Packet Tracer Commands - CCNA

The document provides instructions for basic router configuration including: 1) Entering configuration mode, specifying the router hostname, setting encrypted passwords, and disabling domain name lookups. 2) Configuring Ethernet and serial interfaces including setting IP addresses, enabling interfaces, and setting clock rates on serial interfaces. 3) Setting console, vty, and auxiliary line passwords, and creating login and message-of-the-day banners. 4) Assigning host names to IP addresses to allow configuration using host names instead of IP addresses.

Uploaded by Reem

Basic Router Configuration

Steps  Command  |  Purpose
Step 1  Router>enable  |  Enters privileged mode, when using the console port. If you are connecting to the router using a remote terminal, use the following:
        Router#configure terminal  |  Enters global configuration mode.
        Router(config)#
Step 2  Router(config)#hostname Router  |  Specifies the name for the router (hostname name).
Step 3  Router(config)#enable secret cr1ny5ho  |  Specifies an encrypted password to prevent unauthorized access to the router (enable secret password).
Step 4  Router(config)#no ip domain-lookup  |  Disables the router from translating unfamiliar words (typos) into IP addresses.
Step 5  Router(config)#line console 0  |  Moves to line console configuration mode.
        Router(config-line)#logging synchronous  |  Turns on synchronous logging. Information items sent to the console will not interrupt the command you are typing. The command will be moved to a new line.
Configure the Fast Ethernet Interface
Steps  Command  |  Purpose
Step 1  Router(config)#interface fastethernet 0/0  |  Enters the configuration mode for a Fast Ethernet interface on the router (interface type number).
Step 2  Router(config-if)#ip address 192.1.12.2 255.255.255.0  |  Sets the IP address and subnet mask for the specified Fast Ethernet interface.
Step 3  Router(config-if)#no shutdown  |  Enables the Ethernet interface, changing its state from administratively down to up.
Configuring a Serial Interface
Steps  Command  |  Purpose
Step 1  Router(config)#interface s0/0/0  |  Moves to serial interface 0/0/0 configuration mode.
Step 2  Router(config-if)#description Link to ISP  |  Optional descriptor of the link; locally significant.
Step 3  Router(config-if)#ip address 192.168.10.1 255.255.255.0  |  Assigns address and subnet mask to interface.
Step 4  Router(config-if)#clock rate 56000  |  Assigns a clock rate for the interface.
Step 5  Router(config-if)#no shutdown  |  Turns interface on.

TIP: The clock rate command is used only on a serial interface that has a DCE cable plugged into it. There must be a clock rate set on every serial link between routers.

The exec-timeout Command

Steps  Command  |  Purpose
Step 1  Router(config)#line console 0  |  Moves to line console configuration mode.
Step 2  Router(config-line)#exec-timeout 0 0  |  Sets the time limit after which the console automatically logs off. Setting it to 0 0 (minutes seconds) means the console never logs off.
Step 3  Router(config-line)#

TIP: The command exec-timeout 0 0 is great for a lab environment because the console never logs out. This is considered to be bad security and is dangerous in the real world. The default for the exec-timeout command is 10 minutes and zero (0) seconds (exec-timeout 10 0).

Configuring Passwords
Steps  Command  |  Purpose
Step 1  Router(config)#enable password cisco  |  Sets enable password.
Step 2  Router(config)#enable secret class  |  Sets enable secret password.
Step 3  Router(config)#line console 0  |  Enters console line mode.
        Router(config-line)#password console  |  Sets console line mode password to console.
        Router(config-line)#login  |  Enables password checking at login.
Step 4  Router(config)#line vty 0 4  |  Enters vty line mode for all five vty lines.
        Router(config-line)#password telnet  |  Sets vty password to telnet.
        Router(config-line)#login  |  Enables password checking at login.
Step 5  Router(config)#line aux 0  |  Enters auxiliary line mode.
        Router(config-line)#password auxpassword  |  Sets auxiliary line mode password to auxpassword.
        Router(config-line)#login  |  Enables password checking at login.

CAUTION: The enable secret password is encrypted by default. The enable password is not. For this reason, recommended practice is that you never use the enable password command. Use only the enable secret password command in a router or switch configuration. You cannot set both enable secret password and enable password to the same password. Doing so defeats the use of encryption.
Password Encryption
Steps  Command  |  Purpose
Step 1  Router(config)#service password-encryption  |  Applies a weak encryption to passwords.
Step 2  Router(config)#enable password cisco  |  Sets enable password to cisco.
Step 3  Router(config)#line console 0  |  Moves to console line mode.
Step 4  Router(config-line)#password Cisco  |  Continue setting passwords as above.
Step 5  Router(config)#no service password-encryption  |  Turns off password encryption.
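A defender's check of the settings covered in the exec-timeout, Configuring Passwords and Password Encryption tables above: the script parses a saved running-config and flags enable password, a missing service password-encryption, exec-timeout 0 0, lines without login, and type 7 passwords. This is an added Python example, not code from the original document; both configs it audits are constructed samples with placeholder hashes, and the high/info severity labels are this example's own.

```python
from typing import Dict, List, Tuple

# Constructed sample running-config (not captured from a real device). It mixes
# the lab-friendly settings from the tables above with the choices the CAUTION
# and TIP entries warn about: enable password, no service password-encryption,
# exec-timeout 0 0, and a line without login. Hashes are placeholders.
WEAK_CONFIG = """\
hostname Saudi
enable password cisco
enable secret 5 $1$PLACEHOLDER$hashhashhashhashhashhash
no service password-encryption
line con 0
 password class
 login
 exec-timeout 0 0
line vty 0 4
 password 7 PLACEHOLDERTYPE7
 login
line aux 0
 password auxpassword
"""

# The same box after following the recommendations: secret only, encryption on,
# every line checks a password and keeps the default 10-minute timeout.
HARDENED_CONFIG = """\
hostname Saudi
service password-encryption
enable secret 5 $1$PLACEHOLDER$hashhashhashhashhashhash
line con 0
 password 7 PLACEHOLDERTYPE7
 login
 exec-timeout 10 0
line vty 0 4
 password 7 PLACEHOLDERTYPE7
 login
 exec-timeout 10 0
line aux 0
 password 7 PLACEHOLDERTYPE7
 login
 exec-timeout 10 0
"""


def split_config(config: str) -> Tuple[List[str], Dict[str, List[str]]]:
    """Return (global commands, {line name: [its indented child commands]}).

    IOS indents the children of a 'line ...' block by one space, so the
    indentation alone recovers the structure this audit needs.
    """
    globals_: List[str] = []
    lines: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        if not raw.strip():
            continue
        if raw.startswith(" ") and current is not None:
            lines[current].append(raw.strip())
            continue
        current = None
        cmd = raw.strip()
        globals_.append(cmd)
        if cmd.startswith("line "):
            current = cmd[len("line "):]
            lines[current] = []
    return globals_, lines


def audit_config(config: str) -> List[str]:
    """One finding per weak setting, each prefixed 'high:' or 'info:'.

    An empty list means none of the checks in this example fired.
    """
    globals_, lines = split_config(config)
    findings: List[str] = []

    # The CAUTION above: enable password is clear text, enable secret is hashed.
    if any(g.startswith("enable password ") for g in globals_):
        findings.append("high: 'enable password' is stored in clear text; use 'enable secret' only")
    if not any(g.startswith("enable secret ") for g in globals_):
        findings.append("high: no 'enable secret'; privileged mode is unprotected")
    # Without service password-encryption every line password is readable in
    # show running-config ("no service password-encryption" does not match here).
    if "service password-encryption" not in globals_:
        findings.append("high: 'service password-encryption' is off; line passwords show in clear text")

    for name, children in lines.items():
        has_login = any(c == "login" or c.startswith("login ") for c in children)
        password = next((c for c in children if c.startswith("password ")), None)
        if not has_login:
            findings.append(f"high: line {name}: no 'login', so the password is never checked")
        elif "login" in children and password is None:
            findings.append(f"high: line {name}: 'login' without 'password' refuses every connection")
        if "exec-timeout 0 0" in children:
            findings.append(f"high: line {name}: 'exec-timeout 0 0' never logs the session off")
        if password is not None and password.startswith("password 7 "):
            # Type 7 is the "weak encryption" the table mentions: reversible
            # obfuscation, so it is reported as a note rather than as protection.
            findings.append(f"info: line {name}: type 7 password is reversible, not a real hash")
    return findings


if __name__ == "__main__":
    for finding in audit_config(WEAK_CONFIG):
        print(finding)
```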
Creating a Message-of-the-Day Banner
Steps  Command  |  Purpose
Step 1  Router(config)#banner motd # Building Power will be interrupted next Tuesday evening from 8 – 10 PM. #  |  # is known as a delimiting character. The delimiting character must surround the banner message and can be any character so long as it is not a character used within the body of the message.
        Router(config)#

TIP: The MOTD banner is displayed on all terminals and is useful for sending messages that affect all users. Use the no banner motd command to disable the MOTD banner. The MOTD banner displays before the login prompt and the login banner, if one has been created.

Creating a Login Banner

Steps  Command  |  Purpose
Step 1  Router(config)#banner login # Authorized Personnel Only! Please enter your username and password. #  |  # is known as a delimiting character. The delimiting character must surround the banner message and can be any character so long as it is not a character used within the body of the message.
        Router(config)#

TIP: The login banner displays before the username and password login prompts. Use the no banner login command to disable the login banner. The MOTD banner displays before the login banner.

Assigning a Local Host Name to an IP Address

Steps  Command  |  Purpose
Step 1  Router(config)#ip host london 172.16.1.3  |  Assigns a host name to the IP address. After this assignment, you can use the host name rather than an IP address when trying to Telnet or ping to that address.
Step 2  Router#ping london = Router#ping 172.16.1.3  |  Both commands execute the same objective: sending a ping to address 172.16.1.3.

TIP: The default port number in the ip host command is 23, or Telnet. If you want to Telnet to a device, just enter the IP host name itself:
Router#london = Router#telnet london = Router#telnet 172.16.1.3
Saving Configurations
Steps  Command  |  Purpose
Step 1  Router#copy running-config startup-config  |  Saves the running configuration to local NVRAM.
Step 2  Router#copy running-config tftp  |  Saves the running configuration remotely to a TFTP server.

Erasing Configurations
Steps  Command  |  Purpose
Step 1  Router#erase startup-config  |  Deletes the startup configuration file from NVRAM.

TIP: The running configuration is still in dynamic memory. Reload the router to clear the running configuration.

Show Commands
Steps  Command  |  Purpose
Step 1  Router#show ?  |  Lists all show commands available.
Step 2  Router#show running-config  |  Displays the configuration currently running in RAM.
Step 3  Router#show startup-config  |  Displays the configuration saved in NVRAM.
Step 4  Router#show interfaces  |  Displays statistics for all interfaces.
Step 5  Router#show interface serial 0/0/0  |  Displays statistics for a specific interface (in this case, serial 0/0/0).
Step 6  Router#show ip interface brief  |  Displays a summary of all interfaces, including status and IP address assigned.
Step 7  Router#show controllers serial 0/0/0  |  Displays statistics for interface hardware. Statistics display if the clock rate is set and if the cable is DCE, DTE, or not attached.
Step 8  Router#show clock  |  Displays time set on device.
Step 9  Router#show hosts  |  Displays local host-to-IP address cache. These are the names and addresses of hosts on the network to which you can connect.
Step 10  Router#show users  |  Displays all users connected to device.
Step 11  Router#show history  |  Displays the history of commands used at this edit level.
Step 12  Router#show flash  |  Displays info about flash memory.
Step 13  Router#show version  |  Displays info about loaded software version.
Step 14  Router#show arp  |  Displays the Address Resolution Protocol (ARP) table.
Step 15  Router#show protocols  |  Displays the configured routed protocols and the status of each interface.

Configuration Example: Basic Router Configuration

Steps  Command  |  Purpose
Step 1  Router>enable  |  Enters privileged mode.
Step 2  Router#clock set 18:30:00 15 May 2015  |  Sets the local time on the router.
Step 3  Router#configure terminal  |  Enters global configuration mode.
Step 4  Router(config)#hostname Saudi  |  Sets the router name to Saudi.
Step 5  Saudi(config)#no ip domain-lookup  |  Turns off name resolution on unrecognized commands (spelling mistakes).
Step 6  Saudi(config)#banner motd # This is the Boston Router. Authorized Access Only #  |  Creates an MOTD banner.
Step 7  Saudi(config)#enable secret cisco  |  Enable secret password set to cisco.
Step 8  Saudi(config)#service password-encryption  |  Passwords will be given weak encryption.
Step 9  Saudi(config)#line console 0  |  Enters line console mode.
Step 10  Saudi(config-line)#logging synchronous  |  Commands will not be interrupted by unsolicited messages.
Step 11  Saudi(config-line)#password class  |  Sets the password to class.
Step 12  Saudi(config-line)#login  |  Enables password checking at login.
Step 13  Saudi(config-line)#line vty 0 4  |  Moves to virtual Telnet lines 0 through 4.
Step 14  Saudi(config-line)#password class  |  Sets the password to class.
Step 15  Saudi(config-line)#login  |  Enables password checking at login.
Step 16  Saudi(config-line)#line aux 0  |  Moves to line auxiliary mode.
Step 17  Saudi(config-line)#password class  |  Sets the password to class.
Step 18  Saudi(config-line)#login  |  Enables password checking at login.
Step 19  Saudi(config-line)#exit  |  Moves back to global configuration mode.
Step 20  Saudi(config)#no service password-encryption  |  Turns off password encryption.
Step 21  Saudi(config)#interface fastethernet 0/0  |  Moves to interface Fast Ethernet 0/0 configuration mode.
Step 22  Saudi(config-if)#description Engineering LAN  |  Sets locally significant description of the interface.
Step 23  Saudi(config-if)#ip address 172.16.10.1 255.255.255.0  |  Assigns an IP address and subnet mask to the interface.
Step 24  Saudi(config-if)#no shutdown  |  Turns on the interface.
Step 25  Saudi(config-if)#interface serial 0/0/0  |  Moves directly to interface serial 0/0/0 configuration mode.
Step 26  Saudi(config-if)#description Link to Buffalo Router  |  Sets locally significant description of the interface.
Step 27  Saudi(config-if)#ip address 172.16.20.1 255.255.255.252  |  Assigns an IP address and subnet mask to the interface.
Step 28  Saudi(config-if)#clock rate 56000  |  Sets a clock rate for serial transmission. The DCE cable must be plugged into this interface.
Step 29  Saudi(config-if)#no shutdown  |  Turns on the interface.
Step 30  Saudi(config-if)#exit  |  Moves back to global configuration mode.
Step 31  Saudi(config)#ip host buffalo 172.16.20.2  |  Sets a local host name resolution to IP address 172.16.20.2.
Step 32  Saudi(config)#exit  |  Moves back to privileged mode.
Step 33  Saudi#copy running-config startup-config  |  Saves the running configuration to NVRAM.

Configuring a Switch

Help Commands
Steps  Command  |  Purpose
Step 1  switch>?  |  The ? works here the same as in a router.

Command Modes
Steps  Command  |  Purpose
Step 1  switch>enable  |  User mode, same as a router.
Step 2  switch#  |  Privileged mode.
Step 3  switch#disable  |  Leaves privileged mode.
Step 4  switch>exit  |  Leaves user mode.

Verifying Commands
Steps  Command  |  Purpose
Step 1  switch#show version  |  Displays information about software and hardware.
Step 2  switch#show flash:  |  Displays information about flash memory (for the 2900/2950 series only).
Step 3  switch#show mac-address-table  |  Displays the current MAC address forwarding table.
Step 4  switch#show running-config  |  Displays the current configuration in DRAM.
Step 5  switch#show startup-config  |  Displays the current configuration in NVRAM.
Step 6  switch#show post  |  Displays whether the switch passed POST.
Step 7  switch#show vlan  |  Displays the current VLAN configuration.
Step 8  switch#show interfaces  |  Displays the interface configuration and status of line: up/up, up/down, admin down.
Step 9  switch#show interface vlan1  |  Displays setting of virtual interface VLAN 1, the default VLAN on the switch.

Resetting Switch Configuration
Steps  Command  |  Purpose
Step 1  Switch#delete flash:vlan.dat  |  Removes the VLAN database from flash memory.
Step 2  Delete filename [vlan.dat]?  |  Press Enter.
Step 3  Delete flash:vlan.dat? [confirm]  |  Press Enter.
Step 4  Switch#erase startup-config  |  Erases the file from NVRAM.
Step 5  Switch#reload  |  Restarts the switch.

Setting Host Names
Steps  Command  |  Purpose
Step 1  Switch#configure terminal  |  Moves to global configuration mode.
Step 2  Switch(config)#hostname S1_PSU  |  Sets the switch name to S1_PSU.
Step 3  S1_PSU(config)#

Setting Passwords
Steps  Command  |  Purpose
Step 1  S1_PSU(config)#enable password cisco  |  Sets the enable password to cisco.
Step 2  S1_PSU(config)#enable secret class  |  Sets the encrypted secret password to class.
Step 3  S1_PSU(config)#line console 0  |  Enters line console mode.
Step 4  S1_PSU(config-line)#login  |  Enables password checking.
Step 5  S1_PSU(config-line)#password cisco  |  Sets the password to cisco.
Step 6  S1_PSU(config-line)#exit  |  Exits line console mode.
Step 7  S1_PSU(config)#line aux 0  |  Enters line auxiliary mode.
Step 8  S1_PSU(config-line)#login  |  Enables password checking.
Step 9  S1_PSU(config-line)#password cisco  |  Sets the password to cisco.
Step 10  S1_PSU(config-line)#exit  |  Exits line auxiliary mode.
Step 11  S1_PSU(config)#line vty 0 4  |  Enters line vty mode for all five virtual ports.
Step 12  S1_PSU(config-line)#login  |  Enables password checking.
Step 13  S1_PSU(config-line)#password cisco  |  Sets the password to cisco.
Step 14  S1_PSU(config-line)#exit  |  Exits line vty mode.
Step 15  S1_PSU(config)#
Setting IP Addresses and Default Gateways
Steps  Command  |  Purpose
Step 1  S1_PSU(config)#interface vlan1  |  Enters the virtual interface for VLAN 1, the default VLAN on the switch.
Step 2  S1_PSU(config-if)#ip address 172.16.10.2 255.255.255.0  |  Sets the IP address and netmask to allow for remote access to the switch.
Step 3  S1_PSU(config-if)#exit
Step 4  S1_PSU(config)#ip default-gateway 172.16.10.1  |  Allows IP information an exit past the local network.

Note: For the S1_PSU series switches, the IP address of the switch is just that—the IP address for the entire switch. That is why you set the address in VLAN 1 (the default VLAN of the switch) and not in a specific Ethernet interface.

Setting Interface Descriptions

Steps  Command  |  Purpose
Step 1  S1_PSU(config)#interface fastethernet 0/1  |  Enters interface configuration mode.
Step 2  S1_PSU(config-if)#description Finance VLAN  |  Sets a locally significant description of the interface.

Setting Duplex Operation
Steps  Command  |  Purpose
Step 1  S1_PSU(config)#interface fastethernet 0/1  |  Moves to interface configuration mode.
Step 2  S1_PSU(config-if)#duplex full  |  Forces full-duplex operation.
Step 3  S1_PSU(config-if)#duplex auto  |  Enables auto-duplex configuration.
Step 4  S1_PSU(config-if)#duplex half  |  Forces half-duplex operation.

Setting Operation Speed
Steps  Command  |  Purpose
Step 1  S1_PSU(config)#interface fastethernet 0/1  |  Moves to interface configuration mode.
Step 2  S1_PSU(config-if)#speed 10  |  Forces 10-Mbps operation.
Step 3  S1_PSU(config-if)#speed 100  |  Forces 100-Mbps operation.
Step 4  S1_PSU(config-if)#speed auto  |  Enables auto-speed configuration.

Managing the MAC Address Table
Steps  Command  |  Purpose
Step 1  switch#show mac address-table  |  Displays current MAC address forwarding table.
Step 2  switch#clear mac address-table  |  Deletes all entries from current MAC address forwarding table.
Switch Port Security
Steps  Command  |  Purpose
Step 1  Switch(config)#interface fastethernet 0/1  |  Moves to interface configuration mode.
Step 2  Switch(config-if)#switchport port-security  |  Enables port security on the interface.
Step 3  Switch(config-if)#switchport port-security maximum 4  |  Sets a maximum limit of four MAC addresses that will be allowed on this port.
Step 4  NOTE: The maximum number of secure MAC addresses that you can configure on a switch is set by the maximum number of available MAC addresses allowed in the system.
Step 5  Switch(config-if)#switchport port-security mac-address 1234.5678.90ab  |  Sets a specific secure MAC address 1234.5678.90ab. You can add additional secure MAC addresses up to the maximum value configured.
Step 6  Switch(config-if)#switchport port-security mac-address sticky  |  Converts all dynamic port-security learned MAC addresses to sticky secure MAC addresses.
Step 7  Switch(config-if)#switchport port-security violation shutdown  |  Configures port security to shut down the interface if a security violation occurs.
Step 8  NOTE: In shutdown mode, the port is errdisabled, a log entry is made, and manual intervention or errdisable recovery must be used to reenable the interface.
Step 9  Switch(config-if)#switchport port-security violation restrict  |  Configures port security to restrict mode if a security violation occurs.
Step 10  NOTE: In restrict mode, frames from a nonallowed address are dropped, and a log entry is made. The interface remains operational.
Step 11  Switch(config-if)#switchport port-security violation protect  |  Configures port security to protect mode if a security violation occurs.
Step 12  NOTE: In protect mode, frames from a nonallowed address are dropped, but no log entry is made. The interface remains operational.
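The table above gives the commands; what it does not show is how the three violation modes and sticky learning differ once frames arrive. This is an added Python model of that behaviour (not Cisco code and not a Packet Tracer feature): a port with a maximum, static and sticky secure addresses, and shutdown / restrict / protect handling. MAC addresses in the usage are constructed, and the log strings are this model's own, not IOS syslog formats.

```python
from dataclasses import dataclass, field
from typing import List


@dataclass
class SecurePort:
    """One switch port with 'switchport port-security' applied."""
    name: str
    maximum: int = 1                      # switchport port-security maximum N
    violation: str = "shutdown"           # shutdown | restrict | protect
    sticky: bool = False                  # switchport port-security mac-address sticky
    static_macs: List[str] = field(default_factory=list)   # mac-address <mac>
    learned_macs: List[str] = field(default_factory=list)  # dynamically learned
    err_disabled: bool = False
    violation_count: int = 0
    log: List[str] = field(default_factory=list)

    def __post_init__(self) -> None:
        if self.violation not in ("shutdown", "restrict", "protect"):
            raise ValueError(f"unknown violation mode {self.violation!r}")

    @property
    def secure_macs(self) -> List[str]:
        return self.static_macs + self.learned_macs

    def add_static(self, mac: str) -> None:
        """switchport port-security mac-address <mac>; bounded by maximum."""
        if mac in self.secure_macs:
            return
        if len(self.secure_macs) >= self.maximum:
            raise ValueError("maximum secure addresses already reached")
        self.static_macs.append(mac)

    def receive(self, src_mac: str) -> bool:
        """A frame with source src_mac arrives. True = forwarded, False = dropped."""
        if self.err_disabled:
            return False                  # port stays down until it is recovered
        if src_mac in self.secure_macs:
            return True
        if len(self.secure_macs) < self.maximum:
            self.learned_macs.append(src_mac)   # dynamic (or sticky) learning
            return True
        return self._violation(src_mac)

    def _violation(self, src_mac: str) -> bool:
        if self.violation == "protect":
            # Frame dropped, no log entry, interface stays up; this model also
            # keeps no counter, matching "no log entry is made" in the table.
            return False
        self.violation_count += 1
        if self.violation == "shutdown":
            # Port goes err-disabled; manual shutdown / no shutdown or errdisable
            # recovery is needed before it forwards again.
            self.err_disabled = True
            self.log.append(f"{self.name}: violation from {src_mac}, port err-disabled")
        else:  # restrict
            self.log.append(f"{self.name}: violation from {src_mac}, frame dropped")
        return False

    def recover(self) -> None:
        """Operator runs shutdown / no shutdown on the err-disabled port."""
        self.err_disabled = False

    def running_config(self) -> List[str]:
        """What show running-config would carry for this port. Sticky-learned
        addresses are written to the configuration; plain dynamic ones are not."""
        lines = [
            f"interface {self.name}",
            " switchport port-security",
            f" switchport port-security maximum {self.maximum}",
            f" switchport port-security violation {self.violation}",
        ]
        lines += [f" switchport port-security mac-address {m}" for m in self.static_macs]
        if self.sticky:
            lines.append(" switchport port-security mac-address sticky")
            lines += [f" switchport port-security mac-address sticky {m}"
                      for m in self.learned_macs]
        return lines


if __name__ == "__main__":
    # Constructed walk-through: one sticky/restrict port sees a second MAC.
    port = SecurePort("FastEthernet0/1", maximum=1, violation="restrict", sticky=True)
    port.receive("0011.2233.4455")        # learned and forwarded
    port.receive("0011.2233.4466")        # violation: dropped and logged
    print("\n".join(port.running_config()))
    print(port.log)
```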

Configuration Example: Basic Configuration of an S1_PSU Series Switch

Steps  Command  |  Purpose
Step 1  switch>enable  |  Enters privileged mode.
Step 2  switch#configure terminal  |  Enters global configuration mode.
Step 3  switch(config)#no ip domain-lookup  |  Turns off Domain Name System (DNS) queries so that spelling mistakes do not slow you down.
Step 4  Switch#configure terminal  |  Moves to global configuration mode.
Step 5  Switch(config)#hostname S1_PSU  |  Sets the switch name to S1_PSU.
Step 6  S1_PSU(config)#enable secret class  |  Sets the encrypted secret password to class.
Step 7  S1_PSU(config)#line console 0  |  Enters line console mode.
Step 8  S1_PSU(config-line)#logging synchronous  |  Appends commands to a new line; router information will not interrupt.
Step 9  S1_PSU(config-line)#login  |  Enables password checking.
Step 10  S1_PSU(config-line)#password cisco  |  Sets the password to cisco.
Step 11  S1_PSU(config-line)#exec-timeout 0 0  |  Console will never log out.
Step 12  S1_PSU(config-line)#exit  |  Exits line console mode.
Step 13  S1_PSU(config)#line aux 0  |  Enters line auxiliary mode.
Step 14  S1_PSU(config-line)#login  |  Enables password checking.
Step 15  S1_PSU(config-line)#password cisco  |  Sets the password to cisco.
Step 16  S1_PSU(config-line)#exit  |  Exits line auxiliary mode.
Step 17  S1_PSU(config)#line vty 0 15  |  Enters line vty mode for all 16 virtual ports.
Step 18  S1_PSU(config-line)#login  |  Enables password checking.
Step 19  S1_PSU(config-line)#password cisco  |  Sets the password to cisco.
Step 20  S1_PSU(config-line)#exit  |  Exits line vty mode.
Step 21  S1_PSU(config)#interface vlan1  |  Enters the virtual interface for VLAN 1, the default VLAN on the switch.
Step 22  S1_PSU(config-if)#ip address 192.168.1.2 255.255.255.0  |  Sets the IP address and netmask to allow for remote access to the switch.
Step 23  S1_PSU(config-if)#exit
Step 24  S1_PSU(config)#ip default-gateway 192.168.1.1  |  Allows IP information an exit past the local network.
Step 25  S1_PSU(config)#interface fastethernet 0/24  |  Enters interface configuration mode.
Step 26  S1_PSU(config-if)#description Link to Router  |  Sets a locally significant description of the interface.

2.2.4.9 Packet Tracer - Configuring Switch Port Security

Part 1: Configure Port Security
Steps  Command  |  Purpose
Step 1  S1(config)# interface range fa0/1 - 2  |  Access the command line for S1 and enable port security on Fast Ethernet ports 0/1 and 0/2.
Step 2  S1(config-if-range)# switchport port-security
Step 3  S1(config-if-range)# switchport port-security maximum 1  |  Set the maximum so that only one device can access the Fast Ethernet ports 0/1 and 0/2.
Step 4  S1(config-if-range)# switchport port-security mac-address sticky  |  Secure the ports so that the MAC address of a device is dynamically learned and added to the running configuration.
        S1(config-if-range)# switchport port-security violation restrict  |  Set the violation so that the Fast Ethernet ports 0/1 and 0/2 are not disabled when a violation occurs, but packets are dropped from an unknown source.
Step 5  S1(config-if-range)# interface range fa0/3 - 24 , gi0/1 - 2  |  Disable all the remaining unused ports. Hint: Use the range keyword to apply this configuration to all the ports simultaneously.
        S1(config-if-range)# shutdown

Part 2: Verify Port Security
Steps  Command  |  Purpose
Step 1  PC1 C:\> ping 10.10.10.11  |  From PC1, ping PC2.
Step 2  S1# show running-config  |  Verify port security is enabled and the MAC addresses of PC1 and PC2 were added to the running configuration.
Step 3  Attach Rogue Laptop to any unused switch port and notice that the link lights are red.
Step 4  Rogue Laptop C:\> ping 10.10.10.10  |  Enable the port and verify that Rogue Laptop can ping PC1 and PC2. After verification, shut down the port connected to Rogue Laptop.
        S1(config)# interface fa0/3
        S1(config-if)# shutdown
Step 5  Rogue Laptop C:\> ping 10.10.10.10  |  Verify that Rogue Laptop is unable to ping PC1.
        S1# show port-security interface fa0/2  |  Display the port security violations for the port Rogue Laptop is connected to.
        Disconnect Rogue Laptop and reconnect PC2.
Step 6  PC2 C:\> ping 10.10.10.10  |  Verify PC2 can ping PC1.
        S1# show running-config  |  Why is PC2 able to ping PC1, but the Rogue Laptop is not?

Configuring VLANs
Using VLAN Configuration Mode
Steps  Command  |  Purpose
Step 1  Switch(config)#vlan 10  |  Creates VLAN 10 and enters VLAN configuration mode for further definitions.
Step 2  Switch(config-vlan)#name Engineering  |  Assigns a name to the VLAN. The length of the name can be from 1 to 32 characters.
Step 3  Switch(config)#vlan 30  |  Creates VLAN 30 and enters VLAN configuration mode for further definitions.
Step 4  Switch(config-vlan)#name HR  |  Assigns a name to the VLAN. The length of the name can be from 1 to 32 characters.
Step 5  Switch(config-vlan)#exit  |  Applies changes, increases the revision number by 1, and returns to global configuration mode.

Assigning Ports to VLANs
Steps  Command  |  Purpose
Step 1  Switch(config)#interface fastethernet 0/1  |  Moves to interface configuration mode.
Step 2  Switch(config-if)#switchport mode access  |  Sets the port to access mode.
Step 3  Switch(config-if)#switchport access vlan 10  |  Assigns this port to VLAN 10.

Using the range Command
Steps  Command  |  Purpose
Step 1  Switch(config)#interface range fastethernet 0/1 - 9  |  Enables you to set the same configuration parameters on multiple ports at the same time.
Step 2  NOTE: There is a space before and after the hyphen in the interface range command.
Step 3  Switch(config-if-range)#switchport mode access  |  Sets ports 1–9 as access ports.
Step 4  Switch(config-if-range)#switchport access vlan 10  |  Assigns ports 1–9 to VLAN 10.

Verifying VLAN Information
Steps  Command  |  Purpose
Step 1  Switch#show vlan  |  Displays VLAN information.
Step 2  Switch#show vlan brief  |  Displays VLAN information in brief.
Step 3  Switch#show vlan id 2  |  Displays information about VLAN 2 only.
Step 4  Switch#show vlan name marketing  |  Displays information about the VLAN named marketing only.
Step 5  Switch#show interfaces vlan x  |  Displays interface characteristics for the specified VLAN.

Erasing VLAN Configurations

Steps  Command  |  Purpose
Step 1  Switch#delete flash:vlan.dat  |  Removes the entire VLAN database from flash.
Step 2  WARNING: Make sure there is no space between the colon (:) and the characters vlan.dat.
Step 3  Switch(config)#interface fastethernet 0/5  |  Moves to interface configuration mode.
Step 4  Switch(config-if)#no switchport access vlan 5  |  Removes port from VLAN 5 and reassigns it to VLAN 1—the default VLAN.
Step 5  Switch(config-if)#exit  |  Moves to global configuration mode.
Step 6  Switch(config)#no vlan 5  |  Removes VLAN 5 from the VLAN database.
Step 7  Switch#vlan database  |  Enters VLAN database mode.
Step 8  Switch(vlan)#no vlan 5  |  Removes VLAN 5 from the VLAN database.
Step 9  Switch(vlan)#exit  |  Applies changes, increases the revision number by 1, and exits VLAN database mode.

Configuration Example: 3.2.1.7 Packet Tracer - Configuring VLANs

Part 1: View the Default VLAN Configuration

Steps  Command  |  Purpose
Step 1  S1# show vlan brief  |  Verify the VLAN configuration. Issue the command that displays all VLANs configured. By default, all interfaces are assigned to VLAN 1.
Step 2  PC1 ping PC4  |  Verify connectivity between PCs on the same network.
Step 3  PC2 ping PC5  |  Pings to PCs in other networks fail.
Step 4  PC3 ping PC6

The primary benefits of using VLANs are as follows: security, cost reduction, higher performance, broadcast storm mitigation, improved IT staff efficiency, and simpler project and application management.

Part 2: Configure VLANs

Steps  Command  |  Purpose
Create and name VLANs on S1. Create the following VLANs. Names are case-sensitive:
Step 1  S1(config)# vlan 10
        S1(config-vlan)# name Faculty/Staff
Step 2  S1(config-vlan)# vlan 20
        S1(config-vlan)# name Students
Step 3  S1(config-vlan)# vlan 30
        S1(config-vlan)# name Guest(Default)
Step 4  S1(config-vlan)# vlan 99
        S1(config-vlan)# name Management&Native
        S1# show vlan brief  |  Verify the VLAN configuration.
Create the VLANs on S2 and S3.
Step 1  S2(config)# vlan 10                         S3(config)# vlan 10
        S2(config-vlan)# name Faculty/Staff         S3(config-vlan)# name Faculty/Staff
Step 2  S2(config-vlan)# vlan 20                    S3(config-vlan)# vlan 20
        S2(config-vlan)# name Students              S3(config-vlan)# name Students
Step 3  S2(config-vlan)# vlan 30                    S3(config-vlan)# vlan 30
        S2(config-vlan)# name Guest(Default)        S3(config-vlan)# name Guest(Default)
Step 4  S2(config-vlan)# vlan 99                    S3(config-vlan)# vlan 99
        S2(config-vlan)# name Management&Native     S3(config-vlan)# name Management&Native
        S2# show vlan brief                         S3# show vlan brief  |  Verify the VLAN configuration.

Part 3: Assign VLANs to Ports
Steps  Command  |  Purpose
Assign VLANs to the active ports on S2 and S3.
Step 1  S2(config)# interface fa0/11                S3(config)# interface fa0/11
        S2(config-if)# switchport access vlan 10    S3(config-if)# switchport access vlan 10
Step 2  S2(config-if)# interface fa0/18             S3(config-if)# interface fa0/18
        S2(config-if)# switchport access vlan 20    S3(config-if)# switchport access vlan 20
Step 3  S2(config-if)# interface fa0/6              S3(config-if)# interface fa0/6
        S2(config-if)# switchport access vlan 30    S3(config-if)# switchport access vlan 30
        S2# show vlan brief                         S3# show vlan brief  |  Verify loss of connectivity.
Verify connectivity between PCs on the same network.
Step 2  PC1 ping PC4
Step 3  PC2 ping PC5  |  All pings between PCs fail. Why?
Step 4  PC3 ping PC6
Step 22  S1_PSU#copy running-config startup-config  |  Saves the configuration in NVRAM.

VLAN Trunks and Inter-VLAN Routing (Router on a Stick)

Configuring a Trunk
Steps  Command  |  Purpose
Step 1  S1_PSU(config)#interface fastethernet 0/1  |  Moves to interface configuration mode.
Step 2  S1_PSU(config-if)#switchport mode trunk  |  Puts the interface into permanent trunking mode and negotiates to convert the link into a trunk link.
Step 3  S1_PSU(config-if)#switchport trunk native vlan 99  |  Sets the native VLAN for the 802.1Q trunk from the default value to VLAN 99.
Step 4  S1_PSU(config-if)#switchport trunk allowed vlan 15-20  |  Sets allowed VLANs for the trunk interface. The default is to allow all VLANs on the trunk interface.

Inter-VLAN Communication Using an External Router: Router-on-a-Stick

Steps  Command  |  Purpose
Step 1  Router(config)#interface fastethernet 0/0  |  Moves to interface configuration mode.
Step 2  Router(config-if)#duplex full  |  Sets the interface to full duplex.
Step 3  Router(config-if)#no shutdown  |  Enables the interface.
Step 4  Router(config-if)#interface fastethernet 0/0.1  |  Creates subinterface 0/0.1 and moves to subinterface configuration mode.
Step 5  Router(config-subif)#description Management VLAN 1  |  (Optional) Sets the locally significant description of the subinterface.
Step 6  Router(config-subif)#encapsulation dot1q 1 native  |  Assigns VLAN 1 to this subinterface. VLAN 1 will be the native VLAN. This subinterface will use the 802.1q trunking protocol.
Step 7  Router(config-subif)#ip address 192.168.1.1 255.255.255.0  |  Assigns the IP address and netmask.
Step 8  Router(config-subif)#interface fastethernet 0/0.10  |  Creates subinterface 0/0.10 and moves to subinterface configuration mode.
Step 9  Router(config-subif)#description Accounting VLAN 10  |  (Optional) Sets the locally significant description of the subinterface.
Step 10  Router(config-subif)#encapsulation dot1q 10  |  Assigns VLAN 10 to this subinterface. This subinterface will use the 802.1q trunking protocol.
Step 11  Router(config-subif)#ip address 192.168.10.1 255.255.255.0  |  Assigns the IP address and netmask.
Step 12  Router(config-subif)#exit  |  Returns to interface configuration mode.
Step 13  Router(config-if)#exit  |  Returns to global configuration mode.
Step 14  Router(config)#
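What the encapsulation dot1q steps above mean on the wire: the router reads the 802.1Q tag of each frame arriving on the physical interface and hands the frame to the subinterface bound to that VLAN ID, and untagged frames go to the native-VLAN subinterface. This is an added Python example, not Cisco code or Packet Tracer output; it builds and parses tagged Ethernet frames and models the subinterface lookup for the two subinterfaces in the table (VLAN 1 native on 0/0.1, VLAN 10 on 0/0.10). The MAC addresses and payload are constructed.

```python
import struct
from typing import Dict, Optional, Tuple

ETHERTYPE_8021Q = 0x8100   # TPID that announces a VLAN tag follows
ETHERTYPE_IPV4 = 0x0800


def build_frame(dst: bytes, src: bytes, payload: bytes,
                vlan: Optional[int] = None,
                ethertype: int = ETHERTYPE_IPV4) -> bytes:
    """Ethernet II frame. With vlan set, insert TPID + TCI (PCP 0, DEI 0, VID)
    between the source MAC and the EtherType, as a trunk port would."""
    if len(dst) != 6 or len(src) != 6:
        raise ValueError("MAC addresses must be 6 bytes")
    header = dst + src
    if vlan is not None:
        if not 1 <= vlan <= 4094:
            raise ValueError("VID must be 1..4094")
        header += struct.pack("!HH", ETHERTYPE_8021Q, vlan & 0x0FFF)
    return header + struct.pack("!H", ethertype) + payload


def parse_frame(frame: bytes) -> Tuple[bytes, bytes, Optional[int], int, bytes]:
    """Return (dst, src, vid or None when untagged, ethertype, payload)."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src = frame[:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    vid, offset = None, 14
    if ethertype == ETHERTYPE_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vid, offset = tci & 0x0FFF, 18      # low 12 bits of the TCI are the VID
    return dst, src, vid, ethertype, frame[offset:]


class RouterOnAStick:
    """Subinterface table built from 'encapsulation dot1q <vid> [native]'."""

    def __init__(self) -> None:
        self.subifs: Dict[int, str] = {}     # VID -> subinterface name
        self.native_vid: Optional[int] = None

    def encapsulation_dot1q(self, subif: str, vid: int, native: bool = False) -> None:
        if vid in self.subifs:
            raise ValueError(f"VLAN {vid} already bound to {self.subifs[vid]}")
        self.subifs[vid] = subif
        if native:
            self.native_vid = vid

    def classify(self, frame: bytes) -> Optional[str]:
        """Subinterface that receives this frame, or None when no subinterface
        is configured for its VLAN (the router drops it). Untagged frames
        belong to the native VLAN, which is why the native VLAN must agree on
        the switch trunk and on the router subinterface."""
        _, _, vid, _, _ = parse_frame(frame)
        if vid is None:
            vid = self.native_vid
        if vid is None:
            return None
        return self.subifs.get(vid)


def configure_from_table() -> RouterOnAStick:
    """The two subinterfaces from the table above (VLAN 1 native, VLAN 10)."""
    router = RouterOnAStick()
    router.encapsulation_dot1q("FastEthernet0/0.1", 1, native=True)
    router.encapsulation_dot1q("FastEthernet0/0.10", 10)
    return router


if __name__ == "__main__":
    pc, rtr = bytes.fromhex("0011223344aa"), bytes.fromhex("0011223344bb")  # constructed
    r = configure_from_table()
    for vid in (10, None, 20):
        print(vid, "->", r.classify(build_frame(rtr, pc, b"icmp", vlan=vid)))
```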

Configuration Example:Packet Tracer 5.1.3.6 Inter-VLAN - Router-on-a-Stick


Part 1: Test Connectivity Without Inter-VLAN Routing
Steps Command Purpose
Step 1 Ping between PC1 and PC3. PCs are on separate networks and R1 is not configured, the ping fails.
Step 2 Switch to Simulation mode to monitor pings. Switch to Simulation mode by clicking the Simulation tab or pressing Shift+S.
Click Capture/Forward to see the steps the ping takes between
Step 3 Notice how the ping never leaves PC1.
PC1 and PC3.
Part 2: Add VLANs to a Switch
Steps Command Purpose
Step 1 Create VLANs on S1.
S1(config)# vlan 10 Return to Realtime mode and create VLAN 10 and VLAN 30 on S1.
S1(config-vlan)# vlan 30
Step 2 Assign VLANs to ports.
S1(config-vlan)# int fa0/11 Configure interface F0/6 and F0/11 as access ports and assign VLANs
S1(config-if)# switchport mode access
S1(config-if)# switchport access vlan 10
S1(config-if)# int fa0/6
S1(config-if)# switchport mode access
S1(config-if)# switchport access vlan 30
S1# show vlan brief Issue the show vlan brief command to verify VLAN configuration.
Step 3 Test connectivity between PC1 and PC3.
From PC1, ping PC3. The pings should still fail.
Why ? Each VLAN is a separate network and requires a router or a layer 3 switch to provide communication between them.
Part 3: Configure Subinterfaces
Step 1 Configure subinterfaces on R1 using 802.1Q encapsulation.
R1(config)# int g0/0.10 Create the subinterface G0/0.10. Set the encapsulation type to 802.1Q and assign VLAN 10 to the subinterface. Refer to the Address Table and assign the correct IP address to the subinterface.
R1(config-subif)# encapsulation dot1Q 10
R1(config-subif)# ip address 172.17.10.1 255.255.255.0
R1(config-subif)# int g0/0.30 Repeat for the G0/0.30 subinterface.
R1(config-subif)# encapsulation dot1Q 30
R1(config-subif)# ip address 172.17.30.1 255.255.255.0
Step 2 Verify the configuration.
Use the show ip interface brief command. Enable the G0/0 interface and verify that the subinterfaces are now active.
Part 4: Test Connectivity with Inter-VLAN Routing
Step 1 Ping between PC1 and PC3.
From PC1, ping PC3. The pings should still fail.
Step 2 Enable trunking.
On S1, issue the show vlan command. What VLAN is G0/1 assigned to? VLAN 1
Because the router was configured with multiple subinterfaces assigned to different VLANs, the switch port connecting to the router must be configured as a trunk. Enable trunking on interface G0/1.
S1(config-if)# int g0/1
S1(config-if)# switchport mode trunk

Issue the show interface trunk command to verify that the interface is configured as a trunk.

Step 3 Switch to Simulation mode to monitor pings.
Switch to Simulation mode by clicking the Simulation tab or pressing Shift+S. Ping between PC1 and PC3 and click Capture/Forward.
You should see ARP requests and replies between S1 and R1, then ARP requests and replies between R1 and S3. PC1 can then encapsulate an ICMP echo request with the proper data-link layer information, and R1 will route the request to PC3.
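As an added illustration (Python written for this page, not part of the Packet Tracer lab), the following parses an 802.1Q tag off an Ethernet frame and maps the VLAN ID to the subinterface configured in Part 3. An untagged frame belongs to the trunk's native VLAN (VLAN 1 here), for which R1 has no subinterface, which is why a switch port left in access mode on VLAN 1 never delivers VLAN 10 or VLAN 30 traffic to G0/0.10 or G0/0.30. The MAC addresses and payload are constructed sample data.

```python
import struct
from dataclasses import dataclass
from typing import Optional, Tuple

# Router-on-a-stick subinterfaces from Part 3 of the lab: VLAN ID -> (subinterface, gateway address).
SUBINTERFACES = {
    10: ("G0/0.10", "172.17.10.1"),
    30: ("G0/0.30", "172.17.30.1"),
}

ETHERTYPE_8021Q = 0x8100   # TPID that marks an 802.1Q-tagged frame
ETHERTYPE_IPV4 = 0x0800


@dataclass
class Frame:
    dst_mac: str
    src_mac: str
    vlan_id: Optional[int]    # None when the frame carries no 802.1Q tag (untagged / native VLAN)
    ethertype: int            # EtherType of the payload that follows the header(s)
    payload: bytes


def _mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def parse_ethernet(raw: bytes) -> Frame:
    """Parse an Ethernet II header and, if present, a single 802.1Q tag.

    The 4-byte tag sits between the source MAC and the EtherType:
    TPID (0x8100) | TCI = PCP (3 bits) + DEI (1 bit) + VLAN ID (12 bits).
    """
    if len(raw) < 14:
        raise ValueError("frame too short for an Ethernet header")
    dst, src, ethertype = struct.unpack("!6s6sH", raw[:14])
    offset, vlan_id = 14, None
    if ethertype == ETHERTYPE_8021Q:
        if len(raw) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", raw[14:18])
        vlan_id = tci & 0x0FFF          # low 12 bits; PCP/DEI occupy the top 4 bits
        offset = 18
    return Frame(_mac_str(dst), _mac_str(src), vlan_id, ethertype, raw[offset:])


def select_subinterface(frame: Frame, native_vlan: int = 1) -> Optional[Tuple[str, str]]:
    """Which subinterface on R1's trunk receives this frame.

    An untagged frame belongs to the trunk's native VLAN (VLAN 1 by default);
    no subinterface exists for it here, so the result is None.
    """
    vid = frame.vlan_id if frame.vlan_id is not None else native_vlan
    return SUBINTERFACES.get(vid)


def build_frame(dst_mac: str, src_mac: str, payload: bytes,
                vlan_id: Optional[int] = None, pcp: int = 0) -> bytes:
    """Construct a test frame (a helper for this example, not anything a switch does)."""
    header = bytes.fromhex(dst_mac.replace(":", "")) + bytes.fromhex(src_mac.replace(":", ""))
    if vlan_id is not None:
        tci = (pcp << 13) | (vlan_id & 0x0FFF)
        header += struct.pack("!HHH", ETHERTYPE_8021Q, tci, ETHERTYPE_IPV4)
    else:
        header += struct.pack("!H", ETHERTYPE_IPV4)
    return header + payload


if __name__ == "__main__":
    # Constructed sample: PC1's frame as tagged by S1's trunk port, and the same frame untagged.
    payload = bytes(20)  # stand-in for an IPv4 header
    tagged = parse_ethernet(build_frame("00:00:0c:aa:bb:cc", "00:11:22:33:44:55", payload, vlan_id=10))
    untagged = parse_ethernet(build_frame("00:00:0c:aa:bb:cc", "00:11:22:33:44:55", payload))
    print("tagged   ->", tagged.vlan_id, select_subinterface(tagged))      # 10 ('G0/0.10', '172.17.10.1')
    print("untagged ->", untagged.vlan_id, select_subinterface(untagged))  # None None
```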

Configuring Single Area OSPF


Configuring OSPF
Steps Command Purpose
Step 1 Router(config)#router ospf 123 Starts OSPF process 123. The process ID is any positive integer value between 1 and 65,535. The process ID is not related to the OSPF area. The process ID merely distinguishes one process from another within the device.
Step 2 Router(config-router)#network 172.16.10.0 0.0.0.255 area 0 OSPF advertises interfaces, not networks. Uses the wildcard mask to determine which interfaces to advertise. Read this line to say “Any interface with an address of 172.16.10.x is to be put into area 0.”
Step 3 NOTE: The process ID number of one router does not have to match the process ID of any other router. Unlike Enhanced Interior Gateway Routing Protocol (EIGRP), matching this number across all routers does not ensure that network adjacencies will form.

Loopback Interfaces
Steps Command Purpose
Step 1 Router(config)#interface loopback 0 Creates a virtual interface named loopback 0, and then moves the router to interface configuration mode.

Step 2 Router(config-if)#ip address 192.168.100.1 255.255.255.255 Assigns the IP address to the interface.

Step 3 NOTE: Loopback interfaces are always “up and up” and do not go down unless manually shut down. This makes loopback interfaces great for use as OSPF router IDs.

Router ID
Steps Command Purpose
Step 1 Router(config)#router ospf 1 Starts OSPF process 1.
Step 2 Router(config-router)#router-id 10.1.1.1 Sets the router ID to 10.1.1.1. If this command is used on an OSPF router process that is already active (has neighbors), the new router ID is used at the next reload or at a manual OSPF process restart.
Step 3 Router(config-router)#no router-id 10.1.1.1 Removes the static router ID from the configuration. If this command is used on an OSPF router process that is already active (has neighbors), the old router ID behavior is used at the next reload or at a manual OSPF process restart.

DR/BDR Elections
Steps Command Purpose
Step 1 Router(config)#interface serial 0/0 Changes the router to interface configuration mode.
Step 2 Router(config-if)#ip ospf priority 50 Changes the OSPF interface priority to 50.
Step 3 NOTE: The assigned priority can be between 0 and 255. A priority of 0 makes the router ineligible to become a designated router (DR) or backup designated router (BDR). The highest priority wins the election. A priority of 255 guarantees a tie in the election. If all routers have the same priority, regardless of the priority number, they tie. Ties are broken by the highest router ID.
Modifying Cost Metrics
Steps Command Purpose
Step 1 Router(config)#interface serial 0/0 Changes the router to interface configuration mode.
Step 2 Router(config-if)#bandwidth 128 If you change the bandwidth, OSPF recalculates the cost of the link.
Step 3 or
Step 4 Router(config-if)#ip ospf cost 1564 Changes the cost to a value of 1564.
Step 5 NOTE: The cost of a link is determined by dividing the reference bandwidth by the interface bandwidth. The bandwidth of the interface is a number between 1 and 10,000,000. The unit of measurement is kilobits. The cost is a number between 1 and 65,535. The cost has no unit of measurement; it is just a number.
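An added example (Python, not from the command guide) that works through the two rules stated in the DR/BDR and cost tables above: the election with priority 0 routers excluded and equal priorities broken by the highest router ID, and cost = reference bandwidth / interface bandwidth. The reference bandwidth of 100,000 kb/s is the Cisco IOS default and is an assumption of the example; the tables do not state it.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class OspfRouter:
    router_id: str      # dotted-decimal router ID, e.g. "10.1.1.1"
    priority: int = 1   # ip ospf priority; the Cisco IOS default is 1


def router_id_value(router_id: str) -> int:
    """Router IDs compare as 32-bit numbers, not as strings ("10.1.1.1" < "192.168.1.1")."""
    octets = [int(x) for x in router_id.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"bad router ID {router_id!r}")
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]


def elect_dr_bdr(routers: List[OspfRouter]) -> Tuple[Optional[OspfRouter], Optional[OspfRouter]]:
    """DR/BDR election on a multi-access segment when all routers start at the same time.

    Priority 0 makes a router ineligible, the highest priority wins, and equal
    priorities are broken by the highest router ID. (A DR already in place is not
    pre-empted by a router that appears later with a higher priority; that
    steady-state rule is outside this example.)
    """
    for r in routers:
        if not 0 <= r.priority <= 255:
            raise ValueError(f"priority {r.priority} out of range 0-255")
    eligible = sorted(
        (r for r in routers if r.priority > 0),
        key=lambda r: (r.priority, router_id_value(r.router_id)),
        reverse=True,
    )
    dr = eligible[0] if eligible else None
    bdr = eligible[1] if len(eligible) > 1 else None
    return dr, bdr


def ospf_cost(bandwidth_kbps: int, reference_bandwidth_kbps: int = 100_000) -> int:
    """cost = reference bandwidth / interface bandwidth (IOS default reference: 100 Mb/s).

    bandwidth is in kilobits (1..10,000,000); the result is an integer clamped to
    1..65,535, which is why every link of 100 Mb/s or faster costs 1 unless the
    reference bandwidth is raised.
    """
    if not 1 <= bandwidth_kbps <= 10_000_000:
        raise ValueError("bandwidth must be between 1 and 10,000,000 kilobits")
    cost = reference_bandwidth_kbps // bandwidth_kbps
    return max(1, min(cost, 65_535))


if __name__ == "__main__":
    # Constructed segment: two routers at priority 50 (as in the table), one ineligible, one default.
    segment = [
        OspfRouter("10.1.1.1", priority=50),
        OspfRouter("10.1.1.2", priority=50),   # same priority: the higher router ID wins
        OspfRouter("172.16.0.1", priority=0),  # ineligible
        OspfRouter("192.168.1.1"),             # default priority 1
    ]
    dr, bdr = elect_dr_bdr(segment)
    print("DR:", dr.router_id, "BDR:", bdr.router_id)       # DR: 10.1.1.2 BDR: 10.1.1.1
    print("cost after 'bandwidth 128':", ospf_cost(128))    # 781
```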

Timers
Steps Command Purpose
Step 1 Router(config-if)#ip ospf hello-interval 20 Changes the Hello Interval timer to 20 seconds.
Step 2 Router(config-if)#ip ospf dead-interval 80 Changes the Dead Interval timer to 80 seconds.

Step 3 NOTE: Hello and Dead Interval timers must match for routers to become neighbors.

Propagating a Default Route


Steps Command Purpose
Step 1 Router(config)#ip route 0.0.0.0 0.0.0.0 s0/0 Creates a default route.
Step 2 Router(config)#router ospf 1 Starts OSPF process 1.
Step 3 Router(config-router)#default-information originate Sets the default route to be propagated to all OSPF routers.
Verifying OSPF Configuration
Steps Command Purpose
Step 1 Router#show ip protocol Displays parameters for all protocols running on the router
Step 2 Router#show ip route Displays a complete IP routing table
Step 3 Router#show ip ospf Displays basic information about OSPF routing processes
Step 4 Router#show ip ospf interface Displays OSPF info as it relates to all interfaces
Step 5 Router#show ip ospf interface fastethernet 0/0 Displays OSPF information for interface fastethernet 0/0
Step 6 Router#show ip ospf neighbor Lists all OSPF neighbors and their states
Step 7 Router#show ip ospf neighbor detail Displays a detailed list of neighbors
Step 8 Router#show ip ospf database Displays contents of the OSPF database

Configuration Example: 8.2.2.7 Packet Tracer - Configuring OSPFv2 in a Single Area


Part 1: Configure OSPFv2 Routing
Steps Command Purpose
Step 1 Configure OSPF on the routers.
a. Configure OSPF on R1.
R1(config)# router ospf 10 Starts OSPF process 10.
R1(config-router)# router-id 1.1.1.1 Sets the router ID to 1.1.1.1.
R1(config-router)# network 172.16.1.0 0.0.0.255 area 0 Any interface with an address of 172.16.1.x is to be put into area 0.
R1(config-router)# network 172.16.3.0 0.0.0.3 area 0 Any interface with an address in 172.16.3.0 to 172.16.3.3 is to be put into area 0.
R1(config-router)# network 192.168.10.4 0.0.0.3 area 0 Any interface with an address in 192.168.10.4 to 192.168.10.7 is to be put into area 0.
R1(config-router)# passive-interface GigabitEthernet0/0 Suppresses OSPF Hello packets on the LAN-facing interface; its network is still advertised.
b. Configure OSPF on R2.
R2(config)# router ospf 10 Starts OSPF process 10.
R2(config-router)# router-id 2.2.2.2 Sets the router ID to 2.2.2.2.
R2(config-router)# network 172.16.2.0 0.0.0.255 area 0 Any interface with an address of 172.16.2.x is to be put into area 0.
R2(config-router)# network 172.16.3.0 0.0.0.3 area 0 Any interface with an address in 172.16.3.0 to 172.16.3.3 is to be put into area 0.
R2(config-router)# network 192.168.10.8 0.0.0.3 area 0 Any interface with an address in 192.168.10.8 to 192.168.10.11 is to be put into area 0.
R2(config-router)# passive-interface GigabitEthernet0/0 Suppresses OSPF Hello packets on the LAN-facing interface; its network is still advertised.
c. Configure OSPF on R3.
R3(config)# router ospf 10 Starts OSPF process 10.
R3(config-router)# router-id 1.1.1.1 Sets the router ID to 1.1.1.1.
R3(config-router)# network 172.16.1.0 0.0.0.255 area 0 Any interface with an address of 172.16.1.x is to be put into area 0.
R3(config-router)# network 172.16.3.0 0.0.0.3 area 0 Any interface with an address in 172.16.3.0 to 172.16.3.3 is to be put into area 0.
R3(config-router)# network 192.168.10.4 0.0.0.3 area 0 Any interface with an address in 192.168.10.4 to 192.168.10.7 is to be put into area 0.
R3(config-router)# passive-interface GigabitEthernet0/0 Suppresses OSPF Hello packets on the LAN-facing interface; its network is still advertised.
Step 2 Verify that OSPF routing is operational.
R1#show ip route On each router, the routing table should now have a route to every network in the topology.
R2#show ip route
R3#show ip route
Part 2: Verify the Configurations
Steps Command Purpose
Step 1 Each PC should be able to ping the other two PCs. If not, check your configurations.

IP Access Control List Security


Creating Standard ACLs
Steps Command Purpose
Step 1 Router(config)#access-list 10 permit 172.16.0.0 0.0.255.255 Read this line to say, “All packets with a source IP address of 172.16.x.x will be permitted to continue through the internetwork.”
Step 2 access-list ACL command.
Step 3 10 Arbitrary number between 1 and 99, or 1300 and 1999, designating this as a standard IP ACL.
Step 4 permit Packets that match this statement will be allowed to continue.
Step 5 172.16.0.0 Source IP address to be compared to.
Step 6 0.0.255.255 Wildcard mask.
Step 7 Router(config)#access-list 10 deny host 172.17.0.1 Read this line to say, “All packets with a source IP address of 172.17.0.1 will be dropped and discarded.”
Step 8 access-list ACL command.
Step 9 10 Arbitrary number between 1 and 99, or 1300 and 1999, designating this as a standard IP ACL.
Step 10 deny Packets that match this statement will be dropped and discarded.
Step 11 host Keyword.
Step 12 172.17.0.1 Specific host address.
Step 13 Router(config)#access-list 10 permit any Read this line to say, “All packets with any source IP address will be permitted to continue through the internetwork.”
Step 14 access-list ACL command.
Step 15 10 Arbitrary number between 1 and 99, or 1300 and 1999, designating this as a standard IP ACL.
Step 16 permit Packets that match this statement will be allowed to continue.
Step 17 any Keyword to mean all IP addresses.
Step 18 TIP: An implicit deny statement is hard-coded into every ACL. You cannot see it, but it states “deny everything not already permitted.” This is always the last line of any ACL. If you want to defeat this implicit deny, put a permit any statement in your standard ACLs or permit ip any any in your extended ACLs as the last line.

Applying Standard ACLs to an Interface


Steps Command Purpose
Step 1 Router(config)#interface fastethernet 0/0 Moves to interface configuration mode.
Step 2 Router(config-if)#ip access-group 10 in ACL command.
Step 3 TIP: Access lists can be applied in either an inbound direction (keyword in) or in an outbound direction (keyword out).

Step 4 TIP: Apply a standard ACL as close as possible to the destination network or device.

Verifying ACLs
Steps Command Purpose
Step 1 Router#show ip interface Displays any ACLs applied to that interface
Step 2 Router#show access-lists Displays the contents of all ACLs on the router
Step 3 Router#show access-list access-list-number Displays the contents of the ACL by the number specified
Step 4 Router#show access-list name Displays the contents of the ACL by the name specified
Step 5 Router#show run Displays all ACLs and interface assignments
Removing ACLs
Steps Command Purpose
Step 1 Router(config)#no access-list 10 Removes all ACLs numbered 10
Creating Extended ACLs
Steps Command Purpose
Step 1 Router(config)#access-list 110 permit tcp 172.16.0.0 0.0.0.255 192.168.100.0 0.0.0.255 eq 80 Read this line to say, “HTTP packets with a source IP address of 172.16.0.x will be permitted to travel to the destination address 192.168.100.x.”
Step 2 access-list ACL command.
Step 3 110 Number is between 100 and 199, or 2000 and 2699, designating this as an extended IP ACL.
Step 4 permit Packets that match this statement will be allowed to continue.
Step 5 tcp Protocol must be TCP.
Step 6 172.16.0.0 Source IP address to be compared to.
Step 7 0.0.0.255 Wildcard mask for the source IP address.
Step 8 192.168.100.0 Destination IP address to be compared to.
Step 9 0.0.0.255 Wildcard mask for the destination IP address.
Step 10 eq Operand, means “equal to.”
Step 11 80 Port 80, indicating HTTP traffic.
Step 12 Router(config)#access-list 110 deny tcp any 192.168.100.7 0.0.0.0 eq 23 Read this line to say, “Telnet packets with any source IP address will be dropped if they are addressed to specific host 192.168.100.7.”
Step 13 access-list ACL command.
Step 14 110 Number is between 100 and 199, or 2000 and 2699, designating this as an extended IP ACL.
Step 15 tcp Protocol must be TCP.
Step 16 any Any source IP address.
Step 17 192.168.100.7 Destination IP address to be compared to.
Step 18 0.0.0.0 Wildcard mask; address must match exactly.
Step 19 eq Operand, means “equal to.”
Step 20 23 Port 23, indicating Telnet traffic.
Applying Extended ACLs to an Interface
Steps Command Purpose
Step 1 Router(config)#interface fastethernet 0/0 Moves to interface configuration mode.
Step 2 Router(config-if)#ip access-group 110 out Takes all access list lines that are defined as being part of group 110 and applies them in an outbound manner. Packets going out fastethernet 0/0 will be checked.

TIP: Access lists can be applied in either an inbound direction (keyword in) or in an outbound direction (keyword out).

TIP: Only one access list can be applied per interface, per direction.

TIP: Apply an extended ACL as close as possible to the source network or device.

Creating Named ACLs


Steps Command Purpose
Step 1 Router(config)#ip access-list extended serveraccess Creates an extended named ACL called serveraccess and moves to named ACL configuration mode.
Step 2 Router(config-ext-nacl)#permit tcp any host 131.108.101.99 eq smtp Permits mail packets from any source to reach host 131.108.101.99.
Step 3 Router(config-ext-nacl)#permit udp any host 131.108.101.99 eq domain Permits Domain Name System (DNS) packets from any source to reach host 131.108.101.99.
Step 4 Router(config-ext-nacl)#deny ip any any log Denies all other packets from going anywhere. If any packets do get denied, this logs the results for you to look at later.
Step 5 Router(config-ext-nacl)#exit Returns to global configuration mode.
Step 6 Router(config)#interface fastethernet 0/0 Moves to interface configuration mode.
Router(config-if)#ip access-group serveraccess out Applies this ACL to the fastethernet interface 0/0 in an outbound direction.
Using Sequence Numbers in Named ACLs
Steps Command Purpose
Step 1 Router(config)#ip access-list extended serveraccess2 Creates an extended named ACL called serveraccess2.
Step 2 Router(config-ext-nacl)#10 permit tcp any host 131.108.101.99 eq smtp Uses a sequence number of 10 for this line.
Step 3 Router(config-ext-nacl)#20 permit udp any host 131.108.101.99 eq domain Sequence number 20 will be applied after line 10.
Step 4 Router(config-ext-nacl)#30 deny ip any any log Sequence number 30 will be applied after line 20.
Step 5 Router(config-ext-nacl)#exit Returns to global configuration mode.
Step 6 Router(config)#interface fastethernet 0/0 Moves to interface configuration mode.
Step 7 Router(config-if)#ip access-group serveraccess2 out Applies this ACL in an outbound direction.
Step 8 Router(config-if)#exit Returns to global configuration mode.
Step 9 Router(config)#ip access-list extended serveraccess2 Moves to named ACL configuration mode for the ACL serveraccess2.
Step 10 Router(config-ext-nacl)#25 permit tcp any host 131.108.101.99 eq ftp Sequence number 25 places this line after line 20 and before line 30.
Step 11 Router(config-ext-nacl)#exit Returns to global configuration mode.

Step 12 TIP: Sequence numbers are used to allow for easier editing of your ACLs. The preceding example used numbers 10, 20, and 30 in the ACL lines. If you had needed to add another line to this ACL, it would previously have been added after the last line, line 30. If you had needed a line to go closer to the top, you would have had to remove the entire ACL and then reapply it with the lines in the correct order. Now you can enter a new line with a sequence number, placing it in the correct location.

Step 13 NOTE: The sequence-number argument was added in Cisco IOS Software Release 12.2(14)S. It was integrated into Cisco IOS Software Release 12.2(15)T.
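An added example, written for this page and not part of the command guide, that evaluates packets against the serveraccess2 ACL from the sequence-number section and against standard ACL 10 from “Creating Standard ACLs”: wildcard matching, first-match ordering, the implicit deny, the log keyword, and inserting line 25 between lines 20 and 30. The packets are constructed sample data; ports 25, 53 and 21 are the well-known ports behind the smtp, domain and ftp keywords.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard mask: a 0 bit must match, a 1 bit is 'don't care'.
    'host X' is X 0.0.0.0 and 'any' is 0.0.0.0 255.255.255.255."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(base)) & care)


@dataclass
class Ace:
    """One access control entry; a standard ACL uses only action, src and src_wc."""
    seq: int
    action: str                       # "permit" or "deny"
    protocol: str = "ip"              # ip (matches everything), tcp, udp, icmp
    src: str = "0.0.0.0"
    src_wc: str = "255.255.255.255"   # the defaults amount to 'any'
    dst: str = "0.0.0.0"
    dst_wc: str = "255.255.255.255"
    dst_port: Optional[int] = None    # 'eq <port>' on the destination (extended ACLs)
    log: bool = False

    def matches(self, pkt: Dict) -> bool:
        if self.protocol != "ip" and pkt["proto"] != self.protocol:
            return False
        if not wildcard_match(pkt["src"], self.src, self.src_wc):
            return False
        if not wildcard_match(pkt["dst"], self.dst, self.dst_wc):
            return False
        return self.dst_port is None or pkt.get("dport") == self.dst_port


@dataclass
class Acl:
    name: str
    entries: List[Ace] = field(default_factory=list)
    logged: List[Dict] = field(default_factory=list)   # what a 'deny ... log' entry would report

    def add(self, ace: Ace) -> None:
        """Insert by sequence number, as named-ACL configuration mode does (25 lands between 20 and 30)."""
        self.entries = sorted([e for e in self.entries if e.seq != ace.seq] + [ace], key=lambda e: e.seq)

    def remove(self, seq: int) -> None:
        """Equivalent of 'no <seq>' in named ACL configuration mode."""
        self.entries = [e for e in self.entries if e.seq != seq]

    def evaluate(self, pkt: Dict) -> str:
        """First matching entry decides; anything unmatched hits the implicit deny at the end."""
        for ace in self.entries:
            if ace.matches(pkt):
                if ace.log:
                    self.logged.append({"seq": ace.seq, **pkt})
                return ace.action
        return "deny"   # the implicit deny: in every ACL, never shown by show access-lists


def serveraccess2() -> Acl:
    """The named ACL from the sequence-number section, including the later insertion of line 25."""
    acl = Acl("serveraccess2")
    acl.add(Ace(10, "permit", "tcp", dst="131.108.101.99", dst_wc="0.0.0.0", dst_port=25))  # eq smtp
    acl.add(Ace(20, "permit", "udp", dst="131.108.101.99", dst_wc="0.0.0.0", dst_port=53))  # eq domain
    acl.add(Ace(30, "deny", "ip", log=True))                                               # deny ip any any log
    acl.add(Ace(25, "permit", "tcp", dst="131.108.101.99", dst_wc="0.0.0.0", dst_port=21))  # eq ftp
    return acl


def standard_acl_10() -> Acl:
    """Standard ACL 10 from 'Creating Standard ACLs': permit 172.16.x.x, deny host 172.17.0.1, permit any."""
    acl = Acl("10")
    acl.add(Ace(10, "permit", src="172.16.0.0", src_wc="0.0.255.255"))
    acl.add(Ace(20, "deny", src="172.17.0.1", src_wc="0.0.0.0"))
    acl.add(Ace(30, "permit"))
    return acl


if __name__ == "__main__":
    acl = serveraccess2()
    print([e.seq for e in acl.entries])                                  # [10, 20, 25, 30]
    # Constructed packets: FTP is now allowed by line 25; HTTP falls through to line 30 and is logged.
    ftp = {"proto": "tcp", "src": "10.0.0.5", "dst": "131.108.101.99", "dport": 21}
    http = {"proto": "tcp", "src": "10.0.0.5", "dst": "131.108.101.99", "dport": 80}
    print(acl.evaluate(ftp), acl.evaluate(http), acl.logged)           # permit deny [{'seq': 30, ...}]
```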

Removing Specific Lines in Named ACLs Using Sequence Numbers


Steps Command Purpose
Step 1 Router(config)#ip access-list extended serveraccess2 Moves to named ACL configuration mode for the ACL serveraccess2
Step 2 Router(config-ext-nacl)#no 20 Removes line 20 from the list
Step 3 Router(config-ext-nacl)#exit Returns to global configuration mode
Restricting Virtual Terminal Access
Steps Command Purpose
Step 1 Router(config)#access-list 2 permit host 172.16.10.2 Permits host 172.16.10.2 to Telnet into this router based on where this ACL is applied.
Step 2 Router(config)#access-list 2 permit 172.16.20.0 0.0.0.255 Permits anyone from the 172.16.20.x address range to Telnet into this router based on where this ACL is applied.

Step 3 The implicit deny statement restricts anyone else from being permitted to Telnet.
Step 4 Router(config)#line vty 0 4 Moves to vty line configuration mode.
Step 5 Router(config-line)#access-class 2 in Applies this ACL to all 5 vty virtual interfaces in an inbound direction.

Step 6 TIP: When restricting access through Telnet, use the access-class command rather than the access-group command, which is used when applying an ACL to a physical interface.

Configuration Example: 9.2.3.3 Packet Tracer - Configuring an ACL on VTY Lines

Part 1: Configure and Apply an ACL to VTY Lines


Steps Command Purpose
Step 1 Verify Telnet access before the ACL is configured.
Both computers should be able to Telnet to the Router. The password is cisco.
Step 2 Configure a numbered standard ACL.
Router(config)# access-list 99 permit host 10.0.0.1 Because we do not want to permit access from any other computers, the implicit deny property of the access list satisfies our requirements.
Step 3 Place the standard ACL on the router's VTY lines.
Router(config)# line vty 0 15 Access to the Router interfaces must be allowed, while Telnet access must be restricted. Therefore we must place the ACL on Telnet lines 0 through 4. From the configuration prompt of Router, enter line configuration mode for lines 0 - 4 and use the access-class command to apply the ACL to all the VTY lines:
Router(config-line)# access-class 99 in

Part 2: Verify the ACL Implementation


Steps Command Purpose
Step 1 Verify the ACL configuration and its application to the VTY lines.
show access-lists Use the show access-lists and show run commands to verify that the ACL exists and is applied to the VTY lines.
Step 2 Verify that the ACL is working properly.
Both computers should be able to ping the Router, but only the PC with address 10.0.0.1 should be able to Telnet to it.

Configuration Example: 9.3.2.12 Packet Tracer - Configuring Extended ACLs


Part 1: Configure a Named Extended ACL
Steps Command Purpose
Use one named ACL to implement the following policy:

Block HTTP and HTTPS access from PC1 to Server1 and Server2. The servers are inside the cloud and you only know their IP addresses.
Block FTP access from PC2 to Server1 and Server2.
Block ICMP access from PC3 to Server1 and Server2.

Step 1 Deny PC1 access to the HTTP and HTTPS services on Server1 and Server2.
ip access-list extended ACL What is the command to begin the named ACL?
deny tcp host 172.31.1.101 host 64.101.255.254 eq 80 Record the statement that denies access from PC1 to Server1, only for HTTP (port 80).
deny tcp host 172.31.1.101 host 64.101.255.254 eq 443 Record the statement that denies access from PC1 to Server1, only for HTTPS (port 443).
deny tcp host 172.31.1.101 host 64.103.255.254 eq 80 Record the statement that denies access from PC1 to Server2, only for HTTP.
deny tcp host 172.31.1.101 host 64.103.255.254 eq 443 Record the statement that denies access from PC1 to Server2, only for HTTPS.
Step 2 Deny PC2 access to the FTP service on Server1 and Server2.
deny tcp host 172.31.1.102 host 64.101.255.254 eq 21 Record the statement that denies access from PC2 to Server1, only for FTP (port 21 only).
deny tcp host 172.31.1.102 host 64.103.255.254 eq 21 Record the statement that denies access from PC2 to Server2, only for FTP (port 21 only).
Step 3 Deny PC3 from pinging Server1 and Server2.
deny icmp host 172.31.1.103 host 64.101.255.254 Record the statement that denies ICMP access from PC3 to Server1.
deny icmp host 172.31.1.103 host 64.103.255.254 Record the statement that denies ICMP access from PC3 to Server2.
Step 4 Permit all other IP traffic.
permit ip any any By default, an access list denies all traffic that does not match any rule in the list. What command permits all other traffic?
Part 2: Apply and Verify the Extended ACL
Steps Command Purpose
Step 1 Apply the ACL to the correct interface and in the correct direction.
interface g0/0 What are the commands you need to apply the ACL to the correct interface and in the correct direction?
ip access-group ACL in
Step 2 Test access for each PC.
a. Access the websites of Server1 and Server2 using the Web Browser of PC1 and using both HTTP and HTTPS protocols.
b. Access FTP of Server1 and Server2 using PC1. The username and password are “cisco”.
c. Ping Server1 and Server2 from PC1.
d. Repeat Step 2a to Step 2c with PC2 and PC3 to verify proper access list operation.

Configuring DHCP
Steps Command Purpose
Step 1 Router(config)#ip dhcp excluded-address 172.16.10.1 172.16.10.9 Specifies the range of addresses not to be leased out to clients.
Step 2 Router(config)#ip dhcp pool DHCP_PSU Creates a DHCP pool called DHCP_PSU.
Step 3 Router(dhcp-config)#default-router 172.16.10.1 Defines the address of the default router for the client.
Step 4 Router(dhcp-config)#dns-server 172.16.10.10 Defines the address of the Domain Name System (DNS) server for the client.
Step 5 Router(dhcp-config)#domain-name psu.com Defines the domain name for the client.
Step 6 Router(config)#no service dhcp Turns the DHCP service off. DHCP service is on by default in Cisco IOS Software.
Step 7 Router#show ip dhcp binding Displays a list of all bindings created
Step 8 Router#show ip dhcp database Displays recent activity on the DHCP database

Configuration Example: 10.1.3.3 Packet Tracer - Configuring DHCPv4 Using Cisco IOS


Part 1: Configure a Router as a DHCP Server
Step 1 Configure the excluded IPv4 addresses.
R2(config)# ip dhcp excluded-address 192.168.10.1 192.168.10.10 Configure R2 to exclude the first 10 addresses from the R1 and R3 LANs. All other addresses should be available in the DHCP address pool.
R2(config)# ip dhcp excluded-address 192.168.30.1 192.168.30.10

Step 2 Create a DHCP pool on R2 for the R1 LAN.
a. R2(config)# ip dhcp pool R1-LAN Create a DHCP pool named R1-LAN (case-sensitive).
b. R2(dhcp-config)# network 192.168.10.0 255.255.255.0 Configure the DHCP pool to include the network address, the default gateway, and the IP address of the DNS server.
R2(dhcp-config)# default-router 192.168.10.1
R2(dhcp-config)# dns-server 192.168.20.254
Step 3 Create a DHCP pool on R2 for the R3 LAN.
a. R2(config)# ip dhcp pool R3-LAN Create a DHCP pool named R3-LAN (case-sensitive).
b. R2(dhcp-config)# network 192.168.30.0 255.255.255.0 Configure the DHCP pool to include the network address, the default gateway, and the IP address of the DNS server.
R2(dhcp-config)# default-router 192.168.30.1
R2(dhcp-config)# dns-server 192.168.20.254
Part 2: Configure DHCP Relay
Steps Command Purpose
Step 1 Configure R1 and R3 as DHCP relay agents.
R1(config)# interface g0/0 Forwards DHCP broadcasts received on G0/0 as unicasts to the DHCP server at the helper address.
R1(config-if)# ip helper-address 10.1.1.2
R3(config)# interface g0/0
R3(config-if)# ip helper-address 10.2.2.2
Step 2 Set PC1 and PC2 to receive IP addressing information from DHCP.
Part 3: Configure R2 as a DHCP Client
Steps Command Purpose
Step 1 Configure the Gigabit Ethernet 0/1 interface on R2 to receive IP addressing from DHCP and activate the interface.
a. R2(config)# interface g0/1 Note: Use Packet Tracer’s Fast Forward Time feature to speed up the process, or wait until R2 forms an EIGRP adjacency with the ISP router.
R2(config-if)# ip address dhcp
R2(config-if)# no shutdown
b. Use the show ip interface brief command to verify that R2 received an IP address from DHCP.
Part 4: Verify DHCP and Connectivity
Steps Command Purpose
Step 1 Verify DHCP bindings.
a. R2# show ip dhcp binding
Step 2 Verify configurations.
Verify that PC1 and PC2 can now ping each other and all other devices.
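An added model (Python, not IOS code) of the part of the DHCP server behaviour this lab depends on: excluded-address ranges are global and apply to every pool, and a DISCOVER relayed by ip helper-address is matched to a pool by the giaddr the relay fills in (its own G0/0 address), not by the helper address it is sent to. The pool and exclusion values are those from Part 1; the client MAC addresses are constructed.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class DhcpPool:
    name: str
    network: ipaddress.IPv4Network   # 'network 192.168.10.0 255.255.255.0'
    default_router: str              # 'default-router ...'
    dns_server: str                  # 'dns-server ...'


@dataclass
class DhcpServer:
    """Subset of the IOS DHCP server behaviour the lab relies on, modelled for this example."""
    pools: List[DhcpPool]
    excluded: List[Tuple[ipaddress.IPv4Address, ipaddress.IPv4Address]] = field(default_factory=list)
    bindings: Dict[str, ipaddress.IPv4Address] = field(default_factory=dict)   # client MAC -> address

    def exclude(self, first: str, last: str) -> None:
        """'ip dhcp excluded-address first last' is global: it applies to every pool."""
        self.excluded.append((ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)))

    def is_excluded(self, addr: ipaddress.IPv4Address) -> bool:
        return any(lo <= addr <= hi for lo, hi in self.excluded)

    def select_pool(self, giaddr: str, receiving_if_addr: str) -> Optional[DhcpPool]:
        """A relayed DISCOVER carries the relay's interface address in giaddr, and the
        server picks the pool whose network contains it. A DISCOVER heard directly
        (giaddr 0.0.0.0) is matched by the address of the receiving interface."""
        key = ipaddress.IPv4Address(giaddr if giaddr != "0.0.0.0" else receiving_if_addr)
        return next((p for p in self.pools if key in p.network), None)

    def offer(self, client_mac: str, giaddr: str = "0.0.0.0",
              receiving_if_addr: str = "0.0.0.0") -> Optional[Dict[str, str]]:
        """Return the OFFER parameters (yiaddr, router, dns, pool) or None if nothing can be offered."""
        pool = self.select_pool(giaddr, receiving_if_addr)
        if pool is None:
            return None
        addr = self.bindings.get(client_mac)
        if addr is None or addr not in pool.network:
            in_use = set(self.bindings.values())
            addr = next((h for h in pool.network.hosts()
                         if not self.is_excluded(h) and h not in in_use), None)
            if addr is None:
                return None                      # pool exhausted
            self.bindings[client_mac] = addr
        return {"yiaddr": str(addr), "router": pool.default_router,
                "dns": pool.dns_server, "pool": pool.name}


def r2_dhcp_server() -> DhcpServer:
    """R2 as configured in Part 1 of the lab: two excluded ranges, pools R1-LAN and R3-LAN."""
    server = DhcpServer(pools=[
        DhcpPool("R1-LAN", ipaddress.IPv4Network("192.168.10.0/24"), "192.168.10.1", "192.168.20.254"),
        DhcpPool("R3-LAN", ipaddress.IPv4Network("192.168.30.0/24"), "192.168.30.1", "192.168.20.254"),
    ])
    server.exclude("192.168.10.1", "192.168.10.10")
    server.exclude("192.168.30.1", "192.168.30.10")
    return server


if __name__ == "__main__":
    r2 = r2_dhcp_server()
    # Constructed: PC1's DISCOVER relayed by R1, so giaddr is R1's G0/0 address, 192.168.10.1.
    print(r2.offer("00:01:aa:aa:aa:01", giaddr="192.168.10.1"))   # yiaddr 192.168.10.11, pool R1-LAN
    # A relayed request whose giaddr matches no pool (here a serial-link address) gets no offer.
    print(r2.offer("00:01:aa:aa:aa:02", giaddr="10.1.1.1"))        # None
```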

Network Address Translation (NAT)


Configuring Static NAT: One Private to One Permanent Public Address Translation
Steps Command Purpose
Step 1 R1(config)# ip nat inside source static 172.16.16.1 64.100.50.1 Permanently translates the inside address of 172.16.16.1 to a public address of 64.100.50.1. Use the command for each of the private IP addresses you want to statically map to a public address.

Step 2 R1(config-if)# ip nat inside Defines which interface is the inside interface for NAT. You can have more than one inside interface on a router.
Step 3 R1(config)# interface s0/0/0 Moves to interface configuration mode.
Step 4 R1(config-if)# ip nat outside Defines which interface is the outside interface for NAT.
Step 5 CAUTION: Make sure that you have in your router configurations a way for packets to travel back to your NAT router. Include a static route on the ISP router advertising your NAT pool and how to travel back to your internal network. Without this in place, a packet can leave your network with a public address, but it will not be able to return if your ISP router does not know where the pool of public addresses exists in the network. You should be advertising the pool of public addresses, not your private addresses.

Configuring Dynamic NAT: One Private to One Public Address Translation


Steps Command Purpose
Step 1 R2(config)# access-list 1 permit 172.16.0.0 0.0.255.255 Creates an access control list (ACL) that identifies which private IP addresses will be translated.
Step 2 R2(config)# ip nat pool any-name-here 209.165.76.196 209.165.76.199 netmask 255.255.255.252 Defines the following: The name of the pool is any-name-here. (The name of the pool can be anything.) The start of the pool is 209.165.76.196. The end of the pool is 209.165.76.199. The subnet mask is 255.255.255.252.
Step 3 R2(config)# ip nat inside source list 1 pool any-name-here Links the ACL to the pool of addresses (creates the translation).
Step 4 R1(config)# interface s0/0/0 Moves to interface configuration mode.
Step 5 R1(config-if)# ip nat outside Defines which interface is the outside interface for NAT.
Configuring PAT: Many Private to One Public Address Translation
Steps Command Purpose
Step 1 R2(config)# access-list 1 permit 172.16.0.0 0.0.255.255 Creates an access control list (ACL) that identifies which private IP addresses will be translated.
Step 2 R2(config)# ip nat pool any-name-here 209.165.76.196 209.165.76.199 netmask 255.255.255.252 Defines the following: The name of the pool is any-name-here. (The name of the pool can be anything.) The start of the pool is 209.165.76.196. The end of the pool is 209.165.76.199. The subnet mask is 255.255.255.252.
Step 3 R2(config)# ip nat inside source list 1 pool any-name-here overload Links the ACL to the pool of addresses (creates the translation). The overload keyword states that port numbers will be used to handle many translations.
Step 4 R1(config)# interface s0/0/0 Moves to interface configuration mode.
Step 5 R1(config-if)# ip nat outside Defines which interface is the outside interface for NAT.
Verifying NAT and PAT Configurations
Steps Command Purpose
Step 1 Router#show ip nat translations Displays the translation table
Step 2 Router#show ip nat statistics Displays NAT statistics
Step 3 Router#clear ip nat translation inside a.b.c.d outside e.f.g.h Clears a specific translation from the table before it times out
Step 4 Router#clear ip nat translation * Clears the entire translation table before entries time out

11.2.3.6 Packet Tracer - Implementing Static and Dynamic NAT Instructions

Part 1: Configure Dynamic NAT with PAT


Step 1 Configure traffic that will be permitted for NAT translations.
a. R2(config)# ip access-list standard R2NAT On R2, configure a standard ACL named R2NAT that uses three statements to permit, in order, the following private address spaces: 192.168.10.0/24, 192.168.20.0/24, and 192.168.30.0/24.
b. R2(config-std-nacl)# permit 192.168.10.0 0.0.0.255
c. R2(config-std-nacl)# permit 192.168.20.0 0.0.0.255
d. R2(config-std-nacl)# permit 192.168.30.0 0.0.0.255
Step 2 Configure a pool of addresses for NAT.
R2(config)# ip nat pool R2POOL 209.165.202.128 209.165.202.130 netmask 255.255.255.252 Configure R2 with a NAT pool named R2POOL that uses the first three addresses in the 209.165.202.128/30 address space. The fourth address is used for static NAT later in Part 2.
Step 3 Associate the named ACL with the NAT pool and enable PAT.
R2(config)# ip nat inside source list R2NAT pool R2POOL overload Links the R2NAT ACL to the R2POOL pool; the overload keyword enables PAT so that many inside addresses share the pool addresses by port number.
Step 4 Configure the NAT interfaces.
R2(config)# interface fa0/0 Configure R2 interfaces with the appropriate inside and outside NAT commands.
R2(config-if)# ip nat inside
R2(config-if)# interface s0/0/0
R2(config-if)# ip nat inside
R2(config-if)# interface s0/0/1
R2(config-if)# ip nat inside
R2(config-if)# interface s0/1/0
R2(config-if)# ip nat outside
Part 2: Configure Static NAT
Step 1 Configure a static NAT translation.
a. R2(config)# ip nat inside source static 192.168.20.254 209.165.202.131 Refer to the Topology. Create a static NAT translation to map the local.pka inside address to its outside address.
Part 3: Verify NAT Implementation
Step 1 Access services across the Internet.
a. From the web browser of PC1 or PC3, access the web page for cisco.pka.
b. From the web browser of PC4, access the web page for local.pka.
Step 2 View NAT translations.
R2# show ip nat translations View the NAT translations on R2.
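An added simulation (Python, not the router's implementation) of the three translation types from the NAT tables above, using the R2NAT, R2POOL and static values from this lab: static entries bypass the ACL, a plain dynamic pool hands out one address per inside host until it runs out, and overload (PAT) lets every host share one address by allocating ports. Port allocation is a simplification (keep the source port if it is free, otherwise take the next free one); the inside hosts and ports are constructed.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


class PoolExhausted(Exception):
    """Dynamic NAT without overload: every pool address is in use, so the new flow is dropped."""


def acl_network(base: str, wildcard: str) -> ipaddress.IPv4Network:
    """'permit 192.168.10.0 0.0.0.255' -> 192.168.10.0/24; ipaddress accepts a hostmask (wildcard) here."""
    return ipaddress.ip_network(f"{base}/{wildcard}", strict=False)


@dataclass
class NatRouter:
    """Subset of the NAT behaviour configured above (static, dynamic pool, PAT), modelled for this example."""
    inside_list: List[ipaddress.IPv4Network]   # networks permitted by the 'ip nat inside source list' ACL
    pool: List[str]                            # inside global addresses in pool order
    overload: bool = False                     # the 'overload' keyword (PAT)
    static: Dict[str, str] = field(default_factory=dict)    # inside local -> inside global
    dynamic: Dict[str, str] = field(default_factory=dict)   # inside local -> inside global, one-to-one
    pat: Dict[Tuple[str, str, int], Tuple[str, int]] = field(default_factory=dict)  # (proto, local ip, local port) -> (global ip, global port)
    next_port: int = 1024

    def permitted(self, src_ip: str) -> bool:
        return any(ipaddress.ip_address(src_ip) in net for net in self.inside_list)

    def translate(self, proto: str, src_ip: str, src_port: int) -> Optional[Tuple[str, int]]:
        """Inside global (address, port) used when the packet leaves the 'ip nat outside' interface.
        Returns None when the ACL does not select the source: the packet is forwarded untranslated."""
        if src_ip in self.static:                   # static entries need no ACL match
            return self.static[src_ip], src_port
        if not self.permitted(src_ip):
            return None
        if not self.overload:                       # dynamic NAT: one pool address per inside host
            if src_ip not in self.dynamic:
                free = [a for a in self.pool if a not in self.dynamic.values()]
                if not free:
                    raise PoolExhausted(src_ip)
                self.dynamic[src_ip] = free[0]
            return self.dynamic[src_ip], src_port
        key = (proto, src_ip, src_port)             # PAT: flows are told apart by port
        if key not in self.pat:
            global_ip = self.pool[0]                # one public address serves every inside host
            taken = {gp for (pr, _, _), (g, gp) in self.pat.items() if pr == proto and g == global_ip}
            port = src_port if src_port not in taken else self._alloc_port(taken)
            self.pat[key] = (global_ip, port)
        return self.pat[key]

    def _alloc_port(self, taken: Set[int]) -> int:
        """The source port is already in use on the global address: pick the next free one (simplified)."""
        while self.next_port in taken:
            self.next_port += 1
        port = self.next_port
        self.next_port += 1
        return port

    def translations(self) -> List[str]:
        """Rows in the spirit of 'show ip nat translations': proto, inside global, inside local."""
        rows = [f"--- {g} {l}" for l, g in self.static.items()]
        rows += [f"--- {g} {l}" for l, g in self.dynamic.items()]
        rows += [f"{p} {g}:{gp} {l}:{lp}" for (p, l, lp), (g, gp) in self.pat.items()]
        return rows


def r2_from_lab() -> NatRouter:
    """R2 from Parts 1 and 2 of this lab: ACL R2NAT, pool R2POOL with overload, and the local.pka static entry."""
    r2 = NatRouter(
        inside_list=[acl_network("192.168.10.0", "0.0.0.255"),
                     acl_network("192.168.20.0", "0.0.0.255"),
                     acl_network("192.168.30.0", "0.0.0.255")],
        pool=["209.165.202.128", "209.165.202.129", "209.165.202.130"],
        overload=True,
    )
    r2.static["192.168.20.254"] = "209.165.202.131"
    return r2


if __name__ == "__main__":
    r2 = r2_from_lab()
    r2.translate("tcp", "192.168.10.10", 5000)    # constructed PC on the R1 LAN
    r2.translate("tcp", "192.168.30.10", 5000)    # constructed PC on the R3 LAN, same source port
    r2.translate("tcp", "192.168.20.254", 80)     # local.pka, static entry
    print("\n".join(r2.translations()))
```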
