
NETSIM FOR CCNA LAB MANUAL

Lab Primer
Lesson 1: Introduction to the Cisco Router
Command-Line Interface
Modes
User Mode vs. Privileged Mode

User mode is indicated by the > prompt next to the router name. In user mode, you can look at some of the
router's settings. In privileged mode (indicated by the # prompt), you can use the different show commands to
display all of the router's settings.
Router>
Router>enable
Router#

The Enable and Enable Secret Passwords

You can set an enable password to control access to privileged mode. This is a very important password because,
when it is configured, only those who know the password can make configuration changes in privileged mode. To
set the enable password, you must first enter configuration mode by using the configure terminal command at
the privileged mode prompt.
Router>
Router>enable
Router#config term
Router(config)#enable password boson
You can securely encrypt an enable password by using the enable secret command.
Router(config)#enable secret cisco
The enable secret command defines the enable secret password used to protect access to privileged commands.
The password is case-sensitive. A password set with the enable password command is stored as clear text,
whereas a password set with the enable secret command is encrypted. For security purposes, configuring the
router with an enable secret password is preferred. The enable secret password always takes precedence if both
the enable secret password and the enable password are set.

Configuration Mode

From privileged mode, you can enter configuration mode by using the configure terminal command. To exit configuration mode, type the end command or press the CTRL+Z key combination.
Router#config t
Router(config)#end
Router#

Boson NetSim for CCNA Lab Manual


Accessing Help

To view all commands available from a mode, type ?; you do not have to press the ENTER key after typing the
question mark. This will display a list of all available commands in the current mode. You can also use the
question mark after you have started typing a command. For example, if you want to see all commands that can
be used with the show command, type show ? at the # prompt.
Router#show ?
access-expression  List access expression
access-lists       List access lists
backup             Backup status
cdp                CDP information
clock              Display the system clock
cls                DLC user information
compress           Show compression statistics
configuration      Contents of Non-Volatile memory
--More--

The Host Name


The router's host name is used for local identification. When you log on to the router, you see the host name. The
host name is also visible via Cisco Discovery Protocol (CDP). However, the host name is not used for TCP/IP address resolution. The following code demonstrates how to set the host name of a router or switch.
Router>
Router>enable
Router#conf t
Router(config)#hostname Router1
Router1(config)#

Running Configuration
The currently active configuration script running on the router is referred to as the running-config in the router's
command-line interface (CLI). Note that privileged mode is required to display the running configuration. The
running configuration script is not automatically saved on a Cisco router and will be lost in the event of a power
failure. The running configuration must be manually saved with the copy running-config startup-config command.
The following is an example of the type of output you will see when you run the show running-config command.
Router>
Router>enable
Router#show running-config
Building configuration...
Current configuration:
!
version 12.0
!
hostname Router
!
interface Serial0
no ip address
shutdown
!
interface BRI0
no ip address
shutdown
!
interface Ethernet0
no ip address
shutdown
!
line con 0
line aux 0
line vty 0 4
!
end
Router#
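Two points from this primer are worth checking mechanically on any saved configuration: whether privileged mode is guarded by an enable secret rather than a clear-text enable password (Lesson 1), and which interfaces in the running-config are administratively shut down. The following Python is an added example, not code from the Boson manual or from Cisco; it parses a constructed running-config modelled on the output above (with enable lines and a placeholder secret added so there is something to report) and returns the findings.

```python
import re

# Constructed sample: the kind of show running-config output shown above, with
# an "enable secret" and an "enable password" line added so the audit has
# something to report. The secret is a placeholder, not a real hash, and
# Ethernet0 is left active so the shutdown check sees both cases.
SAMPLE_RUNNING_CONFIG = """\
Building configuration...
Current configuration:
!
version 12.0
!
hostname Router
!
enable secret 5 $1$PLACEHOLDER$notarealhashxxxxxxxxxxx
enable password boson
!
interface Serial0
 no ip address
 shutdown
!
interface BRI0
 no ip address
 shutdown
!
interface Ethernet0
 ip address 10.1.1.1 255.255.255.0
!
line con 0
line aux 0
line vty 0 4
!
end
"""


def parse_running_config(text):
    """Split running-config text into global lines and per-interface stanzas.

    Returns (global_lines, interfaces); interfaces maps an interface name to
    the stripped sub-commands indented beneath its "interface ..." line.
    A "!" line or an unindented line closes the current stanza.
    """
    global_lines = []
    interfaces = {}
    current = None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            current = None
            continue
        if raw.startswith("interface "):
            current = raw.split(None, 1)[1].strip()
            interfaces[current] = []
        elif current is not None and raw.startswith(" "):
            interfaces[current].append(raw.strip())
        else:
            current = None
            global_lines.append(raw.strip())
    return global_lines, interfaces


def audit_enable_passwords(global_lines):
    """Findings about the privileged-mode password lines (Lesson 1)."""
    has_secret = any(re.match(r"enable secret\b", line) for line in global_lines)
    cleartext = [line for line in global_lines if re.match(r"enable password\b", line)]
    findings = []
    if not has_secret:
        findings.append("no enable secret configured; privileged mode is guarded only by the clear-text enable password, if at all")
    for line in cleartext:
        findings.append("clear-text enable password present (%r); anyone who can read the config can read it" % line)
    if has_secret and cleartext:
        findings.append("enable secret takes precedence, so the enable password line adds no protection and can be removed")
    return findings


def shutdown_interfaces(interfaces):
    """Names of interfaces that are administratively shut down, sorted."""
    return sorted(name for name, cmds in interfaces.items() if "shutdown" in cmds)


if __name__ == "__main__":
    g, ifs = parse_running_config(SAMPLE_RUNNING_CONFIG)
    for finding in audit_enable_passwords(g):
        print("FINDING:", finding)
    print("shut down:", shutdown_interfaces(ifs))
```

The stanza parser relies on IOS indenting interface sub-commands by one space; if you feed it output captured through a terminal that strips leading whitespace (as the extraction of this manual did), the "!" separators still end each stanza, but unindented sub-commands would be counted as global lines.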

Startup Configuration
The stored configuration used to boot the router is referred to as the startup-config in the router's CLI. If you
decide you would like to start configuring a router from scratch, you will need to reload the router, making sure
you have deleted the startup-config file that is stored in NVRAM. To do this, you will first need to use the erase
startup-config command to erase the configuration file stored in NVRAM. Next, you will need to reload the router;
do not save the configuration when prompted.
Router#erase startup-config
Erasing the nvram filesystem will remove all files! Continue? [confirm]
[OK]
Erase of nvram: complete
Router#reload
Proceed with reload? [confirm]

Lesson 2: Basic Commands


Show Commands
Show Version

The show version command displays much more information than you may realize at first. You can use show
version to obtain critical information, such as the router platform type, the operating system revision, the
operating system's last boot time and file location, the amount of memory, the number of interfaces, and the
configuration register. The following is an example of the type of output you will see when you issue the show
version command.


Router>show version
Router1 Operating System Software
Router uptime is 2 minutes
System returned to ROM by power-on
System image file is flash:c2500.bin
[output omitted]
1 Ethernet/IEEE 802.3 interface(s)
1 Serial(sync/async) network interface(s)
1 ISDN Basic Rate interface(s)
32K bytes of non-volatile configuration memory.
4096K bytes of processor board System flash (Read/Write)
Configuration register is 0x2102

Show Protocols

To view Layer 3 information for all interfaces currently configured on the router, use the show protocols command.
The following is an example of the type of output you will see when you issue the show protocols command.
Router>show protocols
Global values:
Internet Protocol routing is enabled
BRI0 is administratively down, line protocol is Down
Ethernet0 is administratively down, line protocol is Down
Serial0 is administratively down, line protocol is Down

Show Flash
Flash memory is a special kind of memory that contains the operating system image file(s) for the router. Unlike
regular router memory, flash memory continues to maintain the file image even after power is lost. The following
is an example of the type of output you will see when you issue the show flash command.
Router>show flash
System flash directory:
File Length Name/status
1 3015588 c2500.bin
[3015652 bytes used, 1178652 available, 4194304 total]
4096K bytes of processor board System flash (Read/Write)

Show History

By default, the router's command-line interface (CLI) maintains in memory the last 10 commands you have
entered. This default value can be changed. You can use one of two methods to cycle through previous router
commands entered since the last power loss. To simultaneously view all of the past commands still in router
memory, use the show history command. For single-line retrieval, use either the UP ARROW key or the CTRL+P
key combination to see the previous command, and use either the DOWN ARROW key or the CTRL+N key combination to see the next command.
Router>show history
show version
show protocols
show flash
enable
show running-config
disable
show history

Show Clock

The router keeps its own clock that can be used to synchronize devices. The show clock command displays
the clock.
Router#show clock
*00:38:35.755 UTC Mon Mar 1 1993
Router#

Show Hosts

You can create a list of host names on your router. You can view the entries (if any) by typing show hosts.
Router#show hosts
Default domain is not set
Name/address lookup uses static mappings
Host Flags Age Type Address(es)
Router#

Show Users

The show users command displays users who are connected to the router.
Router#show users
Line User Host(s) Idle Location
* 0 con 0 idle 00:00:00
Router#

Show Interfaces

The show interfaces command displays statistics for all interfaces configured on the router.
Router#show interfaces
BRI0 is administratively down, line protocol is down
Hardware is BRI
MTU 1500 bytes, BW 64 Kbit, DLY 20000 usec, rely 255/255, load 1/255
Encapsulation HDLC, loopback not set
Last input never, output never, output hang never
Last clearing of show interface counters never
Input queue: 0/75/0 (size/max/drops); Total output drops: 0
Queuing strategy: weighted fair
Output queue: 0/1000/64/0 (size/max total/threshold/drops)
Conversations 0/0/256 (active/max active/max total)
Reserved Conversations 0/0 (allocated/max allocated)
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
0 packets input, 0 bytes, 0 no buffer
Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 packets output, 0 bytes, 0 underruns
0 output errors, 0 collisions, 5 interface resets
0 output buffer failures, 0 output buffers swapped out
0 carrier transitions
--More--
Notice the --More-- indicator. This means that more information pertaining to the last command can be
displayed. To view more output line by line, press the ENTER key. To view more output one screen at a time,
press the SPACEBAR. To exit the output and return to the router prompt, press any letter. (It may be helpful to
remember to press the E key for exit.)

Ping
The ping command allows a user to test basic connectivity. The syntax for the ping command is as follows:
ping ip_address
The ping command will cause the router to send out five echo requests to the destination IP address. If the router
receives a reply, it will be noted in the CLI with an exclamation mark (!). If no reply is received, it will be noted
with a period (.).
The following shows the output of a successful ping of the 10.1.1.1 IP address:
Router#ping 10.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 32/37/44 ms
Router#
The following shows the output of a failed ping of the 2.2.2.2 IP address:
Router#ping 2.2.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.2, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
Router#
The ping command is one of the most commonly used test tools. The PING protocol uses Internet Control Message
Protocol (ICMP) to communicate with other routers.


When you attempt to ping devices for the first time, ping may fail on the first try if the router has not completed
Address Resolution Protocol (ARP) resolution.
You can also use the show running-config command or the show ip interface command on the local router to
view its IP addresses.
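The "!" and "." notation above is compact enough to parse, and doing so lets a script distinguish an unreachable host from the first-probe loss the text attributes to pending ARP resolution. The following Python is an added example, not part of the manual; the three transcripts it works on are constructed to match the ping output format shown above, and the verdict strings are the author's own wording of the cases the text describes.

```python
import re

# Constructed sample outputs modelled on the ping transcripts in this lesson.
PING_OK = """\
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 32/37/44 ms
"""
PING_ARP_MISS = """\
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.2, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 4/6/8 ms
"""
PING_FAIL = """\
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
"""

# Characters IOS uses on the per-probe result line ("!" reply, "." timeout,
# plus the less common unreachable/quench/mask/unknown/duplicate codes).
PROBE_CHARS = set("!.UQM?&")


def interpret_ping(output):
    """Parse IOS ping output into target, per-probe results and a verdict."""
    m = re.search(r"Sending (\d+), \d+-byte ICMP Echos to (\S+),", output)
    if not m:
        raise ValueError("not IOS ping output")
    count, target = int(m.group(1)), m.group(2)
    pattern = None
    for line in output.splitlines():
        stripped = line.strip()
        if stripped and set(stripped) <= PROBE_CHARS:
            pattern = stripped
            break
    if pattern is None or len(pattern) != count:
        raise ValueError("probe result line missing or truncated")
    replies = pattern.count("!")
    success_pct = 100 * replies // count
    if replies == count:
        verdict = "reachable"
    elif replies == 0:
        verdict = "unreachable: no replies (routing, filtering or host down)"
    elif pattern[0] == "." and set(pattern[1:]) == {"!"}:
        verdict = "reachable; first probe lost, consistent with ARP resolution still in progress"
    else:
        verdict = "partial loss: %d of %d replies" % (replies, count)
    return {
        "target": target,
        "sent": count,
        "replies": replies,
        "success_pct": success_pct,
        "pattern": pattern,
        "verdict": verdict,
    }


if __name__ == "__main__":
    for sample in (PING_OK, PING_ARP_MISS, PING_FAIL):
        r = interpret_ping(sample)
        print("%-12s %s %3d%%  %s" % (r["target"], r["pattern"], r["success_pct"], r["verdict"]))
```

A lone leading "." followed by replies is only consistent with the ARP explanation; to confirm it, repeat the ping (the second run should be all "!") or check show arp for the target's entry.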

Lesson 3: Basic IP Configuration and Verification
IP Addressing
IP addressing is very easy to configure on a Cisco router, although the calculation of IP addresses and subnet
masks can be rather difficult.
The following syntax places an IP address on the interface:
ip address ip_address subnet_mask
Given the routers below, what commands should you issue to configure IP addresses on Router 1 and Router 2?


[Network diagram: three routers; the router numbers were lost in extraction]

Remember that /24 denotes a subnet mask of 255.255.255.0. For your convenience, here is a handy table
matching slash notation to the corresponding dotted decimal subnet masks:
Slash  Dotted Decimal   Slash  Dotted Decimal     Slash  Dotted Decimal
/8     255.0.0.0        /16    255.255.0.0        /24    255.255.255.0
/9     255.128.0.0      /17    255.255.128.0      /25    255.255.255.128
/10    255.192.0.0      /18    255.255.192.0      /26    255.255.255.192
/11    255.224.0.0      /19    255.255.224.0      /27    255.255.255.224
/12    255.240.0.0      /20    255.255.240.0      /28    255.255.255.240
/13    255.248.0.0      /21    255.255.248.0      /29    255.255.255.248
/14    255.252.0.0      /22    255.255.252.0      /30    255.255.255.252
/15    255.254.0.0      /23    255.255.254.0      /31    255.255.255.254

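The table above lists instances of one rule: a /n mask is n leading one bits followed by zero bits. The following Python is an added example, not part of the Boson manual; it computes the dotted-decimal mask from a prefix length and back (rejecting masks whose one bits are not contiguous, a common typo), regenerates the whole table, and checks whether two addresses share a subnet. The addresses it tests are the 10.1.1.x and 172.16.10.x ones used in this lesson.

```python
import ipaddress

FULL = 0xFFFFFFFF


def prefix_to_mask(prefix):
    """Dotted-decimal mask for a /prefix, computed rather than looked up."""
    if not 0 <= prefix <= 32:
        raise ValueError("prefix length must be 0..32")
    bits = (FULL << (32 - prefix)) & FULL
    return ".".join(str((bits >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def mask_to_prefix(mask):
    """Inverse of prefix_to_mask; raises on masks such as 255.0.255.0."""
    octets = [int(o) for o in mask.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError("bad mask: %s" % mask)
    bits = 0
    for o in octets:
        bits = (bits << 8) | o
    ones = bin(bits).count("1")
    # A valid mask is exactly `ones` leading one bits; anything else is non-contiguous.
    if bits != ((FULL << (32 - ones)) & FULL):
        raise ValueError("non-contiguous mask: %s" % mask)
    return ones


def mask_table(prefixes=range(8, 32)):
    """The slash/dotted-decimal table from the text, regenerated."""
    return {p: prefix_to_mask(p) for p in prefixes}


def same_subnet(ip_a, ip_b, mask):
    """True when ip_b lies in the subnet that ip_a/mask belongs to."""
    net_a = ipaddress.ip_network("%s/%s" % (ip_a, mask), strict=False)
    return ipaddress.ip_address(ip_b) in net_a


if __name__ == "__main__":
    for p, m in mask_table().items():
        print("/%-3d %s" % (p, m))
    # Router 1 e0 and Router 2 e0 from this lesson share 10.1.1.0/24; the
    # serial address does not.
    print(same_subnet("10.1.1.1", "10.1.1.2", "255.255.255.0"))
    print(same_subnet("172.16.10.1", "10.1.1.2", "255.255.255.0"))
```

Because the checks use the standard library ipaddress module, the same functions accept prefix notation directly ("10.1.1.1/24") if a script is fed addresses in that form instead of a separate mask.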

Router 1 should be configured as follows:
Router>
Router>en
Router#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#hostname Router1
Router1(config)#int e0
Router1(config-if)#ip address 10.1.1.1 255.255.255.0
Router1(config-if)#no shut
Router1(config-if)#int s0
Router1(config-if)#ip address 172.16.10.1 255.255.255.0
Router1(config-if)#no shut
Router1(config-if)#end
Router1#
You can use sh ip interface brief to view the IP addresses on the interface:
Router1#sh ip interface brief
Interface   IP-Address    OK?  Method  Status  Protocol
BRI0        unassigned    YES  manual  up      up
Ethernet0   10.1.1.1      YES  manual  up      up
Serial0     172.16.10.1   YES  manual  up      up
Router1#

Router 2 should be configured as follows:
Router>
Router>en
Router#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#hostname Router2
Router2(config)#int e0
Router2(config-if)#ip address 10.1.1.2 255.255.255.0
Router2(config-if)#no shut
Router2(config-if)#exit
Router2(config)#exit
Router2#exit

Lesson 4: Router Interfaces


Examining the Interfaces
Routers can have many types of interfaces, such as Token Ring, FDDI, Ethernet, serial, ISDN, and so on. You will
often need to view the status and settings, so you need to know a few important commands. The show interfaces command is one of the more important commands.
Router#show interface
Ethernet0 is administratively down, line protocol is down
Hardware is Lance, address is 0060.5cc4.f445 (bia 0060.5cc4.f445)
MTU 1500 bytes, BW 10000 Kbit, DLY 1000 usec, rely 255/255, load 1/255
Encapsulation ARPA, loopback not set, keepalive set (10 sec)
[output omitted]
This command produces output about each interface. In this case, you can see that Ethernet 0 is administratively
down. That means that it has been turned off with the shutdown command.
Ethernet 0 is           Line protocol is   Meaning
administratively down   down               Indicates that the interface has been turned off with the shutdown command
up                      down               Indicates that the cable is connected, but keepalives are not being received
down                    down               Indicates a cabling problem, that no clock rate is set on the DCE, or that another router interface is shut down
up                      up                 Indicates that the interface is connected and receiving keepalives


You can view particular interfaces with the show interface specific_interface command; for instance, you can
issue the show interface serial 0 command. Alternatively, you can use the show ip interface brief command to
quickly display the status of all interfaces.
Router#show ip int brief
Interface   IP-Address   OK?  Method   Status                 Protocol
Ethernet0   unassigned   YES  not set  administratively down  down
PCbus0      unassigned   YES  not set  administratively down  down
Serial0     unassigned   YES  not set  up                     down
Router#
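The status/protocol table above is the decision logic a technician applies by eye to show ip interface brief output. The following Python is an added example, not part of the manual; it parses a constructed sample in the same column format, maps each status/protocol pair to the meaning given in the table, and lists interfaces that are not deliberately shut down yet are not up/up. The sample rows and the shortened meaning strings are the author's own.

```python
import re

# Constructed sample modelled on the show ip int brief output above; the last
# two rows are added so that every combination from the table appears once.
SAMPLE_BRIEF = """\
Interface   IP-Address   OK?  Method   Status                 Protocol
Ethernet0   unassigned   YES  not set  administratively down  down
PCbus0      unassigned   YES  not set  administratively down  down
Serial0     172.16.10.1  YES  manual   up                     down
Ethernet1   10.1.1.1     YES  manual   up                     up
Serial1     unassigned   YES  not set  down                   down
"""

# Status/protocol combinations and their meaning, condensed from the table above.
MEANING = {
    ("administratively down", "down"): "turned off with the shutdown command",
    ("up", "down"): "cable connected, but keepalives are not being received",
    ("down", "down"): "cabling problem, no clock rate on the DCE, or far-end interface shut down",
    ("up", "up"): "connected and receiving keepalives",
}

# Method is matched non-greedily because it may contain a space ("not set").
ROW = re.compile(
    r"^(\S+)\s+(\S+)\s+(YES|NO)\s+(.+?)\s+(administratively down|up|down)\s+(up|down)\s*$"
)


def parse_ip_int_brief(text):
    """Return one dict per interface row; the header line does not match."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            name, ip, ok, method, status, proto = m.groups()
            rows.append({"interface": name, "ip": ip, "ok": ok == "YES",
                         "method": method, "status": status, "protocol": proto})
    return rows


def diagnose(rows):
    """Map each interface to the meaning of its status/protocol pair."""
    return {r["interface"]: MEANING.get((r["status"], r["protocol"]), "unexpected combination")
            for r in rows}


def interfaces_needing_attention(rows):
    """Interfaces that were not shut down on purpose but are still not up/up."""
    return [r["interface"] for r in rows
            if r["status"] != "administratively down"
            and (r["status"], r["protocol"]) != ("up", "up")]


if __name__ == "__main__":
    rows = parse_ip_int_brief(SAMPLE_BRIEF)
    for name, meaning in diagnose(rows).items():
        print("%-10s %s" % (name, meaning))
    print("needs attention:", interfaces_needing_attention(rows))
```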

Examining the Controllers


Controllers are the part of the interface that makes the physical connection. The controller of most interest is the
kind of cable that is attached to a serial interface.
A data terminal equipment (DTE) cable is the cable you should typically use. If the local interface is the DTE side
of the connection, the other end of the connection must provide clocking.
Data communications equipment (DCE) means that this device must provide the clocking on the wire.
The show controllers command will allow you to see if an interface is a DCE or DTE.
Router#show controllers serial 0
HD unit 0, idb = 0xA2B58, driver structure at 0xA7020
buffer size 1524 HD unit 0, V.35 DCE cable
cpb = 0x42, eda = 0x2140, cda = 0x2000


Configuring the Interfaces
To bring up an interface that is administratively down, you should enter interface configuration mode from configuration mode, and then issue the no shutdown command.
Router#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#interface ethernet 0
Router(config-if)#no shutdown
Router(config-if)#
%LINEPROTO-5-UPDOWN: Line protocol on Interface Ethernet0, changed state to up
%LINK-3-UPDOWN: Interface Ethernet0, changed state to up
Router(config-if)#end
Router#
If your interface is the DCE, you must provide clocking using the clock rate command.
Router#config t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#interface serial 0
Router(config-if)#clock rate 56000
Router(config-if)#end
Router#
It is often helpful to use the description command to add a description of the purpose of the interface.
Router#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#int e0
Router(config-if)#description My Connection to the Engineering Hub
Router(config-if)#end
Router#
You can use any of the following commands to view your changes:
show running-config
OR
show interfaces
OR
show controllers

Lesson 5: CDP
Cisco Discovery Protocol (CDP) allows devices to share basic configuration information without any protocol-specific information being configured. CDP is enabled by default on all interfaces.
CDP is a Data Link protocol that operates at Layer 2 of the Open Systems Interconnection (OSI) model. This is
important to understand because CDP is not routable and can only travel to directly connected devices.


CDP allows you to view information such as operating system version, protocol information, and much more. This
information can be very handy for troubleshooting a variety of problems.
CDP is enabled by default on the router and on all interfaces.

CDP Commands
The CDP commands are simple. See the following tables.

Global Configuration Commands
no cdp run                turns off CDP for the entire router
cdp run                   turns on CDP for the entire router (default setting)
cdp timer 120             configures CDP to advertise every 120 seconds

Interface Configuration Commands
cdp enable                turns on CDP for the interface (default setting)
no cdp enable             turns off CDP for the interface

Show Commands
show cdp interface        displays interface settings
show cdp neighbor         displays directly connected neighbors
show cdp neighbor detail  displays detailed information about neighbors
show cdp                  displays general information

Lesson 6: ARP
ARP Commands
Show arp
The show arp command displays the Address Resolution Protocol (ARP) table, which contains detailed information about interfaces that are learning media access control (MAC) addresses. Looking at the table below, you
can see that the router learned the IP address and MAC address of each Ethernet interface. The Age column
indicates how long the router has had the information, and the Interface column indicates the interface from
which it learned this information. Notice that the age of the 1.1.1.4 address is not indicated because it is the IP
address of the Ethernet port that is connected to the router.
Router#show arp
Protocol  Address  Age (min)  Hardware Addr   Type  Interface
Internet  1.1.1.2  207        0000.0c32.f57d  ARPA  Ethernet0
Internet  1.1.1.4             0060.7062.e040  ARPA  Ethernet0
Router#

Clear arp
The information stored in the ARP table can become corrupted occasionally, which causes the router to experience packet-delivery problems. When this happens, the ARP table must be cleared and rebuilt. You must access
privileged mode and issue the clear arp command in order to clear the ARP table. After you have cleared the
ARP table, you can view it again using the show arp command. In this example, notice that all entries, with the
exception of the directly connected interfaces of the router, have disappeared.
Router#show arp
Protocol  Address  Age (min)  Hardware Addr   Type  Interface
Internet  1.1.1.2             0060.7062.e040  ARPA  Ethernet0
Router#

Lesson 7: Routing Protocols


RIP
Routing Information Protocol (RIP) is a standards-based, distance vector, interior gateway protocol (IGP) that
is used by routers to exchange routing information. RIP uses hop count to determine the best path between two
locations. Hop count is the number of routers through which a packet must travel in order to reach the destination network. The maximum allowable number of hops a packet can traverse in an IP network where RIP is
implemented is 15 hops.
In a RIP network, each router broadcasts its entire RIP table to its neighboring routers every 30 seconds. When
a router receives a neighbor's RIP table, it uses the information provided to update its own routing table and
then sends the updated table to its neighbors. This procedure is repeated by each router and results in a state
referred to as network convergence, in which all routers have an identical view of the internetwork topology.
Router 1 should be configured as follows:
Router>en
Router#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#hostname Router1
Router1(config)#int e0
Router1(config-if)#ip address 10.1.1.1 255.255.255.0
Router1(config-if)#no shut
%LINK-3-UPDOWN: Interface Ethernet0, changed state to up
Router1(config-if)#exit
Router1(config)#int s0
Router1(config-if)#ip address 172.16.10.1 255.255.0.0
Router1(config-if)#no shut
%LINK-3-UPDOWN: Interface Serial0, changed state to up
%LINK-3-UPDOWN: Interface Serial0, changed state to down
%LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0, changed state to down
Router1(config-if)#exit
Router1(config)#
RIP version 1 is classful, which means it does not include the subnet mask in its routing table updates. RIP
version 2 is classless and does include the subnet information in its routing table updates. RIP version 1 is used
in the example above. In order to use RIP version 2, the version 2 command must be entered after the router rip
command.
To enable RIP as the routing protocol on Router 1, the router rip command must be issued. Notice the new mode
the router has entered.
Router1(config)#router rip
Router1(config-router)#
Once RIP is running on Router 1, network statements must be used to tell the router which networks it is connected to. Every router interface that is directly connected to an active network needs a network number. Some
networks will be configured with the same IP addressing schemes with different subnets, and some will be configured with entirely different addressing schemes. The diagram below shows two different addressing schemes.


[Network diagram: three routers with two addressing schemes; the router numbers were lost in extraction]

Router 1's Ethernet 0 interface has an IP address of 10.1.1.1 with a /24 subnet mask, and its serial 0 interface has
an IP address of 172.16.10.1 with a /16 subnet mask. Because RIP is classful, only the class portions of the addresses must be specified in the network statements. Thus, on Router 1, the network 10.0.0.0 statement should be
used for the Ethernet 0 interface, and the network 172.16.0.0 statement should be used for the serial 0 interface.
Router1(config-router)#network 172.16.0.0
Router1(config-router)#network 10.0.0.0
Router1(config-router)#

Router 2 should be configured as follows:
Router>en
Router#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#hostname Router2
Router2(config)#int e0
Router2(config-if)#ip address 10.1.1.2 255.255.255.0
Router2(config-if)#no shut
00:17:25: %LINK-3-UPDOWN: Interface Ethernet0, changed state to up
Router2(config-if)#exit
Router2(config)#


Now, the RIP information must be added.


Router2(config)#router rip
Router2(config-router)#network 10.0.0.0
Router2(config-router)#exit
Router2(config)#exit
Router2#

RIP should now be running on the network between Router 1 and Router 2.
Router 4 should be configured as follows:
Router>en
Router#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#hostname Router4
Router4(config)#int s0
Router4(config-if)#ip address 172.16.10.2 255.255.0.0
Router4(config-if)#no shut
00:20:35: %LINK-3-UPDOWN: Interface Serial0, changed state to up
Router4(config-if)#exit
Router4(config)#
Now, the RIP information must be added.
Router4(config)#router rip
Router4(config-router)#network 172.16.0.0
Router4(config-router)#exit
Router4(config)#exit
Router4#
Once RIP has been configured on the entire network, show commands can be used to verify that the routers are
receiving RIP routes. The most commonly used command is show ip route, which displays all entries in the routing table. This command should be issued at the privileged mode prompt on Router 4 to display the routes to the
directly connected Router 1 and to the other routers on the network.
Router4#show ip route
Gateway of last resort is not set
     172.16.0.0/16 is subnetted, 1 subnet
C       172.16.10.0 is directly connected, Serial 0
R    10.0.0.0 [120/1] via 172.16.10.1 00:03:18, Serial 0
In the line R 10.0.0.0 [120/1] via 172.16.10.1, 00:00:21, Serial0, the R indicates that this is a RIP route. The
10.0.0.0 portion of the output indicates the destination network. The [120/1] portion of the output indicates that
120 is the administrative distance and that 1 hop is required to reach the destination. RIP's default administrative distance is 120; administrative distance is a measure of the trustworthiness of the route. If two routing
protocols have the same route, the router will pick the route with the lower administrative distance. The via
172.16.10.1 portion of the output indicates that 172.16.10.1 is the address of the next hop. The Serial0 portion
of the output indicates that this information was learned via the serial 0 interface.
The show ip protocols command displays information about the IP routing protocols that are enabled. The following is example output from the show ip protocols command.


Router4#show ip protocols
Routing Protocol is rip
Sending updates every 30 seconds, next due in 12 seconds
Invalid after 180 seconds, hold down 180, flushed after 240
Outgoing update filter list for all interfaces is
Incoming update filter list for all interfaces is
Redistributing: rip
Default version control: send version 1, receive any version
Interface Send Recv Key-chain
Routing for Networks:
172.16.0.0
Routing Information Sources:
Gateway Distance Last Update
172.16.10.1 120 00:00:09
Distance: (default is 120)
Router4#
The output indicates that updates are being sent every 30 seconds. RIP is a distance vector routing protocol, so
it exchanges its entire routing table every 30 seconds. The 172.16.0.0 network is under the Routing for Networks
area, which indicates that the network statement is working. Notice that the administrative distance is 120,
which is the default.

IGRP
Interior Gateway Routing Protocol (IGRP) is a standards-based, distance vector IGP that is used by routers to
exchange routing information. IGRP uses a composite metric of bandwidth and delay to determine the best path
between two locations. The metric can also be administratively configured to factor in the maximum transmission
unit (MTU), reliability, and load for the link.
In an IGRP network, each router broadcasts its entire IGRP table to its neighboring routers every 90 seconds. When
a router receives a neighbor's IGRP table, it uses the information provided to update its own routing table and then
sends the updated table to its neighbors. This procedure is repeated by each router and results in a state referred
to as network convergence, in which all routers have an identical view of the internetwork topology.
Router 1 should be configured as follows:
Router>en
Router#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#hostname Router1
Router1(config)#int e0
Router1(config-if)#ip address 10.1.1.1 255.255.255.0
Router1(config-if)#no shut
00:35:15: %LINK-3-UPDOWN: Interface Ethernet0, changed state to up
Router1(config-if)#exit
Router1(config)#int s0
Router1(config-if)#ip address 172.16.10.1 255.255.0.0
Router1(config-if)#no shut
00:35:16: %LINK-3-UPDOWN: Interface Serial0, changed state to up
Router1(config-if)#exit
00:35:16: %LINEPROTO-5-UPDOWN: Line protocol on Interface Ethernet0, changed state to up
IGRP is classful, which means it does not include the subnet mask in its routing table updates.
To enable IGRP as the routing protocol on Router 1, the router IGRP AS command must be used. The AS parameter stands for autonomous system number. An autonomous system is defined as a network under a common
administration with a common routing policy. The same autonomous system number must be used on every
router with which Router 1's routing table should be shared.
In this example, autonomous system number 100 will be used. Notice the new mode the router has entered.
Router1(config)#router IGRP 100
Router1(config-router)#
Now that IGRP is running on the router, network statements must be used to tell the router which networks it
is connected to. Every router interface that is directly connected to an active network needs a network number.
Some networks will use the same IP addressing schemes with different subnets, and some will use entirely different addressing schemes. The diagram below shows two different addressing schemes.


[Network diagram: three routers with two addressing schemes; the router numbers were lost in extraction]

Router 1's Ethernet 0 interface has an IP address of 10.1.1.1 with a /24 subnet mask, and its serial 0 interface
has an IP address of 172.16.10.1 with a /16 subnet mask. Because IGRP is classful, only the class portions of
the addresses must be specified in the network statement. Thus, on Router 1, the network 10.0.0.0 statement
should be issued for the Ethernet 0 interface, and the network 172.16.0.0 statement should be issued for the
serial 0 interface.
Router1(config-router)#network 172.16.0.0
Router1(config-router)#network 10.0.0.0
Router1(config-router)#


Router 2 should be configured as follows:
Router>en
Router#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#hostname Router2
Router2(config)#int e0
Router2(config-if)#ip address 10.1.1.2 255.255.255.0
Router2(config-if)#no shut
01:23:17: %LINK-3-UPDOWN: Interface Ethernet0, changed state to up
Router2(config-if)#exit
01:23:18: %LINEPROTO-5-UPDOWN: Line protocol on Interface Ethernet0, changed state to up
Router2(config)#
Now, IGRP must be configured.
Router2(config)#router IGRP 100
Router2(config-router)#network 10.0.0.0
Router2(config-router)#exit
Router2(config)#exit
Router2#
IGRP should now be running on the network between Router 1 and Router 2.
Router 4 should be configured as follows:
Router>en
Router#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#hostname Router4
Router4(config)#int s0
Router4(config-if)#ip address 172.16.10.2 255.255.0.0
Router4(config-if)#no shut
01:23:17: %LINK-3-UPDOWN: Interface Ethernet0, changed state to up
01:23:18: %LINEPROTO-5-UPDOWN: Line protocol on Interface Ethernet0, changed state to up
Router4(config-if)#exit
Router4(config)#
Now, IGRP must be configured.
Router4(config)#router IGRP 100
Router4(config-router)#network 172.16.0.0
Router4(config-router)#exit
Router4(config)#exit
Router4#
Once IGRP is configured on the entire network, show commands can be used to verify that the routers are receiving
routes. The show ip route command should be issued on Router 4 to display the route to the directly connected Router 1.
Router4#show ip route
Gateway of last resort is not set


     172.16.0.0/16 is subnetted, 1 subnet
C       172.16.10.0 is directly connected, Serial 0
I    10.0.0.0 [100/651] via 172.16.10.1 00:03:18, Serial 0
In the line I 10.0.0.0 [100/651] via 172.16.10.1, 00:00:21, Serial0, the I indicates that this is an IGRP route. The
10.0.0.0 portion of the output indicates the destination network. The 100 in the 100/651 notation indicates that
100 is the administrative distance (IGRP's default administrative distance is 100). If two routing protocols with
the same route are available, the router will pick the route with the lower administrative distance. The 651 value
indicates the calculated metric, which is based on bandwidth and delay. The via 172.16.10.1 portion of the output
indicates the address of the next hop. The Serial0 portion of the output indicates that this information was
learned via the serial 0 interface.
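The RIP and IGRP sections above each read one show ip route line by hand: protocol code, destination, [administrative distance/metric], next hop, age and interface. The following Python is an added example, not part of the Boson manual; it parses routing-table lines in that format (both the comma-separated form quoted in the explanations and the form without a comma after the next hop, as printed in the captures) and then applies the rule stated in both sections, that when two protocols offer the same destination the lower administrative distance wins. The sample table is constructed so that 10.0.0.0 is offered by both RIP (120) and IGRP (100); the 192.168.5.0 route is added by the author for a second destination.

```python
import re

# Constructed routing-table lines modelled on the show ip route output in the
# RIP and IGRP sections above. The same destination appears from both
# protocols so that the administrative-distance comparison has work to do.
SAMPLE_ROUTES = """\
Gateway of last resort is not set
     172.16.0.0/16 is subnetted, 1 subnet
C       172.16.10.0 is directly connected, Serial0
R    10.0.0.0 [120/1] via 172.16.10.1, 00:00:21, Serial0
I    10.0.0.0 [100/651] via 172.16.10.1, 00:00:09, Serial0
R    192.168.5.0 [120/2] via 172.16.10.1, 00:00:21, Serial0
"""

# Protocol codes used in this lesson; the defaults it states are RIP 120,
# IGRP 100, and a directly connected route is always preferred (distance 0).
PROTOCOL_NAMES = {"C": "connected", "R": "RIP", "I": "IGRP"}

# "R 10.0.0.0 [120/1] via 172.16.10.1, 00:00:21, Serial0"; the comma after the
# next hop is optional and the interface may contain a space ("Serial 0").
LEARNED = re.compile(
    r"^([A-Z])\s+(\S+)\s+\[(\d+)/(\d+)\]\s+via\s+([^\s,]+),?\s+([^\s,]+),\s+(.+?)\s*$"
)
CONNECTED = re.compile(r"^C\s+(\S+) is directly connected,\s+(.+?)\s*$")


def parse_routes(text):
    """Return one dict per route line; summary and header lines are skipped."""
    routes = []
    for line in text.splitlines():
        m = LEARNED.match(line)
        if m:
            code, dest, ad, metric, nexthop, age, iface = m.groups()
            routes.append({"code": code, "protocol": PROTOCOL_NAMES.get(code, code),
                           "dest": dest, "ad": int(ad), "metric": int(metric),
                           "next_hop": nexthop, "age": age, "interface": iface})
            continue
        m = CONNECTED.match(line)
        if m:
            routes.append({"code": "C", "protocol": "connected", "dest": m.group(1),
                           "ad": 0, "metric": 0, "next_hop": None, "age": None,
                           "interface": m.group(2)})
    return routes


def preferred_routes(routes):
    """Per destination, keep the lowest administrative distance.

    The tie-break on metric only matters between routes from the same
    protocol, since metrics of different protocols are not comparable.
    """
    best = {}
    for r in routes:
        cur = best.get(r["dest"])
        if cur is None or (r["ad"], r["metric"]) < (cur["ad"], cur["metric"]):
            best[r["dest"]] = r
    return best


if __name__ == "__main__":
    for dest, r in sorted(preferred_routes(parse_routes(SAMPLE_ROUTES)).items()):
        print("%-14s %-9s AD=%-3d metric=%-4d via %s on %s"
              % (dest, r["protocol"], r["ad"], r["metric"], r["next_hop"], r["interface"]))
```

Run over the sample, 10.0.0.0 resolves to the IGRP route with administrative distance 100, which is what the text says the router itself would install if both protocols were running; on a real device show ip route would already show only the winner, so this comparison is most useful when reconciling captures taken from several routers or before and after a protocol change.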
The show ip protocols command displays information about the IP routing protocols that are enabled.
Router4#show ip protocols
Routing Protocol is igrp 100
Sending updates every 90 seconds, next due in 12 seconds
Invalid after 270 seconds, hold down 280, flushed after 630
Outgoing update filter list for all interfaces is not set
Incoming update filter list for all interfaces is not set
Default networks flagged in outgoing updates
Default networks accepted from incoming updates
IGRP metric weight K1=1, K2=0, K3=1, K4=0, K5=0
IGRP maximum hopcount 100
IGRP maximum metric variance 1
Redistributing: igrp 100
Routing for Networks:
172.16.0.0
Routing Information Sources:
Gateway Distance Last Update
172.16.10.1 100 00:00:09
Distance: (default is 100)
Router4#
The output indicates that updates are being sent every 90 seconds. Because IGRP is a distance vector routing
protocol, it exchanges its entire routing table every 90 seconds. The 172.16.0.0 network is under the Routing for
Networks area, which indicates that the network statement is working. Notice that the administrative distance
is 100, which is the default.

OSPF
OSPF is a dynamic link-state, hierarchical IGP that is based on open standards. It was designed as a replacement for RIP and was derived from an early version of Intermediate System to Intermediate System (IS-IS). OSPF
is a robust protocol whose features include least-cost routing, multipath routing, and load balancing. The shortest path through the network is calculated by using the Dijkstra algorithm. Cisco uses its own implementation
of the OSPF standards with additional features that are important for interoperability.


Once the router is configured for OSPF, it starts learning its environment by going through a few phases of
initialization. First, the router uses hello packets to identify its neighbors and form adjacencies (relationships
for exchanging routing updates) with them. The neighbors then enter the ExStart phase, in which they elect a master
for the database exchange. Next is the Exchange phase, in which the routers describe the contents of their
link-state databases to each other and acknowledge what they receive. During the Loading phase, each router requests
the full link-state advertisements it is missing and completes its link-state database. Once the databases are
synchronized, the adjacency reaches the Full state, the router runs the shortest path calculation, and it is an
active member of the network.
Router 1 should be configured as follows:
Router>en
Router#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#hostname Router1
Router1(config)#int e0
Router1(config-if)#ip address 10.1.1.1 255.255.255.0
Router1(config-if)#no shut
00:12:33: %LINK-3-UPDOWN: Interface Ethernet0, changed state to up
Router1(config-if)#exit
Router1(config)#int s0
Router1(config-if)#ip address 172.16.10.1 255.255.0.0
Router1(config-if)#no shut
00:15:30: %LINK-3-UPDOWN: Interface Serial0, changed state to up
00:15:35: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0, changed state to up
Router1(config-if)#exit
Next, the router ospf 100 command should be issued to enable OSPF as the routing protocol. The 100 parameter
is a process identification number (an integer from 1 to 65,535) that identifies the OSPF process on the
router. Unlike the IGRP autonomous system number, the process identification number is only locally significant
and does not have to be the same on all of the routers within the OSPF area. The networks that are added to the
OSPF process make up the area. Notice the new mode that the router enters once the command is issued.
Router1(config)#router ospf 100
Router1(config-router)#
Once OSPF is running on Router 1, network statements must be used to tell the router which of its connected
networks to run OSPF on, together with the wildcard mask and OSPF area for each. Every router interface that is
directly connected to an active network needs to be covered by a network statement. Some networks will be
configured with the same IP addressing scheme with different subnets, and some will be configured with entirely
different addressing schemes. The diagram below shows two different addressing schemes.

[Diagram: Router 1, Router 2, and Router 4 with the two addressing schemes (not reproduced).]
Router 1's Ethernet 0 interface has an IP address of 10.1.1.1 with a /24 subnet mask, and its serial 0 interface
has an IP address of 172.16.10.1 with a /16 subnet mask. When the network statements are issued, the network
address, the wildcard mask, and the area ID (an integer between 0 and 4,294,967,295) must be provided. The
wildcard mask works as it does in access lists: a 0 bit must match the interface address and a 1 bit is ignored,
so the statement must actually cover the interface address or OSPF will not run on that interface. Thus, on
Router 1, the network 10.1.1.0 0.0.0.255 area 0 command covers the Ethernet 0 interface, and the network
172.16.0.0 0.0.255.255 area 0 command covers the serial 0 interface. (A classful-looking statement such as
network 10.0.0.0 0.0.0.255 area 0 would match only 10.0.0.0 through 10.0.0.255 and would leave Ethernet 0 out of
OSPF.) Because the wildcard mask selects which interfaces join the process, adjusting it is also a convenient way
to add or remove specific links when troubleshooting.
Router1(config-router)#network 10.1.1.0 0.0.0.255 area 0
Router1(config-router)#network 172.16.0.0 0.0.255.255 area 0
Router1(config-router)#exit
Router1(config)#exit
Router1#
Now, the show running-config command should be issued to confirm that the OSPF process ID was defined as
100 and that the two networks were added to OSPF area 0.
Router1#show running-config
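The check below is an added example written for this edit; it is not code from the lab manual or from Boson NetSim. It reproduces in Python the test IOS applies to decide which interfaces an OSPF network statement covers, so a statement can be verified before it is typed. The interface addresses are Router 1's from the lab; the two statement sets are constructed, one of them the classful-looking 10.0.0.0 0.0.0.255 form that does not match 10.1.1.1. The rule that the most specific statement wins when several overlap is IOS behaviour.

```python
"""Which interfaces does an OSPF ``network`` statement enable?

Added example (not from the lab manual).  IOS compares each interface's
primary address against the statement's address/wildcard pair and enables
OSPF on the interface only when every bit whose wildcard bit is 0 matches.
"""
import ipaddress


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """True if ``addr`` matches ``network`` under an IOS wildcard mask.

    A 0 bit in the wildcard means "must match", a 1 bit means "don't care";
    the same test is used for OSPF network statements and for access lists.
    """
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a ^ n) & ~w & 0xFFFFFFFF == 0


def ospf_enabled_interfaces(interfaces, statements):
    """Return {interface: area} for the interfaces that a statement covers.

    ``interfaces`` maps interface name -> primary IPv4 address.
    ``statements`` is a list of (network, wildcard, area) tuples, as typed
    after ``router ospf``.  When several statements cover the same address,
    IOS applies the most specific one (the fewest wildcard 1-bits), so the
    statements are tried in that order.  Interfaces that no statement covers
    map to None: OSPF is simply not enabled on them.
    """
    def specificity(stmt):
        return bin(int(ipaddress.IPv4Address(stmt[1]))).count("1")

    ordered = sorted(statements, key=specificity)
    result = {}
    for name, addr in interfaces.items():
        result[name] = None
        for network, wildcard, area in ordered:
            if wildcard_match(addr, network, wildcard):
                result[name] = area
                break
    return result


# Router 1's interfaces from the lab: Ethernet 0 is 10.1.1.1/24 and
# Serial 0 is 172.16.10.1/16.
ROUTER1_INTERFACES = {"Ethernet0": "10.1.1.1", "Serial0": "172.16.10.1"}

# Constructed statement sets.  The first is the tempting classful form:
# 10.0.0.0 0.0.0.255 covers only 10.0.0.0-10.0.0.255, so it misses 10.1.1.1.
CLASSFUL_LOOKING = [("10.0.0.0", "0.0.0.255", 0), ("172.16.0.0", "0.0.255.255", 0)]
CORRECT = [("10.1.1.0", "0.0.0.255", 0), ("172.16.0.0", "0.0.255.255", 0)]


if __name__ == "__main__":
    for label, stmts in (("classful-looking", CLASSFUL_LOOKING), ("correct", CORRECT)):
        print(label, ospf_enabled_interfaces(ROUTER1_INTERFACES, stmts))
```

Running the block prints `{'Ethernet0': None, 'Serial0': 0}` for the classful-looking set and `{'Ethernet0': 0, 'Serial0': 0}` for the correct one; an interface that maps to None is exactly what `show ip ospf interface` would later fail to list.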
Router 2 should be configured as follows:
Router>en
Router#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#hostname Router2
Router2(config)#int e0
Router2(config-if)#ip address 10.1.1.2 255.255.255.0
Router2(config-if)#no shut
Router2(config-if)#exit
00:21:23: %LINK-3-UPDOWN: Interface Ethernet0, changed state to up
00:21:42: %LINEPROTO-5-UPDOWN: Line protocol on Interface Ethernet0, changed state to up
Router2(config)#

Now, the OSPF process identification number and network statement must be added:
Router2(config)#router ospf 100
Router2(config-router)#network 10.1.1.0 0.0.0.255 area 0
Router2(config-router)#exit
Router2(config)#exit
Router2#
OSPF should now be running on the network between Router 1 and Router 2.
Router 4 should be configured as follows:
Router>en
Router#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#hostname Router4
Router4(config)#int s0
Router4(config-if)#ip address 172.16.10.2 255.255.0.0
Router4(config-if)#no shut
Router4(config-if)#exit
The OSPF process identification number and network statement must be added:
Router4(config)#router ospf 100
Router4(config-router)#network 172.16.0.0 0.0.255.255 area 0
Router4(config-router)#exit
Router4(config)#exit
Router4#
OSPF should now be running on all three routers. The ping command can be used to test connectivity between the
routers. From Router 1, Router 4's serial 0 interface and Router 2's Ethernet interface should be pinged.
Router1#ping 172.16.10.2
Router1#ping 10.1.1.2
Next, Router 1 should be pinged from Router 2 and Router 4.
Router2#ping 10.1.1.1
Router4#ping 172.16.10.1
If all pings succeed, the links are working in both directions. Because every ping here targets a directly connected
neighbor, this proves link connectivity, not OSPF; the routing protocol itself is verified with the show commands that follow.
Now, the show ip ospf interface command should be used on Router 1 to verify proper OSPF interface configuration:
Router1#show ip ospf interface
This is an excellent command for learning all interface information. The output includes the interface IP address, area assignment, process ID, router ID, cost, priority, network type, timer intervals, and adjacent neighbor
information. You can also see the Designated Router (DR)/Backup Designated Router (BDR) information when it
is applied.
Finally, the show ip ospf neighbor command should be issued.
Router1#show ip ospf neighbor

This command displays all of the important information concerning neighbors and the adjacency state. It also
displays the DR or BDR information if it is configured.

Lesson 8: PPP with CHAP Authentication


PPP
Point-to-Point Protocol (PPP) is a protocol for communicating between two devices over a serial link, typically a
personal computer connected by phone line to a server. For example, your Internet service provider may supply you a
PPP connection so that the provider's server can respond to your requests, pass them on to the Internet, and forward
the Internet responses back to you. PPP is typically used with the Internet Protocol (IP) and is sometimes
considered a member of the TCP/IP suite of protocols. PPP operates at the Data Link layer (Layer 2) of the Open
Systems Interconnection (OSI) reference model. Essentially, it packages a computer's TCP/IP packets and forwards
them to the server, where they can actually be put on the Internet.
PPP is a full-duplex protocol that can be used on various physical media, including twisted-pair or fiber-optic
lines or satellite transmissions. It uses a variation of High-level Data Link Control (HDLC) framing for packet
encapsulation. PPP is usually preferred over the earlier de facto standard, Serial Line Internet Protocol (SLIP),
because it can handle synchronous as well as asynchronous communication, can carry several network-layer protocols
over one link, and includes error detection, which SLIP lacks. PPP should be used instead of SLIP whenever possible.

CHAP
Challenge-Handshake Authentication Protocol (CHAP) provides a more secure procedure for connecting to a
system than Password Authentication Protocol (PAP), which sends the password across the link in clear text.
Here's how CHAP works:
1. After the link is established, the authenticator (the server) sends a challenge message containing an
identifier and a random value to the connection requestor. The requestor responds with its name and a value
obtained by running a one-way hash function (MD5) over the identifier, the shared secret, and the challenge.
2. The server computes the expected hash value from its own copy of the secret and compares it with the response.
3. If the values match, the authentication is acknowledged; otherwise, the connection is usually terminated.
At any time, the server can send a new challenge to the connected party. Because the challenge and identifier
change every time and because authentication can be repeated by the server at any time, CHAP resists simple replay
and provides more security than PAP. RFC 1334 defines both CHAP and PAP; CHAP was later revised in RFC 1994. Note
that although the secret itself never crosses the link, both ends must store it in a recoverable form, and anyone
who captures a challenge and its response can test guessed secrets offline, so the shared secret must be strong.
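The exchange described above, as an added example that is not part of the lab manual and not Cisco's implementation: both sides of the RFC 1994 MD5 variant are written out in Python, together with the offline guessing attack that a captured challenge and response make possible. The host names R1 and R2 and the secrets are constructed to match the sample configurations later in this lesson; the wordlist is constructed as well.

```python
"""CHAP (RFC 1994, MD5) challenge/response, both sides, plus the offline
dictionary attack that motivates a strong shared secret.

Added example; not code from the lab manual or from Cisco IOS.
"""
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """Response = MD5(Identifier || Secret || Challenge), per RFC 1994."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


class ChapAuthenticator:
    """The side that issues challenges (the 'server' in the lesson text)."""

    def __init__(self, peers: Dict[str, bytes]):
        # CHAP needs the plaintext secret of every peer to recompute the hash,
        # which is why IOS keeps 'username X password Y' recoverable.
        self.peers = peers
        self.identifier = 0

    def challenge(self) -> Tuple[int, bytes]:
        """Fresh identifier and random challenge; both change every time."""
        self.identifier = (self.identifier + 1) & 0xFF
        return self.identifier, os.urandom(16)

    def verify(self, identifier: int, challenge: bytes, name: str, response: bytes) -> bool:
        secret = self.peers.get(name)
        if secret is None:          # no 'username' entry for this host name
            return False
        expected = chap_response(identifier, secret, challenge)
        return hmac.compare_digest(expected, response)


class ChapPeer:
    """The side being authenticated; it sends its host name plus the hash."""

    def __init__(self, hostname: str, secret: bytes):
        self.hostname = hostname
        self.secret = secret

    def respond(self, identifier: int, challenge: bytes) -> Tuple[str, bytes]:
        return self.hostname, chap_response(identifier, self.secret, challenge)


def run_exchange(authenticator: ChapAuthenticator, peer: ChapPeer) -> bool:
    """One Challenge -> Response -> Success/Failure round."""
    identifier, challenge = authenticator.challenge()
    name, response = peer.respond(identifier, challenge)
    return authenticator.verify(identifier, challenge, name, response)


def recover_secret(identifier: int, challenge: bytes, response: bytes,
                   wordlist) -> Optional[bytes]:
    """Offline dictionary attack on a captured exchange.

    The secret never crosses the wire, but whoever captured the challenge and
    response can test candidate secrets at hashing speed.
    """
    for candidate in wordlist:
        if chap_response(identifier, candidate, challenge) == response:
            return candidate
    return None


# Constructed lab values: R1 authenticates R2 using the shared secret that
# both routers' 'username' entries must carry.
SHARED_SECRET = b"toast1"
R1 = ChapAuthenticator({"R2": SHARED_SECRET})
R2_GOOD = ChapPeer("R2", SHARED_SECRET)
R2_BAD = ChapPeer("R2", b"cool2")           # mismatched username/password entry
R2_UNKNOWN = ChapPeer("R3", SHARED_SECRET)  # host name with no username entry

if __name__ == "__main__":
    print("matching secret  :", run_exchange(R1, R2_GOOD))
    print("wrong secret     :", run_exchange(R1, R2_BAD))
    print("unknown host name:", run_exchange(R1, R2_UNKNOWN))
    ident, chal = 7, bytes(range(16))
    captured = chap_response(ident, SHARED_SECRET, chal)
    print("recovered        :", recover_secret(ident, chal, captured, [b"cisco", b"cool2", b"toast1"]))
```

The two failure cases map directly onto the two configuration mistakes seen in practice: a `username` line whose password differs from the peer's, and a `username` line whose name does not match the peer's `hostname`. The last line shows why a six-character secret such as the lab's is fine for a simulator and not for a production link.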

Configuring PPP with CHAP on a Cisco Router
The following interface command enables PPP:
encapsulation ppp
PPP must be enabled on both ends of the link.
The following interface command must be added in order for authentication to be enabled:
ppp authentication chap
The routers will now require authentication over the link. Each router sends its own host name as its CHAP
username and looks up the secret for the peer's host name in its local username database. The secret must be
identical on both routers; the enable password is not involved in CHAP. In global configuration mode on each
router, an entry that matches the remote router's host name and carries the shared secret must be made:
username Other_Router password Shared_secret
Because CHAP needs the secret in recoverable form, these entries are stored in the configuration in clear text
(service password-encryption only applies the reversible type 7 obfuscation), so copies of the configuration
must be protected accordingly.

Sample Configurations for PPP on Two Devices
(R1)s0----------s0(R2)

PPP without CHAP

Router 1:
hostname R1
interface serial 0
encapsulation PPP
no shutdown
Router 2:
hostname R2
interface serial 0
encapsulation PPP
no shutdown

PPP with CHAP Using Default Names and a Shared Password


Router 1:
hostname R1
enable secret toast1
! the username is the peer's host name; the password is the shared CHAP secret
username R2 password ppp-secret
interface serial 0
encapsulation PPP
ppp authentication chap
no shutdown

Router 2:
hostname R2
enable secret cool2
! same shared secret as on R1; the enable secrets play no part in CHAP
username R1 password ppp-secret
interface serial 0
encapsulation PPP
ppp authentication chap
no shutdown
The following is a link where you can read more about PPP/CHAP authentication: http://www.cisco.com/warp/public/471/understanding_ppp_chap.html

Lesson 9: Frame Relay


Frame Relay is a network access protocol similar in principle to X.25. The main difference between Frame Relay
and X.25 lies in data integrity (error detection) and network error flow control (error correction). Whereas X.25
performs both error detection and error correction, Frame Relay performs only error detection.
X.25 performs data checking and correcting at the network level. Consequently, the network devices on an X.25
network correct the corrupt data or ask for the data to be retransmitted. The cost of such checking and
retransmission is network delay.
Frame Relay leaves the task of error correction to the protocols used by intelligent devices at each end of the
network. These intelligent devices provide end-to-end data integrity. Because Frame Relay relies on the devices
at the end to perform retransmission and error recovery, significantly less processing is required in the network,
and less delay occurs overall.
The following command can be used to add a description to an interface to help keep track of permanent virtual
circuits (PVCs). An example of a description might be Frame Relay to Boston.
description descriptive_string
The following command specifies Frame Relay encapsulation:
encapsulation frame-relay [cisco | ietf]
The following command assigns a Data Link Connection Identifier (DLCI) number to the corresponding Frame
Relay subinterface:
frame-relay interface-dlci dlci [broadcast]
A DLCI is assigned by the local Frame Relay provider for every PVC connected to the router. DLCI numbers are not
exchanged between routers. DLCI numbering at one Frame Relay site is mutually exclusive from DLCI numbering
at another site.
The broadcast keyword is optional and should only be included if broadcast packets (e.g., IP, RIP, or IPX RIP/SAP
updates) need to be forwarded out of the subinterface. In static routing examples, routing updates are not
required and the keyword is omitted.
The following command configures the router to expect a certain Frame Relay Local Management Interface (LMI)
type from the Frame Relay provider:
frame-relay lmi-type {ansi | cisco | q933a}
LMI is a Frame Relay control protocol sent to the router from the Frame Relay switch at the service provider and is
not exchanged between routers. The LMI type at one location does not have to match the LMI type at other locations.
Supported LMI Types
cisco    default
ansi     ANSI Annex D
q933a    CCITT Q.933a

The following command is used in multipoint Frame Relay examples and defines a static mapping between a
protocol address and a Frame Relay DLCI:
frame-relay map ip ip_address dlci [broadcast]
Again, the broadcast keyword is optional and should only be included if broadcast packets need to be forwarded
out of the subinterface. In static routing examples, routing updates are not required and the keyword is omitted.
The following command creates a logical Frame Relay subinterface and defines it as a point-to-point or multipoint connection:
interface serial0.subinterface_# [point-to-point | multipoint]
A subinterface is treated as if it were a separate interface dedicated for a PVC to a remote site. Serial0 indicates
that the subinterface belongs to the physical serial 0 interface, and subinterface _# is the unique subinterface
ID number. The subinterface ID number can be any unique value between 0 and 4,294,967,295 and does not have
to be in any particular order (i.e., it is not necessary to begin with 1 and sequentially progress with 2, 3, and so
on). In fact, to reduce confusion, it is good practice to identify a subinterface with the same number as the DLCI
used on that subinterface.
The following command configures an interface with an IP address and subnet mask:
ip address ip_address subnet_mask

Lesson 10: Access Lists


As the name implies, access lists are sequential lists of rules that are used to allow or prevent the flow
of packets within a network based on information provided within the list. Standard IP access lists are very
straightforward because the source IP address of a packet is the only criterion used to determine whether the
packet should be permitted or denied.
Access lists can be used for a variety of reasons, including controlling the propagation and reception of
routing updates, traffic shaping, defining the traffic that will trigger dial backup connectivity, and security. The
primary implementation, and the main topic of this lesson, is the implementation of the access list as a security
mechanism.

Implementing Restricted Access


You may choose to implement security policies for a variety of reasons, including, but certainly not limited to, the
prevention of outside attacks on company devices, isolation of interdepartmental traffic, and load distribution.
Without the use of access lists, all packets within a network are allowed without restriction to all parts of the
network.
When an access list is used as a "firewall," routers can limit or restrict access to the internal network from
an outside network such as the Internet. This type of access list is typically placed at the point of connection
between the two networks. When an access list is used for interdepartmental isolation, the access list is typically
placed at strategic locations within the internal network.

The Basics of Standard IP Access Lists


The basic format of the standard IP access list is as follows:
access-list [#] [permit | deny] [source_address | any] [source_mask]
An access list may contain multiple lines, each following the format shown above. The access list may specify
multiple source IP addresses to be evaluated. Each line entry of the access list must carry the same access list
number (identifier) so the router knows that the entries belong to the same access list. Always remember
that access lists are processed from the top down, which means that the first line of the access list is checked,
then the second, and so on. The router immediately stops processing the access list upon the first "match."
Therefore, order matters in two ways: a specific entry (such as a single host) must come before any broader entry
that would also match it, and within that constraint the entries that match the most traffic should be placed near
the top to avoid extra processing.
Various access lists can be defined for different protocols within a router. The router will know the type of access
list based on the access list number that is assigned. The numbering range for standard IP access lists is from
1 through 99. All standard IP access lists must be numbered within this range.
After a number in the appropriate range has been assigned to the access list, the list dictates whether the
packets to be evaluated will be permitted (allowed to pass) or denied (dropped and not allowed to pass). This
is accomplished by using the permit or deny keyword in the access-list command. The keyword instructs the
router to allow or deny the packet based on the next specified parameter, which is the source IP address being
permitted or denied.
The standard IP access list allows for a source mask to be applied to the source IP address. Although similar to
the subnet mask that is applied to IP addresses, the source mask (also called a wildcard mask) is somewhat
different. When a source mask is used with IP access lists, a bit set to 0 means "match exactly," and a bit set to 1
means "do not care." For example, if you would like to include all hosts in the Class C network 192.1.1.0, the
source address-source mask combination would be 192.1.1.0 0.0.0.255. The source mask stipulates that all bits
in the first, second, and third octets of the address (192.1.1) must match exactly (indicated by 0.0.0, or all
zeros, in the source mask for the first, second, and third octets), but you "do not care" which bits are set in
the fourth octet (indicated by 255, or all ones, in the source mask for the fourth octet). The use of this source
address-source mask combination allows a single line in the access list to include all hosts in the 192.1.1.0
network.
Using the keyword any is the same as using a source address-source mask combination of 0.0.0.0
255.255.255.255. The 255.255.255.255 source mask indicates that you do not care which bits are set in any
of the four octets. The use of the source mask parameter is optional. If it is omitted from the configuration line,
the router will, by default, use a source mask of 0.0.0.0 and match exactly the address entered.
After an access list has been created, the Cisco router will assume that any source IP addresses that are not
explicitly permitted in the list will be denied. In other words, at the end of the access list, the router will
implicitly deny all remaining traffic. If your access list has been configured to permit only a single source
address of 1.1.1.1, all other source addresses will be implicitly denied.

Creating a Simple Standard IP Access List


Now we will discuss creating a standard IP access list using the following format:
access-list [#] [permit | deny] [source_address | any] [source_mask]

Access lists are created in the router's global configuration mode. Remember that all standard IP access lists
must be numbered in the range of 1 through 99. The following commands permit traffic from address 1.1.1.1
and deny all other traffic:
Router#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#access-list 1 permit host 1.1.1.1
Router(config)#exit
Router#
This configuration creates a permit statement for host address 1.1.1.1. The host keyword is equivalent to a
source mask of 0.0.0.0 (match exactly), which is also the default the router uses when the mask is omitted. Do not
forget the implicit deny any statement at the end of the access list; this automatically denies any traffic that
was not explicitly permitted.

Applying the Access List to an Interface


The access list has to be applied to an interface in order for the list to take effect. The interface configuration
command for applying a standard IP access list to an interface is as follows:
ip access-group [access_list_number] [in | out]
Access lists can be applied as either outbound or inbound on the router interfaces. When an access list is applied
as an inbound list and the router receives an inbound packet, it checks the source address of the packet against
the access list. The packet is routed to the destination interface if the source address matches a permit statement
in the access list. The packet is discarded if the source address matches a deny statement in the access list.
When an access list is applied as an outbound list and the router receives a packet on an interface, the packet is
routed to the appropriate outbound interface, and the source address of the packet is then checked against the
access list. At this point, the router either permits the packet to exit the interface if its source address matches a
permit statement in the access list or discards the packet if its source address matches a deny statement in the
access list.
The following commands apply access list 1 to interface Ethernet 0 as an inbound access list. Note the in parameter in the ip access-group 1 command.
Router#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#int Ethernet 0
Router(config-if)#ip access-group 1 in
Router(config-if)#exit
Router(config)#exit
Router#
The following commands apply access list 1 to interface Ethernet 0 as an outbound access list. Note the out
parameter in the ip access-group 1 command.
Router#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#int Ethernet 0
Router(config-if)#ip access-group 1 out
Router(config-if)#exit
Router(config)#exit
Router#

Creating a More Advanced Standard IP Access List


In this exercise, we will create access list 2 to meet the following criteria:
Permit all packets originating from network 10.1.1.0 255.255.255.128.
Deny all packets originating from network 10.1.1.128 255.255.255.128.
Deny all packets originating from network 15.1.1.0, except for packets from a single host of 15.1.1.5.
Permit all other traffic not previously mentioned.
The following commands will accomplish these goals:
Router#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#access-list 2 deny 10.1.1.128 0.0.0.127
Router(config)#access-list 2 permit host 15.1.1.5
Router(config)#access-list 2 deny 15.1.1.0 0.0.0.255
Router(config)#access-list 2 permit any
Router(config)#exit
Router#
One of the first things you may notice about the configuration is that there is no permit statement for
the 10.1.1.0 255.255.255.128 network, which the criteria specified must be permitted. The last line of the access
list, Router(config)#access-list 2 permit any, takes care of this criterion. Review the criteria, and verify that
the necessary tasks have been completed:
Permit all packets originating from network 10.1.1.0 255.255.255.128.
The last line of the access list, Router(config)#access-list 2 permit any, accomplishes this criterion. It
is not necessary to explicitly permit the 10.1.1.0 255.255.255.128 network in the access list because no
other statement in the access list denies this network.
Deny all packets originating from network 10.1.1.128 255.255.255.128.
The first line of the access list, Router(config)#access-list 2 deny 10.1.1.128 0.0.0.127, accomplishes
this criterion. The subnet mask specified for the network was 255.255.255.128, which means the first bit
of the fourth octet has been assigned to the subnet and the last seven bits have been reserved for host
addressing. Thus, the source mask in the deny statement, 0.0.0.127, indicates that you do not care
about the final seven bits of the fourth octet.
Deny all packets originating from network 15.1.1.0, except for packets from a single host of 15.1.1.5.
This has been accomplished with line two, Router(config)#access-list 2 permit host 15.1.1.5, and line three,
Router(config)#access-list 2 deny 15.1.1.0 0.0.0.255, of the access list. Remember that access lists
are processed top down and that, upon the first match, processing stops and action is taken. The criteria
stipulated that packets from network 15.1.1.0 be denied and that packets from host 15.1.1.5 be permitted. If
lines two and three had been swapped and the entire 15.1.1.0 network was denied prior to permitting host
15.1.1.5, packets with a source address of 15.1.1.5 would match the more general deny 15.1.1.0 entry first;
thus, the host would have been denied before it could have been permitted.

The final criterion is to permit all other traffic not previously mentioned.
The last line of the access list, Router(config)#access-list 2 permit any, accomplishes this by permitting
all packets that were not matched in the first three lines of the list.
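A small evaluator for standard access lists, added here as an example that is not part of the lab manual and not Cisco's code: it parses `access-list` lines in the format shown earlier in this lesson, applies them top down with first match wins and the implicit deny at the end, and runs access list 2 both as written and with lines two and three swapped, so the effect of ordering on host 15.1.1.5 can be seen rather than argued. The probe addresses are constructed; the `decisions` helper and its name are this example's own.

```python
"""Standard IP access list semantics: top-down, first match, implicit deny.

Added example; not code from the lab manual or from Cisco IOS.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Entry:
    action: str      # "permit" or "deny"
    network: int     # source address as a 32-bit integer
    wildcard: int    # 0 bit = must match, 1 bit = don't care


def _ip(text: str) -> int:
    return int(ipaddress.IPv4Address(text))


def parse_standard_acl(lines: List[str]) -> Dict[int, List[Entry]]:
    """Parse 'access-list N permit|deny SOURCE' lines into per-number entry lists.

    SOURCE may be 'any', 'host A.B.C.D', 'A.B.C.D WILDCARD', or a bare
    'A.B.C.D' (which IOS treats as wildcard 0.0.0.0).  Entries keep the order
    they were typed in, because that order is the evaluation order.
    """
    acls: Dict[int, List[Entry]] = {}
    for line in lines:
        parts = line.split()
        if len(parts) < 4 or parts[0] != "access-list":
            raise ValueError(f"not a standard access-list line: {line!r}")
        number, action, source = int(parts[1]), parts[2], parts[3:]
        if not 1 <= number <= 99:
            raise ValueError(f"{number} is outside the standard IP range 1-99")
        if action not in ("permit", "deny"):
            raise ValueError(f"unknown action {action!r}")
        if source[0] == "any":
            network, wildcard = 0, 0xFFFFFFFF
        elif source[0] == "host":
            network, wildcard = _ip(source[1]), 0
        else:
            network = _ip(source[0])
            wildcard = _ip(source[1]) if len(source) > 1 else 0
        acls.setdefault(number, []).append(Entry(action, network, wildcard))
    return acls


def evaluate(acl: List[Entry], source_ip: str) -> str:
    """Top-down, first match wins; no match falls through to the implicit 'deny any'."""
    src = _ip(source_ip)
    for entry in acl:
        if (src ^ entry.network) & ~entry.wildcard & 0xFFFFFFFF == 0:
            return entry.action
    return "deny"


# Access list 2 exactly as built in the lesson.
ACL2_LINES = [
    "access-list 2 deny 10.1.1.128 0.0.0.127",
    "access-list 2 permit host 15.1.1.5",
    "access-list 2 deny 15.1.1.0 0.0.0.255",
    "access-list 2 permit any",
]
# The same list with lines two and three swapped (a constructed mistake).
ACL2_SWAPPED = [ACL2_LINES[0], ACL2_LINES[2], ACL2_LINES[1], ACL2_LINES[3]]


def decisions(lines: List[str], sources: List[str]) -> Dict[str, str]:
    """Evaluate every source address against the single list defined by ``lines``."""
    (number, acl), = parse_standard_acl(lines).items()
    return {ip: evaluate(acl, ip) for ip in sources}


if __name__ == "__main__":
    probes = ["10.1.1.5", "10.1.1.133", "15.1.1.5", "15.1.1.9", "192.168.7.7"]
    print("as written:", decisions(ACL2_LINES, probes))
    print("swapped   :", decisions(ACL2_SWAPPED, probes))
```

The evaluator deliberately knows nothing about interfaces or direction; it models only what the router does once it has decided to consult the list, which is the part that ordering and the implicit deny affect.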

Bringing It All Together


In general, the process for creating and implementing standard IP access lists is as follows:
1. Define the goals of the access list.
2. Create the access list with a number in the range of 1 through 99.
3. Apply the access list, either inbound or outbound, to the appropriate interface.
Items 1 and 2 above have been fairly well covered in this lesson. Lastly, the placement of the access list needs to
be discussed. In general, standard IP access lists should be placed nearer to the destination than to the source.
However, this is not an absolute rule; certain exceptions exist. Due to the fact that standard IP access lists only
operate on the source address, detailed granularity is not always possible. Care must be taken to avoid implementing undesirable policies. If a standard access list is placed near the source, it is possible that access will
be impeded to devices other than those intended.
For example, if access list 2, which we created in this lesson, were implemented as an inbound access list on the
Ethernet interface of a router directly connected to the 15.1.1.0 network, the only host on that segment that would
be allowed off the local segment would be 15.1.1.5. This access list would most likely be implemented as an outbound
access list on the remote end of the connection, where the filtering of packets is truly desired.
In the diagram below, assume that Workstation C has the 15.1.1.5 IP address and that Workstation D has the
10.1.1.133 IP address. You want to implement a policy for Workstation A that only allows Workstation C access
from Ethernet C. You also want to implement a policy that will deny any access from Ethernet D. Access list
placement is critical in this situation. If access list 2 from above is implemented as an outbound access list on
the remote router's serial interface, you will accomplish the desired task, but you will also deny traffic from
Ethernet D to Ethernet B, which is undesired. The same scenario holds true if the access list is implemented as
an inbound access list on Router 1's serial interface. If you place this access list as an outbound access list on
Router 1's Ethernet A interface, the desired policy is intact without any unwanted policy implementations.

[Diagram: access list placement example with Router 1, Ethernet A through Ethernet D, and Workstations A, C, and D (not reproduced).]

Access List Cheat Sheet


Wildcard masks have a variety of uses in access lists, but typically you will want to do one of the following:
Match a specific host
Match an entire subnet
Match an IP range
Match every host and any host
Here are some simple examples to accomplish these requirements.

Match a Specific Host

All wildcard mask bits are zeros. For a standard access list to permit the host 192.168.0.58, you could use the
following command:
access-list 1 permit 192.168.0.58 0.0.0.0
Because standard access lists assume a 0.0.0.0 mask, you could rewrite the command as follows:
access-list 1 permit 192.168.0.58
For an extended access list (numbered 100 through 199) to permit the same host of 192.168.0.58, you should use
one of the following commands:
access-list 101 permit ip 192.168.0.58 0.0.0.0 any
OR
access-list 101 permit ip host 192.168.0.58 any

Match an Entire Subnet

The key to matching an entire subnet is to use the following formula for the wildcard mask:
Wildcard mask = 255.255.255.255 - subnet mask
So, for example, if the current subnet mask is 255.255.255.0, the wildcard mask would be 0.0.0.255, as calculated below:
255.255.255.255 - 255.255.255.0 = 0.0.0.255
In this equation, subtract each octet separately, since an IP address is not a single whole number.
To permit access to the network of 200.0.18.0 with a subnet mask of 255.255.255.0, you should use the following
commands.
Using a standard access list:
access-list 1 permit 200.0.18.0 0.0.0.255
Using an extended access list:
access-list 101 permit ip 200.0.18.0 0.0.0.255 any
To permit access to the network of 10.4.0.0 with a subnet mask of 255.255.0.0, you should use the following
commands.
Using a standard access list:
access-list 1 permit 10.4.0.0 0.0.255.255
Using an extended access list:
access-list 100 permit ip 10.4.0.0 0.0.255.255 any

Match an IP Range
Consider the range of 10.3.16.0 through 10.3.31.255. In order to find the wildcard mask, subtract the lower IP
address from the higher IP address, octet by octet:
10.3.31.255 - 10.3.16.0 = 0.0.15.255
In this case, the wildcard mask for this range is 0.0.15.255.
To permit access to this range, you should use the following commands.
Using a standard access list:
access-list 1 permit 10.3.16.0 0.0.15.255
Using an extended access list:
access-list 100 permit ip 10.3.16.0 0.0.15.255 any
Note that this subtraction yields a usable mask only when the range is an aligned block: each non-zero value in the
mask must be one less than a power of 2 (i.e., 0, 1, 3, 7, 15, 31, 63, 127, 255), and the first address must be a
multiple of the block size. A range that does not meet both conditions needs more than one access-list line.
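The subnet and range calculations from this cheat sheet, carried out in code as an added example that is not part of the lab manual: the subnet-mask inversion, the subtraction for an aligned range with both alignment conditions checked, and, going beyond the single aligned example in the text, the general case that splits any range into the fewest aligned blocks (each one a separate access-list line). The `acl_lines` helper and its name are this example's own; the standard-list number 10 used in the demonstration is constructed.

```python
"""Wildcard masks for standard access lists: subnet, aligned range, any range.

Added example; not code from the lab manual or from Cisco IOS.
"""
import ipaddress
from typing import List, Tuple


def subnet_mask_to_wildcard(mask: str) -> str:
    """Wildcard = 255.255.255.255 - subnet mask, done as a bitwise inversion."""
    return str(ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(mask))))


def range_to_wildcard(first: str, last: str) -> Tuple[str, str]:
    """One (address, wildcard) pair for an aligned range, else ValueError.

    The subtraction trick from the text works only when the range is a block
    whose size is a power of two and whose first address is a multiple of
    that size; both conditions are checked here.
    """
    lo, hi = int(ipaddress.IPv4Address(first)), int(ipaddress.IPv4Address(last))
    if hi < lo:
        raise ValueError("last address precedes first address")
    size = hi - lo + 1
    if size & (size - 1):
        raise ValueError(f"range of {size} addresses is not a power of two")
    if lo & (size - 1):
        raise ValueError(f"{first} is not aligned to a block of {size} addresses")
    return first, str(ipaddress.IPv4Address(hi - lo))


def range_to_wildcards(first: str, last: str) -> List[Tuple[str, str]]:
    """General case: split any range into the fewest aligned blocks.

    Each block becomes one access-list line.  For an aligned range the result
    is the single pair range_to_wildcard() returns.
    """
    lo, hi = ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)
    return [
        (str(net.network_address), str(net.hostmask))
        for net in ipaddress.summarize_address_range(lo, hi)
    ]


def acl_lines(number: int, action: str, first: str, last: str) -> List[str]:
    """Render the blocks as standard access-list lines (numbers 1-99)."""
    if not 1 <= number <= 99:
        raise ValueError("standard IP access lists are numbered 1-99")
    if action not in ("permit", "deny"):
        raise ValueError(f"unknown action {action!r}")
    return [f"access-list {number} {action} {net} {wc}"
            for net, wc in range_to_wildcards(first, last)]


if __name__ == "__main__":
    print(subnet_mask_to_wildcard("255.255.255.0"))
    print(range_to_wildcard("10.3.16.0", "10.3.31.255"))
    # 10.3.16.0-10.3.33.255 is 18 blocks of 256: not a power of two, so it
    # cannot be one line, and the general routine emits two.
    for line in acl_lines(10, "permit", "10.3.16.0", "10.3.33.255"):
        print(line)
```

The two error branches in `range_to_wildcard` are the cases the text's rule about "one less than a power of 2" does not cover on its own: a range of the right size that starts at the wrong address (10.3.17.0 through 10.3.32.255) still has no single wildcard.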

Match Every Host and Any Host

This is the easiest access list to create.

Using a standard access list:
access-list 1 permit any
OR
access-list 1 permit 0.0.0.0 255.255.255.255
Using an extended access list:
access-list 100 permit ip any any

Lesson 11: Switches


Switches, which work at the Data Link layer (Layer 2) of the Open Systems Interconnection (OSI) model, concentrate
the point of attachment for workstations, servers, routers, hubs, and other switches. A switch provides a
dedicated point-to-point connection between two networking devices; thus, on a full-duplex port, collisions do not occur.

Switch Components
A switch includes the same kinds of hardware components as a PC, including a CPU, RAM, and the Cisco Internetwork
Operating System (IOS). A switch can be managed the same way as a router: you can connect to its console port, open
a remote session to its IP address (Telnet sends credentials in clear text, so use SSH where the platform supports
it), and even replace the IOS image through the use of TFTP.
Switches use some of the same commands that routers use. To check information about the interfaces, you can
use the show interfaces command. To display the IP information for the interfaces, use the show ip interface
command. To find information relating to the model number or IOS version, use the show version command. To
view the running configuration file, use the show running-config command.
The show mac-address-table command displays the MAC address table for the switch. This table maps each MAC
address the switch has learned to the port on which it was learned.

Command-Line Interface
User Mode vs. Privileged Mode

User mode is indicated by the > prompt that follows the switch name. In user mode, you can look at some of the
switch's settings, but you cannot change them. In privileged mode, accessed by using the enable command in
user mode and indicated by the # prompt, you can use the different show commands to view all settings on the
switch. From privileged mode, you can access configuration mode by using the config terminal command.
Switch>
Switch>enable
Switch#

Accessing Help

To view all commands available from this mode, type ?. This will display a list of all available commands in the
current mode. You can also use the question mark after you have started typing a command. For example if you
want to use a show command but you do not remember which one to use, type show ? to display all commands
that you can use with the show command.
r1#show ?
access-expression  List access expression
access-lists       List access lists
backup             Backup status
cdp                CDP information
clock              Display the system clock
cls                DLC user information
compress           Show compression statistics
configuration      Contents of Non-Volatile memory
--More--

Configuration Mode
From privileged mode, you can enter configuration mode by using the config terminal command. You can exit
configuration mode by typing end or pressing the CTRL+Z key combination.
Switch#config t
Switch(config)#end
