D3 SBA Student Ans Key

March 20, 2018 | Author: Mytha Quirky | Category: Router (Computing), Ip Address, File Transfer Protocol, Computer Network, Computer Networking



CCNA Discovery
Introducing Routing and Switching in the Enterprise
Skills-Based Assessment
Academy Student Version – Answer Key

Grading
The exam is divided into two parts. If the exam is conducted in two separate sessions, hand out Part 1 on planning and let the students complete it. Then have them turn in Part 1 so that you can grade it before the second session. Return Part 1 to the students at the start of the second session, which is a hands-on session. If there are problems with the planning in Part 1, the student will know of them before starting on Part 2. If both parts of the exam are done in one session, you should still grade Part 1 before the students start on Part 2. Students must complete Part 1 before starting Part 2.

Suggested point totals are listed for the main fill-in-the-blank questions. They currently total 100 points, but can be adjusted or changed as desired. Divide the correct points by the possible points for an overall percentage grade.

Exam Time
• The time allowed to complete Part 1 is 50 minutes. Part 2 takes longer than 50 minutes.
• At the instructor’s discretion, the amount of time allowed may be adjusted.
• Part 2 of the exam can be split into two parts to accommodate class schedules. Part 3 begins with Task 8: Configure ACL Security on HQ and R2.
• To save time and avoid splitting Part 2, have the equipment set up and cabled for the students prior to starting device configuration.

All contents are Copyright © 1992–2010 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information. Page 1 of 41

Exam Overview
This skills-based assessment is the final practical exam for the course CCNA Discovery – Introducing Routing and Switching in the Enterprise. The exam is divided into two parts, and Part 1 must be completed before Part 2. In Part 1, you develop an IP subnet scheme and document the device interfaces. In Part 2, you cable the network and configure customer routers and switches using Cisco IOS CLI commands.
The remote office router routes between the local network and the headquarters router. The headquarters router is configured to provide access to the ISP router. The OSPF routing protocol is used between the remote office and headquarters router. Static routing is used between the headquarters router and the ISP. The instructor will preconfigure the ISP router and erase the startup configuration in the headquarters router and the remote office router prior to starting the exam.

When you have completed Part 1, give it to the instructor to check before starting on Part 2. You have 50 minutes to complete Part 1. The instructor will inform you of how Part 2 will be conducted and the time allotted.

Instructor Note: For this exam, the ISP router is set up to connect to two sets of student equipment. By adding the second ISP router as shown in the diagram, two additional students can be tested simultaneously using a single Discovery Server. If needed, you can add more ISP routers. Two students can be tested for each ISP router added. See the instructor lab setup diagram and ISP router running-config at the end of this document.

Objectives
• Part 1 – Create an IP addressing plan and document the network device interfaces.
• Part 2 – Connect and configure the network equipment and verify network connectivity.

Required Equipment
The following equipment is required for each student:
• ISP router with two serial and two Fast Ethernet interfaces (preconfigured by the instructor)
• One computer to act as the Discovery Server (using the Discovery Server Live CD). Optionally, the ISP router can be configured with a loopback address. If the loopback address is used, it restricts the protocols that can be filtered using an ACL.
• One switch or crossover cable to connect the Discovery Server to the ISP router
• One 1841 HQ router (or other router with two serial interfaces)
• One 1841 R2 router (or other router with one serial interface and one Fast Ethernet interface)
• Two Ethernet 2960 switches
• Two Windows XP-based PCs
• Cat 5 and serial cabling, as necessary

Skills-Based Assessment – Part 1 [52 points]
Develop the IP Addressing Scheme and Assign Interface Addresses

Step 1: Gather required information.
Use the topology diagram at the beginning of the exam and the following information provided by the instructor to document the network.
a. You will be working with customer AnyCompanyX, where X is the number assigned by the instructor. Enter the number you are assigned here: AnyCompany___
b. If your local network is connected to the ISP as AnyCompany1, the IP address of the ISP serial 0/0/0 interface is 209.165.201.1/30. If your local network is connected to the ISP as AnyCompany2, the IP address of the ISP serial 0/0/1 interface is 209.165.201.5/30. If more than one ISP router is being used, additional addresses from the 209.165.201.x/30 range are needed. Check with the instructor to verify the ISP serial interface IP address for you to use.
Enter the ISP serial interface IP address here: _______________________________
c. The base IP address CIDR block from which you will create the VLSM addressing scheme is based on the AnyCompanyX number that you are assigned. If the local network is AnyCompany1, use 192.168.1.0 /24. If the local network is AnyCompany2, use 192.168.2.0 /24. If more than one ISP router is being used, additional addresses from the 192.168.X.0/24 range are needed. Check with the instructor to verify the correct IP address block for you to use.
Enter the base IP address and subnet mask here: ____________________________

Step 2: Determine the size of each VLSM block to accommodate users.
Develop a VLSM subnet scheme that optimally subnets the base address and allows for three VLANs on the local R2 network, the hosts on the HQ local network, and the WAN link between HQ and R2. The HQ router uses NAT/PAT to translate internal client addresses to the external address.
a. Determine the size of the subnet address block required for a network area or group of users. Fill in the table with this information.

VLSM Subnet Requirements [7 points, one for each VLSM block size]

| Network Area | Number of Users / IPs | VLSM Block Size / Number of IPs (Powers of 2) |
|---|---|---|
| AnyCompanyX block size to subdivide | N/A | 256 (8 bits) |
| HQ local network | 23 | 32 |
| R2 local network / VLANs: | | |
| VLAN 1 (Default/Mgmt-IP) | 5 | 8 |
| VLAN 11 (Dept 1) | 45 | 64 |
| VLAN 12 (Dept 2) | 97 | 128 |
| R2 to HQ WAN link | 2 | 4 |
| Total users and total block sizes | 172 | 236 |

b. To optimally allocate addresses from the /24 address assigned, sort the block sizes from largest to smallest. Use the table below to order the network areas by the VLSM block size. List the blocks starting with the largest to the smallest. [3 points for the correct order]

| Network Area / VLAN | VLSM Block Size |
|---|---|
| R2 – VLAN 12 (Dept 2) | 128 |
| R2 – VLAN 11 (Dept 1) | 64 |
| HQ – Local network | 32 |
| R2 – VLAN 1 (Default/Mgmt-IP) | 8 |
| R2 – HQ WAN link | 4 |

Step 3: Allocate blocks of addresses to each area of the network. [15 points, one for each address/prefix, usable range, and subnet mask]
a. Determine which blocks of the CIDR address to assign to each area of the network or VLAN. You may use the CIDR / VLSM subnet chart (Appendix A) to enter the subnet information for each CIDR block.
b. Fill in the following table based on the subnet information in the VLSM Subnet Requirements tables above.
Instructor note: Answers may vary depending on the VLSM addressing used. The following sample answers in Steps 3, 4, and 5 are for AnyCompany1.

| Network Area / VLAN | VLSM Block Size (Number of Addresses) | Subnet Address and Prefix | Usable Address Range | Subnet Mask |
|---|---|---|---|---|
| R2 – VLAN 12 (Dept 2) | 128 | 192.168.1.0 /25 | 192.168.1.1 – 192.168.1.126 | 255.255.255.128 |
| R2 – VLAN 11 (Dept 1) | 64 | 192.168.1.128 /26 | 192.168.1.129 – 192.168.1.190 | 255.255.255.192 |
| HQ – Local network (simulated with Lo0) | 32 | 192.168.1.192 /27 | 192.168.1.193 – 192.168.1.222 | 255.255.255.224 |
| R2 – VLAN 1 (Default/Mgmt) | 8 | 192.168.1.224 /29 | 192.168.1.225 – 192.168.1.230 | 255.255.255.248 |
| R2 – HQ WAN link | 4 | 192.168.1.232 /30 | 192.168.1.233 – 192.168.1.234 | 255.255.255.252 |
| Unused IP addresses | 20 | | | |

c. Have the instructor verify that your addressing scheme is accurate and assigns address space efficiently. You should not have any overlapping subnets and should have unused contiguous blocks of addresses that can be used for future growth.

Step 4: Select IP addresses for use when configuring devices. [22 points, one for each IP address and subnet mask]
Select addresses from the block assigned to an area of the network, and fill in the VLSM block size, IP address and subnet mask for each device/interface in the topology. Include the /# bits mask with the IP address. These IP addresses are used in Part 2 when you configure the network equipment.
Note: When you are finished with this step, check with the instructor before proceeding.

Device Interface / IP Address Chart

| Device | Interface | IP Address | Subnet Mask |
|---|---|---|---|
| HQ-X | Serial 0/0/0 | 192.168.1.234/30 | 255.255.255.252 |
| HQ-X | Serial 0/0/1 (use the next address compatible with the ISP serial interface address of AnyCompanyX) | 209.165.201.2/30 (AnyCompany1) or 209.165.201.6/30 (AnyCompany2) | 255.255.255.252 |
| HQ-X | Loopback0 | 192.168.1.193/27 | 255.255.255.224 |
| R2 | Serial 0/0/0 | 192.168.1.233/30 | 255.255.255.252 |
| R2 | Fast Ethernet 0/0 | None | None |
| R2 | Subint Fa0/0.1 | 192.168.1.225/29 | 255.255.255.248 |
| R2 | Subint Fa0/0.11 | 192.168.1.129/26 | 255.255.255.192 |
| R2 | Subint Fa0/0.12 | 192.168.1.1/25 | 255.255.255.128 |
| S1 | VLAN 1 | 192.168.1.226/29 | 255.255.255.248 |
| S2 | VLAN 1 | 192.168.1.227/29 | 255.255.255.248 |
| H1 | NIC | 192.168.1.130/26 | 255.255.255.192 |
| H2 | NIC | 192.168.1.2/25 | 255.255.255.128 |
| Discovery Server (or ISP Loopback address, pre-configured) | NIC | 172.17.1.1/16 | 255.255.0.0 |
| ISP | Serial 0/0/0 (pre-configured) | 209.165.201.1/30 (AnyCompany1) | 255.255.255.252 |
| ISP | Serial 0/0/1 (pre-configured) | 209.165.201.5/30 (AnyCompany2) | 255.255.255.252 |
| ISP | Fa0/0 (pre-configured default gateway for Discovery Server; optional if ISP loopback is used) | pre-configured by the instructor | pre-configured by the instructor |

Step 5: Create a logical network diagram. [5 points]
Draw a simple logical network diagram of your AnyCompanyX network. Include the ISP router, the two AnyCompanyX routers (HQ and R2), the switches, the two host computers, the three VLANs, and the Discovery Server. Write the IP address and /# bits subnet mask next to each interface, device, or VLAN using the addresses identified in Step 4. Be sure to include the subinterfaces on R2. This information is used to configure the AnyCompanyX routers and switches in Part 2 of the exam.

Logical Network Diagram for AnyCompany____ (enter number)

Step 6: Check your work with the instructor before going on to Part 2.
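The block-size, ordering and allocation arithmetic of Steps 2 through 4, carried out in Python as an added worked example (not part of the original assessment). It uses the host counts from the requirements table, checks the resulting plan for overlaps, and also emits the OSPF wildcard masks that the router network statements in Part 2 use for these subnets; the function and variable names are our own.

```python
"""VLSM allocation for the AnyCompanyX /24 as worked in Steps 2-4 (added example)."""
import ipaddress

# Host counts per area, taken from the Step 2 requirements table (AnyCompany1).
REQUIREMENTS = {
    "R2 VLAN 12 (Dept 2)": 97,
    "R2 VLAN 11 (Dept 1)": 45,
    "HQ local network": 23,
    "R2 VLAN 1 (Mgmt)": 5,
    "R2-HQ WAN link": 2,
}


def block_size(hosts: int) -> int:
    """Smallest power of two holding `hosts` usable addresses plus the network
    and broadcast addresses; a /30 (4 addresses) is the minimum for a WAN link."""
    size = 4
    while size - 2 < hosts:
        size *= 2
    return size


def allocate(base: str, requirements: dict) -> tuple:
    """Carve `base` into VLSM subnets, largest block first, so that every subnet
    starts on a boundary that is a multiple of its own size (no misaligned blocks).
    Returns (plan, number_of_unused_addresses)."""
    network = ipaddress.ip_network(base)
    ordered = sorted(requirements.items(), key=lambda kv: block_size(kv[1]), reverse=True)
    cursor = int(network.network_address)
    plan = []
    for area, hosts in ordered:
        size = block_size(hosts)
        prefix = 32 - (size.bit_length() - 1)          # 128 addresses -> /25, 4 -> /30
        subnet = ipaddress.ip_network((cursor, prefix))
        if not subnet.subnet_of(network):
            raise ValueError(f"{area} ({size} addresses) does not fit in {base}")
        plan.append({
            "area": area,
            "hosts": hosts,
            "block": size,
            "subnet": str(subnet),
            "first": str(subnet.network_address + 1),   # first usable host address
            "last": str(subnet.broadcast_address - 1),  # last usable host address
            "mask": str(subnet.netmask),
            "wildcard": str(subnet.hostmask),           # inverse mask for OSPF/ACLs
        })
        cursor += size
    unused = int(network.broadcast_address) + 1 - cursor
    return plan, unused


def ospf_network_statements(plan: list) -> list:
    """OSPF `network` lines with wildcard masks for every subnet in the plan."""
    return [
        f"network {ipaddress.ip_network(p['subnet']).network_address} {p['wildcard']} area 0"
        for p in plan
    ]


def check_no_overlap(plan: list) -> bool:
    """The Step 3 acceptance check: no two allocated subnets may overlap."""
    nets = [ipaddress.ip_network(p["subnet"]) for p in plan]
    return all(not a.overlaps(b) for i, a in enumerate(nets) for b in nets[i + 1:])


if __name__ == "__main__":
    plan, unused = allocate("192.168.1.0/24", REQUIREMENTS)
    for p in plan:
        print(f"{p['area']:<22} {p['block']:>4}  {p['subnet']:<18} "
              f"{p['first']} - {p['last']}  {p['mask']}")
    print("unused addresses:", unused, " overlap-free:", check_no_overlap(plan))
    for line in ospf_network_statements(plan):
        print(line)
```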
Note: This is a sample diagram for the instructor version only. IP addresses may vary based on the VLSM addressing scheme used. If the student desires, interfaces on switch ports may be shown, but they are not part of the logical diagram because they do not have IP addresses assigned.

Skills-Based Assessment – Part 2 [48 points]
Instructor note: Part 2 of the exam may be split into two parts to accommodate class schedules. Part 3 would begin with Task 8: Configure ACL Security on HQ and R2. To save time and avoid splitting this part of the exam, have the equipment set up and cabled for the students prior to starting device configuration. Before students start Part 2, configure the ISP router. (See running-config at end of lab.)

Instructor note: If the ISP router is configured with a loopback address in lieu of the Discovery Server, the HTTP service in the router must be enabled.

The IP addresses used to configure the devices in the following tasks are based on your solution for the VLSM scheme in Part 1.

Task 1: Build the Network and Connect the Cables
Using the topology diagram provided at the beginning of Part 1 and the logical network diagram you created in Step 5, build the network. Connect the AnyCompanyX network HQ-X router to the appropriate ISP router interface: Serial 0/0/0 for AnyCompany1 or S0/0/1 for AnyCompany2 (unless instructed otherwise by the instructor). The ISP provides the clocking for the HQ router. Refer to the topology diagram at the beginning of Part 1 for other DTE/DCE settings. The ISP router and the Discovery Server should be preconfigured by the instructor.
Note: Make sure that the routers and the switches have been erased and have no startup configurations.

Task 2: Configure the HQ Router
Step 1: Configure the router.
Assign the host name HQ-X (where X is the number of AnyCompanyX) and the passwords. Configure no domain lookup, and specify the message-of-the-day as “Unauthorized use prohibited”.

Router(config)#hostname HQ-1
HQ-1(config)#line console 0
HQ-1(config-line)#password cisco
HQ-1(config-line)#login
HQ-1(config-line)#line vty 0 4
HQ-1(config-line)#password cisco
HQ-1(config-line)#login
HQ-1(config-line)#exit
HQ-1(config)#enable secret class
HQ-1(config)#no ip domain-lookup
HQ-1(config)#banner motd #Unauthorized use prohibited#

Step 2: Configure the HQ router serial and loopback interfaces.
The WAN link from HQ to R2 uses default Cisco HDLC encapsulation. The WAN link from HQ to ISP uses PPP with CHAP authentication.

HQ-1(config)#interface s0/0/0
HQ-1(config-if)#ip address 192.168.1.234 255.255.255.252
HQ-1(config-if)#clock rate 64000
HQ-1(config-if)#no shutdown
HQ-1(config-if)#interface s0/0/1
HQ-1(config-if)#ip address 209.165.201.2 255.255.255.252
HQ-1(config-if)#encapsulation ppp
HQ-1(config-if)#ppp authentication chap
HQ-1(config-if)#no shutdown
HQ-1(config-if)#interface lo0
HQ-1(config-if)#ip address 192.168.1.193 255.255.255.224

Step 3: Create the CHAP user ID and password.
For CHAP authentication, configure a username for the ISP router on the HQ router with a password of cisco.

HQ-1(config)#username ISP password cisco

Step 4: Configure OSPF routing for Area 0 on HQ.

HQ-1(config)#router ospf 1
HQ-1(config-router)#network 192.168.1.192 0.0.0.31 area 0
HQ-1(config-router)#network 192.168.1.232 0.0.0.3 area 0
HQ-1(config-router)#network 209.165.201.0 0.0.0.3 area 0

Step 5: Configure a default route to the ISP on HQ and propagate this route to R2 using OSPF.

HQ-1(config)#ip route 0.0.0.0 0.0.0.0 s0/0/1
HQ-1(config)#router ospf 1
HQ-1(config-router)#default-information originate

Step 6: Configure overloaded NAT (PAT) on HQ.
a. Permit the entire 192.168.X.0/24 address space to be translated (where X is the number assigned to AnyCompany).
b. Use the IP address on the serial port that connects to the ISP as the overloaded address.
c. Specify the inside and outside NAT interfaces.

HQ-1(config)#access-list 1 permit 192.168.1.0 0.0.0.255
HQ-1(config)#ip nat inside source list 1 interface s0/0/1 overload
HQ-1(config)#interface s0/0/0
HQ-1(config-if)#ip nat inside
HQ-1(config-if)#interface lo0
HQ-1(config-if)#ip nat inside
HQ-1(config-if)#interface s0/0/1
HQ-1(config-if)#ip nat outside

Step 7: Save the router running-config configuration to startup-config.

Task 3: Configure the Remote Office Router
Step 1: Configure basic settings for the R2 router.
Assign the host name and the passwords. Configure no domain lookup, and specify the message-of-the-day as “Unauthorized use prohibited”.

Step 2: Configure the R2 Fast Ethernet subinterfaces and serial interfaces.
Define the Fast Ethernet subinterfaces to match the numbers of the VLANs they represent. They should also use 802.1Q encapsulation. VLAN 1 is the native VLAN.

R2(config)#interface fa0/0
R2(config-if)#no shutdown
R2(config-if)#interface fa0/0.1
R2(config-subif)#encapsulation dot1Q 1
R2(config-subif)#ip address 192.168.1.225 255.255.255.248
R2(config-subif)#interface fa0/0.11
R2(config-subif)#encapsulation dot1Q 11
R2(config-subif)#ip address 192.168.1.129 255.255.255.192
R2(config-subif)#interface fa0/0.12
R2(config-subif)#encapsulation dot1Q 12
R2(config-subif)#ip address 192.168.1.1 255.255.255.128
R2(config-subif)#interface s0/0/0
R2(config-if)#ip address 192.168.1.233 255.255.255.252
R2(config-if)#no shutdown

Step 3: Configure OSPF routing for Area 0 on R2.
Specify the subnet for each R2 interface using the appropriate wildcard mask.

R2(config)#router ospf 1
R2(config-router)#network 192.168.1.0 0.0.0.127 area 0
R2(config-router)#network 192.168.1.128 0.0.0.63 area 0
R2(config-router)#network 192.168.1.224 0.0.0.7 area 0
R2(config-router)#network 192.168.1.232 0.0.0.3 area 0

Step 4: Save the router running-config configuration to startup-config.

Task 4: Configure the Remote Office Switch S1
Note: Be sure to erase the startup-config, delete the vlan.dat file, and reload the switch before beginning the configuration.

Step 1: Configure the basic settings on the S1 switch.
Assign the host name and the passwords. Configure no domain lookup, and specify the message-of-the-day as “Unauthorized use prohibited”.

Step 2: Configure the VLANs for S1.
Use the VLAN numbers and names in the following table, and assign the ports to each VLAN as indicated. Use this table to configure switch S2 in Task 5.

| VLAN Number | VLAN Name | Ports Assigned | Notes |
|---|---|---|---|
| VLAN 1 (default VLAN) | default | None | VLAN 1 cannot be renamed |
| VLAN 11 (Dept 1 users) | Dept1 | 3 to 11 | |
| VLAN 12 (Dept 2 users) | Dept2 | 12 to 24 | |

S1(config)#vlan 11
S1(config-vlan)#name Dept1
S1(config-vlan)#vlan 12
S1(config-vlan)#name Dept2
S1(config-vlan)#exit
S1(config)#interface range fa0/3-11
S1(config-if-range)#switchport mode access
S1(config-if-range)#switchport access vlan 11
S1(config-if-range)#interface range fa0/12-24
S1(config-if-range)#switchport mode access
S1(config-if-range)#switchport access vlan 12
S1(config-if-range)#exit

Step 3: Assign an IP address to the Management VLAN 1 on S1.
Assign the VLAN 1 address according to the Device Interface / IP Address chart in Part 1. Configure the switch with a default gateway to router R2 for VLAN 1.

S1(config)#interface vlan1
S1(config-if)#ip address 192.168.1.226 255.255.255.248
S1(config-if)#no shutdown
S1(config-if)#exit
S1(config)#ip default-gateway 192.168.1.225

Step 4: Configure S1 switch ports.
Configure switch ports Fa0/1 and Fa0/2 as 802.1Q trunks so that they can carry VLAN information.

S1(config)#interface fa0/1
S1(config-if)#switchport mode trunk
S1(config-if)#interface fa0/2
S1(config-if)#switchport mode trunk

Step 5: Configure S1 as the root switch for STP.
Change the priority of native VLAN 1 so that it becomes the root switch.

S1(config)#spanning-tree vlan 1 priority 4096

Step 6: Configure a VTP domain.
Configure the AnyCompanyX domain name on S1 and assign the password cisco.

S1(config)#vtp domain AnyCompany1
S1(config)#vtp mode server
S1(config)#vtp password cisco

Step 7: Configure switch port security.
Configure port security for port Fa0/9 on switch S1. When port security is configured, connecting any other host disables the port.

S1(config)#interface fa0/9
S1(config-if)#shutdown
S1(config-if)#switchport port-security
S1(config-if)#switchport port-security mac-address sticky
S1(config-if)#no shutdown
S1(config-if)#end

Step 8: Save the S1 switch running-config configuration to startup-config.

Task 5: Configure the Remote Office Switch S2
Note: Be sure to erase the startup-config, delete the vlan.dat file, and reload the switch before beginning the configuration.

Step 1: Configure the basic settings on the S2 switch.
Assign the host name and the passwords. Configure no domain lookup, and specify the message-of-the-day as “Unauthorized use prohibited”.

Step 2: Configure a VTP domain.
Configure the AnyCompanyX domain name on S2 and assign the password cisco.

S2(config)#vtp domain AnyCompany1
S2(config)#vtp mode client
S2(config)#vtp password cisco

Step 3: Assign ports to the VLANs.
Use the information in the table in Task 4, Step 2 to assign ports to the VLANs.

S2(config)#interface range fa0/3-11
S2(config-if-range)#switchport mode access
S2(config-if-range)#switchport access vlan 11
S2(config-if-range)#interface range fa0/12-24
S2(config-if-range)#switchport mode access
S2(config-if-range)#switchport access vlan 12
S2(config-if-range)#exit

Step 4: Assign an IP address to the Management VLAN 1 on S2.
Assign the VLAN 1 address according to the Device Interface / IP Address table in Part 1. Configure the switch with a default gateway to router R2 for VLAN 1.

S2(config)#interface vlan1
S2(config-if)#ip address 192.168.1.227 255.255.255.248
S2(config-if)#no shutdown
S2(config-if)#exit
S2(config)#ip default-gateway 192.168.1.225

Step 5: Configure switch port Fa0/2 as an 802.1Q trunk to carry VLAN information.

S2(config)#interface fa0/1
S2(config-if)#switchport mode trunk
S2(config-if)#interface fa0/2
S2(config-if)#switchport mode trunk

Step 6: Configure switch port security.
Configure port security for port Fa0/15 on switch S2. When port security is configured, connecting any other host disables the port.

S2(config)#interface fa0/15
S2(config-if)#shutdown
S2(config-if)#switchport port-security
S2(config-if)#switchport port-security mac-address sticky
S2(config-if)#no shutdown
S2(config-if)#end

Step 7: Save the S2 switch running-config configuration to startup-config.

Task 6: Configure Host IP Addresses
Configure each host IP address, subnet mask, and default gateway using the information in the Device Interface / IP Address chart in Part 1.
Task 7: Verify Device Configurations and Basic Connectivity [33 points, one for each item verified with command output and checked by instructor]
Before configuring ACLs in the next task, verify the items listed in the table and indicate which command you used. Include the IP address to be pinged when verifying connectivity. Have the instructor check off each item when verified.
Instructor note: Other commands than the ones listed may be used if they verify the same information. See the end of the lab for the show-run output and sample output for other commands on HQ, R2, S1, and S2.

| Configuration Items to Verify | Command Used | Check |
|---|---|---|
| HQ basic config (host, pass, interfaces, etc.) | show running-config | |
| HQ routing table (OSPF, static/default) | show ip route | |
| HQ NAT config (ACL, IPs) | show running-config | |
| R2 basic config (host, pass, IPs) | show running-config | |
| R2 routing table (OSPF, static/default) | show ip route | |
| R2 subinterfaces on Fa0/0 | show vlans | |
| R2 subinterfaces encapsulation | show vlans | |
| S1 basic config (host, pass, IPs) | show running-config | |
| S1 VLANs | show vlan brief | |
| S1 ports in correct VLANs | show vlan brief | |
| S1 802.1Q trunk ports | show interfaces trunk | |
| S1 is root switch | show spanning-tree | |
| S1 is VTP server | show vtp status | |
| S1 port security | show running-config, show port-security | |
| S2 basic config (host, pass, IPs) | show running-config | |
| S2 VLANs | show vlan brief | |
| S2 ports in correct VLANs | show vlan brief | |
| S2 802.1Q trunk ports | show interfaces trunk | |
| S2 is VTP client | show vtp status | |
| S2 port security | show running-config, show port-security | |

| Connectivity Items to Verify | Command Used | Check |
|---|---|---|
| Ping S1 from H1 and H2 | ping IP address | |
| Ping S2 from H1 and H2 | ping IP address | |
| Ping R2 default gateway from H1 and H2 | ping IP address | |
| Ping R2 default gateway from S1 and S2 | ping IP address | |
| Ping from H1 to H2 (between VLANs) | ping IP address | |
| Ping HQ from R2 | ping IP address | |
| Ping from H1 and H2 to HQ S0/0/0 | ping IP address | |
| Ping from H1 and H2 to HQ Lo0 (HQ LAN) | ping IP address | |
| Ping from H1 and H2 to ISP S0/0/0 | ping IP address | |
| Ping from H1 and H2 to ISP Discovery Server | ping IP address | |
| Web browser from H1 and H2 to Discovery Server (or ISP router Loopback) | Internet Explorer or other browser to IP address | |
| Telnet from H1 and H2 to HQ and R2 | telnet IP address | |
| Verify HQ NAT translations (display translations after ping, telnet and web browser from H1 or H2 to ISP loopback or Discovery Server) | show ip nat translations | |

Task 8: Configure ACL Security on HQ and R2
Note: The following commands are based on IP address ranges for one possible solution to the VLSM scheme in Part 1 of the lab.

Step 1: Create and apply a numbered extended ACL on R2. [6 points, one for each instructor check]
The ACL must allow web requests and pings to leave the R2 network if they originated from any location within the R2 AnyCompanyX network. Telnet traffic is permitted if it originates in VLAN 11, and FTP traffic (FTP control and FTP data) is permitted if it originates in VLAN 12. All other traffic is denied. Include remarks in your ACL to document what it is doing. Add an explicit deny statement to the end of the ACL so that statistics can be collected on the number of packets denied. Apply the ACL to the appropriate R2 interface.

Example ACL:
R2(config)#access-list 101 remark allow web access for R2 internal network
R2(config)#access-list 101 permit tcp 192.168.1.0 0.0.0.255 any eq www
R2(config)#access-list 101 remark allow pings for R2 internal network
R2(config)#access-list 101 permit icmp 192.168.1.0 0.0.0.255 any
R2(config)#access-list 101 remark allow telnet for VLAN 11
R2(config)#access-list 101 permit tcp 192.168.1.128 0.0.0.63 any eq telnet
R2(config)#access-list 101 remark allow FTP for VLAN 12
R2(config)#access-list 101 permit tcp 192.168.1.0 0.0.0.127 any eq ftp-data
R2(config)#access-list 101 permit tcp 192.168.1.0 0.0.0.127 any eq ftp
R2(config)#access-list 101 deny ip any any
R2(config)#interface Serial0/0/0
R2(config-if)#ip access-group 101 out

a. Have the instructor verify the ACL statements and placement. _______ Instructor check.
b. Test the ACL by pinging from H1 and H2 to the ISP loopback address or the IP address of the Discovery Server. Pings should be successful. Have the instructor verify. _______ Instructor check.
c. Using a browser from H1 and H2, enter the ISP router Loopback0 address or the IP address of the Discovery Server. You should be able to get to the login screen of the router HTTP/SDM interface or the default web page on the Discovery Server. Have the instructor verify. _______ Instructor check.
d. Telnet from host H1 in VLAN 11 to the HQ router using its S0/0/0 IP address. You should be able to telnet from any host in VLAN 11. The R2 ACL permits telnet from VLAN 11 hosts. Have the instructor verify. _______ Instructor check.
e. Telnet from host H2 in VLAN 12 to the HQ router using its S0/0/0 IP address. You should not be able to telnet from a host in VLAN 12. The R2 ACL blocks telnet from VLAN 12 hosts. Have the instructor verify. _______ Instructor check.
f. Use the show access-lists command to verify that the ACL is working. You should see counts on several ACL statements. Have the instructor verify. _______ Instructor check.

R2#show access-lists
Extended IP access list 101
    10 permit tcp 192.168.1.0 0.0.0.255 any eq www (10 matches)
    20 permit icmp 192.168.1.0 0.0.0.255 any (4 matches)
    30 permit tcp 192.168.1.128 0.0.0.63 any eq telnet (6 matches)
    40 permit tcp 192.168.1.0 0.0.0.127 any eq ftp-data
    50 permit tcp 192.168.1.0 0.0.0.127 any eq ftp
    60 deny ip any any (6 matches)

Step 2: Create and apply a standard ACL to control vty access to the HQ router. [4 points, one for each instructor check]
The ACL should deny vty access for all hosts from any network or interface to the HQ router, except for host H1 on VLAN 11. Add an explicit deny statement to the end of the ACL so that statistics can be collected on the number of packets denied. Apply the ACL to vty lines 0 through 4 on the HQ router.

HQ-1(config)#access-list 2 permit host 192.168.1.130
HQ-1(config)#access-list 2 deny any
HQ-1(config)#line vty 0 4
HQ-1(config-line)#access-class 2 in

a. Have the instructor verify the ACL statements and placement. _______ Instructor check.
b. Telnet from host H1 in VLAN 11 to the HQ router using its S0/0/0 IP address. The HQ vty ACL permits telnet from host H1. Have the instructor verify. _______ Instructor check.
c. Change the IP address of H1 to another address that is on VLAN 11, and telnet again from host H1 in VLAN 11 to the HQ router using its S0/0/0 IP address. The HQ vty ACL denies telnet from any host IP address other than the original one for H1. Have the instructor verify. _______ Instructor check.
d. Use the show access-lists command to verify that the ACL is working. You should see counts on several ACL statements. Have the instructor verify. _______ Instructor check.

HQ-1#sh access-lists
Standard IP access list 1
    10 permit 192.168.1.0, wildcard bits 0.0.0.255 (20 matches)
Standard IP access list 2
    10 permit 192.168.1.130 (2 matches)
    20 deny   any (6 matches)

Step 3: On R2 and HQ, save the router running configuration to NVRAM.

Step 4: Save the running configurations for each networking device to a file. [5 points]
Save the output from HQ-X, R2, S1, and S2 to a single text file on your desktop and name it XXX-D3-SBAConfigs.txt (where XXX are your initials). Show it to the instructor.

Appendix A
Instructor note: For the student version of the lab, remove the values and colors from the body of the chart. Leave the headings in bold for the first 3 rows and the words “Subnet # (octets 3&4)” in row 5, column 1. Remove the Possible Solution at the end of this spreadsheet.

CIDR / VLSM Subnet Chart
AnyCompanyX ____ Base Address: ________________ (192.168.X.0) Subnet Mask: 255.255.255.0

| CIDR mask | Dot mask (octets 3&4) | Number of hosts possible |
|---|---|---|
| /24 | 255.0 | 256 |
| /25 | 255.128 | 128 |
| /26 | 255.192 | 64 |
| /27 | 255.224 | 32 |
| /28 | 255.240 | 16 |
| /29 | 255.248 | 8 |
| /30 | 255.252 | 4 |

Subnet # (octets 3 & 4): chart body of subnet numbers (1.0 through 1.252 for each prefix length) not reproduced in this copy.

Possible Solution

| Area / VLAN | Block size | Subnet / Prefix |
|---|---|---|
| R2 VLAN 12 | 128 | 192.168.1.0/25 |
| R2 VLAN 11 | 64 | 192.168.1.128/26 |
| HQ Network | 32 | 192.168.1.192/27 |
| R2 VLAN 1 | 8 | 192.168.1.224/29 |
| R2/HQ WAN link | 4 | 192.168.1.232/30 |
| Unused addresses | 20 | |
| Total | 256 | |
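The R2 extended ACL and the HQ vty ACL from Steps 1 and 2, replayed against the flows the verification steps exercise, as an added example in Python (not part of the assessment): a small first-match evaluator for the numbered ACL syntax exactly as typed above, with per-rule match counters like show access-lists. Host and server addresses are those of the AnyCompany1 sample solution; the function names are our own.

```python
# Added example: first-match evaluator for the numbered IOS ACL syntax used in Task 8.
# Flow endpoints follow the AnyCompany1 sample solution: H1 = 192.168.1.130 (VLAN 11),
# H2 = 192.168.1.2 (VLAN 12), HQ S0/0/0 = 192.168.1.234, Discovery Server = 172.17.1.1.
import ipaddress
from dataclasses import dataclass
from typing import Optional

PORT_NAMES = {"www": 80, "telnet": 23, "ftp": 21, "ftp-data": 20}

@dataclass
class Rule:
    action: str                 # "permit" or "deny"
    proto: str                  # "ip", "tcp" or "icmp"; standard ACLs match any protocol
    src: tuple                  # (address, wildcard) as integers
    dst: tuple
    dport: Optional[int] = None
    matches: int = 0

def _addr(tokens: list) -> tuple:
    """Consume one address spec (any | host A | A WILDCARD | A); return (addr, wildcard)."""
    tok = tokens.pop(0)
    if tok == "any":
        return 0, 0xFFFFFFFF
    if tok == "host":
        return int(ipaddress.ip_address(tokens.pop(0))), 0
    addr = int(ipaddress.ip_address(tok))
    if tokens and tokens[0][0].isdigit() and "." in tokens[0]:    # explicit wildcard
        return addr, int(ipaddress.ip_address(tokens.pop(0)))
    return addr, 0                                                 # standard ACL default

def parse_acl(lines: list, number: int) -> list:
    """Parse the `access-list <number> ...` statements; prompts and remarks are skipped."""
    rules = []
    for raw in lines:
        tokens = raw.split("#", 1)[-1].strip().split()            # drop "R2(config)#"
        if len(tokens) < 3 or tokens[0] != "access-list" or int(tokens[1]) != number:
            continue
        if tokens[2] == "remark":
            continue
        rest = tokens[3:]
        if number <= 99:                                            # standard: source only
            rules.append(Rule(tokens[2], "ip", _addr(rest), (0, 0xFFFFFFFF)))
        else:                                                       # extended
            proto = rest.pop(0)
            src, dst, dport = _addr(rest), _addr(rest), None
            if rest[:1] == ["eq"]:
                dport = PORT_NAMES.get(rest[1]) or int(rest[1])
            rules.append(Rule(tokens[2], proto, src, dst, dport))
    return rules

def _in(addr: int, spec: tuple) -> bool:
    net, wild = spec
    keep = ~wild & 0xFFFFFFFF            # bits the wildcard says must match
    return (addr & keep) == (net & keep)

def evaluate(rules: list, proto: str, src: str, dst: str, dport: Optional[int] = None) -> str:
    """Return "permit" or "deny" for one flow; unmatched flows hit the implicit deny."""
    s, d = int(ipaddress.ip_address(src)), int(ipaddress.ip_address(dst))
    for r in rules:
        if (r.proto in ("ip", proto) and _in(s, r.src) and _in(d, r.dst)
                and (r.dport is None or r.dport == dport)):
            r.matches += 1
            return r.action
    return "deny"

# The Task 8 statements exactly as typed in the answer key.
R2_ACL_101 = """\
R2(config)#access-list 101 remark allow web access for R2 internal network
R2(config)#access-list 101 permit tcp 192.168.1.0 0.0.0.255 any eq www
R2(config)#access-list 101 remark allow pings for R2 internal network
R2(config)#access-list 101 permit icmp 192.168.1.0 0.0.0.255 any
R2(config)#access-list 101 remark allow telnet for VLAN 11
R2(config)#access-list 101 permit tcp 192.168.1.128 0.0.0.63 any eq telnet
R2(config)#access-list 101 remark allow FTP for VLAN 12
R2(config)#access-list 101 permit tcp 192.168.1.0 0.0.0.127 any eq ftp-data
R2(config)#access-list 101 permit tcp 192.168.1.0 0.0.0.127 any eq ftp
R2(config)#access-list 101 deny ip any any""".splitlines()

HQ_ACL_2 = """\
HQ-1(config)#access-list 2 permit host 192.168.1.130
HQ-1(config)#access-list 2 deny any""".splitlines()

H1, H2, HQ_S0, SERVER = "192.168.1.130", "192.168.1.2", "192.168.1.234", "172.17.1.1"

def run_task8_checks() -> dict:
    """Replay the Task 8 verification steps (constructed flows) and return each verdict."""
    r2, hq = parse_acl(R2_ACL_101, 101), parse_acl(HQ_ACL_2, 2)
    results = {
        "H1 ping server": evaluate(r2, "icmp", H1, SERVER),
        "H2 web to server": evaluate(r2, "tcp", H2, SERVER, 80),
        "H1 telnet HQ": evaluate(r2, "tcp", H1, HQ_S0, 23),       # VLAN 11: permitted
        "H2 telnet HQ": evaluate(r2, "tcp", H2, HQ_S0, 23),       # VLAN 12: blocked
        "H2 ftp server": evaluate(r2, "tcp", H2, SERVER, 21),
        "H1 ftp server": evaluate(r2, "tcp", H1, SERVER, 21),     # FTP only from VLAN 12
        "H2 https server": evaluate(r2, "tcp", H2, SERVER, 443),  # not in the policy
        "vty from H1": evaluate(hq, "ip", H1, HQ_S0),
        "vty from other VLAN 11 host": evaluate(hq, "ip", "192.168.1.131", HQ_S0),
    }
    results["R2 deny matches"] = r2[-1].matches   # what `show access-lists` would count
    return results
```

Calling run_task8_checks() returns the verdict for each flow; the "R2 deny matches" entry mirrors the hit count on the explicit deny line that Step 1 asks the student to read off with show access-lists.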
Appendix B

HQ-1 Router Config (1841 – Cisco IOS 12.4) Plus sample command outputs

Instructor note: Config items to be tested are highlighted in green

HQ-1#show running-config
Building configuration...

Current configuration : 1650 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname HQ-1
!
enable secret 5 $1$k611$ET5OUWkjhCLvgkWJg36yQ0
enable password cisco
!
no ip domain lookup
!
username ISP-A password 0 cisco
!
interface Loopback0
 ip address 192.168.1.193 255.255.255.224
!
interface FastEthernet0/0
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Serial0/0/0
 ip address 192.168.1.234 255.255.255.252
 ip nat inside
 clock rate 64000
!
interface Serial0/0/1
 ip address 209.165.201.2 255.255.255.252
 ip nat outside
 encapsulation ppp
 ppp authentication chap
!
interface Vlan1
 no ip address
!
router ospf 1
 log-adjacency-changes
 network 192.168.1.192 0.0.0.31 area 0
 network 192.168.1.232 0.0.0.3 area 0
 network 209.165.201.0 0.0.0.3 area 0
 default-information originate
!
ip route 0.0.0.0 0.0.0.0 Serial0/0/1
!
!
ip http server
no ip http secure-server
ip nat inside source list 1 interface Serial0/0/1 overload
!
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 2 permit 192.168.1.130
access-list 2 deny   any
!
banner motd ^CUnauthorized use prohibited^C
!
line con 0
 password cisco
 login
line aux 0
line vty 0 4
 access-class 2 in
 password cisco
 login
!
end

HQ-1#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is 0.0.0.0 to network 0.0.0.0

     192.168.1.0/24 is variably subnetted, 5 subnets, 5 masks
O       192.168.1.0/25 [110/65] via 192.168.1.233, 00:57:54, Serial0/0/0
C       192.168.1.232/30 is directly connected, Serial0/0/0
O       192.168.1.128/26 [110/65] via 192.168.1.233, 00:57:54, Serial0/0/0
O       192.168.1.224/29 [110/65] via 192.168.1.233, 00:57:54, Serial0/0/0
C       192.168.1.192/27 is directly connected, Loopback0
     209.165.201.0/24 is variably subnetted, 2 subnets, 2 masks
C       209.165.201.0/30 is directly connected, Serial0/0/1
C       209.165.201.1/32 is directly connected, Serial0/0/1
S*   0.0.0.0/0 is directly connected, Serial0/0/1

HQ-1#show ip nat translations
Pro  Inside global          Inside local          Outside local         Outside global
icmp 209.165.201.2:512     192.168.1.1:512       172.17.1.1:512        172.17.1.1:512
tcp  209.165.201.2:1090    192.168.1.2:1090      172.17.1.1:23         172.17.1.1:23
tcp  209.165.201.2:1175    192.168.1.130:1175    172.17.1.1:80         172.17.1.1:80
HQ-1#

R2 Router Config (1841 – Cisco IOS 12.4) Plus sample command outputs

R2#show running-config
Building configuration...

Current configuration : 2062 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R2
!
enable secret 5 $1$wQ9o$JKvDTtgVJY9qSV1KB6mZ7/
enable password cisco
!
no ip domain lookup
!
interface FastEthernet0/0
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet0/0.1
 encapsulation dot1Q 1 native
 ip address 192.168.1.225 255.255.255.248
!
interface FastEthernet0/0.11
 encapsulation dot1Q 11
 ip address 192.168.1.129 255.255.255.192
!
interface FastEthernet0/0.12
 encapsulation dot1Q 12
 ip address 192.168.1.1 255.255.255.128
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Serial0/0/0
 ip address 192.168.1.233 255.255.255.252
 ip access-group 101 out
 no fair-queue
!
interface Serial0/0/1
 no ip address
 shutdown
!
interface Vlan1
 no ip address
!
router ospf 1
 log-adjacency-changes
 network 192.168.1.0 0.0.0.127 area 0
 network 192.168.1.128 0.0.0.63 area 0
 network 192.168.1.224 0.0.0.7 area 0
 network 192.168.1.232 0.0.0.3 area 0
!
ip http server
no ip http secure-server
!
access-list 101 remark allow web access for R2 internal network
access-list 101 permit tcp 192.168.1.0 0.0.0.255 any eq www
access-list 101 remark allow pings for R2 internal network
access-list 101 permit icmp 192.168.1.0 0.0.0.255 any
access-list 101 remark allow telnet for VLAN 11
access-list 101 permit tcp 192.168.1.0 0.0.0.63 any eq telnet
access-list 101 remark allow FTP for VLAN 12
access-list 101 permit tcp 192.168.1.128 0.0.0.127 any eq ftp-data
access-list 101 permit tcp 192.168.1.128 0.0.0.127 any eq ftp
access-list 101 deny   ip any any
!
!
banner motd ^CUnauthorized use prohibited^C
!
line con 0
 password cisco
 login
line aux 0
line vty 0 4
 password cisco
 login
!
end

R2#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is 192.168.1.234 to network 0.0.0.0

     192.168.1.0/24 is variably subnetted, 5 subnets, 5 masks
C       192.168.1.0/25 is directly connected, FastEthernet0/0.12
C       192.168.1.232/30 is directly connected, Serial0/0/0
C       192.168.1.128/26 is directly connected, FastEthernet0/0.11
O       192.168.1.193/32 [110/65] via 192.168.1.234, 03:01:40, Serial0/0/0
C       192.168.1.224/29 is directly connected, FastEthernet0/0.1
     209.165.201.0/30 is subnetted, 1 subnets
O       209.165.201.0 [110/128] via 192.168.1.234, 03:01:40, Serial0/0/0
O*E2 0.0.0.0/0 [110/1] via 192.168.1.234, 03:01:40, Serial0/0/0

R2#sh vlans

Virtual LAN ID:  1 (IEEE 802.1Q Encapsulation)

   vLAN Trunk Interface:   FastEthernet0/0.1

 This is configured as native Vlan for the following interface(s) :
FastEthernet0/0

   Protocols Configured:   Address:              Received:        Transmitted:
           IP              192.168.1.225             2211                2194
        Other                                           0                 384

   3376 packets, 706302 bytes input
   2578 packets, 327975 bytes output

Virtual LAN ID:  11 (IEEE 802.1Q Encapsulation)

   vLAN Trunk Interface:   FastEthernet0/0.11

   Protocols Configured:   Address:              Received:        Transmitted:
           IP              192.168.1.129              512                2338
        Other                                           0                  27

   512 packets, 61184 bytes input
   2365 packets, 217830 bytes output

Virtual LAN ID:  12 (IEEE 802.1Q Encapsulation)

   vLAN Trunk Interface:   FastEthernet0/0.12

   Protocols Configured:   Address:              Received:        Transmitted:
           IP              192.168.1.1              23016                1486
        Other                                           0                  21

   23016 packets, 2216436 bytes input
   1507 packets, 140912 bytes output

ISP-A Router Config (1841 – Cisco IOS 12.4) Plus sample command outputs. Configured by instructor
ISP-A#sh running-config
Building configuration...

Current configuration : 1467 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname ISP-A
!
enable secret 5 $1$9Vz7$DM5oMilgvcjBS5O/ojl2Z.
enable password cisco
!
no ip domain lookup
!
username HQ-1 password 0 cisco
username HQ-2 password 0 cisco
!
interface FastEthernet0/0
 description Gateway for ISP Web Server
 ip address 172.17.1.1 255.255.0.0
 duplex auto
 speed auto
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Serial0/0/0
 description Connection to AnyCompany1 network
 ip address 209.165.201.1 255.255.255.252
 encapsulation ppp
 no fair-queue
 ppp authentication chap
!
interface Serial0/0/1
 description Connection to AnyCompany2 network
 ip address 209.165.201.5 255.255.255.252
 encapsulation ppp
 clock rate 64000
 ppp authentication chap
!
interface Vlan1
 no ip address
!
ip route 209.165.201.0 255.255.255.252 Serial0/0/0
ip route 209.165.201.4 255.255.255.252 Serial0/0/1
!
!
ip http server
no ip http secure-server
!
banner motd ^CUnauthorized use prohibited^C
!
line con 0
 password cisco
 login
line aux 0
line vty 0 4
 password cisco
 login
!
scheduler allocate 20000 1000
end

Note: AnyCompany2 is not connected, so the route to 209.165.201.4/30 is not present in the routing table.

ISP-A#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

C    172.17.0.0/16 is directly connected, Loopback0
     209.165.201.0/24 is variably subnetted, 2 subnets, 2 masks
C       209.165.201.0/30 is directly connected, Serial0/0/0
C       209.165.201.2/32 is directly connected, Serial0/0/0

S1 Switch Config (2960 – Cisco IOS 12.2) Plus sample command outputs

S1#show running-config
Building configuration...

Current configuration : 2780 bytes
!
version 12.2
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname S1
!
enable secret 5 $1$hhGK$.Gm6MkyD1eOmFIEBgkDnl.
enable password cisco
!
no aaa new-model
ip subnet-zero
!
no ip domain-lookup
!
spanning-tree mode pvst
spanning-tree extend system-id
spanning-tree vlan 1 priority 4096
!
vlan internal allocation policy ascending
!
interface FastEthernet0/1
 switchport mode trunk
!
interface FastEthernet0/2
 switchport mode trunk
!
interface FastEthernet0/3
 switchport access vlan 11
 switchport mode access
!
interface FastEthernet0/4
 switchport access vlan 11
 switchport mode access
!
interface FastEthernet0/5
 switchport access vlan 11
 switchport mode access
!
interface FastEthernet0/6
 switchport access vlan 11
 switchport mode access
!
interface FastEthernet0/7
 switchport access vlan 11
 switchport mode access
!
interface FastEthernet0/8
 switchport access vlan 11
 switchport mode access
!
interface FastEthernet0/9
 switchport access vlan 11
 switchport mode access
 switchport port-security
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky 000b.db04.a5cd
 (Note: MAC address is learned dynamically and will vary)
!
interface FastEthernet0/10
 switchport access vlan 11
 switchport mode access
!
interface FastEthernet0/11
 switchport access vlan 11
 switchport mode access
!
interface FastEthernet0/12
 switchport access vlan 12
 switchport mode access
!
interface FastEthernet0/13
 switchport access vlan 12
 switchport mode access
!
interface FastEthernet0/14
 switchport access vlan 12
 switchport mode access
!
interface FastEthernet0/15
 switchport access vlan 12
 switchport mode access
!
interface FastEthernet0/16
 switchport access vlan 12
 switchport mode access
!
interface FastEthernet0/17
 switchport access vlan 12
 switchport mode access
!
interface FastEthernet0/18
 switchport access vlan 12
 switchport mode access
!
interface FastEthernet0/19
 switchport access vlan 12
 switchport mode access
!
interface FastEthernet0/20
 switchport access vlan 12
 switchport mode access
!
interface FastEthernet0/21
 switchport access vlan 12
 switchport mode access
!
interface FastEthernet0/22
 switchport access vlan 12
 switchport mode access
!
interface FastEthernet0/23
 switchport access vlan 12
 switchport mode access
!
interface FastEthernet0/24
 switchport access vlan 12
 switchport mode access
!
interface GigabitEthernet0/1
!
interface GigabitEthernet0/2
!
interface Vlan1
 ip address 192.168.1.226 255.255.255.248
 no ip route-cache
!
ip default-gateway 192.168.1.225
ip http server
!
banner motd ^CCUnauthorized use prohibited^C
!
line con 0
 password cisco
 login
line vty 0 4
 password cisco
 login
line vty 5 15
 password cisco
 login
!
end

S1#show vlan brief

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Gi0/1, Gi0/2
11   Dept1                            active    Fa0/3, Fa0/4, Fa0/5, Fa0/6
                                                Fa0/7, Fa0/8, Fa0/9, Fa0/10
                                                Fa0/11
12   Dept2                            active    Fa0/12, Fa0/13, Fa0/14, Fa0/15
                                                Fa0/16, Fa0/17, Fa0/18, Fa0/19
                                                Fa0/20, Fa0/21, Fa0/22, Fa0/23
                                                Fa0/24
1002 fddi-default                     act/unsup
1003 token-ring-default               act/unsup
1004 fddinet-default                  act/unsup
1005 trnet-default                    act/unsup

S1#show interfaces trunk

Port      Mode         Encapsulation  Status        Native vlan
Fa0/1     on           802.1q         trunking      1
Fa0/2     on           802.1q         trunking      1

Port      Vlans allowed on trunk
Fa0/1     1-4094
Fa0/2     1-4094

Port      Vlans allowed and active in management domain
Fa0/1     1,11-12
Fa0/2     1,11-12

Port      Vlans in spanning tree forwarding state and not pruned
Fa0/1     1,11-12
Fa0/2     1,11-12

S1#show spanning-tree

VLAN0001
  Spanning tree enabled protocol ieee
  Root ID    Priority    4097
             Address     001d.4635.0c80
             This bridge is the root
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    4097   (priority 4096 sys-id-ext 1)
             Address     001d.4635.0c80
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time 300

Interface        Role Sts Cost      Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
Fa0/1            Desg FWD 19        128.1    P2p
Fa0/2            Desg FWD 19        128.2    P2p

VLAN0011
  Spanning tree enabled protocol ieee
  Root ID    Priority    32779
             Address     001d.4635.0c80
             This bridge is the root
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    32779  (priority 32768 sys-id-ext 11)
             Address     001d.4635.0c80
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time 300

Interface        Role Sts Cost      Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
Fa0/1            Desg FWD 19        128.1    P2p
Fa0/2            Desg FWD 19        128.2    P2p
Fa0/9            Desg FWD 19        128.9    P2p

VLAN0012
  Spanning tree enabled protocol ieee
  Root ID    Priority    32780
             Address     001d.4635.0c80
             This bridge is the root
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    32780  (priority 32768 sys-id-ext 12)
             Address     001d.4635.0c80
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time 300

Interface        Role Sts Cost      Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
Fa0/1            Desg FWD 19        128.1    P2p
Fa0/2            Desg FWD 19        128.2    P2p

S1#show vtp status
VTP Version                     : 2
Configuration Revision          : 2
Maximum VLANs supported locally : 255
Number of existing VLANs        : 7
VTP Operating Mode              : Server
VTP Domain Name                 : AnyCompany1
VTP Pruning Mode                : Disabled
VTP V2 Mode                     : Disabled
VTP Traps Generation            : Disabled
MD5 digest                      : 0x86 0x1A 0x63 0x7B 0x6F 0xDC 0xD9 0x8C
Configuration last modified by 0.0.0.0 at 3-1-93 00:07:14
Local updater ID is 192.168.1.226 on interface Vl1 (lowest numbered VLAN interface found)

S1#show port-security
Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
                (Count)       (Count)          (Count)
---------------------------------------------------------------------------
      Fa0/9              1            1                  0         Shutdown
---------------------------------------------------------------------------
Total Addresses in System (excluding one mac per port)     : 0
Max Addresses limit in System (excluding one mac per port) : 8320
S1#

S2 Switch Config (2960 – Cisco IOS 12.2) Plus sample command outputs

S2#show running-config
Building configuration...

Current configuration : 2743 bytes
!
version 12.2
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname S2
!
enable secret 5 $1$2NCL$Q/ICmXfABr8mOF70h7H2A0
enable password cisco
!
no aaa new-model
ip subnet-zero
!
no ip domain-lookup
!
no file verify auto
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
interface FastEthernet0/1
 switchport mode trunk
!
interface FastEthernet0/2
 switchport mode trunk
!
interface FastEthernet0/3
 switchport access vlan 11
 switchport mode access
!
interface FastEthernet0/4
 switchport access vlan 11
 switchport mode access
!
interface FastEthernet0/5
 switchport access vlan 11
 switchport mode access
!
interface FastEthernet0/6
 switchport access vlan 11
 switchport mode access
!
interface FastEthernet0/7
 switchport access vlan 11
 switchport mode access
!
interface FastEthernet0/8
 switchport access vlan 11
 switchport mode access
!
interface FastEthernet0/9
 switchport access vlan 11
 switchport mode access
!
interface FastEthernet0/10
 switchport access vlan 11
 switchport mode access
!
interface FastEthernet0/11
 switchport access vlan 11
 switchport mode access
!
interface FastEthernet0/12
 switchport access vlan 12
 switchport mode access
!
interface FastEthernet0/13
 switchport access vlan 12
 switchport mode access
!
interface FastEthernet0/14
 switchport access vlan 12
 switchport mode access
!
interface FastEthernet0/15
 switchport access vlan 12
 switchport mode access
 switchport port-security
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky 0007.e963.ce53
 (Note: MAC address is learned dynamically and will vary)
!
interface FastEthernet0/16
 switchport access vlan 12
 switchport mode access
!
interface FastEthernet0/17
 switchport access vlan 12
 switchport mode access
!
interface FastEthernet0/18
 switchport access vlan 12
 switchport mode access
!
interface FastEthernet0/19
 switchport access vlan 12
 switchport mode access
!
interface FastEthernet0/20
 switchport access vlan 12
 switchport mode access
!
interface FastEthernet0/21
 switchport access vlan 12
 switchport mode access
!
interface FastEthernet0/22
 switchport access vlan 12
 switchport mode access
!
interface FastEthernet0/23
 switchport access vlan 12
 switchport mode access
!
interface FastEthernet0/24
 switchport access vlan 12
 switchport mode access
!
interface GigabitEthernet0/1
!
interface GigabitEthernet0/2
!
interface Vlan1
 ip address 192.168.1.227 255.255.255.248
 no ip route-cache
!
ip default-gateway 192.168.1.225
ip http server
!
banner motd ^CCUnauthorized use prohibited^C
!
line con 0
 password cisco
 login
line vty 0 4
 password cisco
 login
line vty 5 15
 password cisco
 login
!
end

S2#show vlan brief

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/1, Gi0/1, Gi0/2
11   VLAN0011                         active    Fa0/3, Fa0/4, Fa0/5, Fa0/6
                                                Fa0/7, Fa0/8, Fa0/9, Fa0/10
                                                Fa0/11
12   VLAN0012                         active    Fa0/12, Fa0/13, Fa0/14, Fa0/15
                                                Fa0/16, Fa0/17, Fa0/18, Fa0/19
                                                Fa0/20, Fa0/21, Fa0/22, Fa0/23
                                                Fa0/24
1002 fddi-default                     act/unsup
1003 token-ring-default               act/unsup
1004 fddinet-default                  act/unsup
1005 trnet-default                    act/unsup

S2#show interfaces trunk

Port      Mode         Encapsulation  Status        Native vlan
Fa0/2     on           802.1q         trunking      1

Port      Vlans allowed on trunk
Fa0/2     1-4094

Port      Vlans allowed and active in management domain
Fa0/2     1,11-12

Port      Vlans in spanning tree forwarding state and not pruned
Fa0/2     1,11-12

S2#show spanning-tree

VLAN0001
  Spanning tree enabled protocol ieee
  Root ID    Priority    4097
             Address     001d.4635.0c80
             Cost        19
             Port        2 (FastEthernet0/2)
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    32769  (priority 32768 sys-id-ext 1)
             Address     001d.4662.7b00
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time 300

Interface        Role Sts Cost      Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
Fa0/2            Root FWD 19        128.2    P2p

VLAN0011
  Spanning tree enabled protocol ieee
  Root ID    Priority    32779
             Address     001d.4635.0c80
             Cost        19
             Port        2 (FastEthernet0/2)
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    32779  (priority 32768 sys-id-ext 11)
             Address     001d.4662.7b00
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time 300

Interface        Role Sts Cost      Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
Fa0/2            Root FWD 19        128.2    P2p
Fa0/15           Desg FWD 19        128.15   P2p

VLAN0012
  Spanning tree enabled protocol ieee
  Root ID    Priority    32780
             Address     001d.4635.0c80
             Cost        19
             Port        2 (FastEthernet0/2)
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    32780  (priority 32768 sys-id-ext 12)
             Address     001d.4662.7b00
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time 300

Interface        Role Sts Cost      Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
Fa0/2            Root FWD 19        128.2    P2p

S2#show vtp status
VTP Version                     : 2
Configuration Revision          : 2
Maximum VLANs supported locally : 255
Number of existing VLANs        : 7
VTP Operating Mode              : Client
VTP Domain Name                 : AnyCompany1
VTP Pruning Mode                : Disabled
VTP V2 Mode                     : Disabled
VTP Traps Generation            : Disabled
MD5 digest                      : 0xC3 0xA3 0x05 0x9F 0x27 0x3D 0xC0 0x03
Configuration last modified by 0.0.0.0 at 3-1-93 00:12:24

S2#show port-security
Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
                (Count)       (Count)          (Count)
---------------------------------------------------------------------------
     Fa0/15              1            1                  0         Shutdown
---------------------------------------------------------------------------
Total Addresses in System (excluding one mac per port)     : 0
Max Addresses limit in System (excluding one mac per port) : 8320
S2#
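The Task 8 ACL behaviour (first match wins, wildcard masks, the implicit deny at the end of every list, and the match counters that show access-lists reports) can be reproduced offline. The script below is an added example, not code from the Cisco answer key; it loads the access-list 101 and access-list 2 statements exactly as they appear in the Appendix B running configs, and the packets it evaluates are constructed here (the ISP web server address 172.17.1.1 is taken from the ISP-A config; the readdressed H1 address 192.168.1.131 is an assumption).

```python
"""Added example, not from the Cisco answer key: an evaluator for the Cisco
standard/extended ACL semantics exercised in Task 8 (first match wins, wildcard
masks, implicit deny, per-entry match counters), loaded with the ACL statements
from the Appendix B configs. The packets it checks are constructed here."""
import ipaddress
from typing import Optional

PORTS = {"www": 80, "telnet": 23, "ftp": 21, "ftp-data": 20}
PROTOS = {"ip", "tcp", "udp", "icmp"}


def _is_ip(token: str) -> bool:
    try:
        ipaddress.ip_address(token)
        return True
    except ValueError:
        return False


def _match_addr(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard mask: 0 bits must match the base, 1 bits are don't-care."""
    a, b, w = (int(ipaddress.ip_address(x)) for x in (addr, base, wildcard))
    return (a & ~w) == (b & ~w)


class Ace:
    """One access-control entry; hits is what 'show access-lists' prints as (n matches)."""
    def __init__(self, action, proto, src, src_wc, dst, dst_wc, dport):
        self.action, self.proto = action, proto
        self.src, self.src_wc, self.dst, self.dst_wc = src, src_wc, dst, dst_wc
        self.dport, self.hits = dport, 0


def _take_addr(tok, i):
    """Consume one address spec at tok[i]: 'any', 'host A', 'A WILDCARD' or bare 'A'."""
    if tok[i] == "any":
        return "0.0.0.0", "255.255.255.255", i + 1
    if tok[i] == "host":
        return tok[i + 1], "0.0.0.0", i + 2
    if i + 1 < len(tok) and _is_ip(tok[i + 1]):
        return tok[i], tok[i + 1], i + 2
    return tok[i], "0.0.0.0", i + 1          # bare address in a standard ACL = host


def parse_ace(line: str) -> Ace:
    """Parse the part of an ACL statement after the list number."""
    tok = line.split()
    action, i, proto = tok[0], 1, "ip"
    if tok[i] in PROTOS:                      # extended ACL: protocol, source, destination
        proto = tok[i]
        src, swc, i = _take_addr(tok, i + 1)
        dst, dwc, i = _take_addr(tok, i)
    else:                                     # standard ACL: source only
        src, swc, i = _take_addr(tok, i)
        dst, dwc = "0.0.0.0", "255.255.255.255"
    dport = None
    if i + 1 < len(tok) and tok[i] == "eq":
        dport = PORTS.get(tok[i + 1]) or int(tok[i + 1])
    return Ace(action, proto, src, swc, dst, dwc, dport)


class Acl:
    def __init__(self, name, lines):
        self.name = name
        self.aces = [parse_ace(l) for l in lines]

    def check(self, src, dst="0.0.0.0", proto="ip", dport=None):
        """First matching entry decides; returns (action, sequence number), with
        None as the sequence for the implicit deny that ends every Cisco ACL."""
        for seq, ace in enumerate(self.aces, start=1):
            if ace.proto != "ip" and ace.proto != proto:
                continue
            if not (_match_addr(src, ace.src, ace.src_wc)
                    and _match_addr(dst, ace.dst, ace.dst_wc)):
                continue
            if ace.dport is not None and ace.dport != dport:
                continue
            ace.hits += 1
            return ace.action, seq * 10
        return "deny", None

    def counters(self):
        """(sequence, action, matches) per entry, as 'show access-lists' lists them."""
        return [(seq * 10, ace.action, ace.hits) for seq, ace in enumerate(self.aces, 1)]


# Statements copied from the Appendix B running configs.
R2_ACL_101 = Acl("101", [
    "permit tcp 192.168.1.0 0.0.0.255 any eq www",
    "permit icmp 192.168.1.0 0.0.0.255 any",
    "permit tcp 192.168.1.0 0.0.0.63 any eq telnet",
    "permit tcp 192.168.1.128 0.0.0.127 any eq ftp-data",
    "permit tcp 192.168.1.128 0.0.0.127 any eq ftp",
    "deny ip any any",
])
HQ_ACL_2 = Acl("2", ["permit host 192.168.1.130", "deny any"])

ISP_WEB = "172.17.1.1"        # ISP web server gateway address from the ISP-A config


def vty_access(src: str) -> str:
    """'access-class 2 in' on HQ-1's vty lines: only the source address is tested."""
    return HQ_ACL_2.check(src)[0]


def r2_outbound(src: str, proto: str, dport: Optional[int] = None):
    """'ip access-group 101 out' on R2 S0/0/0, traffic toward the ISP web server."""
    return R2_ACL_101.check(src, ISP_WEB, proto, dport)


def task8_walkthrough():
    """Constructed traffic that exercises each Task 8 check; returns the verdicts.
    192.168.1.131 stands in for H1 after it is readdressed within VLAN 11."""
    return {
        "H1 telnet to HQ vty": vty_access("192.168.1.130"),
        "readdressed H1 telnet to HQ vty": vty_access("192.168.1.131"),
        "VLAN 12 host telnet to ISP": r2_outbound("192.168.1.2", "tcp", 23),
        "H1 telnet to ISP": r2_outbound("192.168.1.130", "tcp", 23),
        "H1 web to ISP": r2_outbound("192.168.1.130", "tcp", 80),
        "H1 ftp to ISP": r2_outbound("192.168.1.130", "tcp", 21),
        "VLAN 12 host ftp to ISP": r2_outbound("192.168.1.2", "tcp", 21),
        "H1 ping to ISP": r2_outbound("192.168.1.130", "icmp"),
    }


if __name__ == "__main__":
    for label, verdict in task8_walkthrough().items():
        print(f"{label:<32} {verdict}")
    print("HQ-1 ACL 2 counters:", HQ_ACL_2.counters())
    print("R2 ACL 101 counters:", R2_ACL_101.counters())
```

The counters reproduce the shape of the show access-lists output the students hand in: the vty list shows one hit on the permit and one on the deny after the two telnet attempts, and on R2 the explicit deny ip any any is what makes the rejected telnet and FTP attempts visible at all, which is why Step 1 asks for it.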