
ICND1

Interconnecting Cisco
Networking Devices
Part 1
Version 1.0

Lab Guide

Text Part Number: 97-2507-01


DISCLAIMER WARRANTY: THIS CONTENT IS BEING PROVIDED “AS IS.” CISCO MAKES AND YOU RECEIVE NO WARRANTIES IN
CONNECTION WITH THE CONTENT PROVIDED HEREUNDER, EXPRESS, IMPLIED, STATUTORY OR IN ANY OTHER PROVISION OF
THIS CONTENT OR COMMUNICATION BETWEEN CISCO AND YOU. CISCO SPECIFICALLY DISCLAIMS ALL IMPLIED
WARRANTIES, INCLUDING WARRANTIES OF MERCHANTABILITY, NON-INFRINGEMENT AND FITNESS FOR A PARTICULAR
PURPOSE, OR ARISING FROM A COURSE OF DEALING, USAGE OR TRADE PRACTICE. This learning product may contain early release
content, and while Cisco believes it to be accurate, it falls subject to the disclaimer above.
Table of Contents
Lab Guide
Overview
Outline
Lab 1-1: Using Windows Applications as Network Tools
Activity Objective
Visual Objective
Required Resources
Command List
Job Aids
Task 1: Obtain the Current IP Address Information
Task 2: View the Network Properties of the PC Ethernet Adapter
Task 3: Test Connectivity to the Default Gateway Router
Task 4: View the ARP Bindings of IP Address to MAC Address
Lab 1-2: Observing the TCP Three-Way Handshake
Activity Objective
Visual Objective
Required Resources
Command List
Job Aids
Task 1: Prepare the Sniffer Software to Capture a TCP Flow
Task 2: Generate the TCP Flow to Be Captured
Task 3: Inspect the TCP Initialization Sequence
Lab 1-3: Observing Extended PC Network Information
Activity Objective
Visual Objective
Required Resources
Command List
Job Aids
Task 1: Obtain the Full Current IP Addressing Information
Task 2: Test Connectivity to the DNS Server
Task 3: Tracing Connectivity to the DNS Server
Lab 2-1: Connecting to Remote Lab Equipment
Activity Objective
Visual Objective
Required Resources
Command List
Job Aid
Task 1: Connect to Remote Console Server
Task 2: Connect to Remote VPN Router
Lab 2-2: Performing Switch Startup and Initial Configuration
Activity Objective
Visual Objective
Required Resources
Command List
Job Aids
Task 1: Connect to Your Assigned Workgroup Switch
Task 2: Verify That Switch Is Unconfigured and Reload
Task 3: Use System Configuration Dialog to Produce an Initial Configuration
Task 4: Add Default Gateway to Initial Configuration
Lab 2-3: Enhancing the Security of Initial Switch Configuration
Activity Objective
Visual Objective
Required Resources
Command List
Job Aids
Task 1: Add Password Protection to Console Port and Vty Lines
Task 2: Activate Password Encryption Service
Task 3: Apply a Login Banner
Task 4: Enable SSH Protocol for Remote Management
Task 5: Configure Port Security on a Switch
Task 6: Disable Unused Ports and Place All Ports in Access Mode
Lab 2-4: Operating and Configuring a Cisco IOS Device
Activity Objective
Visual Objective
Required Resources
Command List
Job Aids
Task 1: Explore Context-Sensitive Help
Task 2: Edit an Incorrect Command
Task 3: Improve the Usability of the CLI
Lab 4-1: Converting Decimal to Binary and Binary to Decimal
Activity Objective
Visual Objective
Required Resources
Command List
Job Aids
Activity Preparation
Task 1: Convert from Decimal Notation to Binary Format
Task 2: Convert from Binary Notation to Decimal Format
Lab 4-2: Classifying Network Addressing
Activity Objective
Visual Objective
Required Resources
Command List
Job Aids
Activity Preparation
Task 1: Convert from Decimal IP Address to Binary Format
Task 2: Convert from Binary Format to Decimal IP Address
Task 3: Identify IP Address Classes
Task 4: Identify Valid and Invalid Host IP Addresses
Lab 4-3: Computing Usable Subnetworks and Hosts
Activity Objective
Visual Objective
Required Resources
Command List
Job Aids
Activity Preparation
Task 1: Determine the Number of Bits Required to Subnet a Class C Network
Task 2: Determine the Number of Bits Required to Subnet a Class B Network
Task 3: Determine the Number of Bits Required to Subnet a Class A Network
Lab 4-4: Calculating Subnet Masks
Activity Objective
Visual Objective
Required Resources
Command List
Job Aids
Activity Preparation
Task 1: Determine the Number of Possible Network Addresses
Task 2: Given a Network Address, Define Subnets
Task 3: Given Another Network Address, Define Subnets
Task 4: Given a Network Address and Classful Address, Define Subnets
Task 5: Given a Network Block and Classful Address, Define Subnets
Task 6: Given a Network Block and Classful Address, Define Subnets
Lab 4-5: Performing Initial Router Startup
Activity Objective
Visual Objective
Required Resources
Command List

ii Interconnecting Cisco Networking Devices Part 1 (ICND1) v1.0 © 2007 Cisco Systems, Inc.
Job Aids
Task 1: Remove Any Residual Configuration from Your Router
Task 2: Reload the Router and Observe the Startup Output
Lab 4-6: Performing Initial Router Configuration
Activity Objective
Visual Objective
Required Resources
Command List
Job Aids
Task 1: Enter the Initial Configuration Using the setup Command
Task 2: Validate the Router Configuration
Lab 4-7: Enhancing the Security of Initial Router Configuration
Activity Objective
Visual Objective
Required Resources
Command List
Job Aids
Task 1: Add Password Protection to Console Port
Task 2: Activate Password Encryption Service
Task 3: Apply a Login Banner
Task 4: Enable SSH Protocol for Remote Management
Lab 4-8: Using Cisco SDM to Configure DHCP Server Function
Activity Objective
Visual Objective
Required Resources
Command List
Job Aids
Task 1: Configuring the Router to Support Web-Based Applications, a User with Privilege 15, and Telnet and SSH
Task 2: Use Cisco SDM to Configure a DHCP Pool
Task 2: Using Tools to Correlate Network Information
Lab 4-9: Managing Remote Access Sessions
Activity Objective
Visual Objective
Required Resources
Command List
Job Aids
Task 1: Improve the Usability of the Router CLI
Task 2: Connect to Your Remote Workgroup via VPN Tunnel
Task 3: Using the Cisco IOS CLI Commands to Control Telnet and SSH Sessions
Lab 5-1: Connecting to the Internet
Activity Objective
Visual Objective
Required Resources
Command List
Job Aids
Task 1: Use Cisco SDM to Configure the Ethernet Connection to the Internet
Task 2: Use the CLI to Verify and Observe the Operation of PAT on Your Workgroup Router
Lab 5-2: Connecting to the Main Office
Activity Objective
Visual Objective
Required Resources
Command List
Job Aids
Task 1: Configure Your Workgroup Router Serial 0/0/0
Task 2: Test Connectivity to Your Assigned Remote Network
Task 3: Add a Static Route Entry for Your Remote Network

Lab 5-3: Enabling Dynamic Routing to the Main Office
Activity Objective
Visual Objective
Required Resources
Command List
Job Aids
Task 1: Configure RIP Routing Protocol on Your Workgroup Router
Task 2: Replace the Existing Static Route and Test Connectivity
Lab 6-1: Using Cisco Discovery Protocol
Activity Objective
Visual Objective
Required Resources
Command List
Job Aids
Task 1: Use and Control Cisco Discovery Protocol on Your Workgroup Router
Task 2: Use and Control Cisco Discovery Protocol on Your Workgroup Switch
Lab 6-2: Managing Router Startup Options
Activity Objective
Visual Objective
Required Resources
Command List
Job Aids
Task 1: Modify the Configuration Register
Task 2: Observe the Flash File System and Add Boot System Commands
Lab 6-3: Managing Cisco Devices
Activity Objective
Visual Objective
Required Resources
Command List
Job Aids
Task 1: Copy Configuration Files
Task 2: Use debug Commands
Lab 6-4: Confirming the Reconfiguration of the Branch Network
Activity Objective
Visual Objective
Required Resources
Command Lists
Job Aids
Task 1: Connect to the Remote Lab
Task 2: Prepare to Verify Your Configuration
Task 3: Verify Your Configuration
Answer Key
Lab 2-2 Answer Key: Performing Switch Startup and Initial Configuration
Lab 2-3 Answer Key: Enhancing the Security of Initial Switch Configuration
Lab 2-4 Answer Key: Operating and Configuring a Cisco IOS Device
Lab 4-1 Answer Key: Converting Decimal to Binary and Binary to Decimal
Task 1: Convert from Decimal Notation to Binary Format
Task 2: Convert from Binary Notation to Decimal Format
Lab 4-2 Answer Key: Classifying Network Addressing
Task 1: Convert from Decimal IP Address to Binary Format
Task 2: Convert from Binary Format to Decimal IP Address
Task 3: Identify IP Address Classes
Task 4: Identify Valid and Invalid Host IP Addresses
Lab 4-3 Answer Key: Computing Usable Subnetworks and Hosts
Task 1: Determine the Number of Bits Required to Subnet a Class C Network
Task 2: Determine the Number of Bits Required to Subnet a Class B Network
Task 3: Determine the Number of Bits Required to Subnet a Class A Network
Lab 4-4: Answer Key
Task 1: Determine the Number of Possible Network Addresses
Task 2: Given a Network Block, Define Subnets

Task 3: Given Another Network Block, Define Subnets
Task 4: Given a Network Block and Classful Address, Define Subnets
Task 5: Given a Network Block and Classful Address, Define Subnets
Task 6: Given a Network Block and Classful Address, Define Subnets
Lab 4-5 Answer Key: Performing Initial Router Startup
Lab 4-6 Answer Key: Performing Initial Router Configuration
Lab 4-7 Answer Key: Enhancing the Security of Initial Router Configuration
Lab 4-8 Answer Key: Using Cisco SDM to Configure DHCP Server Function
Lab 4-9 Answer Key: Managing Remote Access Sessions
Lab 5-1 Answer Key: Connecting to the Internet
Lab 5-2 Answer Key: Connecting to the Main Office
Lab 5-3 Answer Key: Enabling Dynamic Routing to the Main Office
Lab 6-1 Answer Key: Using Cisco Discovery Protocol
Lab 6-2 Answer Key: Managing Router Startup Options
Lab 6-3 Answer Key: Managing Cisco Devices
Lab 6-4 Answer Key: Confirming the Reconfiguration of the Branch Network

ICND1

Lab Guide

Overview
This guide presents instructions and other information concerning the lab activities for this
course. You can find the solutions in the lab activity Answer Key.

Outline
This guide includes these activities:
• Lab 1-1: Using Windows Applications as Network Tools
• Lab 1-2: Observing the TCP Three-Way Handshake
• Lab 1-3: Observing Extended PC Network Information
• Lab 2-1: Connecting to Remote Lab Equipment
• Lab 2-2: Performing Switch Startup and Initial Configuration
• Lab 2-3: Enhancing the Security of Initial Switch Configuration
• Lab 2-4: Operating and Configuring a Cisco IOS Device
• Lab 4-1: Converting Decimal to Binary and Binary to Decimal
• Lab 4-2: Classifying Network Addressing
• Lab 4-3: Computing Usable Subnetworks and Hosts
• Lab 4-4: Calculating Subnet Masks
• Lab 4-5: Performing Initial Router Startup
• Lab 4-6: Performing Initial Router Configuration
• Lab 4-7: Enhancing the Security of Initial Router Configuration
• Lab 4-8: Using Cisco SDM to Configure DHCP Server Function
• Lab 4-9: Managing Remote Access Sessions
• Lab 5-1: Connecting to the Internet
• Lab 5-2: Connecting to the Main Office
• Lab 5-3: Enabling Dynamic Routing to the Main Office
• Lab 6-1: Using Cisco Discovery Protocol
• Lab 6-2: Managing Router Startup Options
• Lab 6-3: Managing Cisco Devices
• Lab 6-4: Confirming the Reconfiguration of the Branch Network
• Answer Key

Lab 1-1: Using Windows Applications as Network Tools
Complete this lab activity to practice what you learned in the related module.

Activity Objective
In this activity, you will be able to use Windows applications and commands to investigate the
IP configuration of your PC, and your local network. After completing this activity, you will be
able to meet these objectives:
• Using the Windows command ipconfig, determine the current network addressing
information of a PC.
• Using the Windows command ping, test connectivity to the default gateway
router.
• Using the Windows command arp -a, view the ARP table of the local PC and determine
the association between the IP address and the MAC address of the default-gateway

Visual Objective
The figure illustrates what you will accomplish in this activity.

[Figure: Visual Objective for Lab 1-1: Using Windows Applications as Network Tools]

Required Resources
These are the resources and equipment that are required to complete this activity:
• A PC connected to a functioning network, with connectivity to the Internet


Command List
The table describes the commands that are used in this activity.

Windows Commands

Command     Description

arp -a      This command with the -a parameter obtains the output of the ARP table.
            It should be remembered that the entries to the ARP table are removed
            after 5 minutes of inactivity.

ipconfig    This command outputs the current IP address, network mask, and default
            gateway IP address.

ping        ping (-t)

Job Aids
These job aids are available to help you complete the lab activity.
• There are no job aids for this lab.

Task 1: Obtain the Current IP Address Information


In order to obtain the current IP address information, it is necessary to use the Windows
ipconfig command. To access Windows commands it is necessary to open a Command
window.

Activity Procedure
Complete these steps:
Step 1 From the Windows desktop, click start.

Step 2 Choose run, and enter cmd in the Run window dialog box. Click OK to continue.

Step 3 From the Command window prompt, enter ipconfig. It is not necessary to capitalize
the command.

Step 4 Your output should resemble one of the four examples below.

Nonworking example 1: The output indicates no connectivity; probably the Ethernet cable is
not physically connected.

C:\Documents and Settings>ipconfig

Windows IP Configuration

Ethernet adapter Local Area Connection:

Media State . . . . . . . . . . . : Media disconnected

Nonworking example 2: The output indicates the PC is waiting to obtain its IP address
information automatically. This output is transient. The PC will either successfully get an
address, or you can retry the ipconfig command periodically until the output changes to one
of the remaining examples below.

C:\Documents and Settings>ipconfig

Windows IP Configuration

Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix . :


IP Address. . . . . . . . . . . . : 0.0.0.0
Subnet Mask . . . . . . . . . . . : 0.0.0.0
Default Gateway . . . . . . . . . :

Nonworking example 3: The output indicates the PC network adapter was unable to obtain an
IP address automatically, so the PC will use a generated link local address. Getting an address
may seem like success, but it really indicates that there is no connectivity to an IP address
server. This address will not be useful for network connectivity. If you see an IP address
beginning with 169.254.x.x, you do not have a valid address.

C:\Documents and Settings>ipconfig

Windows IP Configuration

Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix . :


Autoconfiguration IP Address. . . : 169.254.249.221
Subnet Mask . . . . . . . . . . . : 255.255.0.0
Default Gateway . . . . . . . . . :

Working example 1: The output indicates that the PC either has a preconfigured IP address or
it successfully obtained its IP address automatically. Your IP address, subnet mask, or default
gateway will most likely be different than what is shown.

C:\Documents and Settings>ipconfig

Windows IP Configuration

Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix . : cisco.com


IP Address. . . . . . . . . . . . : 192.168.1.105
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.1.1

Step 1 If you have a problem, ask your instructor for assistance. Continue only if you have
a valid IP address.

Step 2 Write the values you obtained from the ipconfig command in the spaces below, as
you will be using them in later tasks:

PC IP address: _______________________________

IP default gateway address: _______________________________


Activity Verification
You have completed this task when you attain this result:
• You obtained valid IP address information from the ipconfig command.
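
The four ipconfig outcomes described in Task 1 can also be told apart programmatically. The following is an added example, not part of the original lab guide: it parses ipconfig text and classifies each adapter, and it goes one step further than the lab by checking that the default gateway lies inside the PC's own subnet. The sample outputs are constructed from the examples above, and the function names are hypothetical.

```python
import ipaddress
import re

PREAMBLE = "Windows IP Configuration\n\nEthernet adapter Local Area Connection:\n\n"

# Constructed samples modelled on the four outputs shown in Task 1.
SAMPLES = {
    "nonworking 1": PREAMBLE
    + "   Media State . . . . . . . . . . . : Media disconnected\n",
    "nonworking 2": PREAMBLE
    + "   Connection-specific DNS Suffix  . :\n"
    + "   IP Address. . . . . . . . . . . . : 0.0.0.0\n"
    + "   Subnet Mask . . . . . . . . . . . : 0.0.0.0\n"
    + "   Default Gateway . . . . . . . . . :\n",
    "nonworking 3": PREAMBLE
    + "   Connection-specific DNS Suffix  . :\n"
    + "   Autoconfiguration IP Address. . . : 169.254.249.221\n"
    + "   Subnet Mask . . . . . . . . . . . : 255.255.0.0\n"
    + "   Default Gateway . . . . . . . . . :\n",
    "working 1": PREAMBLE
    + "   Connection-specific DNS Suffix  . : cisco.com\n"
    + "   IP Address. . . . . . . . . . . . : 192.168.1.105\n"
    + "   Subnet Mask . . . . . . . . . . . : 255.255.255.0\n"
    + "   Default Gateway . . . . . . . . . : 192.168.1.1\n",
}


def parse_adapters(text):
    """Return {adapter name: {field name: value}} from ipconfig output."""
    adapters, current = {}, None
    for line in text.splitlines():
        header = re.match(r"^\s*(.*\badapter\b.+?):\s*$", line)
        if header:
            current = adapters.setdefault(header.group(1), {})
            continue
        # "IP Address. . . . : 1.2.3.4" -> key "IP Address", value "1.2.3.4"
        field = re.match(r"^\s*(.+?)[\s.]*:\s*(.*)$", line)
        if field and current is not None:
            current[field.group(1)] = field.group(2).strip()
    return adapters


def classify(fields):
    """Map one adapter's fields to the states described in Task 1."""
    if "disconnected" in fields.get("Media State", "").lower():
        return "media disconnected"
    raw = (fields.get("IP Address") or fields.get("IPv4 Address")
           or fields.get("Autoconfiguration IP Address")
           or fields.get("Autoconfiguration IPv4 Address") or "")
    raw = raw.split("(")[0].strip()  # newer Windows appends "(Preferred)"
    if not raw:
        return "no address reported"
    ip = ipaddress.ip_address(raw)
    if ip.is_unspecified:            # 0.0.0.0: still waiting for an address
        return "waiting for address"
    if ip.is_link_local:             # 169.254.x.x: self-generated address
        return "link-local only"
    gateway = fields.get("Default Gateway", "")
    if not gateway:
        return "no default gateway"
    mask = fields.get("Subnet Mask", "32")
    network = ipaddress.ip_interface(f"{ip}/{mask}").network
    if ipaddress.ip_address(gateway) not in network:
        return "gateway outside local subnet"
    return "valid"


def diagnose(text):
    """Classify every adapter found in one ipconfig output."""
    return {name: classify(f) for name, f in parse_adapters(text).items()}


if __name__ == "__main__":
    for label, text in SAMPLES.items():
        print(label, "->", diagnose(text))
```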

Task 2: View the Network Properties of the PC Ethernet Adapter
Use the Windows operating system Network Properties dialog window. In this task you will
only view the configuration, but the same process would be followed should it be necessary to
modify or supply new IP network address values.

Activity Procedure
Complete these steps:
Step 1 From the Windows desktop, click the Local Area Connection shortcut on your
desktop.

Step 2 From the Local Area Connection status window, click the Properties button.

Step 3 At the Local Area Connection Properties window, scroll down to the bottom and
left-click the Internet Protocol (TCP/IP) to highlight it. Then click the Properties
button.

Step 4 At the Internet Protocol (TCP/IP) Properties window, you might find the Obtain an
IP Address Automatically radio button already set, with all the fields blank, as
shown below.

Step 5 Alternatively, you might see the Use the Following IP Address radio button chosen,
and the fields configured with IP address information matching the output you
obtained from the ipconfig command.

Note Below is an example only. Do not change your settings.

Step 6 Close all the dialog boxes and return to the Windows desktop.

Activity Verification
You have completed this task when you attain these results:
• You used the Windows TCP/IP properties to view the current configuration for the local
area connection.
• The values set in the TCP/IP properties were consistent with the information you obtained
using the ipconfig command.


Task 3: Test Connectivity to the Default Gateway Router
Using the Windows command ping allows you to test the connectivity of the network. Its
output demonstrates success or failure and gives an indication of the round-trip time taken.

Activity Procedure
Complete these steps:

Step 1 From the Command window prompt, enter ping followed by the address of your
default gateway that you obtained in Task 1.

Step 2 The first example below is an unsuccessful ping. Should you get this output you
should ask your instructor for assistance.

Nonworking example: The output indicates that no reply was received from the target IP
address.
C:\Documents and Settings>ping 192.168.1.1

Pinging 192.168.1.1 with 32 bytes of data:

Request timed out.


Request timed out.
Request timed out.
Request timed out.

Ping statistics for 192.168.1.1:


Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

Working example: This indicates successful receipt of replies from the target IP address.
C:\Documents and Settings>ping 192.168.1.1

Pinging 192.168.1.1 with 32 bytes of data:

Reply from 192.168.1.1: bytes=32 time<1ms TTL=255


Reply from 192.168.1.1: bytes=32 time<1ms TTL=255
Reply from 192.168.1.1: bytes=32 time<1ms TTL=255
Reply from 192.168.1.1: bytes=32 time<1ms TTL=255

Ping statistics for 192.168.1.1:


Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms

Step 3 Notice that by default the Windows command sends four ping packets (ICMP echo
requests).

Activity Verification
You have completed this task when you attain these results:
• You used the Windows ping command to test the connectivity to your default gateway
router.
• The round trip time should be very low.

Task 4: View the ARP Bindings of IP Address to MAC Address
The Windows command arp -a allows you to view the binding of the logical IP address and
the physical MAC address.

Activity Procedure
Complete these steps:

Step 1 From the Command window prompt, enter arp -a. It is necessary to use the -a
parameter to get the output of the ARP table.
C:\Documents and Settings>arp -a

Interface: 192.168.1.125 --- 0x2
  Internet Address      Physical Address      Type
  192.168.1.1           00-00-0c-07-ac-04     dynamic

Step 2 Your output should resemble the output in Step 1. If you did not get any values, it
may be that the ARP table has timed out the entry and you need to repeat Step 1 of
the previous task.
Step 3 Close your open Command window by typing exit at the prompt.

Activity Verification
You have completed this task when you attain this result:
• You were able to view the binding of the IP address to the MAC address.
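
A check that can be built on the ARP table from this task, as an added example (not part of the original lab guide): it parses arp -a output, confirms that the default gateway is still bound to the MAC address recorded earlier, and reports any MAC address that answers for more than one IP address. The sample outputs are constructed (the second is deliberately inconsistent), and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample: the gateway binding shown in Step 1 plus one more host.
ARP_BASELINE = """\
Interface: 192.168.1.125 --- 0x2
  Internet Address      Physical Address      Type
  192.168.1.1           00-00-0c-07-ac-04     dynamic
  192.168.1.20          00-11-22-33-44-55     dynamic
"""

# Constructed sample: the gateway IP now maps to the MAC of another host.
ARP_CHANGED = """\
Interface: 192.168.1.125 --- 0x2
  Internet Address      Physical Address      Type
  192.168.1.1           00-11-22-33-44-55     dynamic
  192.168.1.20          00-11-22-33-44-55     dynamic
"""

ROW = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+((?:[0-9a-f]{2}-){5}[0-9a-f]{2})\s+(\w+)\s*$",
    re.IGNORECASE,
)


def parse_arp(text):
    """Return {ip: (mac, entry type)} for every binding row in arp -a output."""
    table = {}
    for line in text.splitlines():
        row = ROW.match(line)
        if row:
            table[row.group(1)] = (row.group(2).lower(), row.group(3).lower())
    return table


def check_bindings(table, gateway_ip, expected_mac):
    """Compare the table with the recorded gateway binding; return findings."""
    findings = []
    entry = table.get(gateway_ip)
    if entry is None:
        # Entries age out of the table; ping the gateway and run arp -a again.
        findings.append(f"no entry for gateway {gateway_ip}")
    elif entry[0] != expected_mac.lower():
        findings.append(
            f"gateway {gateway_ip} is bound to {entry[0]}, expected {expected_mac.lower()}"
        )
    by_mac = defaultdict(list)
    for ip, (mac, _kind) in table.items():
        if mac != "ff-ff-ff-ff-ff-ff":  # the broadcast address is shared by design
            by_mac[mac].append(ip)
    for mac, ips in by_mac.items():
        if len(ips) > 1:
            findings.append(f"{mac} answers for several IPs: {', '.join(sorted(ips))}")
    return findings


if __name__ == "__main__":
    for name, text in (("baseline", ARP_BASELINE), ("changed", ARP_CHANGED)):
        result = check_bindings(parse_arp(text), "192.168.1.1", "00-00-0c-07-ac-04")
        print(name, "->", result or "bindings match")
```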



Lab 1-2: Observing the TCP Three-Way Handshake
Complete this lab activity to practice what you learned in the related module.

Activity Objective
In this activity, you will use a packet sniffer software application to view the TCP initial
three-way handshake. After completing this activity, you will be able to meet these objectives:
• Start the packet sniffer software application, to monitor the appropriate Ethernet interface
for recording the packet flow
• Generate a TCP connection using a web browser
• Observe the initial packets of the TCP flow, especially the SYN packet, SYN ACK packet,
and finally the ACK packet

Visual Objective
The figure illustrates what you will accomplish in this activity.

[Figure: Visual Objective for Lab 1-2: Observing the TCP Three-Way Handshake]

Required Resources
These are the resources and equipment that are required to complete this activity:
• A PC with access to the Internet
• The Wireshark packet sniffer Windows application
• Student Guide Module 1, Lesson 1

Command List
The table describes the applications that are used in this activity.

PC Applications

Windows Application    Description

Internet Explorer      Web browser, provides access to rich media content.

Wireshark              A packet sniffer application.

Caution Installing and/or using a packet sniffer application may be considered a breach of an
organization’s security policy, leading to serious legal and financial consequences. It is
recommended that before downloading, installing, or running such an application, you obtain
permission to do so.

Job Aids
These job aids are available to help you complete the lab activity.
• There are no job aids for this lab.

Task 1: Prepare the Sniffer Software to Capture a TCP Flow


In this task you will open the Wireshark application and apply the packet capture to your active
Ethernet interface.

Activity Procedure
Complete these steps:

Step 1 Open the Wireshark application by double-clicking its icon, which should be visible on your
desktop.



Step 2 Choose Capture, then choose Interfaces from the drop-down menu.

Step 3 Choose your local network Ethernet interface adapter. If this process is unclear, ask your
instructor for assistance. Click the Start button associated with the chosen interface. Make a
note of the IP address associated with your chosen Ethernet adapter, because it will be the
source IP address you will look for when examining captured packets.

Note your IP address here: _______________________________

Step 4 The capture windows will now be active.

Step 5 You will look more closely at the capture windows after you have captured the TCP flow.

Step 6 You may see some packets filling up the uppermost window. This will depend on the level of
background activity on the network you are attached to.

Activity Verification
You have completed this task when you attain this result:
• You have an open packet-capture window, associated with the Ethernet interface connected
to your default router.

Task 2: Generate the TCP Flow to Be Captured


You will use a web browser (Internet Explorer) to connect to a web server. The actual web
server chosen is not really important. The HTTP data that is used to carry web page text and
graphics uses TCP transport for reliability. The alternative best-effort protocol, you will recall,
would be UDP. All you are interested in is the initial exchange done by TCP to set up the
connection.

Activity Procedure
Complete these steps:

Step 1 At the PC desktop double-click the Internet Explorer icon to launch the web
browser.

Step 2 Enter the destination name or address. Your instructor may provide you with a name
or address different from “www.cisco.com.” If so, write down this information in
the space provided: ___________________________________________________



Step 3 Return to the already open Wireshark application and choose Capture > Stop from
the drop-down menu.

Step 4 If you have many TCP packets that are unrelated to your TCP connection, you may
need to use the filter capability of Wireshark.

Step 5 To use a preconfigured filter, click the Analyze tab. Then click Display Filters.

Step 6 In the Wireshark: Display Filter window, click TCP only, then click the OK
button.

Step 7 In the top window of the Wireshark application, use the scroll bar to place the first
captured TCP packet at the top of the window. This should be the first packet in the
flow.

Step 8 Observe the Info column of the captured packets in the top window; look for three
packets similar to those shown below. Two groups of three packets are shown
highlighted as an example.

Step 9 Note the first packet number in the sequence you have identified in your capture
window. There is no need to find more than one sequence of packets. In the example
above, packet 1 and packet 12 both begin a sequence. You will observe the contents
of these packets in detail in the next task.

Write down the packet number of the first packet in the TCP sequence in the space provided:
________________________________________________________________________

Step 10 If necessary, return to Step 4 in this task.



Activity Verification
You have completed this task when you attain these results:
• You have identified that you have captured the packet sequence described in Step 8.
• You have noted the first packet in the sequence to be inspected in detail.

Task 3: Inspect the TCP Initialization Sequence


You will use the Packet Details window of the Wireshark application to view the TCP
parameters exchanged during the initial startup sequence, often referred to as the “three-way
handshake.”

Activity Procedure
Complete these steps:

Step 1 In the top window of the Wireshark application click (anywhere) on the line
containing the first packet identified in the previous task. This will highlight the line
and make the two lower windows fill with the decoded information from that packet.
Step 2 In the example that follows, the Wireshark windows were adjusted to allow the
information to be viewed in a compact size. The middle window contains the
detailed decoding of the packet.
Step 3 Clicking the “+” icon on the left side will expand the view of the TCP information.
The view can be contracted by clicking the “–” icon.

Step 4 Notice in this example that the (forward) sequence number is set to zero, and the
SYN bit is 1 (set) in the Flags field.

Step 5 Click the next packet in the sequence (top window) and the detailed information will
change to match the new values.

Step 6 Notice in the reply packet that the (backward) sequence number is set to 0, and that
the acknowledgment number appears and is set to 1. Also in the Flags field, the
acknowledgment bit and the SYN bit are 1 (set).

Step 7 Click the next packet in the sequence (top window) and the detailed information will
change to match the new values.



Step 8 In the third and final packet in the exchange, notice that the (forward) sequence
number is now set to 1, the acknowledgment number is set to 1, and in the Flags
field, only the acknowledgment bit is 1 (set). At this point, the TCP connection is
said to be “established,” as both ends have synchronized their sequence and
acknowledgment numbers, as well as other parameters not discussed.

Step 9 Close the Wireshark application and all other open windows.

Activity Verification
You have completed this task when you attain this result:
• You have selected and decoded your three identified captured packets, and the values
match those shown and discussed in the examples within the task.
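
The sequence and acknowledgment values of 0 and 1 seen in Task 3 are relative numbers: Wireshark by default subtracts each side's initial sequence number (ISN), which on the wire is a large 32-bit value. The following added example (not part of the original lab guide) parses raw TCP headers, finds the SYN, SYN-ACK, ACK exchange, reproduces the relative values from Steps 4, 6 and 8, and lists connection attempts that never completed. The capture, addresses, ports and ISNs are constructed, and the function names are hypothetical.

```python
import struct

SYN, ACK = 0x02, 0x10
MOD = 2 ** 32  # sequence numbers are 32-bit and wrap around


def tcp_header(sport, dport, seq, ack, flags):
    """Pack a minimal 20-byte TCP header (no options, checksum left at 0)."""
    return struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 65535, 0, 0)


def parse_tcp(raw):
    """Return (source port, destination port, seq, ack, flags) from a header."""
    sport, dport, seq, ack, _offset, flags = struct.unpack("!HHIIBB", raw[:14])
    return sport, dport, seq, ack, flags


def find_handshakes(packets):
    """Return (completed handshakes, flows whose handshake never completed).

    packets is a list of (source IP, destination IP, raw TCP header).
    Each completed handshake lists (flags, relative seq, relative ack) per step.
    """
    pending, completed = {}, []
    for src, dst, raw in packets:
        sport, dport, seq, ack, flags = parse_tcp(raw)
        fwd, rev = (src, sport, dst, dport), (dst, dport, src, sport)
        if flags & SYN and not flags & ACK:
            # Step 1: client announces its ISN; relative sequence number is 0.
            pending[fwd] = {"client_isn": seq, "server_isn": None,
                            "steps": [("SYN", 0, None)]}
        elif flags & SYN and flags & ACK and rev in pending:
            # Step 2: server announces its ISN and acknowledges client ISN + 1.
            flow = pending[rev]
            flow["server_isn"] = seq
            flow["steps"].append(("SYN,ACK", 0, (ack - flow["client_isn"]) % MOD))
        elif flags & ACK and fwd in pending and pending[fwd]["server_isn"] is not None:
            # Step 3: client acknowledges server ISN + 1.
            flow = pending.pop(fwd)
            flow["steps"].append(("ACK", (seq - flow["client_isn"]) % MOD,
                                  (ack - flow["server_isn"]) % MOD))
            # Keep the flow only if the numbers are those of a valid handshake.
            if [s[1:] for s in flow["steps"]] == [(0, None), (0, 1), (1, 1)]:
                completed.append({"flow": fwd, **flow})
    return completed, sorted(pending)


# Constructed capture: one full handshake and one SYN that is never answered.
PC, WEB, SILENT = "192.168.1.105", "198.51.100.10", "198.51.100.20"
C_ISN, S_ISN = 0x9A3F21C0, 0x1B2C3D4E
CAPTURE = [
    (PC, WEB, tcp_header(49152, 80, C_ISN, 0, SYN)),
    (WEB, PC, tcp_header(80, 49152, S_ISN, C_ISN + 1, SYN | ACK)),
    (PC, WEB, tcp_header(49152, 80, C_ISN + 1, S_ISN + 1, ACK)),
    (PC, SILENT, tcp_header(49153, 80, 0x00C0FFEE, 0, SYN)),
]

if __name__ == "__main__":
    done, incomplete = find_handshakes(CAPTURE)
    for hs in done:
        print(hs["flow"], hex(hs["client_isn"]), hex(hs["server_isn"]), hs["steps"])
    print("never completed:", incomplete)
```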

Lab 1-3: Observing Extended PC Network Information
Complete this lab activity to practice what you learned in the related module.

Activity Objective
In this activity, you will use PC tools to gather network-related information. After completing
this activity, you will be able to meet these objectives:
• Using the Windows command ipconfig /all, determine IP addresses of the DNS servers
available to your PC
• Using the IP address of one of the DNS servers from Task 1, test connectivity to the DNS
servers using the Windows ping command
• Using the Windows command tracert /d, obtain the IP addresses of the routers traversed to
reach the DNS server tested in Task 2

Visual Objective
The figure illustrates what you will accomplish in this activity.

[Figure: Visual Objective for Lab 1-3: Observing Extended PC Network Information]

Required Resources
These are the resources and equipment that are required to complete this activity:
• A PC connected to a functioning network, with connectivity to the Internet


Command List
The table describes the commands that are used in this activity.

Windows Commands

Command                    Description

ipconfig /all              This command outputs all the current IP network information.

ping                       ping (-t)

tracert /d <ip Address>    Displays the IP address of the router at each hop as a
                           packet traverses the network towards the destination IP
                           address.

Job Aids
These job aids are available to help you complete the lab activity.
• There are no job aids for this lab.

Task 1: Obtain the Full Current IP Addressing Information


In order to obtain the full current IP address information on your PC, it is necessary to use the
Windows ipconfig /all command. To access Windows commands it is necessary to open a
Command window.

Activity Procedure
Complete these steps:
Step 1 From the Windows desktop, click start.

Step 2 Choose run, and enter cmd in the run window dialog box; click OK to continue.

Step 3 From the Command window prompt, enter ipconfig /all. It is necessary to add the
/all to get the full output.

Step 4 You will see from your own output that some extra, useful information is now
visible.
Step 5 Note the IP address of the first DNS server from the output of the prior step in the
space provided.

_________________________________________________________________

Activity Verification
You have completed this task when you attain this result:
• You have obtained the IP address of a DNS server from the output of the ipconfig /all
command on your PC.

Task 2: Test Connectivity to the DNS Server


In this task you will use the ping command to test connectivity to the DNS server that you
noted in the previous task.

Activity Procedure
Complete these steps:

Step 1 From the Command window prompt, enter ping <DNS IP Address>. Your output
should be similar to the example below (which uses a fictitious IP address).

Step 2 A successful ping indicates both that the packets are being received and that the
return packets are being routed back to your PC successfully.

Step 3 The implications of an unsuccessful ping sequence require more investigation. If
you assume the ping attempts were unsuccessful, then the next step would be to try
to see where in the network the problem was occurring.

Activity Verification
You have completed this task when you attain this result:
• You have used the Windows ping command to successfully test connectivity to the IP
address of the DNS server you noted in Task 1.

Task 3: Tracing Connectivity to the DNS Server
In this task you will use the tracert /d command to trace the path to the DNS server that you
noted in the previous task. The /d parameter stops tracert from using DNS to look up names
for the IP addresses discovered along the path and putting them in the output. In this scenario,
DNS is not working, so attempting a lookup would waste time. You will then use tracert without
/d to see what the output looks like when DNS is able to resolve some or all of the IP
addresses.

Activity Procedure
Complete these steps:

Step 1 Below is an example of an unsuccessful trace attempt to the DNS server. The
sequence would have continued until 30 hops had been tried. You will see that ^C
<ctrl-C> was used to terminate the command earlier than the default number.

Step 2 From the Command window prompt, enter tracert /d <DNS IP Address>. Your
output should be similar to the example below (which uses fictitious IP addresses).

Step 3 Now that you have seen that the route to the DNS server is working, use the
command without the /d parameter to see what the output looks like when symbolic
names are available. Your output should be similar to the example below (which
uses fictitious IP addresses).

Step 4 Close the Command window by clicking the X button in the top right corner.

Activity Verification
You have completed this task when you attain these results:
• You have used the tracert /d command on your PC to suppress DNS lookup during the
trace to the destination address.
• You have used the tracert command without the /d parameter on your PC to display the
symbolic names associated with specific IP addresses discovered during the trace to the
destination address.
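
The question raised in Task 2 (where in the network a failure occurs) can be answered from tracert output, with or without /d. The parser below is an added example, not part of the Cisco lab guide; both sample traces are constructed and use documentation and private address ranges.

```python
import re
from typing import NamedTuple, Optional

# Constructed sample: "tracert /d" where the path stops answering after hop 2
# and the user pressed Ctrl-C before the 30-hop limit.
FAILED_TRACE = """\
Tracing route to 192.0.2.53 over a maximum of 30 hops

  1    <1 ms    <1 ms    <1 ms  192.168.1.1
  2     9 ms     8 ms     9 ms  198.51.100.1
  3     *        *        *     Request timed out.
  4     *        *        *     Request timed out.
^C
"""

# Constructed sample: plain "tracert", with names resolved for some hops.
NAMED_TRACE = """\
Tracing route to dns.example.net [192.0.2.53]
over a maximum of 30 hops:

  1    <1 ms    <1 ms    <1 ms  gw.example.net [192.168.1.1]
  2     9 ms     *        9 ms  198.51.100.1
  3    12 ms    11 ms    12 ms  dns.example.net [192.0.2.53]

Trace complete.
"""

PROBE = r"(\*|<?\d+\s+ms)"
HOP_RE = re.compile(rf"^\s*(\d+)\s+{PROBE}\s+{PROBE}\s+{PROBE}\s+(.+?)\s*$")
TARGET_RE = re.compile(r"^Tracing route to (?:(\S+) \[([\d.]+)\]|([\d.]+))")
NAMED_HOP_RE = re.compile(r"^(\S+) \[([\d.]+)\]$")
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


class Hop(NamedTuple):
    ttl: int
    rtts_ms: tuple           # one entry per probe; None = no reply, "<1 ms" = 0
    name: Optional[str]      # only present when tracert ran without /d
    address: Optional[str]   # None when all three probes timed out


def _rtt(field):
    """Convert one probe column ("*", "<1 ms", "9 ms") to milliseconds."""
    if field == "*":
        return None
    return 0 if field.startswith("<") else int(field.split()[0])


def parse_tracert(text):
    """Return (destination_ip, [Hop, ...]) from Windows tracert output."""
    dest, hops = None, []
    for line in text.splitlines():
        m = TARGET_RE.match(line)
        if m:
            dest = m.group(2) or m.group(3)
            continue
        m = HOP_RE.match(line)
        if not m:
            continue                      # blank lines, ^C, "Trace complete."
        who = m.group(5)
        name = address = None
        named = NAMED_HOP_RE.match(who)
        if named:
            name, address = named.groups()
        elif IPV4_RE.match(who):
            address = who                 # "Request timed out." leaves it None
        rtts = tuple(_rtt(m.group(i)) for i in (2, 3, 4))
        hops.append(Hop(int(m.group(1)), rtts, name, address))
    return dest, hops


def locate_break(text):
    """Summarise how far the trace got and where replies stopped."""
    dest, hops = parse_tracert(text)
    answered = [h for h in hops if h.address]
    reached = any(h.address == dest for h in answered)
    last = answered[-1] if answered else None
    silent = [h.ttl for h in hops
              if not h.address and (last is None or h.ttl > last.ttl)]
    return {
        "destination": dest,
        "reached": reached,
        "last_responding": last.address if last else None,
        "first_silent_ttl": None if reached or not silent else silent[0],
    }


if __name__ == "__main__":
    print(locate_break(FAILED_TRACE))
    print(locate_break(NAMED_TRACE))
```

A silent hop is not proof of a fault at that router, since some devices simply do not answer trace probes; the last responding address is the place to start looking.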

Lab 2-1: Connecting to Remote Lab Equipment
Complete this lab activity to test the connectivity in your pod and to practice both
connecting to the console server and connecting using the VPN client.

Activity Objective
In this activity, you will begin preparations for subsequent labs by testing and practicing the
connectivity for your assigned workgroup equipment, which you will use for the remaining lab
practice exercises in the course. After completing this activity, you will be able to meet these
objectives:
• Connect to your assigned workgroup equipment using a console (terminal) server so that
switches and routers may be configured via the console ports.
• Connect to your assigned workgroup equipment using the VPN client software so your PC
will be connected through an interface on your workgroup switch. This will allow the
configuration of your workgroup router using Cisco Router and Security Device Manager
(SDM).

Visual Objective
The figures illustrate what you will accomplish in this activity.

[Figure: Visual Objective for Lab 2-1, Connecting to Remote Lab Equipment]

Your lab equipment is located remotely and will be accessed in two distinct ways.

The first method is by connecting using SSH connectivity. This provides access to a console
server (also known as a terminal server). The console server has serial connections to the
console ports of the Cisco switches and routers used in the labs. This first method sends packets
across the Internet. In these packets, the data is individually protected by encryption.

The second method is by connecting using a VPN. This provides access via a VPN router to the
same network that your workgroup switch is connected to. This second method sends packets
via an encrypted tunnel across the Internet.

Required Resources
These are the resources and equipment required to complete this activity:
• Lab topology configured for this course
• Student pod consisting of one Cisco Catalyst 2960 switch and one Cisco 2811 router (or
functionally equivalent Cisco devices)

Classroom reference materials as follows:


• Lab Guide
• Student PC or workstation with SSH and VPN client access to workstation pod devices

Command List
The table describes the applications and command used in this activity.

PC Application

Windows Applications    Description

PuTTY SSH Client        Terminal emulation application which supports SSH protocol

Cisco VPN Client        VPN client software application

Windows Command

ipconfig /all           Command that outputs all the current IP network information

Job Aid
This job aid is available to help you complete the lab activity:
• Fill in this table of class-dependent network and connection information, using the values
provided by your instructor.

Table 1: Network and Connection Information

Information                                              Instructor-Assigned Value

Your assigned workgroup (letter)

IP address of the console server

Username and password for SSH

IP address of the VPN-RTR (if different from above)

VPN Client Connection Entry name

Username and Password for VPN (if different from SSH)

SSH terminal emulation application

Table 2: TFTP Server IP Address Information

Workgroup   TFTP Server IP Address   Workgroup   TFTP Server IP Address

A           10.2.2.1                 E           10.6.6.1
B           10.3.3.1                 F           10.7.7.1
C           10.4.4.1                 G           10.8.8.1
D           10.5.5.1                 H           10.9.9.1

Task 1: Connect to Remote Console Server


In this task you will use an SSH-capable terminal emulation application. This terminal emulator
will enable you to configure and control the Cisco remote network devices via their “console”
port.

Activity Procedure
Complete these steps:

Step 1 From the desktop of your PC, double-click the icon of the terminal emulator. In the
example, PuTTY is being used.

Step 2 Ensure that the SSH radio button is selected. Enter the IP address of the console
server in the Host Name field and click Open.

Step 3 Enter the SSH login name and password at the prompts, using those you have noted
in Table 1. You may see a PuTTY security warning if PuTTY does not have the host
key cached; answer Yes to proceed.

Step 4 A banner message followed by a table showing item numbers used to connect to the
workgroups is displayed. Read the information regarding the escape sequence used
to return from a switch or router connection to the menus. To do this, press the
following keys simultaneously: Ctrl-Shift-6. Then release them and press x
(lowercase).

Step 5 Select your workgroup by entering its associated item number.

Step 6 You are now at the Workgroup menu. Your choices are to enter 1 to connect to the
router, 2 to connect to the switch, or exit to return to the previous menu. Type exit
followed by the Enter key to return to the previous menu.

Step 7 Now type exit followed by the Enter key to end the SSH session.

Step 8 Depending on the terminal emulator used, the window may close, go blank, or
appear unchanged. However, the session has ended, and any keystrokes will be
ignored.

Step 9 Close the terminal emulation application, if it did not close automatically.

Activity Verification
You have completed this task when you attain these results:
• You were able to access the remote console server using the information provided in
Table 1.

• You were able to access the Workgroup menu of your assigned pod.
• You were able to navigate back to the main menu, end the terminal session, and close the
application.

Task 2: Connect to Remote VPN Router


In this task you will use the Cisco VPN client software to access the remote lab. Once there you
will observe the changes to your local PC IP addressing and discuss the changes to the packet
forwarding behavior.

Activity Procedure
Complete these steps:

Step 1 From your PC desktop, open the Cisco VPN client by clicking the VPN Client icon.

Step 2 Choose the connection entry associated with your assigned workgroup.

Step 3 Click the Connect icon at the top left of the application window.

Step 4 The Connect icon changes and a User Authentication window opens.

Step 5 Type the VPN username and password you recorded in Table 1, and press Enter.
After a momentary pause, the VPN windows close. A small Padlock icon that was
placed in the system tray at the bottom right side of the screen goes from an open
padlock to a closed padlock. If the window does NOT close, manually minimize it.

Step 6 In order to view the changes to the IP addressing of the PC, it is necessary to open a
Command window and use the IPCONFIG command.

Step 7 When you do this you will observe that a second Ethernet adapter now has an IP
address and mask. Your output may be different; however, this address and mask are
specific to the workgroup addressing used in the labs that follow. The VPN
adapter does NOT have a default gateway specified, because the packet forwarding
behavior has been modified so that packets destined for networks that have been
configured on the VPN router are forwarded through the tunnel. This occurs
automatically, and any packets not matching are sent to the configured default
gateway associated with the other Ethernet adapter.

Step 8 You should be able to ping successfully the address 10.x.x.1, where x = 2 for WG A,
3 for WG B, and so forth, with x = 9 for WG H. If you are unsuccessful, you should
ask your instructor for assistance. Your output should be similar to the example
below.
C:\Documents and Settings>ping 10.10.10.1

Pinging 10.10.10.1 with 32 bytes of data:

Reply from 10.10.10.1: bytes=32 time=9ms TTL=127
Reply from 10.10.10.1: bytes=32 time=8ms TTL=127
Reply from 10.10.10.1: bytes=32 time=9ms TTL=127
Reply from 10.10.10.1: bytes=32 time=8ms TTL=127

Ping statistics for 10.10.10.1:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 8ms, Maximum = 9ms, Average = 8ms

Step 9 In later labs you will use the VPN tunnel to allow the connection of a browser to
your workgroup router.
Step 10 In order to terminate your VPN connection, double-click the system tray Padlock
icon, which will open the VPN application window. You can also right-click the
padlock icon and choose Disconnect.

Step 11 Click the Disconnect icon in the top right of the VPN application window. This will
close the tunnel connection and remove the IP addressing changes to the PC.
Step 12 Close the VPN application window.

Step 13 Confirm that the PC has its original network IP address by using the IPCONFIG
command in the Command window.

Step 14 Having confirmed that the connection information has been removed, close any
remaining Windows applications.
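
The forwarding behavior described in Step 7 is a longest-prefix route lookup, sketched below as an added example that is not part of the Cisco lab guide. The routing tables are constructed: they assume workgroup A with a /24 workgroup network, a 192.168.1.0/24 home LAN, and a hypothetical second table in which the VPN adapter does carry a default route, for comparison.

```python
import ipaddress
from typing import NamedTuple, Optional


class Route(NamedTuple):
    prefix: ipaddress.IPv4Network
    gateway: Optional[str]   # None = on-link, no next hop needed
    adapter: str
    metric: int


def route(prefix, gateway, adapter, metric):
    return Route(ipaddress.ip_network(prefix), gateway, adapter, metric)


# Constructed table for a PC in workgroup A with the VPN connected.
# Assumptions: home LAN 192.168.1.0/24 with gateway 192.168.1.1, and only the
# workgroup's own 10.2.2.0/24 network was installed on the VPN adapter.
SPLIT_TUNNEL = [
    route("0.0.0.0/0",      "192.168.1.1", "Local Area Connection", 20),
    route("192.168.1.0/24", None,          "Local Area Connection", 20),
    route("10.2.2.0/24",    None,          "VPN adapter",           1),
]

# Hypothetical comparison: the same PC if the VPN adapter DID have a default
# gateway (10.2.2.3 is a placeholder next hop chosen for this example).
WITH_VPN_DEFAULT = SPLIT_TUNNEL + [
    route("0.0.0.0/0", "10.2.2.3", "VPN adapter", 1),
]


def select_route(dest, routes=SPLIT_TUNNEL):
    """Longest matching prefix wins; the lowest metric breaks ties."""
    ip = ipaddress.ip_address(dest)
    matches = [r for r in routes if ip in r.prefix]
    if not matches:
        return None
    return max(matches, key=lambda r: (r.prefix.prefixlen, -r.metric))


def leaves_outside_tunnel(destinations, routes=SPLIT_TUNNEL, tunnel="VPN adapter"):
    """Destinations whose packets never enter the encrypted tunnel."""
    outside = []
    for dest in destinations:
        chosen = select_route(dest, routes)
        if chosen is None or chosen.adapter != tunnel:
            outside.append(dest)
    return outside


if __name__ == "__main__":
    for dest in ("10.2.2.1", "10.3.3.1", "203.0.113.10", "192.168.1.50"):
        r = select_route(dest)
        print(f"{dest:>14} -> {r.adapter} via {r.gateway or 'on-link'}")
    print(leaves_outside_tunnel(["10.2.2.1", "203.0.113.10"]))
```

Only the lab network is protected by the tunnel in the split configuration; everything else, including other workgroups' addresses under these assumptions, still leaves through the PC's normal gateway.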

Activity Verification
You have completed this task when you attain these results:
• You were able to access the remote lab network, using the VPN client application and the
information recorded in Table 1.
• You were able to confirm access using ping and web connectivity.

Lab 2-2: Performing Switch Startup and Initial Configuration
Complete this lab activity to practice what you learned in the related module.

Activity Objective
In this activity, you will connect to your workgroup switch and complete the initial device
configuration. After completing this activity, you will be able to meet these objectives:
• Restart the switch and verify the initial configuration messages
• Complete the initial configuration of the Cisco Catalyst switch

Visual Objective
The figure illustrates what you will accomplish in this activity.

[Figure: Visual Objective for Lab 2-2, Performing Switch Startup and Initial Configuration]

Workgroup Switch Hostname   IP Address   Subnet Mask
SwitchA                     10.2.2.11    255.255.255.0
SwitchB                     10.3.3.11    255.255.255.0
SwitchC                     10.4.4.11    255.255.255.0
SwitchD                     10.5.5.11    255.255.255.0
SwitchE                     10.6.6.11    255.255.255.0
SwitchF                     10.7.7.11    255.255.255.0
SwitchG                     10.8.8.11    255.255.255.0
SwitchH                     10.9.9.11    255.255.255.0

Required Resources
These resources and equipment are required to complete this activity:
• PC with connectivity to the remote lab
• An SSH-capable terminal emulation application
• Your assigned pod information from Lab 2-1

Command List
The table describes the commands that are used in this activity.

Switch Cisco IOS Commands

Command                           Description

configure terminal                Activates the configuration mode from the terminal.

copy running-config destination   Copies the switch running configuration file to another
                                  destination. A typical destination is the startup
                                  configuration.

enable                            Activates the privileged EXEC mode. In privileged EXEC
                                  mode, more commands are available. This command
                                  requires you to enter the enable password if an enable
                                  password is configured.

enable password password          The enable password protects access to the enable mode.
                                  However, this password is stored in cleartext in the
                                  configuration.

enable secret secret_password     The encrypted enable password protects access to the
                                  enable mode. An enable secret password overrides the
                                  cleartext enable password, should both be configured.

end                               This configuration command terminates the configuration
                                  mode.

erase startup-config              Erases the startup configuration stored in nonvolatile
                                  memory.

hostname hostname                 Sets the system name, which forms part of the prompt.

interface vlan 1                  Enters the interface configuration mode for VLAN 1 to set
                                  the switch management IP address.

ip address ip-address mask        Sets the IP address and mask of the interface.

ip default-gateway ip-address     Sets the default gateway of the switch. The default
                                  gateway is the router, which will forward IP packets that
                                  are not destined for the local network.

line vty 0 15                     Enters the virtual terminal line configuration mode. Vty
                                  lines allow access to the switch for remote network
                                  management. The number of vty lines available is
                                  dependent on the Cisco IOS Software version. Typical
                                  values are 0-4 and 0-15 (inclusive).

login                             This configuration line command applies a login process
                                  requiring a username and password for access.

password line password            Assigns a password to the console or vty ports.

reload                            Restarts the switch and reloads the Cisco IOS operating
                                  system and configuration.

show interface vlan 1             Displays the switch IP address information (Cisco Catalyst
                                  2950).

[no] shutdown                     Use the shutdown interface configuration command to
                                  disable an interface. Use the no form of this command to
                                  restart a disabled interface.
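
The difference between enable password, enable secret and line passwords noted in the table shows up directly in a saved configuration. The audit below is an added example, not part of the Cisco lab guide: its sample configuration is constructed in the shape of the setup script this lab produces (using the lab's own passwords and type 5 string), and the function and field names are this example's own.

```python
import re
from typing import NamedTuple

# Constructed sample in the shape of the setup script generated in this lab.
SAMPLE_CONFIG = """\
hostname SwitchX
enable secret 5 $1$3PTL$CG2pEpzgAJO3pkB7If4P9.
enable password cisco
line vty 0 15
password sanjose
!
interface Vlan1
no shutdown
ip address 10.10.10.11 255.255.255.0
"""

# Meaning of the optional type digit that precedes a stored password.
STORAGE_BY_TYPE = {
    None: "cleartext",               # no digit: the value itself is the password
    "0": "cleartext",
    "5": "salted MD5 hash",
    "7": "reversible obfuscation",   # produced by "service password-encryption"
}
READABLE = {"cleartext", "reversible obfuscation"}

CRED_RE = re.compile(
    r"^(enable secret|enable password|password)\s+(?:(\d)\s+)?(\S+)$")


class Credential(NamedTuple):
    line_no: int
    scope: str       # "global" or the enclosing "line ..." header
    command: str
    storage: str
    readable: bool   # True if reading the config is enough to learn the password


def audit_ios_credentials(config):
    """List every password-bearing command and how its value is stored."""
    found, line_scope = [], "unknown line"
    for n, raw in enumerate(config.splitlines(), start=1):
        line = raw.strip()
        if line.startswith("line "):
            line_scope = line            # bare "password" belongs to this line
            continue
        m = CRED_RE.match(line)
        if not m:
            continue
        command, ptype, _value = m.groups()
        storage = STORAGE_BY_TYPE.get(ptype, f"type {ptype} (not classified here)")
        scope = line_scope if command == "password" else "global"
        found.append(Credential(n, scope, command, storage, storage in READABLE))
    return found


def report(config):
    """Human-readable findings for credentials recoverable from the file."""
    creds = audit_ios_credentials(config)
    notes = [f"line {c.line_no}: {c.command} [{c.scope}] stored as {c.storage}"
             for c in creds if c.readable]
    if {"enable secret", "enable password"} <= {c.command for c in creds}:
        notes.append("enable password is overridden by enable secret but is "
                     "still readable in the configuration")
    return notes


if __name__ == "__main__":
    for note in report(SAMPLE_CONFIG):
        print(note)
```

Anyone who obtains a copy of this configuration, for example from a TFTP backup, learns the enable password and the vty password directly; only the enable secret is stored as a hash.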

Job Aids
These job aids are available to help you complete the lab activity. The table contains the
required information to be entered during initial switch configuration.

Table 1: Password Information

Configuration Parameter       Value

Enable password               cisco

Enable secret password        sanfran

Hostname                      Refer to Table 2

IP address and subnet mask    Refer to Table 2

IP default gateway            10.x.x.3 (where x.x is your workgroup’s second- and
                              third-octet address)

vty password                  sanjose

Table 2: Switch IP Address Information

Workgroup   Hostname   Switch IP Address   Mask

A           SwitchA    10.2.2.11           255.255.255.0
B           SwitchB    10.3.3.11           255.255.255.0
C           SwitchC    10.4.4.11           255.255.255.0
D           SwitchD    10.5.5.11           255.255.255.0
E           SwitchE    10.6.6.11           255.255.255.0
F           SwitchF    10.7.7.11           255.255.255.0
G           SwitchG    10.8.8.11           255.255.255.0
H           SwitchH    10.9.9.11           255.255.255.0

Task 1: Connect to Your Assigned Workgroup Switch


In this task you will connect to your assigned workgroup using the information and procedure
from Lab 2-1.

Activity Procedure
Complete these steps:

Step 1 Connect via SSH to your workgroup switch using the information from Lab 2-1.

Step 2 At the first menu, enter the item number that corresponds to your assigned
workgroup. This will be a number between 1 and 8.

Step 3 At the workgroup menu, enter cls2. When you are prompted to confirm, press the
Enter key. This clears any previous open connection; you may need to do this in
later labs if your connection is terminated unexpectedly. Your display should be
similar to the example below.

************************ ICND WG_Z **************************
************************ MENU **************************
To exit ssh session and return to the menu press
<CTRL>+<SHFT>+<6> then <X>. To clear a connection to begin
a new console session type cls# (where # = the menu item number)
Type "exit" to return to main menu.
*****************************************************************
ITEM# DEVICE NAME
-----------------------------------------------------------------

1 WorkGroup Z Router

2 WorkGroup Z Switch

exit Return to main menu

Please enter selection: cls2


[confirm]<ENTER>
[OK]

Step 4 Connect to your workgroup switch by entering the menu number 2 and then pressing
Enter. Your display should be similar to this example.
************************ ICND WG_Z **************************
************************ MENU **************************
To exit ssh session and return to the menu press
<CTRL>+<SHFT>+<6> then <X>. To clear a connection to begin
a new console session type cls# (where # = the menu item number)
Type "exit" to return to main menu.
*****************************************************************
ITEM# DEVICE NAME
-----------------------------------------------------------------

1 WorkGroup Z Router

2 WorkGroup Z Switch

exit Return to main menu

Please enter selection: 2


Trying swa (10.10.10.12, 2067)... Open

Activity Verification
You have completed this task when you attain this result:
„ You were able to access your assigned workgroup switch on the remote lab network, using
the SSH client application and the information recorded in Table 1 of Lab 2-1.

Task 2: Verify That Switch Is Unconfigured and Reload


In this task, you will use the erase startup-config command to ensure that the switch has no
prior configuration saved to the startup-config file stored in NVRAM (nonvolatile memory).
You will then reload the switch software and observe the output generated during the reload.

Activity Procedure
Complete these steps:

Step 1 You will need to press Enter several times to get the switch to display the prompt. If
you see the output “Switch>” proceed to Step 3. If not, proceed to Step 2.

Step 2 If your output resembles that displayed below, answer Yes to the question shown.
Press Enter twice.

Would you like to terminate autoinstall? [yes]: yes

--- System Configuration Dialog ---

Would you like to enter the initial configuration dialog? [yes/no]: no

Switch>
Switch>

Step 3 You are currently in the user mode. To see the effect of entering a privileged
command in the user mode, enter the command erase startup-config. Your display
should be similar to the example below.
Switch>erase startup-config
^
% Invalid input detected at '^' marker.

Step 4 The output is the response to entering a privileged EXEC command when in user
mode. Enter the command enable. Your display should be similar to the example
below.

Switch>enable
Switch#

Step 5 Notice that the switch prompt changed from Switch> to Switch#. This indicates that
you are in enable EXEC mode. When you now enter the erase startup-config
command, it is accepted. Press the Enter key to confirm and press Enter again to get
the switch prompt. Your display should be similar to the example below.
Switch#erase startup-config
Erasing the nvram filesystem will remove all configuration files! Continue?
[confirm]<ENTER>
[OK]
Erase of nvram: complete
00:18:46: %SYS-7-NV_BLOCK_INIT: Initalized the geometry of nvram <ENTER>
Switch#
Step 6 Enter the reload command. The switch will prompt for confirmation. Confirm that
you want to proceed with the reload. You will then be presented with a lot of output,
giving the status of the switch during the reload process. Your display should be
similar to the example below. Some repeating text has been omitted to reduce the
output length.
Switch#reload
Proceed with reload? [confirm]<ENTER>

00:21:00: %SYS-5-RELOAD: Reload requested by console. Reload Reason: Reload Command.

Base ethernet MAC Address: 00:1a:6d:44:6c:80


Xmodem file system is available.
The password-recovery mechanism is enabled.
Initializing Flash...
flashfs[0]: 597 files, 19 directories
flashfs[0]: 0 orphaned files, 0 orphaned directories
flashfs[0]: Total bytes: 32514048
flashfs[0]: Bytes used: 8208384
flashfs[0]: Bytes available: 24305664
flashfs[0]: flashfs fsck took 9 seconds.
...done Initializing Flash.

Boot Sector Filesystem (bs) installed, fsid: 3
done.
Loading "flash:c2960-lanbasek9-mz.122-25.SEE2/c2960-lanbasek9-mz.122-
25.SEE2.bin"...@@@@@@@@@@@@@@@@
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
..
.. text omitted
..
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
File "flash:c2960-lanbasek9-mz.122-25.SEE2/c2960-lanbasek9-mz.122-25.SEE2.bin"
uncompressed and installed, entry point: 0x3000
executing...

Restricted Rights Legend

Use, duplication, or disclosure by the Government is


subject to restrictions as set forth in subparagraph
(c) of the Commercial Computer Software - Restricted
Rights clause at FAR sec. 52.227-19 and subparagraph
(c) (1) (ii) of the Rights in Technical Data and Computer
Software clause at DFARS sec. 252.227-7013.

cisco Systems, Inc.


170 West Tasman Drive
San Jose, California 95134-1706

Cisco IOS Software, C2960 Software (C2960-LANBASEK9-M), Version 12.2(25)SEE2, RELEASE


SOFTWARE (fc1)
Copyright (c) 1986-2006 by Cisco Systems, Inc.
Compiled Fri 28-Jul-06 11:57 by yenanh
Image text-base: 0x00003000, data-base: 0x00BB7944

Initializing flashfs...

flashfs[1]: 597 files, 19 directories


flashfs[1]: 0 orphaned files, 0 orphaned directories
flashfs[1]: Total bytes: 32514048
flashfs[1]: Bytes used: 8208384
flashfs[1]: Bytes available: 24305664
flashfs[1]: flashfs fsck took 1 seconds.
flashfs[1]: Initialization complete....done Initializing flashfs.

POST: CPU MIC register Tests : Begin


POST: CPU MIC register Tests : End, Status Passed

POST: PortASIC Memory Tests : Begin


POST: PortASIC Memory Tests : End, Status Passed

POST: CPU MIC PortASIC interface Loopback Tests : Begin


POST: CPU MIC PortASIC interface Loopback Tests : End, Status Passed

POST: PortASIC RingLoopback Tests : Begin


POST: PortASIC RingLoopback Tests : End, Status Passed

POST: PortASIC CAM Subsystem Tests : Begin


POST: PortASIC CAM Subsystem Tests : End, Status Passed

POST: PortASIC Port Loopback Tests : Begin


POST: PortASIC Port Loopback Tests : End, Status Passed

Waiting for Port download...Complete

This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

If you require further assistance please contact us by sending email to


export@cisco.com.

cisco WS-C2960-24TT-L (PowerPC405) processor (revision B0) with 61440K/4088K bytes of


memory.
Processor board ID FOC1048ZE27
Last reset from power-on
1 Virtual Ethernet interface
24 FastEthernet interfaces
2 Gigabit Ethernet interfaces
The password-recovery mechanism is enabled.

64K bytes of flash-simulated non-volatile configuration memory.


Base ethernet MAC Address : 00:1A:6D:44:6C:80
Motherboard assembly number : 73-10390-03
Power supply part number : 341-0097-02
Motherboard serial number : FOC10483A1C
Power supply serial number : DCA104382KM
Model revision number : B0
Motherboard revision number : C0
Model number : WS-C2960-24TT-L
System serial number : FOC1048ZE27
Top Assembly Part Number : 800-27221-02
Top Assembly Revision Number : C0
Version ID : V02
CLEI Code Number : COM3L00BRA
Hardware Board Revision Number : 0x01

Switch Ports Model SW Version SW Image


------ ----- ----- ---------- ----------
* 1 26 WS-C2960-24TT-L 12.2(25)SEE2 C2960-LANBASEK9-M

Press RETURN to get started!

00:00:39: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan1, changed state to down


00:00:40: %SPANTREE-5-EXTENDED_SYSID: Extended SysId enabled for type vlan
00:01:01: %SYS-5-RESTART: System restarted --
Cisco IOS Software, C2960 Software (C2960-LANBASEK9-M), Version 12.2(25)SEE2, RELEASE
SOFTWARE (fc1)
Copyright (c) 1986-2006 by Cisco Systems, Inc.
Compiled Fri 28-Jul-06 11:57 by yenanh
00:01:03: %LINK-3-UPDOWN: Interface FastEthernet0/1, changed state to up
00:01:03: %LINK-3-UPDOWN: Interface FastEthernet0/2, changed state to up
00:01:03: %LINK-3-UPDOWN: Interface FastEthernet0/11, changed state to up
00:01:03: %LINK-3-UPDOWN: Interface FastEthernet0/12, changed state to up
00:01:04: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state
to up
00:01:04: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/2, changed state
to up
00:01:04: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/11, changed state
to up

00:01:04: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/12, changed state
to up
00:01:33: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan1, changed state to up

Step 7 At the prompt, to terminate AutoInstall, press Enter to accept the default, which is
yes—you do want to terminate AutoInstall.
Would you like to terminate autoinstall? [yes]:<ENTER>
Step 8 Now you are at the prompt to enter the initial configuration dialog. At this point you
have completed this task. Note that you will answer the question in Step 1 of the next task.
--- System Configuration Dialog ---

Would you like to enter the initial configuration dialog? [yes/no]:

Activity Verification
You have completed this task when you attain these results:
• You were able to erase any existing configuration.
• You were able to obtain output similar to that given in Steps 6 through 8.

Task 3: Use System Configuration Dialog to Produce an Initial Configuration
Continuing the process started in the last task, you will choose the initial configuration dialog
and will see the System Configuration Dialog displayed. You will then enter basic values for
your switch. This configuration mode is also known as “setup,” from the command-line method
to activate it.

Activity Procedure
Complete these steps:

Step 1 You are ready to complete the initial configuration. At the prompt (from the last step
of the previous task, repeated below), enter yes and then press Enter to continue
with the switch configuration. Throughout the following configuration, your entries
are shown in bolded text.
--- System Configuration Dialog ---

Would you like to enter the initial configuration dialog? [yes/no]:yes

Step 2 Decline entering basic management setup by entering no.


At any point you may enter a question mark '?' for help.
Use ctrl-c to abort configuration dialog at any prompt.
Default settings are in square brackets '[]'.

Basic management setup configures only enough connectivity


for management of the system, extended setup will ask you
to configure each interface on the system

Would you like to enter basic management setup? [yes/no]: no

Step 3 Decline the review of interfaces by entering no to this question.

First, would you like to see the current interface summary? [yes]: no

Step 4 Enter the hostname for your assigned switch (for example SwitchJ).
Configuring global parameters:

Enter host name [Switch]: SwitchX

Step 5 Enter all the passwords using the information in Lab 2-2, Table 1.

The enable secret is a password used to protect access to privileged EXEC and
configuration modes. This password, after entered, becomes encrypted in the
configuration.
Enter enable secret: sanfran

Step 6 The enable password is used when you do not specify an enable secret password, with
some older software versions and some boot images.

Enter enable password: cisco

Step 7 The virtual terminal password is used to protect access to the router over a network
interface.

Enter virtual terminal password: sanjose

Step 8 Answer no to the Configure SNMP Network Management prompt.

Configure SNMP Network Management? [no]: no

Step 9 Answer yes to “Do You Want to Configure Vlan1 Interface?” Your IP address
information can be obtained from Table 2.

Configuring interface parameters:

Do you want to configure Vlan1 interface? [no]: yes


Configure IP on this interface? [no]: yes
IP address for this interface: 10.x.x.11
Subnet mask for this interface [255.0.0.0] : 255.255.255.0
Class A network is 10.0.0.0, 24 subnet bits; mask is /24

Step 10 Answer no to all the remaining Configure Interface prompts.

Do you want to configure FastEthernet0/1 interface? [yes]: no

Do you want to configure FastEthernet0/2 interface? [yes]: no

Do you want to configure FastEthernet0/3 interface? [yes]: no

Do you want to configure FastEthernet0/4 interface? [yes]: no

Do you want to configure FastEthernet0/5 interface? [yes]: no

Do you want to configure FastEthernet0/6 interface? [yes]: no

Do you want to configure FastEthernet0/7 interface? [yes]: no

Do you want to configure FastEthernet0/8 interface? [yes]: no

Do you want to configure FastEthernet0/9 interface? [yes]: no

Do you want to configure FastEthernet0/10 interface? [yes]: no

Do you want to configure FastEthernet0/11 interface? [yes]: no

Do you want to configure FastEthernet0/12 interface? [yes]: no

Do you want to configure FastEthernet0/13 interface? [yes]: no

Do you want to configure FastEthernet0/14 interface? [yes]: no

Do you want to configure FastEthernet0/15 interface? [yes]: no

Do you want to configure FastEthernet0/16 interface? [yes]: no

Do you want to configure FastEthernet0/17 interface? [yes]: no

Do you want to configure FastEthernet0/18 interface? [yes]: no

Do you want to configure FastEthernet0/19 interface? [yes]: no

Do you want to configure FastEthernet0/20 interface? [yes]: no

Do you want to configure FastEthernet0/21 interface? [yes]: no

Do you want to configure FastEthernet0/22 interface? [yes]: no

Do you want to configure FastEthernet0/23 interface? [yes]: no

Do you want to configure FastEthernet0/24 interface? [yes]: no

Do you want to configure GigabitEthernet0/1 interface? [yes]: no

Do you want to configure GigabitEthernet0/2 interface? [yes]: no

Step 11 Answer no to the Enable as a Cluster Command Switch prompt.

Would you like to enable as a cluster command switch? [yes/no]: no

Step 12 The setup process now outputs the Cisco IOS commands, which you should verify are
correct. Press the Spacebar when prompted with --More-- to get additional output.
The following configuration command script was created:

hostname SwitchX
enable secret 5 $1$3PTL$CG2pEpzgAJO3pkB7If4P9.
enable password cisco
line vty 0 15
password sanjose
no snmp-server
!
!
interface Vlan1
no shutdown
ip address 10.10.10.11 255.255.255.0
!
interface FastEthernet0/1
!
interface FastEthernet0/2
!
interface FastEthernet0/3
!
interface FastEthernet0/4
!
interface FastEthernet0/5
!
interface FastEthernet0/6
!
interface FastEthernet0/7
!
interface FastEthernet0/8
!
interface FastEthernet0/9
!
interface FastEthernet0/10
!
interface FastEthernet0/11
!
interface FastEthernet0/12
!
interface FastEthernet0/13
!
interface FastEthernet0/14
!
interface FastEthernet0/15
!
interface FastEthernet0/16
!
interface FastEthernet0/17
!
interface FastEthernet0/18
!
interface FastEthernet0/19
!
interface FastEthernet0/20
!
interface FastEthernet0/21
!
interface FastEthernet0/22
!
interface FastEthernet0/23
!
interface FastEthernet0/24
!
interface GigabitEthernet0/1
!
interface GigabitEthernet0/2
!
end

Step 13 If the initial configuration displayed is correct, enter 2 to save this configuration to the
startup configuration in NVRAM and exit the setup mode.

[0] Go to the IOS command prompt without saving this config.


[1] Return back to the setup without saving this config.
[2] Save this configuration to nvram and exit.

Enter your selection [2]: 2


Building configuration...
[OK]
Use the enabled mode 'configure' command to modify this configuration.

Activity Verification
You have completed this task when you attain these results:
• Your initial configuration output accurately matched the values assigned to your
workgroup switch.
• You chose option 2 to save to NVRAM and exit the setup mode.

Task 4: Add Default Gateway to Initial Configuration
After using setup mode to configure your switch, you must add the IP address of the default
gateway router. The default gateway is used when packets need to be forwarded via the
VLAN 1 management interface to a network that is not directly connected. You will be
configuring the router in a later lab.

Activity Procedure
Complete these steps:

Step 1 To go from user EXEC mode to enable mode, enter the enable command. Then enter
the password when prompted.

Note Remember that you set the enable password to “sanfran” in the previous task.

Step 2 From the enable mode, enter the configure terminal command. This command is often
abbreviated to conf t. Your display should be similar to the example below.
SwitchX#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
SwitchX(config)#
Step 3 Enter the command ip default-gateway 10.x.x.3, where x.x represents the second and
third octets of the address assigned to your switch interface VLAN 1. Your display
should be similar to the example below.
SwitchX(config)#ip default-gateway 10.10.10.3
SwitchX(config)#
Step 4 Leave the configuration mode by entering the command end. Your display should be
similar to the example below.
SwitchX(config)#end
SwitchX#
1d00h: %SYS-5-CONFIG_I: Configured from console by console
Step 5 Enter the command copy running-config startup-config to save the running
configuration to NVRAM. You will be prompted to confirm the destination filename.
Confirm it by pressing the Enter key. Your display should be similar to the example
below.
SwitchX#copy running-config startup-config
Destination filename [startup-config]?
Building configuration...
[OK]
SwitchX#

Note A common shorthand entry for copy running-config startup-config is copy run start.

Activity Verification
You have completed this task when you attain these results:
• You have added the default gateway IP address to the running configuration.
• You saved the running configuration to the startup-config file.

Lab 2-3: Enhancing the Security of Initial Switch Configuration
Complete this lab activity to practice what you learned in the related module.

Activity Objective
In this activity, you will increase the security of the initial switch configuration. After
completing this activity, you will be able to meet these objectives:
• Add password protection to the console and vty lines
• Use the Cisco IOS configuration command to encrypt all passwords
• Add a banner message to the login process
• Increase the security of remote management of the switch by adding the SSH protocol to
the vty lines
• Increase the security of the physical interfaces by configuring various methods of MAC
address security
• Disable unused interfaces

Visual Objective
The figure illustrates what you will accomplish in this activity.

Visual Objective for Lab 2-3: Enhancing the Security of Switch Configuration

Workgroup Switch Hostname   IP Address   Subnet Mask
SwitchA                     10.2.2.11    255.255.255.0
SwitchB                     10.3.3.11    255.255.255.0
SwitchC                     10.4.4.11    255.255.255.0
SwitchD                     10.5.5.11    255.255.255.0
SwitchE                     10.6.6.11    255.255.255.0
SwitchF                     10.7.7.11    255.255.255.0
SwitchG                     10.8.8.11    255.255.255.0
SwitchH                     10.9.9.11    255.255.255.0

Required Resources
These are the resources and equipment that are required to complete this activity:
• PC with connectivity to the remote lab
• An SSH-capable terminal emulation application
• Your assigned pod information from Lab 2-1
• Successful completion of Lab 2-2

Command List
The table describes the commands that are used in this activity.

Switch Cisco IOS Commands

Command
    Description

? or help
    In user EXEC mode, Cisco IOS Software lists the subset of commands
    available at that privilege level.

banner login
    Allows the configuration of a message which will be displayed at the
    time of the login process.

clear mac-address-table dynamic interface int-id
    Clears the dynamically learned MAC addresses associated with the
    interface specified.

clear port-security sticky interface int-id access
    Clears the secure MAC addresses associated with the interface
    specified. The access parameter ensures that trunk ports are not
    affected.

configure terminal
    Activates the configuration mode from the terminal.

copy running-config destination
    Copies the switch running configuration file to another destination.
    Typical destination is the startup configuration.

copy running-config startup-config
    Copies the switch running configuration file to the startup configuration
    file that is held in local NVRAM.

crypto key generate rsa
    Generates the RSA key pairs to be used.

enable
    Activates the privileged EXEC mode. In privileged EXEC mode, more
    commands are available. This command requires you to enter the
    enable password if an enable password is configured.

end
    This configuration command terminates the configuration mode.

interface int-id
    Enters interface configuration mode.

interface range int-id - last-port-number
    Allows the grouping of interfaces, such that following interface
    configuration commands will be applied to all the interfaces specified
    simultaneously.

ip domain-name name
    Supplies an IP domain name, which is required by the crypto key
    generation process.

ip ssh version [1 | 2]
    Specifies the version of SSH to be run. To disable the version of SSH
    that was configured and to return to compatibility mode, use the no
    form of this command.

line console 0
    Enters the line console 0 configuration mode.

line vty 0 15
    Enters the virtual terminal line configuration mode. Vty lines allow
    access to the switch for remote network management. The number of
    vty lines available depends on the Cisco IOS Software version. Typical
    values are 0 to 4 and 0 to 15 (inclusive).

login
    Activates the login process on the console or vty lines.

login local
    Activates the login process on the console or vty lines to require using
    the local authentication database.

logout
    Exits the EXEC mode, requiring reauthentication (if enabled).

password
    Assigns a password to the console or vty lines.

ping ip-address
    Common tool used to troubleshoot the accessibility of devices. It uses
    ICMP path echo requests and ICMP path echo replies to determine
    whether a remote host is active. The ping command also measures
    the amount of time it takes to receive the echo reply.

reload
    Restarts the switch, reloads the Cisco IOS operating system.

service password-encryption
    Enables the service which will encrypt all passwords in the running
    configuration.

show ip arp
    Displays the IP address resolution table, which holds the binding
    between IP addresses and their respective MAC addresses.

show ip ssh
    Shows the current settings of the SSH protocol.

show mac-address-table dynamic
    Displays only the dynamically learned MAC addresses in the table.

show mac-address-table interface int-id
    Displays only the MAC addresses in the table associated with the
    specified interface.

show port-security interface int-id
    Displays all administrative and operational status of all secure ports on
    a switch. Optionally displays specific interface security settings or all
    secure MAC addresses.

show running-config
    Displays the active configuration.

show running-config interface int-id
    Displays the running configuration of the interface specified in the
    command.

shutdown
no shutdown
    Disables and enables an interface.

switchport mode access
    Sets the port to access mode. Use the no version of this command to
    reset default values.

switchport port-security
    Enables port security on an interface. Entered without keywords.

switchport port-security mac-address sticky
    Sets the secure MAC addresses associated with an interface to be
    learned dynamically.

switchport port-security maximum [number]
    Sets the maximum number of secure MAC addresses for the interface.
    Use the no version of this command to remove it.

switchport port-security violation violation mode
    Sets the action to be taken when a security violation occurs. Protect,
    restrict, and shutdown are the three valid modes.

transport input telnet ssh
    Specifies which protocols to use to connect to a specific line of the
    switch.

username username password password
    Creates a username and password pair, which can then be used as a
    local authentication database.

Job Aids
These job aids are available to help you complete the lab activity.
• Refer to Lab 2-1 for information regarding connection.

Table 1: Current Passwords

Switch console login            none
Switch enable password          cisco
Switch enable secret password   sanfran
Switch vty login password       sanjose

Task 1: Add Password Protection to Console Port and Vty Lines
After the initial configuration of the switch, passwords have been configured for the
vty lines, but two potential security holes exist. First, a security breach is possible
when the vty lines have the login process deactivated and the password is too simple.
Second, the console port is currently not protected by a password at all.

Activity Procedure
Complete these steps:

Step 1 Connect to your remote workgroup switch via the console server, and enter the
necessary commands and passwords to get to the enable EXEC prompt.
Step 2 At the user EXEC prompt, enter the command enable, followed by the enable
password for your switch.

Step 3 At the privileged EXEC prompt (sometimes called the “enable prompt”) of your
assigned switch, enter config t.

Step 4 Access the console port configuration by entering the command line console 0.

Step 5 At the line console configuration mode, use the password “sanjose” for the console
line. Enter the command password sanjose.

Step 6 Enter the command login, which will require a password to be supplied to access the
switch via the console in the future.

Step 7 Enter the command line vty 0 15.

Step 8 Enter the command login, which will be applied to all 16 lines (0 through 15).

Step 9 Enter the command end, which will return you to the enable EXEC prompt.

Step 10 Enter the show running-config command and observe the output to see that you
have correctly configured line console 0 and vty lines 0 through 15. Your output
should be similar to the example below, where the line configuration is shown in
bold text. You will observe that the passwords for both the line console and vty lines
are stored in cleartext.

SwitchX#show running-config
..
..Text omitted
..
!
line con 0
password sanjose
login
line vty 0 4
password sanjose
login
line vty 5 15
password sanjose
login
!
end
Step 11 You will now test your configured password by logging out of and back into the
switch via the console.

Step 12 Enter the command logout.

Step 13 Press the Enter key to get a password prompt.

Step 14 Supply the password that you just configured to get to the user EXEC prompt.

Step 15 Enter the command and password to get to the enable EXEC prompt.

Step 16 Your output for Steps 12 through 15 should be similar to the example below.
SwitchX#logout

..
..empty lines omitted
..

SwitchX con0 is now available

Press RETURN to get started.

..
..empty lines omitted
..

User Access Verification

Password:
SwitchX>enable
Password:
SwitchX#

Activity Verification
You have completed this task when you attain these results:
• You configured the console and vty lines to require a password.
• You inspected the configuration and observed that the line passwords are stored in
cleartext.
• You tested the login process and password access to the console line successfully.
• Your output matches the example in Step 14.

Task 2: Activate Password Encryption Service
As discussed in the previous task, some passwords are stored in cleartext. This can be a security
issue when the configurations are transmitted and stored on remote file systems. In this task,
you will configure the password encryption service to secure all cleartext passwords with
encryption.

Activity Procedure
Complete these steps:

Step 1 From the enable EXEC prompt, enter the command to get to global configuration
mode.
Step 2 Enter the command service password-encryption.

Step 3 Enter the command to return to the enable EXEC prompt.

Step 4 Enter the command to see the running configuration. Concentrate on the first few
lines and the last few lines of the configuration to see that the service password-
encryption command is now active and the effect it has on the line passwords. Your
output should be similar to the example below, with the bold text highlighting output
of particular interest.
SwitchX#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
SwitchX(config)#service password-encryption
SwitchX(config)#end
SwitchX#
00:38:45: %SYS-5-CONFIG_I: Configured from console by console
SwitchX#show running-config
Building configuration...

Current configuration : 1453 bytes


!
version 12.2
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
..
..Text omitted
..

!
!
line con 0
password 7 14041305060B392E
login
line vty 0 4
password 7 14041305060B392E
login
line vty 5 15
password 7 120A041918041F01
login
!
end

Step 5 Enter the command to save the running configuration to startup-config.

Activity Verification
You have completed this task when you attain these results:
• You have enabled the password encryption service.
• You have displayed the running configuration and observed the encryption of the line
passwords.
• You have saved your running configuration.

Task 3: Apply a Login Banner


As part of any security policy it is necessary to ensure that network resources are clearly
identified as being off limits to the casual visitor. Hackers have in the past successfully used the
fact that a “welcome” screen was presented at login as a legal defense for forced entry into the
network. A message that clearly states that access is restricted should be presented when a user
is attempting to access a network device (switch, router, and so on). The banner Cisco IOS
configuration command allows this to be done.

Activity Procedure
Complete these steps:

Step 1 Enter the command to access the global configuration prompt.


Step 2 Enter the command banner login % and press the Enter key. The percent symbol
(%) is the opening delimiter of the text that will form the message.

Step 3 Enter text to form your message followed by %.

Note Do NOT use percent symbols as part of your banner message text—they will be interpreted
as the closing delimiter of your message.

Step 4 Below is an example of the output of the configuration of a banner message.


SwitchX#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
SwitchX(config)#banner login %
Enter TEXT message. End with the character '%'.
********** Warning *************
Access to this device is restricted to authorized persons only!
Un-authorized access is prohibited. Violators will be prosecuted.

**************************************************************%
SwitchX(config)#
Step 5 Enter the command to return to the EXEC mode.

Step 6 Enter the command to display the running configuration. Your output should be
similar to the example below, which has been edited to show just the banner
configuration. Notice that your text delimiter has been replaced with a ^C, which is a
nontext control character.

!
banner login ^C
********** Warning *************
Access to this device is restricted to authorized persons only!
Un-authorized access is prohibited. Violators will be prosecuted.

**************************************************************^C
!
Step 7 Use the logout command to end your console session. Then log back in to the enable
prompt. Observe the display to see your banner message being presented, prior to
password entry. Your output should be similar to the example below, which has
been edited to reduce space.
SwitchX#logout

SwitchX con0 is now available

Press RETURN to get started.

********* Warning *************


Access to this device is restricted to authorized persons only!
Un-authorized access is prohibited. Violators will be prosecuted.

**************************************************************

User Access Verification

Password:
SwitchX>en
Password:
SwitchX#
Step 8 Enter the command to save the running configuration to startup-config.

Activity Verification
You have completed this task when you attain these results:
• You have configured a login banner message that clearly states that access to the switch is
restricted.
• You have tested the login message, and it does give a warning prior to password prompt.
• You have saved your configuration.

Task 4: Enable SSH Protocol for Remote Management


In a previous task, you protected passwords by using encryption. However, if the process of
remote management uses the Telnet protocol, which sends all characters in cleartext including
passwords, the potential exists for packet capture and exploitation of that information. In this
task you will configure the SSH protocol as an alternative to Telnet. If it is possible in your
environment, it would be best to replace Telnet with SSH. To operate, SSH requires the
following:
• A username and password
• A defined hostname
• A defined IP domain
• An RSA encryption key

Activity Procedure
Complete these steps:

Step 1 At the enable EXEC prompt, enter the command to access the global configuration
prompt.

Step 2 The SSH protocol requires the use of a username and password pair. As this has not
yet been configured, you must configure it now. Enter the command username
username password password. In this example, you will use “netadmin” for both.
Obviously, in the real-world environment, a much stronger username and password
pair should be used.

Step 3 The generation of an SSH cryptographic key requires that both the hostname and
domain name be configured. You have configured the hostname, so it is necessary to
configure the domain name. Normally you would use your organization domain
name, but in the lab you will use “cisco.com.”

Step 4 Enter the command ip domain-name domain name.

Step 5 Enter the command crypto key generate rsa. You will be prompted for a key size;
512 is the default, but you will enter 1024 to produce a more secure key. Your
output should be similar to the example below, which is edited to include only the
lines pertaining to this task.
SwitchX(config)#username netadmin password netadmin
SwitchX(config)#ip domain-name cisco.com
SwitchX(config)#crypto key generate rsa
The name for the keys will be: SwitchX.cisco.com
Choose the size of the key modulus in the range of 360 to 2048 for your
General Purpose Keys. Choosing a key modulus greater than 512 may take
a few minutes.

How many bits in the modulus [512]: 1024

% Generating 1024 bit RSA keys ...[OK]

01:26:52: %SSH-5-ENABLED: SSH 1.99 has been enabled


Step 6 Enter the command ip ssh version 2 to enable the required SSH version.

Step 7 Enter the command line vty 0 15.

Step 8 Enter the command login local. This changes the login process to use the locally
configured username and password pairs.

Step 9 Enter the command transport input telnet ssh. This configures the 16 vty lines to
support both Telnet and SSH. Your output should be similar to the example below.
SwitchX(config)#line vty 0 15
SwitchX(config-line)#login local
SwitchX(config-line)#transport input telnet ssh
Step 10 Enter the command to return to enable EXEC prompt.

Step 11 Enter the command show ip ssh.


SwitchX#sh ip ssh
SSH Enabled - version 2.0
Authentication timeout: 120 secs; Authentication retries: 3

Step 12 To test your configuration, you need to make a VPN tunnel connection to the remote
lab using the method from Lab 2-1, Task 2. On your PC, open your SSH terminal
client application. Use the IP address of your workgroup switch and the username
and password pair that you configured in Step 2 of this task.

Step 13 Below is an example of a successful connection with the PuTTY application and
using SSH.

Step 14 Enter the logout command to exit the PuTTY connection.

Step 15 Open the Windows Command window and enter the command telnet 10.x.x.11
(your workgroup switch IP address). Your output should be similar to the example
below.

Step 16 Enter the username and password in the new Telnet Command window that
automatically opens. Having established that Telnet is working simultaneously with
SSH, type logout at the user EXEC prompt and close your Command window by
typing exit at the Command window prompt. Your output should be similar to the
example below.

Step 17 Enter the command to save your configuration to startup-config.

Activity Verification
You have completed this task when you attain these results:
• You configured the vty lines to support the SSH version 2 protocol.
• You successfully directly connected to your workgroup switch using SSH and Telnet, thus
proving that both are being supported simultaneously.
• You saved your configuration.
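
The configuration that Tasks 1, 2 and 4 leave on the switch can be checked mechanically for the weaknesses those tasks discuss: line passwords in cleartext or in reversible type 7 form, a leftover enable password, a local user created with password, and vty lines that still accept Telnet. The Python sketch below is an added example, not part of the Cisco lab guide; the rule names and function names are its own, and the sample configuration is constructed from the outputs printed in Lab 2-2 and Lab 2-3.

```python
import re
from typing import NamedTuple

# Constructed sample assembled from this lab's printed outputs. It mixes lines
# from before and after Task 2 so that each rule below has something to find.
SAMPLE_CONFIG = """\
hostname SwitchX
enable secret 5 $1$3PTL$CG2pEpzgAJO3pkB7If4P9.
enable password cisco
username netadmin password netadmin
ip domain-name cisco.com
ip ssh version 2
!
line con 0
 password 7 14041305060B392E
 login
line vty 0 4
 password 7 14041305060B392E
 login local
 transport input telnet ssh
line vty 5 15
 password sanjose
 login local
 transport input ssh
!
end
"""

LINE_HEADER = re.compile(r"^line\s+(con|vty|aux)\b")
WEAK_STORAGE = {0: "stored in cleartext", 7: "type 7, reversible obfuscation"}


class Finding(NamedTuple):
    lineno: int
    context: str  # "global" or the "line ..." block the statement belongs to
    rule: str     # rule names are this example's own, not Cisco terminology
    detail: str


def split_credential(words):
    """IOS writes `password [type] value`; no type digit means cleartext (0)."""
    if len(words) >= 2 and words[0].isdigit():
        return int(words[0]), words[1]
    return 0, " ".join(words)


def audit(config):
    """Return Findings for weakly stored credentials and Telnet-enabled vty lines."""
    lines = config.splitlines()
    has_secret = any(l.split()[:2] == ["enable", "secret"] for l in lines)
    findings, context = [], "global"
    for lineno, raw in enumerate(lines, 1):
        words = raw.split()
        if not words:
            continue
        stmt = " ".join(words)
        # Track the enclosing block by keyword, not indentation, because
        # copied or extracted configurations often lose the leading space.
        if LINE_HEADER.match(stmt):
            context = stmt
        elif words[0] in ("!", "interface", "end"):
            context = "global"
        elif words[:2] == ["enable", "password"]:
            kind, _ = split_credential(words[2:])
            detail = WEAK_STORAGE.get(kind, f"type {kind}")
            if has_secret:
                detail += "; superseded by the enable secret, so remove it"
            findings.append(Finding(lineno, context, "ENABLE_PASSWORD", detail))
        elif words[0] == "username" and "password" in words[2:]:
            kind, value = split_credential(words[words.index("password", 2) + 1:])
            if kind in WEAK_STORAGE:
                findings.append(Finding(lineno, context, "USER_PASSWORD",
                                        WEAK_STORAGE[kind] + "; prefer `username ... secret`"))
            if kind == 0 and value == words[1]:
                findings.append(Finding(lineno, context, "PASSWORD_EQUALS_USERNAME",
                                        "password is identical to the username"))
        elif context != "global" and words[0] == "password":
            kind, _ = split_credential(words[1:])
            if kind in WEAK_STORAGE:
                findings.append(Finding(lineno, context, "LINE_PASSWORD", WEAK_STORAGE[kind]))
        elif context != "global" and words[:2] == ["no", "login"]:
            findings.append(Finding(lineno, context, "NO_LOGIN",
                                    "line accepts sessions without authentication"))
        elif context.startswith("line vty") and words[:2] == ["transport", "input"]:
            if {"telnet", "all"} & set(words[2:]):
                findings.append(Finding(lineno, context, "VTY_TELNET",
                                        "Telnet sends the login in cleartext; use `transport input ssh`"))
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_CONFIG):
        print(f"line {f.lineno:>2} [{f.context}] {f.rule}: {f.detail}")
```

Type 7 strings are flagged alongside cleartext because the encoding is reversible, so a stored or transmitted configuration still exposes those passwords.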

Task 5: Configure Port Security on a Switch


In this task, you will configure the switch to permit only a defined number of MAC addresses
on the first access port, and also specify the action to take should this number be exceeded. You
will determine how many addresses are being learned dynamically, then modify the interface to
permit one less than this number, so that a MAC violation will occur. You will use show
commands to observe the status and behavior of the switch before finally setting the secure
number of addresses back to a viable non-error-producing value.
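
The violation that this task provokes is reported on the console by the %PM-4-ERR_DISABLE and %PORT_SECURITY-2-PSECURE_VIOLATION messages printed in Step 21. The Python sketch below is an added example, not part of the Cisco lab guide: it re-joins the wrapped console lines, extracts the offending MAC address and port, and sets them against the secure addresses in the interface configuration from Step 18. The function names and the Violation record are its own, and both sample inputs are constructed from the outputs printed in those steps.

```python
import re
from typing import NamedTuple

# Constructed sample: the Step 21 console messages as a terminal shows them,
# wrapped mid-message and with ping output fused onto the last line.
SAMPLE_LOG = """\
23:07:41: %PM-4-ERR_DISABLE: psecure-violation error detected on Fa0/1,
putting Fa0/1 in err-disable state
23:07:41: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred,
caused by MAC address 001a.2fe7.3089 on port FastEthernet0/1.
23:07:42: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1,
changed state to down.
23:07:43: %LINK-3-UPDOWN: Interface FastEthernet0/1, changed state to down....
Success rate is 0 percent (0/5)
"""

# Constructed sample: the interface block printed in Step 18.
SAMPLE_INTERFACE_CONFIG = """\
interface FastEthernet0/1
 switchport mode access
 switchport port-security
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky 0017.5a78.be0f
"""

RECORD = re.compile(r"^(?P<ts>\S+): %(?P<facility>[A-Z0-9_]+)-(?P<severity>\d)"
                    r"-(?P<mnemonic>[A-Z0-9_]+): (?P<text>.*)$")
MAC = r"[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}"
LONG_NAMES = {"fa": "FastEthernet", "gi": "GigabitEthernet"}


class Violation(NamedTuple):
    timestamp: str
    port: str
    mac: str             # source address that triggered the violation
    err_disabled: bool   # True when the port was also shut down for it
    secure_macs: tuple   # addresses the port was configured to accept
    maximum: int


def full_name(port):
    """Expand Fa0/1 to FastEthernet0/1 so both message styles compare equal."""
    m = re.match(r"([A-Za-z]+)([\d/]+)$", port)
    if not m:
        return port
    return LONG_NAMES.get(m.group(1)[:2].lower(), m.group(1)) + m.group(2)


def records(log):
    """Re-join wrapped console lines into one dict per syslog message."""
    out = []
    for line in log.splitlines():
        m = RECORD.match(line.strip())
        if m:
            out.append(m.groupdict())
        elif out and line.strip():
            out[-1]["text"] += " " + line.strip()
    return out


def secure_ports(config):
    """Map interface name to its secure MAC list and maximum (default 1)."""
    ports, current = {}, None
    for line in config.splitlines():
        words = line.split()
        if words[:1] == ["interface"] and len(words) > 1:
            current = ports.setdefault(full_name(words[1]), {"macs": [], "maximum": 1})
        elif current is not None and words[:2] == ["switchport", "port-security"]:
            if words[2:3] == ["maximum"] and len(words) > 3:
                current["maximum"] = int(words[3])
            elif words[2:3] == ["mac-address"] and re.fullmatch(MAC, words[-1].lower()):
                current["macs"].append(words[-1].lower())
    return ports


def triage(log, config):
    """Return one Violation per PSECURE_VIOLATION message in the log."""
    recs, ports = records(log), secure_ports(config)
    disabled = set()
    for r in recs:
        m = re.search(r"(\S+) error detected on ([^,\s]+)", r["text"])
        if r["mnemonic"] == "ERR_DISABLE" and m and m.group(1) == "psecure-violation":
            disabled.add(full_name(m.group(2)))
    found = []
    for r in recs:
        if (r["facility"], r["mnemonic"]) != ("PORT_SECURITY", "PSECURE_VIOLATION"):
            continue
        m = re.search(rf"MAC address ({MAC}) on port ([A-Za-z]+[\d/]+)", r["text"])
        if m:
            port = full_name(m.group(2))
            cfg = ports.get(port, {"macs": [], "maximum": 1})
            found.append(Violation(r["ts"], port, m.group(1), port in disabled,
                                   tuple(cfg["macs"]), cfg["maximum"]))
    return found


if __name__ == "__main__":
    for v in triage(SAMPLE_LOG, SAMPLE_INTERFACE_CONFIG):
        print(v)
```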

Activity Procedure
Access your SwitchX console port, where x identifies your pod. Complete the following steps
to configure port security on the workgroup switch:

Caution You should have saved the current running configuration at the end of the previous lab. If
you are in doubt then save your running configuration to startup-config prior to reloading.

Step 1 Enter the commands to reload your switch.

Step 2 Enter the commands to get to the enable EXEC prompt.

Step 3 Enter the command ping to test connectivity to the IP address in the table below.
You will complete the table in Steps 4 and 5.

MAC Address Table

Device              IP address     MAC address
                    10.x.x.100
Unmanaged device

Step 4 Enter the command show ip arp. This will display the bindings between the IP
address and the MAC address. Enter the corresponding MAC address in the
table above. Your output should be similar to the example below.
SwitchX#show ip arp
Protocol Address Age (min) Hardware Addr Type Interface
Internet 10.x.x.11 - 001a.6d44.6cc0 ARPA Vlan1
Internet 10.x.x.100 0 001a.2fe7.3089 ARPA Vlan1

Step 5 Enter the command show mac-address-table int fa0/1. There should be one MAC
not associated with the IP address you just pinged. This is the MAC address of the
unmanaged device. Use this to complete the table from Step 3 above. Your output
should be similar to the example below.
SwitchX#show mac-address-table int fa0/1
Mac Address Table
-------------------------------------------

Vlan Mac Address Type Ports


---- ----------- -------- -----
1 0017.5a78.be01 DYNAMIC Fa0/1
1 001a.2fe7.3089 DYNAMIC Fa0/1
Total Mac Addresses for this criterion: 2

Step 6 Before you configure port security, you need to clear the dynamically learned MAC
address entries. Enter the command clear mac-address-table dynamic int fa0/1.
Step 7 Wait at least 10 seconds, then enter the show mac-address-table int fa0/1 command to
see the effect of the clear command. You will see that the MAC address of the
unmanaged device is still in the MAC address table. This is because this device is
periodically sending Layer 2 frames. Other Ethernet interfaces may be set to
periodically send keep-alive frames. However, you should see only the MAC
addresses being learned at this time. Your output should be similar to the example
below.
SwitchX#show mac-address-table int fa0/1
Mac Address Table
-------------------------------------------

Vlan Mac Address Type Ports


---- ----------- -------- -----
1 0017.5a78.be0f DYNAMIC Fa0/1
Total Mac Addresses for this criterion: 1
Step 8 Enter the command configure t.

Step 9 Enter the command interface fa0/1.

Step 10 Disable the interface by entering the shutdown command.


Step 11 Before port security features can be applied to a switchport, it has to be in
non-auto-negotiation mode. Enter the command switchport mode access.

Step 12 Before activating port security, it is necessary to set the maximum number of MAC
addresses to an appropriate value if there are more than the default of 1. However, as
the intention is to trigger a MAC address violation, and in Step 5 you saw there were
two MAC addresses associated with this interface, no action is necessary.

Step 13 Another parameter that should be set before the activation of port security is what
action to take when more MAC addresses attempt to use the interface than have
been configured. This is known as the violation action. The default action is
shutdown, which will error-disable the interface. Initially you will use this default
value, so that you get experience resetting the interface.

Step 14 Enter the command switchport port-security mac-address sticky. This will cause
MAC addresses that are learned to be saved in the running configuration. If the
configuration is subsequently saved to startup-config, they will be remembered upon
a restart.

Step 15 Enter the command switchport port-security. Entering the command without any
parameters activates port security. If this is not done, then port-security remains
disabled.

Step 16 Enter the command no shutdown to re-enable the switchport.

Step 17 Enter the command end to leave configuration mode and return to the enable EXEC
prompt.

Step 18 Wait for 20 seconds before entering the command show running-config int fa0/1 to
display the portion of the running configuration for interface fa0/1. Your output
should be similar to the example below, which has some lines shown in bold for
emphasis.
SwitchX#show running-config int fa0/1
Building configuration...

Current configuration : 128 bytes


!
interface FastEthernet0/1
switchport mode access
switchport port-security
switchport port-security mac-address sticky
switchport port-security mac-address sticky 0017.5a78.be0f
end
Step 19 Enter the show port-security int fa0/1 command to display the current port security
settings.
SwitchX#show port-security int fa0/1
Port Security : Enabled
Port Status : Secure-up
Violation Mode : Shutdown
Aging Time : 0 mins
Aging Type : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 1
Total MAC Addresses : 1
Configured MAC Addresses : 0
Sticky MAC Addresses : 1
Last Source Address:Vlan : 0017.5a78.be01:1
Security Violation Count : 0
Step 20 Enter the command show mac-address dynamic int fa0/1 to show the dynamic
MAC table entries for int fa0/1 only. You should not see any entries, because they
would have been converted to static (sticky) entries. Your output should be similar
to the example below.
SwitchX#show mac-address dynamic int fa0/1
Mac Address Table
-------------------------------------------
Vlan Mac Address Type Ports
---- ----------- -------- -----
Step 21 Use the ping command to create a port-security violation: ping 10.x.x.100. Your
output should be similar to the example below.
23:07:41: %PM-4-ERR_DISABLE: psecure-violation error detected on Fa0/1,
putting Fa0/1 in err-disable state
23:07:41: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred,
caused by MAC address 001a.2fe7.3089 on port FastEthernet0/1.
23:07:42: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1,
changed state to down.
23:07:43: %LINK-3-UPDOWN: Interface FastEthernet0/1, changed state to down....
Success rate is 0 percent (0/5)
SwitchX#

Step 22 Enter the show port-security interface fa0/1 command to display the current port
security settings.
SwitchX#show port-security int fa0/1
Port Security : Enabled
Port Status : Secure-shutdown
Violation Mode : Shutdown
Aging Time : 0 mins
Aging Type : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 1
Total MAC Addresses : 1
Configured MAC Addresses : 0
Sticky MAC Addresses : 1
Last Source Address:Vlan : 001a.2fe7.3089:1
Security Violation Count : 1
Step 23 It is now necessary to modify the maximum value of allowable MAC addresses to
two. It is also necessary to change the violation action to restrict and then return the
interface from error disable state to administratively up.
Step 24 Before you attempt to modify the port security setting, it is best to clear the MAC
table entries.

Step 25 Enter the command clear port-security sticky int fa0/1 access. Note: By restricting
the action of the clear command to only the interface that you are currently dealing
with, you avoid the risk of inadvertently impacting other interfaces.

Step 26 Enter the command configure t.


Step 27 Enter the command int fa0/1.

Step 28 Enter the command switchport port-security maximum 2.

Step 29 Enter the command switchport port-security violation restrict. The restrict
violation action does not shut down the interface; instead it blocks the frames,
generates a local message, and increments the security violation count. This
violation action is appropriate for a low-security environment.

Step 30 To return the interface to administratively up from error disable, it is necessary to
first enter the command shutdown and then enter the command no shutdown to
bring the interface back up.
Step 31 Enter the command end to leave configuration mode and return to the enable EXEC
prompt.

Step 32 Wait 20 seconds before you test your configuration by using the ping command to
10.x.x.100.

Step 33 The example below shows the output of the show running-config int fa0/1
command. Your output should be similar.
SwitchX#show running-config int fa0/1
Building configuration...

Current configuration : 329 bytes


!
interface FastEthernet0/1
switchport mode access
switchport port-security maximum 2
switchport port-security
switchport port-security violation restrict
switchport port-security mac-address sticky
switchport port-security mac-address sticky 0017.5a78.be01

switchport port-security mac-address sticky 001a.2fe7.3089
end

Step 34 The example below shows the output of the show port-security int fa0/1 command.
SwitchX#show port-security int fa0/1
Port Security : Enabled
Port Status : Secure-up
Violation Mode : Restrict
Aging Time : 0 mins
Aging Type : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 2
Total MAC Addresses : 2
Configured MAC Addresses : 0
Sticky MAC Addresses : 2
Last Source Address:Vlan : 001a.2fe7.3089:1
Security Violation Count : 0
Step 35 Compare the bolded text with the output of Step 22. It should show that the port
is up and that the violation mode is now Restrict rather than Shutdown.
Step 36 Save your running configuration to startup-config.

Activity Verification
You have completed this task when you attain these results:
• The switch was configured to permit one dynamically learned MAC address on the first
access port (fa0/1)
• The port was forced into a port-security violation, resulting in it being error disabled
• The configuration was then changed to support two dynamically learned addresses, and the
violation action was modified to restrict access and not shut down the port
• The port was returned from error disable to administratively up state
• The port was retested and no port-security violations were triggered
• The running configuration was saved to startup-config
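Added example, not part of the Cisco lab guide: a Python sketch that turns the console text from Steps 21, 22 and 34 into structured data, the way a monitoring script would when watching for port-security violations. The function names are hypothetical, and the show output is abridged from the steps above.

```python
import re

# Console text copied from Steps 21, 22 and 34 (show output abridged; syslog
# messages wrapped across two lines exactly as the console printed them).
SYSLOG = """\
23:07:41: %PM-4-ERR_DISABLE: psecure-violation error detected on Fa0/1,
putting Fa0/1 in err-disable state
23:07:41: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred,
caused by MAC address 001a.2fe7.3089 on port FastEthernet0/1.
23:07:42: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1,
changed state to down.
"""
STEP_22 = """\
Port Status : Secure-shutdown
Violation Mode : Shutdown
Maximum MAC Addresses : 1
Total MAC Addresses : 1
Last Source Address:Vlan : 001a.2fe7.3089:1
Security Violation Count : 1
"""
STEP_34 = """\
Port Status : Secure-up
Violation Mode : Restrict
Maximum MAC Addresses : 2
Total MAC Addresses : 2
Last Source Address:Vlan : 001a.2fe7.3089:1
Security Violation Count : 0
"""

TIMESTAMP = re.compile(r"^\d{2}:\d{2}:\d{2}: %")
VIOLATION = re.compile(
    r"%PORT_SECURITY-2-PSECURE_VIOLATION: .*?MAC address "
    r"([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}) on port (\S+?)\.?$")
ERR_DISABLE = re.compile(r"%PM-4-ERR_DISABLE: (\S+) error detected on (\S+),")
FIELD = re.compile(r"^(.+?)\s+:\s+(.+)$")


def unwrap(text):
    """Rejoin log messages that the console wrapped onto a second line."""
    messages = []
    for line in text.splitlines():
        if TIMESTAMP.match(line) or not messages:
            messages.append(line.strip())
        else:
            messages[-1] += " " + line.strip()
    return messages


def find_events(text):
    """Return (kind, port, detail) tuples for the security-relevant messages."""
    events = []
    for message in unwrap(text):
        match = VIOLATION.search(message)
        if match:
            events.append(("violation", match.group(2), match.group(1)))
            continue
        match = ERR_DISABLE.search(message)
        if match:
            events.append(("err-disable", match.group(2), match.group(1)))
    return events


def parse_port_security(text):
    """Parse 'Name : Value' lines; the colon inside 'Address:Vlan' is not a separator."""
    fields = {}
    for line in text.splitlines():
        match = FIELD.match(line.strip())
        if match:
            fields[match.group(1)] = match.group(2)
    return fields


def assess(fields):
    """List what an operator should know about the port in this state."""
    findings = []
    if fields.get("Port Status") == "Secure-shutdown":
        findings.append("port is err-disabled: recover with shutdown / no shutdown")
    if int(fields.get("Security Violation Count", 0)) > 0:
        mac = fields["Last Source Address:Vlan"].rsplit(":", 1)[0]
        findings.append("violation by " + mac)
    if fields.get("Violation Mode") == "Restrict":
        findings.append("restrict mode: the port stays up, so watch the violation counter")
    if fields.get("Total MAC Addresses") == fields.get("Maximum MAC Addresses"):
        findings.append("MAC limit reached: the next new source MAC is a violation")
    return findings
```
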

Task 6: Disable Unused Ports and Place All Ports in Access Mode
In this task, you will shut down all unused ports. You will also move all switch ports from
automatic negotiation to a fixed access mode. This action makes the switch more resilient to
attacks from devices that are directly connected to the switch. In this task, it is given that the
following ports are currently not in use: Fa0/3 through Fa0/10, Fa0/13 through Fa0/24, and
Gi0/1 through Gi0/2.

Activity Procedure
Complete these steps:
Step 1 At the enable EXEC prompt enter the command to access the global configuration
prompt.

Step 2 Enter the command interface range fa0/3 - 10. All the commands that follow will
be applied to the ports specified.

Step 3 Enter the command shutdown.

Step 4 Enter the command interface range fa0/13 - 24 to replace the previous range
command.

Step 5 Enter the command shutdown.

Step 6 Enter the command interface range gi0/1 - 2 to replace the previous range
command.

Step 7 Enter the command shutdown.

Step 8 Return to the enable EXEC prompt.

Step 9 Enter the command to display the running configuration to confirm that only the
intended interfaces were shut down.

Step 10 Enter the command to access the global configuration prompt.

Step 11 Enter the command interface range fa0/1 - 24, gi0/1 - 2 to include all ports in the
range. Notice in this instance the interface ranges have been grouped into a single
command by using the , (comma) as a separator.
Step 12 Enter the command switchport mode access.

Step 13 Return to the enable EXEC prompt.

Step 14 Enter the command to display the running configuration to confirm that all the
interfaces were placed into access mode.

Step 15 When you are certain that all ports are in access mode, and all ports with the
exception of fa0/1, fa0/2, fa0/11, and fa0/12 are shut down, save your running
configuration to startup-config.

Activity Verification
You have completed this task when you attain these results:
• Configured the given range of unused ports to be shut down
• Configured all ports to be in access mode
• Saved the running configuration to startup-config
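Added example, not part of the Cisco lab guide: a Python audit of the check that Steps 9, 14 and 15 ask you to make by eye, using the interface ranges given in this task. The running-config text is constructed for the example (with two deliberate gaps), it assumes interface subcommands are indented by one space, and the function names are hypothetical.

```python
import re

PREFIX = {"fa": "FastEthernet", "gi": "GigabitEthernet"}
PHYSICAL = re.compile(r"^(FastEthernet|GigabitEthernet)\d")


def expand_range(spec):
    """Expand an 'interface range' argument such as 'fa0/1 - 24, gi0/1 - 2'."""
    names = []
    for part in spec.split(","):
        m = re.fullmatch(r"\s*([a-z]+)(\d+)/(\d+)\s*-\s*(\d+)\s*", part.lower())
        if not m:
            raise ValueError(f"unsupported range: {part!r}")
        kind, module = m.group(1), m.group(2)
        first, last = int(m.group(3)), int(m.group(4))
        names += [f"{PREFIX[kind]}{module}/{n}" for n in range(first, last + 1)]
    return names


ALL_PORTS = expand_range("fa0/1 - 24, gi0/1 - 2")                  # Step 11
UNUSED = set(expand_range("fa0/3 - 10, fa0/13 - 24, gi0/1 - 2"))   # Steps 2, 4 and 6


def build_sample_config():
    """Constructed running-config with two deliberate gaps to detect."""
    lines = ["hostname SwitchX", "!"]
    for name in ALL_PORTS:
        lines.append(f"interface {name}")
        if name != "GigabitEthernet0/2":        # gap 1: mode left at its default
            lines.append(" switchport mode access")
        if name in UNUSED and name != "FastEthernet0/13":   # gap 2: left enabled
            lines.append(" shutdown")
        lines.append("!")
    # Constructed management interface; it is not a switch port and is skipped.
    lines += ["interface Vlan1", " ip address 10.1.1.11 255.255.255.0", "!", "end"]
    return "\n".join(lines)


def parse_interfaces(config):
    """Return {interface name: [subcommands]} from running-config text."""
    stanzas, current = {}, None
    for raw in config.splitlines():
        m = re.match(r"^interface (\S+)", raw)
        if m:
            current = stanzas.setdefault(m.group(1), [])
        elif raw.startswith(" ") and current is not None:
            current.append(raw.strip())
        else:
            current = None   # "!" or a global command ends the stanza
    return stanzas


def audit(config, unused=UNUSED):
    """Report ports that miss either hardening step from this task."""
    findings = []
    for name, commands in parse_interfaces(config).items():
        if not PHYSICAL.match(name):
            continue
        if "switchport mode access" not in commands:
            findings.append((name, "not fixed in access mode"))
        if name in unused and "shutdown" not in commands:
            findings.append((name, "unused port is not shut down"))
    return findings


if __name__ == "__main__":
    for port, problem in audit(build_sample_config()):
        print(f"{port}: {problem}")
```
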



Lab 2-4: Operating and Configuring a Cisco IOS Device
Complete this lab activity to practice what you learned in the related module.

Activity Objective
In this activity, you will demonstrate and practice the use of the CLI features of your
workgroup switch. After completing this activity, you will be able to meet these objectives:
• Explore context-sensitive help
• Edit incorrect CLI commands on the switch
• Examine the switch status using show commands

Visual Objective
The figure illustrates what you will accomplish in this activity.

Visual Objective for Lab 2-4: Operating and Configuring a Cisco IOS Device

Workgroup Switch Hostname   IP Address   Subnet Mask
SwitchA                     10.2.2.11    255.255.255.0
SwitchB                     10.3.3.11    255.255.255.0
SwitchC                     10.4.4.11    255.255.255.0
SwitchD                     10.5.5.11    255.255.255.0
SwitchE                     10.6.6.11    255.255.255.0
SwitchF                     10.7.7.11    255.255.255.0
SwitchG                     10.8.8.11    255.255.255.0
SwitchH                     10.9.9.11    255.255.255.0

Required Resources
These are the resources and equipment that are required to complete this activity:
• PC with connectivity to the remote lab
• An SSH-capable terminal emulation application
• Your assigned pod information from Lab 2-1

Command List
The table describes the commands that are used in this activity.

Switch Cisco IOS Commands

Command                 Description

? or help               In user mode, Cisco IOS Software lists a subset of the
                        available commands.
                        After you enter enable and enter your enable password for
                        privileged mode, a much larger list of available commands
                        is displayed.

clock set               Manages the system clock.

configure terminal      Activates the configuration mode from the terminal.

enable                  Activates privileged mode. In privileged mode, more
                        commands are available.
                        This command requires you to enter the enable password if
                        an enable password is configured. If an enable secret
                        password is also configured, the enable secret password
                        overrides the enable password.

exec-timeout            Sets the inactivity time allowed before a session will be
                        automatically logged out.

history size            Sets the number of lines held in the history buffer for recall.
                        Two separate buffers are used, one for EXEC mode
                        commands and the other for configuration mode
                        commands.

[no] ip domain-lookup   The command-line interpreter by default tries, when
                        receiving a command it does not recognize, to interpret it
                        as a symbolic name for an IP address. The no form of this
                        command turns off this default action, thus speeding up the
                        interpretation of erroneous entries.

line console 0          Enters the line console 0 configuration mode.

line vty 0 15           Enters the virtual terminal line configuration mode. Vty lines
                        allow access to the switch for remote network
                        management. The number of vty lines available is
                        dependent on the Cisco IOS Software version. Typical
                        values are 0-4 and 0-15 (inclusive).

logging synchronous     Synchronizes unsolicited messages and debug privileged
                        EXEC command output with solicited device output and
                        prompts for a specific console port line or vty line.

show clock              Displays the system clock.

show history            Displays recently entered commands.

show interfaces         Displays information on all of the router interfaces.

show running-config     Displays the active configuration.

show terminal           Displays the current settings for the terminal.

show version            Displays the configuration of the router hardware and the
                        various software versions.

terminal history size   Sets the command history buffer size.



Job Aids
These job aids are available to help you complete the lab activity.

Current Passwords

Switch Console Login            sanjose
Switch Enable Password          cisco
Switch Enable Secret Password   sanfran
Switch VTY Login User ID        netadmin
Switch VTY Login Password       netadmin

Task 1: Explore Context-Sensitive Help


In this task, you will use context-sensitive help in both user and privileged EXEC modes to
locate commands and complete command syntax.

Activity Procedure
Complete these steps:

Step 1 Connect to your workgroup switch using the information from Lab 2-1.

Step 2 Enter the help command (?). At the user EXEC prompt, you should see a partial list
of commands available. Your output should resemble the example below.
Exec commands:
access-enable Create a temporary Access-List entry
clear Reset functions
connect Open a terminal connection
..
..Text omitted
..
set Set system parameter (not config)
show Show running system information
ssh Open a secure shell client connection
systat Display information about terminal lines
telnet Open a telnet connection
--More--
Step 3 Press the Spacebar to complete or continue the list.

Step 4 Enter privileged EXEC mode.

Step 5 Notice that the prompt, which indicates the switch mode, was “>” and is now “#”.

Step 6 Enter the help (?) command at the privileged EXEC mode prompt. Use help to
determine the keyword command that manages the system clock.

Step 7 Your console should be displaying a prompt of “--More--” as it waits for you to
press a key before displaying more output. Enter q to terminate continuation of the
output.

Step 8 Enter the clock ? command. You should see the context-sensitive help. Your output
should resemble the example below.
SwitchX#clock ?
set Set the time and date

Step 9 Set the system clock to the current time and date. Remember to use context-sensitive
help to guide you through the process.
Step 10 At the switch# prompt, enter sh?. You should see another example of
context-sensitive help. Your output should resemble the example below.
SwitchX#sh?
show

Step 11 Press the Tab key. You should see the command-completion feature in action.
When enough letters of a command or keyword have been entered, the Tab key will
complete the word and place a space so that it is ready to receive any further input.
Step 12 Enter the show clock command. Your output should reflect the changes you made
using the clock set command in Step 9. Your output should be similar to the
example below.
SwitchX#show clock
10:45:25.073 UTC Tue Jul 10 2007

Activity Verification
You have completed this task when you attain this result:
• You used the system help facility and the command-completion facility.

Task 2: Edit an Incorrect Command


In this task, you will use Cisco IOS Software enhanced editing features to correct command-
line errors.

Activity Procedure
Complete these steps:
Step 1 Enter the following comment line at the prompt: “This command changes the
clock speed for the router”. Enter the text without the quotes (“).
SwitchX#This command changes the clock speed for the router.
^
% Invalid input detected at '^' marker.

Step 2 Enter the following comment line, preceded by the exclamation point (!): !ths
comand changuw the clck sped for the swch,. An exclamation point (!) before the
text line indicates that you are entering a comment.
SwitchX#!ths comand changuw the clck sped for the swch,

Step 3 Enter Ctrl-P or press the Up Arrow key to see the previous line.

Step 4 Use the editor commands Ctrl-A, Ctrl-F, Ctrl-E, and Ctrl-B to move along the line
and the Backspace key to delete unwanted characters.

Step 5 Using the editing commands, correct the comment line to read !This command
changes the clock speed for the switch.

Activity Verification
You have completed this task when you attain this result:
• You used the built-in editor and used those keystrokes for cursor navigation.



Task 3: Improve the Usability of the CLI
In this task, you will enter commands to improve the usability of the CLI. You will increase the
number of lines in the history buffers, increase the inactivity timer on the console port, and stop
the attempted name resolution of mistyped commands.

Activity Procedure
Complete these steps:

Step 1 Enter the command show terminal. Your output should be similar to the example
below, which has been edited to reduce unwanted lines.
SwitchX#sh terminal
Line 0, Location: "", Type: ""
Length: 24 lines, Width: 80 columns
Baud rate (TX/RX) is 9600/9600, no parity, 2 stopbits, 8 databits
..
..Text omitted
..
Editing is enabled.
History is enabled, history size is 10.
DNS resolution in show commands is enabled
Full user help is disabled
Allowed input transports are none.
Allowed output transports are telnet ssh.
Preferred transport is telnet.
No output characters are padded
No special data dispatching characters
Step 2 The size of the history buffers is 10. You could change this by using the command
terminal history size 100. However, this value would have to be entered every time
you log out of and back into the switch. The history size can be set in the
configuration, associated with the console and vty lines.

Step 3 Enter the command config t to get to the global configuration prompt.

Step 4 Enter the command line console 0.


Step 5 Enter the command history size 100.

Step 6 While you are in the console line mode, it is a good idea to change the EXEC
timeout from the 15-minute value to 60 minutes. Enter the command exec-timeout
60.

Step 7 Enter the command logging synchronous to synchronize unsolicited messages and
debug privileged EXEC command output with the input from the CLI.
Step 8 Enter the command line vty 0 15 to configure the vty lines.

Step 9 Enter the commands to configure the history size to 100 and to synchronize the
messages.
Step 10 Enter the exit command to return to the global configuration mode.

Step 11 Enter the command no ip domain-lookup to disable the resolution for symbolic
names.
Step 12 Return to enable EXEC prompt.

Step 13 Use the history recall to enter the show terminal command. Your output should be
similar to the example below, which has been edited to reduce unwanted lines.

SwitchX#sh term
Line 0, Location: "", Type: ""
Length: 24 lines, Width: 80 columns
Baud rate (TX/RX) is 9600/9600, no parity, 2 stopbits, 8 databits
..
..Text omitted
..
Editing is enabled.
History is enabled, history size is 100.
DNS resolution in show commands is enabled
Full user help is disabled
Allowed input transports are none.
Allowed output transports are telnet ssh.
Preferred transport is telnet.
No output characters are padded
No special data dispatching characters

Step 14 Enter the show running-config command to confirm that the configuration changes
just made are correct.
Step 15 When you are satisfied that your running configuration reflects the changes, then
save it to startup-config.

Step 16 Close your connection(s) to your workgroup switch.

Activity Verification
You have completed this task when you attain these results:
• The inactivity timeout on the console line is set to 60 minutes
• You have verified that the history buffer value is set to 100 lines on the console and vty
lines
• You have verified that logging synchronous is configured on the console and vty lines
• You have saved your configuration to startup-config
• You have closed any open connections to your workgroup switch



Lab 4-1: Converting Decimal to Binary and Binary to Decimal
Complete the lab activity to practice what you learned in the related module.

Activity Objective
In this activity, you convert decimal and binary numbers. After completing this activity, you
will be able to meet these objectives:
• Convert decimal numbers to binary
• Convert binary numbers to decimal

Visual Objective
The figure illustrates what you will accomplish in this activity.

Visual Objective for Lab 4-1: Converting Decimal to Binary and Binary to Decimal

Required Resources
There are no resources for this lab activity.

Command List
There are no commands used in this lab activity.

Job Aids
There are no job aids for this lab activity.

Activity Preparation
There is no preparation for this lab activity.

Task 1: Convert from Decimal Notation to Binary Format


Activity Procedure
Complete the following table, which provides practice in converting a number from decimal
notation to binary format.

Base 2      2^7  2^6  2^5  2^4  2^3  2^2  2^1  2^0
Decimal     128   64   32   16    8    4    2    1   Binary

48            0    0    1    1    0    0    0    0   48 = 32 + 16 = 00110000

146           1    0    0    1

222

119

135

60

Task 2: Convert from Binary Notation to Decimal Format


Activity Procedure
Complete the following table, which provides practice in converting a number from binary
notation to decimal format.

Base 2      2^7  2^6  2^5  2^4  2^3  2^2  2^1  2^0
Binary      128   64   32   16    8    4    2    1   Decimal

11001100      1    1    0    0    1    1    0    0   128 + 64 + 8 + 4 = 204

10101010      1    0    1    0

11100011

10110011

00110101

10010111

Activity Verification
You have completed this lab when you attain these results:
• You can accurately convert decimal format numbers to binary notation.
• You can accurately convert binary notation numbers to decimal format.



Lab 4-2: Classifying Network Addressing
Complete the lab activity to practice what you learned in the related module.

Activity Objective
In this activity, you classify network addresses with IPv4 and IPv6. After completing this
activity, you will be able to meet these objectives:
• Convert decimal IP addresses to binary numbers
• Convert binary numbers to IP addresses
• Identify classes of IP addresses
• Identify valid and invalid host IP addresses

Visual Objective
The figure illustrates what you will accomplish in this activity.

Visual Objective for Lab 4-2: Classifying Network Addressing

Convert decimal IP addresses to binary
• 145.32.59.24 = 10010001.00100000.__________.__________
Convert binary IP addresses to decimal
• 10010001.00011011.00111101.10001001 = 216.____.____.____
Identifying IP Address Classes
• 0.124.0.0?
• 255.255.255.255?
• 23.75.345.200?

Required Resources
There are no resources for this lab activity.

Command List
There are no commands used in this activity.

Job Aids
There are no job aids for this lab activity.

Activity Preparation
There is no preparation for this lab activity.

Task 1: Convert from Decimal IP Address to Binary Format


Activity Procedure
Complete the following steps:

Step 1 Complete the following table to express 145.32.59.24 in binary format.

Base 2      2^7  2^6  2^5  2^4  2^3  2^2  2^1  2^0
Decimal     128   64   32   16    8    4    2    1   Binary

145           1    0    0    1    0    0    0    1   10010001

32            0    0    1    0    0    0    0    0   00100000

59

24

Binary Format IP Address: 10010001. 00100000. ___________ . ___________

Step 2 Complete the following table to express 200.42.129.16 in binary format.

Base 2      2^7  2^6  2^5  2^4  2^3  2^2  2^1  2^0
Decimal     128   64   32   16    8    4    2    1   Binary

200

42

129

16

Binary Format IP Address

Step 3 Complete the following table to express 14.82.19.54 in binary format.

Base 2      2^7  2^6  2^5  2^4  2^3  2^2  2^1  2^0
Decimal     128   64   32   16    8    4    2    1   Binary

14

82

19

54

Binary Format IP Address



Task 2: Convert from Binary Format to Decimal IP Address
Activity Procedure
Complete the following steps:
Step 1 Complete the following table to express 11011000.00011011.00111101.10001001 in
decimal IP address format.

Base 2      2^7  2^6  2^5  2^4  2^3  2^2  2^1  2^0
Binary      128   64   32   16    8    4    2    1   Decimal

11011000      1    1    0    1    1    0    0    0   216

00011011

00111101

10001001

Decimal Format IP Address 216. _____ . _____ . _____

Step 2 Complete the following table to express 11000110.00110101.10010011.00101101 in
decimal IP address format.

Base 2      2^7  2^6  2^5  2^4  2^3  2^2  2^1  2^0
Binary      128   64   32   16    8    4    2    1   Decimal

11000110

00110101

10010011

00101101

Decimal Format IP Address

Step 3 Complete the following table to express 01111011.00101101.01000011.01011001 in
decimal IP address format.

Base 2      2^7  2^6  2^5  2^4  2^3  2^2  2^1  2^0
Binary      128   64   32   16    8    4    2    1   Decimal

01111011

00101101

01000011

01011001

Decimal Format IP Address

Task 3: Identify IP Address Classes
Activity Procedure
Complete this table to identify the address class, number of bits in the network ID, and
maximum number of hosts.

                                                           Address   Number of Bits   Maximum Number of
Binary IP Address                     Decimal IP Address   Class     in Network ID    Hosts (2^h – 2)

10010001.00100000.00111011.00011000   145.32.59.24         Class B   16

11001000.00101010.10000001.00010000 200.42.129.16

00001110.01010010.00010011.00110110 14.82.19.54

11011000.00011011.00111101.10001001 216.27.61.137

10110011.00101101.01000011.01011001 179.45.67.89

11000110.00110101.10010011.00101101 198.53.147.45

Task 4: Identify Valid and Invalid Host IP Addresses


Activity Procedure
Complete the following table to identify which host IP addresses are valid and which are not
valid.

Decimal IP Address Valid or Invalid If Invalid, Indicate Reason

23.75.345.200

216.27.61.134

102.54.94

255.255.255.255

142.179.148.200

200.42.129.16

0.124.0.0

Activity Verification
You have completed this lab when you attain these results:
• You can accurately convert decimal format IP addresses to binary format
• You can accurately convert binary format IP addresses to decimal format
• You can identify the address class of a given IP address
• You can identify valid and invalid IP addresses



Lab 4-3: Computing Usable Subnetworks and Hosts
Complete the lab activity to practice what you learned in the related module.

Activity Objective
In this activity, you determine the number of bits to borrow from the host ID to create the
required number of subnets for a given IP address. After completing this activity, you will be
able to meet these objectives:
• Determine the number of bits required to create different subnets
• Determine the maximum number of host addresses available in a given subnet

Visual Objective
The figure illustrates what you will accomplish in this activity.

Visual Objective for Lab 4-3: Computing Usable Subnetworks and Hosts

Given:
• Class C network address of 192.168.89.0
• Class B network address of 172.25.0.0
• Class A network address of 10.0.0.0
How many subnets can you create?
How many hosts per subnet can you create?

Required Resources
There are no resources for this lab activity.

Command List
There are no commands used in this activity.

Job Aids
There are no job aids for this lab activity.

Activity Preparation
There is no preparation for this lab activity.

Task 1: Determine the Number of Bits Required to Subnet a Class C Network
Activity Procedure
Given a Class C network address of 192.168.89.0, complete the table to identify the number of
bits that are required to define the specified number of subnets for the network, and then
determine the number of hosts per subnet.

Number of Subnets   Number of Bits to Borrow   Number of Hosts per Subnet (2^h – 2)

12

24

40

Task 2: Determine the Number of Bits Required to Subnet a Class B Network
Activity Procedure
Given a Class B network address of 172.25.0.0, complete the table to identify the number of
bits that are required to define the specified number of subnets for the network, and then
determine the number of hosts per subnet.

Number of Subnets   Number of Bits to Borrow   Number of Hosts per Subnet (2^h – 2)

14

20

35



Task 3: Determine the Number of Bits Required to Subnet a Class A Network
Activity Procedure
Given a Class A network address of 10.0.0.0, complete the table to identify the number of bits
that are required to define the specified number of subnets for the network, and then determine
the number of hosts per subnet.

Number of Subnets   Number of Bits to Borrow   Number of Hosts per Subnet (2^h – 2)

10

14

20

40

80

Activity Verification
You have completed this lab when you attain these results:
• Given a Class A, B, or C network, you can identify the number of bits to borrow to create a
given number of subnets
• Given a Class A, B, or C network, you can determine the number of hosts on the network,
given a number of subnets and number of bits to borrow

Lab 4-4: Calculating Subnet Masks
Complete the lab activity to practice what you learned in the related module.

Activity Objective
In this activity, you calculate subnet masks. After completing this activity, you will be able to
meet these objectives:
• Given a network address, determine the number of possible network addresses and the
binary subnet mask to use
• Given a network IP address and subnet mask, determine the range of subnet addresses
• Identify the host addresses that can be assigned to a subnet and the associated broadcast
addresses

Visual Objective
The figure illustrates what you will accomplish in this activity.

Visual Objective for Lab 4-4: Calculating Subnet Masks

• Given a network address, determine the number of possible
network addresses and the binary subnet mask to use.
• Given a network IP address and subnet mask, determine the
range of subnet addresses.
• Identify the host addresses that can be assigned to a subnet
and the associated broadcast addresses.

Required Resources
There are no resources for this lab activity.

Command List
There are no commands used in this activity.



Job Aids
There are no job aids for this lab activity.

Activity Preparation
There is no preparation for this lab activity.

Task 1: Determine the Number of Possible Network Addresses


Activity Procedure
Given a Class A network and the net bits identified, complete this table to identify the subnet
mask and the number of host addresses possible for each mask.

Classful Address   Decimal Subnet Mask   Binary Subnet Mask   Number of Hosts per Subnet (2^h – 2)

/20

/21

/22

/23

/24

/25

/26

/27

/28

/29

/30

Task 2: Given a Network Address, Define Subnets


Activity Procedure
Assume that you have been assigned the 172.25.0.0 /16 network. You need to establish twelve
subnets. Complete the following questions.
1. How many bits do you need to borrow to define 12 subnets?

_________________________________________________________________________

2. Specify the classful address and subnet mask in binary and decimal that allows you to
create 12 subnets.

_________________________________________________________________________

3. Use the eight-step method to define the 12 subnets.

Step  Description                                                                        Example

1.    Write down the octet that is being split in binary.
2.    Write the mask or classful prefix length in binary.
3.    Draw a line to delineate the significant bits in the assigned IP address.
      Cross out the mask so that you can view the significant bits in the IP address.
4.    Copy the significant bits four times.
5.    In the first line, define the network address by placing 0s in the remaining host bits.
6.    In the last line, define the directed-broadcast address by placing 1s in the host bits.
7.    In the middle lines, define the first and last host ID for this subnet.
8.    Increment the subnet bits by one to determine the next subnet address.
      Repeat Steps 4 through 8 for all subnets.

4. Complete the following table to define each subnet.

Subnet Number   Subnet Address   Range of Host Addresses   Directed-Broadcast Address

...
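Added example, not part of the Cisco lab guide: a Python version of the bits-to-borrow and 2^h – 2 calculations from Lab 4-3 and of Steps 5 through 8 of the eight-step method, generalized to any IPv4 block and run here on the 172.25.0.0 /16 network from this task. It assumes every one of the 2^s subnet values is usable; the function names are hypothetical.

```python
import ipaddress


def bits_to_borrow(subnets_needed):
    """Smallest s with 2**s >= subnets_needed (assumes all 2**s subnets are usable)."""
    s = 0
    while 2 ** s < subnets_needed:
        s += 1
    return s


def hosts_per_subnet(prefix_len):
    """The lab's 2^h - 2 formula; h is the number of host bits that remain."""
    return 2 ** (32 - prefix_len) - 2


def mask_for(prefix_len):
    """Return the subnet mask as (dotted decimal, dotted binary)."""
    value = (0xFFFFFFFF << (32 - prefix_len)) & 0xFFFFFFFF
    mask = ipaddress.IPv4Address(value)
    return str(mask), ".".join(f"{octet:08b}" for octet in mask.packed)


def define_subnets(block, subnets_needed):
    """Apply Steps 5 to 8 of the eight-step method to every required subnet."""
    net = ipaddress.ip_network(block)
    prefix_len = net.prefixlen + bits_to_borrow(subnets_needed)
    if prefix_len > 30:
        raise ValueError("fewer than two host bits would remain")
    host_bits = 32 - prefix_len
    base = int(net.network_address)
    rows = []
    for number in range(subnets_needed):
        network = base + (number << host_bits)         # Step 8: increment the subnet bits
        broadcast = network | ((1 << host_bits) - 1)   # Step 6: host bits all 1s
        rows.append((
            number,
            f"{ipaddress.IPv4Address(network)}/{prefix_len}",   # Step 5: host bits all 0s
            str(ipaddress.IPv4Address(network + 1)),             # Step 7: first host
            str(ipaddress.IPv4Address(broadcast - 1)),           # Step 7: last host
            str(ipaddress.IPv4Address(broadcast)),
        ))
    return prefix_len, rows


if __name__ == "__main__":
    prefix_len, rows = define_subnets("172.25.0.0/16", 12)   # network from Task 2
    print(mask_for(prefix_len), hosts_per_subnet(prefix_len))
    for row in rows:
        print(*row)
```
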

Task 3: Given Another Network Address, Define Subnets


Activity Procedure
Assume that you have been assigned the 192.168.1.0 /24 network.
1. How many bits do you need to borrow to define six subnets?

_________________________________________________________________________

2. Specify the classful address and subnet mask in binary and decimal that allows you to
create six subnets.

_________________________________________________________________________



3. Use the eight-step method to define the six subnets.

Step  Description                                                                        Example

1.    Write down the octet that is being split in binary.
2.    Write the mask or classful prefix length in binary.
3.    Draw a line to delineate the significant bits in the assigned IP address.
      Cross out the mask so that you can view the significant bits in the IP address.
4.    Copy the significant bits four times.
5.    In the first line, define the network address by placing 0s in the remaining host bits.
6.    In the last line, define the directed-broadcast address by placing 1s in the host bits.
7.    In the middle lines, define the first and last host ID for this subnet.
8.    Increment the subnet bits by one to determine the next subnet address.
      Repeat Steps 4 through 8 for all subnets.

4. Complete this table to define each subnet.

Subnet Number   Subnet Address   Range of Host Addresses   Directed-Broadcast Address

Task 4: Given a Network Address and Classful Address, Define Subnets
Activity Procedure
Assume that you have been assigned the 192.168.111.129 address in a /28 network block.
1. Specify the subnet mask in binary and decimal.

_________________________________________________________________________
2. How many subnets can you define with the specified mask?

_________________________________________________________________________

3. How many hosts will be in each subnet?
_______________________________________________________________________

4. Use the eight-step method to define the subnets.

Step Description Example

1. Write down the octet that is being split in binary.

2. Write the mask or classful prefix length in binary.

3. Draw a line to delineate the significant bits in the assigned IP address.
   Cross out the mask so that you can view the significant bits in the IP address.

4. Copy the significant bits four times.

5. In the first line, define the network address by placing 0s in the remaining host bits.

6. In the last line, define the directed-broadcast address by placing 1s in the host bits.

7. In the middle lines, define the first and last host ID for this subnet.

8. Increment the subnet bits by one to determine the next subnet address.

Repeat Steps 4 through 8 for all subnets.

5. Complete this table to define each subnet.

Subnet Number    Subnet Address    Range of Host Addresses    Directed-Broadcast Address

Task 5: Given a Network Block and Classful Address, Define Subnets
Activity Procedure
Assume that you have been assigned the 172.25.112.0 address in a /23 network block.
1. Specify the subnet mask in binary and decimal.

_________________________________________________________________________

2. How many subnets can you define with the specified mask?

_________________________________________________________________________

3. How many hosts will be in each subnet?

_________________________________________________________________________

4. Use the eight-step method to define the subnets.

Step Description Example

1. Write down the octet that is being split in binary.

2. Write the mask or classful prefix length in binary.

3. Draw a line to delineate the significant bits in the assigned IP address.
   Cross out the mask so that you can view the significant bits in the IP address.

4. Copy the significant bits four times.

5. In the first line, define the network address by placing 0s in the remaining host bits.

6. In the last line, define the directed-broadcast address by placing 1s in the host bits.

7. In the middle lines, define the first and last host ID for this subnet.

8. Increment the subnet bits by one to determine the next subnet address.

Repeat Steps 4 through 8 for all subnets.

5. Complete this table to define each subnet.

Subnet Number    Subnet Address    Range of Host Addresses    Directed-Broadcast Address

Task 6: Given a Network Block and Classful Address, Define Subnets
Activity Procedure
Assume that you have been assigned the 172.20.0.129 address in a /25 network block.
1. Specify the subnet mask in binary and decimal.

_________________________________________________________________________

2. How many subnets can you define with the specified mask?

_________________________________________________________________________

3. How many hosts will be in each subnet?

_________________________________________________________________________

4. Use the eight-step method to define the subnets.

Step Description Example

1. Write down the octet that is being split in binary.

2. Write the mask or classful prefix length in binary.

3. Draw a line to delineate the significant bits in the assigned IP address.
   Cross out the mask so that you can view the significant bits in the IP address.

4. Copy the significant bits four times.

5. In the first line, define the network address by placing 0s in the remaining host bits.

6. In the last line, define the directed-broadcast address by placing 1s in the host bits.

7. In the middle lines, define the first and last host ID for this subnet.

8. Increment the subnet bits by one to determine the next subnet address.

Repeat Steps 4 through 8 for all subnets.

5. Complete this table to define the subnets.

Subnet Number    Subnet Address    Range of Host Addresses    Directed-Broadcast Address

Activity Verification
You have completed this lab when you attain these results:
• Given a network address, you can determine the number of possible network addresses and
  the binary subnet mask to use
• Given a network IP address and subnet mask, you can apply the mask to determine the
  range of subnet addresses

You can apply subnet masks to identify the host addresses that can be assigned to a subnet and
the associated broadcast addresses.
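The eight-step method used in the tasks above reduces to a few bit operations on the 32-bit address, which makes it easy to check a completed worksheet. This is an added example, not part of the lab guide; the function names and the sample address 192.168.50.77 /27 are constructed for illustration, and it assumes every subnet of the classful network is counted, including the first and last.

```python
"""Eight-step subnetting worksheet carried out with integer bit operations."""


def to_int(dotted):
    """Convert dotted-decimal text to a 32-bit integer, rejecting bad octets."""
    octets = [int(part) for part in dotted.split(".")]
    if len(octets) != 4 or any(o < 0 or o > 255 for o in octets):
        raise ValueError(f"not an IPv4 address: {dotted!r}")
    value = 0
    for octet in octets:
        value = (value << 8) | octet
    return value


def to_dotted(value):
    """Convert a 32-bit integer back to dotted-decimal text."""
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def classful_prefix(addr):
    """Return the classful prefix length (8, 16 or 24) from the first octet."""
    first_octet = addr >> 24
    if first_octet < 128:
        return 8
    if first_octet < 192:
        return 16
    if first_octet < 224:
        return 24
    raise ValueError("class D and E addresses are not subnetted")


def bits_to_borrow(subnets_needed):
    """Smallest number of borrowed bits b such that 2**b >= subnets_needed."""
    bits = 0
    while (1 << bits) < subnets_needed:
        bits += 1
    return bits


def define_subnets(address, prefix_len):
    """List every subnet of the classful network that holds `address`."""
    addr = to_int(address)
    classful = classful_prefix(addr)
    if not classful <= prefix_len <= 30:
        raise ValueError("prefix must lie between the classful prefix and /30")
    block = 1 << (32 - prefix_len)              # addresses per subnet
    mask = 0xFFFFFFFF ^ (block - 1)             # steps 2-3: 1s over significant bits
    classful_base = addr & (0xFFFFFFFF ^ ((1 << (32 - classful)) - 1))
    rows = []
    for number in range(1 << (prefix_len - classful)):
        network = classful_base + number * block    # step 5: host bits all 0
        broadcast = network | (block - 1)           # step 6: host bits all 1
        rows.append({
            "number": number,                       # step 8: next subnet value
            "subnet": to_dotted(network),
            "first_host": to_dotted(network + 1),   # step 7
            "last_host": to_dotted(broadcast - 1),
            "broadcast": to_dotted(broadcast),
            "contains_address": network <= addr <= broadcast,
        })
    return {
        "mask": to_dotted(mask),
        "mask_binary": ".".join(f"{(mask >> s) & 0xFF:08b}" for s in (24, 16, 8, 0)),
        "hosts_per_subnet": block - 2,
        "subnets": rows,
    }


if __name__ == "__main__":
    # Constructed sample input, not one of the lab's assigned addresses.
    result = define_subnets("192.168.50.77", 27)
    print("mask", result["mask"], result["mask_binary"])
    for row in result["subnets"]:
        marker = "<-- holds the address" if row["contains_address"] else ""
        print(row["number"], row["subnet"], row["first_host"], "-",
              row["last_host"], row["broadcast"], marker)
```
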

Lab 4-5: Performing Initial Router Startup
Complete this lab activity to practice what you learned in the related module.

Activity Objective
In this activity, you will connect to your remote workgroup router, ensure that it is
unconfigured, and examine the startup process. After completing this activity, you will be able
to meet these objectives:
• Remove any existing residual router configuration
• Restart the router and observe the output
• Decline the initial configuration dialog request when the restart process completes

Visual Objective
The figure illustrates what you will accomplish in this activity.

Visual Objective for Lab 4-5: Performing Initial Router Startup

Workgroup Router Hostname    IP Address    Subnet Mask
RouterA                      10.2.2.3      255.255.255.0
RouterB                      10.3.3.3      255.255.255.0
RouterC                      10.4.4.3      255.255.255.0
RouterD                      10.5.5.3      255.255.255.0
RouterE                      10.6.6.3      255.255.255.0
RouterF                      10.7.7.3      255.255.255.0
RouterG                      10.8.8.3      255.255.255.0
RouterH                      10.9.9.3      255.255.255.0

© 2007 Cisco Systems, Inc. All rights reserved. ICND1 v1.0—14

Required Resources
These are the resources and equipment that are required to complete this activity:
• PC with connectivity to the remote lab
• An SSH-capable terminal emulation application
• Your assigned pod access information from Lab 2-1

Command List
The table describes the commands that are used in this activity.

Router Cisco IOS Commands

Command Description

enable Enters the privileged EXEC mode command interpreter.

erase startup-config Erases the startup configuration from memory.

reload Reboots the router to make your changes take effect.

Job Aids
These job aids are available to help you complete the lab activity.

Current Passwords
Router console login None

Router enable password None

Router enable secret password None

Router vty login user ID None

Router vty login password None

Switch console login sanjose

Switch enable password cisco

Switch enable secret password sanfran

Switch vty login user ID netadmin

Switch vty login password netadmin

Task 1: Remove Any Residual Configuration from Your Router


In this task, you will start the workgroup router and verify that the router starts correctly. The
router may have the default configuration which supports initial configuration using Cisco
SDM (Router and Security Device Manager) and requires the username cisco and the password
cisco to gain access to the enable prompt.

Activity Procedure
Complete these steps:

Step 1 Connect to your workgroup router using the access information from Lab 2-1. Refer to
the visual objective for IP address information.

Step 2 If prompted for a username and password, use cisco for both. If not, proceed to the
next step.

Step 3 If the prior step did not leave you at the enable prompt, enter the command to get to
the enable prompt.

Step 4 Enter the command erase startup-config and confirm that you wish to continue.
Your output should be similar to the example below.
Username: cisco
Password:
yourname#erase startup-config
Erasing the nvram filesystem will remove all configuration files! Continue? [confirm]
[OK]

Erase of nvram: complete
yourname#
*Apr 24 00:16:13.683: %SYS-7-NV_BLOCK_INIT: Initialized the geometry of nvram
yourname#

Activity Verification
You have completed this task when you attain this result:
• You have erased the startup configuration

Task 2: Reload the Router and Observe the Startup Output


In this task, you will observe the output of the router. This should be similar to the output
obtained when you observed your workgroup switch being reloaded.

Activity Procedure
Complete these steps:

Step 1 Enter the command reload. Press the ENTER key to confirm that you want to proceed
with the reload. Your output should resemble the example below.
yourname#reload
Proceed with reload? [confirm]
.
Step 2 Observe the output as the reload progresses. You will have to wait a few minutes for
all the output and a final prompt. Your output should be similar to the example
below, which has been edited to reduce the length of some lines.
*Apr 24 00:18:02.043: %SYS-5-RELOAD: Reload requested by cisco on console.
Reload Reason: Reload Command.

System Bootstrap, Version 12.4(13r)T, RELEASE SOFTWARE (fc1)


Technical Support: http://www.cisco.com/techsupport
Copyright (c) 2006 by cisco Systems, Inc.

Initializing memory for ECC


.
c2811 platform with 262144 Kbytes of main memory
Main memory is configured to 64 bit mode with ECC enabled

Upgrade ROMMON initialized


program load complete, entry point: 0x8000f000, size: 0xcb80
program load complete, entry point: 0x8000f000, size: 0xcb80

program load complete, entry point: 0x8000f000, size: 0x228d9f8


Self decompressing the image :
##############################################################################
########################################### [OK]

Smart Init is enabled


smart init is sizing iomem
ID MEMORY_REQ TYPE
0003E7 0X003DA000 C2811 Mainboard
0X00263F50 Onboard VPN
0X000021B8 Onboard USB
0X002C29F0 public buffer pools
0X00211000 public particle pools
TOTAL: 0X00B13AF8

If any of the above Memory Requirements are


"UNKNOWN", you may be using an unsupported
configuration or there is a software problem and

system operation may be compromised.
Rounded IOMEM up to: 12Mb.
Using 4 percent iomem. [12Mb/256Mb]

Restricted Rights Legend

Use, duplication, or disclosure by the Government is


subject to restrictions as set forth in subparagraph
(c) of the Commercial Computer Software - Restricted
Rights clause at FAR sec. 52.227-19 and subparagraph
(c) (1) (ii) of the Rights in Technical Data and Computer
Software clause at DFARS sec. 252.227-7013.

cisco Systems, Inc.


170 West Tasman Drive
San Jose, California 95134-1706

Cisco IOS Software, 2800 Software (C2800NM-ADVIPSERVICESK9-M), Version


12.4(12), RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2006 by Cisco Systems, Inc.
Compiled Fri 17-Nov-06 12:02 by prod_rel_team
Image text-base: 0x40093160, data-base: 0x42B00000

This product contains cryptographic features and is subject to United


States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

If you require further assistance please contact us by sending email to


export@cisco.com.

Cisco 2811 (revision 49.46) with 249856K/12288K bytes of memory.


Processor board ID FTX1108A3G8
2 FastEthernet interfaces
2 Low-speed serial(sync/async) interfaces
1 Virtual Private Network (VPN) Module
DRAM configuration is 64 bits wide with parity enabled.
239K bytes of non-volatile configuration memory.
62720K bytes of ATA CompactFlash (Read/Write)

--- System Configuration Dialog ---

Step 3 Answer no to the question “Would you like to enter the initial configuration
dialog?” Wait until the output has completed before pressing the Enter key to get a
prompt.

Would you like to enter the initial configuration dialog? [yes/no]: no

Press RETURN to get started!

sslinit fn

*Apr 24 00:19:27.795: %VPN_HW-6-INFO_LOC: Crypto engine: onboard 0 State


changed to: Initialized

*Apr 24 00:19:27.799: %VPN_HW-6-INFO_LOC: Crypto engine: onboard 0 State
changed to: Enabled
*Apr 24 00:19:29.059: %LINEPROTO-5-UPDOWN: Line protocol on Interface VoIP-
Null0, changed state to up
*Apr 24 00:19:29.059: %LINK-3-UPDOWN: Interface FastEthernet0/0, changed state
to up
*Apr 24 00:19:29.063: %LINK-3-UPDOWN: Interface FastEthernet0/1, changed state
to up
*Apr 24 00:19:29.063: %LINK-3-UPDOWN: Interface Serial0/0/0, changed state to
down
*Apr 24 00:19:29.063: %LINK-3-UPDOWN: Interface Serial0/0/1, changed state to
down
*Apr 24 00:19:30.483: %LINEPROTO-5-UPDOWN: Line protocol on Interface
FastEthernet0/0, changed state to down
*Apr 24 00:19:30.483: %LINEPROTO-5-UPDOWN: Line protocol on Interface
FastEthernet0/1, changed state to down
*Apr 24 00:19:30.483: %LINEPROTO-5-UPDOWN: Line protocol on Interface
Serial0/0/0, changed state to down
*Apr 24 00:19:30.483: %LINEPROTO-5-UPDOWN: Line protocol on Interface
Serial0/0/1, changed state to down
*Apr 24 00:19:32.295: %LINEPROTO-5-UPDOWN: Line protocol on Interface
FastEthernet0/0, changed state to up
*Apr 24 00:19:32.323: %LINEPROTO-5-UPDOWN: Line protocol on Interface
FastEthernet0/1, changed state to up
*Apr 24 00:29:25.479: %IP-5-WEBINST_KILL: Terminating DNS process
*Apr 24 00:29:26.659: %LINK-5-CHANGED: Interface FastEthernet0/0, changed
state to administratively down
*Apr 24 00:29:26.659: %LINK-5-CHANGED: Interface FastEthernet0/1, changed
state to administratively down
*Apr 24 00:29:26.659: %LINK-5-CHANGED: Interface Serial0/0/0, changed state to
administratively down
*Apr 24 00:29:26.659: %LINK-5-CHANGED: Interface Serial0/0/1, changed state to
administratively down
*Apr 24 00:29:26.991: %SYS-5-RESTART: System restarted --
Cisco IOS Software, 2800 Software (C2800NM-ADVIPSERVICESK9-M), Version
12.4(12), RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2006 by Cisco Systems, Inc.
Compiled Fri 17-Nov-06 12:02 by prod_rel_team
*Apr 24 00:29:26.995: %SNMP-5-COLDSTART: SNMP agent on host Router is
undergoing a cold start
*Apr 24 00:29:27.203: %SYS-6-BOOTTIME: Time taken to reboot after reload =
684 seconds
*Apr 24 00:29:27.383: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is OFF
*Apr 24 00:29:27.659: %LINEPROTO-5-UPDOWN: Line protocol on Interface
FastEthernet0/0, changed state to down
*Apr 24 00:29:27.659: %LINEPROTO-5-UPDOWN: Line protocol on Interface
FastEthernet0/1, changed state to down
<ENTER>
Router>

Activity Verification
You have completed this task when you attain these results:
• You have reloaded your workgroup router
• You have declined the initial configuration dialog

Lab 4-6: Performing Initial Router Configuration
Complete this lab activity to practice what you learned in the related module.

Activity Objective
In this activity, you will perform the initial minimal configuration. After completing this
activity, you will be able to meet these objectives:
• Use the setup command to apply a minimal configuration for router operation
• Use show commands to validate your configuration

Visual Objective
The figure illustrates what you will accomplish in this activity.

Visual Objective for Lab 4-6: Performing Initial Router Configuration

Workgroup Router Hostname    IP Address    Subnet Mask
RouterA                      10.2.2.3      255.255.255.0
RouterB                      10.3.3.3      255.255.255.0
RouterC                      10.4.4.3      255.255.255.0
RouterD                      10.5.5.3      255.255.255.0
RouterE                      10.6.6.3      255.255.255.0
RouterF                      10.7.7.3      255.255.255.0
RouterG                      10.8.8.3      255.255.255.0
RouterH                      10.9.9.3      255.255.255.0

© 2007 Cisco Systems, Inc. All rights reserved. ICND1 v1.0—15

Required Resources
These are the resources and equipment that are required to complete this activity:
• PC with connectivity to the remote lab
• An SSH-capable terminal emulation application
• Your assigned pod access information from Lab 2-1
• Successful completion of Lab 2-4

Command List
The table describes the commands that are used in this activity.

Router Cisco IOS Commands

Command Description

configure terminal Activates the configuration mode from the terminal.

setup Enters the initial configuration dialog mode.

show running-config Displays the router configuration settings that are currently
in effect.

show startup-config Displays the router configuration settings that are stored in
NVRAM.

Job Aids
These job aids are available to help you complete the lab activity.

Current Passwords
Router console login none

Router enable password none

Router enable secret password none

Router vty login user ID none

Router vty login password none

Switch console login sanjose

Switch enable password cisco

Switch enable secret password sanfran

Switch vty login user ID netadmin

Switch vty login password netadmin

Task 1: Enter the Initial Configuration Using the setup Command
In this task, you will use the initial configuration dialog to enter basic router configuration.

Activity Procedure
Complete these steps:

Step 1 If you are not continuing from Lab 4-5, then connect to your workgroup router
using the access information from Lab 2-1 and refer to the visual objective for IP
address and subnet mask information.

Step 2 Enter the enable command to get into the privileged EXEC mode.

Step 3 At the enable prompt enter the command setup. This command starts the initial
configuration dialog.

Step 4 Enter yes to the question “Continue with configuration dialog?”


Continue with configuration dialog? [yes/no]: yes

At any point you may enter a question mark '?' for help.
Use ctrl-c to abort configuration dialog at any prompt.

Default settings are in square brackets '[]'.

Step 5 Enter no to the question “Would you like to enter basic management setup?”
Basic management setup configures only enough connectivity
for management of the system, extended setup will ask you
to configure each interface on the system

Would you like to enter basic management setup? [yes/no]: no

Step 6 Enter yes to the question “First, would you like to see the current interface
summary?” Your output should look similar to the following display:
First, would you like to see the current interface summary? [yes]: yes

Interface IP-Address OK? Method Status Protocol


FastEthernet0/0 unassigned YES unset administratively down down
FastEthernet0/1 unassigned YES unset administratively down down
Serial0/0/0 unassigned YES unset administratively down down
Serial0/0/1 unassigned YES unset administratively down down

Configuring global parameters:

Step 7 Enter your assigned workgroup router hostname at the prompt “Enter host name,”
where x in the example below is your workgroup letter (A, B, C, D, E, F, G or H).
Enter host name [Router]: RouterX

Step 8 Enter the enable secret password at the prompt “Enter enable secret.”

The enable secret is a password used to protect access to privileged EXEC and
configuration modes. This password, after entered, becomes encrypted in the
configuration.

Enter enable secret: sanfran

Step 9 Enter the enable password at the prompt “Enter enable password.”

The enable password is used when you do not specify an enable secret password,
with some older software versions, and some boot images.

Enter enable password: cisco

Step 10 Enter the vty password at the prompt “Enter virtual terminal password.”

The virtual terminal password is used to protect access to the router over a network
interface.

Enter virtual terminal password: sanjose

Step 11 Enter no to the question “Configure SNMP Network Management?”


Configure SNMP Network Management? [no]:no

Step 12 Enter yes to the question “Configure IP?”


Configure IP? [yes]:yes

Step 13 Enter no to the question “Configure RIP routing?”
Configure RIP routing? [yes]: no

Step 14 Enter no to the question “Configure CLNS?”


Configure CLNS? [no]:no

Step 15 Enter no to the question “Configure bridging?”


Configure bridging? [no]:no

Step 16 Enter yes to the question “Do you want to configure FastEthernet0/0 interface?”
Configuring interface parameters:

Do you want to configure FastEthernet0/0 interface? [no]: yes

Step 17 Enter no to the question “Use the 100 Base-TX (RJ-45) connector?”
Use the 100 Base-TX (RJ-45) connector? [yes]:no

Step 18 Enter no to the question “Operate in full-duplex mode?”


Operate in full-duplex mode? [no]:no

Step 19 Enter yes to the question “Configure IP on this interface?”


Configure IP on this interface? [no]: yes

Step 20 Enter the IP address of your assigned workgroup router. (See the visual objective for
this lab.)
IP address for this interface: 10.x.x.3

Step 21 Enter the subnet mask of your assigned workgroup router. Notice that the Cisco IOS
Software can calculate the IP addressing class.
Subnet mask for this interface [255.0.0.0] : 255.255.255.0
Class A network is 10.0.0.0, 24 subnet bits; mask is /24

Step 22 Enter no to the question “Do you want to configure FastEthernet0/1 interface?”
Do you want to configure FastEthernet0/1 interface? [no]:no

Step 23 Enter no to the question “Do you want to configure Serial0/0/0 interface?”
Do you want to configure Serial0/0/0 interface? [no]:no

Step 24 Enter no to the question “Do you want to configure Serial0/0/1 interface?”
Do you want to configure Serial0/0/1 interface? [no]:no

Step 25 Enter no to the question “Would you like to go through AutoSecure configuration?”
Would you like to go through AutoSecure configuration? [yes]: no
AutoSecure dialog can be started later using "auto secure" CLI

Step 26 The setup process outputs the configuration script, which can be applied depending
on your answer to the question that follows. Notice that by default the router has only
five (0 to 4) vty lines preconfigured. You may recall that the switch had 16 (0 to
15). You will need to press the Spacebar when prompted with --More-- to get
additional output.

The following configuration command script was created:

hostname RouterX
enable secret 5 $1$.dET$BDxkofHF3aAsRthe/c0.c.
enable password cisco
line vty 0 4
password sanjose
no snmp-server
!
ip routing
no clns routing
no bridge 1
!
interface FastEthernet0/0
no shutdown
half-duplex
ip address 10.x.x.3 255.255.255.0
no mop enabled
!
interface FastEthernet0/1
shutdown
no ip address
!
interface Serial0/0/0
shutdown
no ip address
!
interface Serial0/0/1
shutdown
no ip address
dialer-list 1 protocol ip permit
!
end

[0] Go to the IOS command prompt without saving this config.


[1] Return back to the setup without saving this config.
[2] Save this configuration to nvram and exit.

Enter your selection [2]:2


Step 27 Enter 2 to save this configuration to NVRAM and exit.

Step 28 Observe the output displayed. You may see that the running Cisco IOS version
announces that the hostname does not match the latest CLI standards; however, the
name is accepted.
Building configuration...
[OK]
*Apr 24 00:37:02.203: %LINK-3-UPDOWN: Interface FastEthernet0/0, changed state
to up
Use the enabled mode 'configure' command to modify this configuration.

RouterX#
*Apr 24 00:37:04.867: %LINEPROTO-5-UPDOWN: Line protocol on Interface
FastEthernet0/0, changed state to up

Activity Verification
You have completed this task when you attain these results:
• You have entered your workgroup router configuration information using the setup
  command
• You have selected the option to save and exit on completion of the configuration dialog

Task 2: Validate the Router Configuration
You will use the show commands to check that the router configuration matches your
requirements, and is saved to the startup configuration in the startup-config file.

Activity Procedure
Complete these steps:

Step 1 Enter the command show running-config. Observe the output and validate that the
passwords are set and match those you entered in Task 1. Also check that the
interface FastEthernet 0/0 has the IP address assigned for your workgroup router and
does not have the shutdown command applied to the interface. Below is an excerpt
from the output; your display should be similar.
..Text omitted!
..
!
interface FastEthernet0/0
ip address 10.x.x.3 255.255.255.0
duplex half
speed auto
no mop enabled
!
interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
..Text omitted!
Step 2 Enter the command show startup-config. Observe the output and validate that the
information you verified in Step 1 above matches. This demonstrates that the setup
command saved the configuration to both the running configuration and startup
configuration.

Activity Verification
You have completed this task when you attain these results:
• Your output of the show running-config command matched your input in Task 1.
• Your startup configuration was the same as your running configuration.

Lab 4-7: Enhancing the Security of Initial Router Configuration
Complete this lab activity to practice what you learned in the related module.

Activity Objective
In this activity, you will increase the security of the router following its initial configuration.
After completing this activity, you will be able to meet these objectives:
• Add password protection to the console line
• Use the Cisco IOS configuration command to encrypt all passwords
• Add a banner message to the login process
• Increase the remote management security of the router by adding the SSH protocol to the
  vty lines

Visual Objective
The figure illustrates what you will accomplish in this activity.

Visual Objective for Lab 4-7: Enhancing the Security of Initial Router Configuration

Workgroup Router Hostname    IP Address    Subnet Mask
RouterA                      10.2.2.3      255.255.255.0
RouterB                      10.3.3.3      255.255.255.0
RouterC                      10.4.4.3      255.255.255.0
RouterD                      10.5.5.3      255.255.255.0
RouterE                      10.6.6.3      255.255.255.0
RouterF                      10.7.7.3      255.255.255.0
RouterG                      10.8.8.3      255.255.255.0
RouterH                      10.9.9.3      255.255.255.0

© 2007 Cisco Systems, Inc. All rights reserved. ICND1 v1.0—16

Required Resources
These are the resources and equipment that are required to complete this activity:
• PC with connectivity to the remote lab
• An SSH-capable terminal emulation application
• Your assigned pod access information from Lab 4.1
• Successful completion of Lab 4-6

Command List
The table describes the commands that are used in this activity.

Command   Description

banner login   Allows the configuration of a message which will be displayed at the time of the login process.

configure terminal   From privileged EXEC mode, enters global configuration mode.

copy running-config startup-config   Copies the switch running configuration file to the startup configuration file which is held in local NVRAM.

crypto key generate rsa   Generates the RSA key pairs to be used.

enable   Activates the privileged EXEC mode. In privileged EXEC mode, more commands are available. This command requires you to enter the enable password if an enable password is configured.

end   This configuration command terminates the configuration mode.

exit   Exits the current configuration mode.

ip domain-name name   Supplies an IP domain name, which is required by the crypto key generation process.

ip ssh version [1 | 2]   Specifies the version of Secure Shell (SSH) to be run. To disable the version of SSH that was configured and to return to compatibility mode, use the no form of this command.

line console 0   Specifies the console line and enters line configuration mode.

line vty 0 4   Enters the virtual terminal line configuration mode. Vty lines allow access to the switch for remote network management. The number of vty lines available is dependent on the Cisco IOS Software version. Typical values are 0 to 4 and 0 to 15 (inclusive).

login   Activates the login process on the console or vty lines.

login local   Activates the login process on the console or vty lines to require using the local authentication database.

logout   Exits the EXEC mode requiring reauthentication (if enabled).

password   Assigns a password to the console or vty lines.

service password-encryption   Enables the service which will encrypt all passwords in the running configuration.

show ip ssh   Shows the current settings of the SSH protocol.

show running-config   Displays the router configuration settings that are currently in effect.

transport input telnet ssh   Specifies which protocols to use to connect to a specific line of the router.

username username password password   Creates a username and password pair, which can then be used as a local authentication database.

Job Aids
These job aids are available to help you complete the lab activity.

Current Passwords
Router console login none

Router enable password cisco

Router enable secret password sanfran

Router vty login user ID none

Router vty login password sanjose

Switch console login sanjose

Switch enable password cisco

Switch enable secret password sanfran

Switch vty login user ID netadmin

Switch vty login password netadmin

Task 1: Add Password Protection to Console Port


Following the initial configuration of the router, where passwords have been configured for the
vty lines, a potential security hole exists because the console port currently is not protected by a
password at all. Use the password sanjose for the console line unless your instructor has given
you a different password, which you should record below.

Activity Procedure
Complete these steps:
Step 1 Connect to your remote workgroup router via the console server. You will need to
use the VTY password configured earlier to get to the user EXEC mode.

Step 2 Enter the enable command and password to get to the enable EXEC prompt.

Step 3 At the enable prompt of your assigned router, enter config t.

Step 4 Enter the command line console 0.

Step 5 At the line console configuration mode, enter the command password password.
Use the same password that is set for the vty lines.

Step 6 Enter the command login, which will require a password to be supplied to access the
router via the console in future.
Step 7 Enter the end command to exit the configuration mode.

Step 8 Enter the show running-config command and observe the output to see that you
have correctly configured line console 0 and vty lines 0-4. Your output should be
similar to the example below, where the line configuration is shown in bold text.
You will observe that the passwords for both the line console and vty lines are stored
in cleartext.

RouterX#show running-config
..
..Text omitted
..
!
line con 0
password sanjose
login
line aux 0
line vty 0 4
password sanjose
login
!
end
Step 9 Test your configured password by logging out of and back into the router via the
console.
Step 10 Enter the command logout.

Step 11 Use the Enter key to get a password prompt.

Step 12 Supply the password that you just configured to get to the user EXEC prompt.
Step 13 Enter the command and password to get to the enable EXEC prompt.

Step 14 Your output for Steps 10 through 13 should be similar to the example below.
RouterX#logout

..
..empty lines omitted
..

RouterX con0 is now available

Press RETURN to get started.

..
..empty lines omitted
..

User Access Verification

Password:
RouterX>enable
Password:
RouterX#

Activity Verification
You have completed this task when you attain these results:
• You configured the console line to require a password
• You inspected the configuration and observed that the line passwords are stored in cleartext
• You tested the login process and password access to the console line successfully
• Your output matches the example in Step 14



Task 2: Activate Password Encryption Service
As discussed in the previous task, some passwords are stored in cleartext. This can be a security
issue when the configurations are transmitted and stored on remote file systems. In this task
you will configure the password encryption service to secure all cleartext passwords with
encryption.

Activity Procedure
Complete these steps:

Step 1 From the enable EXEC prompt enter the command to get to global configuration
mode.
Step 2 Enter the command service password-encryption.

Step 3 Enter the command to return to the enable EXEC prompt.

Step 4 Enter the command to see the running configuration. Concentrate on the first few
lines and the last few lines of the configuration, to see that your command is now
active and the effect it has on the line passwords. Your output should be similar to
the example below, with bold text highlighting output of particular interest.
RouterX#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
RouterX(config)#service password-encryption
RouterX(config)#end
RouterX#
*Mar 16 20:19:40.509: %SYS-5-CONFIG_I: Configured from console by console
RouterX#show running-config
Building configuration...

Current configuration : 940 bytes


!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
..
..Text omitted
..

!
!
line con 0
password 7 051807012B435D0C
login
line aux 0
line vty 0 4
password 7 051807012B435D0C
login
!
scheduler allocate 20000 1000
!
end
Step 5 Enter the command to save the running configuration to startup-config.

Activity Verification
You have completed this task when you attain these results:
• You have enabled the password encryption service.
• You have displayed the running configuration and observed the encryption of the line
passwords.
• You have saved your running configuration.

Task 3: Apply a Login Banner


As part of any security policy, it is necessary to ensure that network resources are clearly
identified as being off limits to the casual visitor. Hackers have in the past used the fact that a
“welcome” screen was presented at login as a (successful) legal defense. A message that
clearly states that access is restricted should be presented when anyone attempts to access a
network device (switch, router, and so on). The banner Cisco IOS configuration command
allows this to be done.

Activity Procedure
Complete these steps:

Step 1 Enter the command to access the global configuration prompt.


Step 2 Enter the command banner login %. The percent sign is the opening delimiter of
the text that will form the message.

Step 3 Enter text to form your message followed by %. Do NOT include a percent sign in
your text; it will be interpreted as the closing delimiter of your message. Below is an
example of the output of the configuration of a banner message.
RouterX#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
RouterX(config)#banner login %
Enter TEXT message. End with the character '%'.
********** Warning *************
Access to this device is restricted to authorized persons only!
Un-authorized access is prohibited. Violators will be prosecuted.

**************************************************************^C

RouterX(config)#end
Step 4 Enter the command to display the running configuration. Your output should be
similar to the example below, which has been edited to show just the banner
configuration. Notice that your text delimiter has been replaced with a ^C, which is a
nontext control character.
!
banner login ^C
********** Warning *************
Access to this device is restricted to authorized persons only!
Un-authorized access is prohibited. Violators will be prosecuted.

**************************************************************^C
!
Step 5 Use the logout command to end your console session. Then log back in to the enable
prompt. Observe the display to see your banner message being presented, prior to
password entry. Your output should be similar to the example below, which has
been edited to reduce space.



RouterX#logout

RouterX con0 is now available

Press RETURN to get started.

********* Warning *************


Access to this device is restricted to authorized persons only!
Un-authorized access is prohibited. Violators will be prosecuted.

**************************************************************

User Access Verification

Password:
RouterX>en
Password:
RouterX#
Step 6 Enter the command to save the running configuration to NVRAM.

Activity Verification
You have completed this task when you attain these results:
• You have configured a login banner message which clearly states that access is restricted to
the router
• You have tested the login message, and it does give a warning prior to password prompt
• You have saved your configuration

Task 4: Enable SSH Protocol for Remote Management


In a previous task, you protected the passwords by using encryption. However, if the process of
remote management uses the Telnet protocol, which sends all characters in cleartext including
passwords, the potential exists for packet capture and exploitation of the information. In this
task, you will configure the Secure Shell (SSH) protocol as an alternative to Telnet. If it is
possible in your environment, it would be best to replace Telnet with SSH.

Activity Procedure
Complete these steps:

Step 1 At the enable EXEC prompt enter the command to access the global configuration
prompt.
Step 2 The SSH protocol requires the use of a username and password pair. These have not
yet been configured, so you will do that now. Enter the command username
netadmin password netadmin. In this example, you use a simple username, but in a
real-world environment, a much stronger username and password must be used.

Step 3 Enter the command ip domain-name domain-name. The generation of an SSH
cryptographic key requires that both the hostname and domain name be configured.
The hostname is already configured, so it is necessary to configure the domain
name. Normally you would use the domain name of your organization; in the lab,
you will use cisco.com.

Step 4 Enter the command crypto key generate rsa. You are prompted for a key size; 512
is the default, but you will enter 1024. Your output should be similar to the example
below, which is edited to include only those lines pertaining to this task.
RouterX(config)#username netadmin password netadmin
RouterX(config)#ip domain-name cisco.com
RouterX(config)#crypto key generate rsa
The name for the keys will be: RouterX.cisco.com
Choose the size of the key modulus in the range of 360 to 2048 for your
General Purpose Keys. Choosing a key modulus greater than 512 may take
a few minutes.

How many bits in the modulus [512]: 1024


% Generating 1024 bit RSA keys, keys will be non-exportable...[OK]

RouterX(config)#
*Mar 16 20:32:15.613: %SSH-5-ENABLED: SSH 1.99 has been enabled
Step 5 Enter the command ip ssh version 2 to specify the required SSH version.

Step 6 Enter the command line vty 0 4.

Step 7 Enter the command login local. This changes the login process to use the locally
configured username and password pairs.

Step 8 Enter the command transport input telnet ssh. This configures the five vty lines to
support both Telnet and SSH. Your output should be similar to the example below.
RouterX(config)#line vty 0 4
RouterX(config-line)#login local
RouterX(config-line)#transport input telnet ssh
Step 9 Enter the command to return to enable EXEC prompt.
Step 10 Enter the command show ip ssh.
RouterX#show ip ssh
SSH Enabled - version 2.0
Authentication timeout: 120 secs; Authentication retries: 3
Step 11 To test your configuration you need to make a VPN tunnel connection to the remote
lab using the method from Lab 2-1. You may get a security warning regarding the
crypto key; accept the key by clicking the Yes button in the popup window.

Step 12 On your PC, open your SSH terminal client application. Use the IP address of your
workgroup router (10.x.x.3), and the username and password pair that you
configured in Step 2 of this task.

Step 13 Below is an example of a successful connection using the PuTTY application using
SSH.



Step 14 Open the Windows Command window and enter the command telnet 10.x.x.3 (enter
the IP address of your workgroup router). Your output should be similar to the
example below.

Step 15 Enter the username and password in the new Telnet Command window that
automatically opens. Having established that Telnet is working simultaneously with
SSH, type logout at the user EXEC prompt and close your Command window by
typing exit at the Command window prompt. Your output should be similar to the
example below.

Step 16 Enter the command to save your configuration to startup-config.

Activity Verification
You have completed this task when you attain these results:
• You configured the vty lines to support the SSH version 2 protocol
• You successfully connected directly to your workgroup router using SSH and Telnet, thus
proving both are being supported simultaneously
• You saved your configuration
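
An added example, not part of the lab guide: a Python check that reads a show running-config capture and flags the settings this lab leaves weak, namely the cleartext and type 7 passwords seen in Tasks 1 and 2 and Telnet left enabled beside SSH in Task 4. The function names, finding codes and sample configuration are constructed for this example; the type 7 string is the one shown in Task 2.

```python
import re

# Constructed sample modelled on the lab's configuration after Task 4. It mixes
# cleartext and type 7 passwords on purpose so that each check fires.
SAMPLE_CONFIG = """\
username netadmin password netadmin
ip domain-name cisco.com
ip ssh version 2
!
line con 0
 password sanjose
 login
line aux 0
line vty 0 4
 password 7 051807012B435D0C
 login local
 transport input telnet ssh
!
end
"""


def parse(config):
    """Split a running-config into global commands and "line ..." sections.

    A section ends at the next "line" header, at "!" or at "end". When the
    text has kept its indentation, an unindented command also ends it, so the
    parser handles both a raw configuration and a flattened copy.
    """
    lines = config.splitlines()
    indented = any(line[:1] == " " for line in lines)
    globals_, sections, current = [], {}, None
    for raw in lines:
        cmd = raw.strip()
        if not cmd:
            continue
        if cmd.startswith("line "):
            current = sections.setdefault(cmd, [])
        elif cmd in ("!", "end"):
            current = None
        elif current is not None and (raw[:1] == " " or not indented):
            current.append(cmd)
        else:
            current = None
            globals_.append(cmd)
    return globals_, sections


def password_type(cmd):
    """Return the type digit of '... password [type] value' (0 = cleartext)."""
    m = re.search(r"\bpassword\s+(?:(\d)\s+)?\S+$", cmd)
    return int(m.group(1) or 0) if m else None


def audit(config):
    """Return (location, code, message) findings for the lab's weak settings."""
    globals_, sections = parse(config)
    findings = []

    def check_password(where, cmd, fix):
        ptype = password_type(cmd)
        if ptype == 0:
            findings.append((where, "CLEARTEXT_PASSWORD",
                             "readable by anyone who sees the config; " + fix))
        elif ptype == 7:
            findings.append((where, "TYPE7_PASSWORD",
                             "type 7 is reversible obfuscation, not a hash; " + fix))

    for cmd in globals_:
        words = cmd.split()
        if words[0] == "username" and "password" in words[2:]:
            check_password("username " + words[1], cmd, "use 'username ... secret'")
        elif words[:2] == ["enable", "password"]:
            check_password("enable password", cmd, "use 'enable secret'")

    ssh_allowed = False
    for header, cmds in sections.items():
        for cmd in cmds:
            if cmd.startswith("password "):
                check_password(header, cmd, "prefer 'login local' with a 'secret' user")
            elif cmd.startswith("transport input") and header.startswith("line vty"):
                protocols = set(cmd.split()[2:])
                ssh_allowed |= bool({"ssh", "all"} & protocols)
                if {"telnet", "all"} & protocols:
                    findings.append((header, "TELNET_ALLOWED",
                                     "Telnet sends the login in cleartext; "
                                     "use 'transport input ssh'"))
        if header.startswith("line con") and not any(c.startswith("login") for c in cmds):
            findings.append((header, "NO_CONSOLE_LOGIN",
                             "console does not ask for a password; add 'login'"))
    if ssh_allowed and "ip ssh version 2" not in globals_:
        findings.append(("global", "SSH_V1_FALLBACK",
                         "SSH 1.99 also accepts version 1; add 'ip ssh version 2'"))
    return findings


if __name__ == "__main__":
    for where, code, message in audit(SAMPLE_CONFIG):
        print(f"{where:20} {code:20} {message}")
```

The parser accepts the flattened form of the configuration printed in Task 2 as well as an indented capture taken from a device.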

Lab 4-8: Using Cisco SDM to Configure DHCP Server Function
Complete this lab activity to practice what you learned in the related module.

Activity Objective
In this activity, you will use Cisco SDM to configure DHCP server functionality on your
workgroup router. After completing this activity, you will be able to meet these objectives:
• You will use Cisco SDM to configure a DHCP pool of addresses
• You will use Cisco SDM to verify at least one DHCP client has received an address from
the pool just created
• You will use Cisco IOS commands to locate the switch port through which the DHCP
client is attaching to your workgroup switch

Visual Objective
The figure illustrates what you will accomplish in this activity.

Visual Objective for Lab 4-8 Using Cisco SDM to Configure DHCP Server Function

Pod   Router IP Address   Switch IP Address
A     10.2.2.3 /24        10.2.2.11 /24
B     10.3.3.3 /24        10.3.3.11 /24
C     10.4.4.3 /24        10.4.4.11 /24
D     10.5.5.3 /24        10.5.5.11 /24
E     10.6.6.3 /24        10.6.6.11 /24
F     10.7.7.3 /24        10.7.7.11 /24
G     10.8.8.3 /24        10.8.8.11 /24
H     10.9.9.3 /24        10.9.9.11 /24

Required Resources
These are the resources and equipment that are required to complete this activity:
• PC with connectivity to the remote lab
• An SSH-capable terminal emulation application
• Your assigned pod access information from Lab 4.1
• Successful completion of Lab 4-7

Command List
The table describes the commands that are used in this activity.

Router and Switch Cisco IOS Commands

Command                          Description
ping                             Used to diagnose basic network connectivity.
show mac-address-table dynamic   Displays dynamic MAC address table entries only; use
                                 the command in privileged EXEC mode.
show ip arp                      Used to display the ARP cache.

Job Aids
This job aid is available to help you complete the lab activity.

Table 1: DHCP Server Pool Information

Workgroup  DHCP Pool Name  DHCP Pool Network/Mask  Starting IP  Ending IP   Default Router  Lease Time (Days:Hrs:Mins)
A          wgA_clients     10.2.2.0/24             10.2.2.150   10.2.2.199  10.2.2.3        0:0:5
B          wgB_clients     10.3.3.0/24             10.3.3.150   10.3.3.199  10.3.3.3        0:0:5
C          wgC_clients     10.4.4.0/24             10.4.4.150   10.4.4.199  10.4.4.3        0:0:5
D          wgD_clients     10.5.5.0/24             10.5.5.150   10.5.5.199  10.5.5.3        0:0:5
E          wgE_clients     10.6.6.0/24             10.6.6.150   10.6.6.199  10.6.6.3        0:0:5
F          wgF_clients     10.7.7.0/24             10.7.7.150   10.7.7.199  10.7.7.3        0:0:5
G          wgG_clients     10.8.8.0/24             10.8.8.150   10.8.8.199  10.8.8.3        0:0:5
H          wgH_clients     10.9.9.0/24             10.9.9.150   10.9.9.199  10.9.9.3        0:0:5

Current Passwords

Router console login             sanjose
Router enable password           cisco
Router enable secret password    sanfran
Router vty login user ID         netadmin
Router vty login password        netadmin
Switch console login             sanjose
Switch enable password           cisco
Switch enable secret password    sanfran
Switch vty login user ID         netadmin
Switch vty login password        netadmin

Task 1: Configuring the Router to Support Web-Based Applications, a User with Privilege 15, and Telnet and SSH
This task will provide you with practice on enabling Cisco SDM on a router that has been
configured using the Cisco IOS startup sequence or the CLI. If you erased the factory startup
configuration in order to use the Cisco IOS startup sequence, you can still use Cisco SDM. To
do so, you must configure the router to support web-based applications, configure it with a user
account defined with privilege level 15, and then configure it to support the Telnet and SSH
protocols. These changes can be made using a Telnet session or using a console connection.

Activity Procedure
Complete these steps:
Step 1 Connect to your remote workgroup router via the console server, and enter the
necessary commands and passwords to get to the enable EXEC prompt.

Step 2 The current configurations have the HTTP service already enabled. However, it is
preferable to use the secure HTTP services (HTTPS). To enable the HTTP/HTTPS
server on your workgroup router, enter the ip http secure-server command.
Router(config)# ip http secure-server

Note The ability to support the secure server depends on the Cisco IOS version running on the
router. If HTTPS were not supported, then the HTTP server could still be enabled.

Step 3 It is also necessary to configure the HTTPS services with the method to be used for
authentication. To enable the workgroup router HTTP/HTTPS server authentication
method, enter the ip http authentication local command in global configuration
mode.
Router(config)# ip http authentication local
Step 4 To modify your netadmin user account to a privilege level of 15 (full enable
privileges), enter the username netadmin privilege 15 command in global
configuration mode.
Router(config)# username netadmin privilege 15



Task 2: Use Cisco SDM to Configure a DHCP Pool
In this task, you will use Cisco SDM to configure a DHCP pool on your workgroup router.

Activity Procedure
Complete these steps:

Step 1 Open a VPN connection to your remote workgroup.

Step 2 Open a Windows Internet Explorer window and enter your workgroup router IP
address in the Address bar in the form of a URL; for example, https://10.x.x.3.

Step 3 In the new window that opens, enter your netadmin username and password.

Step 4 You may see this message. If so, click Yes to it and any subsequent security
windows.

Step 5 Eventually, you should see the screen below.

Step 6 Choose the Configure tab.

Step 7 New options will appear on the left side of the window. Choose Additional Tasks
(the bottom option).



Step 8 In the Additional Tasks pane, open the DHCP tab, and choose DHCP Pools.

Step 9 In the DHCP Pools pane, choose the Add button.

Step 10 In the Add DHCP Pool window, add the information from Table 1 for your specific
workgroup. When you have finished, click the OK button.

Step 11 The Commands Delivery window opens, indicating the status of the transfer of
configuration commands to your workgroup router. When the status indicates
“Configuration delivered to router,” click the OK button.

Step 12 Wait a few minutes for any clients on your network to obtain an address. Then click
the DHCP Pool Status button.



Step 13 Your DHCP Pool Status should have a similar output, indicating that a client has an
address in the pool range. You may have to use the Refresh button in the main
window to get your display updated.

Step 14 Note the IP address of the DHCP client in the space below.

Step 15 Click the OK button to close the DHCP Pool Status window.

Activity Verification
You have completed this task when you attain these results:
• You connected to your workgroup router and opened the Cisco SDM window.
• You configured your router to support a DHCP pool.
• You used Cisco SDM to confirm that a client obtained an address from the pool.
• You noted the actual address of the DHCP client.

Task 2: Using Tools to Correlate Network Information


When you are implementing networks, it is necessary to confirm your configuration.
Maintenance and security tasks also require that you are able to find and use network
information for specific reasons. In this activity, you will use addressing information that you
gather to determine the attachment point of an end system to your network. Other typical
reasons for doing this would be to track down sources of duplicate addresses and to trace the
path of packets through a network while troubleshooting.

Activity Procedure
Complete these steps:

Step 1 Open an SSH connection to your workgroup router.

Step 2 At the enable prompt of your workgroup router, enter ping IP_address_dhcp_client.
Your output should be similar to the example below.
RouterX#ping 10.10.10.150

Type escape sequence to abort.


Sending 5, 100-byte ICMP Echos to 10.10.10.150, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms

Step 3 Enter the show ip arp IP_address_dhcp_client command to obtain the hardware
address (MAC address) that is bound to the IP address you just pinged. Your output
should be similar to the example below.
RouterX#show ip arp 10.10.10.150
Protocol Address Age (min) Hardware Addr Type Interface
Internet 10.10.10.150 63 001a.6ca1.eea9 ARPA FastEthernet0/0

Step 4 Note the hardware address (MAC address) of your DHCP client in the space below.

Step 5 Open a console connection to your workgroup switch.

Step 6 At the workgroup switch enable prompt, enter the show mac-address-table
dynamic command to display only the dynamically learned entries. Your output
should be similar to the example below.
SwitchX#show mac-address-table dynamic
Mac Address Table
-------------------------------------------

Vlan Mac Address Type Ports


---- ----------- -------- -----
1 001a.6ca1.eea9 DYNAMIC Fa0/11
1 001a.6ca1.eed8 DYNAMIC Fa0/2
1 001a.6dd7.1981 DYNAMIC Fa0/11
1 001a.6dfb.c401 DYNAMIC Fa0/12
Total Mac Addresses for this criterion: 4
Step 7 Using the MAC address from the previous step, identify the switch port through
which the DHCP client attaches to the network, and record it in the space below.

Step 8 You have located the switch port through which the DHCP client is entering your
network. If your network consists of any number of switches and routers, you can
use the same process to trace the physical location of any device, given its IP and
MAC (hardware) addresses.

Step 9 You should close any open connections and the VPN tunnel.

Activity Verification
You have completed this task when you attain these results:
• You used the IP address of the DHCP client identified in Task 1, in a ping command.
• You used the information from the output of the ping command to identify the MAC
address of that DHCP client.
• You used the workgroup switch mac-address-table command to identify the port through
which the DHCP client is accessing the network.
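
An added example, not part of the lab guide: the IP to MAC to switch port correlation from Steps 2 through 7 written as a Python script over the two command outputs shown in Steps 3 and 6. The function names and the "direct"/"shared" labels are assumptions of this example; it goes slightly beyond the lab by accepting other MAC notations and by reporting when several MAC addresses are learned on the same port.

```python
import re

# The outputs shown in Steps 3 and 6 of this task, embedded as sample input.
ARP_OUTPUT = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.10.10.150           63   001a.6ca1.eea9  ARPA   FastEthernet0/0
"""

MAC_TABLE_OUTPUT = """\
          Mac Address Table
-------------------------------------------
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
   1    001a.6ca1.eea9    DYNAMIC     Fa0/11
   1    001a.6ca1.eed8    DYNAMIC     Fa0/2
   1    001a.6dd7.1981    DYNAMIC     Fa0/11
   1    001a.6dfb.c401    DYNAMIC     Fa0/12
Total Mac Addresses for this criterion: 4
"""

CISCO_MAC = r"[0-9a-fA-F]{4}\.[0-9a-fA-F]{4}\.[0-9a-fA-F]{4}"
ARP_ROW = re.compile(
    r"^Internet\s+(\d+(?:\.\d+){3})\s+\S+\s+(" + CISCO_MAC + r")\s+\S+\s+(\S+)")
MAC_ROW = re.compile(r"^\s*(\S+)\s+(" + CISCO_MAC + r")\s+(\S+)\s+(\S+)\s*$")


def normalize_mac(mac):
    """Reduce any common MAC notation to 12 lowercase hex digits."""
    digits = re.sub(r"[.:\-\s]", "", mac).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


def parse_arp(text):
    """Map IP -> (MAC, router interface); unresolved entries do not match."""
    table = {}
    for line in text.splitlines():
        m = ARP_ROW.match(line.strip())
        if m:
            table[m.group(1)] = (normalize_mac(m.group(2)), m.group(3))
    return table


def parse_mac_table(text):
    """Return (vlan, MAC, type, port) rows from 'show mac-address-table'."""
    rows = []
    for line in text.splitlines():
        m = MAC_ROW.match(line)
        if m:
            rows.append((m.group(1), normalize_mac(m.group(2)),
                         m.group(3), m.group(4)))
    return rows


def find_port(mac, mac_table_text):
    """Locate a MAC on the switch and list the other MACs learned on its port."""
    wanted = normalize_mac(mac)
    rows = parse_mac_table(mac_table_text)
    for vlan, learned, _type, port in rows:
        if learned == wanted:
            others = [m for _, m, _, p in rows if p == port and m != wanted]
            return {"mac": wanted, "vlan": vlan, "port": port, "others": others,
                    # One MAC: the device is attached to this port. Several
                    # MACs: more than one device is reached through it, so
                    # repeat the lookup on the next switch (see Step 8).
                    "attachment": "shared" if others else "direct"}
    return None


def locate(ip, arp_text, mac_table_text):
    """Follow IP -> MAC (router ARP cache) -> port (switch MAC table)."""
    arp = parse_arp(arp_text)
    if ip not in arp:
        raise LookupError(f"{ip} is not in the ARP cache; ping it first")
    mac, router_interface = arp[ip]
    result = find_port(mac, mac_table_text)
    if result is None:
        raise LookupError(f"{mac} is not in the MAC address table")
    result.update(ip=ip, router_interface=router_interface)
    return result


if __name__ == "__main__":
    print(locate("10.10.10.150", ARP_OUTPUT, MAC_TABLE_OUTPUT))
```

In the sample output, Fa0/11 carries two MAC addresses, so the script labels the DHCP client's port as shared rather than direct.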



Lab 4-9: Managing Remote Access Sessions
Complete this lab activity to practice what you learned in the related module.

Activity Objective
In this activity, you will use Telnet and SSH connections to access Cisco routers and switches.
After completing this activity, you will be able to meet these objectives:
• Be able to initiate, suspend, resume and close a Telnet session from a Cisco router or
switch
• Be able to initiate, suspend, resume and close an SSH session from a Cisco router or switch

Visual Objective
The figure illustrates what you will accomplish in this activity.

Visual Objective for Lab 4-9 Managing Remote Access Sessions

Pod   Router IP Address   Switch IP Address
A     10.2.2.3 /24        10.2.2.11 /24
B     10.3.3.3 /24        10.3.3.11 /24
C     10.4.4.3 /24        10.4.4.11 /24
D     10.5.5.3 /24        10.5.5.11 /24
E     10.6.6.3 /24        10.6.6.11 /24
F     10.7.7.3 /24        10.7.7.11 /24
G     10.8.8.3 /24        10.8.8.11 /24
H     10.9.9.3 /24        10.9.9.11 /24

Required Resources
These are the resources and equipment that are required to complete this activity:
• PC with connectivity to the remote lab
• An SSH-capable terminal emulation application
• Your assigned pod access information from Lab 2-1
• Successful completion of Lab 4-8

Command List
The table describes the commands that are used in this activity.

Cisco IOS Router and Switch Commands

Command                    Description
Ctrl-Shift-6 x             Telnet or SSH escape sequence.
disconnect [session]       Disconnect an existing network connection. Optionally a
                           session number can be entered.
exec-timeout mins [secs]   Sets the amount of idle time that can elapse before a
                           connection is automatically closed.
exit                       The exit command in EXEC mode exits the active session
                           (logs off the device).
history size number        Sets the number of lines held in the history buffer for recall.
                           Two separate buffers are used, one for EXEC mode
                           commands and the second for configuration mode
                           commands.
ip domain-lookup           Supplies an IP domain name, which is required by the
                           crypto key generation process.
line console 0             Enters the line console configuration mode.
logging synchronous        Synchronizes unsolicited messages and debug privileged
                           EXEC command output with solicited device output and
                           prompts for a specific console port line or vty line.
logout                     Exits the EXEC mode requiring reauthentication or
                           reconnection.
resume                     Switches to another open Telnet or SSH connection.
show sessions              Displays information about open Telnet or SSH
                           connections.
show users                 Displays information about the active lines.
ssh ip_address             Starts an encrypted session with a remote networking
                           device using the current user’s ID. The IP address
                           identifies the destination device.
telnet ip_address          Establishes a Telnet protocol network connection. The IP
                           address identifies the destination device.

Job Aids
• There are no job aids for this lab activity.

Task 1: Improve the Usability of the Router CLI


In this task, you will enter commands to improve the usability of the CLI as you did for your
workgroup switch. You will increase the number of lines that are stored in the history buffer,
increase the inactivity timer on the console port, and stop attempts to resolve the names of
mistyped commands.

Activity Procedure
Complete these steps:

Step 1 Connect to your remote workgroup router via the console server, and enter the
necessary commands and passwords to get to the enable mode.



Step 2 The size of the history buffers is 20. You could change this by using the command
terminal history size 100. However, this value would have to be entered every time
you log out of and back into the switch. The history size can be set in the
configuration, associated with the vty and console lines.

Step 3 Enter the command config t to get to the global configuration prompt.

Step 4 Enter the command line console 0.

Step 5 Enter the command history size 100 to change the history buffer size.

Step 6 Enter the command exec-timeout 60 to extend the idle timeout value.

Step 7 Enter the command logging synchronous to synchronize unsolicited messages and
debug privileged EXEC command output with the input from the CLI.

Step 8 Enter the command line vty 0 4 to configure the vty lines.

Step 9 Enter the commands to configure the history size to 100 and to synchronize the
messages.

Step 10 Enter the exit command to return to the global configuration mode.
Step 11 Enter the command no ip domain-lookup to disable the resolution for symbolic
names.

Step 12 Enter the command end to return to enable EXEC prompt.


Step 13 Use the history recall to enter the show terminal command. Your output should be
similar to the example below, which has been edited to reduce unwanted lines.
RouterX#show terminal
Line 0, Location: "", Type: ""
Length: 24 lines, Width: 80 columns
Baud rate (TX/RX) is 9600/9600, no parity, 2 stopbits, 8 databits
..
..Text omitted
..
Editing is enabled.
History is enabled, history size is 100.
DNS resolution in show commands is enabled
Full user help is disabled
Allowed input transports are none.
Allowed output transports are pad telnet rlogin lapb-ta mop v120 ssh.
Preferred transport is telnet.
No output characters are padded
No special data dispatching characters
Step 14 Enter the show running-config command to view the running configuration to
confirm that the configuration changes you made are correct.

Step 15 When you are satisfied that your running configuration reflects the changes, save it
to startup-config.

Activity Verification
You have completed this task when you attain these results:
• The inactivity timeout on the console line is set to 60 minutes.
• You have verified that the history buffer value is set to 100 lines on the console and vty
lines.
• You have verified that logging synchronous is configured on the console and vty lines.
• You have verified that IP domain lookup is disabled.
• You saved your running configuration to startup-config.

Task 2: Connect to Your Remote Workgroup via VPN Tunnel


In this task, you will open a VPN connection to your remote workgroup and then log in to your
assigned workgroup router using the terminal emulation application. Use the username and
password netadmin. You will then increase the vty lines' automatic idle timeout to 30
minutes for the duration of this lab on your workgroup router.

Activity Procedure
Complete these steps:

Step 1 From your PC, open a VPN connection to your designated workgroup.

Step 2 From your PC, use PuTTY to connect to the IP address of your workgroup router
and get to the enable EXEC prompt. Use the username and password netadmin
during this activity.

Step 3 Get to the enable EXEC prompt and enter the command show sessions. Your output
should look similar to the following display:
login as: netadmin

********** Warning *************


Access to this device is restricted to authorized persons only!
Un-authorized access is prohibited. Violators will be prosecuted.

**************************************************************^C
netadmin@10.10.10.3's password:

RouterX#show sessions
% No connections open
RouterX#

Step 4 Enter the command show users to see the current users connected to your
workgroup router. Your output should look similar to the following display:
RouterX#sh users
Line User Host(s) Idle Location
*322 vty 0 netadmin idle 00:00:00 10.10.10.134
Interface User Mode Idle Peer Address

Step 5 The user “netadmin” is associated with the address of your PC, because of the VPN
connection you made in Step 2 of this task.

Step 6 Enter the command conf t to get to the global configuration prompt.

Step 7 Enter the command line vty 0 4 to get to the VTY line configuration mode.

Step 8 Enter the command exec-timeout 30 to extend the idle timer period to 30 minutes.

Step 9 Return to the EXEC prompt by entering the command end. Your output should look
similar to the following display:



RouterX#conf t
Enter configuration commands, one per line. End with CNTL/Z.
RouterX(config)#line vty 0 4
RouterX(config-line)#exec-timeout 30
RouterX(config-line)#end
RouterX#

Activity Verification
You have completed this task when you attain these results:
• You connected from your PC to your remote workgroup router using PuTTY via VPN
tunnel.
• You increased the idle timeout of the router vty lines to 30 minutes.
• You used the show sessions command to verify that the router has no open sessions at this
time.
• You used the show users command to identify that you are the only user currently
connected to your router.

Task 3: Using the Cisco IOS CLI Commands to Control Telnet and SSH Sessions
In this task, you will practice the initiation, suspension, and resumption of Telnet and SSH
sessions from the Cisco IOS CLI. Use the username and password netadmin during this
activity. You will also increase the vty line automatic idle timeout to 30 minutes for the
duration of this activity on your workgroup switch.

Activity Procedure
Complete these steps:

Step 1 From your workgroup router, open a Telnet session to your assigned workgroup
switch, using the telnet ip_address command.

Step 2 Enter the command to get to the enable EXEC prompt. Your output should look
similar to the following display:
RouterX#telnet 10.10.10.11
Trying 10.10.10.11 ... Open

********** Warning *************


Access to this device is restricted to authorized persons only!
Un-authorized access is prohibited. Violators will be prosecuted.

**************************************************************

User Access Verification

Username: netadmin
Password:
SwitchX>enable
Password:
SwitchX#
Step 3 Enter the command conf t to get to the global configuration prompt.

Step 4 Enter the command line vty 0 15 to get to the VTY line configuration mode.

Step 5 Enter the command exec-timeout 30 to extend the idle timer period to 30 minutes.

Step 6 Return to the EXEC prompt by entering the command end. Your output should look
similar to the following display:
SwitchX#conf t
Enter configuration commands, one per line. End with CNTL/Z.
SwitchX(config)#line vty 0 15
SwitchX(config-line)#exec-timeout 30
SwitchX(config-line)#end
SwitchX#
Step 7 Enter the escape sequence Ctrl-Shift-6, x to suspend the session and get the
RouterX# prompt.

Step 8 Enter the command show sessions to display the currently active sessions. Your
output should look similar to the following display with the exception that the
escape sequence has been indicated in bold text:
SwitchX#<cntrl+shift+6,x>
RouterX#show sessions
Conn Host Address Byte Idle Conn Name
* 1 10.10.10.11 10.10.10.11 0 0 10.10.10.11

RouterX#
Step 9 Enter the command ssh ip_address to open a second connection to your workgroup
switch using the SSH protocol.

Note: You need to enter the password associated with the username “netadmin.”

Your output should look similar to the following display:


RouterX#ssh 10.10.10.11

********** Warning *************


Access to this device is restricted to authorized persons only!
Un-authorized access is prohibited. Violators will be prosecuted.

**************************************************************
Password:

SwitchX>
Step 10 Enter the escape sequence Ctrl-Shift-6, x to suspend the session and get the
RouterX# prompt.
Step 11 Enter the command show sessions to display the currently active sessions. Your
output should look similar to the following display with the exception that the
escape sequence has been indicated in bold text:
SwitchX><ctrl+shift+6,x>
RouterX#show sessions
Conn Host Address Byte Idle Conn Name
1 10.10.10.11 10.10.10.11 0 4 10.10.10.11
* 2 10.10.10.11 10.10.10.11 0 0

RouterX#
Step 12 Enter the command resume 1 to resume your first connection to the workgroup
switch. Notice that this session has the enable prompt.
<ENTER>
RouterX#resume 1
[Resuming connection 1 to 10.10.10.11 ... ]
<ENTER>
SwitchX#show users
Line User Host(s) Idle Location
* 1 vty 0 netadmin idle 00:00:00 10.10.10.3
2 vty 1 netadmin idle 00:00:22 10.10.10.3

Interface User Mode Idle Peer Address

SwitchX#
Step 13 From your switch, Telnet to your workgroup router without prefixing the address
with “Telnet,” and notice that you were automatically enabled on the router. Your
output should look similar to the following display:
SwitchX#10.10.10.3
Trying 10.10.10.3 ... Open

********** Warning *************


Access to this device is restricted to authorized persons only!
Un-authorized access is prohibited. Violators will be prosecuted.

**************************************************************^C

User Access Verification

Username: netadmin
Password:
RouterX#
Step 14 Enter the command show sessions to display any sessions associated with this
connection. Your output should look similar to the following display:
RouterX#show sessions
% No connections open
RouterX#

Note At this point in the activity, you have established a Telnet connection from the router to the
switch and a Telnet connection from the switch to the router. Also, you have an SSH
connection from the router to the switch.

Step 15 Your current view is at the router user EXEC via your initial Telnet connection
through the switch. If at this point you use a single escape sequence, you will return
to the Router# prompt (session 1). However, if you use two escape sequences
followed by pressing x, you will return to the switch.

Step 16 Enter the sequence Ctrl-Shift-6, Ctrl-Shift-6, x, and notice that the x is used only
once at the end. You are returned to your switch. Your output should look similar to
the following display:
RouterX#<ctrl-shift-6, ctrl-shift-6, x>
SwitchX#sh sessions
Conn Host Address Byte Idle Conn Name
* 1 10.10.10.3 10.10.10.3 0 0 10.10.10.3

SwitchX#
Step 17 Enter the escape sequence Ctrl-Shift-6, x, to suspend the original session initiated
from the router and get the RouterX# prompt. Your output should look similar to the
following display:
SwitchX#<ctrl-shift-6, x>
RouterX#sh sessions
Conn Host Address Byte Idle Conn Name
* 1 10.10.10.11 10.10.10.11 0 0 10.10.10.11
2 10.10.10.11 10.10.10.11 0 7

Step 18 Observe the output. The asterisk (*) is by the number 1. This indicates that this is the
active session. If you press the Enter key without adding any other text, the session
will automatically be resumed.

Step 19 Press the Enter key twice. The first resumes the connection to the switch, and the
second is interpreted at the switch to resume its session to the router. You will need
to press Enter a third time to get the router prompt. Your output should look similar
to the following display:
RouterX#<ENTER>
[Resuming connection 1 to 10.10.10.11 ... ]
<ENTER>
[Resuming connection 1 to 10.10.10.3 ... ]
<ENTER>
RouterX#

Step 20 Enter the sequence Ctrl-Shift-6, Ctrl-Shift-6, x, to return to your switch. Your
output should look similar to the following display:
RouterX#<ctrl-shift-6, ctrl-shift-6, x>
SwitchX#
Step 21 Close the connection to the router by using the disconnect command. Entering the
command without any numerical value is interpreted as closing the last created
connection. You will need to confirm your requested action. Your output should
look similar to the following display:
SwitchX#disconnect
Closing connection to 10.10.10.3 [confirm]
SwitchX#
Step 22 Remove the modification to the EXEC timeout value by setting it back to its default
value of 10 minutes. Your output should look similar to the following display:
SwitchX#conf t
Enter configuration commands, one per line. End with CNTL/Z.
SwitchX(config)#line vty 0 15
SwitchX(config-line)#exec-timeout 10
SwitchX(config-line)#end
SwitchX#
Step 23 Use the sequence Ctrl-Shift-6, x, to return to your router and enter the show
sessions command. Your output should look similar to the following display:
SwitchX#<ctrl-shift-6, x>
RouterX#show sessions
Conn Host Address Byte Idle Conn Name
* 1 10.10.10.11 10.10.10.11 0 1 10.10.10.11
2 10.10.10.11 10.10.10.11 0 39
Step 24 Use the disconnect command to close both connections to the switch. Your output
should look similar to the following display:
RouterX#disconnect 1
Closing connection to 10.10.10.11 [confirm]
RouterX#disconnect 2
Closing connection to 10.10.10.11 [confirm]
RouterX#
Step 25 Remove the modification to the EXEC timeout value by setting it back to its default
value of 10 minutes. Your output should look similar to the following display:
RouterX#conf t
Enter configuration commands, one per line. End with CNTL/Z.
RouterX(config)#line vty 0 4
RouterX(config-line)#exec-timeout 10
RouterX(config-line)#end
RouterX#
Step 26 Close your SSH connection to your workgroup router by using the logout command.
Then close your VPN connection.
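
An added example, not part of the original lab guide: a Python check that reads the line blocks of a saved configuration and reports any line whose EXEC idle timeout is disabled or longer than the 10-minute default restored in Steps 22 and 25. The configuration text is constructed sample input, the function names are this example's own, and it assumes that a line block with no exec-timeout entry is running the default.

```python
import re

# Constructed running-config fragment (sample input, not from the lab equipment).
# "line vty 5 15" has no exec-timeout entry, so it is assumed to use the default.
SAMPLE_CONFIG = """\
line con 0
 exec-timeout 0 0
line vty 0 4
 exec-timeout 30 0
 login local
line vty 5 15
 login local
"""

DEFAULT_TIMEOUT = (10, 0)  # (minutes, seconds): the default value the lab restores

# Accepts both "exec-timeout 30" (as typed in the lab) and "exec-timeout 30 0".
TIMEOUT_RE = re.compile(r"^\s+exec-timeout\s+(\d+)(?:\s+(\d+))?\s*$")


def parse_line_timeouts(config):
    """Return {line block name: (minutes, seconds)} for every 'line ...' block."""
    timeouts = {}
    current = None
    for raw in config.splitlines():
        if raw.startswith("line "):
            current = raw.strip()
            timeouts[current] = DEFAULT_TIMEOUT
        elif current and raw[:1].isspace():
            # Indented lines belong to the current line block.
            match = TIMEOUT_RE.match(raw)
            if match:
                timeouts[current] = (int(match.group(1)), int(match.group(2) or 0))
        else:
            # Any other unindented line ends the block.
            current = None
    return timeouts


def audit_timeouts(config, max_minutes=10):
    """List (line block, reason) pairs for timeouts that are disabled or too long."""
    findings = []
    for name, (minutes, seconds) in parse_line_timeouts(config).items():
        total = minutes * 60 + seconds
        if total == 0:
            findings.append((name, "idle timeout disabled"))
        elif total > max_minutes * 60:
            findings.append((name, f"idle timeout of {minutes} min {seconds} s exceeds {max_minutes} min"))
    return findings


if __name__ == "__main__":
    for name, reason in audit_timeouts(SAMPLE_CONFIG):
        print(f"{name}: {reason}")
```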

Activity Verification
You have completed this task when you attain these results:
• You initiated Telnet connections between your workgroup router and switch.
• You initiated an SSH connection between your workgroup router and switch.
• You used the show sessions command to identify current connections and their values
including active session and session numbers.
• You used the show users command to identify currently connected users to your
workgroup router and switch.
• You used the escape sequence to suspend the connection (session) that you were using
(active).
• You used the resume command to choose which of your open connections (sessions) you
would use.
• You returned the exec-timeout command value to 10 minutes on your workgroup router
and switch.
• You used disconnect and logout to close all connections.
• You terminated the VPN tunnel from your PC to your remote workgroup.

Lab 5-1: Connecting to the Internet
Complete this lab activity to practice what you learned in the related module.

Activity Objective
In this activity, you will configure your WAN Ethernet interface to use a DHCP-obtained
IP address and to provide PAT. After completing this activity, you will be able to
meet these objectives:
• Using Cisco SDM to configure the WAN Ethernet interface to use a DHCP-obtained IP
address
• Using Cisco SDM to configure the router to support PAT of the inside Ethernet interface
through the WAN Ethernet interface
• Using Cisco SDM to verify that the configuration matches the requirements of the lab
• Using the CLI to test and observe that PAT is taking place through the WAN Ethernet
interface

Visual Objective
The figure illustrates what you will accomplish in this activity.

[Figure: Visual Objective for Lab 5-1: Connecting to the Internet]

Required Resources
These are the resources and equipment that are required to complete this activity:
• PC with connectivity to the remote lab
• An SSH-capable terminal emulation application
• Your assigned pod access information from Lab 2-1
• Successful completion of Lab 4-9

Command List
The table describes the commands that are used in this activity.

Router Cisco IOS Commands

Command                      Description

clear ip nat translation *   Clears dynamic NAT translations from the translation
                             table.

ping ip_address              Common tool used to troubleshoot the accessibility of
                             devices. It uses ICMP path echo requests and ICMP
                             path echo replies to determine whether a remote host is
                             active. The ping command also measures the amount of
                             time it takes to receive the echo reply.

show dhcp lease              Displays the DHCP addresses leased from a server.

show ip nat translations     Displays active NAT translations.

Job Aids
There are no job aids for this lab activity.

Task 1: Use Cisco SDM to Configure the Ethernet Connection
to the Internet
In this task you will use the Cisco SDM tool to configure your WAN Ethernet connection to
use DHCP to obtain its IP address. This interface will also be used in the NAT port address
translation mode.

Activity Procedure
Complete these steps:
Step 1 Open a VPN connection to your remote workgroup.

Step 2 Open an Internet Explorer window and enter your workgroup router IP address in
the Address field in the form of a URL; for example, https://10.x.x.3.

Step 3 In the new window that opens, enter your username netadmin and password
netadmin.

Step 4 You may see this window; if so, click Yes to it and any subsequent security
windows.

Step 5 Eventually, you should see the screen below.

Step 6 Choose the Configure tab.

Step 7 Choose the Create Connection tab, and click the Ethernet PPPoE or
Unencapsulated Routing radio button.

Step 8 Click the Create New Connection button at the bottom of the pane.

Step 9 At the Welcome to the Ethernet WAN Configuration Wizard window, click the Next
button at the bottom of the pane.

Step 10 At the Encapsulation window, make no choices. Click the Next button at the bottom
of the pane to proceed.

Step 11 At the IP address window, make no choices. Only the Dynamic (DHCP Client)
radio button should be set. Click Next to proceed.

Step 12 At the Advanced Options window, check the Port Address Translation check box.
You should see “FastEthernet0/0” appear automatically in the LAN Interface to Be
Translated box. Click the Next button at the bottom of the pane to proceed.

Step 13 Review the information in the Summary window. Click the Finish button to finalize
the wizard.

Step 14 The configuration commands are transferred. Click the OK button to close the
Commands Delivery Status window.

Step 15 In the Edit Interface/Connection tab that opened up following the previous step,
choose FastEthernet0/1.

Step 16 Observe that the IP address is set and that it has (DHCP) following the value. Notice
also that in the lower pane, NAT has a value of Outside.

Note You may need to click the Refresh button to force an update of the display.

Step 17 Close both your Cisco SDM session and your VPN connection.

Activity Verification
You have completed this task when you attain these results:
• You have verified that the FastEthernet0/1 interface has an address obtained using DHCP.
• You have verified in Step 15 that your FastEthernet0/0 interface has been identified as
being an inside interface in the PAT configuration.
• You have verified in Step 15 that your FastEthernet0/1 interface has been identified as
being an outside interface in the PAT configuration.

Task 2: Use the CLI to Verify and Observe the Operation of PAT
on Your Workgroup Router
In this task you will connect to your workgroup via the SSH connection. You will use CLI
commands to ping the DHCP provided default gateway IP address. Then observe the PAT
information stored by the workgroup router by using the clear and show ip nat translations
commands.

Activity Procedure
Complete these steps:

Step 1 Using the SSH-capable terminal emulation application, connect to your assigned
workgroup router.

Step 2 At the enable prompt, enter the show dhcp lease command. Your output should look
similar to the following display, but will be different for each pod.
RouterX#show dhcp lease
Temp IP addr: 172.20.21.5 for peer on Interface: FastEthernet0/1
Temp sub net mask: 255.255.255.0
DHCP Lease server: 172.20.21.254, state: 3 Bound
DHCP transaction id: 1F7E
Lease: 86400 secs, Renewal: 43200 secs, Rebind: 75600 secs
Temp default-gateway addr: 172.20.21.254
Next timer fires after: 11:53:31
Retry count: 0 Client-ID: 001a.6ca1.eed9
Client-ID hex dump: 001A6CA1EED9
Hostname: RouterX
RouterX#
Step 3 Use the clear ip nat translation * command to clear any residual NAT information
before proceeding to the next step.

Step 4 Use the show ip nat translations command to verify that there is no data to display.
RouterX#clear ip nat translation *
RouterX#show ip nat translations

RouterX#
Step 5 Using the IP address of the default router obtained in your output, use the ping
command to test connectivity.
Step 6 Use the show ip nat translations command to observe if any translation was made.
Your output should look similar to the following display:
RouterX#show ip nat translations

RouterX#

Caution You may be surprised that no entry was made for the ping that you just successfully
completed. The reason for this is in the behavior of the ping process, which uses the IP
address of the outgoing interface as the source IP address in the packets it uses. For the
test that you just did, the outgoing interface (FastEthernet0/1) has the IP address
172.20.x.254, which does not need to be translated. In order to test this, you need to go to
your workgroup switch and repeat the ping command, then return to your router to view the
translation entry.

Step 7 At your workgroup switch user EXEC prompt enter the ping command to the
default router IP address you used in Step 5. Your output should look similar to the
following display:
SwitchX>ping 172.20.21.254

Type escape sequence to abort.


Sending 5, 100-byte ICMP Echos to 172.20.21.254, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/8 ms
SwitchX>

Step 8 Return to your workgroup router and enter the show ip nat translations command.
RouterX#show ip nat translations
Pro Inside global      Inside local       Outside local      Outside global
icmp 172.20.21.5:33    10.10.10.11:33     172.20.21.254:33   172.20.21.254:33
Step 9 Observe that in your output, the inside local IP address was your workgroup switch,
and the inside global IP address was your FastEthernet0/1 interface.

Step 10 Save your running configuration to startup-config.
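
An added example, not part of the original lab guide: Python code that parses the show dhcp lease and show ip nat translations output from the steps above and checks that every inside local address belongs to the FastEthernet0/0 LAN and every inside global address is the leased FastEthernet0/1 address. The function names and the extra ROGUE_NAT entry are constructed for this example; creates_translation models the Caution above, where a ping sourced from the router's outside interface produces no entry.

```python
import ipaddress
import re

# Output copied from Steps 2 and 8 of this task (column spacing normalised).
SHOW_DHCP_LEASE = """\
Temp IP addr: 172.20.21.5  for peer on Interface: FastEthernet0/1
Temp sub net mask: 255.255.255.0
Temp default-gateway addr: 172.20.21.254
"""
SHOW_NAT = """\
RouterX#show ip nat translations
Pro Inside global      Inside local       Outside local      Outside global
icmp 172.20.21.5:33    10.10.10.11:33     172.20.21.254:33   172.20.21.254:33
"""
# Constructed entry (not from the page): an inside local address that is not
# on the FastEthernet0/0 LAN.
ROGUE_NAT = "tcp 172.20.21.5:1025 192.168.99.7:1025 172.20.21.254:23 172.20.21.254:23\n"

INSIDE_NET = ipaddress.ip_network("10.10.10.0/24")  # FastEthernet0/0 subnet in this lab
FIELDS = ("inside_global", "inside_local", "outside_local", "outside_global")


def leased_address(text):
    """Extract the DHCP-leased address from 'show dhcp lease' output."""
    match = re.search(r"Temp IP addr:\s+(\d+(?:\.\d+){3})", text)
    if match is None:
        raise ValueError("no leased address in output")
    return ipaddress.ip_address(match.group(1))


def split_endpoint(field):
    """'10.10.10.11:33' -> (IPv4Address, 33); '---' (unused column) -> (None, None)."""
    if field == "---":
        return None, None
    host, _, port = field.partition(":")
    return ipaddress.ip_address(host), int(port) if port else None


def parse_nat_translations(text):
    """Return one dict per translation row; prompt and header lines are skipped."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        try:
            endpoints = [split_endpoint(p) for p in parts[1:]]
        except ValueError:
            continue  # five tokens, but not address fields
        entries.append(dict(zip(FIELDS, endpoints), proto=parts[0]))
    return entries


def audit_translations(entries, outside_ip, inside_net=INSIDE_NET):
    """Flag rows whose addresses do not match the expected PAT setup."""
    findings = []
    for entry in entries:
        local_ip = entry["inside_local"][0]
        global_ip = entry["inside_global"][0]
        if local_ip is None or local_ip not in inside_net:
            findings.append(f"inside local {local_ip} is not in {inside_net}")
        if global_ip != outside_ip:
            findings.append(f"inside global {global_ip} is not the leased address {outside_ip}")
    return findings


def creates_translation(src_ip, inside_net=INSIDE_NET):
    """PAT only builds an entry for packets whose source is an inside local address."""
    return ipaddress.ip_address(src_ip) in inside_net


if __name__ == "__main__":
    outside = leased_address(SHOW_DHCP_LEASE)
    print(audit_translations(parse_nat_translations(SHOW_NAT + ROGUE_NAT), outside))
    print("switch ping translated:", creates_translation("10.10.10.11"))
    print("router ping translated:", creates_translation(str(outside)))
```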

Activity Verification
You have completed this task when you attain these results:
• You were able to get the DHCP obtained IP address of the default gateway.
• You tested the operation of PAT, using a ping locally generated on your workgroup router.
The show ip nat translations command failed to show any translation because of the
behavior of the ping packets (use of source IP addresses).
• You retested the ping from your workgroup switch, then used the show ip nat translations
command. This sequence of packets did generate a translation.
• You saved your running configuration to startup-config.

Lab 5-2: Connecting to the Main Office
Complete this lab activity to practice what you learned in the related module.

Activity Objective
In this activity, you will configure the serial connection and configure a static route. After
completing this activity, you will be able to meet these objectives:
• Configure your serial interface to use PPP
• Configure a static route to a given IP network which can be reached via the serial interface

Visual Objective
The figure illustrates what you will accomplish in this activity.

[Figure: Visual Objective for Lab 5-2: Connecting to the Main Office]

Required Resources
These are the resources and equipment that are required to complete this activity:
• PC with connectivity to the remote lab
• An SSH-capable terminal emulation application
• Your assigned pod access information from Lab 2-1
• Successful completion of Lab 5-1

Command List
The table describes the commands that are used in this activity.

Router Cisco IOS Commands

Command                          Description

description description          Allows descriptive text to be associated with an interface.

interface serial 0/0/0           Enters the interface configuration mode of the interface
                                 specified.

encapsulation ppp                Sets PPP as the encapsulation method used by a serial
                                 interface.

ip address ip_address mask       Sets the IP address and mask of the interface.

ip route net-prefix prefix-mask  Establishes a static route to destination.
next_hop_ip_address

shutdown                         Disables and enables an interface.
no shutdown

ping ip_address                  Uses ICMP path echo requests and ICMP path echo
                                 replies to determine whether a remote host is active.

show ip route                    Displays the current state of the routing table.

traceroute ip_address            Discovers the IP routes that packets will actually take
                                 when traveling to their destination.

Job Aids
This job aid is available to help you complete the lab activity.

Table 1: Serial WAN Information

Workgroup  WAN Interface s0/0/0  Remote WAN Interface  Remote Network        Remote Host
           IP Address            IP Address            Reachable via s0/0/0  Reachable via s0/0/0
           Mask 255.255.255.0    (Next-Hop Router)

A          10.140.1.2            10.140.1.1            192.168.21.0          192.168.21.200
B          10.140.2.2            10.140.2.1            192.168.22.0          192.168.22.200
C          10.140.3.2            10.140.3.1            192.168.23.0          192.168.23.200
D          10.140.4.2            10.140.4.1            192.168.24.0          192.168.24.200
E          10.140.5.2            10.140.5.1            192.168.25.0          192.168.25.200
F          10.140.6.2            10.140.6.1            192.168.26.0          192.168.26.200
G          10.140.7.2            10.140.7.1            192.168.27.0          192.168.27.200
H          10.140.8.2            10.140.8.1            192.168.28.0          192.168.28.200

Current Passwords
Router console login sanjose

Router enable password cisco

Router enable secret password sanfran

Router vty login user ID netadmin

Router vty login password netadmin

Switch console login sanjose

Switch enable password cisco

Switch enable secret password sanfran

Switch vty login user ID netadmin

Switch vty login password netadmin

Task 1: Configure Your Workgroup Router Serial 0/0/0


In this task you will configure your first serial interface with its assigned IP address. Also, you
will configure the interface to support PPP encapsulation.

Activity Procedure
Complete these steps:

Step 1 Connect to your assigned workgroup router console port, and get to the EXEC
enable prompt.
Step 2 Enter the command config terminal to get to the global configuration prompt.

Step 3 Enter the command interface s0/0/0 to get to the interface configuration mode of
your first serial interface.
Step 4 Enter the command encapsulation ppp to enable the use of PPP instead of the
default encapsulation of HDLC.

Step 5 Enter the command ip address ip_address 255.255.255.0, where you supply your
WAN IP address from Table 1 at the beginning of this lab.

Step 6 Enter the command description Link to Main Office to associate text with the
interface.
Step 7 Enter the command no shutdown to bring the interface up.

Step 8 Wait a few moments for the status messages to stop. Then enter the command end to
exit to EXEC prompt.
Step 9 Your output for Steps 3 through 8 should look similar to the following display:
RouterX(config)#int s0/0/0
RouterX(config-if)#encapsulation ppp
RouterX(config-if)#ip address 10.140.10.2 255.255.255.0
RouterX(config-if)#description Link to Main Office
RouterX(config-if)#no shutdown
*Mar 26 21:10:35.451: %SYS-5-CONFIG_I: Configured from console by console
RouterX#
*Mar 26 21:10:35.983: %LINK-3-UPDOWN: Interface Serial0/0/0, changed state to up
RouterX#

*Mar 26 21:10:37.015: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0/0,
changed state to up
RouterX(config-if)#end
Step 10 Enter the command show interface s0/0/0 to display the current status of your serial
interface.

Step 11 Notice the bolded lines in the example below, which should be similar to your
output.
RouterX#show interface s0/0/0
Serial0/0/0 is up, line protocol is up
Hardware is GT96K Serial
Description: Link to Main Office
Internet address is 10.140.10.2/24
MTU 1500 bytes, BW 1544 Kbit, DLY 20000 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation PPP, LCP Open
Open: IPCP, CDPCP, loopback not set
Keepalive set (10 sec)
..
Text omitted
Step 12 If your serial interface line protocol is NOT up, then recheck that you entered your
information correctly.

Activity Verification
You have completed this task when you attain these results:
• You have correctly configured a username and password pair for PPP to use.
• You have configured your interface to use the assigned IP address from Table 1 in this Lab.
• You have verified using the show interface command that your serial interface is up, with
the line protocol up.

Task 2: Test Connectivity to Your Assigned Remote Network


You will use the ping command to test connectivity to your given remote network, which can
only be reached through the serial interface you just configured. The test will fail. You will
then use various Cisco IOS commands to investigate the reason why you cannot reach the
network.

Activity Procedure
Complete these steps:

Step 1 Enter the ping remote_host command using the assigned IP address of the remote
host from Table 1 above. Your output should look similar to the following display:
RouterX#ping 192.168.21.200

Type escape sequence to abort.


Sending 5, 100-byte ICMP Echos to 192.168.21.200, timeout is 2 seconds:
U.U.U
Success rate is 0 percent (0/5)
Step 2 Enter the traceroute remote_host command, using the same IP address you used in
Step 1 above. Your output should look similar to the following display:
RouterX#traceroute 192.168.21.200

Type escape sequence to abort.


Tracing the route to 192.168.21.200

1 172.20.21.254 0 msec 4 msec 0 msec
2 172.20.21.254 !H * !H
Step 3 The output should indicate that the packets are being sent to the “Internet” IP
address via FastEthernet 0/1.
Step 4 Enter the command show ip route to view the current information held in the route
table. Your output should look similar to the following display:
RouterX#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route

Gateway of last resort is 172.20.21.254 to network 0.0.0.0

172.20.0.0/24 is subnetted, 1 subnets


C 172.20.21.0 is directly connected, FastEthernet0/1
10.0.0.0/8 is variably subnetted, 3 subnets, 2 masks
C 10.10.10.0/24 is directly connected, FastEthernet0/0
C 10.140.10.1/32 is directly connected, Serial0/0/0
C 10.140.10.0/24 is directly connected, Serial0/0/0
S* 0.0.0.0/0 [254/0] via 172.20.21.254
Step 5 Notice in the example the two lines that are bolded. These indicate that the only
place that the router can send packets with destination addresses that are not found
on directly connected networks is via the default route. Recall that the default route
is indicated using 0.0.0.0.

Activity Verification
You have completed this task when you attain these results:
• You observed using the traceroute command where your packets were being sent.
• You observed using the show ip route command that there is no entry in the routing table
that matches the network you were trying to reach. Also, the routing table has an entry for
forwarding “unknown” destinations, known as the gateway of last resort.

Task 3: Add a Static Route Entry for Your Remote Network


You have determined that the reason for the problem in reaching your remote network is that
there is no routing table entry for that network. In this task, you will correct this problem by
adding a static route entry to the configuration. You will then test that this action has corrected
the problem. You should note that in order for your static route to correct this issue, there needs
to be a reciprocal static entry in the distant router pointing back to your workgroup. You can
assume that this has already been done by the administrator of that router.

Activity Procedure
Complete these steps:
Step 1 At the enable EXEC prompt, enter the command conf t to get to global
configuration mode.

Step 2 Enter the command ip route remote_network remote_network_mask
IP_next_hop_router, where the information to complete this can be obtained from
Table 1. Your output should look similar to the following display:
RouterX(config)#ip route 192.168.2x.0 255.255.255.0 10.140.x.1
Step 3 Enter the command end to exit the configuration mode and return to the EXEC
prompt.
Step 4 Enter the command show ip route to view the current information held in the route
table. Your output should look similar to the following display:
RouterX#show ip route
..
..Text omitted
..
Gateway of last resort is 172.20.21.254 to network 0.0.0.0

172.20.0.0/24 is subnetted, 1 subnets


C 172.20.21.0 is directly connected, FastEthernet0/1
S 192.168.21.0/24 [1/0] via 10.140.10.1
10.0.0.0/8 is variably subnetted, 3 subnets, 2 masks
C 10.10.10.0/24 is directly connected, FastEthernet0/0
C 10.140.10.1/32 is directly connected, Serial0/0/0
C 10.140.10.0/24 is directly connected, Serial0/0/0
S* 0.0.0.0/0 [254/0] via 172.20.21.254
RouterX#
Step 5 Enter the command ping remote_network_host to test reachability to the remote
network. Your output should look similar to the following display:
RouterX#ping 192.168.21.200

Type escape sequence to abort.


Sending 5, 100-byte ICMP Echos to 192.168.21.200, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 28/28/32 ms
RouterX#
Step 6 Enter the command traceroute remote_network_host to display the path taken by
packets going to your remote network. Your output should look similar to the
following display:
RouterX#traceroute 192.168.21.200

Type escape sequence to abort.


Tracing the route to 192.168.21.200

1 10.140.10.1 12 msec * 12 msec


Step 7 Notice that because the remote network is only one hop away, there is only one line
in the traceroute output.

Step 8 Save your running configuration to startup-config.
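
The lookups behind Task 2 and Task 3, as an added example that is not part of the original lab guide: Python code that parses the show ip route lines shown in this lab, selects the longest matching prefix for a destination, and follows the next hop to its exit interface. The function and class names are this example's own; the route lines are the ones displayed above, with indentation normalised.

```python
import ipaddress
import re
from typing import NamedTuple, Optional

# Route lines from Task 2, Step 4 of this lab (indentation normalised).
ROUTES_BEFORE = """\
     172.20.0.0/24 is subnetted, 1 subnets
C       172.20.21.0 is directly connected, FastEthernet0/1
     10.0.0.0/8 is variably subnetted, 3 subnets, 2 masks
C       10.10.10.0/24 is directly connected, FastEthernet0/0
C       10.140.10.1/32 is directly connected, Serial0/0/0
C       10.140.10.0/24 is directly connected, Serial0/0/0
S*   0.0.0.0/0 [254/0] via 172.20.21.254
"""
# The same table after Task 3 adds the static route.
ROUTES_AFTER = ROUTES_BEFORE + "S    192.168.21.0/24 [1/0] via 10.140.10.1\n"


class Route(NamedTuple):
    code: str
    network: ipaddress.IPv4Network
    via: Optional[str]
    interface: Optional[str]


PARENT_RE = re.compile(r"^\d+(?:\.\d+){3}/(\d+) is (variably )?subnetted")
ROUTE_RE = re.compile(
    r"^(?P<code>[A-Z]\S*)\s+(?P<net>\d+(?:\.\d+){3})(?:/(?P<len>\d+))?\s+"
    r"(?:\[\d+/\d+\] via (?P<via>\d+(?:\.\d+){3})|is directly connected, (?P<intf>\S+))"
)


def parse_routes(text):
    """Turn 'show ip route' lines into Route tuples."""
    routes, child_len = [], None
    for line in text.splitlines():
        line = line.strip()
        parent = PARENT_RE.match(line)
        if parent:
            # "is subnetted": the mask shown applies to the child lines below.
            # "variably subnetted": each child line carries its own mask.
            child_len = None if parent.group(2) else int(parent.group(1))
            continue
        match = ROUTE_RE.match(line)
        if not match:
            continue
        length = match["len"] if match["len"] is not None else child_len
        if length is None:
            continue  # no mask available; skip rather than guess
        network = ipaddress.ip_network(f"{match['net']}/{length}")
        routes.append(Route(match["code"], network, match["via"], match["intf"]))
    return routes


def lookup(routes, dest):
    """Longest-prefix match: the most specific route containing dest, or None."""
    address = ipaddress.ip_address(dest)
    matches = [r for r in routes if address in r.network]
    return max(matches, key=lambda r: r.network.prefixlen) if matches else None


def resolve(routes, dest, max_depth=4):
    """Follow 'via' next hops until a directly connected interface is reached."""
    route, hops = lookup(routes, dest), []
    while route and route.via and max_depth:
        hops.append(route.via)
        route = lookup(routes, route.via)
        max_depth -= 1
    return (route.interface if route else None), hops


if __name__ == "__main__":
    for label, text in (("before", ROUTES_BEFORE), ("after", ROUTES_AFTER)):
        routes = parse_routes(text)
        best = lookup(routes, "192.168.21.200")
        print(label, best.network, resolve(routes, "192.168.21.200"))
```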

Activity Verification
You have completed this task when you attain these results:
• You configured a static route entry pointing to the next hop router IP address of your serial
0/0/0 interface in the configuration of your workgroup router.
• You used the show ip route command to verify that there is now an entry to your remote
network.
• You successfully tested reachability using the ping command.
• You used the traceroute command to verify that the path taken was through the IP subnet
used on the serial 0/0/0 interface.
• You saved your running configuration to startup-config.

Lab 5-3: Enabling Dynamic Routing to the Main
Office
Complete this lab activity to practice what you learned in the related module.

Activity Objective
In this activity, you will enable the use of the dynamic routing protocol RIP. After completing
this activity, you will be able to meet these objectives:
• Configure RIP on your workgroup router
• Verify that RIP is operating
• Remove the now unnecessary static route to an adjacent network

Visual Objective
The figure illustrates what you will accomplish in this activity.

[Figure: Visual Objective for Lab 5-3: Enabling Dynamic Routing to the Main Office]

Required Resources
These are the resources and equipment that are required to complete this activity:
• PC with connectivity to the remote lab
• An SSH-capable terminal emulation application
• Your assigned pod access information from Lab 2-1
• Successful completion of Lab 5-2

Command List
The table describes the commands that are used in this activity.

Commands

Command                 Description

configure terminal      Activates the configuration mode from the terminal.

end                     Terminates the configuration mode.

[no] ip route           Removes a previously configured static route.

network network_prefix  Specifies a list of networks that the RIP routing process will
                        use. RIP will send and listen for routing updates on
                        interfaces whose IP address matches the network
                        specified.

router rip              Activates the RIP routing process.

show ip protocol        Displays the currently configured values for various
                        properties of enabled routing protocols.

show ip route           Displays the current state of the routing table.

traceroute ip_address   Discovers the IP routes that packets will actually take when
                        traveling to their destination.

version {1 | 2}         Specifies the RIP version used globally by the router.

Job Aids
Table 1: Remote Host Information

Workgroup  Remote Host IP Address on Networks Reachable via s0/0/0

A          192.168.21.200   192.168.121.200   192.168.221.200
B          192.168.22.200   192.168.122.200   192.168.222.200
C          192.168.23.200   192.168.123.200   192.168.223.200
D          192.168.24.200   192.168.124.200   192.168.224.200
E          192.168.25.200   192.168.125.200   192.168.225.200
F          192.168.26.200   192.168.126.200   192.168.226.200
G          192.168.27.200   192.168.127.200   192.168.227.200
H          192.168.28.200   192.168.128.200   192.168.228.200

These addresses can be used as destination addresses in the ping or traceroute commands.
These are valid only for the workgroup specified.

Task 1: Configure RIP Routing Protocol on Your Workgroup
Router
In this task you configure the RIP routing protocol operation on your workgroup router. You
will then use Cisco IOS commands to verify its operation.

Activity Procedure
Complete these steps:

Step 1 At the EXEC prompt, enter the show ip route command to display the current route
table entries. Your output should look similar to the following display:
RouterX#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route

Gateway of last resort is 172.20.21.254 to network 0.0.0.0

172.20.0.0/24 is subnetted, 1 subnets


C 172.20.21.0 is directly connected, FastEthernet0/1
S 192.168.21.0/24 [1/0] via 10.140.10.1
10.0.0.0/8 is variably subnetted, 3 subnets, 2 masks
C 10.10.10.0/24 is directly connected, FastEthernet0/0
C 10.140.10.1/32 is directly connected, Serial0/0/0
C 10.140.10.0/24 is directly connected, Serial0/0/0
S* 0.0.0.0/0 [254/0] via 172.20.21.254
Step 2 Enter the configure terminal command to get to the global configuration mode.

Step 3 Enter the command router rip to configure the RIP routing protocol.

Step 4 Enter the network 10.0.0.0 command to enable RIP on interfaces whose IP address
matches the network address, in this case network 10.0.0.0.

Step 5 Enter the command end to exit the configuration mode. Your output should look
similar to the following display:
RouterX#config terminal
Enter configuration commands, one per line. End with CNTL/Z.
RouterX(config)#router rip
RouterX(config-router)#network 10.0.0.0
RouterX(config-router)#end
Step 6 Enter the show ip protocol command to display information about IP routing
protocols configured on your router. Your output should look similar to the
following display:
RouterX#show ip protocol
Routing Protocol is "rip"
Outgoing update filter list for all interfaces is not set
Incoming update filter list for all interfaces is not set
Sending updates every 30 seconds, next due in 0 seconds
Invalid after 180 seconds, hold down 180, flushed after 240
Redistributing: rip
Default version control: send version 1, receive any version
Interface Send Recv Triggered RIP Key-chain
FastEthernet0/0 1 1 2
Serial0/0/0 1 1 2
Automatic network summarization is in effect
Maximum path: 4
Routing for Networks:
10.0.0.0
Routing Information Sources:
Gateway Distance Last Update
Distance: (default is 120)
Step 7 Notice that the output indicates that this router will send version 1 updates, but
will recognize and use version 1 and 2 updates.

Step 8 Enter the commands necessary to configure RIP to use version 2. Your output
should look similar to the following display:
RouterX#conf t
Enter configuration commands, one per line. End with CNTL/Z.
RouterX(config)#router rip
RouterX(config-router)#version 2
RouterX(config-router)#end
Step 9 Enter the show ip protocol command to display information about IP routing
protocols configured on your router. Your output should look similar to the
following display:
RouterX#show ip protocol
Routing Protocol is "rip"
Outgoing update filter list for all interfaces is not set
Incoming update filter list for all interfaces is not set
Sending updates every 30 seconds, next due in 28 seconds
Invalid after 180 seconds, hold down 180, flushed after 240
Redistributing: rip
Default version control: send version 2, receive version 2
Interface Send Recv Triggered RIP Key-chain
FastEthernet0/0 2 2
Serial0/0/0 2 2
Automatic network summarization is in effect
Maximum path: 4
Routing for Networks:
10.0.0.0
Routing Information Sources:
Gateway Distance Last Update
10.140.10.1 120 00:00:01
Distance: (default is 120)
Step 10 Notice that RIP will now send and receive only version 2 updates.

Activity Verification
You have completed this task when you attain these results:
• You enabled the RIP routing protocol.
• You used show ip protocol to verify that it was operational.
• You modified your configuration to use only RIP version 2 updates.
• You used show ip protocol to verify this change was implemented.

Task 2: Replace the Existing Static Route and Test Connectivity


In this task, you will remove the static route configured in a prior lab. You will also test
connectivity to a remote network learned via the RIP routing protocol.

Activity Procedure
Complete these steps:

Step 1 Enter the show ip route command to view the current route table entries. Your output
should look similar to the following display:
RouterX#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
..
..Text omitted
..

Gateway of last resort is 172.20.21.254 to network 0.0.0.0

R 192.168.121.0/24 [120/1] via 10.140.10.1, 00:00:12, Serial0/0/0
172.20.0.0/24 is subnetted, 1 subnets
C 172.20.21.0 is directly connected, FastEthernet0/1
R 192.168.131.0/24 [120/1] via 10.140.10.1, 00:00:12, Serial0/0/0
S 192.168.21.0/24 [1/0] via 10.140.10.1
10.0.0.0/8 is variably subnetted, 3 subnets, 2 masks
C 10.10.10.0/24 is directly connected, FastEthernet0/0
C 10.140.10.1/32 is directly connected, Serial0/0/0
C 10.140.10.0/24 is directly connected, Serial0/0/0
R 192.168.221.0/24 [120/2] via 10.140.10.1, 00:00:13, Serial0/0/0
S* 0.0.0.0/0 [254/0] via 172.20.21.254
Step 2 Notice that there are more network entries learned via RIP updates. These are
indicated in the display with an “R.” However, a static route is still being used as the
entry for the route to the 192.168.2x.0 network (where x represents your pod number).
This is indicated with an “S.” This route therefore does not take advantage of the
dynamic updates available using RIP. Recall that the router uses the
administrative distance to determine which route should populate the route table;
the route with the lower value is preferred. The value for RIP is 120 and for a
static route is 1.

Step 3 Enter the conf terminal command to enter the global configuration mode.
Step 4 Enter the command no ip route 192.168.2x.0 255.255.255.0 10.140.10.1 to remove
the static route entry from the configuration.

Step 5 Enter the end command to exit the configuration mode.


Step 6 Enter the show ip route 192.168.2x.0 command to display only the information for
the route specified. Your output should look similar to the following display:
RouterX#sh ip route 192.168.21.0
Routing entry for 192.168.21.0/24
Known via "rip", distance 120, metric 1
Redistributing via rip
Last update from 10.140.10.1 on Serial0/0/0, 00:00:13 ago
Routing Descriptor Blocks:
* 10.140.10.1, from 10.140.10.1, 00:00:13 ago, via Serial0/0/0
Route metric is 1, traffic share count is 1
Step 7 Enter the traceroute 192.168.22x.200 command to use the ICMP protocol to follow
the path taken to reach the host on the network. Your output should look similar to
the following display:
RouterX#traceroute 192.168.221.200

Type escape sequence to abort.
Tracing the route to 192.168.221.200

1 10.140.10.1 16 msec 12 msec 12 msec
2 192.168.131.253 16 msec * 12 msec
Step 8 Enter the command to save your configuration to startup-config.

Activity Verification
You have completed this task when you attain these results:
• You removed the static route configured in a prior lab.
• You verified the removal using the show ip route command.
• You validated reachability to the network by using the traceroute command.
• You saved your running configuration to startup-config.
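
The selection rule from Step 2 of this task, worked through as an added example that is not part of the lab guide: a small Python model of a route table that keeps every candidate route, installs the one with the lowest administrative distance, and forwards on the longest matching prefix. The class and function names are assumptions made for this illustration; the prefixes, distances and metrics are the ones shown in the displays above.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    source: str      # "S" or "R", as in the show ip route codes
    distance: int    # administrative distance
    metric: int
    next_hop: str


class RoutingTable:
    """Keeps every candidate route and installs one per prefix."""

    def __init__(self):
        self._candidates = {}   # IPv4Network -> list of Route

    def add(self, prefix, source, distance, metric, next_hop):
        net = ipaddress.ip_network(prefix)
        self._candidates.setdefault(net, []).append(
            Route(net, source, distance, metric, next_hop))

    def remove(self, prefix, source):
        """Withdraw one source's candidates, as 'no ip route ...' does for S."""
        net = ipaddress.ip_network(prefix)
        kept = [r for r in self._candidates.get(net, []) if r.source != source]
        if kept:
            self._candidates[net] = kept
        else:
            self._candidates.pop(net, None)

    def _best(self, net):
        # Lowest administrative distance wins; the metric only breaks ties.
        return min(self._candidates[net], key=lambda r: (r.distance, r.metric))

    def installed(self, prefix):
        """Route that populates the table for this exact prefix, or None."""
        net = ipaddress.ip_network(prefix)
        return self._best(net) if net in self._candidates else None

    def lookup(self, address):
        """Forwarding decision: longest matching prefix among installed routes."""
        addr = ipaddress.ip_address(address)
        matches = [net for net in self._candidates if addr in net]
        if not matches:
            return None
        return self._best(max(matches, key=lambda n: n.prefixlen))


def build_lab_table():
    """Candidates taken from the RouterX displays in this task."""
    rib = RoutingTable()
    rib.add("192.168.21.0/24", "S", 1, 0, "10.140.10.1")     # static route
    rib.add("192.168.21.0/24", "R", 120, 1, "10.140.10.1")   # same prefix via RIP
    rib.add("192.168.221.0/24", "R", 120, 2, "10.140.10.1")
    rib.add("0.0.0.0/0", "S", 254, 0, "172.20.21.254")       # default route
    return rib


if __name__ == "__main__":
    rib = build_lab_table()
    print("before:", rib.installed("192.168.21.0/24"))
    rib.remove("192.168.21.0/24", "S")
    print("after: ", rib.installed("192.168.21.0/24"))
```

While the static route is configured, the RIP route to the same prefix stays a candidate only; it is installed as soon as the static route is removed.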

Lab 6-1: Using Cisco Discovery Protocol
Complete this lab activity to practice what you learned in the related module.

Activity Objective
In this activity, you will use Cisco Discovery Protocol to obtain information about directly
attached Cisco devices. You will also disable Cisco Discovery Protocol on
selected interfaces. After completing this activity, you will be able to meet these objectives:
• Verify that Cisco Discovery Protocol is running on your workgroup router and switch
• Display information about neighboring Cisco devices
• Limit which interfaces run Cisco Discovery Protocol as a security measure
• Verify your changes

Visual Objective
The figure illustrates what you will accomplish in this activity.

[Figure: Visual Objective for Lab 6-1: Using Cisco Discovery Protocol]

Required Resources
These are the resources and equipment that are required to complete this activity:
• PC with connectivity to the remote lab
• An SSH-capable terminal emulation application
• Your assigned pod access information from Lab 2-1
• Successful completion of Lab 5-3

Command List
The table describes the commands that are used in this activity.

Router Cisco IOS Commands

Command                             Description

[no] cdp enable                     Enables Cisco Discovery Protocol on an interface; the no
                                    form of the command disables Cisco Discovery Protocol
                                    on an interface.

[no] cdp run                        Enables Cisco Discovery Protocol globally on a router or
                                    switch; the no form disables Cisco Discovery Protocol
                                    globally.

interface range interface           Allows the grouping of interfaces, such that following
interfacenumber - interfacenumber   interface configuration commands will be applied to all the
                                    interfaces specified simultaneously.

show cdp                            Displays global Cisco Discovery Protocol information,
                                    including timer and hold-time information.

show cdp entry *                    Displays information about a specific neighboring device
                                    discovered using Cisco Discovery Protocol; the * matches
                                    all current entries.

show cdp interfaces                 Displays information about the interfaces on which Cisco
                                    Discovery Protocol is enabled.

show cdp neighbors [detail]         Displays detailed information about neighboring devices
                                    discovered using Cisco Discovery Protocol.

show cdp traffic                    Displays information about traffic between devices
                                    gathered using Cisco Discovery Protocol.

Job Aids
There are no job aids available for this lab activity.

Task 1: Use and Control Cisco Discovery Protocol on Your Workgroup Router
In this task, you will use Cisco Discovery Protocol to obtain information about directly
connected Cisco devices. You will also control which interfaces run Cisco Discovery Protocol,
because the information supplied by Cisco Discovery Protocol can be used by a hacker to
obtain information for launching a security exploit.

Activity Procedure
Complete these steps:

Step 1 Connect to your remote workgroup router via the console server, and enter the
necessary commands and passwords to get to the EXEC enable prompt.

Step 2 Enter the show cdp command to verify that Cisco Discovery Protocol is enabled
and to display global information.
RouterX#show cdp
Global CDP information:
Sending CDP packets every 60 seconds
Sending a holdtime value of 180 seconds
Sending CDPv2 advertisements is enabled

Step 3 Enter the show cdp interface command to display the interfaces that are running
Cisco Discovery Protocol. Your output should look similar to the following display:
RouterX#show cdp interface
FastEthernet0/0 is up, line protocol is up
Encapsulation ARPA
Sending CDP packets every 60 seconds
Holdtime is 180 seconds
FastEthernet0/1 is up, line protocol is up
Encapsulation ARPA
Sending CDP packets every 60 seconds
Holdtime is 180 seconds
Serial0/0/0 is up, line protocol is up
Encapsulation PPP
Sending CDP packets every 60 seconds
Holdtime is 180 seconds
Serial0/0/1 is administratively down, line protocol is down
Encapsulation HDLC
Sending CDP packets every 60 seconds
Holdtime is 180 seconds
Step 4 Enter the show cdp neighbors command to display any known Cisco devices. Your
output should look similar to the following display:
RouterX#show cdp neighbors
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
S - Switch, H - Host, I - IGMP, r - Repeater

Device ID         Local Intrfce   Holdtme   Capability   Platform    Port ID
MainRouter        Ser 0/0/0       167       R S I        2811        Ser 1/0
SwitchX.cisco.com
                  Fas 0/0         137       S I          WS-C2960-   Fas 0/2
Step 5 Using the information gathered in the previous step, enter the show cdp entry
MainRouter command to view the detailed Cisco Discovery Protocol information
of the Cisco router learned through the serial interface. Your output should look
similar to the following display:
RouterX#show cdp entry MainRouter
-------------------------
Device ID: MainRouter
Entry address(es):
IP address: 10.140.10.1
Platform: Cisco 2811, Capabilities: Router Switch IGMP
Interface: Serial0/0/0, Port ID (outgoing port): Serial1/0
Holdtime : 150 sec

Version :
Cisco IOS Software, 2800 Software (C2800NM-ADVIPSERVICESK9-M), Version
12.4(12), RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2006 by Cisco Systems, Inc.
Compiled Fri 17-Nov-06 12:02 by prod_rel_team

advertisement version: 2
VTP Management Domain: ''
Step 6 Observe in your display that the IP address of the remote device is output, as is the
router platform and software information.
Step 7 Using the IP address from your output in Step 5, you could attempt to log in to
router MainRouter; however, this would be unsuccessful because MainRouter has an
ACL preventing unauthorized access.
Step 8 Enter the show cdp neighbors detail command to display the same information that
show cdp entry did. However, the neighbors detail command will display all
known neighbors without requiring any other parameters. Your output should look
similar to the following display:
RouterX#show cdp neighbors detail
-------------------------
Device ID: MainRouter
Entry address(es):
IP address: 10.140.10.1
Platform: Cisco 2811, Capabilities: Router Switch IGMP
Interface: Serial0/0/0, Port ID (outgoing port): Serial1/0
Holdtime : 167 sec

Version :
Cisco IOS Software, 2800 Software (C2800NM-ADVIPSERVICESK9-M), Version
12.4(12), RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2006 by Cisco Systems, Inc.
Compiled Fri 17-Nov-06 12:02 by prod_rel_team

advertisement version: 2
VTP Management Domain: ''

-------------------------
Device ID: SwitchX.cisco.com
Entry address(es):
IP address: 10.10.10.11
Platform: cisco WS-C2960-24TT-L, Capabilities: Switch IGMP
Interface: FastEthernet0/0, Port ID (outgoing port): FastEthernet0/2
Holdtime : 135 sec

Version :
Cisco IOS Software, C2960 Software (C2960-LANBASEK9-M), Version 12.2(25)SEE2,
RELEASE SOFTWARE (fc1)
Copyright (c) 1986-2006 by Cisco Systems, Inc.
Compiled Fri 28-Jul-06 11:57 by yenanh

advertisement version: 2
Protocol Hello: OUI=0x00000C, Protocol ID=0x0112; payload len=27,
value=00000000FFFFFFFF010221FF000000000000001A6D446C80FF0000
VTP Management Domain: ''
Native VLAN: 1
Duplex: half
Step 9 From the output of the cdp commands or by knowing the topology, you can
determine which interfaces connect to your network infrastructure. Any interfaces
that do not connect to the infrastructure should have Cisco Discovery Protocol
disabled because it offers the potential for assisting hackers to gain knowledge of
your network. From the perspective of the workgroup router, interfaces
fa0/1 and serial 0/0/1 should have Cisco Discovery Protocol disabled.
Step 10 At the global configuration mode, enter interface fa0/1 and then enter the no cdp
enable command to disable Cisco Discovery Protocol only on this interface.

Step 11 Enter the same sequence of commands to disable Cisco Discovery Protocol on your
serial 0/0/1 interface, then return to the enable EXEC prompt.

Step 12 Enter the show cdp interface command to verify that only Fa0/0 and s0/0/0 are
running Cisco Discovery Protocol at this time. Your output should look similar to
the following display:
RouterX#show cdp interface
FastEthernet0/0 is up, line protocol is up
Encapsulation ARPA
Sending CDP packets every 60 seconds
Holdtime is 180 seconds
Serial0/0/0 is up, line protocol is up
Encapsulation PPP
Sending CDP packets every 60 seconds
Holdtime is 180 seconds
Step 13 Having verified your configuration changes, save your configuration to
startup-config.

Activity Verification
You have completed this task when you attain these results:
• You observed the Cisco Discovery Protocol output for your directly attached Cisco
neighbors.
• You disabled Cisco Discovery Protocol on the interfaces that do not connect to your
network infrastructure.
• You saved your workgroup router configuration to startup-config.

Task 2: Use and Control Cisco Discovery Protocol on Your Workgroup Switch
In this task you will use Cisco Discovery Protocol to obtain information about the Cisco
devices directly connected to your workgroup switch. For the same security reasons, you will
control which interfaces run Cisco Discovery Protocol. In fact, a switch is more likely to be the
first network device to confront a potential hacker.

Activity Procedure
Complete these steps:

Step 1 Connect to your remote workgroup switch via the console server, and enter the
necessary commands and passwords to get to the EXEC enable prompt.

Step 2 Enter the show cdp command to verify that Cisco Discovery Protocol is enabled and
also to display global information. Your output should look similar to the following
display with the exception that some text has been omitted to save space.
SwitchX#show cdp interface
FastEthernet0/1 is up, line protocol is up
Encapsulation ARPA
Sending CDP packets every 60 seconds
Holdtime is 180 seconds
FastEthernet0/2 is up, line protocol is up
Encapsulation ARPA
Sending CDP packets every 60 seconds
Holdtime is 180 seconds
FastEthernet0/3 is administratively down, line protocol is down
Encapsulation ARPA
Sending CDP packets every 60 seconds
Holdtime is 180 seconds
FastEthernet0/4 is administratively down, line protocol is down
Encapsulation ARPA
..
..Text omitted
..
GigabitEthernet0/2 is administratively down, line protocol is down
Encapsulation ARPA
Sending CDP packets every 60 seconds
Holdtime is 180 seconds

Step 3 Enter the show cdp neighbor command to view directly connected Cisco devices.
Your output should look similar to the following display:
SwitchX#show cdp neighbors
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
S - Switch, H - Host, I - IGMP, r - Repeater, P - Phone

Device ID         Local Intrfce   Holdtme   Capability   Platform    Port ID
RouterX.cisco.com
                  Fas 0/2         150       R S I        2811        Fas 0/0
Step 4 Notice that the only neighbor found is your workgroup router. This confirms your
network diagram: the only interface that should run Cisco Discovery Protocol is
Fa0/2.

Step 5 Enter the necessary commands to have only interface fa0/2 running Cisco Discovery
Protocol. Your output should look similar to the following display:
SwitchX#conf t
Enter configuration commands, one per line. End with CNTL/Z.
SwitchX(config)#interface range fa0/1 - 24, gi0/1 - 2
SwitchX(config-if-range)#no cdp enable
SwitchX(config-if-range)#interface fa0/2
% Command exited out of interface range and its sub-modes.
Not executing the command for second and later interfaces
SwitchX(config-if)#cdp enable
SwitchX(config-if)#end
Step 6 Enter the show cdp interface command to verify your changes have been
implemented. Your output should look similar to the following display:
SwitchX#sh cdp interface
FastEthernet0/2 is up, line protocol is up
Encapsulation ARPA
Sending CDP packets every 60 seconds
Holdtime is 180 seconds
Step 7 Enter the show cdp traffic command to view information regarding the nature of the
Cisco Discovery Protocol updates being sent and received. This can be useful should
you suspect that there are some problems with the Cisco Discovery Protocol process.
Your output should look similar to the following display:
SwitchX#sh cdp traffic
CDP counters :
Total packets output: 645, Input: 164
Hdr syntax: 0, Chksum error: 0, Encaps failed: 0
No memory: 0, Invalid packet: 0, Fragmented: 0
CDP version 1 advertisements output: 0, Input: 0
CDP version 2 advertisements output: 645, Input: 164
Step 8 Having verified the operation and also your configuration changes, save your
configuration to startup-config.

Activity Verification
You have completed this task when you attain these results:
• You observed the cdp command output on your workgroup switch for your directly
attached Cisco neighbors.
• You disabled Cisco Discovery Protocol on the interfaces that do not connect to your
network infrastructure.
• You used the show cdp traffic command and verified that there were no errors in the Cisco
Discovery Protocol update process.
• You saved your running configuration to startup-config.
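
One way to automate the check from Step 9 of Task 1, which applies equally to the switch in Task 2, as an added example that is not part of the lab guide: a Python script that lists the interfaces running Cisco Discovery Protocol, sets aside those with a known neighbor, and emits the no cdp enable commands for the rest. The function names and the keep parameter are assumptions made for this illustration; the sample displays are trimmed copies of the RouterX output from Task 1.

```python
import re

# Trimmed copies of the RouterX displays from Task 1 of this lab.
SHOW_CDP_INTERFACE = """\
FastEthernet0/0 is up, line protocol is up
  Sending CDP packets every 60 seconds
FastEthernet0/1 is up, line protocol is up
  Sending CDP packets every 60 seconds
Serial0/0/0 is up, line protocol is up
  Sending CDP packets every 60 seconds
Serial0/0/1 is administratively down, line protocol is down
  Sending CDP packets every 60 seconds
"""

SHOW_CDP_NEIGHBORS_DETAIL = """\
-------------------------
Device ID: MainRouter
Entry address(es):
  IP address: 10.140.10.1
Platform: Cisco 2811, Capabilities: Router Switch IGMP
Interface: Serial0/0/0, Port ID (outgoing port): Serial1/0
Version :
Cisco IOS Software, 2800 Software (C2800NM-ADVIPSERVICESK9-M), Version
12.4(12), RELEASE SOFTWARE (fc1)
-------------------------
Device ID: SwitchX.cisco.com
Entry address(es):
  IP address: 10.10.10.11
Platform: cisco WS-C2960-24TT-L, Capabilities: Switch IGMP
Interface: FastEthernet0/0, Port ID (outgoing port): FastEthernet0/2
Version :
Cisco IOS Software, C2960 Software (C2960-LANBASEK9-M), Version 12.2(25)SEE2,
RELEASE SOFTWARE (fc1)
"""

IFACE_RE = re.compile(r"^(\S+) is (.+?), line protocol is (\w+)\s*$")


def cdp_enabled_interfaces(text):
    """Interfaces that 'show cdp interface' lists, i.e. CDP is running there."""
    found = []
    for line in text.splitlines():
        match = IFACE_RE.match(line)
        if match:
            found.append(match.group(1))
    return found


def _field(pattern, block):
    match = re.search(pattern, block, re.M)
    return match.group(1).strip() if match else None


def cdp_neighbors(text):
    """One dict per entry of 'show cdp neighbors detail'."""
    neighbors = []
    for block in re.split(r"^-{5,}\s*$", text, flags=re.M):
        device = _field(r"^Device ID:\s*(\S+)", block)
        if device is None:
            continue   # text before the first separator line
        neighbors.append({
            "device_id": device,
            "ip": _field(r"^\s*IP address:\s*(\S+)", block),
            "platform": _field(r"^Platform:\s*(.+?),\s*Capabilities:", block),
            "local_interface": _field(r"^Interface:\s*(\S+?),", block),
            "version": _field(r"Version\s+(\S+?),", block),
        })
    return neighbors


def cdp_exposure(interface_text, neighbor_text, keep=()):
    """CDP-enabled interfaces with no CDP neighbor and not listed in keep."""
    in_use = {n["local_interface"] for n in cdp_neighbors(neighbor_text)}
    return [name for name in cdp_enabled_interfaces(interface_text)
            if name not in in_use and name not in keep]


def remediation(interfaces):
    """IOS configuration lines that disable CDP on each interface."""
    lines = []
    for name in interfaces:
        lines += [f"interface {name}", " no cdp enable"]
    return lines


if __name__ == "__main__":
    for neighbor in cdp_neighbors(SHOW_CDP_NEIGHBORS_DETAIL):
        print("learned through CDP:", neighbor)
    exposed = cdp_exposure(SHOW_CDP_INTERFACE, SHOW_CDP_NEIGHBORS_DETAIL)
    print("\n".join(remediation(exposed)))
```

An infrastructure link whose neighbor is temporarily down also has no entry in the neighbor display, so pass such interfaces in keep before applying the generated lines.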

Lab 6-2: Managing Router Startup Options
Complete this lab activity to practice what you learned in the related module.

Activity Objective
In this activity, you will make changes to control your router startup behavior. After
completing this activity, you will be able to meet these objectives:
• Display the configuration register, modify it to a specified value, and return it to its original
value
• Validate by inspection of output whether a displayed configuration is from the running
configuration or the startup configuration in the startup-config file
• Modify the sequence of Cisco IOS files loaded at startup, using a sequenced list of boot
system commands
• Observe a reload and verify which of the boot statements was processed to obtain the
running Cisco IOS binary file

Visual Objective
The figure illustrates what you will accomplish in this activity.

[Figure: Visual Objective for Lab 6-2: Managing Router Startup Options]

Required Resources
These are the resources and equipment that are required to complete this activity:
• PC with connectivity to the remote lab
• An SSH-capable terminal emulation application
• Your assigned pod access information from Lab 2-1
• Successful completion of Lab 6-1

Command List
The table describes the commands that are used in this activity.

Router Cisco IOS Commands

Command                               Description

boot system flash [filename]          Specifies that the system image that the router loads at
                                      startup is obtained from flash memory with the given
                                      filename.

boot system tftp filename server_ip   Specifies that the system image that the router loads at
                                      startup is obtained from a TFTP server using the given
                                      filename at the IP address specified by the server_ip
                                      option.

config-register value                 Changes the configuration register settings, where value
                                      is a hexadecimal number.

show flash                            Displays the layout and contents of a flash memory file
                                      system.

show running-config                   Displays the currently running configuration.

show startup-config                   Displays the contents of the configuration that is held in
                                      NVRAM and that will be used following a reload of the
                                      router.

show version                          Displays information about the currently loaded software
                                      version along with hardware and device information.

Job Aids
The following job aid is available to help you complete the lab activity.

Table 1: TFTP Server IP Address Information

Workgroup   TFTP Server IP Address   Workgroup   TFTP Server IP Address

A           10.2.2.1                 E           10.6.6.1
B           10.3.3.1                 F           10.7.7.1
C           10.4.4.1                 G           10.8.8.1
D           10.5.5.1                 H           10.9.9.1

Task 1: Modify the Configuration Register


In this task, you will change the value of the configuration register and observe how this is
displayed. You will then restore the configuration register to the value it had at the start of this
task.

Activity Procedure
Complete these steps:

Step 1 Connect to your remote workgroup router via the console server, and enter the
necessary commands and passwords to get to the EXEC enable prompt.

Step 2 Enter the show version command and press the Spacebar to complete the output.
Your output should look similar to the following display:
RouterX#show version
Cisco IOS Software, 2800 Software (C2800NM-ADVIPSERVICESK9-M), Version
12.4(12), RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2006 by Cisco Systems, Inc.
Compiled Fri 17-Nov-06 12:02 by prod_rel_team

ROM: System Bootstrap, Version 12.4(13r)T, RELEASE SOFTWARE (fc1)

RouterX uptime is 2 minutes


System returned to ROM by reload at 23:05:39 UTC Fri Mar 30 2007
System image file is "flash:c2800nm-advipservicesk9-mz.124-12.bin"

This product contains cryptographic features and is subject to United


..
..Text omitted
..
Cisco 2811 (revision 53.50) with 249856K/12288K bytes of memory.
Processor board ID FTX1050A3Q6
2 FastEthernet interfaces
2 Serial(sync/async) interfaces
1 Virtual Private Network (VPN) Module
DRAM configuration is 64 bits wide with parity enabled.
239K bytes of non-volatile configuration memory.
62720K bytes of ATA CompactFlash (Read/Write)

Configuration register is 0x2102


Step 3 Write down the value of the configuration register (exactly as it appears) in the line
below.

Step 4 In the global configuration mode, enter the config-register 0x2104 command to
modify the configuration setting.
RouterX#conf t
Enter configuration commands, one per line. End with CNTL/Z.
RouterX(config)#config-register 0x2104
Step 5 Exit the global configuration mode and enter the show version command to display
the new value. Your output should look similar to the following display:
RouterX(config)#^Z
RouterX#
RouterX#show version
Cisco IOS Software, 2800 Software (C2800NM-ADVIPSERVICESK9-M), Version
12.4(12), RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2006 by Cisco Systems, Inc.
Compiled Fri 17-Nov-06 12:02 by prod_rel_team

ROM: System Bootstrap, Version 12.4(13r)T, RELEASE SOFTWARE (fc1)

RouterX uptime is 8 minutes


System returned to ROM by reload at 23:05:39 UTC Fri Mar 30 2007
..
..Text omitted
..
239K bytes of non-volatile configuration memory.
62720K bytes of ATA CompactFlash (Read/Write)

Configuration register is 0x2102 (will be 0x2104 at next reload)

RouterX#
Step 6 You will see that your new value will not be active until the next reload.

Step 7 You can (optionally) enter the show running-config command to look for the
config-register parameter; however, it will not be displayed as it is NOT part of the
running configuration.

Step 8 Enter the commands necessary to restore your configuration register to the value you
recorded in Step 3. When you have done this, you should enter the show version
command and verify that the configuration register has been restored to its original
value.

Step 9 It can sometimes seem confusing when viewing output to distinguish which display
is the running configuration and which is the startup configuration.

Step 10 Enter the show running-config command and use q to quit the output after the first
screen is displayed. Your output should look similar to the following display:
RouterX#show running-config
Building configuration...

Current configuration : 2170 bytes


!
version 12.4
..
..Text omitted
..
--More--q
Step 11 Notice that the output starts with the words “Building configuration.” This is
because the running configuration is NOT a file. It is the stored parameter values
within the executing Cisco IOS program.

Step 12 Enter the show startup-config command and use q to quit the output after the first
screen is displayed. Your output should look similar to the following display:
RouterX#sh startup-config
Using 2170 out of 245752 bytes
!
version 12.4
..
..Text omitted
..
--More--q
Step 13 Notice that the output in the example displayed has the words “Using 2170 out of
245752 bytes,” which indicates that a certain amount of the NVRAM is being used
to hold the configuration file.

Activity Verification
You have completed this task when you attain these results:
• You observed and recorded the current value of the configuration register.
• You modified the configuration register value, displayed the output of the show version
command, and identified that it had been changed but that this change would not be active
until after the router was restarted.
• You then returned the configuration register to its original value.
• You displayed and identified the differences in the output between showing the running
configuration and the startup configuration when using the show commands.
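
An added example, not part of the lab guide, that reads the configuration register line from show version output, reports a change that is pending until the next reload, and decodes the bits that affect startup. The function names are assumptions made for this illustration; the bit meanings used are the boot field (bits 0-3), ignore NVRAM contents (bit 6), Break disabled (bit 8) and fall back to the default ROM software if a network boot fails (bit 13).

```python
import re

# Line copied from the show version display in Step 5 of this task.
LAB_LINE = "Configuration register is 0x2102 (will be 0x2104 at next reload)"

REGISTER_RE = re.compile(
    r"Configuration register is (0x[0-9A-Fa-f]+)"
    r"(?: \(will be (0x[0-9A-Fa-f]+) at next reload\))?")

# Settings compared between the active and the pending register value.
COMPARED = ("boot_action", "ignore_startup_config",
            "break_disabled", "rom_fallback_on_netboot_failure")


def decode(value):
    """Decode the startup-related bits of a configuration register value."""
    boot = value & 0x000F
    if boot == 0:
        boot_action = "stop at the ROM monitor"
    elif boot == 1:
        boot_action = "load the first flash image or ROM helper image (platform dependent)"
    else:
        boot_action = "use boot system commands from startup-config, else the default image"
    return {
        "boot_field": boot,
        "boot_action": boot_action,
        "ignore_startup_config": bool(value & 0x0040),
        "break_disabled": bool(value & 0x0100),
        "rom_fallback_on_netboot_failure": bool(value & 0x2000),
    }


def review(show_version_text):
    """Return the active and pending register values plus review findings."""
    match = REGISTER_RE.search(show_version_text)
    if match is None:
        raise ValueError("no configuration register line found")
    current = int(match.group(1), 16)
    pending = int(match.group(2), 16) if match.group(2) else current
    now, nxt = decode(current), decode(pending)
    findings = []
    if pending != current:
        findings.append(
            f"pending change {current:#06x} -> {pending:#06x} "
            "takes effect at the next reload")
    for key in COMPARED:
        if now[key] != nxt[key]:
            findings.append(f"{key} changes from {now[key]!r} to {nxt[key]!r}")
    if nxt["ignore_startup_config"]:
        findings.append("startup-config will be ignored at the next boot")
    return {"current": current, "pending": pending,
            "next_boot": nxt, "findings": findings}


if __name__ == "__main__":
    report = review(LAB_LINE)
    print(report["next_boot"])
    for finding in report["findings"]:
        print("finding:", finding)
```

For the lab values, 0x2102 and 0x2104 differ only inside the boot field, and both fall in the range that makes the router follow the boot system commands, so the only finding is the pending change itself.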

Task 2: Observe the Flash File System and Add Boot System Commands
In this task you will determine the Cisco IOS system file being used. You will then add three
boot system commands that modify the default behavior of file choice at startup. Changes to
the booting process flow should be used with extreme caution, as errors may leave your router
potentially unreachable over the network. This is why this process is usually done only by
senior network administrators.

Activity Procedure
Complete these steps:
Step 1 Enter the show flash: command to output the files that are currently stored in the
flash memory. Your output should look similar to the following display:
RouterX#show flash:
-#- --length-- -----date/time------ path
1 36232088 Mar 28 2007 17:27:46 +00:00 c2800nm-advipservicesk9-mz.124-12.bin
2 1823 Dec 14 2006 08:25:40 +00:00 sdmconfig-2811.cfg
3 4734464 Dec 14 2006 08:26:10 +00:00 sdm.tar
4 833024 Dec 14 2006 08:26:26 +00:00 es.tar
5 1052160 Dec 14 2006 08:26:46 +00:00 common.tar
6 1038 Dec 14 2006 08:27:02 +00:00 home.shtml
7 102400 Dec 14 2006 08:27:24 +00:00 home.tar
8 491213 Dec 14 2006 08:27:48 +00:00 128MB.sdf

20557824 bytes available (43458560 bytes used)

Step 2 You should note that the Cisco IOS binary file is identified with a .bin extension.
The other files (in the example display above) are related to the Cisco SDM
configuration program. It is possible to have multiple Cisco IOS images in flash
memory. Write the file name of Cisco IOS binary file in the space below; in the
example, it is c2800nm-advipservicesk9-mz.124-12.bin.

Step 3 The first binary file found in flash determines the Cisco IOS image loaded at a
restart. This order can be modified by using the boot system flash filename.bin
configuration commands.

Caution Extreme care should be taken when using boot system commands because an error may
leave the router unable to start, which can lead to significant downtime while the boot
process is restored. For this reason, only senior network administrators usually modify the
Cisco IOS flash files and modify the boot sequence.

Step 4 At the global configuration prompt, enter the boot system tftp filename
tftp_address, where filename is the name you noted in Step 2 and tftp_address is the
IP address of your workgroup TFTP server, which can be found in Table 1. By
entering this command first, the router on reload attempts to locate and load its
Cisco IOS file from the TFTP server specified. Your output should look similar to
the following display:
RouterX(config)#boot system tftp c2800nm-advipservicesk9-mz.124-12.bin 10.x.x.1
Step 5 Enter boot system flash filename, where filename is the name you copied in Step 2.
If this command is processed, the router will attempt to load the Cisco IOS file from
flash memory using the filename specified. Your output should look similar to the
following display:
RouterX(config)#boot system flash c2800nm-advipservicesk9-mz.124-12.bin
Step 6 Enter boot system flash. No filename is necessary. This command, if processed,
will load the router with the first Cisco IOS file found in flash memory. Your output
should look similar to the following display:
RouterX(config)#boot system flash
Step 7 Enter the command to leave the configuration mode.

Step 8 Enter the show run command, and observe the output to verify that your boot system
commands are accurately entered. Your output should look similar to the following
display but should show your workgroup hostname and filenames:
..
..Text omitted
..
hostname RouterX
!
boot-start-marker
boot system tftp c2800nm-advipservicesk9-mz.124-12.bin 10.x.x.1
boot system flash c2800nm-advipservicesk9-mz.124-12.bin
boot system flash
boot-end-marker
!
Step 9 Make any corrections necessary before proceeding to next step.

Step 10 Enter the copy run start command to save your running configuration to NVRAM.

Note The reload process will take a variable amount of time, with the low end being approximately
5 to 8 minutes, depending on router hardware and the performance of the TFTP server. A
reload from flash memory takes 2 to 3 minutes for the same router hardware.

Step 11 Enter and confirm the reload command. Observe the output displayed during the
reload. In the space below, write the location that you believe provided the Cisco
IOS file to load.

Step 12 Your output should look similar to the following display:


RouterX#reload
Proceed with reload? [confirm]<ENTER>

*Apr 6 18:17:24.619: %SYS-5-RELOAD: Reload requested by console. Reload
Reason: Reload Command.

System Bootstrap, Version 12.4(13r)T, RELEASE SOFTWARE (fc1)

..
..Text omitted
..
<ENTER><ENTER>
*Apr 6 18:22:16.311: %LINEPROTO-5-UPDOWN: Line protocol on Interface
FastEthernet0/0, changed state to up
********** Warning *************
Access to this device is restricted to authorized persons only!
Un-authorized access is prohibited. Violators will be prosecuted.

**************************************************************^

User Access Verification

Password:
Step 13 When your router has finished reloading, press Enter twice to ensure that you are at
a login prompt. Enter the information to get to the privileged EXEC mode.

Step 14 Enter the show version command and observe the display to confirm the location of the
Cisco IOS file. Your output should look similar to the following display:
RouterX#sh version
Cisco IOS Software, 2800 Software (C2800NM-ADVIPSERVICESK9-M), Version
12.4(12), RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2006 by Cisco Systems, Inc.
Compiled Fri 17-Nov-06 12:02 by prod_rel_team

ROM: System Bootstrap, Version 12.4(13r)T, RELEASE SOFTWARE (fc1)

RouterX uptime is 1 minute


System returned to ROM by reload at 18:17:24 UTC Fri Apr 6 2007
System image file is "tftp://10.x.x.1/c2800nm-advipservicesk9-mz.124-12.bin"

..
..TEXT omitted
..
--More--q
Step 15 If there was a problem with the TFTP download, then you may have the following
line in the show version command display:
System image file is "flash:c2800nm-advipservicesk9-mz.124-12.bin"

Activity Verification
You have completed this task when you attain these results:
• You observed and recorded the current Cisco IOS binary file stored in flash memory.
• You added three boot system commands to modify the startup behavior of the router on
reload in the following order:
  - First, attempt to locate a specified Cisco IOS file via a TFTP server.
  - If unsuccessful, attempt to locate a specified Cisco IOS file from flash memory.
  - Finally, locate the first found Cisco IOS file from flash memory.
• You reloaded your router and observed the output to determine which of the boot system
commands resulted in the system file used at startup.
• You used the show version command to verify which method was actually being used.

Lab 6-3: Managing Cisco Devices
Complete this lab activity to practice what you learned in the related module.

Activity Objective
In this activity, you will use Cisco IOS copy and debug commands. After completing this
activity, you will be able to meet these objectives:
• Save your running configuration on a remote TFTP server
• Upload and download configuration files
• Copy and delete files to local flash memory
• Ensure that the router is lightly loaded before using debugging commands
• Turn debugging on and off

Visual Objective
The figure illustrates what you will accomplish in this activity.

[Figure: Visual Objective for Lab 6-3: Managing Cisco Devices]

Required Resources
These are the resources and equipment that are required to complete this activity:
• PC with connectivity to the remote lab
• An SSH-capable terminal emulation application
• Your assigned pod access information from Lab 2-1
• Successful completion of Lab 6-2

Command List
The table describes the commands that are used in this activity.

Router Cisco IOS Commands

Command                                       Description

copy running-config tftp                      A multiline command that copies the running configuration
                                              file to a TFTP server.

copy tftp flash                               A multiline command that copies a configuration file from
                                              a TFTP server to flash memory.

copy tftp running-config                      A multiline command that copies a configuration file from
                                              a TFTP server to the running configuration.

copy tftp startup-config                      A multiline command that copies a configuration file from
                                              a TFTP server to the startup-config file, also known as
                                              NVRAM.

debug ip icmp                                 Displays debug information on ICMP transactions.

debug ip rip                                  Displays debug information on RIP routing protocol
                                              transactions.

no debug all                                  Turns off all debugging operations.

delete flash:filename                         Removes the specified file from flash memory.

more flash:filename                           Displays as text the contents of the file in flash memory.

ping ip_address                               Common tool used to troubleshoot the accessibility of
                                              devices. It uses ICMP path echo requests and ICMP path
                                              echo replies to determine whether a remote host is active.
                                              The ping command also measures the amount of time it
                                              takes to receive the echo reply.

show debugging                                Displays information about the types of debugging that are
                                              enabled on your router.

show flash                                    Displays the layout and contents of a flash memory file
                                              system.

show processes                                Displays information about the active processes, including
                                              the CPU loading.

show running-config interface interface_id    Displays only the current configuration of the specified
                                              interface.

show startup-config                           Displays the configuration settings of the startup
                                              configuration file in NVRAM.

Job Aids
The following job aid is available to help you complete the lab activity.

Table 1: TFTP Server IP Address Information

Workgroup  TFTP Server IP Address    Workgroup  TFTP Server IP Address
A          10.2.2.1                  E          10.6.6.1
B          10.3.3.1                  F          10.7.7.1
C          10.4.4.1                  G          10.8.8.1
D          10.5.5.1                  H          10.9.9.1

Task 1: Copy Configuration Files


You will use Cisco IOS commands to save and modify your configuration by uploading and
downloading configuration files to and from a TFTP server.

Activity Procedure
Complete these steps:

Step 1 Connect to your remote workgroup router via the console server, and enter the
necessary commands and passwords to get to the user EXEC prompt.

Step 2 Enter the command to get to the enable EXEC prompt.

Step 3 Before attempting to save or copy a configuration from a TFTP server, it is a very
good idea to test that the server is reachable. Enter the command to ping your
workgroup TFTP server; refer to Table 1 for the address. Your output should look
similar to the following display:
RouterX#ping 10.10.10.1

Type escape sequence to abort.


Sending 5, 100-byte ICMP Echos to 10.10.10.1, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/1/1 ms
Step 4 Enter the command copy running tftp.
Step 5 At the prompt, enter your workgroup assigned TFTP server IP address from Table 1.

Step 6 At the prompt, accept the default name based on your router hostname by using the
Enter key.
Step 7 Your output from these steps should look similar to the following display:
RouterX#copy running tftp
Address or name of remote host []? 10.x.x.1
Destination filename [RouterX-confg]?
.!!
2140 bytes copied in 4.760 secs (450 bytes/sec)

Step 8 Enter the show run int s0/0/0 command to display only the configuration for your serial
interface. Your output should look similar to the following display:
RouterX#show run int s0/0/0
Building configuration...

Current configuration : 125 bytes


!
interface Serial0/0/0
description Link to Main Office
ip address 10.140.10.2 255.255.255.0
encapsulation ppp
no fair-queue
end
Step 9 Enter the copy tftp run command to copy from the TFTP server to your running
configuration.

Step 10 Use the IP address of your workgroup TFTP server when prompted for the address.
Step 11 Use the filename “descript-confg” when prompted for the source filename.

Step 12 Accept the default destination filename.

Step 13 Your output from these steps should look similar to the following display:
RouterX#copy tftp run
Address or name of remote host []? 10.10.10.1
Source filename []? descript-confg
Destination filename [running-config]?
Accessing tftp://10.10.10.1/descript-confg...
Loading descript-confg from 10.10.10.1 (via FastEthernet0/0): !
[OK - 289 bytes]

289 bytes copied in 2.024 secs (143 bytes/sec)


Step 14 Enter the show run int s0/0/0 command to display only the configuration for your serial
interface. Your output should look similar to the following display:
RouterX#show run int s0/0/0
Building configuration...

Current configuration : 164 bytes


!
interface Serial0/0/0
description Connection to Main Office
ip address 10.140.10.2 255.255.255.0
encapsulation ppp
no fair-queue
end
Step 15 Your display should show that a description statement has overwritten the prior
description on the serial interface.

Step 16 Enter the copy tftp flash command to copy from the TFTP server to your local flash
memory.

Step 17 Enter the IP address of your workgroup TFTP server when prompted for the address.

Step 18 Enter the filename “descript-confg” when prompted for the source filename.

Step 19 Accept the default destination filename.

Step 20 Your output from these steps should look similar to the following display:
RouterX#copy tftp flash:
Address or name of remote host [10.x.x.1]?
Source filename [descript-confg]?
Destination filename [descript-confg]?
Accessing tftp://10.x.x.1/descript-confg...
Loading descript-confg from 10.x.x.1 (via FastEthernet0/0): !
[OK - 289 bytes]

289 bytes copied in 2.228 secs (130 bytes/sec)


Step 21 Enter the show flash command to display the files stored in flash memory.

Step 22 You should see the filename of the file you just uploaded displayed.
Step 23 Enter more flash:descript-confg to display as text the contents of the file.

Step 24 Your output from these steps should look similar to the following display:
RouterX#more flash:descript-confg
! This file demonstrates the way the IOS removes remarks
! from configuration files
! and allows parts of a configuration to be updated
!*********************[
interface serial 0/0/0
description Connection to Main Office
interface serial 0/0/1
description Unused Interface
end
Step 25 Notice that the file contains only a small number of configuration commands that
were added to (or merged with) the existing running configuration. Also notice that
the file contains comments. These comments are ignored and not stored in the
running configuration.

Step 26 Enter the delete flash:descript-confg command to remove the file that you just
uploaded from flash memory. Your output should look similar to the following
display:
RouterX#delete flash:descript-confg
Delete filename [descript-confg]?
Delete flash:descript-confg? [confirm]

Step 27 Enter the command and subsequent parameters to copy the file descript-confg to
startup-config. Your output should look similar to the following display:
RouterX#copy tftp start
RouterX#copy tftp startup-config
Address or name of remote host [10.x.x.1]?10.x.x.1
Source filename [descript-confg]?descript-confg
Destination filename [startup-config]?
Accessing tftp://10.x.x.1/descript-confg...
Loading descript-confg from 10.x.x.1 (via FastEthernet0/0): !
[OK - 289 bytes]
[OK]
289 bytes copied in 3.348 secs (86 bytes/sec)
Step 28 Enter the show startup command to display the contents of the startup-config file.
Your output should look similar to the following display:
RouterX#show startup
Using 289 out of 245752 bytes
! This file demonstrates the way the IOS removes remarks
! from configuration files
! and allows parts of a configuration to be updated
!*********************[
interface serial 0/0/0

description Connection to Main Office
interface serial 0/0/1
description Unused Interface
end
Step 29 Notice that your starting configuration has been completely replaced by the small
configuration file. This demonstrates that copying to the startup file is a replacement
(or overwrite) operation. If your router were to restart now, it would not have any
functioning interfaces!

Step 30 Enter the command to save your running configuration to startup-config.

Step 31 Use show startup to verify that the partial configuration in your startup-config file
has been replaced by the full configuration from the running configuration.

Activity Verification
You have completed this task when you attain these results:
• You saved your running configuration to your assigned TFTP server.
• You uploaded a small configuration file to your running configuration.
• You uploaded the configuration file to flash memory, and used the more command to
output the file as text.
• You removed the uploaded file from flash memory.
• You uploaded the configuration file to the startup-config file and verified that it had
overwritten all previous configuration entries.
• You copied your running configuration to startup-config, replacing the partial
configuration with the full running configuration.
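
The merge behaviour noted in Step 25 and the overwrite behaviour noted in Step 29, as an added example (not part of the lab guide and not Cisco code). It is a simplified Python model that assumes interface commands are single-valued and identified by their leading keyword; RUNNING is a constructed sample and all function names are assumptions.

```python
import re

# Constructed sample: the Serial0/0/0 section shown in Step 8 plus one assumed
# global line, standing in for a full running configuration.
RUNNING = """\
hostname RouterX
!
interface Serial0/0/0
 description Link to Main Office
 ip address 10.140.10.2 255.255.255.0
 encapsulation ppp
 no fair-queue
!
end
"""

# The file displayed by "more flash:descript-confg" in Step 24.
FRAGMENT = """\
! This file demonstrates the way the IOS removes remarks
! from configuration files
! and allows parts of a configuration to be updated
!*********************[
interface serial 0/0/0
description Connection to Main Office
interface serial 0/0/1
description Unused Interface
end
"""

GLOBAL = "(global)"


def section_key(line):
    """Canonical section name, so 'serial 0/0/0' and 'Serial0/0/0' match."""
    m = re.match(r"interface\s+([a-z-]+)\s*(\S+)$", line, re.I)
    return f"interface {m.group(1).lower()}{m.group(2)}" if m else None


def command_key(line):
    """Key that decides which existing line a new line overwrites.
    Assumption of this model: one value per leading keyword."""
    words = line.split()
    if words[0] == "no" and len(words) > 1:
        words = words[1:]
    return " ".join(words[:2]) if words[0] == "ip" else words[0]


def parse(text):
    """Return {section: {command_key: command}}; remark lines are dropped."""
    config, current = {GLOBAL: {}}, GLOBAL
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "end":
            continue
        if line.startswith("!"):
            if line == "!":          # model assumption: a bare "!" ends a section
                current = GLOBAL
            continue
        key = section_key(line)
        if key:
            current = key
            config.setdefault(current, {})
        else:
            config[current][command_key(line)] = line
    return config


def merge_into_running(running_text, file_text):
    """copy tftp running-config: file commands are applied on top of what exists."""
    running = parse(running_text)
    for section, commands in parse(file_text).items():
        running.setdefault(section, {}).update(commands)
    return running


def replace_startup(startup_text, file_text):
    """copy tftp startup-config: the file replaces the old content, remarks included."""
    return file_text


def lost_on_replace(old_text, new_text):
    """Commands that existed before the overwrite and are absent from the new file."""
    old, new = parse(old_text), parse(new_text)
    return [(s, c) for s, cmds in old.items() for k, c in cmds.items()
            if k not in new.get(s, {})]


if __name__ == "__main__":
    for section, cmds in merge_into_running(RUNNING, FRAGMENT).items():
        print(section, "->", list(cmds.values()))
    print("lost if copied to startup-config:",
          lost_on_replace(RUNNING, replace_startup(RUNNING, FRAGMENT)))
```

Running lost_on_replace against a candidate file before copying it to startup-config shows which commands would disappear at the next reload.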

Task 2: Use debug Commands


In this task, you will use show and debug commands to selectively display chosen dynamic
events, while guarding against causing performance problems.

Activity Procedure
Complete these steps:

Step 1 In a nontraining environment, prior to issuing a debug command, you should check
how heavily loaded the CPU is because this affects router performance. The debug
commands are given the highest priority and can cause a router to restart. This may
happen because software timers are not serviced, causing a fatal error to be inferred.

Step 2 Enter the command show processes to display information about the CPU
utilization. Quit the display after the first page is output. Your output should look
similar to the following display:
RouterX#show processes
CPU utilization for five seconds: 0%/0%; one minute: 0%; five minutes: 0%
PID QTy PC Runtime (ms) Invoked uSecs Stacks TTY Process
1 Cwe 400A7A2C 0 4 0 5456/6000 0 Chunk Manager
2 Csp 4008C430 4 1614 2 2528/3000 0 Load Meter
3 M* 0 7832 379196 20 7200/12000 0 Exec
..
..Text omitted
..

Step 3 You should review the first line of the output, which indicates the CPU utilization
over three time periods. This is bolded text in the example above. Your display
should indicate a very low value also.

Step 4 Enter the show debugging command to verify that no other debug commands are
active. Your output should indicate that there is no active debugging taking
place.

Step 5 Enter the debug ip icmp command to turn on debugging of ICMP messages. Your
output should look similar to the following display:
RouterX#debug ip icmp
ICMP packet debugging is on
Step 6 Repeat Step 4; your display should look something like the following:
RouterX#sh debugging
Generic IP:
ICMP packet debugging is on
Step 7 Enter ping 10.x.x.1 to send ICMP echo request packets to your assigned TFTP
server IP address. Your output should look similar to the following display:
RouterX#ping 10.10.10.1

Type escape sequence to abort.


Sending 5, 100-byte ICMP Echos to 10.10.10.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
RouterX#
*Apr 3 19:44:43.699: ICMP: echo reply rcvd, src 10.10.10.1, dst 10.10.10.3
*Apr 3 19:44:43.703: ICMP: echo reply rcvd, src 10.10.10.1, dst 10.10.10.3
*Apr 3 19:44:43.703: ICMP: echo reply rcvd, src 10.10.10.1, dst 10.10.10.3
*Apr 3 19:44:43.703: ICMP: echo reply rcvd, src 10.10.10.1, dst 10.10.10.3
*Apr 3 19:44:43.707: ICMP: echo reply rcvd, src 10.10.10.1, dst 10.10.10.3
Step 8 Enter the debug ip rip command to turn on the debugging of RIP routing packets.

Step 9 Wait a few minutes to observe some RIP routing protocol updates being sent and
received. Your output should look similar to the following display:
RouterX#
*Apr 3 20:12:01.355: RIP: sending v2 update to 224.0.0.9 via FastEthernet0/0
(10.10.10.3)
*Apr 3 20:12:01.355: RIP: build update entries
*Apr 3 20:12:01.355: 10.140.10.0/24 via 0.0.0.0, metric 1, tag 0
*Apr 3 20:12:01.355: 10.140.10.1/32 via 0.0.0.0, metric 1, tag 0
*Apr 3 20:12:01.355: 192.168.21.0/24 via 0.0.0.0, metric 1, tag 0
*Apr 3 20:12:01.355: 192.168.121.0/24 via 0.0.0.0, metric 1, tag 0
*Apr 3 20:12:01.355: 192.168.131.0/24 via 0.0.0.0, metric 1, tag 0
*Apr 3 20:12:01.355: 192.168.221.0/24 via 0.0.0.0, metric 3, tag 0
RouterX#
*Apr 3 20:12:06.083: RIP: sending v2 update to 224.0.0.9 via Serial0/0/0 (10.140.10.2)
*Apr 3 20:12:06.083: RIP: build update entries
*Apr 3 20:12:06.083: 10.10.10.0/24 via 0.0.0.0, metric 1, tag 0
RouterX#
*Apr 3 20:12:27.295: RIP: received v2 update from 10.140.10.1 on Serial0/0/0
*Apr 3 20:12:27.295: 192.168.21.0/24 via 0.0.0.0 in 1 hops
*Apr 3 20:12:27.295: 192.168.121.0/24 via 0.0.0.0 in 1 hops
*Apr 3 20:12:27.295: 192.168.131.0/24 via 0.0.0.0 in 1 hops
*Apr 3 20:12:27.295: 192.168.221.0/24 via 0.0.0.0 in 2 hops
RouterX#

Step 10 Enter the command to display how many debug commands are active. Your output
should look similar to the following display:
RouterX#show debugging
Generic IP:
ICMP packet debugging is on
IP routing:
RIP protocol debugging is on

Step 11 Although it is possible to individually turn off each debug command, it is quicker
and more certain to turn off all debugging using a single command. Enter the no
debug all command to remove all active debugging from the router.
RouterX#no debug all
All possible debugging has been turned off

Activity Verification
You have completed this task when you attain these results:
• You observed that your router had a very low CPU utilization using the show processes
command.
• You used debug commands to observe the output of ICMP packets and RIP routing
protocol updates.
• You used the show debug command to verify which, if any, debug commands were active
on your router.
• You turned off all debugging operations using a single command.

Lab 6-4: Confirming the Reconfiguration of the Branch Network
Complete this lab activity to practice what you learned in the related module.

Activity Objective
In this activity, you will assume that you are taking over the reconfiguration of a branch
network from an administrator who has not completed the configuration. In fact, there may be
misconfiguration of some of the settings. You will use the knowledge and experience gained
from the earlier labs to complete the reconfiguration, correction, and testing. After completing
this activity, you will be able to meet these objectives:
• Complete the configuration of your assigned workgroup switch using information provided
in the checklist below
• Complete the configuration of your workgroup router using information provided in the
checklists below
• See the routes indicated in the visual objective after enabling dynamic routing on your
workgroup router
• Perform tests to validate that your final configuration meets the new topology information

Visual Objective
The figure illustrates what you will accomplish in this activity.

[Figure: Visual Objective for Lab 6-4: Confirming the Reconfiguration of the Branch Network]


Required Resources
These are the resources and equipment that are required to complete this activity:
• PC with connectivity to the remote lab
• An SSH-capable terminal emulation application
• Your new assigned pod access information for this lab provided in the Job Aids section

Command Lists
Refer to the command list of the prior lab associated with the task you are
completing.

Job Aids
These job aids are available to help you complete the lab activity.
• Visual objective for this lab
• Switch tasks worksheet
• Router tasks worksheet
• Table containing the addressing information for each workgroup

Table 1: Workgroup Address Information

           Switch     Switch VLAN 1 IP Address   Router     Router Fa0/0 IP Address
Workgroup  Hostname   (Mask /24)                 Hostname   (Mask /24)
AA         SwitchAA   10.22.22.11                RouterAA   10.22.22.3
BB         SwitchBB   10.33.33.11                RouterBB   10.33.33.3
CC         SwitchCC   10.44.44.11                RouterCC   10.44.44.3
DD         SwitchDD   10.55.55.11                RouterDD   10.55.55.3
EE         SwitchEE   10.66.66.11                RouterEE   10.66.66.3
FF         SwitchFF   10.77.77.11                RouterFF   10.77.77.3
GG         SwitchGG   10.88.88.11                RouterGG   10.88.88.3
HH         SwitchHH   10.99.99.11                RouterHH   10.99.99.3

Table 2: Router s0/0/0 Address Information

Workgroup  s0/0/0 IP Address (Mask /24)    Workgroup  s0/0/0 IP Address (Mask /24)
AA         10.140.11.2                     EE         10.140.55.2
BB         10.140.22.2                     FF         10.140.66.2
CC         10.140.33.2                     GG         10.140.77.2
DD         10.140.44.2                     HH         10.140.88.2

Switch Task Worksheet

Switch Task Worksheet                                                    Workgroup:

Done  Task and Property (Lab)                                            Information and Configuration Hint

      1) Basic Configuration (Labs 2-2, 2-3)
      Hostname (workgroup AA through HH)                                 hostname SwitchXX
      Interface                                                          vlan 1
      IP address and subnet mask                                         ip address ip_address mask
      IP default gateway                                                 ip default-gateway ip_address
      Enable password                                                    cisco
      Enable secret                                                      sanfran
      Use password encryption                                            service password-encryption
      Username and password for console and vty lines.                   username netadmin privilege 15 password netadmin
      Netadmin has privilege level 15
      Vty lines                                                          line vty 0 15
      Login uses local username and passwords                            login local
      Console line                                                       line console 0
      Login password required                                            login
      Console password                                                   sanjose
      Login banner with suitable security message                        banner login % message %
      Verify

      2) Configure to Use SSH ONLY (Lab 2-3, Task 4)
      Username and password                                              netadmin
                                                                         netadmin
      IP domain-name                                                     cisco.com
      Generate crypto key                                                RSA – 1024 bit
      SSH version                                                        2
      Vty lines                                                          line vty 0 15
      Limit protocols supported                                          transport input ssh
      Verify                                                             show run

      3) Configure Port Security (Lab 2-3, Task 5)
      Interface                                                          fa0/1
      Switchport mode                                                    switchport mode access
      Maximum number of addresses                                        switchport port-security max 2
      Violation action restrict                                          switchport port-security violation restrict
      MAC address learning = sticky                                      switchport port-security mac-address sticky
      Enable port security                                               switchport port-security
      Verify                                                             show port-security interface

      4) Secure Switch (Lab 2-3, Task 6, Lab 6-1, Task 2)
      Shut down unused ports                                             fa0/3-10, fa0/13-24, gi0/1-2
      Limit Cisco Discovery Protocol to interface connected to router    no cdp enable
      Verify

Router Task Worksheet

Router Task Worksheet                                                    Workgroup:

Done  Task and Property (Lab)                                            Information and Configuration Hint

      1) Basic Configuration (Lab 4-6)
      Hostname (workgroup AA through HH)                                 hostname RouterXX
      Interface                                                          interface fa0/0
      IP Address and subnet mask                                         ip address ip_address mask
      Enable password                                                    enable password cisco
      Enable secret                                                      enable secret sanfran
      Verify

      2) Enhanced Configuration (Lab 4-7, Lab 6-1, Task 1)
      Use password encryption                                            service password-encryption
      Username and password for console and vty lines.                   username netadmin privilege level
      User has privilege level 15                                        password netadmin
      Vty lines                                                          line vty 0 4
      Login uses local username and passwords                            login local
      Console line                                                       line console 0
      Login uses password                                                login
      Console password                                                   password sanjose
      Login banner with suitable security message                        banner login % message %
      Limit Cisco Discovery Protocol to interface connected to switch    no cdp enable
      Verify

      3) Configure to Use SSH ONLY (Lab 4-7, Task 4)
      IP domain name                                                     cisco.com
      Generate crypto key                                                RSA – 1024 bit
      Use version SSH v2                                                 ip ssh version 2
      Vty lines                                                          line vty 0 4
      Limit protocols supported                                          transport input ssh
      Verify

      4) Configure to Support Cisco SDM (Lab 4-8, Task 1)
      Allows connection via HTTP                                         ip http server
      Allows connection via HTTPS                                        ip http secure-server
      Authentication uses local username and passwords                   ip http authentication local

      5) Configure DHCP Server (Lab 4-8, Task 2)                         Support clients on Fa0/0 interface
      Pool name                                                          Branchxx-clients
      Starting IP address .150                                           150
      Ending IP address .199                                             199
      Lease time: 5 minutes                                              005
      Default router: this router                                        10.xx.xx.3
      Verify

      6) Configure Internet Access (Lab 5-1)
      Interface                                                          fa0/1
      IP address uses DHCP                                               Dynamic (DHCP Client)
      PAT outside interface                                              fa0/1
      PAT inside interface                                               fa0/0
      Verify

      7) Configure Connection to Main Office (Lab 5-2)
      Interface                                                          s0/0/0
      IP address of serial 0/0/0 – see table 2                           ip address address mask
      Encapsulation                                                      encapsulation ppp
      Verify

      8) Configure RIPv2 Routing (Lab 5-3)
      Routing protocol                                                   router rip
      RIP version 2                                                      version 2
      Protocol runs on interfaces                                        network 10.0.0.0
      Verify

      9) Configure Boot Startup (Lab 6-2)
      TFTP server address is .1 host on your local network.              10.nn.nn.1
      Boot order should be specified as: Cisco IOS file in flash;        boot system flash filename
      Cisco IOS file from TFTP server; first found Cisco IOS file        boot system tftp filename address
      in flash                                                           boot system flash
      Verify

Task 1: Connect to the Remote Lab
Activity Procedure
You will connect to your newly assigned workgroup using the same menus that you used for
the previous labs. Your new workgroup is identified using double letters. For example, if you
are assigned to workgroup AA in this lab, then you use menu A, or if you are assigned to BB,
use menu B, and so on.

In order to connect via a VPN tunnel to use Cisco SDM to perform configuration tasks on your
workgroup router, you will need to use a different VPN client configuration profile. This
profile will ensure that you are attached to the correct subnet to match your new workgroup
subnet address.

Activity Verification
You have completed this task when you attain these results:
• You have connected to the remote lab and attached to your workgroup devices using the
same menus used in previous labs.
• You have connected to the remote lab using the new VPN client profile to support using
Cisco SDM for configuration of your workgroup router.

Task 2: Prepare to Verify Your Configuration


Activity Procedure
In order to verify that your branch is configured correctly, you will need to ensure that discrete
parameters are configured in accordance with the values given for both your switch and router.
You will use Cisco IOS commands to test that the overall branch configuration works
appropriately. It is suggested that you perform this in three phases, and you may repeat the
phases to reach a final working configuration.

In phase 1, gather together the necessary information regarding your assigned workgroup
switch and router.

In phase 2, inspect your switch and router to ensure that the configuration matches the values
you collected in phase 1. You may have to perform corrective action on the configuration,
replacing missing or incorrect values. It may be necessary to use either Cisco SDM or the CLI
for this phase. Reference to prior labs will provide you with the correct syntax and procedure to
implement your configuration.

In phase 3, use Cisco IOS commands to test the functionality of the switch and router working
together to support the overall configuration. These may be ping commands or explicit show
commands that demonstrate, for example, that a DHCP client has received an address. If
you encounter problems in this phase, you will have to consider where to look to remedy the
problem. You should assume that the network around you is correctly configured and will work
if your configuration matches the values supplied in the job aids and tables. If you have tried to
fix your problems without success, ask your instructor for assistance.

Use the information provided in Tables 1 and 2 and transfer it to the visual objective so that
you have your IP addressing information ready to reference as you proceed through the switch
and router task sheets.

Activity Verification
You have completed this task when you attain this result:
• You have read through the instructions and have prepared the necessary reference
information to proceed to the next task.

Task 3: Verify Your Configuration


Activity Procedure
Use the information provided in Tables 1 and 2 and transfer it to the visual objective so that
you have your IP addressing information ready to reference as you proceed through the switch
and router worksheet tasks.

Use the check boxes as you work through the worksheet. You may need to refer to the labs that
you completed earlier for more detailed information on completing or verifying your
configuration.

No detailed steps are provided here, because all the information that you need is in either this
lab or a prior lab. If you need any further guidance, you should discuss this with your
instructor.

Activity Verification
You have completed this task when you attain these results for your branch:
• Your basic switch configuration properties match those assigned to your workgroup.
• Your switch has a banner message with suitable warning text.
• Your switch SSH configuration properties match those assigned to your workgroup.
• Your switch port security configuration properties match those assigned to your
workgroup.
• You secured your switch to match the properties assigned to your workgroup.
• Your basic router configuration properties match those assigned to your workgroup.
• Your router has a banner message with suitable warning text.
• Your router password configuration properties match those assigned to your workgroup.
• Your router SSH configuration properties match those assigned to your workgroup.
• Your router DHCP server configuration properties match those assigned to your
workgroup.
• Your router Internet access configuration properties match those assigned to your
workgroup.
• Your router main office connection configuration properties match those assigned to your
workgroup.
• Your router dynamic routing configuration properties match those assigned to your
workgroup.
• Your router boot system configuration properties match those assigned to your workgroup.
• You tested your branch for successful connectivity, routing, and DHCP server services.
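
One way to automate the security items of the Switch Task Worksheet, as an added example (not part of the lab guide and not Cisco code). The Python audit below runs over two constructed configurations, one shaped like the Lab 2-2 answer key and one that meets the worksheet; the function names, the banner text and the placeholder password strings are assumptions.

```python
import re


def blocks(config):
    """Map each top-level config line to the indented lines beneath it."""
    out, head = {}, None
    for line in config.splitlines():
        if not line.strip() or line.startswith("!"):
            continue
        if line[0].isspace() and head is not None:
            out[head].append(line.strip())
        else:
            head = line.strip()
            out[head] = []
    return out


def ports(prefix, first, last):
    return [f"interface {prefix}0/{n}" for n in range(first, last + 1)]


# Worksheet item 4: fa0/3-10, fa0/13-24 and gi0/1-2 are the unused ports.
UNUSED = (ports("FastEthernet", 3, 10) + ports("FastEthernet", 13, 24)
          + ports("GigabitEthernet", 1, 2))


def audit_switch(config):
    """Return the Switch Task Worksheet items that the config does not meet."""
    b, failed = blocks(config), []

    def need(ok, item):
        if not ok:
            failed.append(item)

    need("service password-encryption" in b, "service password-encryption")
    need(any(h.startswith("enable secret ") for h in b), "enable secret")
    need(any(h.startswith("banner login ") for h in b), "banner login")
    need("ip ssh version 2" in b, "ip ssh version 2")
    vty = [cmds for h, cmds in b.items() if h.startswith("line vty ")]
    need(vty and all("login local" in c for c in vty), "vty: login local")
    need(vty and all("transport input ssh" in c for c in vty),
         "vty: transport input ssh")
    con = b.get("line con 0", [])
    need("login" in con and any(c.startswith("password ") for c in con),
         "console: login with password")
    fa1 = b.get("interface FastEthernet0/1", [])
    need("switchport mode access" in fa1, "fa0/1: switchport mode access")
    need("switchport port-security" in fa1, "fa0/1: switchport port-security")
    # Accepts the worksheet's abbreviation "max" or the full keyword.
    need(any(re.fullmatch(r"switchport port-security max(imum)? 2", c) for c in fa1),
         "fa0/1: maximum 2 addresses")
    need("switchport port-security violation restrict" in fa1,
         "fa0/1: violation restrict")
    need("switchport port-security mac-address sticky" in fa1,
         "fa0/1: sticky learning")
    still_up = [p for p in UNUSED if "shutdown" not in b.get(p, [])]
    need(not still_up, f"unused ports not shut down: {len(still_up)}")
    return failed


def sample(hardened):
    """Constructed switch config: baseline like the Lab 2-2 key, or worksheet-compliant."""
    g = ["hostname SwitchAA", "enable secret 5 <constructed-hash>"]
    if hardened:
        g += ["service password-encryption",
              "username netadmin privilege 15 password 7 <constructed>",
              "ip domain-name cisco.com", "ip ssh version 2",
              "banner login % Authorized access only %"]
    else:
        g += ["no service password-encryption", "enable password cisco"]
    for p in ports("FastEthernet", 1, 24) + ports("GigabitEthernet", 1, 2):
        g.append(p)
        if hardened and p == "interface FastEthernet0/1":
            g += [" switchport mode access", " switchport port-security",
                  " switchport port-security maximum 2",
                  " switchport port-security violation restrict",
                  " switchport port-security mac-address sticky"]
        if hardened and p in UNUSED:
            g.append(" shutdown")
    g.append("line con 0")
    if hardened:
        g += [" password 7 <constructed>", " login"]
    for vty in ("line vty 0 4", "line vty 5 15"):
        g.append(vty)
        g += ([" login local", " transport input ssh"] if hardened
              else [" password sanjose", " no login"])
    return "\n".join(g) + "\nend\n"


if __name__ == "__main__":
    for name, text in (("baseline", sample(False)), ("worksheet", sample(True))):
        print(name, "->", audit_switch(text) or "all audited items met")
```

To audit a real device, pass the saved text of show run to audit_switch in place of the constructed samples.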

Answer Key
The correct answers and expected solutions for the activities that are described in this guide
appear here.

Labs 1-1, 1-2, 1-3, and 2-1 contained their answers within the labs and resulted in no
configuration changes.

Lab 2-2 Answer Key: Performing Switch Startup and Initial Configuration
When you complete this activity, your workgroup switch configuration will be similar to the
results here, with differences that are specific to your device or workgroup:
!
version 12.2
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname SwitchX
!
enable secret 5 $1$A11O$0z83HwmswM/vk5.RSZpVr.
enable password cisco
!
no aaa new-model
ip subnet-zero
!
!
!
!
!
!
no file verify auto
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
interface FastEthernet0/1
!
interface FastEthernet0/2
!
interface FastEthernet0/3
!
interface FastEthernet0/4
!
interface FastEthernet0/5
!
interface FastEthernet0/6
!
interface FastEthernet0/7
!
interface FastEthernet0/8
!
interface FastEthernet0/9

!
interface FastEthernet0/10
!
interface FastEthernet0/11
!
interface FastEthernet0/12
!
interface FastEthernet0/13
!
interface FastEthernet0/14
!
interface FastEthernet0/15
!
interface FastEthernet0/16
!
interface FastEthernet0/17
!
interface FastEthernet0/18
!
interface FastEthernet0/19
!
interface FastEthernet0/20
!
interface FastEthernet0/21
!
interface FastEthernet0/22
!
interface FastEthernet0/23
!
interface FastEthernet0/24
!
interface GigabitEthernet0/1
!
interface GigabitEthernet0/2
!
interface Vlan1
 ip address 10.10.10.11 255.255.255.0
 no ip route-cache
!
ip default-gateway 10.10.10.3
ip http server
ip http secure-server
!
control-plane
!
!
line con 0
line vty 0 4
 password sanjose
 no login
line vty 5 15
 password sanjose
 no login
!
end

Lab 2-3 Answer Key: Enhancing the Security of Initial Switch Configuration
When you complete this activity, your workgroup switch configuration will be similar to the
results here, with differences that are specific to your device or workgroup:
!
version 12.2
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname SwitchX
!
enable secret 5 $1$A11O$0z83HwmswM/vk5.RSZpVr.
enable password 7 05080F1C2243
!
username netadmin password 7 030A5E1F070B2C4540
no aaa new-model
ip subnet-zero
!
ip domain-name cisco.com
ip ssh version 2
!
!
crypto pki trustpoint TP-self-signed-1833200768
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-1833200768
 revocation-check none
 rsakeypair TP-self-signed-1833200768
!
!
crypto ca certificate chain TP-self-signed-1833200768
 certificate self-signed 01
  quit
!
!

no file verify auto
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
interface FastEthernet0/1
 switchport mode access
 switchport port-security maximum 2
 switchport port-security
 switchport port-security violation restrict
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky 0017.5a78.be01
 switchport port-security mac-address sticky 001a.2fe7.3089
!
interface FastEthernet0/2
 switchport mode access
!
interface FastEthernet0/3
 switchport mode access
 shutdown
!
interface FastEthernet0/4
 switchport mode access
 shutdown
!
interface FastEthernet0/5
 switchport mode access
 shutdown
!
interface FastEthernet0/6
 switchport mode access
 shutdown
!
interface FastEthernet0/7
 switchport mode access
 shutdown
!
interface FastEthernet0/8
 switchport mode access
 shutdown
!
interface FastEthernet0/9
 switchport mode access
 shutdown
!
interface FastEthernet0/10
 switchport mode access
 shutdown
!
interface FastEthernet0/11
 switchport mode access
!
interface FastEthernet0/12
 switchport mode access
!
interface FastEthernet0/13
 switchport mode access
 shutdown
!
interface FastEthernet0/14
 switchport mode access
 shutdown
!
interface FastEthernet0/15
 switchport mode access
 shutdown
!
interface FastEthernet0/16
 switchport mode access
 shutdown
!
interface FastEthernet0/17
 switchport mode access
 shutdown
!
interface FastEthernet0/18
 switchport mode access
 shutdown
!
interface FastEthernet0/19
 switchport mode access
 shutdown
!
interface FastEthernet0/20
 switchport mode access
 shutdown
!
interface FastEthernet0/21
 switchport mode access
 shutdown
!
interface FastEthernet0/22
 switchport mode access
 shutdown
!
interface FastEthernet0/23
 switchport mode access
 shutdown
!
interface FastEthernet0/24
 switchport mode access
 shutdown
!
interface GigabitEthernet0/1
 switchport mode access
 shutdown
!
interface GigabitEthernet0/2
 switchport mode access
 shutdown
!
interface Vlan1
 ip address 10.10.10.11 255.255.255.0
 no ip route-cache
!
ip default-gateway 10.10.10.3
ip http server
ip http secure-server
!
control-plane
!

banner login ^C
********** Warning *************
Access to this device is restricted to authorized persons only!
Un-authorized access is prohibited. Violators will be prosecuted.

**************************************************************^C
!
line con 0
 password 7 111A180B1D1D1809
 login
line vty 0 4
 password 7 111A180B1D1D1809
 login local
line vty 5 15
 password 7 111A180B1D1D1809
 login local
!
end
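
The Lab 2-2 and Lab 2-3 listings differ mainly in their access controls, and a short audit script makes both the improvements and the settings that remain after hardening visible. This is an added example, not part of the lab guide; the check names are illustrative and the two sample configurations are constructed abridgements with placeholder hashes.

```python
import re

# Constructed, abridged samples in the style of the Lab 2-2 and Lab 2-3
# listings. Hashes and encoded passwords are placeholders, not page values.
LAB_2_2 = """
no service password-encryption
enable secret 5 $1$PLACEHOLDER
enable password cisco
interface FastEthernet0/1
!
interface FastEthernet0/3
!
ip http server
!
line con 0
line vty 0 4
 password sanjose
 no login
"""

LAB_2_3 = """
service password-encryption
enable secret 5 $1$PLACEHOLDER
enable password 7 00PLACEHOLDER
username netadmin password 7 00PLACEHOLDER
interface FastEthernet0/1
 switchport mode access
 switchport port-security
!
interface FastEthernet0/2
 switchport mode access
!
interface FastEthernet0/3
 switchport mode access
 shutdown
!
ip http server
!
line con 0
 password 7 00PLACEHOLDER
 login
line vty 0 4
 password 7 00PLACEHOLDER
 login local
"""

HEADER = re.compile(r"^(interface|line) ")


def parse(config):
    """Split into global commands and {section header: [sub-commands]}."""
    global_cmds, sections, current = [], {}, None
    for line in (raw.strip() for raw in config.splitlines()):
        if line in ("", "!", "end"):
            # '!' and 'end' close the open section; blank lines do not.
            current = None if line else current
        elif HEADER.match(line):
            current = line
            sections[current] = []
        elif current is None:
            global_cmds.append(line)
        else:
            sections[current].append(line)
    return global_cmds, sections


def audit(config):
    """Return a sorted list of (check_id, location) findings."""
    global_cmds, sections = parse(config)
    every_cmd = global_cmds + [c for cmds in sections.values() for c in cmds]
    found = set()
    if "service password-encryption" not in global_cmds:
        found.add(("PASSWORD_ENCRYPTION_OFF", "global"))
    # 'enable secret' takes precedence; the weaker copy stays in the config.
    if (any(c.startswith("enable secret ") for c in global_cmds)
            and any(c.startswith("enable password ") for c in global_cmds)):
        found.add(("REDUNDANT_ENABLE_PASSWORD", "global"))
    if "ip http server" in global_cmds:
        found.add(("HTTP_MGMT_CLEARTEXT", "global"))
    # Type 7 is a reversible encoding, not a hash.
    if any(re.search(r"\bpassword 7 ", c) for c in every_cmd):
        found.add(("TYPE7_REVERSIBLE", "global"))
    for header, cmds in sections.items():
        has_login = any(c.startswith("login") for c in cmds)
        # vty lines with 'no login', or a console with no 'login' at all.
        if header.startswith("line ") and ("no login" in cmds or (
                header.startswith("line con") and not has_login)):
            found.add(("LINE_NO_AUTH", header))
        if (re.match(r"interface (Fast|Gigabit)Ethernet", header)
                and "shutdown" not in cmds
                and "switchport port-security" not in cmds):
            found.add(("ACTIVE_PORT_NO_PORT_SECURITY", header))
    return sorted(found)


if __name__ == "__main__":
    for label, cfg in (("Lab 2-2", LAB_2_2), ("Lab 2-3", LAB_2_3)):
        print(label, audit(cfg))
```

On the hardened sample the script still reports the type 7 passwords, the leftover `enable password`, the HTTP server, and the active port without port security.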

Lab 2-4 Answer Key: Operating and Configuring a Cisco IOS Device
When you complete this activity, your workgroup switch configuration will be similar to the
results here, with differences that are specific to your device or workgroup:
!
version 12.2
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname SwitchX
!
enable secret 5 $1$A11O$0z83HwmswM/vk5.RSZpVr.
enable password 7 05080F1C2243
!
username netadmin password 7 030A5E1F070B2C4540
no aaa new-model
ip subnet-zero
!
ip domain-name cisco.com
ip ssh version 2
!
!
crypto pki trustpoint TP-self-signed-1833200768
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-1833200768
 revocation-check none
 rsakeypair TP-self-signed-1833200768
!
!
crypto ca certificate chain TP-self-signed-1833200768
 certificate self-signed 01
  quit
!
!

no file verify auto
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
interface FastEthernet0/1
 switchport mode access
 switchport port-security maximum 2
 switchport port-security
 switchport port-security violation restrict
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky 0017.5a78.be01
 switchport port-security mac-address sticky 001a.2fe7.3089
!
interface FastEthernet0/2
 switchport mode access
!
interface FastEthernet0/3
 switchport mode access
 shutdown
!
interface FastEthernet0/4
 switchport mode access
 shutdown
!
interface FastEthernet0/5
 switchport mode access
 shutdown
!
interface FastEthernet0/6
 switchport mode access
 shutdown
!
interface FastEthernet0/7
 switchport mode access
 shutdown
!
interface FastEthernet0/8
 switchport mode access
 shutdown
!
interface FastEthernet0/9
 switchport mode access
 shutdown
!
interface FastEthernet0/10
 switchport mode access
 shutdown
!
interface FastEthernet0/11
 switchport mode access
!
interface FastEthernet0/12
 switchport mode access
!
interface FastEthernet0/13
 switchport mode access
 shutdown
!
interface FastEthernet0/14
 switchport mode access
 shutdown
!
interface FastEthernet0/15
 switchport mode access
 shutdown
!
interface FastEthernet0/16
 switchport mode access
 shutdown
!
interface FastEthernet0/17
 switchport mode access
 shutdown
!
interface FastEthernet0/18
 switchport mode access
 shutdown
!
interface FastEthernet0/19
 switchport mode access
 shutdown
!
interface FastEthernet0/20
 switchport mode access
 shutdown
!
interface FastEthernet0/21
 switchport mode access
 shutdown
!
interface FastEthernet0/22
 switchport mode access
 shutdown
!
interface FastEthernet0/23
 switchport mode access
 shutdown
!
interface FastEthernet0/24
 switchport mode access
 shutdown
!
interface GigabitEthernet0/1
 switchport mode access
 shutdown
!
interface GigabitEthernet0/2
 switchport mode access
 shutdown
!
interface Vlan1
 ip address 10.10.10.11 255.255.255.0
 no ip route-cache
!
ip default-gateway 10.10.10.3
ip http server
ip http secure-server
!
control-plane
!

banner login ^C
********** Warning *************
Access to this device is restricted to authorized persons only!
Un-authorized access is prohibited. Violators will be prosecuted.

**************************************************************^C
!
line con 0
 password 7 111A180B1D1D1809
 login
line vty 0 4
 password 7 111A180B1D1D1809
 login local
line vty 5 15
 password 7 111A180B1D1D1809
 login local
!
end

Lab 4-1 Answer Key: Converting Decimal to Binary and Binary to Decimal
When you complete this activity, your results will match the results here.

Task 1: Convert from Decimal Notation to Binary Format


Base-2    2^7  2^6  2^5  2^4  2^3  2^2  2^1  2^0
Decimal   128   64   32   16    8    4    2    1   Binary

48          0    0    1    1    0    0    0    0   48 = 32+16 = 00110000
146         1    0    0    1    0    0    1    0   146 = 128+16+2 = 10010010
222         1    1    0    1    1    1    1    0   222 = 128+64+16+8+4+2 = 1101110
119         0    1    1    1    0    1    1    1   119 = 64+32+16+4+2+1 = 01110111
135         1    0    0    0    0    1    1    1   135 = 128+4+2+1 = 10000111
60          0    0    1    1    1    1    0    0   60 = 32+16+8+4 = 00111100

Task 2: Convert from Binary Notation to Decimal Format


Base-2     2^7  2^6  2^5  2^4  2^3  2^2  2^1  2^0
Binary     128   64   32   16    8    4    2    1   Decimal

11001100     1    1    0    0    1    1    0    0   128+64+8+4 = 204
10101010     1    0    1    0    1    0    1    0   128+32+8+2 = 170
11100011     1    1    1    0    0    0    1    1   128+64+32+2+1 = 227
10110011     1    0    1    1    0    0    1    1   128+32+16+2+1 = 179
00110101     0    0    1    1    0    1    0    1   32+16+4+1 = 53
10010111     1    0    0    1    0    1    1    1   128+16+4+2+1 = 151



Lab 4-2 Answer Key: Classifying Network Addressing
When you complete this activity, your results will match the results here.

Task 1: Convert from Decimal IP Address to Binary Format


The table to express 145.32.59.24 in binary format is shown here.

Base-2     2^7  2^6  2^5  2^4  2^3  2^2  2^1  2^0
Decimal    128   64   32   16    8    4    2    1   Binary

145          1    0    0    1    0    0    0    1   10010001
32           0    0    1    0    0    0    0    0   00100000
59           0    0    1    1    1    0    1    1   00111011
24           0    0    0    1    1    0    0    0   00011000

Binary Format IP Address   10010001.00100000.00111011.00011000

Step 1 The table to express 200.42.129.16 in binary format is shown here.

Base-2     2^7  2^6  2^5  2^4  2^3  2^2  2^1  2^0
Decimal    128   64   32   16    8    4    2    1   Binary

200          1    1    0    0    1    0    0    0   11001000
42           0    0    1    0    1    0    1    0   00101010
129          1    0    0    0    0    0    0    1   10000001
16           0    0    0    1    0    0    0    0   00010000

Binary Format IP Address   11001000.00101010.10000001.00010000

Step 2 The table to express 14.82.19.54 in binary format is shown here.

Base-2     2^7  2^6  2^5  2^4  2^3  2^2  2^1  2^0
Decimal    128   64   32   16    8    4    2    1   Binary

14           0    0    0    0    1    1    1    0   00001110
82           0    1    0    1    0    0    1    0   01010010
19           0    0    0    1    0    0    1    1   00010011
54           0    0    1    1    0    1    1    0   00110110

Binary Format IP Address   00001110.01010010.00010011.00110110

Task 2: Convert from Binary Format to Decimal IP Address
Step 1 The table to express 11011000.00011011.00111101.10001001 in decimal IP address format is shown here.

Base-2     2^7  2^6  2^5  2^4  2^3  2^2  2^1  2^0
Binary     128   64   32   16    8    4    2    1   Decimal

11011000     1    1    0    1    1    0    0    0   216
00011011     0    0    0    1    1    0    1    1   27
00111101     0    0    1    1    1    1    0    1   61
10001001     1    0    0    0    1    0    0    1   137

Decimal Format IP Address   216.27.61.137

Step 2 The table to express 11000110.00110101.10010011.00101101 in decimal IP address format is shown here.

Base-2     2^7  2^6  2^5  2^4  2^3  2^2  2^1  2^0
Binary     128   64   32   16    8    4    2    1   Decimal

11000110     1    1    0    0    0    1    1    0   198
00110101     0    0    1    1    0    1    0    1   53
10010011     1    0    0    1    0    0    1    1   147
00101101     0    0    1    0    1    1    0    1   45

Decimal Format IP Address   198.53.147.45

Step 3 The table to express 01111011.00101101.01000011.01011001 in decimal IP address format is shown here.

Base-2     2^7  2^6  2^5  2^4  2^3  2^2  2^1  2^0
Binary     128   64   32   16    8    4    2    1   Decimal

01111011     0    1    1    1    1    0    1    1   123
00101101     0    0    1    0    1    1    0    1   45
01000011     0    1    0    0    0    0    1    1   67
01011001     0    1    0    1    1    0    0    1   89

Decimal Format IP Address   123.45.67.89



Task 3: Identify IP Address Classes
Binary IP Address                     Decimal IP Address   Address Class   Number of Bits in Network ID   Maximum Number of Hosts (2^h-2)

10010001.00100000.00111011.00011000   145.32.59.24         Class B         16                             2^16-2 = 65,534
11001000.00101010.10000001.00010000   200.42.129.16        Class C         24                             2^8-2 = 254
00001110.01010010.00010011.00110110   14.82.19.54          Class A         8                              2^24-2 = 16,777,214
11011000.00011011.00111101.10001001   216.27.61.137        Class C         24                             2^8-2 = 254
10110011.00101101.01000011.01011001   179.45.67.89         Class B         16                             2^16-2 = 65,534
11000110.00110101.10010011.00101101   198.53.147.45        Class C         24                             2^8-2 = 254

Task 4: Identify Valid and Invalid Host IP Addresses


Decimal IP Address   Valid or Invalid   If Invalid, Indicate Reason

23.75.345.200        Invalid            345 exceeds an 8-bit value (maximum = 255)
216.27.61.134        Valid
102.54.94            Invalid            One octet is missing
255.255.255.255      Invalid            Valid number but is an administrative number that should not be assigned to a host
142.179.148.200      Valid
200.42.129.16        Valid
0.124.0.0            Invalid            A Class A address cannot use 0 as the first octet

Lab 4-3 Answer Key: Computing Usable Subnetworks and Hosts
When you complete this activity, your results will match the results here.

Task 1: Determine the Number of Bits Required to Subnet a Class C Network
Given a Class C network address of 192.168.89.0, the completed table is shown here.

Number of Subnets   Number of Bits to Borrow   Number of Hosts per Subnet (2^h - 2)

2                   1                          2^7-2 = 126
5                   3                          2^5-2 = 30
12                  4                          2^4-2 = 14
24                  5                          2^3-2 = 6
40                  6                          2^2-2 = 2

Task 2: Determine the Number of Bits Required to Subnet a Class B Network
Given a Class B network address of 172.25.0.0, the completed table is shown here.

Number of Subnets   Number of Bits to Borrow   Number of Hosts per Subnet (2^h - 2)

5                   3                          2^13-2 = 8,190
8                   3                          2^13-2 = 8,190
14                  4                          2^12-2 = 4,094
20                  5                          2^11-2 = 2,046
35                  6                          2^10-2 = 1,022

Task 3: Determine the Number of Bits Required to Subnet a Class A Network
Given a Class A network address of 10.0.0.0, the completed table is shown here.

Number of Subnets   Number of Bits to Borrow   Number of Hosts per Subnet (2^h - 2)

10                  4                          2^20 - 2 = 1,048,574
14                  4                          2^20 - 2 = 1,048,574
20                  5                          2^19 - 2 = 524,286
40                  6                          2^18 - 2 = 262,142
80                  7                          2^17 - 2 = 131,070



Lab 4-4: Answer Key
When you complete this activity, your results will match the results here.

Task 1: Determine the Number of Possible Network Addresses


Classful Address   Decimal Subnet Mask   Binary Subnet Mask                    Number of Hosts per Subnet (2^h - 2)

/20                255.255.240.0         11111111.11111111.11110000.00000000   4,094
/21                255.255.248.0         11111111.11111111.11111000.00000000   2,046
/22                255.255.252.0         11111111.11111111.11111100.00000000   1,022
/23                255.255.254.0         11111111.11111111.11111110.00000000   510
/24                255.255.255.0         11111111.11111111.11111111.00000000   254
/25                255.255.255.128       11111111.11111111.11111111.10000000   126
/26                255.255.255.192       11111111.11111111.11111111.11000000   62
/27                255.255.255.224       11111111.11111111.11111111.11100000   30
/28                255.255.255.240       11111111.11111111.11111111.11110000   14
/29                255.255.255.248       11111111.11111111.11111111.11111000   6
/30                255.255.255.252       11111111.11111111.11111111.11111100   2

Task 2: Given a Network Block, Define Subnets


Assume that you have been assigned the 172.25.0.0 /16 network block. You need to establish
eight subnets. Complete the following questions.
1. How many bits do you need to borrow to define 12 subnets? 4

2. Specify the classful address and subnet mask in binary and decimal that allows you to
create 12 subnets.
Classful address: /20
Subnet mask (binary): 11111111.11111111.11110000.00000000
Subnet mask (decimal): 255.255.240.0

3. Use the eight-step method to define the 12 subnets.

Step  Description                                               Example

1.    Write down the octet that is being split in binary.       00000000

2.    Write the mask or classful prefix length in binary.       11110000

3.    Draw a line to delineate the significant bits in the      0000 0000
      assigned IP address.
      Cross out the mask so that you can view the               1111 0000
      significant bits in the IP address.

4.    Copy the significant bits four times.                     0000 0000 (first subnet)

5.    In the first line, define the network address by          0000 0001 (first host address)
      placing 0s in the remaining host bits.
                                                                0000 1110 (last host address)
6.    In the last line, define the directed-broadcast
      address by placing 1s in the host bits.                   0000 1111 (broadcast address)

7.    In the middle lines, define the first and last host ID
      for this subnet.

8.    Increment the subnet bits by one to determine the         0001 0000 (next subnet)
      next subnet address.

      Repeat Steps 4 through 8 for all subnets.

4. Complete this table to define each subnet.

Subnet Number   Subnet Address   Range of Host Addresses        Directed-Broadcast Address

0               172.25.0.0       172.25.1.0 to 172.25.14.0      172.25.15.0
1               172.25.16.0      172.25.17.0 to 172.25.30.0     172.25.31.0
2               172.25.32.0      172.25.33.0 to 172.25.46.0     172.25.47.0
3               172.25.48.0      172.25.49.0 to 172.25.62.0     172.25.63.0
4               172.25.64.0      172.25.65.0 to 172.25.78.0     172.25.79.0
5               172.25.80.0      172.25.81.0 to 172.25.92.0     172.25.95.0
6               172.25.94.0      172.25.95 to 172.25.108.0      172.25.109.0
7               172.25.110.0     172.25.111.0 to 172.25.124.0   172.25.125.0

Task 3: Given Another Network Block, Define Subnets


Assume that you have been assigned the 192.168.1.0 /24 network block.
1. How many bits do you need to borrow to define six subnets? 3

2. Specify the classful address and subnet mask in binary and decimal that allows you to
create six subnets.
Classful address: /27
Subnet mask (binary): 11111111.11111111.11111111.11100000
Subnet mask (decimal): 255.255.255.224

3. Use the eight-step method to define the six subnets.

Step  Description                                               Example

1.    Write down the octet that is being split in binary.       00000000

2.    Write the mask or classful prefix length in binary.       11100000

3.    Draw a line to delineate the significant bits in the      000 00000
      assigned IP address.
      Cross out the mask so that you can view the               111 00000
      significant bits in the IP address.

4.    Copy the significant bits four times.                     000 00000 (first subnet)

5.    In the first line, define the network address by          000 00001 (first host address)
      placing 0s in the remaining host bits.
                                                                000 11110 (last host address)
6.    In the last line, define the directed-broadcast
      address by placing 1s in the host bits.                   000 11111 (broadcast address)

7.    In the middle lines, define the first and last host ID
      for this subnet.

8.    Increment the subnet bits by one to determine the         001 00000 (next subnet)
      next subnet address.

      Repeat Steps 4 through 8 for all subnets.

4. Complete this table to define each subnet.

Subnet Number   Subnet Address   Range of Host Addresses          Directed-Broadcast Address

0               192.168.1.0      192.168.1.1 to 192.168.1.30      192.168.1.31
1               192.168.1.32     192.168.1.33 to 192.168.1.62     192.168.1.63
2               192.168.1.64     192.168.1.65 to 192.168.1.94     192.168.1.95
3               192.168.1.96     192.168.1.97 to 192.168.1.126    192.168.1.127
4               192.168.1.128    192.168.1.129 to 192.168.1.158   192.168.1.159
5               192.168.1.160    192.168.1.161 to 192.168.1.190   192.168.1.191
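
The eight-step method above, written as bit operations for the 192.168.1.0 /24 block with six subnets. This is an added example, not part of the lab guide, and its function names are illustrative; it works on the full 32-bit address, so it also covers masks that cross an octet boundary, such as the /25 in Task 6.

```python
def to_int(addr):
    """Dotted decimal to a 32-bit integer, rejecting malformed addresses."""
    octets = addr.split(".")
    if len(octets) != 4:
        raise ValueError(f"{addr}: expected four octets")
    value = 0
    for octet in octets:
        n = int(octet)
        if not 0 <= n <= 255:
            raise ValueError(f"{addr}: {n} does not fit in 8 bits")
        value = (value << 8) | n
    return value


def dotted(value):
    """32-bit integer back to dotted decimal."""
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def bits_to_borrow(subnets_needed):
    """Smallest s with 2**s >= subnets_needed, as in the Lab 4-3 tables."""
    bits = 0
    while (1 << bits) < subnets_needed:
        bits += 1
    return bits


def hosts_per_subnet(prefix):
    """2^h - 2, where h is the number of host bits left by the prefix."""
    return (1 << (32 - prefix)) - 2


def define_subnets(block, block_prefix, subnets_needed):
    """Return (prefix, rows); each row is
    (number, subnet, first host, last host, directed broadcast)."""
    prefix = block_prefix + bits_to_borrow(subnets_needed)
    host_bits = 32 - prefix
    if host_bits < 2:
        raise ValueError("fewer than 2 host bits leaves no usable hosts")
    # Steps 1-3: keep only the bits of the block that the mask covers.
    block_mask = (0xFFFFFFFF << (32 - block_prefix)) & 0xFFFFFFFF
    base = to_int(block) & block_mask
    rows = []
    for number in range(subnets_needed):
        # Step 8: each increment of the subnet bits moves one block ahead.
        network = base + (number << host_bits)         # step 5: host bits 0
        broadcast = network | ((1 << host_bits) - 1)   # step 6: host bits 1
        # Step 7: first and last host sit just inside those two addresses.
        rows.append((number, dotted(network), dotted(network + 1),
                     dotted(broadcast - 1), dotted(broadcast)))
    return prefix, rows


if __name__ == "__main__":
    prefix, rows = define_subnets("192.168.1.0", 24, 6)
    print(f"/{prefix}, {hosts_per_subnet(prefix)} hosts per subnet")
    for number, subnet, first, last, bcast in rows:
        print(f"{number}  {subnet:15} {first} to {last:15} {bcast}")
```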

Task 4: Given a Network Block and Classful Address, Define Subnets
Assume that you have been assigned the 192.168.111.0 /28 network block.
1. Specify the subnet mask in binary and decimal.
Subnet mask (binary): 11111111.11111111.11111111.11110000
Subnet mask (decimal): 255.255.255.240

2. How many subnets can you define with the specified mask? 16
3. How many hosts will be in each subnet? 14

4. Use the eight-step method to define the subnets.

Step  Description                                               Example

1.    Write down the octet that is being split in binary.       10000001

2.    Write the mask or classful prefix length in binary.       11110000

3.    Draw a line to delineate the significant bits in the      1000 0001
      assigned IP address.
      Cross out the mask so that you can view the               1111 0000
      significant bits in the IP address.

4.    Copy the significant bits four times.                     1000 0000 (first subnet)

5.    In the first line, define the network address by          1000 0001 (first host address)
      placing 0s in the remaining host bits.
                                                                1000 1110 (last host address)
6.    In the last line, define the directed-broadcast
      address by placing 1s in the host bits.                   1000 1111 (broadcast address)

7.    In the middle lines, define the first and last host ID
      for this subnet.

8.    Increment the subnet bits by one to determine the         1001 0000 (next subnet)
      next subnet address.

      Repeat Steps 4 through 8 for all subnets.

5. Complete this table to define the subnets.

Subnet Number   Subnet Address    Range of Host Addresses              Directed-Broadcast Address

0               192.168.111.0     192.168.111.1 to 192.168.111.126     192.168.111.127
1               192.168.111.128   192.168.111.129 to 192.168.111.142   192.168.111.143
2               192.168.111.144   192.168.111.145 to 192.168.111.158   192.168.111.159
3               192.168.111.160   192.168.111.161 to 192.168.111.174   192.168.111.175
4               192.168.111.176   192.168.111.177 to 192.168.111.190   192.168.111.191
5               192.168.111.192   192.168.111.193 to 192.168.111.206   192.168.111.207
6               192.168.111.208   192.168.111.209 to 192.168.111.222   192.168.111.223

Task 5: Given a Network Block and Classful Address, Define Subnets
Assume that you have been assigned the 172.25.0.0 /23 network block.
1. Specify the subnet mask in binary and decimal.
Subnet mask (binary): 11111111.11111111.11111110.00000000
Subnet mask (decimal): 255.255.254.0

2. How many subnets can you define with the specified mask? 126

3. How many hosts will be in each subnet? 510

4. Use the eight-step method to define the subnets.

Step  Description                                               Example

1.    Write down the octet that is being split in binary.       01110000.00000000

2.    Write the mask or classful prefix length in binary.       11111110.00000000

3.    Draw a line to delineate the significant bits in the      0111000 0.00000000
      assigned IP address.
      Cross out the mask so that you can view the               1111111 0.00000000
      significant bits in the IP address.

4.    Copy the significant bits four times.                     0111000 0.00000000 (first subnet)

5.    In the first line, define the network address by          0111000 0.00000001 (first host address)
      placing 0s in the remaining host bits.
                                                                0111000 1.11111110 (last host address)
6.    In the last line, define the directed-broadcast
      address by placing 1s in the host bits.                   0111000 1.11111111 (broadcast address)

7.    In the middle lines, define the first and last host ID
      for this subnet.

8.    Increment the subnet bits by one to determine the         0111001 0.00000000 (next subnet)
      next subnet address.

      Repeat Steps 4 through 8 for all subnets.

5. Complete this table to define each subnet.

Subnet Number   Subnet Address   Range of Host Addresses      Directed-Broadcast Address

0               172.25.0.0       172.25.0.1 to 172.25.1.254   172.25.1.255
1               172.25.2.0       172.25.2.1 to 172.25.3.254   172.25.3.255
2               172.25.4.0       172.25.4.1 to 172.25.5.254   172.25.5.255
3               172.25.6.0       172.25.6.1 to 172.25.7.254   172.25.7.255
4               172.25.8.0       172.25.8.1 to 172.25.9.254   172.25.9.255

...

Task 6: Given a Network Block and Classful Address, Define Subnets
Assume that you have been assigned the 172.20.0.0 /25 network block.
1. Specify the subnet mask in binary and decimal.
Subnet mask (binary): 11111111.11111111.11111111.10000000
Subnet mask (decimal): 255.255.255.128

2. How many subnets can you define with the specified mask? 510

3. How many hosts will be in each subnet? 126

4. Use the eight-step method to define the subnets.

Step  Description                                               Example

1.    Write down the octet that is being split in binary.       00000000.10000001

2.    Write the mask or classful prefix length in binary.       11111111.10000000

3.    Draw a line to delineate the significant bits in the      1 0000001
      assigned IP address.
      Cross out the mask so that you can view the               1 0000000
      significant bits in the IP address.

4.    Copy the significant bits four times.                     00000000.10000000 (first subnet)

5.    In the first line, define the network address by          00000000.10000001 (first host address)
      placing 0s in the remaining host bits.
                                                                00000000.11111110 (last host address)
6.    In the last line, define the directed-broadcast
      address by placing 1s in the host bits.                   00000000.11111111 (broadcast address)

7.    In the middle lines, define the first and last host ID
      for this subnet.

8.    Increment the subnet bits by one to determine the         00000001.10000000 (next subnet)
      next subnet address.

      Repeat Steps 4 through 8 for all subnets.

5. Complete this table to define the subnets.

Subnet Number   Subnet Address   Range of Host Addresses        Directed-Broadcast Address

0               172.20.0.0       172.20.0.1 to 172.20.0.126     172.20.0.127
1               172.20.0.128     172.20.0.129 to 172.20.0.254   172.20.0.255
2               172.20.1.0       172.20.1.1 to 172.20.1.126     172.20.1.127
3               172.20.1.128     172.20.1.129 to 172.20.1.254   172.20.1.255
4               172.20.2.0       172.20.2.1 to 172.20.2.126     172.20.2.127
5               172.20.2.128     172.20.2.129 to 172.20.2.254   172.20.2.255

...



Lab 4-5 Answer Key: Performing Initial Router Startup
When you complete this activity, your workgroup switch will have no configuration. Displayed
here is the output of the erase startup-config command. Remember that the username and
password “cisco” and “cisco” come from the default Cisco SDM configuration. Your output
will be similar to the results here:
Username: cisco
Password:
yourname#erase startup-config
Erasing the nvram filesystem will remove all configuration files! Continue?
[confirm]
[OK]
Erase of nvram: complete
yourname#
*Mar 13 17:28:00.003: %SYS-7-NV_BLOCK_INIT: Initialized the geometry of nvram
yourname#reload
Proceed with reload? [confirm]

*Mar 13 17:28:07.939: %SYS-5-RELOAD: Reload requested by console. Reload Reason: Reload Command.

System Bootstrap, Version 12.4(13r)T, RELEASE SOFTWARE (fc1)


Technical Support: http://www.cisco.com/techsupport
Copyright (c) 2006 by cisco Systems, Inc.

Initializing memory for ECC


.
c2811 platform with 262144 Kbytes of main memory
Main memory is configured to 64 bit mode with ECC enabled

Upgrade ROMMON initialized


program load complete, entry point: 0x8000f000, size: 0xcb80
program load complete, entry point: 0x8000f000, size: 0xcb80

program load complete, entry point: 0x8000f000, size: 0x228d9f8


Self decompressing the image :
################################################################################
################################################################################
####################################### [OK]

Smart Init is enabled


smart init is sizing iomem
ID MEMORY_REQ TYPE
0003E7 0X003DA000 C2811 Mainboard
0X00263F50 Onboard VPN
0X000021B8 Onboard USB
0X002C29F0 public buffer pools
0X00211000 public particle pools
TOTAL: 0X00B13AF8

If any of the above Memory Requirements are
"UNKNOWN", you may be using an unsupported
configuration or there is a software problem and
system operation may be compromised.
Rounded IOMEM up to: 12Mb.

Using 4 percent iomem. [12Mb/256Mb]

Restricted Rights Legend

Use, duplication, or disclosure by the Government is
subject to restrictions as set forth in subparagraph
(c) of the Commercial Computer Software - Restricted
Rights clause at FAR sec. 52.227-19 and subparagraph
(c) (1) (ii) of the Rights in Technical Data and Computer
Software clause at DFARS sec. 252.227-7013.

cisco Systems, Inc.


170 West Tasman Drive
San Jose, California 95134-1706

Cisco IOS Software, 2800 Software (C2800NM-ADVIPSERVICESK9-M), Version 12.4(12), RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2006 by Cisco Systems, Inc.
Compiled Fri 17-Nov-06 12:02 by prod_rel_team
Image text-base: 0x40093160, data-base: 0x42B00000

This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

If you require further assistance please contact us by sending email to
export@cisco.com.

Cisco 2811 (revision 49.46) with 249856K/12288K bytes of memory.


Processor board ID FTX1050A3Q6
2 FastEthernet interfaces
2 Serial(sync/async) interfaces
1 Virtual Private Network (VPN) Module
DRAM configuration is 64 bits wide with parity enabled.
239K bytes of non-volatile configuration memory.
62720K bytes of ATA CompactFlash (Read/Write)

--- System Configuration Dialog ---

Would you like to enter the initial configuration dialog? [yes/no]: no

Press RETURN to get started!

sslinit fn

*Mar 13 17:29:36.819: %VPN_HW-6-INFO_LOC: Crypto engine: onboard 0 State changed to: Initialized



*Mar 13 17:29:36.819: %VPN_HW-6-INFO_LOC: Crypto engine: onboard 0 State changed to: Enabled
*Mar 13 17:29:38.087: %LINEPROTO-5-UPDOWN: Line protocol on Interface VoIP-Null0, changed state to up
*Mar 13 17:29:38.087: %LINK-3-UPDOWN: Interface FastEthernet0/0, changed state to up
*Mar 13 17:29:38.087: %LINK-3-UPDOWN: Interface FastEthernet0/1, changed state to up
*Mar 13 17:29:38.087: %LINK-3-UPDOWN: Interface Serial0/0/0, changed state to up
*Mar 13 17:29:38.087: %LINK-3-UPDOWN: Interface Serial0/0/1, changed state to down
*Mar 13 17:29:39.491: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to down
*Mar 13 17:29:39.495: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to down
*Mar 13 17:29:39.495: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0/0, changed state to up
*Mar 13 17:29:39.495: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0/1, changed state to down
*Mar 13 17:29:41.311: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to up
*Mar 13 17:29:41.371: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to up
*Mar 13 17:30:04.463: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0/0, changed state to down
*Mar 13 17:30:07.223: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0/0, changed state to up
*Mar 13 17:31:02.663: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0/0, changed state to down
*Mar 13 17:31:44.471: %LINK-5-CHANGED: Interface FastEthernet0/0, changed state to administratively down
*Mar 13 17:31:44.471: %LINK-5-CHANGED: Interface FastEthernet0/1, changed state to administratively down
*Mar 13 17:31:44.471: %LINK-5-CHANGED: Interface Serial0/0/0, changed state to administratively down
*Mar 13 17:31:44.475: %LINK-5-CHANGED: Interface Serial0/0/1, changed state to administratively down
*Mar 13 17:31:44.491: %IP-5-WEBINST_KILL: Terminating DNS process
*Mar 13 17:31:45.471: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to down
*Mar 13 17:31:45.471: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to down
*Mar 13 17:31:46.007: %SYS-5-RESTART: System restarted --
Cisco IOS Software, 2800 Software (C2800NM-ADVIPSERVICESK9-M), Version 12.4(12), RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2006 by Cisco Systems, Inc.
Compiled Fri 17-Nov-06 12:02 by prod_rel_team
*Mar 13 17:31:46.011: %SNMP-5-COLDSTART: SNMP agent on host Router is undergoing
a cold start
*Mar 13 17:31:46.219: %SYS-6-BOOTTIME: Time taken to reboot after reload = 216
seconds
*Mar 13 17:31:46.399: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is OFF

Lab 4-6 Answer Key: Performing Initial Router Configuration
When you complete this activity, your workgroup router configuration will be similar to the
results here, with differences that are specific to your device or workgroup:
!
version 12.4
!
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname RouterX
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$.dET$BDxkofHF3aAsRthe/c0.c.
enable password cisco
!
no aaa new-model
!
!
ip cef
!
!
!
!
voice-card 0
no dspfarm
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface FastEthernet0/0
ip address 10.10.10.3 255.255.255.0
duplex half
speed auto
no mop enabled
!
interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
interface Serial0/0/0
no ip address
shutdown
no fair-queue
!
interface Serial0/0/1
no ip address
shutdown
clock rate 2000000
!
!
!
ip http server
no ip http secure-server
!
dialer-list 1 protocol ip permit
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
!
line con 0
line aux 0
line vty 0 4
password sanjose
login
!
scheduler allocate 20000 1000
!
end

Lab 4-7 Answer Key: Enhancing the Security of Initial Router Configuration
When you complete this activity, your workgroup router configuration will be similar to the
results here, with differences that are specific to your device or workgroup:
!
!
version 12.4
!
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname RouterX
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$.dET$BDxkofHF3aAsRthe/c0.c.
enable password 7 14141B180F0B
!
no aaa new-model
!
!
ip cef
!
!
no ip domain lookup
ip domain name cisco.com
ip ssh version 2
!
!
voice-card 0
no dspfarm
!
!
!
!
!
!
!
!
!
!
!
!
!
!
username netadmin password 7 082F495A081D081E1C
!
!
!
!
!
!
interface FastEthernet0/0
ip address 10.10.10.3 255.255.255.0
duplex half
speed auto
no mop enabled
!
interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
interface Serial0/0/0
no ip address
shutdown
no fair-queue
!
interface Serial0/0/1
no ip address
shutdown
clock rate 2000000
!
!
!
ip http server
no ip http secure-server
!
dialer-list 1 protocol ip permit
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
banner login ^C
********** Warning *************
Access to this device is restricted to authorized persons only!
Un-authorized access is prohibited. Violators will be prosecuted.

**************************************************************^C
!
line con 0
password 7 14041305060B392E
login
line aux 0
line vty 0 4
password 7 071C204244060A00
login local
transport input telnet ssh
!
scheduler allocate 20000 1000
!
end
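
The security-relevant differences between the Lab 4-6 and Lab 4-7 answer keys can be checked mechanically. The following is an added example, not part of the Cisco lab guide: the config lines are copied from the two answer keys above, while the `parse` and `audit` helpers and the rule names are this example's own.

```python
import re

# Security-relevant lines copied from the Lab 4-6 and Lab 4-7 answer keys.
LAB_4_6 = """\
no service password-encryption
enable secret 5 $1$.dET$BDxkofHF3aAsRthe/c0.c.
enable password cisco
ip http server
no ip http secure-server
!
line con 0
line aux 0
line vty 0 4
password sanjose
login
!
end
"""

LAB_4_7 = """\
service password-encryption
enable secret 5 $1$.dET$BDxkofHF3aAsRthe/c0.c.
enable password 7 14141B180F0B
ip ssh version 2
username netadmin password 7 082F495A081D081E1C
ip http server
no ip http secure-server
!
line con 0
password 7 14041305060B392E
login
line aux 0
line vty 0 4
password 7 071C204244060A00
login local
transport input telnet ssh
!
end
"""

# Type 7 is reversible obfuscation, not a hash; "secret" forms store a hash.
TYPE7 = re.compile(r"\bpassword 7 [0-9A-Fa-f]+$")


def parse(config):
    """Split a config into global commands and per-'line' stanzas.

    A 'line ...' stanza runs until the next 'line ...' header or a '!'
    separator, so indented device output and the flattened text on this
    page are handled the same way.
    """
    global_cmds, stanzas, current = [], {}, None
    for raw in config.splitlines():
        cmd = raw.strip()
        if not cmd or cmd == "!":
            current = None
        elif cmd.startswith("line "):
            current = stanzas.setdefault(cmd, [])
        elif current is not None:
            current.append(cmd)
        else:
            global_cmds.append(cmd)
    return global_cmds, stanzas


def audit(config):
    """Return a list of (rule, detail) findings for one configuration."""
    global_cmds, stanzas = parse(config)
    findings = []
    if "service password-encryption" not in global_cmds:
        findings.append(("cleartext-passwords",
                         "service password-encryption is off"))
    has_secret = any(c.startswith("enable secret ") for c in global_cmds)
    for cmd in global_cmds:
        if cmd.startswith("enable password ") and has_secret:
            findings.append(("redundant-enable-password",
                             "enable secret already takes precedence"))
        if TYPE7.search(cmd):
            findings.append(("type7-password", TYPE7.sub("", cmd).strip()))
        if cmd == "ip http server":
            findings.append(("http-cleartext-mgmt", cmd))
    for header, cmds in stanzas.items():
        if any(TYPE7.fullmatch(c) for c in cmds):
            findings.append(("type7-password", header))
        if not header.startswith("line vty"):
            continue
        transports = [c.split()[2:] for c in cmds
                      if c.startswith("transport input ")]
        if not transports:
            # No explicit protocol list: the platform default applies.
            findings.append(("vty-transport-default", header))
        elif any(p in ("telnet", "all") for t in transports for p in t):
            findings.append(("vty-telnet", header))
        if "login" in cmds:  # bare "login" = one shared line password
            findings.append(("vty-shared-password", header))
    return findings


def rules(config):
    """Set of rule names raised for a configuration."""
    return {rule for rule, _ in audit(config)}


if __name__ == "__main__":
    for name, cfg in (("Lab 4-6", LAB_4_6), ("Lab 4-7", LAB_4_7)):
        print(name)
        for rule, detail in audit(cfg):
            print(f"  {rule}: {detail}")
```

Lab 4-7 clears the cleartext-password and shared vty password findings, but the audit still reports the type 7 passwords, the leftover `enable password`, the HTTP server and Telnet on the vty lines.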

Lab 4-8 Answer Key: Using Cisco SDM to Configure DHCP Server Function
When you complete this activity, your workgroup router configuration will be similar to the
results here, with differences that are specific to your device or workgroup:
!
!
version 12.4
!
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname RouterX
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$.dET$BDxkofHF3aAsRthe/c0.c.
enable password 7 14141B180F0B
!
no aaa new-model
!
!
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 10.10.10.1 10.10.10.149
ip dhcp excluded-address 10.10.10.200 10.10.10.254
!
ip dhcp pool wgA_clients
import all
network 10.10.10.0 255.255.255.0
lease 0 0 5
!
!
no ip domain lookup
ip domain name cisco.com
ip ssh version 2
!
!
voice-card 0
no dspfarm
!
!
!
!
!
!
!
!
!
!
!
!
!
crypto pki trustpoint TP-self-signed-3715519608
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3715519608
revocation-check none
rsakeypair TP-self-signed-3715519608
!
!
crypto pki certificate chain TP-self-signed-3715519608
certificate self-signed 01
quit
username netadmin privilege 15 password 7 082F495A081D081E1C
!
!
!
!
!
!
interface FastEthernet0/0
ip address 10.10.10.3 255.255.255.0
duplex half
speed auto
no mop enabled
!
interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
interface Serial0/0/0
no ip address
shutdown
no fair-queue
!
interface Serial0/0/1
no ip address
shutdown
clock rate 2000000
!
!
!
ip http server
ip http authentication local
ip http secure-server
!
dialer-list 1 protocol ip permit
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
banner login ^C
********** Warning *************
Access to this device is restricted to authorized persons only!
Un-authorized access is prohibited. Violators will be prosecuted.

**************************************************************^C
!
line con 0
password 7 14041305060B392E
login
line aux 0
line vty 0 4
password 7 071C204244060A00
login local
transport input telnet ssh
!
scheduler allocate 20000 1000
!
end

Lab 4-9 Answer Key: Managing Remote Access Sessions
When you complete this activity, your workgroup router configuration will be similar to the
results here, with differences that are specific to your device or workgroup:
!
!
version 12.4
!
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname RouterX
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$.dET$BDxkofHF3aAsRthe/c0.c.
enable password 7 14141B180F0B
!
no aaa new-model
!
!
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 10.10.10.1 10.10.10.149
ip dhcp excluded-address 10.10.10.200 10.10.10.254
!
ip dhcp pool wgA_clients
import all
network 10.10.10.0 255.255.255.0
lease 0 0 5
!
!
no ip domain lookup
ip domain name cisco.com
ip ssh version 2
!
!
voice-card 0
no dspfarm
!
!
!
!
!
!
!
!
!
!
!
!
!
crypto pki trustpoint TP-self-signed-3715519608
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3715519608
revocation-check none
rsakeypair TP-self-signed-3715519608
!
!
crypto pki certificate chain TP-self-signed-3715519608
certificate self-signed 01
quit
username netadmin privilege 15 password 7 082F495A081D081E1C
!
!
!
!
!
!
interface FastEthernet0/0
ip address 10.10.10.3 255.255.255.0
duplex half
speed auto
no mop enabled
!
interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
interface Serial0/0/0
no ip address
shutdown
no fair-queue
!
interface Serial0/0/1
no ip address
shutdown
clock rate 2000000
!
!
!
ip http server
ip http authentication local
ip http secure-server
!
dialer-list 1 protocol ip permit
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
banner login ^C
********** Warning *************
Access to this device is restricted to authorized persons only!
Un-authorized access is prohibited. Violators will be prosecuted.

**************************************************************^C
!
line con 0
exec-timeout 60 0
password 7 14041305060B392E
logging synchronous
login
history size 100
line aux 0
line vty 0 4
password 7 071C204244060A00
logging synchronous
login local
history size 100
transport input telnet ssh
!
scheduler allocate 20000 1000
!
end

Lab 5-1 Answer Key: Connecting to the Internet
When you complete this activity, your workgroup router configuration will be similar to the
results here, with differences that are specific to your device or workgroup:
!
!
version 12.4
!
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname RouterX
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$.dET$BDxkofHF3aAsRthe/c0.c.
enable password 7 14141B180F0B
!
no aaa new-model
!
!
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 10.10.10.1 10.10.10.149
ip dhcp excluded-address 10.10.10.200 10.10.10.254
!
ip dhcp pool wgA_clients
import all
network 10.10.10.0 255.255.255.0
lease 0 0 5
!
!
no ip domain lookup
ip domain name cisco.com
ip ssh version 2
!
!
voice-card 0
no dspfarm
!
!
!
!
!
!
!
!
!
!
!
!
!
crypto pki trustpoint TP-self-signed-3715519608
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3715519608
revocation-check none
rsakeypair TP-self-signed-3715519608
!
!
crypto pki certificate chain TP-self-signed-3715519608
certificate self-signed 01
quit
username netadmin privilege 15 password 7 082F495A081D081E1C
!
!
!
!
!
!
interface FastEthernet0/0
ip address 10.10.10.3 255.255.255.0
duplex half
speed auto
no mop enabled
!
interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
interface Serial0/0/0
no ip address
shutdown
no fair-queue
!
interface Serial0/0/1
no ip address
shutdown
clock rate 2000000
!
!
!
ip http server
ip http authentication local
ip http secure-server
!
dialer-list 1 protocol ip permit
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
banner login ^C
********** Warning *************
Access to this device is restricted to authorized persons only!
Un-authorized access is prohibited. Violators will be prosecuted.

**************************************************************^C
!
line con 0
exec-timeout 60 0
password 7 14041305060B392E
logging synchronous
login
history size 100
line aux 0
line vty 0 4
password 7 071C204244060A00
logging synchronous
login local
history size 100
transport input telnet ssh
!
scheduler allocate 20000 1000
!
end

Lab 5-2 Answer Key: Connecting to the Main Office
When you complete this activity, your workgroup router configuration will be similar to the
results here, with differences that are specific to your device or workgroup:
!
!
version 12.4
!
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname RouterX
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$.dET$BDxkofHF3aAsRthe/c0.c.
enable password 7 14141B180F0B
!
no aaa new-model
!
!
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 10.10.10.1 10.10.10.149
ip dhcp excluded-address 10.10.10.200 10.10.10.254
!
ip dhcp pool wgA_clients
import all
network 10.10.10.0 255.255.255.0
lease 0 0 5
!
!
no ip domain lookup
ip domain name cisco.com
ip ssh version 2
!
!
voice-card 0
no dspfarm
!
!
!
!
!
!
!
!
!
!
!
!
!
crypto pki trustpoint TP-self-signed-3715519608
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3715519608
revocation-check none
rsakeypair TP-self-signed-3715519608
!
!
crypto pki certificate chain TP-self-signed-3715519608
certificate self-signed 01
quit
username netadmin privilege 15 password 7 082F495A081D081E1C
!
!
!
!
!
!
interface FastEthernet0/0
ip address 10.10.10.3 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex half
speed auto
no mop enabled
!
interface FastEthernet0/1
description $ETH-WAN$
ip address dhcp client-id FastEthernet0/1
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
interface Serial0/0/0
description Link to Main Office
ip address 10.140.10.2 255.255.255.0
encapsulation ppp
no fair-queue
!
interface Serial0/0/1
no ip address
shutdown
clock rate 2000000
!
ip route 192.168.21.0 255.255.255.0 10.140.10.1
!
!
ip http server
ip http authentication local
ip http secure-server
ip nat inside source list 1 interface FastEthernet0/1 overload
!
access-list 1 remark INSIDE_IF=FastEthernet0/0
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 10.10.10.0 0.0.0.255
dialer-list 1 protocol ip permit
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
banner login ^C
********** Warning *************
Access to this device is restricted to authorized persons only!
Un-authorized access is prohibited. Violators will be prosecuted.

**************************************************************^C
!
line con 0
exec-timeout 60 0
password 7 14041305060B392E
logging synchronous
login
history size 100
line aux 0
line vty 0 4
password 7 071C204244060A00
logging synchronous
login local
history size 100
transport input telnet ssh
!
scheduler allocate 20000 1000
!
end

Lab 5-3 Answer Key: Enabling Dynamic Routing to the Main Office
When you complete this activity, your workgroup router configuration will be similar to the
results here, with differences that are specific to your device or workgroup:
!
!
version 12.4
!
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname RouterX
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$.dET$BDxkofHF3aAsRthe/c0.c.
enable password 7 14141B180F0B
!
no aaa new-model
!
!
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 10.10.10.1 10.10.10.149
ip dhcp excluded-address 10.10.10.200 10.10.10.254
!
ip dhcp pool wgA_clients
import all
network 10.10.10.0 255.255.255.0
lease 0 0 5
!
!
no ip domain lookup
ip domain name cisco.com
ip ssh version 2
!
!
voice-card 0
no dspfarm
!
!
!
!
!
!
!
!
!
!
!
!
!
crypto pki trustpoint TP-self-signed-3715519608
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3715519608
revocation-check none
rsakeypair TP-self-signed-3715519608
!
!
crypto pki certificate chain TP-self-signed-3715519608
certificate self-signed 01
quit
username netadmin privilege 15 password 7 082F495A081D081E1C
!
!
!
!
!
!
interface FastEthernet0/0
ip address 10.10.10.3 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex half
speed auto
no mop enabled
!
interface FastEthernet0/1
description $ETH-WAN$
ip address dhcp client-id FastEthernet0/1
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
interface Serial0/0/0
description Link to Main Office
ip address 10.140.10.2 255.255.255.0
encapsulation ppp
no fair-queue
!
interface Serial0/0/1
no ip address
shutdown
clock rate 2000000
!
router rip
version 2
network 10.0.0.0
!
!
!
ip http server
ip http authentication local
ip http secure-server
ip nat inside source list 1 interface FastEthernet0/1 overload
!
access-list 1 remark INSIDE_IF=FastEthernet0/0
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 10.10.10.0 0.0.0.255
dialer-list 1 protocol ip permit
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
banner login ^C
********** Warning *************
Access to this device is restricted to authorized persons only!
Un-authorized access is prohibited. Violators will be prosecuted.

**************************************************************^C
!
line con 0
exec-timeout 60 0
password 7 14041305060B392E
logging synchronous
login
history size 100
line aux 0
line vty 0 4
password 7 071C204244060A00
logging synchronous
login local
history size 100
transport input telnet ssh
!
scheduler allocate 20000 1000
!
end

Lab 6-1 Answer Key: Using Cisco Discovery Protocol
When you complete this activity, your workgroup router configuration will be similar to the
results here, with differences that are specific to your device or workgroup:
!
version 12.4
!
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname RouterX
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$.dET$BDxkofHF3aAsRthe/c0.c.
enable password 7 14141B180F0B
!
no aaa new-model
!
!
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 10.10.10.1 10.10.10.149
ip dhcp excluded-address 10.10.10.200 10.10.10.254
!
ip dhcp pool wgA_clients
import all
network 10.10.10.0 255.255.255.0
lease 0 0 5
!
!
no ip domain lookup
ip domain name cisco.com
ip ssh version 2
!
!
voice-card 0
no dspfarm
!
!
!
!
!
!
!
!
!
!
!
!
!
crypto pki trustpoint TP-self-signed-3715519608
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3715519608
revocation-check none
rsakeypair TP-self-signed-3715519608
!
!
crypto pki certificate chain TP-self-signed-3715519608
certificate self-signed 01
quit
username netadmin privilege 15 password 7 082F495A081D081E1C
!
!
!
!
!
!
interface FastEthernet0/0
ip address 10.10.10.3 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex half
speed auto
no mop enabled
!
interface FastEthernet0/1
description $ETH-WAN$
ip address dhcp client-id FastEthernet0/1
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
no cdp enable
!
interface Serial0/0/0
description Link to Main Office
ip address 10.140.10.2 255.255.255.0
encapsulation ppp
no fair-queue
!
interface Serial0/0/1
no ip address
shutdown
clock rate 2000000
!
router rip
version 2
network 10.0.0.0
!
!
!
ip http server
ip http authentication local
ip http secure-server
ip nat inside source list 1 interface FastEthernet0/1 overload
!
access-list 1 remark INSIDE_IF=FastEthernet0/0
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 10.10.10.0 0.0.0.255
dialer-list 1 protocol ip permit
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
banner login ^C
********** Warning *************
Access to this device is restricted to authorized persons only!
Un-authorized access is prohibited. Violators will be prosecuted.

**************************************************************^C
!
line con 0
exec-timeout 60 0
password 7 14041305060B392E
logging synchronous
login
history size 100
line aux 0
line vty 0 4
password 7 071C204244060A00
logging synchronous
login local
history size 100
transport input telnet ssh
!
scheduler allocate 20000 1000
!
end

!
version 12.2
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname SwitchX
!
enable secret 5 $1$A11O$0z83HwmswM/vk5.RSZpVr.
enable password 7 05080F1C2243
!
username netadmin password 7 030A5E1F070B2C4540
no aaa new-model
ip subnet-zero
!
no ip domain-lookup
ip domain-name cisco.com
ip ssh version 2
!
!
crypto pki trustpoint TP-self-signed-1833200768
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1833200768
revocation-check none
rsakeypair TP-self-signed-1833200768
!
!
crypto ca certificate chain TP-self-signed-1833200768
certificate self-signed 01
quit
!
!
no file verify auto
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
interface FastEthernet0/1
switchport mode access
switchport port-security maximum 2
switchport port-security
switchport port-security violation restrict
switchport port-security mac-address sticky
switchport port-security mac-address sticky 0017.5a78.be01
switchport port-security mac-address sticky 001a.2fe7.3089
!
interface FastEthernet0/2
switchport mode access
!
interface FastEthernet0/3
switchport mode access
shutdown
no cdp enable
!
interface FastEthernet0/4
switchport mode access
shutdown
no cdp enable
!
interface FastEthernet0/5
switchport mode access
shutdown
no cdp enable
!
interface FastEthernet0/6
switchport mode access
shutdown
no cdp enable
!
interface FastEthernet0/7
switchport mode access
shutdown
no cdp enable
!
interface FastEthernet0/8
switchport mode access
shutdown
no cdp enable
!
interface FastEthernet0/9
switchport mode access
shutdown
no cdp enable
!
interface FastEthernet0/10
switchport mode access
shutdown
no cdp enable
!
interface FastEthernet0/11
switchport mode access
no cdp enable
!
interface FastEthernet0/12
switchport mode access
no cdp enable
!
interface FastEthernet0/13
switchport mode access
shutdown
no cdp enable
!
interface FastEthernet0/14
switchport mode access
shutdown
no cdp enable
!

interface FastEthernet0/15
switchport mode access
shutdown
no cdp enable
!
interface FastEthernet0/16
switchport mode access
shutdown
no cdp enable
!
interface FastEthernet0/17
switchport mode access
shutdown
no cdp enable
!
interface FastEthernet0/18
switchport mode access
shutdown
no cdp enable
!
interface FastEthernet0/19
switchport mode access
shutdown
no cdp enable
!
interface FastEthernet0/20
switchport mode access
shutdown
no cdp enable
!
interface FastEthernet0/21
switchport mode access
shutdown
no cdp enable
!
interface FastEthernet0/22
switchport mode access
shutdown
no cdp enable
!
interface FastEthernet0/23
switchport mode access
shutdown
no cdp enable
!
interface FastEthernet0/24
switchport mode access
shutdown
no cdp enable
!
interface GigabitEthernet0/1
switchport mode access
shutdown
no cdp enable
!
interface GigabitEthernet0/2
switchport mode access
shutdown
no cdp enable
!
interface Vlan1

ip address 10.10.10.11 255.255.255.0
no ip route-cache
!
ip default-gateway 10.10.10.3
ip http server
ip http secure-server
!
control-plane
!
banner login ^C
********** Warning *************
Access to this device is restricted to authorized persons only!
Un-authorized access is prohibited. Violators will be prosecuted.

**************************************************************^C
!
line con 0
exec-timeout 60 0
password 7 111A180B1D1D1809
logging synchronous
login
history size 100
line vty 0 4
password 7 111A180B1D1D1809
logging synchronous
login local
history size 100
line vty 5 15
password 7 111A180B1D1D1809
logging synchronous
login local
history size 100
!
end

Lab 6-2 Answer Key: Managing Router Startup Options
When you complete this activity, your workgroup router configuration will be similar to the
results here, with differences that are specific to your device or workgroup:
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname RouterX
!
boot-start-marker
boot system tftp c2800nm-advipservicesk9-mz.124-12.bin 10.10.10.1
boot system flash c2800nm-advipservicesk9-mz.124-12.bin
boot system flash
boot-end-marker
!
no logging buffered
enable secret 5 $1$X.GH$OkseupwTuqqjGp4oP4Fdg0
enable password 7 121A0C041104
!
no aaa new-model
!
!
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 10.10.10.1 10.10.10.149
ip dhcp excluded-address 10.10.10.200 10.10.10.254
!
ip dhcp pool wgA_clients
import all
network 10.10.10.0 255.255.255.0
default-router 10.10.10.3
lease 0 0 5
!
!
no ip domain lookup
ip domain name cisco.com
ip ssh version 2
!
!
voice-card 0
no dspfarm
!
!
!
!
!
!
!
!
!
!
!
!
!

crypto pki trustpoint TP-self-signed-3715519608
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3715519608
revocation-check none
rsakeypair TP-self-signed-3715519608
!
!
crypto pki certificate chain TP-self-signed-3715519608
certificate self-signed 01
quit
username netadmin privilege 15 password 7 0208014F0A02022842
!
!
!
!
!
!
interface FastEthernet0/0
ip address 10.10.10.3 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex half
speed auto
no mop enabled
!
interface FastEthernet0/1
description $ETH-WAN$
ip address dhcp client-id FastEthernet0/1
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
no cdp enable
!
interface Serial0/0/0
description Link to Main Office
ip address 10.140.10.2 255.255.255.0
encapsulation ppp
no fair-queue
!
interface Serial0/0/1
no ip address

shutdown
clock rate 2000000
!
router rip
version 2
network 10.0.0.0
!
!
!
ip http server
ip http authentication local
no ip http secure-server
ip nat inside source list 1 interface FastEthernet0/1 overload
!
access-list 1 remark INSIDE_IF=FastEthernet0/0
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 10.10.10.0 0.0.0.255
dialer-list 1 protocol ip permit
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
banner login ^C
********** Warning *************
Access to this device is restricted to authorized persons only!
Un-authorized access is prohibited. Violators will be prosecuted.

**************************************************************^C
!
line con 0
exec-timeout 60 0
password 7 051807012B435D0C
logging synchronous
login
history size 100
line aux 0
line vty 0 4
password 7 051807012B435D0C
logging synchronous
login local
history size 100
transport input telnet ssh
!
scheduler allocate 20000 1000
!
end

Lab 6-3 Answer Key: Managing Cisco Devices
When you complete this activity, your workgroup router configuration will be similar to the
results here, with differences that are specific to your device or workgroup:
There were no overall changes to the configuration.

Lab 6-4 Answer Key: Confirming the Reconfiguration of the Branch Network
When you complete this activity, your workgroup router configuration will be similar to the
results here, with differences that are specific to your device or workgroup:
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname RouterXX
!
boot-start-marker
boot system flash c2800nm-advipservicesk9-mz.124-12.bin
boot system tftp c2800nm-advipservicesk9-mz.124-12.bin 10.10.10.1
boot system flash
boot-end-marker
!
enable secret 5 $1$t7tb$L8Par/.s/MaoshaZH1cLq0
enable password 7 0822455D0A16
!
no aaa new-model
!
!
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 10.10.10.1 10.10.10.149
ip dhcp excluded-address 10.10.10.200 10.10.10.254
!
ip dhcp pool branchXX-clients
import all
network 10.10.10.0 255.255.255.0
default-router 10.10.10.3
lease 0 0 5
!
!
ip domain name cisco.com
ip ssh version 2
!
!
voice-card 0
no dspfarm
!
!
!
!
!
!
!
!
!
!
!
!
!
crypto pki trustpoint TP-self-signed-3575601183
enrollment selfsigned

subject-name cn=IOS-Self-Signed-Certificate-3575601183
revocation-check none
rsakeypair TP-self-signed-3575601183
!
!
crypto pki certificate chain TP-self-signed-3575601183
certificate self-signed 01
quit
username netadmin privilege 15 password 7 0505031B2048430017
!
!
!
!
!
!
interface FastEthernet0/0
ip address 10.10.10.3 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet0/1
description $ETH-WAN$
ip address dhcp client-id FastEthernet0/1
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
no cdp enable
!
interface Serial0/0/0
ip address 10.140.100.2 255.255.255.0
encapsulation ppp
no cdp enable
!
interface Serial0/0/1
no ip address
shutdown
no cdp enable
!
router rip
version 2

network 10.0.0.0
!
!
!
ip http server
ip http authentication local
ip http secure-server
ip nat inside source list 1 interface FastEthernet0/1 overload
!
access-list 1 remark INSIDE_IF=FastEthernet0/0
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 10.10.10.0 0.0.0.255
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
banner login ^C
************* Warning **********************
Access to this device is restricted to authorized persons only!
Un-authorized access is prohibited. Violators will be prosecuted.
**************************************************************^C
!
line con 0
exec-timeout 60 0
password 7 08324D4003161612
logging synchronous
login
history size 100
line aux 0
line vty 0 4
logging synchronous
login local
history size 100
transport input ssh
!
scheduler allocate 20000 1000
!
end

!
version 12.2
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname SwitchXX
!
enable secret 5 $1$LLvt$3gBuRQzm6eAcGfQjsgHC01
enable password 7 01100F175804
!

username netadmin privilege 15 password 7 1419171F0D0027222A
no aaa new-model
ip subnet-zero
!
no ip domain-lookup
ip domain-name cisco.com
ip ssh version 2
!
!
crypto pki trustpoint TP-self-signed-809024768
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-809024768
revocation-check none
rsakeypair TP-self-signed-809024768
!
!
crypto ca certificate chain TP-self-signed-809024768
certificate self-signed 01
quit
!
!
no file verify auto
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
interface FastEthernet0/1
switchport mode access
switchport port-security maximum 2
switchport port-security
switchport port-security violation restrict
switchport port-security mac-address sticky
switchport port-security mac-address sticky 0017.5a78.be0f
switchport port-security mac-address sticky 001a.2fe7.3089
no cdp enable
!
interface FastEthernet0/2
switchport mode access
!

interface FastEthernet0/3
switchport mode access
shutdown
no cdp enable
!
interface FastEthernet0/4
switchport mode access
shutdown
no cdp enable
!
interface FastEthernet0/5
switchport mode access
shutdown
no cdp enable
!
interface FastEthernet0/6
switchport mode access
shutdown
no cdp enable
!
interface FastEthernet0/7
switchport mode access
shutdown
no cdp enable
!
interface FastEthernet0/8
switchport mode access
shutdown
no cdp enable
!
interface FastEthernet0/9
switchport mode access
shutdown
no cdp enable
!
interface FastEthernet0/10
switchport mode access
shutdown
no cdp enable
!
interface FastEthernet0/11
switchport mode access
no cdp enable
!
interface FastEthernet0/12
switchport mode access
no cdp enable
!
interface FastEthernet0/13
switchport mode access
shutdown
no cdp enable
!
interface FastEthernet0/14
switchport mode access
shutdown
no cdp enable
!
interface FastEthernet0/15
switchport mode access
shutdown

no cdp enable
!
interface FastEthernet0/16
switchport mode access
shutdown
no cdp enable
!
interface FastEthernet0/17
switchport mode access
shutdown
no cdp enable
!
interface FastEthernet0/18
switchport mode access
shutdown
no cdp enable
!
interface FastEthernet0/19
switchport mode access
shutdown
no cdp enable
!
interface FastEthernet0/20
switchport mode access
shutdown
no cdp enable
!
interface FastEthernet0/21
switchport mode access
shutdown
no cdp enable
!
interface FastEthernet0/22
switchport mode access
shutdown
no cdp enable
!
interface FastEthernet0/23
switchport mode access
shutdown
no cdp enable
!
interface FastEthernet0/24
switchport mode access
shutdown
no cdp enable
!
interface GigabitEthernet0/1
switchport mode access
shutdown
no cdp enable
!
interface GigabitEthernet0/2
switchport mode access
shutdown
no cdp enable
!
interface Vlan1
ip address 10.10.10.11 255.255.255.0
no ip route-cache
!

ip default-gateway 10.10.10.3
ip http server
ip http secure-server
!
control-plane
!
banner login ^C
********** Warning *************
Access to this device is restricted to authorized persons only!
Un-authorized access is prohibited. Violators will be prosecuted.

**************************************************************^C
!
line con 0
exec-timeout 60 0
password 7 04480A08052E5F4B
logging synchronous
login
history size 100
line vty 0 4
password 7 03175A01091C24
logging synchronous
login local
history size 100
transport input ssh
line vty 5 15
password 7 001712080E541803
logging synchronous
login local
history size 100
transport input ssh
!
end
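
Between the Lab 6-2 and Lab 6-4 router answer keys above, `no ip http secure-server` becomes `ip http secure-server` and the vty `transport input telnet ssh` becomes `transport input ssh`. The Python check below is an added example, not part of the Cisco lab guide, that confirms those settings in a saved running-config. The names `parse` and `audit` and the embedded excerpts are constructed for illustration, and it assumes each section ends at the next `!` or section header.

```python
import re

# Constructed excerpt: management-plane lines from the Lab 6-2 router key,
# with passwords and unrelated commands left out.
LAB_6_2 = """ip ssh version 2
ip http server
no ip http secure-server
!
line con 0
login
line aux 0
line vty 0 4
login local
transport input telnet ssh
!"""
# In this excerpt the Lab 6-4 key differs in these two commands.
LAB_6_4 = (LAB_6_2.replace("no ip http secure-server", "ip http secure-server")
           .replace("transport input telnet ssh", "transport input ssh"))

def parse(config):
    """Return (global commands, {section header: [sub-commands]}).
    Assumes a section ends at the next '!' or section header."""
    globals_, sections, current = set(), {}, None
    for line in (raw.strip() for raw in config.splitlines()):
        if line in ("", "!", "end"):
            current = None
        elif re.match(r"(line|interface)\s", line):
            current = line
            sections[current] = []
        elif current:
            sections[current].append(line)
        else:
            globals_.add(line)
    return globals_, sections

def audit(config):
    """List management-plane findings for one running-config."""
    globals_, sections = parse(config)
    findings = []
    if "ip ssh version 2" not in globals_:
        findings.append("SSH not pinned to version 2")
    if "ip http server" in globals_ and "ip http secure-server" not in globals_:
        findings.append("HTTP server enabled without HTTPS server")
    for header, cmds in sections.items():
        if not header.startswith("line vty"):
            continue
        transport = [c.split()[2:] for c in cmds if c.startswith("transport input")]
        if not transport:
            findings.append(f"{header}: no explicit transport input")
        elif transport[-1] != ["ssh"]:
            findings.append(f"{header}: transport input allows {' '.join(transport[-1])}")
    return findings

for name, cfg in (("Lab 6-2", LAB_6_2), ("Lab 6-4", LAB_6_4)):
    print(name, audit(cfg) or "no findings")
```

Because the parser strips leading whitespace and relies on `!` separators, it also accepts listings whose sub-command indentation has been lost, as in the answer keys here.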
