Liberty University
CSIS 331
Lab 10 Instructions
***Please use the Topology and Instructions below to create a Packet Tracer from scratch. There will not be a Packet Tracer file provided for you; you must create a new one. If the routers do not have enough interfaces, you will need to go to the Physical tab of the router and add the correct interface card to the existing router. Make sure the router is powered down while you do this. Please reach out to your instructor if you have issues.***
Packet Tracer:
[Adapted from Cisco Networking Academy Routing and Switching 3.2.1.9]
Objectives
Configure and Verify RIPv2 Routing
• Configure RIPv2 on the routers and verify that it is running.
• Configure a passive interface.
• Examine routing tables.
• Disable automatic summarization.
• Configure a default route.
• Verify end-to-end connectivity.
Background / Scenario
RIP version 2 (RIPv2) is used for routing of IPv4 addresses in small networks. RIPv2 is a classless, distance-vector routing protocol, as defined by RFC 1723. Because RIPv2 is a classless routing protocol, subnet masks are included in the routing updates. By default, RIPv2 automatically summarizes networks at major network boundaries. When automatic summarization has been disabled, RIPv2 no longer summarizes networks to their classful address at boundary routers.
In this lab, you will configure the network topology with RIPv2 routing, disable automatic summarization, propagate a default route, and use CLI commands to display and verify RIP routing information.
Configure and Verify RIPv2 Routing
You will now configure RIPv2 routing on all routers in the network and then verify that the routing tables are updated correctly. After RIPv2 has been verified, you will disable automatic summarization, configure a default route, and verify end-to-end connectivity.
PCs are unable to ping each other.
a. Each workstation should be able to ping the attached router. Verify and troubleshoot if necessary.
b. The routers should be able to ping one another.
Step 1: Configure RIPv2 routing.
a. Configure RIPv2 on R1 as the routing protocol and advertise the appropriate connected networks.
R1# config t
R1(config)# router rip
R1(config-router)# version 2
R1(config-router)# passive-interface g0/1
R1(config-router)# network 172.30.0.0
R1(config-router)# network 10.0.0.0
The passive-interface command stops routing updates out the specified interface. This process prevents unnecessary routing traffic on the LAN. However, the network that the specified interface belongs to is still advertised in routing updates that are sent out across other interfaces.
b. Configure RIPv2 on R3 and use the network statement to add the appropriate connected networks and prevent routing updates on the LAN interface.
c. Configure RIPv2 on R2 and use the network statements to add the appropriate connected networks. Do not advertise the 209.165.201.0 network.
Note: It is not necessary to make the G0/0 interface passive on R2 because the network associated with this interface is not being advertised.
Step 2: Examine the current state of the network.
a. The status of the two serial links can quickly be verified using the show ip interface brief command on R2.
R2# show ip interface brief
Interface                  IP-Address      OK? Method Status                Protocol
Embedded-Service-Engine0/0 unassigned      YES unset  administratively down down
GigabitEthernet0/0         209.165.201.1   YES manual up                    up
GigabitEthernet0/1         unassigned      YES unset  administratively down down
Serial0/0/0                10.1.1.2        YES manual up                    up
Serial0/0/1                10.2.2.2        YES manual up                    up
b. Check connectivity between PCs. List your findings in the ping table.
From PC-A, is it possible to ping PC-B? Why?
From PC-A, is it possible to ping PC-C? Why?
From PC-C, is it possible to ping PC-B? Why?
From PC-C, is it possible to ping PC-A? Why?
c. Verify that RIPv2 is running on the routers.
You can use the debug ip rip, show ip protocols, and show run commands to confirm that RIPv2 is running. The show ip protocols command output for R1 is shown below.
R1# show ip protocols
Routing Protocol is "rip"
Outgoing update filter list for all interfaces is not set
Incoming update filter list for all interfaces is not set
Sending updates every 30 seconds, next due in 7 seconds
Invalid after 180 seconds, hold down 180, flushed after 240
Redistributing: rip
Default version control: send version 2, receive 2
Interface Send Recv Triggered RIP Key-chain
Serial0/0/0 2 2
Automatic network summarization is in effect
Maximum path: 4
Routing for Networks:
10.0.0.0
172.30.0.0
Passive Interface(s):
GigabitEthernet0/1
Routing Information Sources:
Gateway Distance Last Update
10.1.1.2 120
Distance: (default is 120)
Answer question 1 on the Answer Sheet.
When you are finished observing the debugging outputs, issue the undebug all command at the privileged EXEC prompt.
Answer question 2 on the Answer Sheet.
d. Examine the automatic summarization of routes.
The LANs connected to R1 and R3 are composed of discontiguous networks. R2 displays two equal-cost paths to the 172.30.0.0/16 network in the routing table. R2 displays only the major classful network address of 172.30.0.0 and does not display any of the subnets for this network.
R2# show ip route
Use the debug ip rip command on R2 to determine the routes received in the RIP updates from R3 and list them in Question 3 on the Answer Sheet.
R3 is not sending any of the 172.30.0.0 subnets, only the summarized route of 172.30.0.0/16, including the subnet mask. Therefore, the routing tables on R1 and R2 do not display the 172.30.0.0 subnets on R3.
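The summarization behaviour described in step d, modelled as an added Python example (not part of the original lab or of Cisco's material). It assumes a simplified RIP in which each router advertises only its connected networks; the function names are illustrative, and the addresses are the ones shown in this lab's routing tables.

```python
import ipaddress


def classful_network(net):
    """Return the major (classful) network containing `net` (CIDR string or network)."""
    net = ipaddress.ip_network(str(net))
    first_octet = int(net.network_address) >> 24
    if first_octet < 128:
        prefix = 8        # class A
    elif first_octet < 192:
        prefix = 16       # class B
    elif first_octet < 224:
        prefix = 24       # class C
    else:
        raise ValueError(f"{net} is not a class A, B or C network")
    return net.supernet(new_prefix=prefix) if net.prefixlen > prefix else net


def rip_update(connected, out_link, auto_summary):
    """Networks a router advertises out the interface attached to `out_link`.

    Simplified model (assumption): only connected networks are advertised and
    the outgoing link's own network is never sent back onto that link.
    """
    out_link = ipaddress.ip_network(out_link)
    adverts = set()
    for cidr in connected:
        net = ipaddress.ip_network(cidr)
        if net == out_link:
            continue
        major = classful_network(net)
        # With auto-summary, a subnet crossing into a different major network
        # is replaced by its classful network (172.30.10.0/24 -> 172.30.0.0/16).
        if auto_summary and major != classful_network(out_link):
            adverts.add(major)
        else:
            adverts.add(net)
    return sorted(adverts)


# Connected networks and serial links as shown in the lab's routing tables.
# Keys are the next-hop addresses R2 sees: 10.1.1.1 is R1, 10.2.2.1 is R3.
ROUTERS = {
    "10.1.1.1": {"connected": ["172.30.10.0/24", "10.1.1.0/30"],
                 "link_to_r2": "10.1.1.0/30"},
    "10.2.2.1": {"connected": ["172.30.30.0/24", "10.2.2.0/30"],
                 "link_to_r2": "10.2.2.0/30"},
}


def r2_view(auto_summary):
    """Map each network R2 learns via RIP to the neighbors that advertised it."""
    table = {}
    for neighbor, router in ROUTERS.items():
        updates = rip_update(router["connected"], router["link_to_r2"], auto_summary)
        for net in updates:
            table.setdefault(str(net), []).append(neighbor)
    return table


if __name__ == "__main__":
    for setting in (True, False):
        print("auto-summary" if setting else "no auto-summary")
        for net, via in r2_view(setting).items():
            print(f"  R {net} via {', '.join(via)}")
```

With auto-summary on, R2 receives the same 172.30.0.0/16 route from both neighbors and cannot tell the two LANs apart, which is why it installs two equal-cost paths.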
Step 3: Disable automatic summarization.
a. The no auto-summary command is used to turn off automatic summarization in RIPv2. Disable auto summarization on all routers. The routers will no longer summarize routes at major classful network boundaries. R1 is shown here as an example.
R1(config)# router rip
R1(config-router)# no auto-summary
b. Issue the clear ip route * command to clear the routing table.
R1(config-router)# end
R1# clear ip route *
c. Examine the routing tables. Remember that it will take some time to converge the routing tables after clearing them.
The LAN subnets connected to R1 and R3 should now be included in all three routing tables.
R2# show ip route
Gateway of last resort is not set
10.0.0.0/8 is variably subnetted, 4 subnets, 2 masks
C 10.1.1.0/30 is directly connected, Serial0/0/0
L 10.1.1.2/32 is directly connected, Serial0/0/0
C 10.2.2.0/30 is directly connected, Serial0/0/1
L 10.2.2.2/32 is directly connected, Serial0/0/1
172.30.0.0/16 is variably subnetted, 3 subnets, 2 masks
R 172.30.0.0/16 [120/1] via 10.2.2.1, 00:01:01, Serial0/0/1
[120/1] via 10.1.1.1, 00:01:15, Serial0/0/0
R 172.30.10.0/24 [120/1] via 10.1.1.1, 00:00:21, Serial0/0/0
R 172.30.30.0/24 [120/1] via 10.2.2.1, 00:00:04, Serial0/0/1
209.165.201.0/24 is variably subnetted, 2 subnets, 2 masks
C 209.165.201.0/24 is directly connected, GigabitEthernet0/0
L 209.165.201.1/32 is directly connected, GigabitEthernet0/0
R1# show ip route
Gateway of last resort is not set
10.0.0.0/8 is variably subnetted, 3 subnets, 2 masks
C 10.1.1.0/30 is directly connected, Serial0/0/0
L 10.1.1.1/32 is directly connected, Serial0/0/0
R 10.2.2.0/30 [120/1] via 10.1.1.2, 00:00:12, Serial0/0/0
172.30.0.0/16 is variably subnetted, 3 subnets, 2 masks
C 172.30.10.0/24 is directly connected, GigabitEthernet0/1
L 172.30.10.1/32 is directly connected, GigabitEthernet0/1
R 172.30.30.0/24 [120/2] via 10.1.1.2, 00:00:12, Serial0/0/0
R3# show ip route
10.0.0.0/8 is variably subnetted, 3 subnets, 2 masks
C 10.2.2.0/30 is directly connected, Serial0/0/1
L 10.2.2.1/32 is directly connected, Serial0/0/1
R 10.1.1.0/30 [120/1] via 10.2.2.2, 00:00:23, Serial0/0/1
172.30.0.0/16 is variably subnetted, 2 subnets, 2 masks
C 172.30.30.0/24 is directly connected, GigabitEthernet0/1
L 172.30.30.1/32 is directly connected, GigabitEthernet0/1
R 172.30.10.0 [120/2] via 10.2.2.2, 00:00:16, Serial0/0/1
d. Use the debug ip rip command on R2 to examine the RIP updates.
R2# debug ip rip
After 60 seconds, issue the no debug ip rip command.
Answer Questions 4 and 5 on the Answer Sheet.
Step 4: Configure and redistribute a default route for Internet access.
a. From R2, create a static route to network 0.0.0.0 0.0.0.0, using the ip route command. This forwards any traffic with an unknown destination address to PC-B at 209.165.201.2, simulating the Internet by setting a Gateway of Last Resort on router R2.
R2(config)# ip route 0.0.0.0 0.0.0.0 209.165.201.2
b. R2 will advertise a route to the other routers if the default-information originate command is added to its RIP configuration.
R2(config)# router rip
R2(config-router)# default-information originate
Step 5: Verify the routing configuration.
a. View the routing table on R1.
R1# show ip route
Gateway of last resort is 10.1.1.2 to network 0.0.0.0
R* 0.0.0.0/0 [120/1] via 10.1.1.2, 00:00:13, Serial0/0/0
10.0.0.0/8 is variably subnetted, 3 subnets, 2 masks
C 10.1.1.0/30 is directly connected, Serial0/0/0
L 10.1.1.1/32 is directly connected, Serial0/0/0
R 10.2.2.0/30 [120/1] via 10.1.1.2, 00:00:13, Serial0/0/0
172.30.0.0/16 is variably subnetted, 3 subnets, 2 masks
C 172.30.10.0/24 is directly connected, GigabitEthernet0/1
L 172.30.10.1/32 is directly connected, GigabitEthernet0/1
R 172.30.30.0/24 [120/2] via 10.1.1.2, 00:00:13, Serial0/0/0
Answer Question 6 on the Answer Sheet.
b. View the routing table on R2.
Answer Question 7 on the Answer Sheet.
Step 6: Verify connectivity.
a. Simulate sending traffic to the Internet by pinging from PC-A and PC-C to 209.165.201.2.
Answer Question 8 on the Answer Sheet.
b. Verify that hosts within the subnetted network can reach each other by pinging between PC-A and PC-C.
Answer Question 9 on the Answer Sheet.
Note: It may be necessary to disable the PCs firewall.
Answer Reflection Questions 1 and 2, and paste the R1, R2 and R3 output onto the Answer Sheet.
Liberty University
CSIS 331
Lab 10 Answer Sheet
Ping From Device    Ping to Device IP    Possible Y/N    Why?
PC-A                PC-B
PC-A                PC-C
PC-C                PC-B
PC-C                PC-A
1. When issuing the debug ip rip command on R2, what information is provided that confirms RIPv2 is running?
2. When issuing the show run command on R3, what information is provided that confirms RIPv2 is running?
3. Use the debug ip rip command on R2 to determine the routes received in the RIP updates from R3 and list them here.
4. What is the route in the RIP updates that is received from R3?
5. Are the subnet masks included in the routing updates? __ Yes / __ No
6. How can you tell from the routing table that the subnetted network shared by R1 and R3 has a pathway for Internet traffic?
7. How is the pathway for Internet traffic provided in its routing table?
8. Were the pings successful? __ Yes / __ No
9. Were the pings successful? __ Yes / __ No
Reflection Question 1: Why would you turn off automatic summarization for RIPv2?
Reflection Question 2: How did R1 and R3 learn the pathway to the Internet?
Copy and Paste R1 show run Output:
Copy and Paste R2 show run Output:
Copy and Paste R3 show run Output:
Liberty University
CSIS 331
Lab 11 Instructions
***Please use the Topology and Instructions below to create a Packet Tracer from scratch. There will not be a Packet Tracer file provided for you; you must create a new one. If the routers do not have enough interfaces, you will need to go to the Physical tab of the router and add the correct interface card to the existing router. Make sure the router is powered down while you do this. Please reach out to your instructor if you have issues.***
Packet Tracer:
[Adapted from Cisco Networking Academy Routing and Switching 5.2.2.9]
Addressing Table
Device    Interface    IP Address      Subnet Mask      Default Gateway
R1        G0/1         172.16.99.1     255.255.255.0    N/A
S1        VLAN 99      172.16.99.11    255.255.255.0    172.16.99.1
PC-A      NIC          172.16.99.3     255.255.255.0    172.16.99.1
Objectives
Part 1: Configure Basic Device Settings and Verify Connectivity
Part 2: Configure and Verify SSH Access on S1
• Configure SSH access.
• Modify SSH parameters.
• Verify the SSH configuration.
Part 3: Configure and Verify Security Features on S1
• Configure and verify general security features.
• Configure and verify port security.
Background / Scenario
It is quite common to lock down access and install strong security features on PCs and servers. It is important that your network infrastructure devices, such as switches and routers, are also configured with security features.
In this lab, you will follow some best practices for configuring security features on LAN switches. You will only allow SSH and secure HTTPS sessions. You will also configure and verify port security to lock out any device with a MAC address not recognized by the switch.
Part 1: Configure Basic Device Settings and Verify Connectivity
You will now configure basic settings on the router, switch, and PC. Refer to the Topology and Addressing Table at the beginning of this lab for device names and address information.
Step 1: Configure an IP address on PC-A.
Refer to the Addressing Table for the IP Address information.
Step 2: Configure basic settings on R1.
a. Console into R1 and enter global configuration mode.
b. Copy the following basic configuration and paste it to running-configuration on R1.
no ip domain-lookup
hostname R1
service password-encryption
enable secret class
banner motd #
Unauthorized access is strictly prohibited. #
line con 0
password cisco
login
logging synchronous
line vty 0 4
password cisco
login
interface g0/1
ip address 172.16.99.1 255.255.255.0
no shutdown
end
c. Save the running configuration to startup configuration.
Step 3: Configure basic settings on S1.
a. Console into S1 and enter global configuration mode.
b. Copy the following basic configuration and paste it to running-configuration on S1.
no ip domain-lookup
hostname S1
service password-encryption
enable secret class
banner motd #
Unauthorized access is strictly prohibited. #
line con 0
password cisco
login
logging synchronous
line vty 0 15
password cisco
login
exit
c. Create VLAN 99 on the switch and name it Management.
S1(config)# vlan 99
S1(config-vlan)# name Management
S1(config-vlan)# exit
S1(config)#
d. Configure the VLAN 99 management interface IP address, as shown in the Addressing Table, and enable the interface.
S1(config)# interface vlan 99
S1(config-if)# ip address 172.16.99.11 255.255.255.0
S1(config-if)# no shutdown
S1(config-if)# end
S1#
e. Issue the show vlan command on S1. Answer question 1 on the Answer Sheet.
f. Issue the show ip interface brief command on S1. Answer questions 2 and 3 on the Answer Sheet.
g. Assign ports F0/5 and F0/6 to VLAN 99 on the switch.
S1# config t
S1(config)# interface f0/5
S1(config-if)# switchport mode access
S1(config-if)# switchport access vlan 99
S1(config)# interface f0/6
S1(config-if)# switchport mode access
S1(config-if)# switchport access vlan 99
S1(config-if)# end
h. Save the running configuration to startup configuration.
i. Issue the show ip interface brief command on S1. Answer question 4 on the Answer Sheet.
Note: There may be a delay while the port states converge.
Step 4: Verify connectivity between devices.
Verify connectivity between devices and complete the Ping Table on the Answer Sheet.
a. From PC-A, open a web browser and go to http://172.16.99.11.
If you are prompted for a username and password, leave the username blank and use class for the password. If you are prompted for a secured connection, answer No. Answer question 5 on the Answer Sheet.
b. Close the browser.
Note: The non-secure web interface (HTTP server) on a Cisco 2960 switch is enabled by default. A common security measure is to disable this service, as described in Part 3.
Part 2: Configure and Verify SSH Access on S1
Step 1: Configure SSH access on S1.
a. Enable SSH on S1. From global configuration mode, create a domain name of CCNA-Lab.com.
S1(config)# ip domain-name CCNA-Lab.com
b. Create a local user database entry for use when connecting to the switch via SSH. The user should have administrative level access.
Note: The password used here is NOT a strong password. It is merely being used for lab purposes.
S1(config)# username admin privilege 15 secret sshadmin
c. Configure the transport input for the vty lines to allow SSH connections only, and use the local database for authentication.
S1(config)# line vty 0 15
S1(config-line)# transport input ssh
S1(config-line)# login local
S1(config-line)# exit
d. Generate an RSA crypto key using a modulus of 1024 bits.
S1(config)# crypto key generate rsa
The name for the keys will be: S1.CCNA-Lab.com
Choose the size of the key modulus in the range of 360 to 2048 for your
General Purpose Keys. Choosing a key modulus greater than 512 may take
a few minutes.
How many bits in the modulus [512]: 1024
% Generating 1024 bit RSA keys, keys will be non-exportable...[OK]
S1(config)#
S1(config)# end
e. Verify the SSH configuration.
S1# show ip ssh
Answer questions 6-8 on the Answer Sheet.
Step 2: Modify the SSH configuration on S1.
a. Modify the default SSH configuration.
S1# config t
S1(config)# ip ssh time-out 75
S1(config)# ip ssh authentication-retries 2
Answer questions 9 and 10 on the Answer Sheet.
b. Verify the SSH configuration on S1.
c. Using the SSH client software on PC-A (such as Tera Term), open an SSH connection to S1. If you receive a message on your SSH client regarding the host key, accept it. Log in with admin for username and sshadmin for the password.
Answer questions 11-13 on the Answer Sheet.
d. Type exit to end the SSH session on S1.
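One way to check the result of Part 2 offline, as an added Python example (not part of the original lab): it audits the vty blocks of a saved show run output for SSH-only transport and local authentication. The function names and both sample configurations are constructed for illustration; the first sample shows the common case where only lines 0-4 were hardened.

```python
import re

# Constructed `show running-config` excerpt: only vty 0-4 were hardened,
# lines 5-15 still use the shared line password from the basic configuration.
PARTIAL_CONFIG = """\
hostname S1
!
line con 0
 password 7 CONSTRUCTED
 logging synchronous
 login
line vty 0 4
 login local
 transport input ssh
line vty 5 15
 password 7 CONSTRUCTED
 login
!
end
"""

# Constructed excerpt matching the lab's step c (all 16 lines configured together).
HARDENED_CONFIG = """\
hostname S1
!
line vty 0 15
 password 7 CONSTRUCTED
 login local
 transport input ssh
!
end
"""

VTY_HEADER = re.compile(r"^line vty (\d+)(?: (\d+))?\s*$")


def vty_blocks(config):
    """Split a running-config into its `line vty` blocks and their sub-commands."""
    blocks, current = [], None
    for raw in config.splitlines():
        header = VTY_HEADER.match(raw)
        if header:
            first = int(header.group(1))
            last = int(header.group(2) or first)
            current = {"lines": f"vty {first}-{last}", "cmds": []}
            blocks.append(current)
        elif current is not None and raw.startswith(" "):
            current["cmds"].append(" ".join(raw.split()))
        else:
            current = None          # any non-indented line ends the block
    return blocks


def audit_vty(config):
    """Return (lines, finding) tuples for vty lines that are not SSH-only with local auth."""
    findings = []
    for block in vty_blocks(config):
        transport = [c.split()[2:] for c in block["cmds"]
                     if c.startswith("transport input")]
        if not transport:
            # Assumption: an unset transport is reported, because the platform
            # default may still accept Telnet.
            findings.append((block["lines"], "transport input is not set explicitly"))
        elif set(transport[-1]) not in ({"ssh"}, {"none"}):
            findings.append((block["lines"], "transport input allows protocols other than SSH"))
        if "login local" not in block["cmds"]:
            findings.append((block["lines"], "login does not use the local user database"))
    return findings


if __name__ == "__main__":
    for name, cfg in (("partial", PARTIAL_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_vty(cfg) or "OK")
```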
Part 3: Configure and Verify Security Features on S1
In Part 3, you will shut down unused ports, turn off certain services running on the switch, and configure port security based on MAC addresses. Switches can be subject to MAC address table overflow attacks, MAC spoofing attacks, and unauthorized connections to switch ports. You will configure port security to limit the number of MAC addresses that can be learned on a switch port and disable the port if that number is exceeded.
Step 1: Configure general security features on S1.
a. Change the message of the day (MOTD) banner on S1 to, “Unauthorized access is strictly prohibited. Violators will be prosecuted to the full extent of the law.”
b. Issue a show ip interface brief command on S1. Answer question 14 on the Answer Sheet.
c. Shut down all unused physical ports on the switch. Use the interface range command.
S1(config)# interface range f0/1 - 4
S1(config-if-range)# shutdown
S1(config-if-range)# interface range f0/7 - 24
S1(config-if-range)# shutdown
S1(config-if-range)# interface range g0/1 - 2
S1(config-if-range)# shutdown
S1(config-if-range)# end
S1#
d. Issue the show ip interface brief command on S1. Answer question 15 on the Answer Sheet.
Step 2: Configure and verify port security on S1.
a. Record the R1 G0/1 MAC address on the Answer Sheet Question 16.
From the R1 CLI, use the show interface g0/1 command and record the MAC address of the interface.
R1# show interface g0/1
GigabitEthernet0/1 is up, line protocol is up
Hardware is CN Gigabit Ethernet, address is 30f7.0da3.1821 (bia 3047.0da3.1821)
b. From the S1 CLI, issue a show mac address-table command from privileged EXEC mode. Find the dynamic entries for ports F0/5 and F0/6. Record them on the Answer Sheet in questions 17 and 18.
c. Configure basic port security.
Note: This procedure would normally be performed on all access ports on the switch. F0/5 is shown here as an example.
1) From the S1 CLI, enter interface configuration mode for the port that connects to R1.
S1(config)# interface f0/5
2) Shut down the port.
3) Enable port security on F0/5.
S1(config-if)# switchport port-security
Note: Entering the switchport port-security command sets the maximum MAC addresses to 1 and the violation action to shutdown. The switchport port-security maximum and switchport port-security violation commands can be used to change the default behavior.
4) Configure a static entry for the MAC address of R1 G0/1 interface.
S1(config-if)# switchport port-security mac-address xxxx.xxxx.xxxx
(xxxx.xxxx.xxxx is the actual MAC address of the router G0/1 interface)
Note: Optionally, you can use the switchport port-security mac-address sticky command to add all the secure MAC addresses that are dynamically learned on a port (up to the maximum set) to the switch running configuration.
5) Enable the switch port.
S1(config-if)# no shutdown
S1(config-if)# end
d. Verify port security on S1 F0/5 by issuing a show port-security interface command.
S1# show port-security interface f0/5
Port Security : Enabled
Port Status : Secure-up
Violation Mode : Shutdown
Aging Time : 0 mins
Aging Type : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 1
Total MAC Addresses : 1
Configured MAC Addresses : 1
Sticky MAC Addresses : 0
Last Source Address:Vlan : 0000.0000.0000:0
Security Violation Count : 0
Answer question 19 on the Answer Sheet
e. From R1 command prompt, ping PC-A to verify connectivity.
R1# ping 172.16.99.3
f. You will now violate security by changing the MAC address on the router interface. Enter interface configuration mode for G0/1 and shut it down.
R1# config t
R1(config)# interface g0/1
R1(config-if)# shutdown
g. Configure a new MAC address for the interface, using aaaa.bbbb.cccc as the address.
R1(config-if)# mac-address aaaa.bbbb.cccc
h. If possible, have a console connection open on S1 at the same time that you do the next two steps. You will eventually see messages displayed on the console connection to S1 indicating a security violation. Enable the G0/1 interface on R1.
R1(config-if)# no shutdown
i. From R1 privileged EXEC mode, ping PC-A. Answer questions 20 and 21 on the Answer Sheet.
j. On the switch, verify port security with the following commands.
S1# show port-security
Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
                (Count)       (Count)          (Count)
--------------------------------------------------------------------
      Fa0/5              1            1                  1         Shutdown
----------------------------------------------------------------------
Total Addresses in System (excluding one mac per port)     :0
Max Addresses limit in System (excluding one mac per port) :8192
S1# show port-security interface f0/5
Port Security : Enabled
Port Status : Secure-shutdown
Violation Mode : Shutdown
Aging Time : 0 mins
Aging Type : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 1
Total MAC Addresses : 1
Configured MAC Addresses : 1
Sticky MAC Addresses : 0
Last Source Address:Vlan : aaaa.bbbb.cccc:99
Security Violation Count : 1
S1# show interface f0/5
FastEthernet0/5 is down, line protocol is down (err-disabled)
Hardware is Fast Ethernet, address is 0cd9.96e2.3d05 (bia 0cd9.96e2.3d05)
MTU 1500 bytes, BW 10000 Kbit/sec, DLY 1000 usec,
reliability 255/255, txload 1/255, rxload 1/255
S1# show port-security address
               Secure Mac Address Table
------------------------------------------------------------------------
Vlan    Mac Address       Type                Ports   Remaining Age
                                                         (mins)
----    -----------       ----                -----   -------------
  99    30f7.0da3.1821    SecureConfigured    Fa0/5        -
-----------------------------------------------------------------------
Total Addresses in System (excluding one mac per port)     :0
Max Addresses limit in System (excluding one mac per port) :8192
k. On the router, shut down the G0/1 interface, remove the hard-coded MAC address from the router, and re-enable the G0/1 interface.
R1(config-if)# shutdown
R1(config-if)# no mac-address aaaa.bbbb.cccc
R1(config-if)# no shutdown
R1(config-if)# end
l. From R1, ping PC-A again at 172.16.99.3. Answer question 22 on the Answer Sheet.
m. On the switch, issue the show interface f0/5 command to determine the cause of ping failure. Record your findings on the Answer Sheet Question 23.
n. Clear the S1 F0/5 error disabled status.
S1# config t
S1(config)# interface f0/5
S1(config-if)# shutdown
S1(config-if)# no shutdown
Note: There may be a delay while the port states converge.
o. Issue the show interface f0/5 command on S1 to verify F0/5 is no longer in error disabled mode.
S1# show interface f0/5
FastEthernet0/5 is up, line protocol is up (connected)
Hardware is Fast Ethernet, address is 0023.5d59.9185 (bia 0023.5d59.9185)
MTU 1500 bytes, BW 100000 Kbit/sec, DLY 100 usec,
reliability 255/255, txload 1/255, rxload 1/255
p. From the R1 command prompt, ping PC-A again. The ping should be successful.
Answer Reflection Questions 1 & 2 on the Answer Sheet.
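The port-security outputs from steps d and j can also be checked by script. The following added Python example (not part of the original lab) parses show port-security interface and show port-security address text and reports whether the port is err-disabled and which MAC address triggered it; the function names are illustrative and the sample text is abridged from the outputs shown above.

```python
import re

# Abridged from the lab's `show port-security interface f0/5` outputs.
TEMPLATE = """\
Port Security              : Enabled
Port Status                : {status}
Violation Mode             : Shutdown
Maximum MAC Addresses      : 1
Total MAC Addresses        : 1
Configured MAC Addresses   : 1
Sticky MAC Addresses       : 0
Last Source Address:Vlan   : {last}
Security Violation Count   : {count}
"""
HEALTHY = TEMPLATE.format(status="Secure-up", last="0000.0000.0000:0", count=0)
VIOLATION = TEMPLATE.format(status="Secure-shutdown", last="aaaa.bbbb.cccc:99", count=1)

# Abridged from the lab's `show port-security address` output.
ADDRESSES = """\
Vlan    Mac Address       Type                Ports   Remaining Age
----    -----------       ----                -----   -------------
  99    30f7.0da3.1821    SecureConfigured    Fa0/5        -
"""

MAC = r"[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}"
ADDR_ROW = re.compile(rf"^\s*(\d+)\s+({MAC})\s+(\S+)\s+(\S+)", re.I)
FIELD = re.compile(r"^(.*?)\s+:\s+(.*)$")


def parse_interface(text):
    """Parse 'Key : value' lines; the separator needs spaces on both sides, so
    the colon inside 'Last Source Address:Vlan' stays part of the key."""
    fields = {}
    for line in text.splitlines():
        m = FIELD.match(line.strip())
        if m:
            fields[m.group(1)] = m.group(2).strip()
    return fields


def parse_secure_addresses(text):
    """Return the rows of the secure MAC address table as dictionaries."""
    rows = []
    for line in text.splitlines():
        m = ADDR_ROW.match(line)
        if m:
            vlan, mac, kind, port = m.groups()
            rows.append({"vlan": int(vlan), "mac": mac.lower(),
                         "type": kind, "port": port})
    return rows


def triage(port, iface_text, addr_text):
    """Summarise a port: err-disabled state, allowed MACs and the offending MAC."""
    fields = parse_interface(iface_text)
    allowed = [row["mac"] for row in parse_secure_addresses(addr_text)
               if row["port"].lower() == port.lower()]
    last_mac, _, last_vlan = fields.get("Last Source Address:Vlan", "").rpartition(":")
    violations = int(fields.get("Security Violation Count", "0"))
    report = {
        "port": port,
        "status": fields.get("Port Status"),
        "err_disabled": fields.get("Port Status") == "Secure-shutdown",
        "violations": violations,
        "allowed_macs": allowed,
        "offending_mac": None,
        "vlan": None,
    }
    # The last source address is only meaningful once a violation was counted.
    if violations and last_mac.lower() not in allowed:
        report["offending_mac"] = last_mac.lower()
        report["vlan"] = int(last_vlan)
    return report


if __name__ == "__main__":
    for label, text in (("before", HEALTHY), ("after", VIOLATION)):
        print(label, triage("Fa0/5", text, ADDRESSES))
```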
Liberty University
CSIS 331
Lab 11 Answer Sheet
Part 1 Questions:
1. What is the status of VLAN 99?
2. What is the status and protocol for management interface VLAN 99?
3. Why is the protocol down, even though you issued the no shutdown command for interface VLAN 99?
4. What is the status and protocol showing for interface VLAN 99?
Ping Table
Ping From    Ping To               Successful Y/N
PC-A         R1 Default Gateway
PC-A         S1 Default Gateway
S1           R1 Default Gateway
5. Were you able to access the web interface on S1? __ Y ___N
Part 2 Questions:
6. What version of SSH is the switch using?
7. How many authentication attempts does SSH allow?
8. What is the default timeout setting for SSH?
9. How many authentication attempts does SSH allow?
10. What is the timeout setting for SSH?
11. Was the connection successful? __ Y ___N
12. What prompt was displayed on S1?
13. Why?
Part 3 Questions:
14. What physical ports are up?
15. What is the status of ports F0/1 to F0/4?
16. What is the MAC address of the R1 G0/1 interface?
17. F0/5 MAC address:
18. F0/6 MAC address:
19. What is the port status of F0/5?
20. Was the ping successful? __ Y __N
21. Why or why not?
22. Was the ping successful? __ Y __N
23. What was the cause of the ping failure?
Reflection Question 1. Why would you enable port security on a switch?
Reflection Question 2. Why should unused ports on a switch be disabled?
Liberty University
CSIS 331
Lab 12 Instructions
***Please use the Topology and Instructions below to create a Packet Tracer from scratch. There will not be a Packet Tracer file provided for you; you must create a new one. If the routers do not have enough interfaces, you will need to go to the Physical tab of the router and add the correct interface card to the existing router. Make sure the router is powered down while you do this. Please reach out to your instructor if you have issues.***
Packet Tracer:
[Adapted from Cisco Networking Academy Routing and Switching 6.2.2.5]
Topology
Addressing Table
Device    Interface    IP Address      Subnet Mask      Default Gateway
S1        VLAN 1       192.168.1.11    255.255.255.0    N/A
S2        VLAN 1       192.168.1.12    255.255.255.0    N/A
PC-A      NIC          192.168.10.3    255.255.255.0    192.168.10.1
PC-B      NIC          192.168.10.4    255.255.255.0    192.168.10.1
PC-C      NIC          192.168.20.3    255.255.255.0    192.168.20.1
Objectives
Part 1: Build the Network and Configure Basic Device Settings
Part 2: Create VLANs and Assign Switch Ports
Part 3: Maintain VLAN Port Assignments and the VLAN Database
Part 4: Configure an 802.1Q Trunk between the Switches
Part 5: Delete the VLAN Database
Background / Scenario
Modern switches use virtual local-area networks (VLANs) to improve network performance by separating large Layer 2 broadcast domains into smaller ones. VLANs can also be used as a security measure by controlling which hosts can communicate. In general, VLANs make it easier to design a network to support the goals of an organization.
VLAN trunks are used to span VLANs across multiple devices. Trunks allow the traffic from multiple VLANS to travel over a single link, while keeping the VLAN identification and segmentation intact.
In this lab, you will create VLANs on both switches in the topology, assign VLANs to switch access ports, verify that VLANs are working as expected, and then create a VLAN trunk between the two switches to allow hosts in the same VLAN to communicate through the trunk, regardless of which switch the host is actually attached to.
Part 1: Build the Network and Configure Basic Device Settings
In Part 1, you will set up the network topology and configure basic settings on the PC hosts and switches.
Step 1: Cable the network as shown in the topology.
Attach the devices as shown in the topology diagram, and cable as necessary.
Step 2: Configure basic settings for each switch.
a. Console into the switch and enter global configuration mode.
b. Copy the following basic configuration and paste it to the running-configuration on the switch.
no ip domain-lookup
service password-encryption
enable secret class
banner motd #
Unauthorized access is strictly prohibited. #
line con 0
password cisco
login
logging synchronous
line vty 0 15
password cisco
logging synchronous
login
exit
c. Configure the host name as shown in the topology.
d. Configure the IP address listed in the Addressing Table for VLAN 1 on the switch.
e. Administratively deactivate all unused ports on the switch.
f. Copy the running configuration to the startup configuration.
Step 3: Configure PC hosts.
Refer to the Addressing Table for PC host address information.
Step 4: Test connectivity.
Verify that the PC hosts can ping one another.
Answer Ping Table on Answer Sheet.
Part 2: Create VLANs and Assign Switch Ports
In Part 2, you will create student, faculty, and management VLANs on both switches. You will then assign the VLANs to the appropriate interface. The show vlan command is used to verify your configuration settings.
Step 1: Create VLANs on the switches.
a. Create the VLANs on S1.
S1(config)# vlan 10
S1(config-vlan)# name Student
S1(config-vlan)# vlan 20
S1(config-vlan)# name Faculty
S1(config-vlan)# vlan 99
S1(config-vlan)# name Management
S1(config-vlan)# end
b. Create the same VLANs on S2.
c. Issue the show vlan command to view the list of VLANs on S1.
S1# show vlan
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/1, Fa0/2, Fa0/3, Fa0/4
                                                Fa0/5, Fa0/6, Fa0/7, Fa0/8
                                                Fa0/9, Fa0/10, Fa0/11, Fa0/12
                                                Fa0/13, Fa0/14, Fa0/15, Fa0/16
                                                Fa0/17, Fa0/18, Fa0/19, Fa0/20
                                                Fa0/21, Fa0/22, Fa0/23, Fa0/24
                                                Gi0/1, Gi0/2
10   Student                          active
20   Faculty                          active
99   Management                       active
1002 fddi-default                     act/unsup
1003 token-ring-default               act/unsup
1004 fddinet-default                  act/unsup
1005 trnet-default                    act/unsup

VLAN Type  SAID       MTU   Parent RingNo BridgeNo Stp  BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
1    enet  100001     1500  -      -      -        -    -        0      0
10   enet  100010     1500  -      -      -        -    -        0      0
20   enet  100020     1500  -      -      -        -    -        0      0
99   enet  100099     1500  -      -      -        -    -        0      0

VLAN Type  SAID       MTU   Parent RingNo BridgeNo Stp  BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
1002 fddi  101002     1500  -      -      -        -    -        0      0
1003 tr    101003     1500  -      -      -        -    -        0      0
1004 fdnet 101004     1500  -      -      -        ieee -        0      0
1005 trnet 101005     1500  -      -      -        ibm  -        0      0

Remote SPAN VLANs
------------------------------------------------------------------------------

Primary Secondary Type              Ports
------- --------- ----------------- ------------------------------------------
Answer Questions 1 and 2 on the answer sheet.
Step 2: Assign VLANs to the correct switch interfaces.
a. Assign VLANs to the interfaces on S1.
1) Assign PC-A to the Student VLAN.
S1(config)# interface f0/6
S1(config-if)# switchport mode access
S1(config-if)# switchport access vlan 10
2) Move the switch IP address to VLAN 99.
S1(config)# interface vlan 1
S1(config-if)# no ip address
S1(config-if)# interface vlan 99
S1(config-if)# ip address 192.168.1.11 255.255.255.0
S1(config-if)# end
b. Issue the show vlan brief command and verify that the VLANs are assigned to the correct interfaces.
S1# show vlan brief
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/1, Fa0/2, Fa0/3, Fa0/4
                                                Fa0/5, Fa0/7, Fa0/8, Fa0/9
                                                Fa0/10, Fa0/11, Fa0/12, Fa0/13
                                                Fa0/14, Fa0/15, Fa0/16, Fa0/17
                                                Fa0/18, Fa0/19, Fa0/20, Fa0/21
                                                Fa0/22, Fa0/23, Fa0/24, Gi0/1
                                                Gi0/2
10   Student                          active    Fa0/6
20   Faculty                          active
99   Management                       active
1002 fddi-default                     act/unsup
1003 token-ring-default               act/unsup
1004 fddinet-default                  act/unsup
1005 trnet-default                    act/unsup
c. Issue the show ip interface brief command.
Answer questions 3 and 4 on the answer sheet.
d. Use the Topology to assign VLANs to the appropriate ports on S2.
e. Remove the IP address for VLAN 1 on S2.
f. Configure an IP address for VLAN 99 on S2 according to the Addressing Table.
g. Use the show vlan brief command to verify that the VLANs are assigned to the correct interfaces.
S2# show vlan brief
VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
1 default active Fa0/1, Fa0/2, Fa0/3, Fa0/4
Fa0/5, Fa0/6, Fa0/7, Fa0/8
Fa0/9, Fa0/10, Fa0/12, Fa0/13
Fa0/14, Fa0/15, Fa0/16, Fa0/17
Fa0/19, Fa0/20, Fa0/21, Fa0/22
Fa0/23, Fa0/24, Gi0/1, Gi0/2
10 Student active Fa0/11
20 Faculty active Fa0/18
99 Management active
1002 fddi-default act/unsup
1003 token-ring-default act/unsup
1004 fddinet-default act/unsup
1005 trnet-default act/unsup
Answer questions 5 through 8 on the answer sheet.
Part 3: Maintain VLAN Port Assignments and the VLAN Database
In Part 3, you will change VLAN assignments to ports and remove VLANs from the VLAN database.
Step 1: Assign a VLAN to multiple interfaces.
a. On S1, assign interfaces F0/11 – 24 to VLAN 10.
S1(config)# interface range f0/11-24
S1(config-if-range)# switchport mode access
S1(config-if-range)# switchport access vlan 10
S1(config-if-range)# end
b. Issue the show vlan brief command to verify VLAN assignments.
c. Reassign F0/11 and F0/21 to VLAN 20.
d. Verify that VLAN assignments are correct.
Step 2: Remove a VLAN assignment from an interface.
a. Use the no switchport access vlan command to remove the VLAN 10 assignment to F0/24.
S1(config)# interface f0/24
S1(config-if)# no switchport access vlan
S1(config-if)# end
b. Verify that the VLAN change was made.
Answer question 9 in the answer sheet.
Step 3: Remove a VLAN ID from the VLAN database.
a. Add VLAN 30 to interface F0/24 without issuing the VLAN command.
S1(config)# interface f0/24
S1(config-if)# switchport access vlan 30
% Access VLAN does not exist. Creating vlan 30
Note: Current switch technology no longer requires that the vlan command be issued to add a VLAN to the database. When an unknown VLAN is assigned to a port, the VLAN is added to the VLAN database.
b. Verify that the new VLAN is displayed in the VLAN table.
S1# show vlan brief
VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
1 default active Fa0/1, Fa0/2, Fa0/3, Fa0/4
Fa0/5, Fa0/6, Fa0/7, Fa0/8
Fa0/9, Fa0/10, Gi0/1, Gi0/2
10 Student active Fa0/12, Fa0/13, Fa0/14, Fa0/15
Fa0/16, Fa0/17, Fa0/18, Fa0/19
Fa0/20, Fa0/22, Fa0/23
20 Faculty active Fa0/11, Fa0/21
30 VLAN0030 active Fa0/24
99 Management active
1002 fddi-default act/unsup
1003 token-ring-default act/unsup
1004 fddinet-default act/unsup
1005 trnet-default act/unsup
Answer question 10 on the Answer Sheet.
c. Use the no vlan 30 command to remove VLAN 30 from the VLAN database.
S1(config)# no vlan 30
S1(config)# end
d. Issue the show vlan brief command. F0/24 was assigned to VLAN 30.
Answer questions 11 and 12 on the Answer Sheet.
S1# show vlan brief
VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
1 default active Fa0/1, Fa0/2, Fa0/3, Fa0/4
Fa0/5, Fa0/6, Fa0/7, Fa0/8
Fa0/9, Fa0/10, Gi0/1, Gi0/2
10 Student active Fa0/12, Fa0/13, Fa0/14, Fa0/15
Fa0/16, Fa0/17, Fa0/18, Fa0/19
Fa0/20, Fa0/22, Fa0/23
20 Faculty active Fa0/11, Fa0/21
99 Management active
1002 fddi-default act/unsup
1003 token-ring-default act/unsup
1004 fddinet-default act/unsup
1005 trnet-default act/unsup
e. Issue the no switchport access vlan command on interface F0/24.
f. Issue the show vlan brief command to determine the VLAN assignment for F0/24.
Answer question 13 on the Answer Sheet.
Note: Before removing a VLAN from the database, it is recommended that you reassign all the ports assigned to that VLAN.
Answer question 14 on the Answer Sheet.
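The check in Part 3, comparing show vlan brief against the ports the switch actually has, can be automated. The following is an added example, not part of the original lab: it parses the table and reports ports listed under no VLAN (trunks, or access ports whose VLAN is missing from the database) and ports still in default VLAN 1. The sample output is constructed from step 3d, and the port inventory of Fa0/1-24 plus Gi0/1-2 is an assumption based on the 2960 used in the lab.

```python
import re

# Constructed sample: S1 `show vlan brief` after `no vlan 30` (step 3d above).
SHOW_VLAN_BRIEF = """\
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/1, Fa0/2, Fa0/3, Fa0/4
                                                Fa0/5, Fa0/6, Fa0/7, Fa0/8
                                                Fa0/9, Fa0/10, Gi0/1, Gi0/2
10   Student                          active    Fa0/12, Fa0/13, Fa0/14, Fa0/15
                                                Fa0/16, Fa0/17, Fa0/18, Fa0/19
                                                Fa0/20, Fa0/22, Fa0/23
20   Faculty                          active    Fa0/11, Fa0/21
99   Management                       active
1002 fddi-default                     act/unsup
"""

PORT_RE = re.compile(r"\b(?:Fa|Gi)\d+/\d+\b")
ROW_RE = re.compile(r"^(\d+)\s+\S+\s+\S+")


def parse_vlan_brief(text):
    """Return {vlan_id: [ports]}; indented lines continue the previous VLAN row."""
    vlans, current = {}, None
    for line in text.splitlines():
        row = ROW_RE.match(line)
        if row:
            current = int(row.group(1))
            vlans[current] = []
        if current is not None and (row or line[:1].isspace()):
            vlans[current].extend(PORT_RE.findall(line))
    return vlans


def audit_vlan_brief(text, trunks=()):
    """Flag ports listed under no VLAN and ports still in default VLAN 1."""
    # Assumption: the inventory is the lab's 2960 (Fa0/1-24, Gi0/1-2).
    inventory = [f"Fa0/{n}" for n in range(1, 25)] + ["Gi0/1", "Gi0/2"]
    vlans = parse_vlan_brief(text)
    listed = {port for ports in vlans.values() for port in ports}
    return {
        "unlisted": [p for p in inventory if p not in listed and p not in trunks],
        "in_vlan1": vlans.get(1, []),
    }


if __name__ == "__main__":
    print(audit_vlan_brief(SHOW_VLAN_BRIEF))
```

Pass known trunk ports in trunks so that only unexpected gaps are reported.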
Part 4: Configure an 802.1Q Trunk Between the Switches
In Part 4, you will configure interface F0/1 to use the Dynamic Trunking Protocol (DTP) to allow it to negotiate the trunk mode. After this has been accomplished and verified, you will disable DTP on interface F0/1 and manually configure it as a trunk.
Step 1: Use DTP to initiate trunking on F0/1.
The default DTP mode of a 2960 switch port is dynamic auto. This allows the interface to convert the link to a trunk if the neighboring interface is set to trunk or dynamic desirable mode.
a. Set F0/1 on S1 to negotiate trunk mode.
S1(config)# interface f0/1
S1(config-if)# switchport mode dynamic desirable
*Mar 1 05:07:28.746: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan1, changed state to down
*Mar 1 05:07:29.744: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to down
S1(config-if)#
*Mar 1 05:07:32.772: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to up
S1(config-if)#
*Mar 1 05:08:01.789: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan99, changed state to up
*Mar 1 05:08:01.797: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan1, changed state to up
You should also receive link status messages on S2.
S2#
*Mar 1 05:07:29.794: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to down
S2#
*Mar 1 05:07:32.823: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to up
S2#
*Mar 1 05:08:01.839: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan99, changed state to up
*Mar 1 05:08:01.850: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan1, changed state to up
b. Issue the show vlan brief command on S1 and S2. Interface F0/1 is no longer assigned to VLAN 1. Trunked interfaces are not listed in the VLAN table.
S1# show vlan brief
VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
1 default active Fa0/2, Fa0/3, Fa0/4, Fa0/5
Fa0/24, Gi0/1, Gi0/2
10 Student active Fa0/6, Fa0/12, Fa0/13, Fa0/14
Fa0/15, Fa0/16, Fa0/17, Fa0/18
Fa0/19, Fa0/20, Fa0/22, Fa0/23
20 Faculty active Fa0/11, Fa0/21
99 Management active
1002 fddi-default act/unsup
1003 token-ring-default act/unsup
1004 fddinet-default act/unsup
1005 trnet-default act/unsup
c. Issue the show interfaces trunk command to view trunked interfaces. Notice that the mode on S1 is set to desirable, and the mode on S2 is set to auto.
S1# show interfaces trunk
Port Mode Encapsulation Status Native vlan
Fa0/1 desirable 802.1q trunking 1
Port Vlans allowed on trunk
Fa0/1 1-4094
Port Vlans allowed and active in management domain
Fa0/1 1,10,20,99
Port Vlans in spanning tree forwarding state and not pruned
Fa0/1 1,10,20,99
S2# show interfaces trunk
Port Mode Encapsulation Status Native vlan
Fa0/1 auto 802.1q trunking 1
Port Vlans allowed on trunk
Fa0/1 1-4094
Port Vlans allowed and active in management domain
Fa0/1 1,10,20,99
Port Vlans in spanning tree forwarding state and not pruned
Fa0/1 1,10,20,99
Note: By default, all VLANs are allowed on a trunk. The switchport trunk command allows you to control which VLANs have access to the trunk. For this lab, keep the default settings, which allow all VLANs to traverse F0/1.
d. Verify that VLAN traffic is traveling over trunk interface F0/1. Complete the second ping table on the Answer Sheet.
Step 2: Manually configure trunk interface F0/1.
The switchport mode trunk command is used to manually configure a port as a trunk. This command should be issued on both ends of the link.
a. Change the switchport mode on interface F0/1 to force trunking. Make sure to do this on both switches.
S1(config)# interface f0/1
S1(config-if)# switchport mode trunk
b. Issue the show interfaces trunk command to view the trunk mode. Notice that the mode changed from desirable to on.
S2# show interfaces trunk
Port Mode Encapsulation Status Native vlan
Fa0/1 on 802.1q trunking 99
Port Vlans allowed on trunk
Fa0/1 1-4094
Port Vlans allowed and active in management domain
Fa0/1 1,10,20,99
Port Vlans in spanning tree forwarding state and not pruned
Fa0/1 1,10,20,99
Answer question 15 on the Answer Sheet.
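The trunk settings compared in Part 4 (negotiated versus manual mode, native VLAN, allowed VLAN list) can be reviewed from show interfaces trunk output. The following is an added example, not part of the original lab: it parses that output and reports trunks formed by DTP negotiation, trunks whose native VLAN is the default VLAN 1, and trunks that allow every VLAN. The sample text is constructed from the S1 output in step 1c, and the finding names are hypothetical labels.

```python
# Constructed sample modeled on the S1 output in Part 4, step 1c.
SHOW_TRUNK = """\
Port        Mode         Encapsulation  Status        Native vlan
Fa0/1       desirable    802.1q         trunking      1

Port        Vlans allowed on trunk
Fa0/1       1-4094

Port        Vlans allowed and active in management domain
Fa0/1       1,10,20,99
"""


def parse_trunks(text):
    """Return {port: {"mode", "native", "allowed"}} from `show interfaces trunk`."""
    trunks, section = {}, None
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        if fields[0] == "Port":  # every section starts with a "Port ..." header
            header = " ".join(fields[1:])
            if header.startswith("Mode"):
                section = "summary"
            elif header == "Vlans allowed on trunk":
                section = "allowed"
            else:
                section = None  # sections this audit does not use
            continue
        if section == "summary" and len(fields) >= 5:
            trunks[fields[0]] = {"mode": fields[1], "native": int(fields[4])}
        elif section == "allowed" and fields[0] in trunks:
            trunks[fields[0]]["allowed"] = fields[1]
    return trunks


def audit_trunks(text):
    """Return (port, finding) pairs; finding names are hypothetical labels."""
    findings = []
    for port, trunk in parse_trunks(text).items():
        if trunk["mode"] in ("auto", "desirable"):
            findings.append((port, "dtp-negotiated"))
        if trunk["native"] == 1:
            findings.append((port, "native-vlan-1"))
        if trunk.get("allowed") == "1-4094":
            findings.append((port, "all-vlans-allowed"))
    return findings


if __name__ == "__main__":
    for port, finding in audit_trunks(SHOW_TRUNK):
        print(port, finding)
```

Run against the step 2b output (mode on, native VLAN 99), only the all-vlans-allowed finding remains, which matches the lab's choice to keep the default allowed list.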
Part 5: Delete the VLAN Database
In Part 5, you will delete the VLAN Database from the switch. It is necessary to do this when initializing a switch back to its default settings.
Step 1: Determine if the VLAN database exists.
Issue the show flash command to determine if a vlan.dat file exists in flash.
S1# show flash
Directory of flash:/
3 -rwx 43032 Mar 1 1993 00:01:24 +00:00 multiple-fs
4 -rwx 5 Mar 1 1993 00:01:24 +00:00 private-config.text
5 -rwx 11607161 Mar 1 1993 02:37:06 +00:00 c2960-lanbasek9-mz.150-2.SE.bin
6 -rwx 736 Mar 1 1993 00:19:41 +00:00 vlan.dat
32514048 bytes total (20858880 bytes free)
Note: If there is a vlan.dat file located in flash, then the VLAN database does not contain its default settings.
Step 2: Delete the VLAN database.
a. Issue the delete vlan.dat command to delete the vlan.dat file from flash and reset the VLAN database back to its default settings. You will be prompted twice to confirm that you want to delete the vlan.dat file. Press Enter both times.
S1# delete vlan.dat
Delete filename [vlan.dat]?
Delete flash:/vlan.dat? [confirm]
S1#
b. Issue the show flash command to verify that the vlan.dat file has been deleted.
S1# show flash
Directory of flash:/
2 -rwx 1285 Mar 1 1993 00:01:24 +00:00 config.text
3 -rwx 43032 Mar 1 1993 00:01:24 +00:00 multiple-fs
4 -rwx 5 Mar 1 1993 00:01:24 +00:00 private-config.text
5 -rwx 11607161 Mar 1 1993 02:37:06 +00:00 c2960-lanbasek9-mz.150-2.SE.bin
32514048 bytes total (20859904 bytes free)
Answer Question 16 and the Reflection Questions on the Answer Sheet.
Lab12/Lab 12 Answer Sheet-PLo x
Liberty University
CSIS 331
Lab 12 Answer Sheet
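Ping From Device | Ping to Device IP | Possible Y/N | If no, Why Not?
PC-A | PC-B | ____ | ____
PC-A | PC-C | ____ | ____
PC-A | S1 | ____ | ____
PC-B | PC-C | ____ | ____
PC-B | S2 | ____ | ____
PC-C | S2 | ____ | ____
S1 | S2 | ____ | ____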
1. What is the default VLAN?
2. What ports are assigned to the default VLAN?
3. What is the status of VLAN 99?
4. Why?
5. Is PC-A able to ping PC-B? ____Yes ____No
6. Why?
7. Is S1 able to ping S2? ____Yes ____No
8. Why?
9. Which VLAN is F0/24 now associated with?
10. What is the default name of VLAN 30?
11. After deleting VLAN 30, what VLAN is port F0/24 assigned to?
12. What happens to the traffic destined to the host attached to F0/24?
13. To which VLAN is F0/24 assigned?
14. Why should you reassign a port to another VLAN before removing the VLAN from the VLAN database?
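Ping From Device | Ping to Device IP | Possible Y/N | If no, Why Not?
S1 | S2 | ____ | ____
PC-A | PC-B | ____ | ____
PC-A | PC-C | ____ | ____
PC-A | PC-C | ____ | ____
PC-B | PC-C | ____ | ____
PC-B | S2 | ____ | ____
PC-C | S2 | ____ | ____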
15. Why might you want to manually configure an interface to trunk mode instead of using DTP?
16. To initialize a switch back to its default settings, what other commands are needed?
Reflection Question 1: What is needed to allow hosts on VLAN 10 to communicate with hosts on VLAN 20?
Reflection Question 2: What are some primary benefits that an organization can receive through effective use of VLANs?
Copy and Paste S1 show run Output:
Copy and Paste S2 show run Output: