CCNA Discovery - Working at a Small-to-Medium Business or ISP


5 Configuring Network Devices
5.0 Chapter Introduction
5.0.1 Introduction

Page 1:

5.0.1 - Introduction
One network infrastructure is now expected to support enhanced integrated applications, like voice
and video, for more users than ever before.

The underlying routing and switching technologies must provide the foundation for a wide range of
business applications.

Network engineers and technicians set up and configure the routers and switches that provide LAN
and WAN connectivity and services.

After completion of this chapter, you should be able to:


• Configure a router with an initial configuration.
• Use Cisco Security Device Manager to configure a Cisco ISR with LAN connectivity, Internet
connectivity, and NAT.
• Configure a Cisco router for LAN connectivity, Internet connectivity, and NAT using the Cisco
IOS CLI.
• Configure a WAN connection from a customer premises to an ISP.
• Describe, set up, and configure a stand-alone LAN switch.

5.1 Initial ISR Router Configuration


5.1.1 ISR

Page 1:
The Cisco Integrated Services Router (ISR) is one of the most popular networking devices to meet
the growing communications needs of businesses. The ISR combines features such as routing and
LAN switching functions, security, voice, and WAN connectivity into a single device. This makes
the ISR ideal for small to medium-sized businesses and for ISP-managed customers.

The optional integrated switch module allows small businesses to connect LAN devices directly to
the 1841 ISR. With the integrated switch module, if the number of LAN hosts exceeds the number
of switch ports, additional switches or hubs can be connected in a daisy chain to extend the number
of LAN ports available. If the switch module is not included, external switches are connected to the
router interfaces of the ISR.

The ISR routing function allows a network to be broken into multiple local networks using
subnetting and supports internal LAN devices connecting to the Internet or WAN.

5.1.1 - ISR
The diagram depicts four types of routers, as follows:

Cisco 800 series ISR
Designed for small offices and home-based users
1 WAN Supports
4 10/100 Mbps
Combines data, security, and wireless services
Provides services at broadband speeds

Cisco 3800 series ISR
Designed for medium to large businesses and enterprise branch offices
Supports up to 2 10/100/1000 Mbps router ports
Supports up to 112 10/100 Mbps switch ports
Supports 240 Cisco IP phone users
Combines data, security, voice, video, and wireless service
Provides services at broadband speeds using DSL, cable and T1/E1 connections

Cisco 1800 series ISR
Designed for small to medium businesses and small enterprise branch offices
Supports up to 8 10/100 Mbps router ports
Supports 8 10/100 Mbps switch ports
Combines data, security, and wireless services
Provides services at broadband speeds using DSL, cable and T1/E1 connections

Cisco 2800 series ISR
Designed for small to medium businesses and small enterprise branch offices
Supports up to 2 10/100/1000 Mbps router ports
Supports up to 64 10/100 Mbps switch ports
Supports 96 Cisco IP phone users
Combines data, security, voice, video, and wireless services
Provides services at broadband speeds using multiple T1/E1 connections

Page 2:

5.1.1 - ISR
The diagram depicts the front and rear view of a Series ISR: Model 1841.

Front view
The 1841 is a relatively low cost ISR designed for small to medium-sized businesses and small
enterprise branch offices. It combines the features of data, security, and wireless services with the
addition of a wireless module. The LEDs indicate the following information:

System Power LED (SYS-PWR)
Indicates power is received and that the internal power supply is functional. LED is solid green.

System Activity (SYS ACT)
A blinking LED indicates the system is actively transferring packets.

Rear View
The 1841 ISR uses modules that allow for different configurations of ports. The following
components are found on the router:

Modular Slot 1 with a High-speed WAN Interface Card (HWIC)
Modular slots can be used for different types of interfaces. The HWIC shown here provides serial
connectivity over a wide-area network.

Console Port
This port is used to configure the ISR via a directly connected host.

Auxiliary Port
This port is used to configure the ISR via a modem connection.

Single Slot USB Port
The USB Flash feature allows users to store images and configurations and boot directly via USB
Flash memory.

Fast Ethernet Ports
These ports provide 10/100 Mbps connectivity for local area networks.

Compact Flash Module
This removable module is used to store the Cisco IOS and other operating software for the ISR.

Modular Slot 0 with a Four Port Ethernet Switch
Modular slots can be used for different types of interfaces. The four port Ethernet card shown here
provides LAN connectivity to multiple devices.

Page 3:
The Cisco Internetwork Operating System (IOS) software provides features that enable a Cisco
device to send and receive network traffic using a wired or wireless network. Cisco IOS software is
offered to customers in modules called images. These images support various features for
businesses of every size.

The entry-level Cisco IOS software image is called the IP Base image. The Cisco IOS IP Base
software supports small to medium-sized businesses and supports routing between networks.

Other Cisco IOS software images add services to the IP Base image. For example, the Advanced
Security image provides advanced security features, such as private networking and firewalls.

Many different types and versions of Cisco IOS images are available. Images are designed to
operate on specific models of routers, switches, and ISRs.

It is important to know which image and version is loaded on a device before beginning the
configuration process.

5.1.1 - ISR

The diagram depicts a flow chart of IOS Software.

A. IP Base flows to Advanced Security, IP Voice, and Service Provider Services.
B. Advanced Security flows to Advanced IP Services.
C. IP Voice flows to SP Services.
D. Service Provider Services flows to Enterprise Services.
E. SP Services flows to both Advanced IP Services and Enterprise Services.
F. Advanced IP Services flows to Advanced Enterprise Services.
G. Enterprise Services flows to Advanced Enterprise Services.

5.1.2 Physical Setup of the ISR

Page 1:
Each ISR is shipped with the cables and documentation needed to power up the device and begin
the installation. When a new device is received, it is necessary to unpack the device and verify that
all the hardware and equipment is included.

Items shipped with a new Cisco 1841 ISR include:

• RJ-45 to DB-9 console cable
• DB-9 to DB-25 modem adapter
• Power cord
• Product registration card, called the Cisco.com card
• Regulatory compliance and safety information for Cisco 1841 routers
• Router and Security Device Manager (SDM) Quick Start guide
• Cisco 1800 Series Integrated Services Router (Modular) Quick Start guide

5.1.2 - Physical Setup of the ISR


The diagram depicts components of a Cisco ISR.
Black power supply cord
Serial port adapter for converting a 25-pin serial port (DB-25) on a PC or a modem to a 9-pin serial
port (DB-9) in order to connect the console cable.
Cisco documentation and software CD.
Blue console cable to connect the PC or modem to the device console port in order to monitor or
configure the device.

Page 2:
Installing a new Cisco 1841 ISR requires special tools and equipment, which most ISPs and
technician labs usually have available. Any additional equipment required depends on the model of
the device and any optional equipment ordered.

Typically, the tools required to install a new device include:

• PC with a terminal emulation program, such as HyperTerminal
• Cable ties and a No. 2 Phillips screwdriver
• Cables for WAN interfaces, LAN interfaces, and USB interfaces

It may also be necessary to have equipment and devices required for WAN and broadband
communication services, such as a modem. Additionally, Ethernet switches may be required to
connect LAN devices or expand LAN connectivity, depending on whether the integrated switch
module is included and the number of LAN ports required.

5.1.2 - Physical Setup of the ISR


The diagram depicts components needed to set up the Cisco ISR.
PC with Terminal Emulation Program
Cable ties and Number 2 Phillips Screwdriver
WAN Interface Cable
LAN Interface Cable
USB Interface Cable
Ethernet Switch
Modem

Page 3:
Before beginning any equipment installation, be sure to read the Quick Start guide and other
documentation that is included with the device. The documentation contains important safety and
procedural information to prevent accidental damage to the equipment during installation.

Follow these steps to power up an 1841 ISR.

1. Securely mount and ground the device chassis, or case.

2. Seat the external compact flash card.

3. Connect the power cable.

4. Configure the terminal emulation software on the PC and connect the PC to the console port.

5. Turn on the router.

6. Observe the startup messages on the PC as the router boots up.


5.1.2 - Physical Setup of the ISR
The diagram depicts steps for setting up an ISR.

Step 1
Cisco routers and ISRs can be wall-mounted, set on a shelf or desktop, or installed in a rack.
Step 2
Seat the external compact flash memory card into the slot. Be certain that it is firmly seated and
verify that the eject button is fully extended. The eject button is usually located to the left of the
slot.
Step 3
Connect the power cable to the device and then to a reliable power source. Routers and networking
devices are usually connected to an uninterruptible power supply that contains a battery. This
ensures that the device does not fail if the electricity goes off unexpectedly.
Step 4
On a PC, configure the terminal emulation software with the required settings for communication
with a Cisco router. Connect the PC running the emulation program to the console port of the ISR
using the console cable that came with the device.
Step 5
Turn the ISR on using the power switch located on the rear of the device.
Step 6
Observe the start-up messages as they appear in the terminal program window. These messages are
generated by the router's operating system.

5.1.3 Bootup Process

Page 1:
The router bootup process has three stages.

1. Perform Power-on self test (POST) and load the bootstrap program.

The POST is a process that occurs on almost every computer when it boots up. POST is used to test
the router hardware. After POST, the bootstrap program is loaded.

2. Locate and load the Cisco IOS software.

The bootstrap program locates the Cisco IOS software and loads it into RAM. Cisco IOS files can
be located in one of three places: flash memory, a TFTP server, or another location indicated in the
startup configuration file. By default, the Cisco IOS software loads from flash memory. The
configuration settings must be changed to load from one of the other locations.

3. Locate and execute the startup configuration file or enter setup mode.

After the Cisco IOS software is loaded, the bootstrap program searches for the startup configuration
file in NVRAM. This file contains the previously saved configuration commands and parameters,
including interface addresses, routing information, passwords, and other configuration parameters.

If a configuration file is not found, the router prompts the user to enter setup mode to begin the
configuration process.

If a startup configuration file is found, it is copied into RAM and a prompt containing the host name
is displayed. The prompt indicates that the router has successfully loaded the Cisco IOS software
and configuration file.

5.1.3 - Boot Up Process


The diagram depicts three stages of the boot up process.

Stage 1
ROM - POST - Perform POST
ROM - Bootstrap - Load Bootstrap - Execute Bootstrap Loader

Console screen output:

System Bootstrap, Version 12.3(8r)T8, RELEASE SOFTWARE (fc1)
Cisco 1841 (revision 5.0) with 114688K/16384K bytes of memory.

Stage 2
The IOS can be loaded from Flash or a TFTP server.
Flash - Cisco Internetwork Operating System - Locate and load Operating system
TFTP Server - Cisco Internetwork Operating System - Locate and load Operating system

Console screen output:

System Bootstrap, Version 12.3(8r)T8, RELEASE SOFTWARE (fc1)
Cisco 1841 (revision 5.0) with 114688K/16384K bytes of memory.

Self decompressing the image:


###
[OK]

Stage 3
The configuration file can be loaded from NVRAM, a TFTP server or the console.
NVRAM Configuration, then Locate, load, and execute the Configuration file or enter "setup"
mode
TFTP Server Configuration, then Locate, load, and execute the Configuration file or enter "setup"
mode
Console Configuration, then Locate, load, and execute the Configuration file (configuration
commands entered from the console host keyboard) or enter "setup" mode

Console screen output:

System Bootstrap, Version 12.3(8r)T8, RELEASE SOFTWARE (fc1)
Cisco 1841 (revision 5.0) with 114688K/16384K bytes of memory.

Self decompressing the image:


###
[OK]

Restricted Rights Legend
Use, duplication, or disclosure by the Government is subject to restrictions as set forth in
subparagraph (c) of the Commercial Computer Software - Restricted Rights clause at FAR sec.
52.227-19 and subparagraph (c) (1) (ii) of the Rights in Technical Data and Computer Software
clause at DFARS sec. 252.227-7013.

Cisco Systems, Inc.


170 West Tasman Drive
San Jose, California 95134-1706

Cisco IOS Software, 1841 Software (C1841-IPBASE-M), Version 12.3(14)T7, RELEASE
SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2006 by Cisco Systems, Inc.
Compiled Mon 15-May-06 14:54 by pt_team
Image text-base: 0x6007D180, data-base: 0x61400000

Port Statistics for unclassified packets is not turned on.


Cisco 1841 (revision 5.0) with 114688K/16384K bytes of memory.
Processor board ID FTX0947Z18E
M860 processor: part number 0, mask 49
2 FastEthernet/IEEE 802.3 interface(s)
2 Low-speed serial (sync/async) network interface(s)
191K bytes of NVRAM.
31360K bytes of ATA CompactFlash (Read/Write)
Cisco IOS Software, 1841 Software (C1841-IPBASE-M), Version 12.3(14)T7, RELEASE
SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2006 by Cisco Systems, Inc.
Compiled Mon 15-May-06 14:54 by pt_team

---System Configuration Dialog---


Continue with configuration dialog? [yes/no]: no

Page 2:
To avoid the loss of data, it is important to have a clear understanding of the difference between the
startup configuration file and the running configuration file.

Startup Configuration File

The startup configuration file is the saved configuration file that sets the properties of the device
each time the device is powered up. This file is stored in non-volatile RAM (NVRAM), meaning
that it is saved even when power to the device is turned off.

When a Cisco router is first powered up, it loads the Cisco IOS software to working memory, or
RAM. Next, the startup configuration file is copied from NVRAM to RAM. When the startup
configuration file is loaded into RAM, the file becomes the initial running configuration.

Running Configuration File

The term running configuration refers to the current configuration running in RAM on the device.
This file contains the commands used to determine how the device operates on the network.

The running configuration file is stored in the working memory of the device. Changes to the
configuration and various device parameters can be made when the file is in working memory.
However, the running configuration is lost each time the device is shut down, unless the running
configuration is saved to the startup configuration file.

Changes to the running configuration are not automatically saved to the startup configuration file. It
is necessary to manually copy the running configuration to the startup configuration file.

When configuring a device via the Cisco command line interface (CLI) the command copy
running-config startup-config, or the abbreviated version copy run start, saves the running
configuration to the startup configuration file. When configuring a device via the Cisco SDM GUI,
there is an option to save the router running configuration to the startup configuration file each time
a command is completed.

5.1.3 - Boot Up Process


The animation depicts the startup config being copied from NVRAM to the RAM.

Tip Popup Information


Warning: Making a spelling mistake when typing startup-config in the copy command could lead to
copying the running configuration to a different file name. This may result in the loss of
configuration changes when the router is reloaded.

Page 3:
After the startup configuration file is loaded and the router boots successfully, the show version
command can be used to verify and troubleshoot some of the basic hardware and software
components used during the bootup process. The output from the show version command includes:

• The Cisco IOS software version being used.
• The version of the system bootstrap software, stored in ROM memory, that was initially
used to boot the router.
• The complete filename of the Cisco IOS image and where the bootstrap program located it.
• Type of CPU on the router and amount of RAM. It may be necessary to upgrade the amount
of RAM when upgrading the Cisco IOS software.
• The number and type of physical interfaces on the router.
• The amount of NVRAM. NVRAM is used to store the startup-config file.
• The amount of flash memory on the router. Flash is used to permanently store the Cisco IOS
image. It may be necessary to upgrade the amount of flash when upgrading the Cisco IOS
software.
• The current configured value of the software configuration register in hexadecimal.

The configuration register tells the router how to boot up. For example, the factory default setting
for the configuration register is 0x2102. This value indicates that the router attempts to load a Cisco
IOS software image from flash and loads the startup configuration file from NVRAM. It is possible
to change the configuration register and, therefore, change where the router looks for the Cisco IOS
image and the startup configuration file during the bootup process. If there is a second value in
parentheses, it denotes the configuration register value to be used during the next reload of the
router.

5.1.3 - Boot Up Process


The animation highlights the following information that is displayed when the show version
command is issued.

IOS Version
IOS (tm) 2500 Software (C2500-I-L), Version 12.0(17a), RELEASE SOFTWARE (fc1)

Bootstrap Version
ROM: System Bootstrap, Version 11.0(10c), SOFTWARE
BOOTFLASH: 3000 Bootstrap Software (IGS-BOOT-R), Version 11.0(10c), RELEASE SOFTWARE (fc1)

IOS image file
System image file is "flash:c2500-i-l.120-17a.bin"

Model and CPU
Cisco 2500 (68030) processor (revision N)

Amount of RAM
With 2048K/2048K

Number and type of interfaces
1 Ethernet/IEEE 802.3 interface(s)
2 Serial network interface(s)

Amount of NVRAM
32K bytes of non-volatile configuration memory.

Amount of flash
8192K bytes of processor board system flash (Read ONLY)

Configuration register
Configuration register is 0x2102

More Information Popup


The configuration register tells the router how to boot. There are many possible settings for the
configuration register. The most common ones are:

0x2102 - Factory default setting for Cisco routers (load the IOS image from flash and load the
startup config file from NVRAM)
0x2142 - Router ignores the contents of Non-Volatile RAM (NVRAM)
0x2120 - Router boots into ROMmon mode
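
The three values above differ only in a few bits of the 16-bit register. The following Python code is an added example, not part of the course material: it extracts the configuration register line from show version output, decodes the boot field and the ignore-NVRAM bit, and flags a register that skips the startup configuration or a different value staged for the next reload. The sample lines are constructed and the function names are illustrative.

```python
import re

BOOT_FIELD_MASK = 0x000F   # bits 0-3: how the IOS image is located
IGNORE_NVRAM = 0x0040      # bit 6: startup-config in NVRAM is not loaded
BREAK_DISABLED = 0x0100    # bit 8: console Break is ignored once booted

# Format of the last line of show version, with the optional pending value.
CONFREG_LINE = re.compile(
    r"Configuration register is (0x[0-9A-Fa-f]+)"
    r"(?:\s*\(will be (0x[0-9A-Fa-f]+) at next reload\))?"
)

# Constructed sample lines (not captured from a real device).
SAMPLE_DEFAULT = "Configuration register is 0x2102"
SAMPLE_PENDING = "Configuration register is 0x2102 (will be 0x2142 at next reload)"


def decode_confreg(value):
    """Decode the security-relevant fields of a configuration register value."""
    boot_field = value & BOOT_FIELD_MASK
    if boot_field == 0:
        boot = "rommon"          # stay in ROM monitor
    elif boot_field == 1:
        boot = "helper-image"    # platform dependent: ROM helper or first flash image
    else:
        boot = "boot-system"     # follow boot system commands, else default to flash
    return {
        "value": f"0x{value:04X}",
        "boot": boot,
        "ignore_nvram": bool(value & IGNORE_NVRAM),
        "break_disabled": bool(value & BREAK_DISABLED),
    }


def audit_show_version(text):
    """Return (current, pending, findings) for show version output."""
    match = CONFREG_LINE.search(text)
    if match is None:
        raise ValueError("no configuration register line found")
    current = decode_confreg(int(match.group(1), 16))
    pending = decode_confreg(int(match.group(2), 16)) if match.group(2) else None

    findings = []
    for label, reg in (("current", current), ("next reload", pending)):
        if reg is None:
            continue
        if reg["ignore_nvram"]:
            findings.append(f"{label}: {reg['value']} ignores the startup-config in NVRAM")
        if reg["boot"] == "rommon":
            findings.append(f"{label}: {reg['value']} stops in ROMmon instead of loading IOS")
    if pending is not None and pending["value"] != current["value"]:
        findings.append(
            f"register changes from {current['value']} to {pending['value']} at next reload"
        )
    return current, pending, findings


if __name__ == "__main__":
    for sample in (SAMPLE_DEFAULT, SAMPLE_PENDING):
        current, pending, findings = audit_show_version(sample)
        print(current["value"], findings or "no findings")
```

A router that reloads with bit 6 set comes up without its saved passwords and other saved settings applied, so an unexpected 0x2142, current or pending, is worth investigating before the next reload.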

Page 4:
There are times when the router does not successfully boot. This failure can be caused by a number
of factors, including a corrupt or missing Cisco IOS file, an incorrect location for the Cisco IOS
image specified by the configuration register, or inadequate memory to load a new Cisco IOS
image. If the router fails to boot the IOS, it then boots up in ROM monitor (ROMmon) mode.
ROMmon software is a simple command set stored in read only memory (ROM) that can be used to
troubleshoot boot errors and recover the router when the IOS is not present.

When the router boots up to ROMmon mode, one of the first steps in troubleshooting is to look in
flash memory for a valid image using the dir flash: command. If an image is located, attempt to
boot the image with the boot flash: command.

rommon 1>boot flash:c2600-is-mz.121-5

If the router boots properly with this command, there are two possible reasons why the Cisco IOS
image did not load from flash initially. First, use the show version command to check the
configuration register to ensure that it is configured for the default boot sequence. If the
configuration register value is correct, use the show startup-config command to see if there is a
boot system command that instructs the router to use a different location for the Cisco IOS image.

5.1.3 - Boot Up Process


The diagram depicts the output of the show startup-config command. The boot system commands in
the startup config file determine the sequence the router uses to locate the IOS and boot.

boot system flash 1841-advipservicesk9-mz.124-10b.bin
boot system tftp 1841-advipservicesk9-mz.124-10b.bin 192.168.1.1
boot system rom

Page 5:
Lab Activity

Power up an ISR and view the router system and configuration files using show commands.

5.1.3 - Boot Up Process


Link to Hands-on Lab: Powering Up an Integrated Services Router

5.1.4 Cisco IOS Programs

Page 1:
There are two methods to connect a PC to a network device to perform configuration and
monitoring tasks: out-of-band management and in-band management.

Out-of-band Management

Out-of-band management requires a computer to be directly connected to the console port or
auxiliary port (AUX) of the network device being configured. This type of connection does not
require the local network connections on the device to be active. Technicians use out-of-band
management to initially configure a network device, because until properly configured, the device
cannot participate in the network. Out-of-band management is also useful when the network
connectivity is not functioning correctly and the device cannot be reached over the network.
Performing out-of-band management tasks requires a terminal emulation client installed on the PC.

In-band Management

Use in-band management to monitor and make configuration changes to a network device over a
network connection. For a computer to connect to the device and perform in-band management
tasks, at least one network interface on the device must be connected to the network and be
operational. Telnet, HTTP, or SSH can be used to access a Cisco device for in-band
management. A web browser or a Telnet client program can be used to monitor the network device
or make configuration changes.

5.1.4 - Cisco IOS Programs

The diagram depicts an out-of-band and in-band router configuration.

Out-of-band Router Configuration
PC connected to router via console port. PC connected via PSTN link to router auxiliary port.

In-band Router Configuration
PC connected to router via Ethernet interface. PC connected via WAN or Internet to a serial
interface of a router.
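
Of the in-band protocols named above, Telnet and HTTP carry logins and configuration in cleartext, while SSH and HTTPS encrypt the session. The following Python code is an added example, not part of the course material: it reads a running-config and reports which in-band management paths are still cleartext. The sample configuration is constructed and the function name is illustrative.

```python
import re

# Constructed sample running-config fragment (not taken from a real device).
SAMPLE_CONFIG = """\
hostname R1
!
ip http server
ip http secure-server
!
line con 0
line vty 0 4
 login local
 transport input telnet ssh
line vty 5 15
 login local
 transport input ssh
!
end
"""


def audit_inband_management(config_text):
    """Return (location, issue) tuples for cleartext in-band management."""
    findings = []
    vty_transports = {}   # "line vty 0 4" -> set of protocols, or None if unset
    current_vty = None

    for raw in config_text.splitlines():
        stripped = raw.strip()
        if not stripped or stripped.startswith("!"):
            continue
        if not raw.startswith(" "):
            # A top-level command ends any line sub-mode that was open.
            current_vty = stripped if stripped.startswith("line vty") else None
            if current_vty:
                vty_transports[current_vty] = None
            elif stripped == "ip http server":
                findings.append((stripped, "web management over cleartext HTTP"))
            continue
        if current_vty:
            match = re.match(r"transport input (.+)", stripped)
            if match:
                vty_transports[current_vty] = set(match.group(1).split())

    for vty, protocols in vty_transports.items():
        if protocols is None:
            findings.append(
                (vty, "no explicit transport input; allowed protocols follow the IOS default")
            )
        elif protocols & {"telnet", "all"}:
            findings.append((vty, "permits Telnet (cleartext)"))
    return findings


if __name__ == "__main__":
    for location, issue in audit_inband_management(SAMPLE_CONFIG):
        print(f"{location}: {issue}")
```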

Page 2:
The Cisco IOS command line interface (CLI) is a text-based program that enables entering and
executing Cisco IOS commands to configure, monitor, and maintain Cisco devices. The Cisco CLI
can be used with either in-band or out-of-band management tasks.

Use CLI commands to alter the configuration of the device and to display the current status of
processes on the router. For experienced users, the CLI offers many time-saving features for
creating both simple and complex configurations. Almost all Cisco networking devices use a similar
CLI. When the router has completed the power-up sequence, and the Router> prompt appears, the
CLI can be used to enter Cisco IOS commands.

Technicians familiar with the commands and operation of the CLI find it easy to monitor and
configure a variety of different networking devices. The CLI has an extensive help system that
assists users in setting up and monitoring devices.

5.1.4 - Cisco IOS Programs

The diagram depicts the output on a HyperTerminal showing the use of the command line interface
(CLI) to access the serial 0/1/0 interface of the router to configure it.

Router>
Router> enable
Router# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)# interface serial 0/1/0
Router(config-if)#

Page 3:
In addition to the Cisco IOS CLI, other tools are available to assist in configuring a Cisco router or
ISR. Security Device Manager (SDM) is a web-based GUI device management tool. Unlike CLI,
SDM can be used only for in-band management tasks.

SDM Express simplifies the initial router configuration. It uses a step-by-step approach to create a
basic router configuration quickly and easily.

The full SDM package offers more advanced options, such as:

• Configuring additional LAN and WAN connections
• Creating firewalls
• Configuring VPN connections
• Performing security tasks

SDM supports a wide range of Cisco IOS software releases and is available free of charge on many
Cisco routers. SDM is pre-installed on the flash memory of the Cisco 1800 Series ISR. If the router
has SDM installed, it is good practice to use SDM to perform the initial router configuration. This
configuration is done by connecting to the router via a preset network port on the router.

5.1.4 - Cisco IOS Programs


The diagram depicts the opening windows of the Cisco SDM Express and Cisco Router and
Security Device Manager (SDM).

Page 4:
Not all Cisco devices support SDM. In addition, SDM does not support all the commands that are
available through the CLI. Consequently, it is sometimes necessary to use the CLI to complete a
device configuration that is started using SDM. Familiarity with both methods is critical to
successfully support Cisco devices.

5.1.4 - Cisco IOS Programs

The diagram compares the following features of Cisco IOS CLI and Cisco SDM: user interface,
router configuration method, expertise in Cisco device configuration, help features, router Flash
memory requirements, availability, and when used.

User Interface
Cisco IOS CLI:
Terminal emulation software
Telnet session
Cisco SDM:
Web-based browser

Router Configuration Method
Cisco IOS CLI:
Text-based Cisco commands
Cisco SDM:
GUI buttons and text boxes

Expertise in Cisco Device Configuration
Cisco IOS CLI:
Depends on configuration task
Cisco SDM:
Do not need knowledge of the CLI commands

Help Features
Cisco IOS CLI:
Command prompt based
Cisco SDM:
GUI based on-line help and tutorials

Router Flash Memory Requirements
Cisco IOS CLI:
Covered by IOS image
Cisco SDM:
6 MB of free memory

Availability
Cisco IOS CLI:
All Cisco devices
Cisco SDM:
Cisco 830 Series through Cisco 7301

When Used
Cisco IOS CLI:
Cisco device does not support Cisco SDM
Configuration task not supported by Cisco SDM
Cisco SDM:
Performing the initial configuration on an SDM equipped device
Step through configuration of devices without CLI knowledge required

Page 5:

5.1.4 - Cisco IOS Programs

The diagram depicts an activity in which you must determine when to use CLI or SDM based on
the following descriptions.

Descriptions

One. Used to configure a Cisco router with both in-band and out-of-band management.
Two. Used for initial configuration of a Cisco router using a Web-based GUI.
Three. Used to configure a Cisco router with limited knowledge of IOS commands.
Four. Supported, by default, on all Cisco IOS routers.

5.2 Using Cisco SDM Express and SDM


5.2.1 Cisco SDM Express

Page 1:
When adding a new device to a network, it is critical to ensure that the device functions correctly.
The addition of one poorly configured device can cause an entire network to fail.

Configuring a networking device, such as a router, can be a complex task, no matter which tool is
used to enter the configuration. Therefore, follow best practices for installing a new device to
ensure that all device settings are properly configured and documented.

5.2.1 - Cisco SDM Express


The diagram depicts the best practices and details for Cisco SDM Express.

Best Practice 1:
Obtain and document all information before beginning the configuration.
Details:
Name assigned to device
Location where it will be installed
User names and passwords
Types of connections required (LAN and WAN)
IP address information for all network interfaces, including IP address, subnet mask, and default
gateway
DHCP server settings
Network Address Translation Settings
Firewall settings

Best Practice 2:
Create a network diagram showing how cables will be connected.
Details:
Label the diagram with the interface designation and address information

Best Practice 3:
Create a checklist of configuration steps.
Details:
Mark off each step as it is successfully completed

Best Practice 4:
Verify the configuration using a network simulation.
Details:
Test before it is placed on the running network

Best Practice 5:
Update the network documentation and keep a copy in a safe place.
Details:
Save on a server
Print and keep in a file cabinet

Page 2:
Cisco SDM Express is a tool bundled within the Cisco Router and Security Device Manager that
makes it easy to create a basic router configuration. To start using SDM Express, connect an
Ethernet cable from the PC NIC to the Ethernet port specified in the quick start guide on the router
or ISR being configured.

SDM Express uses eight configuration screens to assist in creating a basic router configuration:

• Overview
• Basic Configuration
• LAN IP Address
• DHCP
• Internet (WAN)
• Firewall
• Security Settings
• Summary

The SDM Express GUI provides step-by-step guidance to create the initial configuration of the
router. After the initial configuration is completed, the router is available on the LAN. The router
can also have a WAN connection, a firewall, and up to 30 security enhancements configured.

5.2.1 - Cisco SDM Express
The diagram depicts a router deployment using SDM Express, which is ideal for non-expert users.
The SDM disk will guide the user through the setup of the router.

5.2.2 SDM Express Configuration Options

Page 1:
The SDM Express Basic Configuration screen contains basic settings for the router that is being
configured. The following information is required:

• Host name - The name assigned to the router being configured.
• Domain name for the organization - An example of a domain name is cisco.com, but
domain names can end with a different suffix, such as .org or .net.
• Username and password - The username and password used to access SDM Express to
configure and monitor the router. The password must be at least six characters long.
• Enable secret password - The password that controls user access to the router, which
affects the ability to make configuration changes using the CLI, Telnet, or the console ports.
The password must be at least six characters long.
5.2.2 - SDM Express Configuration Options


The diagram depicts the Cisco SDM Express Wizard Window with the Basic Configuration option
highlighted.

Page 2:
The LAN configuration settings enable the router interface to participate on the connected local
network.

• IP address - Address for the LAN interface in dotted-decimal format. It can be a private IP
address if the device is installed in a network that uses Network Address Translation (NAT)
or Port Address Translation (PAT).

It is important to take note of this address. When the router is restarted, this address is the one used
to access SDM Express, not the address that was provided in the Quick Start guide.

• Subnet mask - Identifies the network portion of the IP address.
• Subnet bits - Number of bits used to define the network portion of the IP address. The
number of bits can be used instead of the subnet mask.
• Wireless parameters - Optional. Appear if the router has a wireless interface, and Yes was
clicked in the Wireless Interface Configuration window. Specifies the SSID of the wireless
network.

5.2.2 - SDM Express Configuration Options
The diagram depicts the Cisco SDM Express Wizard Window with the LAN IP Address option
highlighted.

Page 3:
DHCP is a simple way to assign IP addresses to host devices. DHCP dynamically allocates an IP
address to a network host when the host is powered up, and reclaims the address when the host is
powered down. In this way, addresses can be reused when hosts no longer need them. Using SDM
Express, a router can be configured as a DHCP server to assign addresses to devices, such as PCs,
on the internal local network.

To configure a device for DHCP, select the Enable DHCP Server on the LAN Interface
checkbox. Checking this box enables the router to assign private IP addresses to devices on the
LAN. IP addresses are leased to hosts for a period of one day.

DHCP uses a range of allowable IP addresses. By default, the valid address range is based on the IP
address and subnet mask entered for the LAN interface.

The starting address is the lowest address in the IP address range. The starting IP address can be
changed, but it must be in the same network or subnet as the LAN interface.

The ending IP address is the highest address in the IP address range and it can be changed to
decrease the pool size. It must be in the same network as the IP starting address.
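
The range rules above can be checked before the values are entered in SDM Express. This added Python example (not part of the course material) validates a proposed pool against the LAN interface address and accepts either a subnet mask or subnet bits; the function name, the sample addresses and the default of first-to-last usable host address are assumptions.

```python
import ipaddress


def check_dhcp_pool(lan_ip, mask_or_bits, start=None, end=None):
    """Validate a DHCP address range for a LAN interface.

    mask_or_bits is a dotted mask ("255.255.255.0") or subnet bits (24).
    Returns the effective start, end, pool size and a list of problems.
    A malformed address or mask raises ValueError.
    """
    iface = ipaddress.ip_interface(f"{lan_ip}/{mask_or_bits}")
    net = iface.network

    # Assumed default: lowest to highest usable host address of the LAN subnet.
    lowest = net.network_address + 1
    highest = net.broadcast_address - 1
    first = ipaddress.ip_address(start) if start else lowest
    last = ipaddress.ip_address(end) if end else highest

    problems = []
    if first not in net:
        problems.append(f"start {first} is outside {net}")
    if last not in net:
        problems.append(f"end {last} is outside {net}")
    for label, addr in (("start", first), ("end", last)):
        if addr in (net.network_address, net.broadcast_address):
            problems.append(f"{label} {addr} is the network or broadcast address")
    if first > last:
        problems.append("start is higher than end")

    return {
        "network": str(net),
        "start": str(first),
        "end": str(last),
        # Size is only meaningful for a valid range.
        "size": int(last) - int(first) + 1 if not problems else 0,
        # True when the router's own LAN address falls inside the range.
        "includes_router": first <= iface.ip <= last,
        "problems": problems,
    }


if __name__ == "__main__":
    # Constructed sample values.
    print(check_dhcp_pool("192.168.1.1", "255.255.255.0"))
    print(check_dhcp_pool("192.168.1.1", 24, "192.168.1.100", "192.168.1.150"))
    print(check_dhcp_pool("192.168.1.1", 24, start="192.168.2.10"))
```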

5.2.2 - SDM Express Configuration Options


The diagram depicts the Cisco SDM Express Wizard Window with the DHCP option highlighted.

Page 4:
Additional DHCP configuration parameters include:

• Domain name for the organization - This name is given to the hosts as part of the DHCP
configuration.
• Primary domain name server - IP address of the primary DNS server. Used to resolve
URLs and names on the network.
• Secondary domain name server - IP address of a secondary DNS server, if available. Used
if the primary DNS server does not respond.

Selecting Use these DNS values for DHCP clients enables the DHCP server to assign DHCP
clients with the configured DNS settings. This option is available if a DHCP server has been
enabled on the LAN interface.

5.2.2 - SDM Express Configuration Options


The diagram depicts the Cisco SDM Express Wizard Window with the DHCP option highlighted
and the DNS section filled in.

Page 5:

5.2.2 - SDM Express Configuration Options


The diagram depicts an activity in which you must match each configuration parameter from the
SDM Express to each type of information that must be entered.

Configuration Parameters.
A. Secondary DNS Server Address.
B. Domain Name.
C. Host Name.
D. Enable Secret Password.
E. Primary DNS Server Address.
F. Starting IP Address.
G. Subnet Bits.

Information
One. IP Address of server to use to resolve name if first configured server is not available.
Two. The registered name assigned to the organization, such as cisco.com.
Three. The name assigned to the device by an administrator.
Four. Controls user access to make configuration changes through Telnet or the console.
Five. The IP address of the first server hosts can use to resolve names.
Six. First IP address in the range assigned to hosts by the DHCP server.
Seven. Designates the portion of the IP address that represents the network and subnetwork.

5.2.3 Configuring WAN Connections Using SDM Express

Page 1:
Configuring an Internet (WAN) Connection

A serial connection can be used to connect networks that are separated by large geographic
distances. These WAN network interconnections require a telecommunications service provider
(TSP).

Serial connections are usually lower speed links, compared to Ethernet links, and require additional
configuration. Prior to setting up the connection, determine the type of connection and protocol
encapsulation required.
The protocol encapsulation must be the same at both ends of a serial connection. Some
encapsulation types require authentication parameters, like username and password, to be
configured. Encapsulation types include:

• High-Level Data Link Control (HDLC)
• Frame Relay
• Point-to-Point Protocol (PPP)

5.2.3 - Configuring WAN Connections Using SDM Express


The diagram depicts the three encapsulation types, HDLC, Frame Relay, and PPP, available on the
Add Serial 0/1/0 Connection window, and a brief description of each.

High-Level Data Link Control (HDLC)
A bit-orientated Data Link Layer protocol developed by the International Standards Organization
(ISO).

Frame Relay
A packet-switched Data Link Layer protocol that handles multiple virtual circuits, meaning that the
circuit connections are temporarily built up and torn down based on need. The DLCI is a required
number, supplied by the service provider to identify the virtual circuit.

Point-to-Point Protocol (PPP)
Commonly used to establish a direct connection between two devices. It can connect computers
using serial cable, phone line, trunk line, cellular telephone, specialized radio links, or fiber-optic
links. Most Internet service providers use PPP for customer dial-up access to the Internet. There are
features of PPP to allow authentication before a connection is made. PPP usernames and passwords
can be set up using SDM.

Page 2:
The WAN configuration window has additional WAN parameters.

Address Type List

Depending on the type of encapsulation selected, different methods of obtaining an IP address for
the serial interface are available:

• Static IP address - Available with Frame Relay, PPP, and HDLC encapsulation types. To
configure a static IP address, enter the IP address and subnet mask.
• IP unnumbered - Sets the serial interface address to match the IP address of one of the
other functional interfaces of the router. Available with Frame Relay, PPP, and HDLC
encapsulation types.
• IP negotiated - The router obtains an IP address automatically through PPP.
• Easy IP (IP Negotiated) - The router obtains an IP address automatically through PPP.
5.2.3 - Configuring WAN Connections Using SDM Express
The diagram depicts an Add Serial 0/1/0 Connection window being configured using the
encapsulation type, HDLC, and the address type, IP Unnumbered.

Page 3:
Lab Activity

Configure an ISR using Cisco SDM Express


5.2.3 - Configuring WAN Connections Using SDM Express


Link to Hands-on Lab: Configuring an ISR with Cisco SDM Express

5.2.4 Configuring NAT Using Cisco SDM

Page 1:
Either Cisco SDM Express or Cisco SDM can be used to configure a router.

SDM supports many of the same features that SDM Express supports; however, SDM has more
advanced configuration options. For this reason, after the router basic configuration is completed
using SDM Express, many users switch to SDM. For example, enabling NAT requires the use of
SDM.

The Basic NAT Wizard configures Dynamic NAT with PAT, by default. PAT enables the hosts on
the internal local network to share the single registered IP address assigned to the WAN interface. In
this manner, hosts with internal private addresses can have access to the Internet.

Only the hosts with the internal address ranges specified in the SDM configuration are translated. It
is important to verify that all address ranges that need access to the Internet are included.

Steps for configuring NAT include:

Step 1. Enable NAT configuration using SDM.

Step 2. Navigate through the Basic NAT Wizard.

Step 3. Select the interface and set IP ranges.


Step 4. Review the configuration.

5.2.4 - Configuring NAT Using Cisco SDM


The diagram depicts the steps to use Cisco SDM to configure dynamic NAT on a Cisco ISR Router.

Step 1. Enable NAT Configuration using SDM.
Choose Configure, then NAT, then Basic NAT. Then click Launch the selected task.

Step 2. Navigate through the Basic NAT Wizard.

Step 3. Choose the interface that connects to the Internet or the ISP.
This interface should have the public registered address assigned to it. Next, select the IP address
range of the internal network addresses that should be translated to the public registered address.

Step 4. Review Configuration.
Click Finish, if the configuration is satisfactory.
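
An added Python sketch, not taken from the course or from SDM, of what the Basic NAT Wizard's result does: sources inside the configured ranges share the WAN address and are told apart by port, and sources outside them are not translated. The class and function names, the 203.0.113.5 WAN address and the port-selection policy (keep the source port when it is free, otherwise take the next free port from 1024) are assumptions of this model.

```python
import ipaddress


class PatTable:
    """Toy model of dynamic NAT with PAT on a single WAN address."""

    def __init__(self, wan_ip, inside_ranges, first_port=1024):
        self.wan_ip = wan_ip
        self.inside = [ipaddress.ip_network(r) for r in inside_ranges]
        self.out = {}    # (inside_ip, inside_port) -> WAN port
        self.back = {}   # WAN port -> (inside_ip, inside_port)
        self.first_port = first_port

    def in_range(self, ip):
        """True when the source is inside one of the configured ranges."""
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.inside)

    def _allocate(self, wanted):
        # Assumed policy: keep the source port if unused on the WAN side.
        if wanted not in self.back:
            return wanted
        port = self.first_port
        while port in self.back:
            port += 1
            if port > 65535:
                raise RuntimeError("no free WAN ports left")
        return port

    def outbound(self, src_ip, src_port):
        """Translate an outgoing flow; None means the source is not translated."""
        if not self.in_range(src_ip):
            return None
        key = (src_ip, src_port)
        if key not in self.out:
            port = self._allocate(src_port)
            self.out[key] = port
            self.back[port] = key
        return (self.wan_ip, self.out[key])

    def inbound(self, wan_port):
        """Map a reply arriving on the WAN address back to the inside host."""
        return self.back.get(wan_port)


def uncovered_subnets(lan_subnets, inside_ranges):
    """Return the LAN subnets that no configured NAT range fully contains."""
    ranges = [ipaddress.ip_network(r) for r in inside_ranges]
    return [s for s in lan_subnets
            if not any(ipaddress.ip_network(s).subnet_of(r) for r in ranges)]


if __name__ == "__main__":
    # Constructed values: two LANs, only one of them entered in the wizard.
    pat = PatTable("203.0.113.5", ["192.168.1.0/24"])
    print(pat.outbound("192.168.1.10", 50000))   # shares the WAN address
    print(pat.outbound("192.168.1.11", 50000))   # same port, so it is remapped
    print(pat.outbound("192.168.2.10", 50000))   # not in range: no translation
    print(uncovered_subnets(["192.168.1.0/24", "192.168.2.0/24"],
                            ["192.168.1.0/24"]))
```

Running `uncovered_subnets` against the list of LAN subnets before clicking Finish is a quick way to apply the advice to verify that every range needing Internet access is included.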

Page 2:
Lab Activity

Configure Dynamic NAT using the Cisco SDM basic NAT wizard.


5.2.4 - Configuring NAT Using Cisco SDM


Link to Hands-on Lab: Configuring Dynamic NAT with SDM

5.3 Configuring a Router Using IOS CLI


5.3.1 Command Line Interface Modes

Page 1:
Using the Cisco IOS CLI to configure and monitor a device is very different from using SDM. The
CLI does not provide step-by-step configuration assistance; therefore, it requires more planning and
expertise to use.

CLI Command Modes

The Cisco IOS supports two levels of access to the CLI: user EXEC mode and privileged EXEC
mode.

When a router or other Cisco IOS device is powered up, the access level defaults to user EXEC
mode. This mode is indicated by the command line prompt:

Router>

Commands that can be executed in user EXEC mode are limited to obtaining information about
how the device is operating, and troubleshooting using some show commands and the ping and
traceroute utilities.

To enter commands that can alter the operation of the device requires privileged level access.
Enable the privileged EXEC mode by entering enable at the command prompt and pressing Enter.

The command line prompt changes to reflect the mode change. The prompt for privileged EXEC
mode is:

Router#

To disable the privileged mode and return to user mode, enter disable at the command prompt.

Both modes can be protected with a password, or a username and password combination.

5.3.1 - Command Line Interface Modes


The diagram depicts the HyperTerminal window Cisco IOS CLI Command Modes, focusing on the
user-mode prompt and privileged-mode prompt, as follows:

User-Mode Prompt: router>
Privileged-Mode Prompt: router#

Page 2:
Various configuration modes are used to set up a device. Configuring a Cisco IOS device begins
with entering privileged EXEC mode. From privileged EXEC mode, the user can access the other
configuration modes.

In most cases, commands are applied to the running configuration file using a terminal connection.
To use these commands, the user must enter global configuration mode.

To enter global configuration, type the command configure terminal or config t. Global
configuration mode is indicated by the command line prompt:

Router(config)#
Any commands entered in this mode take effect immediately and can alter the operation of the
device.

From global configuration mode, the administrator can enter other sub-modes.

Interface configuration mode is used to configure LAN and WAN interfaces. To access interface
configuration mode, from global configuration type the command interface [type] [number].
Interface configuration mode is indicated by the command prompt:

Router(config-if)#
Another commonly used sub-mode is the router configuration submode represented by the
following prompt:

Router(config-router)#
This mode is used to configure routing parameters.

5.3.1 - Command Line Interface Modes


The diagram depicts the HyperTerminal window Configuration Modes, focusing on the following
modes:

Command to Enter Global Configuration Mode: configure terminal
Command to Enter Interface Configuration Sub-Mode: interface fastethernet 0/1
Using the help command to search commands: ip address ?

Page 3:
E-Lab Activity

Using the Cisco CLI explore the various configuration modes.


5.3.1 - Command Line Interface Modes


Link to E-Lab: Entering Command Modes

5.3.2 Using the Cisco IOS CLI

Page 1:
The Cisco IOS CLI is full of features that help in recalling commands needed to configure a device.
These features are one reason why network technicians prefer to use the Cisco IOS CLI to configure
routers.

The context-sensitive help feature is especially useful when configuring a device. Entering help or
the ? at the command prompt displays a brief description of the help system.

Router# help

Context-sensitive help can provide suggestions for completing a command. If the first few
characters of a command are known but the exact command is not, enter as much of the command
as possible, followed by a ?. Note that there is no space between the command characters and the ?.

Additionally, to get a list of the parameter options for a specific command, enter part of the
command, followed by a space, and then the ?. For example, entering the command configure
followed by a space and a ? shows a list of the possible variations. Choose one of the entries to
complete the command string. Once the command string is completed, a <cr> appears. Press Enter
to issue the command.

If a ? is entered and nothing matches, the help list will be empty. This indicates that the command
string is not a supported command.

5.3.2 - Using the Cisco IOS CLI


The diagram depicts the HyperTerminal window focusing on the following text:

Commands available to complete initial command fragment using a question mark for help:
Router# con?
configure connect

Page 2:
Users sometimes make a mistake when typing a command. The CLI indicates if an unrecognized or
incomplete command is entered. The % symbol marks the beginning of an error message. For
example, if the command interface is entered with no other parameters, an error message displays
indicating an incomplete command:

% Incomplete command

Use the ? to get a list of the available parameters.

If an incorrect command is entered, the error message would read:

% Invalid input detected


It is sometimes hard to see the mistake within an incorrectly entered command. Fortunately, the CLI
provides an error indicator. The caret symbol (^) appears at the point in the command string where
there is an incorrect or unrecognized character. The user can return to the point where the error was
made and use the help function to determine the correct command to use.

5.3.2 - Using the Cisco IOS CLI


The diagram depicts the HyperTerminal window showing the difference between an incomplete
command and a misspelled command. Also shown is the use of help (?) after the main
command (with a space) to determine appropriate secondary entries.

Page 3:
Another feature of the Cisco IOS CLI is the ability to recall previously typed commands. This
feature is particularly useful for recalling long or complex commands or entries.

The command history is enabled by default and the system records 10 command lines in the history
buffer. To change the number of command lines the system records during a session, use the
terminal history size or the history size command. The maximum number of command lines is
256.

To recall the most recent command in the history buffer, press Ctrl-P or the Up Arrow key. Repeat
this process to recall successively older commands. To return to a more recent command in the
history buffer, press Ctrl-N or the Down Arrow key. Repeat this process to recall successively
more recent commands.

The CLI recognizes partially typed commands based on their first unique character. For example,
type int instead of interface. If a shortcut, such as int, is entered, pressing the Tab key will
automatically complete the entire command entry of interface.

On most computers, additional select and copy functions are available using various function keys.
A previous command string may be copied and then pasted or inserted as the current command
entry.

5.3.2 - Using the Cisco IOS CLI


The diagram depicts the HyperTerminal window showing the show history command and listing
previous commands issued.

Page 4:

5.3.2 - Using the Cisco IOS CLI


The diagram depicts an activity in which you must match each keystroke combination to its
function.

Keystroke combinations.
A. Ctrl-P, or Up Arrow key.
B. Ctrl-N, or Down Arrow key.
C. show history.
D. terminal history size number-of-lines.
E. Tab.

Definitions.
One. Steps backwards through the command history.
Two. Steps forward through the command history.
Three. Shows the contents of the command buffer.
Four. Sets the command buffer size.
Five. Completes a command entry.

Page 5:
Packet Tracer Activity

Explore the features of the Cisco IOS CLI.


5.3.2 - Using the Cisco IOS CLI


Link to Packet Tracer Exploration: Exploring the Cisco IOS CLI

5.3.3 Using Show Commands

Page 1:
The Cisco IOS CLI includes show commands that display relevant information about the
configuration and operation of the device.

Network technicians use the show commands extensively for viewing configuration files, checking
the status of device interfaces and processes, and verifying the device operational status. Show
commands are available whether the device was configured using the CLI or SDM.

The status of nearly every process or function of the router can be displayed using a show
command. Some of the more popular show commands are:

• show running-config
• show interfaces
• show arp
• show ip route
• show protocols
• show version

5.3.3 - Using Show Commands


The diagram depicts the following show commands.

Show running-config
R1# show running-config
<Some output omitted>
Building configuration
Current configuration : 1063 bytes

version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname R1
enable secret 5 $1$i6w9$dvdpVM6zV10E^tSLdkR5/
no ip domain lookup

interface FastEthernet0/0
 description LAN 192.168.1.0 default gateway
 ip address 192.168.1.1 255.255.255.0
 duplex auto
 speed auto

interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto

interface Serial0/0/0
 description WAN link to R2
 encapsulation ppp
 clock rate 64000
 no fair-queue

interface Serial0/0/1
 no ip address
 shutdown

interface Vlan1
 no ip address

router rip
 version 2
 network 192.168.1.0
 network 192.168.2.0
banner motd ^C Unauthorized Access Prohibited ^C

ip http server

line con 0
 password cisco
 login
line aux 0
line vty 0 4
 password cisco
 login

Show interfaces
R1# show interfaces
<Some output omitted>
FastEthernet0/0 is up, line protocol is up
  Hardware is Gt96k FE, address is 001b.5325.256e (bia 001b.5325.256e)
  Internet address is 192.168.1.1/24
  MTU 1500 bytes, BW 100000 Kbit, DLY 100 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Keepalive set (10 sec)
  Full-duplex, 100Mb/s, 100BaseTX/FX
  ARP type: ARP, ARP timeout 04:00:00
  Last input 00:00:17, output 00:00:01, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/75/0/0 (size/max/drops/flushes); total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     196 packets input, 31850 bytes
     Received 181 broadcasts, 0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     0 watchdog
     0 input packets with dribble condition detected
     392 packets output, 35239 bytes, 0 underruns
     0 output errors, 0 collisions, 3 interface resets
     0 babbles, 0 late collision, 0 deferred
     0 lost carrier, 0 no carrier
     0 output buffer failures, 0 output buffers swapped out

FastEthernet0/1 is administratively down, line protocol is down

Serial0/0/0 is up, line protocol is up
  Hardware is GT96K Serial
  Internet address is 192.168.2.1/24
  MTU 1500 bytes, BW 1544 Kbit, DLY 20000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation PPP, LCP Listen, loopback not set
  Keepalive set (10 sec)
  Last input 00:00:02, output 00:00:03, output hang never
  Last clearing of "show interface" counters 00:51:52
  Input queue: 0/75/0/0 (size/max/drops/flushes); total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     401 packets input, 27437 bytes, 0 no buffer
     Received 293 broadcasts, 0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
     389 packets output, 26940 bytes, 0 underruns
     0 output errors, 0 collisions, 2 interface resets
     0 output buffer failures, 0 output buffers swapped out
     6 carrier transitions
     DCD=up DSR=up DTR=up RTS=up CTS=up

Serial0/0/1 is administratively down, line protocol is down

Show arp
R1# show arp
Protocol  Address  Age (min)  Hardware Addr  Type  Interface
Internet  172.17.0.1  -  001b.5325.256e  ARPA  FastEthernet0/0
Internet  172.17.0.212000b.db04.a5cd  ARPA  FastEthernet0/0

Show ip route
R1# show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

C    192.168.1.0/24 is directly connected, FastEthernet0/0
C    192.168.2.0/24 is directly connected, Serial0/0/0
R    192.168.3.0/24 [120/1] via 192.168.2.2, 00:00:24, Serial0/0/0

Show protocols
R1# show protocols
Global values:
  Internet Protocol routing is enabled
FastEthernet0/0 is up, line protocol is up
  Internet address is 192.168.1.1/24
FastEthernet0/1 is administratively down, line protocol is down
FastEthernet0/1/0 is up, line protocol is down
FastEthernet0/1/1 is up, line protocol is down
FastEthernet0/1/2 is up, line protocol is down
FastEthernet0/1/3 is up, line protocol is down
Serial0/0/0 is up, line protocol is up
  Internet address is 192.168.2.1/24
Serial0/0/1 is administratively down, line protocol is down
Vlan1 is up, line protocol is down

Show version
R1# show version
<Some output omitted>
Cisco IOS Software, 1841 Software (C1841-ADVIPSERVICESK9-M), Version 12.4(10b),
RELEASE SOFTWARE (fc3)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2007 by Cisco Systems, Inc.
Compiled Fri 19-Jan-07 15:15 by prod_rel_team
ROM: System Bootstrap, Version 12.4(13r)T, RELEASE SOFTWARE (fc1)
R1 uptime is 43 minutes
System returned to ROM by reload at 22:05:12 UTC Sat Jan 5 2008
System image file is "flash:c1841-advipservicesk9-mz.124-10b.bin"
Cisco 1841 (revision 6.0) with 174080K/22528K bytes of memory.
Processor board ID FTX1111WOQF
6 FastEthernet interfaces
2 Serial (sync/async) interfaces
1 Virtual Private Network (VPN) Module
DRAM configuration is 64 bits wide with parity disabled.
191K bytes of NVRAM.
62720K bytes of ATA CompactFlash (Read/Write)
Configuration register is 0x2102

Page 2:
E-Lab Activity

Use the show run and show interface commands to answer questions about the router configuration.


5.3.3 - Using Show Commands


Link to E-Lab: Viewing the Router Interface Information

Page 3:
Packet Tracer Activity

Use Cisco IOS show commands on a router located at the ISP.



5.3.3 - Using Show Commands

Link to Packet Tracer Exploration: Using the Cisco IOS Show Commands

5.3.4 Basic Configuration

Page 1:
The initial configuration of a Cisco IOS device involves configuring the device name and then the
passwords that are used to control access to the various functions of the device.

A device should be given a unique name as one of the first configuration tasks. This task is
accomplished in global configuration mode with the following command.

Router(config)# hostname [name]

When the Enter key is pressed, the prompt changes from the default host name, which is Router, to
the newly configured host name.

The next configuration step is to configure passwords to prevent access to the device by
unauthorized individuals.

The enable password and enable secret commands are used to restrict access to privileged EXEC
mode, preventing unauthorized users from making configuration changes to the router.

Router(config)# enable password [password]

Router(config)# enable secret [password]

The difference between the two commands is that the enable password is not encrypted by default.
If the enable password is set, followed by the enable secret password, the enable secret command
overrides the enable password command.

5.3.4 - Basic Configuration


The diagram depicts an example of a basic router configuration, including the following types of
commands: set device name, enable password, and enable encrypted password.

Set Device Name
Router(config)# hostname TokyoRouter
TokyoRouter(config)#

Enable Password
Router(config)# enable password san-fran

Enable Encrypted Password
Router(config)# enable secret password123

Page 2:
Other basic configurations of a router include configuring a banner, enabling synchronous logging,
and disabling domain lookup.

Banners

A banner is text that a user sees when initially logging on to the router. Configuring an appropriate
banner is part of a good security plan. At a very minimum, a banner should warn against
unauthorized access. Never configure a banner that welcomes an unauthorized user.

There are two types of banners: message-of-the-day (MOTD) and login information. The purpose
for two separate banners is to be able to change one without affecting the entire banner message.

To configure the banners, the commands are banner motd and banner login. For both types, a
delimiting character, such as a #, is used at the beginning and at the end of the message. The
delimiter allows the user to configure a multiline banner.

If both banners are configured, the login banner appears after the MOTD but before the login
credentials.

Synchronous Logging

The Cisco IOS software often sends unsolicited messages, such as a change in the state of a
configured interface. Sometimes these messages occur in the middle of typing a command. The
message does not affect the command, but can cause the user confusion when typing. To keep the
unsolicited output separate from the typed input, the logging synchronous command can be entered
in global configuration mode.

Disabling Domain Lookup

By default, when a host name is entered in enable mode, the router assumes that the user is
attempting to telnet to a device. The router tries to resolve unknown names entered in enable mode
by sending them to the DNS server. This process includes any words entered that the router does not
recognize, including mistyped commands. If this capability is not wanted, the no ip domain-lookup
command turns off this default feature.

5.3.4 - Basic Configuration


The diagram depicts a New Connection SSH HyperTerminal window showing the following banner
motd # command:

R1(config)# banner motd #
Enter TEXT message. End with the character #.
*****
WARNING!! Unauthorized Access Prohibited!!
*****
#

Page 3:
There are multiple ways to access a device to perform configuration tasks. One of these ways is to
use a PC attached to the console port on the device. This type of connection is frequently used for
initial device configuration.

Setting a password for console connection access is done in global configuration mode. These
commands prevent unauthorized users from accessing user mode from the console port.

Router(config)# line console 0

Router(config-line)# password [password]

Router(config-line)# login

When the device is connected to the network, it can be accessed over the network connection. When
the device is accessed through the network, it is considered a vty connection. The password must be
configured on the vty port.

Router(config)# line vty 0 4

Router(config-line)# password [password]

Router(config-line)# login

0 4 represents 5 simultaneous in-band connections. It is possible to set a different password for each
connection by specifying specific line connection numbers, such as line vty 0.

To verify that the passwords are set correctly, use the show running-config command. These
passwords are stored in the running-configuration in clear text. It is possible to set encryption on all
passwords stored within the router so that they are not easily read by unauthorized individuals. The
global configuration command service password-encryption ensures that all passwords are
encrypted.

Remember, if the running configuration is changed, it must be copied to the startup configuration
file or the changes are lost when the device is powered down. To copy the changes made to the
running configuration back to the stored startup configuration file, use the copy run start
command.

5.3.4 - Basic Configuration


The diagram depicts an example of a basic router configuration, including the following types of
commands: console password, which is the password for a host with an out-of-band direct
connection to the router console port, virtual terminal password, which is the password for a host
with an in-band connection to a router over the network, and perform password encryption.

Console Password
Router(config)# line console 0
Router(config-line)# password cisco
Router(config-line)# login

Virtual Terminal Password
Router(config)# line vty 0 4
Router(config-line)# password cisco
Router(config-line)# login

Perform Password Encryption
Router(config)# service password-encryption
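
The password commands in this section leave different kinds of values in the running configuration: enable secret is stored as a type 5 (MD5) hash, while service password-encryption applies only the reversible type 7 encoding to line and enable passwords. The following Python sketch, added here and not part of the course material, audits a configuration for the points this section raises (clear-text passwords, missing encryption, missing enable secret, missing or welcoming banner); the sample configurations, finding codes and function names are constructed for illustration.

```python
# Constructed sample modelled on the settings shown in this chapter.
WEAK_CONFIG = """\
version 12.4
no service password-encryption
hostname R1
enable secret 5 $1$salt$CONSTRUCTED-PLACEHOLDER
enable password san-fran
banner motd ^C Unauthorized Access Prohibited ^C
line con 0
 password cisco
 login
line aux 0
line vty 0 4
 password cisco
 login
"""

# Constructed corrected form; the type 7 strings are placeholders.
HARDENED_CONFIG = """\
version 12.4
service password-encryption
hostname R1
enable secret 5 $1$salt$CONSTRUCTED-PLACEHOLDER
banner motd ^C Unauthorized Access Prohibited ^C
line con 0
 password 7 0000000000
 login
line vty 0 4
 password 7 0000000000
 login
"""


def _is_cleartext(args):
    """args are the tokens after 'password'; a leading non-zero type means encoded."""
    return not (len(args) >= 2 and args[0].isdigit() and args[0] != "0")


def _banner_text(lines, i):
    """Collect a (possibly multi-line) banner; return (text, next line index)."""
    head = lines[i].split(None, 2)            # ['banner', 'motd', '<delim> text...']
    rest = head[2] if len(head) > 2 else ""
    delim = "^C" if rest.startswith("^C") else rest[:1]
    if not delim:
        return "", i + 1
    body = rest[len(delim):]
    while delim not in body and i + 1 < len(lines):
        i += 1
        body += "\n" + lines[i]
    return body.split(delim)[0].strip(), i + 1


def audit(config):
    """Return (code, detail) findings for an IOS running configuration."""
    lines = config.splitlines()
    findings, banners = [], []
    section, encryption, has_secret = None, False, False
    i = 0
    while i < len(lines):
        raw, line = lines[i], lines[i].strip()
        if not line or line == "!":
            i += 1
            continue
        if line.startswith("banner "):
            text, i = _banner_text(lines, i)
            banners.append(text)
            continue
        tok = line.split()
        if not raw[0].isspace():              # unindented line: global command
            section = line
            if line == "service password-encryption":
                encryption = True
            elif tok[:2] == ["enable", "secret"]:
                has_secret = True
            elif tok[:2] == ["enable", "password"] and _is_cleartext(tok[2:]):
                findings.append(("ENABLE_PASSWORD_CLEARTEXT", line))
        elif section and section.startswith("line ") and tok[0] == "password":
            if _is_cleartext(tok[1:]):        # sub-command of a line section
                findings.append(("CLEARTEXT_LINE_PASSWORD", section))
        i += 1
    if not encryption:
        findings.append(("NO_PASSWORD_ENCRYPTION", "service password-encryption is off"))
    if not has_secret:
        findings.append(("NO_ENABLE_SECRET", "privileged EXEC has no enable secret"))
    if not banners:
        findings.append(("NO_BANNER", "no warning banner configured"))
    elif any("welcome" in b.lower() for b in banners):
        findings.append(("WELCOME_BANNER", "banner text welcomes the user"))
    return findings


if __name__ == "__main__":
    for code, detail in audit(WEAK_CONFIG):
        print(f"{code}: {detail}")
```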

Page 4:
Packet Tracer Activity

Use Cisco IOS CLI to perform an initial router configuration.


5.3.4 - Basic Configuration


Link to Packet Tracer Exploration: Performing an Initial Router Configuration.

5.3.5 Configuring An Interface

Page 1:
To direct traffic from one network to another, router interfaces are configured to participate in each
of the networks. A router interface connecting to a network will typically have an IP address and
subnet mask assigned that is within the host range for the connected network.

There are different types of interfaces on a router. Serial and Ethernet interfaces are the most
common. Local network connections use Ethernet interfaces.

WAN connections require a serial connection through an ISP. Unlike Ethernet interfaces, serial
interfaces require a clock signal to control the timing of the communications, called a clock rate. In
most environments, data communications equipment (DCE) devices, such as a modem or
CSU/DSU, provide the clock rate.

When a router connects to the ISP network using a serial connection, a CSU/DSU is required if the
WAN is digital. A modem is required if the WAN is analog. These devices convert the data from the
router into a form acceptable for crossing the WAN, and convert data from the WAN into an
acceptable format for the router. By default, Cisco routers are data terminal equipment (DTE)
devices. Because the DCE devices control the timing of the communication with the router, the
Cisco DTE devices accept the clock rate from the DCE device.

Though uncommon, it is possible to connect two routers directly together using a serial connection.
In this instance, no CSU/DSU or modem is used, and one of the routers must be configured as a
DCE device to provide clocking. If the router is connected as the DCE device, a clock rate must be
set on the router interface to control the timing of the DCE/DTE connection.

5.3.5 - Configuring An Interface


The diagram depicts a router (DTE) connected to a CSU/DSU (DCE) which connects to another
CSU/DSU (DCE) across the Internet via a transmission line. The second CSU/DSU (DCE)
connects to a second router (DTE).

Page 2:
Configuring an interface on the router must be done in global configuration mode. Configuring an
Ethernet interface is very similar to configuring a serial interface. One of the main differences is
that a serial interface must have a clock rate set if it is acting as a DCE device.

The steps to configure an interface include:

Step 1. Specify the type of interface and the interface port number.

Step 2. Specify a description of the interface.

Step 3. Configure the interface IP address and subnet mask.


Step 4. Set the clock rate, if configuring a serial interface as a DCE.

Step 5. Enable the interface.

After an interface is enabled, it may be necessary to turn off an interface for maintenance or
troubleshooting. In this case, use the shutdown command.

When configuring the serial interface on a 1841, the serial interface is designated by 3 digits, C/S/P,
where C=Controller#, S=Slot# and P=Port#. The 1841 has two modular slots. The designation
Serial0/0/0 indicates that the serial interface module is on controller 0, in slot 0, and that the
interface to be used is the first one (0). The second interface is Serial0/0/1. The serial module is
normally installed in slot 0 but may be installed in slot 1. If this is the case, the designation for the
first serial interface would be Serial0/1/0 and the second would be Serial0/1/1.

For built-in ports, such as the FastEthernet ports, the designation is 2 digits, C/P, where
C=Controller# and P=Port#. The designation Fa0/0 represents controller 0 and interface 0.

5.3.5 - Configuring An Interface


The diagram depicts basic configuration commands for a FastEthernet and Serial interface:

Router(config)# interface fastethernet 0/0
Router(config-if)# description connection to Admin LAN
Router(config-if)# ip address 192.168.2.1 255.255.255.0
Router(config-if)# no shutdown
Router(config-if)# exit
Router(config)# interface serial 0/0/0
Router(config-if)# description connection to Router 2
Router(config-if)# ip address 192.168.1.125 255.255.255.0
Router(config-if)# clock rate 64000
Router(config-if)# no shutdown

More Information Popup


On serial links that are directly interconnected, as in a lab environment, one side must be considered
a DCE and provide a clocking signal. The clock is enabled and speed is specified with the clock
rate command. The available clock rates in bits per second are 1200, 2400, 9600, 19200, 38400,
56000, 64000, 72000, 125000, 148000, 500000, 800000, 1000000, 1300000, 2000000, or 4000000.
Some bit rates might not be available on certain serial interfaces. This depends on the capacity of
each interface. The commands that are used to set a clock rate and enable a serial interface are in the
diagram.

Page 3:
E-Lab Activity

Configure the serial interfaces on two routers.


5.3.5 - Configuring An Interface


Link to E-Lab: Configuring a Serial Interface on Routers for Communication.

Page 4:
Packet Tracer Activity

Configure the Ethernet and Serial interfaces of a router.

5.3.5 - Configuring An Interface


Link to Packet Tracer Exploration: Configuring Ethernet and Serial Interfaces.

Page 5:
Lab Activity

Configure basic settings on a router using the Cisco IOS CLI.

5.3.5 - Configuring An Interface


Link to Hands-on Lab: Configuring Basic Router Settings with the Cisco IOS CLI.

5.3.6 Configuring a Default Route

Page 1:
A router forwards packets from one network to another based on the destination IP address specified
in the packet. It examines the routing table to determine where to forward the packet to reach the
destination network. If the router does not have a route to a specific network in its routing table, a
default route can be configured to tell the router how to forward the packet. The default route is
used by the router only if the router does not know where to send a packet.

Usually, the default route points to the next hop router on the path to the Internet. The information
needed to configure the default route is the IP address of the next hop router, or the interface that the
router uses to forward traffic with an unknown destination network.

Configuring the default route on a Cisco ISR must be done in global configuration mode.

Router(config)# ip route 0.0.0.0 0.0.0.0 [next-hop-IP-address]

or

Router(config)# ip route 0.0.0.0 0.0.0.0 [interface-type] [number]

5.3.6 - Configuring a Default Route


The diagram depicts the configuration of a default route.

Router 1 S0/0/0 interface, with IP address 192.168.1.4, is connected to Router 2 S0/0/1
interface, with IP address 192.168.1.5.

Configure a Default Route

Router1(config)# ip route 0.0.0.0 0.0.0.0 192.168.1.5
OR
Router1(config)# ip route 0.0.0.0 0.0.0.0 S0/0/0
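
The lookup that decides when the default route is used, as an added example that is not part of the course material: the router picks the most specific matching route, falls back to 0.0.0.0/0 only when nothing else matches, and resolves a next-hop address to an exit interface. The /24 masks, the FastEthernet LAN and the function names are assumptions made for the example.

```python
import ipaddress

# Constructed routing table for Router 1. The default route and the
# 192.168.1.5 next hop come from the page; the /24 masks and the
# FastEthernet LAN are assumptions made for this example.
ROUTES = [
    {"prefix": "192.168.2.0/24", "interface": "FastEthernet0/0"},  # connected
    {"prefix": "192.168.1.0/24", "interface": "Serial0/0/0"},      # connected
    {"prefix": "0.0.0.0/0", "next_hop": "192.168.1.5"},            # ip route 0.0.0.0 0.0.0.0 192.168.1.5
]


def best_route(dest, routes):
    """Longest-prefix match: the most specific route that contains dest wins."""
    addr = ipaddress.ip_address(dest)
    matches = [r for r in routes if addr in ipaddress.ip_network(r["prefix"])]
    if not matches:
        return None
    return max(matches, key=lambda r: ipaddress.ip_network(r["prefix"]).prefixlen)


def exit_interface(dest, routes, depth=0):
    """Return the interface a packet to dest leaves on, or None if it is dropped.

    A route written with a next-hop address is resolved recursively: the
    next hop is looked up in turn until a route with an interface is found.
    """
    if depth > 8:  # a next hop that only resolves through itself is unusable
        return None
    route = best_route(dest, routes)
    if route is None:
        return None
    if "interface" in route:
        return route["interface"]
    return exit_interface(route["next_hop"], routes, depth + 1)


if __name__ == "__main__":
    for dest in ("192.168.2.77", "192.168.1.5", "203.0.113.9"):
        print(dest, "->", best_route(dest, ROUTES)["prefix"], exit_interface(dest, ROUTES))
```

Without the default route the same lookup returns nothing for 203.0.113.9, and a default route whose next hop is not on a connected network never resolves to an interface.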

Page 2:
Packet Tracer Activity

Configure a default route on routers in a medium-sized business network topology.

5.3.6 - Configuring a Default Route


Link to Packet Tracer Exploration: Configuring a Default Route.

5.3.7 Configuring DHCP Services

Page 1:
The Cisco IOS CLI can be used to configure a router to function as a DHCP server.

Using a router configured with DHCP simplifies the management of IP addresses on a network. The
administrator needs to update only a single, central router when IP configuration parameters change.
Configuring DHCP using the CLI is a little more complex than configuring it using SDM.

There are eight basic steps to configuring DHCP using the CLI.

Step 1. Create a DHCP address pool.

Step 2. Specify the network or subnet.

Step 3. Exclude specific IP addresses.

Step 4. Specify the domain name.

Step 5. Specify the IP address of the DNS server.

Step 6. Set the default gateway.

Step 7. Set the lease duration.

Step 8. Verify the configuration.

5.3.7 - Configuring DHCP Services


The diagram depicts eight steps used to configure DHCP services.

Step 1: Create DHCP Address Pool


Router(config)# ip dhcp pool LAN-address
Router(dhcp-config)#

Navigate to the privileged EXEC mode, enter the password if prompted, and then enter the global
configuration mode. Now create a name for the DHCP server address pool. More than one address
pool can exist on a router. The Cisco IOS CLI will enter the DHCP pool configuration mode. Use
these commands:

Router> enable
Router# configure terminal
Router(config)# ip dhcp pool LAN-address
Router(dhcp-config)#

This example created an address pool named LAN-address.

Step 2: Specify the Network or Subnet


Router(dhcp-config)# network 172.16.0.0 255.255.0.0

Specify the network or subnet network number and the subnet mask of the DHCP address pool. Use
this command:

Router(dhcp-config)# network 172.16.0.0 255.255.0.0

Depending on the version of IOS, the subnet mask may also be specified using the prefix
convention /16.

Step 3: Exclude IP Addresses


Router(config)# ip dhcp excluded-address 172.16.1.100 172.16.1.103

Recall that the DHCP server assumes that all other IP addresses in a DHCP address pool subnet are
available for assigning to DHCP clients. Exclude addresses from the pool so the DHCP server does
not allocate those IP addresses. If a range of addresses is to be excluded, only the starting address
and ending address need to be entered. Use this command:

Router(config)# ip dhcp excluded-address 172.16.1.100 172.16.1.103

The example shown excludes the four addresses, 172.16.1.100, 172.16.1.101, 172.16.1.102, and
172.16.1.103 from being given out to hosts by DHCP. These addresses can be statically assigned by
the administrator.

Step 4: Specify the Domain Name


Router(dhcp-config)# domain-name cisco.com

Now specify the domain name for the client. Use this command:
Router(dhcp-config)# domain-name cisco.com
Clients in this example will receive the domain name cisco.com as part of their DHCP
configuration. Domain name is an optional DHCP configuration parameter and is not necessary for
DHCP to function. The network administrator can provide information as to whether or not a
domain name is necessary.

Step 5: DNS Server IP Address


Router(dhcp-config)# dns-server 172.16.1.103 172.16.2.103

Now specify the IP address of a DNS server that is available to a DHCP client. One IP address is
required. Up to eight IP addresses can be configured on one line. If listing more than one DNS
server, list the servers in order of importance. Use this command:
Router(dhcp-config)# dns-server 172.16.1.103 172.16.2.103
In this example, there are two DNS servers that clients can use, a primary server and a secondary
server. At least one DNS server must be configured for hosts to resolve host names and URLs in
order to access services on the network.

Step 6: Set the Default Gateway


Router(dhcp-config)# default-router 172.16.1.100

Now specify the IP address of the default router for the DHCP clients on the network. Typically this
will be the LAN IP of the router. This command will set the default gateway for the client devices
on the network that will be using DHCP. After a DHCP client has booted, the client begins sending
packets to its default router. The IP address must be on the same subnet as the client IP addresses
given out by the router. One IP address is required. Use this command:
Router(dhcp-config)# default-router 172.16.1.100
Clients in this example use the router interface 172.16.1.100 as their default gateway.

Step 7: Set the Lease Duration


Router(dhcp-config)# lease {days [hours] [minutes] | infinite}
Router(dhcp-config)# end

DHCP gives out IP address information each time a host powers on and connects to the network.
The default time that a client IP address is reserved for a specific host is one day. If the host does
not renew its address, then the reservation ends and the IP address is again available to be given out
through DHCP. It is possible to change the lease timer to a longer period of time, if necessary. This
is the last step in configuring a DHCP service on a router. Use the end command to finish the DHCP
configuration and return to the global configuration mode. Use these commands:
Router(dhcp-config)# lease {days [hours] [minutes] | infinite}
Router(dhcp-config)# end

Step 8: Verify the Configuration


Router# show running-config

Verify the DHCP configuration by viewing the running-configuration. To do this, use the command:
Router# show running-config
Here is an example of the DHCP part of the configuration running on a DHCP-enabled router:

ip dhcp excluded-address 172.16.1.100 172.16.1.103
ip dhcp pool LAN-addresses
 domain-name cisco.com
 network 172.16.0.0 255.255.0.0
 dns-server 172.16.1.103 172.16.2.103
 default-router 172.16.1.100
 lease infinite

When the configuration is correct, copy the running-configuration to the startup-configuration.
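
A check to run before saving, added here as an example that is not part of the course material: it parses the DHCP part of a running configuration like the one in Step 8 and reports pool settings that lead to address conflicts or pool exhaustion. The function names (parse_dhcp, pool_network, leasable_count, audit_pool) are this example's own.

```python
import ipaddress

# DHCP part of a running configuration, using the values from the eight steps above.
SAMPLE_CONFIG = """\
ip dhcp excluded-address 172.16.1.100 172.16.1.103
!
ip dhcp pool LAN-addresses
 network 172.16.0.0 255.255.0.0
 domain-name cisco.com
 dns-server 172.16.1.103 172.16.2.103
 default-router 172.16.1.100
 lease infinite
"""


def parse_dhcp(config):
    """Return (excluded ranges, pools) from the text of a running configuration."""
    excluded, pools, current = [], {}, None
    for raw in config.splitlines():
        words = raw.split()
        if not words or words[0] == "!":
            continue
        if words[:3] == ["ip", "dhcp", "excluded-address"]:
            first = ipaddress.ip_address(words[3])
            last = ipaddress.ip_address(words[4]) if len(words) > 4 else first
            excluded.append((first, last))
            current = None
        elif words[:3] == ["ip", "dhcp", "pool"]:
            current = pools.setdefault(words[3], {})
        elif current is not None and raw[:1].isspace():
            current[words[0]] = words[1:]      # indented line: pool subcommand
        else:
            current = None                     # any other global command ends the pool
    return excluded, pools


def pool_network(pool):
    """Accept both 'network 172.16.0.0 255.255.0.0' and 'network 172.16.0.0 /16'."""
    address, mask = pool["network"][:2]
    return ipaddress.ip_network(f"{address}/{mask.lstrip('/')}")


def leasable_count(pool, excluded):
    """Host addresses in the pool subnet that the server may hand out."""
    net = pool_network(pool)
    lo, hi = int(net.network_address) + 1, int(net.broadcast_address) - 1
    blocked = set()
    for first, last in excluded:
        blocked.update(range(max(lo, int(first)), min(hi, int(last)) + 1))
    return (hi - lo + 1) - len(blocked)


def audit_pool(pool, excluded):
    """Return a list of findings for one DHCP pool."""
    net = pool_network(pool)
    findings = []

    def is_excluded(addr):
        return any(first <= addr <= last for first, last in excluded)

    gateways = [ipaddress.ip_address(a) for a in pool.get("default-router", [])]
    servers = gateways + [ipaddress.ip_address(a) for a in pool.get("dns-server", [])]
    if not gateways:
        findings.append("no default-router: clients receive no gateway")
    for gateway in gateways:
        if gateway not in net:
            findings.append(f"default-router {gateway} is not on the client subnet {net}")
    for addr in servers:
        if addr in net and not is_excluded(addr):
            findings.append(f"{addr} is a static address inside {net} but is not excluded, "
                            "so it can also be leased to a client")
    if pool.get("lease") == ["infinite"]:
        findings.append("lease infinite: addresses are never returned to the pool")
    return findings


if __name__ == "__main__":
    ranges, pools = parse_dhcp(SAMPLE_CONFIG)
    for name, pool in pools.items():
        print(name, "leasable addresses:", leasable_count(pool, ranges))
        for finding in audit_pool(pool, ranges):
            print("  -", finding)
```

Run against the Step 8 values, it reports that the second DNS server, 172.16.2.103, lies inside the 172.16.0.0/16 pool but outside the excluded range, and that infinite leases never return addresses to the pool.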

Page 2:
Packet Tracer Activity

Configure a router as a DHCP server for attached clients.

5.3.7 - Configuring DHCP Services


Link to Packet Tracer Exploration: Configuring a Cisco Router as a DHCP server

Page 3:
Lab Activity

Use the Cisco SDM and IOS CLI to configure a router as a DHCP server.

5.3.7 - Configuring DHCP Services


Link to Hands-on Lab: Configuring DHCP with SDM and the Cisco IOS CLI

5.3.8 Configuring Static NAT Using Cisco IOS CLI

Page 1:
NAT enables hosts with internal private addresses to communicate on the Internet. When
configuring NAT, at least one interface must be configured as the inside interface. The inside
interface is connected to the internal, private network. Another interface, usually the external
interface used to access the Internet, must be configured as the outside interface. When devices on
the internal network communicate out through the external interface, the addresses are translated to
one or more registered IP addresses.

There are occasions when a server located on an internal network must be accessible from the
Internet. This accessibility requires that the server has a specific registered address that external
users can specify. One way to provide this address to an internal server is to configure a static
translation.

Static NAT ensures that addresses assigned to hosts on the internal network are always translated to
the same registered IP address.

Configuring NAT and static NAT using the Cisco IOS CLI requires a number of steps.

Step 1. Specify the inside interface.

Step 2. Set the primary IP address of the inside interface.

Step 3. Identify the inside interface using the ip nat inside command.

Step 4. Specify the outside interface.

Step 5. Set the primary IP address of the outside interface.

Step 6. Identify the outside interface using the ip nat outside command.

Step 7. Define the static address translation.


Step 8. Verify the configuration.

5.3.8 - Configuring Static NAT Using Cisco IOS CLI


The diagram depicts the steps used to configure static NAT using Cisco IOS CLI.

Step 1: Specify the inside interface


Router(config)# interface fastethernet 0/0

To begin configuring NAT services on a Cisco router, navigate to the privileged EXEC mode, enter
the password if prompted, and then enter the global configuration mode. Specify which interface
is connected to the inside local network. Doing this enters the interface configuration mode. Use
these commands:
Router> enable
Router# configure terminal
Router(config)# interface fastethernet 0/0

Step 2: Set the primary IP address of the inside interface


Router(config-if)# ip address 172.31.232.182 255.255.255.0

Use this command to set the primary IP address for the inside interface:
Router(config-if)# ip address 172.31.232.182 255.255.255.0

Step 3: Identify the inside interface using the ip nat inside command

Router(config-if)# ip nat inside
Router(config-if)# no shutdown
Router(config-if)# exit

Now identify this interface as the interface connected to the inside of the network and then exit the
configuration of the inside interface and return to configuration mode. Use these commands:
Router(config-if)# ip nat inside
Router(config-if)# no shutdown
Router(config-if)# exit

Step 4: Specify the outside interface


Router(config)# interface serial 0/0

Configure the outside interface. Specify the interface connecting to the Internet Service Provider
and return to the interface configuration mode. Use this command:
Router(config)# interface serial 0/0

Step 5: Set the primary IP address of the outside interface


Router(config-if)# ip address 209.165.201.1 255.255.255.252

Use this command to set the primary IP address for the outside interface:
Router(config-if)# ip address 209.165.201.1 255.255.255.252

Step 6: Identify the outside interface using the ip nat outside command

Router(config-if)# ip nat outside
Router(config-if)# no shutdown
Router(config-if)# exit

Now identify this interface as the interface connected to the outside of the network and then exit the
configuration of the outside interface and return to configuration mode. Use these commands:
Router(config-if)# ip nat outside
Router(config-if)# no shutdown
Router(config-if)# exit

Step 7: Define the static address translation


Router(config)# ip nat inside source static 172.31.232.14 209.165.202.130
Router(config)# exit

Use this command to create the translation:

Router(config)# ip nat inside source static 172.31.232.14 209.165.202.130
In this example, a server with the inside address 172.31.232.14 is always translated to the external
address 209.165.202.130. When finished, exit the global configuration mode.

Step 8: Verify the configuration


show running-config

Verify the static NAT configuration. Use this command:

show running-config
Here is an example:

interface fastethernet 0/0
 ip address 172.31.232.182 255.255.255.0
 ip nat inside

interface serial 0/0
 ip address 209.165.201.1 255.255.255.252
 ip nat outside

ip nat inside source static 172.31.232.14 209.165.202.130

Be sure to save the running-configuration to the startup-configuration.

Page 2:
There are several router CLI commands to view NAT operations for verification and
troubleshooting.

One of the most useful commands is show ip nat translations. The output displays the detailed
NAT assignments. The command shows all static translations that have been configured and any
dynamic translations that have been created by traffic. Each translation is identified by protocol and
its inside and outside local and global addresses.

The show ip nat statistics command displays information about the total number of active
translations, NAT configuration parameters, how many addresses are in the pool, and how many
have been allocated.
Additionally, use the show run command to view NAT configurations.

By default, if dynamic NAT is configured, translation entries time out after 24 hours. It is
sometimes useful to clear the dynamic entries sooner than 24 hours. This is especially true when
testing the NAT configuration. To clear dynamic entries before the timeout has expired, use the
clear ip nat translation * command in the enable mode. Only the dynamic translations are
removed from the table. Static translations cannot be cleared from the translation table.
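
A small model of the translation table, added here as an example that is not part of the course material: it shows how the static entry from Step 7 differs from a dynamic entry, both for packets that start outside and when the table is cleared. The class and method names, the dynamic pool address 209.165.202.131 and the outside host 198.51.100.7 are constructed for the example.

```python
from dataclasses import dataclass, field


@dataclass
class NatTable:
    """Minimal model of the table shown by `show ip nat translations`."""
    pool: list = field(default_factory=list)     # unused inside global addresses (dynamic NAT)
    static: dict = field(default_factory=dict)   # inside local -> inside global, permanent
    dynamic: dict = field(default_factory=dict)  # inside local -> inside global, created by traffic

    def add_static(self, inside_local, inside_global):
        """ip nat inside source static <inside_local> <inside_global>"""
        self.static[inside_local] = inside_global

    def outbound(self, src, dst):
        """Packet going from the inside interface to the outside: rewrite the source."""
        if src in self.static:
            return self.static[src], dst
        if src not in self.dynamic:
            if not self.pool:
                return None                      # pool exhausted: no translation is created
            self.dynamic[src] = self.pool.pop(0)
        return self.dynamic[src], dst

    def inbound(self, src, dst):
        """Packet arriving on the outside interface: rewrite the destination."""
        for table in (self.static, self.dynamic):
            for inside_local, inside_global in table.items():
                if dst == inside_global:
                    return src, inside_local
        return None                              # no entry: no inside host behind this address

    def clear_dynamic(self):
        """clear ip nat translation *: dynamic entries are removed, static ones stay."""
        removed = len(self.dynamic)
        self.pool.extend(self.dynamic.values())
        self.dynamic.clear()
        return removed

    def translations(self):
        """Rows of (inside global, inside local, kind), static entries first."""
        rows = [(glob, local, "static") for local, glob in self.static.items()]
        rows += [(glob, local, "dynamic") for local, glob in self.dynamic.items()]
        return rows


def demo():
    nat = NatTable(pool=["209.165.202.131"])               # constructed pool address
    nat.add_static("172.31.232.14", "209.165.202.130")     # the translation from Step 7
    results = {}
    # The static entry exists before the server has sent anything.
    results["to_server"] = nat.inbound("198.51.100.7", "209.165.202.130")
    # A workstation has no entry until its own traffic creates one.
    results["to_idle_host"] = nat.inbound("198.51.100.7", "209.165.202.131")
    results["from_host"] = nat.outbound("172.31.232.50", "198.51.100.7")
    results["cleared"] = nat.clear_dynamic()
    results["after_clear"] = nat.translations()
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

Because the static entry admits connections that start outside, access to 209.165.202.130 has to be restricted elsewhere, for example with an access list on the outside interface.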

5.3.8 - Configuring Static NAT Using Cisco IOS CLI


The diagram depicts a man sitting at his workstation verifying NAT operations by entering the show
ip nat translations command and using the router CLI interface.

The output from the show ip nat statistics command displays detailed NAT assignments. The
command shows all static translations that have been configured and any dynamic translations that
have been created by traffic. Each translation is identified by a protocol, and its inside and outside
local and global addresses.

The show ip nat statistics command displays information about the total number of active
translations, NAT configuration parameters, how many addresses are in the pool, and how many
have been allocated.

Page 3:
Packet Tracer Activity

Configure static NAT on a router.

5.3.8 - Configuring Static NAT Using Cisco I O S C L I


Link to Packet Tracer Exploration: Configuring Static NAT on a Cisco Router.

Page 4:
Lab Activity

Configure PAT using Cisco SDM and static NAT using Cisco IOS CLI.


5.3.8 - Configuring Static NAT Using Cisco IOS CLI


Link to Hands-on Lab: Configuring PAT with SDM and Static NAT using Cisco IOS Commands.

5.3.9 Backing Up a Cisco Router Configuration

Page 1:
After a router is configured, the running configuration should be saved to the startup configuration
file. It is also a good idea to save the configuration file in another location, such as a network server.
If the NVRAM fails or becomes corrupt and the router cannot load the startup configuration file,
another copy is available. There are multiple ways that a configuration file can be saved.

One way configuration files can be saved to a network server is using TFTP. The TFTP server must
be accessible to the router via a network connection.

Step 1. Enter the copy startup-config tftp command.

Step 2. Enter the IP address of the host where the configuration file will be stored.

Step 3. Enter the name to assign to the configuration file or accept the default.

Step 4. Confirm each choice by answering yes.

The running configuration can also be stored on a TFTP server using the copy running-config tftp
command.

To restore the backup configuration file, the router must have at least one interface configured and
be able to access the TFTP server over the network.

Step 1. Enter the copy tftp running-config command.

Step 2. Enter the IP address of the remote host where the TFTP server is located.

Step 3. Enter the name of the configuration file or accept the default name.

Step 4. Confirm the configuration filename and the TFTP server address.

Step 5. Using the copy run start command, copy the running-configuration to the startup-configuration
file to ensure that the restored configuration is saved.

When restoring your configuration, it is possible to copy the TFTP file to the startup configuration
file. However, this does require a router reboot in order to load the startup configuration file into the
running configuration.

5.3.9 - Backing Up a Cisco Router Configuration


The diagram depicts the process of copying the configuration to and from a TFTP server by saving
and restoring a configuration.

Saving a Configuration HyperTerminal window

Router# copy startup-config tftp
Address or name of remote host []? 10.10.10.1
Destination filename [router-config]? tokyo.2
Write file tokyo.2 to 10.10.10.1 [confirm]
Writing tokyo.2 !!!!!! [OK]
Router#

Restoring a Configuration HyperTerminal window

Router# copy tftp running-config
Address or name of remote host []? 131.108.2.155
Source filename []? tokyo.2
Destination filename [running-config]? y
Accessing tftp://131.108.2.155/tokyo.2

Page 2:
Another way to create a backup copy of the configuration is to capture the output of the show
running-config command. To do this from the terminal session, copy the output, paste it into a text
file, and then save the text file.

The following steps are used to capture the configuration from a HyperTerminal screen.

Step 1. Select Transfer.

Step 2. Select Capture Text.

Step 3. Specify a name for the text file to capture the configuration.

Step 4. Select Start to start capturing text.

Step 5. Use the show running-config command to display the configuration on the screen.

Step 6. Press the spacebar when each "--More--" prompt appears.

After the complete configuration has been displayed, the following steps stop the capture.

Step 1. Select Transfer.

Step 2. Select Capture Text.

Step 3. Select Stop.

After the capture is complete, the configuration file must be edited to remove extra text, such as the
"building configuration" Cisco IOS message. Also, the no shutdown command must be added to
the end of each interface section. Click File > Save to save the configuration. The configuration file
can be edited from a text editor such as Notepad.

The backup configuration can be restored from a HyperTerminal session. Before the configuration
is restored, any other configurations should be removed from the router using the erase startup-config
command at the privileged EXEC prompt. The router is then restarted using the reload
command.

The following steps copy the backup configuration to the router.

Step 1. Enter router global configuration mode.

Step 2. Select Transfer > Send Text File in HyperTerminal.

Step 3. Select the name of the file for the saved backup configuration.

Step 4. Restore the startup configuration with the copy run start command.
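
The editing step described above, as an added example that is not part of the course material: it strips the prompt echo, the "Building configuration" and "Current configuration" lines and the "--More--" residue from a captured show running-config, then adds no shutdown to the end of each interface section. The capture is constructed, the function name clean_capture is hypothetical, and leaving sections that already contain shutdown disabled is this example's choice; the page adds the command to every interface section.

```python
import re

# "--More--" as left in a terminal capture: the marker, then the backspaces
# and spaces the router sends to erase it, then the next line of output.
MORE = re.compile(r"\s*-+\s*More\s*-+\s*[\x08 ]*")
PROMPT = re.compile(r"^[\w.-]+(\(config[^)]*\))?[>#]")   # e.g. Router#show running-config
NOISE = re.compile(r"^(Building configuration|Current configuration)", re.I)

# Constructed capture using the interface values from this chapter.
CAPTURE = (
    "Router#show running-config\n"
    "Building configuration...\n"
    "\n"
    "Current configuration : 612 bytes\n"
    "!\n"
    "hostname Router\n"
    "!\n"
    "interface FastEthernet0/0\n"
    " description connection to Admin LAN\n"
    " ip address 192.168.2.1 255.255.255.0\n"
    " --More-- \x08\x08\x08\x08\x08\x08\x08\x08\x08         \x08\x08\x08\x08\x08\x08\x08\x08\x08!\n"
    "interface FastEthernet0/1\n"
    " no ip address\n"
    " shutdown\n"
    "!\n"
    "interface Serial0/0/0\n"
    " description connection to Router 2\n"
    " ip address 192.168.1.125 255.255.255.0\n"
    " clock rate 64000\n"
    "!\n"
    "ip route 0.0.0.0 0.0.0.0 192.168.1.5\n"
    "!\n"
    "end\n"
)


def clean_capture(capture):
    """Turn a captured `show running-config` into text that can be sent back to a router."""
    out = []
    in_interface = False   # currently inside an interface section
    shut = False           # that section contains an explicit `shutdown`
    for raw in capture.splitlines():
        line = MORE.sub("", raw).rstrip()
        stripped = line.strip()
        if not stripped or PROMPT.match(stripped) or NOISE.match(stripped):
            continue
        starts_interface = stripped.startswith("interface ")
        if in_interface and (stripped in ("!", "end") or starts_interface):
            if not shut:
                out.append(" no shutdown")   # enabled interfaces do not list it in the output
            in_interface = False
        if starts_interface:
            in_interface, shut = True, False
        elif in_interface and stripped == "shutdown":
            shut = True
        out.append(line)
    if in_interface and not shut:
        out.append(" no shutdown")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print(clean_capture(CAPTURE), end="")
```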

5.3.9 - Backing Up a Cisco Router Configuration


The diagram depicts a HyperTerminal window with the Transfer drop-down menu open and Capture
Text, then Stop, selected to stop the capture. Output from commands previously entered is captured.

Page 3:
Packet Tracer Activity

Back up the running configuration to a TFTP server.


5.3.9 - Backing Up a Cisco Router Configuration


Link to Packet Tracer Exploration: Backing Up a Cisco Router Configuration to a TFTP Server.

Page 4:
Lab Activity

Use HyperTerminal to save and load the running configuration.

5.3.9 - Backing Up a Cisco Router Configuration


Link to Hands-on Lab: Managing Router Configuration Files Using HyperTerminal.

Page 5:
Lab Activity

Use TFTP to save and load the running configuration.

5.3.9 - Backing Up a Cisco Router Configuration


Link to Hands-on Lab: Managing Router Configuration Files Using TFTP

5.4 Connecting the CPE to the ISP


5.4.1 Installing the CPE

Page 1:
One of the main responsibilities of an on-site network technician is to install and upgrade
equipment located at a customer home or business. Network devices installed at the customer
location are called customer premises equipment (CPE) and include devices such as routers,
modems, and switches.

The installation or upgrade of a router can be disruptive for a business. Many businesses rely on the
Internet for their correspondence and have e-commerce services that must be accessed during the
day. Planning the installation or upgrade is a critical step in ensuring successful operation.
Additionally, planning enables options to be explored on paper, where it is easy and inexpensive to
correct errors.

The ISP technical staff usually meets with business customers for planning. During planning
sessions, the technician determines the configuration of the router to meet customer needs and the
network software that may be affected by the new installation or upgrade.

The technician works with the IT personnel of the customer to decide which router configuration to
use and to develop the procedure that verifies the router configuration. From this information, the
technician completes a configuration checklist.

The configuration checklist provides a list of the most commonly configured components. It
typically includes an explanation of each component and the configuration setting. The list is a tool
for ensuring that everything is configured correctly on new router installations. It is also helpful for
troubleshooting previously configured routers.

There are many different formats for configuration checklists, including some that are quite
complex. ISPs should ensure that support technicians have, and know how to use, router
configuration checklists.

5.4.1 - Installing the CPE


The diagram depicts a blank work order form with a brief description of the following fields.

Date and Work Order


Used to record the date that the configuration checklist is issued
Used to record a number used to track the contract work
ISP Contact
The name and telephone number of the ISP representative if any questions or concerns arise
Customer
The name of the company or customer.
Customer Contact
The name and telephone number of the person at the customer site responsible for the project.
Router Manufacturer and Model
The router manufacturer and model number
Router Serial Number
The router serial number
Configured Basic Parameters
Check here to confirm that basic router parameters are configured.
Cisco SDM can be used to configure basic parameters, if supported by the device.
Configured Global Parameters
Check here to confirm that the global parameters are configured.
Including: host name of the router, a privilege mode password, and disabling the router from
recognizing typing mistakes as commands.
Configured Fast Ethernet LAN Interfaces
Check here to confirm that the Fast Ethernet LAN interfaces have been configured.
Configured WAN Interfaces
Check here to confirm that the WAN interfaces have been configured.
Configured Command-Line Access to the Router
Check here to confirm that the parameters used to control Cisco IOS CLI access to the router
have been configured.
This includes: the interval of time that the EXEC command interpreter waits until user input is
detected.
Configured Static Routes
Check here to confirm that the static routes are configured.
An ISP may use a separate sheet to detail each static route configured.
Static routes are manually configured on the router and must be changed manually if new routes are
required.
Configured Dynamic Routing Protocols
Check here to confirm that the dynamic routing protocols are configured.
In dynamic routing, the network protocol adjusts the path automatically, based on network traffic or
topology. Changes in dynamic routes are shared with other routers in the network.
Configured Security Features
Check here to confirm that security features on the router are configured.
The Cisco SDM configuration tool makes it easy to configure the basic security features.
To configure security features using the Cisco IOS CLI requires an in-depth knowledge of the
Cisco IOS security commands.

Page 2:
When new equipment is required, the devices are typically configured and tested at the ISP site
before being installed at the customer site. Anything that is not functioning as expected can be
replaced or fixed immediately. If a router is being installed, the network technician makes sure that
the router is fully configured and that the router configuration is verified.

When the router is known to be configured correctly, all network cables, power cables, management
cables, manufacturer documentation, manufacturer software, configuration documentation, and the
special tools needed for router installation are assembled. An inventory checklist is used to verify
that all necessary equipment needed to install the router is present. Usually, the network technician
signs the checklist, indicating that everything has been verified. The signed and dated inventory
checklist is included with the router when it is packaged for shipping to the customer premises.

The router is now ready to be installed by the on-site technician. It is important to find a time that
provides the minimum amount of disruption. It may not be possible to install or upgrade network
equipment during normal business hours. If the installation will cause the network to be down, the
network technician, the ISP sales person, and a representative of the company prepare a router
installation plan. This plan ensures that the customer experiences a minimum of disruption in
service while the new equipment is installed. Additionally, the router installation plan identifies who
the customer contact is and what the arrangements are for access to the site after business hours. As
part of the installation plan, an installation checklist is created to ensure that equipment is installed
appropriately.

5.4.1 - Installing the CPE


The diagram depicts images of the installation planning process with the customer and installation
of the router following the plan.

Page 3:
The on-site network technician must install the router at the customer premises using the router
installation plan and checklist. When installing customer equipment, it is important to complete the
job in a professional manner. This means that all network cables are labeled and fastened together
or run through proper cable management equipment. Excess lengths of cable are coiled and secured
out of the way.

Documentation should be updated to include the current configuration of the router, and network
diagrams should be updated to show the location of the equipment and cables installed.

After the router is successfully installed and tested, the network technician completes the
installation checklist. The completed checklist is then verified by the customer representative. The
verification of the router installation often involves demonstrating that the router is correctly
configured and that services that depend on the router work as expected.

When the customer representative is satisfied that the router has been correctly installed and is
operational, the customer signs and dates the checklist. Sometimes there is a formal acceptance
document in addition to the checklist. This procedure is often called the sign-off phase. It is critical
that the customer representative signs off on the job, because the ISP can then bill the customer for
the work.

5.4.1 - Installing the CPE


The diagram depicts images of the completion of the checklist and review of the installation with a
customer representative. Obtaining the customer acceptance of the new equipment and approval of
the installation is also depicted.

Page 4:
Installation Documentation

When customer equipment is configured and installed on the customer premises, it is important to
document the entire process. Documentation includes all aspects of equipment configuration,
diagrams of equipment installation, and checklists to validate the correct installation. If a new
configuration is needed, the documentation is compared with the previous router configuration to
determine if and how the new configuration has changed. Activity logs are used to track
modifications and access to equipment. Properly maintained activity logs help when
troubleshooting problems.

The technician starts documenting the work during router installation. All cables and equipment are
correctly labeled and indicated on a diagram to simplify future identification.

The technician uses the installation and verification checklist when installing a router. This checklist
displays the tasks to be completed at the customer premises. The checklist helps the network
technician avoid errors and ensures that the installation is done efficiently and correctly.

A copy of the final documentation is left with the customer.

5.4.1 - Installing the C P E


The diagram depicts images related to router installation documentation.

Verify Checklists
Document any installation modifications that were not part of the original installation plan. Clearly
label all cables for future identification. Finally, verify the install by using the installation checklist.

Update Network Diagrams


Update any network diagrams to include any changes made during the installation. This is an
example of a network diagram created using Microsoft Visio.

Prepare Activity Logs


Use activity logs to document when modifications are made so they can be used to determine if a
configuration activity has contributed to a network problem.

5.4.2 Customer Connections over a WAN

Page 1:
New equipment at the customer site must be connected back to the ISP to provide Internet services.
When customer equipment is upgraded, it is sometimes necessary to also upgrade the type of
connectivity provided by the ISP.

Wide Area Networks

When a company or organization has locations that are separated by large geographical distances, it
may be necessary to use the telecommunications service provider (TSP) to interconnect the LANs at
the different locations. The networks that connect LANs in geographically separated locations are
referred to as wide area networks (WANs).

TSPs operate large regional networks that can span long distances. Traditionally, TSPs transported
voice and data communications on separate networks. Increasingly, these providers are offering
converged information network services to their subscribers.

Individual organizations usually lease connections through the TSP network. Although the
organization maintains all the policies and administration of the LANs at both ends of the
connection, the policies within the communications service provider network are controlled by the
ISP.

ISPs sell various types of WAN connections to their clients. WAN connections vary in the type of
connector used, in bandwidth, and in cost. As small businesses grow, they require the increased
bandwidth offered by some of the more expensive WAN connections. One of the jobs at an ISP or
medium-sized business is to assess what type of WAN connection is needed.

5.4.2 - Customer Connections over a WAN


The diagram depicts two LANs connected via a WAN link using CSU/DSU equipment.

Page 2:
There are three types of serial WAN connections.

Point-to-Point

A point-to-point connection is a predefined communications path from the customer premises
through a TSP network. It is a dedicated circuit with fixed bandwidth available at all times.
Point-to-point lines are usually leased from the TSP. These lines are often called leased lines.
Point-to-point connections are typically the most expensive of the WAN connection types, and are
priced based on the bandwidth required and the distance between the two connected points. An
example of a point-to-point WAN connection is a T1 or E1 link.

Circuit-Switched

A circuit-switched connection functions similarly to the way a phone call is made over a telephone
network. When making a phone call to a friend, the caller picks up the phone, opens the circuit, and
dials the number. The caller hangs up the phone when finished and closes the circuit. An
example of a circuit-switched WAN connection is an ISDN or dialup connection.

Packet-Switched

In a packet-switched connection, networks have connections into the TSP switched network. Many
customers share this TSP network. Instead of the circuit being physically reserved from source to
destination, as in a circuit-switched network, each customer has its own virtual circuit. A virtual
circuit is a logical path between the sender and receiver, not a physical path. An example of a
packet-switched network is Frame Relay.

5.4.2 - Customer Connections over a WAN


The diagram depicts the following types of WAN connections: point-to-point, circuit-switched, and
packet-switched.

Point-to-Point
A host is connected to a switch which is connected to a router, which is connected to another router
via a WAN link, which is connected to a switch, which is connected to a host.
Circuit-Switched
An I S D N circuit-switched network showing three customer sites connected using D C E
equipment. The I S D N circuit switched network is represented by a cloud of switches with paths
(circuits) connecting the customer sites together. These circuits are established as needed and
disassembled when not.

Packet-Switched
Customer A, Site 1, 2, and 3 and Customer B, Site 1 and 2 are all connected to each other via D C E
equipment. Any of these sites can communicate with any of the other sites. Paths of traffic flow
may not be the same for all packets in a message. The Frame Relay network circuits are virtual and
are shared with other customers.

5.4.3 Choosing a WAN Connection

Page 1:
When choosing a WAN, the decision is largely dependent on the bandwidth and cost of the WAN
connection. Smaller businesses are not able to afford some of the more expensive WAN connection
options, such as SONET or ATM WAN connections. They usually install the less expensive DSL,
cable, and T1 connections. In addition, higher bandwidth WAN connections may not be available in
geographically isolated locations. If the offices supported are close to an urban center, there are
more WAN choices.

Another factor that affects the decision on which WAN to choose is how the business plans to use
the connection. If the business provides services over the Internet, it may require higher upstream
bandwidth. For example, if a business hosts a web server for an e-commerce business, it needs
enough upstream bandwidth to accommodate the number of external customers that visit its site. On
the other hand, if the business uses an ISP to manage its e-commerce site, the business does not
need as much upstream bandwidth.

For some businesses, the ability to get a service level agreement (SLA) with their WAN connection
affects their decision. Less expensive WAN connections like dialup, DSL, and cable typically do not
come with an SLA, whereas more expensive connections do.

5.4.3 - Choosing a WAN Connection


The diagram depicts a table with information about various types of WAN connections.

Connection: Dialup
Bandwidth: Up to 56 Kbps
Cost: Low

Connection: Frame Relay
Bandwidth: 128 Kbps - 512 Kbps
Cost: Low - Medium

Connection: DSL (note 1)
Bandwidth: 128 Kbps - 6+ Mbps
Cost: Low

Connection: Cable (note 1)
Bandwidth: 128 Kbps - 10+ Mbps
Cost: Low

Connection: Fractional T1
Bandwidth: 64 Kbps - 1.544 Mbps
Cost: Low - Medium

Connection: T1/E1
Bandwidth: 1.544/2.048 Mbps
Cost: Medium

Connection: Fractional T3
Bandwidth: 1.544 Mbps - 44.736 Mbps
Cost: Medium - High

Connection: T3/E3
Bandwidth: 44.736/34.368 Mbps
Cost: High

Connection: SONET
Bandwidth: 51.840 Mbps - 9953.280 Mbps
Cost: High - Very High

Connection: ATM
Bandwidth: 622 Mbps
Cost: Very High

* This list is a small subset of the options available from an ISP or Telco provider. Availability
varies by provider and location.

Note 1: Upstream bandwidth is typically slower than the listed downstream bandwidth.

Page 2:
There are many things to consider when planning a WAN upgrade. The ISP initiates the process by
analyzing the customer needs and reviewing the available options. A proposal is then generated for
the customer. The proposal addresses the existing infrastructure, the customer requirements, and
possible WAN options.

Existing Infrastructure

This is an explanation of the current infrastructure being used by the business. It helps the customer
understand how the existing WAN connection provides services to their home or business.

Customer Requirements
This section of the proposal describes why a WAN upgrade is necessary for the customer. It outlines
where the current WAN connection does not meet the customer needs. It also includes a list of
requirements that the new WAN connection must meet to satisfy the current and future customer
requirements.

WAN Options

A list of all the available WAN choices, with the corresponding bandwidth, cost, and other
features that are applicable for the business, is included in the proposal. The recommended choice is
indicated, including possible other options.

The WAN upgrade proposal is presented to the business decision-makers. They review the
document and consider the options. When they have made their decision, the ISP works with the
customer to develop a schedule and coordinate the WAN upgrade process.

5.4.3 - Choosing a WAN Connection


The diagram depicts a man explaining WAN connection options.

Page 3:
Lab Activity

Complete a WAN upgrade plan based on the business scenario presented.

Click the lab icon to begin.

5.4.3 - Choosing a WAN Connection


Link to Hands-on Lab: Planning a WAN upgrade

5.4.4 Configuring WAN Connections

Page 1:
How a WAN is configured depends on the type of WAN connection required. Some WAN
connections support Ethernet interfaces. Other WAN connections support serial interfaces.

Leased-line WAN connections typically use a serial connection, and require a channel service unit
and data service unit (CSU/DSU) to attach to the ISP network. The ISP equipment needs to be
configured so that it can communicate through the CSU/DSU to the customer premises.

For a serial connection, it is important to have a preconfigured clock rate that is the same on both
ends of the connection. The clock rate is set by the DCE device, which is typically the CSU/DSU.
The DTE device, typically the router, accepts the clock rate set by the DCE.

The Cisco default serial encapsulation is HDLC. It can be changed to PPP, which provides a more
flexible encapsulation and supports authentication by the remote device.

5.4.4 - Configuring WAN Connections


The diagram depicts a WAN connection between a customer ISR router and customer CSU/DSU,
and between an ISP ISR router and an ISP CSU/DSU using P P P encapsulation.

Customer Cisco ISR router connects to a customer CSU/DSU, which is connected to a WAN cloud.
The WAN cloud connects to ISP CSU/DSU, which is connected to the ISP Cisco ISR Router.

Customer Cisco ISR Router

Router>enable
Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#interface serial 0/0
Router(config-if)#ip address 192.168.2.125 255.255.255.0
Router(config-if)#encapsulation ppp
Router(config-if)#no shutdown

ISP Cisco ISR Router

Router>enable
Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#interface serial 0/0
Router(config-if)#ip address 192.168.2.123 255.255.255.0
Router(config-if)#encapsulation ppp
Router(config-if)#no shutdown

Page 2:
Packet Tracer Activity

Configure a serial WAN connection from a Cisco ISR to a CSU/DSU at an ISP.

Click the Packet Tracer icon to begin.

5.4.4 - Configuring WAN Connections


Link to Packet Tracer Exploration: Configuring a PPP Connection Between a Customer and an ISP .
5.5 Initial Cisco 2960 Switch Configuration
5.5.1 Standalone Switches

Page 1:
Although the integrated switch module of the 1841 ISR is adequate for connecting a small number of
hosts to the LAN, it may be necessary to add larger, more capable switches to support additional
users as the network grows.

A switch is a device that directs a stream of messages from one port to another based on the
destination MAC address within the frame. A switch cannot route traffic between two different local
networks. In the context of the OSI model, a switch performs Layer 2 functions. Layer 2 is the Data
Link Layer.

Several models of Ethernet switches are available to meet various user requirements. The Cisco
Catalyst 2960 Series Ethernet switch is designed for the networks of medium-sized businesses and
branch offices.

The Catalyst 2960 Series switches are fixed-configuration, standalone devices that do not support
modules or flash card slots. Because the physical configuration cannot change, fixed-configuration
switches must be chosen based on the required number and type of ports. 2960 Series switches can
provide 10/100 Fast Ethernet and 10/100/1000 Gigabit Ethernet connectivity. These switches use
Cisco IOS software and can be configured using a GUI-based Cisco Network Assistant or through
the CLI.

5.5.1 - Standalone Switches


The diagram depicts several switches and information about each.

Cisco 2960 Fast Ethernet Switch


8 Fast Ethernet ports
One dual purpose Gigabit Ethernet uplink port
The Gigabit Ethernet uplink port can support a 10 /100 /1000 copper cable or a fiber based S F P
connector.
This switch does not require a fan

Cisco 2960 Gigabit Ethernet Switch


7 Gigabit Ethernet ports
One dual purpose Gigabit Ethernet uplink port
The Ethernet uplink port can support a 10 /100 /1000 copper cable or a fiber based small form-
factor pluggable (S F P) connector.
This switch does not require a fan

Cisco Catalyst 2960-24TT


24 10 /100 ports
2 10 /100 /1000 uplink ports

Cisco Catalyst 2960-24TC


24 10 /100 ports
2 dual-purpose uplink ports

Cisco Catalyst 2960-48TT


48 10 /100 ports
2 10 /100 /1000 uplink ports

Cisco Catalyst 2960-48TC


44 10 /100 /1000 ports
4 dual-purpose uplink ports

Cisco Catalyst 2960G-24TC


24 10 /100 /1000 ports
4 dual-purpose uplink ports

Cisco Catalyst 2960G-48TC


44 10 /100 /1000 ports
4 dual-purpose uplink ports

Page 2:

5.5.1 - Standalone Switches


The diagram depicts the front and rear view of a switch. Brief descriptions are given for various
components of the switch.

2960 Series Switch


Cisco Catalyst 2960 Series Intelligent Ethernet Switches are suitable for small and medium-sized
networks. They provide 10 /100 Fast Ethernet and 10 /100 /1000 Gigabit Ethernet LAN
connectivity.

Front View

Status L E D's

SYST L E D
Shows whether the system is receiving power and is working properly.
Green: The system is working properly.
Amber: The system is receiving power but is not working properly.

R P S L E D
The redundant power system (R P S) L E D shows the R P S status.
Green: The R P S is connected and ready to provide back-up power, if required.
Blinking green: The R P S is connected but is unavailable because it is providing power to another
device.
Amber: The R P S is in standby mode or in a fault condition.
Blinking amber: The internal power supply in a switch has failed, the R P S is providing power to
the switch.

Mode Button and Port Status L E D


Port L E D's display information about the switch and about the individual ports.

Mode Button
The mode button is used to select one of the port modes: status mode, duplex mode, or speed mode.
To select or change a mode, press the Mode button until the desired mode is highlighted. The
purpose of the L E D is dependent upon the port mode setting.

Port Status, or STAT, the Default Port Mode


Off: No link, or port was administratively shut down.
Green: Link present.
Blinking green: Port is transmitting or receiving data.
Alternating green-amber: Link fault. Error frames can affect connectivity, and errors such as
excessive collisions, C R C errors, and alignment and jabber errors are monitored for a link-fault
indication.
Amber: Port is blocked by Spanning Tree Protocol (S T P) and is not forwarding data.
Blinking amber: Port is blocked by STP but continues to transmit and receive inter-switch
information messages.

Duplex L E D
Port duplex mode, or D U P L X, is either full duplex or half duplex.
Off: Port is operating in half duplex.
Green: Port is operating in full duplex.

Speed L E D
SPEED mode: The 10 /100 ports, 10 /100 /1000 ports and S F P module ports operating speeds.

For 10 /100 ports:


Off: Port is operating at 10 Mbps
Green: Port is operating at 100 Mbps.
For 10 /100 /1000 ports:
Off: Port is operating at 10 Mbps.
Green: Port is operating at 100 Mbps.
Blinking green: Port is operating at 1000 Mbps.

10 /100 and 10 /100 /1000 Ports


The 10 /100 Ethernet ports can be set to support speeds of 10 or 100 Mbps. The 10 /100 /1000 ports
operate at 10, 100, or 1000 Mbps

S F P Ports
A Gigabit capable Ethernet S F P port can be used to support fiber and copper transceivers modules.
The fiber transceivers support fiber-optic cables. The copper transceivers support Category 5 cables
with R J-45 connectors.

The ability to plug into the Gigabit Ethernet S F P ports allows the fiber and copper transceivers to
be easily replaceable in the field should a connection go bad.

Rear View
All of the Ethernet ports are located on the front of the 2960. The back of the 2960 contains the
power plug, the console port, and the fan ventilation.

Console Port
Used to connect the switch to a PC by means of a R J-45-to-D B-9 cable.
Used for out-of-band management tasks.
Page 3:
All switches support both half-duplex and full-duplex mode.

When a port is in half-duplex mode, at any given time, it can either send or receive data but not
both. When a port is in full-duplex mode, it can simultaneously send and receive data, doubling the
throughput.

Both the port and the connected device must be set to the same duplex mode. If they are not the
same, a duplex mismatch occurs, which can lead to excessive collisions and degraded
communication.

The speed and duplex can be set manually, or the switch port can use autonegotiation.
Autonegotiation allows the switch to autodetect the speed and duplex of the device that is connected
to the port. Autonegotiation is enabled by default on many Cisco switches.

For autonegotiation to be successful, both devices must support it. If the switch is in autonegotiation
mode and the connected device does not support it, the switch uses the speed of the other device
(10, 100, or 1000) and is set to half-duplex mode. Defaulting to half duplex can create problems if
the non-autonegotiating device is set to full duplex.

If the connected device does not autonegotiate, manually configure the duplex settings on the
switch to match the duplex settings on the connected device. The speed parameter can adjust itself,
even if the connected port does not autonegotiate.

5.5.1 - Standalone Switches


The diagram depicts a half-duplex and a full-duplex transmission.

Half-Duplex
A server and a switch exchange information. Only one device can send at any one time.

Full-Duplex
A server and a switch exchange information. Both devices can send and receive at the same time.

Page 4:
Switch settings, including the speed and duplex port parameters, can be configured using the Cisco
IOS CLI. When configuring a switch using the Cisco IOS CLI, the interface and command structure
is very similar to the Cisco routers.

As with the Cisco routers, there is a variety of choices for the Cisco IOS image for switches. The
IP-base software image is supplied with the Cisco Catalyst 2960 switch. This image provides the
switch with basic switching capabilities and IP services. Other Cisco IOS software images supply
additional services to the IP-base image.

5.5.1 - Standalone Switches


The diagram depicts a flowchart. IP Services provided by the IP Base flow to Enterprise
Services and Advanced IP Services, which then both flow to Advanced Enterprise Services.

5.5.2 Power Up the Cisco 2960 Switch

Page 1:
Powering up a Cisco 2960 switch is similar to powering up a Cisco 1841 ISR.

The three basic steps for powering up a switch include:

Step 1. Check the components.

Step 2. Connect the cables to the switch.

Step 3. Power up the switch.

When the switch is on, the power-on self-test (POST) begins. During POST, the LEDs blink while a
series of tests determine that the switch is functioning properly.

POST is completed when the SYST LED rapidly blinks green. If the switch fails POST, the SYST
LED turns amber. When a switch fails POST, it is necessary to return the switch for repairs.

When all startup procedures are finished, the Cisco 2960 switch is ready to configure.

5.5.2 - Power Up the Cisco 2960 Switch


The diagram depicts steps to power up a switch.

Step 1 - Check the Components


Ensure all the components that came with the Cisco 2960 switch are available. These include the
console cable, power cord, Ethernet cable, and switch documentation.

Step 2 - Connect the Cables to the Switch


Connect the PC to the switch with a console cable and start a terminal emulation session. Connect
the A C power cord to the switch and to a grounded A C outlet.

Step 3 - Power up the switch


Some Cisco switch models do not have an on/off switch. The 2960 switch powers up as soon as the
power cord is connected to the electrical power.
Page 2:
Lab Activity

Power up a Cisco 2960 switch.

Click the lab icon to begin.

5.5.2 - Power Up the Cisco 2960 Switch


Link to Hands-on Lab: Powering Up a Switch.

5.5.3 Initial Switch Configuration

Page 1:
There are several ways to configure and manage a Cisco LAN switch.

• Cisco Network Assistant
• Cisco Device Manager
• Cisco IOS CLI
• CiscoView Management Software
• SNMP Network Management Products

Some of these methods use IP connectivity or a web browser to connect to the switch, which
requires an IP address. Unlike router interfaces, switch ports are not assigned IP addresses. To use
an IP-based management product or Telnet session to manage a Cisco switch, it is necessary to
configure a management IP address on the switch.

If the switch does not have an IP address, it is necessary to connect directly to the console port and
use a terminal emulation program to perform configuration tasks.

5.5.3 - Initial Switch Configuration


The diagram depicts brief descriptions of various network management options.

Cisco Network Assistant


PC-based network management G U I application optimized for LANs of small and medium-sized
businesses
Offers centralized management of Cisco switches through a user-friendly G U I
Used to configure and manage groups of switches or standalone switches
Available at no cost and can be downloaded from Cisco website

Device Manager
Web browser based software that is stored in the switch memory
Web interface that offers quick configuration and monitoring
Used to fully configure and monitor a switch
Access through a web browser or by using Telnet or S S H from a remote PC

Cisco I O S C L I
Based on Cisco I O S software and enhanced to support desktop-switching features
Used to fully configure and monitor the switch and members in a group of switches from the C L I
Access by connecting the PC directly to the switch console port or by using Telnet from a remote
PC

CiscoView
Displays the switch image used to set configuration parameters and to view switch status and
performance information
Purchased separately and it can be a standalone application or part of a Simple Network
Management Protocol (S N M P) platform

Simple Network Management Protocol


Managed from an S N M P-compatible management station
Examples of S N M P-compatible management stations are H P OpenView or SunNet Manager
Typically utilized at large companies

Page 2:
The Cisco Catalyst 2960 switch comes preconfigured and only needs to be assigned basic security
information before being connected to the network.

The commands to configure the host name and passwords on the switch are the same commands
used to configure the ISR. To use an IP-based management product or Telnet with a Cisco switch,
configure a management IP address.

To assign an address to a switch, the address must be assigned to a virtual local area network
(VLAN) interface. A VLAN allows multiple physical ports to be grouped together logically. By
default, there is one VLAN preconfigured in the switch, VLAN 1, that provides access to management
functions.

To configure the IP address assigned to the management interface on VLAN 1, enter global
configuration mode.

Switch>enable

Switch#configure terminal

Next, enter the interface configuration mode for VLAN 1.

Switch(config)#interface vlan 1
Set the IP address, subnet mask, and default gateway for the management interface. The IP address
must be valid for the local network where the switch is installed.

Switch(config-if)#ip address 192.168.1.2 255.255.255.0

Switch(config-if)#exit

Switch(config)#ip default-gateway 192.168.1.1

Switch(config)#end

Save the configuration by using the copy running-config startup-config command.

5.5.3 - Initial Switch Configuration


The diagram depicts C L I commands used to configure some basic switch parameters.

Switch>enable
Switch#configure terminal
Switch(config)#interface vlan 1
Switch(config-if)#ip address 192.168.1.2 255.255.255.0
Switch(config-if)#no shutdown
Switch(config-if)#exit
Switch(config)#ip default-gateway 192.168.1.1
Switch(config)#end
Switch#copy running-config startup-config

Page 3:
E-Lab Activity

Configure the basic settings on a Cisco Catalyst switch.

Click the lab icon to begin.

5.5.3 - Initial Switch Configuration


Link to E-Lab: Configuring a Cisco 2960 Switch.

Page 4:
Packet Tracer Activity

Perform a basic switch configuration.

Click the Packet Tracer icon to begin.

5.5.3 - Initial Switch Configuration


Link to Packet Tracer Exploration: Performing an Initial Switch Configuration.

5.5.4 Connecting the LAN Switch to the Router

Page 1:
Connect the Switch to the Network

To connect the switch to a router, use a straight-through cable. LED lights on the switch and router
indicate that the connection is successful.

After the switch and router are connected, determine if the two devices are able to exchange
messages.

First, check the IP address configuration. Use the show running-config command to verify
that the IP address of the management interface on the switch VLAN 1 and the IP address of the
directly connected router interface are on the same local network.

Then test the connection using the ping command. From the switch, ping the IP address of the
directly connected router interface. Repeat the process from the router by pinging the management
interface IP address assigned to the switch VLAN 1.

If the ping is not successful, verify the connections and configurations again. Check to ensure that
all the cables are correct and that the connections are seated.

After the switch and router are successfully communicating, individual PCs can be connected to the
switch using straight-through cables. These cables can be directly connected to the PCs, or can be
used as part of the structured cabling leading to wall outlets.

5.5.4 - Connecting the LAN Switch to the Router


Hosts H 1, H 2, and H 3 are connected to a 2960-24TT switch. The switch is connected to an 1841
router.

Link between H3 and 2960-24TT Switch


Connect PCs to the switch using a straight-through Ethernet cable.
Green Lights of 2960-24TT Switch
The port lights on the switch will blink green when the connection is up and running.

Link between 1841 and 2960-24TT Switch


Connect the router to the switch using a straight-through Ethernet cable.

Page 2:
Switch ports can be an entry point to the network for unauthorized users. To prevent this, switches
provide a feature called port security. Port security limits the number of valid MAC addresses
allowed per port. The port does not forward packets with source MAC addresses that are outside the
group of defined addresses.

There are three ways to configure port security.

Static

MAC addresses are manually assigned using the switchport port-security mac-address
[mac-address] interface configuration command. Static MAC addresses are stored in the address
table and added to the running configuration.

Dynamic

MAC addresses are dynamically learned and stored in the address table. The number of addresses
learned can be controlled. By default, the maximum number of MAC addresses learned per port is
one. Addresses that are learned are cleared from the table if the port is shut down or if the switch is
restarted.

Sticky

Similar to dynamic, except that the addresses are also saved to the running configuration.

Port security is disabled by default. If port security is enabled, a violation will result in the port
being shut down. For example, if dynamic port security is enabled and the maximum number of
MAC addresses per port is one, the first address learned becomes the secure address. If another
workstation attempts to access the port with a different MAC address, a security violation occurs.

There is a security violation when either of these situations occurs:

• The maximum number of secure MAC addresses has been added to the address table, and a
device with a MAC address that is not in the address table attempts to access the interface.
• An address learned or configured on one secure interface is seen on another secure interface
in the same VLAN.

Before port security can be activated, the port must be set to access mode with the switchport
mode access command.
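
The access-mode prerequisite and the separate enabling command can be checked offline against a saved configuration. The following Python check is an added example, not part of the course material; the configuration excerpt, the interface names and the finding texts are constructed for illustration.

```python
import re

# Constructed IOS-style configuration excerpt (not taken from a real device).
SAMPLE_CONFIG = """\
interface FastEthernet0/1
 switchport mode access
 switchport port-security
 switchport port-security mac-address sticky
!
interface FastEthernet0/2
 switchport mode access
 switchport port-security maximum 50
 switchport port-security mac-address sticky
!
interface FastEthernet0/3
 switchport port-security
!
interface FastEthernet0/4
 switchport mode access
!
interface FastEthernet0/5
 shutdown
!
interface Vlan1
 ip address 192.168.1.2 255.255.255.0
!
"""

# Finding texts are this example's own wording.
NOT_ACCESS = "not in access mode, so port security cannot be activated"
NOT_ENABLED = "port-security options set, but 'switchport port-security' is missing"
NO_SECURITY = "port security not enabled"

# Only physical Ethernet ports are audited; VLAN interfaces are skipped.
PHYSICAL = re.compile(r"^(Fast|Gigabit)Ethernet\d")


def parse_interfaces(config):
    """Return {interface name: [sub-commands]} from IOS-style config text."""
    blocks, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
            blocks[current] = []
        elif line.startswith(" ") and current is not None:
            # Indented lines belong to the interface; normalise spacing.
            blocks[current].append(" ".join(line.split()))
        else:
            current = None  # "!" or any global command ends the block
    return blocks


def audit_port(commands):
    """Return the list of findings for one interface's sub-commands."""
    if "shutdown" in commands:
        return []  # a disabled port cannot be used as an entry point
    access = "switchport mode access" in commands
    enabled = "switchport port-security" in commands
    options = [c for c in commands if c.startswith("switchport port-security ")]
    findings = []
    if not access:
        findings.append(NOT_ACCESS)
    if options and not enabled:
        # maximum / mac-address lines alone do not turn the feature on
        findings.append(NOT_ENABLED)
    elif not enabled:
        findings.append(NO_SECURITY)
    return findings


def audit(config):
    """Return {port: findings} for every physical port with at least one finding."""
    report = {}
    for name, commands in parse_interfaces(config).items():
        if PHYSICAL.match(name):
            findings = audit_port(commands)
            if findings:
                report[name] = findings
    return report


if __name__ == "__main__":
    for port, findings in audit(SAMPLE_CONFIG).items():
        for finding in findings:
            print(f"{port}: {finding}")
```
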

5.5.4 - Connecting the LAN Switch to the Router


The diagram depicts the following configuration commands for port security: configure static port
security, configure dynamic port security, and configure sticky port security.

Configure Static Port Security


Cisco I O S C L I Command Syntax

Enter global configuration mode:
S1#configure terminal

Specify the type and number of the physical interface to configure, for example FastEthernet 0/18,
and enter interface configuration mode:
S1(config)#interface fastEthernet 0/18

Set the interface mode to access. An interface in the dynamic desirable default mode cannot be
configured as a secure port:
S1(config-if)#switchport mode access

Enable port security on the interface and assign the static MAC address:
S1(config-if)#switchport port-security
S1(config-if)#switchport port-security mac-address [mac-address]

Return to privileged EXEC mode:
S1(config-if)#end

Configure Dynamic Port Security


Cisco I O S C L I Command Syntax

Enter global configuration mode:
S1#configure terminal

Specify the type and number of the physical interface to configure, for example FastEthernet 0/18,
and enter interface configuration mode:
S1(config)#interface fastEthernet 0/18

Set the interface mode to access. An interface in the dynamic desirable default mode cannot be
configured as a secure port:
S1(config-if)#switchport mode access

Enable port security on the interface:
S1(config-if)#switchport port-security

Return to privileged EXEC mode:
S1(config-if)#end

Configure Sticky Port Security


Enter global configuration mode:
S1#configure terminal

Specify the type and number of the physical interface to configure:
S1(config)#interface fastEthernet 0/18

Set the interface mode to access:
S1(config-if)#switchport mode access

Enable port security on the interface:
S1(config-if)#switchport port-security

Set the maximum number of secure addresses to 50:
S1(config-if)#switchport port-security maximum 50

Enable sticky learning of MAC addresses:
S1(config-if)#switchport port-security mac-address sticky

Return to privileged EXEC mode:
S1(config-if)#end

More Information Popup


Port security is similar to MAC-address filtering on the Linksys device. Only secure MAC
addresses, learned dynamically or manually configured, are permitted to send and receive messages
over the network.

Page 3:
To verify port security settings for the switch or the specified interface, use the show port-security
interface interface-id command. The output displays the following:

• Maximum allowed number of secure MAC addresses for each interface


• Number of secure MAC addresses on the interface
• Number of security violations that have occurred
• Violation mode

Additionally, the show port-security address command displays the secure MAC addresses for all
ports, and the show port-security command displays the port security settings for the switch.

If static port security or sticky port security is enabled, the show running-config command can be
used to view the MAC address associated with a specific port. There are three ways to clear a
learned MAC address that is saved in the running configuration:

• Use the clear port-security sticky interface [port-number] access command to clear any learned
addresses. Next, shut down the port using the shutdown command. Finally, re-enable the
port using the no shutdown command.
• Disable port security using the no switchport port-security interface command. Once
disabled, re-enable port security.
• Reboot the switch.

Rebooting the switch will only work if the running configuration is not saved to the startup
configuration file. If the running configuration is saved to the startup configuration file, that will
eliminate the need for the switch to relearn addresses when the system reboots. However, the
learned MAC address will always be associated with a particular port unless the port is cleared
using the clear port-security command or by disabling port security. If this is done, be sure to re-save
the running configuration to the startup configuration file to prevent the switch from reverting to the
original associated MAC address upon reboot.

If there are any ports on a switch that are unused, best practice is to disable them. It is simple to
disable ports on a switch. Navigate to each unused port and issue the shutdown command. If a port
needs to be activated, enter the no shutdown command on that interface.

In addition to enabling port security and shutting down unused ports, other security configurations
on a switch include setting passwords on vty ports, enabling login banners, and encrypting
passwords with the service password-encryption command. For these configurations, use the same
Cisco IOS CLI commands as those used to configure a router.
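
One way to check a saved configuration for the hardening items described above, as an added example that is not part of the course material: the Python script below audits a running-config excerpt for active ports that are not secure access ports, missing password encryption, and vty lines without a password. The sample configuration is constructed, and the function names are assumptions made for illustration.

```python
import re

# Constructed running-config excerpt for illustration (not from the course).
SAMPLE_CONFIG = """\
service password-encryption
!
interface FastEthernet0/1
 switchport mode access
 switchport port-security
 switchport port-security mac-address sticky
!
interface FastEthernet0/2
 switchport mode access
!
interface FastEthernet0/3
!
interface FastEthernet0/4
 shutdown
!
line vty 0 4
 password 7 0000000000
 login
line vty 5 15
 login
!
"""

def parse_stanzas(config, keyword):
    """Return {stanza header: [indented sub-commands]} for one stanza type."""
    stanzas, current = {}, None
    for line in config.splitlines():
        if line.startswith(keyword + " "):
            current = stanzas.setdefault(line.strip(), [])
        elif line.startswith(" ") and current is not None:
            current.append(line.strip())
        else:
            current = None
    return stanzas

def audit(config):
    """Return (location, problem) pairs for the hardening items checked."""
    findings = []
    if not re.search(r"^service password-encryption$", config, re.M):
        findings.append(("global", "service password-encryption missing"))
    for header, cmds in parse_stanzas(config, "interface").items():
        name = header.split(None, 1)[1]
        if "shutdown" in cmds:
            continue  # disabled port, nothing to secure
        if "switchport mode access" not in cmds:
            findings.append((name, "not in access mode, cannot be a secure port"))
        if "switchport port-security" not in cmds:
            findings.append((name, "port security not enabled"))
    for header, cmds in parse_stanzas(config, "line vty").items():
        if "login" not in cmds or not any(c.startswith("password ") for c in cmds):
            findings.append((header, "vty line without password and login"))
    return findings

if __name__ == "__main__":
    for where, problem in audit(SAMPLE_CONFIG):
        print(f"{where}: {problem}")
```

Uplink or trunk ports will also be reported as not being in access mode; treat those findings as items to review rather than as errors.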

5.5.4 - Connecting the LAN Switch to the Router


The diagram depicts terminal windows that contain the output displayed when verifying port security
settings and verifying secure MAC addresses.

Verify Port Security Settings

Switch# show port-security interface fastEthernet 0/18

The output is available in the Hands-on Lab: Configuring the Cisco 2960 switch.

Verify Secure MAC Addresses

Switch# show port-security address
Secure Mac Address Table
Vlan  Mac Address  Type  Ports  Remaining Age (mins)
99050.BAA6.06CE  SecureConfigured  Fa0/18  -
Total Addresses in System (excluding one mac per port): 0
Max addresses limit in System (excluding one mac per port): 8320

Page 4:
Packet Tracer Activity

Configure and connect the switch to the LAN using a configuration checklist.
Click the Packet Tracer icon to begin.

5.5.4 - Connecting the LAN Switch to the Router


Link to Packet Tracer Exploration: Connecting a Switch

Page 5:
Lab Activity

Configure and connect the Cisco 2960 switch.

Click the lab icon to begin.

5.5.4 - Connecting the LAN Switch to the Router


Link to Hands-on Lab: Configuring the Cisco 2960 Switch

5.5.5 Cisco Discovery Protocol

Page 1:
Cisco Discovery Protocol (CDP) is an information-gathering tool used on a switch, ISR, or router to
share information with other directly connected Cisco devices. By default, CDP begins running
when the device boots up. It then sends periodic messages, known as CDP advertisements, onto its
directly connected networks.

CDP operates at Layer 2 only and can be used on many different types of local networks, including
Ethernet and serial networks. Because it is a Layer 2 protocol, it can be used to determine the status
of a directly connected link when no IP address has been configured, or if the IP address is
incorrect.

Two Cisco devices that are directly connected on the same local network are referred to as being
neighbors. The concept of neighbor devices is important to understand when interpreting the output
of CDP commands.

Information gathered by CDP includes:

• Device identifiers - Configured host name
• Address list - Layer 3 address, if configured
• Port identifier - Directly connected port; for example, serial 0/0/0
• Capabilities list - Function or functions provided by the device
• Platform - Hardware platform of the device; for example, Cisco 1841

The output from the show cdp neighbors and show cdp neighbors detail commands displays the
information that a Cisco device collects from its directly connected neighbors.

Viewing CDP information does not require logging in to the remote devices. Because CDP collects
and displays a lot of information about directly connected neighbors, and no login is required, it is
usually disabled in production networks for security purposes. Additionally, CDP consumes
bandwidth and can impact network performance.

5.5.5 - Cisco Discovery Protocol


The diagram depicts a host, H2, connected to a switch with network address 172.16.1.0/24, which
is connected to Fa0/0 of router R2, with the IP address 172.16.1.1/24. R2 is connected via
S0/0/0 with the address 172.16.2.2/24 to S0/0/1 of router R1 with the address 172.16.2.1/24.
R1 is connected via Fa0/0 with the address 172.16.3.1/24 to a switch, which is connected to
host H1. R2 is connected via S0/0/1 DCE with the address 192.168.1.2/24 to router R3, with
the address 192.168.1.1/24. R3 is connected via Fa0/0 with address 192.168.2.1/24 to a switch,
which is connected to host H3.

Show CDP Neighbors

R3# show cdp neighbors
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
                  S - Switch, H - Host, I - IGMP, r - Repeater, P - Phone

Device ID   Local Intrfce   Holdtime   Capability   Platform     Port ID
Switch      Fas 0/0         133        S I          WS-C2950-2   Fas 0/11
R2          Ser 0/0/1       49         R S I        Cisco 1841   Ser 0/0/1

Show CDP Neighbors Detail

R3# show cdp neighbors detail
Device ID: R2
Entry address(es):
  IP address: 192.168.1.2
Platform: Cisco 1840, Capabilities: Router Switch IGMP
Interface: Serial 0/0/1, Port ID (outgoing port): Serial 0/0/1
Holdtime : 161 sec

Version:
Cisco IOS Software, 1840 Software (C1841-ADVIPSERVICESK-9M), Version 12.4(10b),
RELEASE SOFTWARE (fc3)
Technical support: http://www.cisco.com/techsupport
Copyright (c) 1986-2007 by Cisco Systems, Inc.
Compiled Fri 19-Jun-07 15:15 by prod_rel_team

Advertisement version: 2
VTP Management Domain:

Device ID: s3
Entry address(es):
Platform: Cisco WS-C2950-24, Capabilities: Switch IGMP
Interface: FastEthernet 0/0, Port ID (outgoing port): FastEthernet 0/11
Holdtime : 148 sec

Version:
Cisco Internetwork Operating System Software
IOS c2950 Software (c2950-I6Q4L2-M), Version 12.1(9)EA1, RELEASE SOFTWARE (fc1)
Copyright (c) 1986-2002 by Cisco Systems, Inc.
Compiled Wed 24-Apr-02 06:57 by antonio

Advertisement version: 2
Protocol Hello: OUI=0x0000C, protocol ID=0x0112; payload len=27,
Value=00000000FFFFFFFF010231FF000000000000000AB769F6C0FF0000
VTP Management Domain: "CCNA3"
Duplex: full

R3#

Show Disabling and Enabling CDP

To disable CDP globally, use:

R3(config)# no cdp run

or, to disable CDP on only an interface:

R3(config-if)# no cdp enable

If CDP is disabled globally, it must be enabled globally and per interface with the following two
commands:

Router(config)# cdp run
Router(config-if)# cdp enable
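
To see how much a device learns about its neighbors without any login, the following added example (not part of the course material) parses show cdp neighbors detail output in the layout shown above and lists, per neighbor, which details are disclosed. The sample output is constructed, and the function and field names are assumptions made for illustration.

```python
import re

# Constructed output in the layout of `show cdp neighbors detail` (illustration only).
SAMPLE_OUTPUT = """\
Device ID: EDGE-RTR
Entry address(es):
  IP address: 192.0.2.1
Platform: Cisco 1841, Capabilities: Router Switch IGMP
Interface: FastEthernet0/0, Port ID (outgoing port): FastEthernet0/1
Holdtime : 161 sec

Version:
Cisco IOS Software, 1841 Software, Version 12.4(10b), RELEASE SOFTWARE (fc3)

Advertisement version: 2
VTP Management Domain:

Device ID: ACCESS-SW
Entry address(es):
Platform: Cisco WS-C2950-24, Capabilities: Switch IGMP
Interface: FastEthernet0/1, Port ID (outgoing port): FastEthernet0/11
Holdtime : 148 sec

Version:
Cisco Internetwork Operating System Software
IOS c2950 Software, Version 12.1(9)EA1, RELEASE SOFTWARE (fc1)

Advertisement version: 2
VTP Management Domain: "LAB"
"""

# One pattern per detail a neighbor may advertise; absent fields are skipped.
FIELDS = {
    "ip_address": r"IP address:\s*(\S+)",
    "platform": r"Platform:\s*([^,\n]+)",
    "local_interface": r"Interface:\s*([^,\n]+)",
    "software_version": r"Version (\S+?),",
    "vtp_domain": r'VTP Management Domain:\s*"([^"]+)"',
}

def parse_neighbors(output):
    """Split the output into one record per 'Device ID:' entry."""
    neighbors = []
    for block in re.split(r"(?m)^(?=Device ID:)", output):
        match = re.match(r"Device ID:\s*(\S+)", block)
        if not match:
            continue  # text before the first entry
        entry = {"device_id": match.group(1)}
        for name, pattern in FIELDS.items():
            found = re.search(pattern, block)
            if found:
                entry[name] = found.group(1).strip()
        neighbors.append(entry)
    return neighbors

def exposure_report(neighbors):
    """Map each neighbor to the details it advertises to any connected device."""
    return {n["device_id"]: sorted(k for k in n if k != "device_id") for n in neighbors}

if __name__ == "__main__":
    for device, fields in exposure_report(parse_neighbors(SAMPLE_OUTPUT)).items():
        print(f"{device}: {', '.join(fields)}")
```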

Page 2:
Packet Tracer Activity

Use the CDP show commands to discover information about devices in the network.

Click the Packet Tracer icon to begin.

5.5.5 - Cisco Discovery Protocol


Link to Packet Tracer Exploration: Using CDP as a Network Discovery Tool

5.6 Chapter Summary


5.6.1 Summary

Page 1:
5.6.1 - Summary
Diagram 1, Image
The diagram depicts the components of a router.

Diagram 1 text
The key components on a Cisco 1841 ISR are:
HWIC slots
Compact flash module
USB port
Dual 10/100 Fast Ethernet ports
Console and auxiliary ports
System Power LED

The router bootup process has three stages:


1. Performing the POST.
2. Locating and loading the IOS software.
3. Locating and executing the startup configuration file.

There are two possible methods to connect a PC to a network device for configuration and
monitoring tasks, in-band and out-of-band management.

Diagram 2, Image
The diagram depicts packaging for Cisco Router and Security Device Manager (SDM), and Cisco
SDM Express software.

Diagram 2 text
Cisco Router and Security Device Manager (SDM) is a graphical user interface (GUI) tool that can
be used to configure, monitor, and maintain Cisco devices. Cisco SDM is the recommended way to
configure a new Cisco ISR.
The Cisco IOS command line interface (CLI) is a text-based program that enables the entering
and executing of Cisco IOS commands to configure, monitor, and maintain Cisco devices. The
Cisco IOS CLI is used for the advanced configuration of Cisco devices and to configure older
devices that do not support SDM.
The configuration checklist job aid is an important tool to help ensure that the customer gets the
configuration they want.

Diagram 3, Image

The diagram depicts a Cisco SDM Express Wizard form.

Diagram 3 text
SDM Express is a tool bundled within the Cisco Router and Security Device Manager that makes it
easy to create a basic router configuration.
SDM is a more advanced GUI interface with more configuration options available.
Both SDM and SDM Express use GUI-based configuration Wizards to simplify the configuration
of the Cisco devices.
Some of the features that can be configured include: basic configuration, LAN IP configurations,
DHCP, WAN IP configurations and NAT.

Diagram 4, Image
The diagram depicts output in an SSH HyperTerminal window.

Diagram 4 text
The CLI does not provide step-by-step configuration assistance; therefore it requires more
planning and expertise to complete.
The privileged exec, global config and interface modes are all used when configuring a router using
the Cisco IOS CLI.
Context-sensitive help can provide suggestions for completing a command as well as determining
additional command parameters.

Diagram 5, Image
The diagram depicts output in an SSH HyperTerminal window.

Diagram 5 text
The IOS show commands are a fundamental tool for verifying and troubleshooting router
configurations.
The startup configuration file is stored on the device in NVRAM and is loaded into working
memory when the device begins operation.
The running configuration is the set of commands that is currently active in the device RAM.
The IOS CLI can be used to configure basic router settings including router name, password, and
banners. It can also be used to configure serial and Ethernet interfaces, DHCP, and NAT.

Diagram 6, Image
The diagram depicts a WAN.

Diagram 6 text
A WAN connection is a type of network connection that can send a network signal over long
distances.
There are three types of serial WAN connections: point-to-point, circuit switched and packet
switched. Choosing the correct WAN involves planning and consideration.
Cisco devices can be configured remotely across a WAN connection using Telnet or SSH. SSH is
the preferred method.
Some WAN connections support Ethernet interfaces. Other WAN connections support serial
interfaces.

Diagram 7, Image
The diagram depicts components of a switch.

Diagram 7 text
The key components of a Cisco Catalyst 2960 Series Switch are:
24 10/100 Ethernet ports
Port status LEDs
Mode button
Console port
Dual-purpose 10/100/1000 or SFP port
Cisco IOS LAN-based software image

The 2960 supports port autonegotiation of duplex and speed.

Diagram 8, Image
The diagram depicts switch configuration information.

Diagram 8 text
When configured with an IP address, interface VLAN 1 allows you to remotely manage the switch
using SSH or other TCP/IP applications such as network management software.
A basic switch configuration includes switch name and encrypted passwords used to access the
switch and the Cisco CLI configuration commands.
Port security limits the number of valid MAC addresses allowed per port and can be configured
as static, dynamic, or dynamic sticky.

5.7 Chapter Quiz


5.7.1 Quiz

Page 1:
Take the chapter quiz to check your knowledge.

Click the quiz icon to begin.

5.7.1 - Quiz
Chapter 5 Quiz: Configuring Network Devices

1.When configuring an ISR device using Cisco SDM Express Wizard, what does setting the Enable
Secret Password field accomplish?
a.ensures that authorization must be granted before accessing the Internet.
b.blocks unauthorized users from accessing the LAN.
c.controls access to user executable mode.
d.controls access to privileged mode.

2.When using Cisco SDM, which WAN encapsulation type can be configured to require a username
and password before a connection is granted?
a.high-level data link control (HDLC).
b.frame relay.
c.point-to-point protocol (PPP).
d.ATM PVC.

3.What speed and duplex setting will result on a Catalyst switch if it is set to auto-negotiate speed
and duplex and is connected to a 100 Mbps port on a device that does not support auto-negotiation?
a.10 half duplex
b.10 full duplex
c.100 half duplex
d.100 full duplex

4.Which method can be used to configure a Cisco Catalyst switch before an IP address has been
applied to the management interface?
a.Cisco IOS CLI using VLAN 1.
b.Cisco IOS CLI using console port.
c.Cisco device manager using console port.
d.CiscoView software using VLAN 1.

5.What is a secure way that a client can connect to a device in-band for the purpose of remote
monitoring and administration?
a.Telnet
b.HTTP
c.SSH
d.console port

6.Which type of wide area network (WAN) connection uses packet switched networks?
a.ISDN
b.dial-up
c.frame relay
d.point-to-point

7.A small company with two offices in the same building is requesting advice on WAN connections.
Which two questions would give a technician information to base a recommendation? (Choose
two.)
a.What operating system is being used?
b.How much money has the customer budgeted to spend on the WAN connection?
c.What type of e-mail client software is used by the employees?
d.Are the computers laptops or workstations?
e.Are the company web servers located in the building or at the ISP?

8.What is one fundamental difference between Cisco's CLI and the SDM interface?
a.The SDM interface can be used with both in-band and out-of-band management.
b.The CLI interface can be used with both in-band and out-of-band management.
c.The SDM interface requires a terminal emulation program on the PC.
d.The CLI interface cannot be used over a Telnet connection.

9.Which two statements describe the command history feature? (Choose two.)
a.It requires configuration of a history buffer before it can be used.
b.It displays the most recently entered command strings in the current mode.
c.It saves the output from the most recent show commands.
d.It displays the last five commands that were entered in global configuration mode.
e.It can be accessed by using the up and down arrow keys.

10.Which router mode displays a prompt of Router#?


a.global configuration mode
b.privileged EXEC mode
c.setup mode
d.user EXEC mode

11.In which two cases would out-of-band management of a router be required? (Choose two.)
a.when accessing a customer router from the ISP to monitor the normal operation.
b.to access and configure the router before the IP network is operational.
c.to correct an error that has shut down the network interfaces on a router.
d.when the NAT translation configuration settings are incorrect.
e.to back up the running configuration on a tftp server.

12.Which two statements describe the result of entering the ip route 0.0.0.0 0.0.0.0 192.168.1.1
command on a router? (Choose two.)
a.The router is not able to reach the 192.168.1.0 network.
b.All packets received by the router are sent to the address 192.168.1.1.
c.The remote network 192.168.1.0 can be reached using any interface.
d.A default static route is added to the routing table.
e.If a route to a destination network is not known, the packet is sent to 192.168.1.1.

13.Identify the category where each command belongs.


Commands
enable
ip address 172.16.1.1 255.255.255.0
show ip route
ping
no shutdown
configure terminal
show interfaces
interface fastethernet 0/0
Categories
a.Used to change router modes or sub-modes.
b.Used by administrator to verify or monitor router operation.
c.Affects the operation of the network.

14.What is the purpose of assigning an IP address to the interface VLAN 1 on the Cisco switch?
a.to be able to telnet to the switch to manage and configure it.
b.to enable the switch to route between networks.
c.to create a new IP local network on the switch.
d.to permit IP packets to be forwarded by the switch.

15.Match each step of the router bootup process to the correct order of operation.
Operations
locate the IOS
load the bootstrap program
load the IOS
load the configuration file/enter setup mode
locate the configuration file
perform POST
Steps
Step 1
Step 2
Step 3
Step 4
Step 5
Step 6
