This article describes how to configure switch port security on Cisco Switches. It provides guidelines, procedures, and configuration examples. To practice and learn to configure port security on Cisco switch, just download the port security packet tracer lab or create your own lab and follow the switch port security configuration guideline.

Download Switch Port Security Configuration Packet Tracer Lab.

Port Security Guidelines and Restrictions

Follow these guidelines when configuring port security.

• A secure port cannot be a trunk port.
• A secure port cannot be a destination port for Switch Port Analyzer (SPAN).
• A secure port cannot belong to an EtherChannel port-channel interface.
• A secure port and static MAC address configuration are mutually exclusive.

Configure Switch Port Security

These sections describe how to configure port security using the Packet Tracer – Configuring Switch Port Security Lab.

In this activity, you will configure and verify port security on a switch. Port security allows you to restrict a port’s ingress traffic by limiting the MAC addresses that are allowed to send traffic to the port.

Part 1: Configure Port Security

a. Access the command line for S1 and enable port security on Fast Ethernet ports 0/1 and 0/2.

SW1>enable 
SW1#configure terminal 
Enter configuration commands, one per line.  End with CNTL/Z.
SW1(config)#interface range fastEthernet 0/1-2
SW1(config-if-range)#switchport mode access 
SW1(config-if-range)#
SW1(config-if-range)#switchport port-security 
SW1(config-if-range)#

b. Set the maximum so that only one device can access the Fast Ethernet ports 0/1 and 0/2.

SW1(config-if-range)#switchport port-security maximum 1
SW1(config-if-range)#

c. Secure the ports so that the MAC address of a device is dynamically learned and added to the running configuration.

SW1(config-if-range)#switchport port-security mac-address sticky 
SW1(config-if-range)#

d. Set the violation so that the Fast Ethernet ports 0/1 and 0/2 are not disabled when a violation occurs, but packets are dropped from an unknown source.

SW1(config-if-range)#switchport port-security violation restrict 
SW1(config-if-range)#

e. Disable all the remaining unused ports. Hint: Use the range keyword to apply this configuration to all the ports simultaneously.

SW1(config)#interface range fastEthernet 0/3-24, gigabitEthernet 0/1-2
SW1(config-if-range)#shutdown

It’s all and enough to configure switch port security on this lab. Let’s test it.

Part 2: Verify Port Security

Try to test your switch port security configuration with ping command and testing with the rogue laptop on the lab

• a. From PC1, ping PC2.
• b. Verify port security is enabled and the MAC addresses of PC1 and PC2 were added to the running configuration with “show run” command.
• c. Attach Rogue Laptop to any unused switch port and notice that the link lights are red.
• d. Enable the port and verify that Rogue Laptop can ping PC1 and PC2. After verification shut down the port connected to Rogue Laptop.
• e. Disconnect PC2 and connect Rogue Laptop to PC2’s port. Verify that Rogue Laptop is unable to ping PC1.
• f. Display the port security violations for the port Rogue Laptop is connected to.
• g. Disconnect Rouge Laptop and reconnect PC2. Verify PC2 can ping PC1.
• h. Why is PC2 able to ping PC1, but the Rouge Laptop is not?

That’s all, you need to learn about to configure switch port security on Cisco switches. If you need to study more about switch port security, try to read a book or simply read the below materials.

Default Port Security Configuration

Overview of Configure Switch Port Security

You can configure MAC addresses to be sticky. These can be dynamically learned or manually configured, stored in the address table, and added to the running configuration. If these addresses are saved in the configuration file, the interface does not need to dynamically relearn them when the switch restarts. Although sticky secure addresses can be manually configured, it is not recommended.

You can configure an interface to convert the dynamic MAC addresses to sticky secure MAC addresses and to add them to the running configuration by enabling sticky learning. To enable sticky learning, enter the switchport port-security mac-address sticky command. When you enter this command, the interface converts all the dynamic secure MAC addresses, including those that were dynamically learned before sticky learning was enabled, to sticky secure MAC addresses.

The sticky secure MAC addresses do not automatically become part of the configuration file, which is the startup configuration used each time the switch restarts. If you save the sticky secure MAC addresses in the configuration file, when the switch restarts, the interface does not need to relearn these addresses. If you do not save the configuration, they are lost

If sticky learning is disabled, the sticky secure MAC addresses are converted to dynamic secure addresses and are removed from the running configuration.

After the maximum number of secure MAC addresses is configured, they are stored in an address table. To ensure that an attached device has the full bandwidth of the port, configure the MAC address of the attached device and set the maximum number of addresses to one, which is the default.

A security violation occurs if the maximum number of secure MAC addresses has been added to the address table and a workstation whose MAC address is not in the address table attempts to access the interface.

You can configure the interface for one of these violation modes, based on the action to be taken if a violation occurs:

• Restrict—A port security violation restricts data, causes the SecurityViolation counter to increment, and causes an SNMP Notification to be generated. The rate at which SNMP traps are generated can be controlled by the SNMP-server enable traps port-security trap-rate command. The default value (“0”) causes an SNMP trap to be generated for every security violation.
• Shutdown—A port security violation causes the interface to shut down immediately. When a secure port is in the error-disabled state, you can bring it out of this state by entering the errdisable recovery cause psecure-violation global configuration command or you can manually re-enable it by entering the shutdown and no shutdown interface configuration commands. This is the default mode.

You can also customize the time to recover from the specified error-disable cause (default is 300 seconds) by entering the errdisable recovery interval command.

Source: Cisco

Related Search Queries:

• Cisco port security violation
• Switchport port-security maximum 2
• Cisco port security violation options
• Switchport port-security violation restrict vs protect
• Port security configuration in packet tracer
• Switchport port-security mac-address sticky
• Port security in networking
• Port security pdf
• Switchport port-security maximum
• Switchport port-security violation restrict vs protect
• Cisco port security violation options
• Switchport port-security mac-address sticky

The post How to Configure Switch Port Security on Cisco Switches? appeared first on TECHNIG.

Short and complete guide to configure SSH on Cisco router and switch for secure remote connection. The Secure Shell (SSH) is a cryptographic network protocol for operating network services securely over an unsecured network. The best-known example application is for remote login to computer systems by users.

SSH provides a secure channel over an unsecured network in a client-server architecture, connecting an SSH client application with an SSH server. Common applications include remote command-line login and remote command execution, but any network service can be secured with SSH. The protocol specification distinguishes between two major versions, referred to as SSH-1 and SSH-2.

The typical use of SSH Protocol

The protocol is used in corporate networks for:

• providing secure access for users and automated processes
• interactive and automated file transfers
• issuing remote commands
• managing network infrastructure and other mission-critical system components.

Configure SSH on Cisco Router or Switch

To configure SSH on Cisco router, you need to do:

1. Enable SSH on Cisco router.
2. Set Password for SSH.
3. Force remote access to use SSH.
4. Enable Password Encryption.
5. Add domain name Server (DNS).
6. Add Username and Password.

Let’s enable and configure SSH on Cisco router or switch using the below packet tracer lab. The configure on a packet tracer lab and real Cisco devices are the same. Just try to learn and do it what the SSH remote authentication needs.

Download the packet tracer lab or create your own lab. SSH Configuration Packet Tracer Lab.

In this example, I just enable and configure SSH on SW1 and trying to access it from PC1. It’s enough to learn how to configure SSH on Cisco router.

R1>
R1>enable 
R1#configure terminal 
Enter configuration commands, one per line.  End with CNTL/Z.
R1(config)#
R1(config)#ip domain-name Technig.com
R1(config)#crypto key generate rsa 
The name for the keys will be: R1.Technig.com
Choose the size of the key modulus in the range of 360 to 2048 for your
  General Purpose Keys. Choosing a key modulus greater than 512 may take
  a few minutes.

How many bits in the modulus [512]: 1024
% Generating 1024 bit RSA keys, keys will be non-exportable...[OK]

R1(config)#
*Mar 1 0:5:57.974:  %SSH-5-ENABLED: SSH 1.99 has been enabled 
R1(config)#
R1(config)#username Admin password Technig
R1(config)#line vty 0 4
R1(config-line)#login local 
R1(config-line)#transport input ssh 
R1(config-line)#exit
R1(config)#ip ssh version 2
R1(config)#ip ssh authentication-retries 3
R1(config)#
R1(config)#ip ssh time-out 120
R1(config)#exit
R1#

That’s all. Let’s check the process one by one.

1. I have set DNS domain name with “IP domain-name” command.
2. Then configure the router to use RSA key pair with modulus size of 1024 bites for remote service authentication with “crypto key generate rsa” command.
3. Add username “Admin” with Password of “Technig” for ssh authentication.
4. Enabled ssh with “line vty 0 4” command.
5. Configure ssh to use local username and password with “login local” command. Remember that you can set a username and password for ssh with “username Admin password Technig” command as well. But here we configure ssh to use local username and password.
6. Configure the router to accept only ssh connection with “transport input ssh” command.
7. Configure ssh to version 2 using “IP ssh version 2” and set the authentication times to 3 with “IP ssh authentication-retries 3” command.
8. Finally set the ssh timeout to 120 seconds with “IP ssh time-out 120” command.

Related Article: Install SSH on CentOS 8.x and Red Hat Linux

The final step is to test the connectivity of ssh from PC1 with “ssh -l Admin 192.168.1.1” command for command prompt.

C:\>ssh -l Admin 192.168.1.1
Open
Password: 


R1>en
R1>enable 
Password: 
R1#

OK, the ssh works perfectly.

The post How to Configure SSH on Cisco Router or Switch? appeared first on TECHNIG.

If you faced with the below error when you try to configure banner motd on Cisco switch or router. You can easily fix Cisco Motd banner ASCII art using this MOTD Banner configuration guide.

SW1(config-line)#motd-banner !No Access for You?!
^
% Invalid input detected at '^' marker.

It means that you did not type the banner motd command correctly. Let’s test it and configure banner motd on Cisco switch and router using packet tracer.

What is MOTD Banner?

A banner is a message presented to a user who is using the Cisco switch. The type of banner you configured for use determines when this message is shown. You can configure three main types of banners on your Cisco switch, as shown here:

• The message of the Day (MOTD): This type of login message has been around for a long time on Unix and mainframe systems. The idea of the message is to display a temporary notice to users, such as issues with system availability.

  However, because the message displays when a user connects to the device before login, most network administrators are now using it to display legal notices regarding access to the switch, such as unauthorized access to this device is prohibited and violators will be prosecuted to the full extent of the law and other such cheery endearments.

• Login: This banner is displayed before login to the system, but after the MOTD banner is displayed. Typically, this banner is used to display a permanent message to the users.

• Exec: This banner displays after the login is complete when the connecting user enters User EXEC mode. Whereas all users who attempt to connect to the switch see the other banners, only users who successfully log on to the switch see this banner, which can be used to post reminders to your network administrators.

SW1#enable 
SW1#configure terminal 
Enter configuration commands, one per line. End with CNTL/Z.
SW1(config)#banner motd #Admin Access only!#
SW1(config)#

Now, the Motd banner has configured on a Cisco switch. Let’s test it what is going on?

Press RETURN to get started!
Admin Access Only
User Access Verification
Password: 

Yes, you can see the message that prompts you before user authentication.

Related Search Queries:

Motd banner examples
Cisco MOTD banner ASCII art
Why should every switch have a motd banner?
Show banner motd
Cisco banner motd examples
Banner motd packet tracer
Cisco banner motd multiple lines
Banner exec

The post How to Configure Banner MOTD on Cisco Switch and Router? appeared first on TECHNIG.

It’s a simple way you can learn to configure PAP and CHAP in Cisco router using this packet tracer lab. Just download the lab or create your own lab with packet tracer and follow the instruction to easy configure PAP and CHAP authentication protocols in a Cisco router.

Configure PAP and CHAP in Cisco Router

In this activity, you will practice configuring PPP encapsulation on serial links. You will also configure PPP PAP
authentication and PPP CHAP authentication.

Part 1: Review Routing Configurations

Step 1: View running configurations on all routers.

• While reviewing the router configurations, note the use of both static and dynamic routes in the topology.

Step 2: Test connectivity between computers and the web server.

• From PC and Laptop, ping the web server at 209.165.200.2. Both ping commands should be successful.
  Remember to give enough time for STP and EIGRP to converge.

Part 2: Configure PPP as the Encapsulation Method

Step 1: Configure R1 to use PPP encapsulation with R3.

Enter the following commands on R1:

R1(config)# interface s0/0/0
R1(config-if)# encapsulation ppp

Step 2: Configure R2 to use PPP encapsulation with R3.

Enter the appropriate commands on R2:

R2(config)# interface s0/0/1
R2(config-if)# encapsulation ppp

Step 3: Configure R3 to use PPP encapsulation with R1, R2, and ISP.

Enter the appropriate commands on R3:

R3(config)# interface s0/0/0
R3(config-if)# encapsulation ppp
R3(config)# interface s0/0/1
R3(config-if)# encapsulation ppp
R3(config)# interface s0/1/0
R3(config-if)# encapsulation ppp

Step 4: Configure ISP to use PPP encapsulation with R3.

a. Click the Internet cloud, then ISP. Enter the following commands:

Router(config)# interface s0/0/0
Router(config-if)# encapsulation ppp

b. Exit the Internet cloud by clicking Back in the upper left corner or by pressing Alt+left arrow.

Step 5: Test connectivity to the web server.

PC and Laptop should be able to ping the web server at 209.165.200.2. This may take some time as
interfaces start working again and EIGRP reconverges.

Part 3: Configure PPP Authentication

Step 1: Configure PPP PAP Authentication Between R1 and R3.

Note: Instead of using the keyword password as shown in the curriculum, you will use the keyword secret to
provide a better encryption of the password.

a. Enter the following commands into R1:

R1(config)# username R3 secret class
R1(config)# interface s0/0/0
R1(config-if)# ppp authentication pap
R1(config-if)# ppp pap sent-username R1 password cisco

b. Enter the following commands into R3:

R3(config)# username R1 secret cisco
R3(config)# interface s0/0/0
R3(config-if)# ppp authentication pap
R3(config-if)# ppp pap sent-username R3 password class

Step 2: Configure PPP PAP Authentication Between R2 and R3.

Repeat step 1 to configure authentication between R2 and R3 changing the usernames as needed. Note that
each password sent to each serial port matches the password expected by the opposite router.

R2(config-if)# username R3 secret class
R2(config)# interface s0/0/1
R2(config-if)# ppp authentication pap
R2(config-if)# ppp pap sent-username R2 password cisco

R3(config-if)# username R2 secret cisco
R3(config)# interface s0/0/1
R3(config-if)# ppp authentication pap
R3(config-if)# ppp pap sent-username R3 password class

Step 3: Configure PPP CHAP Authentication Between R3 and ISP

a. Enter the following commands into ISP. The hostname is sent as the username:

Router(config)# hostname ISP
ISP(config)# username R3 secret cisco
ISP(config)# interface s0/0/0
ISP(config-if)# ppp authentication chap

b. Enter the following commands into R3. The passwords must match for CHAP authentication:

R3(config)# username ISP secret cisco
R3(config)# interface serial0/1/0
R3(config-if)# ppp authentication chap

Step 4: Test connectivity between computers and the web server.

From PC and Laptop, ping the web server at 209.165.200.2. Both ping commands should be successful.
Remember to give enough time for STP and EIGRP to converge.

Step 4: Test connectivity between computers and the web server.

From PC and Laptop, ping the web server at 209.165.200.2. Both ping commands should be successful.
Remember to give enough time for STP and EIGRP to converge.

Note: This is the Cisco Network Academy lab, you can join the netacad.com website to learn the entire CCNA.

Download the Lab: PAP and CHAP Configuration or CCNA Packet Tracer Lab

That is all you need to learn to configure PAP and CHAP in Cisco Router. Let’s see what is the difference between PAP and CHAP authentication protocols?

What is the Difference Between PAP and CHAP?

The password authentication protocol (PAP) and challenge handshake authentication protocol (CHAP) are both used to authenticate PPP sessions and can be used with many VPNs. Basically, PAP works like a standard login procedure; the remote system authenticates itself to the user a static username and password combination. The password can be encrypted for additional security, but PAP is subject to numerous attacks. In particular, since the information is static, it is subject to password guessing as well as snooping.

CHAP takes a more sophisticated and secure approach to authentication by creating a unique challenge phrase (a randomly generated string) for each authentication. The challenge phrase is combined with device hostnames using one-way hashing functions to authenticate in a way where no static secret information is ever transmitted over the wire. Because all transmitted information is dynamic, CHAP is significantly more robust than PAP.

Another advantage of CHAP over PAP is that CHAP can be set up to do repeated midsession authentications. This is useful for dial-up PPP sessions and other sessions where a port may be left open even though the remote device has disconnected. In this case, its possible for someone else to pick up the connection mid-session simply by establish physical connectivity.

Related Search:

• PPP pap configuration
• PPP chap configuration
• Configure chap authentication on s0/0/0
• pap chap configuration

The post How to Configure PAP and CHAP in Cisco Router? appeared first on TECHNIG.

A step by step guide to configure Inter-VLAN Routing on the Cisco router or layer 3 switches. Basically, on a VLAN, no host can communicate with hosts within other VLANs. It means only hosts that are members of the same VLAN can communicate with each other. So if you want your VLANs hosts can communicate with each other, you must configure inter-VLAN routing using a router or a layer 3 switch. Here we completely demonstrate the Inter-VLAN configuration using a Cisco router and a layer 3 switch.

The router you are using for Inter-VLAN routing must be compatible and support Inter-Switch Link (ISL) which is a Cisco Systems proprietary protocol, and IEEE 802.1q frame format for routing on the Fast Ethernet interfaces. In Inter-VLAN the physical Fast Ethernet interface of the router is divided into sub-Interfaces for each VLAN. You can set IP address for each sub-Interface in order to route between VLANs.

How to Create VLAN on Cisco Switches?

Let’s configure it on the below Inter-VLAN routing Lab. Download the Packet Tracer Inter-VLAN routing Lab for CCNA or create your own Lab.

1. First of all, create two VLAN in the switch and named VLAN A and VLAN B with the following command.

Switch>enable 
Switch#configure terminal 
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)#vlan 2
Switch(config-vlan)#name VLAN-A
Switch(config-vlan)#vlan 3
Switch(config-vlan)#name VLAN-B
Switch(config-vlan)#exit

2. OK, the VLANs A and B are created successfully. Now check them with “show vlan” command.

3. You see the result in the screenshot, the VLANs are ready for assigning switch ports to them.

Assigning Switch Ports for VLANs

In this section, the switch ports are divide and assign to VLANs. Before configuring Inter-VLAN routing, a host in a VLAN can only communicate within its own VLAN and not reach to other VLANs. So let’s configure it.

1. Try to assign switch ports for each VLANs with the following commands.

Switch(config)#interface fastEthernet 0/2
Switch(config-if)#switchport mode access 
Switch(config-if)#switchport access vlan 2
Switch(config-if)#exit
Switch(config)#
Switch(config)#interface fastEthernet 0/5
Switch(config-if)#switchport mode access 
Switch(config-if)#switchport access vlan 2
Switch(config-if)#exit

2. Now the port FastEthernet 0/2 and FastEthernet 0/5 are members of VLAN 2 which named VLAN-A. Go to set the PC3 and PC2 to VLAN-B.

3. Let’s assign a range of ports to a VLAN using “interface range” command.

Switch(config)#interface range fastEthernet 0/3-4
Switch(config-if-range)#switchport mode access 
Switch(config-if-range)#switchport access vlan 3
Switch(config-if-range)#exit

Note: The interface range command can assign a range of interfaces to a VLAN. Read more about basic VLAN configuration on “Configure VLAN on Cisco Switches Using Cisco Packet Tracer” post.

4. Now we have just done the basic VLAN configuration like creating VLAN and assigning switch ports to VLANs. Let’s enable Trunking mode on the switch port to the router and then configure Inter-VLAN routing on the router.

Configure Trunking Ports on Switch

With the command “switch port mode trunk” you can configure trunking on the FastEthernet 0/1 port of the SW1. The VLAN Trunking Protocol (VTP) let the VLANs transmit theirs traffics over a physical line simultaneously. Read more about VTP on Wikipedia website.

1. Just navigate to FastEthernet 0/1 interface and type “switchport mode trunk“ the press enter to enable trunking on Fa0/1 interface line.

Switch(config)#interface fastEthernet 0/1
Switch(config-if)#switchport mode trunk 
Switch(config-if)#

2. Now the VLANs can transmit traffic over the FastEthernet 0/1 without any problems.

Note: Try to enable trunking mode only to interface between to switch or router devices. It’s not necessary to enable it on the interface of the switch to PC.

Configure Inter-VLAN Routing on Cisco Router

Finally, the lab is ready to configure Inter-VLAN routing. If you test the PCs, they can ping with each other within a VLAN but not with other VLANs. So in order to communicate they need routing. Not network routing protocols such as Static routing or dynamic routing like RIP, and OSPF. Just need Inter-VLAN Routing which you simply configure according to below step by step Inter-VLAN routing guide.

1. Try to assign an IP address to the router and enable the interface you want to configure inter-VLAN routing.

Router>enable 
Router#configure terminal 
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#interface fastEthernet 0/0
Router(config-if)#ip address 192.168.10.1 255.255.255.248
Router(config-if)#no shutdown

2. Good, the IP 192.168.10.1 with the subnet mask of 255.255.255.248 is assigned for physical FastEthernet 0/0 interface.

Note: We need to have subinterface for each VLANs on the router. The subinterface is a virtual interface card that inter-VLAN doing routing using them.

3. Now try to create a subinterface for each VLAN with interface command and assign IP address from the different network for each VLAN. In this case, I have subnetted the 192.168.10.0/24 IP address to 3 networks.

Router(config)#interface fastEthernet 0/0.2
Router(config-subif)#
Router(config-subif)#encapsulation dot1Q 2
Router(config-subif)#ip address 192.168.10.9 255.255.255.248
Router(config-subif)#

4. See the result with “do show ip interface brief” from sub-interface area.

The virtual sub-interface FastEthernet0/0.2 has created and it has the 192.168.10.9 IP address. This sub-interface act as a default gateway for VLAN-A with an address of 192.168.10.8/29.

5. Do the same to create a sub-interface for VLAN-B also.

Router(config)#interface fastEthernet 0/0.3
Router(config-subif)#ip address 192.168.10.17 255.255.255.248

% Configuring IP routing on a LAN subinterface is only allowed if that
subinterface is already configured as part of an IEEE 802.10, IEEE 802.1Q,
or ISL vLAN.

Router(config-subif)#encapsulation dot1Q 3
Router(config-subif)#ip address 192.168.10.17 255.255.255.248
Router(config-subif)#

6. Everything is fine, but you see the error with red colour! It is because we forgot to set the encapsulation dot1Q command. Before assigning an IP address to a sub-interface, you should set IEEE 802.1q with encapsulation command.

Finally, all VLANs hosts can communicate with each other. That’s all you need to configure Inter-VLAN routing on your corporate network. Download the complete Lab of Inter-VLAN routing Cisco Packet Tracer Lab. Follow the below steps if you want to configure inter-VLAN on Layer 3 Switches or troubleshooting inter-VLAN on routers and switches.

Configure Inter-VLAN Using Layer 3 Switches

Work the same, just need a Cisco Layer 3 switch. To configure Inter-VLAN on a Layer 3 switch, you must assign an IP address to VLANs instead of sub-interfaces. Assigning an IP address to VLAN is easy, only read the “Assigning IP address to VLAN” section at the end of this articles.

To configure Inter-VLAN routing using layer 3 switches, you don’t need router anymore. All configuration has done within the layer 3 switch.

Troubleshooting and Assigning IP address to VLANs

As this post is related to configure Inter-VLAN routing, so we must do some more about VLAN configuration such as assigning IP address to VLANs, controlling VLANs remotely with Telnet, and some essential troubleshooting commands.

How to Assign an IP address to VLANs?

In order to assign an IP address to a VLAN, simply go to VLAN and set the IP address like assigning IP address to an interface of a router.

Switch(config)#interface vlan 1
Switch(config-if)#ip address 192.168.10.4 255.255.255.248
Switch(config-if)#no shutdown

Check it with “do show ip interface brief” command, whether the default VLAN 1 has gotten the IP address of 192.168.10.4/29 or not.

Yes, that’s fine. This can help you remotely configure VLANs through the internet or network.

Troubleshooting Inter-VLAN Routing

To see the VLANs on a switch, type the “show vlan” command. This command will list all created VLANs within a switch.

The “show interface trunk” command shows encapsulation and trunking status.

The “show interfaces fastEthernet 0/1 switchport” display the status of a specific switch port. See the result on the screenshot.

OK, I think it’s enough for Configuring Inter-VLAN routing. I hope you find this configure Inter-VLAN routing article’s helpful and if you have any problem or question regarding this article, ask us through the comment section.

The post Configure Inter VLAN Routing on Cisco Router and Layer 3 Switches appeared first on TECHNIG.

Configure DHCP on Cisco Router. Last week we published a topic about installation and configuration of DHCP Server in Windows Server 2012 R2. We have introduced the DHCP Server “Install and Configure DHCP Server on Windows Server 2012 R2” and told the necessary services and network protocols requirement if you don’t know the basic of DHCP Server? you must read the article first.

Create and Configure a CCNA Lab within Cisco Packet Tracer.

Download the DHCP configuration in Cisco router lab of packet tracer from the end of this post or try to create your own network lab with two routers and their LAN networks and then configure it with the following step by step guide.

Configure the Router 1 with below IP address and initial configuration. I assume you know and understand the basic router and Switch configuration clearly. So no need to explain the functions of the basic router and switch commands line.

Router>enable
Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.

Router(config)#hostname R1
R1(config)#interface serial 0/0/0
R1(config-if)#ip address 10.10.10.1 255.255.255.252
R1(config-if)#no shutdown

R1(config-if)#clock rate 64000
R1(config-if)#

For Router 2, configure the same interface serial 0/0/0 and FastEthernet 0/0 with the following commands.

Router>enable
Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#hostname R2
R2(config)#interface serial 0/0/0
R2(config-if)#ip address 10.10.10.2 255.255.255.252
R2(config-if)#no shutdown

R2(config-if)#

R2(config)#interface fastEthernet 0/0
R2(config-if)#ip address 192.168.10.1 255.255.255.0
R2(config-if)#no shutdown

Configure DHCP on Cisco Router Using Packet Tracer

Let’s configure Router 2 as DHCP Server and set the clients to get their IP address from DHCP Server in Cisco Router.

In the R2 while you are in the config mode, type the command ‘IP DHCP excluded-address 192.168.10.1 192.168.10.20‘ and then press enter. This command ‘ip dhcp excluded-address’ will create an exclusive range of IP addresses which reserved for Network Servers and DHCP Server will not assign them to clients.

The ‘ip dhcp pool‘ command creates a pool for a network. You can create many pools on a router for all Local area network that connected to the router.

R2>enable
R2#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
R2(config)#ip dhcp excluded-address 192.168.10.1 192.168.10.20
R2(config)#ip dhcp pool Technig_Clients
R2(dhcp-config)#
R2(dhcp-config)#network 192.168.10.0 255.255.255.0
R2(dhcp-config)#default-router 192.168.10.1
R2(dhcp-config)#dns-server 192.168.10.100
R2(dhcp-config)#

Now go to client setting and set the IP Configuration to DHCP and see the client get a new IP address from DHCP Server.

So that’s it, configure DHCP on Cisco router within a minute! Simple and easy.

DHCP Relay on Cisco Router

Remember some DHCP options (DHCP Relay Agent) when you need to provide IP addresses from a DCHP server to clients that are outside of your network or are not in the same Local Area Network. You must use the ‘ip helper-address‘ to forward the DHCP client requests to the remote host.

Configure the R1 to relay the DHCP client request. It does not work without routing. So configure Routers with static or dynamic routing. Here I’m testing with RIP.

R1>enable
R1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#interface fastEthernet 0/0
R1(config-if)#ip helper-address 10.10.10.2
R1(config-if)#exit

R1(config)#router rip
R1(config-router)#network 10.10.10.0
R1(config-router)#network 192.168.30.0
R1(config-router)#exit

Go to the client IP configuration setting and see the forwarded request by DHCP Server.

Hope you learn the configuration of the DHCP Server on the Cisco Router and Download the DHCP on Cisco Router Packet Tracer.

Related Search: 

Configure DHCP on cisco router interface
Configure DHCP on cisco router in packet tracer
What is DHCP pool
Configure DHCP on cisco switch 2960
How to configure DHCP pool on cisco switch
IP DHCP excluded-address
Cisco DHCP lease command
IP DHCP server

The post How to Configure DHCP on Cisco Router? appeared first on TECHNIG.

This article is going to shows the CCNA students to configure and enable telnet and ssh on Cisco router and switches. The Telnet is an old and non-secure application protocol for remote control services. You can configure telnet on all Cisco switches and routers with the following step by step guides. But it’s not the best way to the wide-area network. However, we just going to enable telnet and ssh to test them for CCNA Certification exams.

Enable Telnet and SSH on Cisco Router

To enable telnet on Cisco router, simply do it with “line vty” command. First of the first download the CCNA Lab to Enable Telnet and SSH on Cisco Router from Telnet and SSH Lab. The Lab is configured with DHCP server and all clients get an IP address from DHCP Server on Router.

Go to router R1 console and configure telnet with “line vty” command.

R1>enable 
R1#configure terminal 
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#line vty 0 
R1(config-line)#password Pass123
R1(config-line)#login 
R1(config-line)#logging synchronous 
R1(config-line)#exec-timeout 40
R1(config-line)#motd banner $Admin Access Only$ 
R1(config-line)#exit 
R1(config)#

• The “line vty” command enable the telnet and the “0″ is just let a single line or session to the router. If you need more session simultaneously, you must type “line vty 0 10“.
• The “password” command set the “Pass123” as a password for telnet. You can set your own password.
• The “login” command authenticate and ask you the password of telnet. If you type “no login” command, the telnet never authenticates for the password which is not a good practice in a real network environment.
• The “logging synchronous” command stops any message output from splitting your typing.
• The “exec-timeout” command just sets the time-out limit on the line from the default to “40″ minutes.
• The motd-banner forces a banner message to appear when logging in.

OK, the Telnet services enabled successfully. But you must set the enable password for the router in order to control it remotely.

R1(config)#enable password Password
R1(config)#exit

Testing Telnet Connectivity

Now from a client PC test the telnet connectivity and to ensure that it works fine or not yet. If it does not work, try to troubleshoot telnet errors.

Let’s test telnet from the admin PC. Type telnet 192.168.10.1 and press enter, then enter the telnet password. Next type enable command and press enter, then type the router password.

Packet Tracer PC Command Line 1.0
PC>telnet 192.168.10.1
Trying 192.168.10.1 ...Open

User Access Verification

Password: 
R1>enable 
Password: 
R1#

Now you are remotely connected to router R1 and you can execute all router commands through a telnet command-line interface.

If you need more information about Telnet commands and options, from the config-line mode type “?“, the question mark will display all telnet commands.

That is it, the telnet services configuration on Cisco router.

2. Enable Telnet and SSH: SSH Configuration.

Secure Shell or SSH is a secure protocol and the replacement for Telnet and other insecure remote shell protocols. So for secure communication between network devices, I strongly recommend using SSH instead of Telnet.

Configure SSH on Cisco routers and switches with the below step by step guide to SSH configuration.

1. Open the router R1 console line and create domain and username.

R1(config)#ip domain-name Technig.com
R1(config)#username Shais Password Pass123
R1(config)#

Then “IP domain-name” command creates a domain and named Technig.com.

The “username Shais Password Pass123” command just create a username “Shais” with “Pass123” password.

2. If you don, just follow and generate the encryption keys for securing the ssh session.

R1(config)#crypto key generate rsa 
The name for the keys will be: R1.Technig.com
Choose the size of the key modulus in the range of 360 to 2048 for your
General Purpose Keys. Choosing a key modulus greater than 512 may take
a few minutes.

How many bits in the modulus [512]: 1024
% Generating 1024 bit RSA keys, keys will be non-exportable...[OK]

R1(config)#

Type “crypto key generate rsa” command and press enter when asking you “How many bits in the modulus [512]:” just type “1024″ and press enter. The system will generate 1024 bits keys to secure session lines. You can choose modules in the range of 360 to 2048.

3. Now enable SSH version 2, set timeout duration and login attempt time on the router. Remember this message if you going to use ssh version 2 “Please create RSA keys (of at least 768 bits size) to enable SSH v2.”

R1(config)#ip ssh version 2
R1(config)#ip ssh time-out 50
R1(config)#ip ssh authentication-retries 4

4. Enable vty lines and configure access protocols.

R1(config)#line vty 0
R1(config-line)#transport input ssh 
R1(config-line)#password Pass123
R1(config-line)#login 
R1(config-line)#logging synchronous 
R1(config-line)#motd-banner 
R1(config-line)#exit
R1(config)#

The configuration is the same as telnet, just the transport input ssh command change the line to Secure Shell. The configuration has completed, next, you must test ssh from a client PC.

Testing SSH Connectivity

From a client PC, open the command line and type “ssh -l Shais 192.168.10.1” then press enter.

Packet Tracer PC Command Line 1.0
PC>ssh -l Shais 192.168.10.1
Open
Password:

R1>enable 
Password: 
R1#configure terminal 
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#

Here, I have connected successfully and the connection is secured with Secure Shell.

Hope you understand the configuration of enabling Telnet and SSH on Cisco router and switches. Now you should be able to simply enable Telnet and SSH on your routers and switches.

The post How to Enable Telnet and SSH on Cisco Router and Switches? appeared first on TECHNIG.

Another post related to CCNA Certification and this time learn how to configure OSPF routing? The configuration of the OSPF routing protocol is easy as RIP Routing. The Open Shortest Path First (OSPF) is a routing protocol for wide area networks and enterprise network. OSPF is perhaps the most widely used interior gateway protocol (IGP) in large enterprise networks. The IS-IS is another link-state dynamic routing protocol, which is more common in large service provider networks. The most widely used exterior gateway protocol is the Border Gateway Protocol (BGP), the principal routing protocol between autonomous systems on the Internet.

OSPF Routing Lab Configuration

Download the lab from this post or create your own OSPF Routing Lab and try to learn OSPF Routing configuration using this step by step guide.

Router 1: Do the basic configuration of your routers, switches and computers. Set the IP address for each interface the same as a screenshot. The diagram is classless IP addresses and sub-netted to many networks. So it means you must familiar with IP sub-netting and VLSM.

R1>enable
R1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#interface serial 1/3
R1(config-if)#ip address 20.10.10.1 255.255.255.252
R1(config-if)#no shutdown
R1(config-if)#exit
R1(config)#
R1(config)#interface serial 1/1
R1(config-if)#ip address 10.10.10.1 255.255.255.252
R1(config-if)#clock rate 64000
R1(config-if)#no shutdown
R1(config-if)#exit
R1(config)#
R1(config)#interface serial 1/0
R1(config-if)#ip address 10.10.10.5 255.255.255.252
R1(config-if)#clock rate 64000
R1(config-if)#no shutdown

Router 2: Do the following configuration for Router 2.

R2(config)#interface serial 1/0
R2(config-if)#ip address 10.10.10.6 255.255.255.252
R2(config-if)#no shutdown
R2(config-if)#exit
R2(config)#interface fastEthernet 0/0
R2(config-if)#ip address 192.168.10.1 255.255.255.0
R2(config-if)#no shutdown

Router 3: Now try to set IP address for Router 3 interfaces also.

Router#enable
Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#hostname R3
R3(config)#interface serial 1/0
R3(config-if)#ip address 10.10.10.2 255.255.255.252
R3(config-if)#no shutdown
R3(config-if)#exit
R3(config)#interface fastEthernet 0/0
R3(config-if)#ip address 192.168.1.1 255.255.255.0
R3(config-if)#no shutdown

Good, the basic configuration has competed and now start configure OSPF routing protocol on this network.

How to Configure OSPF Routing Protocol?

The Lab is ready for routing, download and configures OSPF routing with the following step by step guide. In router, R1 configure OSFP routing with Router OSPF command.

R1>enable
R1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#router ospf 1
R1(config-router)#network 20.10.10.0 0.0.0.3 area 0
R1(config-router)#network 10.10.10.0 0.0.0.3 area 0
R1(config-router)#network 10.10.10.4 0.0.0.3 area 0
R1(config-router)#

The router OSPF command enables OSPF routing on the router, and the 1 before OSFP is the process ID of the OSFP Protocol. You can set different process id from “1-65535” for each router.

The network command with network ID “network 20.10.10.0” is the network identifier, and the “ 0.0.0.3″ is the wildcard mask of 20.10.10.0 network. Wildcard mask determines which interfaces to advertise because OSPF advertises interfaces, not networks.

Now go to Router R3 and configure with the following commands.

R3>enable
R3#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
R3(config)#router ospf 1
R3(config-router)#network 192.168.1.0 0.0.0.255 area 0
R3(config-router)#network 10.10.10.0 0.0.0.3 area 0

Don? So do the following for router R2.

R2>enable
R2#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
R2(config)#router ospf 1
R2(config-router)#network 192.168.10.0 0.0.0.255 area 0
R2(config-router)#network 10.10.10.4 0.0.0.3 area 0

OK, OSPF routing configuration has been finished successfully, now test your network whether they can ping with each other or not. In my Lab they work perfect, you can download and see the result. Configure OSPF Routing Protocol – Complete Lab.

Related Search: 

OSPF configuration step by step.
how to configure OSPF between two routers.
how to configure OSPF on Cisco router packet tracer.
OSPF configuration in packet tracer.
OSPF basic configuration.
simple OSPF configuration example.
OSPF routing protocol configuration pdf.
how to configure the router in packet tracer.
how to configure OSPF step by step.

The post How to Configure OSPF Routing Protocol Using Packet Tracer? appeared first on TECHNIG.

Here we configure standard access list on Cisco router devices. The Standard Access List (ACL) on Cisco router works to permit or deny the entire network protocols of a host from being distinguishing. These decisions are all based on source IP address which filters network traffic by examining the source IP address in a packet. We can create the standard IP access list by using the access-list command with numbers 1 to 99 or in the expanded range of 1300 to 1999.

I’m using Cisco Packet Tracer to do this task. You can create your own network topology within Cisco packet tracer or use the best network simulator GNS3. If you are new in GNS3, I recommended to read the topics of GNS3 installation “Install GNS3 Network Simulator Step by Step in Windows” and the configuration article “Essential GNS3 Configuration for Cisco Lab“, these will help you to find your way in using GNS3.

Here I share my own created topology for standard IP access list with packet tracer. Download and test it. Download CCNA Lab: Configure Standard Access List.

Try to configure it with any routing protocol you want. Static route, RIP, or OSPF. This article “Configure Static Routing in Packet Tracer” can help you to configure static routing for CCNA.

Configure Standard Access List on Cisco Router

Let’s test the standard access list on our network with preventing access from subnet 192.168.10.0 to network 192.168.0.0 which connected directory to router R1 and just allow PC2 can get access to the network 192.168.0.0/24.

In the router R1, create an access list “access-list 10 permit 192.168.10.3 0.0.0.0” and then set it on the FastEthernet 0/0 which is the gateway to the network.

R1>enable 
R1#configure terminal 
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#access-list 10 permit 192.168.10.3 0.0.0.0
R1(config)#interface FastEthernet 0/0
R1(config-if)#ip access-group 10 out
R1(config-if)#exit

The command ” access-list 10 permit 192.168.10.3 0.0.0.0” deny all host on the network 192.168.10.0 but permit only PC3. We use the wildcard 0.0.0.0 for PC3. It’s only allowed the exact host with 192.168.10.3 IP address.

The command “IP access-group 10 out” just apply this outbound traffic to this network.

Remember, we set the access list command on the global configuration and set the IP access-gorup to the interface configuration.

Now test the with ping from PC3 to any host on the network 192.168.0.0/24. It must ping successfully but not allowed for other PCs of the network 192.168.10.0/24.

You can configure it with the following configuration also.

R1>enable
R1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#access-list 10 deny 192.168.10.3 0.0.0.0
R1(config)#access-list 10 permit any
R1(config)#interface FastEthernet 0/0
R1(config-if)#ip access-group 10 out

Working with Standard access list on Cisco router is easy and simple. Just try to do some more practice to get expert. If you want to know and test more access-list commands, simply type a question mark (?) in front of your command.

R2(config)#access-list ?
<1-99> IP standard access list
<100-199> IP extended access list
R2(config)#access-list 10 ?
deny Specify packets to reject
permit Specify packets to forward
remark Access list entry comment
R2(config)#access-list 10 permit ?
A.B.C.D Address to match
any Any source host
host A single host address
R2(config)#access-list 10 permit any ?
<cr>

Hope it would be helping you to understand the Standard IP access list on Cisco routers.

The post Configure Standard Access List On Cisco Router appeared first on TECHNIG.