CISCO CCNA Certification
ICND1 Lab Guide
Version 2.0 Issue 1.01
www.firebrandtraining.com

ICND1 Interconnecting Cisco Networking Devices, Part
Version 2.0
Lab Guide Issue v1.01

Table of Contents

Physical Topology Diagram

Lab 1-1: Switch Startup and Initial Configuration
    Visual Topology
    Command List
    Task 1: Reload and check that the Switch is set to factory defaults
    Task 2: Defining a hostname and enabling a management IP address
    Task 3: Using context-sensitive help
    Task 4: Changing default CLI parameters
Lab 1-2: Troubleshooting Switch Media Issues
    Visual Topology
    Command List
    Task 1: Lab setup
    Task 2: Connectivity issues between the PC and the Switch
    Task 3: Connectivity issues between the Switch and the Router
Lab 2-1: Router startup and Initial Configuration
    Visual Topology
    Command List
    Task 1: Router hardware and software inspection
    Task 2: Create the initial Router configuration
    Task 3: Changing default CLI parameters
    Task 4: Neighbour discovery using CDP
Lab 2-2: Internet connections
    Visual Topology
    Command List
    Task 1: Defining static IP addresses and setting a static default route
    Task 2: Configure NAT
    Task 3: Configure PAT
Lab 3-1: Improving Device Security
    Visual Topology
    Command List
    Task 1: Device password protection
    Task 2: Remote access using Telnet and SSH
    Task 3: Limiting remote access based on source IP addresses
    Task 4: Creating a login banner page
Lab 3-2: Device Hardening
    Visual Topology
    Command List
    Task 1: Managing unused ports on a Switch
    Task 2: Using Switchport port-security
    Task 3: Disable unused services
Lab 3-3: Using ACLs to filter IP based traffic
    Visual Topology
    Command Line
    Task 1: Configuring an ACL (Access Control List)
Lab 4-1: Enhancing a Switched Network
    Visual Topology
    Command Line
    Task 1: Creating a VLAN and assigning Switchports
    Task 2: Configure a Trunk connection on a Router
Lab 4-2: Using a Router to provide DHCP Services
    Visual Topology
    Command Line
    Task 1: Setting-up DHCP address Pools
    Task 2: Excluding static IP addresses from a DHCP Pool
    Task 3: Testing the DHCP Service
Lab 4-3: Implementing OSPF
    Visual Topology
    Command Line
    Task 1: Setting-up a Routed WAN connection
    Task 2: Configuring OSPF
Lab 5-1: Configure basic IPv6
    Visual Topology
    Command Line
    Task 1: Enabling IPv6
Lab 5-2: Configure IPv6 Routing
    Visual Topology
    Command Line
    Task 1: Enable OSPFv3
Lab Answer Keys:

Lab 1-1: Switch Startup and Initial Configuration

Command List

Command - Description
? or help - Lists available commands in your current mode
Clock set - Sets the system clock
Configure Terminal - Enters global configuration mode
Copy run start - Saves your dynamic running config to NVRAM
Delete name - Deletes a file
Do command - Allows for the execution of commands located in a different mode
Enable - Enters privileged EXEC mode from user EXEC mode
End - Terminates configuration mode
Erase startup-config - Erases the startup-configuration from NVRAM
Exit - Exits current configuration mode
Terminal history size number - Sets the number of lines held in the history buffer
Hostname name - Sets a system name and is displayed within the system prompt
Interface Vlan - Enters the interface configuration (SVI) for Vlan and allows you to set the management IP address for the switch
IP address address & mask - Set an IP address and also the network/subnet mask
Line console - Enters line console configuration mode
Logging synchronous - Prevents unsolicited messages from interfering when typing in your commands
Reload - Restarts the device
Show clock - Displays the system clock
Show flash: - Displays the contents of the flash memory
Show startup-config - Displays the startup-config saved in NVRAM
Show terminal - Displays the current settings for the terminal
Show version - Displays hardware and software information

Task 1: Reload and check that the Switch is set to factory defaults

Step 1: Assign an IP address to your PC using the details listed in the visual topology diagram. The PC should be fitted with two network adapters; check with the instructor if you are unsure which network adapter should be configured.

Step 2: Access the Switch Console port using the method and information provided by the instructor. At the Switch> prompt (if you see any other prompt or are asked for a password, contact the instructor), enter the erase startup-config command and make a note of the result. Why did this fail?

Step 3: From the user prompt type in the command which enters privilege exec-mode. Does the system prompt change and if so, how? Now try and execute the Erase startup-config command, once again make a note of the output. Do you see a different console message?

Step 4: Switches hold information about logical VLANs in a database stored in their flash memory and it is necessary to delete this database to reset the Switch back to factory defaults. PLEASE BE VERY CAREFUL WHEN USING THE DELETE COMMAND. From Privilege mode type in the following command and follow the system messages (if you are unsure what to do, contact the instructor before answering any of the system messages).

    Switch#Delete flash:vlan.dat

Step 5: Use the appropriate command to verify that the Switch doesn't have a current startup-configuration and use the appropriate show command to display information about the device hardware and software parameters.

Step 6: Reload the Switch. Please note the Switch may take a few minutes to reload.

Task 2: Defining a hostname and enabling a management IP address

Step 1: Change the hostname of the Switch to either SW1 or SW2.

Step 2: Assign your Switch a management IP address from the values identified in the visual topology diagram at the beginning of the lab exercise.

Step 3: Verify connectivity between your PC and the Switch using the Ping command. Remember that your PC might have a personal firewall installed which could prevent the Switch from Pinging the PC. Was the Ping successful?
If not, investigate and correct the problem.

Task 3: Using context-sensitive help

Step 1: Access the privilege mode on your Switch and enter ? to list the available commands.

Step 2: Using the ? navigate through the series of command options to set the system time to the current time and date. Note that the system will support abbreviated commands provided they are unique, and using the Tab key will automatically complete the command.

Step 3: Use a command to show the current time and date.

Step 4: Type in the following command at the privilege command prompt

    ! The next set of commands will configure the links to the core office

Lab 3-3: Using ACLs to filter IP based traffic

Task 1: Configuring an ACL (Access Control List)

Step 2: Create a loopback interface using the following commands

R1 only

    R1>en
    R1#conf t
    R1(config)#interface loopback0
    R1(config-if)#ip address 1.1.1.1 255.255.255.255
    R1(config-if)#no shut

Note we are using a 32 bit mask.

R2 only

    R2>en
    R2#conf t
    R2(config)#interface loopback0
    R2(config-if)#ip address 2.2.2.2 255.255.255.255
    R2(config-if)#no shut

Step 3: From your PC check that you can ping the IP address of the loopback interface you have just created and also your default gateway. This should work! If the ping fails check the following:

Does your PC have the correct IP address? Hint: ipconfig

Can you ping your default gateway?
If not, check that the router interface is up/up.

Step 4: Create an extended ACL named PING that will prevent your PC from successfully pinging the default gateway; however, you should be allowed to ping the loopback interface and all other IP traffic should be permitted through the router.

R1 only

    R1#conf t
    R1(config)#ip access-list extended PING
    R1(config-ext-nacl)#deny icmp 10.1.1.101 0.0.0.0 10.1.1.1 0.0.0.0 echo
    R1(config-ext-nacl)#permit ip any any
    R1(config-ext-nacl)#int fa0/0
    or
    R1(config-ext-nacl)#int gi0/0
    R1(config-if)#ip access-group PING in

R2 only

    R2#conf t
    R2(config)#ip access-list extended PING
    R2(config-ext-nacl)#deny icmp 10.1.1.102 0.0.0.0 10.1.1.2 0.0.0.0 echo
    R2(config-ext-nacl)#permit ip any any
    R2(config-ext-nacl)#int fa0/0
    or
    R2(config-ext-nacl)#int gi0/0
    R2(config-if)#ip access-group PING in

Step 5: Test your ACL and use the appropriate show commands to display the content of the configured ACL and write down your results below.

    Rx#show access-list PING

Are access-list names case sensitive? YES

Step 6: Once you have proved that the ACL works correctly, remove it from your configuration.

    R(config-if)#no ip access-group PING in
    R(config-if)#exit
    R(config)#no ip access-list ext PING

Step 7: Save your configuration

    R(config)#exit
    R#copy run start

Lab 4-1: Enhancing a Switched Network

Task 1: Creating a VLAN and assigning Switchports

Step 2: Access the CLI on the switch

Step 3: Create vlan on your switch and name it SALES

    SW>en
    SW#conf t
    SW(config)#vlan
    SW(config-vlan)#name SALES

Step 4: Re-assign interface fa0/1 to vlan

    SW(config-vlan)#int fa0/1
    SW(config-if)#switchport mode access
    SW(config-if)#switchport access vlan

Step 5: Configure Fa0/12 as a trunk connection

    SW(config-if)#int fa0/12
    SW(config-if)#switchport mode trunk

Step 7: From your PC try and Ping the IP address of your switch. This should fail! Why?
Because the IP address of the switch is assigned to Vlan and the port connected to the PC is now in Vlan (logically separated). Routing is required between the two Vlans.

Task 2: Configure a Trunk connection on a Router

Now that we have configured the switch to support a trunk connection between itself and the router, the next stage involves setting up the router so it understands the IEEE 802.1Q frame encapsulation.

Step 1: Access the CLI on the router

Step 2: Navigate to the interface mode which connects the router to the switch. Hint: fa0/0 or gi0/0

    R>en
    R#conf t
    R(config)#int fa0/0
    or
    R(config)#int gi0/0

Step 3: Shutdown the interface

    R(config-if)#shut

Step 4: Remove any current IP address using the no ip address command

    R(config-if)#no ip address

Step 5: Create a new sub-interface using the following command

    R(config)#interface fa0/0.1
    or
    R(config)#interface gi0/0.1

Step 6: Assign an ip address of 10.1.1.1 255.255.255.0

    R(config-subif)#ip address 10.1.1.1 255.255.255.0

Step 7: Issue the following command to support IEEE 802.1Q encapsulation linking it to vlan and make this the native vlan

    R(config-subif)#encap dot1q native

Step 8: Create a second sub-interface

    R(config)#interface fa0/0.2
    or
    R(config)#interface gi0/0.2

Step 8: Assign an ip address of 10.2.2.1 255.255.255.0

    R(config-subif)#ip address 10.2.2.1 255.255.255.0

Step 9: Setup IEEE 802.1Q encapsulation with a link to vlan

    R(config-subif)#encap dot1q

What is the difference between the native vlan and a non-native vlan?
Native is untagged across a trunk connection, default id vlan

Step 10: Issue the no shutdown command on the physical interface; this will automatically enable all sub-interfaces.

    R(config-subif)#exit
    R(config)#int fa0/0
    or
    R(config)#int gi0/0
    R(config-if)#no shut

Step 11: Check your PC can ping its default gateway.

Step 12: Try and ping the IP address of the switch; this should now be successful. If it fails then check the following:

The switch will need a default gateway set to 10.1.1.1 because the path of the ping from the PC to the switch is via the router.

Explanation: The port attached to the PC has been assigned to Vlan but the IP address of the switch is still in vlan 1, therefore the Ping packet will travel from the PC to its default gateway (the router) because the source IP address and the destination IP address are not located in the same IP subnet. The router, upon receiving the Ping packet, will direct it to sub-interface fa0/0.2 or gi0/0.2 because it has been linked to vlan 2. It will then examine the destination IP address after stripping the layer header and redirect it out of sub-interface fa0/0.1 or gi0/0.1, but it will need to rebuild a new layer header before going across the trunk to the switch.

Lab 4-2: Using a Router to provide DHCP Services

Task 1: Setting-up DHCP address Pools

Step 2: Configure a DHCP pool named SALES

    R>en
    R#conf t
    R(config)#ip dhcp pool SALES

Step 3: Adding the IP network/subnet to the DHCP pool

    R(dhcp-config)#network 10.2.2.0 255.255.255.0

Step 4: Adding the default gateway and dns server options to the DHCP pool

    R(dhcp-config)#default-router 10.2.2.1
    R(dhcp-config)#dns-server 8.8.8.8
    R(dhcp-config)#exit

Task 2: Excluding static IP addresses from a DHCP Pool

Step 1: Limiting the scope of the DHCP pool

    R(config)#ip dhcp excluded-address 10.2.2.1 10.2.2.9
    R(config)#ip dhcp excluded-address 10.2.2.21 10.2.2.254

Task 3: Testing the DHCP Service

Step 2: From the PC command prompt verify your IP address

    IPconfig /all

Step 3: Access the CLI on the router and execute the following command to display current IP address allocation

    R(config)#exit
    R#show ip dhcp binding

Lab 4-3: Implementing OSPF

This lab exercise requires two students to work together to complete the tasks. Use the visual topology diagram to ascertain the correct IP addressing plan for your PC, Router and Switch.

Task 1: Setting-up a Routed WAN connection

Step 1: Access the CLI on both your switch and router.

Step 2: Clear down their current configuration and reload the devices using the erase startup-config and reload commands. Make sure you do this on both the router and the switch. If the system indicates that the system configuration has been modified and asks whether you want to save, answer no. Confirm the reload.

Step 3: The devices have been set back to factory defaults (well, almost); ignore and abort the setup dialogue options. Using the information in the visual topology diagram, set up the correct IP addresses and hostnames on all devices.

Hint

    Switch>en
    Switch#conf t
    Switch(config)#hostname SW1
    SW1(config)#interface vlan
    SW1(config-if)#ip address 10.1.1.10 255.255.255.0
    SW1(config-if)#no shut

    Router>en
    Router#conf t
    Router(config)#hostname R1
    R1(config)#interface fa0/0
    R1(config-if)#ip address 10.1.1.1 255.255.255.0
    R1(config-if)#no shut
    R1(config-if)#interface fa0/1
    R1(config-if)#ip address 172.16.1.17 255.255.255.240
    R1(config-if)#no shut

Check that the interfaces are up/up and troubleshoot any discrepancies. Remember to set a static IP address on the PC interface and check connectivity between the PC and its default router.

Task 2: Configuring OSPF

By default routers do not run any dynamic routing protocols; however, routing between IPv4 locally connected interfaces is enabled by default.

Step 1: Execute the relevant show command to display the contents of the routing table

    R#sh ip route

The table displays only two connected subnets and therefore this router only has paths for subnets 10.1.1.0 and 172.16.1.16.

Step 2: Enter OSPF configuration mode and use a process id of

    R(config)#Router ospf

Step 3: Enable both interfaces for ospf and place them in the backbone area

R1 only

    R1(config-router)#network 10.1.1.1 0.0.0.0 area
    R1(config-router)#network 172.16.1.17 0.0.0.0 area

R2 only

    R2(config-router)#network 10.2.2.1 0.0.0.0 area
    R2(config-router)#network 172.16.1.18 0.0.0.0 area

Step 4: Check the contents of the routing table. Do you see any additional entries?

Yes, you now see an OSPF advertised route from the neighbouring router.

Step 6: Save the configuration on both the switch and router

    R#copy run start

Lab 5-1: Configure basic IPv6

Task 1: Enabling IPv6

Step 1: Access the CLI on your router and enable IPv6 unicast routing

    R>en
    R#conf t
    R(config)#ipv6 unicast-routing

Step 2: Assign the following IPv6 addresses

R1 only

    R1(config)#interface fa0/1
    or
    R1(config)#interface gi0/1
    R1(config-if)#ipv6 address 2001:DB8:D123:ABCD::1/64
    R1(config-if)#no shut
    R1(config-if)#interface loopback
    R1(config-if)#ipv6 address 2001:A:B:C::100/64

R2 only

    R2(config)#interface fa0/1
    or
    R2(config)#interface gi0/1
    R2(config-if)#ipv6 address 2001:DB8:D123:ABCD::2/64
    R2(config-if)#no shut
    R2(config-if)#interface loopback
    R2(config-if)#ipv6 address 2001:C:B:A::200/64

Step 3: Issue the show ipv6 interface command

    R(config-if)#end
    R#sh ipv6 interface

Where did the link-local address come from?

Automatically assigned by the system

What are the IPv6 addresses starting with FF02: ?
IPv6 multicast addresses

Step 4: Save your running configurations

    R#copy run start

Lab 5-2: Configure IPv6 Routing

Task 1: Enable OSPFv3

Step 1: Access the CLI of the router and check that you still have the IPv6 addresses configured on your router; if not, rectify.

    R>en
    R#sh ipv6 int brief

Step 2: Ping the IPv6 address of the other router's fa0/1 or gi0/1 interface. If you have correctly configured both ends of the directly connected link, then this should be successful.

Step 3: Ping the IPv6 address located on the other router. This should fail because it is not directly connected and, just like in IPv4, no dynamic routing protocols are enabled by default to advertise it out.

Step 4: Enter OSPFv3 configuration mode and assign the following router IDs

R1 only

    R1#conf t
    R1(config)#ipv6 router ospf
    R1(config-router)#Router-ID 1.1.1.1

R2 only

    R2#conf t
    R2(config)#ipv6 router ospf
    R2(config-router)#Router-ID 2.2.2.2

Do you need to configure unique router IDs?

Yes, each ospf router needs a unique router ID

Step 5: Enter the configuration mode for the interface directly connecting the two routers together, fa0/1 or gi0/1

    R(config-router)#int fa0/1
    or
    R(config-router)#int gi0/1
    R(config-if)#

Step 6: Enable OSPFv3 on the interface and check you have an OSPF adjacency

    R(config-if)#ipv6 ospf area
    R(config-if)#end
    R#sh ipv6 ospf nei

Step 7: Try pinging the loopback IPv6 address of the other router. Why would it fail?

OSPF is not advertising the loopback interfaces

Step 8: Enable OSPFv3 on the loopback interface and ask the other student to try and ping it. Because you are now advertising it via OSPFv3, this should work.

    R#conf t
    R(config)#int loop
    R(config-if)# ipv6 ospf area
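Returning to Lab 3-3, Step 4: the following is an added example, not part of the lab guide, that models in Python how the router evaluates the PING ACL applied inbound on R1. It shows wildcard-mask matching, first-match ordering, and the implicit deny that makes the permit ip any any line necessary. The Ace class and the evaluate and wildcard_match functions are hypothetical names, and the model covers only protocol, source, destination and ICMP type.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

ANY = ("0.0.0.0", "255.255.255.255")  # what the keyword "any" expands to


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard mask: 0 bits must match, 1 bits are ignored."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a | w) == (b | w)


@dataclass
class Ace:  # hypothetical model of one ACL entry
    action: str                      # "permit" or "deny"
    proto: str                       # "ip" matches every IP protocol
    src: Tuple[str, str]             # (address, wildcard)
    dst: Tuple[str, str]
    icmp_type: Optional[str] = None  # None matches any ICMP type


# The two entries typed on R1 in Step 4.
PING = [
    Ace("deny", "icmp", ("10.1.1.101", "0.0.0.0"), ("10.1.1.1", "0.0.0.0"), "echo"),
    Ace("permit", "ip", ANY, ANY),
]


def evaluate(acl, proto, src, dst, icmp_type=None):
    """Return (action, matching entry number); the first match wins."""
    for number, ace in enumerate(acl, start=1):
        if ace.proto not in ("ip", proto):
            continue
        if not (wildcard_match(src, *ace.src) and wildcard_match(dst, *ace.dst)):
            continue
        if ace.icmp_type is not None and ace.icmp_type != icmp_type:
            continue
        return ace.action, number
    return "deny", None  # implicit "deny ip any any" that ends every ACL


if __name__ == "__main__":
    # Constructed sample packets based on the lab's addressing.
    cases = [
        ("PC pings default gateway", PING, ("icmp", "10.1.1.101", "10.1.1.1", "echo")),
        ("PC pings R1 loopback", PING, ("icmp", "10.1.1.101", "1.1.1.1", "echo")),
        ("PC opens TCP to gateway", PING, ("tcp", "10.1.1.101", "10.1.1.1")),
        ("loopback ping, no permit line", PING[:1], ("icmp", "10.1.1.101", "1.1.1.1", "echo")),
    ]
    for label, acl, packet in cases:
        print(f"{label:32} -> {evaluate(acl, *packet)}")
```

The last case drops the permit entry and the loopback ping is then denied by the implicit rule, which is the failure to expect if Step 4 is entered without permit ip any any.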
console password to return to user EXEC mode Step 5: Create a local user account with a username of ccna and a secret password of cisco Step 6: Change the security method used on the console port... words your default gateway R1 10.1.1.1 or R2 10.1.1.2 Page 27 Click open and enter the username ccna and password cisco Enter the command to gain access to the privilege mode and type in the secret