Wednesday, 24 November 2010

CCNA Discovery 2 chapter 5


Lab 5.1.2 Powering Up an Integrated Services Router
Step 5: Reflection
a. Is there anything about this that is risky? Answer:
Some of the risks are: static electricity problems if the router is not grounded properly, powering up the router during an electrical storm, or damage to the memory card if the card is inserted incorrectly.
b. Why do the router cover, all modules, and cover plates need to be installed?
Answer:
These parts help to ensure adequate cooling of the internal components of the router by routing air over the correct path through the router.
c. How many routers can you safely stack on top of each other?
1) 0
2) 1
3) 2
4) 3
Answer: 0

Lab 5.2.3 Configuring an ISR with SDM Express
Objectives
· Configure basic router global settings – router name, users, and login passwords – using Cisco SDM Express.
· Configure LAN and Internet connections on a Cisco ISR using Cisco SDM Express.

Background / Preparation
Cisco Router and Security Device Manager (SDM) is a Java-based web application and a device-management tool for Cisco IOS Software-based routers. The Cisco SDM simplifies router and security configuration through the use of smart wizards, which allows you to deploy, configure, and monitor a Cisco router without requiring knowledge of the command-line interface (CLI). The Cisco SDM is supported on a wide range of Cisco routers and Cisco IOS Software releases. Many newer Cisco routers come with SDM preinstalled. If you are using an 1841 router, SDM (and SDM Express) is pre-installed.
This lab assumes the use of a Cisco 1841 router. You can use another router model as long as it is capable of supporting SDM. If you are using a supported router that does not have SDM installed, you can download the latest version free of charge from the following location: http://www.cisco.com/pcgi-bin/tablebuild.pl/sdm
From the URL shown above, view or download the document “Downloading and Installing Cisco Router and Security Device Manager.” This document provides instructions for installing SDM on your router. It lists specific model numbers and IOS versions that can support SDM, and the amount of memory required.
Cisco SDM Express is a component of SDM. SDM Express automatically runs a GUI wizard that allows you to perform an initial basic configuration of a Cisco router using a browser and the web interface of the router. SDM Express will only be activated when the router is in its factory-default state. In this lab, you will use Cisco SDM Express to configure LAN and Internet connections on a Cisco ISR.
The following resources are required:
· Cisco 1841 ISR router with SDM version 2.4 installed (critical – see Note 2 in Step 1)
· Cisco 1841 ISR router configured with factory default settings and with a serial port add-in module (critical – see Notes 1 and 3 in Step 1)
· (Optional) Other Cisco router model with SDM installed
· Windows XP computer with Internet Explorer 5.5 or higher and SUN Java Runtime Environment (JRE) version 1.4.2_05 or later (or Java Virtual Machine (JVM) 5.0.0.3810). (See Note 3 in Step 1)
· Straight-through or crossover category 5 Ethernet cable
· Access to PC network TCP/IP configuration
Step 1: Configure the PC to connect to the router and then launch Cisco SDM
a. Power up the router.
b. Power up the PC.
c. Disable any popup blocker programs. Popup blockers prevent SDM Express windows from displaying.
d. Connect the PC NIC to the FastEthernet 0/0 port on the Cisco 1841 ISR router with the Ethernet cable.
NOTE: An SDM router other than the 1841 may require connection to a different port in order to access SDM.
e. Configure the IP address of the PC to be 10.10.10.2 with a subnet mask of 255.255.255.248.
f. SDM does not load automatically on the router. You must open the web browser to reach the SDM. Open the web browser on the PC and connect to the following URL: http://10.10.10.1
NOTE 1 – If browser connection to router fails: If you cannot connect and see the login screen, check your cabling and connections and make sure the IP configuration of the PC is correct. The router may have been previously configured to an address of 192.168.1.1 on the Fa0/0 interface. Try setting the IP address of the PC to 192.168.1.2 with a subnet mask of 255.255.255.0 and connect to http://192.168.1.1 using the browser. If you have difficulty with this procedure, contact your instructor for assistance.
If the startup-config is erased in an SDM router, SDM will no longer come up by default when the router is restarted. It will be necessary to build a basic router configuration using IOS commands. Refer to the procedure at the end of this lab or contact your instructor.

g.        In the Connect to dialog box, enter cisco for the username and cisco for the password. Click OK. The main SDM web application will start and you will be prompted to use HTTPS. Click Cancel. In the Security Warning window, click Yes to trust the Cisco application.
h.       In the Welcome to the Cisco SDM Express Wizard window, read the message and then click Next.
i.         Verify that you are using the latest version of SDM. The initial SDM screen that displays immediately after the login shows the current version number. It is also displayed on the main SDM screen shown below, along with IOS version. NOTE 2: If the current version is not 2.4 or higher, notify your instructor before continuing with this lab. You will need to download the latest zip file from the URL listed above and save it to the PC. From the Tools menu of the SDM GUI, use the Update SDM option to specify the location of the zip file and start the update.
NOTE 3 – If SDM Express Wizard fails to start: If you connect to the router and SDM Express starts but the SDM Express Setup Wizard shown above does not start automatically, the router may be partially configured and needs to be reset to its factory defaults. If the SDM Express main screen is displayed, choose the Reset to Factory Defaults option, repeat Steps 1a through 1e, and log in again. If the full SDM application starts (not SDM Express), choose the Reset to Factory Defaults option from the File menu on the main SDM screen, repeat Steps 1a through 1e, and log in again. If you have difficulty with this procedure, contact your instructor for assistance.
Also note that the Windows XP computer you are using must have Internet Explorer 5.5 or higher and SUN Java Runtime Environment (JRE) version 1.4.2_05 or later (or Java Virtual Machine (JVM) 5.0.0.3810). If it does not, SDM will not start. You will need to download and install JRE on the PC before continuing with the lab.
Step 2: Perform initial basic configuration
a.       In the Basic Configuration window, enter the following information. When you complete the basic configuration, click Next to continue.
·       In the Host Name field, enter CustomerRouter.
·       In the Domain Name field, enter the domain name customer.com.
·       Enter the username admin and the password cisco123 for SDM Express users and Telnet users. This password gives access to SDM locally, through the console connection, or remotely using Telnet.
·       Enter the enable secret password of cisco123. This entry creates an encrypted password that prevents casual users from entering privileged mode and modifying the configuration of the router using the CLI.
b.       From the Router Provisioning window, click the radio button next to SDM Express and then click Next.
Step 3: Configure the LAN IP address
In the LAN Interface Configuration window, choose FastEthernet0/0 from the Interface list. For interface FastEthernet 0/0, enter the IP address of 192.168.1.1 and subnet mask of 255.255.255.0. You can also enter the subnet mask information in a different format: entering a count of the number of binary digits or bits in the subnet mask, such as 255.255.255.0 or 24 subnet bits.

Step 4: De-select DHCP server
At this point, do not enable the DHCP server. This procedure is covered in a later section of this course. In the DHCP server configuration window, ensure that the Enable DHCP server on the LAN interface check box is cleared before proceeding. Click Next to continue.
Step 5: Configure the WAN interface
a.       In the WAN Configuration window, choose Serial0/0/0 interface from the list and click the Add Connection button. The Add Connection window appears.
NOTE: With the 1841 router, the serial interface is designated by 3 digits – C/S/P, where C=Controller#, S=Slot# and P=Port#. The 1841 has two modular slots. The designation Serial0/0/0 indicates that the serial interface module is on controller 0, in slot 0, and that the interface to be used is the first one (0). The second interface is Serial0/0/1. The serial module is normally installed in slot 0 but may be installed in slot 1. If this is the case, the designation for the first serial interface on the module would be Serial0/1/0 and the second would be Serial0/1/1.
b.       From the Add Serial0/0/0 Connection dialog box, choose PPP from the Encapsulation list. From the Address Type list, choose Static IP Address. Enter 209.165.200.225 for the IP address and 255.255.255.224 for the Subnet mask. Click OK to continue. Notice that this subnet mask translates to a /27, or 27 bits for the mask.
c.        Notice that the IP address that you just set for the serial WAN interface now appears in the Interface List. Click Next to continue.
d.       Enter the IP address 209.165.200.226 as the Next Hop IP Address for the Default Route. Click Next to continue.
e.        Ensure that the check box next to Enable NAT is cleared. This procedure is covered in a later section of this course. Click Next to continue.
Step 6: Enable the firewall and security settings
a. Depending on the router IOS version, the next step may be Firewall Configuration. In the Firewall Configuration window, click the radio button that enables the firewall and then click Next. The Security Configuration window appears.
b.       Leave all the default security options checked in the Security Configuration window and then click Next.
Step 7: Review and complete the configuration
a. If you are not satisfied with the Cisco SDM Express Summary, click Back to fix any changes, and then click Finish to commit the changes to the router.
b.       Click OK after reading the Reconnection Instructions. Save these instructions to a file for future reference, if desired. NOTE: Before the next time you connect, you will need to change the IP address of the PC to be compatible with the new address that you configured to FastEthernet 0/0. The Reconnection instructions are shown below.
Step 8: Reflection
a. What feature makes configuring the router easy? Answer: Using a GUI interface with the SDM Express Wizard makes configuration easy because the wizard prompts you for all the information you need to initially configure a Cisco 1841 router.
b. Summarize the steps that are configured by Cisco SDM Express. Answer:
Configure:
Name for router
Domain name for organization
New administrator username and password
Encrypted password to make modifications to configuration
Static LAN address
Static WAN address
Default gateway address
DHCP
NAT
Enable firewall protection
Enable standard security options
Save configuration


Lab 5.2.5 Configuring Dynamic NAT with SDM
Objective
·         Configure Network Address Translation (NAT) using Port Address Translation (PAT) on a Cisco ISR router with the Cisco SDM Basic NAT Wizard.

Background / Preparation
Cisco Router and Security Device Manager (SDM) is a Java-based web application and a device-management tool for Cisco IOS Software-based routers. The Cisco SDM simplifies router and security configuration through the use of smart wizards, which allows you to deploy, configure, and monitor a Cisco router without requiring knowledge of the command-line interface (CLI). The Cisco SDM is supported on a wide range of Cisco routers and Cisco IOS Software releases. Many newer Cisco routers come with SDM preinstalled. If you are using an 1841 router, SDM (and SDM Express) is pre-installed.
This lab assumes the use of a Cisco 1841 router. You can use another router model as long as it is capable of supporting SDM. If you are using a supported router that does not have SDM installed, you can download the latest version free of charge from the following location: http://www.cisco.com/pcgi-bin/tablebuild.pl/sdm
From the URL shown above, view or download the document “Downloading and Installing Cisco Router and Security Device Manager.” This document provides instructions for installing SDM on your router. It lists specific model numbers and IOS versions that can support SDM, and the amount of memory required.
Cisco SDM is the full SDM product, and SDM Express is a subset. SDM will be activated automatically when the router has been previously configured and is not in its factory default state. In this lab, you will use the Cisco SDM Basic NAT Wizard to configure Network Address Translation using a single external global IP address. This address can support connections to the Internet from many internal private addresses.
NOTE: You must complete Lab 5.2.3, “Configuring an ISR with SDM Express,” on the router to be used before performing this lab. This lab assumes that the router has been previously configured with basic settings using SDM Express.
The following resources are required.
  • Cisco 1841 ISR router with SDM version 2.4 installed and with basic configuration completed (critical – see Note 2 in Step 1)
  • (Optional) Other Cisco router model with SDM installed
  • Windows XP computer with Internet Explorer 5.5 or higher and SUN Java Runtime Environment (JRE) version 1.4.2_05 or later (or Java Virtual Machine (JVM) 5.0.0.3810).
  • Straight-through or crossover category 5 Ethernet cable
  • Access to PC network TCP/IP configuration
Step 1: Establish a connection from the PC to the router
a. Power up the router.
b. Power up the PC.
c. Disable any popup blocker programs. Popup blockers prevent SDM windows from displaying.
d. Connect the PC NIC to the FastEthernet 0/0 (Fa0/0) port on the Cisco 1841 ISR router with the Ethernet cable.
NOTE: An SDM router other than the 1841 may require connection to a different port in order to access SDM.
e. Configure the IP address of the PC to be 192.168.1.2 with a subnet mask of 255.255.255.0.
f. SDM does not load automatically on the router. You must open the web browser to reach the SDM. Open the web browser on the PC and connect to the following URL: http://192.168.1.1
NOTE 1 – If browser connection to router fails: If you cannot connect and see the login screen, check your cabling and connections and make sure the PC’s IP configuration is correct. If the router was not previously configured, it may still be in the default state with an IP address of 10.10.10.1 on the Fa0/0 interface. Try setting the IP address of the PC to 10.10.10.2 with a subnet mask of 255.255.255.248 and connect to http://10.10.10.1 using the browser. If you have difficulty with this procedure, contact your instructor for assistance.
SDM Routers - If the startup-config is erased in an SDM router, SDM will no longer come up by default when the router is restarted. It will be necessary to build a basic router configuration using IOS commands. Refer to the procedure at the end of this lab or contact your instructor.
g. In the Connect to dialog box, enter admin for the username and cisco123 for the password. These were configured in the previous lab. Click OK. The main SDM web application will start and you will be prompted to use HTTPS. Click Cancel. In the Security Warning window, click Yes to trust the Cisco application.
h. Verify that you are using the latest version of SDM. The initial SDM screen that displays immediately after the login shows the current version number. It is also displayed on the main SDM screen shown below, along with IOS version.
NOTE 2: If the current version is not 2.4 or higher, notify your instructor before continuing with this lab. You will need to download the latest zip file from the URL listed above and save it to the PC. From the Tools menu of the SDM GUI, use the Update SDM option to specify the location of the zip file and install the update.
Step 2: Configure SDM to show Cisco IOS CLI commands.
a.       From the Edit menu in the main SDM window, select Preferences.
b.       Check the Preview commands before delivering to router check box. With this check box checked, you can see the Cisco IOS CLI commands that you will use to perform a configuration function on the router before these commands are sent to the router. You can learn about Cisco IOS CLI commands this way.
Step 3: Launch the Basic NAT Wizard
a.       From the Configure menu, click the NAT button to view the NAT configuration page. Click the Basic NAT radio button and then click Launch the selected task.
b.       In the Welcome to the Basic NAT Wizard window, click Next.
Step 4: Select the WAN interface for NAT
a.       Choose the WAN interface Serial0/0/0 from the list. Check the box for the IP address range that represents the internal network of 192.168.1.0 to 192.168.1.255. This is the range that requires conversion using the NAT process.
b.       Click Next and, once you have read the Summary of the Configuration, click Finish.
c.        In the Deliver Configuration to Router window, review the CLI commands that were generated by the Cisco SDM. These are the commands that will be delivered to the router to configure NAT. The commands can also be manually entered from the CLI to accomplish the same task. Check the box for Save running config. to router’s startup config. NOTE: By default, the commands that you just generated will only update the router’s running configuration file when delivered. If the router is restarted, the changes you made will be lost. Checking this box will update the startup config file as well, and when the router is restarted, it will load the new commands into the running config.
If you choose to not save the commands to the startup config at this time, use the File > Write to Startup config option in SDM or use the copy running-config startup-config command from the CLI using a terminal or Telnet session.
d.       Click Deliver to finish configuring the router.
e.        In the Commands Delivery Status window, notice the text that says that the running config was successfully copied to the startup config. Click OK to exit the Basic NAT wizard.
f. The final NAT screen shows that the Inside Interface is Fa0/0 and the outside interface is S0/0/0. The internal private (Original) addresses will be translated dynamically to the external public address.
Step 5: Reflection
a. If a PC or a LAN within your organization does not require Internet access, what do you think would be one way to stop the PC from gaining access to the Internet? Answer:
Suggested answer: Remove the IP address of that PC or that network from the list of networks to be converted by NAT.

b. Consider the skills that you need to configure NAT using Cisco IOS CLI commands. What do you think the benefits and disadvantages are to using the Cisco SDM? Answer:
Suggested answer: Cisco SDM lets you configure router functions quickly and easily. Because Cisco SDM hides the CLI commands, it would be hard to learn what the CLI commands and the command uses are. Because you can configure Cisco SDM to show you the Cisco IOS CLI commands, you can learn about the commands as you use Cisco SDM.

c. Why do you think that the default, after the commands have been generated, is to only update the router’s running configuration file when delivered? Why not always update the startup config file as well? What are the advantages and disadvantages of one over the other? Answer:
If changes are made to the running config and they result in problems or do not produce the desired result, it might be useful to be able to just restart the router and have it revert back to its original state based on the startup config. The disadvantage of not updating the startup config file at the same time in SDM is that you must remember to do it later or the changes will be lost when the router is restarted.

Lab 5.3.5 Configuring Basic Router Settings with IOS CLI
Step 1: Configure host IP settings
a. Make sure that the PCs are connected according to the topology diagram.
b. Configure static IP addresses on them as follows.
Step 2: Log in to each router and configure a host name and password
c. Configure a host name for each of the two routers. Repeat this process for router R2.
d. Configure a console password and enable login for each of the two routers. Repeat this process for router R2.
e. Configure the password on the virtual terminal lines for each of the two routers. Repeat this process for router R2.
f. Configure the enable and enable secret passwords for each of the two routers.
Step 3: Show the router running configuration
a. From the privileged EXEC prompt, issue the show running-config command. This command can be abbreviated as sh run.
b. Is there an encrypted password? Answer: yes
c. Are there any other passwords? Answer: yes
d. Are any of the other passwords encrypted? Answer: no
Step 4: Configure the serial interface on R1
Step 5: Display information about the serial interface on R1
a. Enter the show interface command on R1. Refer to the router interface summary chart.
b. List at least three details discovered by issuing this command.
Serial 0/0 is: down
Line protocol is: down
Internet address is: 172.17.0.1/16.
Encapsulation: HDLC
To what OSI layer is the encapsulation referring? Data Link
c. If the serial interface was configured, why did the show interface serial 0/0 say that the interface is down?
Answer: The other end of the serial link has not been configured.
Step 6: Configure the serial interface on R2
Step 7: Display information about the serial interface on R2
a. Enter the show interface command on R1. Refer to the router interface summary chart.
b. List at least three details discovered by issuing this command.
Serial 0 is: up
Line protocol is: up
Internet address is: 172.17.0.1/16.
Encapsulation: HDLC
To what OSI layer is the encapsulation referring? Data Link
c. Why did the show interface serial 0/0 say that the interface is up? Answer: Both ends of the serial link have now been configured.
Step 8: Verify that the serial connection is functioning
a. Use the ping command to test connectivity to the other router. From R1, ping the R2 router serial interface.
Does the ping work? Answer: yes
b. From R2, ping the R1 router serial interface.
Does the ping work? Answer: yes
c. If the answer is no for either question, troubleshoot the router configuration to find the error. Then ping the interface again until the answer to both questions is yes.
Step 9: Configure the FastEthernet interface on R1
Step 10: Display information about the FastEthernet interface on R1
a. Enter the show interface command on R1. Refer to the router interface summary chart.
b. List at least three details discovered by issuing this command.
FastEthernet 0 is: up
Line protocol is: up
Internet address is: 172.16.0.1/16.
Encapsulation: ARPA
To what OSI layer is the encapsulation referring? Data Link
c. Why did the show interface FastEthernet 0/0 say that the interface is up? Answer: The cable from FastEthernet 0/0 is attached to the switch, so there is a valid link connection.
Step 11: Configure the FastEthernet interface on R2
Step 12: Display information about the FastEthernet interface on R2
a. Enter the show interface FastEthernet 0/0 command on R1. Refer to the router interface summary chart.
b. List at least three details discovered by issuing this command.
FastEthernet 0/0 is: up
Line protocol is: up
Internet address is: 172.18.0.1/16.
Encapsulation: ARPA (default Ethernet)
To what OSI layer is the encapsulation referring? Data Link
c. Why did the show interface FastEthernet 0/0 say that the interface is up? Answer: The cable from FastEthernet 0/0 is attached directly to the PC NIC with a crossover cable, so there is a valid link connection.
Step 13: Save the configuration on both routers
Step 14: Check the overall router configurations
Step 15: Verify that the FastEthernet connection is functioning
a. Open a command prompt window.
b. Use the ping command to test connectivity.
Does the ping work? Answer: yes
c. From PC1, ping the R2 router FastEthernet interface.
Does the ping work? Answer: yes
d. If the answer is no for either question, troubleshoot the router configuration to find the error. Then ping the interface again until the answer to both questions is yes.
Step 16: (Optional challenge) Test connectivity
a. From PC1, ping the R1 router FastEthernet interface (default gateway).
Does the ping work? Answer: yes
b. From the PC1 command prompt, use the ping command to test end-to-end connectivity from PC1.
Does the ping work? Answer: no
Step 17: (Optional challenge) Configure static and default routes




Lab 5.3.8 Configuring NAT and DHCP with IOS CLI
Objectives
· Configure a customer router and host for DHCP.
· Configure a customer premise router for overloaded NAT, also known as Port Address Translation (PAT).
·       Verify DHCP and NAT translations from within the customer network to ISP.

Background / Preparation
Set up a network similar to the one shown in the topology diagram. Any router that meets the interface requirements displayed in that diagram – such as 800, 1600, 1700, 1800, 2500, and 2600 routers, or a combination – may be used. Refer to the Router Interface Summary table at the end of the lab to correctly determine the interface identifiers to be used, based on the equipment in the lab. Depending on the router model, output may vary somewhat from that shown in this lab. The steps in this lab are intended to be executed on each router unless you are specifically instructed otherwise.
The following resources are required:
· Two routers, one with an Ethernet and Serial interface and the other with a Serial interface
· One Windows XP computer
· Straight-through Category 5 Ethernet cable (PC1 to switch)
· Null serial cable
· Console cables (from PC 1 to routers R1 and R2)
· Access to the PC command prompt
· Access to PC network TCP/IP configuration
From the PC, start a HyperTerminal session with the router.
NOTE: Go to the “Erasing and reloading the router” instructions at the end of this lab. Perform those steps on all routers in this lab assignment before continuing.
NOTE: SDM Routers - If the startup-config is erased in an SDM router, SDM will no longer come up by default when the router is restarted. It will be necessary to build a basic router configuration using IOS commands. Refer to the procedure at the end of this lab or contact your instructor.
Step 1: Cable and configure the routers
  1. Based on the topology diagram, connect the PC, switch, and routers using the appropriate cabling.
  2. Configure each router with the following parameters: hostname, console access and password, vty access and password, and enable secret password. If necessary, refer to Lab 5.3.5, “Configuring Basic Router Settings with IOS CLI,” for instructions on setting hostname, passwords, and interface addresses.
  3. Configure the router interfaces with the appropriate IP address and mask. Make sure that the interfaces are in usable condition and can ping a directly connected interface or host.
  4. Configure the ISP router with a loopback address to be used to test the customer router. The loopback address represents a distant network.
ISP(config)#interface loopback 0
ISP(config-if)#ip address 209.165.200.1 255.255.255.224


Step 2: Configure a default route on the customer router
a. On the customer router, configure a default route pointing toward the ISP. All packets destined for networks that are not in the customer routing table are forwarded to the ISP router, which has a much larger routing table and connections to other Internet providers. Notice how this default route uses the neighbor router IP address as the last number.
Customer(config)#ip route 0.0.0.0 0.0.0.0 209.165.200.226
b. Why is a default route not used on the ISP? Answer: A default route on the ISP router would be a bad configuration if it pointed toward a customer site. Any routes not found in the ISP routing table would be automatically sent to the customer router. Of course, the customer router would not know what to do with the packet and would send the packet to the default route of the customer router, which is the ISP. A routing loop would occur.
Step 3: Configure and test the DHCP pool
a. On the customer router, configure a DHCP pool for the internal clients.
Customer(config)#ip dhcp excluded-address 192.168.1.1
Customer(config)#ip dhcp pool INTERNAL
Customer(dhcp-config)#network 192.168.1.0 255.255.255.0
Customer(dhcp-config)#domain-name abc-xyz-widgets.inc
Customer(dhcp-config)#default-router 192.168.1.1
b. On the customer host PC, click Start > Control Panel > Network Connections to verify that the NIC is configured for DHCP. If necessary, open a command prompt and issue the ipconfig /release and ipconfig /renew commands.
c. On the customer host PC, open a command prompt. Click Start > Run, and then type cmd and press Enter. Alternatively, click Start > All Programs > Accessories > Command Prompt. Issue the ipconfig /all command.
d. What IP address is issued to the PC? 192.168.1.2 is usually issued.
e. What is the MAC address of the host PC?
f. From the host PC, ping the default gateway (the router Ethernet interface). Does the ping succeed? Yes. Troubleshoot as necessary and do not proceed until the ping is successful.
Step 4: Display DHCP binding on the customer router
a. To see the IP address and host hardware (MAC) address combination assigned by the DHCP server in the router, issue the show ip dhcp binding command on the customer router.
Customer#show ip dhcp binding
IP address       Client-ID/              Lease expiration        Type
                 Hardware address
192.168.1.2      0100.0bdb.04a5.cd       May 26 2007 11:19 AM    Automatic
b. Do the IP address and Hardware address displayed match those recorded for the host PC in Step 3?
Answer: Yes. Note that the router adds Hex 01 to the beginning of the host physical (MAC) address. The remaining 12 digits should match the host PC MAC.
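The Client-ID check from this step, as an added example in Python (not part of the lab): it parses the binding row shown above, strips the 01 hardware-type byte from the Client-ID, and compares the remaining 12 hex digits with the MAC that ipconfig /all prints for the host. The router output and the ipconfig line are constructed from the values in this lab; the function names are my own.

```python
"""Match a 'show ip dhcp binding' row against the host's MAC address.

Added example, not the lab's own code.  The Client-ID column is the
hardware-type byte 0x01 (Ethernet) followed by the 12-hex-digit MAC in
Cisco's dotted notation; 'ipconfig /all' prints the same MAC as
hyphen-separated octets.  Sample data below is constructed from Step 4.
"""
import re

# Constructed from the router output shown in Step 4 of the lab.
SHOW_IP_DHCP_BINDING = """\
IP address       Client-ID/              Lease expiration        Type
                 Hardware address
192.168.1.2      0100.0bdb.04a5.cd       May 26 2007 11:19 AM    Automatic
"""

# Constructed 'Physical Address' line as printed by ipconfig /all on the host.
IPCONFIG_LINE = "        Physical Address. . . . . . . . . : 00-0B-DB-04-A5-CD"

# One binding row: IP, dotted-hex client-id, free-text lease expiry, type.
BINDING_RE = re.compile(
    r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<client_id>[0-9a-fA-F]{4}(?:\.[0-9a-fA-F]{2,4})+)\s+"
    r"(?P<lease>.+?)\s+(?P<type>Automatic|Manual|Static)\s*$"
)


def parse_bindings(output: str) -> list[dict]:
    """Return one dict per binding row; the two header lines are skipped."""
    rows = []
    for line in output.splitlines():
        m = BINDING_RE.match(line)
        if m:
            rows.append(m.groupdict())
    return rows


def client_id_to_mac(client_id: str) -> str:
    """Convert '0100.0bdb.04a5.cd' to '00-0B-DB-04-A5-CD'.

    The router stores the client identifier as hardware type (01 = Ethernet)
    plus the MAC, so the first byte is dropped before comparing with the host.
    """
    digits = client_id.replace(".", "").lower()
    if len(digits) != 14:
        raise ValueError(f"unexpected client-id length: {client_id}")
    if digits[:2] != "01":
        raise ValueError(f"not an Ethernet client-id: {client_id}")
    mac = digits[2:]
    return "-".join(mac[i:i + 2] for i in range(0, 12, 2)).upper()


def ipconfig_mac(line: str) -> str:
    """Pull the MAC out of the 'Physical Address' line of ipconfig /all."""
    m = re.search(r"([0-9A-Fa-f]{2}(?:-[0-9A-Fa-f]{2}){5})", line)
    if not m:
        raise ValueError("no MAC address found in ipconfig line")
    return m.group(1).upper()


def binding_matches_host(output: str, host_mac: str, host_ip: str) -> bool:
    """True if the router holds a lease for host_ip bound to host_mac."""
    for row in parse_bindings(output):
        if row["ip"] == host_ip and client_id_to_mac(row["client_id"]) == host_mac.upper():
            return True
    return False


if __name__ == "__main__":
    for row in parse_bindings(SHOW_IP_DHCP_BINDING):
        print(row["ip"], client_id_to_mac(row["client_id"]), row["type"])
    host = ipconfig_mac(IPCONFIG_LINE)
    print("binding matches host:", binding_matches_host(SHOW_IP_DHCP_BINDING, host, "192.168.1.2"))
```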
Step 5: Configure NAT/PAT
a. On the customer router, use the access-list command to identify the addresses that need to be translated. The network number is stated, but instead of a normal mask that usually comes next, a wildcard mask is used (0.0.0.255).
Customer(config)#access-list 1 permit 192.168.1.0 0.0.0.255
b. On the customer router, define where NAT looks for the IP addresses it needs to translate (source list 1 refers to access list 1 that you just created). Also define which interface IP address to use as the real address for each packet that comes through the FastEthernet interface destined for the Serial interface. The overload parameter at the end of the command shown below means that the serial port IP address is used and that port numbers are used to track the packets. Approximately 4,000 addresses can realistically be translated using this method, even though it is technically possible to translate even more.
Customer(config)#ip nat inside source list 1 interface serial 0/0 overload
c. Apply NAT to the inside and outside interfaces.
Customer(config)#interface serial 0/0
Customer(config-if)#ip nat outside
Customer(config-if)#exit
Customer(config)#interface fastethernet 0/0
Customer(config-if)#ip nat inside
Customer(config-if)#end

Step 6: Test NAT/PAT
  a. From the host PC command prompt, ping the ISP router loopback address.
ping 209.165.200.1
  b. Was the ping successful? Yes. If not, perform appropriate troubleshooting.
  c. On the customer router, issue the command to verify the NAT translation.
Customer#show ip nat translation
Pro  Inside global          Inside local        Outside local        Outside global
icmp 209.165.200.225:512   192.168.1.2:512     209.165.200.1:512    209.165.200.1:512
  d. List the following IP addresses:
What is the inside global IP address shown? Answer: 209.165.200.225:xxxx (where the x's are a port number)
What is the inside local IP address shown? Answer: 192.168.1.2:xxxx (where the x's are a port number)
What is the outside local IP address shown? Answer: 209.165.200.1:xxxx (where the x's are a port number)
What is the outside global IP address shown? Answer: 209.165.200.1:xxxx (where the x's are a port number)
  e. On the ISP router, configure the router to show all ICMP packets that come into the router.
ISP#debug ip icmp
ICMP packet debugging is on
  f. From the host PC command prompt, issue a continuous ping.
ping 209.165.200.1 -t
  g. On the ISP router, notice the debug output.
ISP#
00:49:10: ICMP: echo reply sent, src 209.165.200.1, dst 209.165.200.225
00:49:11: ICMP: echo reply sent, src 209.165.200.1, dst 209.165.200.225
00:49:12: ICMP: echo reply sent, src 209.165.200.1, dst 209.165.200.225
00:49:13: ICMP: echo reply sent, src 209.165.200.1, dst 209.165.200.225
00:49:14: ICMP: echo reply sent, src 209.165.200.1, dst 209.165.200.225
00:49:15: ICMP: echo reply sent, src 209.165.200.1, dst 209.165.200.225
00:49:16: ICMP: echo reply sent, src 209.165.200.1, dst 209.165.200.225
  h. What is the source IP address of the ICMP reply? Answer: 209.165.200.1
  i. What is the destination IP address of the ICMP reply? Answer: 209.165.200.225
  j. Does this debug prove or disprove the fact that internal IP addresses are hidden, and how can you tell? Answer: It proves that NAT is working, because no private IP address is shown in the debug; only an IP address from the NAT pool is shown.
  k. On the host PC, stop the ping by pressing CTRL-X.
  l. On the ISP router, stop the debug process. Note that it takes a few moments for the router output to stop displaying.
ISP#undebug all

Step 7: Clear NAT Translations
  a. From the customer host PC command prompt, open a Telnet session to the ISP router.
telnet 209.165.200.226
This Telnet session will create another translation on the customer router.
  b. On the customer router, issue the command to verify the NAT translation.
Customer#show ip nat translation
Pro  Inside global          Inside local        Outside local        Outside global
tcp  209.165.200.225:1297  192.168.1.2:1297    209.165.200.226:23   209.165.200.226:23
The port number on the inside addresses may be different, because source port numbers are randomly generated.
  c. Close the command window on the customer host PC to terminate the Telnet session.
  d. On the customer router, issue the command to verify the NAT translation.
  e. Is the translation for the customer host PC still active on the customer router? Yes. NAT translations remain active for different periods of time, depending on the type of translation. TCP NAT translations can remain active for up to 24 hours by default. Port translations have shorter time limits, but can still remain active for minutes, even hours, after the session between the two hosts has timed out. The default timeouts for UDP range from 1 minute to 5 minutes. For more information on NAT timeouts, view the Cisco IOS Network Address Translation Overview white paper on the Cisco.com website.
http://cisco.com/en/US/tech/tk648/tk361/technologies_white_paper09186a0080091cb9.shtml
  f. On the customer router, issue the command to clear all NAT translations active in the router.
Customer#clear ip nat translation *
Verify that the translation for the customer host PC is no longer active on customer router.
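The following model of the PAT behaviour configured in Steps 5 through 7 is an added example, not part of the lab. It uses the lab's addresses and the default TCP and UDP timeouts quoted in Step 7; the ICMP timeout value and the port-collision rule are assumptions, and the inbound check shows why an inside host cannot be reached from the outside without a matching translation.

```python
import ipaddress

# Values from the lab: access-list 1 selects the inside network, and the overload
# keyword makes every translation use the Serial0/0 address plus a unique port.
INSIDE_NET = ipaddress.ip_network("192.168.1.0/24")   # access-list 1 permit 192.168.1.0 0.0.0.255
OVERLOAD_ADDR = "209.165.200.225"                      # Serial0/0 address on the customer router
# Default timeouts quoted in Step 7 (TCP 24 h, UDP up to 5 min); the ICMP value is an assumption
TIMEOUTS = {"tcp": 24 * 3600, "udp": 5 * 60, "icmp": 60}


class PatTable:
    """Port Address Translation as configured by
    'ip nat inside source list 1 interface serial 0/0 overload'."""

    def __init__(self):
        # (proto, inside-global port) -> {"inside_local": (ip, port), "outside": (ip, port), "expires": t}
        self.entries = {}

    def _free_port(self, proto, wanted):
        """Keep the host's own source port when it is free, otherwise take the next free one (assumption)."""
        port = wanted
        while (proto, port) in self.entries:
            port = port % 65535 + 1
        return port

    def _expire(self, now):
        self.entries = {k: e for k, e in self.entries.items() if e["expires"] > now}

    def outbound(self, proto, src_ip, src_port, dst_ip, dst_port, now):
        """Packet from the 'ip nat inside' interface towards the 'ip nat outside' interface.
        Returns the (source ip, source port) the packet leaves Serial0/0 with."""
        self._expire(now)
        if ipaddress.ip_address(src_ip) not in INSIDE_NET:
            return (src_ip, src_port)              # not permitted by access-list 1: left untranslated
        for (p, gport), e in self.entries.items():  # reuse a matching translation and refresh its timer
            if p == proto and e["inside_local"] == (src_ip, src_port) and e["outside"] == (dst_ip, dst_port):
                e["expires"] = now + TIMEOUTS[proto]
                return (OVERLOAD_ADDR, gport)
        gport = self._free_port(proto, src_port)
        self.entries[(proto, gport)] = {"inside_local": (src_ip, src_port),
                                        "outside": (dst_ip, dst_port),
                                        "expires": now + TIMEOUTS[proto]}
        return (OVERLOAD_ADDR, gport)

    def inbound(self, proto, src_ip, src_port, dst_port, now):
        """Packet arriving on Serial0/0 addressed to the overload address.
        Returns the inside-local (ip, port) it is forwarded to, or None if it is dropped:
        without a matching translation an inside host is not reachable from outside."""
        self._expire(now)
        e = self.entries.get((proto, dst_port))
        if e is None or e["outside"] != (src_ip, src_port):
            return None
        e["expires"] = now + TIMEOUTS[proto]
        return e["inside_local"]

    def show(self):
        """Rows in the column order of 'show ip nat translation': Pro, Inside global, Inside local,
        Outside local, Outside global (the last two are equal because no outside NAT is configured)."""
        rows = []
        for (proto, gport), e in sorted(self.entries.items()):
            il, out = e["inside_local"], e["outside"]
            rows.append(f"{proto} {OVERLOAD_ADDR}:{gport} {il[0]}:{il[1]} {out[0]}:{out[1]} {out[0]}:{out[1]}")
        return rows

    def clear(self):
        """Equivalent of 'clear ip nat translation *'."""
        self.entries.clear()
```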

Step 8: Reflection
  a. What would be an advantage of using the NAT method shown in this lab over a static configuration as shown in the curriculum? Answer: One advantage is that more hosts can automatically be NAT'ed without having to configure static translations for each one.
  b. List an instance of when a company might not use NAT/PAT. Answer: When a company has devices that must have untranslated IP addresses, such as Web or DNS servers.

Lab 5.4.2 Powering Up a Switch

Step 1: Position and ground the switch (Optional)
Step 2: Connect the computer to the switch
Step 3: Configure the PC terminal emulation program
Step 4: Power up the switch
Step 5: Troubleshoot a non-working switch
Step 6: Reflection

a. Which LED shows after the POST completes successfully and what color does it show?
  • Status LED blinks green
  • Speed LED blinks green
  • Status LED blinks amber
  • System LED is solid green
Answer: System LED is solid green

b. What is the minimum amount of space required around the Cisco 2960 switch ventilation openings?
  • 1 inch (2.54 cm)
  • 2 inches (5.08 cm)
  • 3 inches (7.6 cm)
Answer: 3 inches (7.6 cm)

Lab 5.4.4 Configuring the Cisco 2960 Switch
 Objectives
·  Configure initial switch global settings.
·  Configure host PCs and attach them to the switch.
·  Configure a router and attach it to the switch.
·  Configure a switch management VLAN IP address.
·  Configure basic port security.
·  Configure port duplex and speed settings.
Background / Preparation
This lab focuses on the basic configuration of the Cisco 2960 switch using Cisco IOS commands. The information in this lab applies to other switches; however, command syntax may vary. The Cisco Catalyst 2960 switch comes preconfigured and only needs to be assigned basic security information before being connected to a network. To use an IP-based management product or Telnet with a Cisco switch, you must configure a management IP address.
In this lab, you will configure VLAN 1 to provide IP access to management functions. You will also test connectivity from a host to the switch to verify the management IP address. In addition, you will configure port security, port speed, and duplex settings.
The following resources are required:
·         Cisco 2960 switch or other comparable switch
·         Router with Ethernet interface to connect to switch
·         Three Windows-based PCs, one with a terminal emulation program
·         RJ-45-to-DB-9 connector console cable
·         Three straight-through Ethernet cables
·         Access to the PC command prompt
·         Access to PC network TCP/IP configuration
NOTE: Go to the “Erasing and Reloading the Switch” instructions at the end of this lab. Perform those steps on the switch in this lab assignment before continuing.
NOTE: Go to the “Erasing and reloading the router” instructions at the end of this lab. Perform those steps on all routers in this lab assignment before continuing.
NOTE: SDM Routers - If the startup-config is erased in an SDM router, SDM will no longer come up by default when the router is restarted. It will be necessary to build a basic router configuration using IOS commands. Refer to the procedure at the end of this lab or contact your instructor.
Step 1: Connect the hosts to the switch and configure them.
a.       Connect Host-A to Fast Ethernet switch port Fa0/1, and connect Host-B to port Fa0/4. Configure the hosts to use the same IP subnet for the address and mask as on the switch, as shown in the topology diagram above.
b.       Do NOT connect Host-C to the switch yet.

Step 2: Connect the router to the switch and configure the router.
NOTE: If necessary, refer to Lab 5.3.5, “Configuring Basic Router Settings with IOS CLI,” for instructions on setting hostname, passwords, and interface addresses.
Connect the router to Fast Ethernet switch port Fa0/3.
Configure router with a hostname of CustomerRouter.
Configure console access and password, vty access and password, and enable secret password.
Configure the router Fa0/0 interface as shown in the topology diagram above.

Step 3: Perform an initial configuration on the switch.
a.       Configure the hostname of the switch as CustomerSwitch:

Switch#configure terminal
Switch(config)#hostname CustomerSwitch
b.       Set the privileged EXEC mode password to cisco:
CustomerSwitch(config)#enable password cisco
c.       Set the privileged EXEC mode secret password to cisco123:
CustomerSwitch(config)#enable secret cisco123
d.       Set the console password to cisco123:
CustomerSwitch(config)#line console 0
CustomerSwitch(config-line)#password cisco123
e.       Configure the console line to require a password at login:
CustomerSwitch(config-line)#login
f.       Set the vty password to cisco123:
CustomerSwitch(config-line)#line vty 0 15
CustomerSwitch(config-line)#password cisco123
g.       Configure the vty lines to require a password at login:
CustomerSwitch(config-line)#login
CustomerSwitch(config-line)#end

Step 4: Configure the management interface on VLAN 1.
  a. Enter global configuration mode. Remember to use the new password.
CustomerSwitch>enable
CustomerSwitch#configure terminal
  b. Enter interface configuration mode for VLAN 1:
CustomerSwitch(config)#interface vlan 1
  c. Set the IP address, subnet mask, and default gateway for the management interface. The IP address must be valid for the local network where the switch is installed.
CustomerSwitch(config-if)#ip address 192.168.1.5 255.255.255.0
CustomerSwitch(config-if)#exit
CustomerSwitch(config)#ip default-gateway 192.168.1.1
CustomerSwitch(config)#end

Step 5: Verify configuration of the switch.
Verify that the IP address of the management interface on the switch VLAN 1 and the IP address of Host-A are on the same local network. Use the show running-config command to check the IP address configuration of the switch:
CustomerSwitch#show running-config
Building configuration...
Current configuration : 1283 bytes
!
version 12.2
no service pad
hostname CustomerSwitch
!
enable secret 5 $1$XUe/$ch4WQ/SpcFCDd2iqd9bda/
!
interface FastEthernet0/1
!
*** Output Omitted ***
!
interface FastEthernet0/24
!
interface Vlan1
ip address 192.168.1.5 255.255.255.0
no ip route-cache
!
ip default-gateway 192.168.1.1
ip http server
!
line con 0
password cisco123
login
line vty 0 4
password cisco123
login
line vty 5 15
password cisco123
login
!
end
b. Save the configuration using the following command:
CustomerSwitch#copy running-config startup-config

Step 6: Verify connectivity using ping and Telnet.
  1. To verify that the switch and router are correctly configured, ping the router Fa0/0 interface (default gateway) IP address from the switch CLI.
  2. Were the pings successful? Answer: Yes
  3. To verify that the hosts and switch are correctly configured, ping the switch IP address from Host-A.
  4. Were the pings successful? Answer: Yes
  5. If the ping is not successful, verify the connections and configurations again. Check to ensure that all cables are correct and that connections are seated. Check the host, switch, and router configurations.
  6. Open a command prompt on Host-A, and enter the telnet command followed by the IP address assigned to switch management VLAN 1.
  7. Enter the vty password configured in Step 3. What was the result? Answer: Gained remote IP access to the switch CLI.
  8. At the switch prompt, issue the show version command.
CustomerSwitch>show version
Cisco IOS Software, C2960 Software (C2960-LANBASE-M), Version 12.2(0.0.16)FX, CISCO
DEVELOPMENT TEST VERSION
Copyright (c) 1986-2005 by Cisco Systems, Inc.
Compiled Tue 17-May-05 01:43 by yenanh
ROM: Bootstrap program is C2960 boot loader

BOOTLDR: C2960 Boot Loader (C2960-HBOOT-M), Version 12.2 [lqian-flo_pilsner 100]
Switch uptime is 3 days, 20 hours, 8 minutes
System returned to ROM by power-on
System image file is "flash:c2960-lanbase-mz.122-0.0.16.FX.bin"
cisco WS-C2960-24TC-L (PowerPC405) processor with 61440K/4088K bytes of memory.
Processor board ID FHH0916001J
Last reset from power-on
Target IOS Version 12.2(25)FX
1 Virtual Ethernet interface
24 FastEthernet interfaces
2 Gigabit Ethernet interfaces
The password-recovery mechanism is enabled.
64K bytes of flash-simulated non-volatile configuration memory.
Base ethernet MAC Address : 00:0B:FC:FF:E8:80
Motherboard assembly number : 73-9832-02
Motherboard serial number : FHH0916001J
Motherboard revision number : 01
System serial number : FHH0916001J
Hardware Board Revision Number : 0x01
Switch Ports Model SW Version SW Image
------ ----- ----- ---------- ----------
* 1 26 WS-C2960-24TC-L 12.2(0.0.16)FX C2960-LANBASE-M
Configuration register is 0xF
  9. What is the Cisco IOS version of this switch? Answer: 12.2(25)FX
  10. Type quit at the switch command prompt to terminate the Telnet session.

Step 7: Determine which MAC addresses that the switch has learned.
  a. From the Windows command prompt, determine the Layer 2 (MAC) address of the network interface card of each host by using the ipconfig /all command.
Host-A:
Host-B:
Host-C:
  b. Determine which MAC addresses the switch has learned by using the show mac-address-table command at the privileged EXEC mode prompt:
CustomerSwitch#show mac-address-table
Mac Address Table
-------------------------------------------
Vlan Mac Address Type Ports
---- ----------- -------- -----
All 000b.be7f.ed40 STATIC CPU
All 0100.0ccc.cccc STATIC CPU
All 0100.0ccc.cccd STATIC CPU
All 0100.0cdd.dddd STATIC CPU
1 000b.db04.a5cd DYNAMIC Fa0/1

1 000c.3076.8380 DYNAMIC Fa0/3
1 000d.1496.36ad DYNAMIC Fa0/4
Total Mac Addresses for this criterion: 7
  c. How many dynamic addresses are there? Answer: Three (Host-A, Host-B, and the router)
  d. Do the MAC addresses match the host MAC addresses? Answer: They should.
  e. Review the options that the mac-address-table command has by using the ? option:
CustomerSwitch(config)#mac-address-table ?
address address keyword
aging-time aging-time keyword
count count keyword
dynamic dynamic entry type
interface interface keyword
multicast multicast info for selected wildcard
notification MAC notification parameters and history table
static static entry type
vlan VLAN keyword
| Output modifiers
<cr>
  f. Set up a static MAC address on Fast Ethernet interface 0/4. Use the address that was recorded for Host-B in Step 7. The MAC address XXXX.YYYY.ZZZZ is used in the example statement only.
CustomerSwitch(config)#mac-address-table static XXXX.YYYY.ZZZZ interface fastethernet 0/4 vlan 1
  g. Verify the MAC address table entries:
CustomerSwitch#show mac-address-table
Mac Address Table
-------------------------------------------
Vlan Mac Address Type Ports
---- ----------- -------- -----
All 000b.be7f.ed40 STATIC CPU
All 0100.0ccc.cccc STATIC CPU
All 0100.0ccc.cccd STATIC CPU
All 0100.0cdd.dddd STATIC CPU
1 000b.db04.a5cd DYNAMIC Fa0/1
1 000c.3076.8380 DYNAMIC Fa0/3
1 000d.1496.36ad STATIC Fa0/4
  h. How many total MAC addresses are there now? Answer: 3
  i. What type are they? Answer: Two dynamic (Fa0/1 and Fa0/3) and one static (Fa0/4). The other static addresses are assigned to the switch CPU internally.
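Matching the MAC addresses the lab asks you to compare by eye (the DHCP binding in Step 4 of the NAT lab, and the mac-address-table rows against the hosts' ipconfig output in Step 7 here) can be done mechanically. The code below is an added example, not part of the lab: the show-command output is copied from this page, while the host-name-to-MAC mapping is constructed for the example.

```python
import re

# Sample output copied from this page's show commands (DHCP binding from the NAT lab, Step 4;
# MAC table from Step 7 of the switch lab)
DHCP_BINDING = """\
IP address        Client-ID/Hardware address   Lease expiration        Type
192.168.1.2       0100.0bdb.04a5.cd            May 26 2007 11:19 AM    Automatic
"""
MAC_TABLE = """\
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
All     000b.be7f.ed40    STATIC      CPU
All     0100.0ccc.cccc    STATIC      CPU
1       000b.db04.a5cd    DYNAMIC     Fa0/1
1       000c.3076.8380    DYNAMIC     Fa0/3
1       000d.1496.36ad    DYNAMIC     Fa0/4
Total Mac Addresses for this criterion: 7
"""
# Constructed for this example: host names mapped to the MAC as printed by ipconfig /all
HOSTS = {"Host-A": "00-0B-DB-04-A5-CD", "Host-B": "00-0D-14-96-36-AD", "Router": "00-0C-30-76-83-80"}


def normalize_mac(text):
    """Reduce any format seen in the lab to 12 lowercase hex digits: ipconfig 00-0B-DB-04-A5-CD,
    Cisco dotted 000b.db04.a5cd, or a DHCP client-ID 0100.0bdb.04a5.cd, whose leading 01
    (the Ethernet hardware type the router prepends) is stripped."""
    digits = re.sub(r"[^0-9a-fA-F]", "", text).lower()
    if len(digits) == 14 and digits.startswith("01"):
        digits = digits[2:]
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a MAC address: {text!r}")
    return digits


def cisco_dotted(text):
    """Render a MAC the way show mac-address-table prints it."""
    d = normalize_mac(text)
    return f"{d[0:4]}.{d[4:8]}.{d[8:12]}"


def parse_dhcp_binding(output):
    """IP -> normalized MAC for each lease in 'show ip dhcp binding' output."""
    leases = {}
    for line in output.splitlines():
        m = re.match(r"\s*(\d+\.\d+\.\d+\.\d+)\s+(\S+)", line)
        if m and m.group(2).startswith("01"):
            leases[m.group(1)] = normalize_mac(m.group(2))
    return leases


def parse_mac_table(output):
    """normalized MAC -> (type, port) from 'show mac-address-table', skipping the switch's own CPU entries."""
    table = {}
    for line in output.splitlines():
        m = re.match(r"\s*\S+\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+(STATIC|DYNAMIC)\s+(\S+)", line)
        if m and m.group(3) != "CPU":
            table[normalize_mac(m.group(1))] = (m.group(2), m.group(3))
    return table


def check_hosts(hosts, dhcp_output, mac_table_output):
    """For each host: the IP the router leased to its MAC (or None) and the switch port that
    learned the MAC (or None), answering the lab's 'do they match?' questions mechanically."""
    leases = {mac: ip for ip, mac in parse_dhcp_binding(dhcp_output).items()}
    table = parse_mac_table(mac_table_output)
    result = {}
    for name, printed in hosts.items():
        mac = normalize_mac(printed)
        port = table[mac][1] if mac in table else None
        result[name] = (leases.get(mac), port)
    return result
```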
Step 8: Configure basic port security.
  a. Determine the options for setting port security on Fast Ethernet interface 0/4.
CustomerSwitch#configure terminal
CustomerSwitch(config)#interface fastEthernet 0/4
CustomerSwitch(config-if)#switchport port-security ?
aging Port-security aging commands
mac-address Secure mac address
maximum Max secure addrs
violation Security Violation Mode
b.       To allow the switch port FastEthernet 0/4 to accept only one device, configure port security as follows:
CustomerSwitch(config-if)#switchport mode access
CustomerSwitch(config-if)#switchport port-security
CustomerSwitch(config-if)#switchport port-security mac-address sticky
CustomerSwitch(config-if)#end
c.        Check the port security settings.
CustomerSwitch#show port-security
Secure Port MaxSecureAddr CurrentAddr SecurityViolation Security Action
(Count) (Count) (Count)
---------------------------------------------------------------------------
Fa0/4 1 0 0 Shutdown
---------------------------------------------------------------------------
d.       What is the security action for port Fa0/4? Answer: Shutdown
e.       What is the maximum secure address count? Answer: 1
f.        Display the running configuration
NOTE: Some output omitted in following display.
CustomerSwitch#show running-config
Building configuration...
Current configuration : 1452 bytes
version 12.2
hostname CustomerSwitch
!
interface FastEthernet0/1
!
interface FastEthernet0/2
!
interface FastEthernet0/3
!
interface FastEthernet0/4
switchport mode access
switchport port-security
switchport port-security mac-address sticky
!
interface FastEthernet0/5
!
*** Output Omitted ***
mac-address-table static 000b.db04.a5cd vlan 1 interface FastEthernet0/4
!
end
g.       Are there statements that directly reflect the security implementation in the listing of the running configuration? Answer: Yes, the security commands previously entered.
Step 9: Connect a different PC to the secure switch port.
a.       Disconnect Host-B from FastEthernet 0/4 and connect Host-C to the port. Host-C has not yet been attached to the switch. Ping the switch address 192.168.1.5 to generate some traffic.
b.       Record any observations at the PC and the switch terminal session. Answer: The PC should not be able to ping, and the switch console should generate error messages indicating that the port is being shut down.
01:11:12: %PM-4-ERR_DISABLE: psecure-violation error detected on Fa0/4, putting
Fa0/4 in err-disable state
01:11:12: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, cause
d by MAC address 000c.3076.8380 on port FastEthernet0/4.
01:11:13: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/4, chang
ed state to down
01:11:14: %LINK-3-UPDOWN: Interface FastEthernet0/4, changed state to down
c.       To see the configuration information for just FastEthernet port 0/4, enter the following command at the privileged EXEC mode prompt:
CustomerSwitch#show interface fastethernet 0/4
d.       What is the state of this interface?
FastEthernet0/4 is down and line protocol is down.

Step 10: Reactivate the port.
  a. If a security violation occurs and the port is shut down, use the no shutdown command to reactivate it.
CustomerSwitch(config)#interface fastEthernet 0/4
CustomerSwitch(config-if)#no shutdown
  b. Try reactivating this port a few times by switching between the original port 0/4 host and the new one. Plug in the original host, type the no shutdown command on the interface, and ping from the command prompt. You must ping multiple times or use the ping 192.168.1.5 -n 200 command, which sets the number of ping packets to 200 instead of 4.
  c. Switch hosts and try again.
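To make the behaviour of Steps 8 through 10 concrete, here is an added example (not part of the lab) that models a port with sticky port security, maximum 1 and the default shutdown violation mode, produces console messages shaped like the ones in Step 9, and extracts the port and offending MAC from such messages for monitoring. The restrict and protect violation modes are IOS options not used in the lab and are included only for comparison; the MAC addresses are the ones printed on this page.

```python
import re

# Shape of the %PORT_SECURITY-2-PSECURE_VIOLATION message shown in Step 9 (joined onto one line)
VIOLATION_RE = re.compile(
    r"%PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, "
    r"caused by MAC address ([0-9a-f.]+) on port (\S+)\.")


class SecurePort:
    """'switchport port-security' + 'switchport port-security mac-address sticky' on one access port,
    with the default maximum of 1 secure address and the default violation mode 'shutdown'."""

    def __init__(self, name, maximum=1, violation="shutdown"):
        self.name = name                              # e.g. FastEthernet0/4
        self.short = name.replace("FastEthernet", "Fa")
        self.maximum = maximum
        self.violation = violation                    # shutdown | restrict | protect
        self.secure_macs = []                         # sticky addresses: learned, then kept like static entries
        self.errdisabled = False
        self.violation_count = 0
        self.log = []                                 # console messages, shaped like those in Step 9

    def frame_in(self, src_mac, timestamp="00:00:00"):
        """Return True if a frame with this source MAC is forwarded, False if it is dropped."""
        if self.errdisabled:
            return False
        if src_mac in self.secure_macs:
            return True
        if len(self.secure_macs) < self.maximum:
            self.secure_macs.append(src_mac)          # first host seen becomes the sticky secure address
            return True
        if self.violation == "protect":               # protect: dropped silently, nothing logged or counted
            return False
        self.violation_count += 1
        if self.violation == "shutdown":
            self.errdisabled = True
            self.log.append(f"{timestamp}: %PM-4-ERR_DISABLE: psecure-violation error detected on "
                            f"{self.short}, putting {self.short} in err-disable state")
        self.log.append(f"{timestamp}: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, "
                        f"caused by MAC address {src_mac} on port {self.name}.")
        return False

    def no_shutdown(self):
        """Step 10: 'no shutdown' clears the err-disabled state. The sticky address is kept, so the
        original host works again while any other host causes a fresh violation."""
        self.errdisabled = False

    def show_port_security(self):
        """One row of 'show port-security': port, MaxSecureAddr, CurrentAddr, SecurityViolation, action."""
        return (self.short, self.maximum, len(self.secure_macs), self.violation_count,
                self.violation.capitalize())


def parse_violations(lines):
    """Detection side: pull (port, offending MAC) pairs out of switch console or syslog lines."""
    found = []
    for line in lines:
        m = VIOLATION_RE.search(line)
        if m:
            found.append((m.group(2), m.group(1)))
    return found
```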

Step 11: Set speed and duplex options for a port.
  a. Switch port settings default to auto-duplex and auto-speed. If a computer with a 100 Mbps NIC is attached to the port, it automatically goes into full-duplex 100 Mbps mode. If a hub is attached to the switch port, it normally goes into half-duplex 10 Mbps mode.
  b. Issue the show interfaces command to see the settings for ports Fa0/1 and Fa0/5. This command generates a large amount of output. Press the Space bar until you can see all the information for these ports. What are the duplex and speed settings for these ports?
Port Fa0/2 Full-duplex, 100 Mbps
Port Fa0/4 Full-duplex, 100 Mbps
Port Fa0/5 Auto-duplex, Auto-speed
  c. It is sometimes necessary to set the speed and duplex of a port to ensure that it operates in a particular mode. You can set the speed and duplex with the duplex and speed commands while in interface configuration mode. To force Fast Ethernet port 5 to operate at half duplex and 10 Mbps, issue the following commands:
Switch>enable
Switch#configure terminal
Switch(config)#interface fastEthernet 0/5
Switch(config-if)#speed 10
Switch(config-if)#duplex half
Switch(config-if)#end
Switch#
  d. Issue the show interfaces command again. What is the duplex and speed setting for Fa0/5 now? Answer: Half-duplex, 10 Mbps
Step 12: Exit the switch.
a.       Type exit to leave the switch and return to the welcome screen:
Switch#exit
b.       Once the steps are completed, turn off all the devices. Then remove and store the cables and adapter.
Step 13: Reflection.
a.       Which password needs to be entered to switch from user mode to privileged EXEC mode on the Cisco switch, and why? Answer: The secret password of cisco123 needs to be entered. When a secret password is defined, the regular password is disabled.
b.       Which symbol is used to show a successful ping in the Cisco IOS software? Answer: The ! (exclamation mark) represents a successful ping response.
c.       What is the benefit of using port security? Answer: It controls how many and which PCs can be attached to a switch port.
d.       What other port-related security steps could be taken to further improve switch security? Answer: Unused ports could be disabled.
Lab 5.5.4 Planning a WAN Upgrade
Step 1: Identify the business requirements for the WAN upgrade
Step 2: List available WAN options for the business
Step 3: Identify the best WAN connection option for the business
Step 4: Group discussion
Recommendation
The following WAN connection is recommended to satisfy the requirements. Answer: A T1 WAN connection is recommended because it meets the minimum requirements for bandwidth and availability and has the lowest cost per month of the WAN connections that meet or exceed the minimum requirements.
Lab 5.5.5 Configuring a Remote Router Using SSH

Step 1: Configure the ISR to accept SSH connections using SDM

Step 2: (optional) configure SSH on non-SDM router

h.       Fill in the following information based on the output of the show ip ssh command:
SSH version enabled: 1.5
Authentication timeout: default is 120 seconds
Authentication retries: default is 3 tries
Step 3: Configure the SSH client and connect the PC to the ISR
Step 4: Check the configuration of the Cisco 1841 ISR
Step 5: Log out of the Cisco 1841 ISR

Step 6: Reflection
a.       When comparing Telnet and SSH, what are some advantages and disadvantages?
Answer: Telnet advantages: universally available (Windows, Linux, UNIX, Mac), no server or client configuration necessary. The biggest advantage of SSH over Telnet is that SSH is secure and Telnet is not.
b.       What is the default port for SSH? SSH: 22
What is the default port for Telnet? Telnet: 23
c.       What Cisco IOS software version was displayed in the running-config? Answer: 1841 is probably 12.4
