Network Simulation using PacketTracer

From Sinfronteras



Cisco - PacketTracer

Packet Tracer is a powerful network simulation program which allows students to experiment with network behavior. It supplements physical equipment in the classroom by allowing students to create a network with an almost unlimited number of devices, encouraging practice, discovery and troubleshooting.



Installation

I have saved the downloaded versions in:

/home/adelo/1-system/1-disco_local/1-mis_archivos/1-pe/1-ciencia/1-computacion/stockage-computacion/SO-Programas

The package (Linux or Windows) is downloaded from the official Cisco (netacad) page: https://www.netacad.com/group/offerings/packet-tracer

Version 6.2 can be downloaded here: https://arief-jr.blogspot.ie/2016/01/download-cisco-packet-tracer-62-for.html

Another link for version 7.2 (I had problems downloading the package from the official site the last time. The download started very, very slowly and then stopped at a certain point): https://www.itechtics.com/download-cisco-packet-tracer-7-2/

I created a Cisco account in order to get access to PacketTracer. Password: (removed from this page)


Installation on Ubuntu:

sudo ~/Downloads/PacketTracer70/install


Then, to be able to launch packettracer from a terminal:

sudo ln -s /opt/packetTracer/packetTracer6.2-student/packettracer /usr/local/bin/packettracer6.2


It is very important to note that after installing Packet Tracer, two executables will be found in the directory:

/opt/packetTracer/packetTracer6.2-student/packettracer
/opt/packetTracer/packetTracer6.2-student/bin/PacketTracer6

The right executable is «/opt/packetTracer/packetTracer6.2-student/packettracer». The one in the /bin folder also starts the application, but for some reason it caused problems in the last installation on Ubuntu 18.04. In version 6.2, bin/PacketTracer6 starts the application but it does not work correctly; in version 7.1, bin/PacketTracer7 produces a «Segmentation fault», the application crashes and closes.

I have not the slightest idea why this other executable exists in the /bin directory. I think (I am not sure) that the first time I installed Packet Tracer I was using the executable from /bin to start the application and it did not cause these problems. This caused me many problems the last time I installed Packet Tracer, because one tends to think that the executable is in the /bin directories. That is why I thought this one was the right one and spent two days looking for the solution to the segmentation fault.



Error while loading shared libraries: libcrypto.so.1.0.0

./PacketTracer6: error while loading shared libraries: libcrypto.so.1.0.0: cannot open shared object file: No such file or directory


64bit:

https://unix.stackexchange.com/questions/283607/libraries-libcrypto-so-1-0-0-cannot-open-shared-object-file-no-such-file-or-d

The library «libcrypto.so.1.0.0» is found in this package:

sudo apt-get install libssl1.0.0

After the installation, the library will be found here:

/usr/lib/x86_64-linux-gnu/libcrypto.so.1.0.0

In the following video they also propose installing the following package for the installation of PacketTracer 7 64bit: https://www.youtube.com/watch?v=HKozuo2FmMA&vl=en

sudo apt-get install libqt5webkit5


32bit - PacketTracer6.2: The dependencies of PacketTracer6.2 use the 32-bit version.

The 32-bit version of the library «libcrypto.so.1.0.0» is found in the following package:

sudo apt-get install libssl1.0.0:i386

After the installation, the library will be found here:

/usr/lib/i386-linux-gnu/libcrypto.so.1.0.0

Before installing the «libssl1.0.0:i386» library I carried out the following installation. I do not know whether it is necessary, but I did it while trying other proposals before finding the solution. It is possible that these steps also need to be completed before installing «libssl1.0.0:i386»: https://blog.teststation.org/ubuntu/2016/05/12/installing-32-bit-software-on-ubuntu-16.04/

Enable the i386 architecture (as root user):

dpkg --add-architecture i386
apt-get update

Install 32-bit libraries (as root user):

apt-get install libc6:i386 libstdc++6:i386


When trying to install PacketTracer 6.2 on Ubuntu 18.04, even though the 64-bit library was installed on my system, PacketTracer6.2 kept producing the error. Then I noticed that the link from which I downloaded version 6.2 says:

If using Linux to install Packet Tracer you must install multilib, because the dependencies of Packet Tracer use the 32-bit version.

Therefore, the problem was that I did not have the corresponding 32-bit library, as proposed in this forum: https://ubuntuforums.org/showthread.php?t=2218961


I also installed some of the packages shown in the following link in order to solve this error during the installation of version 6.2 on Ubuntu 18.04. I really do not know whether it helped, because installing them did not solve the error; but it is still possible that they also contributed to solving the problem, although I do not think so: https://askubuntu.com/questions/637113/unable-to-locate-package-lib32bz2-1-0



Another error solved

The first time I installed it, the error described and solved here occurred: https://forum.ubuntu-fr.org/viewtopic.php?id=2014677

I completed the installation of the software, then tried to go to the dashboard (dash) to find the software, where it was not. From the command line I tried typing: packettracer and it simply tells me: "Starting Packet Tracer 7.1" and then does nothing more.

So you open a nice terminal and run:

/opt/pt/bin/PacketTracer7

When I go to the file and run ./PacketTracer7: error while loading shared libraries: libQt5Script.so.5: cannot open shared object file: No such file or directory

Install:

libqt5script5

I just did it, but it does not solve my case,

I went back to look at the file /opt/pt/bin/PacketTracer7 and when I open it, it tells me that I am missing the library: "libQt5ScriptTools.so.5", so I tried to do the same as before, adapting it to the library, so I type:

sudo apt-get install libqt5scripttools5

And now it works when I go and run the file /usr/pt/bin/PacketTracer7



Most frequent configurations using PacketTracer

  • IP configuration on a PC: Click on the Desktop tab, then select the IP Configuration icon.
  • Verify connectivity settings: On a PC, verify the connectivity settings by going to Desktop and clicking on Command Prompt. At the command prompt, type the command:
    ipconfig : To view your network device information.
    ipconfig /release : To release the IP address currently assigned by DHCP.
    ipconfig /renew : To force the PC to request an IP address from the Router.



Configuring Wireless Access and Security

In this lab, you will configure a Linksys WRT300N (https://en.wikipedia.org/wiki/Linksys_routers#WRT300N) in Packet Tracer.

Figure 1: Topology Network diagram.
Table 1: Addressing table.



Configure the connection between the Router and the WAN / LAN


Set up the device topology diagram

  • Set up the devices as shown in Figure 1:
    • PC1 will be acting as the Internet connection
    • PC0 and Laptop0 will be in our LAN.
  • Connect a crossover cable from PC1 to the wireless router’s WAN (Internet) port and connect a straight through cable from PC0 to one of the wireless router’s LAN (Ethernet) ports.
  • We can think of this configuration in the following way: the Wireless Router could, for example, represent the router integrated in the box of our home network, to which we have connected PC0 through a cable and our Laptop through the Wireless Network. PC1 represents any PC outside our LAN.



Configure the connection on PC1 and PC0

NOTE: Normally we should configure the Router before the devices on the LAN. This is because the Router's DHCP Server will assign the IPs to our devices on the LAN, and the configuration of the Router will of course affect the IPs given to the devices. However, as an exercise, and in order to highlight certain details, we will first carry out the configuration on the devices inside the LAN.

  • PC1 will be acting as the Internet connection, so we need to set the IP address, subnet mask, and default gateway statically as listed in Table 1.
  • Set the IP configuration on PC0 to DHCP by clicking on the desktop tab, then selecting the IP configuration icon.
    • The wireless router will provide an IP address to the PC0 using the default DHCP configuration.
  • Verify connectivity settings for PC0: Go to Desktop and click on command prompt. At the command prompt, type the command ipconfig to view your network device information.
    • If the PC does not receive an IP address in the command prompt type ipconfig /renew, this will force the PC to request an IP address from the Router.
    • Notice which IP address is the default gateway. This is the default IP address of a Linksys WRT300N. Therefore, the Router has assigned an IP to PC0 through its default configuration (see the Note at the beginning of this section).



Configure the Router

Click on the Wirelessrouter0 and select the Setup tab for the wireless router’s GUI.



Log in

In the real world the default login credentials are a username of admin and a password of admin. Note that this is very insecure since it is the factory default and provided publicly. You will set your own password in a later task.



Configure the WAN interface

Normally an Internet Service Provider would use DHCP to give out addresses to the WAN port. For this lab, you will assign the address statically.

  • Configure the WAN port to have a static IP address:
    • From the Internet Connection Type pull-down menu, select Static IP and set the IP address settings for Internet Setup:
      • Internet IP Address - set to: 172.17.88.35
      • Subnet Mask: 255.255.255.0
      • Default Gateway - set to the ISP address: 172.17.88.1



Configure the LAN IP addressing
  • Set the Network Setup Address:
    • Under Network Setup, enter the Router IP of 172.17.30.1 / Subnet Mask: 255.255.255.0
      • NOTE: At this point you would be disconnected from the web page if you were configuring from a PC, as you just changed the IP address you are connected to. It would take a minute or two, and you would need to refresh your browser, but you should be redirected to the new URL of the web utility. If not, you would need to release your IP address and request a new one before you navigate your browser there. You would be asked to log in again.

Verify IP address changes:

The configuration of the LAN IP addressing on the Router will, of course, affect the IP address that the Router's DHCP Server assigns to the PCs on the LAN. To observe those changes, go to the Command Prompt of PC0 and run:

ipconfig /release
ipconfig /renew

After this, note the new IP assigned by the Router's DHCP Server.



Verify connectivity

Ping the WAN IP Address of the Wireless Router (172.17.88.35) to verify you can get to the outside of your network. The pings should succeed. If you try to Ping PC1 172.17.88.1, it may fail if your firewall won’t allow replies back in.



Wireless settings


Basic wireless settings on the Router

The Linksys WRT300N allows you to choose which network mode to operate in. Currently, the most common network mode for clients is Wireless-G and for routers is BG-Mixed. When a router is operating in BG-Mixed, it can accept both B and G clients. However, if a B client connects, the router must scale down to the slower level of B. For this lab, pick the fastest speed your clients can support.

On WRS1, navigate to the Wireless page:

  • Set the Network Name (SSID) to WRS_1
  • Wireless-N Only – Radio Band – Change to Standard – 20MHz Channel.
  • Standard Channel – Leave at default
  • SSID Broadcast – Leave Enabled for now.



Add a Wireless Network Card to the Laptop

By default, Packet Tracer does not include a Wireless Network Card (in this case one compatible with the Linksys WRT300N) in the Laptop. We must therefore add one before attempting the wireless connection.

If we try to verify the connection on the Laptop before adding the Wireless Network Card:

  • Go to the Desktop tab then select the PC Wireless Icon.

... the program will display the following message: «A WMP300N or WPC300N wireless interface is required to connect»

To add the Wireless Network Card:

  • Click on the Laptop > Physical
    • Look at the layout of the Laptop (look at the layouts of the devices that the Laptop shows) (Figure 2)
    • Note that the Network Card corresponds to a FastEthernet port.
    • Before making the change, we must switch off the Laptop. To do this, click the button next to the power connector, above the green light that indicates the device is on. Note that after pressing it the green light disappears, which indicates that the device is off. (Figure 2 and Figure 3)
  • Using the mouse cursor, drag the current network card (FastEthernet) to the lower right corner, to the space where the layout of the physical devices is shown. Note that if it has been dragged correctly, the slot where the network card was on the Laptop will be empty. (Figure 3 and Figure 4)
  • Now drag the card you want to install from the options in the panel on the right to the free slot on the Laptop. (Figure 4)
  • In this case we must choose a WPC300N. (Figure 4)
Figure 2: Physical configuration of the Laptop - Changing the Network Card.
Figure 3: Physical configuration of the Laptop - Changing the Network Card.
Figure 4: Physical configuration of the Laptop - Changing the Network Card.



Verify wireless connection

Now that we have added a Wireless network card to our Laptop, we can verify the Wireless connection:

  • Go to the Desktop tab then select the PC Wireless Icon. Click on the Connect Tab.
  • If necessary, you may have to click on Refresh to update your wireless networks. You should see the new network (WRS_1).
  • Click on the name to highlight it and then click Connect. Click on the Link Information Tab. When it is done, it will congratulate you on creating a profile (Message: You have successfully connected to the access point).



Configure DHCP Settings


Give a static DHCP binding to PC0 and Laptop0

  • On Laptop0, verify connectivity settings going into cmd. At the command prompt, type the command Ipconfig /all to view your network device information. Note the Physical Address (MAC) of the Wireless Connection.
  • On the Router, navigate back to the Setup page (the Basic Setup is the default tab). In the middle of the Basic Setup Page, under DHCP Server Settings, click the DHCP Reservations button. A new window will open...
  • There are two ways to assign DHCP addresses:
    • The first method will always assign the client the same address the client has right now.
      • Find PC0 by its MAC address in the list of current DHCP clients (Hint: it should be listed as a LAN connection)
      • Check the Select box next to your PC. Click Add Clients. Now PC0 will show up under Clients Already Reserved.
      • This gives PC0 (in this example, the computer with a MAC address of 00:60:5C:D9:2D:1D) the same IP address it has right now (172.17.30.100) whenever it requests an address through DHCP.
  • The second method to assign DHCP addresses is to select the address you want the machine to get. You will assign Laptop0 the static IP address listed in the Addressing Table, not the one it received initially.
    • Under Manually Adding Client, enter your client's actual name (I put Laptop0 here but I am not sure), .24 for the IP address, the actual MAC address of your PC's Wireless Connection, and click Add. Now whenever Laptop0 connects to the wireless router, it receives the IP address 172.17.30.24 via DHCP.



Configure other DHCP server settings

Right underneath the DHCP Reservation are the other settings for the DHCP server.

What is the default maximum number of users the WRT300N will hand out DHCP addresses to?

  • 50 users.
  • Start IP Address - Change to: 172.17.30.50.
  • Maximum Number of Users - Change to: 75

These settings give any PC that connects (wired or wirelessly) to this router requesting an IP address through DHCP, an address between 172.17.30.50–124. Only 75 clients at a time are able to get an IP address and they can only have the address for 24 hours, after which time they must request a new one.



Verify the static IP address change and connection

On both PC0 and Laptop0, at the command prompt, type:

Ipconfig /release
Ipconfig /renew

... to verify the IP addresses you assigned are used. On Laptop0, ping the IP address of the WAN port to verify you can reach the Internet.



Configuring basic router settings with the Cisco IOS CLI

Cisco IOS (Internetwork Operating System) CLI (IOS Command Line Interface)

In this lab, you will build a multi-router network and configure the routers to communicate using the most common Cisco IOS configuration commands.

""" Resumen de comandos """

When trying to configure a serial port to which I had connected a DTE serial cable:
clock rate 250000
This command applies only to DCE interfaces

enable
#configure terminal
""""""""""""""""""""""""""""""""
(config)#hostname R1
""""""""""""""""""""""""""""""""
(config)#line console 0
(config-line)#password cisco
(config-line)#login
(config-line)#exit
""""""""""""""""""""""""""""""""
(config)#line vty 0 4
(config-line)#password cisco
(config-line)#login
(config-line)#exit
""""""""""""""""""""""""""""""""
(config)#enable password cisco
(config)#enable secret class
""""""""""""""""""""""""""""""""
(config)#banner motd #Unauthorized Use Prohibited#
""""""""""""""""""""""""""""""""
(config)#no ip domain-lookup
""""""""""""""""""""""""""""""""
(config)#line console 0
(config-line)#logging synchronous
""""""""""""""""""""""""""""""""
show ip interface brief
""""""""""""""""""""""""""""""""
(config)#interface serial 0/0/0
(config-if)#description WAN link to R2
(config-if)#ip address 172.17.0.1 255.255.0.0
(config-if)#clock rate 64000
(config-if)#no shutdown
(config-if)#exit

#show interfaces serial 0/0/0
""""""""""""""""""""""""""""""""
(config)#interface FastEthernet 0/0
(config-if)#description R1 LAN Default Gateway
(config-if)#ip address 172.16.0.1 255.255.0.0
(config-if)#no shutdown
(config-if)#exit

#show interfaces FastEthernet 0/0
""""""""""""""""""""""""""""""""
#copy running-config startup-config
""""""""""""""""""""""""""""""""
#show running-config

Configuring basic router settings

We will use a Router-PT (Generic)

In real life we have to connect a console cable from a computer to the router in order to configure the Router. However, in Packet Tracer we can simply click on the router and access the CLI.

  • Click on the Router > CLI:
Would you like to enter the initial configuration dialog?

No (so as to enter the command line from the start, without the system automatically proposing the configuration options).

Enter privileged EXEC mode

Router> 
Router>enable 
Router#

The «enable» command is used to enter privileged EXEC mode. Since the Router has not yet been configured, it does not ask for a password after the «enable» command. We will see later how to configure a password. Note that after entering the «enable» command a # appears, which indicates that we are in privileged EXEC mode.

Access global configuration mode

Router#configure terminal
Router(config)#

The «configure terminal» command is used to access global configuration mode. This command can only be used in privileged EXEC mode.

Once in «global configuration mode» we can start the configuration:



Configure a host name

Router>enable
Router#configure terminal
Router(config)#hostname R1
R1(config)#   // After configuring the host name, our command line will look like this



Configure a console password and enable login

This is the password that will be required when entering the CLI.

R1(config)#line console 0
R1(config-line)#password cisco  // "cisco" will be our console password
R1(config-line)#login
R1(config-line)#exit
R1(config)#



Configure the password on the vty lines

R1(config)#line vty 0 4
R1(config-line)#password cisco
R1(config-line)#login
R1(config-line)#exit



Configure the enable and enable secret passwords

R1(config)#enable password cisco  // "cisco" will be our enable password
R1(config)#enable secret class    // "class" will be our enable secret password

The «enable secret» password is the one that will be required when entering the «enable» command (to enter privileged EXEC mode).

Note: Remember that the enable secret password is encrypted when viewing the configuration. Also do not type enable secret password class. If you do, the secret password will be password, not class. The enable secret password takes precedence over the enable password. When an enable secret password is configured, the enable password is no longer accepted. It will be necessary to enter the enable secret password to enter privileged EXEC mode. Some network administrators may choose to configure only the enable secret password.



Configure a message-of-the-day (MOTD) banner

When a user connects to the router, the MOTD banner appears before the login prompt. In this example, the number sign (#) is used to start and end the message. The # is converted to ^C when the running-config is displayed.

R1(config)#banner motd #Unauthorized Use Prohibited#



Configure the router to not attempt to resolve host names using a DNS server

If this is not configured, the router assumes that any mistyped command is a host name and attempts to resolve it by looking for a DNS server. On some routers, it can take considerable time before the prompt returns.

R1(config)#no ip domain-lookup



Console messages do not interfere with command input

Configure the router so that console messages do not interfere with command input. This is helpful when exiting configuration mode, because it returns you to the command prompt and prevents having messages from breaking into the command line.

R1(config)#line console 0
R1(config-line)#logging synchronous



Configure the serial interface

In global configuration mode, configure serial interface 0/0/0 on R1:

R1(config)#interface serial 0/0/0
R1(config-if)#description WAN link to R2
R1(config-if)#ip address 172.17.0.1 255.255.0.0
R1(config-if)#clock rate 64000
R1(config-if)#no shutdown
R1(config-if)#exit

Note: Enter the clock rate only on the router serial interface to which the DCE interface end of the cable is attached. The cable type (DTE or DCE) is printed on the outside of each end of the null serial cable. When in doubt, enter the clock rate command on both router serial interfaces. The command is ignored on the router to which the DTE end is attached. The no shutdown command turns on the interface. The shutdown command turns the interface off.



Display information about the serial interface

Enter the show interfaces command on R1:

R1#show interfaces serial 0/0/0
Serial0/0/0 is down, line protocol is down
  Hardware is PowerQUICC Serial
  Description: WAN link to R2
  Internet address is 172.17.0.1/16
  MTU 1500 bytes, BW 128 Kbit, DLY 20000 usec,
    reliability 255/255, txload 1/255, rxload 1/255
Encapsulation HDLC, loopback not set
Keepalive set (10 sec)
Last input never, output never, output hang never
Last clearing of "show interface" counters 00:01:55
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: fifo
Output queue :0/40 (size/max)
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
  0 packets input, 0 bytes, 0 no buffer
  Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
  0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
  6 packets output, 906 bytes, 0 underruns
  0 output errors, 0 collisions, 3 interface resets
  0 output buffer failures, 0 output buffers swapped out
  0 carrier transitions
  DCD=down DSR=down DTR=up RTS=up CTS=down



What did you discover by issuing the show interfaces command
  • Serial 0/0/0 status is:
  • Line protocol is:
  • Internet address:
  • Encapsulation:
  • If the serial interface was configured, why did the show interfaces serial 0/0/0 indicate that the interface is down?



Configure the Fast Ethernet interface

In global configuration mode, configure the Fast Ethernet 0/0 interface on router R1:

R1(config)#interface FastEthernet 0/0
R1(config-if)#description R1 LAN Default Gateway
R1(config-if)#ip address 172.16.0.1 255.255.0.0
R1(config-if)#no shutdown
R1(config-if)#exit

Note: Ethernet interfaces do not have a DTE or DCE distinction; therefore, it is not necessary to enter the clock rate command.



Display information about the Fast Ethernet interface

Enter the show interfaces command on R1:

R1#show interfaces FastEthernet 0/0
FastEthernet0/0 is up, line protocol is up
  Hardware is AmdFE, address is 000c.3076.8460 (bia 000c.3076.8460)
  Description: R1 LAN Default Gateway
  Internet address is 172.16.0.1/16
  MTU 1500 bytes, BW 100000 Kbit, DLY 100 usec,
    reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Keepalive set (10 sec)
  Auto-duplex, Auto Speed, 100BaseTX/FX
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input never, output 00:00:18, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue :0/40 (size/max)
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
    0 packets input, 0 bytes
    Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
    0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
    0 watchdog
    0 input packets with dribble condition detected
    52 packets output, 5737 bytes, 0 underruns
    0 output errors, 0 collisions, 1 interface resets
    0 babbles, 0 late collision, 0 deferred
    52 lost carrier, 0 no carrier
    0 output buffer failures, 0 output buffers swapped out



What did you discover by issuing the show interfaces command
  • Fast Ethernet 0/0 status is:
  • Line protocol is:
  • Internet address:
  • Encapsulation:
  • To which OSI layer is the encapsulation referring?
  • Why did the show interfaces FastEthernet 0/0 command show that the interface is up?:



Save the configuration

Save the running configuration to the startup configuration from the privileged EXEC prompt.

R1#copy running-config startup-config

Note: Save the running configuration for the next time that the router is restarted. The router can be restarted either by a software reload command or a power cycle. The running configuration is lost if it is not saved. The router uses the startup configuration when the router is started.



View the router running configuration

From the privileged EXEC prompt:

R1#show running-config  //This command can be abbreviated as sh run

This command shows all the configuration carried out:

*** Some output omitted ***

Building configuration...
Current configuration : 605 bytes
!
hostname R1
!
enable secret 5 $1$eJB4$SH2vZ.aiT7/tczUJP2zwT1
enable password cisco
!
no ip domain lookup
!
interface FastEthernet0/0
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Serial0/0
 no ip address
 shutdown
!
banner motd ^CUnauthorized Use Prohibited^C
!
line con 0
 password cisco
 logging synchronous
 login
line aux 0
line vty 0 4
 password cisco
 login
!
end

Note that the «enable secret» password (class) is the only password stored encrypted; the «enable password» and the line passwords appear in clear text.
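The running-config above is a useful thing to audit, because every weakness it shows (cleartext enable and line passwords, a type 5 secret, a shared vty password) is visible as plain text. The following is an added example, not code from the page or from Cisco: a small audit script that parses an IOS running-config and lists those weaknesses, run against a constructed copy of the lab config and a constructed hardened counterpart. The finding names are this script's own; the hardened config uses a placeholder hash, not a real type 9 digest.

```python
# Constructed sample that mirrors the running-config shown above; not a capture from a real device.
SAMPLE_RUNNING_CONFIG = """\
hostname R1
!
enable secret 5 $1$eJB4$SH2vZ.aiT7/tczUJP2zwT1
enable password cisco
!
no ip domain lookup
!
line con 0
 password cisco
 logging synchronous
 login
line aux 0
line vty 0 4
 password cisco
 login
!
end
"""

# Constructed hardened counterpart: no cleartext secrets, per-user vty login, SSH only.
# The type-9 hash value is a placeholder, not a real scrypt digest.
HARDENED_RUNNING_CONFIG = """\
service password-encryption
hostname R1
!
enable secret 9 $9$PLACEHOLDER_SCRYPT_HASH
!
username admin secret 9 $9$PLACEHOLDER_SCRYPT_HASH
!
line con 0
 logging synchronous
 login local
line vty 0 4
 login local
 transport input ssh
!
end
"""

# The lab passwords used on this page; any of them on a real device is a finding in itself.
DEFAULT_LAB_PASSWORDS = {"cisco", "class"}


def _is_cleartext(value_tokens):
    """Words after 'password': IOS writes '7 <hex>' for type 7, otherwise '0 <text>' or '<text>' (cleartext)."""
    return bool(value_tokens) and value_tokens[0] != "7"


def audit_config(text):
    """Return a sorted list of findings for an IOS running-config given as text."""
    findings = set()
    section = None                     # current 'line ...' block, or None at top level
    vty_seen = vty_login_local = vty_ssh_only = False
    service_pw_encryption = False

    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        tokens = raw.split()
        if not raw.startswith(" "):    # top-level statement
            section = raw.strip() if tokens[0] == "line" else None
            if section and tokens[1] == "vty":
                vty_seen = True
            if tokens[:2] == ["enable", "password"]:
                if _is_cleartext(tokens[2:]):
                    findings.add("enable-password-cleartext")
                    if tokens[-1] in DEFAULT_LAB_PASSWORDS:
                        findings.add("default-password:enable")
            elif tokens[:2] == ["enable", "secret"] and tokens[2:3] == ["5"]:
                # Type 5 is salted MD5; types 8 (PBKDF2-SHA256) and 9 (scrypt) are the current choices.
                findings.add("enable-secret-type5-md5")
            elif tokens[:2] == ["service", "password-encryption"]:
                service_pw_encryption = True
            continue
        if section is None:            # indented line outside a 'line' block: not audited here
            continue
        if tokens[0] == "password" and _is_cleartext(tokens[1:]):
            findings.add("line-password-cleartext:" + section)
            if tokens[-1] in DEFAULT_LAB_PASSWORDS:
                findings.add("default-password:" + section)
        if section.startswith("line vty"):
            if tokens[:2] == ["login", "local"]:
                vty_login_local = True
            if tokens[:3] == ["transport", "input", "ssh"]:
                vty_ssh_only = True

    if not service_pw_encryption:
        findings.add("no-service-password-encryption")
    if vty_seen and not vty_login_local:
        findings.add("vty-shared-line-password")   # one password for everyone, no accountability
    if vty_seen and not vty_ssh_only:
        findings.add("vty-telnet-permitted")       # default transport accepts cleartext telnet
    return sorted(findings)


if __name__ == "__main__":
    for name, cfg in (("lab config", SAMPLE_RUNNING_CONFIG), ("hardened", HARDENED_RUNNING_CONFIG)):
        print(name, "->", audit_config(cfg) or "no findings")
```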



Configuring Challenge Handshake Authentication Protocol Bi-directional

  • PPP: point to point.
  • CHAP: Challenge Handshake Authentication Protocol. It is a PPP authentication protocol.


In this lab we will learn:

  • How to configure CHAP on routers.
  • How to set PPP encapsulation on routers


CHAP is an authentication option that requires the calling side of the link, the peer, to enter authentication information to help ensure that the user has the network administrator's permission to make the call. In this lab, however, two-way authentication will be used. Therefore, each router requires the peer router to authenticate.

CHAP does not itself prevent unauthorized access; it merely identifies the remote end. The router or access server then determines whether that user is allowed access.


When configuring PPP authentication, you can select:

  • Challenge Handshake Authentication Protocol (CHAP) or,
  • Password Authentication Protocol (PAP).

In general, CHAP is the preferred protocol:

  • Because CHAP offers features such as periodic verification to improve security; this makes CHAP more effective than PAP, because CHAP requires a challenge before authentication can take place.
    • CHAP is used to periodically verify the identity of the remote node, using a three-way handshake. This is done upon initial link establishment and can be repeated any time after the link has been established.
  • Also, CHAP passwords are a shared secret and are not sent over the line in clear text like PAP.



Initial configuration of the Network

Before carrying out the CHAP configuration, we will connect two routers (Generic Router PT) and carry out the basic configuration learned in Lab 4.

  • Connect two Routers through a DCE serial cable.
  • It would be appropriate (although not essential for this lab) to carry out all the basic configuration learned in Lab 4. The parts that are essential for this lab are:
- Rename the routers as: Lab_A and Lab_B
- Configure the corresponding interfaces (where the serial cable was connected) on each Router:
Lab_A(config)#interface serial 0/0/0
Lab_A(config-if)#ip address 192.168.1.1 255.255.255.0
Lab_A(config-if)#no shutdown
Lab_A(config-if)#clock rate 250000

Lab_B(config)#interface serial 0/0/0
Lab_B(config-if)#ip address 192.168.1.2 255.255.255.0
Lab_B(config-if)#no shutdown

Note that the clock rate has been set only on Lab_A...

  • Ensure connectivity by pinging between routers...



Define username and password to expect from the remote router

Lab_A(config)#username Lab_B password clavechap
Lab_B(config)#username Lab_A password clavechap

username is the peer router’s name and the password is a shared password between Lab_A and Lab_B.



Configure the interface on for PPP encapsulation

Lab_A(config)#interface serial 0/0/0
Lab_A(config-if)#encapsulation ppp

Repeat on Lab_B



See which ppp authentication options are available

Lab_A(config-if)#ppp authentication ?

The previous command (?) returns the available ppp authentication options.



Now configure for CHAP authentication

Lab_A(config-if)#ppp authentication chap

Repeat on Lab_B

Ensure connectivity by pinging between routers...



Troubleshooting / debugging

In this section we will learn how to detect connectivity problems. For this we will use the debug command.

  • Enable debugging on both routers with the command:
Lab_A#debug ppp authentication
Lab_B#debug ppp authentication
  • When we activate a debug command, the system automatically prints information on the CLI (debug output) when it detects irregularities.
  • The router continues to generate such output until you enter the corresponding no debug command (in this case, the no debug ppp authentication command). If we have activated several debug commands, to stop all debug messages we use the command no debug all
  • Delete the serial link between the two routers by deleting the cable from S0/0/0 on either router. Wait for the interface to go into a down state before proceeding to next step.
  • Plug a serial cable back in from Lab_A to Lab_B to reestablish the connection and view the debug output of CHAP authentication.
    • Ensure that the clocking side is placed on Lab_A. The clocking side is indicated by a clock icon on the cable.
  • When the cable is connected, the debug output should appear automatically in the CLI. Does the output indicate success or failure?
  • Now delete the username or password on both routers:
Lab_A(config)#no username name password password
  • Configure an incorrect username or password on both routers:
Lab_A(config)#username wrong_name password wrong_password
  • Shutdown the interface:
Lab_A(config)#interface serial 0/0/0
Lab_A(config-if)#shutdown
  • Then start the interface back up and view the authentication process displayed in the debug output:
Lab_A(config-if)#no shutdown
  • Does the debug output indicate success or failure? How would this output help to solve authentication problems?
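The three situations above (matching credentials, wrong password, wrong username) can be reproduced without routers. The following is an added Python example, not part of the lab or of Cisco's code: it implements the CHAP response value as RFC 1994 defines it (MD5 over the identifier, the shared secret and the challenge) and simulates Lab_A challenging Lab_B with the username tables from the lab. The trace strings it produces are constructed for illustration and do not copy the IOS debug format.

```python
import hashlib
import hmac
import os

# Constructed username tables, one per router. In IOS the "username <peer>
# password <secret>" entry is keyed by the PEER's hostname, and the secret
# must be identical on both routers (the lab's "clavechap").
LAB_A_USERS = {"Lab_B": "clavechap"}
LAB_B_USERS = {"Lab_A": "clavechap"}


def chap_response(identifier: int, secret: str, challenge: bytes) -> bytes:
    """RFC 1994 CHAP response value: MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret.encode() + challenge).digest()


def chap_exchange(auth_name, auth_users, peer_name, peer_users, identifier=1, challenge=None):
    """Simulate one CHAP round in which `auth_name` challenges `peer_name`.

    Returns (success, events). `events` is a constructed trace in the spirit of
    the router's debug output, not the real IOS message format.
    """
    events = []
    if challenge is None:
        challenge = os.urandom(16)
    events.append(f"{auth_name}: CHALLENGE id={identifier} name={auth_name}")

    # The peer looks the authenticator's name up in ITS OWN username table.
    secret = peer_users.get(auth_name)
    if secret is None:
        events.append(f"{peer_name}: no username entry for {auth_name}; cannot respond")
        return False, events
    response = chap_response(identifier, secret, challenge)
    events.append(f"{peer_name}: RESPONSE id={identifier} name={peer_name}")

    # The authenticator recomputes the hash with the secret it stores for the peer.
    expected_secret = auth_users.get(peer_name)
    if expected_secret is None:
        events.append(f"{auth_name}: no username entry for {peer_name}; FAILURE")
        return False, events
    expected = chap_response(identifier, expected_secret, challenge)
    if hmac.compare_digest(response, expected):
        events.append(f"{auth_name}: SUCCESS id={identifier}")
        return True, events
    events.append(f"{auth_name}: FAILURE id={identifier}; MD5 mismatch (secrets differ)")
    return False, events


def lab_scenarios():
    """The three situations from the troubleshooting steps: OK, wrong password, wrong username."""
    ok, _ = chap_exchange("Lab_A", LAB_A_USERS, "Lab_B", LAB_B_USERS)
    wrong_pw, _ = chap_exchange("Lab_A", LAB_A_USERS, "Lab_B", {"Lab_A": "wrong_password"})
    wrong_name, _ = chap_exchange("Lab_A", LAB_A_USERS, "Lab_B", {"wrong_name": "clavechap"})
    return ok, wrong_pw, wrong_name


if __name__ == "__main__":
    for success, trace in (chap_exchange("Lab_A", LAB_A_USERS, "Lab_B", LAB_B_USERS),
                           chap_exchange("Lab_A", LAB_A_USERS, "Lab_B", {"Lab_A": "oops"})):
        print("\n".join(trace), "->", "success" if success else "failure", "\n")
```

The point the debug output makes is visible here: the secret never crosses the link, only the hash does, so a mismatched username stops the exchange before a response is even built, while a mismatched password produces a response that fails verification on the authenticator.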



Configuring and verifying static routes

Objectives: implement static routing and verify that the network routes are working properly.

Static routing is one method of telling routers where to send traffic. Knowledge of static routes and how to configure them using the Cisco IOS CLI is essential to success as a network technician. In this lab, you build a multi-router network and use static routing to manually create routes, so hosts on remote networks can communicate.

Topology diagram of the network


Topology diagram of the network. Built in PacketTracer

When configuring static routes on the routers we need to specify either:

  • The next-hop IP address OR
  • The exit interface of the Router

In this lab, we will specify the next hop IP address.


""" Resumen de comandos """

>show ip route
>show ip route static
>show ip route connected

(config)#ip route 192.168.0.0 255.255.255.0 172.16.10.5

If you make a mistake with the route:
(config)#no ip route 192.168.0.0 255.255.255.0 172.16.10.5
This undoes the configuration of the static route to the 192.168.0.0/24 network that sends traffic to the router interface with the address 172.16.10.5.

Extension Task:

  1. How many valid IP addresses can be used on the WAN between router 1 and router 2 if the subnet mask is 255.255.255.224? Are all of these addresses necessary? Suggest another mask that wastes fewer addresses.



Configuring RIP Routing Protocol

File:ConfiguringRIPv2.pdf

Dynamic IP route configuration: RIP v2

router rip
version 2
network 192.168.1.0
network 192.168.4.0
network 192.168.5.0
no auto-summary
"Éstas son las redes conectadas al Router. Con estos comandos le estamos diciendo a R1 que comparta sus redes con los routers vecinos"

It is very important to note that the network address to enter depends on the network class (A, B, C). For example, if an interface has the following configuration: 10.1.1.9 255.255.255.252, the corresponding subnet is 10.1.1.8/30; however, because 10.1.1.8 belongs to a class A network:

Class A (see Networking#Classful network):

0 - 127
Default subnet mask: 255.0.0.0

we must therefore enter:

network 10.0.0.0


To remove a network:

no network 192.168.5.0
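The two pieces of address arithmetic used above (deriving the subnet from an interface address and mask, then collapsing it to the classful network that RIP's network command expects) and the host count asked for in the static-routing extension task can be worked out with Python's standard ipaddress module. This is an added example, not code from the lab; the interface list passed to rip_network_statements is constructed from the addresses mentioned on this page.

```python
import ipaddress


def interface_network(address: str, mask: str) -> ipaddress.IPv4Network:
    """Subnet an interface belongs to, e.g. 10.1.1.9/255.255.255.252 -> 10.1.1.8/30."""
    return ipaddress.ip_interface(f"{address}/{mask}").network


def classful_network(address: str) -> ipaddress.IPv4Network:
    """Classful (A/B/C) network the address falls in. This is what RIP's
    `network` command really uses, whatever mask the interface has."""
    first_octet = int(address.split(".")[0])
    if first_octet < 128:
        prefix = 8       # class A, default mask 255.0.0.0
    elif first_octet < 192:
        prefix = 16      # class B, default mask 255.255.0.0
    elif first_octet < 224:
        prefix = 24      # class C, default mask 255.255.255.0
    else:
        raise ValueError("class D/E addresses are not unicast networks")
    return ipaddress.ip_network(f"{address}/{prefix}", strict=False)


def rip_network_statements(interfaces):
    """Deduplicated `network` lines for `router rip`, from (address, mask) pairs.
    Two interfaces in different subnets of the same class A/B/C block produce
    a single statement, which is exactly why RIP needs `no auto-summary`."""
    lines = []
    for address, _mask in interfaces:
        line = f"network {classful_network(address).network_address}"
        if line not in lines:
            lines.append(line)
    return lines


def usable_hosts(mask: str) -> int:
    """Usable host addresses under a mask (network and broadcast excluded)."""
    prefix = ipaddress.ip_network(f"0.0.0.0/{mask}").prefixlen
    return max(2 ** (32 - prefix) - 2, 0)


if __name__ == "__main__":
    # Constructed interface list: the page's 10.1.1.9/30 example plus two class C LANs.
    r1 = [("192.168.1.1", "255.255.255.0"), ("10.1.1.9", "255.255.255.252"),
          ("10.1.1.5", "255.255.255.252")]
    print(interface_network("10.1.1.9", "255.255.255.252"))   # 10.1.1.8/30
    print("\n".join(rip_network_statements(r1)))               # network 192.168.1.0 / network 10.0.0.0
    for mask in ("255.255.255.224", "255.255.255.252"):
        print(mask, "->", usable_hosts(mask), "usable hosts")   # 30 and 2
```

usable_hosts("255.255.255.224") returns 30 and usable_hosts("255.255.255.252") returns 2, which is the comparison the extension task is asking you to make for a two-router WAN link.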



Configuring OSPF Routing Protocol

File:Configuring OSPF Routing Protocol.pdf

File:ConfiguringOSPF-Packettracer_file.zip


Scenario:

In this scenario, you will learn how to configure the OSPF routing protocol. The segments of the network have been subnetted using VLSM (variable-length subnet mask).

OSPF is a classless routing protocol that can be used to provide subnet mask information in the routing updates. This will allow VLSM subnet information to be propagated throughout the network.



Topology Diagram:

OSPF-Topology.png
Built in PacketTracer by myself



Addressing Table:

Device  Interface      IP Address     Subnet Mask       Default Gateway
R1      Fa0/0          172.16.1.17    255.255.255.240   N/A
R1      S0/0/0 (DCE)   192.168.10.1   255.255.255.252   N/A
R1      S0/0/1         192.168.10.5   255.255.255.252   N/A
R2      Fa0/0          10.10.10.1     255.255.255.0     N/A
R2      S0/0/0         192.168.10.2   255.255.255.252   N/A
R2      S0/0/1 (DCE)   192.168.10.9   255.255.255.252   N/A
R3      Fa0/0          172.16.1.33    255.255.255.248   N/A
R3      S0/0/0 (DCE)   192.168.10.6   255.255.255.252   N/A
R3      S0/0/1         192.168.10.10  255.255.255.252   N/A
PC1     NIC            172.16.1.20    255.255.255.240   172.16.1.17
PC2     NIC            10.10.10.10    255.255.255.0     10.10.10.1
PC3     NIC            172.16.1.35    255.255.255.248   172.16.1.33



Required Resources:

  • Routers Cisco 1841
  • Switches Cisco 2960



Task 1 - Perform Basic Router Configurations

# Basic configuration
enable
configure terminal
no ip domain-lookup
hostname R1


# Interface IP address
interface serial 0/0/0
ip address 192.168.10.1  255.255.255.252
clock rate 64000 
no shutdown
exit


copy running-config startup-config



Task 2 - Configure OSPF


  • Configure OSPF on the R1 Router:
  • Step 1: Use the router ospf command in global configuration mode to enable OSPF on the R1 router. Enter a process ID of 1 for the process-ID parameter:
R1(config)# router ospf 1
First, the router ospf 1 global command puts the user in OSPF configuration mode, and sets the OSPF process-id. This number just needs to be unique on the local router, allowing the router to support multiple OSPF processes in a single router by using different process IDs. (The router command uses the process-id to distinguish between the processes) The process-id does not have to match on each router, and it can be any integer between 1 and 65,535


  • Step 2: Configure the network statement for the LAN network.
Once you are in the router OSPF configuration sub-mode, configure the LAN network 172.16.1.16/28 to be included in the OSPF updates that are sent out of R1:
R1(config-router)# network 172.16.1.16  0.0.0.15  area 0
The OSPF network command uses a combination of network-address and wildcard-mask similar to that which can be used by EIGRP. Unlike EIGRP, the wildcard mask in OSPF is required.
Use an area ID of 0 for the OSPF area-id parameter. 0 will be used for the OSPF area ID in all of the network statements in this topology.


  • Step 3: Configure the router to advertise the 192.168.10.0/30 network attached to the Serial0/0/0 interface:
R1(config-router)# network 192.168.10.0  0.0.0.3  area 0


  • Step 4: Configure the router to advertise the 192.168.10.4/30 network attached to the Serial0/0/1 interface:
R1(config-router)# network 192.168.10.4  0.0.0.3  area 0


  • Step 5: When you are finished with the OSPF configuration for R1, return to privileged EXEC mode:
R1(config-router)# end



  • Configure OSPF on the R2 router:
R2(config)# router ospf 1
R2(config-router)# network 10.10.10.0  0.0.0.255  area 0
R2(config-router)# network 192.168.10.0  0.0.0.3  area 0
R2(config-router)# network 192.168.10.8  0.0.0.3  area 0
R2(config-router)# end
Notice that when the network for the serial link from R1 to R2 is added to the OSPF configuration, the router sends a notification message to the console stating that a neighbor relationship with another OSPF router has been established:
00:07:27: %OSPF-5-ADJCHG: Process 1, Nbr 192.168.10.5 on Serial0/0/0 from EXCHANGE to FULL, Exchange Done



  • Configure OSPF on the R3 router:
R3(config)# router ospf 1
R3(config-router)# network 172.16.1.32  0.0.0.7  area 0
R3(config-router)# network 192.168.10.4  0.0.0.3  area 0
R3(config-router)# network 192.168.10.8  0.0.0.3  area 0
R3(config-router)# end



Task 3 - Configure OSPF Router IDs

The OSPF router ID is used to uniquely identify the router in the OSPF routing domain. A router ID is an IP address. Cisco routers derive the Router ID in one of three ways and with the following precedence:

  • IP address configured with the OSPF «router-id» command.
  • Highest IP address of any of the router's loopback addresses.
  • Highest active IP address on any of the router's physical interfaces.
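The network statements in Task 2 and the router-ID precedence just listed are both mechanical enough to generate from the addressing table. The following added Python example (not part of the lab, not Cisco code) derives each network/wildcard/area line from an interface's address and mask, and applies the three-step router-ID precedence; the R1 interface list in it is taken from the addressing table above.

```python
import ipaddress

ALL_ONES = int(ipaddress.IPv4Address("255.255.255.255"))


def wildcard_mask(mask: str) -> str:
    """OSPF wildcard = bitwise inverse of the subnet mask (255.255.255.240 -> 0.0.0.15)."""
    return str(ipaddress.IPv4Address(ALL_ONES ^ int(ipaddress.IPv4Address(mask))))


def ospf_network_statement(address: str, mask: str, area: int = 0) -> str:
    """`network <subnet> <wildcard> area <n>` for the subnet an interface sits in."""
    net = ipaddress.ip_interface(f"{address}/{mask}").network
    return f"network {net.network_address} {wildcard_mask(mask)} area {area}"


def ospf_config(process_id: int, interfaces, area: int = 0):
    """Lines for `router ospf <id>` covering every interface given as (address, mask)."""
    lines = [f"router ospf {process_id}"]
    for address, mask in interfaces:
        stmt = ospf_network_statement(address, mask, area)
        if stmt not in lines:
            lines.append(stmt)
    return lines


def ospf_router_id(configured_id=None, loopbacks=(), physical_up=()) -> str:
    """Router-ID precedence: `router-id` command, then highest loopback address,
    then highest IP address on an active physical interface."""
    if configured_id:
        return configured_id
    if loopbacks:
        return str(max(ipaddress.IPv4Address(a) for a in loopbacks))
    if physical_up:
        return str(max(ipaddress.IPv4Address(a) for a in physical_up))
    raise ValueError("no usable IP address; the OSPF process cannot start")


# R1's interfaces from the addressing table (Fa0/0, S0/0/0, S0/0/1).
R1_INTERFACES = [("172.16.1.17", "255.255.255.240"),
                 ("192.168.10.1", "255.255.255.252"),
                 ("192.168.10.5", "255.255.255.252")]

if __name__ == "__main__":
    print("\n".join(ospf_config(1, R1_INTERFACES)))
    print("RID before loopback:", ospf_router_id(physical_up=[a for a, _ in R1_INTERFACES]))  # 192.168.10.5
    print("RID with loopback 0:", ospf_router_id(loopbacks=["10.1.1.1"],
                                                  physical_up=[a for a, _ in R1_INTERFACES]))  # 10.1.1.1
    print("RID with router-id:", ospf_router_id("10.4.4.4", ["10.1.1.1"]))                    # 10.4.4.4
```

The three router-ID calls reproduce what the lab observes later: 192.168.10.5 before any loopback exists, 10.1.1.1 once loopback 0 is configured and the process restarted, and 10.4.4.4 once router-id overrides both.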



Examine the current router IDs in the topology

Since no router IDs or loopback interfaces have been configured on the three routers, the router ID for each router is determined by the highest IP address of any active interface:

  • What is the router ID for R1? : Router ID 192.168.10.5
  • What is the router ID for R2? : Router ID 192.168.10.9
  • What is the router ID for R3? : Router ID 192.168.10.10

The router ID can also be seen in the output of the «show ip protocols», «show ip ospf», and «show ip ospf interface» commands:

R3#show ip protocols

R3#show ip ospf

R3#show ip ospf interface


R1#show ip route
     10.0.0.0/24 is subnetted, 1 subnets
O        10.10.10.0 [110/65] via 192.168.10.2, 00:07:48, Serial0/0/0
     172.16.0.0/16 is variably subnetted, 2 subnets, 2 masks
C        172.16.1.16/28 is directly connected, FastEthernet0/0
O        172.16.1.32/29 [110/65] via 192.168.10.6, 00:06:12, Serial0/0/1
     192.168.10.0/30 is subnetted, 3 subnets
C        192.168.10.0 is directly connected, Serial0/0/0
C        192.168.10.4 is directly connected, Serial0/0/1
O        192.168.10.8 [110/128] via 192.168.10.2, 00:05:54, Serial0/0/0
                      [110/128] via 192.168.10.6, 00:05:54, Serial0/0/1

The code of "O" on the left identifies a route as being learned by OSPF. The output lists three such IP routes. Next, take a look at the first OSPF route (to subnet 10.0.0.0). It lists the subnet ID and mask, identifying the subnet. It also lists two numbers in brackets. The first, 110, is the administrative distance of the route. All the OSPF routes in this example use the default of 110. The second number, 65, is the OSPF metric for this route.



Use loopback addresses to change the router IDs of the routers in the topology

R1(config)#interface loopback 0
R1(config-if)#ip address 10.1.1.1 255.255.255.255

R2(config)#interface loopback 0
R2(config-if)#ip address 10.2.2.2 255.255.255.255

R3(config)#interface loopback 0
R3(config-if)#ip address 10.3.3.3 255.255.255.255

A loopback interface is a virtual interface that can be configured with the «interface loopback <interface-number>» command, where <interface-number> is an integer. Loopback interfaces are always in an "up and up" state unless administratively placed in a shutdown state. For example, a simple configuration of the command interface loopback 0, followed by ip address 2.2.2.2 255.255.255.255, would create a loopback interface and assign it an IP address. Because loopback interfaces do not rely on any hardware, these interfaces can be up/up whenever IOS is running, making them good interfaces on which to base an OSPF RID.



Reload the routers to force the new Router IDs to be used

When a new router ID is configured, it will not be used until the OSPF process is restarted. Make sure that the current configuration is saved to NVRAM, and then use the «reload» command to restart each of the routers.

  • When the router is reloaded, what is the router ID for R1? : 10.1.1.1
  • When the router is reloaded, what is the router ID for R2? : 10.2.2.2
  • When the router is reloaded, what is the router ID for R3? : 10.3.3.3

OSPF routers use a three-step process to eventually add OSPF-learned routes to the IP routing table:

  • First, they create neighbor relationships.
  • Then they build and flood LSAs, so each router in the same area has a copy of the same LSDB.
  • Finally, each router independently computes its own IP routes using the SPF algorithm and adds them to its routing table.

The «show ip ospf neighbor», «show ip ospf database», and «show ip route» commands display information for each of these three steps, respectively. To verify OSPF, you can use the same sequence. Or, you can just go look at the IP routing table, and if the routes look correct, OSPF probably worked.



Use the show ip ospf neighbor command to verify that the router IDs have changed

R1#show ip ospf neighbor
Neighbor ID   Pri State     Dead Time   Address        Interface
10.3.3.3      0   FULL/ -   00:00:30    192.168.10.6   Serial0/0/1
10.2.2.2      0   FULL/ -   00:00:33    192.168.10.2   Serial0/0/0

The detail in the output mentions several important facts, and for most people, working right to left works best in this case. For example, looking at the headings:

  • Interface: This is the local router’s interface connected to the neighbor. For example, the first neighbor in the list is reachable through R1’s S0/0/1 interface.
  • Address: This is the neighbor’s IP address on that link. Again, for this first neighbor, the neighbor, which is R3, uses IP address 192.168.10.6
  • State: While many possible states exist, for the details discussed in this chapter, FULL is the correct and fully working state in this case.
  • Neighbor ID: This is the router ID of the neighbor.



Use the router-id command to change the router ID on the R1 router

Note: Some IOS versions do not support the router-id command. If this command is not available, continue to Task 7.

R1(config)#router ospf 1
R1(config-router)#router-id 10.4.4.4
Reload or use "clear ip ospf process" command, for this to take effect

If this command is used on an OSPF router process which is already active (has neighbors), the new router-ID is used at the next reload or at a manual OSPF process restart. To manually restart the OSPF process, use the «clear ip ospf process» command:

R1(config-router)#end
R1# clear ip ospf process
Reset ALL OSPF processes? [no]:yes
R1#



Remove the configured router ID with the no form of the router-id command

R1(config)#router ospf 1
R1(config-router)#no router-id 10.4.4.4
Reload or use "clear ip ospf process" command, for this to take effect
R1(config-router)#end
R1# clear ip ospf process
Reset ALL OSPF processes? [no]:yes
R1#

Note: It may be necessary to save your running-configuration to NVRAM (copy run start) and reload so that loopback now becomes the RID again.




Task 4 - Verify OSPF Operation

On the R1 router, use the show ip ospf neighbor command to view the information about the OSPF neighbor routers R2 and R3. You should be able to see the neighbor ID and IP address of each adjacent router, and the interface that R1 uses to reach that OSPF neighbor.

R1#show ip ospf neighbor

On the R1 router, use the «show ip protocols» command to view information about the routing protocol operation.

Notice that the information that was configured in the previous Tasks, such as protocol, process ID, neighbor ID, and networks, is shown in the output. The IP addresses of the adjacent neighbors are also shown:

R1#show ip protocols



Task 5 - Examine OSPF Routes in the Routing Tables

View the routing table on the R1 router. OSPF routes are denoted in the routing table with an "O":

R1#show ip route



OSPF Metrics

OSPF Metrics (Cost)

OSPF calculates the metric for each route, choosing the route with the best metric for each destination subnet. OSPF routers can influence that choice by changing the OSPF interface cost on any and all interfaces.

Cisco routers allow two different ways to change the OSPF interface cost. The one straightforward way is to set the cost directly, with an interface subcommand: ip ospf cost x:

R1(config)#int serial 0/0/0
R1(config-if)#ip ospf cost 20
R1(config-if)#end
R1#show ip ospf interface serial 0/0/0
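The metrics in the R1 routing table shown in Task 3 ([110/65] and the two equal [110/128] entries) and the effect of the ip ospf cost command above can be checked by hand with the Cisco cost formula, reference bandwidth (10^8 bps by default) divided by interface bandwidth, truncated to an integer. This is an added Python example, not code from the lab; it assumes the IOS default bandwidth of 1544 kbit/s on the serial interfaces and 100 000 kbit/s on FastEthernet, and the lab's topology of R1 connected to both R2 and R3 over serial links, with R2 and R3 connected to each other.

```python
REFERENCE_BANDWIDTH_BPS = 100_000_000   # IOS default reference bandwidth (10^8)

# IOS default interface bandwidths (kbit/s) for the link types in this lab.
DEFAULT_BANDWIDTH_KBPS = {"serial": 1544, "fastethernet": 100_000}


def ospf_interface_cost(bandwidth_kbps: int, reference_bps: int = REFERENCE_BANDWIDTH_BPS) -> int:
    """Cisco OSPF cost: reference bandwidth / interface bandwidth, truncated, never below 1."""
    return max(reference_bps // (bandwidth_kbps * 1000), 1)


def r1_routes(s0_0_0_cost=None):
    """Metrics R1 computes for its three OSPF-learned routes in the lab topology.

    `s0_0_0_cost` overrides the default cost of R1's Serial0/0/0, which is what
    `ip ospf cost <x>` on that interface does. Every other interface keeps its
    default cost. Returns {prefix: (metric, [outgoing interfaces])}.
    """
    serial = ospf_interface_cost(DEFAULT_BANDWIDTH_KBPS["serial"])        # 64
    fa = ospf_interface_cost(DEFAULT_BANDWIDTH_KBPS["fastethernet"])      # 1
    s0 = serial if s0_0_0_cost is None else s0_0_0_cost                   # R1 Serial0/0/0 (to R2)
    s1 = serial                                                           # R1 Serial0/0/1 (to R3)

    # A route's metric is the sum of the outgoing-interface costs along the
    # path, including the far router's LAN interface.
    candidates = {
        "10.10.10.0/24":   {"Serial0/0/0": s0 + fa},                      # R2's LAN
        "172.16.1.32/29":  {"Serial0/0/1": s1 + fa},                      # R3's LAN
        "192.168.10.8/30": {"Serial0/0/0": s0 + serial,                   # via R2 to the R2-R3 link
                            "Serial0/0/1": s1 + serial},                  # via R3 to the same link
    }
    routes = {}
    for prefix, paths in candidates.items():
        best = min(paths.values())
        # Equal-cost paths are all installed, as the two [110/128] lines show.
        routes[prefix] = (best, sorted(i for i, cost in paths.items() if cost == best))
    return routes


if __name__ == "__main__":
    for label, routes in (("default costs", r1_routes()), ("ip ospf cost 20 on S0/0/0", r1_routes(20))):
        print(label)
        for prefix, (metric, via) in routes.items():
            print(f"  O {prefix:16} [110/{metric}] via {', '.join(via)}")
```

With default costs the function returns 65 for both LANs and 128 over both serial interfaces for 192.168.10.8/30, matching the routing table on the page. After ip ospf cost 20 on Serial0/0/0 the route to 192.168.10.8/30 collapses to a single path through R2 at cost 84, which is the kind of change you confirm with show ip route after the command above.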



Configuring DHCPv4 on a Router

Media:5-configuring DHCPv4 on a Router using packettracer.zip

"Specifies the range of addresses not to be leased out to clients:"
Router(config)#ip dhcp excluded-address 192.168.0.1 192.168.0.9

"Creates a DHCP pool named in this case CCT. The name can be anything of your choosing:"
Router(config)#ip dhcp pool CCT

"Defines the range of addresses to be leased:"
Router(dhcp-config)#network 192.168.0.0 255.255.255.0

"Defines the address of the default router for the client:"
Router(dhcp-config)#default-router 192.168.0.1

"Defines the address of the Domain Name Server for the client:"
Router(dhcp-config)#dns-server 8.8.8.8

"Defines the domain name for the client (Not support in PacketTracer):"
Router(dhcp-config)#domain-name fakedoaminname.com



Part 1: Build the Network and Configure Basic Device Settings


Cable the network as shown in the topology


Initialize and reload the routers and switches


Add serial interfaces


Configure basic settings for each router

hostname R1
no ip domain-lookup
service password-encryption
enable secret class
banner motd #Unauthorized access is strictly prohibited.#
line con 0
password cisco
login
logging synchronous
line vty 0 4
password cisco
login



Configure the IPv4 addresses on the router as shown in the topology

interface G0/0
ip address 192.168.0.1 255.255.255.0
.
.
.

"Configure the clock rate for the Serial interface:"
clock rate 128000

Configure dynamic, default, and static routing on the routers

Configure RIPv2 for R1
R1(config)# router rip
R1(config-router)# version 2
R1(config-router)# network 192.168.2.252
R1(config-router)# network 192.168.0.0
R1(config-router)# network 192.168.1.0
R1(config-router)# no auto-summary



Configure RIPv2 and a default route to the ISP on R2
R2(config)# router rip
R2(config-router)# version 2
R2(config-router)# network 192.168.2.252
R2(config-router)# default-information originate
R2(config-router)# exit
R2(config)# ip route 0.0.0.0 0.0.0.0 209.165.200.225

The configuration above first sets up RIP version 2 for the network 192.168.2.0. Then, with the default-information originate command, it tells the router that if the IPv4 routing table contains a default route, it should advertise a default route with RIP.

IOS allows the configuration of a static default route by using special values for the subnet and mask fields in the ip route command: 0.0.0.0 0.0.0.0. For example the command ip route 0.0.0.0 0.0.0.0 209.165.200.225 creates a static default route on R2 – a route that matches all IP packets and sends those packets out to the next hop of the ISP router.



Configure a summary static route on ISP to reach the networks on the R1 and R2 routers
ISP(config)# ip route 192.168.0.0 255.255.252.0 209.165.200.226



Verify network connectivity between the routers


Verify the host PCs are configured for DHCP


Part 2: Configure a DHCPv4 Server and a DHCP Relay Agent


Configure DHCPv4 server settings on router R2

R2(config)# ip dhcp excluded-address 192.168.0.1 192.168.0.9
R2(config)# ip dhcp excluded-address 192.168.1.1 192.168.1.9
R2(config)# ip dhcp pool R1G1
R2(dhcp-config)# network 192.168.1.0 255.255.255.0
R2(dhcp-config)# default-router 192.168.1.1
R2(dhcp-config)# dns-server 209.165.200.225
"***Unfortunately, the below tasks will not work in PT 6.2. Skip these.
R2(dhcp-config)# domain-name ccna-lab.com
R2(dhcp-config)# lease 2
"
***

Continue...
R2(dhcp-config)# exit
R2(config)# ip dhcp pool R1G0
R2(dhcp-config)# network 192.168.0.0 255.255.255.0
R2(dhcp-config)# default-router 192.168.0.1
R2(dhcp-config)# dns-server 209.165.200.225

"
R2(dhcp-config)# domain-name ccna-lab.com
R2(dhcp-config)# lease 2
"



Configure R1 as a DHCP relay agent

R1(config)# interface g0/0
R1(config-if)# ip helper-address 192.168.2.254
R1(config-if)# exit
R1(config)# interface g0/1
R1(config-if)# ip helper-address 192.168.2.254
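The two pools configured on R2 are easy to get subtly wrong: if the excluded-address range does not cover the default router, the server will eventually lease the gateway's own address to a client. The following added Python example (not the lab's code, not Cisco's) models what a pool can hand out, the subnet minus network/broadcast and minus every excluded range, and flags a default router left inside the leasable range. The pool definitions are the ones on this page.

```python
import ipaddress


def dhcp_lease_range(network: str, mask: str, excluded_ranges=(), default_router=None):
    """Addresses a pool can lease, and whether the default router is (wrongly) among them.

    excluded_ranges holds (low, high) or (low,) tuples, mirroring
    `ip dhcp excluded-address <low> [<high>]`.
    """
    net = ipaddress.ip_network(f"{network}/{mask}", strict=True)
    excluded = set()
    for low, *high in excluded_ranges:
        lo = ipaddress.IPv4Address(low)
        hi = ipaddress.IPv4Address(high[0]) if high else lo
        excluded.update(ipaddress.IPv4Address(a) for a in range(int(lo), int(hi) + 1))
    # .hosts() already drops the network and broadcast addresses.
    leasable = [a for a in net.hosts() if a not in excluded]
    router_leasable = (default_router is not None
                       and ipaddress.IPv4Address(default_router) in leasable)
    return {
        "first": str(leasable[0]) if leasable else None,
        "last": str(leasable[-1]) if leasable else None,
        "count": len(leasable),
        "default_router_leasable": router_leasable,
    }


def r2_pools():
    """The R1G1 and R1G0 pools as configured on R2 above, with R2's exclusions."""
    exclusions = [("192.168.0.1", "192.168.0.9"), ("192.168.1.1", "192.168.1.9")]
    return {
        "R1G1": dhcp_lease_range("192.168.1.0", "255.255.255.0", exclusions, "192.168.1.1"),
        "R1G0": dhcp_lease_range("192.168.0.0", "255.255.255.0", exclusions, "192.168.0.1"),
    }


if __name__ == "__main__":
    for name, info in r2_pools().items():
        print(name, info)   # R1G1: 192.168.1.10 .. 192.168.1.254, 245 addresses, router not leasable
    # The same pool with the excluded-address line forgotten: the gateway becomes leasable.
    print(dhcp_lease_range("192.168.1.0", "255.255.255.0", (), "192.168.1.1"))
```

Both pools on R2 come out as 245 leasable addresses starting at .10, with the gateway safely excluded; drop the excluded-address line and the same function reports 254 addresses with default_router_leasable set to True. The relay agent configured on R1 does not change any of this: ip helper-address only forwards the clients' broadcasts to 192.168.2.254, and the pool selection is still done on R2 from the relayed request's source subnet.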



Configuring VLANs and Trunking Topology

File:ConfiguringVLANs_and_Trunking.pdf


Configuring VLANs and Trunking Topology.png


Device Interface IP Address Subnet Mask Default Gateway
S1 VLAN 1 192.168.1.11 255.255.255.0 N/A
S2 VLAN 1 192.168.1.12 255.255.255.0 N/A
PC-A NIC 192.168.10.3 255.255.255.0 192.168.10.1
PC-B NIC 192.168.10.4 255.255.255.0 192.168.10.1
PC-C NIC 192.168.20.3 255.255.255.0 192.168.20.1


  • Part 1: Build the Network and Configure Basic Device Settings
  • Part 2: Create VLANs and Assign Switch Ports
  • Part 3: Maintain VLAN Port Assignments and the VLAN Database
  • Part 4: Configure an 802.1Q Trunk between the Switches
  • Part 5: Delete the VLAN Database

Modern switches use virtual local-area networks (VLANs) to improve network performance by separating large Layer 2 broadcast domains into smaller ones. VLANs can also be used as a security measure by controlling which hosts can communicate. In general, VLANs make it easier to design a network to support the goals of an organization.

VLAN trunks are used to span VLANs across multiple devices. Trunks allow the traffic from multiple VLANS to travel over a single link, while keeping the VLAN identification and segmentation intact.

In this lab:

  • You will create VLANs on both switches in the topology
  • Assign VLANs to switch access ports
  • Verify that VLANs are working as expected, and then
  • Create a VLAN trunk between the two switches to allow hosts in the same VLAN to communicate through the trunk, regardless of which switch the host is actually attached to.

Note: The switches used are Cisco Catalyst 2960s with Cisco IOS Release 15.0(2) (lanbasek9 image). Other switches and Cisco IOS versions can be used. Depending on the model and Cisco IOS version, the commands available and output produced might vary from what is shown in the labs.

Required Resources:

  • 2 Switches (Cisco 2960 with Cisco IOS Release 15.0(2) lanbasek9 image or comparable)
  • 3 PCs (Windows 7, Vista, or XP with terminal emulation program, such as Tera Term)
  • Console cables to configure the Cisco IOS devices via the console ports
  • Ethernet cables as shown in the topology



Part 1 - Build the Network and Configure Basic Device Settings


Step 1 - Cable the network as shown in the topology

As always, between different devices we use a Copper Straight-Through cable and between devices of the same kind a Copper Cross-Over cable.



Step 2 - Initialize and reload the switches as necessary


Step 3 - Configure basic settings for each switch

## Console into the switch (go to the CLI) and enter global configuration mode:
enable
configure terminal

## Basic configuration:
no ip domain-lookup
service password-encryption
enable secret class
banner motd #
Unauthorized access is strictly prohibited. #
line con 0
password cisco
login
logging synchronous
line vty 0 15
password cisco
logging synchronous
login
exit

## Configure the host name as shown in the topology:
hostname S1

## Configure the IP address listed in the Addressing Table for VLAN 1 on the switch:
interface vlan 1
ip address 192.168.1.11 255.255.255.0
no shutdown

exit

## Copy the running configuration to the startup configuration:
exit
copy running-config startup-config



Step 4 - Configure PC hosts

  • Configure static IP addresses as shown in the table:
    • Desktop > IP Configuration



Step 5 - Test connectivity

Note: It may be necessary to disable the PCs firewall to ping between PCs.

  • Can PC-A ping PC-B? ... Yes
  • Can PC-A ping PC-C? ... No
  • Can PC-A ping S1? ... No
  • Can PC-B ping PC-C? ... No
  • Can PC-B ping S2? ... No
  • Can PC-C ping S2? ... No
  • Can S1 ping S2? ... Yes


  • If you answered no to any of the above questions, why were the pings unsuccessful?


  • Pings were unsuccessful when trying to ping a device on a different subnet. For those pings to be successful, a default gateway must exist to route traffic from one subnet to another.



Part 2 - Create VLANs and Assign Switch Ports

In Part 2, you will create student, faculty, and management VLANs on both switches. You will then assign the VLANs to the appropriate interface. The «show vlan» command is used to verify your configuration settings.



Step 1 - Create VLANs on the switches

  • Create the VLANs on S1:
vlan 10
name Student
vlan 20
name Faculty
vlan 99
name Management
end
  • Create the same VLANs on S2.
  • Issue the «show vlan» command to view the list of VLANs on S1:
S1# show vlan



Step 2 - Assign VLANs to the correct switch interfaces

  • Assign VLANs to the interfaces on S1:
  • Assign PC-A to the Student VLAN:
interface f0/6
switchport mode access
switchport access vlan 10
  • Move the switch IP address to VLAN 99:
interface vlan 1
no ip address
interface vlan 99
ip address 192.168.1.11 255.255.255.0
end


  • Issue the show vlan brief command and verify that the VLANs are assigned to the correct interfaces:
show vlan brief


  • Issue the show ip interface brief command:
show ip interface brief
  • What is the status of VLAN 99? Why?
  • The status of VLAN 99 is up/down, because it has not been assigned to an active port yet.


  • Use the Topology to assign VLANs to the appropriate ports on S2:


  • Remove the IP address for VLAN 1 on S2:


  • Configure an IP address for VLAN 99 on S2 according to the Addressing Table:


  • Use the show vlan brief command to verify that the VLANs are assigned to the correct interfaces:
  • Is PC-A able to ping PC-B? Why?
  • No. Interface F0/1 is not assigned to VLAN 10, so VLAN 10 traffic will not be sent over it.
  • Is S1 able to ping S2? Why?
  • No. The IP addresses for the switches now reside in VLAN 99. VLAN 99 traffic will not be sent over interface F0/1.



Part 3 - Maintain VLAN Port Assignments and the VLAN Database

In Part 3, you will change VLAN assignments to ports and remove VLANs from the VLAN database.



Step 1 - Assign a VLAN to multiple interfaces

  • On S1, assign interfaces F0/11 – 24 to VLAN 10.
interface range f0/11-24
switchport mode access
switchport access vlan 10
end


  • Issue the show vlan brief command to verify VLAN assignments:
show vlan brief


  • Reassign F0/11 and F0/21 to VLAN 20:
interface range f0/11, f0/21
switchport access vlan 20
end


  • Verify that VLAN assignments are correct: show vlan brief



Step 2 - Remove a VLAN assignment from an interface

  • Use the no switchport access vlan command to remove the VLAN 10 assignment to F0/24:
interface f0/24
no switchport access vlan
end
  • Verify that the VLAN change was made: show vlan brief
  • Which VLAN is F0/24 now associated with?
  • VLAN 1, the default VLAN.



Part 4: Configure an 802.1Q Trunk Between the Switches

In Part 4, you will configure interface F0/1 to use the Dynamic Trunking Protocol (DTP) to allow it to negotiate the trunk mode. After this has been accomplished and verified, you will disable DTP on interface F0/1 and manually configure it as a trunk.



Step 1 - Use DTP to initiate trunking on F0/1

The default DTP mode of a 2960 switch port is dynamic auto. This allows the interface to convert the link to a trunk if the neighboring interface is set to trunk or dynamic desirable mode.

  • Set F0/1 on S1 to negotiate trunk mode:
interface f0/1
switchport mode dynamic desirable


  • Issue the show vlan brief command on S1 and S2. Interface F0/1 is no longer assigned to VLAN 1. Trunked interfaces are not listed in the VLAN table: show vlan brief


  • Issue the show interfaces trunk command to view trunked interfaces. Notice that the mode on S1 is set to desirable, and the mode on S2 is set to auto: show interfaces trunk
  • Note: By default, all VLANs are allowed on a trunk. The switchport trunk command allows you to control what VLANs have access to the trunk. For this lab, keep the default settings which allows all VLANs to traverse F0/1.


  • Verify that VLAN traffic is traveling over trunk interface F0/1:
  • Can S1 ping S2? ... Yes
  • Can PC-A ping PC-B? ... Yes
  • Can PC-A ping PC-C? ... No
  • Can PC-B ping PC-C? ... No
  • Can PC-A ping S1? ... No
  • Can PC-B ping S2? ... No
  • Can PC-C ping S2? ... No


  • PC-C cannot ping PC-A or PC-B because PC-C is in a different VLAN. The switches are in different VLANs than the PCs; therefore, the pings were unsuccessful.



Step 2 - Manually configure trunk interface F0/1

The switchport mode trunk command is used to manually configure a port as a trunk. This command should be issued on both ends of the link.

  • Change the switchport mode on interface F0/1 to force trunking. Make sure to do this on both switches:
S1(config)# interface f0/1
S1(config-if)# switchport mode trunk

S2(config)# interface f0/1
S2(config-if)# switchport mode trunk


  • Issue the show interfaces trunk command to view the trunk mode. Notice that the mode changed from desirable to on: show interfaces trunk
  • Why might you want to manually configure an interface to trunk mode instead of using DTP?
  • Not all equipment uses DTP. Using the switchport mode trunk command ensures that the port will become a trunk no matter what type of equipment is connected to the other end of the link.
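The ping tables in Part 1, Part 2 and Part 4 all follow from two rules: a frame only reaches another port if both ports are in the same VLAN and every link in between carries that VLAN (access in that VLAN, or a trunk), and a host without a default gateway only talks to hosts in its own subnet. The following added Python example (not the lab's code) models the two-switch topology and reproduces those answers. PC-A on S1 F0/6 and the F0/1 inter-switch link come from the page; the S2 ports used for PC-B and PC-C are assumptions.

```python
from collections import deque
import ipaddress


class Switch:
    """Minimal Catalyst model: access ports carry one VLAN, trunks carry every VLAN."""

    def __init__(self, name):
        self.name = name
        self.access = {}     # port -> access VLAN
        self.trunks = set()  # ports in `switchport mode trunk` (default: all VLANs allowed)

    def vlan_of(self, port):
        return self.access.get(port, 1)   # an unconfigured port sits in VLAN 1

    def carries(self, port, vlan):
        return port in self.trunks or self.vlan_of(port) == vlan


def same_broadcast_domain(switches, links, host_a, host_b):
    """host = (switch name, port). True if a frame from host_a's VLAN can reach host_b's port."""
    (sw_a, port_a), (sw_b, port_b) = host_a, host_b
    vlan = switches[sw_a].vlan_of(port_a)
    if switches[sw_b].vlan_of(port_b) != vlan:
        return False
    seen, queue = {sw_a}, deque([sw_a])
    while queue:                      # breadth-first search over links that carry this VLAN
        cur = queue.popleft()
        if cur == sw_b:
            return True
        for s1, p1, s2, p2 in links:
            for here, hp, there, tp in ((s1, p1, s2, p2), (s2, p2, s1, p1)):
                if (here == cur and there not in seen
                        and switches[here].carries(hp, vlan) and switches[there].carries(tp, vlan)):
                    seen.add(there)
                    queue.append(there)
    return False


def can_ping(switches, links, hosts, a, b):
    """With no default gateway, a ping succeeds only if both hosts share the subnet AND the L2 domain."""
    ip_a, loc_a = hosts[a]
    ip_b, loc_b = hosts[b]
    same_subnet = ipaddress.ip_interface(ip_a).network == ipaddress.ip_interface(ip_b).network
    return same_subnet and same_broadcast_domain(switches, links, loc_a, loc_b)


def build_lab(vlans_assigned: bool, trunk_f0_1: bool):
    """Lab state: Part 1 = (False, False), Part 2 = (True, False), Part 4 = (True, True)."""
    s1, s2 = Switch("S1"), Switch("S2")
    if vlans_assigned:
        s1.access["f0/6"] = 10    # PC-A, Student VLAN (page)
        s2.access["f0/18"] = 10   # PC-B, Student VLAN (assumed port)
        s2.access["f0/6"] = 20    # PC-C, Faculty VLAN (assumed port)
    if trunk_f0_1:
        s1.trunks.add("f0/1")
        s2.trunks.add("f0/1")
    switches = {"S1": s1, "S2": s2}
    links = [("S1", "f0/1", "S2", "f0/1")]
    hosts = {"PC-A": ("192.168.10.3/24", ("S1", "f0/6")),
             "PC-B": ("192.168.10.4/24", ("S2", "f0/18")),
             "PC-C": ("192.168.20.3/24", ("S2", "f0/6"))}
    return switches, links, hosts


if __name__ == "__main__":
    for label, state in (("Part 1", (False, False)), ("Part 2", (True, False)), ("Part 4", (True, True))):
        lab = build_lab(*state)
        print(label, "PC-A->PC-B:", can_ping(*lab, "PC-A", "PC-B"), "PC-A->PC-C:", can_ping(*lab, "PC-A", "PC-C"))
```

Part 2 is the instructive case: PC-A and PC-B are both in VLAN 10 and the same subnet, yet the search finds no link carrying VLAN 10 because F0/1 is still an access port in VLAN 1. Turning F0/1 into a trunk (Part 4) makes that path exist; PC-C stays unreachable from PC-A on both counts, VLAN and subnet.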



Configuring 802.1Q trunk-based inter-VLAN routing

File:Configuring_802_1_QTrunk-Based_InterVLAN_Routing.pdf


Background / Scenario:

A second method of providing routing and connectivity for multiple VLANs is through the use of an 802.1Q trunk between one or more switches and a single router interface. This method is also known as router-on-a-stick inter-VLAN routing. In this method, the physical router interface is divided into multiple sub-interfaces that provide logical pathways to all VLANs connected.

In this lab, you will configure trunk-based inter-VLAN routing and verify connectivity to hosts on different VLANs as well as with a loopback on the router.

Note: The routers used with CCNA hands-on labs are Cisco 1941 Integrated Services Routers (ISRs) with Cisco IOS, Release 15.2(4) M3(universal k9 image). The switches used are Cisco Catalyst 2960s with Cisco IOS, Release 15.0(2) (lanbasek9 image). Other routers, switches and Cisco IOS versions can be used. Depending on the model and Cisco IOS version, the commands available and output produced might vary.

Note: Make sure that the routers and switches have been erased and have no startup configurations. If you are unsure, contact your instructor.



Spanning Tree Protocol (STP)

STP (Spanning Tree Protocol) is the key protocol of Switching world. With STP, link redundancy is provided and switching loops are avoided.

STP has different versions:

  • Per-VLAN Spanning Tree (PVST) and Per-VLAN Spanning Tree Plus (PVST+)
  • RSTP (Rapid Spanning Tree Protocol). As its name suggests, RSTP is the fastest-converging version of STP.



PVST and PVST+

http://docs.ruckuswireless.com/fastiron/08.0.60/fastiron-08060-l2guide/GUID-F9905D20-F2BB-4286-B606-49BC36596CF1.html

Per VLAN Spanning Tree (PVST) is a Cisco proprietary protocol that allows a Cisco device to have multiple spanning trees. The Cisco device can interoperate with spanning trees on other PVST devices but cannot interoperate with IEEE 802.1Q devices. An IEEE 802.1Q device has all its ports running a single spanning tree. PVST+ is an extension of PVST that allows a Cisco device to also interoperate with devices that are running a single spanning tree (IEEE 802.1Q).


Enhanced PVST+ support allows a Ruckus device to interoperate with PVST spanning trees and the IEEE 802.1Q spanning tree at the same time.


IEEE 802.1Q and PVST regions cannot interoperate directly but can interoperate indirectly through PVST+ regions. PVST BPDUs are tunnelled through 802.1Q regions, while PVST BPDUs for VLAN 1 (the IEEE 802.1Q VLAN) are processed by PVST+ regions. The following figure shows the interaction of IEEE 802.1Q, PVST, and PVST+ regions.



Configuring Per-VLAN Spanning Tree Plus and Load Balancing

File:Configuring_Per-VLAN_Spanning_TreePlus_and_Load_Balancing.pdf

Per-VLAN Spanning Tree Plus (PVST+)


Background / Objectives:

  • Part 1: Configure VLANs
  • Part 2: Configure Spanning Tree PVST+ and Load Balancing
  • Part 3: Configure PortFast and BPDU Guard



Topology:

ConfiguringPVST-Topology.png



Addressing Table:

Device Interface IP Address Subnet Mask Default Gateway
S1 VLAN 99 172.31.99.1 255.255.255.0 N/A
S2 VLAN 99 172.31.99.2 255.255.255.0 N/A
S3 VLAN 99 172.31.99.3 255.255.255.0 N/A
PC1 NIC 172.31.10.21 255.255.255.0 172.31.10.254
PC2 NIC 172.31.20.22 255.255.255.0 172.31.20.254
PC3 NIC 172.31.30.23 255.255.255.0 172.31.30.254



Switch Port Assignment Specifications:

Ports Assignments Network
S1 F0/6 VLAN 30 172.17.30.0/24
S2 F0/18 VLAN 20 172.17.20.0/24
S3 F0/11 VLAN 10 172.17.10.0/24



Part 1 - Configure VLANs


Step 1 - Enable the user ports on S1 S2 and S3 in access mode

Refer to the topology diagram to determine which switch ports (S1, S2 and S3) are activated for end-user device access. These three ports will be configured for access mode and enabled with the no shutdown command.

S1(config)#interface f0/6
S1(config-if)#switchport mode access
S1(config-if)#no shutdown

S2(config)#interface f0/18
S2(config-if)#switchport mode access
S2(config-if)#no shutdown

S3(config)#interface f0/11
S3(config-if)#switchport mode access
S3(config-if)#no shutdown



Step 2 - Create VLANs

Using the appropriate commands, create VLANs 10, 20, 30, 40, 50, 60, 70, 80 and 99 on all of the switches:

vlan 10
vlan 20
vlan 30
vlan 40
vlan 50
vlan 60
vlan 70
vlan 80
vlan 99
end



Step 3 - Assign VLANs to switch ports

Port assignments are listed in the table at the beginning of the activity. Save your configurations after assigning switch ports to the VLANs.

S1(config)# interface f0/6
S1(config-if)#switchport access vlan 30

S2(config)# interface f0/18
S2(config-if)#switchport access vlan 20

S3(config)# interface f0/11
S3(config-if)#switchport access vlan 10



Step 4 - Verify the VLANs

Use the show vlan brief command on all switches to verify that all VLANs are registered in the VLAN table.



Step 5 - Assign the trunks to native VLAN 99

Use the appropriate command to configure ports F0/1 to F0/4 on each switch as trunk ports, and assign these trunk ports to native VLAN 99:

S1(config)#interface range f0/1-4
S1(config-if-range)# switchport mode trunk
S1(config-if-range)# switchport trunk native vlan 99

S2(config)#interface range f0/1-4
S2(config-if-range)# switchport mode trunk
S2(config-if-range)# switchport trunk native vlan 99

S3(config)#interface range f0/1-4
S3(config-if-range)# switchport mode trunk
S3(config-if-range)# switchport trunk native vlan 99



Step 6 - Configure the management interface on all three switches with an address

S1(config)#interface vlan99
S1(config-if)#ip address 172.31.99.1 255.255.255.0

S2(config)#interface vlan99
S2(config-if)#ip address 172.31.99.2 255.255.255.0

S3(config)#interface vlan99
S3(config-if)#ip address 172.31.99.3 255.255.255.0


Verify that the switches are correctly configured by pinging between them.



Part 2 - Configure Spanning Tree PVST+ and Load Balancing

Because there is a separate instance of the spanning tree for every active VLAN, a separate root election is conducted for each instance. If the default switch priorities are used in root selection, the same root is elected for every spanning tree instance, as we have seen. This could lead to an inferior design. Some reasons to control the selection of the root switch include:

  • The root switch is responsible for generating BPDUs for STP 802.1D and is the focal point for spanning tree to control traffic. The root switch must be capable of handling this additional load.
  • The placement of the root defines the active switched paths in the network. Random placement is likely to lead to suboptimal paths. Ideally the root is in the distribution layer.
  • Consider the topology used in this activity. Of the six trunks configured, only three are carrying traffic. While this prevents loops, it is a waste of resources. Because the root can be defined on the basis of the VLAN, you can have some ports blocking for one VLAN and forwarding for another. This is demonstrated below.



Step 1 - Configure STP mode

Use the spanning-tree mode command to configure the switches so they use PVST as the STP mode:

S1(config)# spanning-tree mode pvst

S2(config)# spanning-tree mode pvst

S3(config)# spanning-tree mode pvst


Step 2 - Configure Spanning Tree PVST+ and load balancing

  • Configure S1 to be the primary root for VLANs 1, 10, 30, 50 and 70.
  • Configure S3 to be the primary root for VLANs 20, 40, 60, 80 and 99.
  • Configure S2 to be the secondary root for all VLANs.

S1(config)#spanning-tree vlan 1,10,30,50,70 root primary

S2(config)#spanning-tree vlan 1,10,20,30,40,50,60,70,80,99 root secondary

S3(config)#spanning-tree vlan 20,40,60,80,99 root primary

Verify your configurations using the show spanning-tree command.



Part 3 - Configure PortFast and BPDU Guard


Step 1 - Configure PortFast on the switches

PortFast causes a port to enter the forwarding state almost immediately by dramatically decreasing the time of the listening and learning states. PortFast minimizes the time it takes for the server or workstation to come online. Configure PortFast on the switch interfaces that are connected to PCs.

S1(config)#interface f0/6
S1(config-if)#spanning-tree portfast

S2(config)#interface f0/18
S2(config-if)#spanning-tree portfast

S3(config)#interface f0/11
S3(config-if)#spanning-tree portfast



Step 2 - Configure BPDU guard on the switches

The STP PortFast BPDU guard enhancement allows network designers to enforce the STP domain borders and keep the active topology predictable. The devices behind the ports that have STP PortFast enabled are unable to influence the STP topology. On reception of a BPDU, BPDU guard disables the port that has PortFast configured: it transitions the port into the err-disable state, and a message appears on the console. Configure BPDU guard on the switch interfaces that are connected to PCs:

S1(config)#interface f0/6
S1(config-if)#spanning-tree bpduguard enable

S2(config)#interface f0/18
S2(config-if)#spanning-tree bpduguard enable

S3(config)#interface f0/11
S3(config-if)#spanning-tree bpduguard enable


Use the show running-config command to verify your configuration.



Rapid Spanning Tree Protocol

RSTP (Rapid Spanning Tree Protocol)

https://ipcisco.com/lesson/rstp-configuration-on-cisco-packet-tracer/



Building a Switched Network with Redundant Links - Spanning Tree Protocol (STP)

File:Building_a_Switched_Network_with_Redundant_Links-Spanning_Tree_Protocol-STP.pdf


Building a Switched Network with Redundant Links-STP-Topology.png



Background / Scenario:

Redundancy increases the availability of devices in the network topology by protecting the network from a single point of failure.


Redundancy in a switched network is accomplished through the use of multiple switches or multiple links between switches.


When physical redundancy is introduced into a network design, loops and duplicate frames can occur. The Spanning Tree Protocol (STP) was developed as a Layer 2 loop-avoidance mechanism for redundant links in a switched network.


STP ensures that there is only one logical path between all destinations on the network by intentionally blocking redundant paths that could cause a loop.


In this lab, you will use the show spanning-tree command to observe the STP election process of the root bridge. You will also observe the port selection process based on cost and priority.



Required Resources:

  • The switches used are Cisco Catalyst 2960s.



Part 1 - Determine the Root Bridge

Every spanning-tree instance (switched LAN or broadcast domain) has a switch designated as the root bridge.


The root bridge serves as a reference point for all spanning-tree calculations to determine which redundant paths to block. An election process determines which switch becomes the root bridge.


The switch with the lowest bridge identifier (BID) becomes the root bridge. The BID is made up of:

  • The bridge priority value: it can range from 0 to 65,535, in increments of 4,096, with a default value of 32,768.
  • An extended system ID: this is always the VLAN number.
  • The MAC address of the switch.



Step 1 - Display spanning tree information

Issue the show spanning-tree command on all three switches.

In the example below, all three switches have equal Bridge ID Priority values of 32769, since the default priority is 32768 and the VLAN number is 1. Therefore, the switch with the lowest MAC address becomes the root bridge (Switch0 in the example).


Note: The default STP mode on the 2960 switch is Per VLAN Spanning Tree (PVST)

Switch0# show spanning-tree


# Output:
VLAN0001
    Spanning tree enabled protocol ieee
    Root ID    Priority    32769
               Address     0001.633C.DED5
               This bridge is the root
               Hello Time  2 sec  Max Age 20 sec  Forward Delay 15 sec


    Bridge ID  Priority    32769  (priority 32768 sys-id-ext 1)
               Address     0001.633C.DED5
               Hello Time  2 sec  Max Age 20 sec  Forward Delay 15 sec
               Aging Time  20

Interface        Role Sts Cost      Prio.Nbr Type
-----------------------------------------------------
Fa0/4            Desg FWD 19        128.4    P2p
Fa0/5            Desg FWD 19        128.5    P2p


Based on the output from your switches, answer the following questions.

  • Which switch is the root bridge?
  • Why did spanning tree select this switch as the root bridge?
  • Which ports are the root ports on the switches?
  • Which ports are the designated ports on the switches?
  • What port is showing as an alternate port and is currently being blocked?
  • Why did spanning tree select this port as the non-designated (blocked) port?
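As an added example (not part of the lab or of Cisco's material), the election described above carried out in code: the script parses the Bridge ID lines of show spanning-tree from several switches and, per VLAN, picks the lowest BID (priority field first, then the MAC address as the tie-break). It also shows why the PVST+ root primary commands of the previous activity give different VLANs different roots. The switch outputs, MAC addresses and the priority on S1 are constructed sample data.

```python
import re
from dataclasses import dataclass

# Constructed sample (not captured from the lab on this page): the Bridge ID
# lines of `show spanning-tree` from three switches. S1 has been made
# `root primary` for VLAN 10 (priority 24576); everything else is default.
SAMPLE_OUTPUT = {
    "S1": """
VLAN0001
  Spanning tree enabled protocol ieee
  Bridge ID  Priority    32769  (priority 32768 sys-id-ext 1)
             Address     0001.633C.DED5
VLAN0010
  Spanning tree enabled protocol ieee
  Bridge ID  Priority    24586  (priority 24576 sys-id-ext 10)
             Address     0001.633C.DED5
""",
    "S2": """
VLAN0001
  Bridge ID  Priority    32769  (priority 32768 sys-id-ext 1)
             Address     0002.4A11.0C01
VLAN0010
  Bridge ID  Priority    32778  (priority 32768 sys-id-ext 10)
             Address     0002.4A11.0C01
""",
    "S3": """
VLAN0001
  Bridge ID  Priority    32769  (priority 32768 sys-id-ext 1)
             Address     0001.42AB.7700
VLAN0010
  Bridge ID  Priority    32778  (priority 32768 sys-id-ext 10)
             Address     0001.42AB.7700
""",
}

VLAN_HEADER = re.compile(r"^VLAN(\d+)[ \t]*$", re.MULTILINE)
BRIDGE_ID = re.compile(
    r"Bridge ID\s+Priority\s+(\d+)\s+\(priority\s+(\d+)\s+sys-id-ext\s+(\d+)\)"
    r"\s*\n\s*Address\s+([0-9A-Fa-f]{4}\.[0-9A-Fa-f]{4}\.[0-9A-Fa-f]{4})"
)


@dataclass(frozen=True)
class BridgeId:
    priority: int  # configured bridge priority, a multiple of 4096 (default 32768)
    vlan: int      # extended system ID: the VLAN number under PVST+
    mac: str       # base MAC address of the switch, Cisco dotted form

    @property
    def value(self) -> int:
        """The 16-bit field IOS prints as 'Priority' (priority + sys-id-ext)."""
        return self.priority + self.vlan

    def sort_key(self) -> tuple[int, int]:
        """Lowest BID wins: compare the priority field first, then the MAC as an integer."""
        return (self.value, int(self.mac.replace(".", ""), 16))


def parse_bridge_ids(output: str) -> dict[int, BridgeId]:
    """Return {vlan: BridgeId} for every VLANxxxx section of one switch's output."""
    result: dict[int, BridgeId] = {}
    parts = VLAN_HEADER.split(output)  # [preamble, '0001', body, '0010', body, ...]
    for vlan_str, body in zip(parts[1::2], parts[2::2]):
        match = BRIDGE_ID.search(body)
        if match is None:
            continue
        printed, priority, sys_id, mac = match.groups()
        bid = BridgeId(int(priority), int(sys_id), mac.lower())
        # Sanity checks: the section's VLAN must equal sys-id-ext, and the
        # printed Priority must be priority + sys-id-ext.
        if bid.vlan != int(vlan_str) or bid.value != int(printed):
            raise ValueError(f"inconsistent Bridge ID in VLAN{vlan_str}: {match.group(0)!r}")
        result[bid.vlan] = bid
    return result


def elect_root(outputs: dict[str, str]) -> dict[int, str]:
    """For each VLAN, name the switch whose BID compares lowest: the root bridge."""
    candidates: dict[int, list[tuple[BridgeId, str]]] = {}
    for name, text in outputs.items():
        for vlan, bid in parse_bridge_ids(text).items():
            candidates.setdefault(vlan, []).append((bid, name))
    return {
        vlan: min(entries, key=lambda entry: entry[0].sort_key())[1]
        for vlan, entries in sorted(candidates.items())
    }


if __name__ == "__main__":
    for vlan, root in elect_root(SAMPLE_OUTPUT).items():
        print(f"VLAN {vlan}: root bridge is {root}")
```

With the sample data, VLAN 1 goes to S3 purely on the lowest MAC address, while the lowered priority makes S1 the root for VLAN 10.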



Part 2 - Observe STP Port Selection based on Port Cost

The spanning tree algorithm (STA) uses the root bridge as the reference point and then determines which ports to block, based on path cost.


The port with the lower path cost is preferred. If port costs are equal, then spanning tree compares BIDs. If the BIDs are equal, then the port priorities are used to break the tie. Lower values are always preferred.


Locate the switch with the blocked port:

With the current configuration, only one switch should have a port that is blocked by STP. Issue the show spanning-tree command on both non-root switches. In the example below, spanning tree is blocking port F0/1 on the switch with the highest BID (Switch 2).



Step 1 - Configuring priority to influence the root election


Step 2 - Observe spanning tree changes


Configuring Switch Security Features

In this lab, you will follow some best practices for configuring security features on LAN switches:

  • You will allow SSH sessions only.
  • You will shut down all unused physical ports.
  • You will also configure and verify port security to lock out any device with a MAC address not recognized by the switch.


Topology


Device Interface IP Address Subnet Mask Default Gateway
R1 G0/1 172.16.99.1 255.255.255.0 N/A
S1 VLAN 99 172.16.99.11 255.255.255.0 172.16.99.1
PC-A NIC DHCP DHCP DHCP



Part 1 - Cable the network as shown in the topology

Required Resources:

  • 1 Router (Cisco 1941 with Cisco IOS Release 15.2(4)M3 universal image or comparable).
  • 1 Switch (Cisco 2960 with Cisco IOS Release 15.0(2) or comparable).
  • 1 PC Generic.
  • The connections between devices have to be made using straight-through cables (remember the general rule: straight-through cables connect different kinds of devices, cross-over cables connect devices of the same kind).



Part 2 - Configure Basic Device Settings and Verify Connectivity

Configure basic settings on the router, switch, and PC. Refer to the Topology and Addressing Table.



Step 1 - Configure an IP address on PC-A to obtain one automatically from router DHCP

  • Console into the router and enter global configuration mode.
  • Configure the IP address of the Router:
Router(config)#interface gig 0/1
Router(config-if)#ip address 172.16.99.1 255.255.255.0
Router(config-if)#no shut
Router(config-if)#exit


  • Configure a DHCP server on the Router:
Router(config)#ip dhcp excluded-address 172.16.99.1 172.16.99.20
Router(config)#ip dhcp pool CCT
Router(dhcp-config)#network 172.16.99.0 255.255.255.0
Router(dhcp-config)#default-router 172.16.99.1
Router(dhcp-config)#dns-server 8.8.8.8
Router(dhcp-config)#exit


Explanation of commands:

Router(config)#ip dhcp excluded-address 172.16.99.1 172.16.99.20
Specifies the range of addresses not to be leased out to clients.

Router(config)#ip dhcp pool CCT
Creates a DHCP pool named in this case CCT. The name can be anything of your choosing. 

Router(dhcp-config)#network 172.16.99.0 255.255.255.0
Defines the range of addresses to be leased.

Router(dhcp-config)#default-router 172.16.99.1
Defines the address of the default router for the client.

Router(dhcp-config)#dns-server 8.8.8.8
Defines the address of the Domain Name Server for the client.

Now go into your PC and change the radio button from static to dynamic (DHCP). You should get a window like the one below. Why did it give the PC the address 172.16.99.21?



Step 2 - Configure basic settings on R1

  • Console into R1 and enter global configuration mode. Copy the following basic configuration and paste it to running-configuration on R1:
no ip domain-lookup
hostname R1
service password-encryption
enable secret class
banner motd #
Unauthorized access is strictly prohibited. #
line con 0
password cisco
login
logging synchronous
line vty 0 4
password cisco
login
end

Then, save the running configuration to startup configuration.



Step 3 - Configure basic settings on S1

  • Console into S1 and enter global configuration mode. Copy the following basic configuration and paste it to running-configuration on S1:
no ip domain-lookup
hostname S1
service password-encryption
enable secret class
banner motd #
Unauthorized access is strictly prohibited. #
line con 0
password cisco
login
logging synchronous
exit


  • Create VLAN 99 on the switch and name it Management:
S1(config)# vlan 99
S1(config-vlan)# name Management
S1(config-vlan)# exit
S1(config)#


  • Configure the VLAN 99 management interface IP address, as shown in the Addressing Table, and enable the interface:
S1(config)# interface vlan 99
S1(config-if)# ip address 172.16.99.11 255.255.255.0
S1(config-if)# no shutdown
S1(config-if)# end
S1#


  • Issue the show vlan command on S1:
What is the status of VLAN 99?: Active


  • Issue the show ip interface brief command on S1:
What is the status and protocol for management interface VLAN 99?: Status is up, and protocol is down.
Why is the protocol down, even though you issued the no shutdown command for interface VLAN 99?
No physical ports on the switch have been assigned to VLAN 99.


  • Assign ports to VLAN 99 on the switch:
S1# config t
S1(config)# interface gigabitEthernet 0/1
S1(config-if)# switchport mode access
S1(config-if)# switchport access vlan 99
S1(config-if)# exit
S1(config)# interface gigabitEthernet 0/2
S1(config-if)# switchport mode access
S1(config-if)# switchport access vlan 99
S1(config-if)# end


  • Save the running configuration to startup configuration.


  • Issue the show ip interface brief command on S1. What is the status and protocol showing for interface VLAN 99?
Up and up
Note: There may be a delay while the port states converge.



Step 4 - Verify connectivity between devices

  • From PC-A, ping the default gateway address on R1 (172.16.99.1). Were your pings successful? Yes
  • From PC-A, ping the Management address of S1 (172.16.99.11). Were your pings successful? Yes
  • From S1, ping the default gateway address on R1 (172.16.99.1). Were your pings successful? Yes


  • Note: The non-secure web interface (HTTP server) on a Cisco 2960 switch is enabled by default. A common security measure is to disable this service, as described in Part 4.



Part 3 - Configure and Verify SSH Access on S1


Step 1 - Configure S1 to allow SSH connections only

  • Enable SSH on S1: From global configuration mode, create a domain name of CCNA-Lab.com:
S1(config)# ip domain-name CCNA-Lab.com


  • Create a local user database entry for use when connecting to the switch via SSH:
The user should have administrative level access.
Note: The password used here is NOT a strong password. It is merely being used for lab purposes.
S1(config)# username admin privilege 15 secret sshadmin


  • Configure the transport input for the vty lines to allow SSH connections only, and use the local database for authentication:
S1(config)# line vty 0 15
S1(config-line)# transport input ssh
S1(config-line)# login local
S1(config-line)# exit


  • Generate an RSA crypto key using a modulus of 1024 bits:
S1(config)# crypto key generate rsa 

The name for the keys will be: S1.CCNA-Lab.com
Choose the size of the key modulus in the range of 360 to 2048 for your
  General Purpose Keys. Choosing a key modulus greater than 512 may take
  a few minutes.

How many bits in the modulus [512]: 1024
% Generating 1024 bit RSA keys, keys will be non-exportable...[OK]

S1(config)#
S1(config)# end


  • Verify the SSH configuration:
S1# show ip ssh

SSH Enabled - version 1.99
Authentication timeout: 120 secs; Authentication retries: 3
Minimum expected Diffie Hellman key size : 1024 bits
IOS Keys in SECSH format(ssh-rsa, base64 encoded):
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQCKWqCN0g4XLVdJJUOr+9qoJkFqC/g0OuAV1semrR5/
xy0bbUBPywvqhwSPJtucIKxKw/YfrRCeFwY+dc+/jGSeckAHahuv0jJfOdFcgqiKGeeluAu+iQ2drE+k
butnlLTGmtNhdEJMxri/ZeO3BsFcnHpO1hbB6Vsm4XRXGk7OfQ==


  • What version of SSH is the switch using? : 1.99
  • How many authentication attempts does SSH allow? : 3
  • What is the default timeout setting for SSH? : 120 seconds



Step 2 - Modify the SSH configuration on S1

Modify the default SSH configuration.

S1# config t
S1(config)# ip ssh time-out 75
S1(config)# ip ssh authentication-retries 2
S1(config)# end

S1# show ip ssh
SSH Enabled - version 1.99
Authentication timeout: 75 secs; Authentication retries: 2
Minimum expected Diffie Hellman key size : 1024 bits
IOS Keys in SECSH format(ssh-rsa, base64 encoded):
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQCKWqCN0g4XLVdJJUOr+9qoJkFqC/g0OuAV1semrR5/
xy0bbUBPywvqhwSPJtucIKxKw/YfrRCeFwY+dc+/jGSeckAHahuv0jJfOdFcgqiKGeeluAu+iQ2drE+k
butnlLTGmtNhdEJMxri/ZeO3BsFcnHpO1hbB6Vsm4XRXGk7OfQ==

  • How many authentication attempts does SSH allow? : 2
  • What is the timeout setting for SSH? : 75 seconds



Step 3 - Verify the SSH configuration on S1

  • Using the SSH client software on PC-A (use the command prompt), open an SSH connection to S1. If you receive a message on your SSH client regarding the host key, accept it. Log in with admin as the username and sshadmin as the password:
ssh -l admin 172.16.99.11
Was the connection successful? : Yes
What prompt was displayed on S1? Why? : Unauthorized access is strictly prohibited.
  • S1 is showing the prompt at privileged EXEC mode because the privilege 15 option was used when configuring username and password.
  • Type exit to end the SSH session on S1.



Part 4 - Configure and Verify Security Features on S1

Switches can be subject to MAC address table overflow attacks, MAC spoofing attacks, and unauthorized connections to switch ports.

In this part:

  • You will shut down unused ports and configure port security based on MAC addresses.
  • You will limit the number of MAC addresses that can be learned on a switch port and disable the port if that number is exceeded.



Step 1 - Configure and verify general security features on S1


Change the message of the day -MOTD- banner
  • Change the message of the day (MOTD) banner on S1 to, "Unauthorized access is strictly prohibited. Violators will be prosecuted to the full extent of the law."



Shut down all unused physical ports
  • Issue a show ip interface brief command on S1. What physical ports are up? : Ports G0/1 and G0/2


  • Shut down all unused physical ports on the switch. Use the «interface range» command:
S1(config)# interface range f0/1 - 24
S1(config-if-range)# shutdown
S1(config-if-range)# end
S1#



Step 2 - Configure and verify port security on S1


Recording MAC addresses
  • Record the R1 G0/1 MAC address:

From the R1 CLI, use the show interface g0/1 command and record the MAC address of the interface:

R1# show interface g0/1

What is the MAC address of the R1 G0/1 interface:


  • Record the S1 G0/1 and G0/2 MAC addresses:

From the S1 CLI, issue a show mac address-table command from privileged EXEC mode. Find the dynamic entries for ports G0/1 and G0/2. Record them below:

G0/1 MAC address : 30f7.0da3.1821
G0/2 MAC address : 00e0.b857.1ccd



Configure basic port security - Enable port security and Lock out any device with a MAC address not recognized by the switch

To lock out any device with a MAC address not recognized by the switch we will configure a static entry for the MAC address of the interface connected to a port.

Note: This procedure would normally be performed on all access ports on the switch. G0/1 is shown here as an example.

  • From the S1 CLI, enter interface configuration mode for the port that connects to R1:
S1(config)# interface G0/1


  • Shut down the port:
S1(config-if)# shutdown


  • Enable port security on G0/1:
S1(config-if)# switchport port-security
Note: Entering the switchport port-security command sets the maximum MAC addresses to 1 and the violation action to shutdown. The switchport port-security maximum and switchport port-security violation commands can be used to change the default behavior.


  • Configure a static entry for the MAC address of the interface (R1 G0/1 interface) connected to S1 G0/1:
S1(config-if)# switchport port-security mac-address xxxx.xxxx.xxxx
Note: Optionally, you can use the switchport port-security mac-address sticky command to add all the secure MAC addresses that are dynamically learned on a port (up to the maximum set) to the switch running configuration.


  • Enable the switch port:
S1(config-if)# no shutdown
S1(config-if)# end



Verify port security on S1 G0/1 by issuing the show port-security interface command:

S1# show port-security interface g0/1

Port Security              : Enabled
Port Status                : Secure-up
Violation Mode             : Shutdown
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 1
Total MAC Addresses        : 1
Configured MAC Addresses   : 1
Sticky MAC Addresses       : 0
Last Source Address:Vlan   : 0000.0000.0000:0
Security Violation Count   : 0
  • What is the port status of G0/1? : The status is Secure-up, which indicates that the port is secure and that the status and protocol are up.



You will now violate security by changing the MAC address on the router interface


Configure a new MAC address for the interface
  • Enter interface configuration mode for G0/1 and shut it down:
R1# config t
R1(config)# interface g0/1
R1(config-if)# shutdown


  • Configure a new MAC address for the interface, using aaaa.bbbb.cccc as the address:
R1(config-if)# mac-address aaaa.bbbb.cccc


  • Enable the G0/1 interface on R1.
If possible, have a console connection open on S1 at the same time that you do the next two steps. You will eventually see messages displayed on the console connection to S1 indicating a security violation.
R1(config-if)# no shutdown



Checking connectivity by pinging PC-A from R1
  • From R1 privileged EXEC mode, ping PC-A. Was the ping successful? Why or why not? : No, the G0/1 port on S1 is shut down because of the security violation.



On the switch - verify port security with the following commands
S1# show port-security


S1# show port-security interface g0/1


S1# show interface g0/1


S1# show port-security address



On the router - Remove the hard-coded MAC address configured
  • Shut down the G0/1 interface
  • Remove the hard-coded MAC address from the router, and
  • Re-enable the G0/1 interface:
R1(config-if)# shutdown
R1(config-if)# no mac-address aaaa.bbbb.cccc
R1(config-if)# no shutdown
R1(config-if)# end

S1# show interface g0/1



Clear the S1 G0/1 error disabled status

S1# config t
S1(config)# interface g0/1
S1(config-if)# shutdown
S1(config-if)# no shutdown
S1(config-if)# end

Note: There may be a delay while the port states converge.



Verify that G0/1 is no longer in error disabled mode

Issue the show interface g0/1 command on S1 to verify that G0/1 is no longer in error disabled mode:

S1# show interface g0/1



From the R1 command prompt ping PC-A again

The ping should be successful.
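As an added example (not part of the lab), a small parser for the show port-security interface output used above: it classifies a port as clean or err-disabled by a violation, extracts the offending source MAC that the switch records, and lists the recovery steps the lab performs (remove the unauthorised device, then shutdown / no shutdown). The "after violation" capture and the interface name passed in are constructed, modelled on the lab's own output.

```python
# Two constructed `show port-security interface g0/1` captures (modelled on the
# output shown above, not copied from a device): before the violation, and after
# R1's MAC was changed to aaaa.bbbb.cccc and its interface brought back up.
BEFORE_VIOLATION = """\
Port Security              : Enabled
Port Status                : Secure-up
Violation Mode             : Shutdown
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 1
Total MAC Addresses        : 1
Configured MAC Addresses   : 1
Sticky MAC Addresses       : 0
Last Source Address:Vlan   : 0000.0000.0000:0
Security Violation Count   : 0
"""

AFTER_VIOLATION = (
    BEFORE_VIOLATION.replace("Secure-up", "Secure-shutdown")
    .replace("0000.0000.0000:0", "aaaa.bbbb.cccc:1")
    .replace("Security Violation Count   : 0", "Security Violation Count   : 1")
)


def parse_port_security(text: str) -> dict[str, str]:
    """Turn the 'Field : value' lines of show port-security interface into a dict."""
    fields: dict[str, str] = {}
    for line in text.splitlines():
        # Split on the first ' : ' so that 'Last Source Address:Vlan' keeps its colon.
        key, sep, value = line.partition(" : ")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def assess_port(text: str, interface: str) -> dict:
    """Classify one port's port-security state and say how to recover it."""
    f = parse_port_security(text)
    status = f.get("Port Status", "").lower()
    violations = int(f.get("Security Violation Count", "0"))
    last_mac, _, last_vlan = f.get("Last Source Address:Vlan", "").partition(":")
    err_disabled = status == "secure-shutdown"
    # The switch records the source MAC that triggered the last violation;
    # 0000.0000.0000 means there has not been one.
    has_offender = violations > 0 and last_mac != "0000.0000.0000"
    recovery = []
    if err_disabled:
        # Order matters: bouncing the port while the offending device is still
        # attached only produces the next violation.
        recovery = [
            f"remove or correct the device sending {last_mac} on {interface}",
            f"interface {interface}",
            "shutdown",
            "no shutdown",
        ]
    return {
        "enabled": f.get("Port Security") == "Enabled",
        "violation_mode": f.get("Violation Mode"),
        "max_addresses": int(f.get("Maximum MAC Addresses", "0")),
        "err_disabled": err_disabled,
        "violations": violations,
        "offending_mac": last_mac if has_offender else None,
        "offending_vlan": int(last_vlan) if has_offender and last_vlan else None,
        "recovery": recovery,
    }


if __name__ == "__main__":
    for label, capture in (("before", BEFORE_VIOLATION), ("after", AFTER_VIOLATION)):
        print(label, assess_port(capture, "g0/1"))
```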



Reflection


Why would you enable port security on a switch?

It would help prevent unauthorized devices from accessing your network if they plugged into a switch on your network.



Why should unused ports on a switch be disabled?

One excellent reason is that a user could not connect a device to the switch on an unused port and access the LAN.



Extension task

Investigate the Cisco IOS - Privilege Levels: https://learningnetwork.cisco.com/blogs/community_cafe/2015/10/23/cisco-ios-privilege-levels

Visit the above link and experiment with the different privilege levels as shown on the blog.



Secure Trunks and Access Ports

File:Secure_Trunks_and_Access_Ports-_Layer2_security.pdf


Securing trunk ports can help stop VLAN hopping attacks:

  • The best way to prevent a basic VLAN hopping attack is to turn off trunking on all ports except the ones that specifically require trunking.
  • If no trunking is required on an interface, configure the port as an access port. This disables trunking on the interface.
  • On the required trunking ports, disable DTP (auto trunking) negotiations and manually enable trunking.


In this lab we'll configure trunk ports:

  • Change the native VLAN for trunk ports.
  • Verify trunk configuration.
  • Enable storm control for broadcasts on the trunk ports.


Topology


Device Interface IP Address Subnet Mask Default Gateway Switch Port
R1 Fa0/1 192.168.1.1 255.255.255.0 N/A S1 Fa0/5
S1 VLAN 1 192.168.1.2 255.255.255.0 N/A N/A
S2 VLAN 1 192.168.1.3 255.255.255.0 N/A N/A
PC-A NIC 192.168.1.10 255.255.255.0 192.168.1.1 S1 Fa0/6
PC-B NIC 192.168.1.10 255.255.255.0 192.168.1.1 S2 Fa0/18



Task 1 - Secure Trunk Ports


Step 1 - Configure switch S1 as the root switch

For the purposes of this lab, assume that switch S2 is currently the root bridge and that switch S1 is preferred as the root switch. To force S1 to become the new root bridge, you configure a new priority for it.

  • The default priority for switches S1 and S2 is 32769 (32768 + 1 with System ID Extension). Set S1 priority to 0 so that it becomes the root switch:
S1(config)#spanning-tree vlan 1 priority 0
S1(config)#exit


  • Issue the show spanning-tree command to verify that S1 is the root bridge and to see the ports in use and their status:
S1#show spanning-tree


  • What is the S1 priority? :
  • What ports are in use and what is their status? :



Step 2 - Configure trunk ports on S1 and S2

  • Configure port Fa0/1 on S1 as a trunk port:
S1(config)#interface FastEthernet 0/1
S1(config-if)#switchport mode trunk


  • Configure port Fa0/1 on S2 as a trunk port:
S2(config)#interface FastEthernet 0/1
S2(config-if)#switchport mode trunk


  • Verify that S1 port Fa0/1 is in trunking mode with the show interfaces trunk command:
S1#show interfaces trunk



Step 3 - Change the native VLAN for the trunk ports on S1 and S2

Changing the native VLAN for trunk ports to an unused VLAN helps prevent VLAN hopping attacks.


  • Check the current native VLAN for the S1 Fa0/1 trunk interface using the show interfaces trunk command:


  • Set the native VLAN on the S1 Fa0/1 trunk interface to an unused VLAN, VLAN 99:
S1(config)#interface Fa0/1
S1(config-if)#switchport trunk native vlan 99
S1(config-if)#end


  • In the main Packet Tracer interface, click FAST FORWARD TIME. The following message should be displayed after a brief period of time:
02:16:28: %CDP-4-NATIVE_VLAN_MISMATCH: Native VLAN mismatch discovered on FastEthernet0/1 (99), with S2 FastEthernet0/1 (1).
  • What does the message mean?


  • Set the native VLAN on the S2 Fa0/1 trunk interface to VLAN99:
S2(config)#interface Fa0/1
S2(config-if)#switchport trunk native vlan 99
S2(config-if)#end



Step 4 - Prevent the use of DTP on S1 and S2

Setting the trunk port to not negotiate also helps to mitigate VLAN hopping by turning off the generation of DTP frames.

S1(config)#interface Fa0/1
S1(config-if)#switchport nonegotiate

S2(config)#interface Fa0/1
S2(config-if)#switchport nonegotiate



Step 5 - Verify the trunking configuration on port Fa0/1

S1#show interfaces trunk

S1#show interface fa0/1 switchport



Step 6 - Enable storm control for broadcasts

Enable storm control for broadcasts on the trunk port with a 50 percent rising suppression level using the storm-control broadcast command:

S1(config)#interface FastEthernet 0/1
S1(config-if)#storm-control broadcast level 50

S2(config)#interface FastEthernet 0/1
S2(config-if)#storm-control broadcast level 50



Step 7 - Verify your configuration with the show run command

Use the show run command to display the running configuration, beginning with the first line that has the text string "0/1" in it.

S1#show run

interface FastEthernet0/1
  switchport trunk native vlan 99
  switchport mode trunk
  switchport nonegotiate
  storm-control broadcast level 50.00



Task 2 - Secure Access Ports

By manipulating the STP root bridge parameters, network attackers hope to spoof their system, or a rogue switch that they add to the network, as the root bridge in the topology. If a port that is configured with PortFast receives a BPDU, STP can put the port into the blocking state by using a feature called BPDU guard.



Step 1 - Disable trunking on access ports

  • On S1, configure Fa0/5, the port to which R1 is connected, as access mode only:
S1(config)#interface FastEthernet 0/5
S1(config-if)#switchport mode access


  • On S1, configure Fa0/6, the port to which PC-A is connected, as access mode only:
S1(config)#interface FastEthernet 0/6
S1(config-if)#switchport mode access


  • On S2, configure Fa0/18, the port to which PC-B is connected, as access mode only:
S2(config)#interface FastEthernet 0/18
S2(config-if)#switchport mode access



Task 3 - Protect Against STP Attacks

The topology has only two switches and no redundant paths, but STP is still active. In this step, you enable some switch security features that can help reduce the possibility of an attacker manipulating switches via STP-related methods.



Step 1 - Enable PortFast on S1 and S2 access ports

PortFast is configured on access ports that connect to a single workstation or server to enable them to become active more quickly.

  • Enable PortFast on the S1 Fa0/5 access port:
S1(config)#interface FastEthernet 0/5
S1(config-if)#spanning-tree portfast

The following Cisco IOS warning message is displayed:

%Warning: portfast should only be enabled on ports connected to a single host. Connecting hubs, concentrators, switches, bridges, etc... to this interface when portfast is enabled, can cause temporary bridging loops. Use with CAUTION

%Portfast has been configured on FastEthernet0/5 but will only have effect when the interface is in a non-trunking mode.


  • Enable PortFast on the S1 Fa0/6 access port:
S1(config)#interface FastEthernet 0/6
S1(config-if)#spanning-tree portfast


  • Enable PortFast on the S2 Fa0/18 access port:
S2(config)#interface FastEthernet 0/18
S2(config-if)#spanning-tree portfast



Step 2 - Enable BPDU guard on the S1 and S2 access ports

BPDU guard is a feature that can help prevent rogue switches and spoofing on access ports.

  • Enable BPDU guard on the switch ports previously configured as access only:
S1(config)#interface FastEthernet 0/5
S1(config-if)#spanning-tree bpduguard enable

S1(config)#interface FastEthernet 0/6
S1(config-if)#spanning-tree bpduguard enable

S2(config)#interface FastEthernet 0/18
S2(config-if)#spanning-tree bpduguard enable


  • PortFast and BPDU guard can also be enabled globally with the spanning-tree portfast default and spanning-tree portfast bpduguard default commands in global configuration mode.
Note: BPDU guard can be enabled on all access ports that have PortFast enabled. These ports should never receive a BPDU. BPDU guard is best deployed on user-facing ports to prevent rogue switch network extensions by an attacker. If a port enabled with BPDU guard receives a BPDU, it is disabled and must be manually re-enabled. An err-disable timeout can be configured on the port so that it can recover automatically after a specified time period.
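As an added example (not part of the lab), a running-config audit that checks the Layer 2 hardening built up in Task 1 (trunks: native VLAN moved off 1, DTP disabled, storm control), Task 3 (access ports: PortFast plus BPDU guard) and the port-security step of the previous lab, and flags ports that are neither configured nor shut down. The config excerpt is a constructed sample modelled on S1 above, with a couple of deliberately incomplete ports added.

```python
# Constructed running-config excerpt modelled on the S1 configuration built in
# Task 1 to Task 3 above (a constructed sample, not a capture from this lab).
# Fa0/1 is fully hardened; Fa0/2, Fa0/5 and Fa0/7 each miss something.
SAMPLE_RUNNING_CONFIG = """\
hostname S1
!
interface FastEthernet0/1
 switchport trunk native vlan 99
 switchport mode trunk
 switchport nonegotiate
 storm-control broadcast level 50.00
!
interface FastEthernet0/2
 switchport mode trunk
!
interface FastEthernet0/5
 switchport mode access
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface FastEthernet0/6
 switchport mode access
 switchport port-security
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface FastEthernet0/7
!
interface FastEthernet0/8
 shutdown
!
interface Vlan1
 ip address 192.168.1.2 255.255.255.0
!
end
"""

ACCESS_PORT_REQUIREMENTS = (
    ("spanning-tree portfast", "no PortFast: the port waits through listening and learning (2 x 15 s)"),
    ("spanning-tree bpduguard enable", "no BPDU guard: a rogue switch on this port could join STP"),
    ("switchport port-security", "no port security: any MAC address is accepted on this port"),
)


def parse_interfaces(config: str) -> dict[str, list[str]]:
    """Split an IOS running-config into {interface name: [its indented sub-commands]}."""
    interfaces: dict[str, list[str]] = {}
    current = None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None  # '!' or any top-level command ends the stanza
    return interfaces


def audit_interface(name: str, commands: list[str]) -> list[str]:
    """Return the hardening gaps found on one physical switch port (empty list = clean)."""
    if not name.startswith(("FastEthernet", "GigabitEthernet")):
        return []  # SVIs and the like are out of scope here
    cmds = set(commands)
    if "shutdown" in cmds:
        return []  # administratively down is the desired state for an unused port
    findings = []
    if "switchport mode trunk" in cmds:
        if "switchport nonegotiate" not in cmds:
            findings.append("trunk still sends DTP frames: add 'switchport nonegotiate'")
        native = next((c.rsplit(None, 1)[1] for c in cmds
                       if c.startswith("switchport trunk native vlan ")), "1")
        if native == "1":
            findings.append("native VLAN is the default (1): move it to an unused VLAN such as 99")
        if not any(c.startswith("storm-control broadcast level") for c in cmds):
            findings.append("no broadcast storm control on the trunk")
    elif "switchport mode access" in cmds:
        for required, why in ACCESS_PORT_REQUIREMENTS:
            if required not in cmds:
                findings.append(f"{why}: add '{required}'")
    else:
        findings.append("no switchport mode and not shut down: the default dynamic auto mode "
                        "will accept a DTP trunk negotiation from whatever is plugged in")
    return findings


def audit_config(config: str) -> dict[str, list[str]]:
    """Audit every interface stanza; only ports with findings are returned."""
    report: dict[str, list[str]] = {}
    for name, commands in parse_interfaces(config).items():
        findings = audit_interface(name, commands)
        if findings:
            report[name] = findings
    return report


if __name__ == "__main__":
    for port, findings in audit_config(SAMPLE_RUNNING_CONFIG).items():
        print(port)
        for finding in findings:
            print("  -", finding)
```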



Step 3 - Optional - Enable root guard

Root guard is another option in helping to prevent rogue switches and spoofing. Root guard can be enabled on all ports on a switch that are not root ports. It is normally enabled only on ports connecting to edge switches where a superior BPDU should never be received. Each switch should have only one root port, which is the best path to the root switch.

  • The following command configures root guard on S2 interface Gi0/1. Normally, this is done if another switch is attached to this port. Root guard is best deployed on ports that connect to switches that should not be the root bridge:
S2(config)#interface Fastethernet 0/24
S2(config-if)#spanning-tree guard root


  • Issue the show run command and navigate to the Gigabit Interfaces section to verify that root guard is configured:
S2#sh run

Note: The S2 Gi0/1 port is not currently up, so it is not participating in STP. Otherwise, you could use the show spanning-tree interface fa0/24 detail command.


  • If a port that is enabled with BPDU guard receives a superior BPDU, it goes into a root-inconsistent state. Use the show spanning-tree inconsistentports command to determine if there are any ports currently receiving superior BPDUs that should not be:
S2#show spanning-tree inconsistentports

Note: Root guard allows a connected switch to participate in STP as long as the device does not try to become the root. If root guard blocks the port, subsequent recovery is automatic. If the superior BPDUs stop, the port returns to the forwarding state.



Task 4 - Configure Port Security and Disable Unused Ports

Switches can also be subject to CAM table overflow, MAC spoofing attacks, and unauthorized connections to switch ports. In this task, you configure port security to limit the number of MAC addresses that can be learned on a switch port and disable the port if that number is exceeded.



Step 1 - Record the R1 Fa0/1 MAC address

  • From the router R1 CLI, use the show interface command and record the MAC address of the interface:
R1#show interface fa0/1
  • What is the MAC address of the R1 Fa0/1 interface?



Step 2 - Configure basic port security - Enable port security and Lock out devices with a MAC address not recognized by the switch

To lock out any device with a MAC address not recognized by the switch we will configure a static entry for the MAC address of the interface connected to a port.


This procedure should be performed on all access ports that are in use. Switch S1 port Fa0/5 is shown here as an example.


Note: A switch port must be configured as an access port to enable port security.


  • From the switch S1 CLI, enter interface configuration mode for the port that connects to the router (Fast Ethernet 0/5):
S1(config)#interface FastEthernet 0/5


  • Shut down the switch port:
S1(config-if)#shutdown


  • Enable port security on the port:
S1(config-if)#switchport port-security

Note: Entering just the switchport port-security command sets the maximum MAC addresses to 1 and the violation action to shutdown. The switchport port-security maximum and switchport port-security violation commands can be used to change the default behavior.


  • Configure a static entry for the MAC address of the R1 Fa0/1 interface recorded in Step 1:
S1(config-if)#switchport port-security mac-address xxxx.xxxx.xxxx
  • xxxx.xxxx.xxxx is the actual MAC address of the router Fast Ethernet 0/1 interface.
  • Note: Optionally, you can use the switchport port-security mac-address sticky command to add all the secure MAC addresses that are dynamically learned on a port (up to the maximum set) to the switch running configuration.


  • Bring up the switch port:
S1(config-if)#no shutdown



Step 3 - Verify port security on S1 Fa0/5

  • On S1, issue the show port-security command to verify that port security has been configured on S1 Fa0/5:
S1#show port-security interface f0/5
  • What is the status of the Fa0/5 port?
  • What is the Last Source Address and VLAN?


  • From the router R1 CLI, ping PC-A to verify connectivity. This also ensures that the R1 Fa0/1 MAC address is learned by the switch:
R1#ping 192.168.1.10



Step 4 - Violate security by changing the MAC address on the router interface


Configure a new MAC address for the router interface
  • Enter interface configuration mode for the Fast Ethernet 0/1 interface and shut it down:
R1(config)#interface FastEthernet 0/1
R1(config-if)#shutdown
  • Configure a MAC address for the interface, using aaaa.bbbb.cccc as the address:
R1(config-if)#mac-address aaaa.bbbb.cccc
  • Enable the Fast Ethernet 0/1 interface:
R1(config-if)#no shutdown
R1(config-if)#end



Ping PC-A from the router
  • From the router R1 CLI, ping PC-A. Was the ping successful? Why or why not?



On S1, observe the messages when port Fa0/5 detects the violating MAC address
  • On switch S1 console, observe the messages when port Fa0/5 detects the violating MAC address:
*Jan 14 01:34:39.750: %PM-4-ERR_DISABLE: psecure-violation error detected on Fa0/5, putting Fa0/5 in err-disable state
*Jan 14 01:34:39.750: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address aaaa.bbbb.cccc on port FastEthernet0/5.
*Jan 14 01:34:40.756: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/5, changed state to down
*Mar  1 01:34:41.755: %LINK-3-UPDOWN: Interface FastEthernet0/5, changed state to down
  • On the switch, use the various show port-security commands to verify that port security has been violated:
S1#show port-security

S1#show port-security interface fastethernet0/5

S1#show port-security address



Remove the hard-coded MAC address from the router
  • On the router, shut down the Fast Ethernet 0/1 interface, remove the hard-coded MAC address from the router, and re-enable the Fast Ethernet 0/1 interface:
R1(config)#interface FastEthernet 0/1
R1(config-if)#shutdown
R1(config-if)#no mac-address aaaa.bbbb.cccc
R1(config-if)#no shutdown

Note: This will restore the original FastEthernet interface MAC address.



Ping PC-A again
  • From R1, try to ping the PC-A again at 192.168.1.10. Was the ping successful? Why or why not?



Clear the S1 Fa0/5 error-disabled status
  • From the S1 console, clear the error and re-enable the port using the following commands. This will change the port status from Secure-shutdown to Secure-up:
S1(config)#interface FastEthernet 0/5
S1(config-if)#shutdown
S1(config-if)#no shutdown

Note: This assumes the device/interface with the violating MAC address has been removed and replaced with the one originally configured.


  • From R1, ping PC-A again. You should be successful this time:
R1#ping 192.168.1.10



Step 5 - Remove basic port security on S1 Fa0/5

  • From the S1 console, remove port security on Fa0/5. This procedure can also be used to re-enable the port but port security commands will need to be reconfigured:
S1(config)#interface FastEthernet 0/5
S1(config-if)#shutdown
S1(config-if)#no switchport port-security
S1(config-if)#no switchport port-security mac-address 001b.5325.256f
S1(config-if)#no shutdown


  • You can also use the following commands to reset the interface to its default settings:
S1(config)#interface FastEthernet 0/5
S1(config-if)#shutdown
S1(config-if)#exit
S1(config)#default interface fastethernet 0/5
S1(config)#interface FastEthernet 0/5
S1(config-if)#no shutdown

Note: This default interface command also requires you to reconfigure the port as an access port in order to re-enable the security commands.



Step 6 - Optional - Configure port security for VoIP

The following example shows a typical port security configuration for a voice port. Two MAC addresses are allowed, and they are learned dynamically. One MAC address is for the IP phone, and the other is for the PC connected to the IP phone. Violations of this policy result in the port being shut down. The aging timeout for the learned MAC addresses is set to two hours.


  • This example is shown for switch S2 port Fa0/18 (the aging time is given in minutes, so 120 is the two hours described above):
S2(config)#interface Fa0/18
S2(config-if)#switchport mode access
S2(config-if)#switchport port-security
S2(config-if)#switchport port-security maximum 2
S2(config-if)#switchport port-security violation shutdown
S2(config-if)#switchport port-security mac-address sticky
S2(config-if)#switchport port-security aging time 120
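The port-security behaviour that Steps 2 to 6 exercise, as an added Python model (not part of the lab or of any Cisco code): the defaults a bare switchport port-security sets (maximum 1, violation shutdown), static and sticky secure addresses, the err-disabled state on a violation, and recovery with shutdown / no shutdown. The router MAC 001b.5325.256f is the one Step 5 removes, aaaa.bbbb.cccc is the spoofed address from Step 4; the three 0011.2233.44xx addresses and the restrict/protect branches are constructed here.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class SecurePort:
    """One access port after `switchport port-security`."""
    name: str
    maximum: int = 1                  # default set by a bare `switchport port-security`
    violation: str = "shutdown"       # default mode; IOS also offers restrict and protect
    sticky: bool = False              # `switchport port-security mac-address sticky`
    secure_macs: Dict[str, str] = field(default_factory=dict)  # mac -> static|sticky|dynamic
    status: str = "Secure-up"         # as shown by `show port-security interface`
    violation_count: int = 0
    last_source: str = ""

    def add_static(self, mac: str) -> None:
        """`switchport port-security mac-address <mac>`: a hard-coded secure address."""
        mac = mac.lower()
        if mac not in self.secure_macs and len(self.secure_macs) >= self.maximum:
            raise ValueError("secure address table is already at its maximum")
        self.secure_macs[mac] = "static"

    def receive(self, src_mac: str) -> str:
        """A frame with source src_mac arrives; returns forward, drop or err-disabled."""
        mac = src_mac.lower()
        if self.status == "Secure-shutdown":
            return "err-disabled"              # port is down, nothing passes
        self.last_source = mac
        if mac in self.secure_macs:
            return "forward"
        if len(self.secure_macs) < self.maximum:
            # Room left: learn it. Sticky entries also land in the running-config
            self.secure_macs[mac] = "sticky" if self.sticky else "dynamic"
            return "forward"
        # Unknown source while the table is full: a violation
        if self.violation == "shutdown":
            self.violation_count += 1
            self.status = "Secure-shutdown"    # %PM-4-ERR_DISABLE psecure-violation
            return "err-disabled"
        if self.violation == "restrict":
            self.violation_count += 1          # counted and logged, port stays up
        return "drop"                          # protect: silently discarded

    def shut_no_shut(self) -> None:
        """`shutdown` then `no shutdown` clears the err-disabled state."""
        self.status = "Secure-up"

    def running_config(self) -> List[str]:
        """The port-security lines `show running-config` would list for this port."""
        lines = ["switchport port-security"]
        if self.maximum != 1:
            lines.append(f"switchport port-security maximum {self.maximum}")
        if self.sticky:
            lines.append("switchport port-security mac-address sticky")
        for mac, kind in self.secure_macs.items():
            if kind == "static":
                lines.append(f"switchport port-security mac-address {mac}")
            elif kind == "sticky":
                lines.append(f"switchport port-security mac-address sticky {mac}")
        return lines


def lab_task4() -> Tuple[List[str], str, int]:
    """Steps 2 to 5 on S1 Fa0/5; the router MAC is the one Step 5 removes."""
    port = SecurePort("Fa0/5")                     # maximum 1, violation shutdown
    port.add_static("001b.5325.256f")              # static entry for R1 Fa0/1
    events = [port.receive("001b.5325.256f")]      # R1 pings PC-A: forward
    events.append(port.receive("aaaa.bbbb.cccc"))  # Step 4: spoofed MAC, port err-disabled
    events.append(port.receive("001b.5325.256f"))  # original MAC restored, port still down
    port.shut_no_shut()                            # clear the err-disabled status
    events.append(port.receive("001b.5325.256f"))  # forwards again
    return events, port.status, port.violation_count


def lab_step6_voip() -> Tuple[List[str], List[str]]:
    """Step 6 on S2 Fa0/18: two sticky addresses are learned, a third is a violation."""
    port = SecurePort("Fa0/18", maximum=2, sticky=True)
    # Constructed MAC addresses standing in for the IP phone, the PC and a third device
    results = [port.receive(m) for m in ("0011.2233.4455", "0011.2233.4466", "0011.2233.4477")]
    return results, port.running_config()


if __name__ == "__main__":
    print(lab_task4())
    for line in lab_step6_voip()[1]:
        print(" " + line)
```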



Step 7 - Disable unused ports on S1 and S2

As a further security measure, disable any ports not being used on the switch.


  • Ports Fa0/1, Fa0/5, and Fa0/6 are used on switch S1. The remaining Fast Ethernet ports and the two Gigabit Ethernet ports will be shutdown:
S1(config)#interface range Fa0/2 - 4
S1(config-if-range)#shutdown
S1(config-if-range)#interface range Fa0/7 - 24
S1(config-if-range)#shutdown
S1(config-if-range)#interface range gigabitethernet0/1 - 2
S1(config-if-range)#shutdown


  • Ports Fa0/18 and Gi0/1 are used on switch S2. The remaining Fast Ethernet ports and the Gigabit Ethernet ports will be shutdown:
S2(config)#interface range Fa0/2 - 17
S2(config-if-range)#shutdown
S2(config-if-range)#interface range Fa0/19 - 24
S2(config-if-range)#shutdown
S2(config-if-range)#exit
S2(config)#interface gigabitethernet0/2
S2(config-if)#shutdown



Step 8 - Move unused ports to an "Invalid" VLAN on S1 and S2

As a further security measure, move any ports not being used on the switch into an invalid VLAN.


  • Ports Fa0/1, Fa0/5, and Fa0/6 are used on switch S1. The remaining Fast Ethernet ports and the two Gigabit Ethernet ports are placed in the unused VLAN 100:
S1(config)# vlan 100
S1(config-vlan)# name unused
S1(config-vlan)# exit
S1(config)#interface range Fa0/2 - 4
S1(config-if-range)#shutdown
S1(config-if-range)#interface range Fa0/7 - 24
S1(config-if-range)#switchport access vlan 100
S1(config-if-range)#interface range gigabitethernet0/1 - 2
S1(config-if-range)#switchport access vlan 100


  • Ports Fa0/18 and Gi0/1 are used on switch S2. The remaining Fast Ethernet ports and the Gigabit Ethernet port are placed in the unused VLAN 100:
S2(config)# vlan 100
S2(config-vlan)# name unused
S2(config-vlan)# exit
S2(config)#interface range Fa0/2 - 17
S2(config-if-range)#shutdown
S2(config-if-range)#interface range Fa0/19 - 24
S2(config-if-range)#switchport access vlan 100
S2(config-if-range)#interface gigabitethernet 0/2
S2(config-if-range)#switchport access vlan 100



Step 9 - Optional - Move active ports to a VLAN other than the default VLAN 1

As a further security measure, you can move all active end user and router ports to a VLAN other than the default VLAN 1 on both switches.


  • Configure a new VLAN for users on each switch using the following commands:
S1(config)#vlan 20
S1(config-vlan)#name Users

S2(config)#vlan 20
S2(config-vlan)#name Users


  • Add the current active access (non-trunk) ports to the new VLAN:
S1(config)#interface range fa0/5 - 6
S1(config-if)#switchport access vlan 20

S2(config)#interface fa0/18
S2(config-if)#switchport access vlan 20


Note: This will prevent communication between end user hosts and the management VLAN IP address of the switch, which is currently VLAN 1. The switch can still be accessed and configured using the console connection.
If you need to provide Telnet or SSH access to the switch, a specific port can be designated as the management port and added to VLAN 1 with a specific management workstation attached. A more elaborate solution is to create a new VLAN for switch management (or use the existing native trunk VLAN 99) and configure a separate subnet for the management and user VLANs. You would also need to enable trunking with subinterfaces on R1 to route between the management and user VLAN subnets.



Configuring HSRP Topology

File:ConfiguringHSRP.pdf

File:ConfiguringHSRP-Packettracer file.zip



Background / Scenario:

  • Spanning tree provides loop-free redundancy between switches within a LAN. However, it does not provide redundant default gateways for end-user devices within the network if one of the routers fails.
  • First Hop Redundancy Protocols (FHRPs) provide redundant default gateways for end devices with no end-user configuration necessary.
  • In this lab, you will configure Cisco's Hot Standby Routing Protocol (HSRP), a First Hop Redundancy Protocol (FHRP).


Note: The routers used with CCNA hands-on labs are Cisco 1941 Integrated Services Routers (ISRs) with Cisco IOS Release 15.2(4)M3 (universalk9 image). The switches used are Cisco Catalyst 2960s with Cisco IOS Release 15.0(2) (lanbasek9 image). Other routers, switches, and Cisco IOS versions can be used. Depending on the model and Cisco IOS version, the commands available and output produced might vary from what is shown in the labs. Refer to the Router Interface Summary Table at the end of this lab for the correct interface identifiers.


Note: Make sure that the routers and switches have been erased and have no startup configurations. If you are unsure, contact your instructor.



Required Resources:

  • 3 Routers (Cisco 1941 with Cisco IOS Release 15.2(4)M3 universal image or comparable)
  • 2 Switches (Cisco 2960 with Cisco IOS Release 15.0(2) lanbasek9 image or comparable)
  • 2 PCs (Windows 8, 7, or Vista with terminal emulation program, such as Tera Term)
  • Console cables to configure the Cisco IOS devices via the console ports
  • Ethernet and serial cables as shown in the topology



Topology:

HSRP Topology.png
ConfiguringHSRP.png



Addressing Table:

Device  Interface      IP Address       Subnet Mask      Default Gateway
R1      G0/1           192.168.1.1      255.255.255.0    N/A
R1      S0/0/0 (DCE)   10.1.1.1         255.255.255.252  N/A
R2      S0/0/0         10.1.1.2         255.255.255.252  N/A
R2      S0/0/1 (DCE)   10.2.2.2         255.255.255.252  N/A
R2      Lo1            209.165.200.225  255.255.255.224  N/A
R3      G0/1           192.168.1.3      255.255.255.0    N/A
R3      S0/0/1         10.2.2.1         255.255.255.252  N/A
S1      VLAN 1         192.168.1.11     255.255.255.0    192.168.1.1
S3      VLAN 1         192.168.1.13     255.255.255.0    192.168.1.3
PC-A    NIC            192.168.1.31     255.255.255.0    192.168.1.1
PC-C    NIC            192.168.1.33     255.255.255.0    192.168.1.3



Part 1 - Build the Network and Verify Connectivity

I will only show the most important commands needed for the basic configurations. You can refer to the other labs for more details about how to perform these configurations.


  • Cable the network as shown in the topology.
  • Configure PC hosts.
  • Configure basic settings for each router:
# Basic configuration
enable
configure terminal
no ip domain-lookup
hostname R1


# Interface IP address
interface serial 0/0/0
ip address 10.1.1.1  255.255.255.252
clock rate 64000
no shutdown
exit


copy running-config startup-config


  • Configure basic settings for each switch:
# Basic configuration
enable
configure terminal
no ip domain-lookup
hostname S1


# Configure the VLAN 1 interface IP address:
# We don't need to create VLAN 1 because it is the default VLAN
S1(config)# interface vlan 1
S1(config-if)# ip address 192.168.1.11  255.255.255.0
S1(config-if)# no shutdown
S1(config-if)# exit
S1(config)# ip default-gateway 192.168.1.1
S1(config)# end

S1# show vlan


copy running-config startup-config


  • Verify connectivity between PC-A and PC-C.



Configure the loopback interface

https://linuxtiwary.com/2016/10/25/how-to-configure-loopback-interfaces-on-cisco-router/

Loopback interfaces (lo) are logical interfaces, which means they're virtual, software-only interfaces, not actual, physical router interfaces. Loopback interfaces come in very handy for diagnostic purposes.

interface loopback 1
ip address 209.165.200.225  255.255.255.224
no shut
exit



Configure routing

Configure RIP version 2 on all routers. See the RIPv2 section (Network Simulation using PacketTracer#Configuring RIP Routing Protocol) for details, and the PDF tutorial provided by Greg: File:ConfiguringRIPv2.pdf


Add all the networks, except 209.165.200.224/27 into the RIP process:

Example R1:

router rip
version 2
network 192.168.1.0
network 10.0.0.0
no auto-summary



Configure and redistribute a default route for Internet access

Configure a default route on R2 using Lo1 as the exit interface to the 209.165.200.224/27 network.

To create a default route, we just need to create a static route to network 0.0.0.0 0.0.0.0, using the ip route command:

R2(config)# ip route 0.0.0.0 0.0.0.0 209.165.200.225


The above configuration forwards any traffic with an unknown destination address to 209.165.200.225


The router will advertise a route to the other routers if the «default-information originate» command is added to its RIP configuration:

R2(config)# router rip
R2(config-router)# default-information originate


Verify connectivity between PC-A/PC-C and all the interfaces in R1, R2 and R3.



Part 2 - Configure First Hop Redundancy using HSRP

Even though the topology has been designed with some redundancy (two routers and two switches on the same LAN network), both PC-A and PC-C are configured with only one gateway address. PC-A is using R1 and PC-C is using R3. If either of these routers or the interfaces on the routers went down, the PCs could lose their connection to the Internet. In Part 2, you will test how the network behaves both before and after configuring HSRP. To do this, you will determine the path that packets take to the loopback address on R2.



Step 1 - Determine the path for Internet traffic for PC-A and PC-C

From a command prompt on PC-A/PC-C, issue a tracert command to the 209.165.200.225 loopback address of R2.

tracert 209.165.200.225


  • What path did the packets take from PC-A to 209.165.200.225?
PC-A to R1 to R2
  • What path did the packets take from PC-C to 209.165.200.225?
PC-C to R3 to R2



Step 2 - Start a ping session on PC-A and break the connection between S1 and R1

From the command prompt on PC-A:

ping -t 209.165.200.225

With the -t flag, the pings continue until you press Ctrl+C, or until you close the command prompt.

Make sure you leave the command prompt window open.


As the ping continues, disconnect the Ethernet cable from F0/5 on S1. You can also shut down the S1 F0/5 interface, which creates the same result:


What happened to the ping traffic?

After the cable was disconnected from F0/5 on S1 (or the interface was shut down), pings failed.


If we repeat this procedure on PC-C and S3, the results would be the same as on PC-A. After the Ethernet cable was disconnected from F0/5 on S3, the pings failed.


Reconnect the Ethernet cables to F0/5 or enable the F0/5 interface on both S1 and S3, respectively. Re-issue pings to 209.165.200.225 from both PC-A and PC-C to make sure connectivity is re-established.



Step 3 - Configure HSRP on R1 and R3

In this step, you will configure HSRP and change the default gateway address on PC-A, PC-C, S1, and S3 to the virtual IP address for HSRP. R1 becomes the active router via configuration of the HSRP priority command.


  • Configure HSRP on R1:
R1(config)# interface g0/1
R1(config-if)# standby version 2
R1(config-if)# standby 1 ip 192.168.1.254
R1(config-if)# standby 1 priority 150
R1(config-if)# standby 1 preempt


  • Configure HSRP on R3:
R3(config)# interface g0/1
R3(config-if)# standby version 2
R3(config-if)# standby 1 ip 192.168.1.254


  • Verify HSRP by issuing the show standby command on R1 and R3:
R1# show standby
  • Which router is the active router?
  • R1
  • What is the MAC address for the virtual IP address?
  • 0000.0c9f.f001
  • What is the IP address and priority of the standby router?
  • IP address is 192.168.1.3 and the priority is 100 (the default which is less than that of R1, the active router, with a priority of 150).


  • Use the show standby brief command on R1 and R3 to view an HSRP status summary.
R1# show standby brief


  • Change the default gateway address for PC-A, PC-C, S1, and S3. Which address should you use?
192.168.1.254


  • Verify the new settings. Issue a ping from both PC-A and PC-C to the loopback address of R2. Are the pings successful?
Yes



Step 4 - Start a ping session on PC-A and break the connection between the switch that is connected to the Active HSRP router R1

  • From a command prompt on PC-A, issue a ping -t command to the 209.165.200.225 address on R2. Ensure that you leave the command prompt window open.
  • As the ping continues, disconnect the Ethernet cable from F0/5 on S1 or shut down the F0/5 interface.
  • What happened to the ping traffic?
  • A few packets may be dropped while the standby router takes over; after that the pings succeed.



Step 5 - Verify HSRP settings on R1 and R3

  • Issue the show standby brief command on R1 and R3. Which router is the active router?
R3 is now the active router.
  • Reconnect the cable between the switch and the router or enable interface F0/5. Now which router is the active router? Explain.
R1 became the active router because preemption is enabled on it and it has the higher priority.



Step 6 - Change HSRP priorities

  • Change the HSRP priority to 200 on R3.
  • Which is the active router?
R1
  • Issue the command to change the active router to R3 without changing the priority. What command did you use?
R3(config)# interface g0/1
R3(config-if)# standby 1 preempt
  • Use a show command to verify that R3 is the active router.
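The election rules behind the answers in Steps 3 to 6, as an added Python model (not part of the lab or of any Cisco code): the highest priority wins, the higher interface address breaks a tie, and a running active router is only displaced by a router that has preempt configured. Router names, addresses and priorities are the lab's; the virtual MAC is derived from the documented HSRPv2 prefix 0000.0c9f.f000 plus the group number; hello and hold timers are not modelled.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Dict, List, Optional


@dataclass
class HsrpRouter:
    name: str
    ip: str                  # real address of the LAN interface (e.g. R1 G0/1)
    priority: int = 100      # IOS default when `standby N priority` is not configured
    preempt: bool = False    # set by `standby N preempt`
    up: bool = True          # state of the LAN-facing link

    def rank(self):
        # Election key: higher priority wins, higher interface IP breaks a tie
        return (self.priority, int(IPv4Address(self.ip)))


class HsrpGroup:
    """One HSRP group on a LAN segment; elect() is one round of hellos."""

    def __init__(self, group: int, virtual_ip: str, routers: List[HsrpRouter]):
        self.group = group
        self.virtual_ip = virtual_ip
        self.routers = routers
        self.active: Optional[str] = None

    def virtual_mac(self) -> str:
        # HSRP version 2 virtual MAC: 0000.0c9f.f000 plus the group number
        return f"0000.0c9f.{0xF000 + self.group:04x}"

    def elect(self) -> Optional[str]:
        alive = [r for r in self.routers if r.up]
        if not alive:
            self.active = None
            return None
        current = next((r for r in alive if r.name == self.active), None)
        if current is None:
            # No active router is heard any more: the best candidate wins outright
            self.active = max(alive, key=HsrpRouter.rank).name
        else:
            # A running active router is only displaced by a better-ranked
            # router that has preempt enabled
            challengers = [r for r in alive if r.preempt and r.rank() > current.rank()]
            if challengers:
                self.active = max(challengers, key=HsrpRouter.rank).name
        return self.active

    def standby(self) -> Optional[str]:
        others = [r for r in self.routers if r.up and r.name != self.active]
        return max(others, key=HsrpRouter.rank).name if others else None


def lab_scenario() -> Dict[str, Optional[str]]:
    """Replays Part 2, Steps 3 to 6, recording the active router after each event."""
    r1 = HsrpRouter("R1", "192.168.1.1", priority=150, preempt=True)
    r3 = HsrpRouter("R3", "192.168.1.3")          # defaults: priority 100, no preempt
    grp = HsrpGroup(group=1, virtual_ip="192.168.1.254", routers=[r1, r3])
    timeline = {}
    timeline["step3_active"] = grp.elect()         # R1: priority 150 beats 100
    timeline["step3_standby"] = grp.standby()      # R3
    r1.up = False                                  # Step 4: S1 F0/5 cable pulled
    timeline["step4_r1_down"] = grp.elect()        # R3 takes over
    r1.up = True                                   # Step 5: cable reconnected
    timeline["step5_r1_back"] = grp.elect()        # R1 reclaims: preempt + higher priority
    r3.priority = 200                              # Step 6: `standby 1 priority 200` on R3
    timeline["step6_priority_200"] = grp.elect()   # still R1: R3 has no preempt
    r3.preempt = True                              # `standby 1 preempt` on R3
    timeline["step6_preempt"] = grp.elect()        # R3 becomes active
    return timeline


if __name__ == "__main__":
    for event, active in lab_scenario().items():
        print(f"{event:20} active = {active}")
    print("virtual MAC for group 1:", HsrpGroup(1, "192.168.1.254", []).virtual_mac())
```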



Reflection

Why would there be a need for redundancy in a LAN?

In today’s networks, down time can be a critical issue affecting sales, productivity and general connectivity (IP Telephony phones for example).



Configuring EtherChannel

File:Configuring_EtherChannel.pdf


Configuring EtherChannel Topology.png


Objectives:

  • Part 1: Configure Basic Switch Settings
  • Part 2: Configure an EtherChannel with Cisco PAgP
  • Part 3: Configure an 802.3ad LACP EtherChannel
  • Part 4: Configure a Redundant EtherChannel Link


Background:

Three switches have just been installed. There are redundant uplinks between the switches. Usually, only one of these links could be used; otherwise, a bridging loop might occur. However, using only one link utilizes only half of the available bandwidth. EtherChannel allows up to eight redundant links to be bundled together into one logical link. In this lab, you will configure Port Aggregation Protocol (PAgP), a Cisco EtherChannel protocol, and Link Aggregation Control Protocol (LACP), an IEEE 802.3ad open standard version of EtherChannel.



Part 1 - Configure Basic Switch Settings


Assign each switch a hostname according to the topology diagram

hostname S1



Configure all required ports as trunks, depending on the connections between devices

Note: If the ports are configured with dynamic auto mode, and you do not set the mode of the ports to trunk, the links do not form trunks and remain access ports. The default mode on a 2960 switch is dynamic auto.

S1(config)# interface range g0/1 - 2
S1(config-if-range)# switchport mode trunk
S1(config-if-range)# interface range f0/21 - 22
S1(config-if-range)# switchport mode trunk
S1(config-if-range)# end

S2(config)# interface range g0/1 - 2
S2(config-if-range)# switchport mode trunk
S2(config-if-range)# interface range f0/23 - 24
S2(config-if-range)# switchport mode trunk
S2(config-if-range)# end

S3(config)# interface range f0/21 - 24
S3(config-if-range)# switchport mode trunk
S3(config-if-range)# end



Part 2 - Configure an EtherChannel with Cisco PAgP

Note: When configuring EtherChannels, it is recommended to shut down the physical ports being grouped on both devices before configuring them into channel groups. Otherwise, the EtherChannel Misconfig Guard may place these ports into err-disabled state. The ports and port channels can be re-enabled after EtherChannel is configured.



Step 1 - Configure Port Channel 1

  • The first EtherChannel created for this activity aggregates ports F0/22 and F0/21 between S1 and S3.
Use the show interfaces trunk command to ensure that you have an active trunk link for those two links.
show interfaces trunk


  • On both switches, add ports F0/21 and F0/22 to Port Channel 1 with the channel-group 1 mode desirable command. The mode desirable option enables the switch to actively negotiate to form a PAgP link:
S1(config)# interface range f0/21 - 22
S1(config-if-range)# shutdown
S1(config-if-range)# channel-group 1 mode desirable
S1(config-if-range)# no shutdown

S3(config)# interface range f0/21 - 22
S3(config-if-range)# shutdown
S3(config-if-range)# channel-group 1 mode desirable
S3(config-if-range)# no shutdown


  • Configure the logical interface to become a trunk by first entering the interface port-channel number command and then the switchport mode trunk command. Add this configuration to both switches:
S1(config)# interface port-channel 1
S1(config-if)# switchport mode trunk

S3(config)# interface port-channel 1
S3(config-if)# switchport mode trunk



Verify Port Channel 1 status

  • Issue the show etherchannel summary command to verify that EtherChannel is working on both switches. This command displays the type of EtherChannel, the ports utilized, and port states.
S1# show etherchannel summary

S3# show etherchannel summary


  • If the EtherChannel does not come up, shut down the physical interfaces on both ends of the EtherChannel and then bring them back up again. This involves using the shutdown command on those interfaces, followed by a no shutdown command a few seconds later.
  • The show interfaces trunk and show spanning-tree commands also show the port channel as one logical link:
S1# show interfaces trunk

S1# show spanning-tree



Part 3 - Configure an 802.3ad LACP EtherChannel


Step 1 - Configure Port Channel 2

In 2000, the IEEE released 802.3ad, which is an open standard version of EtherChannel. Using the previous commands, configure the link between S1 and S2 on ports G0/1 and G0/2 as an LACP EtherChannel. You must use a different port channel number on S1 than 1, because you already used that in the previous step. To configure a port channel as LACP, use the interface configuration mode channel-group number mode active command. Active mode indicates that the switch actively tries to negotiate that link as LACP, as opposed to PAgP.


S1(config)# interface range g0/1 - 2
S1(config-if-range)# shutdown
S1(config-if-range)# channel-group 2 mode active
S1(config-if-range)# no shutdown
S1(config-if-range)# interface port-channel 2
S1(config-if)# switchport mode trunk

S2(config)# interface range g0/1 - 2
S2(config-if-range)# shutdown
S2(config-if-range)# channel-group 2 mode active
S2(config-if-range)# no shutdown
S2(config-if-range)# interface port-channel 2
S2(config-if)# switchport mode trunk



Step 2 - Verify Port Channel 2 status

Use the show etherchannel summary commands to verify the status of Port Channel 2. Look for the protocol used by each port:

S1# show etherchannel summary



Part 4 - Configure a Redundant EtherChannel Link


Step 1 - Configure Port Channel 3

There are various ways to enter the channel-group number mode command:

S2(config)# interface range f0/23 - 24
S2(config-if-range)# channel-group 3 mode ?
active Enable LACP unconditionally
auto Enable PAgP only if a PAgP device is detected
desirable Enable PAgP unconditionally
on Enable Etherchannel only
passive Enable LACP only if a LACP device is detected


  • On switch S2, add ports F0/23 and F0/24 to Port Channel 3 with the channel-group 3 mode passive command. The passive option indicates that you want the switch to use LACP only if another LACP device is detected. Statically configure Port Channel 3 as a trunk interface.
S2(config)# interface range f0/23 - 24
S2(config-if-range)# shutdown
S2(config-if-range)# channel-group 3 mode passive
S2(config-if-range)# no shutdown
S2(config-if-range)# interface port-channel 3
S2(config-if)# switchport mode trunk
  • On switch S3, add ports F0/23 and F0/24 to Port Channel 3 with the channel-group 3 mode active command. The active option indicates that you want the switch to use LACP unconditionally. Statically configure Port Channel 3 as a trunk interface.
S3(config)# interface range f0/23 - 24
S3(config-if-range)# shutdown
S3(config-if-range)# channel-group 3 mode active
S3(config-if-range)# no shutdown
S3(config-if-range)# interface port-channel 3
S3(config-if)# switchport mode trunk



Step 2 - Verify Port Channel 3 status
  • Use the show etherchannel summary commands to verify the status of Port Channel 3. Look for the protocol used by each port:
S2# show etherchannel summary
  • Port Channel 2 is not operative because spanning tree protocol placed some ports into blocking mode. Unfortunately, those ports were Gigabit ports. To restore these ports, configure S1 to be primary root for VLAN 1 or set the priority to 24576:
S1(config)# spanning-tree vlan 1 root primary

# or

S1(config)# spanning-tree vlan 1 priority 24576



Access Control Lists

  • IPv4 ACLs give network engineers the ability to program a filter into a router.
  • Cisco routers can apply ACL logic to packets at the point at which the IP packets enter an interface, or the point at which they exit an interface.


  • ACLs - Big Picture - A list of permit and deny statements:
    • An ACL is a sequential list of permit or deny statements, known as access control entries (ACEs). For example: ACL 1 Pseudocode
    • 1) IF source = 10.1.5.1 permit
    • 2) IF source = 172.30.1.5 Deny
    • 3) IF source = 172.30.0.0/16 Permit
    • ...
  • IMPLICIT DENY (note if a packet doesn’t match any of the items in the ACL, the packet is discarded. The reason is that every IP ACL has a deny all statement implied at the end of the ACL.)


Objectives:

  • Configure standard IPv4 ACLs.
  • Configure extended IPv4 ACLs.
  • Troubleshoot ACLs.



Lab - Configuring Extended ACLs

File:Configuring_Extended_ACLs.pdf

File:Configuring_Extended_ACLs-Packettracer_file.zip

File:Configuring_Extended_ACLs-Scenario2-SOLUTION.pdf


Background / Scenario: Two employees need access to services provided by the server. PC1 only needs FTP access while PC2 only needs web access. Both computers are able to ping the server, but not each other.

Configuring Extended ACLs-topology.png

Equipment to choose in Packet Tracer:

  • Router 2911 (this router provides 3 x Gig ports)
  • Switch 2960 (these switches will provide you with 2 x Gig ports)
  • Generic Server


Addressing table:

Configuring Extended ACLs-Addressing table.png



Basic configurations

  • For each of your routers/switches hostnames insert your student number. E.g. R1: 2017279R1.
enable
configure terminal
hostname 2017279R1



Configure all interfaces and test connectivity

Configure all interfaces as shown in the table above. Ensure all devices can ping each other.

(config)#interface gigabitEthernet 0/0
(config-if)#ip address 172.22.34.65 255.255.255.224
(config-if)#no shutdown
(config-if)#exit

.
.
.


  • PC1 can also open a Web browser and access the web server's homepage:
PC1 can also open a Web browser and access the web server homepage.png



Configure, Apply and Verify an Extended Numbered ACL - Part 1


Configure an ACL to permit FTP and ICMP ONLY for LAN where PC1 resides


To permit FTP

a. From global configuration mode on R1, enter the following command to determine the first valid number for an extended access list:

R1(config)# access-list ?
<1-99>    IP standard access list
<100-199> IP extended access list


b. Add 100 to the command, followed by a question mark:

R1(config)# access-list 100 ?
deny   Specify packets to reject
permit Specify packets to forward
remark Access list entry comment


c. To permit FTP traffic, enter permit, followed by a question mark:

R1(config)# access-list 100 permit ?
ahp    Authentication Header Protocol
eigrp  Cisco's EIGRP routing protocol
esp    Encapsulation Security Payload
gre    Cisco's GRE tunneling
icmp   Internet Control Message Protocol
ip     Any Internet Protocol
ospf   OSPF routing protocol
tcp    Transmission Control Protocol
udp    User Datagram Protocol


d. This ACL permits FTP and ICMP. ICMP is listed above, but FTP is not, because FTP runs over TCP, so enter tcp to refine the ACL help further:

R1(config)# access-list 100 permit tcp ?
A.B.C.D Source address
any     Any source host
host    A single source host


e. Notice that we could filter just for PC1 by using the host keyword or we could allow any host. In our case, we want to allow any device belonging to the 172.22.34.64/27 network. Enter the network address, followed by THE WILDCARD MASK. You will need to calculate this wildcard mask for this network. You will enter the wildcard mask where it shows the ? below:

R1(config)# access-list 100 permit tcp 172.22.34.64 ?


f. Calculate the wildcard mask by determining the binary opposite of the subnet mask:

11111111.11111111.11111111.11100000 = 255.255.255.224
00000000.00000000.00000000.00011111 = ?.?.?.?


g. Enter the wildcard mask, followed by a question mark:

R1(config)# access-list 100 permit tcp 172.22.34.64 [Wildcard mask here] ?
A.B.C.D Destination address
any     Any destination host
eq      Match only packets on a given port number
gt      Match only packets with a greater port number
host    A single destination host
lt      Match only packets with a lower port number
neq     Match only packets not on a given port number
range   Match only packets in the range of port numbers


h. Configure the destination address. In this scenario, we are filtering traffic for a single destination, the server. Enter the host keyword followed by the server’s IP address:

R1(config)# access-list 100 permit tcp 172.22.34.64 0.0.0.31 host 172.22.34.62 ?
dscp         Match packets with given dscp value
eq           Match only packets on a given port number
established  established 
gt           Match only packets with a greater port number
lt           Match only packets with a lower port number
neq          Match only packets not on a given port number
precedence   Match packets with given precedence value
range        Match only packets in the range of port numbers
<cr>


i. Notice that one of the options is <cr> (carriage return). In other words, you can press Enter and the statement would permit all TCP traffic. However, we are only permitting FTP traffic; therefore, enter the eq keyword, followed by a question mark to display the available options. Then, enter ftp and press Enter:

R1(config)# access-list 100 permit tcp 172.22.34.64 0.0.0.31 host 172.22.34.62 eq ?
<0-65535> Port number
ftp       File Transfer Protocol (21)
pop3      Post Office Protocol v3 (110)
smtp      Simple Mail Transport Protocol (25)
telnet    Telnet (23)
www       World Wide Web (HTTP, 80)
R1(config)# access-list 100 permit tcp 172.22.34.64 0.0.0.31 host 172.22.34.62 eq ftp



To permit ICMP

Create a second access list statement to permit ICMP (ping, etc.) traffic from PC1 LAN to Server. Note that the access list number remains the same. The wildcard mask again will be for the whole subnet of 172.22.34.64/27:

R1(config)# access-list 100 permit icmp 172.22.34.64 0.0.0.31 host 172.22.34.62

All other traffic is denied, by default.



Apply the ACL on the correct interface to filter traffic

From R1's perspective, the traffic that ACL 100 applies to is inbound from the network connected to Gigabit Ethernet 0/0 interface. Enter interface configuration mode and apply the ACL:

R1(config)# interface gigabitEthernet [interface port number here]
R1(config-if)# ip access-group 100 [direction]

In our case:

R1(config)# interface gigabitEthernet 0/0
R1(config-if)# ip access-group 100 in



Verify the ACL implementation


Configure, Apply and Verify an Extended Named ACL - Part 2


Configure an ACL to permit HTTP access and ICMP to Server from PC2's LAN


To permit HTTP access

a. Named ACLs start with the ip keyword. From global configuration mode of R1, enter the following command, followed by a question mark:

R1(config)# ip access-list ?
extended   Extended Access List
standard   Standard Access List


b. You can configure named standard and extended ACLs. This access list filters both source and destination IP addresses; therefore, it must be extended. Enter HTTP_ONLY as the name. (For Packet Tracer scoring, the name is case-sensitive.)

R1(config)# ip access-list extended HTTP_ONLY


c. The prompt changes. You are now in extended named ACL configuration mode. All devices on the PC2 LAN need TCP access. Enter the network address, followed by a question mark. You will now need to calculate a wildcard mask for the network 172.22.34.96/28:

R1(config-ext-nacl)# permit tcp 172.22.34.96 ?
A.B.C.D   Source wildcard bits


d. Finish the statement by specifying the server address as you did in Part 1 and filtering www traffic:

R1(config-ext-nacl)# permit tcp 172.22.34.96 0.0.0.15 host 172.22.34.62 eq www



To permit ICMP access

Create a second access list statement to permit ICMP (ping, etc.) traffic from PC2 LAN to Server.

Note: The wildcard mask again will be for the whole subnet of 172.22.34.96/28. You will need to insert all the information shown in [] below.

R1(config-ext-nacl)# permit [protocol here] 172.22.34.96 [Wildcard mask here] host [server address here]

In our case:

R1(config-ext-nacl)# permit icmp 172.22.34.96 0.0.0.15 host 172.22.34.62
R1(config-ext-nacl)# exit

All other traffic is denied, by default. Exit out of extended named ACL configuration mode.



Apply the ACL on the correct interface to filter traffic

Similar to what you did in part 1, you will need to apply the ACL. From R1’s perspective, the traffic that access list HTTP_ONLY applies to is inbound from the network connected to Gigabit Ethernet 0/1 interface. Apply this configuration. Enter the interface configuration mode and apply the ACL:

R1(config)# interface gigabitEthernet 0/1
R1(config-if)# ip access-group HTTP_ONLY in



Verify the ACL implementation
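As an added example (not part of the lab or of the original page), the following Python script reproduces offline the two things the lab leaves to the reader: the wildcard mask calculation from step f of Part 1 (and step c of Part 2), and the way IOS evaluates ACL 100 and HTTP_ONLY top-down with the implicit deny at the end. It parses the exact permit statements configured on R1 above and evaluates sample packets against them. The host addresses used for PC1 and PC2 are constructed (PC1 is assumed to be a host inside 172.22.34.64/27 and PC2 a host inside 172.22.34.96/28); the server address 172.22.34.62 is the one used in the lab.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Well-known port names IOS accepts after "eq" (only the ones shown in the lab help output).
PORT_NAMES = {"ftp": 21, "www": 80, "telnet": 23, "smtp": 25, "pop3": 110}


def wildcard_from_mask(mask: str) -> str:
    """Wildcard mask = bitwise complement of the subnet mask (step f):
    255.255.255.224 -> 0.0.0.31, 255.255.255.240 -> 0.0.0.15."""
    return str(ipaddress.IPv4Address(int(ipaddress.IPv4Address(mask)) ^ 0xFFFFFFFF))


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """IOS wildcard semantics: a 0 bit must match the network, a 1 bit is ignored."""
    a, n, w = (int(ipaddress.IPv4Address(x)) for x in (addr, network, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (n & care)


@dataclass
class Ace:
    """One access control entry (one permit/deny line)."""
    action: str
    protocol: str            # tcp, udp, icmp or ip
    src: str
    src_wc: str
    dst: str
    dst_wc: str
    dport: Optional[int]     # destination port after "eq"; None = any port


def _parse_addr(t: List[str], i: int):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D wildcard' starting at t[i]."""
    if t[i] == "any":
        return "0.0.0.0", "255.255.255.255", i + 1
    if t[i] == "host":
        return t[i + 1], "0.0.0.0", i + 2
    return t[i], t[i + 1], i + 2


def parse_ace(line: str) -> Ace:
    """Parse a numbered ('access-list 100 permit ...') or named ('permit ...') entry."""
    t = line.split()
    if t[0] == "access-list":          # numbered form: skip "access-list <number>"
        t = t[2:]
    action, proto = t[0], t[1]
    src, src_wc, i = _parse_addr(t, 2)
    dst, dst_wc, i = _parse_addr(t, i)
    dport = None
    if i < len(t) and t[i] == "eq":
        dport = PORT_NAMES.get(t[i + 1]) or int(t[i + 1])
    return Ace(action, proto, src, src_wc, dst, dst_wc, dport)


def evaluate(acl: List[Ace], proto: str, src: str, dst: str, dport: Optional[int] = None) -> str:
    """Top-down, first match wins; no match means the implicit 'deny ip any any'."""
    for ace in acl:
        if ace.protocol not in ("ip", proto):
            continue
        if not (wildcard_match(src, ace.src, ace.src_wc) and wildcard_match(dst, ace.dst, ace.dst_wc)):
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return ace.action
    return "deny"


# The statements configured in Part 1 and Part 2, exactly as typed on R1.
ACL_100 = [parse_ace(line) for line in (
    "access-list 100 permit tcp 172.22.34.64 0.0.0.31 host 172.22.34.62 eq ftp",
    "access-list 100 permit icmp 172.22.34.64 0.0.0.31 host 172.22.34.62",
)]
HTTP_ONLY = [parse_ace(line) for line in (
    "permit tcp 172.22.34.96 0.0.0.15 host 172.22.34.62 eq www",
    "permit icmp 172.22.34.96 0.0.0.15 host 172.22.34.62",
)]

SERVER = "172.22.34.62"
PC1 = "172.22.34.70"   # constructed: a host in 172.22.34.64/27 (PC1's LAN)
PC2 = "172.22.34.100"  # constructed: a host in 172.22.34.96/28 (PC2's LAN)

if __name__ == "__main__":
    print("wildcard for /27:", wildcard_from_mask("255.255.255.224"))
    print("wildcard for /28:", wildcard_from_mask("255.255.255.240"))
    for name, acl, host in (("ACL 100", ACL_100, PC1), ("HTTP_ONLY", HTTP_ONLY, PC2)):
        for proto, port in (("tcp", 21), ("tcp", 80), ("icmp", None)):
            verdict = evaluate(acl, proto, host, SERVER, port)
            print(f"{name}: {proto}/{port} from {host} to server -> {verdict}")
```

Running it shows FTP and ping permitted and HTTP denied for the PC1 LAN, and HTTP and ping permitted but FTP denied for the PC2 LAN, which is what the two "Verify the ACL implementation" steps should confirm in Packet Tracer. Anything not matched by a permit line, including traffic from the other LAN or to any destination other than the server, hits the implicit deny.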


CA - Network design for high availability

File:Network_design_for_high_availability-CA_description.pdf

File:Network_design_for_high_availability-PacketTracerFile.zip



Group justification report

File:Network_design_for_high_availability-GroupJustificationReport.pdf


To decide on the most suitable network design for the new data center of Dublin Computer School (DCS), we considered the following points from the project description:

  • The business is home grown in Dublin and the organization is expanding rapidly, both in Dublin and at many sites around Ireland,
  • The growth expected by the Infrastructure Manager,
  • The need for a new Moodle system and a CRM system for the Marketing department,


Dublin Computer School (DCS) is, without any doubt, expecting significant growth over the next years. Based on this fact, and after evaluating the budget, we decided on an ambitious design that ensures not only availability and reliability but also scalability of the network. We also had to take into account that this data center will serve all the sites around Ireland, where the company is also expecting to grow.



Dublin

As we have already mentioned, the new data center will be placed in the Dublin LAN; but this network also has to be designed to provide communication for end user devices (wired and wireless).


In general, our design is based on the concepts described in Cisco's «Campus LAN and Wireless LAN Design Guide» [\cite]. We built a hierarchical Three-Tier Design: Core, Distribution and Access layers.

At the beginning of the project we thought a Two-Tier Design was the most suitable option, but after considering many factors, the expected growth of the network tipped the scale in favor of the Three-Tier Design (See Figure \ref).


In the figure we show the design for the Dublin network. Our design is composed of:

  • A layer 3 switch in the core.
  • Two layer 3 distribution switches.
  • Four access switches.



VLANs

We created the following VLANs (4 user VLANs plus the management VLAN):

  • VLAN10 (Student)
  • VLAN20 (Marketing)
  • VLAN30 (HR)
  • VLAN40 (Finance)
  • VLAN99 (Management)


We performed the following configuration:

  • We configured the management interface (VLAN99) on every switch with an IP address
  • 802.1Q trunks between the switches (manual configuration)
  • On the access switches, we configured access ports for the end user devices and servers and assigned the VLANs to the correct switch interfaces (See Figure XX). The server interfaces were assigned to the Management VLAN99.



Rapid spanning tree between switches

In our implementation, we made sure the root bridge is in a suitable position. To do so, we manually configured the priority to influence the root election:

  • We placed the root bridge in the core of our design for all VLANs
  • We placed the secondary root at the distribution level of the network and configured load balancing by sharing the secondary root role between the 2 distribution switches:

MS1(config)#spanning-tree vlan 1,10,20,30,40,99 root primary

MS2(config)#spanning-tree vlan 1,10,20 root secondary
MS3(config)#spanning-tree vlan 30,40,99 root secondary

With this configuration, RSTP removes the redundant paths by blocking ports, mostly in the access layer.

Because we shared the secondary root between the 2 distribution switches, and because we are running «Per-VLAN rapid spanning tree mode», the port that is blocked depends on the VLAN. For example, consider S4: the rapid spanning tree protocol blocks port Fa0/18 for the VLANs where the secondary root is MS2, while for the VLANs where the secondary root is MS3 it blocks port Fa0/14. That is why all the ports are shown in green in our network: no port is blocked for all VLANs (See Figure XX).
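To show what this root placement does when a switch fails, here is an added Python model of the Rapid-PVST root election for the Dublin switches (example code written for this page, not taken from the report or from Packet Tracer). It assumes the priority values the IOS root primary/secondary macros normally write (24576 and 28672 when every other bridge keeps the default 32768) and constructed MAC addresses; it elects the root per VLAN as the bridge with the lowest bridge ID (priority plus VLAN number, then MAC) and then repeats the election with MS1 down.

```python
from dataclasses import dataclass, field
from typing import Dict, Iterable, List

DEFAULT_PRIORITY = 32768
# Values "spanning-tree vlan <list> root primary|secondary" write when all other
# bridges still use the default priority (assumption for this example; IOS picks
# a lower value if a lower-priority root already exists in the VLAN).
ROOT_PRIMARY = 24576
ROOT_SECONDARY = 28672
VLANS = [1, 10, 20, 30, 40, 99]


@dataclass
class Bridge:
    name: str
    mac: str                                   # constructed MAC, used only as tie-breaker
    priority: Dict[int, int] = field(default_factory=dict)  # per-VLAN priority
    up: bool = True

    def bridge_id(self, vlan: int):
        # Rapid-PVST bridge ID: priority + VLAN number (system ID extension), then MAC.
        # The lowest bridge ID wins the root election.
        return (self.priority.get(vlan, DEFAULT_PRIORITY) + vlan, self.mac)


def set_root(bridge: Bridge, vlans: Iterable[int], role: str) -> None:
    """Model the 'spanning-tree vlan <list> root primary|secondary' macro on one switch."""
    value = ROOT_PRIMARY if role == "primary" else ROOT_SECONDARY
    for v in vlans:
        bridge.priority[v] = value


def build_dublin_campus() -> List[Bridge]:
    """The Dublin switches with the priorities configured in the report."""
    ms1 = Bridge("MS1", "0000.0c00.0001")
    ms2 = Bridge("MS2", "0000.0c00.0002")
    ms3 = Bridge("MS3", "0000.0c00.0003")
    set_root(ms1, VLANS, "primary")
    set_root(ms2, [1, 10, 20], "secondary")
    set_root(ms3, [30, 40, 99], "secondary")
    access = [Bridge(f"S{i}", f"0000.0c00.001{i}") for i in range(1, 5)]  # S1..S4, defaults
    return [ms1, ms2, ms3] + access


def elect_root(bridges: List[Bridge], vlan: int) -> str:
    """Root for one VLAN among the bridges that are still up."""
    live = [b for b in bridges if b.up]
    return min(live, key=lambda b: b.bridge_id(vlan)).name


def roots_per_vlan(failed: Iterable[str] = ()) -> Dict[int, str]:
    """Root bridge per VLAN after the named switches have failed."""
    bridges = build_dublin_campus()
    failed = set(failed)
    for b in bridges:
        if b.name in failed:
            b.up = False
    return {v: elect_root(bridges, v) for v in VLANS}


if __name__ == "__main__":
    print("normal operation :", roots_per_vlan())
    print("MS1 down         :", roots_per_vlan(["MS1"]))
    print("MS1 and MS2 down :", roots_per_vlan(["MS1", "MS2"]))
```

With MS1 down, VLANs 1, 10 and 20 fail over to MS2 and VLANs 30, 40 and 99 to MS3, which is the load sharing of the secondary root described above. With both MS1 and MS2 down, VLAN 10 has no configured candidate left and the election falls back to the MAC tie-break among the remaining switches, which is exactly the situation the manual priorities are meant to avoid.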



Configuring 802.1Q trunk-based inter-VLAN routing

No key decisions had to be taken in this part: we just configured 802.1Q trunk-based inter-VLAN routing to provide routing between our VLANs. You can verify all the IP addresses and interfaces configured in the Addressing table.



Wireless access for a GUEST wifi network

The GUEST wifi network was configured using a wireless router attached to one of the access switches. In Figure XX we show the configuration performed. We attached the wireless router to VLAN10 and created a new wifi network. A DHCP server was also enabled in the wireless router so that devices are able to request an IP via DHCP (Figure XX).

Some security configuration was also performed:

  • We configured a passphrase for the GUEST network: duboffice2019
  • Enabled encryption.



WAN

We created a WAN connecting a total of 5 sites: Dublin, Galway, Limerick, Cork and Sligo. You can see the IP addresses in the Addressing table; they belong to the 10.0.0.0 network.


We made sure to include redundant paths between Dublin and Galway, which is the main concern of our WAN.


We configured the OSPF routing protocol. OSPF is a widely used protocol with one of the lowest Administrative Distances (110). That is why, when multiple routing protocols are configured on a router (such as RIP or IS-IS), OSPF would be the preferred one and used to route packets. OSPF determines the shortest path to a destination by adding up the costs of the links along each path.
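The cost-based path selection described here can be checked offline. The following Python script (an added example, not part of the report or of the Packet Tracer file) builds the WAN from the addressing table, assigns OSPF costs with the IOS formula (reference bandwidth of 100 Mbit/s divided by the interface bandwidth, truncated, minimum 1) and runs Dijkstra's algorithm, which is what OSPF's SPF computation does, from R1 in Dublin. The bandwidths are assumptions: the serial links are taken at the IOS default of 1544 kbit/s, except the Limerick-Galway link marked «slow path» in the table, which is set to 64 kbit/s, and the Galway LAN shared by R3 and R4 is assumed to be advertised in OSPF at 100 Mbit/s.

```python
import heapq
from typing import Dict, List, Tuple

REF_BW_KBPS = 100_000   # IOS default reference bandwidth: 100 Mbit/s


def ospf_cost(bandwidth_kbps: int) -> int:
    """OSPF interface cost = reference bandwidth / interface bandwidth, truncated, minimum 1."""
    return max(1, REF_BW_KBPS // bandwidth_kbps)


def build_wan(slow_path_kbps: int = 64) -> Dict[str, Dict[str, int]]:
    """Adjacency list of the WAN in the addressing table, with assumed bandwidths (kbit/s)."""
    links = [
        ("R1", "R2", 1544),            # 10.16.1.0/30  Dublin - Limerick
        ("R1", "R5", 1544),            # 10.16.2.0/30  Dublin - Cork
        ("R1", "R6", 1544),            # 10.16.3.0/30  Dublin - Sligo
        ("R2", "R3", slow_path_kbps),  # 10.16.4.0/30  Limerick - Galway ("slow path", assumed 64 kbit/s)
        ("R3", "R6", 1544),            # 10.16.5.0/30  Galway - Sligo
        ("R4", "R5", 1544),            # 10.16.6.0/30  Galway - Cork
        ("R3", "R4", 100_000),         # 172.17.1.0/24 Galway LAN shared by R3 and R4 (assumed in OSPF)
    ]
    graph: Dict[str, Dict[str, int]] = {}
    for a, b, bw in links:
        graph.setdefault(a, {})[b] = ospf_cost(bw)
        graph.setdefault(b, {})[a] = ospf_cost(bw)
    return graph


def shortest_paths(graph: Dict[str, Dict[str, int]], source: str) -> Dict[str, Tuple[int, List[str]]]:
    """Dijkstra's algorithm, i.e. the SPF run every OSPF router performs on its link-state database.
    Returns {router: (total cost, path from source)}."""
    best = {source: (0, [source])}
    heap = [(0, source, [source])]
    while heap:
        cost, node, path = heapq.heappop(heap)
        if cost > best[node][0]:
            continue                      # stale heap entry
        for nxt, link_cost in graph[node].items():
            new_cost = cost + link_cost
            if nxt not in best or new_cost < best[nxt][0]:
                best[nxt] = (new_cost, path + [nxt])
                heapq.heappush(heap, (new_cost, nxt, path + [nxt]))
    return best


def without_link(graph: Dict[str, Dict[str, int]], a: str, b: str) -> Dict[str, Dict[str, int]]:
    """Copy of the graph with one link failed, to test the redundant paths."""
    g = {k: dict(v) for k, v in graph.items()}
    g[a].pop(b, None)
    g[b].pop(a, None)
    return g


if __name__ == "__main__":
    wan = build_wan()
    for label, g in (("all links up", wan),
                     ("Dublin-Sligo down", without_link(wan, "R1", "R6")),
                     ("Dublin-Sligo and Dublin-Cork down", without_link(without_link(wan, "R1", "R6"), "R1", "R5"))):
        paths = shortest_paths(g, "R1")
        print(f"{label}: R3 {paths['R3']}, R4 {paths['R4']}")
```

Both Galway routers are reached at cost 128, R4 through Cork and R3 through Sligo, while the slow path would cost 1626. Removing the Dublin-Sligo link reroutes R3 through Cork and R4 at cost 129, and only when the Dublin-Cork link is also gone does the Galway traffic fall back to the slow path through Limerick. That is the Dublin-Galway redundancy the WAN was designed for.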



Addressing table

Site | Device | Interface | IP Address | Subnet Mask | Default Gateway | Comments
Dublin | R1 | G0/1.1 | 172.16.1.1 | 255.255.255.0 | |
Dublin | R1 | G0/1.10 | 172.16.10.1 | 255.255.255.0 | |
Dublin | R1 | G0/1.20 | 172.16.20.1 | 255.255.255.0 | |
Dublin | R1 | G0/1.30 | 172.16.30.1 | 255.255.255.0 | |
Dublin | R1 | G0/1.40 | 172.16.40.1 | 255.255.255.0 | |
Dublin | R1 | G0/1.99 | 172.16.99.1 | 255.255.255.0 | |
Dublin | R1 | S0/0/0 (DCE) | 10.16.1.1 | 255.255.255.252 | |
Dublin | R1 | S0/0/1 | 10.16.2.1 | 255.255.255.252 | |
Dublin | R1 | S0/1/0 (DCE) | 10.16.3.1 | 255.255.255.252 | |
Dublin | MS1 | VLAN 99 | 172.16.99.11 | 255.255.255.0 | | Root primary for all VLANs
Dublin | MS2 | VLAN 99 | 172.16.99.12 | 255.255.255.0 | | Root secondary for VLAN 1, 10, 20
Dublin | MS3 | VLAN 99 | 172.16.99.13 | 255.255.255.0 | | Root secondary for VLAN 30, 40, 99
Dublin | S1 | VLAN 99 | 172.16.99.21 | 255.255.255.0 | |
Dublin | S2 | VLAN 99 | 172.16.99.22 | 255.255.255.0 | |
Dublin | S3 | VLAN 99 | 172.16.99.23 | 255.255.255.0 | |
Dublin | S4 | VLAN 99 | 172.16.99.24 | 255.255.255.0 | |
Dublin | Server1 | G0 (vlan99) | 172.16.99.80 | 255.255.255.0 | 172.16.99.1 |
Dublin | Server1 | G1 (vlan99) | | | |
Dublin | Server2 | G0 (vlan99) | 172.16.99.82 | 255.255.255.0 | 172.16.99.1 |
Dublin | Server2 | G1 (vlan99) | | | |
Dublin | PC1 | NIC (vlan10) | 172.16.10.51 | 255.255.255.0 | 172.16.10.1 |
Dublin | PC2 | NIC (vlan20) | 172.16.20.52 | 255.255.255.0 | 172.16.20.1 |
Dublin | PC3 | NIC (vlan30) | 172.16.30.53 | 255.255.255.0 | 172.16.30.1 |
Dublin | PC4 | NIC (vlan40) | 172.16.40.54 | 255.255.255.0 | 172.16.40.1 |
Dublin | Wireless router0 | Internet setup | 172.16.10.101 | 255.255.255.0 | 172.16.10.1 |
Dublin | Wireless router0 | Network setup | 172.16.50.1 | 255.255.255.0 | |
Dublin | Laptop1 | | | | |
Dublin | Laptop2 | | | | |
Limerick | R2 | S0/0/0 | 10.16.1.2 | 255.255.255.252 | |
Limerick | R2 | S0/0/1 (DCE) | 10.16.4.1 | 255.255.255.252 | |
Limerick | R2 | G0/0 | 172.18.1.1 | 255.255.255.0 | |
Limerick | PC7 | NIC | 172.18.1.57 | 255.255.255.0 | 172.18.1.1 |
Galway | R3 | S0/0/1 | 10.16.4.2 | 255.255.255.252 | | Standby router in HSRP (slow path)
Galway | R3 | S0/1/1 | 10.16.5.1 | 255.255.255.252 | |
Galway | R3 | G0/1 | 172.17.1.1 | 255.255.255.0 | |
Galway | R4 | S0/0/0 (DCE) | 10.16.6.1 | 255.255.255.252 | | Active router in HSRP (because the other path is slow)
Galway | R4 | G0/0 | 172.17.1.2 | 255.255.255.0 | |
Galway | Switch0 | VLAN 1 | 172.17.1.6 | 255.255.255.0 | 172.17.1.254 (virtual IP for HSRP) 172.17.1.1 |
Galway | Switch1 | VLAN 1 | 172.17.1.7 | 255.255.255.0 | 172.17.1.254 (virtual IP for HSRP) 172.17.1.2 |
Galway | PC5 | NIC | 172.17.1.55 | 255.255.255.0 | 172.17.1.254 (virtual IP for HSRP) 172.17.1.1 |
Galway | PC6 | NIC | 172.17.1.56 | 255.255.255.0 | 172.17.1.254 (virtual IP for HSRP) 172.17.1.2 |
Cork | R5 | S0/0/0 | 10.16.6.2 | 255.255.255.252 | |
Cork | R5 | S0/0/1 (DCE) | 10.16.2.2 | 255.255.255.252 | |
Cork | R5 | G0/0 | 172.19.1.1 | 255.255.255.0 | |
Cork | PC8 | NIC | 172.19.1.58 | 255.255.255.0 | 172.19.1.1 |
Sligo | R6 | S0/1/0 | 10.16.3.2 | 255.255.255.252 | |
Sligo | R6 | S0/1/1 (DCE) | 10.16.5.2 | 255.255.255.252 | |
Sligo | R6 | G0/0 | 172.20.1.1 | 255.255.255.0 | |
Sligo | PC9 | NIC | 172.20.1.59 | 255.255.255.0 | 172.20.1.1 |