HongLeDangKhoa SE182425
Background / Scenario
The Domain Name System (DNS) is invoked when you type a Uniform Resource Locator (URL), such as
http://www.cisco.com, into a web browser. The first part of the URL describes which protocol is used. Common
protocols are Hypertext Transfer Protocol (HTTP), HTTP over Transport Layer Security (HTTPS, still often
described as HTTP over Secure Socket Layer, the predecessor of TLS), and File Transfer Protocol (FTP).
DNS uses the second part of the URL, which in this example is www.cisco.com. DNS translates the domain name
(www.cisco.com) to an IP address to allow the source host to reach the destination server. In this lab, you will observe
DNS in action and use the nslookup (name server lookup) command to obtain additional DNS information.
Required Resources
1 PC (Windows with internet and command prompt access)
b. At the command prompt, ping the host name of the Internet Corporation for Assigned Names and Numbers
(ICANN), www.icann.org. ICANN coordinates the DNS, IP addresses, top-level domain name system management, and
root server system management functions. The computer must translate www.icann.org into an IP address to know
where to send the Internet Control Message Protocol (ICMP) packets.
The first line of the output displays www.icann.org converted to an IP address by DNS. You should be able to see
the effect of DNS, even if your institution has a firewall that prevents pinging, or if the destination server has
prevented you from pinging its web server.
Note: If the domain name is resolved to an IPv6 address, use the command ping -4 www.icann.org to
translate into an IPv4 address if desired.
C:\> ping www.icann.org
2013 - 2024 Cisco and/or its affiliates. All rights reserved. Cisco Public Page 1 of 33 www.netacad.com
Lab - Observe DNS Resolution
IPv6: 2620:0:2d0:200::7
IPv4: 192.0.32.7
c. Type the IPv4 address from step b into a web browser, instead of the URL. Enter https://192.0.32.7 in the web
browser. If your computer has an IPv6 address you can enter the IPv6 address, https://[2620:0:2d0:200::7], in
the web browser. The browser may warn about the certificate when you browse by address, because server
certificates are normally issued for the host name rather than for the IP address.
d. Notice that the ICANN home web page is displayed without using DNS.
Most humans find it easier to remember words, rather than numbers. If you tell someone to go to www.icann.org,
they can probably remember that. If you told them to go to 192.0.32.7, they would have a difficult time
remembering an IP address. Computers process in numbers. DNS is the process of translating words into numbers.
Additionally, there is a second translation that takes place. Humans think in Base 10 numbers. Computers process in
Base 2 numbers. The Base 10 IP address 192.0.32.7 in Base 2 numbers is 11000000.00000000.00100000.00000111.
What happens if you cut and paste these Base 2 numbers into a browser?
The website does not display. The software code used in web browsers recognizes base
10 numbers.
e. At a command prompt, ping www.cisco.com.
Note: If the domain name is resolved to an IPv6 address, use the command ping -4 www.cisco.com to
translate into an IPv4 address if desired.
When you ping www.cisco.com, do you get the same IP address as the example? Explain.
Answers will vary depending upon where you are geographically. Cisco hosts its
web content on a series of mirror servers. This means that Cisco uploads the
exact same content to geographically diverse servers. When someone tries to
reach www.cisco.com, the traffic is directed to the closest mirror server.
Type the IP address that you obtained when you pinged www.cisco.com into a browser. Does the web site
display? Explain.
Part 2: Observe DNS Lookup Using the nslookup Command on a Web Site
a. At the command prompt, type the nslookup command.
C:\> nslookup
What is the default DNS server used?
b. Notice how the command prompt changed to a greater than (>) symbol. This is the nslookup prompt. From
this prompt, you can enter commands related to DNS.
At the prompt, type ? to see a list of all the available commands that you can use in nslookup mode.
Non-authoritative answer:
Name: e2867.dsca.akamaiedge.net
Addresses: 2600:1404:a:395::b33
2600:1404:a:38e::b33
172.230.155.162
Aliases: www.cisco.com
www.cisco.com.akadns.net
wwwds.cisco.com.edgekey.net
wwwds.cisco.com.edgekey.net.globalredir.akadns.net
Under addresses, in addition to the 172.230.155.162 IP address, there are the following numbers: 2600:1404:a:395::b33 and
2600:1404:a:38e::b33. What are these?
d. At the nslookup prompt, type the IP address of the Cisco web server that you just found. You can use
nslookup to get the domain name of an IP address if you do not know the URL.
> 172.230.155.162
Default Server: one.one.one.one
Address: 1.1.1.1
Name: a172-230-155-162.deploy.static.akamaitechnologies.com
Address: 172.230.155.162
You can use the nslookup tool to translate domain names into IP addresses. You can also use it to translate IP
addresses into domain names.
Using the nslookup tool, record the IP addresses associated with www.google.com.
Part 3: Observe DNS Lookup Using the nslookup Command on Mail Servers
a. At the nslookup prompt, type set type=mx to use nslookup to identify mail servers.
> set type=mx
b. At the nslookup prompt, type cisco.com.
> cisco.com
Server: one.one.one.one
Address: 1.1.1.1
Non-authoritative answer:
cisco.com MX preference = 20, mail exchanger = rcdn-mx-01.cisco.com
cisco.com MX preference = 30, mail exchanger = aer-mx-01.cisco.com
cisco.com MX preference = 10, mail exchanger = alln-mx-01.cisco.com
A fundamental principle of network design is redundancy (more than one mail server is configured). In this way, if
one of the mail servers is unreachable, the sending mail server tries the next one. Email administrators determine
which mail server is contacted first by using the MX preference value. The mail server with the lowest MX preference
value is contacted first; servers with equal preference values are tried in no particular order.
Based upon the output above, which mail server will be contacted first when the email is sent to cisco.com?
alln-mx-01.cisco.com
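The lookups in Parts 2 and 3 (forward, reverse and MX), as an added example that is not part of the lab: a minimal RFC 1035 query builder and reply parser in Python, run against hand-built replies so it works offline. It also performs the check a resolver must make before trusting a reply (transaction ID, QR bit and echoed question), which is what makes it drop a spoofed datagram instead of caching it. The CNAME chain is shortened from the lab's nslookup output; the transaction IDs and TTLs are arbitrary.

```python
"""What nslookup does on the wire: build a DNS query, parse the reply and check
that it really answers the question (RFC 1035). Added example, not part of the
Cisco lab: replies are hand-built so it runs offline; txids, TTLs and the
shortened CNAME chain are illustrative."""
import ipaddress
import struct

QTYPE = {"A": 1, "CNAME": 5, "PTR": 12, "MX": 15, "AAAA": 28}
TYPE_NAME = {v: k for k, v in QTYPE.items()}
PTR_Q = b"\xc0\x0c"  # compression pointer to the question name at offset 12

def encode_name(name):
    """'www.cisco.com' -> length-prefixed labels ending in a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_query(txid, name, qtype):
    """12-byte header (RD=1, one question) followed by the question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", QTYPE[qtype], 1)

def read_name(msg, off):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # pointer: 14-bit offset of an earlier name
            end = off + 2 if end is None else end  # resume after the first pointer
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            return ".".join(labels), (off if end is None else end)
        labels.append(msg[off:off + length].decode("ascii"))
        off += length

# RDATA decoders: (message, rdata offset, rdata bytes) -> value
DECODE = {
    QTYPE["A"]: lambda m, s, d: str(ipaddress.IPv4Address(d)),
    QTYPE["AAAA"]: lambda m, s, d: str(ipaddress.IPv6Address(d)),
    QTYPE["CNAME"]: lambda m, s, d: read_name(m, s)[0],
    QTYPE["PTR"]: lambda m, s, d: read_name(m, s)[0],
    QTYPE["MX"]: lambda m, s, d: (struct.unpack("!H", d[:2])[0], read_name(m, s + 2)[0]),
}

def parse_response(msg, txid, name, qtype):
    """Return answer RRs as (owner, type, value); raise if the reply is not ours."""
    rid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if rid != txid or not flags & 0x8000:  # a resolver drops stray or spoofed datagrams here
        raise ValueError("txid/QR mismatch: not a reply to our query")
    qname, off = read_name(msg, 12)
    qt, off = struct.unpack("!HH", msg[off:off + 4])[0], off + 4
    if qd != 1 or qname.lower() != name.lower() or qt != QTYPE[qtype]:
        raise ValueError("question section does not echo what we asked")
    answers = []
    for _ in range(an):
        owner, off = read_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        start, off = off + 10, off + 10 + rdlen
        value = DECODE.get(rtype, lambda m, s, d: d)(msg, start, msg[start:off])
        answers.append((owner, TYPE_NAME.get(rtype, rtype), value))
    return answers

def build_response(query, rrs):
    """Hand-built reply: echo the question, append (owner bytes, type, rdata)."""
    txid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(rrs), 0, 0)  # QR, RD, RA set
    body = query[12:]
    for owner, rtype, rdata in rrs:
        body += owner + struct.pack("!HHIH", QTYPE[rtype], 1, 300, len(rdata)) + rdata
    return header + body

def mx_order(answers):
    """Exchangers in the order a sending MTA tries them: lowest preference first."""
    return [host for _, host in sorted(v for _, t, v in answers if t == "MX")]

def reverse_name(ip):
    """Name nslookup queries for a reverse lookup, e.g. 7.32.0.192.in-addr.arpa."""
    return ipaddress.ip_address(ip).reverse_pointer

def demo_www():
    """Constructed A reply: CNAME chain, A, plus an AAAA only to exercise the parser."""
    edge = "e2867.dsca.akamaiedge.net"
    rrs = [(PTR_Q, "CNAME", encode_name("www.cisco.com.akadns.net")),
           (encode_name("www.cisco.com.akadns.net"), "CNAME", encode_name(edge)),
           (encode_name(edge), "A", ipaddress.IPv4Address("172.230.155.162").packed),
           (encode_name(edge), "AAAA", ipaddress.IPv6Address("2600:1404:a:395::b33").packed)]
    q = build_query(0x1A2B, "www.cisco.com", "A")
    return parse_response(build_response(q, rrs), 0x1A2B, "www.cisco.com", "A")

def demo_mx():
    """Constructed reply carrying the lab's three cisco.com MX records."""
    exch = [(20, "rcdn-mx-01.cisco.com"), (30, "aer-mx-01.cisco.com"), (10, "alln-mx-01.cisco.com")]
    rrs = [(PTR_Q, "MX", struct.pack("!H", p) + encode_name(h)) for p, h in exch]
    q = build_query(7, "cisco.com", "MX")
    return mx_order(parse_response(build_response(q, rrs), 7, "cisco.com", "MX"))
```

Call demo_www() to see the same CNAME chain and addresses nslookup printed, demo_mx() for the exchangers in the order a sender will try them, and reverse_name() for the in-addr.arpa or ip6.arpa name behind step d of Part 2. Feeding parse_response a reply whose transaction ID or question differs from the query raises instead of returning answers; that mismatch check is the first line of defence against off-path answer spoofing.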
c. At the nslookup prompt, type exit to return to the regular PC command prompt.
d. At the PC command prompt, type ipconfig /all.
Write the IP addresses of all the DNS servers that your school uses.
DNS basically acts like the phonebook for the Internet. So DNS translates names
to numbers. The numbers can be either IPv4 or IPv6.
16.4.7 Lab - Configure Network Devices with SSH
Topology
Addressing Table
Device Interface IP Address Subnet Mask Default Gateway
Objectives
Part 1: Configure Basic Device Settings
Part 2: Configure the Router for SSH Access
Part 3: Configure the Switch for SSH Access
Part 4: SSH from the CLI on the Switch
Background / Scenario
In the past, Telnet was the most common network protocol used to remotely configure network devices. Telnet does
not encrypt the information between the client and server. This allows anyone who can sniff the network path to
read passwords and configuration information.
Secure Shell (SSH) is a network protocol that establishes a secure terminal emulation connection to a router or other
networking device. SSH encrypts all information that passes over the network link, authenticates the remote device to
the client by its host key, and authenticates the user by password or key. SSH has replaced Telnet as the remote login
tool of choice for network professionals. SSH is most often used to log in to a remote device and execute commands.
However, it can also transfer files using the associated SSH File Transfer Protocol (SFTP) or Secure Copy (SCP) protocols.
The network devices that are communicating must be configured to support SSH in order for SSH to function. In this
lab, you will enable the SSH server on a router and then connect to that router using a PC with an SSH client installed.
On a local network, the connection is normally made using Ethernet and IP.
Note: The routers used with CCNA hands-on labs are Cisco 4221 with Cisco IOS XE Release 16.9.4 (universalk9
image). The switches used in the labs are Cisco Catalyst 2960s with Cisco IOS Release 15.2(2) (lanbasek9 image). Other
routers, switches, and Cisco IOS versions can be used. Depending on the model and Cisco IOS version, the commands
available and the output produced might vary from what is shown in the labs. Refer to the Router Interface Summary
Table at the end of the lab for the correct interface identifiers.
Note: Make sure that the routers and switches have been erased and have no startup configurations. If you are unsure,
contact your instructor.
Required Resources
1 Router (Cisco 4221 with Cisco IOS XE Release 16.9.4 universal image or comparable)
1 Switch (Cisco 2960 with Cisco IOS Release 15.2(2) lanbasek9 image or comparable)
1 PC (Windows with a terminal emulation program, such as Tera Term)
Console cables to configure the Cisco IOS devices via the console ports
Ethernet cables as shown in the topology
Instructions
h) Create a banner that will warn anyone accessing the device that unauthorized access is prohibited.
i) Configure and activate the G0/0/1 interface on the router using the information contained in the
Addressing Table.
j) Save the running configuration to the startup configuration file.
recommended for remote connections. In Part 2, you will configure the router to accept SSH connections over the VTY
lines.
Configure a username using admin as the username and Adm1nP@55 as the password.
b) Establish an SSH session to R1. Use the username admin and password Adm1nP@55. You should be able
to establish an SSH session with R1.
h) Create a banner that will warn anyone accessing the device that unauthorized access is prohibited.
i) Configure and activate the VLAN 1 interface on the switch according to the Addressing Table.
j) Save the running configuration to the startup configuration file.
Use the same commands that you used to configure SSH on the router in Part 2 to configure SSH for the switch.
a) Configure the device name as listed in the Addressing Table.
b) Configure the domain for the device.
c) Configure the encryption key method.
d) Configure a local database username.
e) Enable Telnet and SSH on the VTY lines.
f) Change the login method to use the local database for user verification.
R1>
b) You can return to S1 without closing the SSH session to R1 by pressing Ctrl+Shift+6. Release the
Ctrl+Shift+6 keys and press x. The switch privileged EXEC prompt displays.
R1>
S1#
c) To return to the SSH session on R1, press Enter on a blank CLI line. You may need to press Enter a second
time to see the router CLI prompt.
S1#
[Resuming connection 1 to 192.168.1.1 ... ]
R1>
d) To end the SSH session on R1, type exit at the router prompt.
R1# exit
1 Protocol Version 1
2 Protocol Version 2
Reflection Question
How would you provide multiple users, each with their own username, access to a network device?
You would add each user’s username and password to the local database using the
username command.
Note: To find out how the router is configured, look at the interfaces to identify the type of router and how many interfaces
the router has. There is no way to effectively list all the combinations of configurations for each router class. This table
includes identifiers for the possible combinations of Ethernet and Serial interfaces in the device. The table does not include
any other type of interface, even though a specific router may contain one. An example of this might be an ISDN BRI
interface. The string in parentheses is the legal abbreviation that can be used in Cisco IOS commands to represent the
interface.
16.5.2 Lab - Secure Network Devices
Topology
Addressing Table
Device Interface IP Address Subnet Mask Default Gateway
Objectives
Part 1: Configure Basic Device Settings
Part 2: Configure Basic Security Measures on the Router
Part 3: Configure Basic Security Measures on the Switch
Background / Scenario
It is recommended that all network devices be configured with at least a minimum set of best practice security commands. This
includes end user devices, servers, and network devices, such as routers and switches.
In this lab, you will configure the network devices in the topology to accept SSH sessions for remote management. You
will also use the IOS CLI to configure common, basic best practice security measures. You will then test the security
measures to verify that they are properly implemented and working correctly.
Note: The routers used with CCNA hands-on labs are Cisco 4221 with Cisco IOS XE Release 16.9.4 (universalk9
image). The switches used in the labs are Cisco Catalyst 2960s with Cisco IOS Release 15.2(2) (lanbasek9 image). Other
routers, switches, and Cisco IOS versions can be used. Depending on the model and Cisco IOS version, the commands
available and the output produced might vary from what is shown in the labs. Refer to the Router Interface Summary
Table at the end of the lab for the correct interface identifiers.
Note: Make sure that the routers and switches have been erased and have no startup configurations. If you are unsure,
contact your instructor.
Required Resources
1 Router (Cisco 4221 with Cisco IOS XE Release 16.9.4 universal image or comparable)
1 Switch (Cisco 2960 with Cisco IOS Release 15.2(2) lanbasek9 image or comparable)
1 PC (Windows with a terminal emulation program, such as Tera Term)
Console cables to configure the Cisco IOS devices via the console ports
Ethernet cables as shown in the topology
Instructions
Part 1: Configure Basic Device Settings
In Part 1, you will set up the network topology and configure basic settings, such as the interface IP addresses, device
access, and passwords on the devices.
Step 1: Cable the network as shown in the topology.
Attach the devices shown in the topology and cable as necessary.
Step 2: Initialize and reload the router and switch.
Step 3: Configure the router and switch.
a. Console into the device and enable privileged EXEC mode.
b. Assign the device name according to the Addressing Table.
c. Disable DNS lookup to prevent the router from attempting to translate incorrectly entered commands as
though they were hostnames.
d. Assign class as the privileged EXEC encrypted password.
e. Assign cisco as the console password and enable login.
f. Assign cisco as the VTY password and enable login.
g. Create a banner that warns anyone accessing the device that unauthorized access is prohibited.
h. Configure and activate the G0/0/1 interface on the router using the information contained in the
Addressing Table.
i. Configure the default SVI on the switch with the IP address information according to the Addressing Table.
c. Change the passwords (privileged exec, console, and vty) to meet the new length requirement.
d. Configure the router to accept only SSH connections from remote locations
1) Configure the username SSHadmin with an encrypted password of 55HAdm!n2020
2) The router’s domain name should be set to ccna-lab.com
3) The key modulus should be 1024 bits. Note: 1024-bit RSA is below current guidance (NIST recommends at least
2048 bits); use a larger modulus on production devices.
e. Set security and best-practice configurations on the console and vty lines.
1) Users should be disconnected after 5 minutes of inactivity.
2) The router should not allow vty logins for 2 minutes if 3 failed login attempts occur within 1 minute.
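Steps a) to f) of the switch SSH configuration in 16.4.7 and steps d) and e) above, as one added example that is not part of the lab: a Python lint that checks a configuration script for each of those steps before it is pasted into a device, so a missing `transport input ssh`, a disabled `exec-timeout` or a weak key is caught first. WEAK and HARDENED are constructed scripts; the device names and secrets are illustrative, and the 2048-bit modulus threshold is this example's choice (the lab accepts 1024 bits).

```python
"""Lint an IOS configuration script against the lab's SSH and hardening steps.
Added example, not part of the Cisco lab: WEAK and HARDENED are constructed
scripts (names and secrets are illustrative), and the 2048-bit RSA threshold is
this example's choice, stricter than the 1024 bits the lab accepts."""
import re

def parse_script(text):
    """Split commands into global commands and indented sub-commands per 'line ...'."""
    global_cmds, line_blocks, current = [], {}, None
    for raw in text.splitlines():
        cmd = raw.strip()
        if not cmd or cmd.startswith("!"):
            continue
        if raw.startswith(" ") and current is not None:
            line_blocks[current].append(cmd)
            continue
        current = cmd if cmd.startswith("line ") else None
        if current:
            line_blocks.setdefault(current, [])
        else:
            global_cmds.append(cmd)
    return global_cmds, line_blocks

# (regex a global command must fully match, finding if none does); order follows the lab steps
GLOBAL_CHECKS = [
    (r"hostname \S+", "hostname not set"),
    (r"no ip domain[- ]lookup", "DNS lookup of mistyped commands not disabled"),
    (r"enable secret .+", "no enable secret"),
    (r"service password-encryption", "service password-encryption not set (type 7 is reversible, but the lab requires it)"),
    (r"security passwords min-length (?:1[2-9]|[2-9]\d)", "password min-length below 12"),
    (r"banner motd .+", "no warning banner"),
    (r"ip domain[- ]name \S+", "no domain name (RSA key generation needs one)"),
    (r"ip ssh version 2", "SSH version not pinned to 2 (SSHv1 is insecure)"),
    (r"username \S+ (?:privilege \d+ )?secret .+", "no local user with a hashed secret"),
    (r"login block-for \d+ attempts \d+ within \d+", "no login block-for: VTY brute force unthrottled"),
]

def audit(script, min_modulus=2048, max_idle_sec=300):
    """Return findings; an empty list means every baseline step is present."""
    g, blocks = parse_script(script)
    f = [msg for pat, msg in GLOBAL_CHECKS if not any(re.fullmatch(pat, c) for c in g)]
    mods = [int(m.group(1)) for c in g for m in [re.fullmatch(r"crypto key generate rsa.* modulus (\d+)", c)] if m]
    if not mods:
        f.append("no RSA key pair generated (the SSH server cannot start)")
    elif mods[-1] < min_modulus:
        f.append(f"RSA modulus {mods[-1]} below {min_modulus} bits")
    if not any(k.startswith("line vty") for k in blocks):
        f.append("no VTY line configuration")
    for name, cmds in blocks.items():
        if "login local" not in cmds:
            f.append(f"{name}: not using the local user database (login local)")
        idle = next((c.split()[1:] for c in cmds if c.startswith("exec-timeout")), None)
        if idle is None:
            f.append(f"{name}: no exec-timeout")
        else:  # 'exec-timeout 0 0' disables the idle timer altogether
            secs = int(idle[0]) * 60 + (int(idle[1]) if len(idle) > 1 else 0)
            if secs == 0 or secs > max_idle_sec:
                f.append(f"{name}: exec-timeout {' '.join(idle)} allows idle sessions beyond {max_idle_sec}s")
        if name.startswith("line vty") and "transport input ssh" not in cmds:
            f.append(f"{name}: not restricted to SSH (transport input ssh)")
    return f

WEAK = """
hostname R1
no ip domain lookup
enable secret class
ip domain name ccna-lab.com
crypto key generate rsa modulus 1024
username admin secret Adm1nP@55
line vty 0 4
 password cisco
 login
 transport input telnet ssh
"""

HARDENED = """
hostname R1
no ip domain lookup
service password-encryption
security passwords min-length 12
enable secret $cisco!PRIV*
banner motd #Unauthorized access is prohibited.#
ip domain name ccna-lab.com
crypto key generate rsa modulus 2048
ip ssh version 2
username SSHadmin secret 55HAdm!n2020
login block-for 120 attempts 3 within 60
line con 0
 exec-timeout 5 0
 login local
line vty 0 4
 exec-timeout 5 0
 login local
 transport input ssh
"""

if __name__ == "__main__":
    for label, script in (("WEAK", WEAK), ("HARDENED", HARDENED)):
        print(label, "->", audit(script) or ["baseline met"])
```

audit(WEAK) reports the 1024-bit key, the missing SSH version pin, the VTY lines still accepting Telnet and the absent idle timeout; audit(HARDENED) returns an empty list. The script matches the indentation a running-config uses, so `show running-config` output can be fed to it as well, except that the RSA modulus only appears in the typed script (the running-config does not record it).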
Step 2: Verify that your security measures have been implemented correctly.
a. Use Tera Term on PC-A to telnet to R1. Does
c. Intentionally mistype the user and password information to see if login access is blocked after two attempts.
d. From your console session on the router, issue the show login command to view the login status. In the
example below, the show login command was issued within the 120 second login blocking period and shows that
the router is in Quiet-Mode. The router will not accept any login attempts for 111 more seconds.
e. After the 120 seconds has expired, SSH to R1 again and login using the SSHadmin username and
55HAdm!n2020 for the password.
After you successfully logged in, what was displayed?
If you mistype this password, are you disconnected from your SSH session after three failed attempts within 60
seconds? Explain.
No. The login block-for 120 attempts 3 within 60 command only monitors session login
attempts on VTY lines.
g. Issue the show running-config command at the privileged EXEC prompt to view the security settings you
have applied.
c) Configure the switch to accept only SSH connections from remote locations.
1) Configure the username SSHadmin with an encrypted password of 55HAdm!n2020
2) The switch's domain name should be set to ccna-lab.com
d) Set security and best-practice configurations on the console and vty lines.
1) Users should be disconnected after 5 minutes of inactivity.
2) The switch should not allow logins for 2 minutes if 3 failed login attempts occur within 1 minute.
Step 3: Verify that your security measures have been implemented correctly.
f) Verify that Telnet has been disabled on the switch.
g) SSH to the switch and intentionally mistype the user and password information to see if login access is blocked.
h) After the 30 seconds has expired, SSH to S1 again and log in using the SSHadmin username and
55HAdm!n2020 for the password.
Did the banner appear after you successfully logged in?
Yes.
i) Enter privileged EXEC mode using $cisco!PRIV* as the password.
j) Issue the show running-config command at the privileged EXEC prompt to view the security settings you
have applied.
Reflection Questions
1. The password cisco command was entered for the console and VTY lines in your basic configuration in Part 1.
When is this password used after the best practice security measures have been applied?
This password will not be used any longer. This command was disabled as soon as the
login local command was entered for those lines.
2. Are preconfigured passwords shorter than 10 characters affected by the security passwords min-length 12
command?
No. The security passwords min-length command only affects passwords that are entered after this
command is issued. Any pre-existing passwords remain in effect. If they are changed, they will
need to be at least 12 characters long.
Router Model Ethernet Interface #1 Ethernet Interface #2 Serial Interface #1 Serial Interface #2
Note: To find out how the router is configured, look at the interfaces to identify the type of router and how many interfaces
the router has. There is no way to effectively list all the combinations of configurations for each router class. This table
includes identifiers for the possible combinations of Ethernet and Serial interfaces in the device. The table does not include
any other type of interface, even though a specific router may contain one. An example of this might be an ISDN BRI
interface. The string in parentheses is the legal abbreviation that can be used in Cisco IOS commands to represent the
interface.