CCNA Discovery 2 Chapter 5

  • May 2020
  • PDF




More details

  • Words: 23,651
  • Pages: 80
CCNA Discovery - Working at a Small-to-Medium Business or ISP

5 Configuring Network Devices

5.0 Chapter Introduction

5.0.1 Introduction

Page 1: One network infrastructure is now expected to support enhanced integrated applications, such as voice and video, for more users than ever before. The underlying routing and switching technologies must provide the foundation for a wide range of business applications. Network engineers and technicians set up and configure the routers and switches that provide LAN and WAN connectivity and services.

After completing this chapter, you should be able to:
• Configure a router with an initial configuration.
• Use Cisco Security Device Manager (SDM) to configure a Cisco ISR with LAN connectivity, Internet connectivity, and NAT.
• Configure a Cisco router for LAN connectivity, Internet connectivity, and NAT using the Cisco IOS CLI.
• Configure a WAN connection from a customer premises to an ISP.
• Describe, set up, and configure a stand-alone LAN switch.

5.1 Initial ISR Router Configuration

5.1.1 ISR

Page 1: The Cisco Integrated Services Router (ISR) is one of the most popular networking devices for meeting the growing communications needs of businesses. The ISR combines routing and LAN switching functions, security, voice, and WAN connectivity in a single device, which makes it well suited to small to medium-sized businesses and to ISP-managed customers.

The optional integrated switch module allows a small business to connect LAN devices directly to the 1841 ISR. If the number of LAN hosts exceeds the number of switch ports on the module, additional switches or hubs can be daisy-chained to extend the number of available LAN ports. If the switch module is not included, external switches are connected to the router interfaces of the ISR.

The ISR routing function allows a network to be divided into multiple local networks using subnetting and lets internal LAN devices reach the Internet or WAN.

5.1.1 - ISR
The diagram depicts four series of routers:

Cisco 800 series ISR
• Designed for small offices and home-based users
• 1 WAN port; supports 4 10/100 Mbps ports
• Combines data, security, and wireless services
• Provides services at broadband speeds

Cisco 1800 series ISR
• Designed for small to medium businesses and small enterprise branch offices
• Supports up to 8 10/100 Mbps router ports
• Supports 8 10/100 Mbps switch ports
• Combines data, security, and wireless services
• Provides services at broadband speeds using DSL, cable, and T1/E1 connections

Cisco 2800 series ISR
• Designed for small to medium businesses and small enterprise branch offices
• Supports up to 2 10/100/1000 Mbps router ports
• Supports up to 64 10/100 Mbps switch ports
• Supports 96 Cisco IP phone users
• Combines data, security, voice, video, and wireless services
• Provides services at broadband speeds using multiple T1/E1 connections

Cisco 3800 series ISR
• Designed for medium to large businesses and enterprise branch offices
• Supports up to 2 10/100/1000 Mbps router ports
• Supports up to 112 10/100 Mbps switch ports
• Supports 240 Cisco IP phone users
• Combines data, security, voice, video, and wireless services
• Provides services at broadband speeds using DSL, cable, and T1/E1 connections

Page 2: 5.1.1 - ISR
The diagram depicts the front and rear views of a Cisco 1800 Series ISR, model 1841.

Front view
The 1841 is a relatively low-cost ISR designed for small to medium-sized businesses and small enterprise branch offices. It combines data and security services, and adds wireless services when a wireless module is installed. The LEDs indicate the following:
• System Power LED (SYS PWR): solid green indicates that power is received and that the internal power supply is functional.
• System Activity LED (SYS ACT): blinking indicates that the system is actively transferring packets.

Rear view
The 1841 ISR uses modules that allow different configurations of ports. The following components are found on the router:
• Modular slot 1 with a High-speed WAN Interface Card (HWIC): modular slots can hold different types of interfaces; the HWIC shown here provides serial connectivity over a wide-area network.
• Console port: used to configure the ISR from a directly connected host.
• Auxiliary port: used to configure the ISR over a modem connection.
• Single-slot USB port: the USB flash feature allows images and configurations to be stored on USB flash memory and the router to boot directly from it.
• Fast Ethernet ports: provide 10/100 Mbps connectivity for local area networks.
• Compact flash module: this removable module stores the Cisco IOS image and other operating software for the ISR.
• Modular slot 0 with a four-port Ethernet switch: the four-port Ethernet card shown here provides LAN connectivity to multiple devices.

Page 3: The Cisco Internetwork Operating System (IOS) software provides the features that enable a Cisco device to send and receive network traffic over a wired or wireless network. Cisco IOS software is offered to customers in modules called images, which support various feature sets for businesses of every size.

The entry-level Cisco IOS image is the IP Base image. It supports small to medium-sized businesses and routing between networks. Other Cisco IOS images add services to the IP Base image; for example, the Advanced Security image adds features such as virtual private networking (VPN) and firewalls.

Many different types and versions of Cisco IOS images are available, and each is built for specific models of routers, switches, and ISRs. It is important to know which image and version is loaded on a device before beginning the configuration process.

5.1.1 - ISR
The diagram depicts a flow chart of IOS software images, each building on the one before it:
A. IP Base flows to Advanced Security, IP Voice, and Service Provider (SP) Services.
B. Advanced Security flows to Advanced IP Services.
C. IP Voice flows to SP Services.
D. SP Services flows to both Advanced IP Services and Enterprise Services.
E. Advanced IP Services flows to Advanced Enterprise Services.
F. Enterprise Services flows to Advanced Enterprise Services.

5.1.2 Physical Setup of the ISR

Page 1: Each ISR is shipped with the cables and documentation needed to power up the device and begin the installation. When a new device is received, unpack it and verify that all the hardware and equipment is included. Items shipped with a new Cisco 1841 ISR include:
• RJ-45 to DB-9 console cable
• DB-9 to DB-25 modem adapter
• Power cord
• Product registration card, called the Cisco.com card
• Regulatory compliance and safety information for Cisco 1841 routers
• Router and Security Device Manager (SDM) Quick Start guide
• Cisco 1800 Series Integrated Services Router (Modular) Quick Start guide

5.1.2 - Physical Setup of the ISR
The diagram depicts the components shipped with a Cisco ISR:
• Black power supply cord
• Serial port adapter for converting a 25-pin serial port (DB-25) on a PC or modem to a 9-pin serial port (DB-9), so that the console cable can be connected
• Cisco documentation and software CD
• Blue console cable to connect the PC or modem to the device console port in order to monitor or configure the device

Page 2: Installing a new Cisco 1841 ISR requires special tools and equipment that most ISPs and technician labs usually have available. Any additional equipment required depends on the model of the device and on any optional equipment ordered.

Typically, the tools required to install a new device include:
• PC with a terminal emulation program, such as HyperTerminal
• Cable ties and a No. 2 Phillips screwdriver
• Cables for WAN interfaces, LAN interfaces, and USB interfaces

It may also be necessary to have the equipment required for WAN and broadband communication services, such as a modem. Ethernet switches may also be required to connect LAN devices or expand LAN connectivity, depending on whether the integrated switch module is included and on the number of LAN ports required.

5.1.2 - Physical Setup of the ISR
The diagram depicts the components needed to set up the Cisco ISR: a PC with a terminal emulation program, cable ties and a No. 2 Phillips screwdriver, a WAN interface cable, a LAN interface cable, a USB interface cable, an Ethernet switch, and a modem.

Page 3: Before beginning any equipment installation, read the Quick Start guide and the other documentation included with the device. The documentation contains important safety and procedural information that prevents accidental damage to the equipment during installation. Follow these steps to power up an 1841 ISR:
1. Securely mount and ground the device chassis, or case.
2. Seat the external compact flash card.
3. Connect the power cable.
4. Configure the terminal emulation software on the PC and connect the PC to the console port.
5. Turn on the router.
6. Observe the startup messages on the PC as the router boots up.

5.1.2 - Physical Setup of the ISR
The diagram depicts the steps for setting up an ISR.
Step 1: Cisco routers and ISRs can be wall-mounted, set on a shelf or desktop, or installed in a rack.
Step 2: Seat the external compact flash memory card into the slot. Be certain that it is firmly seated and verify that the eject button is fully extended. The eject button is usually located to the left of the slot.
Step 3: Connect the power cable to the device and then to a reliable power source. Routers and networking devices are usually connected to an uninterruptible power supply (UPS) that contains a battery, so that the device does not fail if the electricity goes off unexpectedly.
Step 4: On the PC, configure the terminal emulation software with the settings required for communication with a Cisco router (9600 baud, 8 data bits, no parity, 1 stop bit, no flow control). Connect the PC running the emulation program to the console port of the ISR using the console cable that came with the device.
Step 5: Turn the ISR on using the power switch located on the rear of the device.
Step 6: Observe the start-up messages as they appear in the terminal program window. These messages are generated by the router's operating system.

5.1.3 Bootup Process

Page 1: The router bootup process has three stages.

1. Perform the power-on self test (POST) and load the bootstrap program. The POST is a process that occurs on almost every computer when it boots up; on a router it tests the router hardware. After POST, the bootstrap program is loaded from ROM.

2. Locate and load the Cisco IOS software. The bootstrap program locates the Cisco IOS image and loads it into RAM. The image can be located in one of three places: flash memory, a TFTP server, or another location indicated in the startup configuration file. By default, the Cisco IOS software loads from flash memory; the configuration settings must be changed to load it from one of the other locations.

3. Locate and execute the startup configuration file, or enter setup mode. After the Cisco IOS software is loaded, the router searches NVRAM for the startup configuration file. This file contains the previously saved configuration commands and parameters, including interface addresses, routing information, passwords, and other configuration parameters. If no configuration file is found, the router prompts the user to enter setup mode to begin the configuration process. If a startup configuration file is found, it is copied into RAM and a prompt containing the host name is displayed. The prompt indicates that the router has successfully loaded the Cisco IOS software and the configuration file.

5.1.3 - Boot Up Process
The diagram depicts the three stages of the boot-up process.

Stage 1 (ROM): Perform POST, then load and execute the bootstrap loader.
Console output:
System Bootstrap, Version 12.3(8r)T8, RELEASE SOFTWARE (fc1)
Cisco 1841 (revision 5.0) with 114688K/16384K bytes of memory.

Stage 2: Locate and load the operating system. The IOS can be loaded from flash or from a TFTP server.
Console output:
System Bootstrap, Version 12.3(8r)T8, RELEASE SOFTWARE (fc1)
Cisco 1841 (revision 5.0) with 114688K/16384K bytes of memory.
Self decompressing the image: ### [OK]

Stage 3: Locate, load, and execute the configuration file, or enter setup mode. The configuration file can be loaded from NVRAM, from a TFTP server, or from the console (configuration commands entered from the console host keyboard).
Console output:
System Bootstrap, Version 12.3(8r)T8, RELEASE SOFTWARE (fc1)
Cisco 1841 (revision 5.0) with 114688K/16384K bytes of memory.
Self decompressing the image: ### [OK]

Restricted Rights Legend
Use, duplication, or disclosure by the Government is subject to restrictions as set forth in subparagraph (c) of the Commercial Computer Software - Restricted Rights clause at FAR sec. 52.227-19 and subparagraph (c) (1) (ii) of the Rights in Technical Data and Computer Software clause at DFARS sec. 252.227-7013.

Cisco Systems, Inc.
170 West Tasman Drive
San Jose, California 95134-1706

Cisco IOS Software, 1841 Software (C1841-IPBASE-M), Version 12.3(14)T7, RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2006 by Cisco Systems, Inc.
Compiled Mon 15-May-06 14:54 by pt_team
Image text-base: 0x6007D180, data-base: 0x61400000

Port Statistics for unclassified packets is not turned on.
Cisco 1841 (revision 5.0) with 114688K/16384K bytes of memory.
Processor board ID FTX0947Z18E
M860 processor: part number 0, mask 49
2 FastEthernet/IEEE 802.3 interface(s)
2 Low-speed serial (sync/async) network interface(s)
191K bytes of NVRAM.
31360K bytes of ATA CompactFlash (Read/Write)

Cisco IOS Software, 1841 Software (C1841-IPBASE-M), Version 12.3(14)T7, RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2006 by Cisco Systems, Inc.
Compiled Mon 15-May-06 14:54 by pt_team

--- System Configuration Dialog ---
Continue with configuration dialog? [yes/no]: no

Page 2: To avoid the loss of configuration changes, it is important to understand the difference between the startup configuration file and the running configuration file.

Startup Configuration File
The startup configuration file is the saved configuration that sets the properties of the device each time it is powered up. It is stored in non-volatile RAM (NVRAM), so it is retained when power to the device is turned off. When a Cisco router is first powered up, it loads the Cisco IOS software into working memory (RAM). Next, the startup configuration file is copied from NVRAM to RAM, where it becomes the initial running configuration.

Running Configuration File
The term running configuration refers to the configuration currently active in RAM on the device. It contains the commands that determine how the device operates on the network. Changes to the configuration and to various device parameters are made in this file in working memory and take effect immediately. However, the running configuration is lost each time the device is shut down or reloaded, unless it has been saved to the startup configuration file.

Changes to the running configuration are not saved automatically; the running configuration must be copied to the startup configuration file manually. When configuring a device through the Cisco command line interface (CLI), the command copy running-config startup-config, or its abbreviated form copy run start, saves the running configuration to the startup configuration file. When configuring a device through the Cisco SDM GUI, there is an option to save the running configuration to the startup configuration file each time a command is completed.

5.1.3 - Boot Up Process
The animation depicts the startup config being copied from NVRAM to RAM.

Tip: Making a spelling mistake when typing startup-config in the copy command copies the running configuration to a file of that misspelled name instead, and the router reloads without the changes. After saving, confirm with show startup-config that the changes are really in NVRAM.

Page 3: After the startup configuration file is loaded and the router boots successfully, the show version command can be used to verify and troubleshoot some of the basic hardware and software components used during the bootup process. The output of show version includes:
• The Cisco IOS software version being used.
• The version of the system bootstrap software, stored in ROM, that was initially used to boot the router.
• The complete filename of the Cisco IOS image and where the bootstrap program located it.
• The type of CPU on the router and the amount of RAM. It may be necessary to add RAM when upgrading the Cisco IOS software.
• The number and type of physical interfaces on the router.
• The amount of NVRAM. NVRAM stores the startup-config file.
• The amount of flash memory. Flash permanently stores the Cisco IOS image; it may be necessary to add flash when upgrading the Cisco IOS software.
• The current value of the software configuration register, in hexadecimal. The configuration register tells the router how to boot. For example, the factory default setting is 0x2102, which makes the router load a Cisco IOS image from flash and the startup configuration file from NVRAM. The configuration register can be changed, and with it where the router looks for the Cisco IOS image and the startup configuration file during bootup. If a second value appears in parentheses, it is the configuration register value that will be used at the next reload of the router.

5.1.3 - Boot Up Process
The animation highlights the following information in the output of the show version command:
IOS version: IOS (tm) 2500 Software (C2500-I-L), Version 12.0(17a), RELEASE SOFTWARE (fc1)
Bootstrap version: ROM: System Bootstrap, Version 11.0(10c), SOFTWARE; BOOTFLASH: 3000 Bootstrap Software (IGS-BOOT-R), Version 11.0(10c), RELEASE SOFTWARE (fc1)
IOS image file: System image file is "flash:c2500-i-l.120-17a.bin"
Model and CPU: cisco 2500 (68030) processor (revision N)
Amount of RAM: with 2048K/2048K bytes of memory
Number and type of interfaces: 1 Ethernet/IEEE 802.3 interface(s), 2 Serial network interface(s)
Amount of NVRAM: 32K bytes of non-volatile configuration memory
Amount of flash: 8192K bytes of processor board System flash (Read ONLY)
Configuration register: Configuration register is 0x2102

More Information: The configuration register tells the router how to boot. There are many possible settings; the most common are:
0x2102 - Factory default for Cisco routers (load the IOS image from flash and the startup config file from NVRAM)
0x2142 - Router ignores the contents of NVRAM (the startup configuration, including its passwords and interface addresses, is not loaded)
0x2120 - Router boots into ROMmon mode
A router left at 0x2142 after a recovery procedure boots without its saved configuration, so check this value with show version and reset it to 0x2102 before the next reload.

Page 4: There are times when the router does not boot successfully. This can be caused by a number of factors, including a corrupt or missing Cisco IOS file, an incorrect location for the Cisco IOS image specified by the configuration register, or inadequate memory to load a new Cisco IOS image. If the router fails to boot the IOS, it boots into ROM monitor (ROMmon) mode. ROMmon software is a simple command set stored in read-only memory (ROM) that can be used to troubleshoot boot errors and to recover the router when the IOS is not present.

When the router boots into ROMmon mode, one of the first troubleshooting steps is to look in flash memory for a valid image using the dir flash: command. If an image is found, attempt to boot it with the boot flash: command:

rommon 1> boot flash:c2600-is-mz.121-5

If the router boots properly with this command, there are two possible reasons why the Cisco IOS image did not load from flash initially. First, use the show version command to check that the configuration register is set for the default boot sequence. If the configuration register value is correct, use the show startup-config command to see whether a boot system command instructs the router to use a different location for the Cisco IOS image.

5.1.3 - Boot Up Process
The diagram depicts the output of the show startup-config command. The boot system commands in the startup config file determine the sequence the router uses to locate the IOS and boot:
boot system flash c1841-advipservicesk9-mz.124-10b.bin
boot system tftp c1841-advipservicesk9-mz.124-10b.bin 192.168.1.1
boot system rom
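The two checks this page describes (configuration register, then boot system commands), followed by the correction and the save, as one console session. This is an added example and not course material: the hostname R1 is assumed, and the image name is the one shown in the boot system diagram above.

```ios
! Added example, not from the course. Hostname R1 and the presence of the
! image in flash are assumptions.

! 1. Check the configuration register. 0x2142 means the startup
!    configuration in NVRAM will be ignored at the next boot.
R1# show version | include register
Configuration register is 0x2142

! 2. Confirm that the image named by the boot system command really exists
!    in flash; a boot system entry for a missing file is one way to end up
!    in ROMmon.
R1# dir flash: | include bin
! expected: a directory line ending in c1841-advipservicesk9-mz.124-10b.bin

! 3. Replace the boot order with a single known-good flash image, restore
!    the default register, and save.
R1# configure terminal
R1(config)# no boot system
R1(config)# boot system flash c1841-advipservicesk9-mz.124-10b.bin
R1(config)# config-register 0x2102
R1(config)# end
R1# copy running-config startup-config
Destination filename [startup-config]?
Building configuration...
[OK]

! 4. Verify before reloading. The value in parentheses is the register the
!    next reload will use, and the startup config must now carry the boot
!    system line (a misspelled filename in step 3 would leave it empty).
R1# show version | include register
Configuration register is 0x2142 (will be 0x2102 at next reload)
R1# show startup-config | include boot system
boot system flash c1841-advipservicesk9-mz.124-10b.bin
```

The boot system tftp form shown in the diagram makes the router load whatever image the named server offers, so it belongs after the flash entry and only with a TFTP server on a trusted management network.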

Page 5: Lab Activity
Power up an ISR and view the router system and configuration files using show commands. Click the lab icon to begin.

5.1.3 - Boot Up Process
Link to Hands-on Lab: Powering Up an Integrated Services Router

5.1.4 Cisco IOS Programs

Page 1: There are two methods of connecting a PC to a network device to perform configuration and monitoring tasks: out-of-band management and in-band management.

Out-of-band Management
Out-of-band management requires a computer to be connected directly to the console port or auxiliary (AUX) port of the network device being configured. This type of connection does not require the local network connections on the device to be active. Technicians use out-of-band management for the initial configuration of a network device, because until it is properly configured the device cannot participate in the network. Out-of-band management is also useful when network connectivity is not functioning correctly and the device cannot be reached over the network. Out-of-band management requires a terminal emulation client installed on the PC.

In-band Management
In-band management is used to monitor and make configuration changes to a network device over a network connection. For a computer to connect to the device and perform in-band management tasks, at least one network interface on the device must be connected to the network and operational. Telnet, HTTP, or SSH can be used to access a Cisco device for in-band management: a web browser or a Telnet or SSH client program is used to monitor the device or make configuration changes. Telnet and HTTP carry credentials and configuration across the network in cleartext, so SSH (and HTTPS for the web interface) should be used wherever the device's IOS image supports them.

5.1.4 - Cisco IOS Programs
The diagram depicts out-of-band and in-band router configuration.
Out-of-band router configuration: a PC connected to the router via the console port; a PC connected via a PSTN link to the router's auxiliary port.
In-band router configuration: a PC connected to the router via an Ethernet interface; a PC connected via a WAN or the Internet to a serial interface of the router.

Page 2: The Cisco IOS command line interface (CLI) is a text-based program for entering and executing Cisco IOS commands to configure, monitor, and maintain Cisco devices. The Cisco CLI can be used for both in-band and out-of-band management tasks.

CLI commands alter the configuration of the device and display the current status of processes on the router. For experienced users, the CLI offers many time-saving features for creating both simple and complex configurations. Almost all Cisco networking devices use a similar CLI. When the router has completed the power-up sequence and the Router> prompt appears, the CLI can be used to enter Cisco IOS commands. Technicians familiar with the commands and operation of the CLI find it easy to monitor and configure a variety of networking devices, and the CLI has an extensive help system that assists users in setting up and monitoring devices.

5.1.4 - Cisco IOS Programs
The diagram depicts a HyperTerminal session in which the command line interface (CLI) is used to enter configuration mode for the router's serial 0/1/0 interface:
Router>
Router> enable
Router# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)# interface serial 0/1/0
Router(config-if)#

Page 3: In addition to the Cisco IOS CLI, other tools are available for configuring a Cisco router or ISR. Security Device Manager (SDM) is a web-based GUI device management tool. Unlike the CLI, SDM can be used only for in-band management tasks.

SDM Express simplifies the initial router configuration. It uses a step-by-step approach to create a basic router configuration quickly and easily. The full SDM package offers more advanced options, such as:
• Configuring additional LAN and WAN connections
• Creating firewalls
• Configuring VPN connections
• Performing security tasks

SDM supports a wide range of Cisco IOS software releases and is available free of charge on many Cisco routers. SDM is pre-installed in the flash memory of the Cisco 1800 Series ISR. If the router has SDM installed, it is good practice to use SDM to perform the initial router configuration, connecting to the router through the network port preset for that purpose.

5.1.4 - Cisco IOS Programs
The diagram depicts the opening windows of Cisco SDM Express and Cisco Router and Security Device Manager (SDM).

Page 4: Not all Cisco devices support SDM. In addition, SDM does not support all the commands that are available through the CLI. Consequently, it is sometimes necessary to use the CLI to complete a device configuration that was started with SDM. Familiarity with both methods is critical to supporting Cisco devices successfully.

5.1.4 - Cisco IOS Programs
The diagram compares Cisco IOS CLI and Cisco SDM on the following features:

User interface
  Cisco IOS CLI: terminal emulation software or a Telnet session
  Cisco SDM: web browser
Router configuration method
  Cisco IOS CLI: text-based Cisco commands
  Cisco SDM: GUI buttons and text boxes
Expertise in Cisco device configuration
  Cisco IOS CLI: depends on the configuration task
  Cisco SDM: no knowledge of CLI commands needed
Help features
  Cisco IOS CLI: command-prompt based
  Cisco SDM: GUI-based online help and tutorials
Router flash memory requirements
  Cisco IOS CLI: covered by the IOS image
  Cisco SDM: 6 MB of free memory
Availability
  Cisco IOS CLI: all Cisco devices
  Cisco SDM: Cisco 830 Series through Cisco 7301
When used
  Cisco IOS CLI: the Cisco device does not support SDM, or the configuration task is not supported by SDM
  Cisco SDM: performing the initial configuration on an SDM-equipped device; stepping through the configuration of a device without CLI knowledge

Page 5: 5.1.4 - Cisco IOS Programs
The diagram depicts an activity in which you must decide whether the CLI or SDM is meant by each of the following descriptions:
1. Used to configure a Cisco router with both in-band and out-of-band management.
2. Used for the initial configuration of a Cisco router using a web-based GUI.
3. Used to configure a Cisco router with limited knowledge of IOS commands.
4. Supported, by default, on all Cisco IOS routers.

5.2 Using Cisco SDM Express and SDM

5.2.1 Cisco SDM Express

Page 1: When adding a new device to a network, it is critical to ensure that the device functions correctly: the addition of one poorly configured device can cause an entire network to fail. Configuring a networking device such as a router can be a complex task, no matter which tool is used to enter the configuration. Therefore, follow best practices when installing a new device to ensure that all device settings are properly configured and documented.

5.2.1 - Cisco SDM Express
The diagram depicts the best practices and their details.
Best Practice 1: Obtain and document all information before beginning the configuration.
Details: name assigned to the device; location where it will be installed; user names and passwords (keep these in a controlled credential store rather than in the general documentation); types of connections required (LAN and WAN); IP address information for all network interfaces, including IP address, subnet mask, and default gateway; DHCP server settings; Network Address Translation settings; firewall settings.
Best Practice 2: Create a network diagram showing how the cables will be connected.
Details: label the diagram with the interface designation and address information.
Best Practice 3: Create a checklist of configuration steps.
Details: mark off each step as it is successfully completed.
Best Practice 4: Verify the configuration using a network simulation.
Details: test the configuration before it is placed on the running network.
Best Practice 5: Update the network documentation and keep a copy in a safe place.
Details: save it on a server; print it and keep it in a file cabinet.

Page 2: Cisco SDM Express is a tool bundled with the Cisco Router and Security Device Manager that makes it easy to create a basic router configuration. To start using SDM Express, connect an Ethernet cable from the PC NIC to the Ethernet port specified in the Quick Start guide of the router or ISR being configured. SDM Express uses eight configuration screens to assist in creating a basic router configuration:
• Overview
• Basic Configuration
• LAN IP Address
• DHCP
• Internet (WAN)
• Firewall
• Security Settings
• Summary

The SDM Express GUI provides step-by-step guidance for creating the initial configuration of the router. After the initial configuration is completed, the router is available on the LAN. The router can also have a WAN connection, a firewall, and up to 30 security enhancements configured.

5.2.1 - Cisco SDM Express
The diagram depicts a router deployment using SDM Express, which is ideal for non-expert users. The SDM disk guides the user through the setup of the router.

5.2.2 SDM Express Configuration Options

Page 1: The SDM Express Basic Configuration screen contains the basic settings for the router being configured. The following information is required:
• Host name - the name assigned to the router being configured.
• Domain name for the organization - for example cisco.com; domain names can also end with a different suffix, such as .org or .net.
• Username and password - the credentials used to access SDM Express to configure and monitor the router. The password must be at least six characters long.
• Enable secret password - the password that controls privileged access to the router, and therefore the ability to make configuration changes through the CLI, whether over Telnet or through the console port. The password must be at least six characters long.

5.2.2 - SDM Express Configuration Options
The diagram depicts the Cisco SDM Express Wizard window with the Basic Configuration option highlighted.
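The CLI equivalent of the Basic Configuration screen above (host name, domain name, local user, enable secret), extended with the in-band management choice that 5.1.4 leaves open: SSH instead of Telnet on the vty lines and HTTPS instead of HTTP for SDM. This is an added example, not course code; the hostname R1, the domain example.com, the user name admin, the placeholder passwords and the 192.168.1.0/24 management subnet are all assumed values.

```ios
! Added example, not from the course. All names, passwords and addresses
! below are placeholders to be replaced.
hostname R1
ip domain-name example.com
!
! Local account used for SDM and SSH logins. 'secret' stores a hash of the
! password; the older 'password' keyword would store it reversibly.
! SDM needs a privilege 15 user and local HTTP authentication.
username admin privilege 15 secret Replace-Me-With-A-Long-Passphrase
enable secret Replace-Me-Too
service password-encryption
!
! RSA key pair for the SSH server (needs hostname and domain-name first).
crypto key generate rsa modulus 2048
ip ssh version 2
ip ssh time-out 60
ip ssh authentication-retries 3
!
! Only the management subnet may open vty sessions; everything else is
! dropped and logged.
ip access-list standard MGMT
 permit 192.168.1.0 0.0.0.255
 deny   any log
!
line vty 0 4
 login local
 transport input ssh
 access-class MGMT in
 exec-timeout 10 0
!
line con 0
 login local
 exec-timeout 10 0
!
! SDM over HTTPS only; the cleartext HTTP server stays off.
no ip http server
ip http secure-server
ip http authentication local
```

SSH and ip http secure-server are only present in crypto-capable (k9) images such as the advipservicesk9 image named in the 5.1.3 boot system diagram; the C1841-IPBASE-M image shown in the boot output there does not provide them, so check show version before relying on this configuration. The six-character minimum that SDM Express enforces is a floor, not a recommendation.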

Page 2: The LAN configuration settings enable the router interface to participate in the connected local network.
• IP address - the address for the LAN interface, in dotted-decimal format. It can be a private IP address if the device is installed in a network that uses Network Address Translation (NAT) or Port Address Translation (PAT). Take note of this address: after the router is restarted, this is the address used to reach SDM Express, not the address given in the Quick Start guide.
• Subnet mask - identifies the network portion of the IP address.
• Subnet bits - the number of bits used to define the network portion of the IP address; can be entered instead of the subnet mask.
• Wireless parameters - optional. Appear if the router has a wireless interface and Yes was clicked in the Wireless Interface Configuration window. Specifies the SSID of the wireless network.

5.2.2 - SDM Express Configuration Options
The diagram depicts the Cisco SDM Express Wizard window with the LAN IP Address option highlighted.

Page 3: DHCP is a simple way to assign IP addresses to host devices. DHCP dynamically allocates an IP address to a network host when the host is powered up, and reclaims the address when the host is powered down. In this way, addresses can be reused when hosts no longer need them.
Using SDM Express, a router can be configured as a DHCP server to assign addresses to devices, such as PCs, on the internal local network. To configure a device for DHCP, select the Enable DHCP Server on the LAN Interface checkbox. Checking this box enables the router to assign private IP addresses to devices on the LAN. IP addresses are leased to hosts for a period of one day.
DHCP uses a range of allowable IP addresses. By default, the valid address range is based on the IP address and subnet mask entered for the LAN interface. The starting address is the lowest address in the IP address range. The starting IP address can be changed, but it must be in the same network or subnet as the LAN interface. The ending IP address is the highest address in the IP address range, and it can be changed to decrease the pool size. It must be in the same network as the starting IP address.
5.2.2 - SDM Express Configuration Options The diagram depicts the Cisco SDM Express Wizard Window with the DHCP option highlighted.

Page 4: Additional DHCP configuration parameters include:
• Domain name for the organization - This name is given to the hosts as part of the DHCP configuration.
• Primary domain name server - IP address of the primary DNS server. Used to resolve URLs and names on the network.
• Secondary domain name server - IP address of a secondary DNS server, if available. Used if the primary DNS server does not respond.
Selecting Use these DNS values for DHCP clients enables the DHCP server to assign DHCP clients with the configured DNS settings. This option is available if a DHCP server has been enabled on the LAN interface.
5.2.2 - SDM Express Configuration Options The diagram depicts the Cisco SDM Express Wizard Window with the DHCP option highlighted and the DNS section filled in.
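The DHCP pool rules from Page 3 (default range derived from the LAN interface address and mask or subnet bits; a custom start and end must stay in the LAN subnet) expressed as a Python helper. This is an added example, not code from the course or from SDM Express; the check that the pool must not include the router's own LAN address is an added assumption, not a rule the page states.

```python
import ipaddress


def lan_network(lan_ip, mask_or_bits):
    """Return the LAN subnet from the interface address plus either a
    dotted-decimal subnet mask or a subnet-bit count (SDM accepts both)."""
    return ipaddress.ip_interface(f"{lan_ip}/{mask_or_bits}").network


def default_dhcp_range(lan_ip, mask_or_bits):
    """SDM's default pool as the page describes it: the lowest and the
    highest usable host address of the LAN interface's subnet."""
    net = lan_network(lan_ip, mask_or_bits)
    if net.prefixlen > 30:               # /31 and /32 leave no host range to lease
        raise ValueError(f"{net} has no usable host range")
    first = net.network_address + 1      # skip the network address
    last = net.broadcast_address - 1     # skip the broadcast address
    return str(first), str(last)


def validate_dhcp_range(lan_ip, mask_or_bits, start, end):
    """Apply the page's rules to a custom start/end: both addresses must lie
    in the LAN interface's subnet and start must not be above end.
    Returns a list of problems; an empty list means the range is acceptable."""
    net = lan_network(lan_ip, mask_or_bits)
    first, last = ipaddress.ip_address(start), ipaddress.ip_address(end)
    router = ipaddress.ip_address(lan_ip)
    problems = []
    if first not in net:
        problems.append(f"starting address {first} is not in LAN subnet {net}")
    if last not in net:
        problems.append(f"ending address {last} is not in LAN subnet {net}")
    if first > last:
        problems.append(f"starting address {first} is above ending address {last}")
    edges = (net.network_address, net.broadcast_address)
    if first in edges or last in edges:
        problems.append("pool must not include the network or broadcast address")
    # Added sanity check (an assumption, not a rule stated on the page): the
    # router's own LAN interface address must never be leased to a client.
    if first <= router <= last:
        problems.append(f"pool includes the router's own address {router}")
    return problems


def pool_size(start, end):
    """Number of leases an inclusive start/end pair provides."""
    return int(ipaddress.ip_address(end)) - int(ipaddress.ip_address(start)) + 1


if __name__ == "__main__":
    # Constructed values matching the LAN used elsewhere in this chapter.
    print(default_dhcp_range("192.168.1.1", "255.255.255.0"))
    print(validate_dhcp_range("192.168.1.1", 24, "192.168.1.2", "192.168.1.254"))
    print(pool_size("192.168.1.10", "192.168.1.50"))
```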

Page 5: 5.2.2 - SDM Express Configuration Options The diagram depicts an activity in which you must match each configuration parameter from SDM Express to the type of information that must be entered.
Configuration Parameters:
A. Secondary DNS Server Address
B. Domain Name
C. Host Name
D. Enable Secret Password
E. Primary DNS Server Address
F. Starting IP Address
G. Subnet Bits
Information:
One. IP address of the server used to resolve names if the first configured server is not available.
Two. The registered name assigned to the organization, such as cisco.com.
Three. The name assigned to the device by an administrator.
Four. Controls user access to make configuration changes through Telnet or the console.
Five. The IP address of the first server hosts can use to resolve names.
Six. First IP address in the range assigned to hosts by the DHCP server.
Seven. Designates the portion of the IP address that represents the network and subnetwork.

5.2.3 Configuring WAN Connections Using SDM Express

Page 1: Configuring an Internet (WAN) Connection
A serial connection can be used to connect networks that are separated by large geographic distances. These WAN network interconnections require a telecommunications service provider (TSP). Serial connections are usually lower speed links, compared to Ethernet links, and require additional configuration. Prior to setting up the connection, determine the type of connection and protocol encapsulation required.

The protocol encapsulation must be the same at both ends of a serial connection. Some encapsulation types require authentication parameters, like username and password, to be configured. Encapsulation types include:
• High-Level Data Link Control (HDLC)
• Frame Relay
• Point-to-Point Protocol (PPP)
5.2.3 - Configuring WAN Connections Using SDM Express The diagram depicts the three encapsulation types, HDLC, Frame Relay, and PPP, available on the Add Serial0/1/0 Connection window, and a brief description of each.
High-Level Data Link Control (HDLC): A bit-oriented Data Link Layer protocol developed by the International Standards Organization (ISO).
Frame Relay: A packet-switched Data Link Layer protocol that handles multiple virtual circuits, meaning that the circuit connections are temporarily built up and torn down based on need. The DLCI is a required number, supplied by the service provider, that identifies the virtual circuit.
Point-to-Point Protocol (PPP): Commonly used to establish a direct connection between two devices. It can connect computers using serial cable, phone line, trunk line, cellular telephone, specialized radio links, or fiber-optic links. Most Internet service providers use PPP for customer dial-up access to the Internet. PPP has features that allow authentication before a connection is made. PPP usernames and passwords can be set up using SDM.

Page 2: The WAN configuration window has additional WAN parameters.
Address Type List
Depending on the type of encapsulation selected, different methods of obtaining an IP address for the serial interface are available:
• Static IP address - Available with Frame Relay, PPP, and HDLC encapsulation types. To configure a static IP address, enter the IP address and subnet mask.
• IP unnumbered - Sets the serial interface address to match the IP address of one of the other functional interfaces of the router. Available with Frame Relay, PPP, and HDLC encapsulation types.
• IP negotiated - The router obtains an IP address automatically through PPP.
• Easy IP (IP Negotiated) - The router obtains an IP address automatically through PPP.

5.2.3 - Configuring WAN Connections Using SDM Express The diagram depicts an Add Serial0/1/0 Connection window being configured using the encapsulation type HDLC and the address type IP Unnumbered.

Page 3: Lab Activity Configure an ISR using Cisco SDM Express Click the lab icon to begin. 5.2.3 - Configuring WAN Connections Using SDM Express Link to Hands-on Lab: Configuring an ISR with Cisco SDM Express

5.2.4 Configuring NAT Using Cisco SDM

Page 1: Either Cisco SDM Express or Cisco SDM can be used to configure a router. SDM supports many of the same features that SDM Express supports; however, SDM has more advanced configuration options. For this reason, after the router basic configuration is completed using SDM Express, many users switch to SDM. For example, enabling NAT requires the use of SDM.
The Basic NAT Wizard configures Dynamic NAT with PAT, by default. PAT enables the hosts on the internal local network to share the single registered IP address assigned to the WAN interface. In this manner, hosts with internal private addresses can have access to the Internet. Only the hosts with the internal address ranges specified in the SDM configuration are translated. It is important to verify that all address ranges that need access to the Internet are included.
Steps for configuring NAT include:
Step 1. Enable NAT configuration using SDM.
Step 2. Navigate through the Basic NAT Wizard.
Step 3. Select the interface and set IP ranges.
Step 4. Review the configuration.
5.2.4 - Configuring NAT Using Cisco SDM The diagram depicts the steps to use Cisco SDM to configure dynamic NAT on a Cisco ISR Router.
Step 1. Enable NAT Configuration using SDM. Choose Configure, then NAT, then Basic NAT. Then click Launch the selected task.
Step 2. Navigate through the Basic NAT Wizard.
Step 3. Choose the interface that connects to the Internet or the ISP. This interface should have the public registered address assigned to it. Next, select the IP address range of the internal network addresses that should be translated to the public registered address.
Step 4. Review Configuration. Click Finish if the configuration is satisfactory.

Page 2: Lab Activity Configure Dynamic NAT using the Cisco SDM basic NAT wizard. Click the lab icon to begin. 5.2.4 - Configuring NAT Using Cisco SDM Link to Hands-on Lab: Configuring Dynamic NAT with SDM

5.3 Configuring a Router Using IOS CLI

5.3.1 Command Line Interface Modes

Page 1: Using the Cisco IOS CLI to configure and monitor a device is very different from using SDM. The CLI does not provide step-by-step configuration assistance; therefore, it requires more planning and expertise to use.
CLI Command Modes
The Cisco IOS supports two levels of access to the CLI: user EXEC mode and privileged EXEC mode. When a router or other Cisco IOS device is powered up, the access level defaults to user EXEC mode. This mode is indicated by the command line prompt:
Router>
Commands that can be executed in user EXEC mode are limited to obtaining information about how the device is operating, and troubleshooting using some show commands and the ping and traceroute utilities. To enter commands that can alter the operation of the device requires privileged level access. Enable the privileged EXEC mode by entering enable at the command prompt and pressing Enter. The command line prompt changes to reflect the mode change. The prompt for privileged EXEC mode is:
Router#
To disable the privileged mode and return to user mode, enter disable at the command prompt. Both modes can be protected with a password, or a username and password combination.
5.3.1 - Command Line Interface Modes The diagram depicts a HyperTerminal window, Cisco IOS CLI Command Modes, focusing on the user-mode prompt and privileged-mode prompt, as follows:
User-Mode Prompt: Router>
Privileged-Mode Prompt: Router#

Page 2: Various configuration modes are used to set up a device. Configuring a Cisco IOS device begins with entering privileged EXEC mode. From privileged EXEC mode, the user can access the other configuration modes. In most cases, commands are applied to the running configuration file using a terminal connection. To use these commands, the user must enter global configuration mode. To enter global configuration, type the command configure terminal or config t. Global configuration mode is indicated by the command line prompt:
Router(config)#

Any commands entered in this mode take effect immediately and can alter the operation of the device. From global configuration mode, the administrator can enter other sub-modes. Interface configuration mode is used to configure LAN and WAN interfaces. To access interface configuration mode, from global configuration type the command interface [type] [number]. Interface configuration mode is indicated by the command prompt:
Router(config-if)#
Another commonly used sub-mode is the router configuration sub-mode, represented by the following prompt:
Router(config-router)#
This mode is used to configure routing parameters.
5.3.1 - Command Line Interface Modes The diagram depicts a HyperTerminal window, Configuration Modes, focusing on the following modes:
Command to Enter Global Configuration Mode: configure terminal
Command to Enter Interface Configuration Sub-Mode: interface fastethernet 0/1
Using the help command to search commands: ip address ?

Page 3: E-Lab Activity Using the Cisco CLI explore the various configuration modes. Click the lab icon to begin. 5.3.1 - Command Line Interface Modes Link to E-Lab: Entering Command Modes

5.3.2 Using the Cisco IOS CLI

Page 1: The Cisco IOS CLI is full of features that help in recalling commands needed to configure a device. These features are one reason why network technicians prefer to use the Cisco IOS CLI to configure routers.
The context-sensitive help feature is especially useful when configuring a device. Entering help or the ? at the command prompt displays a brief description of the help system.
Router# help
Context-sensitive help can provide suggestions for completing a command. If the first few characters of a command are known but the exact command is not, enter as much of the command as possible, followed by a ?. Note that there is no space between the command characters and the ?.
Additionally, to get a list of the parameter options for a specific command, enter part of the command, followed by a space, and then the ?. For example, entering the command configure followed by a space and a ? shows a list of the possible variations. Choose one of the entries to complete the command string. Once the command string is completed, a <cr> appears. Press Enter to issue the command.
If a ? is entered and nothing matches, the help list will be empty. This indicates that the command string is not a supported command.
5.3.2 - Using the Cisco IOS CLI The diagram depicts the HyperTerminal window focusing on the following text: Commands available to complete the initial command fragment, using a question mark for help:
Router# con?
configure connect

Page 2: Users sometimes make a mistake when typing a command. The CLI indicates if an unrecognized or incomplete command is entered. The % symbol marks the beginning of an error message. For example, if the command interface is entered with no other parameters, an error message displays indicating an incomplete command:
% Incomplete command
Use the ? to get a list of the available parameters. If an incorrect command is entered, the error message would read:
% Invalid input detected

It is sometimes hard to see the mistake within an incorrectly entered command. Fortunately, the CLI provides an error indicator. The caret symbol (^) appears at the point in the command string where there is an incorrect or unrecognized character. The user can return to the point where the error was made and use the help function to determine the correct command to use.
5.3.2 - Using the Cisco IOS CLI The diagram depicts the HyperTerminal window showing the difference between an incomplete command and a misspelled command. Also shown is the use of help (a question mark after the main command, separated by a space) to determine appropriate secondary entries.

Page 3: Another feature of the Cisco IOS CLI is the ability to recall previously typed commands. This feature is particularly useful for recalling long or complex commands or entries.
The command history is enabled by default and the system records 10 command lines in the history buffer. To change the number of command lines the system records during a session, use the terminal history size or the history size command. The maximum number of command lines is 256.
To recall the most recent command in the history buffer, press Ctrl-P or the Up Arrow key. Repeat this process to recall successively older commands. To return to a more recent command in the history buffer, press Ctrl-N or the Down Arrow key. Repeat this process to recall successively more recent commands.
The CLI recognizes partially typed commands based on their first unique characters. For example, type int instead of interface. If a shortcut such as int is entered, pressing the Tab key will automatically complete the entire command entry of interface.
On most computers, additional select and copy functions are available using various function keys. A previous command string may be copied and then pasted or inserted as the current command entry.
5.3.2 - Using the Cisco IOS CLI The diagram depicts the HyperTerminal window showing the show history command and listing previous commands issued.

Page 4: 5.3.2 - Using the Cisco IOS CLI The diagram depicts an activity in which you must match each keystroke combination to its function.
Keystroke combinations:
A. Ctrl-P, or up-arrow key
B. Ctrl-N, or down-arrow key
C. show history
D. terminal history size number-of-lines
E. TAB
Definitions:
One. Steps backwards through the command history.
Two. Steps forward through the command history.
Three. Shows the contents of the command buffer.
Four. Sets the command buffer size.
Five. Completes a command entry.

Page 5: Packet Tracer Activity Explore the features of the Cisco IOS CLI. Click the Packet Tracer icon to begin. 5.3.2 - Using the Cisco IOS CLI Link to Packet Tracer Exploration: Exploring the Cisco IOS CLI

5.3.3 Using Show Commands

Page 1: The Cisco IOS CLI includes show commands that display relevant information about the configuration and operation of the device. Network technicians use the show commands extensively for viewing configuration files, checking the status of device interfaces and processes, and verifying the device operational status. Show commands are available whether the device was configured using the CLI or SDM.
The status of nearly every process or function of the router can be displayed using a show command. Some of the more popular show commands are:
• show running-config
• show interfaces
• show arp
• show ip route
• show protocols
• show version

5.3.3 - Using Show Commands The diagram depicts the following show commands.

show running-config
R1# show running-config
<Some output omitted>
Building configuration...
Current configuration : 1063 bytes
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname R1
enable secret 5 $1$i6w9$dvdpVM6zV10E^tSLdkR5/
no ip domain lookup
interface FastEthernet0/0
 description LAN 192.168.1.0 default gateway
 ip address 192.168.1.1 255.255.255.0
 duplex auto
 speed auto
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
interface Serial0/0/0
 description WAN link to R2
 encapsulation ppp
 clock rate 64000
 no fair-queue
interface Serial0/0/1
 no ip address
 shutdown
interface Vlan1
 no ip address
router rip
 version 2
 network 192.168.1.0
 network 192.168.2.0
banner motd ^C Unauthorized Access Prohibited ^C
ip http server
line con 0
 password cisco
 login
line aux 0
line vty 0 4
 password cisco
 login

show interfaces
R1# show interfaces
<Some output omitted>
FastEthernet0/0 is up, line protocol is up
  Hardware is Gt96k FE, address is 001b.5325.256e (bia 001b.5325.256e)
  Internet address is 192.168.1.1/24
  MTU 1500 bytes, BW 100000 Kbit, DLY 100 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Keepalive set (10 sec)
  Full-duplex, 100Mb/s, 100BaseTX/FX
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input 00:00:17, output 00:00:01, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     196 packets input, 31850 bytes
     Received 181 broadcasts, 0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     0 watchdog
     0 input packets with dribble condition detected
     392 packets output, 35239 bytes, 0 underruns
     0 output errors, 0 collisions, 3 interface resets
     0 babbles, 0 late collision, 0 deferred
     0 lost carrier, 0 no carrier
     0 output buffer failures, 0 output buffers swapped out
FastEthernet0/1 is administratively down, line protocol is down
Serial0/0/0 is up, line protocol is up
  Hardware is GT96K Serial
  Internet address is 192.168.2.1/24
  MTU 1500 bytes, BW 1544 Kbit, DLY 20000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation PPP, LCP Listen, loopback not set
  Keepalive set (10 sec)
  Last input 00:00:02, output 00:00:03, output hang never
  Last clearing of "show interface" counters 00:51:52
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     401 packets input, 27437 bytes, 0 no buffer
     Received 293 broadcasts, 0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
     389 packets output, 26940 bytes, 0 underruns
     0 output errors, 0 collisions, 2 interface resets
     0 output buffer failures, 0 output buffers swapped out
     6 carrier transitions
     DCD=up  DSR=up  DTR=up  RTS=up  CTS=up
Serial0/0/1 is administratively down, line protocol is down

show arp
R1# show arp
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  172.17.0.1              -   001b.5325.256e  ARPA   FastEthernet0/0
Internet  172.17.0.2             12   000b.db04.a5cd  ARPA   FastEthernet0/0

show ip route
R1# show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

C    192.168.1.0/24 is directly connected, FastEthernet0/0
C    192.168.2.0/24 is directly connected, Serial0/0/0
R    192.168.3.0/24 [120/1] via 192.168.2.2, 00:00:24, Serial0/0/0

show protocols
R1# show protocols
Global values:
  Internet Protocol routing is enabled
FastEthernet0/0 is up, line protocol is up
  Internet address is 192.168.1.1/24
FastEthernet0/1 is administratively down, line protocol is down
FastEthernet0/1/0 is up, line protocol is down
FastEthernet0/1/1 is up, line protocol is down
FastEthernet0/1/2 is up, line protocol is down
FastEthernet0/1/3 is up, line protocol is down
Serial0/0/0 is up, line protocol is up
  Internet address is 192.168.2.1/24
Serial0/0/1 is administratively down, line protocol is down
Vlan1 is up, line protocol is down

show version
R1# show version
<Some output omitted>
Cisco IOS Software, 1841 Software (C1841-ADVIPSERVICESK9-M), Version 12.4(10b), RELEASE SOFTWARE (fc3)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2007 by Cisco Systems, Inc.
Compiled Fri 19-Jan-07 15:15 by prod_rel_team

ROM: System Bootstrap, Version 12.4(13r)T, RELEASE SOFTWARE (fc1)

R1 uptime is 43 minutes
System returned to ROM by reload at 22:05:12 UTC Sat Jan 5 2008
System image file is "flash:c1841-advipservicesk9-mz.124-10b.bin"

Cisco 1841 (revision 6.0) with 174080K/22528K bytes of memory.
Processor board ID FTX1111WOQF
6 FastEthernet interfaces
2 Serial(sync/async) interfaces
1 Virtual Private Network (VPN) Module
DRAM configuration is 64 bits wide with parity disabled.
191K bytes of NVRAM.
62720K bytes of ATA CompactFlash (Read/Write)

Configuration register is 0x2102

Page 2: E-Lab Activity Use the show run and show interface commands to answer questions about the router configuration. Click the lab icon to begin. 5.3.3 - Using Show Commands Link to E-Lab: Viewing the Router Interface Information

Page 3: Packet Tracer Activity Use Cisco IOS show commands on a router located at the ISP. Click the Packet Tracer icon to begin. 5.3.3 - Using Show Commands Link to Packet Tracer Exploration: Using the Cisco IOS Show Commands

5.3.4 Basic Configuration

Page 1: The initial configuration of a Cisco IOS device involves configuring the device name and then the passwords that are used to control access to the various functions of the device.
A device should be given a unique name as one of the first configuration tasks. This task is accomplished in global configuration mode with the following command.
Router(config)# hostname [name]
When the Enter key is pressed, the prompt changes from the default host name, which is Router, to the newly configured host name.
The next configuration step is to configure passwords to prevent access to the device by unauthorized individuals. The enable password and enable secret commands are used to restrict access to privileged EXEC mode, preventing unauthorized users from making configuration changes to the router.
Router(config)# enable password [password]
Router(config)# enable secret [password]
The difference between the two commands is that the enable password is not encrypted by default. If the enable password is set, followed by the enable secret password, the enable secret command overrides the enable password command.
5.3.4 - Basic Configuration The diagram depicts an example of a basic router configuration, including the following types of commands: set device name, enable password, and enable encrypted password.
Set Device Name
Router(config)# hostname TokyoRouter
TokyoRouter(config)#
Enable Password
Router(config)# enable password san-fran
Enable Encrypted Password
Router(config)# enable secret password123

Page 2: Other basic configurations of a router include configuring a banner, enabling synchronous logging, and disabling domain lookup.
Banners
A banner is text that a user sees when initially logging on to the router. Configuring an appropriate banner is part of a good security plan. At a very minimum, a banner should warn against unauthorized access. Never configure a banner that welcomes an unauthorized user.
There are two types of banners: message-of-the-day (MOTD) and login information. The purpose for two separate banners is to be able to change one without affecting the entire banner message. To configure the banners, the commands are banner motd and banner login. For both types, a delimiting character, such as a #, is used at the beginning and at the end of the message. The delimiter allows the user to configure a multiline banner. If both banners are configured, the login banner appears after the MOTD but before the login credentials.
Synchronous Logging
The Cisco IOS software often sends unsolicited messages, such as a change in the state of a configured interface. Sometimes these messages occur in the middle of typing a command. The message does not affect the command, but can cause the user confusion when typing. To keep the unsolicited output separate from the typed input, the logging synchronous command can be entered in global configuration mode.
Disabling Domain Lookup
By default, when a host name is entered in enable mode, the router assumes that the user is attempting to telnet to a device. The router tries to resolve unknown names entered in enable mode by sending them to the DNS server. This process includes any words entered that the router does not recognize, including mistyped commands. If this capability is not wanted, the no ip domain-lookup command turns off this default feature.
5.3.4 - Basic Configuration The diagram depicts a New Connection SSH HyperTerminal window showing the following banner motd # command:
R1(config)# banner motd #
Enter TEXT message. End with the character '#'.
***** WARNING!! Unauthorized Access Prohibited!! *****
#

Page 3: There are multiple ways to access a device to perform configuration tasks. One of these ways is to use a PC attached to the console port on the device. This type of connection is frequently used for initial device configuration.
Setting a password for console connection access is done in global configuration mode. These commands prevent unauthorized users from accessing user mode from the console port.
Router(config)# line console 0
Router(config-line)# password [password]
Router(config-line)# login
When the device is connected to the network, it can be accessed over the network connection. When the device is accessed through the network, it is considered a vty connection. The password must be configured on the vty port.
Router(config)# line vty 0 4
Router(config-line)# password [password]
Router(config-line)# login
0 4 represents 5 simultaneous in-band connections. It is possible to set a different password for each connection by specifying specific line connection numbers, such as line vty 0.

To verify that the passwords are set correctly, use the show running-config command. These passwords are stored in the running configuration in clear text. It is possible to set encryption on all passwords stored within the router so that they are not easily read by unauthorized individuals. The global configuration command service password-encryption ensures that all passwords are encrypted.
Remember, if the running configuration is changed, it must be copied to the startup configuration file or the changes are lost when the device is powered down. To copy the changes made to the running configuration back to the stored startup configuration file, use the copy run start command.
5.3.4 - Basic Configuration The diagram depicts an example of a basic router configuration, including the following types of commands: console password, which is the password for a host with an out-of-band direct connection to the router console port; virtual terminal password, which is the password for a host with an in-band connection to a router over the network; and perform password encryption.
Console Password
Router(config)# line console 0
Router(config-line)# password cisco
Router(config-line)# login
Virtual Terminal Password
Router(config)# line vty 0 4
Router(config-line)# password cisco
Router(config-line)# login
Perform Password Encryption
Router(config)# service password-encryption
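As an added example (not course material and not a Cisco tool), the following Python script reads a running-config like the show running-config output in 5.3.3 and reports the points this section makes: whether privileged EXEC is protected by enable secret rather than enable password, whether the console and vty lines have a password and login, whether service password-encryption is on, and whether the MOTD banner warns rather than welcomes. The sample configuration is constructed from the page's output (hash replaced by a placeholder); the six-character minimum is the SDM Express value from 5.2.2.

```python
import re

# Constructed sample input, adapted from the show running-config output shown
# in 5.3.3; the enable secret hash is replaced by a placeholder.
SAMPLE_CONFIG = """\
version 12.4
no service password-encryption
hostname R1
enable secret 5 $1$PLACEHOLDER$hashvalue
no ip domain lookup
interface FastEthernet0/0
 description LAN 192.168.1.0 default gateway
 ip address 192.168.1.1 255.255.255.0
interface Serial0/0/0
 description WAN link to R2
 encapsulation ppp
banner motd ^C Unauthorized Access Prohibited ^C
ip http server
line con 0
 password cisco
 login
line aux 0
line vty 0 4
 password cisco
 login
"""

SDM_MIN_PASSWORD_LEN = 6  # the minimum SDM Express enforces (5.2.2)


def parse_sections(config):
    """Split an IOS running-config into (top-level command, [sub-lines]).
    Indented lines belong to the preceding top-level command; the body of a
    multi-line banner stays with its banner command until the delimiter."""
    sections, banner_delim = [], None
    for raw in config.splitlines():
        if banner_delim is not None:               # inside a multi-line banner
            sections[-1][1].append(raw)
            if banner_delim in raw:
                banner_delim = None
            continue
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw[0].isspace():
            if sections:
                sections[-1][1].append(raw.strip())
            continue
        sections.append((raw.strip(), []))
        m = re.match(r"banner\s+\w+\s+(\S)", raw)
        if m and raw.count(m.group(1)) < 2:        # delimiter not closed yet
            banner_delim = m.group(1)
    return sections


def audit_config(config):
    """Return findings for the hardening points of 5.3.4: a hashed enable
    secret, authenticated console/vty lines, encrypted line passwords and a
    MOTD banner that warns instead of welcoming."""
    sections = parse_sections(config)
    top = [cmd for cmd, _ in sections]
    findings = []

    if "no service password-encryption" in top:
        findings.append("line passwords are stored in clear text "
                        "(fix: service password-encryption)")

    has_secret = any(c.startswith("enable secret ") for c in top)
    has_enable_pw = any(c.startswith("enable password ") for c in top)
    if not has_secret and not has_enable_pw:
        findings.append("privileged EXEC mode has no password (fix: enable secret)")
    elif has_enable_pw and not has_secret:
        findings.append("enable password is set but not hashed (fix: enable secret)")

    for cmd, subs in sections:
        if not cmd.startswith("line ") or cmd.startswith("line aux"):
            continue                               # AUX port is outside the page's scope
        pw = next((s.split(" ", 1)[1] for s in subs if s.startswith("password ")), None)
        if pw is None or "login" not in subs:
            findings.append(f"{cmd}: access is not password protected "
                            "(fix: password <pw> and login)")
        elif len(pw) < SDM_MIN_PASSWORD_LEN:
            findings.append(f"{cmd}: password is shorter than "
                            f"{SDM_MIN_PASSWORD_LEN} characters")

    banner = next(((c, s) for c, s in sections if c.startswith("banner motd")), None)
    if banner is None:
        findings.append("no MOTD banner: add one that warns against unauthorized access")
    elif "welcome" in " ".join([banner[0]] + banner[1]).lower():
        findings.append("MOTD banner welcomes users; it must warn, not welcome")
    return findings


if __name__ == "__main__":
    for finding in audit_config(SAMPLE_CONFIG):
        print("-", finding)
```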

Page 4: Packet Tracer Activity Use Cisco IOS CLI to perform an initial router configuration. Click the Packet Tracer icon to begin. 5.3.4 - Basic Configuration Link to Packet Tracer Exploration: Performing an Initial Router Configuration.

5.3.5 Configuring An Interface

Page 1: To direct traffic from one network to another, router interfaces are configured to participate in each of the networks. A router interface connecting to a network will typically have an IP address and subnet mask assigned that is within the host range for the connected network.
There are different types of interfaces on a router. Serial and Ethernet interfaces are the most common. Local network connections use Ethernet interfaces. WAN connections require a serial connection through an ISP.
Unlike Ethernet interfaces, serial interfaces require a clock signal to control the timing of the communications, called a clock rate. In most environments, data communications equipment (DCE) devices, such as a modem or CSU/DSU, provide the clock rate. When a router connects to the ISP network using a serial connection, a CSU/DSU is required if the WAN is digital. A modem is required if the WAN is analog. These devices convert the data from the router into a form acceptable for crossing the WAN, and convert data from the WAN into an acceptable format for the router.
By default, Cisco routers are data terminal equipment (DTE) devices. Because the DCE devices control the timing of the communication with the router, the Cisco DTE devices accept the clock rate from the DCE device.
Though uncommon, it is possible to connect two routers directly together using a serial connection. In this instance, no CSU/DSU or modem is used, and one of the routers must be configured as a DCE device to provide clocking. If the router is connected as the DCE device, a clock rate must be set on the router interface to control the timing of the DCE/DTE connection.
5.3.5 - Configuring An Interface The diagram depicts a router (DTE) connected to a CSU/DSU (DCE) which connects to another CSU/DSU (DCE) across the Internet via a transmission line. The second CSU/DSU (DCE) connects to a second router (DTE).

Page 2: Configuring an interface on the router must be done from global configuration mode. Configuring an Ethernet interface is very similar to configuring a serial interface. One of the main differences is that a serial interface must have a clock rate set if it is acting as the DCE device. The steps to configure an interface are:

Step 1. Specify the type of interface and the interface port number.
Step 2. Specify a description of the interface.
Step 3. Configure the interface IP address and subnet mask.
Step 4. Set the clock rate, if configuring a serial interface as a DCE.
Step 5. Enable the interface.

After an interface is enabled, it may be necessary to turn it off for maintenance or troubleshooting. In this case, use the shutdown command.

When configuring the serial interface on a Cisco 1841, the serial interface is designated by three digits, C/S/P, where C = controller number, S = slot number and P = port number. The 1841 has two modular slots. The designation Serial0/0/0 indicates that the serial interface module is on controller 0, in slot 0, and that the interface to be used is the first one (0). The second interface is Serial0/0/1. The serial module is normally installed in slot 0 but may be installed in slot 1. If this is the case, the designation for the first serial interface would be Serial0/1/0 and the second would be Serial0/1/1. For built-in ports, such as the FastEthernet ports, the designation is two digits, C/P, where C = controller number and P = port number. The designation Fa0/0 represents controller 0 and interface 0.

5.3.5 - Configuring An Interface
The diagram depicts basic configuration commands for a FastEthernet and a Serial interface:

Router(config)# interface fastethernet 0/0
Router(config-if)# description connection to Admin LAN
Router(config-if)# ip address 192.168.2.1 255.255.255.0
Router(config-if)# no shutdown
Router(config-if)# exit
Router(config)# interface serial 0/0/0
Router(config-if)# description connection to Router 2
Router(config-if)# ip address 192.168.1.125 255.255.255.0
Router(config-if)# clock rate 64000
Router(config-if)# no shutdown

More Information Popup
On serial links that are directly interconnected, as in a lab environment, one side must be considered the DCE and provide a clocking signal. The clock is enabled and its speed is specified with the clock rate command. The available clock rates in bits per second are 1200, 2400, 9600, 19200, 38400, 56000, 64000, 72000, 125000, 148000, 500000, 800000, 1000000, 1300000, 2000000, or 4000000. Some bit rates might not be available on certain serial interfaces; this depends on the capacity of each interface. The commands that are used to set a clock rate and enable a serial interface are shown in the diagram.
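The five-step interface procedure above lends itself to a small generator that refuses the mistakes a technician would otherwise discover only after the link fails to come up. The following Python is an added example, not Cisco or course code: it builds the IOS lines in the page's step order, checks interface names against the 1841 convention described above (Serial C/S/P, FastEthernet C/P), rejects a network or broadcast address as the interface address, and accepts a clock rate only on a serial interface and only from the list the page gives. The function and constant names are this example's own.

```python
"""Generate and sanity-check Cisco IOS interface configuration lines.

Added example for the five-step interface procedure; not Cisco or course
code. Interface names follow the 1841 convention (Serial C/S/P,
FastEthernet C/P) and the clock rate list is the one the page gives.
"""
import ipaddress
import re

# Clock rates (bits per second) the page lists for the clock rate command.
VALID_CLOCK_RATES = {
    1200, 2400, 9600, 19200, 38400, 56000, 64000, 72000, 125000, 148000,
    500000, 800000, 1000000, 1300000, 2000000, 4000000,
}

# Serial ports are controller/slot/port; built-in FastEthernet ports are controller/port.
_SERIAL_RE = re.compile(r"^[Ss]erial(\d)/(\d)/(\d)$")
_FASTETHERNET_RE = re.compile(r"^(?:[Ff]ast[Ee]thernet|[Ff]a)(\d)/(\d)$")


def parse_interface_name(name):
    """Return ('serial', (c, s, p)) or ('fastethernet', (c, p)); reject anything else."""
    m = _SERIAL_RE.match(name)
    if m:
        return "serial", tuple(int(x) for x in m.groups())
    m = _FASTETHERNET_RE.match(name)
    if m:
        return "fastethernet", tuple(int(x) for x in m.groups())
    raise ValueError("unrecognised interface name: %s" % name)


def interface_config(name, ip, mask, description=None, dce_clock_rate=None):
    """Return the IOS lines that configure one interface, in the page's step order.

    dce_clock_rate is set only when this end of a serial link is the DCE; it is
    rejected on an Ethernet interface and when it is not one of the listed rates.
    """
    kind, nums = parse_interface_name(name)
    # IPv4Interface validates the address/mask pair; we also refuse the
    # network and broadcast addresses, which are never valid host addresses.
    iface = ipaddress.IPv4Interface("%s/%s" % (ip, mask))
    if iface.ip in (iface.network.network_address, iface.network.broadcast_address):
        raise ValueError("%s is not a usable host address in %s" % (ip, iface.network))

    lines = ["interface %s %s" % (kind, "/".join(str(n) for n in nums))]  # Step 1
    if description:
        lines.append(" description %s" % description)                    # Step 2
    lines.append(" ip address %s %s" % (iface.ip, iface.netmask))          # Step 3
    if dce_clock_rate is not None:                                          # Step 4
        if kind != "serial":
            raise ValueError("clock rate applies only to serial interfaces")
        if dce_clock_rate not in VALID_CLOCK_RATES:
            raise ValueError("%d is not an available clock rate" % dce_clock_rate)
        lines.append(" clock rate %d" % dce_clock_rate)
    lines.append(" no shutdown")                                            # Step 5
    return lines


if __name__ == "__main__":
    for line in interface_config("FastEthernet0/0", "192.168.2.1", "255.255.255.0",
                                 "connection to Admin LAN"):
        print(line)
    for line in interface_config("Serial0/0/0", "192.168.1.125", "255.255.255.0",
                                 "connection to Router 2", dce_clock_rate=64000):
        print(line)
```

Running the block prints the two interface sections from the diagram; passing a clock rate with an Ethernet name, or a rate such as 65000 that is not in the list, raises before any line is produced.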

Page 3: E-Lab Activity Configure the serial interfaces on two routers.

Click the icon to begin. 5.3.5 - Configuring An Interface Link to E-Lab: Configuring a Serial Interface on Routers for Communication.

Page 4: Packet Tracer Activity Configure the Ethernet and Serial interfaces of a router. Click the Packet Tracer icon to begin. 5.3.5 - Configuring An Interface Link to Packet Tracer Exploration: Configuring Ethernet and Serial Interfaces.

Page 5: Lab Activity Configure basic settings on a router using the Cisco IOS CLI. Click the lab icon to begin. 5.3.5 - Configuring An Interface Link to Hands-on Lab: Configuring Basic Router Settings with the Cisco IOS CLI.

5.3.6 Configuring a Default Route
Page 1: A router forwards packets from one network to another based on the destination IP address specified in the packet. It examines the routing table to determine where to forward the packet to reach the destination network. If the router does not have a route to a specific network in its routing table, a default route can be configured to tell the router how to forward the packet. The default route is used by the router only if the router does not know where to send a packet. Usually, the default route points to the next-hop router on the path to the Internet. The information needed to configure the default route is the IP address of the next-hop router, or the interface that the router uses to forward traffic with an unknown destination network. Configuring the default route on a Cisco ISR must be done in global configuration mode.

Router(config)# ip route 0.0.0.0 0.0.0.0 [next-hop-IP-address]
or
Router(config)# ip route 0.0.0.0 0.0.0.0 [interface-type] [number]

5.3.6 - Configuring a Default Route
The diagram depicts the configuration of a default route. Router 1's S0/0/0 interface, with IP address 192.168.1.4, is connected to Router 2's S0/0/1 interface, with IP address 192.168.1.5.

Configure a Default Route
Router1(config)# ip route 0.0.0.0 0.0.0.0 192.168.1.5
OR
Router1(config)# ip route 0.0.0.0 0.0.0.0 S0/0/0
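The statement that the default route is used "only if the router does not know where to send a packet" is a consequence of longest-prefix matching: a 0.0.0.0/0 entry matches every destination but has prefix length zero, so any more specific route beats it. The following Python is an added example, not course code, that performs that lookup over a constructed table built from the diagram (Router 1's S0/0/0 at 192.168.1.4 facing Router 2's S0/0/1 at 192.168.1.5, with the default route pointing at 192.168.1.5); the 192.168.2.0/24 LAN entry and the function names are this example's assumptions.

```python
"""Longest-prefix route lookup showing when the default route is used.

Added example, not course code. The table is constructed from the diagram;
the 192.168.2.0/24 LAN is an assumption.
"""
import ipaddress

# (prefix, next hop or exit interface); the last entry is
# "ip route 0.0.0.0 0.0.0.0 192.168.1.5" from the diagram.
CONSTRUCTED_ROUTES = [
    ("192.168.2.0/24", "FastEthernet0/0"),  # directly connected LAN (assumed)
    ("192.168.1.0/24", "Serial0/0/0"),      # directly connected WAN link
    ("0.0.0.0/0", "192.168.1.5"),           # default route (gateway of last resort)
]


def build_table(routes=CONSTRUCTED_ROUTES):
    """Parse (prefix, next_hop) pairs into network objects."""
    return [(ipaddress.ip_network(prefix), next_hop) for prefix, next_hop in routes]


def lookup(destination, table=None):
    """Return (matching prefix, next hop) using longest-prefix match.

    The default route has prefix length 0, so it matches every destination but
    loses to any more specific route; it wins only when nothing else matches.
    Returns None when no route (not even a default) covers the destination.
    """
    if table is None:
        table = build_table()
    addr = ipaddress.ip_address(destination)
    best = None
    for net, next_hop in table:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return (str(best[0]), best[1]) if best else None


def default_route_command(next_hop_or_interface):
    """The global-configuration command that installs a default route."""
    return "ip route 0.0.0.0 0.0.0.0 %s" % next_hop_or_interface


if __name__ == "__main__":
    for dest in ("192.168.2.77", "192.168.1.5", "203.0.113.9"):
        print(dest, "->", lookup(dest))
```

With the table as built, a LAN or WAN-link destination resolves to the connected interface, an Internet destination falls through to 192.168.1.5, and the same Internet destination resolves to nothing at all if the default entry is left out.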

Page 2: Packet Tracer Activity Configure a default route on routers in a medium-sized business network topology. Click the Packet Tracer icon to begin. 5.3.6 - Configuring a Default Route Link to Packet Tracer Exploration: Configuring a Default Route.

5.3.7 Configuring DHCP Services
Page 1: The Cisco IOS CLI can be used to configure a router to function as a DHCP server. Using a router configured with DHCP simplifies the management of IP addresses on a network. The administrator needs to update only a single, central router when IP configuration parameters change.

Configuring DHCP using the CLI is a little more complex than configuring it using SDM. There are eight basic steps to configuring DHCP using the CLI.

Step 1. Create a DHCP address pool.
Step 2. Specify the network or subnet.
Step 3. Exclude specific IP addresses.
Step 4. Specify the domain name.
Step 5. Specify the IP address of the DNS server.
Step 6. Set the default gateway.
Step 7. Set the lease duration.
Step 8. Verify the configuration.

5.3.7 - Configuring DHCP Services
The diagram depicts the eight steps used to configure DHCP services.

Step 1: Create DHCP Address Pool
Navigate to privileged EXEC mode, enter the password if prompted, and then enter global configuration mode. Now create a name for the DHCP server address pool. More than one address pool can exist on a router. The Cisco IOS CLI enters DHCP pool configuration mode. Use these commands:
Router> enable
Router# configure terminal
Router(config)# ip dhcp pool LAN-address
Router(dhcp-config)#
This example creates an address pool named LAN-address.

Step 2: Specify the Network or Subnet
Specify the network number and the subnet mask of the DHCP address pool. Use this command:
Router(dhcp-config)# network 172.16.0.0 255.255.0.0
Depending on the version of IOS, the subnet mask may also be specified using the prefix convention /16.

Step 3: Exclude IP Addresses
Recall that the DHCP server assumes that all other IP addresses in a DHCP address pool subnet are available for assigning to DHCP clients. Exclude addresses from the pool so the DHCP server does not allocate those IP addresses. If a range of addresses is to be excluded, only the starting address and ending address need to be entered. This command is entered in global configuration mode:
Router(config)# ip dhcp excluded-address 172.16.1.100 172.16.1.103
The example shown excludes the four addresses 172.16.1.100, 172.16.1.101, 172.16.1.102, and 172.16.1.103 from being given out to hosts by DHCP. These addresses can be statically assigned by the administrator.

Step 4: Specify the Domain Name
Now specify the domain name for the client. Use this command:
Router(dhcp-config)# domain-name cisco.com
Clients in this example receive the domain name cisco.com as part of their DHCP configuration. The domain name is an optional DHCP configuration parameter and is not necessary for DHCP to function. The network administrator can provide information as to whether or not a domain name is necessary.

Step 5: DNS Server IP Address
Now specify the IP address of a DNS server that is available to a DHCP client. One IP address is required. Up to eight IP addresses can be configured on one line. If listing more than one DNS server, list the servers in order of importance. Use this command:
Router(dhcp-config)# dns-server 172.16.1.103 172.16.2.103
In this example, there are two DNS servers that clients can use, a primary server and a secondary server. At least one DNS server must be configured for hosts to resolve host names and URLs in order to access services on the network.

Step 6: Set the Default Gateway
Now specify the IP address of the default router for the DHCP clients on the network. Typically this is the LAN IP address of the router. This command sets the default gateway for the client devices on the network that use DHCP. After a DHCP client has booted, the client begins sending packets to its default router. The IP address must be on the same subnet as the client IP addresses given out by the router. One IP address is required. Use this command:
Router(dhcp-config)# default-router 172.16.1.100
Clients in this example use the router interface 172.16.1.100 as their default gateway.

Step 7: Set the Lease Duration
DHCP gives out IP address information each time a host powers on and connects to the network. The default time that a client IP address is reserved for a specific host is one day. If the host does not renew its address, the reservation ends and the IP address is again available to be given out through DHCP. It is possible to change the lease timer to a longer period of time, if necessary. This is the last step in configuring a DHCP service on a router. Use the end command to finish the DHCP configuration and return to privileged EXEC mode. Use these commands:
Router(dhcp-config)# lease {days [hours] [minutes] | infinite}
Router(dhcp-config)# end

Step 8: Verify the Configuration
Verify the DHCP configuration by viewing the running configuration. To do this use the command:
Router# show running-config
Here is an example of the DHCP part of the configuration running on a DHCP-enabled router:
ip dhcp excluded-address 172.16.1.100 172.16.1.103
!
ip dhcp pool LAN-address
 network 172.16.0.0 255.255.0.0
 domain-name cisco.com
 dns-server 172.16.1.103 172.16.2.103
 default-router 172.16.1.100
 lease infinite
When the configuration is correct, copy the running configuration to the startup configuration.
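Two of the rules stated in the eight steps are easy to get wrong and are not caught by the router's syntax check: the default router must lie on the subnet the pool hands out, and addresses the administrator assigns statically (the gateway first among them) must be excluded or DHCP may lease them to a client. The following Python is an added example, not Cisco or course code, that models a pool with the page's values (172.16.0.0 255.255.0.0, exclusions 172.16.1.100 to 172.16.1.103, DNS 172.16.1.103 and 172.16.2.103, gateway 172.16.1.100, domain cisco.com, lease infinite), reports such inconsistencies, counts the addresses left to lease, and emits the running-config fragment shown in step 8. The check rules and all names are this example's own.

```python
"""Model the eight-step DHCP pool and check it before it is committed.

Added example, not Cisco or course code. The values are the page's; the
checks and the names are this example's own.
"""
import ipaddress


def expand_exclusions(excluded_ranges):
    """Turn (low, high) pairs from ip dhcp excluded-address into a set of addresses."""
    excluded = set()
    for low, high in excluded_ranges:
        a = ipaddress.ip_address(low)
        b = ipaddress.ip_address(high) if high else a
        if b < a:
            raise ValueError("excluded range %s-%s is reversed" % (low, high))
        excluded.update(ipaddress.ip_address(i) for i in range(int(a), int(b) + 1))
    return excluded


def check_pool(network, mask, default_router, dns_servers, excluded_ranges):
    """Return a list of problems; an empty list means the pool is consistent."""
    problems = []
    net = ipaddress.ip_network("%s/%s" % (network, mask), strict=True)
    gateway = ipaddress.ip_address(default_router)
    excluded = expand_exclusions(excluded_ranges)
    if gateway not in net:
        problems.append("default-router %s is not on subnet %s" % (gateway, net))
    elif gateway not in excluded:
        # Not an IOS syntax error, but the router's own address would be leasable.
        problems.append("default-router %s is not excluded from the pool" % gateway)
    if not 1 <= len(dns_servers) <= 8:
        problems.append("one to eight dns-server addresses are required")
    for addr in sorted(excluded):
        if addr not in net:
            problems.append("excluded address %s is outside %s" % (addr, net))
    return problems


def assignable_count(network, mask, excluded_ranges):
    """Host addresses the pool can still lease after exclusions."""
    net = ipaddress.ip_network("%s/%s" % (network, mask), strict=True)
    excluded = expand_exclusions(excluded_ranges)
    usable = net.num_addresses - 2  # network and broadcast are never leased
    return usable - sum(1 for a in excluded if a in net
                        and a not in (net.network_address, net.broadcast_address))


def pool_config(name, network, mask, default_router, dns_servers, excluded_ranges,
                domain_name=None, lease="infinite"):
    """Emit the running-config fragment the page shows for these settings.

    lease is "infinite" or a (days, hours, minutes) tuple for the lease command.
    """
    lines = []
    for low, high in excluded_ranges:
        lines.append("ip dhcp excluded-address %s" % (low if not high else "%s %s" % (low, high)))
    lines.append("ip dhcp pool %s" % name)
    lines.append(" network %s %s" % (network, mask))
    if domain_name:
        lines.append(" domain-name %s" % domain_name)
    lines.append(" dns-server %s" % " ".join(dns_servers))
    lines.append(" default-router %s" % default_router)
    if lease == "infinite":
        lines.append(" lease infinite")
    else:
        lines.append(" lease %s" % " ".join(str(n) for n in lease))
    return lines


# The page's pool, as keyword arguments.
PAGE_POOL = dict(network="172.16.0.0", mask="255.255.0.0", default_router="172.16.1.100",
                 dns_servers=["172.16.1.103", "172.16.2.103"],
                 excluded_ranges=[("172.16.1.100", "172.16.1.103")])

if __name__ == "__main__":
    print("problems:", check_pool(**PAGE_POOL))
    print("assignable:", assignable_count("172.16.0.0", "255.255.0.0", PAGE_POOL["excluded_ranges"]))
    print("\n".join(pool_config("LAN-address", domain_name="cisco.com", **PAGE_POOL)))
```

For the page's pool the check list is empty and 65,530 addresses remain leasable (65,534 hosts in the /16 less the four excluded). Changing the gateway to an address outside 172.16.0.0/16, or to an address inside it that is not excluded, produces a problem line each.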

Page 2: Packet Tracer Activity Configure a router as a DHCP server for attached clients. Click the Packet Tracer icon to begin. 5.3.7 - Configuring DHCP Services Link to Packet Tracer Exploration: Configuring a Cisco Router as a DHCP server

Page 3: Lab Activity Use the Cisco SDM and IOS CLI to configure a router as a DHCP server.

Click the lab icon to begin. 5.3.7 - Configuring DHCP Services Link to Hands-on Lab: Configuring DHCP with SDM and the Cisco IOS CLI

5.3.8 Configuring Static NAT Using Cisco IOS CLI
Page 1: NAT enables hosts with internal private addresses to communicate on the Internet. When configuring NAT, at least one interface must be configured as the inside interface. The inside interface is connected to the internal, private network. Another interface, usually the external interface used to access the Internet, must be configured as the outside interface. When devices on the internal network communicate out through the external interface, the addresses are translated to one or more registered IP addresses.

There are occasions when a server located on an internal network must be accessible from the Internet. This accessibility requires that the server has a specific registered address that external users can specify. One way to provide this address to an internal server is to configure a static translation. Static NAT ensures that addresses assigned to hosts on the internal network are always translated to the same registered IP address.

Configuring NAT and static NAT using the Cisco IOS CLI requires a number of steps.

Step 1. Specify the inside interface.
Step 2. Set the primary IP address of the inside interface.
Step 3. Identify the inside interface using the ip nat inside command.
Step 4. Specify the outside interface.
Step 5. Set the primary IP address of the outside interface.
Step 6. Identify the outside interface using the ip nat outside command.
Step 7. Define the static address translation.
Step 8. Verify the configuration.

5.3.8 - Configuring Static NAT Using Cisco IOS CLI
The diagram depicts the steps used to configure static NAT using the Cisco IOS CLI.

Step 1: Specify the inside interface
To begin configuring NAT services on a Cisco router, navigate to privileged EXEC mode, enter the password if prompted, and then enter global configuration mode. Specify which interface is connected to the inside local network. Doing this enters interface configuration mode. Use these commands:
Router> enable
Router# configure terminal
Router(config)# interface fastethernet 0/0

Step 2: Set the primary IP address of the inside interface
Use this command to set the primary IP address for the inside interface:
Router(config-if)# ip address 172.31.232.182 255.255.255.0

Step 3: Identify the inside interface using the ip nat inside command
Now identify this interface as the interface connected to the inside of the network, enable it, and then exit interface configuration mode and return to global configuration mode. Use these commands:
Router(config-if)# ip nat inside
Router(config-if)# no shutdown
Router(config-if)# exit

Step 4: Specify the outside interface
Configure the outside interface. Specify the interface connecting to the Internet Service Provider, which enters interface configuration mode. Use this command:
Router(config)# interface serial 0/0

Step 5: Set the primary IP address of the outside interface
Use this command to set the primary IP address for the outside interface:
Router(config-if)# ip address 209.165.201.1 255.255.255.252

Step 6: Identify the outside interface using the ip nat outside command
Now identify this interface as the interface connected to the outside of the network, enable it, and then exit interface configuration mode and return to global configuration mode. Use these commands:
Router(config-if)# ip nat outside
Router(config-if)# no shutdown
Router(config-if)# exit

Step 7: Define the static address translation
Use this command to create the translation:
Router(config)# ip nat inside source static 172.31.232.14 209.165.202.130
Router(config)# exit
In this example, a server with the inside address 172.31.232.14 is always translated to the external address 209.165.202.130. When finished, exit global configuration mode.

Step 8: Verify the configuration
Verify the static NAT configuration. Use this command:
Router# show running-config
Here is an example:
interface fastethernet 0/0
 ip address 172.31.232.182 255.255.255.0
 ip nat inside
interface serial 0/0
 ip address 209.165.201.1 255.255.255.252
 ip nat outside
ip nat inside source static 172.31.232.14 209.165.202.130
Be sure to save the running configuration to the startup configuration.

Page 2: There are several router CLI commands to view NAT operations for verification and troubleshooting. One of the most useful commands is show ip nat translations. The output displays the detailed NAT assignments. The command shows all static translations that have been configured and any dynamic translations that have been created by traffic. Each translation is identified by protocol and by its inside and outside local and global addresses. The show ip nat statistics command displays information about the total number of active translations, NAT configuration parameters, how many addresses are in the pool, and how many have been allocated.

Additionally, use the show run command to view NAT configurations. By default, if dynamic NAT is configured, translation entries time out after 24 hours. It is sometimes useful to clear the dynamic entries sooner than 24 hours. This is especially true when testing the NAT configuration. To clear dynamic entries before the timeout has expired, use the clear ip nat translation * command in privileged EXEC (enable) mode. Only the dynamic translations are removed from the table. Static translations cannot be cleared from the translation table.

5.3.8 - Configuring Static NAT Using Cisco IOS CLI
The diagram depicts a man sitting at his workstation verifying NAT operations by entering show ip nat translations at the router CLI. The output from the show ip nat translations command displays the detailed NAT assignments: all static translations that have been configured and any dynamic translations that have been created by traffic, each identified by protocol and by its inside and outside local and global addresses. The show ip nat statistics command displays information about the total number of active translations, NAT configuration parameters, how many addresses are in the pool, and how many have been allocated.
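The difference between a static translation (step 7 of the previous page) and the dynamic entries that traffic creates is what makes the verification commands above behave as they do: clear ip nat translation * empties only the dynamic half of the table, and only dynamic entries age out. The following Python is an added example, not Cisco IOS or course code, that simulates that table. It uses the page's static mapping of 172.31.232.14 to 209.165.202.130; the two-address dynamic pool, the inside hosts and the method names are constructed for the example, and the 24-hour timeout is the default the page states.

```python
"""Simulate the NAT translation table behaviour the page describes.

Added example, not Cisco IOS or course code. Static entries survive
clear ip nat translation *; dynamic entries are created by traffic and
time out after 24 hours by default. The dynamic pool is constructed.
"""
import ipaddress

DYNAMIC_TIMEOUT = 24 * 60 * 60  # default dynamic translation timeout, in seconds


class NatTable:
    def __init__(self, dynamic_pool):
        self.static = {}               # inside local -> inside global, configured
        self.dynamic = {}              # inside local -> (inside global, last used time)
        self.free = set(dynamic_pool)  # registered addresses not currently allocated
        self.pool_size = len(self.free)

    def add_static(self, inside_local, inside_global):
        """ip nat inside source static <inside local> <inside global>"""
        self.static[inside_local] = inside_global

    def translate(self, inside_local, now):
        """Inside global address used for a packet from inside_local at time now."""
        if inside_local in self.static:
            return self.static[inside_local]
        self.expire(now)
        if inside_local in self.dynamic:
            inside_global = self.dynamic[inside_local][0]
        else:
            if not self.free:
                raise RuntimeError("NAT pool exhausted")
            inside_global = min(self.free, key=ipaddress.ip_address)
            self.free.remove(inside_global)
        self.dynamic[inside_local] = (inside_global, now)  # (re)start the idle timer
        return inside_global

    def expire(self, now):
        """Remove dynamic entries idle for DYNAMIC_TIMEOUT or longer."""
        for local, (inside_global, last_used) in list(self.dynamic.items()):
            if now - last_used >= DYNAMIC_TIMEOUT:
                del self.dynamic[local]
                self.free.add(inside_global)

    def clear_dynamic(self):
        """clear ip nat translation * : drops dynamic entries only, never static ones."""
        for inside_global, _ in self.dynamic.values():
            self.free.add(inside_global)
        self.dynamic.clear()

    def show_translations(self):
        """Rows like show ip nat translations: (inside global, inside local, kind)."""
        rows = [(g, l, "static") for l, g in sorted(self.static.items())]
        rows += [(g, l, "dynamic") for l, (g, _) in sorted(self.dynamic.items())]
        return rows

    def statistics(self):
        """Counts in the spirit of show ip nat statistics."""
        return {"active": len(self.static) + len(self.dynamic),
                "pool": self.pool_size, "allocated": self.pool_size - len(self.free)}


if __name__ == "__main__":
    nat = NatTable(["209.165.202.131", "209.165.202.132"])  # constructed dynamic pool
    nat.add_static("172.31.232.14", "209.165.202.130")
    nat.translate("172.31.232.20", now=0)
    print(nat.show_translations(), nat.statistics())
    nat.clear_dynamic()
    print(nat.show_translations(), nat.statistics())
```

After the clear, the server's static row is still listed and the dynamic pool is fully free again; a dynamic host that sends traffic again simply gets a fresh entry, which is why clearing is a safe way to re-test a NAT configuration.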

Page 3: Packet Tracer Activity Configure static NAT on a router. Click the Packet Tracer icon to begin. 5.3.8 - Configuring Static NAT Using Cisco IOS CLI Link to Packet Tracer Exploration: Configuring Static NAT on a Cisco Router.

Page 4: Lab Activity Configure PAT using Cisco SDM and static NAT using Cisco IOS CLI. Click the lab icon to begin.

5.3.8 - Configuring Static NAT Using Cisco IOS CLI Link to Hands-on Lab: Configuring PAT with SDM and Static NAT using Cisco IOS Commands.

5.3.9 Backing Up a Cisco Router Configuration
Page 1: After a router is configured, the running configuration should be saved to the startup configuration file. It is also a good idea to save the configuration file in another location, such as a network server. If the NVRAM fails or becomes corrupt and the router cannot load the startup configuration file, another copy is available. There are multiple ways that a configuration file can be saved. One way configuration files can be saved to a network server is using TFTP. The TFTP server must be accessible to the router via a network connection.

Step 1. Enter the copy startup-config tftp command.
Step 2. Enter the IP address of the host where the configuration file will be stored.
Step 3. Enter the name to assign to the configuration file or accept the default.
Step 4. Confirm each choice by answering yes.

The running configuration can also be stored on a TFTP server using the copy running-config tftp command.

To restore the backup configuration file, the router must have at least one interface configured and be able to access the TFTP server over the network.

Step 1. Enter the copy tftp running-config command.
Step 2. Enter the IP address of the remote host where the TFTP server is located.
Step 3. Enter the name of the configuration file or accept the default name.
Step 4. Confirm the configuration filename and the TFTP server address.
Step 5. Using the copy run start command, copy the running configuration to the startup configuration file to ensure that the restored configuration is saved.

When restoring your configuration, it is possible to copy the TFTP file to the startup configuration file. However, this requires a router reboot in order to load the startup configuration file into the running configuration.

5.3.9 - Backing Up a Cisco Router Configuration
The diagram depicts the process of copying the configuration to and from a TFTP server by saving and restoring a configuration.

Saving a Configuration (HyperTerminal window)
Router# copy startup-config tftp
Address or name of remote host []? 10.10.10.1
Destination filename [router-config]? tokyo.2
Write file tokyo.2 to 10.10.10.1 [confirm]
Writing tokyo.2 !!!!!! [OK]
Router#

Restoring a Configuration (HyperTerminal window)
Router# copy tftp running-config
Address or name of remote host []? 131.108.2.155
Source filename []? tokyo.2
Destination filename [running-config]? y
Accessing tftp://131.108.2.155/tokyo.2

Page 2: Another way to create a backup copy of the configuration is to capture the output of the show running-config command. To do this from the terminal session, copy the output, paste it into a text file, and then save the text file. The following steps are used to capture the configuration from a HyperTerminal screen.

Step 1. Select Transfer.
Step 2. Select Capture Text.
Step 3. Specify a name for the text file to capture the configuration.
Step 4. Select Start to start capturing text.
Step 5. Use the show running-config command to display the configuration on the screen.
Step 6. Press the spacebar when each "--More--" prompt appears.

After the complete configuration has been displayed, the following steps stop the capture.

Step 1. Select Transfer.
Step 2. Select Capture Text.
Step 3. Select Stop.

After the capture is complete, the configuration file must be edited to remove extra text, such as the "building configuration" Cisco IOS message. Also, the no shutdown command must be added to the end of each interface section. Click File > Save to save the configuration. The configuration file can be edited with a text editor such as Notepad.

The backup configuration can be restored from a HyperTerminal session. Before the configuration is restored, any other configurations should be removed from the router using the erase startup-config command at the privileged EXEC prompt. The router is then restarted using the reload command. The following steps copy the backup configuration to the router.

Step 1. Enter router global configuration mode.
Step 2. Select Transfer > Send Text File in HyperTerminal.
Step 3. Select the name of the file for the saved backup configuration.
Step 4. Save the restored running configuration to the startup configuration with the copy run start command.

5.3.9 - Backing Up a Cisco Router Configuration
The diagram depicts a HyperTerminal window with the Transfer drop-down menu open, then Capture Text, then the Stop menu item. Output from commands previously entered is captured.
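The manual edit described above (remove the "building configuration" message, append no shutdown to every interface section) is exactly the kind of step that gets skipped under time pressure, and a restored configuration whose interfaces stay shut down is a common result. The following Python is an added example, not course code, that applies those edits to a captured show running-config and lets the technician review each interface section before sending the file. The capture it operates on is constructed for the example, and the cleaning rules (which also drop the "Current configuration" line, --More-- prompts and the echoed command) and function names are this example's own.

```python
"""Clean a running-config captured from HyperTerminal so it can be sent back.

Added example, not course code: applies the edits the page calls for,
removing the "Building configuration..." banner (plus the "Current
configuration" line, --More-- prompts and the echoed command) and
appending no shutdown to the end of each interface section.
"""
import re

# Constructed capture of "show running-config" with the noise a real session adds.
SAMPLE_CAPTURE = """\
Router# show running-config
Building configuration...

Current configuration : 612 bytes
!
hostname Router
!
interface FastEthernet0/0
 description connection to Admin LAN
 ip address 192.168.2.1 255.255.255.0
!
 --More-- 
interface Serial0/0/0
 description connection to Router 2
 ip address 192.168.1.125 255.255.255.0
 clock rate 64000
!
ip route 0.0.0.0 0.0.0.0 192.168.1.5
!
end
"""

# Lines that are terminal or IOS output, not configuration commands.
NOISE = re.compile(r"^(Building configuration|Current configuration|\s*--More--|\S+#\s*show\b)")


def clean_capture(text):
    """Return the configuration lines ready to paste into global configuration mode."""
    cleaned, in_interface = [], False
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or NOISE.match(line):
            continue
        # A line that is not indented ends the current interface section.
        if in_interface and not line.startswith(" "):
            cleaned.append(" no shutdown")
            in_interface = False
        cleaned.append(line)
        if line.startswith("interface "):
            in_interface = True
    if in_interface:  # capture ended inside an interface section
        cleaned.append(" no shutdown")
    return cleaned


def interface_sections(lines):
    """Map each interface name to its sub-commands, for a quick review before sending."""
    sections, current = {}, None
    for line in lines:
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            sections[current] = []
        elif line.startswith(" ") and current:
            sections[current].append(line.strip())
        else:
            current = None
    return sections


if __name__ == "__main__":
    print("\n".join(clean_capture(SAMPLE_CAPTURE)))
```

On the sample capture the banner, byte count, echoed command and the --More-- prompt disappear, and both interface sections end in no shutdown; interface_sections gives a per-interface view that makes a missing address or clock rate obvious before the file is sent.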

Page 3: Packet Tracer Activity Back up the running configuration to a TFTP server.

Click the Packet Tracer icon to begin. 5.3.9 - Backing Up a Cisco Router Configuration Link to Packet Tracer Exploration: Backing Up a Cisco Router Configuration to a TFTP Server.

Page 4: Lab Activity Use HyperTerminal to save and load the running configuration. Click the lab icon to begin. 5.3.9 - Backing Up a Cisco Router Configuration Link to Hands-on Lab: Managing Router Configuration Files Using HyperTerminal.

Page 5: Lab Activity Use TFTP to save and load the running configuration. Click the lab icon to begin. 5.3.9 - Backing Up a Cisco Router Configuration Link to Hands-on Lab: Managing Router Configuration Files Using TFTP

5.4 Connecting the CPE to the ISP
5.4.1 Installing the CPE
Page 1: One of the main responsibilities of an on-site network technician is to install and upgrade equipment located at a customer home or business. Network devices installed at the customer location are called customer premises equipment (CPE) and include devices such as routers, modems, and switches.

The installation or upgrade of a router can be disruptive for a business. Many businesses rely on the Internet for their correspondence and have e-commerce services that must be accessed during the day. Planning the installation or upgrade is a critical step in ensuring successful operation. Additionally, planning enables options to be explored on paper, where it is easy and inexpensive to correct errors.

The ISP technical staff usually meets with business customers for planning. During planning sessions, the technician determines the configuration of the router to meet customer needs and the network software that may be affected by the new installation or upgrade. The technician works with the IT personnel of the customer to decide which router configuration to use and to develop the procedure that verifies the router configuration. From this information, the technician completes a configuration checklist.

The configuration checklist provides a list of the most commonly configured components. It typically includes an explanation of each component and the configuration setting. The list is a tool for ensuring that everything is configured correctly on new router installations. It is also helpful for troubleshooting previously configured routers. There are many different formats for configuration checklists, including some that are quite complex. ISPs should ensure that support technicians have, and know how to use, router configuration checklists.

5.4.1 - Installing the CPE
The diagram depicts a blank work order form with a brief description of the following fields.

Date and Work Order: Used to record the date that the configuration checklist is issued and a number used to track the contract work.
ISP Contact: The name and telephone number of the ISP representative, if any questions or concerns arise.
Customer: The name of the company or customer.
Customer Contact: The name and telephone number of the person at the customer site responsible for the project.
Router Manufacturer and Model: The router manufacturer and model number.
Router Serial Number: The router serial number.
Configured Basic Parameters: Check here to confirm that basic router parameters are configured. Cisco SDM can be used to configure basic parameters, if supported by the device.
Configured Global Parameters: Check here to confirm that the global parameters are configured, including the host name of the router, a privileged mode password, and disabling the router from recognizing typing mistakes as commands.
Configured Fast Ethernet LAN Interfaces: Check here to confirm that the Fast Ethernet LAN interfaces have been configured.
Configured WAN Interfaces: Check here to confirm that the WAN interfaces have been configured.
Configured Command-Line Access to the Router: Check here to confirm that the parameters used to control Cisco IOS CLI access to the router have been configured. This includes the interval of time that the EXEC command interpreter waits until user input is detected.
Configured Static Routes: Check here to confirm that the static routes are configured. An ISP may use a separate sheet to detail each static route configured. Static routes are manually configured on the router and must be changed manually if new routes are required.
Configured Dynamic Routing Protocols: Check here to confirm that the dynamic routing protocols are configured. In dynamic routing, the network protocol adjusts the path automatically, based on network traffic or topology. Changes in dynamic routes are shared with other routers in the network.
Configured Security Features: Check here to confirm that security features on the router are configured. The Cisco SDM configuration tool makes it easy to configure the basic security features. Configuring security features using the Cisco IOS CLI requires in-depth knowledge of the Cisco IOS security commands.

Page 2: When new equipment is required, the devices are typically configured and tested at the ISP site before being installed at the customer site. Anything that is not functioning as expected can be replaced or fixed immediately. If a router is being installed, the network technician makes sure that the router is fully configured and that the router configuration is verified. When the router is known to be configured correctly, all network cables, power cables, management cables, manufacturer documentation, manufacturer software, configuration documentation, and the special tools needed for router installation are assembled. An inventory checklist is used to verify that all necessary equipment needed to install the router is present. Usually, the network technician signs the checklist, indicating that everything has been verified. The signed and dated inventory checklist is included with the router when it is packaged for shipping to the customer premises. The router is now ready to be installed by the on-site technician.

It is important to find a time that provides the minimum amount of disruption. It may not be possible to install or upgrade network equipment during normal business hours. If the installation will cause the network to be down, the network technician, the ISP sales person, and a representative of the company prepare a router installation plan. This plan ensures that the customer experiences a minimum of disruption in service while the new equipment is installed. Additionally, the router installation plan identifies who the customer contact is and what the arrangements are for access to the site after business hours. As part of the installation plan, an installation checklist is created to ensure that equipment is installed appropriately.

5.4.1 - Installing the CPE
The diagram depicts images of the installation planning process with the customer and installation of the router following the plan.

Page 3: The on-site network technician must install the router at the customer premises using the router installation plan and checklist. When installing customer equipment, it is important to complete the job in a professional manner. This means that all network cables are labeled and fastened together or run through proper cable management equipment. Excess lengths of cable are coiled and secured out of the way. Documentation should be updated to include the current configuration of the router, and network diagrams should be updated to show the location of the equipment and cables installed.

After the router is successfully installed and tested, the network technician completes the installation checklist. The completed checklist is then verified by the customer representative. The verification of the router installation often involves demonstrating that the router is correctly configured and that services that depend on the router work as expected. When the customer representative is satisfied that the router has been correctly installed and is operational, the customer signs and dates the checklist. Sometimes there is a formal acceptance document in addition to the checklist. This procedure is often called the sign-off phase. It is critical that the customer representative signs off on the job, because the ISP can then bill the customer for the work.

5.4.1 - Installing the CPE
The diagram depicts images of the completion of the checklist and review of the installation with a customer representative. Obtaining the customer acceptance of the new equipment and approval of the installation is also depicted.

Page 4: Installation Documentation
When customer equipment is configured and installed on the customer premises, it is important to document the entire process. Documentation includes all aspects of equipment configuration, diagrams of equipment installation, and checklists to validate the correct installation. If a new configuration is needed, the documentation is compared with the previous router configuration to determine if and how the new configuration has changed. Activity logs are used to track modifications and access to equipment. Properly maintained activity logs help when troubleshooting problems.

The technician starts documenting the work during router installation. All cables and equipment are correctly labeled and indicated on a diagram to simplify future identification. The technician uses the installation and verification checklist when installing a router. This checklist displays the tasks to be completed at the customer premises. The checklist helps the network technician avoid errors and ensures that the installation is done efficiently and correctly. A copy of the final documentation is left with the customer.

5.4.1 - Installing the CPE
The diagram depicts images related to router installation documentation.

Verify Checklists: Document any installation modifications that were not part of the original installation plan. Clearly label all cables for future identification. Finally, verify the install by using the installation checklist.
Update Network Diagrams: Update any network diagrams to include any changes made during the installation. This is an example of a network diagram created using Microsoft Visio.
Prepare Activity Logs: Use activity logs to document when modifications are made so they can be used to determine if a configuration activity has contributed to a network problem.

5.4.2 Customer Connections over a WAN
Page 1: New equipment at the customer site must be connected back to the ISP to provide Internet services. When customer equipment is upgraded, it is sometimes necessary to also upgrade the type of connectivity provided by the ISP.

Wide Area Networks
When a company or organization has locations that are separated by large geographical distances, it may be necessary to use a telecommunications service provider (TSP) to interconnect the LANs at the different locations. The networks that connect LANs in geographically separated locations are referred to as wide area networks (WANs). TSPs operate large regional networks that can span long distances. Traditionally, TSPs transported voice and data communications on separate networks. Increasingly, these providers are offering converged information network services to their subscribers. Individual organizations usually lease connections through the TSP network. Although the organization maintains all the policies and administration of the LANs at both ends of the connection, the policies within the communications service provider network are controlled by the ISP.

ISPs sell various types of WAN connections to their clients. WAN connections vary in the type of connector used, in bandwidth, and in cost. As small businesses grow, they require the increased bandwidth offered by some of the more expensive WAN connections. One of the jobs at an ISP or medium-sized business is to assess what type of WAN connection is needed.

5.4.2 - Customer Connections over a WAN
The diagram depicts two LANs connected via a WAN link using CSU/DSU equipment.

Page 2: There are three types of serial WAN connections.

Point-to-Point
A point-to-point connection is a predefined communications path from the customer premises through a TSP network. It is a dedicated circuit with fixed bandwidth available at all times. Point-to-point lines are usually leased from the TSP. These lines are often called leased lines. Point-to-point connections are typically the most expensive of the WAN connection types, and are priced based on the bandwidth required and the distance between the two connected points. An example of a point-to-point WAN connection is a T1 or E1 link.

Circuit-Switched
A circuit-switched connection functions similarly to the way a phone call is made over a telephone network. When making a phone call to a friend, the caller picks up the phone, opens the circuit, and dials the number. The caller hangs up the phone when finished and closes the circuit. An example of a circuit-switched WAN connection is an ISDN or dialup connection.

Packet-Switched
In a packet-switched connection, networks have connections into the TSP switched network. Many customers share this TSP network. Instead of the circuit being physically reserved from source to destination, as in a circuit-switched network, each customer has its own virtual circuit. A virtual circuit is a logical path between the sender and receiver, not a physical path. An example of a packet-switched network is Frame Relay.

5.4.2 - Customer Connections over a WAN
The diagram depicts the following types of WAN connections: point-to-point, circuit-switched, and packet-switched.
Point-to-Point: A host is connected to a switch, which is connected to a router, which is connected to another router via a WAN link, which is connected to a switch, which is connected to a host.
Circuit-Switched: An ISDN circuit-switched network showing three customer sites connected using DCE equipment. The ISDN circuit-switched network is represented by a cloud of switches with paths (circuits) connecting the customer sites together. These circuits are established as needed and torn down when no longer needed.
Packet-Switched: Customer A, Sites 1, 2, and 3 and Customer B, Sites 1 and 2 are all connected to each other via DCE equipment. Any of these sites can communicate with any of the other sites. Paths of traffic flow may not be the same for all packets in a message. The Frame Relay network circuits are virtual and are shared with other customers.

5.4.3 Choosing a WAN Connection
Page 1: When choosing a WAN, the decision is largely dependent on the bandwidth and cost of the WAN connection. Smaller businesses are not able to afford some of the more expensive WAN connection options, such as SONET or ATM WAN connections. They usually install the less expensive DSL, cable, and T1 connections. In addition, higher bandwidth WAN connections may not be available in geographically isolated locations. If the offices supported are close to an urban center, there are more WAN choices.

Another factor that affects the decision on which WAN to choose is how the business plans to use the connection. If the business provides services over the Internet, it may require higher upstream bandwidth. For example, if a business hosts a web server for an e-commerce business, it needs enough upstream bandwidth to accommodate the number of external customers that visit its site. On the other hand, if the business uses an ISP to manage its e-commerce site, the business does not need as much upstream bandwidth.

For some businesses, the ability to get a service level agreement (SLA) with their WAN connection affects their decision. Less expensive WAN connections like dialup, DSL, and cable typically do not come with an SLA, whereas more expensive connections do.

5.4.3 - Choosing a WAN Connection
The diagram depicts a table with information about various types of WAN connections.

Connection        Bandwidth                     Cost
Dialup            Up to 56 Kbps                 Low
Frame Relay       128 Kbps - 512 Kbps           Low - Medium
DSL (note 1)      128 Kbps - 6+ Mbps            Low
Cable (note 1)    128 Kbps - 10+ Mbps           Low
Fractional T1     64 Kbps - 1.544 Mbps          Low - Medium
T1/E1             1.544/2.048 Mbps              Medium
Fractional T3     1.544 Mbps - 44.736 Mbps      Medium - High
T3/E3             44.736/34.368 Mbps            High
SONET             51.840 Mbps - 9953.280 Mbps   High - Very High
ATM               622 Mbps                      Very High

* This list is a small subset of the options available from an ISP or Telco provider. Availability varies by provider and location.
Note 1: Upstream bandwidth is typically slower than the listed downstream bandwidth.

Page 2: There are many things to consider when planning a WAN upgrade. The ISP initiates the process by analyzing the customer needs and reviewing the available options. A proposal is then generated for the customer. The proposal addresses the existing infrastructure, the customer requirements, and possible WAN options.

Existing Infrastructure
This is an explanation of the current infrastructure being used by the business. It helps the customer understand how the existing WAN connection provides services to their home or business.

Customer Requirements
This section of the proposal describes why a WAN upgrade is necessary for the customer. It outlines where the current WAN connection does not meet the customer needs. It also includes a list of requirements that the new WAN connection must meet to satisfy the current and future customer requirements.

WAN Options
This section lists all the available WAN choices, with the corresponding bandwidth, cost, and other features that are applicable for the business. The recommended choice is indicated, along with possible other options.

The WAN upgrade proposal is presented to the business decision-makers. They review the document and consider the options. When they have made their decision, the ISP works with the customer to develop a schedule and coordinate the WAN upgrade process.

5.4.3 - Choosing a WAN Connection
The diagram depicts a man explaining WAN connection options.

Page 3: Lab Activity Complete a WAN upgrade plan based on the business scenario presented. Click the lab icon to begin. 5.4.3 - Choosing a WAN Connection Link to Hands-on Lab: Planning a WAN upgrade

5.4.4 Configuring WAN Connections Page 1: How a WAN is configured depends on the type of WAN connection required. Some WAN connections support Ethernet interfaces. Other WAN connections support serial interfaces. Leased-line WAN connections typically use a serial connection, and require a channel service unit and data service unit (CSU/DSU) to attach to the ISP network. The ISP equipment needs to be configured so that it can communicate through the CSU/DSU to the customer premises.

For a serial connection, it is important to have a preconfigured clock rate that is the same on both ends of the connection. The clock rate is set by the DCE device, which is typically the CSU/DSU. The DTE device, typically the router, accepts the clock rate set by the DCE. The Cisco default serial encapsulation is HDLC. It can be changed to PPP, which provides a more flexible encapsulation and supports authentication by the remote device.

5.4.4 - Configuring WAN Connections
The diagram depicts a WAN connection between a customer ISR router and a customer CSU/DSU, and between an ISP ISR router and an ISP CSU/DSU, using PPP encapsulation. The customer Cisco ISR router connects to a customer CSU/DSU, which is connected to a WAN cloud. The WAN cloud connects to the ISP CSU/DSU, which is connected to the ISP Cisco ISR router.

Customer Cisco ISR Router
Router> enable
Router# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)# interface serial 0/0
Router(config-if)# ip address 192.168.2.125 255.255.255.0
Router(config-if)# encapsulation ppp
Router(config-if)# no shutdown

ISP Cisco ISR Router
Router> enable
Router# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)# interface serial 0/0
Router(config-if)# ip address 192.168.2.123 255.255.255.0
Router(config-if)# encapsulation ppp
Router(config-if)# no shutdown

Page 2: Packet Tracer Activity
Configure a serial WAN connection from a Cisco ISR to a CSU/DSU at an ISP. Click the Packet Tracer icon to begin.
5.4.4 - Configuring WAN Connections
Link to Packet Tracer Exploration: Configuring a PPP Connection Between a Customer and an ISP.

5.5 Initial Cisco 2960 Switch Configuration
5.5.1 Standalone Switches
Page 1: Although the integrated switch module of the 1841 ISR is adequate for connecting a small number of hosts to the LAN, it may be necessary to add larger, more capable switches to support additional users as the network grows. A switch is a device that directs a stream of messages from one port to another based on the destination MAC address within the frame. A switch cannot route traffic between two different local networks. In the context of the OSI model, a switch performs Layer 2 functions. Layer 2 is the Data Link Layer.

Several models of Ethernet switches are available to meet various user requirements. The Cisco Catalyst 2960 Series Ethernet switch is designed for the networks of medium-sized businesses and branch offices. The Catalyst 2960 Series switches are fixed-configuration, standalone devices that do not support modules or flash card slots. Because the physical configuration cannot change, fixed-configuration switches must be chosen based on the required number and type of ports. 2960 Series switches can provide 10/100 Fast Ethernet and 10/100/1000 Gigabit Ethernet connectivity. These switches use Cisco IOS software and can be configured using the GUI-based Cisco Network Assistant or through the CLI.

5.5.1 - Standalone Switches
The diagram depicts several switches and information about each.

Cisco 2960 Fast Ethernet Switch
8 Fast Ethernet ports
One dual-purpose Gigabit Ethernet uplink port
The Gigabit Ethernet uplink port can support a 10/100/1000 copper cable or a fiber-based SFP connector.
This switch does not require a fan.

Cisco 2960 Gigabit Ethernet Switch
7 Gigabit Ethernet ports
One dual-purpose Gigabit Ethernet uplink port
The Ethernet uplink port can support a 10/100/1000 copper cable or a fiber-based small form-factor pluggable (SFP) connector.
This switch does not require a fan.

Cisco Catalyst 2960-24TT: 24 10/100 ports, 2 10/100/1000 uplink ports
Cisco Catalyst 2960-24TC: 24 10/100 ports, 2 dual-purpose uplink ports
Cisco Catalyst 2960-48TT: 48 10/100 ports, 2 10/100/1000 uplink ports
Cisco Catalyst 2960-48TC: 44 10/100/1000 ports, 4 dual-purpose uplink ports
Cisco Catalyst 2960G-24TC: 24 10/100/1000 ports, 4 dual-purpose uplink ports
Cisco Catalyst 2960G-48TC: 44 10/100/1000 ports, 4 dual-purpose uplink ports

Page 2:
5.5.1 - Standalone Switches
The diagram depicts the front and rear view of a switch. Brief descriptions are given for various components of the switch.

2960 Series Switch
Cisco Catalyst 2960 Series Intelligent Ethernet Switches are suitable for small and medium-sized networks. They provide 10/100 Fast Ethernet and 10/100/1000 Gigabit Ethernet LAN connectivity.

Front View

Status LEDs
SYST LED
Shows whether the system is receiving power and is working properly.
Green: The system is working properly.
Amber: The system is receiving power but is not working properly.

RPS LED
The redundant power system (RPS) LED shows the RPS status.
Green: The RPS is connected and ready to provide back-up power, if required.
Blinking green: The RPS is connected but is unavailable because it is providing power to another device.
Amber: The RPS is in standby mode or in a fault condition.
Blinking amber: The internal power supply in the switch has failed, and the RPS is providing power to the switch.

Mode Button and Port Status LEDs
Port LEDs display information about the switch and about the individual ports.

Mode Button
The mode button is used to select one of the port modes: status mode, duplex mode, or speed mode. To select or change a mode, press the Mode button until the desired mode is highlighted. The meaning of the port LEDs depends on the port mode setting.

Port Status (STAT), the Default Port Mode
Off: No link, or port was administratively shut down.
Green: Link present.
Blinking green: Port is transmitting or receiving data.
Alternating green-amber: Link fault. Error frames can affect connectivity, and errors such as excessive collisions, CRC errors, and alignment and jabber errors are monitored for a link-fault indication.
Amber: Port is blocked by Spanning Tree Protocol (STP) and is not forwarding data.
Blinking amber: Port is blocked by STP but continues to transmit and receive inter-switch information messages.

Duplex LED
Port duplex mode (DUPLX) is either full duplex or half duplex.
Off: Port is operating in half duplex.
Green: Port is operating in full duplex.

Speed LED
SPEED mode: The operating speeds of the 10/100 ports, 10/100/1000 ports, and SFP module ports.
For 10/100 ports:
Off: Port is operating at 10 Mbps.
Green: Port is operating at 100 Mbps.
For 10/100/1000 ports:
Off: Port is operating at 10 Mbps.
Green: Port is operating at 100 Mbps.
Blinking green: Port is operating at 1000 Mbps.

10/100 and 10/100/1000 Ports
The 10/100 Ethernet ports can be set to support speeds of 10 or 100 Mbps. The 10/100/1000 ports operate at 10, 100, or 1000 Mbps.

SFP Ports
A Gigabit-capable Ethernet SFP port can be used to support fiber and copper transceiver modules. The fiber transceivers support fiber-optic cables. The copper transceivers support Category 5 cables with RJ-45 connectors. The ability to plug into the Gigabit Ethernet SFP ports allows the fiber and copper transceivers to be easily replaced in the field should a connection go bad.

Rear View
All of the Ethernet ports are located on the front of the 2960. The back of the 2960 contains the power plug, the console port, and the fan ventilation.

Console Port
Used to connect the switch to a PC by means of an RJ-45-to-DB-9 cable. Used for out-of-band management tasks.

Page 3: All switches support both half-duplex and full-duplex mode. When a port is in half-duplex mode, at any given time, it can either send or receive data but not both. When a port is in full-duplex mode, it can simultaneously send and receive data, doubling the throughput. Both the port and the connected device must be set to the same duplex mode. If they are not the same, a duplex mismatch occurs, which can lead to excessive collisions and degraded communication.

The speed and duplex can be set manually, or the switch port can use autonegotiation. Autonegotiation allows the switch to autodetect the speed and duplex of the device that is connected to the port. Autonegotiation is enabled by default on many Cisco switches. For autonegotiation to be successful, both devices must support it. If the switch is in autonegotiation mode and the connected device does not support it, the switch uses the speed of the other device (10, 100, or 1000) and is set to half-duplex mode. Defaulting to half duplex can create problems if the non-autonegotiating device is set to full duplex. If the connected device does not autonegotiate, manually configure the duplex settings on the switch to match the duplex settings on the connected device. The speed parameter can adjust itself, even if the connected port does not autonegotiate.

5.5.1 - Standalone Switches
The diagram depicts a half-duplex and a full-duplex transmission.
Half-Duplex: A server and a switch exchange information. Only one device can send at any one time.
Full-Duplex: A server and a switch exchange information. Both devices can send and receive at the same time.

Page 4: Switch settings, including the speed and duplex port parameters, can be configured using the Cisco IOS CLI. When configuring a switch using the Cisco IOS CLI, the interface and command structure is very similar to the Cisco routers. As with the Cisco routers, there is a variety of choices for the Cisco IOS image for switches. The IP-base software image is supplied with the Cisco Catalyst 2960 switch. This image provides the switch with basic switching capabilities and IP services. Other Cisco IOS software images supply additional services to the IP-base image.

5.5.1 - Standalone Switches
The diagram depicts a flowchart. IP Services provided by the IP Base image flow to Enterprise Services and Advanced IP Services, which then both flow to Advanced Enterprise Services.

5.5.2 Power Up the Cisco 2960 Switch
Page 1: Powering up a Cisco 2960 switch is similar to powering up a Cisco 1841 ISR. The three basic steps for powering up a switch are:
Step 1. Check the components.
Step 2. Connect the cables to the switch.
Step 3. Power up the switch.

When the switch is on, the power-on self-test (POST) begins. During POST, the LEDs blink while a series of tests determine that the switch is functioning properly. POST is completed when the SYST LED rapidly blinks green. If the switch fails POST, the SYST LED turns amber. When a switch fails POST, it is necessary to return the switch for repairs. When all startup procedures are finished, the Cisco 2960 switch is ready to configure.

5.5.2 - Power Up the Cisco 2960 Switch
The diagram depicts steps to power up a switch.
Step 1 - Check the Components: Ensure all the components that came with the Cisco 2960 switch are available. These include the console cable, power cord, Ethernet cable, and switch documentation.
Step 2 - Connect the Cables to the Switch: Connect the PC to the switch with a console cable and start a terminal emulation session. Connect the AC power cord to the switch and to a grounded AC outlet.
Step 3 - Power up the Switch: Some Cisco switch models do not have an on/off switch. The 2960 switch powers up as soon as the power cord is connected to the electrical power.

Page 2: Lab Activity Power up a Cisco 2960 switch. Click the lab icon to begin. 5.5.2 - Power Up the Cisco 2960 Switch Link to Hands-on Lab: Powering Up a Switch.

5.5.3 Initial Switch Configuration
Page 1: There are several ways to configure and manage a Cisco LAN switch.
• Cisco Network Assistant
• Cisco Device Manager
• Cisco IOS CLI
• CiscoView Management Software
• SNMP Network Management Products

Some of these methods use IP connectivity or a web browser to connect to the switch, which requires an IP address. Unlike router interfaces, switch ports are not assigned IP addresses. To use an IP-based management product or Telnet session to manage a Cisco switch, it is necessary to configure a management IP address on the switch. If the switch does not have an IP address, it is necessary to connect directly to the console port and use a terminal emulation program to perform configuration tasks.

5.5.3 - Initial Switch Configuration
The diagram depicts brief descriptions of various network management options.

Cisco Network Assistant
PC-based network management GUI application optimized for LANs of small and medium-sized businesses. Offers centralized management of Cisco switches through a user-friendly GUI. Used to configure and manage groups of switches or standalone switches. Available at no cost and can be downloaded from the Cisco website.

Device Manager
Web browser-based software that is stored in the switch memory. Web interface that offers quick configuration and monitoring. Used to fully configure and monitor a switch. Accessed through a web browser or by using Telnet or SSH from a remote PC.

Cisco IOS CLI
Based on Cisco IOS software and enhanced to support desktop-switching features. Used to fully configure and monitor the switch and members in a group of switches from the CLI. Accessed by connecting the PC directly to the switch console port or by using Telnet from a remote PC.

CiscoView
Displays the switch image used to set configuration parameters and to view switch status and performance information. Purchased separately; it can be a standalone application or part of a Simple Network Management Protocol (SNMP) platform.

Simple Network Management Protocol
Managed from an SNMP-compatible management station. Examples of SNMP-compatible management stations are HP OpenView or SunNet Manager. Typically utilized at large companies.

Page 2: The Cisco Catalyst 2960 switch comes preconfigured and only needs to be assigned basic security information before being connected to the network. The commands to configure the host name and passwords on the switch are the same commands used to configure the ISR. To use an IP-based management product or Telnet with a Cisco switch, configure a management IP address. To assign an address to a switch, the address must be assigned to a virtual local area network (VLAN) interface. A VLAN allows multiple physical ports to be grouped together logically. By default, there is one VLAN preconfigured in the switch, VLAN 1, that provides access to management functions.

To configure the IP address assigned to the management interface on VLAN 1, enter global configuration mode.
Switch>enable
Switch#configure terminal
Next, enter the interface configuration mode for VLAN 1.
Switch(config)#interface vlan 1
Set the IP address, subnet mask, and default gateway for the management interface. The IP address must be valid for the local network where the switch is installed.
Switch(config-if)#ip address 192.168.1.2 255.255.255.0
Switch(config-if)#exit
Switch(config)#ip default-gateway 192.168.1.1
Switch(config)#end
Save the configuration by using the copy running-config startup-config command.

5.5.3 - Initial Switch Configuration
The diagram depicts CLI commands used to configure some basic switch parameters.
Switch> enable
Switch# configure terminal
Switch(config)# interface vlan 1
Switch(config-if)# ip address 192.168.1.2 255.255.255.0
Switch(config-if)# no shutdown
Switch(config-if)# exit
Switch(config)# ip default-gateway 192.168.1.1
Switch(config)# end
Switch# copy running-config startup-config

Page 3: E-Lab Activity Configure the basic settings on a Cisco Catalyst switch. Click the lab icon to begin. 5.5.3 - Initial Switch Configuration Link to E-Lab: Configuring a Cisco 2960 Switch.

Page 4: Packet Tracer Activity
Perform a basic switch configuration. Click the Packet Tracer icon to begin.
5.5.3 - Initial Switch Configuration
Link to Packet Tracer Exploration: Performing an Initial Switch Configuration.

5.5.4 Connecting the LAN Switch to the Router
Page 1: Connect the Switch to the Network
To connect the switch to a router, use a straight-through cable. LED lights on the switch and router indicate that the connection is successful. After the switch and router are connected, determine if the two devices are able to exchange messages. First, check the IP address configuration. Use the show running-config command to verify that the IP address of the management interface on the switch VLAN 1 and the IP address of the directly connected router interface are on the same local network. Then test the connection using the ping command. From the switch, ping the IP address of the directly connected router interface. Repeat the process from the router by pinging the management interface IP address assigned to the switch VLAN 1. If the ping is not successful, verify the connections and configurations again. Check to ensure that all the cables are correct and that the connections are seated.

After the switch and router are successfully communicating, individual PCs can be connected to the switch using straight-through cables. These cables can be directly connected to the PCs, or can be used as part of the structured cabling leading to wall outlets.

5.5.4 - Connecting the LAN Switch to the Router
Hosts H1, H2, and H3 are connected to a 2960-24TT switch. The switch is connected to an 1841 router.
Link between H3 and 2960-24TT Switch: Connect PCs to the switch using a straight-through Ethernet cable.
Green Lights of 2960-24TT Switch: The port lights on the switch will blink green when the connection is up and running.
Link between 1841 and 2960-24TT Switch: Connect the router to the switch using a straight-through Ethernet cable.

Page 2: Switch ports can be an entry point to the network by unauthorized users. To prevent this, switches provide a feature called port security. Port security limits the number of valid MAC addresses allowed per port. The port does not forward packets with source MAC addresses that are outside the group of defined addresses. There are three ways to configure port security.

Static
MAC addresses are manually assigned using the switchport port-security mac-address [mac-address] interface configuration command. Static MAC addresses are stored in the address table and added to the running configuration.

Dynamic
MAC addresses are dynamically learned and stored in the address table. The number of addresses learned can be controlled. By default, the maximum number of MAC addresses learned per port is one. Addresses that are learned are cleared from the table if the port is shut down or if the switch is restarted.

Sticky
Similar to dynamic, except that the addresses are also saved to the running configuration.

Port security is disabled by default. If port security is enabled, a violation will result in the port being shut down. For example, if dynamic port security is enabled and the maximum number of MAC addresses per port is one, the first address learned becomes the secure address. If another workstation attempts to access the port with a different MAC address, a security violation occurs. There is a security violation when either of these situations occurs:
• The maximum number of secure MAC addresses has been added to the address table, and a device with a MAC address that is not in the address table attempts to access the interface.
• An address learned or configured on one secure interface is seen on another secure interface in the same VLAN.

Before port security can be activated, the port must be set to access mode with the switchport mode access command.

5.5.4 - Connecting the LAN Switch to the Router
The diagram depicts the following configuration commands for port security: configure static port security, configure dynamic port security, and configure sticky port security.

Configure Static Port Security
Cisco IOS CLI Command Syntax
Enter global configuration mode:
S1# configure terminal
Specify the type and number of the physical interface to configure, for example FastEthernet 0/18, and enter interface configuration mode:
S1(config)# interface fastEthernet 0/18
Set the interface mode to access. An interface in the dynamic desirable default mode cannot be configured as a secure port:
S1(config-if)# switchport mode access
Enable port security on the interface and configure the static secure address:
S1(config-if)# switchport port-security
S1(config-if)# switchport port-security mac-address [mac-address]
Return to privileged EXEC mode:
S1(config-if)# end

Configure Dynamic Port Security
Cisco IOS CLI Command Syntax
Enter global configuration mode:
S1# configure terminal
Specify the type and number of the physical interface to configure, for example FastEthernet 0/18, and enter interface configuration mode:
S1(config)# interface fastEthernet 0/18
Set the interface mode to access. An interface in the dynamic desirable default mode cannot be configured as a secure port:
S1(config-if)# switchport mode access
Enable port security on the interface:
S1(config-if)# switchport port-security
Return to privileged EXEC mode:
S1(config-if)# end

Configure Sticky Port Security
Enter global configuration mode:
S1# configure terminal
Specify the type and number of the physical interface to configure:
S1(config)# interface fastEthernet 0/18
Set the interface mode to access:
S1(config-if)# switchport mode access
Enable port security on the interface:
S1(config-if)# switchport port-security
Set the maximum number of secure addresses to 50:
S1(config-if)# switchport port-security maximum 50
Enable sticky learning of MAC addresses:
S1(config-if)# switchport port-security mac-address sticky
Return to privileged EXEC mode:
S1(config-if)# end

More Information Popup
Port security is similar to MAC-address filtering on the Linksys device. Only secure MAC addresses, learned dynamically or manually configured, are permitted to send and receive messages over the network.
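To make the three modes and the two violation conditions above concrete, here is an added example, not part of the course: a small Python simulation of a secure port that learns addresses, declares violations, and shows which addresses survive a reload. The class and function names are hypothetical and the MAC addresses are constructed.

```python
"""Simulation of Catalyst port-security behaviour.

Added example, not course material: a small model of how a secure port
learns MAC addresses under static, dynamic and sticky configuration, when it
declares a violation, and which addresses survive a reload. Class and
function names are hypothetical; the MAC addresses are constructed.
"""
from dataclasses import dataclass, field


@dataclass
class SecurePort:
    name: str
    vlan: int = 1
    maximum: int = 1                            # IOS default: one secure MAC
    sticky: bool = False
    static: set = field(default_factory=set)    # manually configured addresses
    learned: set = field(default_factory=set)   # dynamically or sticky learned
    violations: int = 0
    err_disabled: bool = False                  # default violation mode: shutdown

    def secure_addresses(self):
        return self.static | self.learned

    def running_config(self):
        """Interface lines as the switch would show them: sticky addresses are
        written to the running-config, dynamic ones are not."""
        lines = [f"interface {self.name}", " switchport mode access",
                 " switchport port-security",
                 f" switchport port-security maximum {self.maximum}"]
        if self.sticky:
            lines.append(" switchport port-security mac-address sticky")
            lines += [f" switchport port-security mac-address sticky {m}"
                      for m in sorted(self.learned)]
        lines += [f" switchport port-security mac-address {m}"
                  for m in sorted(self.static)]
        return lines


class Switch:
    def __init__(self, *ports):
        self.ports = {p.name: p for p in ports}

    def frame_in(self, port_name, src_mac):
        """Handle an ingress frame; returns 'forward', 'learned', 'dropped'
        (port already err-disabled) or 'violation'."""
        port = self.ports[port_name]
        if port.err_disabled:
            return "dropped"
        # Violation condition 2: the source address is already secured on
        # another secure interface in the same VLAN.
        for other in self.ports.values():
            if (other is not port and other.vlan == port.vlan
                    and src_mac in other.secure_addresses()):
                return self._violate(port)
        if src_mac in port.secure_addresses():
            return "forward"
        # Violation condition 1: the table is full and an unknown address
        # tries to use the interface.
        if len(port.secure_addresses()) >= port.maximum:
            return self._violate(port)
        port.learned.add(src_mac)
        return "learned"

    def _violate(self, port):
        port.violations += 1
        port.err_disabled = True
        return "violation"

    def reload(self, config_saved):
        """Dynamic addresses never survive a reload; sticky addresses survive
        only if the running-config was copied to startup-config first."""
        for p in self.ports.values():
            p.err_disabled = False
            if not (p.sticky and config_saved):
                p.learned.clear()


def demo():
    """Exercise all three modes; returns the switch and the list of results."""
    dynamic = SecurePort("FastEthernet0/19")                      # max 1
    sticky = SecurePort("FastEthernet0/18", sticky=True, maximum=2)
    static = SecurePort("FastEthernet0/20", static={"0000.1111.0005"})
    sw = Switch(dynamic, sticky, static)
    log = [
        sw.frame_in("FastEthernet0/19", "0000.1111.0001"),   # learned
        sw.frame_in("FastEthernet0/19", "0000.1111.0001"),   # forward
        sw.frame_in("FastEthernet0/19", "0000.1111.0002"),   # violation: table full
        sw.frame_in("FastEthernet0/19", "0000.1111.0001"),   # dropped: err-disabled
        sw.frame_in("FastEthernet0/18", "0000.1111.0003"),   # learned (sticky)
        sw.frame_in("FastEthernet0/18", "0000.1111.0004"),   # learned (sticky)
        sw.frame_in("FastEthernet0/18", "0000.1111.0005"),   # violation: secured on Fa0/20
    ]
    sw.reload(config_saved=True)   # Fa0/19 forgets 0001; Fa0/18 keeps 0003 and 0004
    return sw, log


if __name__ == "__main__":
    switch, results = demo()
    print(results)
    print("\n".join(switch.ports["FastEthernet0/18"].running_config()))
```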

Page 3: To verify port security settings for the switch or the specified interface, use the show port-security interface interface-id command. The output displays the following:
• Maximum allowed number of secure MAC addresses for each interface
• Number of secure MAC addresses on the interface
• Number of security violations that have occurred
• Violation mode

Additionally, the show port-security address command displays the secure MAC addresses for all ports, and the show port-security command displays the port security settings for the switch. If static port security or sticky port security is enabled, the show running-config command can be used to view the MAC address associated with a specific port.

There are three ways to clear a learned MAC address that is saved in the running configuration:
• Use the clear port-security sticky interface [port-number] command to clear any learned addresses. Next, shut down the port using the shutdown command. Finally, re-enable the port using the no shutdown command.
• Disable port security using the no switchport port-security interface command. Once disabled, re-enable port security.
• Reboot the switch. Rebooting the switch will only work if the running configuration is not saved to the startup configuration file.

If the running configuration is saved to the startup configuration file, the switch does not need to relearn addresses when the system reboots. However, the learned MAC address will always be associated with a particular port unless the port is cleared using the clear port-security command or by disabling port security. If this is done, be sure to re-save the running configuration to the startup configuration file to prevent the switch from reverting to the original associated MAC address upon reboot.

If there are any ports on a switch that are unused, best practice is to disable them. It is simple to disable ports on a switch. Navigate to each unused port and issue the shutdown command. If a port needs to be activated, enter the no shutdown command on that interface.

In addition to enabling port security and shutting down unused ports, other security configurations on a switch include setting passwords on vty ports, enabling login banners, and encrypting passwords with the service password-encryption command. For these configurations, use the same Cisco IOS CLI commands as those used to configure a router.

5.5.4 - Connecting the LAN Switch to the Router
The diagram depicts terminal windows that contain the output shown when verifying port security settings and verifying secure MAC addresses.

Verify Port Security Settings
Switch# show port-security interface fastEthernet 0/18
The output is available in the Hands-on Lab: Configuring the Cisco 2960 Switch.

Verify Secure MAC Addresses
Switch# show port-security address
          Secure Mac Address Table
-----------------------------------------------------------------------------
Vlan    Mac Address       Type                Ports     Remaining Age (mins)
----    -----------       ----                -----     --------------------
  99    0050.BAA6.06CE    SecureConfigured    Fa0/18
-----------------------------------------------------------------------------
Total Addresses in System (excluding one mac per port)     : 0
Max Addresses limit in System (excluding one mac per port) : 8320

Page 4: Packet Tracer Activity
Configure and connect the switch to the LAN using a configuration checklist. Click the Packet Tracer icon to begin.
5.5.4 - Connecting the LAN Switch to the Router
Link to Packet Tracer Exploration: Connecting a Switch

Page 5: Lab Activity
Configure and connect the Cisco 2960 switch. Click the lab icon to begin.
5.5.4 - Connecting the LAN Switch to the Router
Link to Hands-on Lab: Configuring the Cisco 2960 Switch

5.5.5 Cisco Discovery Protocol
Page 1:
Cisco Discovery Protocol (CDP) is an information-gathering tool used on a switch, ISR, or router to share information with other directly connected Cisco devices. By default, CDP begins running when the device boots up. It then sends periodic messages, known as CDP advertisements, onto its directly connected networks. CDP operates at Layer 2 only and can be used on many different types of local networks, including Ethernet and serial networks. Because it is a Layer 2 protocol, it can be used to determine the status of a directly connected link when no IP address has been configured, or if the IP address is incorrect. Two Cisco devices that are directly connected on the same local network are referred to as being neighbors. The concept of neighbor devices is important to understand when interpreting the output of CDP commands.

Information gathered by CDP includes:
• Device identifiers - Configured host name
• Address list - Layer 3 address, if configured
• Port identifier - Directly connected port; for example, serial 0/0/0
• Capabilities list - Function or functions provided by the device
• Platform - Hardware platform of the device; for example, Cisco 1841

The output from the show cdp neighbors and show cdp neighbors detail commands displays the information that a Cisco device collects from its directly connected neighbors. Viewing CDP information does not require logging in to the remote devices. CDP advertisements are sent unauthenticated and in cleartext to a well-known multicast address, so any host on the same segment can read them. Because CDP collects and displays a lot of information about directly connected neighbors (host name, management IP address, platform and exact IOS version), and no login is required, it is usually disabled in production networks for security purposes, at least on interfaces facing end users or untrusted networks. Additionally, CDP consumes bandwidth and can impact network performance.

5.5.5 - Cisco Discovery Protocol
The diagram depicts host H2 connected to a switch on network 172.16.1.0/24, which is connected to Fa0/0 of router R2 (172.16.1.1/24). R2 is connected via S0/0/0 (172.16.2.2/24) to S0/0/1 of router R1 (172.16.2.1/24). R1 is connected via Fa0/0 (172.16.3.1/24) to a switch, which is connected to host H1. R2 is connected via S0/0/1 (DCE, 192.168.1.2/24) to router R3 (192.168.1.1/24). R3 is connected via Fa0/0 (192.168.2.1/24) to a switch, which is connected to host H3.

Show CDP Neighbors
R3# show cdp neighbors
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
                  S - Switch, H - Host, I - IGMP, r - Repeater, P - Phone

Device ID    Local Intrfce    Holdtime    Capability    Platform      Port ID
Switch       Fas 0/0          133         S I           WS-C2950-2    Fas 0/11
R2           Ser 0/0/1        149         R S I         Cisco 1841    Ser 0/0/1

Show CDP Neighbors Detail
R3# show cdp neighbors detail
-------------------------
Device ID: R2
Entry address(es):
  IP address: 192.168.1.2
Platform: Cisco 1841,  Capabilities: Router Switch IGMP
Interface: Serial0/0/1,  Port ID (outgoing port): Serial0/0/1
Holdtime : 161 sec

Version :
Cisco IOS Software, 1841 Software (C1841-ADVIPSERVICESK9-M), Version 12.4(10b), RELEASE SOFTWARE (fc3)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2007 by Cisco Systems, Inc.
Compiled Fri 19-Jun-07 15:15 by prod_rel_team

advertisement version: 2
VTP Management Domain: ''
-------------------------
Device ID: S3
Entry address(es):
Platform: Cisco WS-C2950-24,  Capabilities: Switch IGMP
Interface: FastEthernet0/0,  Port ID (outgoing port): FastEthernet0/11
Holdtime : 148 sec

Version :
Cisco Internetwork Operating System Software
IOS (tm) C2950 Software (C2950-I6Q4L2-M), Version 12.1(9)EA1, RELEASE SOFTWARE (fc1)
Copyright (c) 1986-2002 by Cisco Systems, Inc.
Compiled Wed 24-Apr-02 06:57 by antonio

advertisement version: 2
Protocol Hello:  OUI=0x00000C, Protocol ID=0x0112; payload len=27, value=00000000FFFFFFFF010231FF000000000000000AB769F6C0FF0000
VTP Management Domain: 'CCNA3'
Duplex: full
R3#

Disabling and Enabling CDP
To disable CDP globally:
R3(config)# no cdp run
To disable CDP on a single interface only:
R3(config-if)# no cdp enable
If CDP has been disabled globally, cdp run re-enables it on all interfaces that still have it enabled; any interface on which it was also disabled individually must be re-enabled with cdp enable:
Router(config)# cdp run
Router(config-if)# cdp enable
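The detail output above is a convenient text dump of everything a neighbor is willing to tell anyone on the segment. The parser below is an added example, not part of the course or of Cisco IOS: it turns show cdp neighbors detail text into one record per neighbor and then summarizes what a passive listener has learned (host name, management address, platform, exact IOS release, and which ports face it), which is the data the advice to disable CDP is meant to keep off untrusted segments. The sample text is constructed for the example and modelled on the R3 output shown above.

```python
"""Parse `show cdp neighbors detail` output into per-neighbor records.

Added example, not part of the CCNA course material or of Cisco IOS. The
text below is a constructed sample modelled on the R3 output in this
section. Every field the parser extracts arrived in an unauthenticated,
cleartext CDP advertisement, so a host on the same segment learns the
neighbor's name, management address, platform and IOS release without
ever logging in.
"""
import re

# Constructed sample, modelled on the section's R3 output.
SAMPLE_OUTPUT = """\
-------------------------
Device ID: R2
Entry address(es):
  IP address: 192.168.1.2
Platform: Cisco 1841,  Capabilities: Router Switch IGMP
Interface: Serial0/0/1,  Port ID (outgoing port): Serial0/0/1
Holdtime : 161 sec

Version :
Cisco IOS Software, 1841 Software (C1841-ADVIPSERVICESK9-M), Version 12.4(10b), RELEASE SOFTWARE (fc3)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2007 by Cisco Systems, Inc.
Compiled Fri 19-Jun-07 15:15 by prod_rel_team

advertisement version: 2
VTP Management Domain: ''
-------------------------
Device ID: S3
Entry address(es):
Platform: Cisco WS-C2950-24,  Capabilities: Switch IGMP
Interface: FastEthernet0/0,  Port ID (outgoing port): FastEthernet0/11
Holdtime : 148 sec

Version :
Cisco Internetwork Operating System Software
IOS (tm) C2950 Software (C2950-I6Q4L2-M), Version 12.1(9)EA1, RELEASE SOFTWARE (fc1)
Copyright (c) 1986-2002 by Cisco Systems, Inc.
Compiled Wed 24-Apr-02 06:57 by antonio

advertisement version: 2
Protocol Hello:  OUI=0x00000C, Protocol ID=0x0112; payload len=27, value=00000000FFFFFFFF010231FF000000000000000AB769F6C0FF0000
VTP Management Domain: 'CCNA3'
Duplex: full
"""

DEVICE_RE = re.compile(r"^Device ID: (\S+)")
IP_RE = re.compile(r"^\s*IP address: (\S+)")
PLATFORM_RE = re.compile(r"^Platform: (.+?),\s+Capabilities: (.+)$")
INTERFACE_RE = re.compile(r"^Interface: (\S+),\s+Port ID \(outgoing port\): (\S+)")
HOLDTIME_RE = re.compile(r"^Holdtime\s*:\s*(\d+) sec")
VTP_RE = re.compile(r"^VTP Management Domain: '(.*)'")
# Matches 'Version 12.4(10b),' in the IOS banner line; the bare 'Version :'
# header and the lowercase 'advertisement version: 2' line do not match.
VERSION_RE = re.compile(r"\bVersion (\S+),")

# (regex, handler) pairs applied to each line inside a neighbor entry.
FIELD_HANDLERS = [
    (IP_RE, lambda cur, m: cur.update(ip=m.group(1))),
    (PLATFORM_RE, lambda cur, m: cur.update(platform=m.group(1), capabilities=m.group(2).split())),
    (INTERFACE_RE, lambda cur, m: cur.update(local_interface=m.group(1), remote_port=m.group(2))),
    (HOLDTIME_RE, lambda cur, m: cur.update(holdtime=int(m.group(1)))),
    (VTP_RE, lambda cur, m: cur.update(vtp_domain=m.group(1))),
]


def parse_cdp_detail(text):
    """Return a list of dicts, one per 'Device ID:' entry, in output order."""
    neighbors, cur = [], None
    for line in text.splitlines():
        m = DEVICE_RE.match(line)
        if m:
            cur = {"device_id": m.group(1), "ip": None, "platform": None,
                   "capabilities": [], "local_interface": None, "remote_port": None,
                   "holdtime": None, "ios_version": None, "vtp_domain": None}
            neighbors.append(cur)
            continue
        if cur is None:
            continue
        for regex, handler in FIELD_HANDLERS:
            m = regex.match(line)
            if m:
                handler(cur, m)
                break
        else:
            m = VERSION_RE.search(line)
            if m and cur["ios_version"] is None:  # keep the first banner version only
                cur["ios_version"] = m.group(1)
    return neighbors


def topology_edges(neighbors, local_device):
    """(local, local_if, neighbor, neighbor_port) tuples for drawing the topology."""
    return [(local_device, n["local_interface"], n["device_id"], n["remote_port"])
            for n in neighbors]


def exposure_summary(neighbors):
    """One line per neighbor listing what a passive listener learned from CDP."""
    lines = []
    for n in neighbors:
        addr = n["ip"] or "no L3 address advertised"
        lines.append(f"{n['device_id']}: {n['platform']} running IOS {n['ios_version']}, "
                     f"{addr}, roles {'/'.join(n['capabilities'])}, seen on {n['local_interface']}")
    return lines


if __name__ == "__main__":
    found = parse_cdp_detail(SAMPLE_OUTPUT)
    for edge in topology_edges(found, "R3"):
        print("link:", edge)
    for line in exposure_summary(found):
        print("learned:", line)
```

Run against output collected from each device in turn, topology_edges gives the link list the Packet Tracer activity below builds by hand. The same parser run on a capture taken from a user port, where the only "collector" is a workstation, shows exactly what leaks when CDP is left enabled there.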

Page 2: Packet Tracer Activity
Use the CDP show commands to discover information about devices in the network. Click the Packet Tracer icon to begin.
5.5.5 - Cisco Discovery Protocol
Link to Packet Tracer Exploration: Using CDP as a Network Discovery Tool

5.6 Chapter Summary
5.6.1 Summary
Page 1:

5.6.1 - Summary
Diagram 1, Image
The diagram depicts the components of a router.
Diagram 1 text
The key components on a Cisco 1841 ISR are:
HWIC slots
Compact flash module
USB port
Dual 10/100 Fast Ethernet ports
Console and auxiliary ports
System Power LED

The router bootup process has three stages:
1. Performing the POST.
2. Locating and loading the IOS software.
3. Locating and executing the startup configuration file.

There are two possible methods to connect a PC to a network device for configuration and monitoring tasks: in-band and out-of-band management.

Diagram 2, Image
The diagram depicts packaging for Cisco Router and Security Device Manager (SDM), and Cisco SDM Express software.
Diagram 2 text
Cisco Router and Security Device Manager (SDM) is a graphical user interface (GUI) tool that can be used to configure, monitor, and maintain Cisco devices. Cisco SDM is the recommended way to configure a new Cisco ISR. The Cisco IOS command line interface (CLI) is a text-based program that enables the entering and executing of Cisco IOS commands to configure, monitor, and maintain Cisco devices. The Cisco IOS CLI is used for the advanced configuration of Cisco devices and to configure older devices that do not support SDM. The configuration checklist job aid is an important tool to help ensure that the customer gets the configuration they want.

Diagram 3, Image
The diagram depicts a Cisco SDM Express Wizard form.
Diagram 3 text
SDM Express is a tool bundled within the Cisco Router and Security Device Manager that makes it easy to create a basic router configuration. SDM is a more advanced GUI with more configuration options available. Both SDM and SDM Express use GUI-based configuration wizards to simplify the configuration of Cisco devices. Some of the features that can be configured include: basic configuration, LAN IP configuration, DHCP, WAN IP configuration and NAT.

Diagram 4, Image
The diagram depicts output in an SSH HyperTerminal window.
Diagram 4 text
The CLI does not provide step-by-step configuration assistance; therefore it requires more planning and expertise to complete. The privileged EXEC, global configuration and interface modes are all used when configuring a router using the Cisco IOS CLI. Context-sensitive help can provide suggestions for completing a command as well as determining additional command parameters.

Diagram 5, Image
The diagram depicts output in an SSH HyperTerminal window.
Diagram 5 text
The IOS show commands are a fundamental tool for verifying and troubleshooting router configurations. The startup configuration file is stored on the device in NVRAM; at boot it is loaded into working memory and the device begins operating from it. The running configuration is the set of commands that is currently active in the device RAM. The IOS CLI can be used to configure basic router settings including the router name, passwords, and banners. It can also be used to configure serial and Ethernet interfaces, DHCP, and NAT.

Diagram 6, Image
The diagram depicts a WAN.
Diagram 6 text
A WAN connection is a type of network connection that can send a network signal over long distances. There are three types of serial WAN connections: point-to-point, circuit switched and packet switched. Choosing the correct WAN involves planning and consideration. Cisco devices can be configured remotely across a WAN connection using Telnet or SSH. SSH is the preferred method because Telnet sends credentials and session contents in cleartext. Some WAN connections support Ethernet interfaces. Other WAN connections support serial interfaces.

Diagram 7, Image
The diagram depicts components of a switch.
Diagram 7 text
The key components of a Cisco Catalyst 2960 Series Switch are:
24 10/100 Ethernet ports
Port status LEDs
Mode button
Console port
Dual-purpose 10/100/1000 or SFP port
Cisco IOS LAN-based software image
The 2960 supports port autonegotiation of duplex and speed.

Diagram 8, Image
The diagram depicts switch configuration information.
Diagram 8 text
When configured with an IP address, interface VLAN 1 allows you to remotely manage the switch using SSH or other TCP/IP applications such as network management software. A basic switch configuration includes the switch name and encrypted passwords used to access the switch and the Cisco CLI configuration commands. Port security limits the number of valid MAC addresses allowed per port and can be configured statically, dynamically, or dynamic sticky.

5.7 Chapter Quiz
5.7.1 Quiz
Page 1:
Take the chapter quiz to check your knowledge. Click the quiz icon to begin.

5.7.1 - Quiz
Chapter 5 Quiz: Configuring Network Devices

1. When configuring an ISR device using Cisco SDM Express Wizard, what does setting the Enable Secret Password field accomplish?
a. ensures that authorization must be granted before accessing the Internet.
b. blocks unauthorized users from accessing the LAN.
c. controls access to user executable mode.
d. controls access to privileged mode.

2. When using Cisco SDM, which WAN encapsulation type can be configured to require a username and password before a connection is granted?
a. high-level data link control (HDLC).
b. frame relay.
c. point-to-point protocol (PPP).
d. ATM PVC.

3. What speed and duplex setting will result on a Catalyst switch if it is set to auto-negotiate speed and duplex and is connected to a 100 Mbps port on a device that does not support auto-negotiation?
a. 10 half duplex
b. 10 full duplex
c. 100 half duplex
d. 100 full duplex

4. Which method can be used to configure a Cisco Catalyst switch before an IP address has been applied to the management interface?
a. Cisco IOS CLI using VLAN 1.
b. Cisco IOS CLI using console port.
c. Cisco device manager using console port.
d. CiscoView software using VLAN 1.

5. What is a secure way that a client can connect to a device in-band for the purpose of remote monitoring and administration?
a. Telnet
b. HTTP
c. SSH
d. console port

6. Which type of wide area network (WAN) connection uses packet switched networks?
a. ISDN
b. dial-up
c. frame relay
d. point-to-point

7. A small company with two offices in the same building is requesting advice on WAN connections. Which two questions would give a technician information to base a recommendation? (Choose two.)
a. What operating system is being used?
b. How much money has the customer budgeted to spend on the WAN connection?
c. What type of e-mail client software is used by the employees?
d. Are the computers laptops or workstations?
e. Are the company web servers located in the building or at the ISP?

8. What is one fundamental difference between Cisco's CLI versus the SDM interface?
a. The SDM interface can be used with both in-band and out-of-band management.
b. The CLI interface can be used with both in-band and out-of-band management.
c. The SDM interface requires a terminal emulation program on the PC.
d. The CLI interface cannot be used over a Telnet connection.

9. Which two statements describe the command history feature? (Choose two.)
a. It requires configuration of a history buffer before it can be used.
b. It displays the most recently entered command strings in the current mode.
c. It saves the output from the most recent show commands.
d. It displays the last five commands that were entered in global configuration mode.
e. It can be accessed by using the up and down arrow keys.

10. Which router mode displays a prompt of Router#?
a. global configuration mode
b. privileged EXEC mode
c. setup mode
d. user EXEC mode

11. In which two cases would out-of-band management of a router be required? (Choose two.)
a. when accessing a customer router from the ISP to monitor the normal operation.
b. to access and configure the router before the IP network is operational.
c. to correct an error that has shut down the network interfaces on a router.
d. when the NAT translation configuration settings are incorrect.
e. to back up the running configuration on a tftp server.

12. Which two statements describe the result of entering the ip route 0.0.0.0 0.0.0.0 192.168.1.1 command on a router? (Choose two.)
a. The router is not able to reach the 192.168.1.0 network.
b. All packets received by the router are sent to the address 192.168.1.1.
c. The remote network 192.168.1.0 can be reached using any interface.
d. A default static route is added to the routing table.
e. If a route to a destination network is not known, the packet is sent to 192.168.1.1.

13. Identify the category where each command belongs.
Commands:
enable
ip address 172.16.1.1 255.255.255.0
show ip route
ping
no shutdown
configure terminal
show interfaces
interface fastethernet 0/0
Categories:
a. Used to change router modes or sub-modes.
b. Used by administrator to verify or monitor router operation.
c. Affects the operation of the network.

14. What is the purpose of assigning an IP address to the interface VLAN 1 on the Cisco switch?
a. to be able to telnet to the switch to manage and configure it.
b. to enable the switch to route between networks.
c. to create a new IP local network on the switch.
d. to permit IP packets to be forwarded by the switch.

15. Match each step of the router bootup process to the correct order of operation.
Operations:
locate the IOS
load the bootstrap program
load the IOS
load the configuration file/enter setup mode
locate the configuration file
perform POST
Steps:
Step 1
Step 2
Step 3
Step 4
Step 5
Step 6
