How Do I?
A Practical Quick Start Guide for Building a Network
Table of Contents

How do I …

Configure a PC for Internet access?
• Use a straight-through cable to connect a PC to a switch.
• Be sure the NIC has an IP address.
• Be sure the NIC has a subnet mask.
• Be sure the NIC has a default gateway.
• Be sure at least one DNS server is in the PC’s NIC configuration.
• Option: enable dynamic addressing.

Troubleshoot a PC’s network connection to get Internet access?
• Check all cable connections.
• Verify electric power on both ends of the connection.
• Ping the default gateway.
• Ping a well-known public IP address.
• Ping a well-known public DNS server.
• Use nslookup to check DNS.
• Use tracert instead of ping to get a clearer picture of where any network outages may be.

Get and secure administrative access to Cisco routers and switches?
• Attach a console cable.
• Type enable to get access.
• Set a password on the console port.
• Set an enable password.
• Create a stronger secret password.
• Obfuscate all passwords in the running configuration.
• Set a password on the auxiliary port.
• Configure an IP address for Telnet or ssh access.
• Set a Telnet password.
• Use ssh instead of Telnet.
• Secure the web management interface.

Secure access ports on a switch?
• Shut down all the interfaces. Then turn on only those interfaces you wish to use.
• Create a black hole VLAN. Assign all switchports to the black hole VLAN by default.
• Create one or more VLANs for access. Do not use the default VLAN (VLAN 1) for data traffic.
• Verify each access port is assigned to the correct VLAN.
• Enable switchport security.
• Set the switchport security violation level.
• Option: limit the number of different MAC addresses that can connect to a switchport.
• Option: hard code the MAC address of the device connected to each switchport.
• Option: let the switchport learn one or more MAC addresses automatically.

Set up a switch for trunking?
• Create a management VLAN.
• Create a native VLAN.
• Use crossover cables to connect switches to other switches.
• Put any trunk ports into trunking mode.
• Assign VLANs to each trunk.
• Assign the native VLAN to each trunk.
• Use EtherChannel to aggregate links for similar traffic between two switches.

Allow different VLANs to communicate?
• Use subinterfaces on a router.
How Do I … ?
Configure a PC for Internet access?
• Use a straight-through cable to connect a PC to a switch.
• Be sure the NIC has an IP address.
• Be sure the NIC has a subnet mask.
• Be sure the NIC has a default gateway.
The default gateway is the interface of the nearest router that faces the PC. This address acts like a static default route, allowing the PC to reach anything beyond its own subnet, including the Internet. The IP address on the PC and the default gateway must be on the same subnet, and the PC must use the same subnet mask as that router interface.
• Be sure at least one DNS server is in the PC’s NIC configuration.
DNS servers are not needed for lab exercises that only involve ping by IP address. You will need a DNS server for access to the web and any other Internet resource reached by name.
• Option: enable dynamic addressing.
This only works if a DHCP server is reachable on the network. If one is, the DHCP server should provide an IP address, a subnet mask, a default gateway, and one or more DNS servers. Check the values it hands out against the requirements above; a wrong gateway or DNS server delivered by DHCP produces exactly the same symptoms as a wrong manual entry.
Troubleshoot a PC’s network connection to get Internet access?
• Check all cable connections.
Look for loose connections. Also verify that the Ethernet cables are of the right type. When in doubt, try a different cable.
• Verify electric power on both ends of the connection.
A NIC will not show link if the device at the other end of the cable is powered off; it will look as if the NIC itself is down. If the PC has more than one NIC, verify that the NIC facing the Internet is enabled and has the correct settings. It may help to disable the second NIC to be sure. A common reason for ping and other network utilities to fail on dual-NIC machines is that return traffic is routed in an unexpected direction through the second NIC.
• Ping the default gateway.
If this ping fails, check the IP and other settings on the PC, and check for cable or power problems. This is the most basic network connectivity test; it needs to work before anything else will.
• Ping a well-known public IP address.
8.8.8.8, one of Google’s public DNS servers, is a good example. Being able to ping this address shows that basic Internet access is in place. Failure suggests a problem somewhere between the PC’s local network and the ISP connection.
• Ping a well-known public DNS server.
Google’s 8.8.8.8 works well for this test too. A successful ping to a well-known DNS server rules out network or lower-layer errors as the reason DNS resolution fails. Keep in mind that ping uses ICMP, not the UDP and TCP port 53 that DNS uses, so a server that answers ping can still be unable to answer queries if a firewall blocks DNS traffic.
• Use nslookup to check DNS.
Try nslookup against a popular web site. For example,
nslookup www.google.com
This tells you whether the DNS server configured on the PC is answering. nslookup also accepts a server name or address as a second argument, which separates a wrong DNS setting on the PC from an unreachable server.
• Use tracert instead of ping to get a clearer picture of where any network outages may be.
Try tracing a route to the default gateway, the local DNS server, 8.8.8.8, or www.google.com. The hop at which replies stop shows where the path between the PC and the Internet breaks. (tracert is the Windows command; Linux and macOS use traceroute.)
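As an added example (not part of the original guide), the script below runs the ladder above in order and stops at the first rung that fails, so the message points at the layer to look at. It reads the default gateway from `ip route show default` (Linux; on other systems pass the gateway to `diagnose` yourself), drives the system `ping` command, and resolves www.google.com through the PC’s configured DNS servers. The targets are the ones the text uses; the probe functions are injectable so the decision logic can be checked without a network.

```python
"""Run the connectivity ladder described above: default gateway, then a public IP,
then DNS, stopping at the first rung that fails so the message names the layer to
look at.

Added example, not part of the original guide. Assumptions: the system `ping`
command is on PATH (Windows flags -n/-w, everything else -c), the default gateway
is read from `ip route show default` (Linux; elsewhere pass it to diagnose()), and
the probe functions are injectable so the decision logic can be tested offline."""
import platform
import re
import socket
import subprocess
from typing import Callable, Optional

PUBLIC_IP = "8.8.8.8"          # Google public DNS, the address the text uses
TEST_NAME = "www.google.com"   # the name the text resolves with nslookup


def parse_default_gateway(ip_route_output: str) -> Optional[str]:
    """Pull the next-hop address out of `ip route show default` output (Linux format)."""
    m = re.search(r"^default via (\d{1,3}(?:\.\d{1,3}){3})\b", ip_route_output, re.M)
    return m.group(1) if m else None


def ping(host: str, timeout_s: int = 3) -> bool:
    """True if a single ICMP echo request gets a reply within timeout_s seconds."""
    if platform.system() == "Windows":
        cmd = ["ping", "-n", "1", "-w", str(timeout_s * 1000), host]
    else:
        cmd = ["ping", "-c", "1", host]
    try:
        done = subprocess.run(cmd, stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL,
                              timeout=timeout_s)
    except (OSError, subprocess.TimeoutExpired):
        return False
    return done.returncode == 0


def resolves(name: str) -> bool:
    """True if the PC's configured DNS servers can resolve `name`."""
    try:
        socket.getaddrinfo(name, 80)
        return True
    except socket.gaierror:
        return False


def diagnose(gateway: Optional[str],
             probe: Callable[[str], bool] = ping,
             resolve: Callable[[str], bool] = resolves) -> str:
    """Climb the ladder rung by rung; the returned text says where it broke."""
    if gateway is None:
        return "no default gateway: fix the NIC's IP, mask and gateway settings (or DHCP is not answering)"
    if not probe(gateway):
        return f"gateway {gateway} unreachable: check cable, link/power and the NIC's IP address and mask"
    if not probe(PUBLIC_IP):
        return f"gateway OK but {PUBLIC_IP} unreachable: problem between the local network and the ISP"
    if not resolve(TEST_NAME):
        return f"Internet reachable by IP but {TEST_NAME} does not resolve: check the DNS server setting"
    return "all rungs OK: IP settings, gateway, Internet path and DNS are working"


def main() -> None:
    try:
        out = subprocess.run(["ip", "route", "show", "default"],
                             capture_output=True, text=True).stdout
    except OSError:   # not Linux, or iproute2 missing: fall through with no gateway
        out = ""
    print(diagnose(parse_default_gateway(out)))


if __name__ == "__main__":
    main()
```

Run it as a script on the PC under test; the single line it prints is the rung that failed and what to check there, in the same order the steps above recommend.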
Get and secure administrative access to Cisco routers and switches?
• Attach a console cable.
Cisco devices have console ports with an RJ-45 interface. However, this console interface is not for an Ethernet patch cable. It takes a console cable, also known as a rollover cable, whose pinout differs from that of a patch cable: pin 1 at one end goes to pin 8 at the other, 2 to 7, 3 to 6, 4 to 5, 5 to 4, 6 to 3, 7 to 2, and 8 to 1. The router or switch end terminates in an RJ-45 plug; the other end usually terminates in a DB-9 adapter that attaches to the serial port of a laptop or PC (a USB-to-serial adapter serves the same purpose on machines without a serial port). Use a terminal emulation program to open a console session with these settings:
9600 baud
8 data bits
1 stop bit
No parity
No flow control
Physical access to the console port amounts to full control of the device, because the standard password-recovery procedure is performed from the console. Keep racks and wiring closets locked.
• Type enable to get access.
After the boot sequence, Cisco devices out of the box show prompts like these:
Switch>
Router>
This is user EXEC mode. It gives access to a limited command set. To get the right to configure the device, type enable at either prompt and press Enter (as at the end of every command). The prompt changes to end in #, which marks privileged EXEC mode.
Switch>enable
Router>enable
• Set a password on the console port.
To prevent others from logging in later and changing the configuration, set a password on the console port. Here is the syntax. (For brevity, the commands are shown on a router; they are the same on a switch.) The login command is what makes the line actually prompt for the password; without it the password is stored but never asked for.
Router>enable
Router#configure terminal
Router(config)#line console 0
Router(config-line)#password MyPassword
Router(config-line)#login
Router(config-line)#exit
Router(config)#exit
Router#
• Set an enable password.
This limits anyone without the password to user EXEC privileges. Note that enable password is stored in clear text (or, with service password-encryption, in the trivially reversible type 7 form) and is ignored whenever an enable secret is also configured. It is shown here because older examples use it; on any IOS image that supports enable secret, which every current image does, set the secret instead and leave the enable password unset.
Router>enable
Router#configure terminal
Router(config)#enable password MyPassword
Router(config)#exit
• Create a stronger secret password.
The enable password is stored in a cryptographically weak form. A different command stores a salted MD5 hash of the password instead (a “type 5” secret in Cisco’s numbering); Cisco calls this improved password a “secret”. MD5 itself is dated, and IOS releases from 15.3(3)M onward also accept enable algorithm-type scrypt secret (type 9), which should be preferred where the image supports it.
Router>enable
Router#configure terminal
Router(config)#enable secret MySecret
Router(config)#exit
• Obfuscate all passwords in the running configuration.
By default, passwords set with the password command appear in clear text in the running configuration. The following command replaces them with “type 7” values:
Router(config)#service password-encryption
This is obfuscation, not encryption. Type 7 is a fixed-key XOR that anyone holding a copy of the configuration can reverse in seconds, so it only defeats a glance over your shoulder. Treat any configuration file or backup that contains type 7 strings as if it contained the passwords themselves, and keep the real protection in enable secret and in local user accounts defined with secret.
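To see how little type 7 protects, here is an added example (not from the original guide) that decodes and re-encodes type 7 values and pulls every such password out of a configuration. The key string and the offset-plus-XOR scheme are the publicly known description of type 7; the sample configuration is constructed and uses the widely published test vector 0822455D0A16, which decodes to cisco.

```python
"""Decode and re-encode Cisco IOS "type 7" passwords, the form that
`service password-encryption` writes into the configuration.

Added example, not part of the original guide. The key string and the
offset-plus-XOR scheme are the publicly known description of type 7; the
constructed config below uses the widely published test vector
0822455D0A16, which decodes to "cisco"."""
import re
from typing import Dict

# The fixed key IOS XORs against. The first two decimal digits of a stored value
# give the starting offset into this string; nothing about it is secret.
_TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUB"


def type7_decode(encoded: str) -> str:
    """Reverse a type 7 value such as '0822455D0A16'."""
    if len(encoded) < 4 or len(encoded) % 2 or not encoded[:2].isdigit():
        raise ValueError("type 7 values are two decimal offset digits followed by hex pairs")
    offset = int(encoded[:2])
    if offset >= len(_TYPE7_KEY):
        raise ValueError("offset outside the key string")
    data = bytes.fromhex(encoded[2:])
    plain = bytes(b ^ _TYPE7_KEY[(offset + i) % len(_TYPE7_KEY)] for i, b in enumerate(data))
    return plain.decode("ascii")


def type7_encode(plaintext: str, offset: int = 8) -> str:
    """The forward direction, to make the point: same key, same XOR, no secret involved."""
    data = plaintext.encode("ascii")
    enc = bytes(b ^ _TYPE7_KEY[(offset + i) % len(_TYPE7_KEY)] for i, b in enumerate(data))
    return f"{offset:02d}{enc.hex().upper()}"


def recover_type7_from_config(config_text: str) -> Dict[str, str]:
    """Map every 'password 7 <hex>' line in a config (enable, line, username) to its plaintext."""
    found: Dict[str, str] = {}
    for m in re.finditer(r"^[^\n]*?password 7 ([0-9A-Fa-f]+)[ \t]*$", config_text, re.M):
        found[m.group(0).strip()] = type7_decode(m.group(1))
    return found


# Constructed sample: what `show running-config` looks like after
# `service password-encryption` has been applied.
SAMPLE_CONFIG = """\
service password-encryption
enable password 7 0822455D0A16
username someuser password 7 0822455D0A16
line con 0
 password 7 0822455D0A16
 login
"""

if __name__ == "__main__":
    for line, plain in recover_type7_from_config(SAMPLE_CONFIG).items():
        print(f"{line:45s} -> {plain}")
```

The point of type7_encode is that there is no key material to protect: every IOS device uses the same string, so a configuration leaked from a backup server or a ticketing system gives up every line and username password immediately. Only enable secret and username … secret hashes require actual guessing.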
• Set a password on the auxiliary port.
The auxiliary port, AUX, is used to attach a phone line through a dialup modem for out-of-band access. To prevent rogue access through this path, set a password on AUX and require it with login. If no modem will ever be attached, no exec on the line removes the login path altogether.
Router(config)#line aux 0
Router(config-line)#password MyPassword
Router(config-line)#login
Router(config-line)#exit
• Configure an IP address for Telnet or ssh access.
For a router, Telnet or ssh can use the IP address of any of the router’s data interfaces. See the section on “How to configure the LAN interface of a router” for how to set up IP addresses on interfaces. For a switch, switchports do not have IP addresses. Instead, an IP address must be placed on the switch virtual interface of the management VLAN. Here is the syntax:
Switch(config)#interface vlan 1
Switch(config-if)#ip address 192.168.10.99 255.255.255.0
Switch(config-if)#no shutdown
Notes: in the example above, VLAN 1 is the management VLAN. This is the default. If a different VLAN number is used for the management VLAN, change the interface number in the command to match. Likewise, the IP address and subnet mask shown are examples; just be sure the switch’s address is on the same subnet as the other addresses in the management VLAN. As discussed under securing switch ports, do not leave the management address on VLAN 1 in production: create a dedicated management VLAN and put the address there.
• Set a Telnet password.
Cisco devices allow remote management through Telnet. Telnet traffic arrives in-band through the data interfaces, but the logical termination for Telnet connections on the Cisco side is a virtual terminal line, or VTY. Cisco IOS allows multiple simultaneous sessions, numbered from 0 to one less than the maximum; many devices support five, on VTYs 0 to 4. Every VTY needs a password together with the login command. With login but no password the line refuses connections (“Password required, but none set”); with no login it accepts them without any authentication at all.
Router(config)#line vty 0 4
Router(config-line)#transport input telnet
Router(config-line)#password MyPassword
Router(config-line)#login
• Use ssh instead of Telnet.
Telnet is not encrypted at all: every keystroke, including the passwords above, crosses the network in clear text. Secure shell (ssh) provides remote access over an encrypted, authenticated channel, and using ssh instead of Telnet is basic good practice. The following commands show how to configure ssh access to a Cisco device. Note that ssh needs several commands beyond those required for Telnet: a domain name (with the hostname it forms the name of the RSA key pair), a local user account, the key pair itself, and ip ssh version 2 to refuse the obsolete SSH version 1 protocol. login local tells the VTYs to authenticate against the local user database instead of a line password; secret rather than password on the username line stores a hash instead of a type 7 string.
Router(config)#ip domain-name somedomain.com
Router(config)#username someuser secret somepassword
Router(config)#crypto key generate rsa modulus 2048
Router(config)#ip ssh version 2
Router(config)#line vty 0 4
Router(config-line)#transport input ssh
Router(config-line)#login local
• Secure the web management interface.
Cisco devices often ship with an onboard web server that provides a management interface over http. Default credentials for such interfaces are publicly documented, and plain http sends whatever credentials you set in clear text, just as Telnet does. Unless the web interface is secured, anyone who can reach the device with a browser and a little research can gain administrative access. If you plan to use the web interface, log in and change the administrative password right away, and prefer the https variant (ip http secure-server) with local authentication. Otherwise, simply turn both web servers off:
Router(config)#no ip http server
Router(config)#no ip http secure-server
Secure access ports on a switch?
• Shut down all the interfaces. Then turn on only those interfaces you wish to use.
Switchports are enabled by default. Turning them off prevents a rogue device from using an open port. Disable the whole range first, then enable individual ports as they are put into service.
• Create a black hole VLAN. Assign all switchports to the black hole VLAN by default.
A black hole VLAN is simply a VLAN that never carries traffic: it has no switch virtual interface or IP address and is not allowed on any trunk. Assigning all unused ports to it by default means that even if a device gets access to a port, its traffic goes nowhere.
• Create one or more VLANs for access. Do not use the default VLAN (VLAN 1) for data traffic.
By choosing different VLAN numbers, you can segment different types of network traffic. VLAN 1 is special: every port belongs to it out of the box, it is the default native VLAN on trunks, and control-plane protocols such as CDP, VTP and DTP run over it. Keeping user data off VLAN 1 removes the possibility of unintended mixing of traffic that should be kept apart.
• Verify each access port is assigned to the correct VLAN.
Use the Cisco command:
Switch#show vlan
• Enable switchport security.
For each interface, select the interface, make it a static access port, then enable port security from interface configuration mode. IOS rejects switchport port-security on a port whose mode is still dynamic (the default, negotiated by DTP), so the switchport mode access line is required. For example:
Switch(config)#interface fa 0/1
Switch(config-if)#switchport mode access
Switch(config-if)#switchport port-security
• Set the switchport security violation level.
After enabling switchport security, there are three violation modes to choose from: shutdown, restrict, and protect. Shutdown (the default) puts the port into the error-disabled state on the first unauthorized frame and logs the violation; the port stays down until an administrator issues shutdown followed by no shutdown, or until errdisable recovery is configured. Restrict drops the unauthorized traffic but keeps the port up; each violation is logged and counted. Protect drops the unauthorized traffic, keeps the port up, and does not log the violation, which makes it the hardest to detect and the least useful for operations.
Switch(config-if)#switchport port-security violation [shutdown|restrict|protect]
• Option: limit the number of different MAC addresses that can connect to a switchport.
Switch(config-if)#switchport port-security maximum [number]
The upper limit depends on the switch model, but a much smaller number like 1 or 2 is typical for an access port (2 accommodates an IP phone with a PC behind it). The default is 1.
• Option: hard code the MAC address of the device connected to each switchport.
Switch(config-if)#switchport port-security mac-address [xxxx.xxxx.xxxx]
To hard code the device’s MAC address onto the switchport, replace the x’s above with the hex digits of the MAC address in Cisco’s dotted three-group format.
• Option: let the switchport learn one or more MAC addresses automatically.
Switch(config-if)#switchport port-security mac-address sticky
The MAC address of the first device (or first few, up to the configured maximum) seen on the switchport is learned and recorded as an authorized address. Sticky addresses are written into the running configuration, so they survive a reboot only if you save the configuration to startup-config. The flip side is that a learned address is never aged out: to replace the device on a port, remove the old sticky entry and check the running configuration afterwards to be sure the old address is gone, otherwise port security treats the new device as a violation.
Set up a switch for trunking?
• Create a management VLAN.
This VLAN carries management traffic such as Telnet or ssh to the switch itself. It should not be used for normal data traffic. By default, the management VLAN is VLAN 1; it is good practice to move management to a different, dedicated VLAN number.
• Create a native VLAN.
The native VLAN is the VLAN whose frames cross a trunk without an 802.1Q tag: frames that arrive on the trunk untagged are assigned to it, and frames belonging to it are sent out untagged. By default the native VLAN is VLAN 1. It is good practice to change the native VLAN to a different, otherwise unused number, to configure the same native VLAN on both ends of every trunk (a mismatch silently bridges two VLANs together), and to keep user data out of it. Many IOS releases also offer the global command vlan dot1q tag native, which tags the native VLAN as well and removes the untagged path entirely.
• Use crossover cables to connect switches to other switches.
Many recent switches support auto-MDIX, so a straight-through cable may work. If two switches do not see link, rule out the cable type before looking further.
• Put any trunk ports into trunking mode.
Switch(config-if)#switchport mode trunk
Setting the mode statically is better than relying on DTP negotiation. Adding switchport nonegotiate stops the port from sending DTP frames at all, and access ports should be set to switchport mode access for the same reason, so that a host cannot negotiate a trunk and gain access to every VLAN.
• Assign VLANs to each trunk.
Switch(config-if)#switchport trunk allowed vlan [number,number,…|number-number]
IOS takes the list without spaces, for example 10,20,30-40. After using the syntax above to set the allowed VLANs the first time, use the keywords add and remove to make specific changes. Without add or remove the command replaces the whole list, and any VLAN you omit is pruned from the trunk.
Switch(config-if)#switchport trunk allowed vlan [add|remove] [number,number,…|number-number]
• Assign the native VLAN to each trunk.
Switch(config-if)#switchport trunk native vlan [number]
• Use EtherChannel to aggregate links for similar traffic between two switches.
First, pick the range of interfaces to be included in the EtherChannel group. Every member port must have an identical configuration (speed, duplex, mode, allowed and native VLANs), or the bundle will not form.
Switch(config)#interface range fa 0/1 - 2
Then, create the channel group and assign the mode.
Switch(config-if-range)#channel-group 1 mode [on|auto|desirable|passive|active]
The simplest mode setting is on. This creates the channel with no negotiation; both ends must be set to on, because on paired with any negotiating mode will not bundle. auto and desirable negotiate using Cisco’s proprietary Port Aggregation Protocol (PAgP): a channel forms if the two ends are auto-desirable or desirable-desirable, but not auto-auto. passive and active negotiate using IEEE 802.3ad (now 802.1AX) Link Aggregation Control Protocol (LACP): a channel forms if the two ends are active-active or active-passive, but not passive-passive. PAgP and LACP cannot be mixed on the same link; LACP is the choice whenever the far end is not a Cisco switch.
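Pulling the advice of this section and the two before it together, the added example below (not part of the original guide) audits a saved running-config and reports each setting the guide says to change: no enable secret, reversible type 7 passwords, Telnet still accepted on the VTYs, the HTTP server left on, a management address on VLAN 1, live access ports without port-security or still in VLAN 1, ports left to DTP, and trunks that still use native VLAN 1 or allow every VLAN. SAMPLE_CONFIG is constructed for the demonstration; the parser relies only on the `show running-config` layout of top-level commands followed by one-space-indented children.

```python
"""Audit an IOS running-config for the weak settings this guide tells you to change.

Added example, not part of the original guide. SAMPLE_CONFIG is constructed; the
parser assumes the `show running-config` layout (top-level commands, children
indented by one space, '!' separator lines)."""
import re
from typing import List, Tuple

Block = Tuple[str, List[str]]  # (top-level command, its indented child lines)


def parse_blocks(config: str) -> List[Block]:
    """Split a running-config into (command, children); plain globals get an empty child list."""
    blocks: List[Block] = []
    for raw in config.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw.startswith(" ") and blocks:
            blocks[-1][1].append(raw.strip())
        else:
            blocks.append((raw.strip(), []))
    return blocks


def _audit_line(header: str, kids: List[str], out: List[str]) -> None:
    """Console, AUX and VTY lines: Telnet exposure, passwords that are never checked, type 7."""
    transport = next((k for k in kids if k.startswith("transport input")), None)
    if header.startswith("line vty") and (transport is None or "telnet" in transport or transport.endswith(" all")):
        out.append(f"{header}: Telnet reachable ({transport or 'no transport input'}); set 'transport input ssh'")
    if any(k.startswith("password") for k in kids) and not any(k.startswith("login") for k in kids):
        out.append(f"{header}: password set but no 'login', so it is never asked for")
    if any(k.startswith("password 7 ") for k in kids):
        out.append(f"{header}: type 7 (reversible) password")


def _audit_interface(header: str, kids: List[str], out: List[str]) -> None:
    """SVIs and switchports: management on VLAN 1, unprotected access ports, loose trunks."""
    name = header.split(None, 1)[1]
    if name.lower() == "vlan1" and any(k.startswith("ip address") for k in kids):
        out.append(f"{name}: management IP on VLAN 1; move it to a dedicated management VLAN")
    if not re.match(r"(Fast|Gigabit|TenGigabit)Ethernet", name):
        return
    if "shutdown" in kids:
        return  # a disabled port is the safe default this guide recommends
    if "switchport mode trunk" in kids:
        native = next((k for k in kids if k.startswith("switchport trunk native vlan")), None)
        if native is None or native.split()[-1] == "1":
            out.append(f"{name}: trunk uses native VLAN 1; set an unused native VLAN")
        if not any(k.startswith("switchport trunk allowed vlan") for k in kids):
            out.append(f"{name}: trunk allows every VLAN; prune with 'switchport trunk allowed vlan'")
        return
    if "switchport mode access" not in kids:
        out.append(f"{name}: no 'switchport mode access'; DTP could negotiate a trunk on this port")
    access = next((k for k in kids if k.startswith("switchport access vlan")), None)
    if access is None or access.split()[-1] == "1":
        out.append(f"{name}: live access port in VLAN 1")
    if "switchport port-security" not in kids:
        out.append(f"{name}: live access port without port-security")


def audit(config: str) -> List[str]:
    """Return one human-readable finding per weak setting; an empty list means nothing flagged."""
    blocks = parse_blocks(config)
    tops = [h for h, _ in blocks]
    out: List[str] = []
    if not any(t.startswith("enable secret") for t in tops):
        out.append("no 'enable secret': privileged EXEC relies on the weak 'enable password' or nothing")
    for t in tops:
        if re.search(r"\bpassword 7 [0-9A-Fa-f]+$", t):
            out.append(f"type 7 (reversible) password in global config: '{t}'")
    if "ip http server" in tops:
        out.append("'ip http server' is on; turn it off or use 'ip http secure-server' with local authentication")
    for header, kids in blocks:
        if header.startswith("line "):
            _audit_line(header, kids, out)
        elif header.startswith("interface "):
            _audit_interface(header, kids, out)
    return out


# Constructed sample: Fa0/1 follows the guide, Fa0/3 is shut down, everything else is as shipped.
SAMPLE_CONFIG = """\
hostname Switch
enable password 7 0822455D0A16
ip http server
!
interface FastEthernet0/1
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 2
 switchport port-security mac-address sticky
!
interface FastEthernet0/2
!
interface FastEthernet0/3
 shutdown
!
interface GigabitEthernet0/1
 switchport mode trunk
!
interface Vlan1
 ip address 192.168.10.99 255.255.255.0
!
line con 0
 password MyPassword
line vty 0 4
 password 7 0822455D0A16
 login
 transport input telnet
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print("-", finding)
```

Feed it the output of show running-config (or a backup file) and fix findings until the list is empty; FastEthernet0/1 in the sample, configured the way this guide describes, produces none.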
Allow different VLANs to communicate?
• Use subinterfaces on a router.
VLANs separate traffic at Layer 2 by adding a VLAN tag to each frame that crosses a trunk. Devices on different VLANs cannot communicate with one another, even if their frames pass through the same switch or travel over the same trunk link. To allow different VLANs to communicate, they must be routed to one another at Layer 3. This is called inter-VLAN routing, and the router doing it is also the place to enforce which VLANs may talk to each other at all; separating traffic at Layer 2 achieves little if the router then forwards everything between the VLANs freely.
One option for inter-VLAN routing is to attach a cable from each VLAN to a separate interface on a router; the VLANs then route to each other through the router in the normal way. To use fewer router interfaces, another approach is to carry all the VLANs to the router over a single trunk link (often called router-on-a-stick). The challenge is to get one router interface to participate in several VLAN subnets at once. This is done by configuring subinterfaces on the router. Each subinterface shares the same physical interface, but each is bound to a different 802.1Q VLAN ID and carries the IP address for that VLAN’s subnet. Example configuration commands are shown below.
Router(config)#interface fa 0/1
Router(config-if)#no shutdown
Router(config-if)#interface fa 0/1.10
Router(config-subif)#encapsulation dot1q 10
Router(config-subif)#ip address 192.168.10.1 255.255.255.0
Router(config-subif)#interface fa 0/1.20
Router(config-subif)#encapsulation dot1q 20
Router(config-subif)#ip address 192.168.20.1 255.255.255.0
In the example above, interface fa 0/1.10 is in VLAN 10 and participates in the subnet 192.168.10.0/24. Likewise, interface fa 0/1.20 is in VLAN 20 and participates in the subnet 192.168.20.0/24. Hosts in VLAN 10 use 192.168.10.1 as their default gateway, hosts in VLAN 20 use 192.168.20.1, and the two subnets reach each other through the router. All this traffic passes through the same physical interface, fa 0/1, which has no IP address of its own and does not participate in any particular subnet. Instead, fa 0/1 behaves like a switchport in trunk mode, carrying many different VLANs. The switchport at the other end of the cable must therefore be configured as a trunk that allows VLANs 10 and 20; if it is left as an access port, the tagged frames from the router are dropped.
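As an added example (not part of the original guide), the code below builds and parses Ethernet frames with and without the 802.1Q tag referred to in this section and in the native VLAN discussion under trunking, and shows what a trunk port does with the native VLAN on ingress and egress. MAC addresses, payloads and the native VLAN number are constructed for the demonstration.

```python
"""Build and parse Ethernet frames with and without an IEEE 802.1Q tag, to show
what "adding a VLAN tag to each frame" means and how a trunk port uses the native
VLAN: untagged ingress frames are assigned to it, and its frames leave untagged.

Added example, not part of the original guide. MAC addresses, payloads and the
native VLAN number used below are constructed."""
import struct
from dataclasses import dataclass
from typing import Optional

TPID_8021Q = 0x8100  # EtherType value announcing that a 4-byte VLAN tag follows


@dataclass
class Frame:
    dst: bytes
    src: bytes
    vlan_id: Optional[int]   # None when the frame carries no tag
    priority: int            # 802.1p PCP, 0-7
    ethertype: int           # protocol of the payload, e.g. 0x0800 for IPv4
    payload: bytes


def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes,
                vlan_id: Optional[int] = None, priority: int = 0) -> bytes:
    """Serialise a frame; with vlan_id, insert the 802.1Q tag between the source MAC and the EtherType."""
    if vlan_id is None:
        tag = b""
    else:
        if not 1 <= vlan_id <= 4094:
            raise ValueError("VLAN IDs 0 and 4095 are reserved")
        tci = ((priority & 0x7) << 13) | (vlan_id & 0xFFF)   # PCP(3) | DEI(1)=0 | VID(12)
        tag = struct.pack("!HH", TPID_8021Q, tci)
    return dst + src + tag + struct.pack("!H", ethertype) + payload


def parse_frame(raw: bytes) -> Frame:
    """Decode dst/src, an optional 802.1Q tag, then the real EtherType and payload."""
    if len(raw) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src = raw[0:6], raw[6:12]
    (etype,) = struct.unpack("!H", raw[12:14])
    vlan_id, prio, offset = None, 0, 14
    if etype == TPID_8021Q:
        tci, etype = struct.unpack("!HH", raw[14:18])
        vlan_id, prio, offset = tci & 0xFFF, tci >> 13, 18
    return Frame(dst, src, vlan_id, prio, etype, raw[offset:])


def classify_on_trunk(raw: bytes, native_vlan: int) -> int:
    """Ingress on a trunk port: a tagged frame belongs to its VID, an untagged one to the native VLAN."""
    f = parse_frame(raw)
    return f.vlan_id if f.vlan_id is not None else native_vlan


def egress_on_trunk(frame: Frame, native_vlan: int) -> bytes:
    """Egress on a trunk port: the native VLAN leaves untagged, every other VLAN keeps its tag."""
    if frame.vlan_id is None:
        raise ValueError("a switched frame always has a VLAN by the time it reaches egress")
    vid = None if frame.vlan_id == native_vlan else frame.vlan_id
    return build_frame(frame.dst, frame.src, frame.ethertype, frame.payload, vid, frame.priority)


# Constructed addresses: a PC in VLAN 10 and the router's fa 0/1 from the example above.
PC_A = bytes.fromhex("001122334455")
ROUTER = bytes.fromhex("0a0b0c0d0e0f")

if __name__ == "__main__":
    tagged = build_frame(PC_A, ROUTER, 0x0800, b"IPv4 packet", vlan_id=10)
    untagged = build_frame(PC_A, ROUTER, 0x0800, b"IPv4 packet")
    print("tag bytes:", tagged[12:16].hex())                       # 8100000a
    print("tagged frame ->", classify_on_trunk(tagged, native_vlan=99))     # VLAN 10
    print("untagged frame ->", classify_on_trunk(untagged, native_vlan=99)) # VLAN 99
```

The last two lines are the reason the native VLAN matters: the trunk cannot tell an untagged frame from a legitimate native-VLAN frame, so whatever VLAN is native on that port receives every untagged frame that arrives. That is why the guide says to pick an unused native VLAN, match it on both ends, and keep user data out of it.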