switch setup
Introduction
A new switch just purchased from Cisco contains no default configuration. You need to
configure the switch, either with setup mode or from scratch using the command line
interface (CLI), before connecting it to your network environment. As a Cisco certified technician, it is
very important to know the basic Cisco switch configuration commands to improve the
performance and the security of your internetwork.
Lab instructions
This lab will test your ability to configure basic settings such as hostname, motd banner, encrypted
passwords, and terminal options on a Packet Tracer 6.2 simulated Cisco Catalyst switch.
4. Configure the password for privileged mode access as "cisco". The password must be MD5
encrypted.
5. Configure password encryption on the switch using the global configuration command.
7. Configure the IP address of the switch as 192.168.1.2/24 and its default gateway IP
(192.168.1.1).
8. Test telnet connectivity from the Remote Laptop using the telnet client.
Network diagram
Solution
Configure Switch hostname as LOCAL-SWITCH
hostname LOCAL-SWITCH
Configure the password for privileged mode access as "cisco". The password must be md5
encrypted
enable secret cisco
Configure password encryption on the switch using the global configuration command
service password-encryption
Configure the IP address of the switch as 192.168.1.2/24 and its default gateway IP
(192.168.1.1).
interface Vlan1
ip address 192.168.1.2 255.255.255.0
ip default-gateway 192.168.1.1
2. PC "192.168.1.4" seems to be unable to ping other PCs in the network. Check switch
configuration.
TIP : How many broadcast domains are there in this network ?
4. Configure those two links as trunk lines without using trunk negotiation between switches
Network diagram
[Figure: Packet Tracer 5.3 - Switch interfaces configuration lab network diagram]
Solution
Connect to Switch0 using console interface and configure each Switch0 fastethernet
switchport for operation.
Switch(config)#interface FastEthernet0/1
PC "192.168.1.4" seems to be unable to ping other PCs in the network. Check switch
configuration.
Switch(config)#interface FastEthernet0/4
Switch(config-if)#switchport mode access
Switch(config-if)#switchport access vlan 1
[Figure: Packet Tracer 5.3 - Switch interfaces configuration lab solution]
Configure those two links as trunk lines without using trunk negotiation between switches
On every interface that has to be configured for trunk operation, configure the following settings:
Switch(config)#interface GigabitEthernet1/X
Switch(config-if)#switchport mode trunk
Verify the interface operational mode using the "show interface GigabitEthernet1/X switchport"
command:
Name: Gig1/2
Switchport: Enabled
Administrative Mode: trunk
Operational Mode: trunk
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: dot1q
Negotiation of Trunking: On
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)
Voice VLAN: none
Port        Mode         Encapsulation  Status        Native vlan
Gig1/2      on           802.1q         trunking      1
Port
Gig1/2
Port
Gig1/2
4. Configure VLAN 10 with name "STUDENTS" and VLAN 50 with name "SERVERS"
Network diagram
Solution
Configure the VTP-SERVER switch as a VTP server
VTP-SERVER(config)#vtp mode server
Verify the VTP configuration using the "show vtp status" command:
VTP-SERVER#show vtp status
VTP Version : 2
Configuration Revision : 4
:7
: Server
: TESTDOMAIN
: Disabled
: Disabled
: Disabled
: 0xAE 0x4F 0x3F 0xC5 0xD3 0x41 0x9C 0x11
:2
Configuration Revision : 4
:7
: Client
: TESTDOMAIN
: Disabled
: Disabled
: Disabled
: 0xAE 0x4F 0x3F 0xC5 0xD3 0x41 0x9C 0x11
interface GigabitEthernet1/2
switchport mode trunk
Configure VLAN 10 with name "STUDENTS" and VLAN 50 with name "SERVERS"
On the VTP server switch, enter the following commands:
VTP-SERVER(config)#vlan 10
VTP-SERVER(config-vlan)#name STUDENTS
VTP-SERVER(config)#vlan 50
VTP-SERVER(config-vlan)#name SERVERS
VLAN Name                   Status    Ports
1    default                active
10   STUDENTS               active
50   SERVERS                active
1002 fddi-default           active
1003 token-ring-default     active
1004 fddinet-default        active
1005 trnet-default          active
Lab instructions
This lab will test your ability to configure port security on Cisco™ 2960 switch interfaces.
1. Configure port security on interface Fa 0/1 of the switch with the following settings :
- Port security enabled
- Mode : restrict
- Allowed mac addresses : 3
- Dynamic mac address learning.
2. Configure port security on interface Fa 0/2 of the switch with the following settings :
- Port security enabled
- Mode : shutdown
- Allowed mac addresses : 3
- Dynamic mac address learning.
3. Configure port security on interface Fa 0/3 of the switch with the following settings :
- Port security enabled
- Mode : protect
- Static mac address entry : 00E0.A3CE.3236
4. From LAPTOP 1 :
Try to ping 192.168.1.2 and 192.168.1.3. It should work.
Try to ping 192.168.1.4 and 192.168.1.5. It should work.
Network diagram
Solution
Coming soon
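The port-security settings listed in the lab instructions map to the following interface configuration. This is an added example, not the lab author's solution; the interface names, limits and MAC address are taken from the instructions above, and the commented show commands are the usual way to check the result.

```cisco
! Added example (not from the original lab). Values come from the lab instructions.
!
! A port must be a static access (or trunk) port before port security can be
! enabled; on a port left in dynamic mode the switch rejects the command.
interface FastEthernet0/1
 switchport mode access
 switchport port-security
 switchport port-security maximum 3
 switchport port-security violation restrict
!
interface FastEthernet0/2
 switchport mode access
 switchport port-security
 switchport port-security maximum 3
 switchport port-security violation shutdown
!
! Fa0/3 uses one statically configured secure address. The default maximum is 1,
! so only 00E0.A3CE.3236 is accepted on this port.
interface FastEthernet0/3
 switchport mode access
 switchport port-security
 switchport port-security mac-address 00E0.A3CE.3236
 switchport port-security violation protect
!
! Dynamic learning is the default: no "mac-address sticky" line is needed, and
! dynamically learned addresses are not written to the configuration.
!
! Violation modes:
!   protect  - frames from unknown sources are dropped, no log, no counter
!   restrict - frames are dropped, the violation counter increments, a log is sent
!   shutdown - the port goes err-disabled (default mode); recover it with
!              "shutdown" followed by "no shutdown" on the interface
!
! Verification from privileged EXEC mode:
!   show port-security
!   show port-security interface FastEthernet0/1
!   show port-security address
```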
Network diagram
[Figure: Packet Tracer 6.2 basic router setup lab topology]
Solution
1. Configure the laptop terminal software
The terminal software is not correctly configured on the laptop. You have to change the settings to
9600 / 8 / None / 1 to connect to the router's console. Remember this tip, as it could help you answer
CCENT questions or complete a CCENT simlet.
1. Use the connected laptops to find the DCE and DTE routers. You can connect to the routers
using CLI.
2. Configure the routers with the following parameters :
- Clock : 250000
- HDLC link between the routers
- DCE IP : 192.168.10.5/30
- DTE IP : 192.168.10.6/30
3. Check IP connectivity between the two routers using the ping command.
Network diagram
[Figure: Packet Tracer 5.3 - HDLC configuration lab network diagram]
This lab will test your ability to configure PPP on a serial link. Practicing this lab will help you get
ready for your CCNA certification exam.
1. Use the connected laptops to find the DCE and DTE routers. You can connect to the routers
using CLI.
2. Configure the routers with the following parameters :
- Clock : 250000
- PPP link between the routers
- DCE IP : 192.168.10.5/30
- DTE IP : 192.168.10.6/30
3. Check IP connectivity between the two routers using the ping command.
Network diagram
[Figure: Packet Tracer 5.3 - PPP configuration lab network diagram]
Lab instructions
SSL VPN technology can be configured in three ways:
Clientless SSL VPN is a technology allowing limited but secure access to internal network
resources from any location using a web browser. No specific VPN client is needed; a remote user
only needs an SSL-enabled web browser to access http- or https-enabled web servers on the
internal network. This technology is available on the ASA 5505 firewall and has been implemented in
the Packet Tracer 6.1 network simulator.
Outside IP : 192.168.1.1/24
Inside IP : 192.168.2.1/24
User login : test
User password : test.test
Website IP : site 1
Solution
1. Create the bookmark site1 to the URL http://192.168.2.3 on the ASA 5505 firewall
2. Apply the following configuration to the firewall :
interface Vlan1
nameif inside
security-level 100
ip address 192.168.2.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 192.168.1.1 255.255.255.0
!
webvpn
enable outside
[Figure: Packet Tracer 6.1 lab 17 - ASA 5505 site to site IPSEC VPN network diagram]
Lab download
Difficulty : Medium
Price : Free
Lab instructions
This lab will show you how to configure site-to-site IPSEC VPN using the new Packet Tracer 6.1
ASA 5505 firewall. By default, the ASA 5505 firewall denies the traffic entering the outside interface
if no explicit ACL has been defined to allow the traffic. This default behaviour helps protect the
enterprise network from the internet during the VPN configuration.
In this lab, a small branch office will be securely connected to the enterprise campus over the
internet using a broadband DSL connection. No routing protocol traffic is needed between the two
sites.
Solution
ASA configuration
Campus network - ASA 5505 IPSEC VPN headend device configuration:
interface Vlan1
nameif inside
security-level 100
ip address 172.16.254.254 255.255.255.252
!
interface Vlan2
nameif outside
security-level 0
ip address 134.95.56.17 255.255.255.240
!
object network BRANCH01_NETWORK
subnet 172.16.129.0 255.255.255.0
object network BRANCH_NETWORK
subnet 172.16.128.0 255.255.128.0
object network CAMPUS_NETWORK
subnet 172.16.0.0 255.255.128.0
object network PRIVATE_NETWORK
subnet 176.16.0.0 255.255.0.0
!
route outside 172.16.129.0 255.255.255.0 134.95.56.18 1
route inside 172.16.0.0 255.255.128.0 172.16.254.253 1
!
Use show crypto isakmp sa to show the Internet Security Association and Key Management Protocol
(ISAKMP) security associations (SAs) built between the two firewalls, and show crypto ipsec sa to
check IPSEC security associations and monitor encrypted traffic statistics.
ASA-CAMPUS-VPN#show crypto isakmp sa
IKEv1 SAs:
Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
: L2L
Rekey : no
Role : Initiator
State : QM_IDLE
interface: outside
Crypto map tag: BRANCH1, seq num: 1, local addr 134.95.56.17
IV size: 16 bytes
replay detection support: N
Anti replay bitmap:
0x00000000 0x00000001
Lab instructions
Coming soon
If you try to configure a third VLAN to host your DMZ, the ASA device will return the following error
because of the limited licence:
ERROR: This license does not allow configuring more than 2 interfaces with nameif and without a
"no forward" command on this interface or on 1 interface(s) with nameif already configured.
Explanation :
You have to limit communications between two VLAN interfaces to make the creation of the third VLAN
interface possible. This can be done, for example, using the command no forward interface vlan 1
on the "interface vlan 3" to deny communications between the inside network and the DMZ.
The "security plus" licence bundle, which removes this limitation, is not available in the Packet Tracer 6.1.1
simulator.
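The workaround described above, written out as ASA 5505 configuration. This is an added example, not the lab's solution; the interface name "dmz", security level 50, address 192.168.3.1/24 and port Ethernet0/2 are constructed values.

```cisco
! Added example (not from the original lab). The name, security level, IP address
! and physical port below are constructed for illustration.
!
! On the limited licence, "no forward interface" has to be entered BEFORE
! "nameif" on the third VLAN interface. Entering nameif first triggers the
! licence ERROR quoted above.
interface Vlan3
 no forward interface Vlan1
 nameif dmz
 security-level 50
 ip address 192.168.3.1 255.255.255.0
!
! Assign a physical switch port of the ASA 5505 to the new VLAN.
interface Ethernet0/2
 switchport access vlan 3
!
! Effect of the restriction: hosts on Vlan3 (dmz) cannot initiate connections
! to Vlan1 (inside). The restriction is configured on Vlan3 only, so Vlan1 and
! Vlan2 keep their existing behaviour.
!
! Verification on an ASA 5505:
!   show switch vlan
!   show interface ip brief
```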
Lab Solution
Coming soon