CCNA Lab - Unlock IEWB RS Vol 1 - Lab 9 - 1

interface FastEthernet0/15 switchport trunk encapsulation dot1q switchport mode trunk Task 1.1 Breakdown In order to ease in management of ports that have similar configuration, the s

Trang 1

1 Bridging and Switching

switchport trunk encapsulation dot1q

switchport mode trunk

!

interface FastEthernet0/14

!

Task 1.1 Breakdown

In order to ease in management of ports that have similar configuration, the switches support interface-range macros These macros are user defined

identifiers that represent a range of ports To define an interface-range macro,

use the global configuration command define interface-range [name]

[range] After the macro is defined, these ports can be referenced by issuing

the interface range macro [name] command

Task 1.1 Verification

Verify macro definition:

Rack1SW1#show running-config | include define

define interface-range DOT-ONE-Q FastEthernet0/13 – 15

Verify trunking configuration:

Rack1SW1#show interfaces trunk

Port Mode Encapsulation Status Native vlan

Trang 2

!

interface range FastEthernet0/16 - 18

) Quick Note

Any etherchannel groupnumber and mode would

be acceptable switchport mode trunk

channel-group 13 mode on

Rack1SW3#show etherchannel summary | begin Group

Group Port-channel Protocol Ports

Trang 3

Port Vlans allowed and active in management domain

switchport mode dynamic desirable

!

switchport mode dynamic desirable

Rack1SW3#show interfaces trunk | exclude Po13

Fa0/19 auto 802.1q trunking 1

Fa0/20 auto 802.1q trunking 1

Port Vlans allowed on trunk

Trang 4

Fa0/19 desirable 802.1q trunking 1

Fa0/20 desirable 802.1q trunking 1

Port Vlans allowed on trunk

Trang 5

to know about it These include the following:

Trang 6

for VLAN 7 only needs to go as far as the port where SW4 is connected SW4’s interface Fa0/21 is connected to SW3, so VLAN 7 needs to be configured on

SW1, SW2, and SW3, but not SW4

VLAN 3 has a connection to SW1 from SW3, but the connection on SW3 is configured as a layer 3 port The port used on SW3 is Fa0/13, which is

connected to SW1 Therefore, VLAN 3 only needs to be configured on SW1 If SW3 was configured with the interface as an SVI instead, then layer 2

connectivity for the VLAN would need to be from SW1 to SW3, including SW2

Rack1R1#ping 148.1.18.8

Type escape sequence to abort

Sending 5, 100-byte ICMP Echos to 148.1.18.8, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms

Rack1R2#ping 192.10.1.3

!!!!!

Rack1R2#ping 192.10.1.254

Sending 5, 100-byte ICMP Echos to 192.10.1.254, timeout is 2 seconds:.!!!!

Rack1R3#ping 192.10.1.254

Sending 5, 100-byte ICMP Echos to 192.10.1.254, timeout is 2 seconds:.!!!!

Trang 7

Rack1R3#ping 148.1.3.9

!!!!!

Rack1R5#ping 148.1.57.7

!!!!!

Rack1R6#ping 148.1.68.8

!!!!!

Rack1SW1#ping 148.1.7.10

!!!!!

Rack1SW1#ping 204.12.1.254

!!!!!

Strategy Tip

Perform a basic connectivity test between the directly connected

FastEthernet interfaces before moving forward This should be one of the goals that you plan to complete within the early stages of the lab

Trang 8

Spanning-tree root guard is typically used when a provider is leasing an

FastEthernet line out to a customer In the case that a switch in the customer’s network is elected root, all traffic from the provider and its other customers must follow sub-optimal forwarding Root guard can be used to prevent this case by disabling the port connected to the customer if a superior BPDU is received The

term superior BPDU implies that the cost to the root out that port is better than

the current root port To enable root guard, use the interface level command

spanning-tree guard root

Spanning-Tree Protocol Root Guard Enhancement

Rack1SW2#show spanning-tree interface fa0/24 detail

Port 26 (FastEthernet0/24) of VLAN0232 is forwarding

Port path cost 100, Port priority 128, Port Identifier 128.26

Designated root has priority 33000, address 0015.63c8.8800

Designated bridge has priority 33000, address 0016.9d31.8380

Designated port id is 128.26, designated path cost 9

Timers: message age 0, forward delay 0, hold 0

Number of transitions to forwarding state: 1

Link type is shared by default

Root guard is enabled on the port

BPDU: sent 2346, received 0

Task 1.6

SW2:

spanning-tree vlan 68 root primary diameter 3 hello-time 1

Trang 9

This bridge is the root

Hello Time 1 sec Max Age 7 sec Forward Delay 5 sec

Task 1.7

SW1:

system mtu 1504

interface range FastEthernet0/17, Fa0/20

switchport access vlan 100

switchport mode dot1q-tunnel

l2protocol-tunnel cdp

no cdp enable

spanning-tree bpdufilter enable

!

interface range FastEthernet0/18, Fa0/21

switchport access vlan 101

switchport mode dot1q-tunnel

Trang 10

Rack1SW3#show etherchannel summary | begin Group

Group Port-channel Protocol Ports

-+ -+ -+ -

1 Po1(RU) - Fa0/14(P) Fa0/15(P)

13 Po13(SU) - Fa0/16(P) Fa0/17(P) Fa0/18(P) Rack1SW3#ping 148.1.1.10

Trang 11

Rack1R1#show frame-relay map

Serial0/0 (up): ip 148.1.0.2 dlci 102(0x66,0x1860), static,

broadcast,

CISCO, status defined, active

broadcast,

Serial0/0 (up): ip 148.1.0.1 dlci 201(0xC9,0x3090), static,

broadcast,

Serial0/0 (up): ip 148.1.0.3 dlci 203(0xCB,0x30B0), static,

broadcast,

Serial0/0 (up): ip 148.1.0.4 dlci 201(0xC9,0x3090), static,

Serial1/0.302 (up): point-to-point dlci, dlci 302(0x12E,0x48E0),

broadcast

status defined, active

Serial0/0.401 (up): point-to-point dlci, dlci 401(0x191,0x6410),

broadcast

Rack1R1#ping 148.1.0.2

!!!!!

Rack1R1#ping 148.1.0.3

!!!!!

Rack1R1#ping 148.1.0.4

Trang 12

Serial1/0.302 (up): point-to-point dlci, dlci 302(0x12E,0x48E0),

broadcast

Serial1/1 (up): ip 148.1.35.5 dlci 315(0x13B,0x4CB0), dynamic,

broadcast,, status defined, active

Serial0/0 (up): ip 148.1.35.3 dlci 513(0x201,0x8010), dynamic,

broadcast,, status defined, active

Rack1R5#ping 148.1.35.3

!!!!!

Task 1.10

R4:

Trang 13

Rack1R4#show backup

Primary Interface Secondary Interface Status

- - -

Serial0/0.401 Serial0/1 normal operation

Test the backup configuration:

Rack1R4(config)#interface s0/0.401

Rack1R4(config-subif)#do debug backup

Backup events debugging is on

Rack1R4(config-subif)#no frame-relay interface-dlci 401

BACKUP(Serial0/0.401): event = primary interface went down

BACKUP(Serial0/0.401): changed state to "waiting to backup"

BACKUP(Serial0/0.401): event = timer expired on primary

BACKUP(Serial0/0.401): secondary interface (Serial0/1) made activeBACKUP(Serial0/0.401): changed state to "backup mode"

%LINK-3-UPDOWN: Interface Serial0/1, changed state to up

BACKUP(Serial0/1): event = secondary interface came up

%LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/1, changedstate to up

BACKUP(Serial0/1): event = secondary interface came up

Rack1R4(config-subif)#do show backup

- - -

Serial0/0.401 Serial0/1 backup mode

Rack1R4(config-subif)# frame-relay interface-dlci 401

BACKUP(Serial0/0.401): event = primary interface came up

BACKUP(Serial0/0.401): changed state to "waiting to revert"

Rack1R4(config-fr-dlci)#exit

Rack1R4(config-subif)#do show backup

Trang 14

Verify the OSPF neighbors:

Rack1SW2#show ip ospf neighbor

Neighbor ID Pri State Dead Time Address

Interface

150.1.6.6 0 FULL/DROTHER 00:00:39 148.1.68.6 Vlan68150.1.1.1 0 FULL/DROTHER 00:00:34 148.1.18.1 Vlan18

Verify the loopback network advertisement:

Rack1R1#show ip route ospf | include 150

150.1.0.0/16 is variably subnetted, 3 subnets, 2 masks

O 150.1.8.8/32 [110/2] via 148.1.18.8, 00:02:46, FastEthernet0/0

Rack1R6#show ip route ospf | include 150

Trang 15

Cisco’s OSPF implementation does not support type 6 LSA (multicast OSPF)

By default, every time one of these LSAs is received, a syslog message is

generated To disable this behavior, issue the OSPF routing process

subcommand ignore lsa mospf

Trang 16

As previously covered, there are two ways to enable OSPF authentication, on a per area basis and on a per interface basis As the above task states, that the

ip ospf authentication message-digest command cannot be used,

area authentication must be used However, this task also states that the

adjacency between R6 and SW2 must not be authenticated Since R1, R6, and SW2 are all in the same area, this presents a problem This task illustrates that there are actually three types of OSPF authentication, MD5, clear text, and

NULL By setting the OSPF authentication type to NULL on VLAN 68, SW2 has effectively disabled OSPF authentication on that interface

Next, this task states that R1 and SW2 should use a pre-encrypted key with the number 7 This task is designed to illustrate the difference between key number and encryption type The key number of an MD5 key is used as a seed or salt value in the MD5 hash algorithm This seed is a number used to randomize the output of the hash algorithm, and decrease the effectiveness of a brute force attack on the MD5 algorithm Key numbers must match on all devices

authenticating on the segment

The encryption type determines whether or not the password is stored in a

clear-text or encrypted form in the router’s configuration file By issuing the service

password-encryption global configuration command, all clear text passwords

in the routers configuration are encrypted with type 7 encryption Type 7

encryption uses a Cisco proprietary insecure reversible encryption algorithm, based on a Vigenere cipher This encryption is simply used to shield a password from an over the shoulder user seeing the password in show commands or

backups or configuration files

Passwords and Privileges Commands

Cisco IOS Password Encryption Facts

Trang 17

Rack1SW2#show ip ospf interface vl18 | begin Message

Message digest authentication enabled

Youngest key id is 7

Rack1SW2#show running-config interface vl68 | begin Message

Rack1SW2#

Verify password encryption:

Rack1R1#show running-config interface fa0/0

Trang 18

Verify the EIGRP neighbors (note that R4 will not appear until the

backup link is active):

Rack1R5#show ip eigrp neighbors

IP-EIGRP neighbors for process 100

H Address Interface Hold Uptime SRTT RTO Q Seq (sec) (ms) Cnt Num

1 148.1.57.7 Fa0/0 14 00:02:39 1 200 0 2

0 148.1.35.3 Se0/0 122 00:02:46 39 234 0 8

Verify the EIGRP routes:

Rack1R3#show ip route eigrp

D 150.1.7.0 [90/414720] via 148.1.3.9, 00:00:22, FastEthernet0/0

Trang 19

To adjust neighbor hello and dead intervals in EIGRP, use the interface level

commands ip hello-interval eigrp [AS] [hello_interval] and ip

hold-time eigrp [AS] [hold_time] By default, the EIGRP hello interval

is 60 seconds for low speed NBMA interfaces and 5 seconds for all other media The hold-time defaults to three times these values.

Verify the EIGRP interface characteristics:

Rack1R5#show ip eigrp interfaces detail s0/0

IP-EIGRP interfaces for process 100

Xmit Queue Mean Pacing Time Multicast PendingInterface Peers Un/Reliable SRTT Un/Reliable Flow Timer RoutesSe0/0 1 0/0 39 0/15 159 0 Hello interval is 4 sec

Next xmit serial <none>

Un/reliable mcasts: 0/0 Un/reliable ucasts: 4/7

Mcast exceptions: 0 CR packets: 0 ACKs suppressed: 1

Retransmissions sent: 1 Out-of-sequence rcvd: 0

Authentication mode is not set

Rack1R3#show ip eigrp interfaces detail s1/1

Xmit Queue Mean Pacing Time Multicast PendingInterface Peers Un/Reliable SRTT Un/Reliable Flow Timer RoutesSe1/1 1 0/0 663 5/190 3454 0 Hello interval is 4 sec

Next xmit serial <none>

Authentication mode is not set

Trang 20

accept-lifetime 00:00:00 Jan 1 1993 00:15:00 Jan 1 2010

send-lifetime 00:00:00 Jan 1 1993 23:45:00 Dec 31 2009

key 2

key-string CISCO2010

accept-lifetime 23:15:00 Dec 31 2009 infinite

send-lifetime 23:45:00 Dec 31 2009 infinite

R5:

ip authentication mode eigrp 100 md5

ip authentication key-chain eigrp 100 EIGRP

SW1:

ip authentication mode eigrp 100 md5

ip authentication key-chain eigrp 100 EIGRP

Key chain authentication allows for key lifetime and rotation based on time This option allows for smooth transition between authentication keys throughout the entire network at the same time The two options that dictate a key’s timing are

the accept-lifetime and the send-lifetime As their names imply, the accept

lifetime is the time period for which the specified key will be accepted from a neighbor as valid for authentication The send-lifetime specifies during which

time interval the key will be valid for transmission to a neighbor The infinite

option dictates that the specified key is valid from the start time on

To ensure smooth key transition is a real network, NTP should be used in any practical time based key chain authentication implementations

Trang 21

Verify EIGRP authentication:

Rack1SW1#show ip eigrp interfaces detail fa0/5

Xmit Queue Mean Pacing Time Multicast PendingInterface Peers Un/Reliable SRTT Un/Reliable Flow Timer RoutesFa0/5 1 0/0 4 0/10 50 0 Next xmit serial <none>

Authentication mode is md5, key-chain is "EIGRP"

Rack1SW1#show key chain EIGRP

Key-chain EIGRP:

key 1 text "CISCO2005"

accept lifetime (00:00:00 UTC Jan 1 1993) - (00:15:00 UTC Jan 12006) [valid now]

send lifetime (00:00:00 UTC Jan 1 1993) - (23:45:00 UTC Dec 312005) [valid now]

key 2 text "CISCO2006"

accept lifetime (23:15:00 UTC Dec 31 2005) - (infinite)

send lifetime (23:45:00 UTC Dec 31 2005) - (infinite)

Rack1SW1#show ip eigrp neighbors

IP-EIGRP neighbors for process 100

H Address Interface Hold Uptime SRTT RTO Q Seq Type (sec) (ms) Cnt Num

version commands The interface level commands always override the

process level version command

Trang 22

; RIP Version Verification

Router#show ip protocols

Routing Protocol is "rip"

Sending updates every 30 seconds, next due in 23 seconds

Invalid after 180 seconds, hold down 180, flushed after 240

Outgoing update filter list for all interfaces is not set

Incoming update filter list for all interfaces is not set

Redistributing: rip

Default version control: send version 1, receive any version

Interface Send Recv Triggered RIP Key-chain

FastEthernet0/0 1 1 2 Serial0/0 1 1 2 Loopback0 1 1 2 Automatic network summarization is in effect

Maximum path: 4

Routing for Networks:

10.0.0.0

Routing Information Sources:

Gateway Distance Last Update

Trang 24

Verify the RIP routes:

Rack1R3#show ip route rip

148.1.0.0/24 is subnetted, 9 subnets

R 148.1.18.0 [120/2] via 192.10.1.2, 00:00:17, FastEthernet0/1 [120/2] via 148.1.0.1, 00:00:17, Serial1/0.302

Rack1R2#show ip route rip

R 148.1.18.0 [120/1] via 148.1.0.1, 00:00:11, Serial0/0

R 148.1.4.0 [120/2] via 148.1.0.4, 00:00:11, Serial0/0

R 148.1.3.0 [120/1] via 192.10.1.3, 00:00:06, FastEthernet0/0 [120/1] via 148.1.0.3, 00:00:15, Serial0/0

R 148.1.35.0 [120/1] via 148.1.0.3, 00:00:15, Serial0/0

[120/1] via 192.10.1.3, 00:00:06, FastEthernet0/0 150.1.0.0/24 is subnetted, 3 subnets

!!!!!

Trang 25

to add the explicit permit sequence so that all other traffic is forwarded

unmodified Alternatively, an access list could also be applied inbound on the port connecting to BB2

Configuring Network Security with ACLs

Before filter has been applied:

Rack1R2(config)#access-list 100 permit udp any any eq 520

Rack1R2#debug interface fastEthernet 0/0

Condition 1 set

Rack1R2#debug ip packet detail 100

IP packet debugging is on (detailed) for access list 100

IP: s=192.10.1.254 (FastEthernet0/0), d=224.0.0.9, len 132, rcvd 2 UDP src=520, dst=520

IP: s=192.10.1.2 (local), d=224.0.0.9 (FastEthernet0/0), len 172,

sending broad/multicast

UDP src=520, dst=520

IP: s=192.10.1.254 (FastEthernet0/0), d=224.0.0.9, len 132, rcvd 2

After filter has been applied:

Rack1R2#debug ip packet detail 100

IP packet debugging is on (detailed) for access list 100

IP: s=192.10.1.2 (local), d=224.0.0.9 (FastEthernet0/0), len 132,

sending broad/multicast

UDP src=520, dst=520

IP: s=192.10.1.3 (FastEthernet0/0), d=224.0.0.9, len 112, rcvd 2

Trang 26

Note: Make sure to verify this section after completing redistribution The

networks for the loopbacks of R2, R3 and R4, for example, are only known via RIP initially, since those devices are not running EIGRP

Rack1SW3#show ip route rip

R 204.12.1.0/24 [80/2] via 148.1.1.10, 00:00:22, Port-channel1

R 192.10.1.0/24 [80/1] via 148.1.3.3, 00:00:10, FastEthernet0/13 148.1.0.0/24 is subnetted, 13 subnets

Trang 27

R 30.2.0.0 [80/3] via 148.1.1.10, 00:00:23, Port-channel1

Rack1SW3#show ip route eigrp

R 31.3.0.0 [80/2] via 148.1.7.7, 00:00:25, FastEthernet0/21

R 31.0.0.0 [80/2] via 148.1.7.7, 00:00:25, FastEthernet0/21 30.0.0.0/16 is subnetted, 4 subnets

Rack1SW4#show ip route eigrp

D 150.1.7.0/24 [90/156160] via 148.1.7.7, 00:01:10,

FastEthernet0/21

Định dạng
Số trang	54
Dung lượng	767,87 KB