ccna routing & switching 200-125 · the following publication: ccna 200-125 lab workbook series...

CCNA ROUTING & SWITCHING 200-125

Copyright Commsupport Networks Ltd Page 1

Copyright © 2007-2019 Commsupport Networks Ltd. All rights reserved. The following publication, CCNA 200-125 Lab Workbook series, was developed by Commsupport

Networks Ltd. All rights reserved. No part of this publication may be reproduced or distributed in any

form or by any means without prior written permission from Commsupport Networks Ltd

Cisco, Cisco Systems, the Cisco logo, and CCIE are registered trademarks of Cisco Systems, Inc.

and/or its affiliates in the United States and certain other countries. All other products and company

names mentioned in this workbook are the trademarks, registered trademarks, or service marks of

their respective owners.

Disclaimer

The following publication: CCNA 200-125 Lab Workbook series is designed to assist students in their

preparation for the Cisco Systems CCNA Routing and Switching Exam.

The enclosed material is presented to you on an “as is” basis. Every effort has been taken to ensure

that all material contained in this workbook is complete and accurate. The authors and Commsupport

Networks assume no liability or responsibility to any person or entity with respect to loss or damages

incurred by using theinformation contained in this workbook.

This workbook was developed by Commsupport Networks Ltd and is an original work of the

aforementioned authors.

Any similarities between material presented in this guide and actual CCNA 200-125 Exam or other

material is completely coincidental.



IMPORTANT: Before you Start Step 1: Before beginning go to: https://www.netacad.com/courses/packet-tracer

Create an account, download and install the latest version of Packet Tracer for your operating system

on your local machine.

Step 2: Go to the following link https://commsupportnetworks.co.uk/ hover over “Contact Us” and

select the download link, you will need to download the following compressed files:

1. CCNA 200-125 PACKET TRACER TEMPLATES

2. CCNA 200-125 CONFIGURATION TEMPLATES

3. CCNA 200-125 FAULT FINDING TEMPLATES

NOTE: To download 7zip visit this site: https://www.7-zip.org/download.html

Step 3: Before beginning this section go to: https://www.gns3.com/

Create an account, download and install the latest version of GNS3 for your operating system on your

local machine.

Step 4: To learn how to install GNS3 please watch the following two videos found at the following link

https://commsupportnetworks.co.uk/ hover over “Contact Us” and select the download link, you will

need to watch the following videos:

4. Installing GNS3

5. Improving GNS3 performance

Step 5: Go to https://commsupportnetworks.co.uk/ hover over “Contact Us” and select the download

link, you will need to watch the following video:

6. How to use manual CCNA 200-125 Walk Through Manual

https://www.netacad.com/courses/packet-tracer

https://commsupportnetworks.co.uk/

https://www.gns3.com/





Visit www.commsupportnetworks.co.uk/shop for more great CCNA lab manuals.

This manual is the first part of a three part manual covering the CCNA 200-125

syllabus

The full CCNA 200-125 manuals come with 1 year technical e-mail support and

live on-line revision sessions

http://www.commsupportnetworks.co.uk/shop



Part One

SECTION 1: UNDERSTANDING THE CLI .............................................................................. 11

KNOWLEDGE CHECK QUESTIONS ...................................................................................... 12

KNOWLEDGE CHECK ANSWERS ......................................................................................... 18

LAB 1: SETTING UP THE LAB TOPOLOGY ......................................................................... 22

LAB 2: ROUTER START-UP AND BASIC CLI CONFIGURATION ........................................ 24

LAB 3: COMPLETING COMMANDS USING CONTEXT-SENSITIVE HELP .......................... 37

LAB 4: EDITING AN INCORRECT COMMAND ...................................................................... 46

LAB 5: EXAMINING ROUTER STATUS AND MODIFYING CONFIGURATIONS.................. 51

LAB 6: SWITCH START UP AND BASIC CONFIGURATION ................................................ 65

LAB 7: SETTING UP INITIAL SWITCH PARAMETERS ......................................................... 66

SECTION ANSWERS: ............................................................................................................. 74

END OF SECTION KNOWLEDGE CHECK QUESTIONS ...................................................... 76

END OF SECTION KNOWLEDGE CHECK ANSWERS ......................................................... 81

COMMAND GUIDE: ................................................................................................................. 83

CHALLENGE LAB: BASIC CLI .............................................................................................. 86

CHALLENGE LAB: BASIC CLI SOLUTION ........................................................................... 88

SECTION 2: MAC’S VLANS AND TRUNKING ....................................................................... 92

KNOWLEDGE CHECK QUESTIONS ...................................................................................... 93

KNOWLEDGE CHECK ANSWERS ......................................................................................... 97

LAB 1: BASIC VLAN CONNECTIVITY ................................................................................. 104

LAB 2: CREATING AND ASSIGNING A VLAN .................................................................... 113

LAB 3: SWITCH LAYER 2 MAC TABLES ............................................................................ 121

LAB 4: STATIC MAC ADDRESSESS ................................................................................... 126

LAB 5: VOICE VLAN ............................................................................................................. 130

LAB 6: FAULT FINDING – MIS-CONFIGURED VLAN ASSIGNMENTS .............................. 137

SOLUTION CHALLENGE LAB: CREATE AND ASSIGN VLANS ........................................ 145

LAB 7: MANAGING TRUNK LINKS BETWEEN CISCO SWITCHES ................................... 150



LAB 8: CONFIGURING TRUNKING MODE USING “DYNAMIC DESIRABLE & AUTO” .... 155

LAB 9: CONFIGURING TRUNKING MODE “TRUNK” ........................................................ 161

LAB 10: NATIVE VLAN ......................................................................................................... 163

LAB 11: CONTROLLING VLANS ACROSS THE TRUNK LINKS ........................................ 166

LAB 12: TRUNK MODES ...................................................................................................... 175

LAB 13: SETTING UP THE MANAGEMENT INTERFACES ................................................ 183

LAB 14: CREATING CONFLICTING MANAGEMENT INTERFACES ON SW1 ................... 187

END OF SECTION KNOWLEDGE CHECK QUESTIONS .................................................... 190

END OF SECTION KNOWLEDGE CHECK ANSWERS ....................................................... 195

SECTION 3: VTP CONFIGURATION ........................... ERROR! BOOKMARK NOT DEFINED.

KNOWLEDGE CHECK QUESTIONS ............................ ERROR! BOOKMARK NOT DEFINED.

LAB 1: INITIAL VTP CONFIGURATION ....................... ERROR! BOOKMARK NOT DEFINED.

LAB 2: TWO SWITCH VTP CONFIGURATION ............ ERROR! BOOKMARK NOT DEFINED.

FAULT FINDING VTP .................................................... ERROR! BOOKMARK NOT DEFINED.

SECTION 3: ANSWERS ................................................ ERROR! BOOKMARK NOT DEFINED.

END SECTION KNOWLEDGE CHECK QUESTIONS .. ERROR! BOOKMARK NOT DEFINED.

END SECTION KNOWLEDGE CHECK ANSWERS ..... ERROR! BOOKMARK NOT DEFINED.

CHALLENGE LAB: VLANS AND VTP .......................... ERROR! BOOKMARK NOT DEFINED.

CHALLENGE LAB: VLAN’S AND VTP SOLUTION ..... ERROR! BOOKMARK NOT DEFINED.

VLAN AND VTP COMMAND GUIDE ............................ ERROR! BOOKMARK NOT DEFINED.

SECTION 4: SPANNING-TREE .................................... ERROR! BOOKMARK NOT DEFINED.

KNOWLEDGE CHECK QUESTIONS ............................ ERROR! BOOKMARK NOT DEFINED.

END OF SECTION KNOWLEDGE CHECK ANSWERS ERROR! BOOKMARK NOT DEFINED.

LAB 1: BASIC SPANNING TREE – SETTING UP THE TOPOLOGY .... ERROR! BOOKMARK NOT DEFINED.

LAB 2: UNDERSTANDING THE SPANNING TREE OUTPUT ...... ERROR! BOOKMARK NOT DEFINED.

LAB 3: DUAL LINKS BETWEEN SWITCHES .............. ERROR! BOOKMARK NOT DEFINED.



LAB 4: MANIPULATING PATH COSTS ....................... ERROR! BOOKMARK NOT DEFINED.

LAB 5: MANIPULATING PORT PRIORITY .................. ERROR! BOOKMARK NOT DEFINED.

LAB 6: PORT FAST ...................................................... ERROR! BOOKMARK NOT DEFINED.

LAB 7: PORT FAST AND BPDUFILTER ...................... ERROR! BOOKMARK NOT DEFINED.

LAB 8: PORT FAST AND BPDUGUARD ..................... ERROR! BOOKMARK NOT DEFINED.

LAB 9: ROOT GUARD .................................................. ERROR! BOOKMARK NOT DEFINED.

LAB 10: LOOP GUARD ................................................ ERROR! BOOKMARK NOT DEFINED.

LAB 11: UPLINK FAST ................................................. ERROR! BOOKMARK NOT DEFINED.

LAB 12: RAPID SPANNING TREE IEEE 802.1W CONVERGENCE ...... ERROR! BOOKMARK NOT DEFINED.

LAB 13: ENABLING RAPID SPANNING TREE IEEE 802.1W CONVERGENCE ........ ERROR! BOOKMARK NOT DEFINED.

LAB 14: ETHERCHANNEL PAGP ................................ ERROR! BOOKMARK NOT DEFINED.

LAB 15: ETHERCHANNEL LACP ................................ ERROR! BOOKMARK NOT DEFINED.

END OF SECTION KNOWLEDGE CHECK QUESTIONS .............. ERROR! BOOKMARK NOT DEFINED.

END OF SECTION KNOWLEDGE CHECK ANSWERS ERROR! BOOKMARK NOT DEFINED.

COMMAND GUIDE: SPANNING TREE ........................ ERROR! BOOKMARK NOT DEFINED.

CHALLENGE LABS: LAYER 2 TECHNOLOGIES ....... ERROR! BOOKMARK NOT DEFINED.

CHALLENGE LAB 4.1: BRIDGING AND SWITCHING BASICS .... ERROR! BOOKMARK NOT DEFINED.

CHALLENGE LAB 4.2: STP BASICS ........................... ERROR! BOOKMARK NOT DEFINED.

CHALLENGE LAB 4.3: STP BASICS ........................... ERROR! BOOKMARK NOT DEFINED.

CHALLENGE LAB 4.4: STP PROTECTION ................. ERROR! BOOKMARK NOT DEFINED.

CHALLENGE LAB 4.5: STP PROTECTION 2 .............. ERROR! BOOKMARK NOT DEFINED.

CHALLENGE LAB SOLUTION 4.1: BRIDGING AND SWITCHING BASICS .............. ERROR! BOOKMARK NOT DEFINED.

CHALLENGE LAB SOLUTION 4.2: STP BASICS........ ERROR! BOOKMARK NOT DEFINED.

CHALLENGE LAB SOLUTION 4.3: STP BASICS........ ERROR! BOOKMARK NOT DEFINED.

CHALLENGE LAB SOLUTION 4.4: STP PROTECTION ................ ERROR! BOOKMARK NOT DEFINED.

CHALLENGE LAB SOLUTION 4.5: STP PROTECTION 2 ............. ERROR! BOOKMARK NOT DEFINED.



SECTION 5: MAC ADDRESS SECURITY .................... ERROR! BOOKMARK NOT DEFINED.

NETWORK DIAGRAM: MAC ADDRESS SECURITY ... ERROR! BOOKMARK NOT DEFINED.

SECTION 6: IP ADDRESSING ...................................... ERROR! BOOKMARK NOT DEFINED.

IP NETWORKS CHART ................................................ ERROR! BOOKMARK NOT DEFINED.

LAB 1: BASIC BINARY ................................................. ERROR! BOOKMARK NOT DEFINED.

SUBNETTING TUTORIAL ............................................. ERROR! BOOKMARK NOT DEFINED.

LAB 2: WHICH BLOCK DO WE LIVE IN? .................... ERROR! BOOKMARK NOT DEFINED.

LAB 3: FIND THE CLASS AND MASK ......................... ERROR! BOOKMARK NOT DEFINED.

LAB 4: HOW MANY BITS AND MASK ......................... ERROR! BOOKMARK NOT DEFINED.

LAB 5: BASIC SUBNETING ......................................... ERROR! BOOKMARK NOT DEFINED.

LAB 6: BASIC SUBNETTING ....................................... ERROR! BOOKMARK NOT DEFINED.

LAB 7: WHICH NETWORKS DO THE FOLLOWING ADDRESSES BELONG TO? .... ERROR! BOOKMARK NOT DEFINED.


LAB 1: ADDRESSING THE NETWORK ....................... ERROR! BOOKMARK NOT DEFINED.






IP ADDRESSING SOLUTIONS ..................................... ERROR! BOOKMARK NOT DEFINED.

LAB 1: BASIC BINARY ................................................. ERROR! BOOKMARK NOT DEFINED.

LAB 2: WHICH BLOCK DO WE LIVE IN? .................... ERROR! BOOKMARK NOT DEFINED.

LAB 3: FIND THE CLASS AND MASK ......................... ERROR! BOOKMARK NOT DEFINED.

LAB 4: HOW MANY BITS AND MASK ......................... ERROR! BOOKMARK NOT DEFINED.






R1

Fa0/1Fa0/0

Fa0/1

Fa0/2

Fa0/3

Fa0/4

Fa0/5

R2

Fa0/1Fa0/0

R3

Fa0/1Fa0/0

R4

Fa0/1Fa0/0

R5

Fa0/1Fa0/0

Fa0/1

Fa0/2

Fa0/3

Fa0/4

Fa0/5

SW1 SW2



SW2SW1

SW3

Fa0/23 Fa0/23

Fa0/24 Fa0/24

Fa0/19

Fa0/19 Fa0/20

Fa0/20

Fa0/21

Fa0/21

Fa0/22

Fa0/22

Fa0/10

OUTSIDE

CONNECTION

Equipment Used in these labs

Routers: 5 x 1841 12.4 64Mb RAM 128Mb Flash

Switches: 3 x 3560



SW2SW1

SW3

Fa0/23 Fa0/23

Fa0/24 Fa0/24

Fa0/19

Fa0/19 Fa0/20

Fa0/20

Fa0/21

Fa0/21

Fa0/22

Fa0/22

4

5

3

2

1

1 2 23 34 45 5 1

Fa0/1Fa0/0

Fa0/1

Fa0/1

Fa0/1

Fa0/1

Fa0/0

Fa0/0

Fa0/0

Fa0/0



SECTION 1: UNDERSTANDING THE CLI



Knowledge Check Questions

It is advisable to go through all of the questions prior to carrying out the practical labs. You are aiming

for 100% correct answers.

1. What is the command to enter the privileged EXEC mode

a. Router(config)# enable

b. Router> enable

c. Router# enable

d. Router# configure-terminal

2. Which command do you use to enter the Global EXEC mode

a. Router(config)# enable

b. Router# enable

c. Router# config t

d. Router# configuration enable

3. Which command do you use to erase the contents of NVRAM

a. Router(config)# erase startup-configuration

b. Router# delete nvram

c. Router# erase startup-configuration

d. Router# erase nvram

4. Which command do you use to view the system parameters such as IOS name, memory, amount

of on-board RAM and Flash?

a. Router# show version

b. Router(config)# show version

c. Router# show system

d. Router# show parameters



5. Which command do you use to view the current configuration register settings?

a. Router# show config-reg

b. Router(config)# show version

c. Router# show registers

d. Router# show version

6. Which command do you use to view which interfaces are present on the router?

a. Router(config)# show version

b. Router# show system

c. Router# show parameters

d. Router# show version

7. What is the default configuration-register setting?

a. 0x2142

b. 0x2124

c. 0x2120

d. 0x2102

8. Which command do you use to view the contents of the running-configuration in RAM?

a. Router(config)# show running-config

b. Router# show running-config

c. Router# show config

d. Router# show startup-config

9. Which command do you use to view the contents of the startup-configuration in NVRAM?

a. Router(config)# show startup-config

b. Router# show startup -config

c. Router# show config

d. Router# show running-config



10. Which key do you use to auto-complete a command?

a. space

b. shift

c. tab

d. return

11. Which key sequence do you use to return the cursor to the start of the command line?

a. Ctrl + 1

b. Shift+ A

c. Tab + A

d. Ctrl + A

12. Which key sequence do you use to send the cursor to the end of the command line?

a. Space + E

b. Ctrl + E

c. Tab + F

d. Ctrl + F

13. Which key sequence do you use to move the cursor back one letter?

a. Space + B

b. Ctrl + D

c. Ctrl + B

d. Tab + D

14. Which key sequence do you use to move the cursor back one word?

a. Esc + A

b. Esc + B

c. Esc + D

d. Esc + F



15. Which command do you use to view the last 10 command entries for a current session?

a. Router(config)# show commands

b. Router# show history

c. Router# show buffer

d. Router# show last

16. Which prompt indicates the console is now in the interface configuration mode?

a. Router(config-it)#

b. Router(interface)#

c. Router(config-int)#

d. Router(config-if)#

17. Which command sets the enable secret to COMMSUPPORT?

a. Router(config)# enable password COMMSUPPORT

b. Router(config)# password COMMSUPPORT enable

c. Router(config)# enable secret COMMSUPPORT

d. Router(config)# secret enable COMMSUPPORT

18. Which command disables automatic DNS resolution?

a. Router(config)# ip domain-lookup

b. Router(config)# no ip domain-lookup

c. Router(config)# no dns-lookup

d. Router(config)# dn-dns-lookup



19. Which command sequence will set the password of COMMSUPPORT to the telnet lines?

a.

Router(config)#line vty 0 4

Router(config-line)# password COMMSUPPORT

b.

Router(config)#line telnet 0 4


Router(config-line)# login

c.

Router(config)#line vty



d.




20. Which command sequence prevents the console session from timing out.

a.

Router(config)# line console 0

Router(config-line)#timeout 0 0

b.


Router(config-line)#exec-timeout 0 0



c.


Router(config-line)# no exec

d.


Router(config-line)#exec-timeout



Knowledge Check Answers

1. What is the command to enter the privileged EXEC mode?

B. Router> enable

2. Which command do you use to enter the Global EXEC mode?

C. Router# config t

3. Which command do you use to erase the contents of NVRAM?

C. Router# erase startup-configuration

4. Which command do you use to view the system parameters such as IOS name, memory, amount

of on-board RAM and Flash?

A. Router# show version

5. Which command do you use to view the current configuration register settings?

D. Router# show version

6. Which command do you use to view which interfaces are present on the router?

D. Router# show version

7. What is the default configuration-register setting?

D. 0x2102

8. Which command do you use to view the contents of the running-configuration in RAM?

B. Router# show running-config



9. Which command do you use to view the contents of the startup-configuration in NVRAM?

B. Router# show startup -config

10. Which key do you use to auto-complete a command?

C. tab

11. Which key sequence do you use to return the cursor to the start of the command line?

D. Ctrl + A

12. Which key sequence do you use to send the cursor to the end of the command line?

B. Ctrl + E

13. Which key sequence do you use to move the cursor back one letter?

C. Ctrl + B

14. Which key sequence do you use to move the cursor back one word?

B. Esc + B

15. Which command do you use to view the last 10 command entries for a current session?

B. Router# show history

16. Which prompt indicates the console is now in the interface configuration mode?

D. Router(config-if)#

17. Which command sets the enable secret to COMMSUPPORT?

C. Router(config)# enable secret COMMSUPPORT

18. Which command disables automatic DNS resolution?

B. Router(config)# no ip domain-lookup



19. Which command sequence will set the password of COMMSUPPORT to the telnet lines?

B.

Router(config)#line telnet 0 4



20. Which command sequence prevents the console session from timing out.

B.





Network Diagram: Understanding the CLI

Fa0/2

Fa0/10

Laptop

Ethernet Cable

Fastethernet0/0 10.1.1.1 255.255.255.0

Fa0/1

SWITCH 1

ROUTER 1

Interface Vlan 1

10.1.1.2 255.255.255.0



Lab 1: Setting up the lab topology

Network Simulator: Packet Tracer

Packet Tracer Topology: PART 1 - SECTION 1 - CLI

Configuration Template: None – This Lab is manually configured

Step 1: Before beginning this section go to: https://www.netacad.com/courses/packet-tracer

Create an account, download and install the latest version of Packet Tracer for your operating system

on your local machine.

Step 2: Go to the following link https://commsupportnetworks.co.uk/ hover over “Contact Us” and

select the download link, you will need to download the following file called “CCNA 200-125 PACKET

TRACER TEMPLATES” This will be zipped using a program called 7zip which is a free file

compression program.

Once the file has been decompressed, find the template called “SECTION 1 CLI” double click the

template and Packet Tracer will open (Presuming Packet Tracer has been installed) and the following

topology will be displayed.

Network Simulator Topology View

https://www.netacad.com/courses/packet-tracer




NOTE: When the template is first opened the “Link” lights may all be red, the lights between the PC

and SWITCH ONE will turn GREEN. The link lights between SWITCH ONE and ROUTER ONE will

remain RED

END OF LAB 1: Continue to the next lab



Lab 2: Router Start-up and basic CLI configuration

In this lab you will complete the following tasks on the Router (ROUTER ONE)

• Perform the initial start-up for the router

• Observe the router’s initial start-up displays

• Review the routers initial configuration messages on the console

• Enter a minimum initial configuration using CLI

The Cisco Internetwork Operating System (IOS) on the routers and most switches is the operating

system that allocates resources and manages things such as routing, switching, security, voice

basically everything that the router or switch supports, with out it the router and switch as just

toasters.

To be a good network engineer you must know your CLI, to be a great network engineer you must

know your protocols, combine the two and you have an exceptional network engineer and this is you

one sole aim as much as it is ours over the course of these labs, tutorials, video lessons and even

classroom sessions is to make you into an exceptional network engineer.

This lab will guide you through the Cisco IOS and how to configure a Cisco router using the

command-line interface (CLI).



Login into the router Complete the following steps to log into ROUTER ONE Step 1: Double Click on the router device

Figure: 1.1

The following screen will appear and click on the “CLI” tab

Figure: 1.2



Step 2: Once the “CLI” has been chosen the following screen will appear.

At the prompt: “Continue with configuration dialog? [yes/no]” type in “no”

Figure: 1.3

Step 2: The console will now prompt you to “Press RETURN to get started!”

Press the return key on your keyboard

Figure: 1.4



Step 3: Erasing the existing configuration from the router

If the router powers on with a previous configuration you will need to go through the steps to set the

device to factory defaults. This is always a good idea, rather than having to over write an existing

configuration.

Figure: 1.5

Follow the steps below to factory default the router: Command: The router may present you with this prompt. This is the routers hostname from a

previous class. You need to return the configuration to default.

router>

Command: Type the command “enable” without the speech marks and then press the return key.

router >enable

Command: Once you have entered the correct password the prompt will change and rather than

seeing the “>” you will see the “#”, this means the router is now in “privileged” mode also known as

“enable mode”

router #



Command: The command “erase startup-config” instructs the router to erase the contents of

NVRAM. Once it has done this the router will still continue to operate since the config it is using is still

in RAM. Follow this command with the return key

router# erase startup-config Command: Once you have erased the router config from NVRAM you are required to power cycle

the device “turn off, turn on”, this MUST be done using the reload command and never by pulling the

power lead or flicking the power switch.

Reloading will erase the contents of RAM and the router will come back with no configuration

Device#reload

Router boot process output

Step 4: When the router boots it will run a program called the POST (Power On Self Test). The POST

is run to ensure that all the physical components are working as they should be it then tells the router

how to load.

By default the normal boot process will load the first IOS (internetwork Operatiing System) image the

POST finds in flash.memory, if there is no IOS in flash memory the router can be configured to boot

from alternative sources such as another router’s IOS or a TFTP server (These options need to be

pre-configured onto the router). It also lists the amount of RAM in the router.

The next part shows us that the IOS is being decompressed into RAM:

The “###################” is the decompression occurring.



Figure: 1.6

The pound (Hash #) signs are telling us that the IOS is being loaded into RAM. After it is

decompressed into RAM, the IOS is loaded and starts running the router.

Step 6: When the router has reloaded, type in “no” at the prompt: “Continue with configuration

dialog? [yes/no]”

Figure: 1.7

Below is the output of a command called “show version”, go ahead and run the command on your

router, what do you see in your output..

In the output of the command below we can see that there are two Fastethernet interfaces, the

amount of RAM, NVRAM, and flash that this router supports are also displayed. The router output

shows us that this router has 256MB of RAM, 191K of NVRAM, and 64MB of flash, has been live for

4 week and 1 day.



NOTE: The output below was taken from one of our physical routers in the class. Your output maybe

slightly different but the meaning will be the same

Figure: 1.8

router> show version

Cisco IOS Software, 1841 Software (C1841-ADVSECURITYK9-M), Version 12.4(24)T2,

RELEASE SOFTWARE (fc2)

Technical Support: http://www.cisco.com/techsupport

Copyright (c) 1986-2009 by Cisco Systems, Inc.

Compiled Mon 19-Oct-09 16:16 by prod_rel_team

ROM: System Bootstrap, Version 12.3(8r)T9, RELEASE SOFTWARE (fc1)

router uptime is 4 weeks, 1 day, 21 hours, 48 minutes

System returned to ROM by power-on

System image file is "flash:c1841-advsecurityk9-mz.124-24.T2.bin" <- IOS image

Cisco 1841 (revision 6.0) with 237568K/24576K bytes of memory <- Amount of RAM Processor board ID FCZ103222UE

2 FastEthernet interfaces <- Number of Physical Interfaces 1 ATM interface

1 Virtual Private Network (VPN) Module

DRAM configuration is 64 bits wide with parity disabled.

191K bytes of NVRAM. <- Amount of NVRAM



62720K bytes of ATA CompactFlash (Read/Write) <- Amount of Flash

Configuration register is 0x2102

Step 7: When the IOS is loaded into RAM, the system will attempt to find a valid configuration that

can used to run, this configuration will include all of the settings required to make the router a router

such as addressing information, routes, access control commands, this file is called the startup-

config and once located will be loaded from NVRAM into RAM, once the file is in RAM it will be

referred to as the running-configuration.

If there is no valid startup-config configuration in NVRAM, the router will broadcast out of it’s live

interfaces looking for a valid start-up configuration file which maybe on a TFTP host.

NOTE: The broadcast for the TFTP host can only happen if it has a live interface, a live interface is

an interface which is not in the shutdown state. This can only happen if the router senses carrier

detect, or CD, on any interface.

If the broadcast fails, and it is normal for it to do so the router will then go into what is called “setup

mode” which is a step-by-step process to help you configure the router. Figure:1.9 displays the

router prompting the user if they wish to enter the configuration dialogue

Figure: 1.9

NOTE: You can also enter setup mode at any time from the command line by typing the command



Setup mode covers only some global commands and is generally ignored by everyone so it is normal

to answer with a “no” when prompted if we want to “Continue with configuration dialog?”



Entering the CLI

Step 8: The “Router>” is called the user exec mode (user mode), and it’s mostly used to view

statistics, we will hardly spend any time here since there is not much we can do in the way of

configuring the router.

We of course want to start plugging away at this router therefore we need to be in the correct prompt

that gives us complete control of the router and you can only do that in the command prompt known

as “privileged exec mode” here in this mode you can view, change delete, destroy the configuration

of a Cisco router, you are all powerful in this mode.

To go from user mode to privileged mode you enter with the command “enable” command.

Router> enable

Router#

Figure: 1.10

You are now in the privileged exec mode, you can see that because of the “Router#” prompt, which

indicates that you’re in privileged mode, where you can you can view, change delete, destroy the



configuration. You can go back from privileged mode into user mode by using the “disable”

command:

Figure: 1.11

Router# disable

Router>



Step 9: Now once more at the Router prompt, enter the command “show version”, this command is

usually issued to view the type of device, software version, interfaces recognised by the router

amongst other important info, you can fill in the blanks, this is a very common command to run on

your routers to determine the version of operating system mainly along with figuring out how much

memory the router has


Cisco IOS Software, 1841 Software (C1841-ADVSECURITYK9-M), Version 12.4(24)T2,

RELEASE SOFTWARE (fc2)

Technical Support: http://www.cisco.com/techsupport

Copyright (c) 1986-2009 by Cisco Systems, Inc.

Compiled Mon 19-Oct-09 16:16 by prod_rel_team

ROM: System Bootstrap, Version 12.3(8r)T9, RELEASE SOFTWARE (fc1) router uptime is 4 weeks, 1 day, 21 hours, 48 minutes System returned to ROM by power-on System image file is "_______________________" <-1.Version of IOS on the router

2. How the Router Booted. Where the router got the IOS from

3. Platform type 4. System RAM

__________ (revision 6.0) with ______________ bytes of memory. Processor board ID FCZ103222UE ___________________________ ___________________________ 5. Interfaces available on the router 1 ATM interface 1 Virtual Private Network (VPN) Module DRAM configuration is 64 bits wide with parity disabled. 191K bytes of NVRAM. _______bytes of ATA CompactFlash (Read/Write) <-6. Flash memory on the router

Configuration register is 0x2102 7. Configuration register tells the router how to boot and where to boot from, by default the configuration register is set to 0x2102 which means “normal boot”



Examine the output from your router from the when you issued the “show version” command and

answer the questions below:

Question 1: What is the Cisco IOS software version running on your router?

Answer 1: ___________________________________________________

Question 2: What interfaces are available on your router?

Answer 2: ___________________________________________________

Question 3: How much flash does your router have?

Answer 3: ___________________________________________________ Question 4: How much RAM does your router have?

Answer 4: ___________________________________________________

Question 5: What is the platform type of your router?

Answer 5: ___________________________________________________

Question 6: Where did the router load the IOS software from?

Answer 6: ___________________________________________________

Answers provided at the end of this lab



Lab 3: Completing Commands Using Context-Sensitive Help

When Cisco created the CLI (Command Line Interface) they made it as user friendly as possible,

some people take to it straight away and some take a little longer to become comfortable with the

commands, either way you have to make sure that you remember your CLI command for the CCNA

exam.

There are 1,000’s of commands in the IOS’s, you do not not need to learn all of them, but it is a good

idea that as you work through the labs that you make notes of the commands. So we begin the task

of learning the first of many CLI commands you will encounter in your journey to the top of the Cisco

tree, remember this moment!

Objective of Lab: In this lab you will use context-sensitive help in both user “Router>” and privileged

EXEC “Router#” modes to locate commands and complete command syntax, you are going to see

the difference in the commands that you can enter between the two prompts

NOTE: From this point the command you enter into the router will be indented, and the command you

are expected to enter will follow the prompt, in the example below, the prompt is “Router>” and the

command you are expected to enter is “xyz”

Command: EXAMPLE ONLY! DO NOT EXECUTE THIS COMMAND

Router> xyz



Let our journey begin……..

Step 1: When you initially log into the router you will be placed into a CLI prompt known as “user

EXEC mode”. The user EXEC mode, this mod is sometimes called user mode. This mode allows

the user to look around the router but not break anything. The “EXEC mode” part of the name refers

to the fact that in this mode, when you enter a command, the router executes the command.

Enter the help command “?” at the user EXEC prompt. Command: At the “router>” prompt, type “?”

Router> ?

The router will present you with a list of commands, these commands are the words on the left hand

column, each command also has a brief explanation of it’s purpose on the right hand side. The

purpose on the right handside is not exactly “war and peace” but it is enough to get the gist of the

command if you are even vaguely familiar with what it is you are trying to accomplish.

When you press enter at this prompt you will see all the commands that are available here at this

particular prompt. The commands are listed on the left with a brief description on the right.

Router> ?

Exec commands:

<1-99> Session number to resume

connect Open a terminal connection

disconnect Disconnect an existing network connection

enable Turn on privileged commands

exit Exit from the EXEC

logout Exit from the EXEC

ping Send echo messages

show Show running system information

telnet Open a telnet connection

-------More—----



At the bottom of the screen do you see the “------more-------“, this indicates that there are further

commands available, the router has only shown you one page of possible commands, if you want to

see more commands you have two choices, if you either hit the “return” key to reveal one additional

command at a time which might take you some time to work through all of the possible commands at

this prompt or if you can hit the “space bar” and the router will reveal a page at a time and the

commands will whizz by, but you can scroll up on the Terminal software..

Question 7: Now press the “Return” key a few times. What happened?, did the router present

you with one extra command at a time?

Answer 7: _________________________________________________________

Question 8: Now press the “space bar”. What happened, did the router present a whole page

at a time?

Answer 8: _________________________________________________________


Step 2: The CLI the more powerful EXEC mode that is called enable mode (also known as privileged

EXEC mode). Enable mode is so named because the “enable” command is used to reach this mode.

Remember that the privileged mode allows you to play God with the device. For example, you can

use the “reload” command, which tells the router to reinitialise or reboot the Cisco IOS, only from the

enable mode or you can type in the command “erase startup” and delete the configuration

Enter the Privileged mode.

Router>

Router> enable

Router#

Joe Says: At the “ Router> ” you type the command “enable” to get to the privileged mode which

gives the “ Router# “ prompt which is also referred to as the “enable mode”



Step 3: Enter the help (?) command at the privileged EXEC mode prompt. Command: At the “router#” prompt, type in “?”, followed by return key

Router# ?

When you type in the “?” at the “ Router# ” prompt you are asking the router to display all possible

commands down the left hand side and to the right of each command a brief explanation of what

each command can achieve once again not the most descriptive but it is what it is.

Don’t worry too much about all the commands, no one is expecting you to remember all the

commands, a competent network engineer will have their notebook where they will note down in

detail all their configurations in such a way that they are able to simple turn to that any configuration

they did previously and use it. We suggest you do the same.



Table 1 summarises the command help options available at the CLI. Note that, in the first column,

command represents any command, likewise the param represents a commands parameter. For

instance, the third row lists command ? , which means that the commands such as show ? and

copy ? would list help for the show and copy commands respectively.

Table 1

What you type The help you get

? Help for all commands available in this mode

help

Text describing how to get help. No actual command help is given

Command ?

Text help describing all the first parameter options for the command

Com?

A list of commands that start with “com”

Command parm?

This style of help lists all parameters beginning with “parm” (Notice that no spaces exist between parm and the ?)

Command parm<Tab>

If you press the TAB key midword, the CLI either spells the rest of the parameter at the command line or does nothing. If the CLI does nothing, it means that this string of characters represents more than one possible next parameter, so the CLI does not know which to spell out.

Command parm1 ? If a space is inserted before the question mark, the CLI lists all the next parameters and gives a brief explanation of each.



In this next lab you use context-sensitive help in both user and privileged EXEC modes to locate

commands and complete command syntax:

Step 5: Setting the System clock on the router

A. Enter the “cl” command followed by pressing the return key. Router# cl Did you get the following output from the router? Router# cl

% Ambiguous command: "cl"

“% Ambiguous command:” This means that there is more than one command that begins with the

letters “cl” and that you have to enter more letters in your configuration to be clear to the router as to

which command you really want to use

B. Enter the “cl?” command followed by the return key Router# cl?

What is the system response? Did you get the following output from the router

Router# cl?

clear clock

“clear clock” This means that there are two command here that begin with the letters “cl”, the

commands that the router knows of that begin with the letters “cl” are “clock” and “clear”

C. Enter the “clock” command. Router# clock



What is the system response? Did you get the following output from the router Router# clock

% Incomplete command.

“%Incomplete command” means that the “clock” command is recognised by the router but requires

more command parameters to complete the command

D. Enter the command “clock ?“ command again, but this time with the “?” Router# clock ?

What is the system response? Did you get presented with the following command option which ought

to be “set”

Step 6: TEST: Following the system prompts given to you by the router attempt to set the system

clock to the current time and date.

NOTE: Use the context-sensitive help i.e. the “?”, the tab key along with the “up arrow”



SOLUTION TO STEP 6 TEST: The Commands below are used to set the clock on the system

Router# clock set 20:20:00 11 march 2011

NOTE: The month must be written in words not numbers

When a command is executed by entering the return key it is accepted by the Cisco device. (if

correct), very few commands will trigger the router to prompt you for a confirmation, the router will just

simply take the command and run with it, there is generally no notification of “success”, the Cisco

device will simply just present the command prompt back to you unless you manage to cut your self

off from the router

Once you have set the clock enter the show clock command at the “Router# ” prompt

Question 9: What is displayed on your terminal screen?

Answer 9: _________________________________________________

Step 7: Once you have set the clock, Enter the following command “sh?” at the “Router#” prompt

Router# sh?

Question 10: What command was returned as a result of this action?

Answer 10: ________________________________________________




Step 8: At the below command press the Tab key, what will happen is that the router will either auto

complete the command if there are no other possible commands that can with “sh”, if there is more

than one command that begins with “sh” the router will return the error “% Ambiguous command: "sh"

Router# sh

% Ambiguous command: "sh"

Your prompt will now look like the command above, now enter the help command (?), The “sh ? ” command at the enable prompt will display a complete list of all possible commands that

can be executed at this prompt What happened?

Router#show ?



Lab 4: Editing an Incorrect command

In this lab you will use the CLI enhanced editing features to correct command-line errors it is

important that you learn these editing features since they will assist you to configure the router much

quicker in the Labs, exam and real life.

Step 1: We are going to jump the gun a little here but disabling a very annoying feature of the Cisco

devices. By default whenever you make type in a command and make a spelling mistake

at the “Router#” prompt the router will believe that the sequence of letters that you have typed in is

the name of another device and the router will try to resolve your typo by broadcasting to a DNS

server (Domain Name Server) for the IP address of this typo, this broadcast will be attempted 3 times

and all the while you will not have access to the console.

Type the letters “abc” into the command prompt and see what happens

Router# abc

Translating "abc"...domain server (255.255.255.255

% Unknown command or computer name, or unable to find computer address

Above the CLI displays the message “% Unknown command or computer name, or unable to find

computer address“ and the device will begin “broadcasting” for any machine with the name of abc

We want to turn this feature off since it is very annoying and time consuming in the real world and the

lab.

Command: The “no ip domain-lookup” command stops the router from broadcasting out to a DNS server and locking up your console for up to 90 secs

Router# configure terminal

Router(config)# no ip domain-lookup

Router(config)# exit



Once again type the following letters into the command prompt and see what happens

Router# abc

% Unknown command or computer name, or unable to find computer address

From this point the router only checks it own internal “ip host” table for a device called “abc” since it

will not find one it will return the prompt right away.

NOTE: An exclamation mark “ ! “ before the text line indicates to the router that the line being entered

is a comment so that when you hit the return key the text will not be executed as a command

Complete the following steps

Step 2: Enter the sentence below at the “Router#“ prompt without the exclamation mark “!” will cause

the router to return an error

Router# This command changes the clock speed for the router

The CLI ought to have returned an error indicated at the beginning of the sentence due to the fact

that the router does not understand the sentence “This command changes the clock speed for the

router“, the error would have would have resembled the output below.

Router# This command changes the clock speed for the router

^

% Invalid input detected at ' '̂ marker.

NOTE: In the network simulator the ^ may appear beneath the “C” of “command”



The ^ indicates where the IOS believes first error to be. The IOS will stop at the first error and not

parse the line any further, the error is under the “h” of “This” since the router is not aware of any

commands that begin with “th” at this prompt.

The “% Invalid input detected at '^' marker” output to marks exactly where the error is, the “^”

indicates that the error is in the command above, not before. The IOS will always read the command

from left to right and alerts you to the first error and stop there, there may be further errors down the

command by the IOS is expecting you to fix the first fault then it will re-read the command string once

again if it encounters another error further down it will alert you with another “% Invalid input

detected at '^' marker

EDITING AN INCORRECT LINE

Enter the sentence below complete with all the spelling errors, but this time make sure you start the

sentence with the “ ! “, do not execute the command

Router# ! Ths comand changuw the clck sped for the rotter NOTE: If you mistakingly hit return on the CLI whilest carrying out the steps below simply recall the

command by using either “CTL+P” or press the up arrow on your keyboard to recall the command.

Step 3: With the line still in the command prompt, use the key sequence “Ctl + A”, the cursor will

move to the beginning of the line.

Step 4: With the line still in the command prompt, use the key sequence “Ctl + E”, the cursor will

move to the end of the line.

Step 5: With the line still in the command prompt, use the key sequence “Ctl + B”, the cursor will

move back one letter.

Step 6: With the line still in the command prompt, use the key sequence “Ctl + F”, the cursor will

move forward one letter.



Step 7: TEST Use the short cut commands in table 2 to correct the sentence, so that it reads “This

command changes the clock speed for the router”

Router# ! Ths comand changuw the clck sped for the rotter Table 2

Keyboard Command What happens

Up Arrow or Ctrl-p

This displays the most recently used command. If you press it again the next most recent command appears, until the history buffer is exhausted (p stands for previous)

Down Arrow or Ctrl-n

If you have gone back too far into the history buffer, there keys take you forward to the more recent entered commands (The n stands for next)

Left Arrow or Ctrl-b

This moves the cursor backward in the currently displayed command without Deleting the characters (The b stands for back)

Right Arrow or Ctrl-f

This moves the cursor forward in the currently displayed command without Deleting the characters (The f stands for forward)

Backspace

This moves the cursor backwards in the currently displayed command Deleting the characters

Ctrl-a

This moves the cursor directly to the first character of the currently displayed command

Ctrl-e

This moves the cursor directly to the last character of the currently displayed Command

Ctrl-r This redisplays the command line with all the characters. It’s useful when messages clutter the screen.

Ctrl-d Deletes a single character

Esc-b This moves the cursor back one word

Esc-f This moves the cursor forward one word



The IOS stores the commands that you enter in a history buffer. The history buffer will store the last

10 commands by default. The CLI allows you to move backward and forward in the historical list of

commands and then edit the command before reissuing it. These key sequences can help you use

the CLI more quickly on the exams.

Step 8: Enter the “show history” command at the router# prompt. The show history command

will be default display up to ten of the last commands entered at this prompt, the command history

buffer size can be increased to remember up to 256, if you are curious the command to increase the

command history buffer is “terminal history size 256”, bear in mind that the command history buffer

is session dependant therefore if you logout of the console session the commands will be flushed

from the buffer.

When the command “show history” is entered at the enable prompt the router will display the last 10

commands entered

Router# show history

Try pressing Ctrl-P several times will scroll down the history buffer to previously entered commands Try pressing Ctrl-N, several times will scroll up the history buffer to recently entered commands Step 9: Entering disable at the privileged EXEC mode prompt, will cause the router to log out of the

console session, try it now

Router# disable

Step 10: Press return a couple of times and the enter enable at the user EXEC mode prompt, this will

log the router back into the command prompt, try it now

Router> enable

Router#



Lab 5: Examining router status and modifying configurations

In this lab you issue show commands to observe and verify the status of the router and learn how to

save configurations.

Step 1: Enter the show interfaces command, this command is very useful for viewing the

interface state, counters, MAC address, at the moment we are only interested in a few of the fields

Router# show interface Fastethernet 0/0 1. The line below Identifies the state of the physical layer FastEthernet0/0 is ___________________, line protocol is _______ 2. Hardware Address = BIA means Burned in Address Hardware is AmdP2, address is ___________________ (bia 0007.85ba.dac0) MTU 1500 BW 100000Kbit, DLY 1000 usec, reliability 249/255, txload 1/255, rxload 1/255 Encapsulation ARPA, loopback not set Keepalive set (10 sec) ARP type: ARPA, ARP Timeout 04:00:00 Last input 00:04:17, output 00:03:50, output hang never Last clearing of "show interface" counters never Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0 Queueing strategy: fifo Output queue :0/40 (size/max) 5 minute input rate 0 bits/sec, 0 packets/sec 5 minute output rate 0 bits/sec, 0 packets/sec 900 packets input, 168693 bytes, 0 no buffer Received 899 broadcasts, 0 runts, 0 giants, 0 throttles

Step 2: To make changes to the router via the CLI you will need to change to another prompt by

typing “Configure Terminal” or “config t”. Typing these two commanfs changes the prompt into a

mode referred to as “global configuration” mode.

A global command is a command run from global config is set only once and affects the entire router.



Type “config” from the privileged-mode prompt and then take the default of terminal, as seen here:

Router# config

Configuring from terminal, memory, or network [terminal]? [press enter]

Enter configuration commands, one per line. End with CNTL/Z.

Router(config)#

In this global prompt the commands which you enter will make changes that will affect the router as a

whole. Any commands entered here will be placed into the running-configuration and executed

immediately.

To change the startup-config which is stored in NVRAM use the command “configure memory” or

“confg mem”, which merges the startup-config file into the running-config file in RAM. If you want to

change a router configuration stored on a TFTP host you use the configure network command (or

config net for short), which also merges the file with the running-config file in RAM.

The configure terminal, configure memory, and configure network commands are all used to

configure information into RAM on a router; typically only the configure terminal command is used. It

is possible, though, that the commands config mem and config net can be useful if you mess up your

running-config file and don’t want to reboot your router.

Now enter global configuration mode and specify that configuration commands will originate from the

terminal.

Command: The “configure terminal” command takes you from the privileged prompt to the global

configuration prompt indicated by: Router(config)#


Router(config)#



Step 3: It is important that when anybody logs into the router it is important that they are presented

with a message which warns them that any unauthorised access is logged, and they should log off

immediately.

Create an MOTD banner. Use context context-sensitive help to guide you through the process.

Command: The command “banner motd” is follow by a character called the “delimiting character”,

this can be any character you like, but it cannot be repeated until the end of the message, this case

we use the “#” to close the message

outer(config)# banner motd #

Enter TEXT message. End with the character '#'.

=================================================

THIS IS A SECURE ROUTER, DO NOT ATTEMPT TO LOG IN

=================================================

#

Command: Until now all the work that you have carried out on the router has been entered into RAM

and therefore if you power the router down all your work will be lost therefore you need to save your

configuration by typing in “copy running-config startup-config”

Router(config)# exit

Router# copy running-config startup-config

Command: The router will ask you if you would like to retain the default file name when the

configuration is copied into NVRAM, the default file name in this case and every case is “startup-

config” as indicated by the [ ] brackets, once you hit return the file will be saved

Destination filename [startup-config]? <CR>

Building configuration...

[OK]

Router# logout



Now log back into the router by hitting return a few times, do you see the MOTD that you created in

this step presented to you?

Configuring Interfaces

Step 4: Define an interface description for interface Fastethernet 0/0 using the following description.

Descriptions are always useful to determine at a glance exactly what the interface is being used for

and where it is leading to. Only important interfaces need descriptions, no point in placing a

description on every switch port if they are only going to a P.C

Router> enable


Router(config)# interface Fastethernet 0/0

Router(config-if)# Description Fastethernet connected to switch

Did you notice that the prompt changed to Router(config-if)# This tells you that you’re in interface

configuration mode. And wouldn’t it be nice if the prompt also gave you an indication of what interface

you were configuring? Well, at least for now we’ll have to live without the prompt information, because

it doesn’t. One thing is for sure: You really have to pay attention when configuring a router!

Subinterfaces

Subinterfaces allow you to create logical interfaces within the router. The prompt then changes to

Router(config-subif)#:

Router (config-if)# interface fastethethenet0/0.20

Router(config-subif)# exit

Step 5: Return to the global configuration mode

Router(config-if)# exit

To exit the interface prompt type in “exit” to take you back one step, to exit all the way to the enable prompt use “Ctl-c”



NOTE: Subinterfaces will be covered in more detail when we get to the routing labs

Setting Passwords

There are no passwords set by default to secure access to the router, anyone can access the router

via the console lead and gain access to the command prompt. Cisco routers can have up to five

passwords:

1. console

2. auxiliary

3. telnet (VTY)

4. enable password

5. enable secret.

The enable secret and enable password are used to set the password that’s used to secure privileged

mode. That is going from the “>” to the “#” prompt

If the enable secret or enable password are both set then the IOS will prompt a user for the

secret/password when the enable command is used.

The other three password are used when:

1. console = Used when accessing the device via the console port

2. auxiliary = Used when accessing the device via the Auxiliary port

3. telnet (VTY) = Used when accessing the device via Telnet

Let’s take a look at each of these now.



Step 6: It is important to protect configuration access to the router so that only those authorised

To have access will have access to the command line interface. We need to set a type of passwords

called an “enable secret” Set the enable secret to Cisco

Router(config)# enable ?

last-resort Define enable action if no TACACS servers respond

password Assign the privileged level password

secret Assign the privileged level secret

use-tacacs Use TACACS to check enable passwords

The following points describe the enable password parameters: last-resort: Allows you to still enter the router if you set up authentication through a

TACACS server and it’s not available. This password is not used if the TACACS server is working.

Password: Sets the enable password on older, pre-10.3 systems, and isn’t ever used if an

enable secret is set.

Secret: This is the newer, encrypted password that overrides the enable password if it’s set.

use-tacacs: This allows authentication through a TACACS server. It’s convenient

if you have lots of routers Use TACACS server and you only have to change the password once

Command: The enable secret protects enable mode, it a very secure method of protection, protects

going from the “>” to the “#”, in this lab the word “cisco” is the secret

Router(config)# enable secret cisco



Step 7: Before there was the “enable secret” the transition from “>” to “#” was protected by a very

weak password called the “enable password”, this password could easily be reversed, hence is was

replaced by the enable secret. If both the enable secret and the enable password are both set the

enable secret will take priority and the enable password will not be accepted

Set the enable password to sanfran

Router(config)# enable password sanfran

Note: The enable password protects enable mode, it a very weak method of protection, protects

going from the “>” to the “#”, in this lab the word “sanfran” is the secret

Step 8: Configuring the Telnet Parameters on the router

Most of the time when you need to configure the router in the real world you will do it remotely by

using the “telnet” protocol.

To set the user-mode password for Telnet access into the router, use the line vty command.

Routers which are not aren’t running the Enterprise edition of the Cisco IOS will default to only five

VTY lines, 0 through to 4, although if the router is running Enterprise edition of the IOS it will have

many more VTY lines.

Cisco Routers and switches have virtual telnet ports called “VTY” ports, VTY stands for virtual

terminal. Since they are virtual and not physical there are more than one, each of these ports needs

to be protected by a password.

Set a login password for your VTY lines, Set the vty password to Cisco


The 0 4 indicates a range of virtual telnet ports. To find out the number of virtual ports on your router

type in Router(config)line vty 0 ? The highest number indicates the top end virtual port number.



Router(config-line)# password cisco


Router(config-line)# exec-timeout 0 0

Commands explained:

The password you enter is “cisco”, the second line:


Tells the router that when a user telnets into the router prompt for a password

Router(config-line)# exec-timeout 0 0

Tells the router never to timeout a telnet session, the 1st 0 = mins, 2nd 0 = secs

0 0, mean never timeout

It’s important to remember the login command or the port won’t prompt for authentication.

Cisco has begun this process of not letting you set the login command before a password is set on a

line because if you set the login command under a line and then don’t set a password, the line won’t

be usable. And it will prompt for a password that doesn’t exist.



Configuring Console Line parameters

Figure: 1.12

The router in figure 1.12 above is a 1921 with two gigabitethernet ports, the console port and Auxiliary

ports are labelled.

Step 9: The router can being configured via the physical console as shown in figure 1.12 it is

important to understand that there are some parameters on this port can be configured and really

should be configured. Three of the most important commands that you need to configure are:

1. The password that protects access into the console

2. The default timer on the console to timeout and logout you out due to inactivity is 5 mins

3. The command that stops messages interrupting your commands

Command: The command to enter the console port parameters is “line console 0”

Cisco always call the 1st port on the router as “0”, why?, answers on a postcard please.




Command: The “logging synchronous” command prevents event messages on the console from

interrupting your typing, without it any event message will cut any command you may be typing in

half. With it enabled any command you maybe typing will be dropped to the next prompt

Router(config-line)#logging synchronous Command: By default the console continues to present the commands line interface so long as there

is activity. Such as your typing, if you stop entering commands for 5 mins the consoles will log you

out, the “exec-time 0 0” tells the router not to timeout the first “0” is minutes, the second “0”

represents seconds

Router(config-line)#exec-timeout 0 0 Command: The password you enter is “cisco”, the second line:

Router(config-line)#login

Tells the router that when a user connect to the device via telnet to prompt for a password

Router(config-line)# password cisco


Router(config-line)# exit



Encrypting the Passwords

Run the “show run” command on the router. The passwords just entered under the VTY, Console

and enable prompts are all in clear text. These must at the very least be protected using some form

encryption. The encryption method used to encrypt these password can be reversed using easily

obtainable password crackers on the internet but even so they do prevent the casual observer from

seeing the passwords.

Router(config)# service password-encryption

The command “service=password-encryption” we encrypt the vty, console and enable passwords.

Use the “show run” command once again, this time the output of the passwords will be encrypted.

Running the command “no service password-encryption” will not remove the encryption of the current

passwords, although if the passwords are changed the new passwords will be displayed in clear text.

Router(config)# no service password-encryption

Step 10: It is very important that you set every device with a name that is used by you to identify

Which device you are configuring, never forget to do this Router(config)# hostname R1

R1(config)#

Research the following: What do the following commands do?

1. exec-timeout 0 0

2. logging synchronous

3. no ip domain-lookup



Step 11: Enter the show running-config command to verify your new configuration. The command “show running-config” which can also be abbreviated to “show run” is used to display

file in RAM called “running-config” this file contains the commands that the router uses as its

configuration

R1# show running-config

Look at the entire output of the running-config, you may have to hit space bar a few times to see the

entire output you ought to see that you have the following set in the running configuration:

There should be an encrypted secret password an enable password, interface Fastethernet 0/0

displays a description, an MOTD banner ought to be set along with the EXEC timeout on the console

which also ought to have a password so should the vty line

Saving your work from RAM to NVRAM Step 12: Enter the show startup-config command, why would the output be blank?, it might be

blank due to the fact that up until this point you have not been instructed to save your work that is

currently all stored in RAM save it NVRAM

Step 13: To save your routers operational configuration from RAM to NVRAM, so if this router loses

power for any reason the configuration will not be lost. The copy running-config startup-config

executed at the privileged mode prompt command, this command is used to save your work from

RAM to NVRAM.

Enter the copy running-config startup-config at the privileged mode prompt “router#”, the

command can be abbreviated to “copy run start” or even “cop r s”



Step 14: When you type the show startup-config command you are looking at the settings that the

router is currently using is operate. The running configuration is stored and executed from NVRAM, is

the output different to the contents of RAM?, is there anything there?, if there is nothing in this file it

will be due to the fact that since this lab was started you have not saved your work.

Enter the show startup-config command, do you see the following

1. Is there an encrypted secret password?

2. Enable password?

3. Does interface serial 0/0 display a description?

4. Is there an MOTD banner?

5. Is EXEC timeout set for the console?

6. Console-line login password?

7. VTY line login password?

Is the startup-config different from the running-config?, If you do not see any of the above set in the

output of the “show startup-config” command it is due to the running-config never having been

saved

Step 15: Enter the correct ip address on the routers Fastethernet 0/0 interface

The first action you need to do is to enter the interface configuration mode. Do enter the interface

configuration mode you need to go to “global configuration”

Followed by entering the command “interface” and then by the type of interface you want to

configure, in this case we are going to configure the Fastethernet interface on the router so the type

of interface is “Fastethernet”, the Fastethernet interface on the router sits on an internal module

numbered “0” and is the first of the two Fastethernet ports this particular router has and it therefore

numbered port “0”, hence the interface is referred to as “Fastethernet 0/0” , the first “0” is the module

and the second “0” is the port numer.



Command: The command is known as the “Interface command prompt”, the type is “Fastethernet”

the module number is “0” and the interface number is “0”

R1# configure terminal

R1 (conf)#interface Fastethernet 0/0

By default, all interfaces on the router (with the exception of the console and auxiliary lines) are in the

shut down state, it is important that you instruct the router to bring the interface up by typing in the

command “no shutdown”, this command can be abbreviated to “no shut”

Ping the address from the router console “router#ping 10.1.1.1”

R1 (conf-if)# ip address 10.1.1.1 255.255.255.0

Note: The command to enter an IP address on an interface, regardless of type is always the same “ip

address address mask” To erase this command type in “no ip address address mask”

R1 (config-if)# no shutdown

R1 (config-if)# end

Step 16: Save your configuration. It is important that you get into the habit of regularly saving your

configuration to NVRAM. During these labs the instructions will not always prompt to save the

configuration; you are expected to remember to save the configuration as you progress through the

labs.

When saving the configuration the “running-config” file in RAM is saved into NVRAM and is renamed

as “startup-config”

R1# copy running-config startup-config

Destination filename [startup-config]?


[OK]



Lab 6: Switch Start up and Basic configuration

Setup: There is a single switch in this lab, it will be referred to as “SW1”

Erasing the existing configuration from the Switch

If the switch powers on with a previous configuration you will need to go through the steps to set the

device to factory defaults. This is always a good idea, rather than having to over write an existing

configuration.

Follow the steps below:

Command: The switch may present you with this prompt. The hostname is a name that we use to

identify the equipment.

Device>

Device>enable

Device>enable Once you have entered the correct password the prompt will change and rather than seeing the “>”

you will see the “#”, this means the router is now in “privileged” mode also known as “enable mode”

Device#

Device# erase startup-config

Device# reload

Once you have erased the switch startup-config from NVRAM you are required to power cycle the

device, this MUST be done using the reload command and not by pulling the power lead or flicking

the power switch.



Lab 7: Setting up initial switch parameters

Complete the following steps to setup initial switch parameters, click on the following device in the

network simulator:

Figure: 1.13

Step 1: The following screen will appear and click on the “CLI” tab

Figure: 1.14



This next screen ought to appear

Figure: 1.15

Step 2: The switch configuration commands are very similar to those of the router. From the

prompt, enter the enable command The prompt changes to #

Switch> enable

Switch# configure terminal

Step 3: From the “switch#” prompt, enter the config term command

Switch# config term

Switch(config)#

Step 4: The switch is layer 2 only, which means it can only make forwarding decisions based on

layer 2 information which in ethernet is the MAC address.

NOTE: Layer 2 switches cannot route traffic based on IP addresses..

.



Having said that, the layer 2 switch still requires an IP address for itself so that it can be managed

remotely via telnet. The management IP address must go onto the management interface called

“interface vlan 1“

Command: Layer 2 switches only ever have one Layer 3 interface known as “interface vlan1”.

This interface is for management only.

Switch(config)# interface vlan 1

Step 5: Once you have entered the “interface vlan 1” configuration you will note that the prompt

changes from “switch(config)#” to ““switch(config-if)#”. The “if” (Interface) is just like you saw on the

router when you configured the Ethernet or the serial interfaces, you treat “interface vlan 1” on any

switch regardless of if it is a layer 2 or layer 3 just like a physical interface, it cannot be deleted and it

is in the “administratively shutdown” state and therefore you must issue the “no shutdown” command

under the “interface vlan 1” prompt.

From the (config-if)# prompt, enter the correct ip address 10.1.1.2 255.255.255.0 command, press

the return key to accept the command and then make the interface live by typing “no shutdown”

Command: Enter the correct IP address for interface vlan 1.

Switch(config-if)# ip address 10.1.1.2 255.255.255.0

Command: Inteface vlan 1 is treated like a physical interface even though it is a logical interface.

Even so it must be set to active in the same way you would with a router interface

Switch(config-if)# no shutdown

Switch(config-if)# exit

Switch#



Step 6: Next you will need to set the hostname on the switch. To set the switch hostname. You must

be at the (config)# prompt and enter the hostname SW1 command

Switch# configure terminal

Switch(config)# hostname SW1

Step 7: From SW1(config)# prompt, enter the exit command.

SW1(config)# exit The prompt now will change to the following

SW1# Step 8: Enter the Show ip interface vlan 1 command to verify your switch IP address.

The output of the “show interface vlan 1” displays your IP address and the state of the interface, it

ought to read “Vlan1 is up, line protocol is up”

SW1#show ip interface vlan 1

Vlan1 is up, line protocol is up

Internet address is 10.1.1.2/24

Broadcast address is 255.255.255.255

Address determined by setup command

MTU is 1500 bytes

<Output omitted for brevity>

Step 9: Setting an enable secret on the switch is the same as for the router, you will need to go

to the global configuration prompt to do this.

SW1# configure terminal

SW1(config)# enable secret cisco



Step 10: You are currently configuring the switch via the console lead. The port on the switch that

you are connecting to is called “console”. There are some parameters on this port can be configured.

Three of the most important commands that you need to configure are:

1. The password that protects access into the console

2. The default timer on the console to timeout and logout you out due to inactivity is 5 mins

3. The command that stops messages interrupting your commands

Command: The command to enter the console port parameters is “line console 0”

Cisco always call the 1st port on the router as “0”

SW1(config)# line console 0 Command: This command prevents event messages on the console from interrupting your typing,

without it any event message will cut any command you may be typing in half. With it enabled any

command you maybe typing will be dropped to the next prompt

SW1(config-line)# logging synchronous

Command: By default the console continues to present the commands line interface so long as there

is activity. The “exec-time 0 0” tells the switch not to timeout the first “0” is minutes, the second “0”

represents seconds

SW1(config-line)#exec-timeout 0 0

Command: The password you enter is “cisco”, the second line:


Tells the switch that when a user telnets into the router prompt for a password

SW1(config-line)# password cisco

SW1(config-line)# login

SW1(config-line)# exit



Step 11: By default whenever you make type in a command and make a spelling mistake at the

“SW1” prompt the switch will believe that the sequence of letters that you have typed in is the name

of another device and the switch will try to resolve your typo by broadcasting to a DNS server

(Domain Name Server) for the IP address of this typo, this broadcast will be attempted 3 times and all

the while you will not have access to the console. We want to turn this feature off

SW1 (config)#no ip domain-lookup

Step 12: Save your configuration. Up to this point every command that you have entered has

gone into RAM which is volatile in the sense that if you power the switch down all your configuration

will be lost. It is important that you save your configuration regularly.

When you save your configuration the “running-config” file in RAM is saved into NVRAM and is

renamed as “startup-config”

SW1#copy running-config startup-config



[OK]

The command “copy running-config startup-config” is an exec level prompt and as such can only

be entered at the “exec-level-enable prompt”

When you type this command and after you hit return the switch will ask you if you want to change

the destination file name from its default name of “startup-config”, the default name is in square

brackets, you do NOT want to change this name so accept the default by hitting the return key.

The system is now copying the file from RAM to NVRAM



Physical switch POST LED’s: Starting the Switch and checking the POST LED

display

This Section can be performed if you have access to a physical switch

Step 1: Plug the kettle lead power cable that is connected to a power source into the switch power.

You will find this power connector on the rear of the switch. There is no on/off button on the switch

Step 2: Look at the following LEDS. They indicate the state of the switch and switchports. After the

switch successfully boots, the status of the System LED ought to be “green”. LED’s with your work

group router and P.C attached ought to be “green”

Step 3: There is a button on the left hand side of the switch called the mode button. Above that

there are 4 LED’s.

1. The STAT “Status”. This led indicates the status of all the physical ports on the switch, if a

port has a device attached and the port is active the port light will appear green, if all

physical ports are active and without fault the “STAT” light will also appear green. If the

physical port that has a device attached but has a fault the “STAT” light will appear amber

and so will the system LED

2. The UTIL “Utilsation” This led when scrolled to using the Mode button indicates the CPU

utilisation of the switch by laminating a series of port leds, the more that light up would

indicate a higher switch CPU usage. The normal CPU usage on the 2950’s and 3550’s is

around 25%

3. The DUP “Duplex” led when scrolled to using the Mode button indicates the duplex

operating mode of the port.

If the port is green this indicates that the port is operating in full duplex If the port is off this indicates that the port is operating in half duplex



4. The Speed “Speed” led when scrolled to using the Mode button indicates the speed

operating mode of the port.

If the port is green this indicates that the port is operating in 100Mbps If the port is off this indicates that the port is operating in 10Mbps

To scroll the LED’s from STAT to the other modes you need to push the mode button on the front of

the switch.

Configuration Register Setting

Router Behavior

0x102 Ignores break - 9600 console baud

0x1202 1200 baud rate

0x2101 Boots into bootstrap - Ignores break - Boots into ROM if initial boot fails - 9600 console baud rate

0x2102 Ignores break - Boots into ROM if initial boot fails - 9600 console baud rate default value for most platforms

0x2120 Boots into ROMmon - 19200 console speed

0x2122 Ignores break - Boots into ROM if initial boot fails - 19200 console baud rate

0x2124 NetBoot - Ignores break - Boots into ROM if initial boot fails - 19200 console speed

0x2142 Ignores break - Boots into ROM if initial boot fails - 9600 console baud rate - Ignores NVRAM (ignores configuration)








Section Answers:

Question 1: What is the Cisco IOS software version running on your router?

Answer 1: the IOS software is shown in the output of the show version command as indicated

by bubble 1

Question 2: What interfaces are available on your router?

Answer 2: The interface recognised by your router are indicated by bubble 5

Question 3: How much flash does your router have?

Answer 3: The amount of flash that your router has is indicated by bubble 6 Question 4: How much RAM does your router have?

Answer 4: The amount of RAM your router has is indicated by bubble 4

Question 5: What is the platform type of your router?

Answer 5: The router platform is indicated by bubble 3

Question 6: Where did the router load the IOS software from?

Answer 6: Your router loaded it’s IOS from the position indicated by bubble 2

Question 7: Now press the “Return” key a few times. What happened?, did the router present

you with one extra command at a time?

Answer 7: The command prompt presented single commands each time



Question 8: Now press the “space bar”. What happened, did the router present a whole page

at a time?

Answer 8: A whole page of possible commands was presented

Question 9: What is displayed on your terminal screen?

Answer 9: the “show clock” command ought to show the current time as the router knows it.

Question 10: What command was returned as a result of this action?

Answer 10: The show command at the enable prompt will display a complete list of all

possible commands that can be executed at this prompt



End of Section Knowledge Check Questions

1. From which location does the router normally load the operating system ?

a. NVRAM

b. FLASH

c. TFTP

d. RAM

2. Which output below means that there is more than one command which begins with the same

characters “cl”?

a. % Ambiguous command: "cl"

b. % Incomplete command. “cl”

c. % Unrecognised command. ”cl”

d. % Complete command. “cl”

3. Which output below means that the router needs more command parameters to complete the

command?

a. % Ambiguous command.

b. % Incomplete command.

c. % Unrecognised command.

d. % Complete command.

4. Which output below sets the correct clock on the router ?

a. Router# clock set 20:20:00 11 3 2011

b. Router# clock set 20:20:00 11 march 2011

c. Router# set clock 20:20:00 11 march 2011

d. Router# clock 20:20:00 11 march 2011



5. Which output below sets the motd to COMMSUPPORT ROUTER ?

a. Router# banner motd #

COMMSUPPORT ROUTER

#

b. Router# banner #

COMMSUPPORT ROUTER

#

c. Router# banner motd COMMSUPPORT ROUTER

d. Router# motd banner #

COMMSUPPORT ROUTER

#

6. Which output below saves the contents of RAM to NVRAM

a. Router# copy ram-config startup-config

b. Router# copy running-config nvram-config

c. Router# copy running-config nvram-config

d. Router# copy running-config startup-config

7. Which command sequence is used to place the description COMMSUPPORT on an interface?

a.



b.


Router(config-if)# COMMSUPPORT Description



c.

Router(config)# Description COMMSUPPORT interface Fastethernet 0/0

d.

Router(config)# interface Fastethernet 0/0 Description COMMSUPPORT

8. Which command sequence is used prevent console messages from interrupting command inputs? a.


Router(config-line)# no logging synchronous

b.


Router(config-line)# synchronous logging

c.


Router(config-line)# logging synchronous

9. Which command is used to encrypt the Vty, console and enable passwords?

a. Router(config)# no service password-encryption

b. Router(config)# password-encryption service

c. Router(config)# service password-encryption

d. Router(config)# no service encryption-password



10. Which command sequence is used to place the ip address of 192.168.10.1 255.255.255.0 on a

router Fasthethernet 0/0 interface?

a.


Router(config-if)# address 192.168.10.1 255.255.255.0

Router(config-if)# no shutdown

b.


Router(config-if)# ip 192.168.10.1 255.255.255.0


c.


Router(config-if)# ip address 192.168.10.1 255.255.255.0


d.


Router(config-if)# ip address 192.168.10.1





switch Vlan 1 interface?

a.

switch(config)# interface vlan 1

switch (config-if)# ip address 192.168.10.1 255.255.255.0

switch (config-if)# no shutdown

b.

switch (config)# interface vlan 1

switch (config-if)# ip 192.168.10.2 255.255.255.0


c.




d.


switch (config-if)# ip address 192.168.10.2




End of Section Knowledge Check Answers

1. From which location does the router normally load the operating system?

B. FLASH

2. Which output below means that there is more than one command which begins with the same

characters “cl”?

A. % Ambiguous command: "cl"

3. Which output below means that the router needs more command parameters to complete the

command?

B. % Incomplete command.

4. Which output below sets the correct clock on the router?

B. Router# clock set 20:20:00 11 march 2011

5. Which output below sets the motd to COMMSUPPORT ROUTER ?

A. Router# banner motd # COMMSUPPORT ROUTER #

6. Which output below saves the contents of RAM to NVRAM

D. Router# copy running-config startup-config



7. Which command sequence is used to place the description COMMSUPPORT on an interface?

A.



8. Which command sequence is used prevent console messages from interrupting command inputs?

C. Router(config)# line console 0

Router(config-line)# logging synchronous

9. Which command is used to encrypt the Vty, console and enable passwords?

C. Router(config)# service password-encryption


router Fasthethernet 0/0 interface?

C.


Router(config-if)# ip address 192.168.10.1 255.255.255.0



switch Vlan 1 interface?

C.






Command Guide:

Logging into and out of a Cisco Device

Router> enable

Router#

Router# disable

Router>

Setting the Clock

Router#clock set 20:20:00 11 march 2011

Useful show commands

Router# show running-config

Router# show history

Router# show interface Fastethernet 0/0

Router# sho int fa0/0 | section bia

Router(conf)# do show run


Going from Enable to Global Mode


Router(config)#

Seting the MOTD banner

Router(config)# banner motd #

Saving the Configuration and logging out

Router#copy running-config startup-config

Router#logout



Logging into the Router and setting a description to an interface

Router> enable

Router#configure terminal

Router(config)#interface Fastethernet 0/0

Router(config-if)#description CONNECTS_TO_SWITCH

Setting passwords and secrets

Router(config)#enable secret Cisco

Router(config)#enable password sanfran

Setting Telnet password and house keeping


Router(config-line)#logging synchronous

Router(config-line)#password Cisco



Setting Console password and house keeping


Router(config-line)#logging synchronous


Router(config-line)#password Cisco


Router(config-line)#exit

Turning on/off Password Encryption

Router(config)# service password-encryption

Router(config)# no service password-encryption



Setting Hostname

Router(config)# hostname R1

Setting an IP address on the Switch

Switch(config)#interface vlan 1

Switch(config-if)# ip address 10.1.1.2 255.255.255.0

Switch(config-if)# no shutdown

Viewing the state of Interface vlan 1

SW_1#show ip interface vlan 1

Preventing name lookups on the device

SW_1 (config)#no ip domain-lookup



Challenge Lab: Basic CLI

Fa0/2

Fa0/10

Laptop

Ethernet Cable

Fastethernet0/0 192.168.10.10 255.255.255.0

Fa0/1

SWITCH 1

ROUTER 1

Interface Vlan 1

192.168.10.20 255.255.255.0

Cable the topology as above

Step 1: Erase the running configuration from the router and the switch and reload

Step 2: Once the devices have reload enter the following hostnames on the router and switch

a. On the router = R1

b. On the switch = SW1

Step 3: On both devices enter time of 12:00:00 1st Jan 2010

Step 4: On both devices enter the command to prevent the device from broadcasting for an IP

address for typos



Step 5: On both devices configure the console line never to time out and for the console to

synchronise messages with your typing

Step 6: Configure both devices with enable passwords of “cisco” and vty, console passwords of

“cisco”, also ensure that the configuration prompts the user for the password when they login.

Step 7: Encrypt all passwords on both devices.

Step 8: Apply the IP address of “192.168.10.10 255.255.255.0” on Fastethernet 0/0 on the router

Step 9: Apply the IP address of “192.168.10.20 255.255.255.0” on interface vlan 1 on the switch

Step 10: On the router create a MOTD banner on the router which reads “This is a test message”

Step 11: Save the configuration on both devices

Step 12: Run the command to view the running configuration

Write the command here:________________________

Step 13: Run the command on the router to view the devices memory, uptime, interface count, IOS


Step 14: Run the command on the switch to view the interface counters on Fastethernet 0/1


Step 15: Run the command to view all interfaces on the router along with the status and ip addresses




Challenge Lab: Basic CLI Solution

Step 1: Erase the running configuration from the router and the switch and reload

Device# erase startup-config

Erasing the nvram filesystem will remove all configuration files! Continue? [confirm]

[OK]

Erase of nvram: complete

%SYS-7-NV_BLOCK_INIT: Initialized the geometry of nvram

Device# reload

System configuration has been modified. Save? [yes/no]: no

Proceed with reload? [confirm]

Step 2: Once the devices have reload enter the following hostnames on the router and switch

a. On the router = R1

b. On the switch = SW1

On the Router

Router(config)# hostname R1

On the Switch


Step 3: On both devices enter time of 12:00:00 1st Jan 2010

On the Router (The switch command is identical)

R1# clock set 12:00:00 1 january 2010



Step 4: On both devices enter the command to prevent the device from broadcasting for an IP

address for typos


R1(config)# no ip domain-lookup

Step 5: On both devices configure the console line never to time out and for the console to

synchronise messages with your typing


R1(config)# line console 0

R1(config-line)# exec-time 0 0

R1(config-line)# logging synchronous

Step 6: Configure both devices with enable passwords of “cisco” and vty, console passwords of

“cisco”, also ensure that the configuration prompts the user for the password when they login.


R1(config)# enable password cisco

R1(config)# line console 0

R1(config-line)# password cisco

R1(config-line)# login

R1(config-line)# exit

R1(config)# line vty 0 15

R1(config-line)# password cisco

R1(config-line)# login



Step 7: Encrypt all passwords on both devices.


R1(config)# service password-encryption

Step 8: Apply the IP address of “192.168.10.10 255.255.255.0” on Fastethernet 0/0 on the router

R1(config)# interface fastethernet 0/0

R1(config-if)# ip address 192.168.10.10 255.255.255.0

R1(config-if)# no shut

Step 9: Apply the IP address of “192.168.10.20 255.255.255.0” on interface vlan 1 on the switch

SW1(config)# interface vlan 1

SW1(config-if)# ip address 192.168.10.20 255.255.255.0

SW1(config-if)# no shut

Step 10: On the router create an MOTD banner which reads “This is a test message”

R1(config)# banner MOTD #

Enter TEXT message. End with the character '#'

This is a test message

#

R1(config)#



Step 11: Save the configuration on both devices

R1# copy running-config startup-config



[OK]

R1#

Step 12: Run the command to view the running configuration

Write the command here: show run

Step 13: Run the command on the router to view the devices memory, uptime, interface count, IOS

Write the command here: show version

Step 14: Run the command on the switch to view the interface counters on Fastethernet 0/1

Write the command here: show interface fastethernet 0/1

Step 15: Run the command to view all interfaces on the router along with the status and ip addresses

Write the command here: show ip interface brief



Section 2: MAC’s VLANs and Trunking



Knowledge Check Questions

It is advisable to go through all of the questions prior to carrying out the practical labs. You are aiming

for 100% correct answers.

1. What is the command sequence to create VLAN 10 and assign it to interface Fa0/1?

a.

Switch(config)# vlan 10

Switch(config)# interface fa0/1

Switch(config-if)# switchport vlan 10

b.



Switch(config-if)# switchport access vlan 10

c.



Switch(config-if)# switchport vlan access 10

d.



Switch(config-if)# vlan switchport access 10



2. Which command to view current VLANs on a switch?

a. Switch# show vlan

b. Switch(config)# show vlan

c. Switch# vlan brief

d. Switch(config)# show vlan brief

3. True or False: Vlan 1 can be deleted?

a. True

b. False

4. Which VLANs are by default considered to be reserved on a Cisco switch?

a. 0, 4095, 1001-1005 b. 0, 4096, 1002-1005 c. 0, 4095, 1002-1005 d. 0, 4095, 1002-1006

5. Which command is used to display the MAC address table on a Cisco switch?

a. Switch# show mac-table

b. Switch(config)# show mac address-table

c. Switch# show mac address-table

d. Switch(config)# show mac-table



6. What is the command sequence to create VLAN 20 and assign it to interface Fa0/1 as a voice

vlan?

a.



Switch(config-if)# switchport vlan voice 20

b.



Switch(config-if)# voice access vlan 20

c.



Switch(config-if)# switchport voice vlan 20

d.




7. By default traffic from which VLANs will be carried over a trunk link?

a. none

b. all

c. VLAN 1 only

d. Reserved system VLAN’s only



8. Which method is open standards for marking frames traversing a trunk link

a. ISL

b. 802.1Q

c. 802.1D

d. 802.1W

9. What are the different trunk modes a Cisco switch port can assume. Choose 2 a. Active b. passive c. desirable d. auto e. manual

10. Which method is CIsco standards for marking frames traversing a trunk link

a. ISL

b. 802.1Q

c. 802.1D

d. 802.1W



Knowledge Check Answers

1. What is the command sequence to create VLAN 10 and assign it to interface Fa0/1?

B.




2. Which command to view current VLANs on a switch?

A. Switch# show vlan

3. True or False: Vlan 1 can be deleted?

B. False

4. Which VLANs are by default considered to be reserved on a Cisco switch?

B. 0, 4096, 1002-1005

5. Which command is used to display the MAC address table on a Cisco switch?

C. Switch# show mac address-table



6. What is the command sequence to create VLAN 20 and assign it to interface Fa0/1 as a voice

vlan?

C.



Switch(config-if)# switchport voice vlan 20

7. By default traffic from which VLANs will be carried over a trunk link?

B. all

9. Which method is open standard for marking frames traversing a trunk link

B. 802.1Q

9. What are the different trunk modes a Cisco switch port can assume. Choose 2

C. desirable

D. auto

10. Which method is CIsco standard for marking frames traversing a trunk link

A. ISL



Start of Lab

Step 1: Load the following Topology and any corresponding configuration templates into the devices

Network Simulator: Packet Tracer

Topology: PART 1 - SECTION 2 BASIC VLANS

Configuration Template: None – This Lab is manually configured

Network Simulator Topology View

Figure 2.1



Step 1: Erasing the existing configuration from the switches

Your devices may power on with a previous configuration. You will need to go through the following

steps to set the devices to their factory defaults.

Follow the steps below on SW1, SW2

Command: The switch may present you with this prompt. This prompt is the switches’ hostname

from a previous class. Type the command “enable” without the speech marks and then press the

return key.

device >

device > enable

Command: Once you have entered the correct password the prompt will change and rather than

seeing the “>” you will see the “#”, this means the switch is now in “privileged” mode also known as

“enable mode”

device #

Command: The command “erase startup-config” instructs the switch to erase the contents of

NVRAM. Once it has done this the switch will still continue to operate since the config it is using is still

in RAM. Follow this command with the return key

device# erase startup-config



Step 2: Erasing the vlan.dat file on both of the switches

After you have erased the vlan.dat file and then reloaded the switches they will not have any

knowledge of user defined vlan’s or any user defined configuration, i.e the devices will have been

returned to the factory default.

Erase VTP / VLAN configuration on both of the switches by entering the “delete vlan.dat” command

below.

The switches on the network simulator may not have the vlan.dat file present, therefore it will return

the message “%Error deleting flash:/vlan.dat (No such file or directory)”, this is fine, this simply means

the switch has either already been wiped or it was never configured with any vlans or VTP.

Figure 2.2

Joe says: Before connecting a Cisco switch to a Cisco switched network it is strongly advised that

the vlan.dat file is removed and the switch placed into VTP mode transparent. More on VTP later.

The file called “vlan.dat” stores all vlan and vtp info. It is important to delete this file prior to adding

any switch to your network. Press return multiple times to accept the defaults

device # delete vlan.dat

Delete filename [vlan.dat]?

Delete flash:vlan.dat? [confirm]

device# reload



Once you have erased the switches configuration from NVRAM you are required to power cycle the

device “turn off, turn on”, this MUST be done using the reload command and never by pulling the

power lead. Reloading will erase the contents of RAM and the router will come back with no

configuration

At the reload command press return to execute the command and cause the devices to reload, since

you have cleared the contents of nvram when the switches and router power up they will not find any

configuration in NVRAM.

Step 3: Entering initial basic configuration on the switches

In this step the correct hostnames will be entered on both of the switches. The identity of the switch is

set using the hostname command. The hostname is only locally significant, which means that it has

no bearing on how the switches perform.

NOTE: The switches in this lab will be referred to as “SW_1” and “SW_2”

At the prompt, enter the command “enable” followed by return, followed by one command per line

followed by the return key to execute the command

Enter the following housekeeping commands on both switches:

Switch> enable

Switch # conf t

Switch(config)# no ip domain-lookup

Switch(config)# line con 0

Switch(config-line)# logg sync

Switch(config-line)# exec-timeout 0 0

Switch (config-line)# exit



For the Switch One use hostname SW_1 For the Switch Two use hostname SW_2

Switch (config)# hostname “ENTER THE HOSTNAME HERE”

SW_X(config)# end

SW_X# copy run start

NOTE: When you see the hostname expressed as “SW_X” the X refers to all devices, in this case

both SW_1 and SW_2



Lab 1: Basic Vlan Connectivity

Figure 2.3

Logical Representation of the network

Vlan 1

192.168.1.10/24 192.168.1.20/24

PC A PC B

SW_1 SW_2Trunk

Fa0/1 Fa0/2

Topology 1

F0 F0

Fa0/24Fa0/24

Figure 2.4



TIP: When working with vlans it is always a good idea to try and visualise how the vlans span the

switch or switches

Configuring the PC’s

Topology 1 above outlines the way in which PC A and PC B are connected physically to SW1 and

how they are logically connected via VLAN 1. PC-A and PC-B will have connectivity to one another

since they are on the same vlan. The objective here is to establish communications between the two

PC’s

NOTE: Being connected to the same physical switch is not a guarantee of connectivity.

.

Step 1: Configuring SW1 Port Status. It is now important to build the correct topology by only

enabling the ports which have PC A and PC B connected also Fa0/24 which connects to SW_2

In this step you will shut down all ports and make only Ports 1, 2 and 24 live.

NOTE: If the range command is not supported on your equipment you will have to manually disable

each port individually. Also note that there is a space either side of the hypen separating the port

numbers.

Figure 2.3



Vlan 1

192.168.1.10/24 192.168.1.20/24

PC A PC B

SW_1 SW_2Trunk

Fa0/1 Fa0/2

Topology 1

Fa0 Fa0

Fa0/24Fa0/24

Make Live

Fa0/2

Figure 2.5

1. Fa0/1 Leads to PC A = ACCESS LINK

2. Fa0/2 Leads to PC B = ACCESS LINK

3. Fa0/24 Leads to SW_2 = TRUNK LINK

SW_1 # config t

SW_1 (config)# interface range fastethernet 0/1 - 24

SW_1(config-if-range)# shut

SW_1(config-if-range)# exit

SW_1(config)# int fa0/1

SW_1(config-if)# no shut

SW_1(config-if)# description TO_PCA

SW_1(config-if)# exit



SW_1(config-if)# description TO_PCB



SW_1(config-if)# exit



SW_1(config-if)# description TO_SW2

SW_1(config-if)# end

SW_1# wri mem

You may be wondering why we shuting down interfaces on the switch, well for the sake of keeping

the outputs clean we shut down any interfaces we do not need, also in the real world shutting down

interface you do not need increases security.



Step 2: Setting up the PCA in Topology 1:

Log into PCA and enter the following commands to prepare it for the lab.

NOTE: F0 interface of the PCA is connected to the fa0/1 port on SW_1.

Vlan 1

192.168.1.10/24 192.168.1.20/24

PC A PC B

SW_1 SW_2Trunk

Fa0/1 Fa0/2

Topology 1

Fa0 Fa0

Fa0/24Fa0/24

Fa0/2

Configure this

device

Figure 2.6 Click on PCA, select the Desktop tab followed by IP Configuration

Figure 2.7



Apply the correct address to PC A’s F0 interface

IP Address: 192.168.1.10

Subnet Mask: 255.255.255.0

Figure 2.8

Close the screen by clicking the X on the top right hand side



Step 4: Setting up the PC B in Topology 1

Vlan 1

192.168.1.10/24 192.168.1.20/24

PC A PC B

SW_1 SW_2Trunk

Fa0/1 Fa0/2

Topology 1

Fa0 Fa0

Fa0/24Fa0/24

Configure this

device

Figure 2.9 Click on PC_B, select the Desktop tab followed by IP Configuration

Figure 2.10



Apply the correct address to PC_A’s F0 interface

IP Address: 192.168.1.20

Subnet Mask: 255.255.255.0

Figure 2.11 Close the screen by clicking the X on the top right hand side

Step 5: From PC_A issue a ping to PC_B and vice versa, these pings ought to be successful. These

are successful due to both PC’s being in the same vlan on SW_1 as shown in the output below; in

this scenario both the devices are in Vlan 1.

On PC_B bring up the command prompt and issue a ping to PC_A and vice versa.

Click on PC_B, select the “Desktop” tab followed by clicking on “Command Prompt”

Figure 2.12



In the command prompt screen type in the command “ping 192.168.1.10”, then hit return, the

command prompt will send out 4 pings, these pings ought to be successful. I.e. 0% Loss (On real

physical equipment one or two pings may be lost)

Figure 2.13

Congratulations, your very first network!! ☺



Lab 2: Creating and assigning a Vlan

In this lab you will configure a new Vlan called Vlan 10 and place Fa0/1 and Fa0/2 into Vlan 10.

The topology is as diagram 1-2

When the two switchports (Fa0/1 and Fa0/2) have been made members of Vlan 10 you will test

connectivity by issuing a ping from one PC to the other.

.

192.168.1.10/24 192.168.1.20/24

PC A PC B

SW_1

Fa0/1 Fa0/2

Topology 1-2

Fa0 Fa0

Vlan 10

Figure 2.14



Step 1: Log into SW1 and follow the commands below. The commands below will create a single

vlan called vlan 10.

The command to create a vlan is “vlan n” were “n” is a number between 2-1001, 1006-4094

This command is executed in Global configuration mode

SW1# conf t

SW1(config)# vlan 10

SW1(config-vlan)# end

JOE SAYS: Make a note of all these commands in a sturdy notebook and keep it with you!

Step 2: When ever you configure anything on the Cisco devices it is a good idea to always verify the

configuration. When you create a vlan you must make it a habit to check that the vlan has been

created and is in the switches vlan database

The command to view the vlan database is “show vlan brief”

Figure 2.15

Vlan 10 is in the table, and is showing as active. It is showing as active since vlans numbered

between 2-1001, 1006-4094 are Ethernet vlans and this is an Ethernet switch.



Note: Vlans numbered between 1002 through to 1005 are default vlans. These vlans on physical

switches will appear as “act/unsup” as they are not Ethernet vlans, although in the network simulator

these vlans may simply appear as “active”.

It is possible to create any vlan number you wish to create on a switch provided the number is

between 2-1001 and 1006-4094. The actual amount of vlans you can create is dependant on the

switch model.

It is not possible to delete Vlan 1 or vlans 1002-1005, you can try but you will receive this message.

SW1# conf t

SW1(config)# no vlan 1

Default VLAN 1 may not be deleted.

All interfaces are by default members of the default native vlan called “vlan 1”

If you were to plug into this switch 24 P.C’s they will all beable to see each others broadcast (and

Multicast) traffic.

Figure 2.16

Vlan 1 has the default name of “default”, it is not possible to change the name of this vlan (At time of

writing)



SW1# conf t

SW1(config)# vlan 1

SW1(config-vlan)# name ADMIN

Default VLAN 1 may not have its name changed.


Even though vlan 1 cannot have its name changed it is possible to change the name of any user

defined vlan i.e. those which the administrator creates.

Step 3: Go ahead and change the name of Vlan 10 to “DATA_FLR_ONE”

SW1# conf t


SW1(config-vlan)# name DATA_FLR_ONE


Step 4: Remember!! When ever you configure anything on the Cisco devices always verify the

configuration. The command to view the vlan database is “show vlan brief”

Figure 2.17 The name has been changed. It is a good idea to name your vlans with a descriptive label.



Step 5: Next you will assign vlan 10 to Fa0/1 and Fa0/2. These are the interfaces that PC_A and

PC_B are connected to respectively.

Below is a logical representation of the impending configuration.

192.168.1.10/24 192.168.1.20/24

PC A PC B

SW_1

Fa0/1 Fa0/2

Topology 1-2

Fa0 Fa0

Vlan 10

Figure 2.18 To assign a vlan to an interface you have to be in the interface mode.

SW1# conf t

SW1(config)# interface fastethernet 0/1

SW1(config-if)# switchport access vlan 10

SW1(config-if)#exit



SW1(config-if)# end

In the command sequence above we entered the interface mode and assigned the vlan to the

interface using the command “switchport access vlan n” In the command sequence above we



exited the interface prompt and went back in to configure Fa0/2, this is not messessary, can jump

between interfaces without exiting.

Step 6: Remember!! When ever you configure anything on the Cisco devices always verify the


Figure: 2.19

JOE SAYS: An access port can only be a member of a single native vlan, the key terms here

are “access” and “native”



Interface Fa0/1 and Fa0/2 are now members of Vlan 10. Also notice that the interfaces are not listed

as being members of Vlan 1.

192.168.1.10/24 192.168.1.20/24

PC A PC B

SW_1

Fa0/1 Fa0/2

Topology 1-2R1 R2

Fa0/0 Fa0/0

Vlan 10

Figure: 2.18

The topology now looks like Figure 2-18

Step 7: Next you will test basic connectivity by issuing a ping from PC A to PC B.

On PC_A send a ping to 192.168.1.20

PC_A# ping 192.168.1.20

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 192.168.1.20, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 1/202/1004 ms

JOE SAYS: If the first ping fails it is due to the interface sending and ARP (Address Resolution

Protocol) to discover the layer 2 address for 192.168.1.20. If you run the ping again you will

find that the success rate is 100%



Conclusion to Lab 2: In this lab you practiced creating a vlan abd assigning the vlan to interfaces. It

is also possible to assign vlans dynamically to switchport using the MAC address of the attached

device i.e the PC and a process on the switch called VMPS (Vlan Membership Policy Server) VMPS

will match the MAC address to a Vlan and tell the switch which Vlan a device ought to be a member

of based on the MAC of the Device. This method is seldom used.

End of lab 2



Lab 3: Switch Layer 2 MAC tables

All Switches store in RAM the Source L2 addresses of frames which they receive in a local table

called the “MAC Address Table”, this table is also referred to as the “CAM Table” which means

Content Addressable Memory.

When frames arrive inbound or to use the correct term “ingress” the switch port the switch will take

the source L2 address of the frame and store the address in it’s MAC Table and set a timer of 300sec

(5 Mins). If the switch does not receive any further frames with this particular source address the

timer will expire and the entry is removed from the MAC Table thus freeing up space for new current

address.

If the entry already exists in the MAC table the switch will simply reset the timer to 300sec each time

the L2 address is received as source.

In this lab you will examine SW1’s MAC Table. So that PC A and PC B address are easily

recognisable in the MAC table you will manually set your own MAC addresses on PC A and PC B.

Step 1: Double click on PC_A, go to:

1. “Config” tab

2. Left hand side, click on the button labelled “Fastethernet”

3. In the “MAC Address” field enter the MAC address of 0000.1111.1111



Figure: 2.19

Repeat these steps on PC_B

Figure: 2.20

NOTE: If you are using a physical router to emulate PC_A use the commands below.

PC_A# conf t

PC_A(config)# int fa0/0

PC_A(config-if)# mac-address 0000.1111.1111

PC_A(config-if)# end



NOTE: If you are using a physical router to emulate PC_B use the commands below.

PC_B# conf t

PC_Bconfig)# interface fastethernet 0/0

PC_B(config-if)# mac-address 0000.2222.2222

PC_B(config-if)#end

PC_B#



Step 2: From PC_B Ping 192.168.1.10

On PC_B bring up the command prompt and issue a ping to PC_A and vice versa.

Click on PC_B, select the “Desktop” tab followed by clicking on “Command Prompt”

Figure: 2.21

In the command prompt screen type in the command “ping 192.168.1.10”, then hit return, the

command prompt will send out 4 pings, these pings ought to be successful.

Figure: 2.22

Congratulations, your very first Vlan’ed network!! ☺



Step 3: Next let’s take a look at the MAC address table on SW1.

The command to view the MAC address table on the switch is “show mac-address-table”. If you run

this command you will see a whole list of mac addresses which are assigned to the switch ports

themselves. (These switch port L2 address are of no concern to us at this moment.

We are concerned only with addresses that the switch has dynamically learned from incoming frame

To view only the dynamically learned addresses run the command “show mac-address-table

dynamic”

Figure: 2.23

NOTE: In your output there may be an entry for Fa0/24, this is the MAC address of SW2, this may be

ignored.

In the output above you can see our two PC MAC addresses have been learnt by SW1 and mapped

to the ingress ports with the vlan to which the interfaces are members.

End of Lab 3.



Lab 4: Static MAC Addressess

MAC addresses are stored in the table so long as the timer has not expired and the interface on

which the address is mapped against is in the up/up state. It is sometimes desirable to statically

associate a MAC address to an interface. In this lab you will configure SW1 to store PC_A MAC

address to VLAN/Interface association permanently.

Step 1: View the MAC address table once again on SW1

Figure: 2.24



The address 0000.1111.1111 mapped to Fa0/1 has been learnt dynamically. Go to SW1 and shut

down interface Fa0/1

192.168.1.10/24 192.168.1.20/24

PC A PC B

SW_1

Fa0/1 Fa0/2

Topology 1-4

Fa0 Fa0

Vlan 10

Shut down interface

Fa0/1

Figure: 2.25



Step 2: Enter the following command on SW1. Recall that commands may be abbreviated

SW1# conf t

SW1(config)# interface fa0/1

SW1(config-if)# shut

SW1(config-if)#end

Step 3: Still on SW1 view the MAC address table, the entry for 0000.1111.111, this entry should now

be absent. We only see the entry for PC_B’s MAC address.

Figure: 2.26

Step 4: On SW1 run the following command to statically assign the MAC address of 0000.1111.1111

to Fa0/1 and Vlan 10

SW1(config)# mac address-table static 0000.1111.1111 vlan 10 interface fa0/1

Step 5: Once more you have to verify the configuration on the switch, what do you think the

command could be to see the static MAC address in the MAC address table?

(The answer is on the top of the next page ☺ )



Here is the answer. You could also have used the commands:

1. show mac adddress-table static

2. show mac address-table vlan 10

Figure: 2.26

Notice that the address 0000.1111.1111 is now static,

Command Challenge: Now on SW1 and unshut interface Fa0/1 wait around 30 secs then shut it

down again, is the MAC address 0000.1111.1111 still in the MAC table?

JOE SAYS: Shutting then unshutting in quick succession is called “Bouncing the interface”

Step 6: End of Lab clean up

SW1# conf t.

SW1(config)# inter fa0/1


SW1(config-if)# exit

SW1(config)#no mac-address-table static 0000.1111.1111 vlan 10 interface fa0/1

Packet Tracer

End of Lab 4



Lab 5: Voice VLAN

An access port is one into which you would plug end point devices, i.e P.C, Printers, IP Phones,

Routers, Firewalls.

Generally an Access port is a member of a single vlan, this vlan is generally referred to as the

“Native Vlan” by default the native vlan is vlan 1, and is generally referred to as the “Default Native

Vlan”

In Vlan Lab 2 you created and assigned Vlan 10 to interface Fa0/1 and Fa0/2, when you did that the

current native vlan (Vlan 1) would have been removed and a new native vlan would have been

associated to the two interfaces. What this means is that all “untagged” frames now being received

inbound “ingress” into the port will become members of vlan 10. An untagged frame is one which

does not carry any vlan identification. Frame tagging will be covered in more detail later.

It is very common to host a P.C and an IP Phone two to a single physical switchport.



The IP Phone has a mini 3 port switch built into the chassis. Two of the ports are visible in the image

below, the third port is internal and is the port the phone uses when sending it’s frames

Figure: 2.28

Diagram 1-5 shows a logical representation of how the IP Phone, P.C and Switch all fit together onto

a single physical switch port

PC PC

SWITCH

Fa0/1 Fa0/2

Logical

Representation

Topology 1-5

Mini

Switch

Mini

Switch

Figure: 2.29



In the diagram above it looks like the phones and the P.C;’s are connected to another switch that is

connected into the main switch, this “Mini Switch” is the integrated 3 port switch in the IP Phone

chassis.

The physical representation is shown in Diagram1-6 below.

PC PC

SWITCH

Fa0/1 Fa0/2

Physical

Representation

Topology 1-6

Figure: 2.30

So why would you want to connect two devices into a single port? Simple, it is more cost effective

otherwise you would have to have to support double the number of switchports, double amount of

power, double the amount of rack space, double the maintenance.

Depite all the obvious advantages of saving money, space and time there are considerations that

must be taken into account when setting a network up in this manner.

Voice traffic is very sensitive to delay. When the IP Phone presents voice traffic to the switch port you

want the switch to recognise this traffic as being voice traffic and treat it in a special way i.e make

sure that it is prioritised ahead of data traffic.



How does the switch port tell the difference between which traffic it is receiving ingress into a port as

to which traffic is from the IP Phone and which is from the P.C behind the IP Phone?

Simple the IP Phone with mark each of the Layer 2 frames with the Vlan that it is a member, when the

switch port receives the frames from the IP Phone it looks inside the Frame reads the Vlan number

and is able to perform any prioritisation on the frame.

To do this the switch port has to be a member of two Vlans:

1. The Native Vlan = All unmarked frames i.e from the P.C go into this Vlan.

2. The Voice Vlan = All marked frames i.e from the IP Phone go into this Vlan.

PC

SWITCH

Fa0/1

SRC MAC

DST MAC

VLAN ID:

20

SRC MAC

DST MAC

Vlan

10

Vlan

20

(Tag

ged)

Figure: 2.31

In the diagram above two devices are sending their frames into the same port. The IP Phone is

marking the frames which it generates with a tag detailing the Vlan of which it is a member.

When the switchport receives the two frames it will place the frame with the Vlan Id into it’s vlan (The

Vlan Id in the frame and that of the Voice Vlan must match or the frame will be rejected) and the

unmarked frames from the P.C behind the IP Phone will go into the Native vlan of the interface.



The figure on the next page is how the IP Phone tags the Ethernet Frame, it will insert a 4 byte tag

into the frame immeadiately after the source L2 address. This frame tagging and marking will be

covered in more details during the trunking labs later on.

DESTINATION

ADDRESS

SOURCE

ADDRESS

TYPE/

LENGTH

FRAME

CHECK

SEQUENCE

ETHERTYPE

0x8100

2 Bytes

PRIORITY

FIELD

3 Bits

CFI

1 BitVlan ID

12 Bits

802.1Q

TAG

4 Bytes

Figure: 2.31 802.1Q Frame Tagging

Step 1: On SW1 you will configure a new Vlan 20 and assign Vlan 20 as a Voice vlan to Fa0/1 and

Fa0/2, once this is done you will verify the configuration.

Command Challenge: Create Vlan 20 on SW1 and name it VOICE



Step 2: Verify the configuration running the command “show run” and press return until you can see

interfaces Fa0/1 and Fa0/2 .

Figure: 2.32

In the output above Fa0/1 and Fa0/2 are members of two vlans

Step 3: From PC_A send a ping to PC_B, the traffic from the PC’s is received by the switchport on

the phone and sent to SW1 untagged, this untagged vlan is placed into vlan 10

Ok, so we know that an IP Phone can mark its own traffic, and we know that the switchport can read

the Vlan ID in the tagged field inside the frame but how does the IP Phone know what Vlan ID to

insert into the Vlan ID of the frames it generates? The answer is simple, when you configured the

command “switchport voice vlan n” it inserted a new field in CDP called the “Voip Vlan” this field

carries the Voice Vlan number



Step 4: Investigate vlan assignments using other commands, here is another really useful

command that you will be using quite a bit when fault finding.

SW1# show interface fa0/1 switchport

Name: Fa0/1

Switchport: Enabled

Administrative Mode: dynamic desirable

Operational Mode: static access

Administrative Trunking Encapsulation: negotiate

Operational Trunking Encapsulation: native

Negotiation of Trunking: On

Access Mode VLAN: 10 (VLAN0010) <- Native Vlan

Trunking Native Mode VLAN: 1 (default)

Administrative Native VLAN tagging: enabled

Voice VLAN: 20 (VOICE) <- Voice Vlan

Administrative private-vlan host-association: none

The command “show interface fa0/1 switchport” gives you a lot of detail regarding the setup of the

interface, right now we are only interested in the native vlan and the voice vlan.

JOE SAYS: Learn that there are many many commands available on the Cisco IOS, your job is

to know which ones to use to solve your issues.

Step 5: Remove Voice Vlan from SW1

SW1(config)# int range fa0/1 - 2

SW1(config-if-range)# no switchport voice vlan 20

Note: ATTENTION: Make sure these vlans are removed from the interfaces before continuing

End of Lab 5



Lab 6: Fault Finding – Mis-configured Vlan assignments

In this lab you will configure a new Vlan called Vlan 20 and place Fa0/2 into Vlan 20.

Doing this you will break the connectivity between PC A and PC B.

You will then go through the various fault finding steps to resolve the problem.

The topology is as diagram 1-3

192.168.1.10/24 192.168.1.20/24

PC A PC B

SW_1

Fa0/1 Fa0/2

Topology 1-3

Fa0 Fa0

Vlan 10 Vlan 20

Figure: 2.34

Step 1: In this step you will configure Vlan 20 and Assign the name of “DATA_FLR_TWO”.

SW1# conf t


SW1(config-vlan)# name DATA_FLR_TWO




Step 2: Next assign vlan 20 to Fa0/2

SW1# conf t

SW1(config)# inter fast0/2


SW1(config-if)# end

SW1#

Step 3: Remember When ever you configure anything on the Cisco devices always verify the


Figure: 2.35

You can see from the output above that Interface Fa0/1 is in Vlan 10 and Interface Fa0/2 is in Vlan 20

These two PC’s will not be able to communicate with out another.

JOE SAYS: To move traffic between Vlans you need to use a L3 device like a router or a Layer

3 Switch which we cover later in the course.



Step 4: To prove there is no connectivity between the two PC’s you will once more ping from PC A to

PC B

Figure: 2.36

“Request timed out” means that PC_A sent 4 ICMP (Internet Control Message Protocol ) packets

and got nothing in return, the interface timed the packets out.

Step 5: When this happens you need to look for the obvious faults:

1. Are the any of the Interfaces in the shut down state.

2. Have Incorrect IP Addresses been assigned

3. Incorrect Vlan assignment on the switch interfaces



Are the Interfaces are shut down and Have Incorrect IP Addresses been assigned

Let’s check the interfaces on PC_A by looking on PC_A’s IP address settings

Click on PC_A, select tab named “Desktop”, and choose “IP Configuration”

Figure: 2.37

From this output you can also see that the interface address is correct as per your network diagram.



Step 6: Next you would go to the switch to which the PC’s are connected to and view the vlans the

connected interfaces are members.

Do you recall the command you use to view the vlan database?

Figure: 2.38

Here we can see that the interfaces we are interested in are in two separate vlans.

Step 7: You need to fix this problem. Place Fa0/2 into vlan 10. Do you recall the commands to make

and interface a member of a particular vlan?

SW1# conf t.


SW1(config-if)# What is the command to assign the native vlan?

SW1(config-if)# end

SW1#



Step 8: Once you have set interface Fa0/2 to be a member of vlan 10 check the configuration and

then ping once more from PC_A to PC_B (There may be a delay of up to 30 seconds from when the

vlan is changed to receiving a reply to the pings)

Figure: 2.39

And also don’t forget to check the vlan database too, once again do you remember the command to

view the vlan database?

Figure: 2.40

End of Lab 6



Challenge Lab: Create and Assign Vlans

SW_1

Fa0/1 – 2

VLAN 10

Vlan Challenge Lab 1

Fa0/3-4

VLAN 20

Fa0/5 - 6

VLAN 30

Step 1: Erase Start SW1

Step 2: Reload SW1

Step 3: Apply the basic housing keeping

Step 4: Shut down all interfaces from 1 through to 24 then unshut ports 1 through to 6

Step 5: Create Vlan 10, Vlan 20, Vlan 30

Step 6: Assign Vlan 10 to interface 1 to 2



Step 9: Name Vlan 10 “DATA_10”



Step 12: The Vlan database ought to resemble the following output



Solution Challenge Lab: Create and Assign Vlans

SW_1

Fa0/1 – 2

VLAN 10

Vlan Challenge Lab 1

Fa0/3-4

VLAN 20

Fa0/5 - 6

VLAN 30

Step 1: Erase Start SW1 and delete the vlan database

SW1# erase startup-config


[OK]


SW1# delete vlan.dat





Step 2: Reload SW1

SW1# reload



Step 3: Apply the basic housing keeping

switch> enable

switch# conf t

Enter configuration commands, one per line. End with CNTL/Z.

switch(config)# line con 0

switch(config-line)# exec-timeout 0 0

switch(config-line)# logging sync

switch(config-line)# exit

switch(config)# host SW1

SW1(config)# no ip domain-lookup

SW1(config)#end

SW1#copy run start



[OK]

SW1#



Step 4: Shut down all interfaces from 1 through to 24 then unshut ports 1 through to 6

SW1# conf t

SW1(config)# interface range fa0/1 - 6

SW1(config-if-range)# no shut

SW1(config-if-range)#end

SW1#

Step 5: Create Vlan 10, Vlan 20, Vlan 30

SW1#conf t

SW1(config)# vlan 10,20,30

SW1(config-vlan)# exit



SW1(config-if-range)# switchport access vlan 10

SW1(config-if-range)# exit













SW1(config-vlan)# name DATA_10












View the Vlan database

End of Vlan Challenge lab: Erase your SW1 nvram and reload the switch before moving onto the

next section.

SW1# erase startup-config


[OK]


SW1# reload



Lab 7: Managing Trunk links between Cisco Switches

Load template: Section 2 – Trunks

Step 1: Load the network template named “SECTION2 – TRUNKS” into the network simulator

Figure: 2.41

Both SW1 and SW2 ought to be in their default states if not please erase the NVRAM and reload the

switches:

SW# erase startup-up

SW# reload

When SW1 and SW2 reload enter the following housekeeping commands.

Apply the basic housing keeping (Copy these commands into Notepad so you can paste them into

the command prompt when you are asked to enter the housekeeping commands

switch# conf t

switch(config)# line con 0

switch(config-line)# exec-timeout 0 0

switch(config-line)# logging sync

switch(config-line)# exit

switch(config)# host SW1

SWX(config)# no ip domain-lookup

SWX(config)# end

SWX# copy run start



In Lab 6 you will configure SW1 and SW2 to connect to each other and pass data between PC A and

PC_B.

In this task you see how vlan 1 traffic is carried across a trunk link connecting two switches together

PC_B is now connected to SW2 using PC_B Fa0 interface as per Topology 1-6.

192.168.1.10/24 192.168.1.20/24

PC A PC B

SW_1Trunk

Fa0/1 Fa0/2

Topology 1- 6

Vlan 1

Fa0/24 Fa0/24 SW_2

Fa0Fa0

Figure: 2.42

From PC_A bring up the command prompt and issue a ping to PC_B and vice versa.

NOTE: It is possible that one or possibly 2 pings may timeout, this is due to the ARP’ing process. If

you execute the same ping once more you will find that all pings are successful

Figure: 2.43 These pings ought to be successful.



The traffic is delivered due to both PC’s being in the same vlan on both switches, the trunk link

connecting the two switches together will carry the traffic to and from vlan 1 without any further

configuration.

Step 2: Cisco Dynamic Trunking Protocol (DTP) can be set in one of two modes “Dynamic Desirable”

or “Dynamic Auto”. The switches in your lab may have the DTP mode set to “Dynamic Auto”, so that a

trunk link is established between SW1 and SW2 at least one side of the link must be set to “Dynamic

Desirable” Set and verify the configuration of the trunk link on SW1 run the following commands.

NOTE: Focus on the details being referred to, do not worry about any of the other details in the output

below

SW1(config)# int fa0/24

SW1(config-if)# switchport mode dynamic desirable

SW1(config-if)# end

SW1# show inter trunk Vlan 1 is the native vlan Port Mode Encapsulation Status Native vlan Fa0/24 desirable n-802.1q trunking 1 Port Vlans allowed on trunk Fa0/24 1-4094 <- All vlans are carried across the trunk link

================output omitted for brevity=======================

The two PC’s are able to communicate across the trunk link since both sides of the trunk link are

configured to carry vlan 1 traffic by default.



The IEEE 802.1Q standard defines the vlan traffic that is carried across the 802.1Q trunk without the

need of any identifier traffic as the “Native Vlan”. Any vlan can be defined as the native vlan provided

the same native vlan number is chosen on both sides of the trunk link.



Cisco have their own proprietary frame encapsulation method called ISL (Inter Switch Link) all frames

carried across the trunk from all vlans including Vlan 1 are encapsulated with a header and a tail.



Lab 8: Configuring trunking mode using “Dynamic Desirable & Auto”

Continue from Lab 7

When two switches are linked together those ports that connect the switches need to be configured

as “trunk” links.

Trunk links are used to carry traffic from multiple vlans, if the ports are not manually configured as

trunks they may dynamically auto configure as trunks.

Even though trunk links may configure automatically as trunks it is always good practice manually set

these links to be static “trunks” and to disable any dynamic negotiation. (DTP)

NOTE: If you do not to configure the trunk links as “static trunks” then the two switch ports will

attempt use the Cisco proprietary protocol called “DTP” (Dynamic trunking protocol) to dynamically

create the trunk.

In this Lab you will investigate DTP in Dynamic Desirable Mode Step 1: When faulting finding it is always advisable to understand how the interfaces are setup. To

find out how the interfaces haVe been set up use the following command “show interface fa0/x

switchport” where x is the interface number.SW1 and SW2 are connected using Fa0/24.

SW1# show interfaces fastEthernet 0/24 switchport

Name: Fa0/24

Switchport: Enabled

Administrative Mode: dynamic “AUTO/DESIRABLE”

Operational Mode: trunk


Operational Trunking Encapsulation: isl <-Encapsulation Choosen


Access Mode VLAN: 1 (default)




Step 2: in this step you will configure SW2 Fa0/24 to be “Dynamic Auto”. In Dynamic Auto state the

interface will only agree to form a trunk if receives a DTP frame from the other side, so you can say

that Dynamic Auto is “Passive”



On SW2 configure Fa0/24 to be Dynamic Auto

SW2# conf t


SW2(config-if)# switchport mode dynamic auto

SW2(config-if)# end

Step 3: Verify the configuration on SW2. This interface is now Dynamic Auto, meaning it is in passive

mode. It will only negociate if it receives a DTP from Dynamic desirable interface

SW2# show inter fas 0/24 switchport

Name: Fa0/24

Switchport: Enabled

Administrative Mode: dynamic auto

Operational Mode: trunk


Operational Trunking Encapsulation: isl




Administrative Native VLAN tagging: enabled

Voice VLAN: none



Step 4: In this step you will set both sides to “Dynamic Auto”, the result will be that neither interface

will initiate the negociatation to form a trunk, this will result in both sides becoming “Static Access”

Set SW1 Fa0/24 to Dynamic Auto then view the interface status.

SW1# conf t

SW1(config)# inter fas 0/24


SW1(config-if)# end

Now verify the state of Fa0/24 on SW1 and SW2, do you recall the command to view the interface

settings?

SW1# what is the command to view this output?

Name: Fa0/24

Switchport: Enabled


Operational Mode: static access <- now changed to static access





And SW2, once again what is the command to view the output of the interface settings

SW2# what is the command to view this output?

Name: Fa0/24

Switchport: Enabled


Operational Mode: static access <- has now changed to static access port






If right now you were to ping from PC A to PC B the pings would still work due to the fact that the two

Fa0/24 ports failed to negociate to become trunks and instead became static access ports. Static

access ports will unless modified will be members of default native vlan which is Vlan 1.



Dynamic Desirable and End-User devices If you plug end-user devices into a switchport that is configured as a dynamic Desirable port then the

Dynamic Desirable port will attempt to negociate with the end-user devices, it does not know any

better. Since typically the end user devices have no idea what DTP is they ignore the request to

become a trunk and subsequently the Dynamic Desirable port will settle to become a static access

interface.

JOE SAYS: It is not advisable to leave the ports which will be used to connect to end users as

either Dynamic Desirable or even Dynamic Auto



Lab 9: Configuring Trunking Mode “Trunk”

Continue from Lab 8

As we already know Trunk links are used to carry traffic between switches, as the frames are sent

from one switch to another they will be marked based on their vlan membership.

Even though trunk links may configure automatically as trunks using DTP it is always good practice

manually set these links to be static “trunks” and to disable any dynamic negotiation. (DTP)

REMINDER: If you do not to configure the trunk links as “static trunks” then the two switch ports will

attempt use the Cisco proprietary protocol called “DTP” (Dynamic trunking protocol) to dynamically

create the trunk.

Complete the following steps to configure the uplink between your two switches to trunking mode and

to disable DTP:

Step 1: Configure Fastethernet 0/24 ports on both of your SW_1 and SW_2 to static trunk mode,

some switches only support the 802.1Q vlan tagging method and therefore do not require an

additional command to set the encapsulation command which on some switches needs to be done for

example SW_1 and SW_2 support ISL and 802.1q and therefore will negotiate which encapsulation

to use

NOTE: The “switchport trunk encap dot1q” command is only required if your switch supports both

802.1Q tagging and ISL encapsulation.



SW1(config-if)# switchport trunk encap dot1q

SW1(config-if)# switchport mode trunk

SW1(config-if)# switchport nonegotiate



And on SW2 …






Step 2: View the state of your trunk link on SW_2. Since you typed “Switchport mode trunk” the

interface mode is now showing “on

SW_2# show inter trunk Port Mode Encapsulation Status Native vlan Fa0/24 on 802.1q trunking 1 Port Vlans allowed on trunk Fa0/24 1-4094

============Output omitted for Brevity================



Lab 10: Native VLAN

Continue from Lab 9 The Native Vlan on the trunk link is a legacy concept. Back in the old days is was not uncommon to

connect switches together via a hub during migrations i.e changing from a totally hub enabled

network to an entrirly switch based network.

Im the diagram below the two switches are connected via a hub, the P.C’s connected to the Hub will

send their frame as normal, the Hub will receive the frames and flood them out of all ports, but the

hub cannot mark the frames with any type of Vlan identifier therefore when the frames arrive at the

switchports without any Vlan Id the switch port will have to decide which vlan to put the frames into.

This is where the “Native Vlan” comes into play. All unmarked frames will go into the “Native Vlan”.

The concept of the Native Vlan on a trunk interface is 802.1Q only.



The native vlan ought to set the same on both sides of the trunk link. You will know if there is a native

vlan mismatch as the switches will log a console message on your console screen.

By default, an 802.1Q trunk uses VLAN 1 as the native VLAN. In the case of an ISL trunk, using this

command has no effect because ISL doesn’t support an untagged VLAN, on an ISL trunk all frame

from all vlans are encapsulated.

Expected Result: In this step you change the Native vlan on Fa0/24 whilst sending traffic from PC_A

to PC_B. When the native vlan is changed from 1 to 100 the traffic will fail.

Step 1: Go to SW_1 and change the default Native Vlan from 1 to 100 then send from PC_A pings to

PC_B do your pings fail?

NOTE: SW_2 will start complaining about a native Vlan mismatch. You may have to wait 60sec

before you receive this message on the console

SW1(config)# int fas 0/24

SW1(config-if)# switchport trunk native vlan 100



The console message alerting you to the fact that the native vlan’s on either side of the trunk link are

not the same. Check the pings on PC_A they ought to have failed. Pings are not leaving SW1.

Step 2: Reset the Native Vlan back to vlan 1 on switch 1

SW1(config-if)# switchport trunk native vlan 1

Your pings ought to now be restored between your PCs after around a 30 sec delay. Remember that

at the moment both PC_A and PC_B are connected to ports that are members of Vlan 1. The Native

Vlan on both trunk interfaces is Vlan 1. To view the Native Vlan of a trunk run the following command:

SW2#show inter trunk Port Mode Encapsulation Status Native vlan Fa0/24 on 802.1q trunking 1 Port Vlans allowed on trunk Fa0/24 1-4094 ============Output omitted for Brevity================



Lab 11: Controlling VLANs across the trunk links

Continue from Lab 10

In this lab you will see how you can control which vlans are allowed across a trunk link by excluding

them from the allowed list on one side or both sides.

192.168.1.10/24 192.168.1.20/24

PC A PC B

SW_1Trunk

Fa0/1 Fa0/2

Topology 3

Vlan 1

Fa0/24 Fa0/24 SW_2

Fa0Fa0

Figure: 2.55

It is possible to control exactly which vlans are allowed to be carried across your trunk link by using

the command, “switchport trunk allowed vlan”, this command allows you to defines which VLANs

can be trunked over the link. By default, a switch transports all active VLANs (1 to 4094) over a trunk

link.

You can tailor the list of allowed VLANs on the trunk by using the switchport trunk allowed vlan

command with one of the following:



a. switchport trunk allowed vlan vlan-list = This permits you to draw up a list of VLAN

numbers, separated by commas or dashes. i.e switchport trunk allowed vlan 1- 20 will allow

vlan only vlans 1 through to 20 across the trunk link

b. switchport trunk allowed vlan all = All active VLANs (1 to 4094) will be allowed across the

trunk link, although bear in mind the command ought to be repeated on both sides of the link.

c. switchport trunk allowed vlan add vlan-list = it is possible to add to a list of VLAN numbers

of the current vlan list. i.e switchport trunk allowed vlan add 6,10,14 will add vlans 6,10 an

14 to the allowed vlans list on the trunk link.

d. switchport trunk allowed vlan except vlan-list = by default all VLANs (1 to 4094) are allowed

over a trunk link, you can remove vlans from the allowed list by using the command. i.e

switchport trunk allowed vlan except 9-14 will allow vlans expect 9 through to 14 in the

allowed vlans list on the trunk link. This command only needs to executed on one side for it to

have effect although it is good practice to perform the command on both sides of the trunk.

e. switchport trunk allowed vlan remove vlan-list—A list of VLAN numbers will be removed

from the already configured list. i.e switchport trunk allowed vlan remove 20-30 will remove

vlans 20 through to 30 from the allowed vlans list on the trunk link.

Step 1: Configuring the Trunks to exclude vlan 100 traffic.

Create vlan 100 and place both of your PCs into this new vlan 100, once this is done test

connectively by pinging between the two devices, i.e pings will be successful.

NOTE: It may take up to 30 secs for the connection to be restored

On Switch 1




SW1(config-if)# what command assigns vlan 100 to this interface?



and…

On Switch 2




SW2(config-if)# what command assigns vlan 100 to this interface?

NOTE: An active VLAN is one that has been defined on the switch and has ports assigned to carry it.

Step 2: Next on SW2 you will configure the trunk link on port Fastethernet 0/24 to prevent traffic for

vlan 100 going across the link.

Expected Result: Pings between PC_A and PC_B will fail.


SW2(config-if)# switchport trunk allowed vlan except 100



Trunk links will by default carry all vlans, in the digram above what we have configured is for a trunk

link to reject all ingress (And Egress) frames labelled as vlan 100.

Step 3: Run the command to verify which vlans are being carried across the trunk link, you should

see that vlan 100 is not included in the list of vlans that are allowed across the trunk link.

SW_2#show inter trunk Port Mode Encapsulation Status Native vlan Fa0/24 on 802.1q trunking 1 Port Vlans allowed on trunk Fa0/24 1-99,101-4094 <- Vlan 100 is not in the list to be carried across the trunk link

Port Vlans allowed and active in management domain Fa0/24 1 Port Vlans in spanning tree forwarding state and not pruned Fa0/24 1

Step 4: View the pings on your PC’s. the Pings ought to be failing due to the traffic to and from Vlan

100 being dropped by SW_2 on port fastethernet 0/24

Why would you do this?, there might be times when the trunk link should not carry all VLANs. For

example, broadcasts are forwarded to every switch port on a VLAN—including the trunk link because

it, too, is a member of the VLAN.

NOTE: If the VLAN does not extend past the far end of the trunk link then propagating broadcasts

across the trunk makes no sense.



Step 5: Restore vlan 100 connectivity across the trunk links in SW1 and SW2.

The following series of commands with potentially break connectivity therefore use with caution in a

production network.


SW1(config-if)# switchport trunk allowed vlan 100

And


SW2(config-if)# switchport trunk allowed vlan 100

Once you have executed these commands the pings ought to have been restored, but there is a

problem with this command.

WARNING:: The command “switchport trunk allowed vlan 100” has expressly configured the trunk

that it will only carry vlan 100 and only vlan 100, the trunk link will not carry any other vlan traffic.

NOTE: It is best that the commands are issued on both sides of the link or traffic will be carried

across a trunk link only to be discarded



Run the “show inter trunk” command again on SW_2

SW2#show inter trunk Port Mode Encapsulation Status Native vlan Fa0/24 on 802.1q trunking 1 Port Vlans allowed on trunk Fa0/24 100 <- Vlan 100 is the only vlan to be carried across the trunk link Port Vlans allowed and active in management domain Fa0/24 100

==================output omitted for brevity============

Step 6: To prove that the trunk link in the current state will not carry any other vlan traffic you will

create vlan 200 and then place both PC’s into vlan 200 and see if the pings are successful across the

trunk link.

Expected Resutls: Pings between PC_A and PC_B will fail. That traffic will not be carried across the

trunk. Examine Topology 4 on the next page to see a visualisation of this.






And…








192.168.1.10/24 192.168.1.20/24

PC A PC B

SW_1 SW_2Trunk

Fa0/1

Fa0

Topology 4

Vlan 200

Fa0/24 Fa0/24

Vlan 100

Vla

n 2

00

Fa0

Fa0/2

Figure: 2.58

In the topology 4 diagram you can visualise that vlan 200 “pipe” is broken across the trunk link but the

vlan 100 “pipe” is still functioning although there are currently no members of vlan 100.

Now verify the pings on your PC’s; are they successful or are they failing, they ought to be failing due

to the trunk link only carrying vlan 100.

Vlan 200 is broken across the trunk link



Step 7: To fix this connectivity issue on SW1 and SW2 by allowing vlan 200 across the trunk link

along with vlan 100, this is done by using the “add” key word in the instruction to add vlan 200 to the

existing list of allowed vlans; if you omit the “add” key word you are instructing the trunk link to only

carry vlan 200

SW1(config)# interface fastEthernet 0/24

SW1(config-if)# switchport trunk allowed vlan add 200

And…

SW2(config)# interface fastEthernet 0/24

SW2(config-if)# switchport trunk allowed vlan add 200

Now verify the pings on your PC’s are they successful?, they ought to be due to the trunk link now

carrying vlan 200 traffic along with Vlan 100 traffic.

192.168.1.10/24 192.168.1.20/24

PC A PC B

SW_1 SW_2Trunk

Fa0/1 Fa0/2

Topology 5

Vlan 200

Fa0/24 Fa0/24Vlan 100

Fa0/1Fa0/0

Figure: 2.60



Verify your trunk link on Switch 2 by running the “show inter trunk” command again on SW_2

SW_2# show inter trunk Port Mode Encapsulation Status Native vlan Fa0/24 on 802.1q trunking 1 Port Vlans allowed on trunk

Fa0/24 100, 200 <- Vlan 100 & 200 are the only vlans to be carried over the trunk link

Port Vlans allowed and active in management domain

Fa0/24 100, 200

==================output omitted for brevity=============

Step 9: Restore full connectivity to the trunk links on both sides and verify

SW(config)# interface fastEthernet 0/24

SW(config-if)# switchport trunk allowed vlan all

SW(config-if)# end

SW# show inter trunk Port Mode Encapsulation Status Native vlan Fa0/24 on 802.1q trunking 1 Port Vlans allowed on trunk

Fa0/24 1-4094 <- Now all vlan’s are allowed across the trunk link

Port Vlans allowed and active in management domain

Fa0/24 1,100,200 <- Vlan 1, 100 and vlan 200 are the only vlan on the switch

==================output omitted for brevity=============

End of Lab 11



Lab 12: Trunk Modes

Load Network Template: Section2 - TRUNKS

NOTE: Before you continue with this part please erase start, delete the vlan.dat and reload

both switches

SW_x# erase startup-config


[OK]


SW_x# delete vlan.dat



SW_x# reload



When the switches come back on-line do the following on SW_1

Switch> en

Switch# conf t



Switch(config-line)# logg sync HOUSE KEEPING


Switch(config-line)# exit


SW1(config)# Exit



Step 2: NOTE: If the range command is not supported on your equipment you will have to manually

disable each port individually. Also note that there are space either side of the hyphen separating the

port numbers.

1. Fa0/1 Leads to R1 = ACCESS LINK


SW1 # config t

SW1 (config)# interface range fastethernet 0/1 - 24

SW1(config-if-range)# shut < Shut down all ports




SW1(config-if)# description TO_R1


SW1(config)# int fa0/24 <-Trunk link



SW1(config-if)# description TO_SW2

SW1(config-if)# end

SW1# wri mem



Step 3: Configuring SW2 Port Status. It is now important to build the correct topology by only

enabling the ports which has R2 connected and Fa0/24

NOTE: If the range command is not supported on your equipment you will have to manually disable

each port individually. Also note that there are space either side of the hyphen separating the port

numbers.

1. Fa0/2 Leads to R2 = ACCESS LINK


Switch> en

Switch# conf t



Switch(config-line)# logg sync HOUSE KEEPING


Switch(config-line)# exit


SW2(config)# exit

SW2 (config)# interface range fastethernet 0/1 - 24

SW2(config-if-range)# shut




SW2(config-if)# description TO_R2


SW2(config)# int fa0/24 < Trunk Link



SW2(config-if)# description TO_SW1

SW2(config-if)# end



On a Cisco switch using the switchport mode command, you can set the trunking mode to any of

the following:

■ trunk = This setting places the port in permanent trunking mode.

It is important to understand that DTP is still operational, so if the far-end switch port is configured to

either trunk, dynamic desirable, or dynamic auto mode, trunking will still be negotiated successfully.

■ dynamic desirable = The port will actively attempt to negotiate the link into a trunk, it “requests”

the far-end port to bring up a trunk. If the far-end port is configured to trunk, dynamic desirable, or

dynamic auto mode, trunking is negotiated successfully.

■ dynamic auto = The port can be converted into a trunk link, but only if the far-end port actively

requests it, if the far-end port is configured to trunk or dynamic desirable mode, trunking is negotiated.

Dynamic Auto is passive, and due to this passive behaviour, the link never becomes a trunk if both

ends of the link are left to the dynamic auto default.



Step 1: In this part of the lab you will see what happens when mis-configure trunk mode settings.

192.168.1.10/24 192.168.1.20/24

PC A PC B

SW_1 SW_2

Trunk

MODE: Desirable

Negotiation: ON

Fa0/1 Fa0/2

Topology 6

Vlan 200

Fa0/24 Fa0/24

Vla

n 2

00

Trunk

MODE: Trunk

Negotiation: OFF

Fa0 Fa0

Figure: 2.61

Step 2: Create vlan 200 on SW1 and SW2 and associate Fastethernet 0/1 on SW_1 to vlan 200 and

Fastethernet 0/2 on SW_2 to vlan 200. Once you have done this set up a continuous ping from one

PC to the other and keep it running. We will use the same ip addresses on the PC’s from the previous

part of this lab



SW1(config)# inter fastethernet 0/1


SW1(config-if)# spanning-tree portfast <-Brings port up quickly, no spanning tree delay

And…



SW2(config)# inter fastethernet 0/2


SW2(config-if)# spanning-tree portfast



Step 3: Verify the state of the trunk link on SW1, a very good command to do this is the “show inter

fas 0/24 switchport”

SW1# show inter fas 0/24 switchport

Name: Fa0/24

Switchport: Enabled


Operational Mode: trunk <-if this says down means no cable is inserted in the port

Administrative Trunking Encapsulation: dot1q

Operational Trunking Encapsulation: dot1q




=================output omitted for brevity==============

Step 4: On SW1 you will make Fa0/24 the trunk link into a static trunk and turn off DTP. The

command to turn DTP off is “switchport nonegotiate”

SW1# conf t

SW1(config)# inter fast 0/24




SW1(config-if)# end



Step 5: Verify the trunk status on SW2, it ought to see be showing as a trunk link and your pings

should still be successful even though you set the other side not to negotiate

SW2# show interface fastEthernet 0/24 switchport

Name: Fa0/24

Switchport: Enabled


Operational Mode: trunk <- Still showing trunk link


Operational Trunking Encapsulation: dot1q




Voice VLAN: none

If you leave port Fastethernet 0/24 long enough, say around 5mins and run the “show interface

fastEthernet 0/24 switchport” command once again you ought to see the following below and your

pings will fail. Or you alternatively you can simply shut and unshut port Fa0/24.

SW2# show interface fastEthernet 0/24 switchport

Name: Fa0/24

Switchport: Enabled


Operational Mode: static access <-Now showing as a static access link






Voice VLAN: none



Step 6: Restore connectivity between the two switches by making SW2 port fastethernet 0/24 a static

trunk with no negotiation.

SW2# conf t

SW2(config)# int fas 0/24




SW2(config-if)# end

Verify the trunk status on SW2, it ought to see be showing as a trunk link and your pings should still

be successful

Conclusion: Dynamic Trunking Protocol is on all Cisco switch ports on most models of Cisco

Switches. If it is turned off the interface will not be able to negotiate the mode that it may need to

operate in and will settle as a “static access” mode, this is not a good setup for links between

switches. If you do decide to statically configure your trunk links and turn DTP off then it must be

done on both sides of the link.

Question 1: What is the administrative mode of FastEthernet 0/24 Answer 1: The administrative mode ought to be “trunking”. The link was statically configured to this

mode.

Question 2: What is the trunking encapsulation of fastethernet 0/24

Answer 2: The encapsulation on the trunk ought to be 802.1Q Question 3: For which VLANs is FastEthernet 0/24 trunking for? Answer 3: Fastethernet 0/24 are trunks and therefore will carry all vlans



Lab 13: Setting up the management interfaces

Continue from lab 12

Video Lecture: LAN Switch - Management VLAN

All switches will need configuration, and in some cases you may need to configure the switch

remotely via telnet or SSH, to do this the switch will need an IP address.

It is normal to assign the management IP address on a virtual interface inside the switch known as

“Interface vlan 1”

This virtual “interface vlan 1” is referred to as the management interface and is used by network

administrators as the interface on which they place the IP address that will be used to manage the

switch via a remote IP session such as Telnet or SSH.

NOTE: The difference between saying “vlan 1” and “interface vlan 1” is that “vlan 1” refers to the

layer 2 entity and that “interface vlan 1” refers to the layer 3 entity

WARNING: On Layer 2 switches there can only ever be one active layer 3 interface at any one time.



Step 1: To view the current state of the management interface on SW_1 run the show run command

and scroll to the bottom of the output

SW1# sho run


!

===output omitted for brevity===

!

interface Vlan1

no ip address <-No IP address on the management interface

no ip route-cache

shutdown

Step 2: Another command you can run to view the state of your interface, physical and logical is the

“show ip interface brief” command

Interface vlan 1 does not have an IP address and is administratively down, which means it is shut

down

SW1#show ip int brief

Interface IP-Address OK? Method Status Protocol

Vlan1<No IP & Down>unassigned YES NVRAM administratively down down

FastEthernet0/1 unassigned YES unset down down





===========output omitted for brevity============



Step 3: In this step you will default all of the interfaces on both switches to return them back to be

members of vlan 1

SW1# conf t


SW1(config-if-range)# switchport mode access


And….

SW2# conf t


SW2(config-if-range)# switchport mode access


Step 4: In this step you will assign an IP address to Interface Vlan 1 on SW1


SW1(config)# interface vlan 1

SW1(config-if)# ip address 192.168.1.100 255.255.255.0


SW1(config-if)# end

SW1# Message below indicates that the interfaces is coming up live 01:06:44: %LINK-3-UPDOWN: Interface Vlan1, changed state to up

01:06:45: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan1, changed state to up

SW1# ping 192.168.1.100 <- Now from the SW1 ping itself to test Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 192.168.1.100, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 1/201/1000 ms



Step 5: In this step you will assign a password to the enable prompt and to the vty (Virtual Teletype)

interfaces so that you can telnet to SW_1 from either laptop.

SW1# conf t

SW1(config)# enable secret cisco

SW1(config)# line vty 0 15

SW1(config-line)# password cisco

SW1(config-line)# login

SW1(config-line)# exit

NOTE: The above commands can be used to configure telnet access on your switches and routers

Step 6: Now from your PC_B:

1. Telnet to IP address: 192.168.1.100

2. Enter the vty password: cisco

3. Enter the enable secret: cisco

Figure: 2.63



OPTIONAL PART – YOU MAY PROCEED TO VTP

Lab 14: Creating Conflicting Management interfaces on SW1

In this step you will configure your SW1 with another new additional layer 3 interface to prove that

only one Layer 3 management interface is allowed to be active at any particular instance on a Layer 2

switch

When you create this new Layer 3 management interface on a layer 2 switch it will assume that you

want to use this new layer 3 interface as your management interface.

When your Layer 2 switch sees this new Layer 3 management interface go live due to the no shut

command being issued it will go ahead and shut the existing management interface which in our case

in this current lab is Interface vlan 1

When your Layer 2 switch shuts the management interface down to which you may have been

connected to you will obviously be cut off, this is not good!

Step 5: On SW1 create two new elements. Firstly create a new layer 2 vlan and then create the new

layer 3 management interface that you will make live. The reason that you have to create a

corresponding layer 2 vlan is so that the Layer 3 management interface vlan can go into the up/up

state otherwise it will remain in the up/down state.

SW_1# configure terminal

SW_1(config)# vlan 300 <-Layer 2

SW_1(config-vlan)# exit

SW_1(config)# interface vlan 300 <-Layer 3


SW_1(config-if)# end



Notice how that creating a new L_3 interface on the L_2 switch caused the original L_3 interface to

shut down

%LINK-5-CHANGED: Interface Vlan300, changed state to up

%LINK-5-CHANGED: Interface Vlan1, changed state to administratively down

%LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan1, changed state to down

%LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan300, changed state to up

Step 6: Now try to ping the address 192.168.x.1x from either PC’s, if you recall both PC’s are still in

vlan 1, this was the address which was assigned to Interface vlan 1, the pings ought to fail.

Notice how Interface Vlan 300 on SW_1 in the diagram below is now isolated and unreachable from

devices in Vlan 1

192.168.1.10/24 192.168.1.20/24

PC A PC B

SW_1 SW_2

Fa0/1 Fa0/1

Topology 8

Vlan 1

Fa0/24 Fa0/24

Vla

n 1

Interface Vlan 1Interface Vlan 300

Ip address 192.168.1.100

PC B Is a Router Configured

to Behave as a Host

Figure: 2.64

The reason that the pings from either PC to the SW1 address of 192.168.1.100 are failing is that

when you made Interface Vlan 300 live on the switch it will logically take the IP address from currently

active management which in this case was Interface Vlan 1 and places it against Interface Vlan 300.



The PC is in Vlan 1 and the IP address on Vlan 300, they are in two different separate broadcast

domains with no routing between them, refer to Topology 8 diagram.

Step 7: Enter the command “show run” right at the end of the output you will see the following output

Interface vlan 1 is in the shutdown state and is without it’s original IP address, and that Interface vlan

300 is now live and that it has taken the ip address from interface vlan 1

interface Vlan1

no ip address

shutdown

interface Vlan300

ip address 192.168.1.100 255.255.255.0

Step 8: In this step you will restore Interface Vlan 1 as the management interface by firstly deleting

vlan 300 and deleting interface vlan 300.

SW_1# configure terminal

SW_1(config)# no vlan 300

SW_1(config)# no interface vlan 300

SW_1(config)# interface vlan 1

SW_1(config-if)# ip address 192.168.1.100 255.255.255.0


Conclusion: A layer 2 switch can only have one and only one active Layer 3 management interface

which is commonly Interface vlan 1.

A common mistake for students to make is that when creating a layer 2 user vlan they create a

corresponding Layer 3 interface vlan. Do not do this!



End of Section Knowledge Check Questions

1. Which command is used to assign a static MAC address to an interface on a Cisco switch?

a. Switch# mac-address-table static 0000.1111.1111 interface fa0/1

b. Switch# mac-address-table static 0000.1111.1111 vlan 10 interface fa0/1

c. Switch# mac-address-table static 0000.1111.1111 interface fa0/1 vlan 10

d. Switch# mac-address-table 0000.1111.1111 vlan 10 interface fa0/1 static

2. Which command sequences can be used to create a trunk link. Choose 2

a.


SW1(config-if)# switchport mode desirable

and


SW2(config-if)# switchport mode desirable

b.



and



c.



and





d.


SW1(config-if)# switchport dynamic desirable

and


SW2(config-if)# switchport dynamic desirable

3. What is the purpose of this command:

“SW1(config-if)# switchport trunk allowed vlan except 10”

a. Allows only VLAN 10 across the trunk link

b. Allows all VLANs except VLAN 10 across the trunk link

c. Allows all VLANs across the trunk link since all VLANs are allowed across the trunk link

d. Command is incorrect

4. The command sequence below disables DTP on a trunk interface, True or False



a. True

b. False



5. When viewing the output of the command “show vlan brief” what does “act/unsup” mean

a. VLAN is not associated to any interface

b. VLAN is not associated to any interface

c. VLAN is associated to an interface which is shutdown

d. Media type is not supported by the switch

6. Which command would you use to view if an interface has become a trunk link? Choose 2.

a. SW1# show interface trunk

b. SW1# show trunk interface

c. SW1# show interface fa0/1 switchport

d. SW1# show switchport trunk

7. Which single command will disable DTP on an access link?

a. SW1(config)# interface fa0/1


b. SW1(config)# interface fa0/1

SW1(config-if)# switchport mode access

c. SW1(config)# interface fa0/1


d. SW1(config)# interface fa0/1

SW1(config-if)# switchport access mode



7. Which command would you use to view if an interface has become a trunk link? Choose 2.

a. SW1# show interface trunk

b. SW1# show trunk interface

c. SW1# show interface fa0/1 switchport

d. SW1# show switchport trunk

8. Which command sequence would you use to create a static trunk link and disable DTP?

a. SW1(config)# interface fa0/1


SW1(config-if)# no switchport mode desirable

SW1(config-if)# switchport trunk encapsulation dot1q

b. SW1(config)# interface fa0/1




c. SW1(config)# interface fa0/1




d. SW1(config)# interface fa0/1






9. By default frame from which VLAN are allowed to traverse the trunk link untagged.

a. None

b. All

c. Management

d. Native VLAN



End of Section Knowledge Check Answers

1. Which command is used to assign a static MAC address to an interface on a Cisco switch?

B. Switch# mac-address-table static 0000.1111.1111 vlan 10 interface fa0/1

2. Which command sequences can be used to create a trunk link? Choose 2

B.



and



C.



and



3. What is the purpose of this command:

“SW1(config-if)# switchport trunk allowed vlan except 10”

B. Allows all VLANs except VLAN 10 across the trunk link



4. The command sequence below disables DTP on a trunk interface? True or False



B. False

5. When viewing the output of the command “show vlan brief” what does “act/unsup” mean

D. Media type is not supported by the switch

6. Which command would you use to view if an interface has become a trunk link? Choose 2

A. SW1# show interface trunk

C. SW1# show interface fa0/1 switchport

7. Which single command will disable DTP on an access link.

B. SW1(config)# interface fa0/1

SW1(config-if)# switchport mode access

8. Which command sequence would you use to create a static trunk link and disable DTP?

C. SW1(config)# interface fa0/1






9. By default frame from which VLANs are allowed to traverse the trunk link untagged.

D. Native VLAN

ccna routing & switching 200-125 · the following publication: ccna 200-125 lab workbook series...

Documents