Cisco CCNA 3 Instructor Lab Manual
Cisco Press. Part of the Lab Companion series. Sorry, this book is no longer in print.
Tokyo#show dialer
e. Which dialer strings are associated with Dialer1?
What is the last status for dial string in the Dialer0 readout?
Use the show interface command and note that the output shows that the interface is spoofing.

This provides a mechanism for the interface to simulate an active state for internal processes, such as routing, on the router.

Tokyo
Router(config)#hostname Tokyo
Tokyo(config)#enable secret class
Tokyo(config)#isdn switch-type basic-ni
Tokyo(config)#ip route 0.

Step 2 Define switch type and SPID numbers
To configure the switch type and SPID numbers, use the following commands.

Step 3 Defining static routes for DDR
Use static and default routes instead of dynamic routing, in order to reduce the cost of the dialup connection.

To configure a static route, the network address of the network that is going to be reached must be known.
Moscow#configure terminal
Moscow(config)#ip route 0.
For the moment, declare that all IP traffic is interesting using the dialer-list command.

Moscow(config)#dialer-list 1 protocol ip permit
Moscow(config)#interface dialer 0
Moscow(config-if)#dialer-group 1
Sydney(config)#dialer-list 1 protocol ip permit
Sydney(config)#interface dialer 0
Sydney(config-if)#dialer-group 1
Tokyo#configure terminal
Tokyo(config)#dialer-list 1 protocol ip permit
Tokyo(config)#interface dialer 1
Tokyo(config-if)#description The Profile for the Moscow router
Tokyo(config-if)#dialer-group 1
Tokyo(config-if)#interface dialer 2
Tokyo(config-if)#description The Profile for the Sydney router
Tokyo(config-if)#dialer-group 1

Step 5 Configuring DDR dialer information
Configure the correct dialer information so that the dialer profile and dialer interface function correctly.

Tokyo(config)#interface dialer 1
Tokyo(config-if)#ip address
Next, the dial information must be configured to specify the remote name of the remote router in the dialer profile. The dial string, or phone number to use to contact this remote device, must also be specified. Use the following commands to do this:
Tokyo(config)#interface dialer 1
Tokyo(config-if)#dialer remote-name Moscow
Tokyo(config-if)#dialer string
Tokyo(config-if)#dialer string
Tokyo(config-if)#interface dialer 2
Tokyo(config-if)#dialer remote-name Sydney
Tokyo(config-if)#dialer string
Tokyo(config-if)#dialer string
- CCNA 4: WAN Technologies v 3.

To configure the dial information on Moscow, use the following:
Moscow(config-if)#interface dialer 0
Moscow(config-if)#dialer remote-name Tokyo
Moscow(config-if)#dialer string
Moscow(config-if)#dialer string

c. To configure the dial information on Sydney, use the following:
Sydney(config-if)#interface dialer 0
Sydney(config-if)#dialer remote-name Tokyo
Sydney(config-if)#dialer string
Sydney(config-if)#dialer string

Step 7 Associate dialer profiles
a. Finally, associate the dialer profiles with the dialer interfaces that will be used when needed. Create a dialer pool, and put the interfaces and the associated dialer profiles in a common pool. The commands for doing this are as follows:
Tokyo(config-if)#interface bri 0
Tokyo(config-if)#dialer pool-member 1
Tokyo(config-if)#interface dialer 1
Tokyo(config-if)#dialer pool 1
Tokyo(config-if)#interface dialer 2
Tokyo(config-if)#dialer pool 1
b. On Moscow, the commands issued would be as follows:
Moscow(config-if)#interface bri 0
Moscow(config-if)#dialer pool-member 1
Moscow(config-if)#interface dialer 0
Moscow(config-if)#dialer pool 1
c. Use the same commands to configure the Sydney router.

Step 8 Configure dialer timeouts
a. Configure a dialer idle-timeout of 60 seconds for each of the dialer interfaces:
Tokyo(config)#interface dialer 1
Tokyo(config-if)#dialer idle-timeout 60
Tokyo(config-if)#interface dialer 2
Tokyo(config-if)#dialer idle-timeout 60
b. Repeat these commands on Moscow and Sydney.

Step 9 View the Tokyo router configuration
a. How many username statements are there?
What authentication type is being used for PPP? CHAP
d. Which sections of the configuration list the authentication type? Interface Dialer
e. Now, generate some interesting traffic across the DDR link from Moscow and Sydney to verify that connections are made correctly and the dialer profiles are functioning:
Moscow#ping
If not, troubleshoot the router configurations. What other information was displayed when the ping was issued? Yes
Sydney#ping
If the pings were not successful, troubleshoot the router configurations. Use the show dialer command to see the reason for the call. This information is shown for each channel:
Tokyo#show dialer
h. Which dialer strings are associated with Dialer
i. What is the last status for dial string in the Dialer2 readout?

Tokyo
Tokyo#configure terminal
Tokyo(config)#hostname Tokyo
Tokyo(config)#enable secret class
Tokyo(config)#isdn switch-type basic-ni
Tokyo(config)#interface fastethernet 0
Tokyo(config-if)#ip address
Tokyo(config)#exit
Tokyo#copy running-config startup-config

Moscow
Router#configure terminal
Router(config)#hostname Moscow
Moscow(config)#enable secret class
Moscow(config)#isdn switch-type basic-ni
Moscow(config)#interface fastethernet 0
Moscow(config-if)#ip address
Sydney(config-if)#no shutdown
Sydney(config-if)#exit
Sydney(config-if)#ip route 0.

Lab 5.
The network administrator must confirm that the router and Frame Relay switch are able to successfully communicate.

Step 2 Configuring the serial interface
a. In order to configure the serial interface, the Layer 2 Frame Relay frame type must be defined. To configure the frame type, use the following commands:
Cork#configure terminal
Cork(config)#interface serial 0
Cork(config-if)#encapsulation frame-relay ietf
b. Next, the format of the Frame Relay management protocol must be configured.

To verify the configuration, use the show interface commands related to Frame Relay. To view the serial interface configuration, use the following command:
Cork#show interface serial 0
b. What is the state of the interface?
What is the encapsulation type?
What is the LMI type?
To verify that the data-link connection identifiers (DLCIs) are defined on the switch, use show frame-relay pvc.
What DLCI numbers are available on the switch?

Cork
Router#configure terminal
Router(config)#hostname Cork
Cork(config)#enable password cisco
Cork(config)#enable secret class
Cork(config)#line con 0
Cork(config-line)#password cisco
Cork(config-line)#login
Cork(config-line)#line vty 0 4
Cork(config-line)#password cisco
Cork(config-line)#login
Cork(config-line)#exit
Cork(config)#exit
Cork#copy running-config startup-config

Cork Frame Relay Configuration
Cork#configure terminal
Cork(config)#interface serial 0
Cork(config-if)#encapsulation frame-relay ietf
Cork(config-if)#frame-relay lmi-type ansi
Cork(config-if)#no shutdown
Cork(config-if)#exit
Cork(config)#exit
Cork#copy running-config startup-config

The response should be:
Erase of nvram: complete
Now, at the privileged EXEC mode, enter the command reload:
Router#reload
The responding line prompt will be:
System configuration has been modified.

Step 2 Configuring the Washington serial interface
First, define the Frame Relay frame type to be used on this link.

To configure the encapsulation type, use the command encapsulation frame-relay ietf. Disable keepalive messages, since there is no Frame Relay switch in this configuration and consequently no Frame Relay DCE:
Washington#configure terminal
Washington(config-if)#interface serial 0
Washington(config-if)#encapsulation frame-relay ietf
Washington(config-if)#no keepalive
Washington(config-if)#ip address
When sending an Ethernet frame to a remote IP address, the remote MAC address must be discovered so that the correct frame type can be constructed.

Frame Relay needs a similar mapping. Since there is no way of mapping the DLCI automatically with LMI disabled, this map must be created manually using the frame-relay map command. The broadcast parameter also allows IP broadcasts to use the same mapping for crossing this PVC:
Washington(config-if)#frame-relay map ip
The bandwidth command is optional, but it is wise to use it to verify bandwidth transmission.

Another option is to title the connection using the description command.

Step 5 Configure Dublin router
Configure the Dublin router using the following commands:
Dublin#configure terminal
Dublin(config-if)#interface serial 0
Dublin(config-if)#encapsulation frame-relay ietf
Dublin(config-if)#no keepalive
Dublin(config-if)#no shutdown
Dublin(config-if)#ip address
On the Washington router, type the command show frame-relay pvc:
Washington#show frame-relay pvc
b. What is the DLCI number reported?
What is the PVC status? Static
d. To view the Layer 2 to Layer 3 mapping, use the show frame-relay map command at the privileged EXEC mode prompt:
Washington#show frame-relay map
b. What is the IP address shown?
What state is interface serial 0 in?
Washington#show frame-relay map
Serial0 (up): ip
From the Washington router, ping the Dublin router serial interface. If the ping was not successful, troubleshoot the router configurations.

Washington
Router#configure terminal
Router(config)#hostname Washington
Washington(config)#enable password cisco
Washington(config)#enable secret class
Washington(config)#line con 0
Washington(config-line)#password cisco
Washington(config-line)#login
Washington(config-line)#line vty 0 4
Washington(config-line)#password cisco
Washington(config-line)#login
Washington(config-line)#interface fastethernet 0
Washington(config-if)#ip address

Dublin Frame Relay Configuration
Dublin#configure terminal
Dublin(config)#interface serial 0
Dublin(config-if)#encapsulation frame-relay ietf
Dublin(config-if)#no keepalive
Dublin(config-if)#no shutdown
Dublin(config-if)#ip address

Step 2 Configure the Serial 0 Interfaces
a. First, the Frame Relay encapsulation type to be used on this link must be defined using the following commands:
Amsterdam#configure terminal
Amsterdam(config)#interface serial 0
Amsterdam(config-if)#encapsulation frame-relay ietf
Amsterdam(config-if)#frame-relay lmi-type ansi
b. Use a description field to store relevant information, such as the circuit number, in case a line fault has to be reported:
Amsterdam(config-if)#description Circuit KPN
Amsterdam(config-if)#no shutdown
c. The same commands are used to configure the Berlin and Paris routers:
Paris(config)#interface serial 0
Paris(config-if)#encapsulation frame-relay ietf
Paris(config-if)#frame-relay lmi-type ansi
Paris(config-if)#description Circuit FRT
Paris(config-if)#no shutdown
Berlin(config)#interface serial 0
Berlin(config-if)#encapsulation frame-relay ietf
Berlin(config-if)#frame-relay lmi-type ansi
Berlin(config-if)#description Circuit DTK
Berlin(config-if)#no shutdown

Step 3 Create subinterfaces on the Amsterdam router
For each of the permanent virtual circuits (PVCs), create a subinterface on the serial port. This subinterface will be a point-to-point configuration. For consistency and future troubleshooting, use the data-link connection identifier (DLCI) number as the subinterface number.

The commands to create a subinterface are as follows:
Amsterdam(config-if)#interface serial 0.
In the online curriculum, the prompt shows the interface mode, which is incorrect.
On the Amsterdam router, issue the command show frame-relay pvc:
Amsterdam#show frame-relay pvc
b. How many active local PVCs are there?
What is the interface value? Active
e. Which DLCI is inactive?
From this it can be seen that there are three DLCIs defined on this Frame Relay circuit, and only two of them are in use. This is the way the Adtran emulator has been configured. It is useful output, as it shows what would be seen if a DLCI is defined on the Frame Relay switch but not configured on the router. It also shows that some packets have actually passed across the PVC.
Look at the Frame Relay maps by typing the command show frame-relay map at the privileged EXEC mode prompt:
Amsterdam#show frame-relay map
b. What is the status of the links?
The DLCIs are defined as what type? Point-to-Point
d. No
Amsterdam#show frame-relay map
Serial0.
Which fields have non-zero counter values? Num Status Enq. Sent, Num Status msgs Rcvd
c. Use the show ip route command to verify that the PVCs are up and active:
Amsterdam#show ip route
b. Is the routing protocol working? If not, troubleshoot the router configurations.
Ping the fastethernet interfaces. If the pings were not successful, troubleshoot the router configurations and repeat this step.
Amsterdam#ping

Amsterdam
Router#configure terminal
Router(config)#hostname Amsterdam
Amsterdam(config)#enable password cisco
Amsterdam(config)#enable secret class
Amsterdam(config)#line con 0
Amsterdam(config-line)#password cisco
Amsterdam(config-line)#login
Amsterdam(config-line)#line vty 0 4
Amsterdam(config-line)#password cisco
Amsterdam(config-line)#login
Amsterdam(config-line)#interface fastethernet 0
Amsterdam(config-if)#ip address
Berlin(config)#interface serial 0
Berlin(config-if)#encapsulation frame-relay ietf
Berlin(config-if)#frame-relay lmi-type ansi
Berlin(config-if)#description Circuit DTK
Berlin(config-if)#no shutdown
Berlin(config-if)#interface Serial 0.

Step 7 Define the pool of usable public IP addresses
To define the pool of public addresses, use the ip nat pool command:
Gateway(config)#ip nat pool public-access

Step 8 Define an access list that will match the inside private IP addresses
To define the access list to match the inside private addresses, use the access-list command:
Gateway(config)#access-list 1 permit

Step 9 Define the NAT translation from inside list to outside pool
To define the NAT translation, use the ip nat inside source command:
Gateway(config)#ip nat inside source list 1 pool public-access overload

Step 10 Specify the interfaces
The active interfaces on the router need to be identified as either inside or outside interfaces with respect to NAT.
Gateway(config)#interface fastethernet 0
Gateway(config-if)#ip nat inside
Gateway(config-if)#interface serial 0
Gateway(config-if)#ip nat outside

Step 11 Configuring Static Mapping
d. No route back
The port NAT used.

The first item to check is the spelling and case of all passwords, keychain names and keys, and authentication list names. It is often a mismatch in case or spelling that causes total failure.

The best practice is to start with the most basic and work upward. First ask whether all the names and keys match up. Next, if the configuration uses a list or keychain and so on, check if the item referenced actually exists and is the same on all devices. Configuring something once on one device and then copying and pasting into the other device is the best way to ensure that the configuration is exactly the same. Next, when thinking about disabling or restricting services, ask what the services are used for and if they are needed.

Also ask what information the router should be sending out, and who should and should not receive that information. Finally, ask what the services enable the users to do, and whether you want them to be able to do that. Generally, if you can think of a way that a service can be abused, you should take steps to prevent that.

Task 3: Document the Corrected Network
R1
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
no service finger
no service udp-small-servers
no service tcp-small-servers
!

You will apply both standard and extended ACLs. On older routers, or versions of the IOS before
R1
hostname R1
!
A typical best practice is to configure a standard ACL as close to the destination as possible. In this task, you are configuring a standard ACL.

The ACL is designed to block traffic from the This ACL will be applied inbound on the R3 serial interface. For this reason, add the permit any statement to the end of the ACL.

Connectivity tests should be successful before applying the ACL.
R3(config-std-nacl)#deny
This will allow you to see the access list log messages when the packet is denied. Since the ACL is designed to block traffic with source addresses from the
R1#ping ip
Target IP address:
You see output similar to the following.

Each line of an ACL has an associated counter showing how many packets have matched the rule. Any other hosts, such as those on the Conduct another test from PC1 to PC3 to ensure that this traffic is not blocked. Extended ACLs can filter traffic based on more than just source address. Extended ACLs can filter on protocol, source, and destination IP addresses, and source and destination port numbers.

An additional policy for this network states that devices from the Computers on this LAN are not permitted to access the Internet. Therefore, these users must be blocked from reaching the IP address Because this requirement needs to enforce both source and destination, an extended ACL is needed. In this task, you are configuring an extended ACL on R1 that blocks traffic originating from any device on the A typical best practice for applying extended ACLs is to place them as close to the source as possible.

Before beginning, verify that you can ping

Step 1: Configure a named extended ACL.
From this prompt, add the necessary statements to block traffic from the
Use the host keyword when defining the destination.
R1(config-ext-nacl)#deny ip
Add the permit statement to ensure that other traffic is not blocked. Extended ACLs are typically placed close to the source.

From PC1, ping the loopback interface on R2. These pings should fail, because all traffic from the If the destination is any other address, the pings should succeed. Confirm this by pinging R3 from the Note: The extended ping feature on R1 cannot be used to test this ACL, since the traffic will originate within R1 and will never be tested against the ACL applied to the R1 serial interface.

All other hosts are denied. Verify that you can telnet to R2 from both R1 and R3.

Step 1: Configure the ACL.
Configure a named standard ACL on R2 that permits traffic from
Deny all other traffic. Enter line configuration mode for VTY lines 0-4.
R2(config)#line vty 0 4
Use the access-class command to apply the ACL to the vty lines in the inbound direction. Note that this differs from the command used to apply ACLs to other interfaces.

Connection attempts should fail.
R1#telnet
You will be presented with a prompt for the VTY line password.
R3#telnet
User Access Verification
Password:
Why do connection attempts from other networks fail even though they are not specifically listed in the ACL? Any traffic not explicitly permitted is dropped.

Task 6: Troubleshooting ACLs
When an ACL is improperly configured or applied to the wrong interface or in the wrong direction, network traffic may be affected in an undesirable manner.

In an earlier task, you created and applied a named standard ACL on R3. Use the show running-config command to view the ACL and its placement. Recall that this ACL was designed to block all network traffic with a source address from the This time the ACL will be filtering outbound traffic, rather than inbound traffic. Remember to use the out keyword when applying the ACL. As an alternative, use an extended ping from R1. Notice that this time pings succeed, and the ACL counters are not incremented.

Confirm this by issuing the show ip access-list command on R3. Step 4: Restore the ACL to its original configuration. Remove the ACL from the outbound direction and reapply it to the inbound direction. Attempt to communicate to any device connected to R2 or R3 from R1 or its attached networks. Notice that all communication is blocked; however, ACL counters are not incremented.

Essentially, this will cause routes from R1 to be removed from the routing table.
Router 2
hostname R2
!
Router 3
hostname R3
!
Note: If you use a , , or router, the router outputs and interface descriptions may appear different.

Task 2: Perform Basic Router Configurations.
R1
hostname R1
no ip domain-lookup
enable secret class
!
R2
hostname R2
enable secret class
no ip domain lookup
!
Deny and log all other connection attempts. Document your testing procedures. These tests should fail.
Attempt to telnet to R1 from PC1. Test should pass.
Attempt to telnet to R3 from PC3. Test should pass.
The network administrator has noticed that students in these labs are playing games across the WAN with the remote students. Any other traffic should be denied and logged. Note: This may require multiple access lists. Verify your configuration and document your testing procedure.
Why is the order of access list statements so important? If a packet matches a line, the matched action is performed and the actions after that are ignored.
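The first-match rule, the implicit deny, and the standard/extended/access-class variants used in the tasks above, as an added example that is not part of the lab: a small Python model of IOS-style access lists with wildcard masks, evaluated against constructed packets. All ACL names and addresses are made up for the illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class Packet:
    src: str
    dst: str
    proto: str = "ip"            # "ip", "icmp", "tcp" or "udp"
    dport: Optional[int] = None  # destination port for tcp/udp


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """IOS wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a & ~w) == (b & ~w)


ANY = ("0.0.0.0", "255.255.255.255")   # the 'any' keyword
HOST = "0.0.0.0"                        # wildcard produced by the 'host' keyword


@dataclass
class Entry:
    action: str                  # "permit" or "deny"
    src: tuple                   # (address, wildcard)
    dst: tuple = ANY             # standard ACLs never look at the destination
    proto: str = "ip"            # "ip" matches every protocol
    dport: Optional[int] = None
    log: bool = False
    matches: int = 0             # per-line counter, as in show ip access-list

    def hit(self, p: Packet) -> bool:
        if self.proto != "ip" and self.proto != p.proto:
            return False
        if self.dport is not None and self.dport != p.dport:
            return False
        return wildcard_match(p.src, *self.src) and wildcard_match(p.dst, *self.dst)


class AccessList:
    def __init__(self, name: str, entries: list):
        self.name = name
        self.entries = entries
        self.log_lines = []      # constructed log lines for entries with 'log'

    def evaluate(self, p: Packet) -> str:
        """Top-down, first match wins; lines after the match are never consulted."""
        for n, e in enumerate(self.entries, start=1):
            if e.hit(p):
                e.matches += 1
                if e.log:
                    self.log_lines.append(
                        f"list {self.name} line {n} {e.action} {p.proto} {p.src} -> {p.dst}")
                return e.action
        return "deny"            # the implicit 'deny any' at the end of every IOS ACL


def lab_acls():
    """Constructed ACLs in the shape of the lab's tasks (addresses are made up)."""
    std_r3 = AccessList("STD-R3", [          # block one LAN, then permit everything else
        Entry("deny", ("192.168.10.0", "0.0.0.255"), log=True),
        Entry("permit", ANY),
    ])
    ext_r1 = AccessList("EXT-R1", [          # deny LAN -> one host, then permit ip any any
        Entry("deny", ("192.168.10.0", "0.0.0.255"), ("209.165.200.225", HOST)),
        Entry("permit", ANY, ANY),
    ])
    misordered = AccessList("EXT-WRONG", [   # same lines, permit first: the deny is dead
        Entry("permit", ANY, ANY),
        Entry("deny", ("192.168.10.0", "0.0.0.255"), ("209.165.200.225", HOST)),
    ])
    vty = AccessList("VTY-R2", [             # access-class: one network permitted, nothing else
        Entry("permit", ("192.168.10.0", "0.0.0.255")),
    ])
    return std_r3, ext_r1, misordered, vty
```

The misordered list is the case the troubleshooting task warns about: the counters on its deny line never move because the permit above it matches first.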

Ping from PC1 to PC3. Ping from PC3 to PC1. Both should fail.
Step 2: Test port 80 access. This should be successful.
No routes should be lost. Confirm with show ip route.
Step 4: Test ping to R2. Ping to R2 from R1 and PC1. Ping to R2 from R3 and PC3. Both should succeed.
Step 5: Perform other ping tests to confirm that all other traffic is denied.

R3
hostname R3
!

Task 7: Clean Up
Erase the configurations and reload the routers.
Your department has been asked to examine the configuration, conduct tests, and change the configuration as necessary to secure the customer routers. Log any attempts by other devices to access the VTY lines.

All other traffic should be allowed to and from R1 and R3. A minimum of ACL statements should be used and applied inbound on the R2 serial interfaces. OSPF is used to distribute routing information.

All passwords, except the enable secret password, are set to cisco. The enable secret password is set to class.

Task 1: Load Routers with the Supplied Scripts
[Instructor note: These commands can be loaded into the router by the instructor or by the students. They are not included in the student version of the lab.]
Document the steps you used to troubleshoot the network and note each error found.
R2
hostname R2
enable secret class
!
R3
hostname R3
enable secret class
no ip domain lookup
!

One router is the DHCP server. The other router forwards DHCP requests to the server. When you have completed the configurations, verify the connectivity between the inside and outside addresses. Note: If you use a , , or series router, the router outputs and interface descriptions may look different. On older routers some commands may be different, or not exist. Step 2: Clear all existing configurations on the routers. Do not advertise the Note: Instead of attaching a server to R2, you can configure a loopback interface on R2 to use the IP address If you do this, you do not need to configure the Fast Ethernet interface.

Right mouse click on the Local Area Connection and select Properties. Click on the Properties button. Make sure the button is selected that says Obtain an IP address automatically. The goal for this lab is to have devices on the networks Step 1: Exclude statically assigned addresses. These IP addresses are usually static addresses reserved for the router interface, switch management IP address, servers, and local network printer. The ip dhcp excluded-address command prevents the router from assigning IP addresses within the configured range.

These addresses will not be assigned to any DHCP clients.
R2(config)#ip dhcp excluded-address
DHCP pools automatically associate with an interface based on the network statement. The router now acts as a DHCP server, handing out addresses in the
R2(dhcp-config)#network
R2(dhcp-config)#dns-server
You are configuring the command for practice only.

Because devices from the network
The commands are similar to the commands shown above:
R2(config)#ip dhcp pool R1Fa1
R2(dhcp-config)#network
When the devices providing these services exist on a different subnet than the clients, they cannot receive the broadcast packets.

Notice that ip helper-address must be configured on each interface involved. You can verify the DHCP server configuration in several different ways. You can then issue commands on the router to get more information. The show ip dhcp binding command provides information on all currently assigned DHCP addresses. For instance, the following output shows that the IP address The IP lease expires on September 14, at p. In this output, the pool R1Fa0 is configured on R1.

One address has been leased from this pool. The next client to request an address will receive The following is the debug output on R1 after connecting a host.

Notice that the highlighted portion shows DHCP giving the client an address of
However, R2 translates private addresses into public addresses before sending traffic to ISP.
R2(config)#ip route 0.
A default route pointing to R2 should appear in the R1 routing table. The pings should be successful. Troubleshoot if the pings fail. The inside server attached to R2 is accessible by outside hosts beyond ISP. Statically assign the public IP address
R2(config)#ip nat inside source static
Before NAT can work, you must specify which interfaces are inside and which interfaces are outside.

Step 3: Verify the static NAT configuration.
Step 1: Define a pool of global addresses. Create a pool of addresses to which matched source addresses are translated.
R2(config)#ip access-list extended NAT
R2(config-ext-nacl)#permit ip
The following command tells the router which address pool to use to translate hosts that are allowed by the ACL. You have already specified the inside and outside interfaces for your static NAT configuration.

Now add the serial interface linked to R1 as an inside interface. Then use the show ip nat translations and show ip nat statistics commands on R2 to verify NAT. In this task, you will remove the pool and mapping statement configured in the previous task. Step 1: Remove the NAT pool and mapping statement. The configuration is similar to dynamic NAT, except that instead of a pool of addresses, the interface keyword is used to identify the outside IP address.

Therefore, no NAT pool is defined. The overload keyword enables the addition of the port number to the translation.

Task 9: Document the Network
On each router, issue the show run command and capture the configurations.
Exclude the first three addresses from each pool. Create two DHCP pools.
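The static mapping for the inside server and the overload (PAT) translation on the outside interface described in the NAT tasks above, as an added example that is not part of the lab: a Python model of the translation table that shows why the port number has to become part of the entry once many inside hosts share one outside address. The addresses, the inside ACL networks and the port-allocation policy are constructed for this illustration and are not taken from IOS.

```python
import ipaddress
from typing import Optional, Tuple


class NatOverload:
    """Constructed model of 'ip nat inside source': one static mapping for the
    inside server plus 'overload' (PAT) on the outside interface address."""

    def __init__(self, outside_ip: str, inside_nets):
        self.outside_ip = outside_ip                  # the 'interface' keyword: outside IP
        self.inside_nets = [ipaddress.ip_network(n) for n in inside_nets]  # what the ACL permits
        self.static = {}        # inside local -> inside global
        self.table = {}         # (inside local, port) -> (inside global, port)
        self.reverse = {}       # (inside global, port) -> (inside local, port)
        self.next_port = 1024   # first port handed out when the original one is taken

    def add_static(self, inside_local: str, inside_global: str) -> None:
        self.static[inside_local] = inside_global

    def _permitted(self, src: str) -> bool:
        return any(ipaddress.ip_address(src) in net for net in self.inside_nets)

    def _alloc_port(self) -> int:
        while (self.outside_ip, self.next_port) in self.reverse:
            self.next_port += 1
        port = self.next_port
        self.next_port += 1
        return port

    def outbound(self, src: str, sport: int) -> Tuple[str, int]:
        """Inside -> outside: static entries win, then the ACL decides, then PAT."""
        if src in self.static:
            return self.static[src], sport            # static NAT leaves the port alone
        if not self._permitted(src):
            return src, sport                         # not in the list: forwarded untranslated
        key = (src, sport)
        if key not in self.table:
            # keep the original port when free; otherwise pick another so the
            # (global address, port) pair stays unique per inside host
            gport = sport if (self.outside_ip, sport) not in self.reverse else self._alloc_port()
            self.table[key] = (self.outside_ip, gport)
            self.reverse[(self.outside_ip, gport)] = key
        return self.table[key]

    def inbound(self, dst: str, dport: int) -> Optional[Tuple[str, int]]:
        """Outside -> inside: only static mappings or existing PAT entries are reachable."""
        for local, glob in self.static.items():
            if glob == dst:
                return local, dport
        return self.reverse.get((dst, dport))     # None: no entry, the router drops it


def lab_nat() -> NatOverload:
    """Constructed addressing in the shape of the lab (not the lab's own values)."""
    nat = NatOverload("209.165.200.225", ["192.168.10.0/24", "192.168.11.0/24"])
    nat.add_static("192.168.20.254", "209.165.200.254")   # the inside server
    return nat
```

Unsolicited traffic from outside to the overloaded address finds no entry and is dropped, which is the behaviour the static mapping exists to override for the server.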

Configure each pool with a default gateway and a simulated DNS at
Configure helper addresses so that client broadcasts are forwarded to the DHCP server. Use the exit interface as an argument.
ISP(config)#ip route
Use the next-hop IP address as an argument. Statically map the inside server IP address to the public address
Verify that the inside and outside interfaces are all correctly specified.

Task 7: Document the Network
On each router, issue the show run command and capture the configurations.

Task 8: Clean Up
Erase the configurations and reload the routers.

Final Scripts
!
Make sure all clients have full connectivity.