CCNA - Day School 2


  • T216 Cisco networking (CCNA)

    Day School 2: Practical Resource Pack

    This pack is a take-home study to complement the day schools that are part of T216 Cisco networking. All of the material can be repeated in many settings, applied in a professional context or practised using Packet Tracer or the NetLab+ system if you are taking the ALE.

    1 Command reference
    2 Router configuration
    2.1 Basic router configuration
    3 Redistribution, NAT, DHCP and VLANs
    3.1 Redistribution from a static route to a dynamic routing protocol
    3.2 Adding NAT and DHCP
    3.3 To check DHCP
    3.4 To check NAT
    3.5 Adding VLANs
    4 Open Shortest Path First (OSPF) and Access Control Lists (ACLs)
    4.1 OSPF configuration
    4.2 ACL configuration
    5 Answers to questions

    1 Command reference

    Table 1 gives a list of some of the most important commands, in no particular order, and the results they generate.

    Table 1 List of commands

    | Command | Result |
    |---|---|
    | enable | enter Privilege mode |
    | configure terminal | does what it says on the label |
    | copy running-config startup-config | copies RAM to Flash for a restart |
    | erase startup-config | erases Flash |
    | reload | restarts router (warm) |
    | show interfaces | lists all interfaces |
    | show ip route | displays RIP and IGRP discovered routers |
    | show CDP neighbors (detail) | displays discovered and associated Cisco devices not necessarily using a routing protocol |
    | ping | can send echoes to routers and hosts (can vary packet size and number of hits) |
    | telnet | connects remotely to another router |
    | interface? | selects the interface to configure |
    | ip address x.x.x.x s.s.s.s | issues an interface with IP address x and subnet mask s |
    | shutdown | terminates the operation of an interface |
    | no | reverses the operation of a command |
    | ip host X y.y.y.y z.z.z.z | creates a host table entry X with associated addresses y and z etc. |
    | router | sets the routing protocol |
    | network x.x.x.x (w.w.w.w area x) | declares the adjacent networks |
    | clock rate 56000 | must be applied to the DCE on a serial link |
    | enable secret class | sets Privilege mode password |
    | hostname X | sets the hostname to X |
    | line con 0 | sets the console exec mode |
    | password x | have a guess |
    | line vty 0 4 | sets the telnet password |
    | login | enables remote access |
    | ? | help! |
    | show interface e0/s0/s1 | can show specifics for a given interface |
    | show ip interface e0/s0/s1 | can show IP specifics for a given interface |
    | show sessions/users | shows who is connected to your router via console or telnet |
    | end/exit | terminates session or configuration |
    | show version | displays IOS version and memory details |
    | show arp | lists Ethernet MAC addresses learnt from an adjoined network |
    | show clock | time as always |
    | show flash | shows non-volatile memory size |
    | show protocol | IP settings along with other protocols |
    | show ip protocol | IP and routing settings |
    | show history | lists commands |
    | traceroute x.x.x.x | shows hops from router to address x |
    | clear counters | resets the interface counters for packets |
    | banner motd | enables a message to be displayed at log-in |
    | description | like a remark to be placed on an interface |
    | ip http server | enables web-based interface on router |
    | config-register | selects the boot source |
    | clear arp | clears the current ARP table |
    | ip route x.x.x.x s.s.s.s x.x.x.x; ip route x.x.x.x s.s.s.s exit-interface | creates a static entry in the routing table |
    | redistribute static | passes static route information across the routed protocol |
    | default-information originate | passes default route information across the routed protocol |
    | router ospf process-id (global configuration command) | configures an OSPF routing process; the no form terminates an OSPF routing process |
    | network address wildcard-mask area area-id (router configuration command) | defines the interfaces on which OSPF runs and the area ID for those interfaces |
    | ip ospf priority number (interface configuration command) | sets the router priority, which helps to determine the designated router for this network; the no form returns to the default value |
    | show ip ospf interface [type number] (EXEC command) | displays OSPF-related interface information |
    | ip ospf authentication-key password (interface configuration command) | assigns a password to be used by neighbouring routers that are using OSPF's simple password authentication; the no form removes a previously assigned OSPF password |
    | area area-number authentication [message-digest] (router configuration command) | configures area parameters such as authentication and summarisation |
    | ip ospf message-digest-key key-id md5 key (interface configuration command) | enables OSPF Message Digest 5 (MD5) authentication; the no form removes an old MD5 key |
    | ip ospf hello-interval seconds (interface configuration command) | specifies the interval between hello packets that the Cisco IOS software sends on the interface |
    | ip ospf dead-interval seconds (interface configuration command) | specifies how long hello packets must not have been seen before its neighbours declare the router down |
    | default-information originate (router configuration command) | generates a default route into OSPF; the no form disables this feature |
    | show ip ospf (EXEC command) | displays general information about OSPF routing processes |
    | show ip ospf neighbor detail (EXEC command) | displays OSPF-neighbour information on a per-interface basis |
    | debug ip ospf adj (privileged EXEC command) | displays all OSPF adjacency events |
    | debug ip ospf events (privileged EXEC command) | displays all OSPF events |

    2 Router configuration

    2.1 Basic router configuration

    Before you start any exercise you will need to repeat this task from Day School 1. In teams this can be accomplished in 20 minutes.

    Figure 1 shows the correct interface identities for a 2600-series router. If you have a 2500-series router, the interfaces should read e0, s0 and s1; if you have a 2800-series router the interface identities are Gi0/0, s0/0/0, and so on. Later in the day you will also be using the switches shown in this diagram. For the time being, please concentrate on R1, R2 and R3 shown in Figure 2.

    Tip: when you get the system started, there is a command show ip interface brief which will always list all interfaces and all identifiers. Also, many routers have the interface id printed on the side, in small type.

    If you are working on a NetLab system for the ALE, all this will already have been done for you.

    Figure 1

    Figure 2

    The console port (shown in Figure 3) is a direct serial connection between your computer and the router. This will enable you to configure the device.

    The computer will need a DB9 adapter, and the connection is accomplished with a rollover cable.

    Figure 3

    Tip: you can complete the two labs for Day School 2 (see sections 3 and 4) in whichever order you like.

    You may find that copying the relevant commands into a text-editor file (e.g. Notepad) for continued reuse will speed up the reconfiguration process after each exercise. If you are completing the alternative learning experience (ALE), Netlab+ has a copy-and-paste clipboard feature that enables you to insert commands from your own computer in a similar manner.

    To access the router from the personal computer you will need to use a terminal emulator.

    Tera Term is a popular application that is easily found on the internet. Alternatively, you can use HyperTerminal, which is installed by default on all Windows versions.

    You will need to create a connection. You can use the com1 port (which is usual) or any other port available on your computer. Figure 4 shows you how to create a connection.

    Figure 4

    Cable up the routers, connect them to the computers and start them (using the switch at the back).

    The purpose of this practical exercise will be to configure this three-router network with three LANs and three WANs, IP addresses and subnets. Figure 5 shows the final configuration.

    Figure 5

    Table 2 gives the command configuration sequence.

    Table 2 Command configuration sequence

    | Router | Command | Purpose (student to complete) |
    |---|---|---|
    | All | enable | |
    | All | configure terminal | |
    | R1 | hostname cornwall | |
    | R2 | hostname somerset | |
    | R3 | hostname devon | |
    | All | interface s0 (or s0/0 or s0/0/0) [remember you need to check] | |
    | Only DCE end! | clock rate 56000 | |
    | All (read plan seen in Fig. 5) | ip address x.x.x.x s.s.s.s | Hint: x.x.x.x is the ip address; s.s.s.s is the subnet mask, /24 is 255.255.255.0 |
    | All | no shutdown | |
    | All | interface s1 (or s0/1 or s0/0/1) | |
    | Only DCE! | clock rate 56000 | |
    | All (read plan) | ip address x.x.x.x s.s.s.s | |
    | All | no shutdown | |
    | All | interface e0 (or fa0/0 or Gi0/0) | |
    | All | ip address x.x.x.x s.s.s.s | |
    | All | no shutdown | |
    | All | interface e1 (or fa0/1 or Gi0/1) | |
    | All | ip address x.x.x.x s.s.s.s | |
    | All | no keepalive | Note: there must be no device connected to this port for this command to be valid. |
    | All | no shutdown | |
    | All | end | |
    | All | copy run start | Tip: you could also try ... wr |
    | To test | | |
    | All | show ip interface brief | |
    | All | ping x.x.x.x (must be adjacent router IP address) | Do not progress until adjacent routers can ping each other; they will not be able to ping afar yet. |

    Notes:

    3 Redistribution, NAT, DHCP and VLANs

    3.1 Redistribution from a static route to a dynamic routing protocol

    Many networks will have a combination of static and dynamic routing taking place; this is commonplace when you have a stub (out on a limb) system connected to the main network infrastructure.

    Tip: before commencing, you will need to ensure that the system is back to the basic configuration found in section 2.

    Netlab+ tip: if you are using Netlab+, you may wish to use a basic router pod or the MAP system. Note that the serial link between R1 and R3 is not being used; you may need to shut down these interfaces. In addition, for the MAP system, ports fa0/5 and 6 on S1 need to be in shut mode, and interface gi0/1 on s1 needs the no keepalive command to enable pings to it.

    If you are at a day school, ignore the Netlab+ advice.

    This exercise is an adaptation of the standard structure used in T216, and assumes the core structure is already configured (Figure 6).

    Figure 6

    Table 3 shows the necessary command sequence for redistribution from static to dynamic routing.

    Table 3 Command sequence for redistribution from static to dynamic routing

    | Router | Command | Purpose (student to complete) |
    |---|---|---|
    | All | configure terminal | |
    | Cornwall | router eigrp 123 | |
    | | network 1.0.0.0 | |
    | | network 192.168.1.0 | |
    | | network 192.168.2.0 | |
    | Somerset | router eigrp 123 | |
    | | redistribute static | |
    | | network 1.0.0.0 | |
    | | network 10.0.0.0 | |
    | | ip route 172.16.0.0 255.255.255.0 2.0.0.2 | |
    | Devon | ip route 0.0.0.0 0.0.0.0 Serial1 (or s0/1 or s0/0/1) | |

    Compare routing tables by using the show ip route command. Try pinging from Devon to a LAN on Cornwall. Also try pinging from the 10.1.1.0 LAN on Somerset to Devon and Cornwall.

    Why can you not ping from Somerset or Cornwall to the 172.17.0.0 network on Devon? What do you need to do to rectify this?

    Netlab+ tip: if you are using Netlab+ you will need to configure and use PCs A, B and C.

    If you are at a day school, ignore the Netlab+ advice.

    3.2 Adding NAT and DHCP

    Before you commence, refer back to Figure 1: PCA and PCC will need to be connected to the E0 (or Fa0/0) connections on Cornwall (R1) and Devon (R3). If you are using Netlab+ this will be available by default, using one of the virtual machines.

    Now refer to Table 4, which has the NAT and DHCP commands for Cornwall and Devon; there is nothing to configure on Somerset.

    Table 4 Clearing the configuration

    | Router | Command | Purpose |
    |---|---|---|
    | Cornwall | configure terminal | |
    | | access-list 1 permit 192.168.1.0 0.0.0.255 | ACLs are used for traffic control as well as creating decision-based rules |
    | | ip nat inside source list 1 interface fastethernet0/0 overload | Or E0 or Gi0/0 |
    | | interface fastethernet 0/0 | Or E0 or Gi0/0 |
    | | ip nat inside | |
    | | interface serial0/0 | Or s0 or s0/0/0 |
    | | ip nat outside | |
    | | exit | |
    | | service dhcp | Optional depending on router being used |
    | | ip dhcp pool cornwallpool | |
    | | network 192.168.1.0 255.255.255.0 | |
    | | default-router 192.168.1.1 | |
    | | dns-server 192.168.1.2 | |
    | | domain-name cornwall.open.ac.uk | This will not work in the real world |
    | | exit | |
    | | ip dhcp excluded-address 192.168.1.1 192.168.1.10 | |
    | | end | |
    | | copy run start | |
    | Devon | configure terminal | |
    | | access-list 1 permit 172.17.0.0 0.0.0.255 | ACLs are used for traffic control as well as creating decision-based rules |
    | | ip nat inside source list 1 interface fastethernet0/0 overload | Or E0 or Gi0/0 |
    | | interface fastethernet 0/0 | Or E0 or Gi0/0 |
    | | ip nat inside | |
    | | interface serial0/1 | Or s1 or s0/0/1 |
    | | ip nat outside | |
    | | exit | |
    | | service dhcp | Optional depending on router being used |
    | | ip dhcp pool devonpool | |
    | | network 172.17.0.0 255.255.255.0 | |
    | | default-router 172.17.0.1 | |
    | | dns-server 172.17.0.2 | |
    | | domain-name devon.open.ac.uk | This will not work in the real world |
    | | exit | |
    | | ip dhcp excluded-address 172.17.0.1 172.17.0.10 | |
    | | end | |
    | | copy run start | |

    3.3 To check DHCP

    Make sure that your computer has DHCP (obtain an IP address automatically) set (see Figure 7). Depending on your version of operating system, this option may appear in different parts of the system; if you go via control panel/network settings (or a similarly named area) you will eventually drill down to the IPv4 settings for your network card.

    Netlab+ tip: if you are using Netlab+, you will need to configure and use PCs A, B and C. If you are at a day school, ignore the Netlab+ advice. If you are getting spurious information, apply the shutdown command to Fa0/18 on S2.

    Figure 7

    Start the command prompt (Figure 8). This may also be available via the start menu or other ways.

    Figure 8

    Run ipconfig to check that the DHCP address has been obtained (see Figure 9, though in this example a different network is in use).

    Figure 9

    Run ipconfig /release to remove the automatic addressing (Figure 10).

    Figure 10

    Run ipconfig /renew to receive a new DHCP licensed address (Figure 11 is representative).

    Figure 11

    3.4 To check NAT

    You must ping the nearside interface on an afar router from the host on the LAN; from the computer on the Cornwall LAN you must ping 1.0.0.2 -t (note that the -t means continuous, no timeout).

    On each router, issue the clear ip nat translation * command and the show ip nat translations command.

    3.5 Adding VLANs

    Continuing from the previous steps, add two individual switches to E1 (Fa0/1) on Cornwall and E1 (Fa0/1) on Devon. As shown in Figure 12, E5 is port 5 or Fa0/5. Remember this is the base network, which is the MAP (multi-access pod) on Netlab+, so the switches should already be available.

    Figure 12

    Table 5 shows a sequence of commands for S1 and S3, enabling three VLANs.

    Table 5 VLAN configuration

    | Router | Command | Purpose |
    |---|---|---|
    | S1 | enable | |
    | | del vlan.dat | |
    | | configure terminal | |
    | | hostname cornwall_LAN | |
    | | vlan 10 | |
    | | name core | |
    | | exit | |
    | | vlan 20 | |
    | | name Camborne | |
    | | exit | |
    | | vlan 30 | |
    | | name StIves | |
    | | exit | |
    | | vlan 40 | |
    | | name Penzance | |
    | | exit | |
    | | interface range fa0/1 - 5 | |
    | | no shutdown | |
    | | switchport mode access | |
    | | switchport access vlan 10 | |
    | | exit | |
    | | interface range fa0/6 - 10 | |
    | | no shutdown | |
    | | switchport mode access | |
    | | switchport access vlan 20 | |
    | | exit | |
    | | interface range fa0/11 - 15 | |
    | | no shutdown | |
    | | switchport mode access | |
    | | switchport access vlan 30 | |
    | | exit | |
    | | interface range fa0/16 - 20 | |
    | | no shutdown | |
    | | switchport mode access | |
    | | switchport access vlan 40 | |
    | | exit | |
    | S3 | enable | |
    | | del vlan.dat | |
    | | configure terminal | |
    | | hostname devon_LAN | |
    | | vlan 10 | |
    | | name core | |
    | | exit | |
    | | vlan 20 | |
    | | name Exeter | |
    | | exit | |
    | | vlan 30 | |
    | | name Barnstaple | |
    | | exit | |
    | | vlan 40 | |
    | | name Torquay | |
    | | exit | |
    | | interface range fa0/1 - 5 | |
    | | no shutdown | |
    | | switchport mode access | |
    | | switchport access vlan 10 | |
    | | exit | |
    | | interface range fa0/6 - 10 | |
    | | no shutdown | |
    | | switchport mode access | |
    | | switchport access vlan 20 | |
    | | exit | |
    | | interface range fa0/11 - 15 | |
    | | no shutdown | |
    | | switchport mode access | Netlab+ tip: if you are using Netlab+ you will notice CDP native vlan mismatch warnings. Ignore these unless you have shut down ports from S1 to S2 and S3, as well as S2 to S1 and S3. |
    | | switchport access vlan 30 | |
    | | exit | |
    | | interface range fa0/16 - 20 | |
    | | no shutdown | |
    | | switchport mode access | |
    | | switchport access vlan 40 | |
    | | exit | |

    On each switch, issue a show vlan command. How has the switch been reorganised?
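    As a cross-check for the show vlan output, the following added example (not part of the original pack) replays the S1 commands from Table 5 and derives which ports end up in which VLAN. The 24-port switch size and the function name vlan_layout are assumptions made for illustration.

```python
import re

# S1 commands copied from Table 5 (VLAN and interface lines only).
S1_COMMANDS = """
vlan 10
name core
exit
vlan 20
name Camborne
exit
vlan 30
name StIves
exit
vlan 40
name Penzance
exit
interface range fa0/1 - 5
no shutdown
switchport mode access
switchport access vlan 10
exit
interface range fa0/6 - 10
no shutdown
switchport mode access
switchport access vlan 20
exit
interface range fa0/11 - 15
no shutdown
switchport mode access
switchport access vlan 30
exit
interface range fa0/16 - 20
no shutdown
switchport mode access
switchport access vlan 40
exit
"""

PORT_COUNT = 24  # assumption: a 24-port FastEthernet switch


def vlan_layout(commands, port_count=PORT_COUNT):
    """Return {vlan_id: {"name": str, "ports": [port numbers]}} after the commands run."""
    names = {1: "default"}                                 # VLAN 1 always exists
    port_vlan = {p: 1 for p in range(1, port_count + 1)}   # every port starts in VLAN 1
    vlan_ctx, port_ctx = None, []                          # current config sub-mode
    for raw in commands.splitlines():
        line = raw.strip()
        if m := re.fullmatch(r"vlan (\d+)", line, re.I):
            vlan_ctx, port_ctx = int(m[1]), []
            names.setdefault(vlan_ctx, f"VLAN{vlan_ctx:04d}")
        elif (m := re.fullmatch(r"name (\S+)", line, re.I)) and vlan_ctx is not None:
            names[vlan_ctx] = m[1]
        elif m := re.fullmatch(r"interface range fa0/(\d+) - (\d+)", line, re.I):
            vlan_ctx, port_ctx = None, list(range(int(m[1]), int(m[2]) + 1))
        elif m := re.fullmatch(r"switchport access vlan (\d+)", line, re.I):
            vlan = int(m[1])
            names.setdefault(vlan, f"VLAN{vlan:04d}")      # a missing VLAN gets a default name
            for port in port_ctx:
                if port in port_vlan:                      # ignore ports the switch lacks
                    port_vlan[port] = vlan
        elif line.lower() == "exit":
            vlan_ctx, port_ctx = None, []
        # other lines (no shutdown, switchport mode access) do not change membership
    layout = {vlan: {"name": name, "ports": []} for vlan, name in names.items()}
    for port, vlan in sorted(port_vlan.items()):
        layout[vlan]["ports"].append(port)
    return layout


if __name__ == "__main__":
    for vlan, info in sorted(vlan_layout(S1_COMMANDS).items()):
        ports = ", ".join(f"Fa0/{p}" for p in info["ports"])
        print(f"{vlan:<5}{info['name']:<12}{ports}")
```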

    When you have completed this lab you must complete the commands shown in Table 6, on all devices.

    Table 6 Clearing the configuration

    | Router | Command | Purpose (student to complete) |
    |---|---|---|
    | All | erase start | |
    | All | reload | |

    Tip: did you read the tip at the end of section 2?

    4 Open Shortest Path First (OSPF) and Access Control Lists (ACLs)

    4.1 OSPF configuration

    OSPF is a multi-area protocol, which can be configured to ensure that it listens for updates on a range of possible interface addresses. This means that it uses the wildcard mask, synonymous with ACLs, to add simple decision-making to routing.

    Before commencing you will need to ensure that the system is back to the basic configuration found in section 2. This exercise is an adaptation of the standard structure used in T216, and assumes that the core structure is already configured. Figure 13 shows the set-up required, and Table 6 shows the necessary command sequence.

    Figure 13

    Table 6 OSPF command sequence

    | Router | Command | Purpose (student to complete) |
    |---|---|---|
    | All | show run | Check your running configuration |
    | All | show ip interface brief | Check your interfaces are up |
    | All | configure terminal | |
    | All | router ospf 1 | Note: this is the process id, not the area |
    | Cornwall | network 1.0.0.0 0.0.0.255 area 0 | |
    | | network 3.0.0.0 0.0.0.255 area 0 | |
    | | network 192.168.1.0 0.0.0.255 area 0 | |
    | | network 192.168.2.0 0.0.0.255 area 0 | |
    | Somerset | network 1.0.0.0 0.0.0.255 area 0 | |
    | | network 2.0.0.0 0.0.0.255 area 0 | |
    | | network 10.1.1.0 0.0.0.255 area 0 | |
    | | network 10.2.2.0 0.0.0.255 area 0 | |
    | Devon | network 3.0.0.0 0.0.0.255 area 0 | |
    | | network 2.0.0.0 0.0.0.255 area 0 | |
    | | network 172.16.0.0 0.0.0.255 area 0 | |
    | | network 172.17.0.0 0.0.0.255 area 0 | |
    | All | end | |
    | All | copy run start | |
    | All | show ip route | |
    | All | show ip ospf | |
    | All | show ip ospf neighbor | |
    | If session time permits: | | |
    | Cornwall | interface s0, s0/0 or s0/0/0 | |
    | | ip ospf priority 33 | |
    | | interface s1, s0/1, or s0/0/1 | |
    | | ip ospf priority 33 | |
    | Somerset | interface s0 | |
    | | ip ospf priority 66 | |
    | | interface s1, s0/1, or s0/0/1 | |
    | | ip ospf priority 66 | |
    | Devon | interface s0, s0/0 or s0/0/0 | |
    | | ip ospf priority 99 | |
    | | interface s1, s0/1, or s0/0/1 | |
    | | ip ospf priority 99 | |
    | All | end | |
    | All | copy run start | |
    | All | clear ip ospf process | This must be done simultaneously on all routers. |
    | All | show ip ospf neighbor | |

    Like most complex routing protocols, OSPF timers and router priorities can be adapted. Using a loopback interface, how would you add another entry to the OSPF routing tables? You may need to complete a little research on how this command works.

    Netlab+ tip: if you are using Netlab+, you will need to shut down ports fa0/5 and 6 on S1 and fa0/5 and 18 on S3.

    4.2 ACL configuration

    In this exercise you should reuse the base configuration from the OSPF exercise (see Figure 13). Any suggested additions you may have made should not affect this exercise.

    Table 8 shows the syntax of the ACL commands you will use in this exercise. ACLs are complex, powerful and subtle commands. For the range of commands available, refer to the Cisco material.

    Table 8 ACL command syntax

    | Command | Result |
    |---|---|
    | access-list 101 deny tcp/udp/icmp x.x.x.x w.w.w.w y.y.y.y w.w.w.w eq port (or echo) | Blocks specific class of traffic; x is the source address, w is wildcard, y is the destination address |
    | access-list 101 permit ip any any | Allows any other traffic |
    | ip access-group 101 in/out | Applies access list to inbound/outbound traffic |

    The rules will be as follows:

    stop a LAN on Somerset from reaching (pinging) a LAN on Cornwall
    stop a LAN on Cornwall from reaching (pinging) a LAN on Devon
    stop a LAN on Devon from reaching (pinging) a LAN on Somerset
    allow all other traffic.

    Table 9 shows the command sequence for extended ACLs.

    Table 9 Command sequence for extended ACLs

    | Router | Command |
    |---|---|
    | All | configure terminal |
    | Cornwall | access-list 101 deny icmp 10.1.1.0 0.0.0.255 192.168.1.0 0.0.0.255 echo |
    | Devon | access-list 101 deny icmp 192.168.2.0 0.0.0.255 172.16.0.0 0.0.0.255 echo |
    | Somerset | access-list 101 deny icmp 172.17.0.0 0.0.0.255 10.2.2.0 0.0.0.255 echo |
    | All | access-list 101 permit ip any any |
    | All | interface s0 (or s0/0) |
    | | ip access-group 101 in |
    | | interface s1 (or s0/1) |
    | | ip access-group 101 in |
    | All | Complete an extended ping from your router to the banned LAN |

    Note: check the syntax of the ACL command if you are using Packet Tracer.

    To test the ACLs you must use an extended ping similar to the example in Table 10. This tests whether the ACLs on Cornwall are responding to traffic from Somerset.

    Table 10 Extended ping

    | Router | Command (note that there may be some variations) |
    |---|---|
    | Somerset | ping |
    | | Protocol [ip]: |
    | | Target IP address: 192.168.1.1 |
    | | Repeat count [5]: 10 |
    | | Datagram size [100]: |
    | | Timeout in seconds [2]: |
    | | Extended commands [n]: y |
    | | Source address or interface: 10.1.1.1 |
    | | Then press [n] for all other options |
    | Somerset | ping |
    | | Protocol [ip]: |
    | | Target IP address: 192.168.2.1 |
    | | Repeat count [5]: 10 |
    | | Datagram size [100]: |
    | | Timeout in seconds [2]: |
    | | Extended commands [n]: y |
    | | Source address or interface: 10.1.1.1 |
    | | Then press [n] for all other options |

    Which of the above works, and which does not?

    A working ping has an exclamation mark (!); one that has no reply has a full stop (.).

    Change the addresses to prove/disprove the ACLs working on Somerset and Devon.
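    To predict what each extended ping should show before running it, the following added example (not part of the original pack) models how an extended ACL is evaluated, using Cornwall's list from Table 9 and the two pings from Table 10. It assumes top-down, first-match evaluation with an implicit deny at the end of the list; the function names are illustrative, and only the syntax forms used in Table 9 are parsed.

```python
import ipaddress


def _ip(addr):
    return int(ipaddress.IPv4Address(addr))


def wildcard_match(addr, base, wildcard):
    """True if addr equals base on every bit where the wildcard bit is 0."""
    care = ~_ip(wildcard) & 0xFFFFFFFF          # wildcard 1-bits are "don't care"
    return (_ip(addr) & care) == (_ip(base) & care)


def parse_ace(line):
    """Parse the access-list forms used in Table 9 (no port matching)."""
    tok = line.split()
    if len(tok) < 6 or tok[0] != "access-list" or tok[2] not in ("permit", "deny"):
        raise ValueError(f"unsupported ACL line: {line!r}")
    rest = tok[4:]

    def take_address(rest):
        if rest[0] == "any":                    # any = 0.0.0.0 255.255.255.255
            return ("0.0.0.0", "255.255.255.255"), rest[1:]
        return (rest[0], rest[1]), rest[2:]

    src, rest = take_address(rest)
    dst, rest = take_address(rest)
    return {"action": tok[2], "proto": tok[3], "src": src, "dst": dst,
            "icmp_type": rest[0] if rest else None}


def evaluate(acl, proto, src, dst, icmp_type=None):
    """Return 'permit' or 'deny' for one packet: first matching entry wins."""
    for ace in acl:
        if ace["proto"] not in ("ip", proto):   # 'ip' matches every IP protocol
            continue
        if not wildcard_match(src, *ace["src"]):
            continue
        if not wildcard_match(dst, *ace["dst"]):
            continue
        if ace["icmp_type"] and ace["icmp_type"] != icmp_type:
            continue
        return ace["action"]
    return "deny"                               # implicit deny at the end of every ACL


# Cornwall's ACL 101 as given in Table 9.
CORNWALL_ACL = [parse_ace(line) for line in (
    "access-list 101 deny icmp 10.1.1.0 0.0.0.255 192.168.1.0 0.0.0.255 echo",
    "access-list 101 permit ip any any",
)]

# The two extended pings from Table 10: (source address, target address).
TABLE10_PINGS = [("10.1.1.1", "192.168.1.1"), ("10.1.1.1", "192.168.2.1")]


def table10_results():
    """Verdict of Cornwall's inbound ACL for each echo request in Table 10."""
    return [evaluate(CORNWALL_ACL, "icmp", src, dst, "echo")
            for src, dst in TABLE10_PINGS]


if __name__ == "__main__":
    for (src, dst), verdict in zip(TABLE10_PINGS, table10_results()):
        print(f"echo {src} -> {dst}: {verdict}")
```

    The same evaluate call with icmp_type set to "echo-reply" shows that the deny entry matches echo requests only, so replies travelling in the same direction fall through to the permit entry.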

    When you have completed this lab you must complete the commands shown in Table 11, on all devices.

    Table 11 Clearing the configuration

    | Router | Command | Purpose (student to complete) |
    |---|---|---|
    | All | erase start | |
    | All | reload | |

    Tip: did you read the tip at the end of section 3?

    5 Answers to questions

    Do resist reading this section until you have completed, or at least attempted, the day school or ALE.

    3.1 Redistribution: Why can you not ping from Somerset or Cornwall to the 172.17.0.0 network on Devon? What do you need to do to rectify this?

    o You need to add the missing network in Somerset. There are many ways to accomplish this. The simplest would be to add the missing network: ip route 172.17.0.0 255.255.255.0 2.0.0.2

    o But a more subtle method would be to create an aggregate entry, by changing the subnet mask: ip route 172.16.0.0 255.255.240.0 2.0.0.2

    o This would include networks 172.16.0.0 through to 172.31.0.0 (all private class B networks), reducing the need to update the router with static routes for each new private system.

    3.5 Adding VLANs: On each switch, issue a show vlan command. How has the switch been organised?

    o Your ports should now be arranged next to each of the VLANs. Some ports will remain unassigned and should be collected in VLAN1.

    4.1 OSPF configuration: Using a loopback interface, how could you add another entry to the OSPF routing tables?

    o Adding a loopback interface is not dissimilar to adding a normal real interface. Loopbacks are used as IDs on routers and often help create large routing tables when there is a limit on the number of physical interfaces available.

    o Looking at Table 12, you could apply this to Somerset.

    Table 12 Adding a loopback

    | Router | Command | Notes |
    |---|---|---|
    | Somerset | configure terminal | |
    | | interface loopback 1 | Creates the loopback interface |
    | | ip address 99.99.99.99 255.255.255.0 | |
    | | no shutdown | This should not be needed |
    | | router ospf 1 | |
    | | network 99.99.99.0 0.0.0.255 area 0 | |
    | Cornwall | show ip route | |

    4.2 ACL configuration: Which of the above works, and which does not?

    o The ping will work for the network allowed, and not work for the network that is blocked. Confirm this with the ACL command being used on the Devon router.