Hedgehog Technical Institute

CCNA® Training

2012-12-31T01:59:00.034-06:00

Providing Online Technical Training.

Time to configure your third and final switch. The third switch is important for understanding two critical subjects that will be on the exam: Spanning Tree Protocol (STP) and Virtual Trunking Protocol (VTP). Yep, that's a lot of protocols. But they will be on the exam, probably in difficult questions (at least, they were difficult when I took the exam).

You should be able to do this from memory. As the Headgehog says in Lab 16, "If you can't do it from memory, then you can't do it at all." Seriously, however, by now, you should know how to configure a switch with a basic configuration. If you can't, it's time for a lot of review if you hope to pass the test.

For single switch labs, check (believe it or not!) Single Switch Labs!

For multi-switch labs, check in the Multiple Switch Labs (shocking but true!).

New to Hedgehog Tech?

See the Contents on the right. If you do not have a lab, see the Contents on the right. Start with Building Your CCNA Lab.

If you have a lab, start with the Single Switch exercises. And keep checking back. More to follow.

Lab 16 - New Switch Configuration

2009-09-05T16:51:00.010-05:00

Time to configure a new switch. This will be the last switch configured for your labs.

hostname labsw3
interface VLAN 1 - IP address 192.168.1.77 255.255.255.0

All other parts of the configuration should be the same as labsw1:
All passwords: enable secret, console, vty
Password encryption
motd banner
DNS server

VLANs
200 - interfaces Fa0/7, Fa0/8
201 - interfaces Fa0/5, Fa0/6
202 - interfaces Fa0/3, Fa0/4
203 - interfaces Fa0/1, Fa0/2

Configure interfaces Fa0/23 and Fa0/24 (or the last 2 interfaces on your switch) as trunk ports.

You have already configured interface Fa0/24 on labsw1 and labsw2 as trunk ports. You should also reconfigure interface Fa0/23 on both switches as trunk ports. When this is complete, each switch in your lab will have two trunk ports: Fa0/23 and Fa0/24 (or the last two interfaces on your switches).

You may have noticed that we keep moving the interface VLAN assignments around. The reason is simple: in an enterprise network, interface VLAN assignments are either
the entire switch is one VLAN, such as a smaller remote office
Or
the interface VLAN assignments are somewhat random, and you have to use displays such as show vlan to determine which VLAN the interface is in.

While no lab can reproduce an actual enterprise network environment, we keep trying. The important thing is that you assign interfaces to the VLANs used in these labs, and that you test the configuration to insure that you have done it correctly.

If this site was a discussion of actual network practices instead of labs to learn Cisco configuration, we would spend a lot of time talking about the low quality of most network documentation and test processes. It’s a jungle out there. Many problems can be avoided by testing a configuration before putting it in production. The time required spent in resolving other problems could be significantly reduced by good documentation. But as you will hear from many networks across the galaxy, “We have standards and they are very, very low.”

Oh, well. Test your configuration.

When you have finished the configuration, save to the startup config and the TFTP server. Test all configurations as was done in Labs 1-9.

Again, consider this a test, or a pre-test. You should be able to do most of these things from memory. If you can't, you should be concerned about your knowledge of switch configurations. Review the previous labs closely and repeat them as often as necessary to remember them.

In the words of the Headgehog, "Repetition is the mother of education." And "If you can't do it from memory, then you can't do it at all." (He says a lot things like that. Boring at times, but of course, he's right.)

This stuff will be on the test. When and if you get a job in an enterprise network, you will need to know it.

Lab 15 - Ethernet Address Management in a Multi-switch Network – End Device Address Management

2009-09-04T11:04:00.028-05:00

Goal:
● Understand how switches manage Ethernet addresses of attached devices.

Requirements:
● Labsw1 and labsw2 configured and connected from previous labs
● 2 PCs connected to the network with Ethernet cables
● Console cable on PC1

Lab 14 covered internal switch addressing, which, just like we keep threatening, will become very important in a couple of labs. However, how switches manage addresses from external devices is also an important concept to master. Yes, it is a potential test question, as well as very important in managing an enterprise network. (Notice how often those two are related?)

The basis of Ethernet address management was covered in Lab 5:
● Switches learn Ethernet addresses by capturing the source address of each new frame that enters the switch
● Switches record the addresses and the interfaces the frames used to enter the switch in a MAC Address Table.
● Switches use MAC Address Table to make the decision to forward or filter packets.

The above is pretty much the definition of layer 2 switching.

How does that work in a network with multiple switches? Consider 2 configurations:

Configuration 1

Both PC1 and PC2 are connected to labsw1 on interfaces Fa0/1 and Fa0/5, both in VLAN 200. In this exercise, we will ping PC2, 192.168.1.3, from PC1, 192.168.1.2. Before connecting PC1 and PC2 to the network, record their MAC addresses.

PC1: 0009.7CDC.DD12
PC2: 0040.0B5B.E116

Verify that the only addresses in the MAC Address Table of labsw1 and labsw2 are the internal MAC addresses of the respective switches by using the “show mac-address-table dynamic” command. Remember, these addresses should be associated with interface Fa0/24, the trunk port. If there are other addresses in the MAC Address Tables, clear the MAC Address Table using the “clear mac-address-table dynamic” command.

Connect both computers to labsw1 as shown in the schematic above.
PC1 on interface Fa0/1
PC2 to interface Fa0/5

(Note: any two interfaces can be used if both are in the same VLAN. If you don’t remember the interface VLAN assignments, display them with “show vlan” command.) When the interfaces have synchronized (LEDs are green):
1. PC1> ping 192.168.1.3
Request timed out. (You may not receive this response, though.)
Reply from 192.168.1.3: bytes=32 time=63ms TTL=128
Reply from 192.168.1.3: bytes=32 time=63ms TTL=128
Reply from 192.168.1.3: bytes=32 time=62ms TTL=128

Display the MAC Address Table of labsw1

2. labsw1# show mac-address-table dynamic


          Mac Address Table
-------------------------------------------
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
   1    0001.c9c8.a118    DYNAMIC     Fa0/24
 200    0001.c9c8.a118    DYNAMIC     Fa0/24
 200    0009.7cdc.dd12    DYNAMIC     Fa0/1
 200    0040.0b5b.e116    DYNAMIC     Fa0/5
 201    0001.c9c8.a118    DYNAMIC     Fa0/24
 202    0001.c9c8.a118    DYNAMIC     Fa0/24
 203    0001.c9c8.a118    DYNAMIC     Fa0/24

Both MAC addresses are in the MAC Address Table.
PC1, 0009.7cdc.dd12, on interface Fa0/1
PC2, 0040.0b5b.e116, on interface Fa0/5.

You should understand this from Lab 5. However, now look at the MAC Address Table on labsw2.

3. labsw2# show mac-address-table dynamic


          Mac Address Table
-------------------------------------------
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
   1    0001.63d7.d918    DYNAMIC     Fa0/24
 200    0001.63d7.d918    DYNAMIC     Fa0/24
 200    0009.7cdc.dd12    DYNAMIC     Fa0/24
 201    0001.63d7.d918    DYNAMIC     Fa0/24
 202    0001.63d7.d918    DYNAMIC     Fa0/24
 203    0001.63d7.d918    DYNAMIC     Fa0/24

labsw2 now has the MAC address of PC1, 0009.7cdc.dd12, in its MAC Address Table. How did that happen? PC1 is not connected to labsw2.

Review the responses from PC1 when the ping was started.

Request timed out. (You may not receive this response, though.)
Reply from 192.168.1.3: bytes=32 time=63ms TTL=128
Reply from 192.168.1.3: bytes=32 time=63ms TTL=128
Reply from 192.168.1.3: bytes=32 time=62ms TTL=128

On the first ping attempt, PC1 did not know the MAC address of PC2, IP address 192.68.1.3. To learn the MAC address, PC1 issued an ARP request, a broadcast, for the MAC address associated with an IP address (Review Lab 5).

How does a switch process a broadcast frame? First, it records the MAC address of the issuing computer in the MAC Address Table, 0009.7cdc.dd12, the MAC address of PC1, interface Fa0/1. The next step is to forward the broadcast on all active interfaces except for the interface used to enter the switch: interface Fa0/1.

Review the diagram above. Which other interfaces are active? Interface Fa0/5 is active, since it supports PC2. But interface Fa0/24 is also active, since it is the trunk port between the switches. labsw1 forwards the ARP broadcast on both Fa0/5 and Fa0/24. PC2 responds to the ARP request, and labsw1 updates the MAC Address table with PC2’s MAC address and switch interface.

labsw2 received the broadcast frame on the trunk port, Fa0/24. labsw2 processes the frame according to the rules of switching: it updates its MAC address table with the PC1 MAC address, 0009.7cdc.dd12, learned on interface Fa0/24. labsw2 cannot forward the frame because it has a single active interface: Fa0/24. It will not forward a frame on the same interface that it received the frame on. After updating the MAC Address Table, labsw2 discards, or filters, the frame. If labsw2 had computers connected to other interfaces, however, it would have forwarded the broadcast to those interfaces.

(Even if the first ping request from PC1 did not time out, PC1 still issued an ARP request. Your lab was able to process the ARP request before the first ping attempt failed. Sometimes it works out that way. You still need to know this for the exam.)

Review the MAC Address tables of both labsw1 and labsw2 again.

Labsw1


          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----

   1    0001.c9c8.a118    DYNAMIC     Fa0/24
 200    0001.c9c8.a118    DYNAMIC     Fa0/24
 200    0009.7cdc.dd12    DYNAMIC     Fa0/1
 200    0040.0b5b.e116    DYNAMIC     Fa0/5
 201    0001.c9c8.a118    DYNAMIC     Fa0/24
 202    0001.c9c8.a118    DYNAMIC     Fa0/24
 203    0001.c9c8.a118    DYNAMIC     Fa0/24

Labsw2


          Mac Address Table
-------------------------------------------
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
   1    0001.63d7.d918    DYNAMIC     Fa0/24
 200    0001.63d7.d918    DYNAMIC     Fa0/24
 200    0009.7cdc.dd12    DYNAMIC     Fa0/24
 201    0001.63d7.d918    DYNAMIC     Fa0/24
 202    0001.63d7.d918    DYNAMIC     Fa0/24
 203    0001.63d7.d918    DYNAMIC     Fa0/24

Why doesn’t labsw2 know about PC2, MAC Address 0040.0b5b.e116?

The reason is that PC2 did not issue a broadcast. Review the process from the perspective of PC2:

PC2 received the ARP request from PC1.

PC2 recognized that the ARP request was intended for itself, since it has IP address 192.168.1.3.

PC2 responded to the ARP request, using PC1’s MAC address as the destination for the reply: 0009.7cdc.dd12. PC2 used its own MAC address as the source address: 0040.0b5b.e116.

When PC2 responds to the ARP request, labsw1 updates the MAC Address Table with PC2’s MAC address and interface: 0040.0b5b.e116, interface Fa0/5.

labsw1 then checks the MAC Address Table for MAC address 0009.7cdc.dd12, the destination address in the response frame. It finds the MAC address on interface Fa0/1.

labsw1 forwards the frame to interface Fa0/1.

PC1 continues to issue pings, PC2 continues to respond to pings, and labsw1 continues to forward the frames based on the MAC Address Table.

The response from PC2 is a unicast frame to PC1, not a broadcast. Since labsw1 knows which interface supports PC1, the frame is not forwarded on Fa0/24. labsw2 knows about PC1, but it does not yet know about PC2.

Configuration 2

PC1 is connected to labsw1 on interface Fa0/1, VLAN 200.
PC2 is connected to labsw2 on interface Fa0/2, also in VLAN 200.

Repeat the process used to test Configuration 1 above. Clear the MAC Address Table in both labsw1 and labsw2.

1. PC1> ping 192.168.1.3
Request timed out. (You may not receive this response, though.)
Reply from 192.168.1.3: bytes=32 time=63ms TTL=128
Reply from 192.168.1.3: bytes=32 time=63ms TTL=128
Reply from 192.168.1.3: bytes=32 time=62ms TTL=128

Display the MAC Address Table on both labsw1 and labsw2.

2. labsw1# show mac-address-table dynamic


          Mac Address Table
-------------------------------------------
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
   1    0001.c9c8.a118    DYNAMIC     Fa0/24
 200    0001.c9c8.a118    DYNAMIC     Fa0/24
 200    0009.7cdc.dd12    DYNAMIC     Fa0/1
 200    0040.0b5b.e116    DYNAMIC     Fa0/24
 201    0001.c9c8.a118    DYNAMIC     Fa0/24
 202    0001.c9c8.a118    DYNAMIC     Fa0/24
 203    0001.c9c8.a118    DYNAMIC     Fa0/24

labsw1 has the MAC address of both PC1 and PC2 recorded in the MAC Address Table. PC1 is on Fa0/1, as expected. PC2, however, is associated with interface Fa0/24, the trunk port.

3. labsw2# show mac-address-table dynamic


          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----

   1    0001.63d7.d918    DYNAMIC     Fa0/24
 200    0001.63d7.d918    DYNAMIC     Fa0/24
 200    0009.7cdc.dd12    DYNAMIC     Fa0/24
 200    0040.0b5b.e116    DYNAMIC     Fa0/2
 201    0001.63d7.d918    DYNAMIC     Fa0/24
 202    0001.63d7.d918    DYNAMIC     Fa0/24
 203    0001.63d7.d918    DYNAMIC     Fa0/24

labsw2 also has the MAC addresses of both PC1 and PC2 recorded in its MAC Address Table. The MAC address of PC2 is recorded on interface Fa0/2, and the MAC address of PC1 is recorded on interface Fa0/24. By now, you should be able to figure out the process.

PC1, on Fa0/1, issued an ARP request for PC2’s MAC Address.

labsw1 recorded PC1’s MAC address in its MAC Address Table: 0009.7cdc.dd12, interface Fa0/1.

labsw1 forwarded the frame on all active interfaces except interface Fa0/1. The only other interface that is active on labsw1 is Fa0/24, the trunk port.

labsw2 received the ARP request on the trunk port, Fa0/24. labsw2 recorded the source MAC address of the frame and the interface that it received the frame on: 0009.7cdc.dd12, from Fa0/24.

labsw2 forwarded the broadcast frame on all active interfaces except Fa0/24. Only interface Fa0/2 is active, which supports PC2.

PC2 responds to the ARP request, using PC1’s MAC address as the destination and its own address, 0040.0b5b.e116, as the source address.

labsw2 recorded the MAC address for PC2 in its MAC Address Table on interface Fa0/2.

labsw2 checked its MAC Address Table for the destination MAC address, PC1, in the frame. labsw2 recorded the MAC address for PC1 when it received the ARP request on the trunk port. The MAC Address Table showed the PC1 MAC address on interface Fa0/24. labsw2 forwarded the frame on the trunk port.

labsw1 received the response on the trunk port, Fa0/24. It recorded the MAC address for PC2 in its MAC Address Table: 0040.0b5b.e116, Fa0/24.

labsw1 received the PC2 response on trunk port Fa0/24. labsw1 checked the destination address, found it in the MAC Address Table: 0009.7cdc.dd12, Fa0/1.

labsw1 forwarded the frame to Fa0/1.

PC1, labsw1, and labsw2 all know the MAC Address of PC2. PC1 continues the ping process using the MAC address for PC2. labsw1 and labsw2 continue to forward the frame, using the trunk connection to deliver the frame to the neighboring switch. PC2 continues to respond to the ping requests.

The process occurs about a bazillion times a day in an enterprise network. Each switch knows the MAC addresses of the computers connected to each of its access ports. It knows about the rest of addresses from the traffic on its trunk ports.

This also shows why the process is known as "transparent switching." You have seen that there are MAC addresses associated with the switches in Lab 14. However, these addresses are "transparent" to the end devices. The computers connected to the switches do not need the switch MAC address, and never learn them.

Review this lab as many times as necessary to understand it. It will be on the test in some format. It will be a part of your job.

Lab 14 – Ethernet Address Management in a Multi-switch Network – Internal Switch Addresses

2009-09-02T17:16:00.020-05:00

Goal:

● Understand internal MAC addresses on Cisco switches

Requirements:

● labsw1 and labsw2 configured in previous labs
● PC with console cable

This lab should be conducted using on the console port on each switch. Attach no devices to the FastEthernet interfaces.

In Lab 5 – Ethernet Address Management, we covered how a single switch builds and uses MAC Address Tables. The switch reads the source MAC address of every frame that enters the switch, and creates an entry in the MAC Address Table that identifies the address and the port that it used to enter the switch. Review Lab 5 if necessary.

We also covered how a switch handles broadcasts and unknown MAC addresses: the frame is forwarded on all active ports. This part of Lab 5 was not very exciting, considering that we only had two PCs.

Switches in a multi-switch network manage Ethernet addresses the same way, but the process now involves more Ethernet addresses. Labs 11 and 12 showed that trunk ports allow a computer on labsw1 to communicate with a device on labsw2, as long as the devices are in the same VLAN. This lab expands on that process to show what actually happens in a multi-switch environment. We will use two lab configurations for this lab.

When switches are connected by a trunk port, each switch learns MAC addresses associated with the “other” or neighboring switches. These MAC address will be displayed when the “show mac-address-table” command is used. These addresses are critical for switch function in a multi-switch environment, and future labs will covers the use of the addresses in detail. This lab provides an explanation of the internal MAC addresses.

Display the MAC address table on labsw1 and labsw2. (There may be a difference between Cisco switches, as well as the Packet Tracer display. By now, you should be able to understand the differences between the labs and your configuration.)

1. labsw1#sho mac-address-table dynamic


          Mac Address Table
-------------------------------------------
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
   1    0001.c9c8.a118    DYNAMIC     Fa0/24

2. labsw2# show mac-address-table dynamic


          Mac Address Table
-------------------------------------------
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
   1    0009.43cb.3018    DYNAMIC     Fa0/24
 200    0009.43cb.3018    DYNAMIC     Fa0/24
 201    0009.43cb.3018    DYNAMIC     Fa0/24
 202    0009.43cb.3018    DYNAMIC     Fa0/24
 203    0009.43cb.3018    DYNAMIC     Fa0/24

These MAC addresses were learned without connecting a computer to either switch. Where did these Ethernet addresses come from? We know that the switches are connected on interface Fa0/24 for both routers, and the MAC addresses (0009.43cb.3018, 0001.c9c8.a118) were learned on those ports. These MAC addresses can be verified by using the “show interface” command for each interface:

3. labsw1# show interface fa0/24
FastEthernet0/24 is up, line protocol is up (connected)
Hardware is Fast Ethernet, address is 0009.43cb.3018 (bia 0009.43cb.3018)
.
(Lines omitted)

4. labsw2#show interface fa0/24
FastEthernet0/24 is up, line protocol is up (connected)
Hardware is Fast Ethernet, address is 000a.8ae6.5198 (bia 000a.8ae6.5198)
.
(Lines omitted)

labsw1 knows MAC address 000a.8ae6.5198 because it receives information from labsw2 on interface Fa0/24.

labsw2 knows about MAC address 0009.43cb.3018 because it receives information from labsw1 on interface Fa0/24.

What data does each switch receive from the other on the respective interfaces Fa0/24? (Review Lab 12.) We know at this point that cdp updates are passed between the switches, and future labs will identify STP (Spanning Tree Protocol) data passed on the trunk connections, critical data for real networks as well for the exam.

Two critical points about switch internal MAC addresses:

Switch internal MAC addresses have no impact on attached devices. Ethernet switches use transparent switching, meaning that internal switch MAC addresses are not used in Ethernet frames created by end devices. End devices learn the MAC addresses of other end devices, not the switch.

Switch internal MAC addresses are critical to switch function.

That means that your PC can ignore internal switch MAC address, but you, hedgeling, cannot.

Each switch has a MAC address associated with the overall switch. It is identified as the CPU address, and is displayed by the “show mac-address-table” command (without the “dynamic” qualifier. Not available on Packet Tracer), as well as by the “show version” command. It is also the MAC address of interface VLAN 1.

In this example, labsw1 has an internal, or CPU, MAC address of 0009.43cb.3000. (Remember, MAC addresses are displayed in various formats. Pay attention to the address, not the format.)

5. labsw1# show version
Cisco Internetwork Operating System Software
(Lines omitted)
32K bytes of flash-simulated non-volatile configuration memory.
Base ethernet MAC Address: 00:09:43:CB:30:00
Motherboard assembly number: 73-5781-09
Power supply part number: 34-0965-01
.
(Lines omitted)

6. labsw1#show mac-address-table


          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
 All    0009.43cb.3000    STATIC      CPU
 All    0100.0ccc.cccc    STATIC      CPU
 All    0100.0ccc.cccd    STATIC      CPU
 All    0100.0cdd.dddd    STATIC      CPU
   1    000a.8ae6.5198    DYNAMIC     Fa0/24

7. labsw2# show version
Cisco Internetwork Operating System Software
(Lines omitted)
32K bytes of flash-simulated non-volatile configuration memory.
Base ethernet MAC Address: 00:0A:8A:E6:51:80
Motherboard assembly number: 73-5781-09
Power supply part number: 34-0965-01
.
(Lines omitted)

8. labsw2#show mac-address-table


          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
 All    000a.8ae6.5180    STATIC      CPU
 All    0100.0ccc.cccc    STATIC      CPU
 All    0100.0ccc.cccd    STATIC      CPU
 All    0100.0cdd.dddd    STATIC      CPU
   1    0009.43cb.3018    DYNAMIC     Fa0/24
 200    0009.43cb.3018    DYNAMIC     Fa0/24
 201    0009.43cb.3018    DYNAMIC     Fa0/24
 202    0009.43cb.3018    DYNAMIC     Fa0/24
 203    0009.43cb.3018    DYNAMIC     Fa0/24

(Note: Understanding the above is critical. Learn it)

In addition to the CPU address, each interface on the switch has a unique MAC address that is based on the CPU address. To view the interface MAC address on each switch, use the “show interface” command. The command will display information on all interfaces. Page through the display to review the interface MAC addresses (it’s a long display, so we won’t reproduce it here. However, you should review the output and make sure you understand the display.

labsw1 (The interface MAC addresses increment by a binary 1, but are expressed in hexadecimal.)
CPU MAC address: 00:09:43:CB:30:00
Interface VLAN 1: 0009.43cb.3000
Interface Fa0/1: 0009.43cb.3001
Interface Fa0/2: 0009.43cb.3002
Interface Fa0/3: 0009.43cb.3003
.
Interface Fa0/10: 0009.43cb.300a
Interface Fa0/11: 0009.43cb.300b
.
.
Interface Fa0/24: 0009.43cb.3018

labsw2
CPU MAC Address: 00:0A:8A:E6:51:80
Interface VLAN 1: 000a.8ae6.5180
Interface Fa0/1: 000a.8ae6.5181
Interface Fa0/2: 000a.8ae6.5182
Interface Fa0/3: 000a.8ae6.5183
.
(Interfaces omitted)
Interface Fa0/24: 000a.8ae6.5198

Understanding internal switch MAC addresses is critical. Learn it, live it, love it. It will become critical in future labs, on the exam, and in any network that has Cisco switches.

Lab 13 – Cisco Discovery Protocol (CDP)

2009-08-26T17:05:00.030-05:00

Goal:
Demonstrate Cisco Discovery Protocol
Configure Cisco Discovery Protocol

Requirements:

● Switches labsw1, labsw1
● 1 PC with COM port, Ethernet port optional
● Cisco rollover cable
● 1 Ethernet cables - optioinal
● 1 Ethernet crossover cable

In this lab, labsw2, interface Fa0/21, will be used as the trunk port connected to labsw1, interface Fa0/24. The reason for the change is to reduce confusion in displays for this lab. Note the change in the diagram above.

Cisco Discovery Protocol (CDP) is a proprietary protocol developed by Cisco to assist with troubleshooting, and it is a great troubleshooting tool. A Cisco switch or router communicates specific information with any other Cisco device that it is connected to. CDP is a Layer 2 protocol, which means it does not require IP to function. In fact, two routers that are configured incorrectly, and therefore will never pass user data without being re-configured, can communicate certain types of system or device information with an attached Cisco device. Network techs regularly use cdp to identify problems with configuration.

Cisco Discovery Protocol runs automatically on all Cisco devices, which means it is part of the default, “out-of-the-box” configuration. cdp must be turned off if it is not wanted. The default configuration can be viewed by using the “show cdp” command.
1. labsw1#show cdp
Switch#show cdp
Global CDP information:
Sending CDP packets every 60 seconds
Sending a holdtime value of 180 seconds
Sending CDPv2 advertisements is enabled

The first parameter is self-explanatory: cdp packets are sent on active interfaces every 60 seconds. The holdtime value needs explanation. Cisco uses hold timers for a number of functions, and their purpose is usually the same. A holdtime value is the amount of time that can elapse without an update before the connection is declared down.

In the case of the default CDP configuration, each device sends a cdp packet every 60 seconds. Sort of. There are reasons that a cdp packet will not be sent. One of them would be that “real” data, user data, has priority over cdp data, and it will delay the cdp packet when “real” data needs to be sent. However, it is more likely that a missed cdp packet will be the result of an error in the network. Which is where the holdtime value comes in. In this case, if a cdp packet is not received in 180 seconds, or three times the cdp value, the cdp cache will be flushed for that interface.

The real value of cdp is found in the following commands:
show cdp neighbor
show cdp neighbor detail
show cdp neighbor fa0/x (or active interface) (not available on Packet Tracer)
show cdp neighbor fa0/x detail (or active interface) (not available on Packet Tracer)

These commands will display information about an attached, or neighboring, Cisco device.

1. labsw1# show cdp neighbor
Capability Codes: R-Router, T-Trans Bridge, B-Sce Rte Brdge
S-Switch, H-Host, I-IGMP, r-Repeater, P-Phone

Device ID Local Intrfce Holdtme Capability Platform Port ID
labsw2 Fas 0/24 124 S I WS-C2950-2Fas 0/21

“Capability Code” shows the device types available for display.

“Device ID” is the hostname of the remote device. In this case, labsw2 is the remote device to labsw1.

“Local interface” is the interface on the local device that is receiving cdp packets. In this case, it is Fa0/24, on labsw1.

“Holdtme” is the amount of time before the cdp connection is declared down. In this example, 124 seconds remain before the connection is declared down, which means that 56 seconds have elapsed since the last cdp packet was recieved. This value is reset to 180 seconds each time a cdp packet is received. Examples are provided below.

“Capability” is the device type, based on the codes shown in Capability Codes: “S” indicates that it is a switch, “I” indicates IGMP.

“Platform” indicates the model of the device. labsw2 is a 2950 switch: WS-C2950.

“Port ID” is the port on the remote device that supports the connection. Interface Fa0/21 is the interface on labsw2 that connects to labsw1.

As indicated in the Holdtime value (124), the value is reset whenever a cdp packet is received. The examples below are taken from labsw1 and show the value change as cdp packets are received:
labsw1#sho cdp neighbor
labsw1# show cdp neighbor
Capability Codes: R-Router, T-Trans Bridge, B-Sce Rte Brdge
S-Switch, H-Host, I-IGMP, r-Repeater, P-Phone

Device ID Local Intrfce Holdtme Capability Platform Port ID
labsw2 Fas 0/24 133 S I WS-C2950-2Fas 0/21

labsw1#sho cdp neighbor
labsw1# show cdp neighbor
Capability Codes: R-Router, T-Trans Bridge, B-Sce Rte Brdge
S-Switch, H-Host, I-IGMP, r-Repeater, P-Phone

Device ID Local Intrfce Holdtme Capability Platform Port ID
labsw2 Fas 0/24 126 S I WS-C2950-2Fas 0/21

labsw1#sho cdp neighbor
labsw1# show cdp neighbor
Capability Codes: R-Router, T-Trans Bridge, B-Sce Rte Brdge
S-Switch, H-Host, I-IGMP, r-Repeater, P-Phone

Device ID Local Intrfce Holdtme Capability Platform Port ID
labsw2 Fas 0/24 122 S I WS-C2950-2Fas 0/21

labsw1#sho cdp neighbor
labsw1# show cdp neighbor
Capability Codes: R-Router, T-Trans Bridge, B-Sce Rte Brdge
S-Switch, H-Host, I-IGMP, r-Repeater, P-Phone

Device ID Local Intrfce Holdtme Capability Platform Port ID
labsw2 Fas 0/24 177 S I WS-C2950-2Fas 0/21

In the display above, labsw2 is connected to labsw1. The Holdtime value counts down (133 seconds, 126 seconds, 122 seconds) before a cdp packet is reset. When the packet is received, the timer resets to 180, and begins the count down again (177).

Significantly more information about the remote device is available with the “show cdp neighbor detail” display:

2. labsw1#sho cdp neighbor detail
-------------------------
Device ID: labsw2
Entry address(es):
IP address: 192.168.0.76
Platform: cisco WS-C2950-24, Capabilities: Switch IGMP
Interface: FastEthernet0/24, Port ID (outgoing port): FastEthernet0/21
Holdtime : 127 sec

Version :
Cisco Internetwork Operating System Software
IOS (tm) C2950 Software (C2950-I6K2L2Q4-M), Version 12.1(22)EA6, RELEASE SOFTWARE (fc1)
Copyright (c) 1986-2005 by cisco Systems, Inc.
Compiled Fri 21-Oct-05 02:22 by yenanh

advertisement version: 2
Protocol Hello: OUI=0x00000C, Protocol ID=0x0112; payload len=27, value=00000000FFFFFFFF010221FF000000000000000A8AE65180FF0000
VTP Management Domain: 'tlbeh'
Native VLAN: 1
Duplex: full
Management address(es):
IP address: 192.168.0.76

Much of the information shown above is easily understood. labsw2 was configured with an IP address of 192.168.1.76 for VLAN 1. The device name, device type, connected ports (Fa0/24, Fa0/21) were seen in the previous display. Other information, such as the IOS version, has been seen in previous labs. Some information, such as Native VLAN and VTP Management Domain, has not yet been covered in these labs, but is important for managing a network. However, it should obvious that the Detail command contains more detail.

In an enterprise network, it is common for a switch or router to have dozens of devices connected to it. The commands above will show the information for all of those devices. In an imaginary network where labsw1 is connected to a dozen devices, the display would be something like
labsw1#sho cdp neighbor
labsw1# show cdp neighbor
Capability Codes: R-Router, T-Trans Bridge, B-Sce Rte Brdge
S-Switch, H-Host, I-IGMP, r-Repeater, P-Phone

Device ID Local Intrfce Holdtme Capability Platform Port ID
labsw2 Fas 0/24 124 S I WS-C2950-2Fas 0/21
labsw3 Fas 0/23 124 S I WS-C2950-2Fas 0/24
labsw4 Fas 0/22 124 S I WS-C2950-2Fas 0/23
labsw5 Fas 0/21 124 S I WS-C2950-2Fas 0/24
labsw6 Fas 0/20 124 S I WS-C2950-2Fas 0/23
labsw7 Fas 0/19 124 S I WS-C2950-2Fas 0/21
labsw8 Fas 0/18 124 S I WS-C2950-2Fas 0/24
labsw9 Fas 0/17 124 S I WS-C2950-2Fas 0/23
labsw10 Fas 0/16 124 S I WS-C2950-2Fas 0/21
etc.

These displays can get very long and take a while to search for the needed information. If the “show cdp neighbor detail” command was used, the full detail display for all devices would be displayed. That can be a lot of data to sift through.

To display the information on a single interface such as Fa0/24, use “show cdp neighbor fa0/24”

labsw1#sho cdp neighbor fa0/24
Capability Codes: R-Router, T-Trans Bridge, B-Sce Rte Brdge
S-Switch, H-Host, I-IGMP, r-Repeater, P-Phone

Device ID Local Intrfce Holdtme Capability Platform Port ID
labsw2 Fas 0/24 124 S I WS-C2950-2Fas 0/21

The display will be limited to the specified interface: Fa0/24.

This is even more valuable when using the detail command in a large network. The display will be only for the specified interface and not the entire switch:

labsw1#sho cdp neighbor fa0/24 detail
-------------------------
Device ID: labsw2
Entry address(es):
IP address: 192.168.0.76
Platform: cisco WS-C2950-24, Capabilities: Switch IGMP
Interface: FastEthernet0/24, Port ID (outgoing port): FastEthernet0/21
Holdtime : 121 sec

Version :
Cisco Internetwork Operating System Software
IOS (tm) C2950 Software (C2950-I6K2L2Q4-M), Version 12.1(22)EA6, RELEASE SOFTWARE (fc1)
Copyright (c) 1986-2005 by cisco Systems, Inc.
Compiled Fri 21-Oct-05 02:22 by yenanh

advertisement version: 2
Protocol Hello: OUI=0x00000C, Protocol ID=0x0112; payload len=27, value=00000000FFFFFFFF010221FF000000000000000A8AE65180FF0000
VTP Management Domain: 'tlbeh'
Native VLAN: 1
Duplex: full
Management address(es):
IP address: 192.168.0.76

It is possible to change the cdp timing parameters. To change the cdp timer:

labsw1(config)#cdp timer x (number of seconds between cdp packets)

The default holdtime is 3 times the cdp packet timer. If 30 seconds was configured for the cdp timer, the hold time would be 90 seconds. However, this can also be changed:
labsw1(config)#cdp holdtime x (number of seconds for the hold time)

If the timers are changed, they should be changed on both connecting devices. The only reason for changing cdp timers is to reduce network traffic.

cdp timers are rarely changed. It is more common to disable cdp. There are two reasons for disabling cdp:
1. If the device is not connected to another Cisco device: a standalone switch, for example. Disabling cdp prevents the cdp transmission on the active interfaces. Similarly, cdp may be disabled on interfaces that do not connect to Cisco devices. This will insure that cdp is available on the interfaces that support other Cisco devices.
2. If you are connecting to a customer network, you may not want the customer to be able to gather information about your network from cdp advertisements.

To disable cdp:

labsw1(config)#no cdp run

This configuration disables all cdp for the Cisco device.

It is more common to disable cdp on the interface that connects to the customer network, and keep cdp enabled on the connections to your network. To disable cdp on an interface, enter interface configuration mode for the interface and disable cdp on the interface:

labsw1(config)#int fa0/24
labsw1(config-if)#no cdp enable

cpd is a valuable tool for network management, and it is a likely test question.

Lab 12 - Configuring Trunk Ports

2009-08-23T15:09:00.015-05:00

Goal:
Create static trunk ports

Requirements:

● Switches labsw1, labsw1
● 2 PCs with COM port, Ethernet ports
● Cisco rollover cable
● 2 Ethernet cables
● 1 Ethernet crossover cable

The following lab will create permanent trunk connections, using labsw1, interface Fa0/24, and labsw2, interface Fa0/24. Creating a trunk configuration requires two interface-specific commands:

switchport mode trunk
switchport trunk allowed vlan [all]

The first command: switchport mode trunk, changes the port to a trunking-only port. It disables DTP. If the port can only trunk, then it cannot dynamically “decide” to be a trunk port or an access port.

The second command: (switchport trunk allowed vlan all, specifies which VLANs can use the trunk, or more accurately, what VLAN data will be “allowed” on the trunk connection. The command in this example allows the trunk to carry all VLAN traffic, and will be used in most labs. (However, the trunk can be configured to carry traffic only for specified VLANs.)

labsw1

1. labsw1(config)#int fa0/24
2. labsw1(config-if)#switchport mode trunk
3. labsw1(config-if)#switchport trunk allowed vlan all
4. labsw1 (config-if)# Crtl-Z

labsw2

5. labsw2(config)#int fa0/24
6. labsw2(config-if)#switch mode trunk
7. labsw2(config-if)#switchport trunk allowed vlan all
8. labsw2 (config-if)#Crtl-Z

Notice the changes in Administrative Mode in Steps 9 and 10 below. For both switches, the trunking interfaces are now “trunk”, not “dynamic desirable.” Dynamic Trunking Protocol (DTP) has been disabled. The ports will now only function as trunk ports.

labsw1

9. labsw1#show interface fa0/24 switchport

Name: Fa0/24
Switchport: Enabled
Administrative Mode: trunk
Operational Mode: trunk
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: dot1q
Negotiation of Trunking: On
(lines omitted)

labsw2

10. labsw2#show interface fa0/24 switchport

Name: Fa0/24
Switchport: Enabled
Administrative Mode: trunk
Operational Mode: trunk
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: dot1q
Negotiation of Trunking: On
(lines omitted)

Notice that the switchport mode has changed from “desirable” to “on.”

labsw1

11. labsw1#show interfaces trunk

Port Mode Encapsulation Status Native vlan
Fa0/24 On 802.1q trunking 1

Port Vlans allowed on trunk
Fa0/24 1-4094

Port Vlans allowed and active in management domain
Fa0/24 1,200-203

Port Vlans in spanning tree forwarding state and not pruned
Fa0/24 1,200-203

labsw2

11. labsw2#show interfaces trunk

Port Mode Encapsulation Status Native vlan
Fa0/24 On 802.1q trunking 1

Port Vlans allowed on trunk
Fa0/24 1-4094

Port Vlans allowed and active in management domain
Fa0/24 1,200-203

Port Vlans in spanning tree forwarding state and not pruned
Fa0/24 1,200-203

Best practices dictate that all trunk ports should be configured as trunk ports, and not rely on DTP to create them. Controlling connectivity is an important part of network management, and interface configuration is the best way to accomplish that. A later, critical lab on VTP (VLAN Trunking Protocol) will not work if the trunk links are created dynamically.

In fact, all configuration choices should be hard coded whenever possible. Switches are able to negotiate multiple configuration choices such as speed and duplex. However, all dynamically negotiated parameters take time to be accomplished, and occasionally, the results do not function as planned.

It is also important to understand that for many configurations, a dynamic trunk port and a configured trunk port function the same way. The trunk connection will deliver data the same regardless of how the trunk is created. This can be verified by repeating the ping tests from Lab 11.

Extra Credit (but not necessary. If you understand the “all” parameter, you can figure out how to change the all to a specific VLAN)

As noted above, the trunk configuration allows the trunk to carry VLAN traffic for all VLANs. If the decision is made to allow the trunk to carry traffic only some VLANs, the command would be

switchport trunk allowed vlan [VLAN number]

If more than one VLAN is needed, the command is

switchport trunk allowed vlan add [new VLAN number]

Specifying individual VLANs on trunk links in this manner has some risk. If a new VLAN is created, consideration must be given to whether a particular trunk must have the VLAN added. This step is often forgotten, and can create problems until the configuration is changed to support the new VLAN. Unless there is a reason to limit the VLANs that can use a specific trunk link, it is advisable to allow all VLANs to use trunk links.

The example below will configure labsw2, interface Fa0/22, to carry VLAN traffic only for VLANs 200 and 202:

1a. labsw2(config)#interface fa0/22
2a. labsw2(config-if)#switchport mode trunk
3a. labsw2(config-if)#switchport trunk allowed vlan 200
4a. labsw2(config-if)#switchport trunk allowed add vlan 202


 Repeat the above command for each VLAN to be included

5a. labsw2(config-if)#Crtl-Z
If interface Fa0/22 was connected to another switch to created a trunk port, only VLANs 200 and 202 could use the new trunk.

6a. labsw2#show run interface fa0/22

Building configuration...
Current configuration : 96 bytes
!
interface FastEthernet0/22
switchport trunk allowed vlan 200,202
switchport mode trunk
end

7a. labsw2#show interfaces trunk

Port Mode Encapsulation Status Native vlan
Fa0/22 On 802.1q trunking 1

Port Vlans allowed on trunk
Fa0/22 200, 202

Port Vlans allowed and active in management domain
Fa0/22 200, 202

Port Vlans in spanning tree forwarding state and not pruned
Fa0/22 1,200-203
8a. labsw2#show interface fa0/22 switchport

Name: Fa0/22
Switchport: Enabled
Administrative Mode: trunk
Operational Mode: trunk
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: dot1q
.
(lines omitted)
.
Trunking VLANs Enabled: 200,202
(lines omitted)

This lab is the critical lab for trunking. You should memorize the two commands, whether you are preparing for the exam or working in an enterprise network.

Lab 11 - Dynamic Trunking Protocol (DTP)

2009-08-23T13:12:00.040-05:00

Goals:

● Understand Dynamic Trunking Protocol
● Create trunk connections dynamically
● Test the trunk connections

Requirements:
2 Cisco switches, with configurations from Labs 1 - 10
2 PCs with COM port, Ethernet ports
Cisco rollover cable
2 Ethernet cables
1 Ethernet Crossover cable

Notes for 2900XL switch and Packet Tracer users.

1. 2900XL switches (2912/2924) do not support Dynamic Trunking Protocol (DTP). Static trunk configuration is required to create trunk ports. However, if you are studying for the CCNA exam, you may have DTP questions that relate to 2950/2960 switches. You should study this lab even if you cannot perform it. The concept, though important, is not difficult to understand. Interestingly, Cisco advises that switch are more secure if DTP is disabled from all switch interfaces.

Furthermore, 2900XL switches support two trunking protocols: ISL and 802.1q. The 2950 and later models only support 802.1q. ISL, a proprietary Cisco protocol, is the default trunking protocol for 2900XL switches, but it can be changed. To configure a trunk interface for 802.1q, use the encapsulation command:

labsw[x](config)# interface fa0/[y]
labsw[x](config)# switchport trunk encapsulation dot1q

If you are feeling cheated, don’t. In a far distant lab on Ethernet sub-interfaces, you will have to configure the encapsulation on the router interface, and it’s the same command.

2. Packet Tracer switches do not perform like real switches. The developers of Packet Tracer apparently used a different “default” configuration to force students to configure trunking interfaces. The difference can be seen in the show interface fa0/x switchport command.

An actual 2950 switch has a default interface configuration of “dynamic desirable,” meaning that it will first try to create a trunk connection when a device is connected to it.
A 2950 Packet Tracer switch has a default interface configuration of “dynamic auto,” meaning that it will not attempt to create a trunk connection, but will create one if another switch initiates the process.

This is a common issue for network simulators. Writing a network simulator is a balance between features and cost. To include every IOS feature in a simulator can be very expensive, and the developers usually focus on the most important features. As we said about using Cisco hardware in Building Your CCNA® Lab, “Since it is real Cisco hardware, it performs exactly like … real Cisco hardware.” However, Packet Tracer will provide the hands-on experience required to pass the exam.

The major difference can be managed by configuration. To configure a Packet Tracer switch to act like a real switch, make the following configuration change to interfaces Fa0/23 and Fa0/24 (Note: it is our intention to always use the last interfaces as trunk ports. If you have a 12 port switch, use ports 11 and 12 as trunk ports.):

Labsw[x](config)interface fa0/23 (or 24)
Labsw[x](config)switchport mode dynamic desirable

(If you made the configuration changes above, save the running-config to the startup-config.)

That being said, it is strongly advised that any switch in a production environment never be configured to allow dynamic trunk creation. DTP should be disabled on every port, either by making the port an access port, or by configuring a port as a trunk port (only when needed). Dynamic trunking is considered insecure. However, it is important to understand DTP, so we are going to ignore that advice for these labs.

Another less important difference between an actual 2950 switch and a Packet Tracer is the lack of support for all show running-config commands. You should know by now that show running-config will display the entire switch configuration. Cisco IOS can limit the text in a show command by using various qualifiers. One very convenient command is show running-config interface fa0/x. This reduces the time spent scrolling through the configuration to find the desired configuration. We will begin to use the command exclusively when we are discussing the configuration of a specific interface. Packet Tracer users will need to use show running-config and scroll to the appropriate interface.

If you are just beginning to study switches, the paragraphs above may be confusing. However, it is important for those who use 2900XL switches and/or Packet Tracer to understand why their switches do not behave as described in this lab, and more importantly, understand how real hardware performs.

So after a long discussion about the differences between switches and simulators, on to the actual lab.

Dynamic Trunking Protocol

Cisco has designed switches and IOS to function in a simple network with no additional configuration. This is true for both access ports and trunk ports. Cisco IOS supports a feature called “Dynamic Trunking Protocol” (DTP) that allows switches to pass data between the switches without configuring the interfaces.

Cisco switches support two different uses for Ethernet interfaces: access and trunk. The previous labs configured and tested access ports, or ports that support connections to devices that are not Cisco switches. Access ports carry data for devices in a single VLAN. A VLAN is a broadcast domain consisting of ports configured for that VLAN.

Trunk ports on Cisco switches are used to carry data for multiple VLANs between switches. Consider labsw1 and labsw2, which were configured in previous labs. Trunking allows a port in VLAN 200 on labsw1, for example, to communicate with a port in VLAN 200 on labsw2.

Dynamic Trunking Protocol (DTP) creates trunk connections automatically, or “dynamically”, when two switches are connected to each other. DTP is the default, or “out-of-the-box” configuration for every interface on a 2950/2960 switch.

To display the switchport mode on each switch, use the following command: show interface switchport. (Interfaces Fa0/23 and Fa0/24 should have the default configuration and should not be connected.)

1. labsw1[or 2]#show interface FastEthernet 0/24 switchport

Name: Fa0/24
Switchport: Enabled
Administrative Mode: dynamic desirable
Operational Mode: down
Administrative Trunking Encapsulation: dot1q
Negotiation of Trunking: On
.
(lines omitted)

Even though the interface has not been configured, the interface Administrative Mode is “dynamic desirable”, meaning that

The interface considers trunking to be the preferred mode, or “desirable”, though it will also be an access port if connected to a device that is not a switch.

The interface will dynamically negotiate with another switch to create a trunk connection.

The operational mode is down, because the interface is down, down.

Compare with the Administrative Mode of interface Fa0/1, configured as an access port and assigned to VLAN 200.
2. labsw1[or 2]#show interface fa0/1 switchport

Name: Fa0/1
Switchport: Enabled
Administrative Mode: static access
Operational Mode: down
Administrative Trunking Encapsulation: dot1q
Negotiation of Trunking: Off
Access Mode VLAN: 200 (Acct)
(lines omitted)

Configuring interface Fa0/1 as an access port disabled Dynamic Trunking Protocol. The Administrative Mode is no longer “dynamic desirable.” Instead, Administrative Mode is now “static access” and Negotiation of Trunking is “Off.” Connecting interface Fa0/1 to another switch will not create a trunk port. (Unfortunately, Packet Tracer switches do not change the display of these parameters when the switch is configured. However, it is just the display. Interfaces on Packet Tracer switches will perform as they should when configured as access ports.)

For the following exercise, connect labsw1, Fa0/24, and labsw2, Fa0/24 with an Ethernet crossover cable. (Note: Connections between Cisco switches once exclusively required an Ethernet crossover cable. Newer model switches, such as the 2960 switch, have auto-mdix, and can auto-detect the cable type. For the exam, all connections between switches should be made with crossover cable.) After the connecting the switches, observe the following:

The interface status of the port on each switch: up, up
3. labsw1# show interface Fa0/24

FastEthernet0/24 is up, line protocol is up (connected)
Hardware is Fast Ethernet, address is 0009.43cb.3018 (bia 0009.43cb.3018)
.
(lines omitted)

4. labsw2# show interface Fa0/24

FastEthernet0/24 is up, line protocol is up (connected)
Hardware is Fast Ethernet, address is 000a.8ae6.5198 (bia 000a.8ae6.5198)
.
(lines omitted)

Because the Administrative Mode of each port was “dynamic desirable”, both interfaces became trunk ports when connected. Note that the trunking mode is “desirable,” meaning that it was created by DTP, not by configuring the interface as trunk ports. (Note: Another area where Packet Tracer will differ. Mode will show “on”.) In addition, notice the VLANs supported by the trunk connection. VLANs 1 - 4094 are allowed (yes, 4094 VLANs. If you actually have 4094 VLANs in your network, then, wow.) However, only VLANs 1, 200-203 are active. These are the only VLANs that have been created in this network.

5. labsw1# show interfaces trunk

Port Mode Encapsulation Status Native vlan
Fa0/24 desirable 802.1q trunking 1

Port Vlans allowed on trunk
Fa0/24 1-4094

Port Vlans allowed and active in management domain
Fa0/24 1,200-203

Port Vlans in spanning tree forwarding state and not pruned
Fa0/24 1,200-203

6. labsw2# show interfaces trunk

Port Mode Encapsulation Status Native vlan
Fa0/24 desirable 802.1q trunking 1

Port Vlans allowed on trunk
Fa0/24 1-4094

Port Vlans allowed and active in management domain
Fa0/24 1,200-203

Port Vlans in spanning tree forwarding state and not pruned
Fa0/24 1,200-203

Display the switchport mode of each interface.

7. labsw1[or 2]#show interface Fa0/24 switchport

name: Fa0/24
Switchport: Enabled
Administrative Mode: dynamic desirable
Operational Mode: trunk
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: dot1q
Negotiation of Trunking: On
(lines omitted)

Compare Steps 11, 12 displays to the display from Step 3. The Operational mode has changed from “down” to “trunk” because the interface is now “up, up.” The interfaces have become trunk connections. The trunk will support all VLANs from VLAN 1 to VLAN 4094, but currently only VLANs 1, 200, 201, 202 and 203 are active.

Review the VLAN port assignments on labsw1 and labsw2. First, notice that interface Fa0/24 on each switch is no longer in VLAN1. A trunk port is not associated with a single VLAN, since it carries data for all VLANs.


8. labsw1[or 2]# show vlan

VLAN Name         Status    Ports
---- ----------- --------- -------------------------------
1    default      active    Fa0/9, Fa0/10,..Fa0/23      
200  Acct         active    Fa0/1, Fa0/5
201  Admin        active    Fa0/2, Fa0/6
202  Backbone     active    Fa0/3, Fa0/7
203  VLAN0203     active    Fa0/4, Fa0/8

(lines omitted)

Testing the VLANs

The following interfaces should be in the same VLANs


VLAN  labsw1  labsw2
200   Fa0/1   Fa0/1
201   Fa0/2   Fa0/3
202   Fa0/3   Fa0/5
203   Fa0/4   Fa0/7

Connect PC1 to labsw1, and PC2 to labsw2, using interfaces in the table above that are in the same VLAN. From PC1 (192.168.1.2), use the ping 192.168.1.3 command to test connectivity. Each ping attempt should be successful. (Note: if you test between multiple interfaces on these switches, you may have to clear the mac-address-table between each test: labswx# clear mac-address-table dynamic.

Verify that VLAN boundaries are maintained between the switches. Connect PC1 and PC2 to the following interfaces, and repeat the ping test above. Each attempt should fail.


Labsw1 interface VLAN Labsw2 interface VLAN
        Fa0/1     200         Fa0/3     201
        Fa0/2     201         Fa0/5     202
        Fa0/3     202         Fa0/7     203
        Fa0/4     203         Fa0/1     200

Testing connectivity to the switches

It is also now possible to telnet from PC1 or PC2 to either of the switches, or to telnet from labsw1 to labsw2. To perform these tests, make sure you connect PC1 and/or PC2 to an interface in VLAN 1 (why is that?)
9. labsw1#telnet 192.168.1.76
Trying 192.168.1.76 ... Open

User Access Verification

Password: (cisco) (Password not displayed)
labsw2>
Terminate the connection
11. labsw2 > exit

It should also be possible to test and telnet from both PC1 and PC2 to either switch.

Connect PC1 to labsw1, interface Fa0/10, VLAN 1 (or any interface in VLAN 1)
Connect PC2 to labsw2, interface Fa0/9, VLAN 1

From both PC1 and PC2:
12. C:>\ping 192.168.1.75

13. C:>\ping 192.168.1.76

14. C:>\telnet 192.168.1.75 (sign on and exit after connecting)

15. C:>\telnet 192.168.1.76 (sign on and exit after connecting)

For Extra Credit

Actually, this is not extra credit, though it not covered very often. We are going to assign an interface to VLAN 200, but we are not going to make it an access port. Configure interface Fa0/22 in VLAN 200, but do not configure it as an access port.

1a. labsw1(config)#int fa0/22
2a. labsw1(config-if)#switchport access vlan 200
3a. labsw1(config-if)#Cntl_Z

Verify that interface fa0/22 is now actually in VLAN 200.


4. labsw1# show vlan

VLAN Name         Status    Ports
---- ----------- --------- -------------------------------
1    default      active    Fa0/9, Fa0/10,..Fa0/23      
200  Acct         active    Fa0/1, Fa0/5, Fa0/22 
201  Admin        active    Fa0/2, Fa0/6
202  Backbone     active    Fa0/3, Fa0/7
203  VLAN0203     active    Fa0/4, Fa0/8

(lines omitted)

Disconnect the Ethernet crossover cable from labsw1, Fa0/24, and connect it to Fa0/22. When the ports have synchronized, verify the trunk connections on labsw1. Interface Fa0/22 has become a trunk port even though it was assigned to VLAN 200.

5. labsw1#show interface trunk

Port Mode Encapsulation Status Native vlan
Fa0/22 desirable 802.1q trunking 1

Port Vlans allowed on trunk
Fa0/22 1-4094

Port Vlans allowed and active in management domain
Fa0/22 1,200-203

Port Vlans in spanning tree forwarding state and not pruned
Fa0/22 1,200-203

Display the VLAN port assignments again, and notice that Fa0/22 is no longer in VLAN 200. It has become a trunk port, and therefore is no longer associated with a single VLAN. Also notice the interface Fa0/24 is now back in VLAN1, since it is no longer a trunk port.

6. labsw1# show vlan



VLAN Name         Status    Ports
---- ----------- --------- -------------------------------
1    default      active    Fa0/9, Fa0/10,..Fa0/24      
200  Acct         active    Fa0/1, Fa0/5 
201  Admin        active    Fa0/2, Fa0/6
202  Backbone     active    Fa0/3, Fa0/7
203  VLAN0203     active    Fa0/4, Fa0/8

(lines omitted)

Until an interface is configured as an access port with the command "switchport mode access" it is not an access port. It will still create a trunk dynamically.

Lab 10 - New Switch Configuration

2009-08-05T14:15:00.004-05:00

The next switch labs will cover multiple switches in a switching fabric. To prepare for these labs, another switch is required. Configure a new switch:

hostname labsw2
interface VLAN 1 - IP address 192.168.1.76 255.255.255.0

All other parts of the configuration should be the same as labsw1:
All passwords: enable secret, console, vty
Password encryption
DNS server

VLANs
200 - interfaces Fa0/1, Fa0/2
201 - interfaces Fa0/3, Fa0/4
202 - interfaces Fa0/5, Fa0/6
203 - interfaces Fa0/7, Fa0/8

When you have finished the configuration, save to the startup config and the TFTP server. Test all configurations as was done in Labs 1-9.

Actually, this is partially a test. You should be able to do most of these things from memory. If you can't, review the previous labs closely.

Good luck. The next labs will connect multiple switches and begin discussing the switch fabric.

Lab 9 - Configuration Issues

2009-08-01T17:55:00.041-05:00

In Lab 9, we cover topics that are not directly related to device function. If these changes are not implemented, switches will still forward or filter frames, and routers will still route packet. However, all will make life in the network much easier or more secure, and some are covered on the CCNA® exam.

The topics covered in Lab 9 are

● Port security
● motd banner
● History file configuration and use
● Password encryption
● DNS configuration

Port Security

Port security allows you to control who can use a particular interface on a switch. An interface is configured to control the MAC addresses, or the number of MAC addresses that can use an interface.

It is not easy to understand the need for port security in a lab. If these labs are your first experience with network equipment, it may seem like a simple issue: don’t plug a computer into a port.

In reality, it’s not that easy. In a real network, switches and routers are locked in a computer room or a wiring closet that is not close to where computers are located. Cat 5 cabling runs from offices and cubicles to the switches. If you work in a typical office, your computer is probably connected to an RJ-45 jack in your cubicle. The other end of the wiring is connected to an interface on a switch in the computer room.

The problem is that someone can unplug your computer and plug in their computer. Then they are in your VLAN, with an IP address in your subnet, and possibly have access that you don’t want them to have. When you go home, the Ethernet connection in your cubicle or the vice president’s office is now available to anyone with a laptop. No cares if they use your cubicle when your (or I) are not there, but that vice president cares a great deal.

As stated earlier, port security is configured on each interface. Port security limits the number of MAC addresses that can use the interface, and actual addresses that can use the interface. The “number of addresses” really is not much of an issue these days. Most examples will show a hub in a critical department like Accounting, and discuss the need to limit access to a certain number of computers, like only the Accounting computers. You would plug all of the Accounting computers in the hub, connect the hub to the switch, and configure the switch interface to only support the number of MAC addresses that correspond to the number of computers. If you have four computers in the department, you would limit the number of MAC addresses to four.

The first step in configuring port security is to enable port security. The interface should be configured as an access port and assigned to a VLAN before configuring security.

labsw1 (config)interface fa0/9
labsw1 (config-if) switchport mode access
labsw1 (config-if) switchport access vlan x
labsw1 (config-if) switchport port-security

The next command defines the number of MAC address that can use the interface. If it is the vice president’s connection, you probably want "1".

Labsw1 (config-if) Switchport port-security maximum (number of addresses)

The next command determines what the port does if the security configuration is violated. The options are protect, restrict or shutdown.

labsw1 (config-if)switchport port-security violation (protect|restrict|shutdown)

Protect will drop frames from an unauthorized MAC address
Restrict will generate an alarm to the network monitoring system (NMS)
Shutdown will physically disable the port

To statically define the MAC addresses that can use the interface:

labsw1 (config-if) switchport port-security mac-address (MAC address)

The switch can learn the MAC addresses that can use the port. Refer to the maximum command above. The interface will support the first addresses it learns until it reaches the number set in maximum. These addresses are called “sticky”, perhaps because the first addresses will “stick”.

If your maximum is four, it will learn the first four addresses, and then follow the configuration choice used in the violation command: protect, restrict or shutdown.

MOTD Banner

Cisco IOS provides for a banner to be displayed when the switch or router is accessed. If you are familiar with UNIX, you probably have seen similar banners, sometimes called the MOTD, or “message of the day.”

The message of today seems to be a warning to unauthorized people to go away. There is a fable, which may even be true, that a person was criminally charged with maliciously accessing a system and destroying the system or data on the system. According to the tale, when the person accessed the system, they received a “Welcome” banner. This apparently meant that the person had permission from the owners to cause as much damage as possible, and, therefore, the case was dismissed. Homeowners fear that the dismissal of the case will soon apply to them, which is why sales of welcome mats have decreased and sales of firearms have increased.

The banner is any text that you decide to be displayed each time someone accesses the switch or router from the console port or a vty connection. The banner is created in global configuration mode by using the banner command.

There are several types of banners:


  LINE             c banner-text c, where 'c' is a delimiting character
  Exec             Set EXEC process creation banner
  Incoming         Set incoming terminal line banner
  Login            Set login banner
  Motd             Set Message of the Day banner
  prompt-timeout   Set Message for login authentication timeout
  slip-ppp         Set Message for SLIP/PPP

A delimiter character is required in the banner command. The delimiter character is the character that notifies the IOS to terminate the banner text. In English, that means that you specify a character that will tell the switch or router that you have entered all of the banner text.

It is possible to use the Enter key while creating the banner to help format the banner. A banner can be 256 characters, but a normal monitor screen displays about 80 or so characters. If you don’t want most of your banner to disappear on the right side of your screen, use the Enter key to start a new line occasionally. The router or switch will not consider the banner to be “finished” until you use the delimiter character.

The command format is
banner [banner type] [delimiter character] [text] [delimiter character]

In the example below, the “&” character will be used as the delimiter character.

labsw1(config)#banner motd & This is a private network and not available to unauthorized
labsw1(config)access. If you are not authorized, you can and will be
labsw1(config)# prosecuted to the fullest extent of the law. &

Test the banner by exiting your connection and re-establshing the connection. When you connect, you should receive a message:

PC>telnet labsw1

Trying 192.168.1.75 ...
This is a private network and not available for private
access. If you are not authorized, you can and will be prosecuted to the fullest extent of the law.

User Access Verification

Password:

It is a very good idea to AVOID commonly used characters like letters and numbers as the delimiter character. If, for example above, you specified the letter “a” as the delimiter in the banner above, the message would end with the first occurrence of “a”, and the banner would read “This is”. While that may be existentially true, it’s not very helpful.

Packet Tracer only supports motd banner messages. Exam hint, perhaps?

History file

Cisco IOS supports command recall to reuse, or to modify and use, commands that have been entered in the current session. The current session is the one that started when you logged in. All commands are deleted when you exit the session. To access the commands, use the Up arrow key and Down arrow key to cycle through the commands.

The history file is context sensitive. If you are in EXEC mode, only commands that were entered in EXEC mode can be recalled. If you are in configuration terminal mode, commands entered in configuration terminal mode can be recalled, but not the commands that were entered in EXEC mode. When you return to Exec mode, only commands previously entered in EXEC mode can be recalled.

Practical Note: An interesting feature of command recall is that Delete does not work. This can be frustrating when you first try to use the Delete key. Placing the cursor on a character and pressing the Delete key will probably insert a nonsensical character into the text without deleting anything. If you need to modify a previous command, place the cursor under the character to the right of the one that you want to delete, and press the Backspace key. You can backspace to remove characters as long as you have characters to backspace and delete. Typing inserts character to the left of the cursor. Practice with it. It’s an important skill but probably not on the exam.

The number of commands saved by the switch or router, however, may be a test question. The default history size is the last ten commands, which may be too limited, depending on the tasks you are performing in the switch or router. To increase the number of commands stored in the history file, use the EXEC command (not a configuration command):

labsw1#terminal history size x

(where x is a number between 1 and 256. That right: 256. 257 and above will not work.)

To recall commands already entered, use the Up key on the keyboard. Continue to press Up until the desired command is displayed. Hit Enter to reuse the command. This is a time saving tool when doing repetitive tasks. If you need to "go back" through the list of previous commands, use the Down arrow.

To display all of the commands in the history file, use the command:

labsw1#show terminal history

Remember: when you exit the switch or router, all of your command history is deleted. The change to the terminal history file size is also reset to the default. You get to start over.

Like all of the topics on the exam, the true value of command recall is when you are actually working with Cisco equipment. It is convenient to recall a long command that has a typo and correct the typo instead of retyping the command (and making the mistake again). Or you may need to use a particular show command multiple times to see if a status changes, or to watch totals change. The Up arrow makes that much easier and faster.

What we are saying, hedgelings, is learn how to use the Up and Down arrows and/or backspace to make your network life easier. Learn to display and change the history file to pass the exam. Both are good.

Password Encryption

Few topics receive more attention these days than security. Encryption is a vital part of security. With the right IOS and hardware, many functions can be encrypted on a devices, from the actual data being transmitted, the data included in a vty session, and some elements of the configuration.

In this section, we discuss password encryption. We will cover session, or vty connection, encryption in a later lab.

You have seen one example of password encryption with the enable secret password. The enable secret password is encrypted (okay, for you real nit-picky hedgelings, it actually a hash of the password, but it works pretty much the same). However, the rest of the passwords: console, vty, are in clear text, as shown in the following example.
labsw1#sho run
Building configuration...

Current configuration : 1203 bytes
!
version 12.1
no service password-encryption
!
hostname labsw1
!
enable secret 5 $1$mERr$hx5rVt7rPNoS4wqbXKX7m0
enable password pass1
!
ip name-server 192.168.1.3
!
!
interface FastEthernet0/1
!
interface FastEthernet0/2
!
interface FastEthernet0/3
(lines omitted)
!
interface Vlan1
ip address 192.168.1.75 255.255.255.0
!
banner motd ^C This is a private network and not available for private
access. If you are not authorized, you can and will be prosecuted to the
fullest extent of the law.^C
line con 0
password cisco
login
!
line vty 0 4
password cisco
login
line vty 5 15
password cisco
login
!
!
end

To encrypt the display of the passwords, use the command:
labsw1(config)#service password-encryption

Exit configuration mode and display the configuration again to see the encrypted passwords.

labsw1#sho run
Building configuration...

Current configuration : 1236 bytes
!
version 12.1
service password-encryption
!
hostname labsw1
!
enable secret 5 $1$mERr$hx5rVt7rPNoS4wqbXKX7m0
enable password 7 08314D5D1A48
!
ip name-server 192.168.1.3
!
!
interface FastEthernet0/1
!
interface FastEthernet0/2
!
interface FastEthernet0/3

(lines omitted)
!
line con 0
password 7 0822455D0A16
login
!
line vty 0 4
password 7 0822455D0A16
login
line vty 5 15
password 7 0822455D0A16
login

A switch or router configuration can have other "passwords" that are important to encrypt. The services password-encryption command will also encrypt those passwords.

DNS

DNS is a potential exam question, and more importantly, it is one of the most important aids in managing a network. You are probably very aware of how important DNS is in navigating the Internet. You can remember google.com, yahoo.com , and hopefully hedgehogtech.blogspot.com, but you might have some difficulty remembering the IP addresses of those sites.

If you are unfamiliar with DNS, DNS is the process that allows you to use a word or name instead of the IP address of a site, or in our case, a device in the network. If you have not worked in a network environment, you may not be aware that most, probably all, enterprise networks maintain their own DNS for managing their networks. It is more common to use a name like labsw1 and PC1 than to use 192.168.1.75 or 192.168.1.2.

Before you can configure your switch or router to use DNS, you must first create a DNS server and connect it to the network. If you are using a hardware lab, you will need DNS server software. (Note: any difficulty with this section will probably be configuring the DNS software. The switch/router commands are very simple.)

If you are using Packet Tracer, you will need to use the generic server and configure DNS. The DNS entry contains both the name of the device, PC1, and the IP address of the device, 192.168.1.2, as well as labsw1 - 192.168.1.75.

For this exercise:

Install a DNS server in your network. Unless you have unlimited funds and space, you will probably install it on PC1. Note the IP address of the system supporting DNS, such as 192.168.1.2. Connect the server and PC1 to VLAN 1 interfaces: Fa0-9 – Fa0/24 (depending on the model of your switch). You should know the reason for using VLAN 1 interfaces from Lab 8: the devices connected to a switch must be in the same VLAN as the VLAN interface to use the VLAN 1 interface. With the current switch configuration,the switch can only use services on VLAN 1, since VLAN 1 is the management interface.

Create two entries in the DNS server: PC1 – 192.168.1.2, and labsw1 - 1921.68.1.75

Configure the switch to use the DNS server with the global configuration command:
labsw1(config)# ip name-server 192.168.1.2

Exit configuration mode and ping PC1 from labsw1
labsw1#ping pc1 (or pc1.workgroup, if you are using Dual Server)

You are successful when you can ping PC1 from labsw1.

You should also configure all equipment in our lab to use the DNS server: PCs, switches, and routers. It will make life easier. When you have configured the PC for your lab DNS server, ping labsw1 from the PC.

In most networks, you will use the same DNS server for the entire network. All Cisco devices will be configured with the same command: ip name-server x.x.x.x. If your lab includes a DNS server, we strongly recommend that you update the DNS entries as equipment is added to the lab. It is just as helpful in a lab as it is in an actual network.

Since adding PCs and servers to a Packet Tracer network is easy and cheap(see if your network simulator supports a DNS server), we recommend that you create a DNS server that is not part of the “normal” lab devices, and give it an IP address such as 192.168.1.240. Unfortunately, you cannot configure the dns-server with its own IP address as the DNS server, as you can with most real DNS servers. You can, however, configure all other devices to use the DNS server.

Testing DNS

Make sure your DNS entries are correct. Always ping a device by name, such as pc1, labsw1, etc. Look for the following errors:

Ping request could not find host pc4. Please check the name and try again. – This error means that no DNS entry exists for the device.

Request timed out – This error can often be the result of an incorrect IP address. The ping process will display the IP address that is being pinged. If the ping request times out, check the IP address of the DNS entry and make sure it is correct. If the entry is correct, make sure that device is actually addressed correctly. Finally, check to make sure that the cabling is correct, that the device is in the right vlan, and the port is up, up. If the ping to the DNS name fails, ping to the IP address. If the address ping is successful, it is probably a mistake in the DNS entry. Usually the IP address is mistyped.

When completed, save the running configuration to the startup configuration and to the TFTP server.

Note to the ambitious: DNS management is a very profitable career choice. Getting a CCNA® is very helpful toward learning and supporting DNS, so these CCNA® studies are by no means wasted if you decide to move in a DNS support direction. You have to understand IP to successfully manage DNS. The most common DNS software is BIND, which is free in FreeBSD and many Linux distributions. It ain’t so easy to learn, which is why someone will pay you well if you have these skills. Kinda like getting a CCNA, CCNP, CCIE, etc.

Multiple Switch Labs

2009-07-23T14:10:00.005-05:00

Lab 11 - Dynamic Trunking Protocol (DTP)
Lab 12 - Configuring Trunk Ports
Lab 13 - Cisco Discovery Protocol
Lab 14 - Ethernet Address Management in a Multi-switch Network - Internal Addresses
Lab 15 - Ethernet Address Management in a Multi-switch Network - End Device Address Management
Lab 16 - New Switch Configuration

CCNA® Lab 8 - Testing the VLAN Configuration

2009-07-23T09:52:00.024-05:00

Goal

● Verify VLAN configuration and function

Requirements:

● Cisco switch configured with Lab 1-3, Lab 5 configurations
● 2 PCs with Ethernet ports, one with COM port. PCs should be configured with the IP addresses shown above.
● Cisco rollover cable
● 2 Ethernet cables

Review broadcast domain

● A broadcast is a data transmission to all devices that communicate at Layer 2, or the Datalink layer.
● All devices in a broadcast domain “hear” all broadcasts. (This explanation is very brief and incomplete. Insure that you fully understand broadcasts, broadcast domains, how bridges/switches process broadcasts.)
● A VLAN is a broadcast domain. It is a group of ports that can communicate at Layer 2, or will “hear” a broadcast from one of the devices connected to an interface in the same VLAN.
● Cisco switches initially have one VLAN, VLAN 1, and all ports are in VLAN 1. Creating new VLANs creates new broadcast domains.

In Lab 7, four new broadcast domains, or VLANs, were created:

● VLAN 200
● VLAN 201
● VLAN 202
● VLAN 203

VLAN 1, the default VLAN, still exists. VLAN 1 is automatically defined by the IOS, and cannot be deleted. It can be made irrelevant by assigning all ports to other VLANs, but it will still exist. Verify that the VLANs still exist from Lab 7, and the following port assignments have been made.
1. testlabsw1 # show vlan


VLAN Name                       Status    Ports
---- -------------------------- --------- -------------------------------
1    default                    active    Fa0/9, Fa0/10, Fa0/11, Fa0/12
200  Acct                       active    Fa0/1, Fa0/5
201  Admin                      active    Fa0/2, Fa0/6
202  Backbone                   active    Fa0/3, Fa0/7
203  VLAN0203                   active    Fa0/4, Fa0/8
.
(lines omitted)

Testing the configuration
The test consists of using the ping command. The test has two parts:

● Test for a successful ping between the devices in the same VLAN
● Test for a failure to ping between the devices in different VLANs

It may sound strange to test for failure, or an unsuccessful ping, but it really isn’t. If you can ping between VLANs (200 to 201, for example), then either the configuration is wrong, or VLANs do not really create separate broadcast domains.

A final test step is to ping the switch interface VLAN 1 IP address (192.168.1.75) from each VLAN. Before beginning this exercise, display the status of the VLAN1 IP address:
labsw1# show interface vlan 1

Vlan1 is up, line protocol is down
.
.

(Interface VLAN 1 is not complete functional. Why not? Review Lab 2, step 22 and discussion.)

Before beginning these exercises, verify that the PCs are configured with the following IP addresses: PC1 – 192.168.1.2, PC2 – 192.168.1.3. Connect PC1 and PC2 to the switch interfaces as shown in the chart below, and ping from PC1 to PC2.

labsw1# clear mac-address-table

(Note: if you cannot ping from PC1 to PC2 after you move the connections to new interfaces in the same VLAN, use the clear mac-address-table dynamic command and test again. Just make sure that the interfaces are in the same VLAN.)

It is not necessary to issue every ping described in this section. However, it is important that you understand that pings are successful between computers in the same VLAN and unsuccessful between computers in different VLANs. If you like, chose a subset of the interfaces to perform the tests. It is also important to show the status of interface VLAN after each cable move and note when it goes "up, up" (More in Lab 9).

               
                                                        Ping  
                                          Interface    Result  
  PC1    PC1    PC2     PC2     Ping       VLAN1      Interface
  Int    VLAN   Int     VLAN   Result     Status        VLAN1
-------  ----   ------   ----  --------   -------     -------
 Fa0/1    200   Fa0/5    200
 Fa0/2    201   Fa0/5    200
 Fa0/2    201   Fa0/6    201
 Fa0/3    202   Fa0/6    201 
 Fa0/3    202   Fa0/7    202
 Fa0/4    203   Fa0/7    202
 Fa0/4    203   Fa0/12    1
 Fa0/9     1    Fa0/12    1
 Fa0/10    1    Fa0/12    1
 Fa0/11    1    Fa0/12    1

The results of the testing should show that a ping test is successful when both devices are in the same VLAN, and unsuccessful when the devices are in different VLANs.

Why is a ping attempt to the IP address of interface VLAN 1 successful from ports Fa0/9 through Fa0/12, but unsuccessful from all other interfaces?

Two conditions must exist before the VLAN 1 IP address will respond to a ping.

The VLAN 1 interface must be “up, up” before it will respond to a ping. Interface VLAN 1 remained in an “up, down” status until a physical interface associated with VLAN 1, Fa0/9 - Fa0/12, was active, or in “up, up” status. When a computer was connected to an interface in VLAN 1, a physical path to VLAN 1 was created, and VLAN 1 became “up, up” or active. The VLAN 1 interface became active in Step 8: however, it was not possible to ping the VLAN 1 IP address from Fa0/4. Only when PC1 was connected to Fa0/9, VLAN 1, was it possible to ping 192.168.1.75 from PC1.

PC1 could successfully ping the VLAN 1 IP address after it was connected to an interface in VLAN 1: Fa0/9 – Fa0/12. The reason is a VLAN interface is associated with the VLAN that it is named for. VLAN 1 can only be contacted from an interface in VLAN 1. An interface in VLAN 200 cannot communicate with the VLAN 1 IP address. Interface VLAN 1 is a part of VLAN 1, and can only be contacted from one of the ports in VLAN 1: Fa0/9, Fa0/10, Fa0/11, Fa0/12.

CCNA® Lab 7 - Vlan Creation and VLAN Interface Assignment

2009-07-22T13:00:00.039-05:00

Lab 7 Goals

● Understand VLANs and broadcast domains
● Create VLANs
● Assign interfaces to the new VLANs

Lab Requirements

● Switch configured with Lab 2 configuration
● PC configured with
IP address 192.168.1.2 255.255.255.0
● Cisco rollover (console) cable
● Ethernet cable

For this lab, use the console port to manage the switch.

VLANs are a feature of Cisco® switches. VLANs (Virtual LANs) allow multiple broadcast domains to be configured on one or more switches, configuring a set of switch interfaces as a broadcast domain. This lab will create VLANs and assign interfaces to those new VLANs.

Broadcast Domain Review

● A broadcast is a data transmission to all devices that communicate at Layer 2, or the Datalink layer. Remember the example of the ARP request in the previous lab. A broadcast has a destination address of all binary 1’s, or hex address of ffff.ffff.ffff.
● All devices in a broadcast domain “hear” all data transmissions, broadcasts. (This explanation is very brief and incomplete. Insure that you fully understand broadcasts, broadcast domains, how bridges/switches process broadcasts.)
● A VLAN is a broadcast domain. It is a group of ports configured on one or more switches by a network administrator that can communicate at Layer 2. The ports in a VLAN will “hear” a broadcast from one of the devices in the same VLAN.
● Cisco switches initially have one VLAN: VLAN 1. All ports are in VLAN 1. VLAN 1 can be shut down, but it cannot be deleted.

(All future labs will show commands in enable mode. The commands to access enable mode will not be shown in future exercises.)

As noted above, a VLAN is a group of switch ports configured as a single broadcast domain. To display the VLAN port assignment, use the "show vlan" command. The example below shows all ports in the same VLAN, VLAN1. VLAN 1 is a default VLAN created on every Cisco switch. The default, or out-of-the-box, configuration assigns all interfaces on the switch to VLAN 1. By default, all interfaces are in the same broadcast domain, VLAN 1. (Note: The VLANs 1002 – 1005 are special purpose VLANs that have no function in these labs.)


1.  labsw1# show vlan

VLAN Name                    Status    Ports
---- ------------------- --------- -------------------------------
1    default             active    Fa0/1, Fa0/2, Fa0/3, Fa0/4,
                                   Fa0/5, Fa0/6, Fa0/7, Fa0/8,
                                   Fa0/9, Fa0/10, Fa0/11, Fa0/12
                                   (lines deleted)
1002 fddi-default        active
1003 token-ring-default  active
1004 fddinet-default     active
1005 trnet-default       active

VLAN Type  SAID       MTU   Parent RingNo BridgeNo Stp  BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
1    enet  100001     1500  -      -      -        -    -        1002   1003
1002 fddi  101002     1500  -      -      -        -    -        1      1003
1003 tr    101003     1500  1005   0      -        -    srb      1      1002
1004 fdnet 101004     1500  -      -      1        ibm  -        0      0
1005 trnet 101005     1500  -      -      1        ibm  -        0      0

VLAN data, as well as other important configuration data, is not stored in the "running-config" or the "startup-config." It is stored in a file called "vlan.dat." The contents of the vlan.dat cannot be easily displayed, but the file can be verified with the command "show flash." Before starting this exercise, verify that no "vlan.dat" file exists.

Labsw1# show flash
The only file should be the IOS. If a vlan.dat file exists, remove it.
Labsw1# erase vlan.dat

Follow the prompts to delete. Verify that the file has been removed by using the "show vlan" command and/or the "show flash" command.

VLAN Creation and Naming

This lab will create additional VLANs and assign ports to those VLANs. The VLAN process has two parts:

● VLAN creation
● Interface VLAN assignment

VLANs are created by assigning a number between 2 – 4096. VLANs are also named, but the names have no function and serve only as documentation. Custom VLAN names are optional. If the VLANs are not named, the switch will create names: VLAN0200, VLAN0201, etc. This lab will create and name the following VLANs. Follow these commands to create the following VLANs:

200 – Acct
201 – Admin
202 – Backbone

2950 Switch Commands (native IOS commands)

2. labsw1# configuration terminal
3. labsw1 (config)# vlan 200
4. labsw1 (config-vlan)# name Acct
5. labsw1 (config-vlan)# vlan 201
6. labsw1 (config-vlan)# name Admin
7. labsw1 (config-vlan)# vlan 202
8. labsw1 (config-vlan)# name Backbone
9. labsw1 (config-vlan)# [Ctrl-Z] (exit configuration mode)

2912/2924 Switch Commands

This is the first area where the 2912/2924 switches differs from the native IOS switches. VLAN creation must be done in “vlan database” mode, not configuration mode. Vlan database mode is accessed by using the command "vlan database." To exit vlan database mode, use "exit" command. VLAN database mode is also available on the 2950/2960 switches, but configuration mode is the preferred method. Notice the (minor) differences in the commands 1a-5a.
2a. labsw1# vlan database
3a. labsw1 (vlan)# vlan 200 name Acct
4a. labsw1 (vlan)# vlan 201 name Admin
5a. labsw1 (vlan)# vlan 202 name Backbone
6a. labsw1 (vlan)# exit (exit vlan database mode)

Display the new VLANs:

10. labsw1 # show vlan


VLAN Name                       Status    Ports
---- -------------------------- --------- -------------------------------
1    default                    active    Fa0/1, Fa0/2, Fa0/3, Fa0/4,
                                          Fa0/5, Fa0/6, Fa0/7, Fa0/8,
                                          Fa0/9, Fa0/10, Fa0/11, Fa0/12
200  Acct                       active
201  Admin                      active
202  Backbone                   active
.
(lines omitted)

VLANs 200, 201 and 202 have been created and named: however, no interfaces have been assigned to the new VLANs. All interfaces are still in VLAN 1, the default VLAN. Interface VLAN assignment requires interface-specific commands. Assigning an interface to a VLAN will also configure the interface as an access port, preventing it from becoming a trunk port dynamically. (See discussion of access ports vs. trunk ports below). To assign a port to a VLAN use the interface specific command "switchport access vlan [vlan-number]."

(Note: An interface can be configured as an access port by the command: "switchport mode access." This command will configure the port as an access port, and the port will remain in VLAN 1.)

Use the commands below to configure labsw1 with the following VLAN port assignments. Notice that VLAN 203 is used, but VLAN 203 has not been created and named. Notice how the switch responds when an interface is assigned to VLAN 203.

Fa0/1 - VLAN 200
Fa0/2 - VLAN 201
Fa0/3 – VLAN 202
Fa0/4 – VLAN 203
Fa0/5 – VLAN 200
Fa0/6 – VLAN 201
Fa0/7 – VLAN 202
Fa0/8 – VLAN 203

11. labsw1# configuration terminal
12. labsw1 (config)# interface fa0/1
13. labsw1 (config-if)# switchport access vlan 200
14. labsw1 (config-if# switchport mode access
15. labsw1 (config-if) # interface fa0/2
16. labsw1 (config-if) # switchport access vlan 201
17. labsw1 (config-if# switchport mode access
18. labsw1 (config-if) # interface fa0/3
19. labsw1 (config-if) # switchport access vlan 202
20. labsw1 (config-if# switchport mode access
21. labsw1 (config-if) # interface fa0/4
22. labsw1 (config-if) # switchport access vlan 203
23. labsw1 (config-if# switchport mode access
Note: The switch will automatically create a VLAN when a port is assigned to undefined VLAN, in this case, 203. Note the response from the switch:
% Access VLAN does not exist. Creating vlan 203
24. labsw1 (config-if) # interface fa0/5
25. labsw1 (config-if) # switchport access vlan 200
26. labsw1 (config-if# switchport mode access
27. labsw1 (config-if) # interface fa0/6
28. labsw1 (config-if) # switchport access vlan 201
29. labsw1 (config-if# switchport mode access
30. labsw1 (config-if) # interface fa0/7
31. labsw1 (config-if) # switchport access vlan 202
32. labsw1 (config-if# switchport mode access
33. labsw1 (config-if) # interface fa0/8
34. labsw1 (config-if) # switchport access vlan 203
35. labsw1 (config-if# switchport mode access
36. labsw1 (config-if) # [Crtl-Z]

Display the VLAN information to see the VLAN port assignments:
37. labsw1 # show vlan


VLAN Name                       Status    Ports
---- --------------- --------- -------------------------------
1    default         active    Fa0/9, Fa0/10, Fa0/11, Fa0/12
200  Acct            active    Fa0/1, Fa0/5
201  Admin           active    Fa0/2, Fa0/6
202  Backbone        active    Fa0/3, Fa0/7
203  VLAN0203        active    Fa0/4, Fa0/8
.(lines omitted)

VLAN 203 has been created and named: VLAN0203.

Before saving the changes, use the "show flash" command again.

38. labsw1#show flash

Directory of flash:/

1 -rw- 4414921 c2960-lanbase-mz.122-25.FX.bin
2 -rw- 796 vlan.dat

64016384 bytes total (59600667 bytes free)

Note that the "vlan.dat" file was created automatically when the VLANs were created. Use the show running-config command to see the VLAN assignments on each interface, but also notice that there are no entries in the running configuration for the individual VLANs. As noted earlier, the file cannot be viewed, but its existence can be verified by the command "show flash." (Note: Your switch may include other files as well.)

Save the configuration.
39. labsw1 # copy running-config startup-config

Access ports and trunk ports

Switch interfaces can be configured as access ports or they can be configured as trunk ports. Access ports connect devices that are not switches: computers, routers, printers, etc.

Trunk ports are used to connect switches, creating a “switch fabric.” A switch fabric is a set of switches that allow multiple switches to function as a single switch. Trunk ports between switches carry data for multiple VLANs, and will be covered in more detail in future labs.

The most important difference between an access port and a trunk port:

Access ports carry data within a single VLAN
Trunk ports carry data for multiple VLANs

CCNA® Lab 6 - Cleanup

2009-07-22T11:49:00.013-05:00

Lab 6 Goal
● Configure the same password for all switch access: console, vty, enable

Lab Requirements

● Switch configured with Lab 2 configuration
● PC configured with
IP address 192.168.1.2 255.255.255.0
● Cisco rollover (console) cable
● Ethernet cable

Yes, hedgelings, it's time to clean up the configuration. It is easier use a single password for all access: console, vty, and enable secret. It is important to remember, however, that these are distinct and different passwords, even if you use the same value like we are going to do. This change is just to make access easier.

Connect PC1 to labsw1 using an Ethernet cable and/or the console cable. An Ethernet connection is preferred for all configured devices. Access labsw1 using the telnet command from PC1.

1. PC> telnet 192.168.1.75
Trying 192.168.1.75 ...

User Access Verification
Password: [pass1]
2. labsw1> enable
Password: [pass5]
3. labsw1# configure terminal
4. labsw1(config)# enable secret cisco (or some other password easy for you to remember)
5. labsw1(config)#line cons 0
6. labsw1(config-line)#password cisco
7. labsw1(config-line)#login
8. labsw1(config-line)#line vty 0 15
9. labsw1(config-line)#password cisco
10. labsw1(config-line)#login
11. labsw1(config-line)#Crtl Z
12. labsw1# copy run start

Verify your changes:

13. labsw1# show running-config

Building configuration...

Current configuration : 1030 bytes
!
version 12.1
no service password-encryption
!
hostname labsw1
!
enable secret 5 $1$mERr$hx5rVt7rPNoS4wqbXKX7m0
enable password pass1
!
ip name-server 192.168.1.3
!
!
interface FastEthernet0/1
!
interface FastEthernet0/2
!
interface FastEthernet0/3
!
interface FastEthernet0/4
!
interface FastEthernet0/5
!
interface FastEthernet0/6
!
interface FastEthernet0/7
!
interface FastEthernet0/8
!
interface FastEthernet0/9
!
interface FastEthernet0/10
!
interface FastEthernet0/11
!
interface FastEthernet0/12
!
interface FastEthernet0/13
!
interface FastEthernet0/14
!
interface FastEthernet0/15
!
interface FastEthernet0/16
!
interface FastEthernet0/17
!
interface FastEthernet0/18
!
interface FastEthernet0/19
!
interface FastEthernet0/20
!
interface FastEthernet0/21
!
interface FastEthernet0/22
!
interface FastEthernet0/23
!
interface FastEthernet0/24
!
interface Vlan1
ip address 192.168.1.75 255.255.255.0
!
line con 0
password cisco
login
!
line vty 0 4
password cisco
login
line vty 5 15
password cisco
login
!
!
end

14. labsw1# exit

Test all connectivity: telnet and console to verify the changes. The password for all connections is now "cisco", or whatever password you chose for your lab.

CCNA® Lab 5 - Ethernet Address Management

2009-07-21T17:57:00.039-05:00

Lab 5 Goals

● Understand Ethernet MAC addressing
● Understand Address Resolution Protocol
● Observe how Cisco® switches use MAC addresses

Requirements:
Cisco switch with Lab 1-3 configuration
2 PCs with Ethernet ports, one with COM port. IP addresses shown above.
Cisco rollover cable
2 Ethernet cables

Understanding Ethernet MAC addresses and frames is critical to managing Cisco switches. The CCNA exam will cover Layer 2 switching, and Ethernet MAC addressing is a critical component for the exam. The following points need to be memorized:

• Ethernet is a Layer 2 protocol.
• Ethernet addresses are composed of 48 bits, written as 12 hexadecimal digits.

An Ethernet address is composed of 2 parts:

• 24 bits (six hexadecimal digits) for vendor identification, also called the “Organizationally Unique Identifier”, or OUI
• 24 bits (six hexadecimal digits) for card or interface identification

Example: 00-19-D2-49-1E-ED

• 00-19-D2 is the vendor identifier for the card manufacturer, Intel
• 49-1E-ED is the card identifier

Each Ethernet device has the address permanently encoded on, or “burned in” to the card or interface. The MAC Address is also called the “BIA” or “burned-in address.” The BIA, or local address, is included in every Ethernet frame as the “source address”, or the address of the device transmitting the data.

Commands to display BIA MAC addresses:

Windows: ipconfig /all

Linux: ifconfig or ifconfig -a

Cisco: show version, show interface Fa0/x

The display of the Ethernet MAC Address is different for each operating system (O/S)

Windows: 00-19-D2-49-1E-ED

Linux: 00:19:D2:49:1E:ED

Cisco uses different formats: 00:19:D2:49:1E:ED or 0019.D249.1EED

Cisco gives each switch an overall Ethernet address, and each interface on the switch with a unique address based on the overall address. These addresses are displayed by the show version command, and the show interface Fa0/x command. The addresses are related, varying only in the last byte. The value of the last hexadecimal digits increments by the port number. Example:

Switch Ethernet Address : 00:0F:90:41:9B:00

Interface Fa0/1 : 000f.9041.9b01
Interface Fa0/2 : 000f.9041.9b02
Interface Fa0/3 : 000f.9041.9b03
.
Interface Fa012 : 000f.9041.9b0c

These addresses are critical to multi-switch networks for Spanning Tree (to follow soon), but are not important to the end devices (workstations, servers, routers, etc.) that use the switches. Cisco uses “transparent switching”, which was based on “transparent bridging”. “Transparent” means that the workstations, servers, and routers attached to a switch are unaware of the function of the switch infrastructure. They are only concerned with the MAC addresses of the end devices, not the switches that carry the data.

Switches use the same process to learn Ethernet addresses that all Ethernet devices use: reading the source address field of every Ethernet frame that it receives. A switch create a table of the known MAC addresses and the interfaces that support the connected devices. To display the MAC Address table:

testlabsw1# show mac-address-table

Mac Address Table
-------------------------------------------

Vlan Mac Address Type Ports
---- ----------- -------- -----
All 000f.9041.9b00 STATIC CPU
All 0100.0ccc.cccc STATIC CPU
All 0100.0ccc.cccd STATIC CPU
All 0100.0cdd.dddd STATIC CPU
1 0011.9354.7230 DYNAMIC Fa0/2
1 0018.18df.3281 DYNAMIC Fa0/1
402 0000.0c07.acc6 DYNAMIC Fa0/6
402 000e.0cc7.04d2 DYNAMIC Fa0/16
402 0012.1ea2.6cb0 DYNAMIC Fa0/19
402 0060.2e02.aee3 DYNAMIC Fa0/15
402 0080.8c02.70e1 DYNAMIC Fa0/23
402 00e0.1eae.cdc8 DYNAMIC Fa0/14
402 c288.6060.0d83 DYNAMIC Fa0/12
403 0000.0c07.ac03 DYNAMIC Fa0/3
403 000e.0c5c.d8b0 DYNAMIC Fa0/10
403 0010.db65.66c0 DYNAMIC Fa0/8
403 0018.19c1.0ac1 DYNAMIC Fa0/9
404 0011.9354.7241 DYNAMIC Fa0/4
410 0011.9354.7242 DYNAMIC Fa0/5

There are two types of addresses: Static and Dynamic. The “Static” addresses are internal to the switch. The “Dynamic” addresses are the MAC addresses of the devices connected to the ports. Our primary concern is the dynamic addresses. The switch learns addresses “dynamically” by reading the source addresses of frames that entered the switch. The switch uses these MAC addresses to create the MAC addresses table, or the list of addresses and the ports from which those addresses entered the switch. The switch then uses the MAC address table to deliver, or forward, data. The switch reads the Destination Address in each Ethernet frame, and delivers the data to the port associated with the Ethernet address. A example from the above table:

403 0000.0c07.ac03 DYNAMIC Fa0/3
403 000e.0c5c.d8b0 DYNAMIC Fa0/10
403 0010.db65.66c0 DYNAMIC Fa0/8
403 0018.19c1.0ac1 DYNAMIC Fa0/9

The process of delivering an Ethernet frame to the correct port is called “Frame Forwarding”. The process:

The computer on FA0/3 creates a frame of data with the MAC address of the destination device: 0018.19c1.0ac1, in the Destination field.

The computer puts its own MAC address in the Source field: 0000.0c07.ac03

The source computer sends the Ethernet frame to the switch.

The switch reads the destination address field, 0018.19c1.0ac1

The switch then checks the MAC address table to find the interface for that device: Fa0/9

The switch forwards the Ethernet frame to interface Fa0/9

MAC Address learning

If a new device with MAC address 0071.0c24.bd03 is connected to interface Fa0/7, the switch will have no information about the device until it transmits data for the first time. When the new device transmits data the first time,

the switch reads the source address in the Ethernet frame

the switch checks the MAC Address Table to see if the MAC address exists in the table. It does not.

Since it is a new device, the switch does not have the address in the MAC Address table for it. When the device transmits data for the first time, the switch will create a new entry in the MAC address table:

403 0071.0c24.bd03 DYNAMIC Fa0/7

The switch uses this information to deliver data to this device.

Exercise:

Before starting the lab, configure two PCs with the IP addresses shown in the diagram: 192.168.1.2 255.255.255.0 and 192.168.1.3 255.255.255.0. Do not connect the PCs to the Ethernet ports on the switch until Step 4 below.

1.Use the console connection, display the switch internal MAC address:

testlabsw1#show version
Cisco Internetwork Operating System Software
IOS (tm) C2950 Software (C2950-I6K2L2Q4-M), Version 12.1(22)EA6, RELEASE SOFTWARE (fc1)
Copyright (c) 1986-2005 by cisco Systems, Inc.
.
(lines omitted)
.
32K bytes of flash-simulated non-volatile configuration memory.
Base ethernet MAC Address: 00:09:43:CB:30:00
Motherboard assembly number: 73-5781-09
.
(lines omitted)

Record the switch MAC Address: ____________________________

Note: Packet Tracer does not report on the internal switch MAC addresses in the show mac-address-table display. While this feature makes it easier to identify MAC addresses, be aware that it is not a normal display for an actual switch. The Packet Tracer display is more like show mac-address-table dynamic. If you are using a real switch, the dynamic display will be more useful for this lab.

If there are dynamically learned MAC address, clear the MAC address table, and verify no dynamic MAC addresses are in the table.

labsw1# clear mac-address-table dynamic

3. Display and record the MAC addresses of PC1 and PC2, using the ipconfig /all command:

PC1: __________________________
Port: _________________

PC2: __________________________
Port: ________________

4. Using Ethernet cables, connect PC1 and PC2 to labsw1. The lights on the interfaces should turn green, indicating that the connections are good. Record the interfaces above (Fa0/1, Fa0/2, etc.) Using the console connection, verify that the PC MAC addresses do not appear in the MAC Address table:

testlabsw1#sho mac-address-table dymanic
Mac Address Table
-------------------------------------------

If there are addresses in the table, clear the MAC Address Table
clear mac-address-table dynamic

5. From PC1, ping the IP address of PC2:
C:>\ping 192.168.1.3

6. After the ping has completed successfully, display the MAC address table again. The MAC addresses of PC1 and PC2 should be in the MAC Address table, as well as the interfaces used.

labsw1#sho mac-address-table

So how did it work? You should see both MAC addresses listed in the MAC Address Table. Make sure you understand this process.

ARP - Address Resolution Protocol

When you issued the ping from PC1 for the first time, you probably got a response like this:

Request timed out.
Reply from 192.168.1.3: bytes=32 time=16ms TTL=255
Reply from 192.168.1.3: bytes=32 time=31ms TTL=255
Reply from 192.168.1.3: bytes=32 time=32ms TTL=255

The first reply is where the entire process of MAC Address learning happened. The process:

1.The ping command is typed and entered: ping 192.168.1.3. The system will issue four ping commands, with 5 second timeout between each unsuccessful ping. The timer starts for the first ping.

2.PC1 checks its ARP cache to find the MAC address for 192.168.1.3. (Windows command: arp –a). There is no entry for 192.168.1.3.

3.PC1 needs to get a MAC address for 192.168.1.3. To learn the address, PC1 issued an ARP (Address Resolution Protocol). An ARP request is a broadcast frame that says “Who has IP address 192.168.1.3?” The Ethernet frame from PC1 has all “1’s” in the Destination Address field (broadcast) and its own MAC address in the Source Address field: 0010.11d7.d0c0.

4.While the ARP request is processing, so does timer for the ping.

5.Switch labsw1 reads the ARP request and learns that MAC address 0010.11d7.d0c0 is on interface FA0/1.

6.Switch labsw1 updates the MAC Address table with

1 0010.11d7.d0c0 DYNAMIC Fa0/1

7.Switch labsw1 then forwards the ARP broadcast out all active interfaces (up, up), except for FA0/1. In this case, only FA0/2 is "up, up".

8.PC2 sees the ARP request, knows that it has IP address 192.168.1.3, and replies back to PC1 to notify PC1 that it has the requested IP address. It uses the PC1 MAC address for the destination, and its own MAC address for the source Address: 00D0.BA00.D536. The frame is transmitted to switch labsw1.

9.Switch labsw1 reads the source MAC address table and discovers that the MAC address for PC2 is new. The switch updates the MAC Address Table with the PC2 MAC address on interface FA0/2:
1 00d0.ba00.d536 DYNAMIC Fa0/2

10.Now switch labsw1 has a MAC Address Table that looks like:

Mac Address Table
-------------------------------------------
Vlan Mac Address Type Ports
---- ----------- -------- -----
1 0010.11d7.d0c0 DYNAMIC Fa0/1
1 00d0.ba00.d536 DYNAMIC Fa0/2

11. Switch labsw1 reads the Destination Address field and finds MAC Address 0010.11d7.d0c0. Switch labsw1 reads the MAC Address table and sees that 0010.11d7.d0c0 is on interface FA0/1.

12.Switch labsw1 forwards the Ethernet frame out interface FA0/1.

13.By now, the first ping request has timed out. It returns

Request timed out.

14.PC1 now has a MAC address for PC2. PC1 creates the second ping request using the MAC address of PC2 as the Destination MAC address. PC1 transmits the frame to switch labsw1.

15.Switch labsw1 looks at the Destination MAC Address, refers to the table, and transmits the frame out interface FA0/2.

16.PC2 sees the ping request from PC1, creates a reply using PC1’s MAC address as the destination and its own address as the source. PC2 transmits the reply to labsw1.

17.Labsw1 forwards the reply to PC1 based on the MAC address table.

18.This process is repeated until PC1 has issued all of the ping requests. Since all devices: PC1, PC2 and labsw1, know about the MAC addresses, each ping and reply is processed in less than 2 seconds, and the requests do not time out.

Reply from 192.168.1.3: bytes=32 time=16ms TTL=255
Reply from 192.168.1.3: bytes=32 time=31ms TTL=255
Reply from 192.168.1.3: bytes=32 time=32ms TTL=255

Summary

Two critical processes have been demonstrated in Lab 5:
Address management: address learning, MAC address updates, data forwarding
ARP: Address Resolution Protocol

These are critical processes, both for the CCNA® exam, as well as for managing a Cisco network. Repeat this lab as often as needed to fully understand these processes.

Ethernet Roundup

2009-07-19T13:25:00.006-05:00

Lab 5 will introduce switch management of Ethernet addresses for forwarding and filtering decisions. Understanding everything about Ethernet is critical to passing the CCNA® exam. There is a lot of quality information about Ethernet available on the Internet, and we will not try to reinvent very good wheels that are already turning. If you have a CCNA® study guide such as Cisco's or Sybex's books, they also have excellent discussions of Ethernet.

We have included our high level discussion of Ethernet addressing.

We also recommend

Wikipedia - 10Base5

Wikipedia - 10Base2

Wikipedia - 10BaseT

Collision domains and CSMA-CD (Collision domains are back by popular demand! Included free of charge in every wireless network! Sort of.) Here are documents used at Hedgehog Tech on these subjects. These are intended for people with little experience with Ethernet broadcasts and collisions.

Broadcast domains

Collision Domains

Cisco Router-Switch Memory

2009-06-29T10:08:00.009-05:00

Any discussion of managing devices configurations must start with a discussion of memory on Cisco devices.

If all steps were followed in Labs 1 and 2, the switch, labsw1, has two copies of the configuration: the running configuration (running-config) and the startup configuration stored on the switch (startup-config). The startup configuration is stored on the switch even with the switch is powered down. The running configuration only exists when the switch is powered on, and the startup-config is loaded into RAM. These two configurations are stored in different memory on the switch.

Types of Memory

Cisco devices have four types of memory:

• ROM
• Flash memory
• NVRAM - Non-volatile RAM
• RAM, sometimes called DRAM (Dynamic Random Access Memory)

ROM is the least exciting and holds very important low level processes. One such process is the POST process used at bootup: Power On Self Test.

Flash memory holds a copy of the IOS. It is not affected by a loss of power, wihch insures that a copy of IOS is available at bootup.

NVRAM, Non-volatile RAM, stores the startup configuration. It is not affected by power loss, which insures that a copy of the startup configuration is available at bootup.

RAM memory is where all of the work of switching and routing take place. The IOS loads into RAM, then the startup configuration, and finally, the device begins to do its work. All information held in RAM is lost when power is lost or the device is reloaded.

Understanding how memory is used during the boot process may also be on the exam. The (simple) boot process for routers and switches:

Power-on self-test (POST)

Read IOS into RAM from Flash memory

Read startup-config into DRAM from NVRAM

At this point, the device has a running configuration.

Cisco emphasizes that there are two configurations in the router or switch. The two configurations are the startup-config and the running-config. Normally, the data in these two file should be the same; however, it is important to remember that commands entered in configuration mode (configure terminal) are made to the running-config, not to the startup-config. If changes are made, but not saved, the running-config and the startup-config are not the same, and the changes will not available when the switch or router or switch is rebooted.

Changes made to the running-config are saved to the startup-config by the command "copy running-config startup-config". This command copies the running configuration from DRAM to NVRAM. The saved configuration will be used at the next reboot.

CCNA® Lab 4 - TFTP Server and Configuration Backup

2009-06-29T06:30:00.049-05:00

Lab 4 Goals

● Explain locations for Cisco® device configuration
● Back up switch configuration to an external TFTP server
● Configure switch using the external configuration

Requirements

● Cisco switch configured with basic configuration from Labs 2 and 3
● PC with COM port, Ethernet port, TFTP server software
● Cisco rollover cable
● Ethernet cable

Process

● Connect the rollover cable and the Ethernet cable to PC1
● Configure the PC to the IP address shown above: 192.168.1.3 255.255.255.0
● Power on the switch and manage the switch using the console connection

Background

Cisco considers three device configuration files for the same device:

The running-config that resides in RAM and actually controls the device functions

The startup-config that resides in NVRAM, and is loaded when the device boots

An external copy of the configuration, stored on a TFTP server

The problem is that these configuration files are not automatically synchronized, and therefore, there can be differences between the configurations. As you have seen in Labs 2 and 3, configuration changes are made to the running-config. They are not saved until the command "copy running-config startup-config" backs up the running configuration. If changes are not saved, the "old" configuration will load the next time the device boots, and the device will not function as it is supposed to. Usually, a process that a customer considers very important stops working.

This can be an exciting time in a network, with much loud discussion about why a customer isn't working as they should. The customer expresses their concern to management, usually loudly, and management expresses their concerns to the technicians, usually loudly. Then a technician remembers that changes were made, finds the work order or change document, and makes the changes. Eventually the customer and management calm down and may even forget that the problem happened. Until the next time someone forgets to save changes made to a device.

Unfortunately, this happens more often than you might think. The solution to this problem is simple: save the changed configuration with the command "copy running-config startup-config".

While the problem above was caused by incomplete procedures and carelessness, a larger problem occurs when a device fails completely. If the only configurations are stored on the device as the running and startup configurations, the only method of recovering the configuration is to type it all in again, hoping that someone remembers everything that should be in the configuration. Life is not usually so kind. Technicians do not document their processes so well. After all, these were the same technicians that forgot to back up the configuration to the startup-config.

Cisco provided a solution. The IOS has the capability to move configurations between the router or switch, and an external server. This process uses an IP protocol called Trivial File Transfer Protocol: TFTP. Because the protocol is TFTP, the server is usually called a TFTP server (even though there can be other applications running on the server).

This lab will use TFTP to backup up a configuration and to restore the configuration to labsw1. The TFTP server should be connected to labsw1, which has the configuration from Labs 2 and 3. If you have have a hardware lab, you must have a TFTP server. The IP address for the TFTP server is 192.168.1.3 255.255.255.0. If you are using Packet Tracer, install a generic server, configure it with IP address 192.168.1.3 255.255.255.0, and make sure that TFTP is "on."

Backing up the configuration to a TFTP server

The format for all copy commands is the same:

copy [existing-location] [target-location]

For the copy command used in previous labs

• the existing location was the running-config
• the target location was the startup-config

The command to save the configuration is

copy running-config startup-config

Saving a configuration to a TFTP server uses the same format. To copy the running configuration to the TFTP server:

copy running-config tftp

To restore a configuration from a TFTP server to a new device, a similar copy command is used. The existing location is the TFTP server, and target location is the startup-config (never, never, copy a configuration to the running config. The configuration is merged with the existing configuration, and may cause problems).

The TFTP copy process

The process is always done in the router or switch. Before starting the copy process, it is advisable to test connectivity with a ping from the router or switch to IP address of the TFTP server:

1. labsw1>ping 192.168.1.3 If the test fails, check equipment configuration and connectivity."
2. labsw1> enable (Enter the enable password when prompted)"
3. labsw1 # copy run tftp

Copying a configuration to a TFTP server will result in two prompts. The first prompt is for the IP address or DNS name of the server(DNS not yet covered). The IP address is 192.168.1.3.

4. Address or name of remote host []? 192.168.1.3
5. Destination filename [labsw1-confg]?

Pressing Enter will accept the default name “labsw1-config”. The name can be changed if desired, for example, to labsw1."

6. Destination filename [labsw1-config]? labsw1
!!!!!!!!!

“!!!!!!!” is an indication that the copy process is working successfully. If the attempt was unsuccessful, the indication would be “....” If the copy is unsuccessful, check connectivity by a ping from the PC to the switch, and by verifying the function and configuration of the TFTP server software. Ping the IP address of the TFTP server to verify connectivity.

Depending on your system, it is possible to view the stored configuration on the TFTP server. The file is an ASCII file, and it will reside in the directory that you specified for the TFTP files. From a command prompt on the PC, use the "type" or "more" command to view the file. Notice that it is the same as the show running-config display on the switch.

Packet Tracer will show that the file was copied, but does not allow you to view the contents of the file. Verify the existence of the file by using Config > Services > TFTP. The file should be near the bottom of the list.

Test the restoration of the configuration from the TFTP server. To test, it is necessary to delete the startup configuration and reload the switch. Reloading the switch after deleting the startup configuration will return the switch to factory defaults. To delete the startup configuration:

7. labsw1# erase startup-config
Erasing the nvram filesystem will remove all configuration files! Continue? [confirm]
Press Enter to confirm
[OK]
Erase of nvram: complete
03:52:58: %SYS-7-NV_BLOCK_INIT: Initalized the geometry of nvramload
8. labsw1#reload

You may be presented with the following prompt:

System configuration has been modified. Save? [yes/no]:

Replying “yes” to save the configuration will be the same as the command “copy run start.” The goal is to reload the switch with no configuration. Reply “no”.

Proceed with reload? [confirm] Press Enter
03:53:05: %SYS-5-RELOAD: Reload requested

When the reload is complete, you will see

Press RETURN to get started!

Press Enter, and the switch will prompt:

Switch >

Before the configuration can be restored from the TFTP server, the switch must be configured with enough information that it can communicate with the TFTP server. For this lab, the interface VLAN 1 configuration must be restored.

9. Switch> enable
10. Switch# configuration terminal
11. Switch (config)#interface VLAN 1
12. Switch (config-if)# IP address 192.168.1.75 255.255.255.0
13. Switch (config-if)# no shutdown
14. Switch (config-if)#Crtl-Z
Switch#

At this point, the switch should be able to communicate with the TFTP server. To test the configuration, ping the IP address of the TFTP server::

15. Switch # ping 192.168.1.3

The ping should be successful.

Sending 5, 100-byte ICMP Echos to 192.168.1.3, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 31/31/31 ms

If the ping is successful, it will be possible to restore the configuration. From the switch:

16. Switch# copy tftp start

The information required to complete the copy is the same information above. Respond to the prompt with the information provided.

17. Address or name of remote host []? 192.168.1.3
18. Source filename []? labsw1 (Note: name must exactly match the name of the file saved above in Step 3.)
19. Destination filename [startup-config]? Press Enter to accept
Accessing tftp://192.168.1.3/labsw1-config...
Loading labsw1 from 192.168.0.3 (via Vlan1): !!!!
[OK - 1459 bytes]
[OK]
1459 bytes copied in 18.456 secs (79 bytes/sec)

Switch#

The copy was successful. The startup configuration can be viewed before reloading

20. Switch# show startup-config

The startup configuration should contain the same information created in Labs 2 and 3. Reload the switch to move the startup configuration into the running configuration.

21. Switch# reload

The switch will reload with the labsw1 configuration. Test the passwords, etc., and verify that the configuration is the one that was created in Labs 1 and 2.

Note: This lab is a very simple example of using a TFTP server. The server is in the same network/subnet as the switch. That will not be true in most networks. Missing from this example is a default gateway, required for most enterprise networks. The default gateway is related to routing, and will be covered in later labs.

Cisco CCNA® Commands - Appendix A

2009-06-28T17:12:00.001-05:00

Appendix A is used to document the commands used in the labs, and it will grow as new commands are introduced in the labs. The goal is to document every command used, but not every command available. It is possible to print every IOS command available, but it is highly recommended that you get a new print cartridge and several reams of paper before you begin. There are a lot of commands.
These commands need to be memorized and understood. They will be used on the exam, and they will be used in any position managing Cisco devices. You got to know the commands.

Enable command

The enable command is required to access the higher functions of Privileged EXEC mode. Enable mode is usually protected by a password (see below). Privileged EXEC mode is indicated by the pound sign (#) in the prompt.
Show commands

Show commands are used to display information about the router or switch.

Command	Purpose
show running-config	Displays the active, or current, configuration. The running configuration exits in RAM and is lost when the router or switch is rebooted.
show startup-config	Displays the stored configuration. The startup configuration is stored in Flash memory and is loaded into RAM when the router or switch is rebooted.
show version	Displays the version of the IOS, as well as information about the hardware configuration of the router or switch.
show interface [Interface type] [Inteface x/y]	Displays status of any interface: Serial, Ethernet, VLAN, loopback, etc. The most common physical interfaces for a router are serial and Ethernet/Fast Etherenet/Gigabit Ethernet. The most common physical interfaces for a switch are Fast Ethernet/Gigabit Ethernet.
show ip interface brief	Displays a summary of the status of all interfaces on a router or switch.
show vlan	Displays all VLANs on a switch and the ports assigned to each VLAN.

Configuration Commands
Configuration commands are used to change the configuration of a router or switch. When configuration mode is invoked by the configuration terminal command, the router or switch is in global configuration mode. Commands entered in global configuration mode either

•Affect the entire router or switch
•Enter a specific configuration mode, such as interface configuration mode, line configuration mode, etc.

Command	Purpose
configure terminal	Invokes global configuration mode in the Command Line Interface (CLI). Indicated by (config) in the prompt.
hostname [text]	Creates a custom host name. The hostname value can be any alpha-numeric value,but must start with an alpha character. The hostname is documentation; that is, it does not affect the function of the router or switch.
enable password [text]	Creates an enable password required to access Privileged EXEC mode. Used to prevent unauthorized access to higher level functions, such as configuration changes. The enable password is stored in clear text and is considered vulnerable.
enable secret [text]	Creates an encrypted password required to access Privileged EXEC mode. Used to prevent unauthorized access to higher level functions, such as configuration changes. An enable secret password will have priority over an enable password. Enable secret passwords are considered more secure.
line console 0	Used to access console configuration mode.
line vty 0 15	Accesses vty configuration mode. vty provides remote, telnet management. In line vty mode, all following configurations for vty apply to all 16 lines (0 – 15)(Note: older versions of IOS may be limited to 5 sessions: line vty 0 4)
password [text]	Used to configure all management lines: console, vty, auxilliary (aux one routers only. Creates a password required to access the router or switch
login	Used to configure all management lines: console, vty, auxilliary (aux one routers only.Requires the use of the password created by the password command.
Crtl-Z	Control key + “z” key. Terminates configuration mode

Interface Configuration Mode
Interface configuration mode is accessed from global configuration. Interface configuration mode is invoked when an interface is specified in Global Configuration Mode.

Command	Purpose
interface [type][slot#/port#]	The interface types installed on a router or switch can be displayed by using the "show ip interface brief" command. For an explanation of slot and port...
description [text]	Documentation for the interface. Does not affect interface function.
speed [10, 100, 1000]	Disables auto-negotiation for interface data transfer rate on Ethernet/Fast Ethernet/Gigabit Ethernet iterface and configures the interface for a single speed. Each interface has a maximum speed: Ethernet: 10Mbps, Fast Ethernet: 100Mbps, Gigabit: 1,000MBPS. An interface can run at lower speeds, but cannot exceed maximum rate for the interface (An Ethernet interface cannot run 10Mbps, a Fast Ethernet can run 10Mbps or 100Mbps, but it cannot run 1,000Mbps, etc.)
duplex [full half]	Establishes duplex for data transfer. Half duplex can transmit and receive, but not at the same time. Full duplex can transmit and receive at the same time. Full duplex mode disables CSMA-CD.
ip address [x.x.x.x y.y.y.y]	Assigns an IP address to an interface. Note: all router interfaces can be assigned an IP address. One layer 2 switches such as the 2950, only the VLAN interface can be assigned an IP address.
shutdown/ no shutdown	Shutdown disables an interface in IOS. It will not activate and transfer data. No shutdown reverses the shutdown command, allowing the interface to activate if all connectivity requirements are met.

Configuration Management Command
The following commands are used to store configurations, delete configurations and load configurations. All configuration commands must be entered in Privileged EXEC (enable) mode.

Command	Purpose
copy	The copy command is used to copy router and switch configurations to different locations. The command requires two locations or qualifiers: • the location of the configuration to be copied: running-config, startup-config, TFTP (server). • the location where the configuration will be stored: running-config, startup-config, TFTP (server). Example: copy running-config startup-config copies the active configuration in RAM to Flash memory. The running-config exists in RAM, the startup-config exists in Flash. TFTP indicates a remote TFTP server to store the configuration. Using the command to save the startup-config or to copy to a TFTP server overwrites the existing configuration. Used the copy command to copy to the running configuration merges the changes with the existing running-config.
erase startup-config	Command erases the startup-config. Used to restore router or switch to factory defaults.

Command

Purpose

copy

The copy command is used to copy router and switch configurations to different locations. The command requires two locations or qualifiers:

• the location of the configuration to be copied: running-config, startup-config, TFTP (server).

• the location where the configuration will be stored: running-config, startup-config, TFTP (server).

Example: copy running-config startup-config

copies the active configuration in RAM to Flash memory.

The running-config exists in RAM, the startup-config exists in Flash. TFTP indicates a remote TFTP server to store the configuration. Using the command to save the startup-config or to copy to a TFTP server overwrites the existing configuration. Used the copy command to copy to the running configuration merges the changes with the existing running-config.

erase startup-config

Command erases the startup-config. Used to restore router or switch to factory defaults.

CCNA® Labs - Software for Your Lab

2009-06-28T17:06:00.011-05:00

• TFTP server
• Syslog server
• DNS

If you don’t know what these are, you will. In fact, we will be using TFPT in the Lab 4, the next lab. Syslog and DNS will be covered in later labs.

This section applies to labs that are using Cisco routers and switches instead of a simulator. If you are using a simulator, these functions may be included in the software. Packet Tracer, for example, has TFTP support and DNS support, but it does not include a syslog server. To install these services in Packet Tracer, first chose a generic server from the End Devices and connect it to the switch. Then verify in the Config section that TFTP and DNS are “on.”

The following software is used in the Hedgehog labs, and provides support for all three services: TFTP, syslog and DNS, as well as two services not needed: FTP and DHCP. The software is free, and, so far, has presented no performance problems on the PC that supports them (more on this below). There are other software packages that perform the same functions very well, and are also free. If you are running Linux or UNIX in your lab, support for these functions is included in the operating system. Usually a few configuration changes are all that are needed to start the services. If you are running an Apple system, well.......

3CDaemon v.2 for Win32 from 3Com – TFPT, syslog, and FTP server support

Dual DHCP DNS Server from Sourceforge – DHCP and DNS

Both software packages are free, and come with no nagging messages. We run both packages on a system that is considerable slower than any new PC on the market today:

• Dell PC 2.4Ghz single processor
• 512meg of RAM
• Windows 2000

The system has experienced no performance issues even when other programs such as putty and a web browser are used, too.

3CDaemon v.2 for Win32 from 3Com is easy to configure. Create directories for the TFTP files and the syslog files in My Documents, or any directory that is easy to remember. Configure the services to use these directories, and the task is complete. We recommend that you name the directories tftp, or something similar, and syslog, or something similar.

Dual DHCP DNS server is a bit quirky, but works as advertised. When installed, it reads the Workgroup value from the System configuration, usually “Workgroup” and makes it the domain name. When using DNS, it is necessary to use the fully qualified name, such as "pc1.workgroup." Not quite as convenient as other DNS, but the price is right, and it works well in spite of this one quirk.

It also requires a static IP address instead of a dynamic address from DHCP. The software simply will not run if the PC has a dynamic address. Actually, that makes a lot of sense. If you are unfamiliar with DNS, understand that all devices in your lab require the IP address of the DNS server. If the address changes each time you reboot the PC running these services, you would need to reconfigure every device in your lab each time you rebooted the machine, which is inconvenient, wouldn't you say?

When configuring the static IP address for the DNS server, use the same static IP address for the DNS server. In other words, have the system point to itself so it will perform DNS services for your lab. Otherwise, the server will read another public DNS server, which has not been configured for your lab.

CCNA® Single Switch Labs

2009-06-28T17:02:00.013-05:00

As the name indicates, Single Switch Labs require a single switch. The skills learned in these labs will be applied to every switch in this program, and more importantly, to every Cisco switch in an enterprise network. So learn these lessons well. The information presented in these labs will be tested on the exam.
Lab 1: Initial Console Port Access
Lab 2: Basic Configuration
Lab 3: Testing the Configuration
CCNA Labs: Software for Your Lab
Lab 4: TFTP Server and Configuration Backup
Lab 5: MAC Address Management
Lab 6: Cleanup
Lab 7: Vlan Creation and VLAN Interface Assignment
Lab 8: Testing the VLANs
Lab 9: Configuration Issues
Lab 10: New Switch Configuration

CCNA Lab 3 - Testing the Configuration

2009-06-28T16:50:00.015-05:00

Lab 3 Goals

● Test vty connectivity and switch management
● Create an enable secret password
● Save the configuration

Lab Requirements

● Switch configured with Lab 2 configuration
● PC configured with
IP address 192.168.1.2 255.255.255.0
● Cisco rollover (console) cable
● Ethernet cable

In Lab 2, the switch was configured with several passwords:

● enable password - pass1
● Console password - pass3
● vty password - pass4

Configure a PC with IP address 192.168.1.2 255.255.255.0. Connect the PC to labsw1, Fast Ethernet 0/1. When the light on the interface turns green, you are ready to start. Test the connectivity with a ping from the PC to the switch VLAN 1 IP address: 192.168.1.75.

1. PC>ping 192.168.1.75

You should receive the following response:

Pinging 192.168.1.75 with 32 bytes of data:
Reply from 192.168.1.75: bytes=32 time=32ms TTL=255
Reply from 192.168.1.75: bytes=32 time=32ms TTL=255
Reply from 192.168.1.75: bytes=32 time=32ms TTL=255
Reply from 192.168.1.75: bytes=32 time=31ms TTL=255
Ping statistics for 192.168.1.75:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 31ms, Maximum = 32ms, Average = 31ms

If the ping is unsuccessful, verify your configuration and cabling. The interface that is connected to the PC and interface VLAN 1 should be " up, up". When the ping is successful, telnet to the switch:

2. PC> telnet 192.168.1.75

You will be prompted for a password. Use the vty password created in Lab 2: pass4. If the vty password (or any other password) is entered incorrectly (or if a mistake was made when creating the vty password), the telnet session will prompt for the password three times before it will terminate with the message [Connection to 192.168.1.75 closed by foreign host]. Performing the test in the console session will allow you to correct the configuration and retest.

Testing the Privileged Exec, or enable, Mode

Enable mode allows all access to the switch. Since enable mode is very powerful, it is usually secured by a password. The enable password configured In Lab 2 is pass1.

3. labsw1 > enable

You will be prompted for the enable password. Enter the enable password created in Lab 2: "pass1."

4. Password: pass1 (The password will not be displayed)

When the password has been entered correctly, the prompt will show:

labsw1 #

The pound sign (#) indicates that enable access has been granted.

Create enable secret password

The purpose of this and the following test is to demonstrate that a vty, or telnet, connection has the same control as a console connection. Configurations can be changed and managed from a vty connection exactly like a console connection.

The enable password created in Lab 2 is considered insecure. Cisco has created a method of bypassing all security, the Password Recovery Procedure. If the Password Recovery Process is used, the enable password could be displayed by using the “show running-config” or “show startup-config” command. The password, “pass1", is in clear text. Verify that the enable password is in clear text is by using the “show running-config” command.

A more secure process is to create an enable secret password instead of the enable password. The enable secret password will be encrypted in all displays, and cannot by determined by using the Password Recovery Process. To create an enable secret password,

5. labsw1 # configure terminal
6. labsw1(config) # enable secret pass5
7. labsw1 (config) # Crtl-Z

Now verify that the enable secret password has been created and that it is encrypted:

8. labsw1 # show running-config

Partial output below

Current configuration : 1350 bytes
!
version 12.1
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname labsw1
!
enable secret 5 $1$ADGV$w/H8cfK035rDMajX
enable password pass1
!

(Lines omitted)

Now two enable passwords exist: however, only one can be used. If an enable secret password has been created, it will always be the default password. The enable password, "pass1" in this example, will no longer work.
Test this change, exit enable mode with the "disable" command:

9. labsw1 # disable

The prompt, “>” indicates that the access has returned to User Exec Mode.

labsw1 >

Access Privilege Exec mode again by entering the enable command:

10. labsw1 > enable
11. Password:

First, test the change by entering the enable password created in Lab 2: "pass1." It should not work. The Password prompt will be displayed again. This time, enter the enable secret password created in Step 6: "pass5." Enable access should be granted:

labsw1 #

It is best to remove the enable password, since it no longer functions. Removing a configuration is usually accomplished by adding a "no" to the beginning of the command. You saw an example of this in Lab 2 with the "shutdown" command. The shutdown command was removed or reversed by using the "no shutdown" command. As stated earlier, most of the time, the "no" option at the beginning of a command reverses or removes the configuration. Access "configuration mode" and use the no command to remove the enable password.

12. labsw1# configuration terminal
13. labsw1(config) # no enable password
14. labsw1# (config)# Crtl-Z

Verify that the enable password has been removed:

15. labsw1# show running-config

Current configuration:
!
version 12.0
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname labsw1
!
enable secret 5 $1$M9aV$.WWzTZpZ1xlWQQZ0KOsax0
!
.
(Lines omitted)

Save the new configuration.

16. labsw1# copy running-config startup-config

Terminate the vty session

17. labsw1# exit

CCNA® Lab 2 - Basic Configuration

2009-06-28T12:55:00.059-05:00

Lab 2 Goals

• Connect to the switch using the console port
• Create a basic configuration

Lab Requirements

• PC
• Cisco console (rollover) cable
• Cisco Catalyst switch: 2950 or 2900-XL

The following lab assumes that the switch does not have a stored configuration (called startup-config). Connect to the console port and power on the switch. When the boot process is complete, the display should read:

Switch>

The following commands are used to display configuration and status information, and create a basic switch configuration. You should recognize changes in the prompt that occur as you progress through the exercise. Some of the following commands will produce more than one screen of display. The word “More” indicates that the display has more than one page. Use the Space Bar to advance the display one page or use the Enter key to advance one line. Practice using both the Space Bar and the Enter key to advance the display.

1. Switch> show ip interface brief

Interface IP-Address OK? Method Status Protocol
FastEthernet0/1 unassigned YES manual down down
FastEthernet0/2 unassigned YES manual down down
FastEthernet0/3 unassigned YES manual down down
FastEthernet0/4 unassigned YES manual down down
FastEthernet0/5 unassigned YES manual down down
FastEthernet0/6 unassigned YES manual down down
FastEthernet0/7 unassigned YES manual down down
FastEthernet0/8 unassigned YES manual down down
FastEthernet0/9 unassigned YES manual down down
FastEthernet0/10 unassigned YES manual down down
FastEthernet0/11 unassigned YES manual down down
FastEthernet0/12 unassigned YES manual down down

Lines omitted

Vlan1 unassigned YES manual administratively down

2. Switch>enable

switch#

Notice the change in prompt when the enable command is used: #.

Before configuring the switch, it is important to recognize the default, or “factory” or “out-of-the-box” configuration. The following step will show the default configuration. The default configuration may change with a new IOS, and your switch may be slightly different. To display the active, or running configuration:

3. Switch# show running-config
Building configuration...

Current configuration : 1123 bytes
!
version 12.1
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname Switch
!
!
ip subnet-zero
!
ip ssh time-out 120
ip ssh authentication-retries 3
!
spanning-tree mode pvst
no spanning-tree optimize bpdu transmission
spanning-tree extend system-id
!
!
!
!
interface FastEthernet0/1
!
interface FastEthernet0/2
!
interface FastEthernet0/3
!

Lines omitted. Press the space bar to advance one screen, press Enter to advance one line.

interface Vlan1
no ip address
no ip route-cache
shutdown
!
ip http server
!
line con 0
line vty 5 15

The following commands will create a "basic configuration" for the switch. Text displayed in [brackets] is a variable, and can be any acceptable text (brackets should not be used in the configuration).

Most configuration commands are implemented immediately when the Enter key is pressed. This is easily seen with hostname command. The prompt changes as soon as Enter is pressed.

This exercise uses multiple passwords. Later, we will use the same password, but understand that the switch considers each password to be unique, even if the same value is used for each password.

● The enable password protects the switch from unauthorized changes
● The console password protects the switch from unauthorized console acccess.
●The vty password protects the switch from unauthorized telnet, or remote access.

4. Switch# configure terminal
5. Switch(config)# hostname [labsw1]
6. labsw1 (config)# enable password [pass1]
7. labsw1 (config)# line console 0
8. labsw1 (config-line) # password [pass3]
9. labsw1 (config-line) # login
10.labsw1 (config-line) # line vty 0 15
11.labsw1 (config-line) # password [pass4]
12.labsw1 (config-line) # login

It should be obvious what the password command does, but it is not so obvious what the login command does. The login command makes the password a requirement for the console. Without the login command, access could be granted without requiring a password.

Interface Configuration

The following commands are typical configuration commands for the Ethernet interfaces. Ethernet is used generically, and is the most common term used for these interfaces. Understand the interfaces used on your switch. The interfaces on the 2900-XL and the 2950 switches are Fast Ethernet.Technically:

• Ethernet means 10 Megabits per second and half duplex.
• Fast Ethernet means 100 Megabits per second and full duplex, but Fast Ethernet can also run 10 Megabits and half duplex.
• Gigabit Ethernet means 1,000 Megabits, or Gigabit, and full duplex. A Gibabit Ethernet interface will run all lower speeds, and both full and half duplex.

All Ethernet, FastEthernet, and Gigabit Ethernet interfaces will automatically synchronize speed and duplex with a device attached to the interface. However, configuring a speed and duplex on an interface disables automatic synchronization, forcing the interface to run only at the configured speed and duplex.

13. labsw1 (config-if) # interface FastEthernet 0/1
14. labsw1 (config-if) # description [Supported device]
15. labsw1 (config-if) # speed 100
16. labsw1 (config-if) # duplex full
17. labsw1 (config-if) # interface VLAN 1
18. labsw1 (config-if) # description [Management interface]
19. labsw1 (config-if) # ip address [192.168.1.75 255.255.255.0]
20. labsw1 (config-if) #no shutdown

The following message should be displayed after the “no shutdown” command has been entered:
00:37:24: %LINK-3-UPDOWN: Interface Vlan1, changed state to up

21. labsw1 (config-if)# Crtl-Z (Exit configuration mode. Press Control key and Z simultaneously. Or use exit, exit)

22. labsw1# show ip interface brief

Compare the status of interface VLAN 1 with the Step 1 display.

Interface IP-Address OK? Method Status Protocol
FastEthernet0/1 unassigned YES unset down down
FastEthernet0/2 unassigned YES unset down down
FastEthernet0/3 unassigned YES unset down down

Lines omitted

Vlan1 192.168.1.75 YES manual up down

The physical interfaces on the switch, Fast Ethernet 0/1-24, do not become active, or “up, up”, until an active, powered-on Ethernet device, such as a PC, is connected to it. Interface VLAN 1 is a logical (non-physical) interface used to manage the switch. The only purpose for interface VLAN 1 is to support a vty or a remote telnet connection. It has an ““up, down” status, not quite ready for use. The reason that the VLAN1 interface is not “up, up”, or completely functional, is that no physical path exists to provide access to the interface. None of physical interfaces are “up, up.” At least one interface must be “up, up” to provide a physical path to the switch.

A critical skill is to understand each interface status and to know how to correct an error status.

• “Up, up” status indicates that the interface is active and will transfer data.

• “Down, down” status indicates that the interface is not connected to a device, or the device has no power. Actually, “down, down” indicates the interface sees no power from another Ethernet device. If a device is connected to a “down, down” interface, it will activate, or go “up, up.”

• “Up, down” status indicates that the interface is not fully functional.

• “Administratively down” status indicates that the interface has been configured with “shutdown” to prevent it from being used to transfer data.

The display from Step 3 shows that interface VLAN 1 is configured with a "shutdown command, which results in the interface status of "administratively down". Think of "administratively down" as being shutdown by a network administrator. The "shutdown" was reversed by a no shutdown" configuration. The result is that interface VLAN 1 attempts to activate, but cannot.

In this lab, nothing has been connected to the Ethernet interfaces, so no interface provides a path into or out of the switch. Bringing up at least one of the physical interfaces will cause the physical interface and the VLAN 1 interface to change to ““up, up”. This can be accomplished by connecting a PC to one of the Ethernet interfaces. Connect a computer to interface Fast Ethernet 0/1, and use “show ip interface brief” command again to see the interface status changes.

(Packet Tracer requires that the Ethernet configurations of the computer match the switch interface configuration. In this lab, interface FastEthernet 0/1 has been configured for 100 Meg, full duplex. The interface of the computer must be configured the same for the port to go "up, up.": 100Meg, full duplex. In real life, modern computer Ethernet interfaces will auto-discover these values.)
Compare the displays from Step 1, Step 22 and Step 23.

23. labsw1# show ip interface brief

Interface IP-Address OK? Method Status Protocol
FastEthernet0/1 unassigned YES unset up up
FastEthernet0/2 unassigned YES unset down down
FastEthernet0/3 unassigned YES unset down down
. (lines omitted)
Vlan1 192.168.1.75 YES manual up up
• In Step 1, Fast Ethernet 0/1 is "down, down" and interface VLAN 1 is "administratively down" because is configured as "shutdown."
• In Step 22, after the "no shutdown" configuration was made to interface VLAN 1 in Step 20, interface VLAN 1 is "up, down."
• In Step 23, after a computer is connected to interface Fast Ethernet 0/1, interface Fast Ethernet 0/1 is "up, up," and interface VLAN 1 is "up, up."

The display below shows the changes in the Fast Ethernet 0/1 configuration:

24. labsw1 # show interface FastEthernet 0/1

FastEthernet0/1 is up, line protocol is up (connected)
Hardware is Fast Ethernet, address is 0009.43cb.3001 (bia 0009.43cb.3001)
Description: Supported device: PC 192.168.1.26
MTU 1500 bytes, BW 100000 Kbit, DLY 100 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation ARPA, loopback not set
Keepalive set (10 sec)
Full-duplex, 100Mb/s, media type is 100BaseTX
input flow-control is unsupported output flow-control is unsupported
ARP type: ARPA, ARP Timeout 04:00:00
Last input 00:00:03, output 00:00:00, output hang never
Last clearing of "show interface" counters never
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
. (lines omitted)

Compare with the new switch configuration with the configuration from Step 2.

25. labsw1 # show running-config

Building configuration...

Current configuration : 1350 bytes
!
version 12.1
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname labsw1
!
enable password pass1
!
ip subnet-zero
.
(lines omitted)
.
interface FastEthernet0/1
description Supported device: PC 192.168.1.26
speed 100
duplex full
!
interface FastEthernet0/2
!
interface FastEthernet0/3
(Lines omitted>
!
interface Vlan1
description Management interface
ip address 192.168.1.75 255.255.255.0
no ip route-cache
!
ip http server
!
line con 0
password pass3
login
line vty 0 4
password pass4
login
line vty 5 15
password pass4
login
!
!
end

Save the configuration

The configuration must be saved if the configuration is to be used after a reload or power down/up. The command is entered from enable mode:

26. labsw1# copy running-config startup-config

More on configuration management later.

This ends Lab 2. This is a critical lab. It was titled “Basic Switch Configuration” because it will be used for all future Cisco equipment configurations (meaning that this is also the “Basic Router Configuration”, with a few changes). Memorizing and absorbing this information is critical. Review as much as required, and then review some more. You have fully grasped the information when you can complete all steps without this guide, and you know what each step does.

It is highly advisable that this lab be repeated many times. To repeat the lab, delete the saved configuration:

erase startup-config

Then power the switch off/on the switch to bring it up in the original default configuration. The switch can also be rebooted with the reload command. When prompted to save the configuration, reply “no”. Press enter to continue with the reload.

The before-and-after comparisons may seem tedious, but they are a critical skill. The CCNA exam will have questions that measure your ability to recognize configuration errors. Before you can identify a configuration mistake, you have to recognize a correct configuration. It can get even tougher in a network management position. Many times you have to compare two configurations and identify the problem. There is no substitute for understanding device configurations.

You may continue with the Lab 3 before powering the switch off or disconnecting the console cable.

CCNA® Lab 1 - Console Port Access

2009-06-28T12:20:00.040-05:00

Lab 1 Goals

● Connect to the switch using the console port
● View the boot process
● Basic commands

Lab Requirements

● PC
● Cisco console (rollover) cable
● Cisco Catalyst switch: 2950 or 2900-XL

Process

Using the Cisco console cable, connect the PC COMM port to the switch console port. Make sure that your terminal program is configured for 8N1 (8 data bits, No stop bits, 1 parity bit).

Power on the switch. Very soon, text should be displayed on your PC. If no text is displayed, review your PC COMM port configuration.

It is important to understand the boot sequence. You should observe it enough times to be familiar with the messages and what they mean. Below are some critical displays with explanations.

Loading the IOS

Loading "flash:/c2950-i6q4l2-mz.121-22.EA4.bin"...
########################################################################## [OK]
Restricted Rights Legend

Things to recognize:
1. The boot sequence loads IOS from Flash memory. This is true for all Cisco IOS devices.
2. The version of IOS being loaded (your version will probably be different).
3. The “#’s” indicate the load progress.
4. [OK] indicates that the IOS load was successful.

Hardware Summary

The boot process provides a summary of the hardware configuration of the switch, shown below.

Cisco WS-C2950-24 (RC32300) processor (revision C0) with 21039K bytes of memory.
Processor board ID FHK0610Z0WC
Running Standard Image
24 FastEthernet/IEEE 802.3 interface(s)

32K bytes of flash-simulated non-volatile configuration memory.
Base ethernet MAC Address: 00E0.F928.5566
Motherboard assembly number: 73-5781-09
Power supply part number: 34-0965-01
Motherboard serial number: FOC061004SZ
Power supply serial number: DAB0609127D
Model revision number: C0
Motherboard revision number: A0
Model number: WS-C2950-24
System serial number: FHK0610Z0WC

Note the following information:

1. Switch model: WS-C2950-24

2. 24 FastEthernet/IEEE 802.3 interfaces – the number of interfaces or connections that the switch supports.

3. Memory 21039K (RAM), and 32K flash-simulated non-volatile configuration memory. Non-volatile memory is similar to a hard drive on a computer. It stores information to be used by the switch. The information is retained when the device is powered down. RAM is the same as RAM on a computer.

4. Base MAC address: 00E0.F928.5566 – All of Layer 2 switching is dependent on MAC addresses. Become familiar with the MAC addresses of all types of equipment.

If the switch has no saved, or startup, configuration, you may be prompted to enter initial configuration dialog. For now, enter "no." Messages may appear on the screen, but at some point, the messages will stop. Press Return to access the switch.

Notice that the prompt is “Switch>.” A prompt of “Switch>” usually means that the switch has not been configured, or more correctly, has the default (out-of-the-box) configuration. The “>” indicates that you are in User EXEC mode, the least powerful access mode. To view the commands available in User Exec mode, enter “?”.

User Exec mode is limited to protect the switch from unauthorized changes. A more powerful mode is supported by IOS: Privilege EXEC mode. In the next lab, we will set passwords to limit access to Privilege EXEC mode. For now, access Privilege Exec mode by using the “enable” command.

Switch>enable
Switch#

The prompt now has a pound sign: #. This indicates Privilege EXEC mode. If you are experienced with UNIX/Linux, it is similar to root access, which is also indicated by the pound sign. Privilege EXEC mode is usually called “enable mode” by experienced techs. It may be called either enable mode or Privilege EXEC mod on the exam. Enable mode supports all commands that are available in User EXEC mode, as well as many other commands. Display the commands available in Privilege EXEC mode by entering “?”. All access is available in Privilege Exec mode, including configuration commands.

Notice “–More—“ at the bottom of the display, indicating that additional information is available. To display the remaining information, use “Enter” to display one line at a time, or use the space bar to display one screen at a time. This process is used for all displays that are larger than one screen. Practice using both.

As indicated above, all techs need to understand switch and router configurations. This includes understanding a configuration and its function, but it is also means to recognized when a component has not been configured. The following exercise will display the configuration of a switch that has not been customized. Understand that all devices have a configuration, but the default configuration may lack critical features. The following commands are important, not only for the exam, but more importantly, for managing a Cisco network. Learn the commands and the information they produce.

Switch#show running-config

The following display may be slightly different in your switch, depending on the model and IOS version. However, you will see these same elements, but perhaps in a different part of the display.

Building configuration...

Current configuration : 863 bytes
!
version 12.1
no service password-encryption
!
hostname Switch
!
!
!
interface FastEthernet0/1
!
interface FastEthernet0/2
!
interface FastEthernet0/3
!
interface FastEthernet0/4
!
interface FastEthernet0/5
!
interface FastEthernet0/6
!
interface FastEthernet0/7
!
interface FastEthernet0/8
!
interface FastEthernet0/9
!
interface FastEthernet0/10
!
interface FastEthernet0/11
!
interface FastEthernet0/12
!
(Interfaces 13-24 omitted)
!
interface Vlan1
no ip address
shutdown
!
line con 0
!
line vty 0 4
login
line vty 5 15
login
!
!
End

Note the following:

The hostname is Switch, which is the same as the prompt. The hostname value is the system prompt.

The FastEthernet interfaces have no visible configuration. Actually, each has a configuration which are all automatic features. Issues such as automatic speed and duplex negotiation, as well as some trunk port negotiation values have been set, but are not displayed.

Compare the Vlan1 interface with the FastEthernet interfaces. Unlike switch FastEthernet interfaces, the Vlan1 interface can be configured with an IP address, but has not been configured with one. The Vlan1 interface has also been shut down.

The FastEthernet interfaces do not support IP addresses, and they have not been shut down.

There are three entries for lines: con 0, vty 0 4, and vty 5 15. (You may not have vty 5 15 on your model.)

Console and vty lines are used to manage the switch. The connectivity is different but the access authority (what you can do) is the same for either type of connection.

● Con 0 is the console line. There is a single console port, con 0. It is a physical line.
● Vty lines are virtual tty, or terminal, connections. vty lines support remote connections, either telnet or ssh.
● There are 16 vty lines for this switch: 0 through 4, and 5 through 15, or actually line 0 to line 15. These define the number of simultaneous connections that can be made to the switch. 16 simultaneous telnet sessions can be established to this switch.

What's the difference between interfaces, lines and ports? “Port” is not officially a part of Cisco vocabulary, even though everyone says "ports" when talking about the console port or data interfaces, as in, “What port is it on?” The difference between an interface and a line is the type of data that the interface or line supports. An interface, such as interface FastEthernet 0/1, is used to transport user data, such as IP, HTTP, etc. Lines are used for device management. Summary: Interface = data, lines = management access.

Switch# show version

The “show version“ command will display the version of IOS installed on the switch (or router), but it will display more than just the IOS version. It will also display most of the information that was shown during the boot process:

Cisco Internetwork Operating System Software
IOS (tm) C2950 Software (C2950-I6Q4L2-M), Version 12.1(22)EA4, RELEASE SOFTWARE(fc1)
Copyright (c) 1986-2005 by cisco Systems, Inc.
Compiled Wed 18-May-05 22:31 by jharirba
Image text-base: 0x80010000, data-base: 0x80562000

ROM: Bootstrap program is is C2950 boot loader

Switch uptime is 35 seconds (How long the system has been available)
System returned to ROM by power-on (How the system was booted: power or system reload)

Cisco WS-C2950-24 (RC32300) processor (revision C0) with 21039K bytes of memory.
Processor board ID FHK0610Z0WC
Last reset from system-reset
Running Standard Image
24 FastEthernet/IEEE 802.3 interface(s)

32K bytes of flash-simulated non-volatile configuration memory.
Base ethernet MAC Address: 000C.CF90.9B8A
Motherboard assembly number: 73-5781-09
Power supply part number: 34-0965-01
Motherboard serial number: FOC061004SZ
Power supply serial number: DAB0609127D
Model revision number: C0
Motherboard revision number: A0
Model number: WS-C2950-24
System serial number: FHK0610Z0WC
Configuration register is 0xF

You have seen most of this information before during the boot process. One piece of information that is available from the show version command is the method by which it was rebooted, and the amount of time that the switch has been up. In this situation, the switch was powered on:

Switch uptime is 35 seconds
System returned to ROM by power-on

If the switch is booted by using the reload command, the display would show

Switch uptime is 45 minutes
System returned to ROM by reload at 09:22:58 edt Sun Feb 28, 2009

Interface displays

The status of interfaces can be displayed individually, or a summary of the status of all interfaces can be displayed. Interface status and statistics are some of your most important troubleshooting tools. It is critical to understand this display.

Switch#show interface FastEthernet Fa0/1

Note: this display contains a lot of information, all of it relevant in different troubleshooting situations, but not all of it is relevant here. Sections of the display are not shown.

FastEthernet0/1 is down, line protocol is down (disabled)
Hardware is Lance, address is 0010.112b.e701 (bia 0010.112b.e701)
MTU 1500 bytes, BW 100000 Kbit, DLY 1000 usec,
. [Lines deleted]
956 packets input, 193351 bytes, 0 no buffer
Received 956 broadcasts, 0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 watchdog, 0 multicast, 0 pause input
0 input packets with dribble condition detected
2357 packets output, 263570 bytes, 0 underruns
0 output errors, 0 collisions, 10 interface resets
0 babbles, 0 late collision, 0 deferred
0 lost carrier, 0 no carrier
0 output buffer failures, 0 output buffers swapped out

The interface status is shown in the first line. In this display, the interface is "down, down". The remaining lines at the end of the display are data volume and errors. This information is critical in many troubleshooting exercises.

The show ip interface brief command shows a summary of the status of all interfaces.

Switch# show ip interface brief

Interface IP-Address OK? Method Status Protocol

FastEthernet0/1 unassigned YES manual down down
FastEthernet0/2 unassigned YES manual down down
FastEthernet0/3 unassigned YES manual down down
FastEthernet0/4 unassigned YES manual down down
FastEthernet0/5 unassigned YES manual down down
FastEthernet0/6 unassigned YES manual down down
FastEthernet0/7 unassigned YES manual down down
FastEthernet0/8 unassigned YES manual down down
FastEthernet0/9 unassigned YES manual down down
FastEthernet0/10 unassigned YES manual down down
FastEthernet0/11 unassigned YES manual down down
FastEthernet0/12 unassigned YES manual down down

[Lines omitted]

Vlan1 unassigned YES manual administratively down down

In this display, all FastEthernet interfaces are "down, down". The status of the VLAN1 interface is "administratively down".

VLANs

VLANS will be discussed in significant detail in future labs, but each switch comes out of the box with VLAN 1.

Switch>show vlan


VLAN Name                     Status    Ports
---- -------------------- --------- -------------------------------
1    default              active    Fa0/1, Fa0/2, Fa0/3, Fa0/4
                                    Fa0/5, Fa0/6, Fa0/7, Fa0/8
                                    Fa0/9,Fa0/10, Fa0/11,Fa0/12
                                    Fa0/13,Fa0/14,Fa0/15,Fa0/16
                                    Fa0/17,Fa0/18,Fa0/19,Fa0/20
                                    Fa0/21,Fa0/22,Fa0/23,Fa0/24
1002 fddi-default         active    
1003 token-ring-default   active    
1004 fddinet-default      active    
1005 trnet-default        active    
 
VLAN Type SAID MTU Parnt RngNo BrdgeN Stp BrdgMode Trns1 Trns2
---- ----- ---------- ----- ------ ------ -------- ---- -------- 
1    enet  100001     1500  -      -      -        0      0
1002 enet  101002     1500  -      -      -        0      0
1003 enet  101003     1500  -      -      -        0      0
1004 enet  101004     1500  -      -      -        0      0
1005 enet  101005     1500  -      -      -        0      0

All FastEthernet interfaces are in VLAN1, which is indicated as the default VLAN. The VLANs 1002-1005 are also default VLANS with a special purpose. If you are not familiar with VLANs, they will be covered in future labs.

Using Cisco IOS Commands

If you are just starting with Cisco IOS, you may feel that the commands are long and tedious. To help with that problem, Cisco has written the IOS to accept abbreviated commands as long as the commands are unique; that is, they cannot be confused with another command. You only have to enter enough letters to uniquely identify the command.

For example, we used the enable command above. What is the shortest command possible for enable? If the letter “e” is entered (the smallest number of letters possible), the switch returns the following:

Switch#e
% Ambiguous command: "e"

Why is “e” ambiguous? Other commands start with “e” and the switch does not know which one you want. To find the other commands that begin with “e”, enter

Switch#e? (no space between “e” and ?)

The switch returns

Switch#e?
enable erase exit

• "en" is unique for "enable"
• "er" is unique for "erase"
• "ex" is unique for "exit"

There is no magic formula for determining the smallest number of characters that make a command unique. A command that you will be using very often in these labs is the “configure terminal” command. What is the smallest number of characters for this command? Find out by using “c?”, “co?”, “con?”. You find that the smallest number of characters needed to make the configure command unique is “conf”. Test for the shortest number of characters for “configure terminal” by using “conf t?” (no space after “t”). Terminal requires only “t”, because the only command that follows “configure” that begins with “t” is “terminal.”

Every command can be abbreviated. You will develop a set of abbreviations that you are comfortable with as you work with IOS devices.

Another use of the “?” is to find the qualifiers for a particular command. For example, the options for the configure command can be displayed by

Switch#configure ? (space between configure and “?”)
terminal Configure from the terminal

The options for configure are “terminal” and carriage return(cr) (or Enter). Using (cr) will produce the following

Configuring from terminal, memory, or network [terminal]? Enter configuration commands, one per line. End with CNTL/Z.

"Terminal" is the default, but you can also configure from "memory" or "network."

A final thing to understand about commands is that a command can be completed by using the tab key. Enter “conf” and press tab, and the switch will complete the command as “configure.” Practice these commands to begin to develop your Cisco “keyboarding” skills.

Lab 2 will configure your switch with a basic configuration.

Cisco® Password Recover Procedure

2009-06-28T12:08:00.005-05:00

So you got your equipment from ebay, and you can't access the equipment by using the console port. This thing keeps asking for a password. You tried test, password, cisco, and nothing works. Now what?

This is your first test.

Cisco has provided a solution: Password Recovery Procedure. As you can see, they have documented the process for every device they made. In a nutshell, the process for most devices is:

connect to the console port

power the device on

do something to interrupt the normal boot process, usually enter a Break character in the first 60 seconds

This process is not really a beginner level skill; however, Cisco has provided excellent instructions, and any hedgeling should be able to follow them. Eventually.

But the process has problems. Not the process, per se, but finding the right key strokes for the Break character can be a wee challenge, if the process calls for a Break sequence.

Here is the process we have developed here at the Institute*:

Create two profiles for your terminal program: putty or Hyperterm:

• the normal "9600 8N1" profile for normal console access

• one with "2400 8N1", for using with the Password Recover Procedure

Name the normal profile something catchy like Cisco. Name the second program something easy to remember like Break.

Start your terminal program with the Break profile (2400 8N1).

Connect to the console port and power on the router.

As soon as the fan starts to turn, start hitting the space bar until you see gibberish on the screen.

Stop the Break profile and start the Cisco profile (9600 8N1). Press enter. The router should respond with ">rommon". Follow the procedure as described in the Password Recovery Procedure.

At some point, you will be instructed to enter “copy start run”. Don’t do it. You do not want the old configuration in the router. Instead, enter “write erase” to delete the stored configuration. If the device is a switch, make sure that you remove any VLAN configuration: "delete flash:vlan.dat". Follow the prompts to complete.

Whatever you do, make sure that you finish the Password Recovery Procedure. Otherwise, the router may not boot correctly, cause a multitude of problems. Of course, you can always do it again and make it work.

Check your hardware to make sure you use the correct process.

*If this process appears as a test question, Cisco is looking for a Break sequence, not a work around like we have shown.

Cisco® Token Ring Only Routers

2009-06-28T11:09:00.003-05:00

Actually, this is not about routers that have Token Ring Interfaces, but routers whose only LAN interface is Token Ring. There are routers that have both Ethernet and Token Ring interfaces, and are good candidates for your lab. All routers should also have serial interfaces.

The concepts described herein will probably be above any newbie hedgeling, but we are going to give it a shot.

IP networks and subnets are added to a network by giving a router interface an IP address from the new IP network/subnet. In effect, that makes the router interface the "door" to the new IP network/subnet. When the interface goes active, or "up, up," the router supporting that interface will broadcast the new IP network/subnet to the entire network. All routers in the network will create a route to the new IP network/subnet based on the rules of the routing protocol that is being used.

A routing table is a map. It contains routes to all of the networks/subnets in your network, and uses the routes as a map to deliver packets to an IP network/subnet. It’s kind of like, “The destination IP address for that packet is in that IP network/subnet. The routing table say that my path to that network/subnet is through that interface.” And the router transmits the packet on the specified interface to a neighboring router, the neighboring router does the same thing, and eventually the packet gets delivered.

The problem is that a network/subnet will not exist in the larger network until the interface is active, or "up, up." When an interface goes active, the router will advertise that the new IP network/subnet is in the network. All physical interfaces, serial, Ethernet or Token Ring, must be electrically activated to go "up, up." With serial interfaces and Ethernet interfaces, it’s easy. Connect the serial interface correctly to a serial interface on another router, and you can get the interface to activate. For an Ethernet interface, connect it to a switch port and the Ethernet interface can be activated.

To use a Token Ring interface, you must connect to the interface to a Token Ring MSAU, another piece of equipment that is no longer used by anyone. Otherwise, the Token Ring interface will not activate, and might as well not exist. So never buy a Token Ring router, right?

Maybe not.

Routers also support a virtual interface called a loopback interface. A loopback interface can be activated without a physical connection. In other words, it is treated by the network as a live interface even thought it does not have a physical connection. It can be given an IP address and the router will advertise the IP network/subnet associated with the IP address. It acts like an Ethernet interface, except it doesn’t actually transmit data.

Which is okay sometimes. Managing routing tables is a major challenge in Cisco networking, whether you are preparing for an exam or running a network. Using a loopback interface allows you to add a new IP network/subnet to the network, and watch the address propagate through the network. A loopback interface is as good as a physical interface for that. Or better, since you can set it up easily. As long as the router has serial interfaces to connect it to the overall network, it will work fine for learning routing protocols and routing table processes. It does not need a LAN interface, so a router that only has a Token Ring LAN interface will work very well for this situation.

Yes, we said that it was okay to get a Token Ring router with four serial ports to serve as your Frame Relay switch. Routers with four serial ports are desirable for this reason, and the price goes up accordingly. If you get a router with Token Ring LAN interface (only) with four serial ports, you can manage the frame relay configurtion by connecting to the console port. Frame relay is a big deal in the Cisco world, both on the CCNA exam as well as in enterprise networks. So any router with four serial ports is good for your lab. Just be a careful shopper. Compare the price to a router with four serial ports AND Ethernet, such as a Cisco 2500 model with those interfaces, or perhaps a Cisco 2600 with those interfaces.

The bottom line: yes, a Token Ring router will work in your lab.

The bottomer line: if you didn’t understand this, don’t get a router that has only a Token Ring LAN interface.

The very bottomest line: If you decide to get a router with a Token Ring interface, don't rely on Token Ring only routers. Make sure you have some routers with Ethernet interfaces.

Building your CCNA® Lab - Routers and Switches

2009-06-28T10:03:00.022-05:00

This is a long post, so be warned. If you have little or no experience with Cisco equipment, much of this can be confusing. If you have friends or acquaintances with Cisco experience, discuss this with them. However, there are two types of people to avoid:

• Those who tell you that you don't need a lab because they achieved X,Y and Z without buying anything, and only an idiot needs a lab.
• Those who must have the newest, latest and greatest of everything, and tell you that you are not only an idiot, but undoubtedly a broke idiot if you can't buy 7200 routers and 6500 switches.

Both of these types are telling you about themselves instead of what you need.

Hedgelings, you need a lab.

The days of the paper CCNA (when you could pass the CCNA exam by reading “paper” or books) are gone. Cisco made the exam tougher to weed out candidates who have limited hands-on experience, so plan on building a lab. Education has a cost, both money and time. You are making an investment in your future. If you get a CCNA cert, your expenses will be worth it. (And worth even more if you get a CCNP, CCVP, CCIE.) Consider the following options:

Option 1. Purchase a network simulator designed for the CCNA or CCNP exam. There are some very good simulators on the market. Do your research and make sure you get the best one you can afford.

WARNING: There is a free simulator on the Internet: GNS3, which is really Dynamips with GNS3. It's a great program. Truly spectacular. And totally unsuitable for hedgelings just starting their studies. Configuring the software is a major challenge, both hardware, like interfaces and memory, as well as the IOS. And you must have real, honest-to-goodness IOS from Cisco to make it work. Way beyond the scope of a CCNA program. Plus, the emphasis is on routing, so it is not adequate for CCNA switch exercises. Did I mention that it is not easy to set up? After you get your CCNA, consider getting it for a CCNP, CCVP, or even some CCIE stuff.

Option 2. Enroll in a Cisco Network Academy program at your local community college. This option has a lot going for it.

A teacher/trainer

A very decent network simulator from Cisco: Packet Tracer. Registered Network Academy students can download the simulator as a part of the course. Very decent simulator, my young hedgehogs, very decent. And included in the cost of the course.

Access to actual Cisco equipment in the class.

Did I mention Packet Tracer? It’s pretty darned good.

Option 3. Purchase used Cisco equipment

This is the best and worst option. Nothing, like nothing, beats actual hardware. Since it is real Cisco hardware, it performs exactly like … real Cisco hardware. The problem is knowing what to get, when to get it, and what to do with it. Not only will you need routers and switches, but you will need a variety of cables to make it work. And you might decide that you need more memory to run newer IOS versions. And then you want a terminal server… and the list goes on and on.

Below is our recommended hardware list for CCNA candidates (all of these can be found on ebay, who has not yet decided to advertise with us. Wazzupwiddat?) Do not buy more equipment than what is listed here. More equipment WILL NOT get you a higher score on the test. Be wise with your money and time.

Cisco switches

You need three. You might get by with 2, and we will do our best to show you how to learn everything with 2, but 3 is better. The switches to consider are the 2950 and the 2900-XL switches. Both are available in 12 and 24 port models. All are available on ebay for reasonable prices, whatever reasonable means.

The 2950 is the more modern and more desirable switch, and it will cost more. The 2950 switch uses native IOS, the same IOS used by routers, with additional support for switching commands. What does that really mean? It means that all configuration commands are entered in configuration mode instead of vlan database mode. The difference in the command sets are minor, and you can probably pass the exam if you did all of the switching labs with 2900-XL switches. But the Headgehog recommends at least one 2950 switch.

Our recommendation:

● 1 - 2950 Catalyst switch

● 2 - 2900-XL Catalyst switches: 2912 or 2924

If you can afford three 2950 switches, great. Get them. If finances are a serious problem, you can sorta, kinda, almost, get by with 2900-XL switches. And you might need only two switches. Sorta. Kinda. Almost. We will do our best to explain things using two switches, but three is better.

Avoid 1700, 1900, or 5000 switches. You can find these cheap. Like, real cheap, and they function well as switches. But their command sets are very different, so avoid them, no matter how much money you can save.

Routers

Almost any router will work. The issue is cost. New router models cost more than older router models, but older models are usually more than adequate for a CCNA lab. We recommend Cisco 2500 routers whenever possible, but there are other candidates, too. Cisco 2500 routers have at least one LAN interface and two serial interfaces, and will also work in a CCNP lab, if you decide to continue your certifications.

● 3 – 2501 routers with Ethernet transceivers, or any 2500 routers with 10BaseT interfaces. Most 2500 routers have a LAN interface and two serial interfaces, though models with four serial interfaces are highly desirable (see next recommendation). Do your research. 2501 routers, or any router with an AUI Ethernet interface, will need transceivers, which can add about $15 to the cost of each router.

● 1 router with 4 serial interfaces. You will need 4 serial interfaces for your Frame Relay labs. If you don’t know what Frame Relay is, don’t worry. You will.

Affordable routers with four serial ports:

● 2520 series router with 2 synch/2 asynch/synch serial interfaces (This can even be a 2521 Token Ring router, the only time to consider a Token ring router (if the price is right. Shop wisely.)

● 2600 router with 4 serial interfaces.

● 4000-4500 router with 4 serial interfaces

If you can afford four 2600 routers, great. Get them. The price goes up. 2600 routers are modular, and many vendors sell the modules separately. You can add the interfaces you need, or better, buy routers that already have them. When looking for 2600 routers, DO NOT buy routers with a WIC–DSU-T1 interface or any interface with DSU in the name. These are great interfaces when you have a T1 circuit (If your burrow has T1 circuits, then, wow). Instead, look for routers with the following serial interface cards, or purchase the interfaces later.

● WIC-1T (single serial interface. 2 cards are better than 1)

● NM-4E (4 serial interfaces)

● NM-8E (8 serial interfaces)

WIC-2T cards have 2 serial interfaces in one card, but they require a different cable. They work great, but the cost will go up.

All 2600 routers include an Ethernet interface as a part of the basic model. The later models have Fast Ethernet, or 100BaseT, interfaces. There is one important lab that requires a Fast Ethernet interface: Ethernet sub-interfaces. If you get a 2600 router, try to get one with a Fast Ethernet (100BaseT) interface.

Cables

● At least 3 serial crossover (DTE-DCE) cables

● At least 3 Ethernet crossover cables

● Enough Ethernet cables to connect your PC(s) and routers to the network

● 1 Cisco rollover (console) cable

You can probably find Ethernet crossover cables at any decent consumer electronics store that sells computers, Internet routers, etc. You can find serial crossover cables on ebay. Buy the shortest ones you can find. Cabling becomes a mess in a lab environment, and short cables help control the confusion.

Avoid (almost) any router that only has a Token Ring LAN interface. The only exception is a 2521 with four serial ports, if the price is right. You can make them work in your network, but making them work is not always simple. Cheap, probably. Easy, maybe not.

A last word on 2500 routers. The 2500 family of routers has been in end-of-life/end-of-support for a long time. That may sound bad, but it’s really not. They will perform about 99% of everything you need for the CCNA labs. Cisco also did us a really big favor by continuing to update the 2500 IOS. With 16Meg RAM and 16Meg NVRAM (non-volatile RAM), you can run very up-to-date IOS, including IPv6 support. If you need to upgrade the memory, bundles of memory (16/16) can be found on ebay for about $25-$50. The newest IOS is not needed for most of the CCNA labs. In fact, you can probably learn everything you need with minimum memory and old IOS. However, $25 to run the latest and greatest IOS is pretty cheap. Look for routers with 16/16 memory. The difference in cost is usually less than $25.

4000-4500 routers are also modular, but are often sold without interfaces. The only reason to buy a 4000 or 4500 router is to get four serial interfaces. If you can’t verify that it has four serial interfaces, don’t buy it. They have limited value beyond the CCNA, or to serve as a Frame Relay switch in a CCNP study. Again, it may be smarter to spend more money on other routers. But they work well if you get the interfaces you need, and they can be cheap.

Very Important Notee

If you buy equipment from ebay, it will most assuredly have a configuration in it, including passwords that will prevent you from gaining access to the equipment. Count on it. There is a solution.

The last hardware item to consider for your lab is a serial, or COM, port for your PC. If you have a new PC, particularly a laptop, it probably does not have a serial port.

YOU HAVE TO HAVE A COMM PORT.

You will need a USB serial adapter. This is one area where we advise much caution, young hedgelings. Yes, you will find them cheap, cheap, I tell you, cheap, on ebay. And they will not work. At least, the ones we got did not. Spend the $25-$40 and buy a brand name adapter. It will have drivers for your operating system, and a help desk to help you if you can’t figure it out.

Software

Your lab experience will be greatly improved with the right software. You will need an asynchronous terminal program. If your operating system is Windows XP, you should have Hyperterm in Accessories > Communications. It is a fine program. If your operating system is Linux, you may have minicom, or you can install minicom, another fine program. If you are running one of the Apple systems, good luck. And finally, if you are running Windows Vista, you have no asynchronous terminal program. After all, if your new(ish) computer didn’t have a COMM port, you don’t need a terminal program.

For any and all Windows platforms, we recommend putty. It supports asynch connectivity as well as telnet and ssh. And best of all, it is free. We can’t even find a bleg for money on the website. If you find one, drop a few shekels in the cup. It’s that good. And if you need a very decent ssh program at work, use putty. It’s that good.

We also recommend a TFTP server, syslog server and DNS. These packages are also free and work well.

3CDaemon v.2 for Win32 from 3Com

Dual DHCP DNS Server v6.42

For more information on these packages, see here.

Financing Your Habit

If cost is an issue (and when is it not?), consider sharing the cost with other CCNA candidates. Naturally, all of the equipment will need to be in one location, but that’s not the end of the world. Assuming that everyone in the group has Internet access (and really, if you didn’t have the Internet, you wouldn’t be reading this), a lab can be set up to allow everyone to work remotely. We will show some ways that provide various levels of access. But the person who keeps the labs will have a slightly higher electricity bill and a bit more noise from the equipment.

Summary

However you get a lab, get a lab. You have to have a lab.

You. Have. To. Have. A. Lab.