3. Basic Device Configuration (Lab 1)
CLI Configuration Modes
The basic CLI modes referred to below are as follows:
Router> <– User EXEC mode
Router# <– Privileged EXEC mode
Router(config)# <– Global Configuration Mode
Router(config-if)# <– Interface Configuration Mode
Router(config-line)# <– Line Configuration Mode
6. How to change Hostname
Press Enter to start, then type enable to get to privileged EXEC mode.
Switch> enable
Type configure terminal to enter global configuration mode.
Switch# configure terminal
Change the hostname by typing hostname followed by the new name.
Switch(config)# hostname SW
SW(config)# exit
SW# show running-config
7. Console and vty password
The console password is used for authentication
when accessing the device's Command Line Interface
(CLI) through the console port.
The console password is used to secure physical
access to the device.
It restricts unauthorized users from accessing and
configuring the device through the console port.
8. Console and vty password
The VTY password is used for authentication when accessing the device's
CLI remotely through a virtual terminal (VTY) connection.
VTY connections are established over the network
using protocols such as Telnet or SSH.
The VTY password is used to authenticate remote
users who are trying to access the device's CLI.
9. Configuring Console Password
Enter global configuration mode
S1(config)# line console 0
S1(config-line)# password cisco
S1(config-line)# login
S1(config-line)# exit
S1(config)# exit
S1# show running-config
10. Configuring the Enable Password
Enter global configuration mode
S1(config)# enable password cisco1
Or, preferably, since the secret is stored as a hash rather than in plaintext:
S1(config)# enable secret cisco1
S1(config)# exit
S1# show running-config
11. Configuring VTY password
Enter global configuration mode
S1(config)# line vty 0 15
S1(config-line)# password cisco
S1(config-line)# login
S1(config-line)# exit
S1(config)# exit
S1# show run
Test reachability from the PC's CMD: ping 10.10.10.1
12. Encrypting Configured Passwords
Enter global configuration mode
S1(config)# service password-encryption
S1(config)# do show run
Then you will see that all plaintext passwords (console, VTY and enable password) are now displayed in encrypted form (type 7). Note that type 7 encoding is reversible; the enable secret is stored as a hash instead.
13. SSH (Secure Shell) and Telnet
Both are used for remote access to network devices.
Telnet: Telnet is an unencrypted protocol used for
remote terminal access to network devices.
It allows a user to establish a text-based session with
a remote device and execute commands remotely.
SSH: SSH is a secure replacement for Telnet.
It provides encrypted communication between the
client and the server, ensuring confidentiality and
integrity of the data transmitted.
15. Configuring SSH
Steps to configure SSH access:
1. Change the hostname
2. Assign IP addresses to all devices
3. Assign the domain name
4. Generate the RSA key pair used for encryption
5. Create a username and password for the user, and set the enable password
6. Apply the SSH configuration to the VTY lines
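The six steps above carried through as one complete configuration. This is an added example written for this page, not the lab's own config; the hostname, domain name, username, passwords, VLAN 1 address and key size are assumptions.

```cisco
! Added example: SSH-only remote access on a Cisco IOS switch
! (hostname, domain, username, secrets and address are assumed values)
Switch> enable
Switch# configure terminal
Switch(config)# hostname S1
! A domain name is required before an RSA key pair can be generated
S1(config)# ip domain-name lab.example
! Management address so the switch is reachable over the network
S1(config)# interface vlan 1
S1(config-if)# ip address 10.10.10.1 255.255.255.0
S1(config-if)# no shutdown
S1(config-if)# exit
! 2048-bit key pair; do not accept the small default modulus
S1(config)# crypto key generate rsa modulus 2048
S1(config)# ip ssh version 2
! 'secret' stores a hash; 'password' would store the value reversibly
S1(config)# username admin privilege 15 secret Adm1n-Secret
S1(config)# enable secret Enabl3-Secret
S1(config)# line vty 0 15
! Authenticate against the local username database, not a line password
S1(config-line)# login local
! Accept SSH only; Telnet sessions are refused on these lines
S1(config-line)# transport input ssh
! Idle sessions are closed after 5 minutes
S1(config-line)# exec-timeout 5 0
S1(config-line)# exit
S1(config)# exit
! Verification
S1# show ip ssh
S1# show running-config | include ssh|transport|username
```

From the PC, connect with ssh -l admin 10.10.10.1; a telnet 10.10.10.1 attempt should now be refused.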
21. VLAN- Virtual Local Area Network
Virtual Local Area Networks (VLANs) separate
an existing physical network into multiple
logical networks. Thus, each VLAN creates its
own broadcast domain.
Communication between two VLANs can only
occur through a router that is connected to both.
22. VLAN- Types
In short, there are 2 types of VLANs:
Port-based VLANs (untagged)
With port-based VLANs, a single physical switch is simply divided into
multiple logical switches. The following example divides an eight-port
physical switch (Switch A) into two logical switches.
Tagged VLANs
With tagged VLANs, multiple VLANs can be used through a single switch
port. Tags containing the respective VLAN identifiers indicating the VLAN
to which the frame belongs are attached to the individual Ethernet frames as
they exit the port. If both switches understand the operation of tagged
VLANs, the reciprocal connection can be accomplished using one single
cable connecting from a “trunk” port.
23. VLAN- Types
VLAN-1 (Default VLAN)
Data VLAN: is a VLAN dedicated to carrying user data traffic. It is used
to segregate and isolate different types of network traffic, such as user devices,
servers, or specific applications.
Management VLAN: is a VLAN specifically designated for
managing network devices, such as switches, routers, or wireless access points.
Native VLAN: The native VLAN is a VLAN that is assigned to an
802.1Q trunk port without tagging the frames with a VLAN ID.
27. VLAN- Virtual Local Area Network
VLAN Configuration (SW-1)
Switch(config)# vlan 10
Switch(config-vlan)# name Staff
28. VLAN- Virtual Local Area Network
Assigning Ports to VLAN (SW-1)
SWA(config)# interface fastethernet0/2
SWA(config-if)# switchport mode access
SWA(config-if)# switchport access vlan 10
SWA(config-if)# exit
29. VLAN- Virtual Local Area Network
Assigning trunk Ports to VLAN (SW-0)
SWA(config)# interface fastethernet0/10
SWA(config-if)# switchport mode trunk
SWA(config-if)# switchport trunk allowed vlan 1,10,99
SWA(config-if)# exit
30. VLAN- Virtual Local Area Network
Assigning trunk Ports to VLAN (SW-1)
SWA(config)# interface fastethernet0/10
SWA(config-if)# switchport mode trunk
SWA(config-if)# switchport trunk allowed vlan 1,10,99
SWA(config-if)# exit
31. Management VLAN
Step 1
Create the management VLAN (mngt) and assign IP addresses to all devices.
Sw(config)# vlan 99
Sw(config-vlan)# name mngt
Sw(config-vlan)# exit
Sw(config)# interface range fastethernet0/2 - 52
Sw(config-if-range)# switchport mode access
Sw(config-if-range)# switchport access vlan 99
Sw(config-if-range)# exit
Step 2
Assign the IP address to the switch (on the VLAN 99 interface).
Sw(config)# interface vlan 99
Sw(config-if)# ip address 192.168.50.1 255.255.255.0
Sw(config-if)# no shutdown
32. Step 3
Create the VTY password and the enable password.
Step 4
From the switch, ping a device in the management VLAN (VLAN 99).
Step 5
Access the switch from the device: telnet to the switch address.
telnet 192.168.50.1
Enter the user (VTY) password, then the enable password.
35. VLAN- Virtual Local Area Network
Native VLAN
The VLAN kept for backward compatibility with old devices that do not
support VLAN tagging is called the native VLAN. It is associated with the
trunk port: frames of the native VLAN cross the trunk untagged.
SWA(config)# vlan 100
SWA(config-vlan)# name Native
SWA(config-vlan)# exit
SWA(config)# interface f0/10
! f0/10 is the trunk port
SWA(config-if)# switchport trunk native vlan 100
SWA(config-if)# end
SWA# show interfaces f0/10 switchport
SWA# show interfaces trunk
36. Inter-VLAN Routing
Inter-VLAN routing can be defined as a way to forward traffic
between different VLANs by implementing a router in the
network.
As we learnt previously, VLANs logically segment the switch
into different subnets. When a router is connected to the
switch, an administrator can configure the router to forward
traffic between the various VLANs configured on the
switch.
Inter-VLAN routing can be accomplished in the following ways:
Traditional inter-VLAN routing
Router-on-a-stick
Multilayer switching
37. Traditional inter-VLAN routing
In this type of inter-VLAN routing, a router is usually
connected to the switch using multiple interfaces.
One for each VLAN.
The interfaces on the router are configured as the
default gateways for the VLANs configured on the
switch.
The ports that connect to the router from the switch
are configured in access mode in their corresponding
VLANs.
40. Traditional inter-VLAN routing
VLAN Configuration
Switch(config)# vlan 20
Switch(config-vlan)# name RED
Switch(config-vlan)# vlan 30
Switch(config-vlan)# name BLUE
43. Inter-VLAN routing using router-on-a-stick
In the second type of inter-VLAN routing, router-on-a-stick, the router
is connected to the switch using a single interface.
The switch port connecting to the router is configured as a trunk link.
The single interface on the router is then configured with multiple IP
addresses that correspond to the VLANs on the switch. On the router, the
physical interface is divided into smaller interfaces called sub-interfaces.
Configure the link between router and switch as a trunk.
Create sub-interfaces and configure their IP addresses.
Configure the sub-interfaces with 802.1Q encapsulation.
46. Inter-VLAN routing using router-on-a-stick
VLAN Configuration
SWA -->VLAN 10 name Gray
SWA -->VLAN 20 name Red
SWA -->VLAN 30 name Blue
SWA -->VLAN 40 name Green
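The three router-on-a-stick steps above, carried through for the four VLANs listed (Gray, Red, Blue, Green). This is an added example, not the lab's own configuration; the router interface, the switch trunk port, the subnets and the native VLAN number (99) are assumptions.

```cisco
! Added example (assumed ports, subnets and native VLAN)
! --- Switch SWA: the port facing the router becomes a trunk ---
SWA(config)# interface fastethernet0/24
SWA(config-if)# switchport mode trunk
! Untagged frames on the trunk belong to the native VLAN; it must
! match on both ends of the link
SWA(config-if)# switchport trunk native vlan 99
SWA(config-if)# switchport trunk allowed vlan 10,20,30,40,99
SWA(config-if)# exit
! --- Router R1: one sub-interface per VLAN on a single physical link ---
R1(config)# interface gigabitethernet0/0
R1(config-if)# no shutdown
R1(config-if)# exit
! The dot1Q tag on each sub-interface must equal the VLAN ID
R1(config)# interface gigabitethernet0/0.10
R1(config-subif)# encapsulation dot1Q 10
R1(config-subif)# ip address 192.168.10.1 255.255.255.0
R1(config-subif)# interface gigabitethernet0/0.20
R1(config-subif)# encapsulation dot1Q 20
R1(config-subif)# ip address 192.168.20.1 255.255.255.0
R1(config-subif)# interface gigabitethernet0/0.30
R1(config-subif)# encapsulation dot1Q 30
R1(config-subif)# ip address 192.168.30.1 255.255.255.0
R1(config-subif)# interface gigabitethernet0/0.40
R1(config-subif)# encapsulation dot1Q 40
R1(config-subif)# ip address 192.168.40.1 255.255.255.0
! Native VLAN sub-interface: received untagged, so mark it 'native'
R1(config-subif)# interface gigabitethernet0/0.99
R1(config-subif)# encapsulation dot1Q 99 native
R1(config-subif)# ip address 192.168.99.1 255.255.255.0
R1(config-subif)# end
! Verification: every sub-interface up, one connected route per VLAN
R1# show ip interface brief
R1# show ip route connected
SWA# show interfaces trunk
```

Hosts in VLAN 10 use 192.168.10.1 as their default gateway, hosts in VLAN 20 use 192.168.20.1, and so on; a PC in Gray should then be able to ping a PC in Red through the router.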
50. Inter-VLAN Routing using Multilayer switching
Normally, routers are used to divide broadcast domains, and switches
(at layer 2) operate in a single broadcast domain, but switches can
also divide a broadcast domain by using the concept of VLANs
(Virtual LANs).
A VLAN is a logical grouping of devices in the same or different
broadcast domains. By default, all switch ports are in VLAN 1.
Once the single broadcast domain is divided into multiple broadcast
domains, routers or layer 3 switches are used for communication
between the different VLANs.
51. Inter-VLAN Routing using Multilayer switching
Switch Virtual Interface (SVI)
Multilayer switches support Switch Virtual Interfaces (SVIs),
logical interfaces that can perform routing.
An SVI is a logical interface on a multilayer switch that provides
layer 3 processing for packets from all switch ports associated with
that VLAN. A single SVI can be created per VLAN.
An SVI on a layer 3 switch provides both management and routing
services, while an SVI on a layer 2 switch provides only management
services, such as creating VLANs or Telnet/SSH access.
52. Inter-VLAN Routing using Multilayer switching
Switch Virtual Interface (SVI)
They behave like a physical interface of a router: they have an
IP address, and they insert a connected route into the
routing table. However, they are completely virtual.
In the router-on-a-stick method both a switch and a router are
needed, but with a layer 3 switch a single switch performs
inter-VLAN routing as well as the layer 2 functions (VLANs);
this method is therefore cost effective and needs less configuration.
55. Inter-VLAN Routing using Multilayer switching
Creating an SVI interface and configuring it
IP routing is the set of protocols that determine the path data follows in
order to travel across multiple networks from its source to its destination.
Switch# show ip route
Switch# configure terminal
! configure the SVI for each VLAN
Switch(config)# interface vlan 10
Switch(config-if)# ip address 192.168.1.1 255.255.255.0
Switch(config-if)# interface vlan 20
Switch(config-if)# ip address 192.168.2.1 255.255.255.0
Switch(config-if)# exit
! enable layer 3 forwarding between the SVIs
Switch(config)# ip routing
Switch(config)# end
Switch# show ip route
Verify the end-to-end connectivity.
56. Port Security
Switch security feature that allows us to limit
the number of MAC addresses learned on a per
port basis.
Can be configured to limit a port to specific MAC addresses.
57. Port Security
Can be configured to limit a port to a set number of
dynamically learned MAC addresses.
Useful to protect against end users plugging in rogue
equipment (PCs, hubs, switches).
58. Port Security
Secure MACs can be defined with two techniques:
Static: manually configure a specific MAC address on a port.
switchport port-security mac-address hhhh.hhhh.hhhh
Sticky: the switch automatically learns secure addresses on a port. The
address is added to the secure address table and to the running
configuration.
Command:
switchport port-security mac-address sticky
59. Port Security
When secure MAC addresses have been learned on a port and another,
unsecured MAC attempts to communicate on the port, a violation is
triggered.
There are 3 violation modes: switchport port-security violation {protect | restrict | shutdown}
Protect: least severe. Frames from unsecured MACs are not forwarded; no
notification is generated.
Restrict: medium severity. Frames from unsecured MACs are not forwarded,
and the violation is counted and logged (syslog message / SNMP trap).
Shutdown: most severe (the default). The port is moved to the err-disabled state.
61. Steps to configure port security
Steps
1. Enable port security on the access ports.
2. Set the maximum number of devices allowed on each access port.
3. Secure the MAC address of the connected device (learned dynamically,
e.g. with sticky).
4. Set the violation mode.
5. Disable all remaining unused ports.
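The five steps above as one configuration, including the verification commands used on the following slides. This is an added example, not the lab's own config; the port numbers, the maximum of one MAC per port and the parking VLAN 999 are assumptions.

```cisco
! Added example (assumed ports, maximum and parking VLAN)
! Steps 1-4 on the two ports that carry PC0/PC1 and the server
S1(config)# interface range fastethernet0/1 - 2
! port security is only accepted on a port in static access mode
S1(config-if-range)# switchport mode access
S1(config-if-range)# switchport port-security
! step 2: one device per port
S1(config-if-range)# switchport port-security maximum 1
! step 3: learn the first MAC seen and write it to running-config
S1(config-if-range)# switchport port-security mac-address sticky
! step 4: a second MAC err-disables the port
S1(config-if-range)# switchport port-security violation shutdown
S1(config-if-range)# exit
! Step 5: unused ports go to an unused VLAN and are shut down, so a
! device plugged into them gets no link at all
S1(config)# interface range fastethernet0/3 - 24
S1(config-if-range)# switchport mode access
S1(config-if-range)# switchport access vlan 999
S1(config-if-range)# shutdown
S1(config-if-range)# exit
! Optional: let err-disabled ports recover automatically after the
! default timer instead of requiring a manual shutdown / no shutdown
S1(config)# errdisable recovery cause psecure-violation
S1(config)# end
! Verification: status, learned addresses and violation counters
S1# show port-security
S1# show port-security interface fastethernet0/1
S1# show port-security address
S1# copy running-config startup-config
```

The copy at the end is what keeps the sticky addresses across a reload; without it the switch would relearn whichever MAC appears first after a reboot.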
63. Verify port security
1. Ping from the PC to the server.
2. Do show running-config to show the status.
3. Attach the rogue PC to an unused port.
4. Enable the port of the rogue PC, ping PC1 and the server, then
disable the port.
Commands:
S1(config)# interface fa0/3
S1(config-if)# no shutdown
Then disable the rogue PC's port again.
5. Disconnect PC1 from its port, connect the rogue PC to that port and
check that the ping to the server fails.
6. Disconnect the rogue PC, reconnect PC1 and ping the server.
7. Why can PC1 ping the server while the rogue PC cannot?
64. Port Security
Check
S1# show run
S1# show mac-address-table
S1# show port-security
S1# show port-security interface f0/1
Check connectivity between PC0 and the server
Check connectivity between PC1 and the server on the same port
The server replies
S1# show run
S1# show mac-address-table
65. Port Security
Check
S1# show run
S1# show mac-address-table
S1# show port-security
S1# show port-security interface f0/1
Check connectivity between PC0 and the server
Check connectivity between PC1 and the server on the same port
The server doesn't reply to PC1; this is because of port security.
66. How to re-enable ports?
Commands
S1(config)# interface fa0/1
S1(config-if)# shutdown
S1(config-if)# no shutdown
67. ACL
Access Control Lists (ACLs) are network traffic filters that can
control incoming or outgoing traffic.
A powerful tool for network control:
Filter packets flowing in or out of router interfaces
Restrict network use by certain users or devices
Deny or permit traffic
ACLs work on a set of rules that define how to forward or block a
packet at the router's interface.
There are two types:
Standard Access List
Extended Access List
68. ACL
Standard Access List
A standard ACL can use only the source IP address in an IP packet to
filter network traffic. Standard access lists are typically used to
permit or deny an entire host or network. They cannot be used to filter
individual protocols or services such as FTP and Telnet. In technical
terms, the standard ACL supports only the source address.
Standard access lists allow you to evaluate only the source IP address
of a packet. Standard ACLs are not as powerful as extended access
lists, but they are less CPU intensive for the device.
By using numbers 1-99 or 1300-1999, the router will understand it as a
standard ACL and treat the specified address as the source IP address.
69. ACL
Configuring ACL
R1(config)# access-list ACL_NUMBER permit|deny host IP_ADDRESS
R1(config)# access-list ACL_NUMBER permit|deny IP_ADDRESS WILDCARD_MASK
Once the access list is created, it needs to be applied to an interface
on the device where you want the traffic filtered. You must also
specify which direction of traffic you want the access list applied to.
Two directions are available:
inbound – the ACL is applied to the traffic coming into the interface.
outbound – the ACL is applied to the traffic leaving the interface.
The access-group command is entered on the interface itself:
R1(config)# interface INTERFACE
R1(config-if)# ip access-group ACL_NUMBER in|out
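A worked standard ACL in the form shown above: one host entry, one network entry with a wildcard mask, and the list applied outbound on the interface nearest the destination. This is an added example, not the lab's own config; the ACL number, addresses and interface are assumptions.

```cisco
! Added example (assumed ACL number, addresses and interface)
! Goal: the staff subnet 192.168.10.0/24 may reach the server LAN,
! except one host; everything else is blocked.
! A wildcard mask is the inverse of the subnet mask: 255.255.255.0
! becomes 0.0.0.255 (0 bits must match, 1 bits are ignored).
R1(config)# access-list 10 remark Staff subnet to server LAN, one host excluded
! Entries are checked top-down and the first match wins, so the more
! specific deny must come before the network-wide permit.
R1(config)# access-list 10 deny host 192.168.10.50
R1(config)# access-list 10 permit 192.168.10.0 0.0.0.255
! Every ACL ends with an implicit "deny any": any source that matches
! neither line above is dropped. Making it explicit gives hit counters.
R1(config)# access-list 10 deny any
! A standard ACL only sees the source address, so it is applied close
! to the destination (outbound on the server-facing interface) to avoid
! blocking the staff subnet from every other network as well.
R1(config)# interface gigabitethernet0/1
R1(config-if)# ip access-group 10 out
R1(config-if)# end
! Verification: entries with match counters, and which list is bound
R1# show access-lists 10
R1# show ip interface gigabitethernet0/1 | include access list
```

After a ping from 192.168.10.50 toward the server LAN, the match counter on the deny host line should increase, while pings from any other 192.168.10.x address increment the permit line.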