
VLANs and TRUNKING (Catalyst 1900 Switches)


Copyright (c) 1998-2004 Boson Software, Inc. All Rights Reserved.

LAB 11 – VLANs and TRUNKING (Catalyst 1900 Switches)

1. In this lab, you will set up VLANs on the Catalyst 1900 switches and test them by
pinging between router4 and PC1. Router4 is connected to e0/1 on switch1 and PC1 is
connected to e0/1 on switch2. Switch1 and switch2 are interconnected through their
fa0/26 Fast Ethernet ports.
2. Using winipcfg on PC1, configure an IP address of 195.10.1.2/24 and a default
gateway of 195.10.1.1 (if not already configured from a previous lab).
c:> winipcfg

3. Verify you can presently ping between PC1 and router4. If you cannot ping
successfully, check that router4’s Ethernet0 IP address is 195.10.1.1/24 and that the
interface is enabled. Also, using the winipcfg utility, check that the PC has a configured
IP address of 195.10.1.2/24.
c:> ping 195.10.1.1

4. On switch1 and switch2, issue the show vlan command. You should note that, by
default, all switch ports are in VLAN1. Because router4, PC1, and the switch-to-switch
link are all in VLAN1, you should be able to ping between PC1 and router4.
1900swx# show vlan

5. On switch1 and switch2, set up a VTP domain called bigdomain. Verify it has been
created with the show vtp command.
a. Question: what VTP operating mode are the switches in?
1900swx(config)# vtp domain bigdomain
1900swx(config)# exit
1900swx# show vtp


6. On switch1 and switch2, create VLAN 10, calling it ccnavlan. Issue the show vlan
command to verify it was successfully created.
a. Question: do you see any ports connected to VLAN 10? If not, why not?
1900swx(config)# vlan 10 name ccnavlan
1900swx(config)# exit
1900swx# show vlan

7. On switch1 and switch2, assign the e0/1 ports to the new VLAN you created. Router4
and PC1 are attached to these ports. Issue the show vlan command on both switches to
verify these ports have been moved to VLAN10. Also, issue the show vlan-membership
command. This is another command that shows VLAN assignments by port on the
1900.

1900swx(config)# interface e0/1
1900swx(config-if)# vlan-membership static 10
1900swx(config-if)# ctrl-z
1900swx# show vlan
1900swx# show vlan-membership

8. Now that both router4 and PC1 are in VLAN10, try to ping from the PC1 to router4. It
should fail.
a. Question: if both devices are in the same VLAN, why should the pings fail?
c:> ping 195.10.1.1

9. Make the link between switch1 and switch2 a trunk line capable of carrying traffic for
any VLAN. Use the show trunk a command to verify trunking is enabled on port fa0/26
on both switches (it should say “Trunking: on”).
a. Question: what trunking protocol does the 1900 use – ISL or 802.1Q?
1900swx(config)# interface fa0/26
1900swx(config-if)# trunk on
1900swx(config-if)# ctrl-z
1900swx# show trunk a

10. Now ping between PC1 and router4. The pings should succeed because both devices
are in the same VLAN and the inter-switch link is a trunk line capable of carrying traffic
for any VLAN.
c:> ping 195.10.1.1



LAB 12 - CATALYST 2950 SWITCH CONFIGURATION

1. In this lab, you will configure basic IOS commands on switch3 and switch4 which are
Catalyst 2950 switches.
2. From the NetSim tool bar, select Switch3 (Catalyst 2950). Press enter to get into the
user prompt mode.
Enter enable to get into privileged mode. Type ? to see a list of privileged mode
commands. Enter disable to go back to user mode.
enter
> enable
# ?
# disable
>

3. On switch3, go into privileged mode and then into global configuration mode. Assign
Switch3 a host name of 2950sw3. Use exit or ctrl-z to get out of configuration mode.
> enable
# configure terminal
(config)# hostname 2950sw3
2950sw3(config)# exit
2950sw3#

4. On switch3, type show running-config to see the active configuration.
a. Question: Do you need to issue copy running-config startup-config on the Catalyst
2950 to save the running configuration?
2950sw3# show running-config

5. On switch3, type copy running-config startup-config to save the active configuration to
NVRAM. Display the saved configuration in NVRAM with the show startup-config
command.
2950sw3# copy running-config startup-config
2950sw3# show startup-config

6. On switch3, erase the saved configuration and reload the box.
2950sw3# erase startup-config
2950sw3# reload

7. On switch3, go into privileged mode and then into global configuration mode.
Reassign the switch a hostname of 2950sw3 and an enable password of ‘cisco’
(unencrypted). Assign the switch an IP address of 197.10.1.99 with a subnet mask of
255.255.255.0. Assign the switch a default gateway of 197.10.1.1 (router3’s Ethernet
address).

> enable
# configure terminal
(config)# hostname 2950sw3
2950sw3(config)# enable password cisco

2950sw3(config)# interface vlan1
2950sw3(config-if)# ip address 197.10.1.99 255.255.255.0
2950sw3(config-if)# no shutdown
2950sw3(config-if)# exit
2950sw3(config)# ip default-gateway 197.10.1.1

8. On switch3, issue the show interface vlan1 command to verify that the IP address,
mask, and default gateway are correct.
2950sw3# show interface vlan1

9. On switch3, issue the show interfaces command.
a. Question: What is the Spanning Tree (802.1D) state of interface fa0/1?
b. Question: What is the duplex setting for interface fa0/2?
2950sw3# show interfaces

10. From the NetSim tool bar, select Switch 4 (Catalyst 2950). Configure it with a
hostname of 2950sw4 and an enable password of cisco (the enable password should be
encrypted when displaying the configuration file). Assign an IP address of
197.10.1.100/24 and a default gateway of 197.10.1.1.
> enable
# configure terminal
(config)# hostname 2950sw4
2950sw4(config)# enable secret cisco
2950sw4(config)# interface vlan1
2950sw4(config-if)# ip address 197.10.1.100 255.255.255.0
2950sw4(config-if)# no shutdown
2950sw4(config-if)# exit
2950sw4(config)# ip default-gateway 197.10.1.1

On switch4, issue the show version command.

2950sw4# show version

11. On switch4, issue the show spanning-tree command.
a. Question: what is the address of the root bridge?
b. Question: what is the port cost of fa0/1?
c. Question: what is the maxage interval?
d. Question: what is the hello interval?
2950sw4# show spanning-tree

12. On switch4, issue the show mac-address-table command. This shows which devices
are attached to which switch ports.

2950sw4# show mac-address-table

13. On switch4, permanently assign a device with MAC address 4444-4444-4444 to port
fa0/5. Issue the show mac-address-table command to verify the device is in the table as a
permanent entry.
2950sw4(config)# mac-address-table static 4444-4444-4444 vlan 1 int fa0/5
2950sw4(config)# exit
2950sw4# show mac-address-table

14. On switch4, configure port security for port fa0/9. The switch will ‘sticky-learn’ the
MAC address of the device connected to port fa0/9 and will only allow that device to
connect to the port in the future.
2950sw4(config)# interface fa0/9
2950sw4(config-if)# switchport port-security
2950sw4(config-if)# switchport port-security maximum 1
2950sw4(config-if)# switchport port-security mac-address sticky
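
Steps 7, 10 and 14 leave two settings in the configuration that are worth checking on any switch: whether the enable password is stored in clear text, and whether a port-security port keeps its learned MAC address. The audit below is an added example, not part of the Boson lab; both configurations are constructed samples and the hash in the second one is a placeholder.

```python
import re

# Constructed running-config excerpts (not captured from a device).
WEAK = """hostname 2950sw3
enable password cisco
interface FastEthernet0/9
 switchport port-security
 switchport port-security maximum 1
"""
HARDENED = """hostname 2950sw4
enable secret 5 $1$CONSTRUCTED$notARealHashValue000000
interface FastEthernet0/9
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address sticky
"""

def interface_blocks(config):
    """Map each interface name to the list of its indented sub-commands."""
    blocks, current = {}, None
    for line in config.splitlines():
        header = re.match(r"interface (\S+)", line)
        if header:
            current = blocks.setdefault(header.group(1), [])
        elif line.startswith(" ") and current is not None:
            current.append(line.strip())
        else:
            current = None
    return blocks

def audit(config):
    """Return findings for the enable password and port-security settings."""
    findings = []
    for line in config.splitlines():
        # 'enable password <text>' is readable by anyone who can view the config.
        if re.match(r"enable password (?!7 )", line):
            findings.append("enable password is stored in clear text; use enable secret")
    for name, cmds in interface_blocks(config).items():
        if "switchport port-security" not in cmds:
            continue
        if not any(c.startswith("switchport port-security mac-address") for c in cmds):
            findings.append(f"{name}: port-security has no sticky or static MAC; "
                            "the learned address is not kept in the configuration")
    return findings

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit(cfg) or "no findings")
```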




LAB 13 – VLANs and TRUNKING (Catalyst 2950 Switches)

1. In this lab, you will set up VLANs on switch3 and switch4 (Catalyst 2950
switches) and test them by pinging between router3 and PC2. Router3 is connected to
Fa0/1 on switch3 and PC2 is connected to Fa0/1 on switch4. Switch3 and switch4 are
interconnected through their fa0/12 Fast Ethernet ports.
2. On PC2 using winipcfg, configure an IP address of 197.10.1.2/24 and a default
gateway of 197.10.1.1.
c:> winipcfg

3. Verify you can presently ping between PC2 and router3. If you cannot ping
successfully, check that router3’s FastEthernet0 IP address is 197.10.1.1/24 and that the
interface is enabled. Also, using the winipcfg utility, check that PC2 has a configured IP
address of 197.10.1.2/24.
c:> ping 197.10.1.1

4. On switch3 and switch4, issue the show vlan command. You should note that, by
default, all switch ports are in VLAN1. Because router3, PC2, and the switch-to-switch
link are all in VLAN1, you should be able to ping between PC2 and router3.
2950swx# show vlan

5. On switch3 and switch4, set up a VTP domain called classroom. Verify it has been
created with the show vtp status command.
2950swx# vlan database
2950swx(vlan)# vtp domain classroom
2950swx(vlan)# ctrl-z
2950swx# show vtp status


6. On switch3 and switch4, create VLAN 20, calling it 2950vlan. Issue the show vlan
command to verify it was successfully created.
a. Question: do you see any ports connected to VLAN 20? If not, why not?
2950swx# vlan database
2950swx(vlan)# vlan 20 name 2950vlan
2950swx(vlan)# exit
2950swx# show vlan


7. On switch3 and switch4, assign the fa0/1 ports to the new VLAN you created. Router3
and PC2 are attached to these ports. Issue the show vlan command on both switches to
verify these ports have been moved to VLAN20.

2950swx(config)# interface fa0/1
2950swx(config-if)# switchport mode access
2950swx(config-if)# switchport access vlan 20
2950swx(config-if)# ctrl-z
2950swx# show vlan

8. Now that both router3 and PC2 are in VLAN20, try to ping from PC2 to router3. It
should fail.
a. Question: if both devices are in the same VLAN, why should the pings fail?
c:> ping 197.10.1.1

9. Make the link between switch3 and switch4 a trunk line capable of carrying traffic for
any VLAN.
Use the show interface fa0/12 switchport command to verify trunking is enabled on port
fa0/12 on both switches.
a. Question: what trunking protocol does the 2950 use – ISL or 802.1Q?

2950swx(config)# interface fa0/12
2950swx(config-if)# switchport mode trunk
2950swx(config-if)# ctrl-z
2950swx# show interface fa0/12 switchport

10. Now ping between PC2 and router3. The pings should succeed because both devices
are in the same VLAN and the inter-switch link is a trunk line capable of carrying traffic
for any VLAN.
c:> ping 197.10.1.1
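
The ping results in steps 4, 8 and 10 of Lab 13 (and the matching steps of Lab 11) follow from which VLANs the inter-switch port carries. The model below is an added example, not part of the Boson lab. It assumes no MAC learning or spanning tree, treats VLAN 1 as the untagged VLAN on a trunk, and has an access port drop any tagged frame.

```python
NATIVE_VLAN = 1  # assumption: untagged frames on a trunk belong to VLAN 1

def lab13_switch(host_vlan, uplink):
    """One Lab 13 switch: host port fa0/1 plus inter-switch port fa0/12."""
    return {"fa0/1": {"mode": "access", "vlan": host_vlan}, "fa0/12": dict(uplink)}

def cross_link(vlan, egress, ingress):
    """VLAN the frame lands in on the far switch, or None if it is dropped."""
    if egress["mode"] == "trunk":
        tag = None if vlan == NATIVE_VLAN else vlan   # trunk carries the VLAN id
    elif egress["vlan"] == vlan:
        tag = None                                    # access port sends untagged
    else:
        return None            # access uplink is not a member of the frame's VLAN
    if ingress["mode"] == "trunk":
        return NATIVE_VLAN if tag is None else tag
    return ingress["vlan"] if tag is None else None   # access port drops tagged frames

def reaches(src_sw, dst_sw):
    """True if a frame entering src fa0/1 can leave dst fa0/1."""
    vlan = src_sw["fa0/1"]["vlan"]
    far_vlan = cross_link(vlan, src_sw["fa0/12"], dst_sw["fa0/12"])
    return far_vlan is not None and far_vlan == dst_sw["fa0/1"]["vlan"]

def ping_ok(sw3, sw4):
    """A ping needs the echo request and the echo reply to both get through."""
    return reaches(sw4, sw3) and reaches(sw3, sw4)

ACCESS_UPLINK = {"mode": "access", "vlan": 1}   # fa0/12 before step 9
TRUNK_UPLINK = {"mode": "trunk"}                # fa0/12 after 'switchport mode trunk'

def lab13_results():
    """Ping outcome for the three switch states the lab walks through."""
    return {
        "step 4": ping_ok(lab13_switch(1, ACCESS_UPLINK), lab13_switch(1, ACCESS_UPLINK)),
        "step 8": ping_ok(lab13_switch(20, ACCESS_UPLINK), lab13_switch(20, ACCESS_UPLINK)),
        "step 10": ping_ok(lab13_switch(20, TRUNK_UPLINK), lab13_switch(20, TRUNK_UPLINK)),
    }

if __name__ == "__main__":
    for step, ok in lab13_results().items():
        print(step, "ping succeeds" if ok else "ping fails")
```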




LAB 14 – IP ACCESS-LISTS

1. In this lab, you will build standard and extended IP access-lists to filter traffic coming
inbound on router1’s serial0 interface.
2. Ensure you can ping router2 (160.10.1.2) from both router3 and router4. The path to
router2 is through router1’s serial0 interface. If you cannot successfully ping router2,
check that IP addresses have been assigned, all interfaces are up, and that a dynamic
routing protocol (RIP, IGRP, EIGRP, or OSPF) is running on all routers.
router3# ping 160.10.1.2
router4# ping 160.10.1.2

3. On router1, build a standard IP access-list that permits traffic from subnet 175.10.1.0,
but blocks traffic from all other devices. Apply this access-list to router1’s serial0
interface for inbound traffic.
a. Question: is a ‘deny any’ statement required in the access-list?
b. Question: what does the mask 0.0.0.255 mean in the access-list?
c. Question: can any number be assigned to a standard IP access-list?
router1(config)# access-list 1 permit 175.10.1.0 0.0.0.255
router1(config)# interface serial0
router1(config-if)# ip access-group 1 in

4. Test your access-list by pinging from router3 and router4 to router2. The pings from
router3 (in subnet 175.10.1.0) should succeed while the pings from router4 (in subnet
180.10.1.0) should fail.
5. On router1, build an extended IP access-list that will allow Telnet traffic from host
175.10.1.2 (router3), and ICMP traffic from host 180.10.1.2 (router4), but that will block
everything else. Remove the previous access-list and apply this new one to router1’s
serial0 interface.
a. Question: what are two ways you can specify a host address in an extended IP
access-list?
b. Question: what is the number range for extended IP access-lists?
c. Question: how would you permit RIP routing updates?
router1(config)# access-list 100 permit tcp host 175.10.1.2 any eq telnet
router1(config)# access-list 100 permit icmp host 180.10.1.2 any
router1(config)# interface serial0
router1(config-if)# no ip access-group 1 in
router1(config-if)# ip access-group 100 in

6. Test access-list 100 by pinging and telnetting from router3 and router4 to router2.
Router3 (175.10.1.2) should be able to telnet to router2, but not ping to it. Router4
(180.10.1.2) should be able to ping to router2, but not telnet to it.

router3# ping 160.10.1.2
router3# telnet 160.10.1.2
router4# ping 160.10.1.2
router4# telnet 160.10.1.2
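
The test results in steps 4 and 6 can be reproduced by evaluating the two access-lists the way IOS does: top to bottom, first match wins, and anything unmatched is dropped. The evaluator below is an added example, not part of the Boson lab. The entries are the ones configured above; the tuple layout and function names are assumptions made for the illustration.

```python
import ipaddress

def wildcard_match(addr, base, wildcard):
    """Cisco wildcard mask: a 0 bit must match, a 1 bit is ignored."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a | w) == (b | w)

# Entry layout: (action, protocol, source, source wildcard, destination port or None)
ACL_1 = [("permit", "ip", "175.10.1.0", "0.0.0.255", None)]
ACL_100 = [
    ("permit", "tcp", "175.10.1.2", "0.0.0.0", 23),     # host 175.10.1.2 any eq telnet
    ("permit", "icmp", "180.10.1.2", "0.0.0.0", None),  # host 180.10.1.2 any
]

def evaluate(acl, proto, src, dport=None):
    """First matching entry wins; no match falls through to the implicit deny."""
    for action, a_proto, base, wildcard, a_port in acl:
        if a_proto not in ("ip", proto):
            continue
        if not wildcard_match(src, base, wildcard):
            continue
        if a_port is not None and a_port != dport:
            continue
        return action
    return "deny"  # every IOS access-list ends with an unwritten 'deny any'

def lab14_results():
    """Outcomes for the tests in steps 4 and 6, plus an inbound RIP update."""
    return {
        "acl1 router3 ping": evaluate(ACL_1, "icmp", "175.10.1.2"),
        "acl1 router4 ping": evaluate(ACL_1, "icmp", "180.10.1.2"),
        "acl100 router3 telnet": evaluate(ACL_100, "tcp", "175.10.1.2", 23),
        "acl100 router3 ping": evaluate(ACL_100, "icmp", "175.10.1.2"),
        "acl100 router4 ping": evaluate(ACL_100, "icmp", "180.10.1.2"),
        "acl100 router4 telnet": evaluate(ACL_100, "tcp", "180.10.1.2", 23),
        # RIP updates are UDP port 520 and arrive on serial0 like any other packet.
        "acl100 router3 rip update": evaluate(ACL_100, "udp", "175.10.1.2", 520),
    }

if __name__ == "__main__":
    for test, verdict in lab14_results().items():
        print(f"{test}: {verdict}")
```

The last entry shows a side effect to watch for with inbound lists: routing updates received on the filtered interface are subject to the same implicit deny.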



LAB 15 - NAT/PAT

1. In this lab, you will configure the NAT/PAT function on router1. You will configure
three forms of translation: static network address translation, dynamic translation, and
overloading (port address translation). Remember to disable the access lists you
configured in the previous lab before continuing this lab.
2. On router1, configure NAT to statically translate router2’s Ethernet address
160.10.1.2 to 169.10.1.2.
router1(config)# ip nat inside source static 160.10.1.2 169.10.1.2
router1(config)# interface ethernet0
router1(config-if)# ip address 160.10.1.1 255.255.255.0
router1(config-if)# ip nat inside
router1(config-if)# interface serial0
router1(config-if)# ip address 175.10.1.1 255.255.255.0
router1(config-if)# ip nat outside
router1(config-if)# no shut

3. Test the static NAT translation by telnetting from router2 to router3. Once into
router3, issue the show users command. The output of this command should show that
169.10.1.2 (the translated IP address) is the logged-in device.
router2# telnet 175.10.1.2
router3# show users

4. Display the NAT Translation table on router1. The output of the display should show
that the inside local IP address (160.10.1.2) is translated to the inside global IP address
(169.10.1.2).
a. Question: does the “inside global IP address” normally represent a public or a private
IP address?
router1# show ip nat translations

5. On router1, remove the previous static NAT commands and configure NAT to
translate router2’s Ethernet address to a dynamically assigned address. You will utilize a
pool of public addresses in the range of 169.10.1.50 to 169.10.1.100.
a. Question: if the pool of dynamically assigned addresses only contains one IP address
entry, what’s another term for this form of NAT translation?
router1(config)# no ip nat inside source static 160.10.1.2 169.10.1.2
router1(config)# ip nat pool pool1 169.10.1.50 169.10.1.100 netmask 255.255.255.0
router1(config)# ip nat inside source list 1 pool pool1
router1(config)# access-list 1 permit 160.10.1.0 0.0.0.255

6. Test the dynamic NAT translation function by telnetting from router2 to router3. Once
into router3, issue the show users command. The output of this command should show
that the logged-in device is 169.10.1.50 (the translated address). Also, display the NAT
translation table on router1 using the show ip nat translations command.
router2# telnet 175.10.1.2
router3# show users
router1# show ip nat translations

7. Remove the previous NAT commands. Configure NAT overloading (port address
translation) on router1 to translate router2’s Ethernet address
(160.10.1.2) to the serial0 interface address (175.10.1.1) on router1.
router1(config)# ip nat inside source list 1 interface serial0 overload
router1(config)# interface Ethernet 0
router1(config-if)# ip address 160.10.1.1 255.255.255.0
router1(config-if)# ip nat inside
router1(config-if)# interface serial 0
router1(config-if)# ip address 175.10.1.1 255.255.255.0
router1(config-if)# ip nat outside
router1(config-if)# exit
router1(config)# access-list 1 permit 160.10.1.0 0.0.0.255

8. Test the overloading (PAT) function by telnetting from router2 to router3. Issue the
show users command on router3. It should show that the logged-in device is 175.10.1.1
(the translated IP address). Also, issue the show ip nat translations command on router1
to display the NAT translation table.
router2# telnet 175.10.1.2
router3# show users
router1# show ip nat translations

9. Remove all NAT/PAT configuration commands from router1 before continuing on
with the CCNA labs.
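
The three translation modes differ only in how the inside global address and port are chosen, which is what show users on router3 and show ip nat translations on router1 report. The model below is an added example, not part of the Boson lab. It uses the lab's addresses; the class, the second inside host 160.10.1.3, the source port numbers and the PAT port-selection rule (keep the source port, otherwise take the next free one) are assumptions.

```python
import ipaddress

INSIDE = ipaddress.ip_network("160.10.1.0/24")  # access-list 1 permit 160.10.1.0 0.0.0.255

def lab_pool():
    """Addresses of pool1: 169.10.1.50 through 169.10.1.100."""
    first = ipaddress.ip_address("169.10.1.50")
    return [str(first + i) for i in range(51)]

class NatTable:
    def __init__(self, static=None, pool=None, overload=None):
        self.static = static or {}   # inside local -> inside global
        self.free = list(pool or []) # unused pool addresses, lowest first
        self.overload = overload     # one inside global shared by all hosts (PAT)
        self.dynamic = {}            # inside local -> pool address
        self.pat = {}                # (local ip, local port) -> global port
        self.used_ports = set()

    def translate(self, src_ip, src_port):
        """Return (inside global ip, port) as seen outside, or None if dropped."""
        if src_ip in self.static:
            return self.static[src_ip], src_port
        if ipaddress.ip_address(src_ip) not in INSIDE:
            return src_ip, src_port          # not matched by list 1: left untranslated
        if self.overload:
            key = (src_ip, src_port)
            if key not in self.pat:
                port = src_port
                while port in self.used_ports:   # simplified port selection (assumption)
                    port += 1
                self.used_ports.add(port)
                self.pat[key] = port
            return self.overload, self.pat[key]
        if src_ip not in self.dynamic:
            if not self.free:
                return None                  # pool exhausted: no translation is created
            self.dynamic[src_ip] = self.free.pop(0)
        return self.dynamic[src_ip], src_port

if __name__ == "__main__":
    print(NatTable(static={"160.10.1.2": "169.10.1.2"}).translate("160.10.1.2", 11000))
    print(NatTable(pool=lab_pool()).translate("160.10.1.2", 11000))
    print(NatTable(overload="175.10.1.1").translate("160.10.1.2", 11000))
```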

