Router Standard Access-List

1./ Router HQ

hostname ROUTER-HQ

interface fa0/0
 ip address 10.0.1.1 255.255.255.0
 no shutdown
 exit

interface fa0/1
 ip address 192.168.12.1 255.255.255.0
 no shutdown
 exit

interface serial0/1/0
 ip address 192.168.11.1 255.255.255.0
 clock rate 2000000
 no shutdown
 exit


ip route 10.1.1.0 255.255.255.0 192.168.11.2
ip route 10.2.1.0 255.255.255.0 192.168.12.2
ip route 10.3.1.0 255.255.255.0 192.168.12.3


2./ Router KCM


hostname ROUTER-KCM

interface fa0/0
 ip address 10.1.1.1 255.255.255.0
 no shutdown
 exit

interface s0/0
 ip address 192.168.11.2 255.255.255.0
 no shutdown
 exit

ip route 10.0.1.0 255.255.255.0 192.168.11.1
ip route 10.2.1.0 255.255.255.0 192.168.11.1
ip route 10.3.1.0 255.255.255.0 192.168.11.1


3./ Router BTB


hostname ROUTER-BTB

interface fa0/0
 ip address 10.2.1.1 255.255.255.0
 no shutdown
 exit

interface fa0/1
 ip address 192.168.12.2 255.255.255.0
 no shutdown
 exit

ip route 10.0.1.0 255.255.255.0 192.168.12.1
ip route 10.1.1.0 255.255.255.0 192.168.12.1
ip route 10.3.1.0 255.255.255.0 192.168.12.3


4./ Router SRP


hostname ROUTER-SRP

interface fa0/0
 ip address 10.3.1.1 255.255.255.0
 no shutdown
 exit

interface fa0/1
 ip address 192.168.12.3 255.255.255.0
 no shutdown
 exit

ip route 10.0.1.0 255.255.255.0 192.168.12.1
ip route 10.1.1.0 255.255.255.0 192.168.12.1
ip route 10.2.1.0 255.255.255.0 192.168.12.2


5./ Standard Access Control List (ACL):

===============================================

Exercise 1:

Block laptop 1 (10.0.1.2) in LAN HQ from reaching hosts on the other networks,
but leave the other laptops and the server in LAN HQ unrestricted.

ROUTER HQ:

access-list 20 deny host 10.0.1.2
access-list 20 permit any
! no explicit "deny any" is needed: every ACL ends with an implicit deny, and an
! entry placed after "permit any" can never match

interface fa0/0
 ip access-group 20 in

! inbound on fa0/0 only sees packets entering the router from LAN HQ; traffic between
! laptop 1 and the other hosts on 10.0.1.0/24 never crosses the router and is unaffected


1./ remove standard acl 20

no access-list 20

! any "no access-list 20 ..." form, whatever follows the number, deletes the whole
! numbered ACL, not just the one entry; to delete a single entry use
!   ip access-list standard 20
!    no deny host 10.0.1.2
! remove the ACL from the interface first (next step): an "ip access-group" that
! points at an ACL which no longer exists permits all traffic on that interface


2./ remove the inbound filter from fa0/0

interface fa0/0
 no ip access-group 20 in



3./ apply access-list 20 outbound on the interfaces that lead to the other networks
    (ACL 20 must exist again: re-enter its two entries if step 1 deleted the list)

interface serial0/1/0
 ip access-group 20 out

interface fa0/1
 ip access-group 20 out


===============================================

Exercise 2:

Block laptop 6 (10.3.1.2) in LAN SRP from reaching any host in LAN HQ.
Block every laptop in LAN KCM (10.1.1.0/24) from reaching any host in LAN HQ.
All other laptops stay allowed. The ACL must be applied on ROUTER HQ.


ROUTER HQ:

access-list 99 deny host 10.3.1.2
access-list 99 deny 10.1.1.0 0.0.0.255
access-list 99 permit any

interface f0/0
 ip access-group 99 out

! outbound on f0/0 filters only packets the router forwards onto the HQ LAN; it does not
! stop the blocked hosts from reaching the router's own address 10.0.1.1, because traffic
! addressed to the router itself is never "outbound" on an interface. Use a vty
! access-class for that.

--------insert an extra entry into the existing numbered ACL (using a sequence number):
Block laptop 4 (10.2.1.2) in LAN BTB from reaching all hosts in LAN HQ.

--------check the sequence numbers first (IOS numbers the entries 10, 20, 30, ... by default):

# show access-lists

ip access-list standard 99
 25 deny host 10.2.1.2

! 25 lands between "20 deny 10.1.1.0 0.0.0.255" and "30 permit any"; an entry added with
! the plain "access-list 99 deny host 10.2.1.2" form would be appended after "permit any"
! and never match


===============================================

REQUIREMENT 3:

Allow the web server (10.0.1.3) and LAN KCM (10.1.1.0/24) to reach LAN BTB (10.2.1.0/24);
deny every other host.
The ACL must be applied on ROUTER BTB.

ROUTER BTB:

access-list 3 permit host 10.0.1.3
access-list 3 permit 10.1.1.0 0.0.0.255
access-list 3 deny any
! the explicit "deny any" is redundant with the implicit deny, but it gives a hit
! counter in "show access-lists" so the blocked traffic becomes visible

interface fa0/1
 ip access-group 3 in

===============================================

REQUIREMENT 4:

Allow only LaptopX (10.0.1.10) in LAN HQ to telnet to ROUTER HQ;
deny every other host. The ACL must be applied on ROUTER HQ.

line vty 0 4
 password telnetpass
 login
 exit

enable secret secretpass

access-list 66 permit host 10.0.1.10
line vty 0 4
 access-class 66 in

! access-class is evaluated before the login prompt, so the other hosts never get to
! try a password. Apply it to every vty the platform has (some have vty 0 15), and
! prefer SSH over telnet: telnet sends the password in cleartext.


************ Lesson ****************

Access Control List (ACL)

Standard ACL characteristics:
- permits or denies traffic: a packet is checked against the entries in order, the first
  match wins, and an implicit "deny any" sits at the end of every list
- matches on the source IP address only
- applies to all IP protocols (no port or destination matching)
- Cisco recommends placing a standard ACL on the router closest to the destination,
  because it cannot tell destinations apart and would otherwise block more than intended

Sample config:

Step 1: create standard acl statements:

(config)# access-list acl-id permit/deny src-ip-address

acl-id = 1 ---> 99 or 1300 --->1999

src-ip-address:
 1) a single host: 10.0.1.2/32     (a host has all 32 mask bits set)
     /32 --> subnet mask: 255.255.255.255
         --> wildcard mask = 255.255.255.255 - subnet mask
                           = 0.0.0.0

---> src-ip-address:     host 10.0.1.2 OR 10.0.1.2 0.0.0.0
(config)# access-list acl-id permit/deny host 10.0.1.2
(config)# access-list acl-id permit/deny 10.0.1.2 0.0.0.0

src-ip-address:
 2) network address: 10.0.1.0/24           (network block)
     /24 --> subnet mask: 255.255.255.0
         --> wildcard mask= 255.255.255.255 - subnet mask=
                          =  0.0.0.255

---> src-ip-address: 10.0.1.0 0.0.0.255
(config)# access-list acl-id permit/deny 10.0.1.0 0.0.0.255

src-ip-address:
 3) unspecified: 0.0.0.0/0
     /0 --> subnet mask: 0.0.0.0
         --> wildcard mask= 255.255.255.255 - subnet mask=
                          =  255.255.255.255

---> src-ip-address: 0.0.0.0 255.255.255.255 OR any
(config)# access-list acl-id permit/deny 0.0.0.0 255.255.255.255
(config)# access-list acl-id permit/deny any



Step 2: apply standard acl into interface

(config)# interface name
(config-if)# ip access-group acl-id in/out
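The lesson above derives wildcard masks and describes first-match evaluation. The following Python is an added example (not part of the original notes) that models a numbered standard ACL the way IOS treats it: wildcard mask derivation, first-match with the implicit deny, sequence-number insertion as in the `ip access-list standard 99` / `25 deny host ...` step, and a check for entries that can never match, such as a `deny any` placed after `permit any`. The ACL contents are taken from the exercises on this page; the class and function names are my own.

```python
"""Standard ACL semantics: wildcard masks, first-match evaluation with the
implicit deny, sequence-number insertion, and a check for entries that can
never match. Numbered standard ACL behaviour as on IOS; the data is constructed
from the exercises above."""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


def _ip(s: str) -> int:
    return int(ipaddress.IPv4Address(s))


def wildcard_from_prefix(prefix_len: int) -> str:
    """Wildcard mask = 255.255.255.255 - subnet mask, as the lesson derives it."""
    netmask = int(ipaddress.IPv4Network(f"0.0.0.0/{prefix_len}").netmask)
    return str(ipaddress.IPv4Address(0xFFFFFFFF - netmask))


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """IOS wildcard semantics: a 0 bit in the wildcard must match, a 1 bit is don't-care."""
    care = ~_ip(wildcard) & 0xFFFFFFFF
    return (_ip(addr) & care) == (_ip(base) & care)


@dataclass
class Entry:
    seq: int
    action: str        # "permit" or "deny"
    base: str
    wildcard: str


@dataclass
class StandardAcl:
    number: int
    entries: List[Entry] = field(default_factory=list)

    def add(self, text: str, seq: Optional[int] = None) -> "StandardAcl":
        """text is what follows 'access-list N': 'deny host 10.0.1.2',
        'permit 10.1.1.0 0.0.0.255', 'permit any'. Without seq the entry is
        appended at the next multiple of 10 (what the numbered form does);
        with seq it is placed in order (ip access-list standard N mode)."""
        tok = text.split()
        action, rest = tok[0], tok[1:]
        if action not in ("permit", "deny"):
            raise ValueError(f"unknown action {action!r}")
        if rest[0] == "any":
            base, wc = "0.0.0.0", "255.255.255.255"
        elif rest[0] == "host":
            base, wc = rest[1], "0.0.0.0"
        else:                                    # 'addr [wildcard]'; a bare addr means host
            base, wc = rest[0], (rest[1] if len(rest) > 1 else "0.0.0.0")
        if seq is None:
            seq = (max((e.seq for e in self.entries), default=0) // 10 + 1) * 10
        if any(e.seq == seq for e in self.entries):
            raise ValueError(f"duplicate sequence number {seq}")
        self.entries.append(Entry(seq, action, base, wc))
        self.entries.sort(key=lambda e: e.seq)
        return self

    def evaluate(self, src: str) -> Tuple[str, Optional[int]]:
        """First matching entry wins; no match hits the implicit deny (seq None)."""
        for e in self.entries:
            if wildcard_match(src, e.base, e.wildcard):
                return e.action, e.seq
        return "deny", None

    def shadowed(self) -> List[int]:
        """Sequence numbers of entries that can never match because an earlier
        entry already covers every source address they would match."""
        out = []
        for j, late in enumerate(self.entries):
            for early in self.entries[:j]:
                fixed_early = ~_ip(early.wildcard) & 0xFFFFFFFF
                # early covers late if it fixes no bit that late leaves free and
                # agrees with late on every bit it does fix
                if (fixed_early & _ip(late.wildcard)) == 0 and \
                        wildcard_match(late.base, early.base, early.wildcard):
                    out.append(late.seq)
                    break
        return out


def build_acl_99() -> StandardAcl:
    """Exercise 2's ACL 99, including the entry later inserted at sequence 25."""
    acl = StandardAcl(99)
    acl.add("deny host 10.3.1.2")              # seq 10
    acl.add("deny 10.1.1.0 0.0.0.255")         # seq 20
    acl.add("permit any")                      # seq 30
    acl.add("deny host 10.2.1.2", seq=25)      # ip access-list standard 99 / 25 deny host 10.2.1.2
    return acl


def build_acl_20_exercise1() -> StandardAcl:
    """Exercise 1's ACL 20 with an explicit 'deny any' after 'permit any': unreachable."""
    return StandardAcl(20).add("deny host 10.0.1.2").add("permit any").add("deny any")


if __name__ == "__main__":
    acl = build_acl_99()
    for src in ("10.3.1.2", "10.1.1.7", "10.2.1.2", "10.3.1.3"):
        print(src, "->", acl.evaluate(src))
    print("unreachable entries in ACL 20:", build_acl_20_exercise1().shadowed())
```

`shadowed()` is the check worth running before pasting any long ACL into a router: IOS accepts an unreachable entry without complaint, and the hit counters in `show access-lists` are the only hint that it never fires.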


************* Exercise *******************


REQUIREMENT 1:

Block the web server (10.0.1.3) in LAN HQ from reaching hosts on the other networks,
but leave the other laptops and the server in LAN HQ unrestricted.

ROUTER HQ:

???

access-list 10 deny host 10.0.1.3
access-list 10 permit any

======= filter outbound (apply)
???

int se0/1/0
ip access-group 10 out
exit
int f0/1
ip access-group 10 out

======= remove from interface
???


int se0/1/0
no ip access-group 10 out
exit

int f0/1
no ip access-group 10 out
exit

no access-list 10

######################################################

REQUIREMENT 2:

Block laptop 7 (10.3.1.3) in LAN SRP from reaching any host in LAN HQ.
Block every laptop in LAN BTB (10.2.1.0/24) from reaching any host in LAN HQ.
All other laptops stay allowed. The ACL must be applied on ROUTER HQ.


ROUTER HQ:

???

access-list 20 deny host 10.3.1.3
access-list 20 deny 10.2.1.0 0.0.0.255
access-list 20 permit any

int f0/0
ip access-group 20 out



--------insert an extra entry into the existing numbered ACL (using a sequence number):
Block laptop 6 (10.3.1.2) in LAN SRP from reaching all hosts in LAN HQ.

???


ip access-list standard 20
 15 deny host 10.3.1.2
! the entries were numbered 10, 20, 30 when created, so 15 goes before "30 permit any";
! check with "show access-lists" first


######################################################

REQUIREMENT 3:

Allow only Laptop3 (10.1.1.3) in LAN KCM to telnet to ROUTER HQ; deny every other host.
The ACL must be applied on ROUTER HQ.
Set the telnet password: telnetpwd
Set the enable secret: secretpwd


Router HQ

???


line vty 0 4
password telnetpwd
login
exit

enable secret secretpwd

access-list 30 permit host 10.1.1.3
line vty 0 4
access-class 30 in
! "line vty 0" alone would protect only the first vty; a second session lands on vty 1,
! which would still accept any telnet source


Administrative access control for Cisco routers

1/- Set enable password: protects privileged EXEC mode, but is stored in cleartext
    (or as a reversible type 7 string once service password-encryption is on)

enable password myPassword


2/- Set enable secret: protects privileged EXEC mode with a hashed password; when both
    are configured the secret wins, so the enable password is only legacy baggage

enable secret mysecretpass


3/- Set console password: logging in on the console then requires the line password

enable
configure terminal
line console 0
 password consolepass
 login


4/- Set username and password for the console: "login local" makes the console ask for a
    username and password from the local user database

username user1 secret user1pass
line console 0
 login local


5/- Same, with privilege 15: the user lands directly in privileged EXEC mode, so no
    enable password is prompted for

username user1 privilege 15 secret user1pass
line console 0
 login local




6/- Set telnet password: logging in over telnet requires the line password
    (telnet is cleartext; see the SSH setup below for the secure alternative)
    Ex: IP router: 192.168.2.1/24

line vty 0 4
 password telnetpass
 login



7/- Set username and password for telnet: logging in over telnet requires a local
    username and password


interface fa0/0
 ip address 192.168.2.1 255.255.255.0
 no shutdown
 exit
username user1 secret user1pass
line vty 0 4
 login local
enable secret secretpass


8/- Same, with privilege 15: the user lands directly in privileged EXEC mode, so no
    enable password is prompted for


interface fa0/0
 ip address 192.168.2.1 255.255.255.0
 no shutdown
 exit
username user1 privilege 15 secret user1pass
line vty 0 4
 login local
enable secret secretpass



---------------------------------
9/- Set up SSH remote access to a router or switch (Secure SHell, 22/tcp):

Ex: R1-> IP: 192.168.2.1


interface fa0/0
 ip address 192.168.2.1 255.255.255.0
 no shutdown
 exit

hostname R1
enable secret secretpass
username user1 secret user1pass
ip domain-name www.cambodia.com
! hostname and domain-name must be set before the key is generated: the RSA key pair is
! named after them. The size can be given inline instead of at the interactive prompt;
! 1024 bits is below current guidance, use at least 2048
crypto key generate rsa modulus 2048

ip ssh version 2
line vty 0 4
 login local
 transport input ssh
! "transport input ssh" also closes telnet on the vty lines


(remote PC> ssh -l user1 192.168.2.1)


----------------------------------------------

SSH from one Cisco router to another (IOS SSH client):

# ssh -v 2 -l [username1] [ipofrouter2]
# ssh -l [username1] [ipofrouter2]

---------------------------------
10/- Set a banner shown at login:

banner motd "Access for authorized users only. Please enter your username and password."  : option 1
banner motd #Access for authorized users only. Please enter your username and password.#  : option 2
banner motd ^Access for authorized users only. Please enter your username and password.^  : option 3
(the first character after "banner motd" is the delimiter; the text ends at its next occurrence)

+ to hide passwords set with the "password" keyword in the config:

service password-encryption
(this is type 7 obfuscation, reversible in seconds; it only stops shoulder-surfing of
"show run". Use "secret" wherever the command supports it)

+ to stop the router treating a mistyped command as a hostname and hanging the CLI
  until the DNS lookup times out:

 no ip domain-lookup
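To tie the points above together, here is an added example (my code, not the notes' own) that audits a saved IOS configuration for the weak settings this section warns about: `enable password` without `enable secret`, users defined with `password` instead of `secret`, cleartext line passwords, telnet left open on the vty lines, and vty lines without an `access-class`. The two configurations it checks are constructed for the example from the telnet and SSH snippets above, not captured from a device.

```python
"""Audit a Cisco IOS running-config for the weak management-access settings
covered above: enable password vs enable secret, cleartext line passwords,
telnet left open on the vty lines, vty lines without an access-class."""
import re
from typing import List, Tuple


def _sections(config: str) -> List[Tuple[str, List[str]]]:
    """Split a config dump into (top-level command, [indented sub-commands]).
    Comment lines ('!') and blank lines are skipped."""
    sections: List[Tuple[str, List[str]]] = []
    for raw in config.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw[0].isspace() and sections:
            sections[-1][1].append(raw.strip())
        else:
            sections.append((raw.strip(), []))
    return sections


def audit_config(config: str) -> List[str]:
    """Return one finding per weak setting; an empty list means nothing was flagged."""
    sections = _sections(config)
    top = [h for h, _ in sections]
    findings: List[str] = []

    has_secret = any(h.startswith("enable secret") for h in top)
    if any(h.startswith("enable password") for h in top) and not has_secret:
        findings.append("enable password without enable secret: type 0/7 storage is recoverable from the config")
    if not has_secret:
        findings.append("no enable secret: privileged EXEC is unprotected or relies on a reversible password")

    for h in top:
        m = re.match(r"username (\S+) .*\bpassword\b", h)
        if m:
            findings.append(f"user {m.group(1)} defined with 'password' (type 0/7): use 'username ... secret'")

    line_pw = any(c.startswith("password ") for h, kids in sections
                  if h.startswith("line ") for c in kids)
    if line_pw and "service password-encryption" not in top:
        findings.append("line passwords stored in cleartext: enable service password-encryption, or better, login local with secrets")

    if "ip ssh version 2" not in top:
        findings.append("ip ssh version 2 not set: SSHv1 may still be negotiated")

    for h, kids in sections:
        if not h.startswith("line vty"):
            continue
        transport = next((c for c in kids if c.startswith("transport input")), None)
        if transport != "transport input ssh":
            findings.append(f"{h}: transport input is '{transport or 'default, not restricted to ssh'}'; set 'transport input ssh'")
        if not any(c.startswith("access-class") for c in kids):
            findings.append(f"{h}: no access-class; any host that can reach the router may try to log in")
        if "login local" not in kids and not any(c.startswith("login authentication") for c in kids):
            findings.append(f"{h}: line password or no login at all; prefer 'login local' with per-user secrets")
    return findings


# Constructed sample configs (not captured from a real device), modelled on the
# telnet-only and SSH examples above.
WEAK_CONFIG = """\
hostname ROUTER-HQ
enable password myPassword
username user1 password user1pass
interface FastEthernet0/0
 ip address 10.0.1.1 255.255.255.0
line console 0
 password consolepass
 login
line vty 0 4
 password telnetpass
 login
"""

HARDENED_CONFIG = """\
hostname ROUTER-HQ
service password-encryption
enable secret secretpass
username user1 privilege 15 secret user1pass
ip domain-name www.cambodia.com
ip ssh version 2
access-list 66 permit host 10.0.1.10
line console 0
 login local
line vty 0 4
 access-class 66 in
 login local
 transport input ssh
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {name}: {len(audit_config(cfg))} finding(s)")
        for f in audit_config(cfg):
            print("  -", f)
```

Feed it the text of `show running-config` saved from each device; the RSA key size is not visible in the running config, so that one still has to be read from `show crypto key mypubkey rsa`.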


************** Exercise ***************

###SET PASSWORD ON ROUTER HQ###

1) Set secret password (secretpwd$) : Protect Privilege Exec Mode

???

enable secret secretpwd$

----------------------------

2) Set Console password (consolepwd$) : When login via console, required console password

???

line console 0
password consolepwd$
login


----------------------

3) Set Telnet password (telnetpwd$) : When login via telnet remote access, required telnet password

???


line vty 0 4
password telnetpwd$
login
! configure all five vty lines together: with only vty 0 set, a second simultaneous
! session lands on vty 1, which has no password and refuses the login


################################################
###SET PASSWORD ON ROUTER KCM###
--------------------------------
4) Enable SSH version 2 with a local user
Username: john
Password: johnpwd$
and set the enable secret (secretpwd$)

???


enable secret secretpwd$

username john secret johnpwd$

ip domain-name www.cambodia.com

crypto key generate rsa modulus 2048
! key size given inline instead of at the prompt; 1024 bits is below current guidance


ip ssh version 2
line vty 0 4
login local
transport input ssh







Administrative access control for Cisco switches

1- Set enable password or enable secret: protect privileged EXEC mode
   (the secret is hashed and wins when both exist; the password is reversible)


switch>enable
switch#configure terminal
switch(config)#enable password myPassword
switch(config)#enable secret mySecret

+ to hide passwords set with the "password" keyword (type 7, reversible; prefer "secret"):

switch(config)#service password-encryption


2- Set telnet password: logging in over telnet requires the line password


switch>enable
switch#configure terminal
switch(config)#line vty 0 4
switch(config-line)#password telnetPassword
switch(config-line)#login


3- Set username and password: logging in over telnet requires a local username and password

switch>enable
switch#configure terminal
switch(config)#interface vlan1
switch(config-if)#ip address 192.168.2.5 255.255.255.0
switch(config-if)#no shutdown
switch(config-if)#exit
switch(config)#ip default-gateway 192.168.2.1
switch(config)#username User secret 123
switch(config)#line vty 0 4
switch(config-line)#login local
switch(config-line)#exit
switch(config)#enable secret secretpass


4- Set up SSH access to the switch (Secure SHell, 22/tcp):

Ex: Switch --> IP: 192.168.2.2

switch>enable
switch#configure terminal
switch(config)#interface vlan1
switch(config-if)#ip address 192.168.2.2 255.255.255.0
switch(config-if)#no shutdown
switch(config-if)#exit
switch(config)#enable secret secretpass
switch(config)#username User secret Userpass
switch(config)#ip domain-name www.cambodia.com
switch(config)#crypto key generate rsa modulus 2048
! key size given inline instead of at the prompt; 1024 bits is below current guidance
switch(config)#ip ssh version 2
switch(config)#line vty 0 4
switch(config-line)#login local
switch(config-line)#transport input ssh



==> login PC> ssh -l User 192.168.2.2


********** Lesson **************

1/- Set enable password: protects privileged EXEC mode, but is stored in cleartext
    (or as a reversible type 7 string once service password-encryption is on)

enable password myPassword


2/- Set enable secret: protects privileged EXEC mode with a hashed password; when both
    are configured the secret wins

enable secret mysecretpass



3/- Set telnet password: logging in over telnet requires the line password
    Ex: switch management IP (interface vlan 1): 192.168.2.5/24

line vty 0 4
 password telnetpass
 login



4/- Set username and password for telnet: logging in over telnet requires a local
    username and password


interface vlan 1
 ip address 192.168.2.5 255.255.255.0
 no shutdown
 exit
ip default-gateway 192.168.2.1
username user1 secret user1pass
line vty 0 4
 login local
enable secret secretpass


5/- Same, with privilege 15: the user lands directly in privileged EXEC mode, so no
    enable password is prompted for


interface vlan 1
 ip address 192.168.2.5 255.255.255.0
 no shutdown
 exit
ip default-gateway 192.168.2.1
username user1 privilege 15 secret user1pass
line vty 0 4
 login local
enable secret secretpass


6/- Set up SSH access to a router or switch (Secure SHell, 22/tcp):

Ex: Sw1--> IP: 192.168.2.5

hostname R1_Sw1
interface vlan 1
 ip address 192.168.2.5 255.255.255.0
 no shutdown
 exit
ip default-gateway 192.168.2.1

username mengheang secret Passw0rd
ip domain-name www.cambodia.com
! hostname and domain-name must be set before the key is generated (the key pair is
! named after them); 1024 bits is below current guidance, use at least 2048
crypto key generate rsa modulus 2048

ip ssh version 2
line vty 0 4
 login local
 transport input ssh
exit
enable secret secretpass


(the same steps apply on a router; only the management interface differs)

(remote PC> ssh -l mengheang 192.168.2.5)

----------------------------------------------

How to ssh remote access from Cisco Router1 to Cisco Router2

# ssh -v 2 -l [username1] [ipofrouter2]
# ssh -l [username1] [ipofrouter2]

---------------------------------
7/- Set a banner shown at login:

banner motd "Access for authorized users only. Please enter your username and password."  : option 1
banner motd #Access for authorized users only. Please enter your username and password.#  : option 2
banner motd ^Access for authorized users only. Please enter your username and password.^  : option 3
(the first character after "banner motd" is the delimiter; the text ends at its next occurrence)

+ to hide passwords set with the "password" keyword in the config:

service password-encryption
(type 7 obfuscation, reversible in seconds; use "secret" wherever the command supports it)

+ to stop the switch treating a mistyped command as a hostname and hanging the CLI
  until the DNS lookup times out:

 no ip domain-lookup

Static route and Default route of Cisco Router

1. Router BTB


Router>enable
Router#configure terminal
Router(config)#hostname ROUTER-BTB
ROUTER-BTB(config)#interface fa0/0
ROUTER-BTB(config-if)#ip address 192.168.1.10 255.255.255.248
ROUTER-BTB(config-if)#no shutdown
ROUTER-BTB(config-if)#exit
ROUTER-BTB(config)#interface fa0/1
ROUTER-BTB(config-if)#ip address 10.2.1.1 255.255.255.0
ROUTER-BTB(config-if)#no shutdown
ROUTER-BTB(config-if)#exit
ROUTER-BTB(config)#ip route 10.3.1.0 255.255.255.0 192.168.1.11
ROUTER-BTB(config)#ip route 0.0.0.0 0.0.0.0 192.168.1.9


2. Router HQ


Router>enable
Router#configure terminal
Router(config)#hostname ROUTER-HQ
ROUTER-HQ(config)#interface fa0/0
ROUTER-HQ(config-if)#ip address 10.0.1.1 255.255.255.0
ROUTER-HQ(config-if)#no shutdown
ROUTER-HQ(config-if)#exit
ROUTER-HQ(config)#interface fa0/1
ROUTER-HQ(config-if)#ip address 192.168.1.9 255.255.255.248
ROUTER-HQ(config-if)#no shutdown
ROUTER-HQ(config-if)#exit
ROUTER-HQ(config)#interface serial0/1/0
ROUTER-HQ(config-if)#ip address 192.168.1.1 255.255.255.252
ROUTER-HQ(config-if)#clock rate 2000000
ROUTER-HQ(config-if)#no shutdown
ROUTER-HQ(config-if)#exit
ROUTER-HQ(config)#ip route 10.1.1.0 255.255.255.0 192.168.1.2
ROUTER-HQ(config)#ip route 10.2.1.0 255.255.255.0 192.168.1.10
ROUTER-HQ(config)#ip route 10.3.1.0 255.255.255.0 192.168.1.11


3. Router KCM

Router>enable
Router#configure terminal
Router(config)#hostname ROUTER-KCM
ROUTER-KCM(config)#interface fa0/0
ROUTER-KCM(config-if)#ip address 10.1.1.1 255.255.255.0
ROUTER-KCM(config-if)#no shutdown
ROUTER-KCM(config-if)#exit
ROUTER-KCM(config)#interface se0/0
ROUTER-KCM(config-if)#ip address 192.168.1.2 255.255.255.252
ROUTER-KCM(config-if)#no shutdown
ROUTER-KCM(config-if)#exit
ROUTER-KCM(config)#ip route 0.0.0.0 0.0.0.0 192.168.1.1

4. Router SRP

Router>enable
Router#configure terminal
Router(config)#hostname ROUTER-SRP
ROUTER-SRP(config)#interface fa0/0
ROUTER-SRP(config-if)#ip address 192.168.1.11 255.255.255.248
ROUTER-SRP(config-if)#no shutdown
ROUTER-SRP(config-if)#exit
ROUTER-SRP(config)#interface fa0/1
ROUTER-SRP(config-if)#ip address 10.3.1.1 255.255.255.0
ROUTER-SRP(config-if)#no shutdown
ROUTER-SRP(config-if)#exit
ROUTER-SRP(config)#ip route 10.2.1.0 255.255.255.0 192.168.1.10
ROUTER-SRP(config)#ip route 0.0.0.0 0.0.0.0 192.168.1.9

Default route and Static route of Cisco

1- Router TV3

Router>enable
Router#configure terminal
Router(config)#Hostname TV3
TV3(config)#interface fa0/0
TV3(config-if)#ip add 192.2.2.1 255.255.255.0
TV3(config-if)#no shut
TV3(config-if)#exit
TV3(config)#int f0/1
TV3(config-if)#ip add 12.0.2.5 255.255.255.252
TV3(config-if)#no shut
TV3(config-if)#exit
TV3(config)#ip route 0.0.0.0 0.0.0.0 12.0.2.6
TV3(config)#exit

2- Router TV11

Router>enable
Router#configure terminal
Router(config)#Hostname TV11
TV11(config)#int f0/0
TV11(config-if)#ip add 129.27.201.2 255.255.255.252
TV11(config-if)#no shut
TV11(config-if)#exit
TV11(config)#int f0/1
TV11(config-if)#ip add 195.5.5.1 255.255.255.0
TV11(config-if)#no shut
TV11(config-if)#exit
TV11(config)#ip route 0.0.0.0 0.0.0.0 129.27.201.1
TV11(config)#exit

3- Router TV9


Router>enable
Router#configure terminal
Router(config)#Hostname TV9
TV9(config)#int f0/0
TV9(config-if)#ip add 196.6.6.1 255.255.255.0
TV9(config-if)#no shut
TV9(config-if)#ex
TV9(config)#int s0/1
TV9(config-if)#ip add 205.129.131.14 255.255.255.252
TV9(config-if)#clock rate 9600
TV9(config-if)#bandwidth 256
TV9(config-if)#no shut
TV9(config-if)#exit
TV9(config)#ip route 0.0.0.0 0.0.0.0 205.129.131.13
TV9(config)#exit

4- Router TVK


Router>enable
Router#configure terminal
Router(config)#Hostname TVK
TVK(config)#int f0/0
TVK(config-if)#ip add 193.3.3.1 255.255.255.0
TVK(config-if)#no shut
TVK(config-if)#exit
TVK(config)#int s0/0
TVK(config-if)#ip add 213.152.31.10 255.255.255.252
TVK(config-if)#clock rate 9600
TVK(config-if)#bandwidth 256
TVK(config-if)#no shut
TVK(config-if)#exit
TVK(config)#ip route 0.0.0.0 0.0.0.0 213.152.31.9
TVK(config)#end
TVK#copy running-config startup-config


5. Router CTN


Router>enable
Router#configure terminal
Router(config)#Hostname CTN
CTN(config)#int f0/0
CTN(config-if)#ip add 129.27.201.1 255.255.255.252
CTN(config-if)#no shut
CTN(config-if)#exit
CTN(config)#int f0/1
CTN(config-if)#ip add 12.0.2.6 255.255.255.252
CTN(config-if)#no shut
CTN(config-if)#exit
CTN(config)#int s0/0
CTN(config-if)#ip add 213.152.31.9 255.255.255.252
CTN(config-if)#no shut
CTN(config-if)#exit
CTN(config)#int s0/1
CTN(config-if)#ip add 205.129.131.13 255.255.255.252
CTN(config-if)#no shut
CTN(config-if)#ex
CTN(config)#ip route 192.2.2.0 255.255.255.0 12.0.2.5
CTN(config)#ip route 195.5.5.0 255.255.255.0 129.27.201.2
CTN(config)#ip route 196.6.6.0 255.255.255.0 205.129.131.14
CTN(config)#ip route 193.3.3.0 255.255.255.0 213.152.31.10
CTN(config)#exit

Static route to many router of Cisco

1- Router TV3

Router>enable
Router#configure terminal
Router(config)#Hostname TV3
TV3(config)#interface fa0/0
TV3(config-if)#ip add 192.2.2.1 255.255.255.0
TV3(config-if)#no shut
TV3(config-if)#exit
TV3(config)#int f0/1
TV3(config-if)#ip add 12.0.2.5 255.255.255.252
TV3(config-if)#no shut
TV3(config-if)#exit
TV3(config)#ip route 129.27.201.0 255.255.255.252 12.0.2.6
TV3(config)#ip route 195.5.5.0 255.255.255.0 12.0.2.6
TV3(config)#ip route 205.129.131.12 255.255.255.252 12.0.2.6
TV3(config)#ip route 196.6.6.0 255.255.255.0 12.0.2.6
TV3(config)#ip route 213.152.31.8 255.255.255.252 12.0.2.6
TV3(config)#ip route 193.3.3.0 255.255.255.0 12.0.2.6
TV3(config)#exit

2- Router TV11

Router>enable
Router#configure terminal
Router(config)#Hostname TV11
TV11(config)#int f0/0
TV11(config-if)#ip add 129.27.201.2 255.255.255.252
TV11(config-if)#no shut
TV11(config-if)#exit
TV11(config)#int f0/1
TV11(config-if)#ip add 195.5.5.1 255.255.255.0
TV11(config-if)#no shut
TV11(config-if)#exit
TV11(config)#ip route 205.129.131.12 255.255.255.252 129.27.201.1
TV11(config)#ip route 196.6.6.0 255.255.255.0 129.27.201.1
TV11(config)#ip route 213.152.31.8 255.255.255.252 129.27.201.1
TV11(config)#ip route 193.3.3.0 255.255.255.0 129.27.201.1
TV11(config)#ip route 12.0.2.4 255.255.255.252 129.27.201.1
TV11(config)#ip route 192.2.2.0 255.255.255.0 129.27.201.1
TV11(config)#exit

3- Router TV9


Router>enable
Router#configure terminal
Router(config)#Hostname TV9
TV9(config)#int f0/0
TV9(config-if)#ip add 196.6.6.1 255.255.255.0
TV9(config-if)#no shut
TV9(config-if)#ex
TV9(config)#int s0/1
TV9(config-if)#ip add 205.129.131.14 255.255.255.252
TV9(config-if)#clock rate 9600
TV9(config-if)#bandwidth 256
TV9(config-if)#no shut
TV9(config-if)#exit
TV9(config)#ip route 213.152.31.8 255.255.255.252 205.129.131.13
TV9(config)#ip route 193.3.3.0 255.255.255.0 205.129.131.13
TV9(config)#ip route 12.0.2.4 255.255.255.252 205.129.131.13
TV9(config)#ip route 192.2.2.0 255.255.255.0 205.129.131.13
TV9(config)#ip route 129.27.201.0 255.255.255.252 205.129.131.13
TV9(config)#ip route 195.5.5.0 255.255.255.0 205.129.131.13
TV9(config)#exit

4- Router TVK


Router>enable
Router#configure terminal
Router(config)#Hostname TVK
TVK(config)#int f0/0
TVK(config-if)#ip add 193.3.3.1 255.255.255.0
TVK(config-if)#no shut
TVK(config-if)#exit
TVK(config)#int s0/0
TVK(config-if)#ip add 213.152.31.10 255.255.255.252
TVK(config-if)#clock rate 9600
TVK(config-if)#bandwidth 256
TVK(config-if)#no shut
TVK(config-if)#exit
TVK(config)#ip route 12.0.2.4 255.255.255.252 213.152.31.9
TVK(config)#ip route 192.2.2.0 255.255.255.0 213.152.31.9
TVK(config)#ip route 129.27.201.0 255.255.255.252 213.152.31.9
TVK(config)#ip route 195.5.5.0 255.255.255.0 213.152.31.9
TVK(config)#ip route 205.129.131.12 255.255.255.252 213.152.31.9
TVK(config)#ip route 196.6.6.0 255.255.255.0 213.152.31.9
TVK(config)#end
TVK#copy running-config startup-config


5. Router CTN


Router>enable
Router#configure terminal
Router(config)#Hostname CTN
CTN(config)#int f0/0
CTN(config-if)#ip add 129.27.201.1 255.255.255.252
CTN(config-if)#no shut
CTN(config-if)#exit
CTN(config)#int f0/1
CTN(config-if)#ip add 12.0.2.6 255.255.255.252
CTN(config-if)#no shut
CTN(config-if)#exit
CTN(config)#int s0/0
CTN(config-if)#ip add 213.152.31.9 255.255.255.252
CTN(config-if)#no shut
CTN(config-if)#exit
CTN(config)#int s0/1
CTN(config-if)#ip add 205.129.131.13 255.255.255.252
CTN(config-if)#no shut
CTN(config-if)#ex
CTN(config)#ip route 192.2.2.0 255.255.255.0 12.0.2.5
CTN(config)#ip route 195.5.5.0 255.255.255.0 129.27.201.2
CTN(config)#ip route 196.6.6.0 255.255.255.0 205.129.131.14
CTN(config)#ip route 193.3.3.0 255.255.255.0 213.152.31.10
CTN(config)#exit

Static route of Cisco router

=> This lesson covers router configuration for sites with different LANs (and VLAN subnets)
at different locations: each router is told how to reach the other site's network, so that
hosts on both sides can find each other and exchange data.

Please see the diagram image and practice with the commands below:

1. Command set IP and route to Router TV3
Router TV3

Router>enable
Router#configure terminal
Router(config)#interface fa0/0
Router(config-if)#ip add 201.1.1.5 255.255.255.252
Router(config-if)#no shut
Router(config-if)#exit
Router(config)#interface fa0/1
Router(config-if)#ip add 192.2.2.1 255.255.255.0
Router(config-if)#no shut
Router(config-if)#exit
Router(config)#ip route 177.7.7.0 255.255.255.0 201.1.1.6


2. Command set IP and route to Router TV5
Router TV5

Router>enable
Router#configure terminal
Router(config)#interface fa0/0
Router(config-if)#ip add 201.1.1.6 255.255.255.252
Router(config-if)#no shut
Router(config-if)#exit
Router(config)#interface fa0/1
Router(config-if)#ip add 177.7.7.1 255.255.255.0
Router(config-if)#no shut
Router(config-if)#exit
Router(config)#ip route 192.2.2.0 255.255.255.0 201.1.1.5


******** Lesson ************

Static Route: Route data to specific destination via specific gateway

Sample Config
Option 1:
(config)# ip route [dst-network] [dst-subnet-mask] [gateway/next-hop-ipaddress]

Option 2:
(config)# ip route [dst-network] [dst-subnet-mask] [exit-interface]

===============

Default Route: Route data to any destination via specific gateway
Sample Config
Option 1:
(config)# ip route 0.0.0.0 0.0.0.0 [gateway/next-hop-ipaddress]

Option 2:
(config)# ip route 0.0.0.0 0.0.0.0 [exit-interface]

============
Serial Connection
DCE (Data Communication Equipment) connector
DTE (Data Terminal Equipment) connector

clock rate command : provide serial connection operational
                   : configure on interface which plug DCE connector.

(config-if)# clock rate number(bps)

============
Show the routing table on Router:
# show ip route
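As an added example (not part of the original notes), the Python below shows how the static and default routes above are consulted: longest-prefix match, with the 0.0.0.0/0 default route used only when no more specific route matches, and the same address/mask consistency check that makes IOS reject an `ip route` whose mask does not fit its destination (for example 192.2.2.0 with 255.255.252.0, which has host bits set). The route lists are constructed from the ROUTER-BTB and CTN configurations on this page; the function names are my own.

```python
"""Longest-prefix-match lookup over static and default routes, plus the
address/mask consistency check that IOS applies to 'ip route'."""
from dataclasses import dataclass
from typing import List, Optional
import ipaddress


@dataclass(frozen=True)
class Route:
    network: ipaddress.IPv4Network
    next_hop: str          # next-hop address or exit interface, exactly as typed in 'ip route'


def parse_ip_route(cmd: str) -> Route:
    """Parse 'ip route <dst> <mask> <next-hop|exit-interface>'.
    A mask that does not fit the destination (192.2.2.0 with 255.255.252.0 has
    host bits set) is rejected, mirroring IOS's '%Inconsistent address and mask'."""
    tok = cmd.split()
    if tok[:2] != ["ip", "route"] or len(tok) < 5:
        raise ValueError(f"not an ip route command: {cmd!r}")
    dst, mask, gw = tok[2], tok[3], tok[4]
    try:
        net = ipaddress.IPv4Network((dst, mask), strict=True)
    except ValueError as exc:
        raise ValueError(f"inconsistent address and mask in {cmd!r}") from exc
    return Route(net, gw)


def invalid_routes(cmds: List[str]) -> List[str]:
    """Return the commands IOS would reject; handy for checking a whole lab file."""
    bad = []
    for c in cmds:
        try:
            parse_ip_route(c)
        except ValueError:
            bad.append(c)
    return bad


def build_table(cmds: List[str]) -> List[Route]:
    """Routing table ordered most-specific first, which is how the lookup must scan it."""
    return sorted((parse_ip_route(c) for c in cmds),
                  key=lambda r: r.network.prefixlen, reverse=True)


def lookup(table: List[Route], dst: str) -> Optional[str]:
    """Longest-prefix match: the first (most specific) route containing dst wins.
    The default route 0.0.0.0/0 only matches when nothing more specific does;
    None means no route at all, so the packet is dropped."""
    addr = ipaddress.IPv4Address(dst)
    for r in table:
        if addr in r.network:
            return r.next_hop
    return None


# Constructed from the ROUTER-BTB and CTN configs in the static/default route sections.
BTB_ROUTES = [
    "ip route 10.3.1.0 255.255.255.0 192.168.1.11",
    "ip route 0.0.0.0 0.0.0.0 192.168.1.9",
]
CTN_ROUTES = [
    "ip route 192.2.2.0 255.255.255.0 12.0.2.5",
    "ip route 195.5.5.0 255.255.255.0 129.27.201.2",
    "ip route 193.3.3.0 255.255.255.0 213.152.31.10",
]

if __name__ == "__main__":
    btb = build_table(BTB_ROUTES)
    print("BTB 10.3.1.50 ->", lookup(btb, "10.3.1.50"))   # the specific route wins
    print("BTB 10.1.1.5  ->", lookup(btb, "10.1.1.5"))    # falls through to the default
    ctn = build_table(CTN_ROUTES)
    print("CTN 8.8.8.8   ->", lookup(ctn, "8.8.8.8"))     # CTN has no default: dropped
    print(invalid_routes(["ip route 192.2.2.0 255.255.252.0 129.27.201.1"]))
```

A default route on a stub router (BTB, KCM, SRP) is convenient, but it also means any packet for an address nobody owns is forwarded toward HQ; on the hub (CTN, HQ) the absence of a default is what makes unknown destinations drop.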


Switchport Hardening of Cisco

=> Switchport hardening covers per-port configuration on a Cisco switch: disabling unused ports, portfast on host-facing ports, and port-security, as in the examples below:

1.Command set port fa0/1 immediately up of switch1

Switch1

Switch>enable
Switch#configure terminal
Switch(config)#int f0/1
Switch(config-if)#spanning-tree portfast
Switch(config-if)#end


2.Command disable port fa0/2 of switch1

Switch1

Switch>enable
Switch#configure terminal
Switch(config)#int f0/2
Switch(config-if)#shutdown



3. Command disable port fa0/1 to f0/5


Switch1

Switch>enable
Switch#configure terminal
Switch(config)#int range fa0/1-5
Switch(config-if)#shutdown


4. Command disable port fa0/1, fa0/2, fa0/5 to fa0/15, fa0/20

Switch1

Switch>enable
Switch#configure terminal
Switch(config)#interface range fa0/1 , fa0/2 , fa0/5 - 15 , fa0/20
Switch(config-if)#shutdown


5. Command: port-security on port fa0/2 so that only Laptop1 (MAC 00E0.B058.B1B8) can connect;

any other device plugged into this port puts it into err-disabled state
(default: maximum 1, violation shutdown)

Switch1

switch>enable
switch#configure terminal
switch(config)#interface fa0/2
switch(config-if)#switchport mode access
Switch(config-if)#switchport port-security
Switch(config-if)#switchport port-security maximum 1
Switch(config-if)#switchport port-security mac-address 00E0.B058.B1B8
Switch(config-if)#switchport port-security violation shutdown

6.Command reset port fa0/2 to enable state
  
Switch1

switch>enable
switch#configure terminal
switch(config)#interface fa0/2
switch(config-if)#shutdown
switch(config-if)#no shutdown
switch(config-if)#end

7. Command: port-security on port fa0/2 so that only Laptop1 (MAC 00E0.B058.B1B8) and

Laptop2 (MAC 000C.8573.8E44) can connect; frames from any other device are dropped
Note: violation mode is restrict (port stays up, violations are counted and logged)

Switch1

switch>enable
switch#configure terminal
switch(config)#interface fa0/2
switch(config-if)#switchport mode access
Switch(config-if)#switchport port-security
Switch(config-if)#switchport port-security maximum 2
Switch(config-if)#switchport port-security mac-address 00E0.B058.B1B8
Switch(config-if)#switchport port-security mac-address 000C.8573.8E44
Switch(config-if)#switchport port-security violation restrict
Switch(config-if)#end

8. Command remove port-security from fa0/2 of switch1

switch1

switch>enable
switch#configure terminal
switch(config)#int fa0/2
switch(config-if)#no switchport port-security
switch(config-if)#no switchport port-security mac-address 00E0.B058.B1B8
switch(config-if)#no switchport port-security mac-address 000C.8573.8E44
switch(config-if)#no switchport port-security maximum
switch(config-if)#no switchport port-security violation
switch(config-if)#no switchport mode access
switch(config-if)#end
! disable port-security before changing the port mode (port-security needs an access or
! trunk port); "no switchport port-security" alone leaves the mac-address, maximum and
! violation lines in the running config

9. Command show port security of switch1


switch1

switch>enable
switch#show port-security


10. Command show port security on fa0/2 of switch1

switch1

switch>enable
Switch#show port-security interface fastEthernet 0/2


******** Lesson Switchport Hardening of Cisco ***************

CISCO SWITCH

------to bring port fa0/2 up immediately (portfast skips the spanning-tree listening and
learning states; use it only on ports facing end hosts, never toward another switch, and
pair it with BPDU guard so a switch plugged into that port gets shut down)

interface fa0/2
 spanning-tree portfast

# show ip interface brief : check status of all interface on the cisco device

------to disable port number 2 of cisco switch
interface fa0/2
 shutdown

------to disable port number 1 to port number 5 of cisco switch

interface range fastEthernet 0/1 - 5
 shutdown


------to disable port number 1, port number 2 and from port number 5 to 15
and port number 20

interface range fa0/1 , fa0/2 , fa0/5 - 15 , fa0/20
 shutdown

=======================================

LAPTOP1: 0004.9AC6.EBA0
LAPTOP4: 00E0.B058.B1B8
LAPTOP5: 000C.8573.8E44

1) PORT SECURITY : dynamically learn the MAC address of the connected PC

interface fa0/2
switchport mode access
switchport port-security
switchport port-security maximum 1  : (default = 1)
switchport port-security mac-address sticky  : learned addresses are written into the running config
switchport port-security violation shutdown : (default = shutdown) when an unknown PC plugs in, the port goes err-disabled: link down, syslog message, violation counter incremented
switchport port-security violation restrict : when an unknown PC plugs in, the port stays up (green light) but its frames are dropped; every attempt is counted and logged
switchport port-security violation protect  : the unknown PC's frames are dropped silently, nothing is counted or logged


-------------Recovering a port that violation mode shutdown put into err-disabled state (option 1 above)
interface fa0/2
 shutdown
 no shutdown

========================================

2) PORT SECURITY : statically configured MAC addresses

interface fa0/2
switchport mode access
switchport port-security
switchport port-security mac-address 00E0.B058.B1B8
switchport port-security mac-address 000C.8573.8E44
switchport port-security violation restrict

------------Verify which ports have port security configured

show port-security
show port-security interface fa0/2 :check the last MAC of PC connect to this port.
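Reading `show port-security interface` by eye works for one port; for many switches the fields are worth parsing. The script below is an added example, not from the original notes: it parses the key/value output of that command and flags what a defender would want to know: port security not enabled, a violation mode other than the one expected, a higher maximum than expected, a port sitting in err-disabled, a non-zero violation counter, or a last-seen source MAC that is not on the permitted list. The two sample outputs are constructed to look like IOS output using the MACs from the notes; they are not real captures.

```python
"""Audit 'show port-security interface' output (added example, constructed samples)."""
import re

# Constructed sample: healthy port with 00E0.B058.B1B8 connected.
HEALTHY = """\
Port Security              : Enabled
Port Status                : Secure-up
Violation Mode             : Shutdown
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 1
Total MAC Addresses        : 1
Configured MAC Addresses   : 1
Sticky MAC Addresses       : 0
Last Source Address:Vlan   : 00E0.B058.B1B8:1
Security Violation Count   : 0
"""

# Constructed sample: the same port after an unknown device (000C.8573.8E44) tripped it.
VIOLATED = (HEALTHY.replace("Secure-up", "Secure-shutdown")
                   .replace("00E0.B058.B1B8:1", "000C.8573.8E44:1")
                   .replace("Violation Count   : 0", "Violation Count   : 1"))

# Key, whitespace, ':', value. Requiring whitespace before the separating colon
# keeps a colon inside the key intact (e.g. 'Last Source Address:Vlan').
_LINE = re.compile(r"^(.+?)\s+:\s*(.*?)\s*$")


def parse_port_security(text):
    """Turn the 'Key : Value' lines into a dict."""
    fields = {}
    for line in text.splitlines():
        m = _LINE.match(line)
        if m:
            fields[m.group(1).strip()] = m.group(2)
    return fields


def audit_port(text, expected_mode="shutdown", expected_max=1, allowed_macs=()):
    """Return a list of findings; an empty list means the port matches policy."""
    f = parse_port_security(text)
    allowed = {m.upper() for m in allowed_macs}
    findings = []
    if f.get("Port Security") != "Enabled":
        findings.append("port security is not enabled")
    if f.get("Violation Mode", "").lower() != expected_mode.lower():
        findings.append(f"violation mode is {f.get('Violation Mode')!r}, expected {expected_mode!r}")
    if int(f.get("Maximum MAC Addresses", "0")) > expected_max:
        findings.append("maximum MAC addresses is higher than expected")
    if f.get("Port Status", "").lower() == "secure-shutdown":
        findings.append("port is err-disabled (Secure-shutdown); investigate before shutdown / no shutdown")
    if int(f.get("Security Violation Count", "0")) > 0:
        findings.append(f"{f['Security Violation Count']} security violation(s) recorded")
    last_mac = f.get("Last Source Address:Vlan", "").split(":")[0].upper()
    if allowed and last_mac and last_mac != "0000.0000.0000" and last_mac not in allowed:
        findings.append(f"last source MAC {last_mac} is not in the permitted list")
    return findings


if __name__ == "__main__":
    for label, sample in (("healthy", HEALTHY), ("violated", VIOLATED)):
        print(label, audit_port(sample, allowed_macs=["00E0.B058.B1B8"]) or "OK")
```

Feed it the saved output of `show port-security interface fa0/2` from each switch, with the MAC list the port is supposed to carry, and the findings become the triage list: an err-disabled port with an unexpected last source MAC is the case worth looking at before simply bouncing the interface.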



============================ web posting==========================================


1. Command: set port fa0/1 to come up immediately on switch1

Switch1

Switch>enable
Switch#configure terminal
Switch(config)#int f0/1
Switch(config-if)#spanning-tree portfast
Switch(config-if)#end


2. Command: disable port fa0/2 of switch1

Switch1

Switch>enable
Switch#configure terminal
Switch(config)#int f0/2
Switch(config-if)#shutdown



3. Command: disable ports fa0/1 to fa0/5


Switch1

Switch>enable
Switch#configure terminal
Switch(config)#int range fa0/1-5
Switch(config-if)#shutdown


4. Command: disable ports fa0/1, fa0/2, fa0/5 to fa0/15 and fa0/20

Switch1

Switch>enable
Switch#configure terminal
Switch(config)#interface range fa0/1 , fa0/2 , fa0/5 - 15 , fa0/20
Switch(config-if)#shutdown


5. Command: set port security on port fa0/2 so that only Laptop1 (MAC: 00E0.B058.B1B8) can connect;
any other device connecting to this port will disable the port
(Default: maximum 1, violation shutdown)

Switch1

switch>enable
switch#configure terminal
switch(config)#interface fa0/2
switch(config-if)#switchport mode access
Switch(config-if)#switchport port-security
Switch(config-if)#switchport port-security maximum 1
Switch(config-if)#switchport port-security mac-address 00E0.B058.B1B8
Switch(config-if)#switchport port-security violation shutdown

6. Command: reset port fa0/2 to the enabled state (recover from err-disabled)
   
Switch1

switch>enable
switch#configure terminal
switch(config)#interface fa0/2
switch(config-if)#shutdown
switch(config-if)#no shutdown
switch(config-if)#end

7. Command: set port security on port fa0/2 so that only Laptop1 (MAC: 00E0.B058.B1B8) and
Laptop2 (MAC: 000C.8573.8E44) can connect; any other device connecting to this port is blocked
Note: the violation mode is restrict

Switch1

switch>enable
switch#configure terminal
switch(config)#interface fa0/2
switch(config-if)#switchport mode access
Switch(config-if)#switchport port-security
Switch(config-if)#switchport port-security maximum 2
Switch(config-if)#switchport port-security mac-address 00E0.B058.B1B8
Switch(config-if)#switchport port-security mac-address 000C.8573.8E44
Switch(config-if)#switchport port-security violation restrict
Switch(config-if)#end

8. Command remove port-security from fa0/2 of switch1

switch1

switch>enable
switch#configure terminal
switch(config)#int fa0/2
switch(config-if)#no switchport mode access
switch(config-if)#no switchport port-security
switch(config-if)#end

9. Command show port security of switch1


switch1

switch>enable
switch#show port-security


10. Command show port security on fa0/2 of switch1

switch1

switch>enable
Switch#show port-security interface fastEthernet 0/2

**************** Exercise Switchport Hardening **************

  CISCO SWITCH  lab:

1) to set port fa0/3 immediately up ?????  

    interface fa0/3
    spanning-tree portfast


2) to disable port number 3 ?????

    interface fa0/3
    shutdown

3) to enable port number 3 ?????

    interface fa0/3
    no shutdown

4) to disable port number 1 to port number 3 ?????

    interface range fa0/1 - 3
    shutdown

5) to disable port number 1 to port number 3 and port number 5 ????
   
    interface range fa0/1 - 3 , fa0/5
    shutdown

=======================================


PORT SECURITY : Static Learn MAC Address from PC

7) Allow only the web server to connect to port number 3; if a violation occurs, this port should go to the error-disabled state. ????
(the web server has MAC: 0060.471D.CA4E)

    interface fa0/3
    switchport mode access
    switchport port-security
    switchport port-security maximum 1
    switchport port-security mac-address 0060.471D.CA4E 
    switchport port-security violation shutdown

    ( verify with: show port-security ; show port-security interface fa0/2 )
    ( Note: when testing this, do not connect the PC that has this MAC address: 0060.471D.CA4E )

    + disable port-security

    interface fa0/3
    no switchport port-security
       

8) How to reset this port to enable state: ?????
   
    interface fa0/3
    shutdown
    no shutdown


9) Allow only one computer to connect to port number 3; if a violation occurs,
this port should use the restrict mode (traffic from the offending device is dropped and counted). ????

    interface fa0/3
    switchport port-security violation restrict


