Embed Size (px)
Citation preview
W&L Page 1CCNA 200-120
CCNA 200-120 Training2.4 Verify network status and switch operation using basic utilities such as
Jose Luis Flores / Amel Walkinshaw
Aug, 2015
W&L Page 2CCNA 200-120
2.0 LAN Switching Technologies
2.4 Verify network status and switch operation using basic utilities such as 2.4.a ping 2.4.b telnet 2.4.c SSH
W&L Page 3CCNA 200-120
2.4.a ping
The ping command uses Internet Control Message Protocol (ICMP) Echo Request and Echo Reply messages. Packet filtering policies on routers, firewalls, or other types of security gateways might prevent the forwarding of this traffic.
W&L Page 4CCNA 200-120
2.4.a ping
DOS
W&L Page 5CCNA 200-120
2.4.a ping
W&L Page 6CCNA 200-120
2.4.a ping
W&L Page 7CCNA 200-120
2.4.a ping
Warning: Using the debug ip packet detail command on a production router can cause high CPU utilization. This may result in a severe performance degradation or a network outage. We recommend that you carefully read Use the Debug Command before issuing debug commands.
W&L Page 8CCNA 200-120
2.4.a ping
Router1#debug ip packet detail IP packet debugging is on (detailed) Router1#ping 12.0.0.2 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 12.0.0.2, timeout is 2 seconds: !!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 4/6/8 ms Router1# Jan 20 15:54:47.487: IP: s=12.0.0.1 (local), d=12.0.0.2 (Serial0), len 100, sending Jan 20 15:54:47.491: ICMP type=8, code=0 !--- This is the ICMP packet 12.0.0.1 sent to 12.0.0.2. !--- ICMP type=8 corresponds to the echo message. Jan 20 15:54:47.523: IP: s=12.0.0.2 (Serial0), d=12.0.0.1 (Serial0), len 100, rcvd 3 Jan 20 15:54:47.527: ICMP type=0, code=0 !--- This is the answer we get from 12.0.0.2. !--- ICMP type=0 corresponds to the echo reply message. !--- By default, the repeat count is five times, so there will be five !--- echo requests, and five echo replies.
W&L Page 9CCNA 200-120
2.4.a ping
W&L Page 10CCNA 200-120
2.4.a ping
W&L Page 11CCNA 200-120
2.4.a ping
Router1#ping 34.0.0.4
Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 34.0.0.4, timeout is 2 seconds:
Jan 20 16:00:25.603: IP: s=12.0.0.1 (local), d=34.0.0.4, len 100, unroutable.Jan 20 16:00:27.599: IP: s=12.0.0.1 (local), d=34.0.0.4, len 100, unroutable.Jan 20 16:00:29.599: IP: s=12.0.0.1 (local), d=34.0.0.4, len 100, unroutable.Jan 20 16:00:31.599: IP: s=12.0.0.1 (local), d=34.0.0.4, len 100, unroutable.Jan 20 16:00:33.599: IP: s=12.0.0.1 (local), d=34.0.0.4, len 100, unroutable.Success rate is 0 percent (0/5)
W&L Page 12CCNA 200-120
2.4.a ping
Now let us add a static route to Router1:
Router1#configure terminal Enter configuration commands, one per line. End with CNTL/Z. Router1(config)#ip route 0.0.0.0 0.0.0.0 Serial0
We now have:
Router1#debug ip packet detail IP packet debugging is on (detailed)
Router1#ping 34.0.0.4 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 34.0.0.4, timeout is 2 seconds: U.U.U Success rate is 0 percent (0/5)
Jan 20 16:05:30.659: IP: s=12.0.0.1 (local), d=34.0.0.4 (Serial0), len 100, sending Jan 20 16:05:30.663: ICMP type=8, code=0 Jan 20 16:05:30.691: IP: s=12.0.0.2 (Serial0), d=12.0.0.1 (Serial0), len 56, rcvd 3 Jan 20 16:05:30.695: ICMP type=3, code=1 Jan 20 16:05:30.699: IP: s=12.0.0.1 (local), d=34.0.0.4 (Serial0), len 100, sending Jan 20 16:05:30.703: ICMP type=8, code=0 Jan 20 16:05:32.699: IP: s=12.0.0.1 (local), d=34.0.0.4 (Serial0), len 100, sending Jan 20 16:05:32.703: ICMP type=8, code=0 Jan 20 16:05:32.731: IP: s=12.0.0.2 (Serial0), d=12.0.0.1 (Serial0), len 56, rcvd 3 Jan 20 16:05:32.735: ICMP type=3, code=1 Jan 20 16:05:32.739: IP: s=12.0.0.1 (local), d=34.0.0.4 (Serial0), len 100, sending Jan 20 16:05:32.743: ICMP type=8, code=0
W&L Page 13CCNA 200-120
2.4.a ping
Host A pings interface S0/0 on router 3.What is the TTL value for that ping?A. 252B. 253C. 254D. 255
From the CCNA ICND2 Exam book: “Routers decrement the TTL by 1 every time they forward a packet; ifa router decrements the TTL to 0, it throws away the packet. This prevents packets from rotating forever. ”I want to make it clear that before the router forwards a packet, the TTL is still remain the same.For example in the topology above, pings to S0/1 and S0/0 of Router 2 have the same TTL. The picture below shows TTL values for each interface of each router and for Host B.Notice that Host A initializes ICMP packet with a TTL of 255:
W&L Page 14CCNA 200-120
2.4.a ping
Interface Down
This is a situation where the interface stops working. In the example below, we try to ping Router4 from Router1:
Router1#ping 34.0.0.4
Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 34.0.0.4, timeout is 2 seconds: U.U.U Success rate is 0 percent (0/5)
Since the routing is fine, we will do the troubleshooting step-by-step. First, let us try to ping Router2:
Router1#ping 12.0.0.2
Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 12.0.0.2, timeout is 2 seconds: !!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/4 ms
W&L Page 15CCNA 200-120
2.4.a ping
From the above, we see that the problem lies between Router2 and Router3. One possibility is that the serial interface on Router3 has been shut down:
Router3#show ip interface brief Serial0 34.0.0.3 YES manual up up Serial1 23.0.0.3 YES manual administratively down down
This is quite simple to fix:
Router3#configure terminal Enter configuration commands, one per line. End with CNTL/Z. Router3(config)#interface s1 Router3(config-if)#no shutdown Router3(config-if)# Jan 20 16:20:53.900: %LINK-3-UPDOWN: Interface Serial1, changed state to up Jan 20 16:20:53.910: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial1, changed state to up
W&L Page 16CCNA 200-120
2.4.a ping
W&L Page 17CCNA 200-120
2.4.a ping
When a host needs to reach a device on another subnet, the ARP cache entry will be that of the Ethernet address of the local router (default gateway) for the physical MAC address. The destination IP address will not change, and will be that of the remote host (HostB).
W&L Page 18CCNA 200-120
2.4.a ping
Which command can be used from a PC to verify the connectivity between hosts that connect through a switch in the same LAN?A. ping addressB. tracert addressC. traceroute addressD. arp address
W&L Page 19CCNA 200-120
2.4.a ping
Explanation:ICMP pings are used to verify connectivity between two IP hosts. Traceroute is used to verify the router hop path traffic will take but in this case since the hosts are in the same LAN there will be no router hops involved.
W&L Page 20CCNA 200-120
2.4.b Telnet
W&L Page 21CCNA 200-120
2.4.b Telnet
The network administrator normally establishes a Telnet session with the switch from host A. However, host A is unavailable. The administrator's attempt to telnet to the switch from host B fails, but pings to the other two hosts are successful.What is the issue?A. Host B and the switch need to be in the same subnet.B. The switch interface connected to the router is down.C. Host B needs to be assigned an IP address in VLAN 1.D. The switch needs an appropriate default gateway assigned.E. The switch interfaces need the appropriate IP addresses assigned.
W&L Page 22CCNA 200-120
2.4.b Telnet
Explanation:Ping was successful form host B to other hosts because of intervlan routing configured on router. But to manage switch via telnet the VLAN32 on the switch needs to be configured interface vlan32 along with ip address and its appropriate default-gateway address. Since VLAN1 interface is already configure on switch Host A was able to telnet switch.
W&L Page 23CCNA 200-120
2.4.b Telnet
A network administrator needs to allow only one Telnet connection to a router. For anyone viewing the configuration and issuing the show run command, the password for Telnet access should be encrypted.Which set of commands will accomplish this task?A. service password-encryption access-list 1 permit 192.168.1.0 0.0.0.255 line vty 0 4 login password cisco access-class 1B. enable password secret line vty 0 login password ciscoC. service password-encryption line vty 1 login password ciscoD. service password-encryption line vty 0 4 login password cisco
W&L Page 24CCNA 200-120
2.4.b Telnet
Explanation:Only one VTY connection is allowed which is exactly what's requested. Incorrect answer: command. Line vty0 4 would enable all 5 vty connections.
W&L Page 25CCNA 200-120
2.4.b Telnet
Which command shows your active Telnet connections?A. show cdp neigborsB. show sessionC. show usersD. show vty logins
W&L Page 26CCNA 200-120
2.4.b Telnet
Explanation:The “show users” shows telnet/ssh connections to your router while “show sessions” shows telnet/ssh connections from your router (to other devices). The question asks about “your active Telnet connections”, meaning connections from your router so the answer should be B.
W&L Page 27CCNA 200-120
2.4.c SSH
W&L Page 28CCNA 200-120
2.4.c SSH
Secure Shell (SSH) is a protocol which provides a secure remote access connection to network devices. Communication between the client and server is encrypted in both SSH version 1 and SSH version 2. Implement SSH version 2 when possible because it uses a more enhanced security encryption algorithm.
W&L Page 29CCNA 200-120
2.4.c SSH
W&L Page 30CCNA 200-120
2.4.c SSH
Test Authentication Authentication Test without SSH First test the authentication without SSH to make sure that authentication works with the router Carter before you add SSH. Authentication can be with a local username and password or with an authentication, authorization, and accounting (AAA) server that runs TACACS+ or RADIUS. (Authentication through the line password is not possible with SSH.) This example shows local authentication, which lets you Telnet into the router with username "cisco" and password "cisco." !--- The aaa new-model command causes the local username and password on the router !--- to be used in the absence of other AAA statements.
aaa new-model username cisco password 0 cisco line vty 0 4 transport input telnet
!--- Instead of aaa new-model, you can use the login local command.
W&L Page 31CCNA 200-120
2.4.c SSH
Authentication Test with SSH In order to test authentication with SSH, you have to add to the previous statements in order to enable SSH on Carter and test SSH from the PC and UNIX stations.
ip domain-name rtp.cisco.com
!--- Generate an SSH key to be used with SSH.
crypto key generate rsa ip ssh time-out 60 ip ssh authentication-retries 2
At this point, the show crypto key mypubkey rsa command must show the generated key. After you add the SSH configuration, test your ability to access the router from the PC and UNIX station.
W&L Page 32CCNA 200-120
Bibliography
• http://www.cisco.com/c/en/us/support/docs/ip/routing-information-protocol-rip/13730-ext-ping-trace.html• http://www.cisco.com/c/en/us/td/docs/ios/12_2/termserv/command/reference/ftersv_r/trfsltn.html#wp998287• http://www.cisco.com/c/en/us/support/docs/security-vpn/secure-shell-ssh/4145-ssh.html
W&L Page 33CCNA 200-120
Q&A
