
123

The document outlines a series of lab exercises focused on understanding the OSI model, TCP/IP protocols, and network communications using Packet Tracer. It details steps for analyzing various layers of network data, including HTTP, DNS, and ARP processes, along with practical tasks such as pinging devices and examining MAC address tables. The document serves as a guide for students to gain hands-on experience with network simulations and protocol analysis.

Uploaded by

se21d304

Lab21

Lab11
10.2
Lab2
Lab3

 b. Ensure that the OSI Model tab is selected. Under the Out Layers column, ensure that
the Layer 7 box is highlighted.
What is the text displayed next to the Layer 7 label? HTTP
What information is listed in the numbered steps directly below the In Layers and Out
Layers boxes?
1. The HTTP client sends a HTTP request to the server.

 c. Click Next Layer. Layer 4 should be highlighted. What is the Dst Port value? 80

 d. Click Next Layer. Layer 3 should be highlighted. What is the Dest. IP value?
192.168.1.254
 e. Click Next Layer. What information is displayed at this layer? Layer 2 Ethernet II
Header and inbound and outbound MAC addresses

 f. Click the Outbound PDU Details tab. Information listed under the PDU Details is
reflective of the layers within the TCP/IP model.
Note: The information listed under the Ethernet II section provides even more detailed
information than is listed under Layer 2 on the OSI Model tab. The Outbound PDU
Details provides more descriptive and detailed information. The values under DEST
MAC and SRC MAC within the Ethernet II section of the PDU Details appear on the OSI
Model tab under Layer 2, but are not identified as such.
What is the common information listed under the IP section of PDU Details as compared
to the information listed under the OSI Model tab? With which layer is it associated?
SRC IP and DST IP at Layer 3
What is the common information listed under the TCP section of PDU Details, as
compared to the information listed under the OSI Model tab, and with which layer is it
associated?
SRC PORT and DEST PORT at Layer 4
What is the Host listed under the HTTP section of the PDU Details? What layer would
this information be associated with under the OSI Model tab?
www.osi.local, Layer 7

 g. Click the next colored square box under the Event List > Info column. Only Layer 1 is
active (not grayed out). The device is moving the frame from the buffer and placing it on
to the network.

 h. Advance to the next HTTP Info box within the Event List and click the colored square
box. This window contains both In Layers and Out Layers. Notice the direction of the
arrow directly under the In Layers column; it is pointing upward, indicating the direction
the information is travelling. Scroll through these layers making note of the items
previously viewed. At the top of the column the arrow points to the right. This denotes
that the server is now sending the information back to the client.
Comparing the information displayed in the In Layers column with that of the Out
Layers column, what are the major differences?
The Src and Dst Ports, Src and Dst IPs and MAC addresses have been swapped.

 i. Click the Outbound PDU Details tab. Scroll down to the HTTP section. What is the first
line in the HTTP message that displays?
HTTP/1.1 200 OK – this means that the request was successful and the page delivered
from the server.
 j. Click the last colored square box under the Info column. How many tabs are displayed
with this event and why?
Just 2, one for the OSI Model and one for Inbound PDU Details because this is the
receiving device

Part 2: Display Elements of the TCP/IP Protocol Suite

In Part 2 of this activity, you will use the Packet Tracer Simulation mode to view and examine
some of the other protocols that make up the TCP/IP suite.

Step 1: View Additional Events

a. Close any open PDU information windows.

b. In the Event List Filters > Visible Events section, click Show All.

What additional Event Types are displayed?


Depending on whether any communication has occurred prior to starting the original
simulation, there should now be entries for ARP, DNS, TCP and HTTP. It is possible that the ARP
entries may not show, depending on what a student may have done prior to going to simulation
mode. If the activity is started from scratch, all of those will be listed.

These extra entries play various roles within the TCP/IP suite. If the Address Resolution Protocol
(ARP) is listed, it searches for MAC addresses. DNS is responsible for converting a name (for
example, www.osi.local) to an IP address. The additional TCP events are responsible for
connecting, agreeing on communication parameters, and disconnecting the communications
sessions between the devices. These protocols have been mentioned previously and will be
further discussed as the course progresses. Currently there are over 35 possible protocols
(event types) available for capture within Packet Tracer.

c. Click the first DNS event in the Info column. Explore the OSI Model and PDU Detail tabs and
note the encapsulation process. As you look at the OSI Model tab with Layer 7 highlighted, a
description of what is occurring is listed directly below the In Layers and Out Layers (“1. The
DNS client sends a DNS query to the DNS server.”). This is very useful information to help
understand what is occurring during the communication process.

d. Click the Outbound PDU Details tab. What information is listed in the NAME : in the DNS
QUERY section?
www.osi.local

e. Click the last DNS Info colored square box in the event list. Which device is displayed?
The Web Client
What is the value listed next to ADDRESS: in the DNS ANSWER section of the Inbound PDU
Details?
192.168.1.254 – the address of the Web Server

f. Find the first HTTP event in the list and click the colored square box of the TCP event
immediately following this event. Highlight Layer 4 in the OSI Model tab. In the numbered list
directly below the In Layers and Out Layers, what is the information displayed under items 4
and 5?
4. The TCP connection is successful. 5. The device sets the connection state to ESTABLISHED.

TCP manages the connecting and disconnecting of the communications channel along with
other responsibilities. This particular event shows that the communication channel has been
ESTABLISHED.
g. Click the last TCP event. Highlight Layer 4 in the OSI Model tab. Examine the steps listed
directly below In Layers and Out Layers. What is the purpose of this event, based on the
information provided in the last item in the list (should be item 4)?
CLOSING the connection.

Lab4

Step 2: Examine the Primary Network.

a. Click the Primary Network icon. Hold the mouse pointer over the various cables. What is
located on the table to the right of the blue rack?
Configuration Terminal

b. Click Back to return to Home City.

Step 3: Examine the Secondary Network.


a. Click the Secondary Network icon. Hold the mouse pointer over the various cables. Why are
there two orange cables connected to each device?
Fiber cables come in pairs, one for transmit, the other for receive

b. Click Back to return to Home City.

Step 4: Examine the Home Network.

a. Why is there an oval mesh covering the home network?


It represents the range of the wireless network

b. Click the Home Network icon. Why is there no rack to hold the equipment?
Home networks typically do not have racks.

c. Click the Logical Workspace tab to return to the logical topology.

Lab5.2

c. What is the IPv4 address of the 3rd hop in the Packet Tracer traceroute output?
10.110.178.133

d. Which router and interface in the monterey.ca building is configured with this IPv4 address?
rur02.monterey.ca.sfba.comcast.net; GigabitEthernet0/0

e. What is the IPv4 address of the 4th hop in the Packet Tracer traceroute output?
10.139.198.129

f. Which router and interface in the monterey.ca building is configured with this IPv4 address?
rur01.monterey.ca.sfba.comcast.net; GigabitEthernet0/0

g. Why do you think the IP addresses for the other interfaces are not shown in the traceroute
output?
Those interfaces are the source for the packets that are sent to the next hop destination.
Source IP addresses are not shown in traceroute output.

h. List the hops in your own traceroute output that belong to your local ISP.
Answers will vary.

Lab8.2

Part 2: Examine a Switch MAC Address Table

Step 1: Generate additional traffic to populate the switch MAC address table.

a. From 172.16.31.2, enter the ping 172.16.31.4 command.

b. Click 10.10.10.2 and open the Command Prompt.


c. Enter the ping 10.10.10.3 command. How many replies were sent and received? 4 sent, 4
received.

Step 2: Examine the MAC address table on the switches.

a. Click Switch1 and then the CLI tab. Enter the show mac-address-table command. Do the
entries correspond to those in the table above? Yes

b. Click Switch0, then the CLI tab. Enter the show mac-address-table command. Do the entries
correspond to those in the table above? Yes

Why are two MAC addresses associated with one port? Because both devices connect to one
port through the Access Point.

Part 3: Examine the ARP Process in Remote Communications

Step 1: Generate traffic to produce ARP traffic.

a. Click 172.16.31.2 and open the Command Prompt.

b. Enter the ping 10.10.10.1 command.

c. Type arp -a. What is the IP address of the new ARP table entry? 172.16.31.1

d. Enter arp -d to clear the ARP table and switch to Simulation mode.

e. Repeat the ping to 10.10.10.1. How many PDUs appear? 2

f. Click Capture/Forward. Click the PDU that is now at Switch1. What is the destination IP
address of the ARP request? 172.16.31.1

g. The destination IP address is not 10.10.10.1. Why? The gateway address of the router
interface is stored in the IPv4 configuration of the hosts. If the receiving host is not on the same
network, the source uses the ARP process to determine a MAC address for the router interface
serving as the gateway.

Step 2: Examine the ARP table on Router1.

a. Switch to Realtime mode. Click Router1 and then the CLI tab.

b. Enter privileged EXEC mode and then the show mac-address-table command. How many
MAC addresses are in the table? Why? Zero. This command means something completely
different than the switch command show mac address-table.

c. Enter the show arp command. Is there an entry for 172.16.31.2? Yes

What happens to the first ping in a situation where the router responds to the ARP request? It
times out.
Lab6.2

What is significant about the contents of the destination address field?

All hosts on the LAN will receive this broadcast frame. The host with the IP address of
192.168.1.1 (default gateway) will send a unicast reply to the source (PC host). This reply
contains the MAC address of the NIC of the default gateway.

Why does the PC send out a broadcast ARP prior to sending the first ping request?

The PC cannot send a ping request to a host until it determines the destination MAC address, so
that it can build the frame header for that ping request. The ARP broadcast is used to request
the MAC address of the host with the IP address contained in the ARP.

What is the MAC address of the source in the first frame?

It varies; in this case, it is f0:1f:af:50:fd:c8.

What is the Vendor ID (OUI) of the Source NIC in the ARP reply?

It varies; in this case, it is Netgear.

What portion of the MAC address is the OUI?

The first 3 octets of the MAC address indicate the OUI.

What is the NIC serial number of the source?

It may vary; it is 99:c5:72 in this case.

Source:

This should be the MAC address of the PC.

Destination:

This should be the MAC address of the Default Gateway.

What are the source and destination IP addresses contained in the data field of the frame?

Source:

This is still the IP address of the PC.

Destination:

This is the address of the server at www.cisco.com.


Compare these addresses to the addresses you received in Step 6. The only address that
changed is the destination IP address. Why has the destination IP address changed, while the
destination MAC address remained the same?

Layer 2 frames never leave the LAN. When a ping is issued to a remote host, the source will use
the default gateway MAC address for the frame destination. The default gateway receives the
packet, strips the Layer 2 frame information from the packet and then creates a new frame
header with the MAC address of the next hop. This process continues from router to router until
the packet reaches its destination IP address.

Lab6.1
Lab7.2
Lab8.1

c. Click the Simulation button in the lower right corner of the Packet Tracer Topology window.

d. Click the Show All/None button in the lower left part of the Simulation Panel. Make
certain Event List Filters – Visible Events displays None.

e. From the command prompt on PCA1, issue the command ping -n 1 2001:db8:acad:1::b. This
will start the process of pinging PCA2.

f. Click the Play Capture Forward button, which is displayed as an arrow pointing to the right
with a vertical bar within the Play Controls box. The status bar above the Play Controls should
read Captured to 150. (The exact number may vary.)

g. Click the Edit Filters button. Select the IPv6 tab at the top and check the boxes
for ICMPv6 and NDP. Click the red X in the upper right of the Edit ACL Filters window. The
captured events should now be listed. You should have approximately 12 entries in the window.
Question:
Why are ND PDUs present?
In order to send ICMPv6 ping packets to PCA2, PCA1 needs to know the MAC address of the
destination. IPv6 ND requests this information on the network.

h. Click the square in the Type column for the first event, which should be ICMPv6.

Question:
Because the message starts with this event there is only an Outbound PDU. Under the OSI
Model tab, what is the Message Type listed for ICMPv6?
ICMPv6 Echo Message Type: 128

Notice there is no Layer 2 addressing. Click the Next Layer >> button to get an explanation
about the ND (Neighbor Discovery) process.

i. Click the square next to the next event in the Simulation Panel. It should be at device PCA1
and the type should be NDP.

Questions:
What changed in the Layer 3 addressing?
The destination address is now an IPv6 multicast address of FF02::1:FF00:B

What Layer 2 addresses are shown?


The source address is PCA1 MAC – 0001.427E.E8ED and the destination MAC address is
3333.FF00.000B

When a host does not know the MAC address of the destination, a special multicast MAC
address is used by IPv6 Neighbor Discovery as the Layer 2 destination address.

j. Select the first NDP event at SwitchA.

Question:
Is there any difference between the In Layers and Out Layers for Layer 2?
No. The switch does not alter Layer 2 information, it only forwards the frame.

k. Select the first NDP event at PCA2. Click the Outbound PDU Details.
Question:
What addresses are displayed for the following?

Note: The addresses in the fields may be wrapped, adjust the size of the PDU window to make
address information easier to read.

Ethernet II DEST ADDR: 0001.427E.E8ED

Ethernet II SRC ADDR: 0040.0B02.243E


IPv6 SRC IP: 2001:db8:acad:1::b

IPv6 DST IP: 2001:db8:acad:1::a

l. Select the first NDP event at RTA.

Question:
Why are there no Out Layers?
The IPv6 address does not match the router’s address so it drops the packet.

m. Click through the Next Layer >> button until the end and read steps 4 through 7 for further
explanation.

n. Click the next ICMPv6 event at PCA1.

Question:
Does PCA1 now have all of the necessary information to communicate with PCA2?
Yes, it now knows both the destination IPv6 address as well as the destination MAC address of
PCA2.

o. Click the last ICMPv6 event at PCA1. Notice this is the last communication listed.

Question:
What is the ICMPv6 Echo Message Type?
The ICMPv6 Echo Message Type is 129, an echo reply.

p. Click the Reset Simulation button in the Simulation Panel. From the command prompt of
PCA1 repeat the ping to PCA2. (Hint: you should be able to press the up arrow to bring the
previous command back.)

q. Click the Capture Forward button 5 times to complete the ping process.

Question:
Why weren’t there any NDP events?
PCA1 already knows the MAC address of PCA2 so it doesn’t need to use Neighbor Discovery.

1. When does a device require the IPv6 Neighbor Discovery process?


When the destination MAC address is not known. This process is similar to ARP with IPv4.

2. How does a router help to minimize the amount of IPv6 Neighbor Discovery traffic on a
network?
The router keeps neighbor tables so that it doesn’t need to initiate ND for every destination
host.

How does IPv6 minimize the impact of the ND process on network hosts?
It uses a multicast address so that only a handful of addresses would be listening to the
Neighbor Discovery messages. IPv6 creates a specially crafted multicast destination MAC
address which includes a portion of the node address.

3. How does the Neighbor Discovery process differ when a destination host is on the same LAN
and when it is on a remote LAN?
When a destination host is on the same LAN segment only the device that matches the IPv6
address responds and other devices drop the packet. When the device is remote the gateway
device (usually a router) provides the MAC address of the interface on the local interface for the
destination MAC and then searches for the MAC address on the remote network. The router will
then place the responding IPv6/MAC address pair in the IPv6 Neighbor table. (similar to an ARP
table in IPv4)
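
The solicited-node multicast address and "specially crafted" multicast MAC described in steps i and in the reflection answers above can be derived from the target address. This is an added Python example, not part of the lab; apart from PCA1 (`::a`) and PCA2 (`::b`), the host addresses are constructed sample values, and each host is assumed to have a single address.

```python
import ipaddress

# Solicited-node multicast prefix ff02::1:ff00:0/104
SOLICITED_NODE_PREFIX = int(ipaddress.IPv6Address("ff02::1:ff00:0"))


def solicited_node_multicast(unicast):
    """Return the solicited-node multicast group for a unicast IPv6 address.

    The low 24 bits of the unicast address are copied into the low 24 bits
    of ff02::1:ff00:0/104.
    """
    low24 = int(ipaddress.IPv6Address(unicast)) & 0xFFFFFF
    return ipaddress.IPv6Address(SOLICITED_NODE_PREFIX | low24)


def multicast_mac(group):
    """Map an IPv6 multicast group to its Ethernet destination MAC.

    The MAC is 33:33 followed by the low 32 bits of the group address,
    returned in the dotted format that Packet Tracer displays.
    """
    low32 = int(ipaddress.IPv6Address(group)) & 0xFFFFFFFF
    digits = (b"\x33\x33" + low32.to_bytes(4, "big")).hex().upper()
    return ".".join(digits[i:i + 4] for i in range(0, 12, 4))


def listeners(target, hosts):
    """Return the hosts that process a Neighbor Solicitation for target.

    Only hosts whose own solicited-node group equals the target's group
    listen on that multicast MAC; every other NIC discards the frame.
    """
    group = solicited_node_multicast(target)
    return [h for h in hosts if solicited_node_multicast(h) == group]


# Constructed LAN. The first two addresses are PCA1 and PCA2 from the lab;
# the last two are sample values, one of which shares PCA2's low 24 bits.
LAN_HOSTS = [
    "2001:db8:acad:1::a",
    "2001:db8:acad:1::b",
    "2001:db8:acad:1::1",
    "2001:db8:acad:1:aaaa:bbbb:cc00:b",
]

if __name__ == "__main__":
    target = "2001:db8:acad:1::b"
    group = solicited_node_multicast(target)
    print("Layer 3 destination:", group)
    print("Layer 2 destination:", multicast_mac(group))
    print("Hosts that process the solicitation:", listeners(target, LAN_HOSTS))
```

Two hosts listen here because their addresses end in the same 24 bits; the one that does not own the target address drops the message after inspecting it.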

Lab8.3

Answer the following questions regarding the captured data:


1. Were there different types of wires used to connect devices? Yes, copper and fiber
2. Did the wires change the handling of the PDU in any way? No
3. Did the Hub lose any of the information given to it? No
4. What does the Hub do with MAC addresses and IP addresses? Nothing
5. Did the wireless Access Point do anything with the information given to it? Yes. It repackaged
it as wireless 802.11
6. Was any MAC or IP address lost during the wireless transfer? No
7. What was the highest OSI layer that the Hub and Access Point used? Layer 1
8. Did the Hub or Access Point ever replicate a PDU that was rejected with a red “X”? Yes
9. When examining the PDU Details tab, which MAC address appeared first, the source or the
destination? Destination
10. Why would the MAC addresses appear in this order? A switch can begin forwarding a frame
to a known MAC address more quickly if the destination is listed first
11. Was there a pattern to the MAC addressing in the simulation? No
12. Did the switches ever replicate a PDU that was rejected with a red “X”? No
13. Every time that the PDU was sent between the 10 network and the 172 network, there was
a point where the MAC addresses suddenly changed. Where did that occur? It occurred at the
Router
14. Which device uses MAC addresses starting with 00D0? The Router
15. To what devices did the other MAC addresses belong? To the sender and receiver
16. Did the sending and receiving IPv4 addresses switch in any of the PDUs? No
17. If you follow the reply to a ping, sometimes called a pong, do the sending and receiving IPv4
addresses switch? Yes
18. What is the pattern to the IPv4 addressing in this simulation? Each port of a router requires
a set of non-overlapping addresses
19. Why do different IP networks need to be assigned to different ports of a router? The
function of a router is to inter-connect different IP networks.
20. If this simulation was configured with IPv6 instead of IPv4, what would be different? The
IPv4 addresses would be replaced with IPv6 addresses, but everything else would be the same.

Lab9.3
Lab14

C:\> ping www.icann.org

Pinging www.vip.icann.org [2620:0:2d0:200::7] with 32 bytes of data:

Reply from 2620:0:2d0:200::7: time=43ms

Reply from 2620:0:2d0:200::7: time=41ms

Reply from 2620:0:2d0:200::7: time=44ms

Reply from 2620:0:2d0:200::7: time=39ms

Ping statistics for 2620:0:2d0:200::7:

Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

Minimum = 39ms, Maximum = 44ms, Average = 41ms

C:\> ping -4 www.icann.org

Pinging www.vip.icann.org [192.0.32.7] with 32 bytes of data:

Reply from 192.0.32.7: bytes=32 time=41ms TTL=241

Reply from 192.0.32.7: bytes=32 time=42ms TTL=241

Reply from 192.0.32.7: bytes=32 time=42ms TTL=241

Reply from 192.0.32.7: bytes=32 time=43ms TTL=241

Ping statistics for 192.0.32.7:

Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

Minimum = 41ms, Maximum = 43ms, Average = 42ms

Record the IP addresses for www.icann.org.


192.0.32.7 and 2620:0:2d0:200::7

C:\> ping www.cisco.com

Pinging origin-www.cisco.com [2600:1408:7:1:9300::90] with 32 bytes of data:

Reply from 2600:1408:7:1:9300::90: time=70ms

Reply from 2600:1408:7:1:9300::90: time=74ms

Reply from 2600:1408:7:1:9300::90: time=72ms

Reply from 2600:1408:7:1:9300::90: time=71ms

Ping statistics for 2600:1408:7:1:9300::90:

Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

Minimum = 70ms, Maximum = 74ms, Average = 71ms

C:\> ping -4 www.cisco.com

Pinging e2867.dsca.akamaiedge.net [172.230.155.162] with 32 bytes of data:

Reply from 172.230.155.162: bytes=32 time=7ms TTL=54

Reply from 172.230.155.162: bytes=32 time=6ms TTL=54

Reply from 172.230.155.162: bytes=32 time=7ms TTL=54

Reply from 172.230.155.162: bytes=32 time=6ms TTL=54

Ping statistics for 172.230.155.162:

Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

Minimum = 6ms, Maximum = 7ms, Average = 6ms

When you ping www.cisco.com, do you get the same IP address as the example? Explain.
Answer will vary depending upon where you are geographically. Cisco hosts its web content on
a series of mirror servers. This means that Cisco uploads the exact same content to
geographically diverse (spread out all over the world) servers. When someone tries to reach
www.cisco.com, the traffic is directed to the closest mirror server.

Type the IP address that you obtained when you pinged www.cisco.com into a browser. Does
the web site display? Explain.

The Cisco web site does not display. There are at least two possible explanations for this: 1.
Some web servers are configured to accept IP addresses sent from a browser and some are not.
2. It may be a firewall rule in the Cisco security system that prohibits an IP address from being
sent via a browser. Depending on the Web Browser you can also get a message saying the
connection is not secure or there is a certificate error.

C:\> nslookup

Default Server: one.one.one.one

Address: 1.1.1.1

>

What is the translated IPv4 address?


From a specific location, 172.230.155.162.

Note: The IP address from your location will most likely be different because Cisco uses
mirrored servers in various locations around the world.

Is it the same as the IP address shown with the ping command?


Yes

Under addresses, in addition to the 172.230.155.162 IP address, there are the following
numbers: 2600:1404:a:395::b33 and 2600:1404:a:38e::b33. What are these?
IPv6 (IP version 6) IP addresses at which the web site is reachable.
Lab17.2

1. What could prevent ping or traceroute responses from reaching the originating device besides
network connectivity issues?
Firewall on the PCs, access lists command, routing issues, interface is down, network delay

2. If you ping a non-existent address on the remote network, such as 209.165.200.227, what is
the message displayed by the ping command? What does this mean? If you ping a valid host
address and receive this response, what should you check?
Request timed out or periods (.). This means that there was no response in the default time
period. Some of the items you may check: router is down, destination host is down, return
route to your device and latency of the response is not more than the default time period

3. If you ping an address that does not exist in any network in your topology, such as
192.168.5.3, from a Windows-based PC, what is the message displayed by the ping command?
What does this message indicate?
Destination host unreachable. This message indicates that there is no route to the destination
as the network is not listed by the routing table.
4. What is the IPv4 TTL value set on the Windows host? What is the IPv4 TTL value set on a
Cisco device?
Windows sets the TTL value to 128 and the Cisco device will set the TTL value to 255.

5. What is the IPv6 Hop Limit value set on the Windows host? What is the IPv6 Hop Limit value
set on a Cisco device?
Windows sets the TTL value to 128, which is the same as IPv4 TTL value and the Cisco device will
set the TTL value to 64.

Lab35

Step 1: Configure an ACL to permit FTP and ICMP from PC1 LAN.

a. From global configuration mode on R1, enter the following command to determine the first
valid number for an extended access list.

R1(config)# access-list ?

<1-99> IP standard access list

<100-199> IP extended access list

b. Add 100 to the command, followed by a question mark.

R1(config)# access-list 100 ?

deny Specify packets to reject

permit Specify packets to forward

remark Access list entry comment

c. To permit FTP traffic, enter permit, followed by a question mark.

R1(config)# access-list 100 permit ?

ahp Authentication Header Protocol

eigrp Cisco's EIGRP routing protocol

esp Encapsulation Security Payload

gre Cisco's GRE tunneling

icmp Internet Control Message Protocol

ip Any Internet Protocol

ospf OSPF routing protocol


tcp Transmission Control Protocol

udp User Datagram Protocol

d. When configured and applied, this ACL should permit FTP and ICMP. ICMP is listed above, but
FTP is not. This is because FTP is an application layer protocol that uses TCP at the transport
layer. Enter TCP to further refine the ACL help.

R1(config)# access-list 100 permit tcp ?

A.B.C.D Source address

any Any source host

host A single source host

e. The source address can represent a single device, such as PC1, by using the host keyword and
then the IP address of PC1. Using the keyword any permits any host on any network. Filtering
can also be done by a network address. In this case, it is any host that has an address belonging
to the 172.22.34.64/27 network. Enter this network address, followed by a question mark.

R1(config)# access-list 100 permit tcp 172.22.34.64 ?

A.B.C.D Source wildcard bits

f. Calculate the wildcard mask by determining the binary opposite of the /27 subnet mask.

11111111.11111111.11111111.11100000 = 255.255.255.224

00000000.00000000.00000000.00011111 = 0.0.0.31

g. Enter the wildcard mask, followed by a question mark.

R1(config)# access-list 100 permit tcp 172.22.34.64 0.0.0.31 ?

A.B.C.D Destination address

any Any destination host

eq Match only packets on a given port number

gt Match only packets with a greater port number

host A single destination host

lt Match only packets with a lower port number

neq Match only packets not on a given port number

range Match only packets in the range of port numbers


h. Configure the destination address. In this scenario, we are filtering traffic for a single
destination, which is the server. Enter the host keyword followed by the server’s IP address.

R1(config)# access-list 100 permit tcp 172.22.34.64 0.0.0.31 host 172.22.34.62 ?

dscp Match packets with given dscp value

eq Match only packets on a given port number

established established

gt Match only packets with a greater port number

lt Match only packets with a lower port number

neq Match only packets not on a given port number

precedence Match packets with given precedence value

range Match only packets in the range of port numbers

<cr>

i. Notice that one of the options is <cr> (carriage return). In other words, you can
press Enter and the statement would permit all TCP traffic. However, we are only permitting FTP
traffic; therefore, enter the eq keyword, followed by a question mark to display the available
options. Then, enter ftp and press Enter.

R1(config)# access-list 100 permit tcp 172.22.34.64 0.0.0.31 host 172.22.34.62 eq ?

<0-65535> Port number

ftp File Transfer Protocol (21)

pop3 Post Office Protocol v3 (110)

smtp Simple Mail Transport Protocol (25)

telnet Telnet (23)

www World Wide Web (HTTP, 80)

R1(config)# access-list 100 permit tcp 172.22.34.64 0.0.0.31 host 172.22.34.62 eq ftp

j. Create a second access list statement to permit ICMP (ping, etc.) traffic from PC1 to Server.
Note that the access list number remains the same and a specific type of ICMP traffic does not
need to be specified.

R1(config)# access-list 100 permit icmp 172.22.34.64 0.0.0.31 host 172.22.34.62


k. All other traffic is denied, by default.

l. Execute the show access-list command and verify that access list 100 contains the correct
statements. Notice that the statement deny any any does not appear at the end of the access
list. The default execution of an access list is that if a packet does not match a statement in the
access list, it is not permitted through the interface.

R1#show access-lists

Extended IP access list 100

10 permit tcp 172.22.34.64 0.0.0.31 host 172.22.34.62 eq ftp

20 permit icmp 172.22.34.64 0.0.0.31 host 172.22.34.62

Step 2: Apply the ACL on the correct interface to filter traffic.

From R1’s perspective, the traffic that ACL 100 applies to is inbound from the network
connected to the Gigabit Ethernet 0/0 interface. Enter interface configuration mode and apply
the ACL.

Note: On an actual operational network, it is not a good practice to apply an untested access list
to an active interface.

R1(config)# interface gigabitEthernet 0/0

R1(config-if)# ip access-group 100 in

Step 3: Verify the ACL implementation.

a. Ping from PC1 to Server. If the pings are unsuccessful, verify the IP addresses before
continuing.

b. FTP from PC1 to Server. The username and password are both cisco.

PC> ftp 172.22.34.62

c. Exit the FTP service.

ftp> quit

d. Ping from PC1 to PC2. The destination host should be unreachable, because the ACL did not
explicitly permit the traffic.

Part 2: Configure, Apply and Verify an Extended Named ACL

Step 1: Configure an ACL to permit HTTP access and ICMP from PC2 LAN.
a. Named ACLs start with the ip keyword. From global configuration mode of R1, enter the
following command, followed by a question mark.

R1(config)# ip access-list ?

extended Extended Access List

standard Standard Access List

b. You can configure named standard and extended ACLs. This access list filters both source and
destination IP addresses; therefore, it must be extended. Enter HTTP_ONLY as the name. (For
Packet Tracer scoring, the name is case-sensitive and the access list statements must be in the
correct order.)

R1(config)# ip access-list extended HTTP_ONLY

c. The prompt changes. You are now in extended named ACL configuration mode. All devices on
the PC2 LAN need TCP access. Enter the network address, followed by a question mark.

R1(config-ext-nacl)# permit tcp 172.22.34.96 ?

A.B.C.D Source wildcard bits

d. An alternative way to calculate a wildcard is to subtract the subnet mask from
255.255.255.255.

  255.255.255.255
- 255.255.255.240
-----------------
=   0.  0.  0. 15

R1(config-ext-nacl)# permit tcp 172.22.34.96 0.0.0.15

e. Finish the statement by specifying the server address as you did in Part 1 and
filtering www traffic.

R1(config-ext-nacl)# permit tcp 172.22.34.96 0.0.0.15 host 172.22.34.62 eq www

f. Create a second access list statement to permit ICMP (ping, etc.) traffic
from PC2 to Server. Note: The prompt remains the same and a specific type of ICMP traffic does
not need to be specified.

R1(config-ext-nacl)# permit icmp 172.22.34.96 0.0.0.15 host 172.22.34.62

g. All other traffic is denied, by default. Exit extended named ACL configuration mode.

h. Execute the show access-lists command and verify that access list HTTP_ONLY contains the
correct statements.

R1# show access-lists

Extended IP access list 100

10 permit tcp 172.22.34.64 0.0.0.31 host 172.22.34.62 eq ftp

20 permit icmp 172.22.34.64 0.0.0.31 host 172.22.34.62

Extended IP access list HTTP_ONLY

10 permit tcp 172.22.34.96 0.0.0.15 host 172.22.34.62 eq www

20 permit icmp 172.22.34.96 0.0.0.15 host 172.22.34.62

Step 2: Apply the ACL on the correct interface to filter traffic.

From R1’s perspective, the traffic that access list HTTP_ONLY applies to is inbound from the
network connected to the Gigabit Ethernet 0/1 interface. Enter interface configuration mode
and apply the ACL.

Note: On an actual operational network, it is not a good practice to apply an untested access list
to an active interface. It should be avoided if possible.

R1(config)# interface gigabitEthernet 0/1

R1(config-if)# ip access-group HTTP_ONLY in

Step 3: Verify the ACL implementation.

a. Ping from PC2 to Server. If the ping is unsuccessful, verify the IP addresses before continuing.

b. From PC2 open a web browser and enter the IP address of the Server. The web page of the
Server should be displayed.

c. FTP from PC2 to Server. The connection should fail. If not, troubleshoot the access list
statements and the access-group configurations on the interfaces.

Answer Script

Router R1

enable

configure terminal

access-list 100 permit tcp 172.22.34.64 0.0.0.31 host 172.22.34.62 eq ftp


access-list 100 permit icmp 172.22.34.64 0.0.0.31 host 172.22.34.62

interface gigabitEthernet 0/0

ip access-group 100 in

ip access-list extended HTTP_ONLY

permit tcp 172.22.34.96 0.0.0.15 host 172.22.34.62 eq www

permit icmp 172.22.34.96 0.0.0.15 host 172.22.34.62

interface gigabitEthernet 0/1

ip access-group HTTP_ONLY in

lab36

Addressing Table

Device    Interface  IP Address       Subnet Mask       Default Gateway

RT1       G0/0       172.31.1.126     255.255.255.224   N/A

RT1       S0/0/0     209.165.1.2      255.255.255.252   N/A

PC1       NIC        172.31.1.101     255.255.255.224   172.31.1.126

PC2       NIC        172.31.1.102     255.255.255.224   172.31.1.126

PC3       NIC        172.31.1.103     255.255.255.224   172.31.1.126

Server1   NIC        64.101.255.254   255.254.0.0       64.100.1.1

Server2   NIC        64.103.255.254   255.254.0.0       64.102.1.1

a. Create a named extended IP access list on router RT1 which will deny PC1 access to the HTTP
and HTTPS services of Server1 and Server2. Four access control statements are required.

What is the command to begin the configuration of an extended access list with the name ACL?

ip access-list extended ACL


b. Begin the ACL configuration with a statement that denies access from PC1 to Server1, only
for HTTP (port 80). Refer to the addressing table for the IP address of PC1 and Server1.

RT1(config-ext-nacl)# deny tcp host 172.31.1.101 host 64.101.255.254 eq 80

c. Next, enter the statement that denies access from PC1 to Server1, only for HTTPS (port 443).

RT1(config-ext-nacl)# deny tcp host 172.31.1.101 host 64.101.255.254 eq 443

d. Enter the statement that denies access from PC1 to Server2, only for HTTP. Refer to the
addressing table for the IP address of Server 2.

RT1(config-ext-nacl)# deny tcp host 172.31.1.101 host 64.103.255.254 eq 80

e. Enter the statement that denies access from PC1 to Server2, only for HTTPS.

RT1(config-ext-nacl)# deny tcp host 172.31.1.101 host 64.103.255.254 eq 443

Step 2: Deny PC2 to access FTP services on Server1 and Server2.

Refer to the addressing table for the IP address of PC2.

a. Enter the statement that denies access from PC2 to Server1, only for FTP (port 21 only).

RT1(config-ext-nacl)# deny tcp host 172.31.1.102 host 64.101.255.254 eq 21

b. Enter the statement that denies access from PC2 to Server2, only for FTP (port 21 only).

RT1(config-ext-nacl)# deny tcp host 172.31.1.102 host 64.103.255.254 eq 21

Step 3: Deny PC3 to ping Server1 and Server2.

Refer to the addressing table for the IP address of PC3.

a. Enter the statement that denies ICMP access from PC3 to Server1.

RT1(config-ext-nacl)# deny icmp host 172.31.1.103 host 64.101.255.254

b. Enter the statement that denies ICMP access from PC3 to Server2.

RT1(config-ext-nacl)# deny icmp host 172.31.1.103 host 64.103.255.254

Step 4: Permit all other IP traffic.

By default, an access list denies all traffic that does not match any rule in the list. Enter the
command that permits all traffic that does not match any of the configured access list
statements.

RT1(config-ext-nacl)# permit ip any any


Step 5: Verify the access list configuration before applying it to an interface.

Before any access list is applied, the configuration needs to be verified to make sure that there
are no typographical errors and that the statements are in the correct order. To view the current
configuration of the access list, use either the show access-lists or the show running-config
command.

RT1# show access-lists

Extended IP access list ACL

10 deny tcp host 172.31.1.101 host 64.101.255.254 eq www

20 deny tcp host 172.31.1.101 host 64.101.255.254 eq 443

30 deny tcp host 172.31.1.101 host 64.103.255.254 eq www

40 deny tcp host 172.31.1.101 host 64.103.255.254 eq 443

50 deny tcp host 172.31.1.102 host 64.101.255.254 eq ftp

60 deny tcp host 172.31.1.102 host 64.103.255.254 eq ftp

70 deny icmp host 172.31.1.103 host 64.101.255.254

80 deny icmp host 172.31.1.103 host 64.103.255.254

90 permit ip any any

RT1# show running-config | begin access-list

ip access-list extended ACL

deny tcp host 172.31.1.101 host 64.101.255.254 eq www

deny tcp host 172.31.1.101 host 64.101.255.254 eq 443

deny tcp host 172.31.1.101 host 64.103.255.254 eq www

deny tcp host 172.31.1.101 host 64.103.255.254 eq 443

deny tcp host 172.31.1.102 host 64.101.255.254 eq ftp

deny tcp host 172.31.1.102 host 64.103.255.254 eq ftp

deny icmp host 172.31.1.103 host 64.101.255.254

deny icmp host 172.31.1.103 host 64.103.255.254

permit ip any any


Note: The difference between the output of the show access-lists command and the output of
the show running-config command is that the show access-lists command includes the
sequence numbers assigned to the configuration statements. These sequence numbers enable
the editing, deleting, and inserting of single lines within the access list configuration. Sequence
numbers also define the processing order of individual access control statements, starting with
the lowest sequence number.
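
The first-match processing described in this note, and the wildcard matching and implicit deny from the HTTP_ONLY exercise earlier, can be checked offline before an ACL is applied to an interface. The following Python sketch is an added example, not part of the lab or of Cisco's tooling: it parses the show access-lists text from this page and reports which sequence number decides a test packet. The function names and the host 172.22.34.98 (a constructed address inside the PC2 LAN range) are assumptions.

```python
import ipaddress
from typing import NamedTuple, Optional

# Port keywords that IOS prints instead of numbers in the ACLs on this page.
PORT_NAMES = {"ftp": 21, "www": 80}

# ACL text copied from the "show access-lists" output on this page.
ACL_RT1 = """\
Extended IP access list ACL
 10 deny tcp host 172.31.1.101 host 64.101.255.254 eq www
 20 deny tcp host 172.31.1.101 host 64.101.255.254 eq 443
 30 deny tcp host 172.31.1.101 host 64.103.255.254 eq www
 40 deny tcp host 172.31.1.101 host 64.103.255.254 eq 443
 50 deny tcp host 172.31.1.102 host 64.101.255.254 eq ftp
 60 deny tcp host 172.31.1.102 host 64.103.255.254 eq ftp
 70 deny icmp host 172.31.1.103 host 64.101.255.254
 80 deny icmp host 172.31.1.103 host 64.103.255.254
 90 permit ip any any
"""
HTTP_ONLY = """\
Extended IP access list HTTP_ONLY
 10 permit tcp 172.22.34.96 0.0.0.15 host 172.22.34.62 eq www
 20 permit icmp 172.22.34.96 0.0.0.15 host 172.22.34.62
"""

class Rule(NamedTuple):
    seq: int
    action: str            # "permit" or "deny"
    proto: str             # "ip", "tcp" or "icmp"
    src: tuple             # (address, wildcard) as integers
    dst: tuple
    dport: Optional[int]   # destination port given with "eq", else None

def wildcard_from_mask(mask: str) -> str:
    """Subtract the subnet mask from 255.255.255.255, octet by octet."""
    return ".".join(str(255 - int(octet)) for octet in mask.split("."))

def _take_addr(tokens: list) -> tuple:
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D wildcard' from the front of tokens."""
    first = tokens.pop(0)
    if first == "any":
        return (0, 0xFFFFFFFF)
    if first == "host":
        return (int(ipaddress.IPv4Address(tokens.pop(0))), 0)
    return (int(ipaddress.IPv4Address(first)), int(ipaddress.IPv4Address(tokens.pop(0))))

def parse_acl(text: str) -> list:
    """Parse numbered ACL lines; the header and trailing match counters are ignored."""
    rules = []
    for line in text.splitlines():
        tokens = line.split()
        if not tokens or not tokens[0].isdigit():
            continue
        seq, action, proto, rest = int(tokens[0]), tokens[1], tokens[2], tokens[3:]
        src, dst = _take_addr(rest), _take_addr(rest)
        dport = None
        if rest[:1] == ["eq"]:
            dport = PORT_NAMES[rest[1]] if rest[1] in PORT_NAMES else int(rest[1])
        rules.append(Rule(seq, action, proto, src, dst, dport))
    return sorted(rules, key=lambda r: r.seq)   # lowest sequence number first

def _matches(addr: str, spec: tuple) -> bool:
    """A wildcard bit of 0 means 'must match'; a bit of 1 means 'ignore'."""
    base, wildcard = spec
    care = ~wildcard & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (base & care)

def evaluate(rules, proto, src, dst, dport=None):
    """Return (action, seq) for the first matching rule, or ("deny", None)
    when nothing matches (the implicit deny at the end of every ACL)."""
    for rule in rules:
        if rule.proto not in ("ip", proto):
            continue
        if not (_matches(src, rule.src) and _matches(dst, rule.dst)):
            continue
        if rule.dport is not None and rule.dport != dport:
            continue
        return (rule.action, rule.seq)
    return ("deny", None)

if __name__ == "__main__":
    rt1 = parse_acl(ACL_RT1)
    # (label, protocol, source, destination, destination port)
    tests = [
        ("PC1 -> Server1 HTTP", "tcp", "172.31.1.101", "64.101.255.254", 80),
        ("PC1 -> Server1 FTP", "tcp", "172.31.1.101", "64.101.255.254", 21),
        ("PC2 -> Server2 FTP", "tcp", "172.31.1.102", "64.103.255.254", 21),
        ("PC3 -> Server1 ping", "icmp", "172.31.1.103", "64.101.255.254", None),
    ]
    for label, proto, src, dst, port in tests:
        print(f"{label:22} {evaluate(rt1, proto, src, dst, port)}")
    # Constructed host 172.22.34.98 in the PC2 LAN: FTP falls through to the implicit deny.
    print(evaluate(parse_acl(HTTP_ONLY), "tcp", "172.22.34.98", "172.22.34.62", 21))
```

Prepending a constructed line such as "5 permit ip any any" to ACL_RT1 makes every test packet match sequence 5, which is why statement order has to be verified before the list is applied.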

Part 2: Apply and Verify the Extended ACL

The traffic to be filtered is coming from the 172.31.1.96/27 network and is destined for remote
networks. Appropriate ACL placement depends on the relationship of the traffic with respect
to RT1. In general, extended access lists should be placed on the interface closest to the source
of the traffic.

Step 1: Apply the ACL to the correct interface and in the correct direction.

Note: In an actual operational network, an untested ACL should never be applied to an active
interface. This is not a good practice and can disrupt network operation.

On which interface should the named ACL be applied, and in which direction?

Interface Gigabit Ethernet 0/0, in.

Enter the configuration commands to apply the ACL to the interface.

RT1(config)# interface g0/0

RT1(config-if)# ip access-group ACL in

Step 2: Test access for each PC.

a. Access the websites of Server1 and Server2 using the web browser of PC1. Use both the
HTTP and HTTPS protocols. Use the show access-lists command to view which access list
statement permitted or denied the traffic. The output of the show access-lists command
displays the number of packets that match each statement since the last time the counters were
cleared, or the router rebooted.

Note: To clear the counters on an access list, use the clear access-list counters command.

RT1#show ip access-lists

Extended IP access list ACL

10 deny tcp host 172.31.1.101 host 64.101.255.254 eq www (12 match(es))

20 deny tcp host 172.31.1.101 host 64.101.255.254 eq 443 (12 match(es))


30 deny tcp host 172.31.1.101 host 64.103.255.254 eq www

40 deny tcp host 172.31.1.101 host 64.103.255.254 eq 443

50 deny tcp host 172.31.1.102 host 64.101.255.254 eq ftp

60 deny tcp host 172.31.1.102 host 64.103.255.254 eq ftp

70 deny icmp host 172.31.1.103 host 64.101.255.254

80 deny icmp host 172.31.1.103 host 64.103.255.254

90 permit ip any any

b. Access FTP of Server1 and Server2 using PC1. The username and password are both cisco.

c. Ping Server1 and Server2 from PC1.

d. Repeat Step 2a to Step 2c with PC2 and PC3 to verify proper access list operation.

Answer Configuration

Router RT1

enable

configure terminal

ip access-list extended ACL

deny tcp host 172.31.1.101 host 64.101.255.254 eq www

deny tcp host 172.31.1.101 host 64.101.255.254 eq 443

deny tcp host 172.31.1.101 host 64.103.255.254 eq www

deny tcp host 172.31.1.101 host 64.103.255.254 eq 443

deny tcp host 172.31.1.102 host 64.101.255.254 eq ftp

deny tcp host 172.31.1.102 host 64.103.255.254 eq ftp

deny icmp host 172.31.1.103 host 64.101.255.254

deny icmp host 172.31.1.103 host 64.103.255.254

permit ip any any

interface GigabitEthernet0/0

ip access-group ACL in
end

lab38

a. Block HTTP and HTTPS traffic from reaching Server3.

R1(config)# ipv6 access-list BLOCK_HTTP

R1(config-ipv6-acl)# deny tcp any host 2001:db8:1:30::30 eq www

R1(config-ipv6-acl)# deny tcp any host 2001:db8:1:30::30 eq 443

b. Allow all other IPv6 traffic to pass.

R1(config-ipv6-acl)# permit ipv6 any any

Step 2: Apply the ACL to the correct interface.

Apply the ACL on the interface closest to the source of the traffic to be blocked.

R1(config)# interface GigabitEthernet0/1

R1(config-if)# ipv6 traffic-filter BLOCK_HTTP in

Step 3: Verify the ACL implementation.

Verify that the ACL is operating as intended by conducting the following tests:

• Open the web browser of PC1 to http://2001:db8:1:30::30 or https://2001:db8:1:30::30.
The website should appear.

• Open the web browser of PC2 to http://2001:db8:1:30::30 or https://2001:db8:1:30::30.
The website should be blocked.

• Ping from PC2 to 2001:db8:1:30::30. The ping should be successful.

Part 2: Configure, Apply, and Verify a Second IPv6 ACL

The logs now indicate that your server is receiving pings from many different IPv6 addresses in a
Distributed Denial of Service (DDoS) attack. You must filter ICMP ping requests to your server.

Step 1: Create an access list to block ICMP.

Configure an ACL named BLOCK_ICMP on R3 with the following statements:

a. Block all ICMP traffic from any hosts to any destination.

R3(config)# ipv6 access-list BLOCK_ICMP

R3(config-ipv6-acl)# deny icmp any any

b. Allow all other IPv6 traffic to pass.

R3(config-ipv6-acl)# permit ipv6 any any

Step 2: Apply the ACL to the correct interface.

In this case, ICMP traffic can come from any source. To ensure that ICMP traffic is blocked,
regardless of its source or any changes that occur to the network topology, apply the ACL
closest to the destination.

R3(config)# interface GigabitEthernet0/0

R3(config-if)# ipv6 traffic-filter BLOCK_ICMP out

Step 3: Verify that the proper access list functions.

a. Ping from PC2 to 2001:db8:1:30::30. The ping should fail.

b. Ping from PC1 to 2001:db8:1:30::30. The ping should fail.

c. Open the web browser of PC1 to http://2001:db8:1:30::30 or https://2001:db8:1:30::30. The
website should display.

Answer script

Router R1

enable

config t

ipv6 access-list BLOCK_HTTP

deny tcp any host 2001:db8:1:30::30 eq www

deny tcp any host 2001:db8:1:30::30 eq 443


permit ipv6 any any

interface GigabitEthernet0/1

ipv6 traffic-filter BLOCK_HTTP in

end

Router R3

enable

config t

ipv6 access-list BLOCK_ICMP

deny icmp any any

permit ipv6 any any

interface GigabitEthernet0/0

ipv6 traffic-filter BLOCK_ICMP out

end

lab17.1
a. From PC-A, ping the default gateway using the IPv4 address (GigabitEthernet 0/0/1 interface
of R1).

C:\> ping 192.168.1.1

Pinging 192.168.1.1 with 32 bytes of data:

Reply from 192.168.1.1: bytes=32 time<1ms TTL=255

Reply from 192.168.1.1: bytes=32 time<1ms TTL=255

Reply from 192.168.1.1: bytes=32 time<1ms TTL=255

Reply from 192.168.1.1: bytes=32 time<1ms TTL=255

Ping statistics for 192.168.1.1:

Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

Minimum = 0ms, Maximum = 0ms, Average = 0ms

In this example, four ICMP requests of 32 bytes each were sent. The responses were
received in less than one millisecond with no packet loss. The transmission and reply time can
increase as the ICMP requests and responses are processed by more devices during the journey
to and from the destination.

This can also be done using the IPv6 address of the default gateway (GigabitEthernet 0/0/1
interface of R1).

C:\> ping 2001:db8:acad:1::1

Pinging 2001:db8:acad:1::1 with 32 bytes of data:

Reply from 2001:DB8:ACAD:1::1: bytes=32 time<1ms TTL=255

Reply from 2001:DB8:ACAD:1::1: bytes=32 time<1ms TTL=255

Reply from 2001:DB8:ACAD:1::1: bytes=32 time<1ms TTL=255


Reply from 2001:DB8:ACAD:1::1: bytes=32 time<1ms TTL=255

Ping statistics for 2001:DB8:ACAD:1::1:

Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

Minimum = 0ms, Maximum = 0ms, Average = 0ms

b. From PC-A, ping the addresses listed in the following table and record the average round trip
time and IPv4 TTL, or IPv6 Hop Limit.

Destination                            Average Round Trip Time (ms)   TTL / Hop Limit

192.168.1.10                           <1 (Answers will vary.)        128 (Answers will vary.)

2001:db8:acad:1::10                    <1 (Answers will vary.)        128 (Answers will vary.)

192.168.1.1 (R1)                       <1 (Answers will vary.)        255 (Answers will vary.)

2001:db8:acad:1::1 (R1)                1 (Answers will vary.)         64 (Answers will vary.)

192.168.1.2 (S1)                       1 (Answers will vary.)         255 (Answers will vary.)

2001:db8:acad:1::2 (S1)                1 (Answers will vary.)         64 (Answers will vary.)

64.100.0.2 (R1)                        1 (Answers will vary.)         255 (Answers will vary.)

2001:db8:acad::2 (R1)                  <1 (Answers will vary.)        64 (Answers will vary.)

64.100.0.1 (ISP)                       <1 (Answers will vary.)        254 (Answers will vary.)

2001:db8:acad::1 (ISP)                 1 (Answers will vary.)         63 (Answers will vary.)

209.165.200.225 (ISP G0/0/1)           Unreachable                    Unreachable

2001:db8:acad:200::225 (ISP G0/0/1)    Unreachable                    Unreachable

209.165.200.226 (External)             Unreachable                    Unreachable

2001:db8:acad:200::226 (External)      Unreachable                    Unreachable

*Answers Note: The average round trip time was increased if the message “Request timed out”
was displayed during the first ICMP request. ARP caused the delay, and this resulted in packet
loss.

Step 2: Perform pings from S1 to External.

From S1, attempt to ping ISP and External using IPv4 and IPv6 addresses.

What are the ping results from S1 to ISP and External?


The pings were successful to ISP G0/0/0 interface. The pings were unsuccessful to ISP G0/0/1
interface and External NIC.

Part 2: Use Tracert and Traceroute Commands for Basic Network Testing

The commands for tracing routes can be found on PCs and network devices. For a Windows-based
PC, the tracert command uses ICMP messages to trace the path to the destination.
The traceroute command uses User Datagram Protocol (UDP) datagrams for tracing routes
to the destination for Cisco devices and other Unix-like PCs.

In this part, you will examine the traceroute commands and determine the path that a packet
travels to the destination. You will use the tracert command from the PCs and
the traceroute command from the Cisco devices. You will also examine the options that are
available for fine tuning the traceroute results.

Step 1: From PC-A, use the tracert command to External.

a. At the command prompt of PC-A, type tracert 209.165.200.226.

C:\> tracert 209.165.200.226

Tracing route to 209.165.200.226 over a maximum of 30 hops:

1 * * 1 ms 192.168.1.1

2 * 0 ms 0 ms 64.100.0.1
3 0 ms * 0 ms 64.100.0.1

4 * 11 ms * Request timed out.

5 0 ms * 0 ms 64.100.0.1

Control-C

^C

C:\>

Note: You can stop the trace route by pressing Ctrl-C.

The tracert result indicates the path from PC-A to External is from PC-A to R1 to ISP and is
unable to arrive at External. The tracert results indicate an issue at the ISP router.

b. Repeat the tracert command using the IPv6 address. At the command prompt,
enter tracert 2001:db8:acad:200::226.

Step 2: From S1, use the traceroute command to External.

From S1, type traceroute 209.165.200.226 or traceroute 2001:db8:acad:200::226.

Note: To stop the traceroute, press Ctrl-Shift-6.

S1# traceroute 209.165.200.226

Type escape sequence to abort.

Tracing the route to 209.165.200.226

1 * 0 msec 0 msec

2 64.100.0.1 0 msec 0 msec 0 msec

3 64.100.0.1 !H * !H

4 * *

<output omitted>

S1# traceroute 2001:db8:acad:200::226

Type escape sequence to abort.

Tracing the route to 2001:db8:acad:200::226


1* * * *

<output omitted>

The traceroute command has additional options. You can use the ? or just press Enter after
typing traceroute at the prompt to explore these options.

Note: The available options are limited in Packet Tracer.

The following link provides more information regarding the ping and traceroute commands for
a Cisco device:

http://www.cisco.com/en/US/products/sw/iosswrel/ps1831/products_tech_note09186a00800a6057.shtml

Part 3: Correct the network connectivity issue at ISP.

Step 1: Access the network location where the connectivity issue is occurring.

From the previous steps, you had determined that there is an issue at the ISP router using
the ping and traceroute commands. You have remote SSH access to all the network devices
using username admin and password class.

a. From the terminal of S1, SSH into the ISP router using the G0/0/0 interface to correct the
problem.

C:\> ssh -l admin 64.100.0.1

b. Use the show commands to examine the running configurations for the ISP router.

ISP# show ip interface brief

Interface IP-Address OK? Method Status Protocol

GigabitEthernet0/0/0 64.100.0.1 YES manual up up

GigabitEthernet0/0/1 192.168.8.1 YES manual up up

Vlan1 unassigned YES NVRAM administratively down down

ISP# show run | section interface

interface GigabitEthernet0/0/0
ip address 64.100.0.1 255.255.255.252

duplex auto

speed auto

ipv6 address FE80::1 link-local

ipv6 address 2001:DB8:ACAD::1/64

interface GigabitEthernet0/0/1

ip address 192.168.8.1 255.255.255.0

negotiation auto

speed auto

ipv6 address 2001:DB8:ACAD:201::225/128

<output omitted>

The outputs of the show run and show ip interface brief commands indicate that the
GigabitEthernet 0/0/1 interface is up/up but that it is configured with an incorrect IP address.

c. Correct the issues you found. From the command prompt on PC-A, copy and paste the
following configuration into the ISP router to correct the issue in the SSH session to the ISP
router.

configure terminal

interface g0/0/1

no ip address 192.168.8.1 255.255.255.0

ip address 209.165.200.225 255.255.255.224

no ipv6 address 2001:db8:acad:201::225/64

ipv6 address 2001:db8:acad:200::225/64

ipv6 address fe80::225 link-local

no shutdown

d. Exit the SSH session when finished.

Step 2: Verify end-to-end connectivity.


From the PC-A command prompt, use the ping and tracert commands to verify end-to-end
connectivity to the external server at 209.165.200.226 and 2001:db8:acad:200::226.

Part 4: Use Extended Ping Commands

Step 1: Use extended ping commands on PC-A.

The default ping command sends four requests of 32 bytes each. It waits 4,000 milliseconds (4
seconds) for each response to be returned before displaying the “Request timed out” message.
The ping command can be fine-tuned for troubleshooting a network.

a. At the command prompt, type ping and press Enter.

C:\> ping

Packet Tracer PC Ping

Usage: ping [-n count | -v TOS | -t ] target

b. Using the -t option, ping External to verify that External is reachable. The -t option will
continuously ping the target until stopped. Use Ctrl+c to stop the ping sequence.

C:\> ping -t 209.165.200.226

Pinging 209.165.200.226 with 32 bytes of data:

Reply from 209.165.200.226: bytes=32 time<1ms TTL=126

Reply from 209.165.200.226: bytes=32 time<1ms TTL=126

c. To illustrate the results when a host is unreachable, shut down the GigabitEthernet 0/0/1
interface on the ISP router. From switch S1, SSH to the ISP G0/0/0 interface. Use the
password class.

S1# ssh -l admin 64.100.0.1

d. Use the shutdown command to disable the GigabitEthernet 0/0/1 interface on the ISP router.

Reply from 209.165.200.226: bytes=32 time<1ms TTL=126

Reply from 64.100.0.1: Destination host unreachable.


Reply from 64.100.0.1: Destination host unreachable.

While the network is functioning correctly, the ping command can determine whether the
destination responded and how long it took to receive a reply from the destination. If a network
connectivity problem exists, the ping command displays an error message.

e. Re-enable the GigabitEthernet 0/0/1 interface on the ISP router (using the no
shutdown command) before moving onto the next step. After about 30 seconds, the ping
should be successful again.

Reply from 64.100.0.1: Destination host unreachable.

Request timed out.

Request timed out.

Reply from 209.165.200.226: bytes=32 time<1ms TTL=126

Reply from 209.165.200.226: bytes=32 time<1ms TTL=126

f. Press Ctrl+c to stop the ping command.

g. The above steps can be repeated for the IPv6 address to obtain an ICMP error message.

What ICMP error messages did you receive?


Destination net unreachable, request timed out.

h. Enable the GigabitEthernet 0/0/1 interface on the ISP router (using the no
shutdown command) before moving on to the next step. After about 30 seconds, the ping
should be successful again.

Step 2: Test network connectivity from the R1 network using Cisco devices.

The ping command is also available on Cisco devices. In this step, the ping command is
examined using R1 and S1.

a. From R1, ping External on the external network using the IP address of 209.165.200.226.

R1# ping 209.165.200.226

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 209.165.200.226, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms


The exclamation point (!) indicates that the ping was successful from R1 to External. The round
trip takes an average of 1 ms with no packet loss, as indicated by a 100% success rate.

b. Because a local host table was configured on R1, you can ping Externalv4 on the external
network using the hostname configured from R1.

R1# ping Externalv4

What is the IP address used?


209.165.200.226

c. In the privileged EXEC mode, there are more options available for the ping command. At the
command line, type ping and press Enter. Use ipv6 as the protocol.
Input 2001:db8:acad:200::226 or external for the target IPv6 address. Press Enter to accept the
default value for other options.

R1# ping

Protocol [ip]: ipv6

Target IPv6 address: 2001:db8:acad:200::226

Repeat count [5]:

Datagram size [100]:

Timeout in seconds [2]:

Extended commands? [no]:

Sweep range of sizes? [no]:

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 2001:db8:acad:200::226, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms

d. You can use an extended ping to observe where there is a network issue. Start
the ping command to 209.165.200.226 with a repeat count of 50000. Then, shut down the
GigabitEthernet 0/0/1 interface on the ISP router.

From the SSH session to ISP on switch S1, disable the GigabitEthernet 0/0/1 interface on ISP.

e. From the SSH session, enable the GigabitEthernet 0/0/1 interface on ISP after the
exclamation points (!) have been replaced by the letter U and periods (.). After about 30 seconds,
the ping should be successful again. Press Ctrl+Shift+6 to stop the ping command.

R1# ping

Protocol [ip]:

Target IP address: 209.165.200.226

Repeat count [5]: 50000

Datagram size [100]:

Timeout in seconds [2]:

Extended commands [n]:

Sweep range of sizes [n]:

Sending 500, 100-byte ICMP Echos to 209.165.200.226, timeout is 2 seconds:

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

<output omitted>

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!.U.U.U.U.U.

U.U................!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

<output omitted>

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

!!!!!!!!!!

Success rate is 99 percent (9970/10000), round-trip min/avg/max = 1/1/10 ms

The letter U in the results indicates that a destination is unreachable. An error PDU was received
by R1. Each period (.) in the output indicates that the ping timed out while waiting for a reply
from External. In this example, 1% of the packets were lost during the simulated network
outage.

The ping command is extremely useful when troubleshooting network connectivity. However,
ping cannot indicate the location of a problem when a ping is not successful.
The tracert (or traceroute) command can display network latency and path information.

f. In the PT activity window, click Check Results to verify all the assessment items and
connectivity tests are correct.
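
The PC ping -t output in Step 1 and the !, U and period symbols of the extended ping in Step 2 report the same three outcomes: a reply, an unreachable error, or a timeout. The following Python sketch is an added example, not part of the lab: it converts both formats to one symbol string, summarizes the outage, and estimates how many routers a reply crossed from its TTL. The function names are assumptions, the two sample inputs are constructed to resemble the outputs above, and the initial-TTL guess is a heuristic.

```python
import re

# Common initial TTL / Hop Limit values. Choosing the start value is a heuristic:
# it assumes the sender used one of these defaults and the path is shorter than 64 hops.
INITIAL_TTLS = (64, 128, 255)

REPLY = re.compile(r"Reply from (\S+): bytes=\d+ time[<=]\d+ms TTL=(\d+)")
UNREACHABLE = re.compile(r"Reply from (\S+): Destination (?:host|net) unreachable")

# Constructed transcript, modelled on the ping -t output in Step 1.
PC_TRANSCRIPT = """\
Reply from 209.165.200.226: bytes=32 time<1ms TTL=126
Reply from 64.100.0.1: Destination host unreachable.
Reply from 64.100.0.1: Destination host unreachable.
Request timed out.
Request timed out.
Reply from 209.165.200.226: bytes=32 time<1ms TTL=126
Reply from 209.165.200.226: bytes=32 time<1ms TTL=126
"""

# Constructed IOS result string, modelled on the extended ping from R1.
IOS_OUTPUT = "!" * 10 + ".U.U.U.U.U.\nU.U" + "." * 16 + "!" * 10


def hops_from_ttl(ttl):
    """Estimate routers crossed: nearest common initial value at or above ttl, minus ttl."""
    initial = min(t for t in INITIAL_TTLS if t >= ttl)
    return initial - ttl


def pc_to_symbols(transcript):
    """Map PC ping lines to IOS-style symbols: '!' reply, 'U' unreachable, '.' timeout.
    Returns (symbols, reply TTLs, addresses that sent an unreachable message)."""
    symbols, ttls, reporters = [], [], set()
    for line in transcript.splitlines():
        line = line.strip()
        reply = REPLY.match(line)
        unreachable = UNREACHABLE.match(line)
        if reply:
            symbols.append("!")
            ttls.append(int(reply.group(2)))
        elif unreachable:
            symbols.append("U")
            reporters.add(unreachable.group(1))
        elif line == "Request timed out.":
            symbols.append(".")
    return "".join(symbols), ttls, reporters


def ios_to_symbols(output):
    """Keep only the lines of IOS ping output that consist of result symbols."""
    return "".join(ch for line in output.splitlines()
                   if line.strip() and set(line.strip()) <= set("!.U")
                   for ch in line.strip())


def summarize(symbols):
    """Loss statistics and outage window for a string of '!', 'U' and '.' symbols."""
    sent = len(symbols)
    received = symbols.count("!")
    failures = [i for i, s in enumerate(symbols) if s != "!"]
    return {
        "sent": sent,
        "received": received,
        "unreachable": symbols.count("U"),
        "timed_out": symbols.count("."),
        "success_percent": 100 * received // sent if sent else 0,
        # 0-based index of the first and last failed probe, or None if all succeeded
        "outage": (failures[0], failures[-1]) if failures else None,
    }


if __name__ == "__main__":
    symbols, ttls, reporters = pc_to_symbols(PC_TRANSCRIPT)
    print(symbols, summarize(symbols))
    print("unreachable reported by:", sorted(reporters))
    print("estimated routers crossed by replies:", {hops_from_ttl(t) for t in ttls})
    print(summarize(ios_to_symbols(IOS_OUTPUT)))
```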

Reflection Questions

1. What could prevent ping or traceroute responses from reaching the originating device besides
network connectivity issues?
Firewall on the PCs, access list commands, routing issues, interface is down, network delay

2. If you ping a non-existent address on the remote network, such as 209.165.200.227, what is
the message displayed by the ping command? What does this mean? If you ping a valid host
address and receive this response, what should you check?
Request timed out or periods (.). This means that there was no response in the default time
period. Some of the items you may check: router is down, destination host is down, return
route to your device and latency of the response is not more than the default time period

3. If you ping an address that does not exist in any network in your topology, such as
192.168.5.3, from a Windows-based PC, what is the message displayed by the ping command?
What does this message indicate?
Destination host unreachable. This message indicates that there is no route to the destination
as the network is not listed by the routing table.

Lab18

Connectivity Issues:
1. Server 1 is set to receive its IP address over DHCP. It should be statically configured with the
correct IP address, subnet mask, and default gateway.
2. Router RTR-3 interface G0/0/1 has been configured with the wrong IPv6 address. The
address should be 2001:DB8:5::1/64 as shown in the addressing table.
RTR-3

enable

config terminal

interface g0/0/1

ipv6 address 2001:DB8:5::1/64

3. Note: The G0/0/1 interface may need to be shut down and brought back up in order for the
new route to take effect. The old route may still show up in the routing table as well.
4. PC-4 is configured with the wrong default gateway address. It should be 10.10.5.1 as shown
in the addressing table.

Lab21

College Router

enable

config terminal

hostname College

enable secret class


line console 0

password cisco

login

line vty 0 15

password cisco

login

exit

service password-encryption

banner motd #Unauthorized access to this device is prohibited!#

interface g0/0

ip address 128.107.20.1 255.255.255.0

ipv6 address 2001:db8:a::1/64

ipv6 address FE80::1 link-local

description Link to Class-A

no shutdown

interface g0/1

ip address 128.107.30.1 255.255.255.0

ipv6 address 2001:db8:b::1/64

ipv6 address FE80::1 link-local

description Link to Class-B

no shutdown

exit
ipv6 unicast-routing

end

copy running-config startup-config

Class-B Switch

enable

configure terminal

hostname Class-B

banner motd #Unauthorized access to this device is prohibited!#

enable secret class

line console 0

password cisco

login

line vty 0 4

password cisco

login

exit

service password-encryption

interface vlan 1

description Vlan 1

ip address 128.107.30.15 255.255.255.0

no shutdown

end

copy running-config startup-config


PCs host
