, 2 subnets, 2 masks
    C        /27 is directly connected, GigabitEthernet0/
    L        /32 is directly connected, GigabitEthernet0/1

Is there a route present for the IP address of the server?

Step 8 On the Branch router, configure a static default route that points to the next-hop IP address

Step 9 Save the running configuration to the startup configuration.

Step 10 From the Branch router, ping the server at again.

    Branch#ping
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to , timeout is 2 seconds:
    !!!!!
    Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms

The ping should be successful because you configured a static default route.

Step 11 Verify the routing table on the Branch router.

    Branch#show ip route
    Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
           D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
           N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
           E1 - OSPF external type 1, E2 - OSPF external type 2
           i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
           ia - IS-IS inter area, * - candidate default, U - per-user static route
           o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
           + - replicated route, % - next hop override

    Gateway of last resort is to network

    S*    /0 [1/0] via
          /8 is variably subnetted, 2 subnets, 2 masks
    C        /24 is directly connected, GigabitEthernet0/
    L        /32 is directly connected, GigabitEthernet0/
          /24 is variably subnetted, 2 subnets, 2 masks
    C        /27 is directly connected, GigabitEthernet0/
    L        /32 is directly connected, GigabitEthernet0/1

The default route is designated with S and an asterisk (*).

Step 12 Remove the previously configured static default route from the Branch router to prepare the router for the next task.

Step 13 Verify the routing table on the Branch router again to make sure that no default route is present on the router.

    Branch#show ip route
    Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
           D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
           N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
           E1 - OSPF external type 1, E2 - OSPF external type 2
           i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
           ia - IS-IS inter area, * - candidate default, U - per-user static route
           o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
           + - replicated route, % - next hop override

    Gateway of last resort is not set

          /8 is variably subnetted, 2 subnets, 2 masks
    C        /24 is directly connected, GigabitEthernet0/
    L        /32 is directly connected, GigabitEthernet0/
          /24 is variably subnetted, 2 subnets, 2 masks
    C        /27 is directly connected, GigabitEthernet0/
    L        /32 is directly connected, GigabitEthernet0/1

Activity Verification
No additional verification is needed in this task.

Task 2: Configure a DHCP-Obtained IP Address

In this task, you will configure the Branch router to obtain an IP address using DHCP from the HQ router. The HQ router has been preconfigured as a DHCP server. You will also verify connectivity between the Branch router, HQ router, and server.

Activity Procedure
Complete the following steps:

Step 1 Access the Branch router.

Step 2 Configure the GigabitEthernet0/1 interface to obtain an IP address using DHCP.

Step 3 Save the running configuration to the startup configuration.

Step 4 Verify interface status and IP address on the Branch router.

    Branch#show ip interface brief
    Interface IP-Address OK? Method Status Protocol
    Embedded-Service-Engine0/0 unassigned YES NVRAM administratively down down
    GigabitEthernet0/ YES manual up up
    GigabitEthernet0/ YES DHCP up up

The GigabitEthernet0/1 interface should be up and it should have an IP address that was configured through DHCP. Write down the IP address in the space that is provided.

Step 5 Verify the routing table on the Branch router.

    Branch#show ip route
    Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
           D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
           N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
           E1 - OSPF external type 1, E2 - OSPF external type 2
           i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
           ia - IS-IS inter area, * - candidate default, U - per-user static route
           o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
           + - replicated route, % - next hop override

    Gateway of last resort is to network

    S*    /0 [254/0] via
          /8 is variably subnetted, 2 subnets, 2 masks
    C        /24 is directly connected, GigabitEthernet0/
    L        /32 is directly connected, GigabitEthernet0/
          /24 is variably subnetted, 2 subnets, 2 masks
    C        /27 is directly connected, GigabitEthernet0/
    L        /32 is directly connected, GigabitEthernet0/1

You should see a default route present in the table. Where did the default route come from?

Step 6 From the Branch router, ping the HQ router at

    Branch#ping
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to , timeout is 2 seconds:
    .!!!!
    Success rate is 80 percent (4/5), round-trip min/avg/max = 1/1/4 m

The ping should be successful.

Step 7 From the Branch router, ping the server at

    Branch#ping
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to , timeout is 2 seconds:
    !!!!!
    Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms

The ping should be successful because the Branch router received knowledge of the default gateway from the DHCP server. The Branch router set the default route automatically and set the next-hop IP address of the route to the IP address of the default gateway.

Step 8 Access PC1.

Step 9 From PC1, ping the Branch router at its public IP address, which was obtained through DHCP.

    C:\>ping
    Pinging with 32 bytes of data:
    Reply from : bytes=32 time=1ms TTL=255
    Reply from : bytes=32 time<1ms TTL=255
    Reply from : bytes=32 time<1ms TTL=255
    Reply from : bytes=32 time<1ms TTL=255
    Ping statistics for :
        Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
    Approximate round trip times in milli-seconds:
        Minimum = 0ms, Maximum = 1ms, Average = 0ms

The ping should be successful.

Step 10 From PC1, ping the server at

    C:\>ping
    Pinging with 32 bytes of data:
    Request timed out.
    Request timed out.
    Request timed out.
    Request timed out.
    Ping statistics for :
        Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

The ping should not be successful. In the next step, you will examine why the ping is not successful.

Step 11 Return to the Branch router and establish a remote Telnet session to the HQ router at
Enable debugging of ICMP packets using the debug ip icmp command. Direct the output of the debug messages to the Telnet session using the terminal monitor command. Leave the console window open.

    Branch#telnet
    Trying Open
    HQ#debug ip icmp
    ICMP packet debugging is on
    HQ#terminal monitor

Note Establishing remote Telnet sessions and redirecting output of the debug messages to a remote session has not been discussed so far. In this task, it is needed only to verify that packets from PC1 actually reach the HQ router.

Step 12 Return to PC1 and ping the server at again. Return to the HQ Telnet session and observe the debugging messages.

    HQ#
    Sep 7 13:18:27.881: ICMP: echo reply sent, src , dst , topology BASE, dscp 0 topoid 0
    HQ#
    Sep 7 13:18:32.853: ICMP: echo reply sent, src , dst , topology BASE, dscp 0 topoid 0
    HQ#
    Sep 7 13:18:37.857: ICMP: echo reply sent, src , dst , topology BASE, dscp 0 topoid 0
    HQ#
    Sep 7 13:18:42.861: ICMP: echo reply sent, src , dst , topology BASE, dscp 0 topoid 0

You should see one debugging message for each ping packet coming from PC1. You can see that the pings actually reach the HQ router and replies are sent back to PC1. However, the HQ router is not aware of the network that PC1 is coming from and therefore discards the returning packets. You can verify this conclusion by verifying the routing table on the HQ router.

What solution could be implemented on the Branch router to overcome this problem?

Step 13 Return to the HQ Telnet session. Disable debugging and exit the Telnet session.

    HQ#undebug all
    All possible debugging has been turned off
    HQ#exit
    [Connection to closed by foreign host]
    Branch#

Activity Verification
No additional verification is needed in this task.

Task 3: Configure NAT

In this task, you will configure dynamic NAT on the Branch router to translate the IP addresses of inside hosts to public IP addresses. Then, you will verify the NAT configuration and connectivity from PC1 and PC2 to the server.

Activity Procedure
Complete the following steps:

Step 1 Access the Branch router.

Step 2 Configure a standard ACL that allows the /24 network. Use 1 as the ACL identifier. This ACL will be used to define networks that are eligible for NAT translations.

Step 3 Create a NAT pool with the following parameters:
- Pool name NAT_POOL
- Starting IP address
- Ending IP address
- Network mask

How many hosts that require NAT can you accommodate at the same time using this NAT pool?

Step 4 Configure the GigabitEthernet0/0 interface as the NAT inside interface.

Note When you enable the interface as NAT inside, the router will block for approximately 1 minute. After that, you will see a log message about the router creating NVI0 interface. This interface is used internally by the router to perform NAT.

Step 5 Configure the GigabitEthernet0/1 interface as the NAT outside interface.

Step 6 Configure a dynamic source NAT rule that will translate inside hosts into the IP addresses that were defined in the previously configured NAT pool. Use the previously configured ACL to specify hosts that are eligible for translations, and use the previously configured NAT pool.

Step 7 Save the running configuration to the startup configuration.

Activity Verification
You have completed this task when you attain these results:

Step 1 Access PC1. Open PuTTY by double-clicking the PuTTY icon and establish a remote Telnet session to the server at by clicking the Telnet radio button and entering the IP address into the Host Name input field. You should be successful.

Note Recall that the server is actually implemented as loopback interface on the HQ router. Therefore, you will actually establish a Telnet session to the HQ router for testing purposes.

Step 2 Verify the user connection to the server using the show users command. This command will display management sessions to the router via console or via remote access.

    HQ#show users
    Line User Host(s) Idle Location
    0 con 0 idle 00:42:00
    *514 vty 0 idle 00:00:

You should see that the Telnet session from PC1 is seen as originating from a translated IP address. The translated IP address is the first free IP address from the NAT pool.

Note The session marked with an asterisk (*) is the one that is currently active and used.

Step 3 Access PC2. Open PuTTY by double-clicking the PuTTY icon and establish a Telnet session to the server at
If PC2 is not configured with an IP address, assign it an IP address of /24. You should be successful.

Step 4 Verify the user connection to the server using the show users command.

    HQ#show users
    Line User Host(s) Idle Location
    514 vty 0 idle 00:00:
    *515 vty 1 idle 00:00:

You should see that the Telnet session from PC2 is seen as originating from a translated IP address. The translated IP address is the next free IP address from the NAT pool.

Step 5 Return to the Branch router. Verify that there are active NAT translations.

    Branch#show ip nat translations
    Pro Inside global Inside local Outside local Outside global
    tcp : : : :
    tcp : : : :

Notice that inside local IP addresses are translated into inside global IP addresses.

Step 6 Close the Telnet session on PC1 and PC2.

Task 4: Configure NAT with PAT

In this task, you will configure dynamic NAT with PAT on the Branch router to translate the IP addresses of inside hosts to the public IP address of the Branch router. Then you will verify the NAT configuration and connectivity from PC1 and PC2 to the server.

Activity Procedure
Complete the following steps:

Step 1 Return to the Branch router.

Step 2 Remove the previously configured dynamic NAT rule.

Step 3 Configure a dynamic source NAT/PAT (NAT with overload) rule that will translate inside hosts into the IP address of the router outside interface. Use the previously configured ACL to specify the hosts that are eligible for translations.

How many hosts that require NAT can you accommodate at the same time by overloading the IP address of the interface?

Step 4 Save the running configuration to the startup configuration.

Activity Verification
You have completed this task when you attain these results:

Step 1 Access PC1. Open PuTTY by double-clicking the PuTTY icon and establish a Telnet session to the server at
You should be successful.

Step 2 Verify the user connection to the server using the show users command.

    HQ#show users
    Line User Host(s) Idle Location
    *514 vty 0 idle 00:00:

You should see that the Telnet session from PC1 is seen as originating from the IP address of the Branch router outside interface.

Step 3 Access PC2. Open PuTTY by double-clicking the PuTTY icon and establish a Telnet session to the server at
You should be successful.

Step 4 Verify the user connection to the server using the show users command.

    HQ#show users
    Line User Host(s) Idle Location
    514 vty 0 idle 00:01:
    *515 vty 1 idle 00:00:

You should see that the Telnet session from PC2 is again seen as originating from the IP address of the Branch router outside interface.

Step 5 Return to the Branch router. Verify that there are active NAT translations.

    Branch#show ip nat translations
    Pro Inside global Inside local Outside local Outside global
    tcp : : : :23
    tcp : : : :23

Notice that two inside local IP addresses are translated into the same inside global IP address, which is configured on the Branch router outside interface. To provide two distinct translations, different source ports are used.

Step 6 Close the Telnet session on PC1 and PC2.
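The difference between the pool-based NAT of Task 3 and the PAT of Task 4 can be modelled as two translation tables. This is an added Python example, not part of the lab guide; all addresses are constructed documentation values, and the port-selection rule (keep the source port when it is free, otherwise take the lowest unused port from 1024 upward) is a simplifying assumption.

```python
import ipaddress


class PoolNat:
    """Dynamic NAT: every inside local address is bound to its own
    inside global address, taken as the first free address in the pool."""

    def __init__(self, start, end):
        lo = int(ipaddress.IPv4Address(start))
        hi = int(ipaddress.IPv4Address(end))
        self.pool = [str(ipaddress.IPv4Address(n)) for n in range(lo, hi + 1)]
        self.bindings = {}  # inside local IP -> inside global IP

    def translate(self, inside_ip, inside_port):
        if inside_ip not in self.bindings:
            used = set(self.bindings.values())
            free = [addr for addr in self.pool if addr not in used]
            if not free:
                return None  # pool exhausted: this host gets no translation
            self.bindings[inside_ip] = free[0]
        # Pool NAT rewrites only the address; the source port is unchanged.
        return self.bindings[inside_ip], inside_port


class OverloadNat:
    """PAT (NAT overload): all inside hosts share one inside global
    address and are told apart by the translated source port."""

    def __init__(self, outside_ip):
        self.outside_ip = outside_ip
        self.table = {}  # (inside local IP, port) -> translated source port

    def translate(self, inside_ip, inside_port):
        key = (inside_ip, inside_port)
        if key not in self.table:
            used = set(self.table.values())
            # Assumed rule: prefer the original port, else lowest free port.
            candidates = [inside_port] + [
                p for p in range(1024, 65536) if p != inside_port
            ]
            port = next((p for p in candidates if p not in used), None)
            if port is None:
                return None  # every port on the shared address is in use
            self.table[key] = port
        return self.outside_ip, self.table[key]


def demo():
    """Three constructed inside hosts open a session from the same source port."""
    hosts = [("10.0.0.10", 50000), ("10.0.0.20", 50000), ("10.0.0.30", 50000)]
    pool = PoolNat("192.0.2.1", "192.0.2.2")   # constructed two-address pool
    pat = OverloadNat("192.0.2.33")            # constructed outside address
    return ([pool.translate(*h) for h in hosts],
            [pat.translate(*h) for h in hosts])


if __name__ == "__main__":
    pool_results, pat_results = demo()
    print("pool:", pool_results)
    print("pat: ", pat_results)
```

With the pool, the third host receives no translation once both addresses are bound; with overload, all three hosts share one address and differ only in source port.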


Lab 3-1: Enhancing the Security of the Initial Configuration

Activity Overview

Objectives
Securing administrative access to devices is crucial because you do not want unauthorized users to have access to your network devices. In this lab, you will increase the security of the initial switch and router configuration. After you have completed this activity, you will be able to meet these objectives:
- Configure passwords on a router and switch
- Configure and limit remote access to SSH
- Configure an ACL to limit remote access
- Configure the login banner

Visual Objective
The figure illustrates what you will accomplish in this activity.

[Figure: Visual Objective for Lab 3-1: Enhancing the Security of the Initial Configuration]

[Figure: Detailed Visual Objective. Devices shown: PC1, Branch, SW1. Callouts: Add password protection, Enable SSH, Configure a login banner; Add password protection, Enable SSH, Limit access with an ACL, Configure a login banner.]

Required Resources
There are no additional resources that are required for this lab.

Command List
The table describes the commands that are used in this activity. The commands are listed in alphabetical order so that you can easily locate the information that you need. Refer to this list if you need configuration command assistance during the lab activity.

Commands

Command
    Description

access-class number direction
    Applies the ACL to the vty line. The direction argument can have the value of either in or out.
access-list number permit ip_address wildcard_mask
    Creates a standard ACL that permits all traffic from or to a specified network.
banner login
    Allows the configuration of a message that is displayed just before login.
copy running-config startup-config
    Copies the switch running configuration file to the startup configuration file that is held in local NVRAM.
crypto key generate rsa
    Generates the RSA key pairs to be used.
enable secret password
    Sets a password for entering privileged EXEC mode. The password is protected using strong MD5-type encryption.
end
    Terminates configuration mode.
ip domain-name name
    Supplies an IP domain name that is required by the cryptographic key-generation process.
ip ssh version [1 | 2]
    Specifies the version of SSH to be run. To disable the version of SSH that was configured and to return to compatibility mode, use the no form of this command.
line console 0
    Enters line console 0 configuration mode.
line vty start_number end_number
    Enters vty configuration mode. Vty lines allow access to the switch for remote network management. The number of vty lines available is dependent on the Cisco IOS Software version. Typical values are 0-4 and 0-15 (inclusive).
login
    Activates the login process on the console or vty lines.
login local
    Makes the login process on the console or vty lines rely on (or use) the local authentication database.
logout
    Exits EXEC mode and requires reauthentication (if enabled).
password
    Assigns a password to the console or vty lines.
show access-list
    Displays all ACLs that are defined on the device.
show running-config
    Displays the active configuration.
show users
    Displays information about the active lines.
ssh -l username ip_address
    Starts an encrypted session with a remote networking device using the current user ID. The IP address identifies the destination device.

Command
    Description

transport input [telnet | ssh | all]
    Specifies which protocols to use to connect to a specific line of the device.
username username secret password
    Creates a username and password pair that can then be used as a local authentication database.

Job Aids
These job aids are available to help you complete the lab activity. The table shows the hardware that is used in the lab and the operating system that is running on the devices.

Device          Hardware                                 Operating System
Branch          Cisco 2901 Integrated Services Router    c2900-universalk9-mz.spa m1
Headquarters    Cisco 2901 Integrated Services Router    c2900-universalk9-mz.spa m1
SW1             Catalyst 2960 Series Switch              c2960-lanbasek9-mz se3
PC1             Any PC                                   Microsoft Windows 7
PC2             Any PC                                   Microsoft Windows 7

There are no console or enable passwords that are set for the routers and switches in the initial lab setup. The table shows the username and password that are used to access PC1 and PC2.

Device    Username         Password
PC1       Administrator    admin
PC2       Administrator    admin

Topology and IP Addressing
Devices are connected with Ethernet links. The figure illustrates the interface identification and IP addresses that are used in this lab setup.

[Figure: Topology and IP Addressing]

The table shows the interface identification and IP addresses that are used in this lab setup.

| Device | Interface | IP Address/Subnet Mask |
| --- | --- | --- |
| Branch | Gi0/ | /27 |
| Branch | Gi0/ | /24 |
| Headquarters | Gi0/ | /27 |
| Headquarters | Loopback | /24 |
| SW1 | VLAN | /24 |
| PC1 | Ethernet adapter local area connection | /24 |
| PC2 | Ethernet adapter local area connection | /24 |

Task 1: Add Password Protection

Following the initial configuration of the switch, where passwords have been configured for the vty lines, two potential security holes exist. First, a security breach is possible when the vty lines have the login process deactivated and the password is too simple. Second, security can be breached because the console port initially is not protected by a password at all.

In this task, you will secure console access and access to privileged EXEC mode on a router and a switch.

Activity Procedure

Complete the following steps:

Step 1 Access the Branch router.

Step 2 Secure the console line with the password cisco.

Step 3 Exit to the console login screen by issuing the end and exit commands. You will be asked for the password that you configured in the previous step.

    Branch(config-line)# end
    Branch# exit
    Branch con0 is now available
    Press RETURN to get started.
    User Access Verification
    Password:
    Branch>

Step 4 Examine the running configuration and identify the password that was configured for the console line. Note that the password is in cleartext.

    Branch# show running-config | section line con
    line con 0
     exec-timeout 60 0
     password cisco
     logging synchronous
     login

Step 5 Create the username ccna and assign the secret password cisco to it. Look at the Command List section to identify the correct command. Then change the mode of authentication on the console line so that this user is authenticated using this username and password.

Step 6 Exit to the console login screen by issuing the end and exit commands. You will be asked for a username and password. Enter the credentials that you created in the previous step.

    Branch(config-line)# end
    Branch# exit
    Branch con0 is now available
    Press RETURN to get started.
    User Access Verification
    Username: ccna
    Password:
    Branch>

Step 7 Examine the running configuration and identify the username and password that you created. Note that the password is encrypted, not in cleartext. You could use the service password-encryption command to encode the cleartext password, but this encryption type is weak.

    Branch# show running-config | section username
    username ccna secret 4 tnhtc92dxbhelxjyk8lwjrpv36s2i4ntxrpb4rfmfqy

Step 8 Secure vty lines 0 through 15. Users should be able to log in using the username ccna and password cisco that you previously defined.

For security reasons, the passwords for console and vty access should be different. Also, in production environments, you should use strong passwords (at least eight characters and a combination of letters, numbers, and special characters). In the lab environment, we are using the same passwords for console and vty access.

Step 9 On PC1, open PuTTY and establish a Telnet session to the Branch router to verify that you configured vty security correctly. Enter the appropriate credentials to log into the Branch router.

Step 10 On the Branch router, secure access to privileged EXEC mode with the password cisco. The password must be encrypted with strong encryption.

Step 11 Save the changes that you made on the Branch router.

Step 12 Exit privileged EXEC mode and then re-enter it. When prompted, enter the password that you configured in the previous step.

    Branch# disable
    Branch> enable
    Password:
    Branch#

Step 13 Examine the running configuration of the Branch router and identify the line where the password that allows access to privileged EXEC mode is configured. Notice that the password is encrypted.

    Branch# show running-config | section enable
    enable secret 4 tnhtc92dxbhelxjyk8lwjrpv36s2i4ntxrpb4rfmfqy

Step 14 Access switch SW1. Configure it with the enable secret password cisco. Users should be able to log into the console and vty lines by using the username ccna and the password cisco. Use strong encryption.

Step 15 Save the changes that you made on the SW1 switch.

Step 16 On the SW1 switch, go to user EXEC mode by entering the end and exit commands. Log into the SW1 switch console by using the previously configured username and password in order to verify console protection.

    SW1(config-line)# end
    SW1# exit
    SW1 con0 is now available
    Press RETURN to get started.
    User Access Verification
    Username: ccna
    Password:
    SW1>

Step 17 On the SW1 switch, enter privileged EXEC mode by entering the previously configured password.

    SW1> enable
    Password:
    SW1#

Step 18 Return to PC1, open PuTTY, and establish a Telnet session to the SW1 switch to verify that you configured vty security correctly. Enter the appropriate credentials to log into the switch.

Activity Verification

No additional verification is needed in this task.

Task 2: Enable SSH Remote Access

Previously, you protected passwords by using encryption. However, when remote management uses the Telnet protocol, which sends all characters in cleartext, including passwords, the potential exists for packet capture and exploitation of this information.

In this task, you will configure SSH as an alternative to Telnet. If it is possible in your environment, it would be best to replace Telnet with SSH.

Activity Procedure

Complete the following steps:

Step 1 Configure the Branch router for SSH access. Use cisco.com as the domain name. The key length should be 1024 bits. Use SSH version 2 and make SSH the only remote access that is allowed.

Step 2 Save the changes that you made on the Branch router.

Step 3 Configure the SW1 switch for SSH access. Use cisco.com as the domain name, specify a key length of 1024 bits, use SSH version 2, and make SSH the only remote access that is allowed.

Step 4 Save the changes that you made on the SW1 switch.

Step 5 On PC1, open PuTTY and try to connect to the Branch router using Telnet. Your attempt will be unsuccessful.

Step 6 Now try to remotely connect from PC1 to the Branch router using SSH. Your attempt should be successful. Leave the connection open for the next step.

Step 7 On the Branch router, show the users that are logged into the system. Identify the user that is using the vty line.

    Branch# show users
        Line       User       Host(s)       Idle       Location
    *  0 con 0     ccna       idle          00:00:
         vty 0     ccna       idle          00:00:
      Interface    User       Mode          Idle       Peer Address

Step 8 Return to PC1. Open another PuTTY session and connect to the SW1 switch using SSH in order to verify the SSH configuration on the switch. Your attempt should be successful.

Activity Verification

No additional verification is needed in this task.

Task 3: Limit Remote Access to Selected Network Addresses

In this task, you will create an ACL on the SW1 switch and apply it to the vty lines. The ACL will permit remote sessions from the Branch router but not from PC1.

Activity Procedure

Complete the following steps:

Step 1 On the SW1 switch, define a standard ACL that will permit only the IP address of the Branch router. Any attempts to establish remote sessions from unauthorized devices should be logged.

Step 2 Apply the defined ACL to all vty lines of the SW1 switch.

    SW1(config)# line vty 0 15
    SW1(config-line)# access-class 1 in

Step 3 Save the changes that you made on the SW1 switch.

Activity Verification

You have completed this task when you attain this result:

Step 1 Try to establish an SSH remote session from PC1 to SW1 at You should not be successful because the ACL that you defined allows only the Branch router to establish sessions to the SW1 switch.

Step 2 Try to establish an SSH remote session from the Branch router. You should be successful.

    Branch# ssh -l ccna
    Password:
    SW1>

Step 3 On the SW1 switch, show the ACL that you defined for the vty lines. Notice that the counters for both the permit and deny statements increased. If you did not define an explicit deny statement, a remote session from PC1 would still be denied, but you would not be able to see counters for denied remote session attempts.

    SW1# show access-lists
    Standard IP access list 1
        10 permit (2 matches)
        20 deny any log (3 matches)

Task 4: Configure a Login Banner

As part of any security policy, you must ensure that network resources are clearly identified as being off limits to the casual visitor. Hackers have successfully used the fact that a welcome screen was presented at login as their legal defense for forced entry into the network. Therefore, a message that clearly states that access is restricted should be presented when a user is attempting to access a network device (switch, router, and so on). The Cisco IOS banner command allows you to do so.

Activity Procedure

Complete the following steps:

Step 1 Configure the Branch router with the following login banner message:

    ********** Warning *************
    Access to this device is restricted to authorized persons only!
    Unauthorized access is prohibited. Violators will be prosecuted.
    ***********************************************

Step 2 Save the changes that you made on the Branch router.

Step 3 Configure the SW1 switch with the same login banner that you used for the Branch router in the previous step:

    ********** Warning *************
    Access to this device is restricted to authorized persons only!
    Unauthorized access is prohibited. Violators will be prosecuted.
    ***********************************************

Step 4 Save the changes that you made on the SW1 switch.

Activity Verification

You have completed this task when you attain these results:

Step 1 Access the Branch router. Log out of the Branch router and then log back in. Notice the login banner that you were presented with as you logged in.

    Branch# logout
    Branch con0 is now available
    Press RETURN to get started.
    ********** Warning *************
    Access to this device is restricted to authorized persons only!
    Unauthorized access is prohibited. Violators will be prosecuted.
    ***********************************************
    User Access Verification
    Username: ccna
    Password:

Step 2 Access SW1. Log out of the SW1 switch console and then log back in. Notice the login banner that you were presented with as you logged in.

    SW1# logout
    SW1 con0 is now available
    Press RETURN to get started.
    ********** Warning *************
    Access to this device is restricted to authorized persons only!
    Un-authorized access is prohibited. Violators will be prosecuted.
    ***********************************************
    User Access Verification
    Username: ccna
    Password:

Note: When accessing network devices via the SSH protocol, some terminal clients such as PuTTY display the login banner only after the username parameter is entered as input.
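The hardening items from Tasks 1 to 4 of this lab can be checked against a saved running configuration. The Python check below is an added example, not part of the Cisco lab guide; both configurations are constructed, the address and hash are placeholders, and the finding names and the functions parse_line_blocks and audit_ios_config are assumptions of this example.

```python
import re

# Constructed sample: a configuration with the weaknesses this lab removes.
WEAK_CONFIG = """\
hostname Branch
!
enable password cisco
!
line con 0
 password cisco
 login
line vty 0 4
 password cisco
 login
 transport input telnet
line vty 5 15
 login local
 transport input all
"""

# Constructed sample: the same device after Tasks 1-4 (hash and IP are placeholders).
HARDENED_CONFIG = """\
hostname Branch
!
enable secret 4 PLACEHOLDERHASH
username ccna secret 4 PLACEHOLDERHASH
ip domain-name cisco.com
ip ssh version 2
access-list 1 permit 192.0.2.1
access-list 1 deny any log
banner login ^C Access restricted to authorized persons only! ^C
!
line con 0
 login local
line vty 0 15
 access-class 1 in
 login local
 transport input ssh
"""


def parse_line_blocks(config):
    """Split a config into global commands and per-'line' sub-command lists."""
    global_lines, blocks, current = [], {}, None
    for raw in config.splitlines():
        text = raw.strip()
        if not text or text == "!":
            current = None                      # separator ends any open block
        elif raw[0] != " ":                     # unindented: a global command
            if text.startswith("line "):
                current = text
                blocks[current] = []
            else:
                current = None
                global_lines.append(text)
        elif current is not None:               # indented under a 'line' header
            blocks[current].append(text)
    return global_lines, blocks


def audit_ios_config(config):
    """Return sorted (scope, finding) tuples for the Lab 3-1 hardening items."""
    global_lines, blocks = parse_line_blocks(config)
    findings = []

    def has_global(prefix):
        return any(line.startswith(prefix) for line in global_lines)

    if not has_global("enable secret "):
        findings.append(("global", "enable-secret-missing"))
    if has_global("enable password "):
        findings.append(("global", "enable-password-present"))
    if not has_global("ip ssh version 2"):
        findings.append(("global", "ssh-v2-not-enforced"))
    if not has_global("banner login"):
        findings.append(("global", "no-login-banner"))

    for header, cmds in blocks.items():
        # Task 1: a line password is stored in the config and shared by all users.
        if any(c.startswith("password ") for c in cmds):
            findings.append((header, "line-password-in-config"))
        if "login local" not in cmds:
            findings.append((header, "no-local-auth"))
        if header.startswith("line vty"):
            # Task 2: SSH must be the only remote access that is allowed.
            if "transport input ssh" not in cmds:
                findings.append((header, "vty-not-ssh-only"))
            # Task 3: an inbound access-class limits who may open sessions.
            if not any(re.fullmatch(r"access-class \S+ in", c) for c in cmds):
                findings.append((header, "vty-no-inbound-acl"))
    return sorted(findings)


if __name__ == "__main__":
    for scope, finding in audit_ios_config(WEAK_CONFIG):
        print(f"{scope:15} {finding}")
```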

Lab 3-2: Device Hardening

Activity Overview

Device hardening is crucial to increasing security in the network. In this lab, you will perform security device hardening on a router and switch.

Objectives

After you have completed this activity, you will be able to meet these objectives:

- Disable unused ports
- Configure port security on a switch
- Disable unused services
- Configure NTP

Visual Objective

The figure illustrates what you will accomplish in this activity.

[Figure: Visual Objective for Lab 3-2: Device Hardening]

[Figure: Detailed Visual Objective. Branch: configure NTP client and server. SW1: disable unused ports, configure port security, disable Cisco Discovery Protocol, configure NTP client. Server: HQ NTP server.]

Required Resources

No additional resources are required for this lab.

Command List

The table that follows describes the commands that are used in this activity. The commands are listed in alphabetical order so that you can easily locate the information that you need. Refer to this list if you need configuration command assistance during the lab activity.

Commands

| Command | Description |
| --- | --- |
| [no] cdp enable | Enables or disables Cisco Discovery Protocol on an interface |
| configure terminal | Enters configuration mode |
| interface interface | Enters interface configuration mode |
| ntp master [stratum] | Configures Cisco IOS Software as an NTP master clock. |
| ntp server {ip-address} | Allows the software clock to be synchronized by an NTP time server |
| ping dest_ip | Verifies connectivity between the source IP and destination IP |
| show cdp neighbors | Displays detailed information about neighboring devices that are discovered by using Cisco Discovery Protocol |
| show interfaces | Displays statistics for all interfaces that are configured on the router |
| show interfaces status | Displays the status of interfaces |
| show port-security interface interface | Displays the port security settings that are defined for an interface |
| show ntp associations | Displays the status of NTP associations |
| show ntp status | Displays the status of NTP |
| show port-security address | Displays the secure MAC addresses for all ports |
| [no] shutdown | Enables or disables an interface on the router |
| switchport mode access | Configures a switchport as an access port |
| switchport port-security | Enables the port security feature on the interface |
| switchport port-security mac-address mac-address | Enters a secure MAC address for the interface |

Job Aids

These job aids are available to help you complete the lab activity.

The table shows the hardware that is used in the lab and the operating system that is running on the devices.

| Device | Hardware | Operating System |
| --- | --- | --- |
| Branch | Cisco 2901 Integrated Services Router | c2900-universalk9-mz.spa m1 |
| Headquarters | Cisco 2901 Integrated Services Router | c2900-universalk9-mz.spa m1 |
| SW1 | Catalyst 2960 Series Switch | c2960-lanbasek9-mz se |
| PC1 | Any PC | Microsoft Windows 7 |
| PC2 | Any PC | Microsoft Windows 7 |

The table shows usernames and passwords that are used to access the lab devices.

| Device | Username | Password |
| --- | --- | --- |
| PC1 | Administrator | admin |
| PC2 | Administrator | admin |
| Branch (console access) | ccna | cisco |
| Branch (enable password) | / | cisco |
| SW1 (console access) | ccna | cisco |
| SW1 (enable password) | / | cisco |

Topology and IP Addressing

Devices are connected with Ethernet links. The figure illustrates the interface identification and IP addresses that are used in this lab setup.

[Figure: Topology and IP Addressing]

The table shows the interface identification and IP addresses that are used in this lab setup.

| Device | Interface | IP Address/Subnet Mask |
| --- | --- | --- |
| Branch | Gi0/ | /27 |
| Branch | Gi0/ | /24 |
| Headquarters | Gi0/ | /27 |
| Headquarters | Loopback | /24 |
| SW1 | VLAN | /24 |
| PC1 | Ethernet adapter local area connection | /24 |
| PC2 | Ethernet adapter local area connection | /24 |

Task 1: Disable Unused Ports

Unused ports on a switch can be a security risk. A hacker can plug a switch into an unused port and become part of the network. In this task, you will disable unused ports on a network switch.

Activity Procedure

Complete the following steps:

Step 1 Access the SW1 switch.

Step 2 Disable unused interfaces FastEthernet 0/14 to FastEthernet 0/24 with as few configuration steps as possible.

Step 3 Examine the status of interfaces FastEthernet 0/14 to FastEthernet 0/24. You should see interfaces FastEthernet 0/14 to FastEthernet 0/24 as disabled.

    SW1# show interfaces status
    Port      Name      Status       Vlan   Duplex  Speed  Type
    <output omitted>
    Fa0/13              connected    1      a-full  a      /100BaseTX
    Fa0/14              disabled     1      auto    auto   10/100BaseTX
    Fa0/15              disabled     1      auto    auto   10/100BaseTX
    Fa0/16              disabled     1      auto    auto   10/100BaseTX
    Fa0/17              disabled     1      auto    auto   10/100BaseTX
    Fa0/18              disabled     1      auto    auto   10/100BaseTX
    Fa0/19              disabled     1      auto    auto   10/100BaseTX
    Fa0/20              disabled     1      auto    auto   10/100BaseTX
    Fa0/21              disabled     1      auto    auto   10/100BaseTX
    Fa0/22              disabled     1      auto    auto   10/100BaseTX
    Fa0/23              disabled     1      auto    auto   10/100BaseTX
    Fa0/24              disabled     1      auto    auto   10/100BaseTX

Step 4 Save the running configuration to the startup configuration.

Activity Verification

No additional verification is needed in this task.

Task 2: Configure Port Security on a Switch

Port security is a feature that is supported on Cisco Catalyst switches that restricts a switch port to a specific set or number of MAC addresses. In this task, you will configure port security on the switch interface that faces the router. You will also demonstrate a port security violation.

Activity Procedure

Complete the following steps:

Step 1 Access the Branch router.

Step 2 Examine the MAC address of the Branch router interface GigabitEthernet 0/0, which faces the SW1 switch. Write down the MAC address, which you will need to configure the port security feature.

    Branch# show interfaces GigabitEthernet 0/0
    GigabitEthernet0/0 is up, line protocol is up
      Hardware is CN Gigabit Ethernet, address is f866.f (bia f866.f )

Note: Your MAC address might be different from the address that is shown in the output.

Step 3 Access the SW1 switch.

Step 4 Configure interface FastEthernet0/13, which faces the Branch router, as a static access port.

Step 5 Enable the port security feature on interface FastEthernet0/13. Manually specify the secure MAC address f866.f (which is not the MAC address of the Branch router). You will simulate a port security violation by misconfiguring the secure MAC address.

Step 6 Observe the switch output and verify the status of SW1 interface FastEthernet0/13. Make sure that a port security violation occurred because of the misconfigured secure MAC address.

    Sep 28 11:16:18.312: %PM-4-ERR_DISABLE: psecure-violation error detected on Fa0/13, putting Fa0/13 in err-disable state
    Sep 28 11:16:18.312: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address f866.f on port FastEthernet0/13.
    Sep 28 11:16:19.318: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/13, changed state to down
    Sep 28 11:16:20.317: %LINK-3-UPDOWN: Interface FastEthernet0/13, changed state to down

    SW1# show interfaces FastEthernet 0/13
    FastEthernet0/13 is down, line protocol is down (err-disabled)
      Hardware is Fast Ethernet, address is 001e.147c.6f0d (bia 001e.147c.6f0d)

    SW1#show port-security interface FastEthernet 0/13
    Port Security              : Enabled
    Port Status                : Secure-shutdown
    Violation Mode             : Shutdown
    Aging Time                 : 0 mins
    Aging Type                 : Absolute
    SecureStatic Address Aging : Disabled
    Maximum MAC Addresses      : 1
    Total MAC Addresses        : 1
    Configured MAC Addresses   : 1
    Sticky MAC Addresses       : 0
    Last Source Address:Vlan   : f866.f :1
    Security Violation Count   : 1

A port security violation occurs due to management traffic (Cisco Discovery Protocol, for example) coming from the router toward the switch.

Step 7 Try to ping PC1 at from the Branch router. Your attempt should fail because the switch port connecting to the Branch router is error-disabled.

    Branch# ping
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to , timeout is 2 seconds:
    U.U.U
    Success rate is 0 percent (0/5)

Step 8 Change the port security of the secure MAC address on SW1 interface FastEthernet0/13 to the correct MAC address, which you wrote down.

Note: Your MAC address for the Branch router might be different from the address that was shown in the output.

Step 9 Make the FastEthernet0/13 interface on SW1 operational again.

Step 10 Observe the switch output. Verify the status of the FastEthernet0/13 interface on SW1 and make sure that the interface is operational again.

    Sep 28 11:10:07.080: %LINK-3-UPDOWN: Interface FastEthernet0/13, changed state to up
    Sep 28 11:10:08.087: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/13, changed state to up

    SW1# show interfaces FastEthernet 0/13
    FastEthernet0/13 is down, line protocol is up
      Hardware is Fast Ethernet, address is 001e.147c.6f0d (bia 001e.147c.6f0d)

Step 11 Try to ping PC1 at from the Branch router. Your attempt should succeed now.

    Branch# ping
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to , timeout is 2 seconds:
    !!!!!

Step 12 Display the secure MAC addresses for interface FastEthernet0/13.

    SW1# show port-security address
    Secure Mac Address Table
    Vlan  Mac Address  Type              Ports  Remaining Age (mins)
          f866.f       SecureConfigured  Fa0/
    Total Addresses in System (excluding one mac per port) : 1
    Max Addresses limit in System (excluding one mac per port) : 8192

Step 13 Display the port security settings for the SW1 switch.

    SW1# show port-security
    Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
                    (Count)       (Count)         (Count)
    Fa0/                                                        Shutdown
    Total Addresses in System (excluding one mac per port) : 1
    Max Addresses limit in System (excluding one mac per port) : 8192

Step 14 Disable the port security feature on interface FastEthernet 0/13.

Step 15 Save the running configuration to the startup configuration.

Activity Verification

No additional verification is needed in this task.

Task 3: Disable Unused Services

Some services may not be needed on the router and therefore can be disabled. You will disable Cisco Discovery Protocol on the switch interface toward the router.

Activity Procedure

Complete the following steps:

Step 1 Access the Branch router.

Step 2 Examine the neighbor devices of the Branch router. You should see the SW1 switch as the neighbor device.

    Branch# show cdp neighbors
    Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
                      S - Switch, H - Host, I - IGMP, r - Repeater, P - Phone,
                      D - Remote, C - CVTA, M - Two-port Mac Relay
    Device ID    Local Intrfce    Holdtme    Capability    Platform    Port ID
    SW1          Gig 0/0          135        S I           WS-C2960-   Fas 0/

Step 3 Disable Cisco Discovery Protocol on the SW1 interface that is facing the Branch router.

Step 4 Examine the neighbor devices of the Branch router. You should not see switch SW1 anymore as a neighbor device because you disabled Cisco Discovery Protocol on the switch interface toward the router.

    Branch# show cdp neighbors
    Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
                      S - Switch, H - Host, I - IGMP, r - Repeater, P - Phone,
                      D - Remote, C - CVTA, M - Two-port Mac Relay
    Device ID    Local Intrfce    Holdtme    Capability    Platform    Port ID

Note: It may take up to 3 minutes for the neighbor to disappear from the output because of the holddown timer that is set to 180 seconds.

Step 5 Examine the neighbor devices of the SW1 switch. You should see no neighbor device because you disabled Cisco Discovery Protocol on the switch interface toward the Branch router.

    SW1# show cdp neighbors
    Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
                      S - Switch, H - Host, I - IGMP, r - Repeater, P - Phone,
                      D - Remote, C - CVTA, M - Two-port Mac Relay
    Device ID    Local Intrfce    Holdtme    Capability    Platform    Port ID

Step 6 Enable Cisco Discovery Protocol on the SW1 interface that faces the Branch router.

Step 7 Save the running configuration to the startup configuration.

Activity Verification

No additional verification is needed in this task.
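The violation messages from Task 2, Step 6 are what a log collector would see when a port is shut down by port security. The Python parser below is an added example, not part of the Cisco lab guide; it correlates those messages per port and reports which ports are still err-disabled. The log lines are constructed in the format shown in Step 6 (MAC addresses from the documentation range, the Fa0/7 events invented), and the function names are assumptions of this example.

```python
import re

# Constructed syslog lines modelled on the Step 6 and Step 10 output.
SAMPLE_LOG = """\
Sep 28 11:16:18.312: %PM-4-ERR_DISABLE: psecure-violation error detected on Fa0/13, putting Fa0/13 in err-disable state
Sep 28 11:16:18.312: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0000.5e00.5301 on port FastEthernet0/13.
Sep 28 11:16:19.318: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/13, changed state to down
Sep 28 11:16:20.317: %LINK-3-UPDOWN: Interface FastEthernet0/13, changed state to down
Sep 28 11:21:07.080: %LINK-3-UPDOWN: Interface FastEthernet0/13, changed state to up
Sep 28 11:21:08.087: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/13, changed state to up
Sep 28 11:30:02.500: %PM-4-ERR_DISABLE: psecure-violation error detected on Fa0/7, putting Fa0/7 in err-disable state
Sep 28 11:30:02.500: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0000.5e00.5302 on port FastEthernet0/7.
Sep 28 11:30:04.510: %LINK-3-UPDOWN: Interface FastEthernet0/7, changed state to down
""".splitlines()

PORT = r"([A-Za-z]+[\d/]+)"
ERR_DISABLE = re.compile(
    r"%PM-4-ERR_DISABLE: psecure-violation error detected on " + PORT)
VIOLATION = re.compile(
    r"%PORT_SECURITY-2-PSECURE_VIOLATION: .*MAC address ([0-9a-f.]{14}) on port " + PORT)
LINK = re.compile(r"%LINK-3-UPDOWN: Interface " + PORT + r", changed state to (up|down)")

# The same port appears as Fa0/13 and FastEthernet0/13 in different messages.
LONG_NAMES = {"Fa": "FastEthernet", "Gi": "GigabitEthernet"}


def normalize_port(name):
    """Expand an abbreviated interface name so both spellings share one key."""
    prefix, number = re.fullmatch(r"([A-Za-z]+)([\d/]+)", name).groups()
    return LONG_NAMES.get(prefix, prefix) + number


def summarize(lines):
    """Return {port: {violations, macs, err_disabled}} from syslog lines."""
    ports = {}

    def entry(name):
        return ports.setdefault(
            normalize_port(name),
            {"violations": 0, "macs": [], "err_disabled": False})

    for line in lines:
        if m := ERR_DISABLE.search(line):
            entry(m.group(1))["err_disabled"] = True
        elif m := VIOLATION.search(line):
            record = entry(m.group(2))
            record["violations"] += 1
            if m.group(1) not in record["macs"]:
                record["macs"].append(m.group(1))
        elif m := LINK.search(line):
            port = normalize_port(m.group(1))
            # A later link-up on a known port means it was re-enabled (Step 9).
            if m.group(2) == "up" and port in ports:
                ports[port]["err_disabled"] = False
    return ports


def still_err_disabled(lines):
    """Ports shut down by port security with no later link-up in the log."""
    return sorted(p for p, rec in summarize(lines).items() if rec["err_disabled"])


if __name__ == "__main__":
    for port, record in summarize(SAMPLE_LOG).items():
        print(port, record)
    print("needs attention:", still_err_disabled(SAMPLE_LOG))
```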

Task 4: Configure NTP

Networks use NTP to synchronize the clocks of various devices across a network. Clock synchronization within a network is critical for digital certificates and for correct interpretation of events within syslog data.

In this task, you will configure the Branch router as an NTP client of the server. The Branch router will also act as an NTP server for SW1 at the same time. The server has been preconfigured as the NTP server with stratum 3.

Activity Procedure

Complete the following steps:

Step 1 Configure the Branch router as an NTP client of the server at

Step 2 Verify NTP associations on the Branch router.

    Branch# show ntp associations
      address    ref clock    st    when    poll    reach    delay    offset    disp
    *~
     * sys.peer, # selected, + candidate, - outlyer, x falseticker, ~ configured

You should see that the Branch router synchronized its clock with the server.

Note: It may take several minutes in order to synchronize the clock with the NTP server.

Step 3 Verify the NTP status on the Branch router.

    Branch# show ntp status
    Clock is synchronized, stratum 4, reference is
    nominal freq is Hz, actual freq is Hz, precision is 2**21
    ntp uptime is (1/100 of seconds), resolution is 4016
    reference time is D46AE7E9.B6A4139E (09:46: UTC Thu Dec )
    clock offset is msec, root delay is 0.87 msec
    root dispersion is msec, peer dispersion is 1.88 msec
    loopfilter state is 'CTRL' (Normal Controlled Loop), drift is s/s
    system poll interval is 128, last update was 121 sec ago.

What is the stratum of the clock on the Branch router?

Step 4 Access the SW1 switch.

Step 5 Configure SW1 as an NTP client that will synchronize its time with the Branch router. Although the Branch router is configured only with NTP client configuration, it will respond to time requests from other clients. It will act as a server for switch SW1.

Step 6 Verify the NTP status and the NTP association status on the SW1 switch.

    SW1# show ntp status
    Clock is synchronized, stratum 5, reference is
    nominal freq is Hz, actual freq is Hz, precision is 2**17
    reference time is D46AEB16.D (09:59: UTC Thu Dec )
    clock offset is msec, root delay is 2.30 msec
    root dispersion is msec, peer dispersion is 8.38 msec
    loopfilter state is 'CTRL' (Normal Controlled Loop), drift is s/s
    system poll interval is 128, last update was 862 sec ago.

    SW1# show ntp associations
      address    ref clock    st    when    poll    reach    delay    offset    disp
    *~
     * sys.peer, # selected, + candidate, - outlyer, x falseticker, ~ configured

You should see that SW1 synchronized its clock with the Branch router.

What is the stratum of the clock on the SW1 switch?

Note: It may take several minutes in order to synchronize the clock with the NTP server.

Step 7 Save the running configuration to the startup configuration.

Activity Verification

No additional verification is needed in this task.

Lab 3-3: Filtering Traffic with ACLs

Activity Overview

A common mechanism for filtering traffic is ACLs, which enable you to allow, limit, or restrict access to a network resource. In this lab, you will configure traffic filtering using ACLs.

Objectives

After you have completed this activity, you will be able to meet these objectives:

- Configure extended, named ACLs
- Troubleshoot ACLs

Visual Objective

The figure illustrates what you will accomplish in this activity.

[Figure: Visual Objective for Lab 3-3: Filtering Traffic with ACLs]

[Figure: Detailed Visual Objective. Labels: Configure ACL, Troubleshoot ACL; Telnet Allowed, All Other Traffic Allowed; Telnet Blocked, All Other Traffic Allowed.]

Required Resources

There are no additional required resources for this lab.

Command List

The table that follows describes the commands that are used in this activity. The commands are listed in alphabetical order so that you can easily locate the information that you need. Refer to this list if you need configuration command assistance during the lab activity.

Commands

| Command | Description |
| --- | --- |
| configure terminal | Enters configuration mode |
| interface interface | Enters interface configuration mode |
| ip access-group ACL_name {in out} | Enables an IP ACL on an interface |
| ip access-list extended ACL_name | Defines an ACL and enters ACL configuration mode |
| {permit deny} {test conditions} | Creates ACL statements for a named ACL |
| show access-lists ACL_name | Displays the contents of all IP ACLs |
| show ip interface interface-type interface number | Displays IP-specific information for an interface, including the ACLs that are applied on an interface |

Job Aids

These job aids are available to help you complete the lab activity.

The table shows the hardware that is used in the lab and the operating system that is running on the devices.

| Device | Hardware | Operating System |
| --- | --- | --- |
| Branch | Cisco 2901 Integrated Services Router | c2900-universalk9-mz.spa m1 |
| Headquarters | Cisco 2901 Integrated Services Router | c2900-universalk9-mz.spa m1 |
| SW1 | Catalyst 2960 Series Switch | c2960-lanbasek9-mz se3 |
| PC1 | Any PC | Microsoft Windows 7 |
| PC2 | Any PC | Microsoft Windows 7 |

The table shows usernames and passwords that are used to access the lab devices.

| Device | Username | Password |
| --- | --- | --- |
| PC1 | Administrator | admin |
| PC2 | Administrator | admin |
| Branch (console access) | ccna | cisco |
| Branch (enable password) | / | cisco |
| SW1 (console access) | ccna | cisco |
| SW1 (enable password) | / | cisco |
| Server (HTTP) | ccna | cisco |

Topology and IP Addressing

Devices are connected with Ethernet links. The figure illustrates the interface identification and IP addresses that are used in this lab setup.

[Figure: Topology and IP Addressing]

The table shows the interface identification and IP addresses that are used in this lab setup.

| Device | Interface | IP Address/Subnet Mask |
| --- | --- | --- |
| Branch | Gi0/ | /27 |
| Branch | Gi0/ | /24 |
| Headquarters | Gi0/ | /27 |
| Headquarters | Loopback | /24 |
| SW1 | VLAN | /24 |
| PC1 | Ethernet adapter local area connection | /24 |
| PC2 | Ethernet adapter local area connection | /24 |

Task 1: Configure an ACL

ACLs enable you to control access to network resources based on Layer 3 packet-header information. In this task, you will configure an ACL that will prevent a Telnet connection from PC2 to the server. All other IP traffic will be permitted.

Activity Procedure

Complete the following steps:

Step 1 Access the Branch router. Use the credentials provided in the Job Aids section of the document in order to log in.

Step 2 Configure an extended ACL named Telnet that will prevent a Telnet connection from PC2 to the server. All other IP traffic should be permitted.

Step 3 Verify the content of the configured ACL.

    Branch# show access-lists Telnet
    Extended IP access list Telnet
        10 deny tcp host host eq telnet
        20 permit ip any any

Step 4 Apply the configured ACL to the GigabitEthernet0/0 interface in the correct direction.

Step 5 Verify that the configured ACL is applied to the GigabitEthernet0/0 interface in the correct direction.

    Branch# show ip interface GigabitEthernet 0/0
    GigabitEthernet0/0 is up, line protocol is up
      Internet address is /24
      Broadcast address is
      Address determined by setup command
      MTU is 1500 bytes
      Helper address is not set
      Directed broadcast forwarding is disabled
      Outgoing access list is not set
      Inbound access list is Telnet
      Proxy ARP is enabled
      Local Proxy ARP is disabled
    <...output omitted...>

Step 6 Save the running configuration to the startup configuration.

Step 7 Access PC1. Open PuTTY by double-clicking the PuTTY icon and establish a Telnet session to the server at

You should be successful.

Step 8 Verify that the counter that was matched by the permit ACL statement increased.

    Branch# show access-lists Telnet
    Extended IP access list Telnet
        10 deny tcp host host eq telnet
        20 permit ip any any (10 matches)

Note: The actual number of ACL hits may differ from the outputs that are provided in the lab guide.

Step 9 Access PC2. Open PuTTY by double-clicking the PuTTY icon and establish a Telnet session to the server at

You should not be successful because the configured ACL blocks Telnet traffic from PC2 to the server.

Step 10 Verify that the counter that was matched by the deny ACL statement increased.

    Branch# show access-lists Telnet
    Extended IP access list Telnet
        10 deny tcp host host eq telnet (9 matches)
        20 permit ip any any (10 matches)

Step 11 Access PC1. Open Internet Explorer and try to reach the HTTP server at IP address. Use the credentials that are provided in the Job Aids section of the document in order to log in. You should be successful.

Step 12 Access PC2. Open Internet Explorer and try to reach the HTTP server at IP address. Use the credentials that are provided in the Job Aids section of the document in order to log in. You should be successful.

Step 13 Verify that the counter that was matched by the permit ACL statement increased.

    Branch# show access-lists Telnet
    Extended IP access list Telnet
        10 deny tcp host host eq telnet (9 matches)
        20 permit ip any any (274 matches)

Activity Verification

No additional verification is needed in this task.

Task 2: Lab Setup

In this lab setup procedure, you will load a configuration to the Branch router to create a trouble ticket. You will resolve this ticket in the next task.

Activity Procedure

Complete the following steps:

Step 1 Access the Branch router.

Step 2 Copy the TSHOOT_Troubleshoot_ACLs_Branch.cfg file from the router flash memory into the router running configuration.

    Branch# copy flash:tshoot_troubleshoot_acls_branch.cfg running-config
    3341 bytes copied in secs (957 bytes/sec)

Activity Verification

No additional verification is needed in this task.

Task 3: Troubleshoot an ACL

It is very important to be able to analyze the behavior of configured ACLs and to troubleshoot them. In this task, you will troubleshoot the previously loaded trouble ticket. You should change the configuration so that a Telnet connection from PC2 to the server is not permitted, while all other IP traffic to the server is allowed.

Activity Procedure

Complete the following steps:

Step 1 Access PC1. Open PuTTY by double-clicking the PuTTY icon and establish a Telnet session to the server at

You should be successful.

Step 2 Access PC2. Open PuTTY by double-clicking the PuTTY icon and establish a Telnet session to the server at

You will be successful, although Telnet traffic from PC2 to the server should be blocked.

Step 3 Access PC1. Open Internet Explorer and try to reach the HTTP server at IP address. Use the credentials that are provided in the Job Aids section of the document in order to log in. You should be successful.

Step 4 Access PC2. Open Internet Explorer and try to reach the HTTP server at IP address. Use the credentials that are provided in the Job Aids section of the document in order to log in. You should be successful.

Step 5 Access the Branch router.

Step 6 Verify that the configured ACL is applied to the GigabitEthernet0/0 interface in the correct direction.

    Branch# show ip interface GigabitEthernet 0/0
    GigabitEthernet0/0 is up, line protocol is up
      Internet address is /24
      Broadcast address is
      Address determined by setup command
      MTU is 1500 bytes
      Helper address is not set
      Directed broadcast forwarding is disabled
      Outgoing access list is Telnet
      Inbound access list is not set
      Proxy ARP is enabled
      Local Proxy ARP is disabled
    <...output omitted...>

Step 7 Apply the configured ACL to the GigabitEthernet0/0 interface in the correct direction.

Step 8 Verify the contents of the configured ACL.

    Branch# show access-lists Telnet
    Extended IP access list Telnet
        10 permit ip any any (338 matches)
        20 deny ip any any
        30 deny tcp host host eq telnet

Step 9 Change the Telnet ACL so that it prevents Telnet connections from PC2 to the server. All other IP traffic should be permitted.

Step 10 Save the running configuration to the startup configuration.

Step 11 Access PC1. Open PuTTY by double-clicking the PuTTY icon and establish a Telnet session to the server at

You should be successful.

Step 12 Access PC2. Open PuTTY by double-clicking the PuTTY icon and establish a Telnet session to the server at
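The trouble-ticket ACL in Task 3, Step 8 fails because an extended ACL is evaluated top-down and stops at the first matching entry, so the specific deny at sequence 30 is never reached. The following sketch is an added example, not part of the lab guide: it parses `show access-lists` style output, reports entries that an earlier entry fully covers, and replays the lab's Telnet and HTTP tests. The addresses are constructed placeholders from documentation ranges (the lab's own addresses are not reproduced), the names `Ace`, `parse_acl`, `shadowed` and `evaluate` are hypothetical, and only the `any` and `host` address forms used in this lab are handled.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

PORT_NAMES = {"telnet": 23, "www": 80}      # IOS port keywords used here
ANY = ipaddress.ip_network("0.0.0.0/0")

# Constructed addresses (documentation ranges), not the lab's real ones.
PC1, PC2, SERVER = "192.0.2.11", "192.0.2.12", "198.51.100.10"

# ACL as loaded by the trouble ticket (Task 3, Step 8), with constructed hosts.
BROKEN_ACL = f"""
Extended IP access list Telnet
    10 permit ip any any (338 matches)
    20 deny ip any any
    30 deny tcp host {PC2} host {SERVER} eq telnet
"""
# ACL in the order shown in Task 1, Step 3.
FIXED_ACL = f"""
Extended IP access list Telnet
    10 deny tcp host {PC2} host {SERVER} eq telnet
    20 permit ip any any
"""

ACE_RE = re.compile(
    r"^\s*(\d+)\s+(permit|deny)\s+(ip|tcp)\s+(.+?)"
    r"(?:\s+\(\d+ match(?:es)?\))?\s*$")


@dataclass(frozen=True)
class Ace:
    seq: int
    action: str                      # "permit" or "deny"
    proto: str                       # "ip" or "tcp"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]             # None means any destination port


def _take_addr(tokens: List[str]) -> ipaddress.IPv4Network:
    """Consume 'any' or 'host A.B.C.D' from the front of the token list."""
    head = tokens.pop(0)
    if head == "any":
        return ANY
    if head == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    raise ValueError(f"unsupported address form: {head}")


def parse_acl(text: str) -> List[Ace]:
    """Parse numbered entries; the header line and hit counters are ignored."""
    aces = []
    for line in text.splitlines():
        m = ACE_RE.match(line)
        if not m:
            continue
        tokens = m.group(4).split()
        src, dst = _take_addr(tokens), _take_addr(tokens)
        dport = None
        if tokens[:1] == ["eq"]:
            dport = PORT_NAMES.get(tokens[1]) or int(tokens[1])
        aces.append(Ace(int(m.group(1)), m.group(2), m.group(3), src, dst, dport))
    return sorted(aces, key=lambda a: a.seq)


def covers(a: Ace, b: Ace) -> bool:
    """True if every packet that b matches is also matched by a."""
    return (a.proto in ("ip", b.proto)
            and b.src.subnet_of(a.src) and b.dst.subnet_of(a.dst)
            and a.dport in (None, b.dport))


def shadowed(aces: List[Ace]) -> List[Tuple[int, int]]:
    """Return (unreachable_seq, covering_seq) for entries that can never match."""
    hits = []
    for i, later in enumerate(aces):
        for earlier in aces[:i]:
            if covers(earlier, later):
                hits.append((later.seq, earlier.seq))
                break
    return hits


def evaluate(aces: List[Ace], proto: str, src: str, dst: str,
             dport: Optional[int] = None) -> Tuple[str, Optional[int]]:
    """First-match evaluation; falls through to the implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for ace in aces:
        if (ace.proto in ("ip", proto) and s in ace.src and d in ace.dst
                and ace.dport in (None, dport)):
            return ace.action, ace.seq
    return "deny", None


if __name__ == "__main__":
    for name, text in (("broken", BROKEN_ACL), ("fixed", FIXED_ACL)):
        acl = parse_acl(text)
        print(name, "shadowed entries:", shadowed(acl))
        print(name, "PC2 telnet ->", evaluate(acl, "tcp", PC2, SERVER, 23))
        print(name, "PC2 http   ->", evaluate(acl, "tcp", PC2, SERVER, 80))
```

An entry that still shows no hit counter after the test traffic in Steps 1 to 4, as entries 20 and 30 do in the Step 8 output, is the on-device hint that it may be shadowed.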


More information

CCNP ROUTE 6.0 Student Lab Manual

CCNP ROUTE 6.0 Student Lab Manual CCNP ROUTE 6.0 Student Lab Manual This document is exclusive property of Cisco Systems, Inc. Permission is granted to print and copy this document for non-commercial distribution and exclusive use by instructors

More information

Computer Networks I Laboratory Exercise 1

Computer Networks I Laboratory Exercise 1 Computer Networks I Laboratory Exercise 1 The lab is divided into two parts where the first part is a basic PC network TCP/IP configuration and connection to the Internet. The second part is building a

More information

Firewall Stateful Inspection of ICMP

Firewall Stateful Inspection of ICMP The feature addresses the limitation of qualifying Internet Control Management Protocol (ICMP) messages into either a malicious or benign category by allowing the Cisco IOS firewall to use stateful inspection

More information

CCNA Discovery 4.1.3 Working at a Small to Medium Business or ISP Student Packet Tracer Lab Manual

CCNA Discovery 4.1.3 Working at a Small to Medium Business or ISP Student Packet Tracer Lab Manual 4.1.3 Working at a Small to Medium Business or ISP Student Packet Tracer Lab Manual This document is exclusive property of Cisco Systems, In Permission is granted to print and copy this document for non-commercial

More information

Chapter 11 Network Address Translation

Chapter 11 Network Address Translation Chapter 11 Network Address Translation You can configure an HP routing switch to perform standard Network Address Translation (NAT). NAT enables private IP networks that use nonregistered IP addresses

More information

CCNA Discovery 4.0.3.0 Networking for Homes and Small Businesses Student Packet Tracer Lab Manual

CCNA Discovery 4.0.3.0 Networking for Homes and Small Businesses Student Packet Tracer Lab Manual 4.0.3.0 Networking for Homes and Small Businesses Student Packet Tracer Lab Manual This document is exclusive property of Cisco Systems, Inc. Permission is granted to print and copy this document for non-commercial

More information

CCBOOTCAMP s Comprehensive ICND2 Study Guide With Sample Questions

CCBOOTCAMP s Comprehensive ICND2 Study Guide With Sample Questions CCBOOTCAMP s Comprehensive ICND2 Study Guide With Sample Questions Interconnecting Cisco Networking Devices Part 2 (ICND2) Cisco Exam 640-816 A Unique Study Guide format that compresses important need-to-knowinformation

More information

Configuring the PIX Firewall with PDM

Configuring the PIX Firewall with PDM Configuring the PIX Firewall with PDM Objectives In this lab exercise you will complete the following tasks: Install PDM Configure inside to outside access through your PIX Firewall using PDM Configure

More information

Lab Configuring Syslog and NTP (Instructor Version)

Lab Configuring Syslog and NTP (Instructor Version) (Instructor Version) Instructor Note: Red font color or Gray highlights indicate text that appears in the instructor copy only. Topology Addressing Table Objectives Device Interface IP Address Subnet Mask

More information

Lab 5.3.7 Configuring DHCP with SDM and the Cisco IOS CLI

Lab 5.3.7 Configuring DHCP with SDM and the Cisco IOS CLI Lab 5.3.7 Configuring DHCP with SDM and the Cisco IOS CLI Device Host Name Interface IP Address Subnet Mask R1 Customer Serial 0/0/1 (DTE) 209.165.200.225 255.255.255.224 Fast Ethernet 0/0 192.168.1.1

More information

Configuring DHCP Snooping and IP Source Guard

Configuring DHCP Snooping and IP Source Guard CHAPTER 19 This chapter describes how to configure Dynamic Host Configuration Protocol (DHCP) snooping and IP Source Guard on Catalyst 4500 series switches. It provides guidelines, procedures, and configuration

More information

Cisco ISE Command-Line Interface

Cisco ISE Command-Line Interface This chapter provides information on the Cisco Identity Services Engine (Cisco ISE) command-line interface (CLI) that you can use to configure and maintain Cisco ISE. Cisco ISE Administration and Configuration

More information

Catalyst Layer 3 Switch for Wake On LAN Support Across VLANs Configuration Example

Catalyst Layer 3 Switch for Wake On LAN Support Across VLANs Configuration Example Catalyst Layer 3 Switch for Wake On LAN Support Across VLANs Configuration Example Document ID: 91672 Contents Introduction Prerequisites Requirements Components Used Conventions Background Information

More information

Encrypted Preshared Key

Encrypted Preshared Key Encrypted Preshared Key The Encrypted Preshared Key feature allows you to securely store plain text passwords in type 6 (encrypted) format in NVRAM. Feature History for Encrypted Preshared Key Release

More information

Cisco Certified Network Associate - Design

Cisco Certified Network Associate - Design Cisco Certified Network Associate - Design Information Course Price 2,655 No. Vouchers: Course Code 0 Vouchers CCNA-D No. Courses: 2 1/7 Interconnecting Cisco Networking Devices - Part 1 Information Length:

More information

During this lab time you will configure the routing protocol OSPF with IPv4 addresses.

During this lab time you will configure the routing protocol OSPF with IPv4 addresses. Lab 2: OSPF During this lab time you will configure the routing protocol OSPF with IPv4 addresses. It is your responsibility to create an appropriate IPv4 subnet plan and address plan. To ensure a timely

More information