CCNA_R&S-Student_Lab_Manual

R1(config-line)# line vty 0 4

R1(config-line)# exec-timeout 5 0

R1(config-line)# exit

R1(config)#

b.The following command impedes brute force login attempts. The router blocks login attempts for 30 seconds if someone fails two attempts within 120 seconds. This timer is set especially low for the purpose of this lab.

R1(config)# login block-for 30 attempts 2 within 120

What does the 2 within 120 mean in the above command?

__________________________________________________________________________

__________

What does the block-for 30 mean in the above command?

__________________________________________________________________________

__________

Step 4: Verify that all unused ports are disabled.

Router ports are disabled, by default, but it is always prudent to verify that all unused ports are in an administratively down state. This can be quickly checked by issuing the show ip interface brief command. Any unused ports that are not in an administratively down state should be disabled using the shutdown command in interface configuration mode.

R1# show ip interface brief

R1#

Step 5: Verify that your security measures have been implemented correctly.

a.Use Tera Term to telnet to R1.

Does R1 accept the Telnet connection? ___________________________

Why or why not?

__________________________________________________________________________

__________

b.Use Tera Term to SSH to R1.

Does R1 accept the SSH connection? __________

c.Intentionally mistype the user and password information to see if login access is blocked after two attempts.

What happened after you failed to login the second time?

__________________________________________________________________________

__________

©2013 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public.

Page 221 of 257

__________________________________________________________________________

__________

d.From your console session on the router, issue the show login command to view the login status. In the example below, the show login command was issued within the 30 second login blocking period and shows that the router is in Quiet-Mode. The router will not accept any login attempts for 14 more seconds.

R1# show login

A default login delay of 1 second is applied.

No Quiet-Mode access list has been configured.

Router enabled to watch for login Attacks.

If more than 2 login failures occur in 120 seconds or less, logins will be disabled for 30 seconds.

Router presently in Quiet-Mode.

Will remain in Quiet-Mode for 14 seconds.

Denying logins from all sources.

R1#

e.After the 30 seconds has expired, SSH to R1 again and login using the admin username and Admin15p@55 for the password.

After you successfully logged in, what was displayed? ________________________

f.Enter privileged EXEC mode and use Enablep@55 for the password.

If you mistype this password, are you disconnected from your SSH session after two failed attempts within 120 seconds? ______________

Why or why not?

__________________________________________________________________________

__________

g.Issue the show running-config command at the privileged EXEC prompt to view the security settings you have applied.

Part 182: Configure Basic Security Measures on the Switch

Step 1: Strengthen Passwords on the switch.

Change the privileged EXEC encrypted password to meet strong password guidelines.

S1(config)# enable secret Enablep@55

Note: The security password min-length command is not available on the 2960 switch.

Step 2: Enable SSH Connections.

a.Assign the domain-name as CCNA-lab.com

S1(config)# ip domain-name CCNA-lab.com

b.Create a local user database entry for use when connecting to the router via SSH. The password should meet strong password standards, and the user should have administrative level access.

S1(config)# username admin privilege 15 secret Admin15p@55

c.Configure the transport input for the vty lines to allow SSH connections but not allow Telnet connections.

S1(config)# line vty 0 15

©2013 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public.

Page 222 of 257

S1(config-line)# transport input ssh

d.The vty lines should use the local user database for authentication.

S1(config-line)# login local S1(config-line)# exit

e.Generate a RSA crypto key using a modulus of 1024 bits.

S1(config)# crypto key generate rsa modulus 1024

Step 3: Secure the console and VTY lines.

a.Have the switch log out a line that has been idle for 10 minutes.

S1(config)# line console 0

S1(config-line)# exec-timeout 10 0 S1(config-line)# line vty 0 15 S1(config-line)# exec-timeout 10 0 S1(config-line)# exit

S1(config)#

b.To impede brute force login attempts, configure the switch to block login access for 30 seconds if there are 2 failed attempts within 120 seconds. This timer is set especially low for the purpose of this lab.

S1(config)# login block-for 30 attempts 2 within 120

S1(config)# end

Step 4: Verify that all unused ports are disabled.

Switch ports are enabled, by default. Shut down all ports that are not in use on the switch. a. You can verify the switch port status using the show ip interface brief command.

S1# show ip interface brief

© 2013 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public. Page 223 of 257

b.Use the interface range command to shut down multiple interfaces at a time.

S1(config)# interface range f0/1–4 , f0/7-24 , g0/1-2

S1(config-if-range)# shutdown S1(config-if-range)# end

S1#

c.Verify that all inactive interfaces have been administratively shut down.

S1# show ip interface brief

Step 5: Verify that your security measures have been implemented correctly.

a.Verify that Telnet has been disabled on the switch.

b.SSH to the switch and intentionally mistype the user and password information to see if login access is blocked.

©2013 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public.

Page 224 of 257

c.After the 30 seconds has expired, SSH to S1 again and log in using the admin username and Admin15p@55 for the password.

Did the banner appear after you successfully logged in? __________

d.Enter privileged EXEC mode using Enablep@55 as the password.

e.Issue the show running-config command at the privileged EXEC prompt to view the security settings you have applied.

Part 183: Reflection

The password cisco command was entered for the console and vty lines in your basic configuration in Part 1. When is this password used after the best practice security measures have been applied?

_____________________________________________________________________________

__________

_____________________________________________________________________________

__________

_____________________________________________________________________________

__________

Are preconfigured passwords, shorter than 10 characters, affected by the security passwords minlength 10 command?

_____________________________________________________________________________

__________

_____________________________________________________________________________

__________

_____________________________________________________________________________

__________

© 2013 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public. Page 225 of 257

Lab 26 - Testing Network Latency with Ping and Traceroute

Part 184: Topology

Part 185: Objectives

Part 1: Use Ping to Document Network Latency

Part 2: Use Traceroute to Document Network Latency

Part 186: Background / Scenario

To obtain realistic network latency statistics, this activity must be performed on a live network. Be sure to check with your instructor for any local security restrictions against using the ping command on the network.

The purpose of this lab is to measure and evaluate network latency over time, and during different periods of the day to capture a representative sample of typical network activity. This will be accomplished by analyzing the return delay from a distant computer with the ping command. Return delay times, measured in milliseconds, will be summarized by computing the average latency (mean) and the range (maximum and minimum) of the delay times.

Part 187: Required Resources

1 PC (Windows 7, Vista, or XP with Internet access)

Part 188: Use Ping to Document Network Latency

In Part 1, you will examine network latency to several websites in different parts of the globe. This process can be used in an enterprise production network to create a performance baseline.

Step 1: Verify connectivity.

Ping the following Regional Internet Registry (RIR) websites to verify connectivity:

C:\Users\User1> ping www.arin.net C:\Users\User1> ping www.lacnic.net C:\Users\User1> ping www.afrinic.net C:\Users\User1> ping www.apnic.net

Note: Because www.ripe.net does not reply to ICMP requests, it cannot be used for this lab.

© 2013 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public. Page 226 of 257

Step 2: Collect network data.

You will collect a sufficient amount of data to compute statistics on the ping output by sending out 25 echo requests to each address listed in Step 1. Record the results for each website to text files.

a.At the command prompt, type ping to list the available options.

C:\Users\User1> ping

Usage: ping [-t] [-a] [-n count] [-l size] [-f] [-i TTL] [-v TOS] [-r count] [-s count] [[-j host-list] | [-k host-list]] [-w timeout] [-R] [-S srcaddr] [-4] [-6] target_name

b.Using the ping command with the count option, you can send 25 echo requests to the destination as illustrated below. Furthermore, it will create a text file with filename of arin.txt in the current directory. This text file will contain the results of the echo requests.

C:\Users\User1> ping –n 25 www.arin.net > arin.txt

Note: The terminal remains blank until the command has finished, because the output has been redirected to a text file, arin.txt, in this example. The > symbol is used to redirect the screen output to the file and overwrite the file if it already exists. If appending more results to the file is desired, replace > with >> in the command.

c.Repeat the ping command for the other websites.

C:\Users\User1> ping –n 25 www.afrinic.net > afrinic.txt C:\Users\User1> ping –n 25 www.apnic.net > apnic.txt C:\Users\User1> ping –n 25 www.lacnic.net > lacnic.txt

©2013 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public.

Page 227 of 257

Step 3: Verify data collection.

To see the results in the file created, use the more command at the command prompt.

C:\Users\User1> more arin.txt

Pinging www.arin.net [192.149.252.76] with 32 bytes of data: Reply from 192.149.252.76: bytes=32 time=108ms TTL=45

Reply from 192.149.252.76: bytes=32 time=114ms TTL=45 Reply from 192.149.252.76: bytes=32 time=112ms TTL=45 <output omitted>

Reply from 192.149.252.75: bytes=32 time=111ms TTL=45 Reply from 192.149.252.75: bytes=32 time=112ms TTL=45 Reply from 192.149.252.75: bytes=32 time=112ms TTL=45

Ping statistics for 192.149.252.75:

Packets: Sent = 25, Received = 25, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

Minimum = 107ms, Maximum = 121ms, Average = 111ms

Note: Press the Spacebar to display the rest of the file or press q to exit.

To verify that the files have been created, use the dir command to list the files in the directory. Also the wildcard * can be used to filter only the text files.

C:\Users\User1> dir *.txt

Volume in drive C is OS

Record your results in the following table.

www.afrinic. net

www.apnic. net

www.arin.ne t

www.lacnic. net

Compare the delay results. How is delay affected by geographical location?

_____________________________________________________________________________

_______

© 2013 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public. Page 228 of 257

_____________________________________________________________________________

_______

Part 189: Use Traceroute to Document Network Latency

The routes traced may go through many hops and a number of different ISPs depending on the size of the ISPs and the location of the source and destination hosts. The traceroute commands can also be used to observe network latency. In Part 2, the tracert command is used to trace the path to the same destinations in Part 1.

The tracert command uses ICMP TTL Exceed packets and ICMP echo replies to trace the path.

Step 1: Use the tracert command and record the output to text files.

Copy the following commands to create the traceroute files:

C:\Users\User1> tracert www.arin.net > traceroute_arin.txt C:\Users\User1> tracert www.lacnic.net > traceroute_lacnic.txt C:\Users\User1> tracert www.afrinic.net > traceroute_afrinic.txt C:\Users\User1> tracert www.apnic.net > traceroute_apnic.txt

Step 2: Use the more command to examine the traced path.

a.Use the more command to access the content of these files:

C:\Users\User1> more traceroute_arin.txt

Tracing route to www.arin.net [192.149.252.75] over a maximum of 30 hops:

Trace complete.

In this example, it took less than 1 ms to receive a reply from the default gateway (192.168.1.1). In hop count 6, the round trip to 68.1.1.7 took an average of 71 ms. For the round trip to the final destination at www.arin.net took an average of 72 ms.

Between lines 5 and 6, there is more network delay as indicated by the round trip time increase from an average of 11 ms to 71 ms

b.Perform the same analysis with the rest of the tracert results.

What can you conclude regarding the relationship between the roundtrip time and geographical location?

©2013 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public.

Page 229 of 257

__________________________________________________________________________

__________

__________________________________________________________________________

__________

Part 190: Reflection

The tracert and ping results can provide important network latency information. What do you need to do if you want an accurate baseline picture regarding network latency for your network?

_____________________________________________________________________________

__________

How can you use the baseline information?

_____________________________________________________________________________

__________

© 2013 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public. Page 230 of 257