hostname LOCAL-SWITCH
service password-encryption
line con 0
password ciscoconsole
logging synchronous
login
history size 15
exec-timeout 6 45
line vty 0 15
exec-timeout 8 20
password ciscotelnet
logging synchronous
login
history size 15
Configure the IP address of the switch as 192.168.1.2/24 and its
default gateway IP (192.168.1.1).
interface Vlan1
ip address 192.168.1.2 255.255.255.0
no shutdown
exit
ip default-gateway 192.168.1.1
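The line configuration above still relies on Telnet and on line passwords protected only by service password-encryption, which is the reversible type 7 encoding. As an added example, not part of the original lab, here is the same management plane with SSH, local accounts stored as hashed secrets, and the console and VTY lines pointed at them. The domain name, the user name, the secrets and the management subnet used for the access-class are assumptions for the example.

```cisco
! Added example: hardened management plane for the switch above.
! Assumptions: domain name example.lab, admin user "netadmin",
! management network 192.168.1.0/24; secrets are placeholders.
hostname LOCAL-SWITCH
ip domain-name example.lab
!
! "secret" stores a salted hash (MD5 type 5 by default, scrypt type 9 with
! the algorithm-type keyword on recent IOS), not the reversible type 7
! encoding that service password-encryption applies to "password" lines.
enable secret StrongEnablePassphrase
username netadmin privilege 15 secret StrongAdminPassphrase
!
! RSA key pair for SSH; 2048 bits is the minimum worth generating.
crypto key generate rsa modulus 2048
ip ssh version 2
!
! Only the management subnet may open a session to the VTY lines.
ip access-list standard MGMT-ACCESS
 permit 192.168.1.0 0.0.0.255
 deny   any log
!
line con 0
 login local
 logging synchronous
 history size 15
 exec-timeout 6 45
line vty 0 15
 login local
 transport input ssh
 access-class MGMT-ACCESS in
 logging synchronous
 history size 15
 exec-timeout 8 20
```

Check the result with "show ip ssh" (version 2 enabled, key present) and "show running-config | include password|secret": no clear-text or type 7 password should remain, and a Telnet attempt from the laptop must now be refused by the VTY lines.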
Lab instructions
This lab will test your ability to configure speed, duplex, and VLAN settings on
Cisco switch interfaces.
4. Configure those two links as trunk lines without using trunk negotiation
between switches
Network diagram
Solution
Connect to Switch0 through the console interface and configure each Switch0
FastEthernet switchport for operation.
Switch(config)#interface FastEthernet0/1
Switch(config)#interface FastEthernet0/2
Switch(config)#interface FastEthernet0/3
switchport mode access
duplex full
speed 100
Switch(config)#interface FastEthernet0/4
On every interface that has to be configured for trunk operation, configure the
following settings. The lab asks for trunks without negotiation, so DTP has to be
disabled explicitly with switchport nonegotiate:
Switch(config)#interface GigabitEthernet1/X
Switch(config-if)#switchport mode trunk
Switch(config-if)#switchport nonegotiate
Verify with "show interfaces GigabitEthernet1/2 switchport". The output captured
below still reports Negotiation of Trunking: On, which means DTP frames are still
sent on the trunk and switchport nonegotiate is missing; once it is applied the
field reads Off.
Name: Gig1/2
Switchport: Enabled
Administrative Mode: trunk
Negotiation of Trunking: On
Lab instructions
The aim of this lab is to check your ability to configure VTP and VLANs on a small
network of four switches. This lab will help you prepare for the ICND1 exam.
Network diagram
Solution
Configure the VTP-SERVER switch as a VTP server.
Verify the VTP configuration using the "show vtp status" command.
interface GigabitEthernet1/1
switchport mode trunk
interface GigabitEthernet1/2
switchport mode trunk
VTP-SERVER(config-vlan)#name STUDENTS
VTP-SERVER(config)#vlan 50
VTP-SERVER(config-vlan)#name SERVERS
Use "show vlan brief" on each switch to check the propagation of the two VLANs.
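The solution above omits the VTP server commands and says nothing about the domain name or password, which is the part that matters for security: a VTP domain without a password accepts VLAN database updates from any switch in the domain, and a switch carrying a higher configuration revision number will overwrite the server's VLAN list as soon as its trunk comes up. The following is an added example, not the page's solution; the domain name PTLAB, the password, and VLAN 10 for STUDENTS (the VLAN number is missing from the page) are assumptions, VLAN 50 for SERVERS comes from the lab.

```cisco
! Added example (not the page's solution). Assumptions: VTP domain PTLAB,
! a VTP password, VLAN 10 for STUDENTS; VLAN 50 SERVERS is from the lab.
!
! --- VTP-SERVER ---
vtp domain PTLAB
vtp password VtpSharedSecret
vtp mode server
vtp version 2
vlan 10
 name STUDENTS
vlan 50
 name SERVERS
!
! --- each of the three client switches ---
! Reset the configuration revision first: a switch previously used in
! another lab can carry a higher revision than the server and would wipe
! the server's VLANs. Switching to transparent mode (or changing the
! domain name) zeroes the revision counter.
vtp mode transparent
vtp domain PTLAB
vtp password VtpSharedSecret
vtp mode client
vtp version 2
!
! The trunks carry the VTP advertisements; DTP is not needed.
interface range GigabitEthernet1/1 - 2
 switchport mode trunk
 switchport nonegotiate
```

Before cabling a client into the domain, run "show vtp status" on it and compare the Configuration Revision with the server's; it must be lower. After the trunks come up, "show vtp status" on every switch should show the same domain and revision, and "show vlan brief" should list VLANs 10 and 50 on the clients without any vlan commands having been typed there.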
Introduction
A growing challenge for network administrators is controlling who is allowed,
and who is not, to access the organization's internal network. This access
control is mandatory for protecting the critical infrastructure in your network,
as opposed to the public parts of the network where guest users are expected to
be able to connect.
Port security is a Cisco feature implemented in Catalyst switches that helps
network engineers enforce security at the network edge. In its most basic form,
port security learns the MAC address of the device connected to an edge port and
allows only that MAC address to be active on that port. If any other MAC address
is detected on the port, port security shuts the port down (err-disabled). The
switch can also be configured to send an SNMP trap to a network monitoring
system to alert that the port was disabled for security reasons.
Lab instructions
This lab will test your ability to configure port security on Cisco 2960 switch
interfaces.
1. Configure port security on interface Fa 0/1 of the switch with the following
settings :
- Mode : restrict
2. Configure port security on interface Fa 0/2 of the switch with the following
settings :
- Mode : shutdown
3. Configure port security on interface Fa 0/3 of the switch with the following
settings :
- Mode : protect
4. From LAPTOP 1 :
Solution
Coming soon
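The page's own solution is not available, so the following is an added example of the three violation modes the lab asks for, not the original solution. It assumes the three ports are access ports in VLAN 10, learns the first MAC address as a sticky entry so it survives a reload, and adds the SNMP trap mentioned in the introduction; the NMS address and community string are assumptions.

```cisco
! Added example for the lab above (not the page's solution).
! Assumptions: access VLAN 10, NMS at 192.168.1.100, SNMP community
! TrapCommunity.
!
! Fa0/1: restrict. Frames from other MACs are dropped, the violation
! counter increments and a syslog message / SNMP trap is generated.
interface FastEthernet0/1
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address sticky
 switchport port-security violation restrict
!
! Fa0/2: shutdown (the default). The port goes err-disabled on a violation
! and stays down until an administrator bounces it or recovery fires.
interface FastEthernet0/2
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address sticky
 switchport port-security violation shutdown
!
! Fa0/3: protect. Frames from other MACs are dropped silently: no counter,
! no notification. Hardest to detect, so least useful for monitoring.
interface FastEthernet0/3
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address sticky
 switchport port-security violation protect
!
! Recover shutdown-mode ports automatically after 5 minutes and send the
! port-security trap to the monitoring system.
errdisable recovery cause psecure-violation
errdisable recovery interval 300
snmp-server enable traps port-security
snmp-server host 192.168.1.100 version 2c TrapCommunity port-security
```

To see the difference between the modes, plug a second device into each port and compare "show port-security interface FastEthernet0/1" with the same command for Fa0/2 and Fa0/3: restrict keeps Port Status Secure-up while Security Violation Count increases, shutdown shows Secure-shutdown (and "show interfaces status err-disabled" lists the port), and protect shows Secure-up with the counter unchanged. "show port-security address" lists the sticky entries that were learned.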
Trademark notice : This web site and/or material is not affiliated with, endorsed by, or
sponsored by Cisco Systems, Inc. Cisco, Cisco Systems, Cisco IOS, CCNA, CCNP,
Networking Academy, Linksys are registered trademarks of Cisco Systems, Inc. or its
affiliates in the U.S. o
Lab instructions
This lab will test your ability to configure HDLC on a serial link. Practicing these
labs will help you get ready for your CCNA certification exam.
1. Use the connected laptops to find the DCE and DTE routers. You can connect
to the routers using the CLI.
2. Configure the routers with the following parameters :
- Clock : 250000
- HDLC link between the routers
- DCE IP : 192.168.10.5/30
- DTE IP : 192.168.10.6/30
3. Check IP connectivity between the two routers using the ping command.
Network diagram
Lab instructions
This lab will test your ability to configure PPP on a serial link. Practicing these
labs will help you get ready for your CCNA certification exam.
1. Use the connected laptops to find the DCE and DTE routers. You can connect
to the routers using the CLI.
2. Configure the routers with the following parameters :
- Clock : 250000
- PPP link between the routers
- DCE IP : 192.168.10.5/30
- DTE IP : 192.168.10.6/30
3. Check IP connectivity between the two routers using the ping command.
Network diagram
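Neither serial lab above comes with a solution, so here is an added example that covers both, not the page's own configuration. It assumes the link is Serial0/0/0 on both routers, that the routers are named DCE-R and DTE-R, and it adds CHAP to the PPP lab because Cisco HDLC has no authentication at all while PPP does; the CHAP secret is a placeholder.

```cisco
! Added example for the HDLC and PPP labs (not the page's solution).
! Assumptions: Serial0/0/0 on both ends, hostnames DCE-R / DTE-R,
! CHAP secret is a placeholder.
!
! Find which router holds the DCE end of the cable; only that end
! accepts "clock rate":
!   show controllers serial 0/0/0   -> "DCE V.35, clock rate 250000"
!                                      or "DTE V.35 TX and RX clocks detected"
!
! --- DCE-R (HDLC is the IOS default encapsulation on serial links) ---
hostname DCE-R
interface Serial0/0/0
 encapsulation hdlc
 clock rate 250000
 ip address 192.168.10.5 255.255.255.252
 no shutdown
!
! --- DTE-R ---
hostname DTE-R
interface Serial0/0/0
 encapsulation hdlc
 ip address 192.168.10.6 255.255.255.252
 no shutdown
!
! PPP lab: change the encapsulation on both ends and authenticate the peer.
! CHAP never sends the secret on the wire (challenge / MD5 response), and
! each router needs a username entry for the PEER's hostname with the
! same secret.
! --- DCE-R ---
username DTE-R password ChapSharedSecret
interface Serial0/0/0
 encapsulation ppp
 ppp authentication chap
! --- DTE-R ---
username DCE-R password ChapSharedSecret
interface Serial0/0/0
 encapsulation ppp
 ppp authentication chap
```

After step 2, "ping 192.168.10.6" from DCE-R must succeed. With PPP, "show interfaces serial 0/0/0" should report LCP Open and IPCP open; if it shows LCP Closed, "debug ppp authentication" will show the CHAP failure, and the usual cause is a username entry that does not match the peer's hostname or a different secret on each side.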
Packet Tracer lab 16 : Clientless SSL VPN
Network diagram
Lab instructions
SSL VPN technology can be configured in three ways :
Outside IP : 192.168.1.1/24
Inside IP : 192.168.2.1/24
User login : test
User password : test.test
Website IP : site 1
Solution
1. Create the bookmark site1 to the URL http://192.168.2.3 on the ASA 5505
firewall
interface Vlan1
nameif inside
security-level 100
ip address 192.168.2.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 192.168.1.1 255.255.255.0
!
webvpn
enable outside
object network LAN
subnet 192.168.2.0 255.255.255.0
!
object network LAN
nat (inside,outside) dynamic interface
!
group-policy group1 internal
group-policy group1 attributes
vpn-tunnel-protocol ssl-clientless
webvpn
url-list value site1
username test password D35rLrqYJOMRHDCX encrypted
username test attributes
vpn-group-policy group1
!
!
Packet Tracer lab 17 - Site to site IPSEC VPN with ASA 5505
Network diagram
Lab download : Lab 17 - Site to site IPSEC VPN with ASA 5505 (Difficulty : Medium, Price : Free)
Lab instructions
This lab will show you how to configure a site-to-site IPSEC VPN using the new
Packet Tracer 6.1 ASA 5505 firewall. By default, the ASA 5505 firewall denies
traffic entering the outside interface if no explicit ACL has been defined to allow
it. This default behaviour helps protect the enterprise network from the
internet during the VPN configuration.
In this lab, a small branch office will be securely connected to the enterprise
campus over the internet using a broadband DSL connection. No routing
protocol traffic is needed between the two sites.
Solution
ASA configuration
Campus network - ASA 5505 IPSEC VPN headend device configuration.
interface Vlan1
nameif inside
security-level 100
ip address 172.16.254.254 255.255.255.252
!
interface Vlan2
nameif outside
security-level 0
ip address 134.95.56.17 255.255.255.240
!
object network BRANCH01_NETWORK
subnet 172.16.129.0 255.255.255.0
object network BRANCH_NETWORK
subnet 172.16.128.0 255.255.128.0
object network CAMPUS_NETWORK
subnet 172.16.0.0 255.255.128.0
object network PRIVATE_NETWORK
subnet 172.16.0.0 255.255.0.0
!
route outside 172.16.129.0 255.255.255.0 134.95.56.18 1
route inside 172.16.0.0 255.255.128.0 172.16.254.253 1
!
access-list BRANCH01_TRAFFIC extended permit tcp object CAMPUS_NETWORK object
BRANCH01_NETWORK
access-list BRANCH01_TRAFFIC extended permit icmp object CAMPUS_NETWORK object
BRANCH01_NETWORK
access-list ENTERPRISE_PRIVATE-TRAFFIC extended permit tcp object PRIVATE_NETWORK
object PRIVATE_NETWORK
access-list ENTERPRISE_PRIVATE-TRAFFIC extended permit icmp object BRANCH_NETWORK
object CAMPUS_NETWORK
!
!
access-group ENTERPRISE_PRIVATE-TRAFFIC out interface inside
!
crypto ipsec ikev1 transform-set L2L esp-aes 256 esp-sha-hmac
!
crypto map BRANCH1 1 match address BRANCH01_TRAFFIC
crypto map BRANCH1 1 set peer 134.95.56.18
crypto map BRANCH1 1 set security-association lifetime seconds 86400
crypto map BRANCH1 1 set ikev1 transform-set L2L
crypto map BRANCH1 interface outside
crypto ikev1 enable outside
crypto ikev1 policy 1
encr aes
authentication pre-share
group 2
!
tunnel-group 134.95.56.18 type ipsec-l2l
tunnel-group 134.95.56.18 ipsec-attributes
ikev1 pre-shared-key SHAREDSECRET
!
Branch office - ASA 5505 IPSEC VPN configuration.
interface Vlan1
nameif inside
security-level 100
ip address 172.16.129.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 134.95.56.18 255.255.255.240
!
object network BRANCH01_NETWORK
subnet 172.16.129.0 255.255.255.0
object network BRANCH_NETWORK
subnet 172.16.128.0 255.255.128.0
object network CAMPUS_NETWORK
subnet 172.16.0.0 255.255.128.0
object network PRIVATE_NETWORK
subnet 172.16.0.0 255.255.0.0
!
route outside 172.16.0.0 255.255.128.0 134.95.56.17 1
!
access-list PRIVATE_TRAFFIC extended permit tcp object BRANCH01_NETWORK object
CAMPUS_NETWORK
access-list PRIVATE_TRAFFIC extended permit icmp object BRANCH01_NETWORK object
CAMPUS_NETWORK
access-list ENTERPRISE_PRIVATE-TRAFFIC extended permit tcp object PRIVATE_NETWORK
object PRIVATE_NETWORK
access-list ENTERPRISE_PRIVATE-TRAFFIC extended permit icmp object CAMPUS_NETWORK
object BRANCH_NETWORK
!
!
access-group ENTERPRISE_PRIVATE-TRAFFIC out interface inside
!
!
crypto ipsec ikev1 transform-set L2L esp-aes 256 esp-sha-hmac
!
crypto map BRANCH1 1 match address PRIVATE_TRAFFIC
crypto map BRANCH1 1 set peer 134.95.56.17
crypto map BRANCH1 1 set security-association lifetime seconds 86400
crypto map BRANCH1 1 set ikev1 transform-set L2L
crypto map BRANCH1 interface outside
crypto ikev1 enable outside
crypto ikev1 policy 1
encr aes
authentication pre-share
group 2
!
tunnel-group 134.95.56.17 type ipsec-l2l
tunnel-group 134.95.56.17 ipsec-attributes
ikev1 pre-shared-key SHAREDSECRET
!
Verification on the campus ASA (excerpt of "show crypto ikev1 sa" and "show crypto ipsec sa"):
IKEv1 SAs:
Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
interface: outside
current_peer 134.95.56.18
path mtu 1500, ip mtu, ipsec overhead 78, media mtu 1500
current outbound spi: 0x6386132D(1669731117)
inbound esp sas: spi: 0x04B729EA(79112682), IV size: 16 bytes
outbound esp sas: spi: 0x6386132D(1669731117), IV size: 16 bytes
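The tunnel above comes up, but a few settings are weaker than what a practitioner would deploy: the IKEv1 policy uses 128-bit AES with Diffie-Hellman group 2 (1024-bit MODP), the crypto ACLs match only tcp and icmp, so any UDP between the two sites (DNS, NTP, syslog) leaves the outside interface in clear text, and the pre-shared key is a placeholder. The following is an added example of the campus-side changes, not the page's solution; the branch side mirrors it with source and destination swapped. It assumes an ASA image that accepts DH group 14 in an IKEv1 policy (current ASA software does; Packet Tracer may not) and the key shown is a placeholder to be replaced.

```cisco
! Added example: hardened campus-side settings for the tunnel above
! (not the page's solution; the branch mirrors it). Assumptions: the
! image supports DH group 14 for IKEv1 and PFS; the key is a placeholder.
!
! Crypto ACL: encrypt ALL IP between the two networks. Remove the tcp and
! icmp lines of the page first, otherwise they remain as extra entries.
! Which protocols are allowed to cross stays the job of the interface ACL
! ENTERPRISE_PRIVATE-TRAFFIC; the crypto ACL only decides what is encrypted
! and must be a superset of it.
access-list BRANCH01_TRAFFIC extended permit ip object CAMPUS_NETWORK object BRANCH01_NETWORK
!
! Phase 1: AES-256, SHA, 2048-bit DH, 8-hour lifetime.
crypto ikev1 policy 1
 encr aes-256
 hash sha
 authentication pre-share
 group 14
 lifetime 28800
!
! Phase 2: AES-256/SHA, PFS so a recovered phase-1 key does not expose
! every child SA, and a 1-hour SA lifetime instead of 24 hours.
crypto ipsec ikev1 transform-set L2L esp-aes-256 esp-sha-hmac
crypto map BRANCH1 1 set pfs group14
crypto map BRANCH1 1 set security-association lifetime seconds 3600
!
! Long random pre-shared key, unique per peer; never reuse "SHAREDSECRET".
tunnel-group 134.95.56.18 ipsec-attributes
 ikev1 pre-shared-key REPLACE-WITH-32-PLUS-RANDOM-CHARACTERS
```

Both ends must agree on every phase 1 and phase 2 parameter, so apply the mirrored change on the branch ASA before testing. Then clear the old SAs with "clear crypto ikev1 sa" and "clear crypto ipsec sa", ping across, and confirm in "show crypto ipsec sa" that the #pkts encaps and #pkts decaps counters increase for the ip-wide proxy identity; a UDP test (for example a DNS query from the branch to a campus server, if the interface ACL permits it) should now increment them as well.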
Lab instructions
Configure the ASA firewall to allow HTTP traffic from the laptop (inside network)
to the HTTP server located on the other side of the firewall. The traffic will be
deeply inspected by the firewall to make sure it contains real HTTP rather than
rogue traffic on port 80.
All communication from the outside to the inside network has to remain
denied. Only the stateful sessions established from the inside network have to
be allowed through the firewall.
The default interface and VLAN configuration is provided below. The default VLAN
security levels have been added manually in the picture.
Lab Solution
The default ASA 5505 firewall behavior is to allow traffic to flow from interfaces
with higher security levels ("inside" interfaces) to interfaces with lower security
levels ("outside" interfaces), but to deny traffic in the other direction. Access-lists
must be configured to allow traffic from lower security levels to higher
security levels. Enable HTTP inspection on the class that matches the default
inspection ports (tcp/80 for HTTP) and apply the policy on the inside interface,
where the laptop's sessions enter the firewall:
class-map HTTP
match default-inspection-traffic
policy-map TestPolicy
class HTTP
inspect http
service-policy TestPolicy interface inside
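The lab wants the firewall to reject traffic on port 80 that is not real HTTP. Plain "inspect http" checks protocol conformance, but what it does on a violation depends on the inspection policy map; the following added example, not the page's solution, narrows the class to HTTP towards the lab's server and makes protocol violations drop the connection and log it. The server address 192.168.1.50 is an assumption, and the inspection policy map syntax is that of a real ASA, which Packet Tracer may not implement.

```cisco
! Added example (not the page's solution). Assumptions: HTTP server at
! 192.168.1.50 on the outside; laptop behind "inside".
!
! Match only what should be inspected: TCP/80 from inside to that server.
access-list HTTP_TO_SERVER extended permit tcp any host 192.168.1.50 eq www
class-map HTTP_SERVER
 match access-list HTTP_TO_SERVER
!
! HTTP inspection policy map: anything on port 80 that is not well-formed
! HTTP tears down the connection and produces a syslog message.
policy-map type inspect http HTTP_STRICT
 parameters
  protocol-violation action drop-connection log
!
policy-map TestPolicy
 class HTTP_SERVER
  inspect http HTTP_STRICT
!
service-policy TestPolicy interface inside
```

No ACL is needed on the outside interface: the return packets of sessions opened from inside are matched by the connection table, while unsolicited connections from outside are still dropped by the security-level rule. "show service-policy interface inside inspect http" shows packet and drop counters for the inspection, and "show conn" lists the laptop's open sessions while a page is being fetched; a raw TCP client sending non-HTTP bytes to port 80 on the server should show up as a drop in the first command.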
CBAC tutorial
Cisco's Context-Based Access Control (CBAC) is a stateful inspection feature
similar to reflexive ACLs, available in ISR routers. It has been implemented in
Packet Tracer since version 5.3.
Lab Topology
Lab instructions
Coming soon
Lab Solution
Step 1 : Activate the security license on the ISR 2911 routers
Router>enable
Router#configure terminal
Router(config)#license boot module c2900 technology-package securityk9
(The end user license agreement is displayed; accept it to continue. The feature
runs under a 60-day evaluation unless a license is purchased from Cisco.)
% use 'write' command to make license boot config take effect on next boot
%IOS_LICENSE_IMAGE_APPLICATION-6-LICENSE_LEVEL: Module name = C2900 Next
reboot level = securityk9 and License = securityk9
Router(config)#exit
Router#write
Building configuration...
[OK]
Router#reload
After the reload, "show license feature" lists ipbasek9 as enabled alongside the
securityk9 package. The remaining steps of the solution survive only as fragments:
a DHCP pool with default-router 192.168.1.1 on GigabitEthernet0/0, an extended
named ACL, and the "show ip inspect config" output (tcp reassembly queue length 16;
timeout 5 sec; memory-limit 1024 kilo bytes; dns-timeout is 5 sec; Interface
Configuration: Interface GigabitEthernet0/2).
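Since the page's CBAC steps are fragmentary, here is an added example of a complete CBAC setup on the router, not the page's solution. It assumes, from the fragments above, that GigabitEthernet0/0 is the inside LAN at 192.168.1.0/24 and GigabitEthernet0/2 is the outside link; the inspection name FW and the outside addressing are assumptions, and the securityk9 package from Step 1 is required.

```cisco
! Added example CBAC configuration (not the page's solution).
! Assumptions: Gi0/0 inside 192.168.1.0/24, Gi0/2 outside, inspection
! name FW; securityk9 enabled as in Step 1.
!
! Inspection rules: sessions leaving through the outside interface are
! tracked and their return traffic is admitted by dynamic ACL entries.
ip inspect name FW tcp
ip inspect name FW udp
ip inspect name FW icmp
ip inspect name FW http
ip inspect name FW dns
!
! Idle timers so abandoned sessions do not keep state (and a hole) open.
ip inspect tcp idle-time 3600
ip inspect udp idle-time 30
ip inspect dns-timeout 5
ip inspect audit-trail
!
! Inbound ACL on the outside interface: deny everything. CBAC inserts
! temporary permit entries ahead of this ACL for inspected sessions only.
! Anti-spoofing entries first: nothing from outside may claim an inside
! or loopback source address.
ip access-list extended OUTSIDE-IN
 deny   ip 192.168.1.0 0.0.0.255 any log
 deny   ip 127.0.0.0 0.255.255.255 any log
 deny   ip any any log
!
interface GigabitEthernet0/0
 description INSIDE
 ip address 192.168.1.1 255.255.255.0
 no shutdown
!
interface GigabitEthernet0/2
 description OUTSIDE
 ! ip address as assigned in the lab (not given on the page)
 ip access-group OUTSIDE-IN in
 ip inspect FW out
 no shutdown
```

Open a web page from an inside host and run "show ip inspect sessions": the TCP session to the server appears, and its reply packets pass although OUTSIDE-IN denies everything. A connection initiated from outside never creates a session and shows up only as a hit on the final deny entry in "show access-lists OUTSIDE-IN". On current IOS, CBAC is the legacy mechanism; the zone-based firewall provides the same stateful behaviour with per-zone policies.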