
3 Days.... 2

Status
Not open for further replies.

bobbyforhire
Technical User
Mar 11, 2008
So most of you in here know my CCENT is coming up this Wednesday.. Today was my hands-on day....I took what seems to be all day to draw up my network and implement it, but I think I'm getting closer to being ready for the test.

Here is my new network setup. I tossed in more than what was needed, but I wanted to use all of my hardware and also use RIPv2.

PIX 501
2611 (2 ETH, 2 DSU/CSU)
2610 (1 ETH, 1 DSU/CSU)
1720 (1 FE , 1 DSU/CSU)
2924 (24 FE)

2924 - This was an older version so I had to use VLAN database. I set up two VLANs (well, the first one came free). Ports 1-12 for VLAN1 and 13-24 for VLAN2.

2611 - I'm using this guy as my backbone. It's not the best, but it's what I have.

ETH0/0 - 10.3.0.1/255.255.240.0
ETH0/1 - 10.4.0.1/255.255.240.0
SERIAL0 - 10.1.0.1/255.255.240.0
SERIAL1 - 10.2.0.1/255.255.240.0

My PIX is going out to ETH0/0 on the 2611. This is how I get my Internet. I set up ip nat outside on this interface.

Eth0/1 - This is my personal network. I set up DHCP on the 2611 for this network. Also this is running ip nat inside.

Serial0 - (Yes, I know it's only 1.5 Mb, but hey, how many people going for their CCENT get to play with T1 crossovers?) This is for my production (web servers etc.). I also put nat inside on this interface.

Serial1 - I need to make another T1 crossover cable so I'm not fully done with this one, but it will be for my wireless.

On here I created an access-list 1 and included 10.4.0.0 0.0.0.255, and I included 10.2.0.0 for a permit.

After that I set up the overload to allow for PAT on the ETH0/0 interface. Tested from 10.4.0.0 and it worked!!!


2610:
Next was to play with the 2610 in this network. ETH0/0 is connected back to the 2611's 10.2.0.1. Then to make things fun I put the production on 192.168.2.1/24 and enabled DHCP, and connected this back to VLAN2 on the 2924. This is where I used my RIPv2. I enabled RIP on all networks, waited a few minutes and......YUP. The 2611 router could see the 192.168.2.X network with a nice shiny R next to it.


1720:
This is what's next. Right now I have my wireless in "bridge" mode and just tapped into the 2.x network to make sure that my VLANs were working and also my DHCP. I am going to set up the 1720 to do pretty much what the 2610 is doing.. just routing and adding more IP addresses and a DHCP server....before I do this I'm going to make sure that I have 3 VLANs on the 2924 (one for me, one for wireless, and one for production). Oh, and on the wireless I'm going to enable WEP on the Linksys AP and then switchport security on the 2924 so only my MACs can jump on the net, and if anyone gets past my WEP...bam!!!! down goes the wireless and I'll know about it.


I know that someone out there has read all of this and is like "Yeah, so what's your point". Well, I really wanted to be able to explain myself and to use this post as a reference back in case I decided to blow up my network and bring it back to this.


This is really starting to become fun!!!!
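An added illustration, not part of bobbyforhire's post or his configs: the inside interfaces above carry a 255.255.240.0 (/20) mask, while the NAT access-list entry for 10.4.0.0 uses a 0.0.0.255 wildcard, which only matches the first /24 of that range. The script below uses Python's ipaddress module to turn each IOS address/wildcard pair into a prefix and then lists the parts of each inside subnet that the ACL would leave untranslated. The wildcard on the 10.2.0.0 entry is not given in the post, so 0.0.0.255 is assumed.

```python
import ipaddress

# Inside interfaces as posted (255.255.240.0 is a /20).
INSIDE_INTERFACES = {
    "Ethernet0/1": ipaddress.ip_network("10.4.0.0/255.255.240.0"),
    "Serial0": ipaddress.ip_network("10.2.0.0/255.255.240.0"),
}

# access-list 1 as described: (action, address, wildcard). The post gives
# no wildcard for the 10.2.0.0 entry, so 0.0.0.255 is an assumption here.
ACL_1 = [
    ("permit", "10.4.0.0", "0.0.0.255"),
    ("permit", "10.2.0.0", "0.0.0.255"),
]


def wildcard_to_network(address, wildcard):
    """Turn an IOS address/wildcard pair into an ip_network.
    Only contiguous wildcards (a run of 1-bits at the low end) are accepted,
    because only those describe a single prefix."""
    wc = int(ipaddress.ip_address(wildcard))
    if wc & (wc + 1):
        raise ValueError(f"non-contiguous wildcard {wildcard} is not a single prefix")
    mask = ipaddress.ip_address((~wc) & 0xFFFFFFFF)
    return ipaddress.ip_network(f"{address}/{mask}", strict=False)


def acl_permits(acl):
    """The permit entries of a standard ACL as prefixes."""
    return [wildcard_to_network(a, w) for action, a, w in acl if action == "permit"]


def matches_acl(acl, host):
    """First-match evaluation of a standard ACL with the implicit deny at the end."""
    ip = ipaddress.ip_address(host)
    for action, a, w in acl:
        if ip in wildcard_to_network(a, w):
            return action == "permit"
    return False


def uncovered(network, permits):
    """Sub-prefixes of `network` that no permit entry covers. CIDR prefixes
    are either nested or disjoint, so each permit is dropped, carved out, or ignored."""
    remaining = [network]
    for p in permits:
        nxt = []
        for r in remaining:
            if p.supernet_of(r):          # permit covers this whole piece
                continue
            if r.supernet_of(p):          # permit covers part of it: carve it out
                nxt.extend(r.address_exclude(p))
            else:                         # disjoint: nothing changes
                nxt.append(r)
        remaining = nxt
    return sorted(remaining)


def nat_gaps(interfaces, acl):
    """Map each inside interface to the address ranges that would not be
    translated because the NAT ACL does not match them."""
    permits = acl_permits(acl)
    return {name: [str(n) for n in uncovered(net, permits)]
            for name, net in interfaces.items()}


if __name__ == "__main__":
    for name, gaps in nat_gaps(INSIDE_INTERFACES, ACL_1).items():
        print(name, "not translated:", gaps or "none")
    for host in ("10.4.0.25", "10.4.5.10"):
        print(host, "translated" if matches_acl(ACL_1, host) else "NOT translated")
```

With the entries as posted, a host such as 10.4.5.10 on Ethernet0/1 is never translated; if the DHCP pool only hands out 10.4.0.x addresses the gap stays invisible until something lands outside that /24. A 0.0.15.255 wildcard matches the whole /20.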




 
Awesome!
I know what you mean, Bobby.. You have the network bug now.. I would use WPA or WPA2 encryption on the wireless if I were you... I just finished restricting my Juniper to local MACs only and removed SSID broadcasting, but there are workarounds for those security measures.. WEP is weak, so try to use WPA with TKIP or AES... (And a good password) :)

You should look at buying a 2501 after the CCENT and placing it between your 2610 and your 2611 or the 1720.. Costs about $20 (eBay) but will make a GREAT Frame Relay switch for that setup with a pair of WIC-1T's!!! I think it would cost less going that route than buying an NM-4A/S or NM-4T and two WIC-1T's.. Plus you get another router.. LoL

In all actuality you have what you need now to toy around with route redistribution... Maybe..
OSPF--RIPv2--OSPF
2611--2610---1720

Post the configs after the cert as well if you don't mind... That way everyone can disseminate that info and offer pointers.. Or point their fingers and laugh.. LoL Just kidding!!!

The last thing that I would recommend you practice for your test is basic theory.. Switch theory (how they populate CAM tables and forward etc), Router theory (routing in general), OSI, troubleshooting (lights on a switch, ROMMON etc).. Basically, the things you learned in the beginning but may be fuzzy on... Just a brief review... Touch up on subnetting both the night before and the morning of the test.. AND DRINK A RED BULL JUST BEFORE!!! LoL (This really works for me)!!!



B Haines
CCNA R&S, ETA FOI
 
I already have a 2501!!! That was my first router..I bought it thinking hey, it's a router for $12, only to find it didn't have any Ethernet ports. About a month ago I got the AUI converter but haven't done anything with it. I really don't know what Frame Relay is..I hate to say it, I haven't seen it in any of my CCENT studies..I'm sure I'll learn more about it next month when I start to study for the ICND2 (pending that I pass the ICND1).

Here are my configs!


The 1720 is on hold until I get the T1 crossover.
 
Hmm, this is odd..looking at my configs on the 2924 it's telling me that my VLAN2 is shutdown

interface VLAN2
 ip address 192.168.2.2 255.255.255.0
 no ip route-cache
 shutdown


I went and said no shut..did nothing...and to top it off I'm not having an issue with using that network?!?

 
Hey, wanted to share a little more info on the wireless and why to avoid WEP...

Protecting Against These Tools

Just as it’s important to know how to utilize the aforementioned tools, it is important to know best practices on how to secure your Wireless Network Against these tools.

NetStumbler – Do not broadcast your SSID. Ensure your WLAN is protected by using advanced Authentication and Encryption.

Kismet – There’s really nothing you can do to stop Kismet from finding your WLAN, so ensure your WLAN is protected by using advanced Authentication and Encryption.

Airsnort – Use a 128-bit, not a 40-bit WEP encryption key. This would take longer to crack. If your equipment supports it, use WPA or WPA2 instead of WEP (may require firmware or software update).

Cowpatty – Use a long and complex WPA Pre-Shared Key. This type of key would have less of a chance of residing in a dictionary file that would be used to try and guess your key and/or would take longer. If in a corporate scenario, don’t use WPA with Pre-Shared Key, use a good EAP type to protect the authentication and limit the amount of incorrect guesses that would take place before the account is locked-out. If using certificate-like functionality, it could also validate the remote system trying to gain access to the WLAN and not allow a rogue system access.

ASLeap – Use long and complex credentials, or better yet, switch to EAP-FAST or a different EAP type.

Ethereal – Use encryption, so that anything sniffed would be difficult or nearly impossible to break. WPA2, which uses AES, is essentially unrealistic to break by a normal hacker. Even WEP will encrypt the data. When in a Public Wireless Hotspot (which generally do not offer encryption), use application layer encryption, like Simplite to encrypt your IM sessions, or use SSL. For corporate users, use IPSec VPN with split-tunneling disabled. This will force all traffic leaving the machine through an encrypted tunnel that would be encrypted with DES, 3DES or AES.

From:
B Haines
CCNA R&S, ETA FOI
 
Look at the other side of the link... Is that interface shut down? Is it assigned to VLAN 2 as well? And are you using a straight through cable between the two?

B Haines
CCNA R&S, ETA FOI
 
Oh, I think you need to set up Inter-VLAN routing on the 2610 running to the 2924. That would explain why VLAN2 is down but the management VLAN is up. Need a subinterface on that router if you don't have one already..

Would not let me look at the config of that router like the other two...

B Haines
CCNA R&S, ETA FOI
 
As for WEP, it's a Linksys wireless AP. I'm using WEP because it's at the house and I'm not worried about war driving and whatnot.


About VLAN 2. It's working?!? It says it's shutdown but it's working. I'm on the 192.168.2.x network now on the wireless (I just plugged it in with the production network).
 
Bobby,

Looks like you've confused the interface vlan 2 with the vlan 2. Interface Vlan 2 is an SVI. The vlan is created in vlan database for the 2924. The SVI is a Layer 3 representation of the Layer 2 vlan 2 ports. With 2924s you can only have one SVI, and the default is Interface Vlan 1.

With multilayer switches, you can have multiple SVIs active. This can be confusing. However, the point to make is that the vlan and the interface vlan are two separate concepts and functions.

HTH
 
Sorry for not reading the post until now---just wanted to see the PIX config :)
Also, Clue is absolutely correct---weird thing is that unless you know this from jump street, it would confuse you all day. You can do a no shut on one "vlan", and the other one you have set up with an IP address will go "shut". Do a no shut on one, the other goes down. Whenever an IP address is assigned to a vlan in a layer 2 switch, then no other vlan interface (layer three interface for vlans---SVI) can be active. Only one at a time in a L2 switch.
The vlan database is for naming the vlans---you don't really need this, actually...just something like...

int vlan 2
ip add x.x.x.x y.y.y.y
no shut
int fa0/1
switchport mode trunk
switchport trunk encaps dot1q
int fa0/2
switchport mode access
switchport access vlan 3
int fa0/3
switchport mode access
switchport access vlan 4

The management vlan would be vlan 2, and vlans 3 and 4 would just be vlans, getting trunked via int fa0/1 to a router with subinterfaces set up.
In a layer 3 switch (CCNP), all switchports are default as access ports, so you would just need
switchport access vlan whatever

Also, you set an IP address on the vlan and a default gateway on the switch. The IP add in vlan whatever interface mode, and the default gateway in global config.
Also, like clue says, it's important to recognize what mode certain things are set up in---Cisco LOVES to show incorrect symbols. They may ask, "How would you set an IP address on the default vlan in a C2950?"
A.switch(config)#ip address 10.10.10.5 255.255.255.0
B.switch(config-if)ip address 10.10.10.5 255.255.255.0
C.switch(config)#interface vlan1 ip address 10.10.10.5 255.255.255.0
D.switch(config-if)#ip address 10.10.10.5
E.switch(config-if)#ip address 10.10.10.5 netmask 255.255.255.0
F.None of the above

Burt
 
Ok so with my switch I can only have two VLANs. One is on by default and the other one is an SVI. This explains why I could not create more than the extra one even though it was saying "sure not a problem". But hey, I'll learn more about VLANs when I go for the CCNA.


Burt - I would say B, but I don't know what interface you're in. C, I don't think you can type past the interface. I mean if you said interface vlan1 then went to config-if I would type ip address 10.10.10.5 255.255.255.0.

F


So now that I have posted all of my configs...just have to wait for someone to hack my network :(



I haven't finished with the 501 as the VPN will crash and burn, so I need to get it on a different IP pool.
 
Bobby---the answer is "F". Look VERY carefully at the SYMBOLS that are not supposed to be there, or, that are...MISSING, such as "#".

Burt
 
Also, you can create at least the 24 VLANs (can't remember the number), but each switchport can access a different vlan if you want. The limit is not 2, nor is it 24, but technically, you can only have 23 access ports, because one needs to trunk.
There can be only one SVI, or layer 3 interface. This is actually the IP address of the switch itself. You just set it on a vlan interface.

Burt
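An added example, not from Burt's or Clue's posts and not Cisco's code: the point made above is that "interface VlanN" (the SVI, the switch's own Layer 3 address) and the Layer 2 VLAN are different things, and that a Layer 2 switch like the 2924 keeps only one SVI up. The script below parses "interface Vlan" stanzas out of an IOS-style running-config, reports which SVIs carry an address and which are shut down, and flags the situations discussed in the thread. The sample config is constructed here: its VLAN2 stanza mirrors the one bobbyforhire posted, while the Vlan1 address and the default-gateway line are assumptions.

```python
import re

# Constructed sample of a 2924-style running-config. The "interface VLAN2"
# stanza mirrors the one posted in the thread; the Vlan1 address and the
# default-gateway line are assumptions for illustration.
SAMPLE_CONFIG = """\
hostname sw2924
!
interface Vlan1
 ip address 192.168.1.2 255.255.255.0
 no ip route-cache
!
interface VLAN2
 ip address 192.168.2.2 255.255.255.0
 no ip route-cache
 shutdown
!
interface FastEthernet0/13
 switchport access vlan 2
!
ip default-gateway 192.168.1.1
"""

SVI_RE = re.compile(r"^interface\s+vlan\s*(\d+)\s*$", re.IGNORECASE)


def parse_svis(config_text):
    """Return {vlan_id: {"ip": "addr mask" or None, "shutdown": bool}} for
    every 'interface VlanN' stanza. Sub-commands are read until the next
    'interface' line or a '!' separator; indentation is not required, so a
    stanza pasted into a forum post without leading spaces still parses."""
    svis = {}
    current = None
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "!":
            current = None
            continue
        if line.lower().startswith("interface "):
            m = SVI_RE.match(line)
            if m:
                current = int(m.group(1))
                svis[current] = {"ip": None, "shutdown": False}
            else:
                current = None          # a physical port, not an SVI
            continue
        if current is None:
            continue
        lowered = line.lower()
        if lowered.startswith("ip address "):
            svis[current]["ip"] = line[len("ip address "):]
        elif lowered == "shutdown":
            svis[current]["shutdown"] = True
        elif lowered == "no shutdown":
            svis[current]["shutdown"] = False
    return svis


def active_svis(svis):
    """SVIs that are both addressed and not administratively shut down."""
    return sorted(v for v, s in svis.items() if s["ip"] and not s["shutdown"])


def check_layer2_switch(svis):
    """Findings for a Layer 2 switch that supports a single management SVI."""
    findings = []
    for vlan_id in sorted(svis):
        s = svis[vlan_id]
        if s["ip"] and s["shutdown"]:
            findings.append(f"Vlan{vlan_id} has {s['ip']} but is shutdown: "
                            "it is not the management SVI; the Layer 2 VLAN "
                            "itself still switches traffic")
    if len(active_svis(svis)) > 1:
        findings.append("more than one active SVI: a Layer 2 switch keeps only one up")
    return findings


if __name__ == "__main__":
    parsed = parse_svis(SAMPLE_CONFIG)
    for vlan_id, s in sorted(parsed.items()):
        print(f"Vlan{vlan_id}: ip={s['ip']} shutdown={s['shutdown']}")
    print("active SVIs:", active_svis(parsed))
    for finding in check_layer2_switch(parsed):
        print("finding:", finding)
```

Run against the sample, the parser reports Vlan1 as the only active SVI and explains the VLAN2 observation from the thread: the SVI being shut down says nothing about the ports in VLAN 2, which keep forwarding at Layer 2.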
 
Bobby,

You can have more than 2 vlans on your switch. Just create them with vlan database from privileged EXEC. Vlan database is used to create, delete, modify vlans as well as configure VTP (mode, domain, password, version, etc.). However, the newer tests don't let you create vlans with vlan database. You must create them from global config for the newer IOSes and test engines. If you try to create your VLANS by making SVIs, you will probably not get test questions correct. However, CCENT just introduces VLAN concepts and should not have you configure them. ICND/CCNA will.
 
Yeah, I'm not trying to mix up everything right now. There is a reason why I'm going for ICND1 and then ICND2. I wanted to study a lot on just these subjects so I don't have to spread out my knowledge and know less about something and fail the test!

On the bright side I just found out how to route ports on my new network!!! I was so happy when the website came up! After routing past the firewall and two routers! YEAH!
 