
Lab ID: 10.1116A329.DHI2.

Configuring Network Device Management


Objective
Learn how to configure and verify basic network device management using a Management virtual LAN
(VLAN), Simple Network Management Protocol (SNMP), and Terminal Access Controller Access Control
System (TACACS) authentication with local authentication as backup.

Lab Topology
The topology diagram below represents the NetMap in the Simulator.

Command Summary

aaa authentication login {default | list-name} method1 [method2...]
    enables Authentication, Authorization, and Accounting (AAA) login
aaa authorization exec method1 [method2...]
    configures exec authorization to use methods from the list
aaa new-model
    enables the AAA model
authorization exec [default | list-name]
    enables AAA authorization to determine whether a user can access privileged EXEC mode
configure terminal
    enters global configuration mode from privileged EXEC mode
enable
    enters privileged EXEC mode
encapsulation dot1q vlan-id
    sets the encapsulation method of the interface for 802.1Q VLAN trunking; also specifies the VLAN ID with which the frames should be tagged
end
    ends and exits configuration mode
exit
    exits one level in the menu structure
interface type number
    changes from global configuration mode to interface configuration mode
interface type number.subinterface-id
    creates a subinterface
ip address ip-address subnet-mask
    assigns an IP address to an interface
ip default-gateway ip-address
    configures a default gateway IP address to which traffic destined to remote networks will be forwarded
line vty 0 4
    enters configuration mode for the specified virtual terminal (VTY, or Telnet) lines
line vty 0 15
    enters configuration mode for the specified VTY lines
login authentication {default | list-name}
    enables login to a TACACS+ server
ping ip-address
    sends an Internet Control Message Protocol (ICMP) echo request to the specified address
show ip interface brief
    displays a brief summary of interface status and configuration
show running-config
    displays the active configuration file
show snmp community
    displays SNMP community access strings
show snmp contact
    displays SNMP system contact information
show snmp host
    displays the recipient details for SNMP notification operations
show snmp location
    displays the SNMP system location string
snmp-server contact text
    sets the system contact (sysContact) string
snmp-server community string [ro]
    sets up the community access string that permits access to SNMP
snmp-server host ip-address [community-string]
    specifies the recipient of an SNMP notification operation
snmp-server location text
    sets the system location string
tacacs-server host ip-address single-connection
    configures a TACACS+ server to communicate with the specified host
tacacs-server key key
    sets the authentication encryption key used for all TACACS+ communications between the access server and the TACACS+ daemon
telnet ip-address
    starts the terminal emulation program from a PC, router, or switch; permits you to access devices remotely over the network
username name privilege privilege-level password password
    sets the privilege level for the user
vlan vlan-id name vlan-name
    creates and/or names a VLAN

1 Boson NetSim Lab Manual



The IP addresses, subnet masks, and default gateways used in this lab are shown in the tables below:

IP Addresses
Device    Interface            IP Address  Subnet Mask    Default Gateway
Router1   FastEthernet 1/0.1   10.1.0.1    255.255.255.0  -
Router1   FastEthernet 1/0.10  10.10.0.1   255.255.255.0  -
Router1   FastEthernet 1/0.20  10.20.0.1   255.255.255.0  -
Router1   FastEthernet 1/0.99  10.99.0.1   255.255.255.0  -
Switch1   VLAN 99              10.99.0.2   255.255.255.0  10.99.0.1
Switch2   VLAN 99              10.99.0.3   255.255.255.0  10.99.0.1

Device        IP Address  Subnet Mask    Default Gateway
PC1           10.10.0.2   255.255.255.0  10.10.0.1
PC2           10.10.0.3   255.255.255.0  10.10.0.1
PC3           10.20.0.2   255.255.255.0  10.20.0.1
PC4           10.20.0.2   255.255.255.0  10.20.0.1
PCAdmin       10.1.0.2    255.255.255.0  10.1.0.1
TACACSServer  10.1.0.3    255.255.255.0  10.1.0.1

Lab Tasks
Task 1: Configure the Management VLAN
This task involves moving device management from the default VLAN to a dedicated Management VLAN.
1. On Router1, display a brief summary of interface status and configuration and observe the current IP
configuration.

2. On Router1, create interface FastEthernet 1/0.99 to be used as the management VLAN.

3. On Router1, configure the new subinterface to use 802.1Q encapsulation and to use VLAN ID 99.

4. On Router1, configure the FastEthernet 1/0.99 interface with the appropriate IP address; refer to the
IP Addresses table.

5. On Router1, display a brief summary of the interface status and configuration and verify your
configuration.

6. On Switch1, create VLAN 99 named Management.

7. On Switch1, configure interface VLAN 99 with the appropriate IP address.

8. Configure Switch1 with the appropriate default gateway.



9. On Switch1, verify the configuration by reviewing the running configuration.

10. On Switch2, configure interface VLAN 99 with the appropriate IP address.

11. Configure Switch2 with the appropriate default gateway.

12. On Switch2, verify the configuration by reviewing the running configuration.

13. On PC1, ping Router1 (10.99.0.1), Switch1 (10.99.0.2), and Switch2 (10.99.0.3). The pings should
be successful.

Task 2: Configure and Verify SNMP on Router1


This task involves configuring and verifying SNMP on Router1.
1. On Router1, configure SNMP version 2 (SNMPv2) for read-only access using the community string
Boson.

2. On Router1, configure a contact address of snmp@boson.com.

3. On Router1, configure a location of R1_SNMP.

4. On Router1, configure PC1 (10.10.0.2) to be the trap receiver and to use a community string of
snmp_logs.

5. On Router1, verify that SNMP is enabled for the correct community string.

6. On Router1, verify that SNMP is configured with the correct location.

7. On Router1, verify that SNMP is configured with the correct contact address.

8. On Router1, verify that SNMP is enabled for the trap receiver with the correct community string.

Task 3: Configure and Verify TACACS+ on Router1


This task involves configuring and verifying TACACS+ on Router1.
1. On Router1, enable the AAA service.

2. On Router1, configure the TACACS+ host address for the server to be TACACSServer (10.1.0.3).

3. On Router1, configure the TACACS+ key for the server to be boson.

4. On Router1, create a login authentication method that authenticates against TACACSServer first
and uses the local user database as a backup. Use aaa_authentication as the authentication list
name.

5. On Router1, create an exec authorization method that authorizes exec sessions against
TACACSServer first and uses the local user database as a backup. Use aaa_author as the
authorization list name.
6. On Router1, create a backup user account with user name admin, privilege 15, and password
boson.

7. On Router1, configure the first five VTY lines to use the AAA authentication method aaa_author.

8. From PC1, telnet to Router1’s FastEthernet 1/0.99 interface (10.99.0.1). The TACACS+ user name
is cisco, and the password is ciscopass.

Task 4: Configure and Verify SNMP on Switch1 and Switch2


This task involves configuring and verifying SNMP on Switch1 and Switch2.
1. On Switch1, configure SNMPv2 for read-only access using a community string Boson, a contact
address of snmp@boson.com, a location of S1_SNMP, and a trap receiver to be PC1 (10.10.0.2)
with a community string of snmp_logs.

2. On Switch2, configure SNMPv2 for read-only access using a community string Boson, a contact
address of snmp@boson.com, a location of S1_SNMP, and a trap receiver to be PC1 (10.10.0.2)
with a community string of snmp_logs.

3. On Switch1 and Switch2, verify the previous SNMP configuration.

Task 5: Configure and Verify TACACS+ on Switch1 and Switch2


This task involves configuring and verifying TACACS+ on Switch1 and Switch2.
1. On Switch1, complete the following configurations:

a. Enable the AAA service.

b. Configure the TACACS+ host address for the server to be TACACSServer (10.1.0.3).

c. Configure the TACACS+ key for the server to be boson.

d. Create a login authentication method that authenticates against TACACSServer first and uses
the local user database as a backup. Use aaa_authentication as the authentication list name.

e. Create an exec authorization method that authorizes exec sessions against TACACSServer
first and uses the local user database as a backup. Use aaa_author as the authorization list
name.

f. Create a backup user account with user name admin, privilege 15, and password boson.

g. Configure all 16 VTY lines to use the AAA authentication method aaa_author.



2. On Switch2, complete the following configurations:

a. Enable the AAA service.

b. Configure the TACACS+ host address for the server to be TACACSServer (10.1.0.3).

c. Configure the TACACS+ key for the server to be boson.

d. Create a login authentication method that authenticates against TACACSServer first and uses
the local user database as a backup. Use aaa_authentication as the authentication list name.

e. Create an exec authorization method that authorizes exec sessions against TACACSServer
first and uses the local user database as a backup. Use aaa_author as the authorization list
name.

f. Create a backup user account with user name admin, privilege 15, and password boson.

g. Configure all 16 VTY lines to use the AAA authentication method aaa_author.

3. From PC1, telnet to Switch1 (10.99.0.2). The TACACS+ user name is cisco, and the password is
ciscopass.

4. From PC1, telnet to Switch2 (10.99.0.3). The TACACS+ user name is cisco, and the password is
ciscopass.

Once you have completed this lab, be sure to check your work by using the grading function.
You can do so by clicking the Grade Lab icon in the toolbar or by pressing Ctrl+G.



Lab Solutions
Task 1: Configure the Management VLAN
1. On Router1, issue the following command to observe the current IP configuration:

Router1#show ip interface brief


Interface IP-Address OK? Method Status Protocol
FastEthernet0/0 unassigned YES unset up up
FastEthernet1/0 unassigned YES unset up up
FastEthernet1/0.1 10.1.0.1 YES unset up up
FastEthernet1/0.10 10.10.0.1 YES unset up up
FastEthernet1/0.20 10.20.0.1 YES unset up up

2. On Router1, issue the following command to create interface FastEthernet 1/0.99 to be used as the
management VLAN:

Router1(config)#interface fastethernet 1/0.99

3. On Router1, issue the following command to configure the interface FastEthernet 1/0.99 to use
802.1Q encapsulation with VLAN ID 99:

Router1(config-subif)#encapsulation dot1q 99

4. On Router1, issue the following command to configure interface FastEthernet 1/0.99 with the
appropriate IP address:

Router1(config-subif)#ip address 10.99.0.1 255.255.255.0

5. On Router1, verify the configuration by issuing the following command:

Router1#show ip interface brief


Interface IP-Address OK? Method Status Protocol
FastEthernet0/0 unassigned YES unset up up
FastEthernet1/0 unassigned YES unset up up
FastEthernet1/0.1 10.1.0.1 YES unset up up
FastEthernet1/0.10 10.10.0.1 YES unset up up
FastEthernet1/0.20 10.20.0.1 YES unset up up
FastEthernet1/0.99 10.99.0.1 YES unset up up

6. On Switch1, issue the following command to create VLAN 99 named Management:

Switch1(config)#vlan 99 name Management


VLAN 99 added:
Name:Management

7. On Switch1, issue the following commands to configure interface VLAN 99 with the appropriate IP
address:

Switch1(config-vlan)#interface vlan 99
Switch1(config-if)#ip address 10.99.0.2 255.255.255.0



8. On Switch1, issue the following command to configure the appropriate default gateway:

Switch1(config-if)#ip default-gateway 10.99.0.1

9. On Switch1, issue the following command to verify the configuration:

Switch1#show running-config
Building configuration...
Current configuration : 1457 bytes
!
Version 15.b
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname Switch1
!
<output omitted>
!
interface Vlan0099
ip address 10.99.0.2 255.255.255.0
no ip route-cache
!
vlan 10 name VLAN0010
vlan 20 name VLAN0020
vlan 99 name Management
!
ip default-gateway 10.99.0.1
!
<output omitted>

10. On Switch2, issue the following commands to configure interface VLAN 99 with the appropriate IP
address:

Switch2(config)#interface vlan 99
Switch2(config-if)#ip address 10.99.0.3 255.255.255.0

11. On Switch2, issue the following command to configure the appropriate default gateway:

Switch2(config-if)#ip default-gateway 10.99.0.1



12. On Switch2, issue the following command to verify the configuration:

Switch2#show running-config
Building configuration...
Current configuration : 1263 bytes
!
Version 15.b
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname Switch2
!
<output omitted>
!
interface Vlan0099
ip address 10.99.0.3 255.255.255.0
no ip route-cache
!
vlan 10 name VLAN0010
vlan 20 name VLAN0020
vlan 99 name Management
!
ip default-gateway 10.99.0.1
!
<output omitted>

13. On PC1, pings to Router1 (10.99.0.1), Switch1 (10.99.0.2), and Switch2 (10.99.0.3) should be
successful.

C:>ping 10.99.0.1
C:>ping 10.99.0.2
C:>ping 10.99.0.3

Task 2: Configure and Verify SNMP on Router1


1. On Router1, issue the following command to configure SNMPv2 for read-only access using the
community string Boson:

Router1(config)#snmp-server community Boson ro

2. On Router1, issue the following command to configure a contact address of snmp@boson.com:

Router1(config)#snmp-server contact snmp@boson.com

3. On Router1, issue the following command to configure a location of R1_SNMP:

Router1(config)#snmp-server location R1_SNMP



4. On Router1, issue the following command to configure PC1 (10.10.0.2) to be the trap receiver and
to use a community string of snmp_logs:

Router1(config)#snmp-server host 10.10.0.2 snmp_logs

5. On Router1, issue the following command to verify that SNMP is enabled for the correct community
string:

Router1#show snmp community

Community name : ILMI


Community Index : ILMI
Community SecurityName : ILMI
storage-type: read-only active

Community name : boson


Community Index : boson
Community SecurityName : boson
storage-type: read-only active

6. On Router1, issue the following command to verify that SNMP is configured with the correct location:

Router1#show snmp location


R1_SNMP

7. On Router1, issue the following command to verify that SNMP is configured with the correct contact
address:

Router1#show snmp contact


snmp@boson.com

8. On Router1, issue the following command to verify that SNMP is enabled for the trap receiver with
the correct community string:

Router1#show snmp host


Notification host: 10.10.0.1 udp-port: 162 type: trap
user: snmp_logs security model: v1

Task 3: Configure and Verify TACACS+ on Router1


1. On Router1, issue the following command to enable the AAA service:

Router1(config)#aaa new-model

2. On Router1, issue the following command to configure the TACACS+ host address for the server to
be TACACSServer (10.1.0.3):

Router1(config)#tacacs-server host 10.1.0.3



3. On Router1, issue the following command to configure the TACACS+ key for the server to be
boson:

Router1(config)#tacacs-server key boson

4. On Router1, issue the following command to create a login authentication method that
authenticates against TACACSServer first and uses the local user database as a backup. Use
aaa_authentication as the authentication list name:

Router1(config)#aaa authentication login aaa_authentication group tacacs+ local

5. On Router1, issue the following command to create an exec authorization method that authorizes
exec sessions against TACACSServer first and uses the local user database as a backup. Use
aaa_author as the authorization list name:

Router1(config)#aaa authorization exec aaa_author group tacacs+ local

6. On Router1, issue the following command to create a backup user account with user name admin,
privilege 15, and password boson:

Router1(config)#username admin privilege 15 password boson

7. On Router1, issue the following command to configure the first five VTY lines to use the AAA
authentication method aaa_author:

Router1(config)#line vty 0 4
Router1(config-line)#login authentication aaa_authentication
Router1(config-line)#authorization exec aaa_author

8. From PC1, a telnet to Router1’s FastEthernet 1/0.99 interface (10.99.0.1) should be successful:

C:>telnet 10.99.0.1
Username: cisco
Password: ciscopass
Router1>exit

Task 4: Configure and Verify SNMP on Switch1 and Switch2


1. On Switch1, issue the following commands to configure SNMPv2 for read-only access using a
community string Boson, a contact address of snmp@boson.com, a location of S1_SNMP, and a
trap receiver to be PC1 (10.10.0.2) with a community string of snmp_logs:

Switch1(config)#snmp-server community Boson ro


Switch1(config)#snmp-server contact snmp@boson.com
Switch1(config)#snmp-server location S1_SNMP
Switch1(config)#snmp-server host 10.10.0.2 snmp_logs



2. On Switch2, issue the following commands to configure SNMPv2 for read-only access using a
community string Boson, a contact address of snmp@boson.com, a location of S1_SNMP, and a
trap receiver to be PC1 (10.10.0.2) with a community string of snmp_logs:

Switch2(config)#snmp-server community Boson ro


Switch2(config)#snmp-server contact snmp@boson.com
Switch2(config)#snmp-server location S1_SNMP
Switch2(config)#snmp-server host 10.10.0.2 snmp_logs

3. On Switch1 and Switch2, issue the appropriate show commands to verify the previous SNMP
configuration. The following is sample output from Switch1:

Switch1#show snmp community

Community name : ILMI


Community Index : ILMI
Community SecurityName : ILMI
storage-type: read-only active

Community name : boson


Community Index : boson
Community SecurityName : boson
storage-type: read-only active

Switch1#show snmp location


R1_SNMP

Switch1#show snmp contact


snmp@boson.com

Switch1#show snmp host


Notification host: 10.10.0.1 udp-port: 162 type: trap
user: snmp_logs security model: v1

Task 5: Configure and Verify TACACS+ on Switch1 and Switch2


1. On Switch1, issue the following commands to complete the configuration:

Switch1(config)#aaa new-model
Switch1(config)#tacacs-server host 10.1.0.3
Switch1(config)#tacacs-server key boson
Switch1(config)#aaa authentication login aaa_authentication group tacacs+ local
Switch1(config)#aaa authorization exec aaa_author group tacacs+ local
Switch1(config)#username admin privilege 15 password boson
Switch1(config)#line vty 0 15
Switch1(config-line)#login authentication aaa_authentication
Switch1(config-line)#authorization exec aaa_author



2. On Switch2, issue the following commands to complete the configuration:

Switch2(config)#aaa new-model
Switch2(config)#tacacs-server host 10.1.0.3
Switch2(config)#tacacs-server key boson
Switch2(config)#aaa authentication login aaa_authentication group tacacs+ local
Switch2(config)#aaa authorization exec aaa_author group tacacs+ local
Switch2(config)#username admin privilege 15 password boson
Switch2(config)#line vty 0 15
Switch2(config-line)#login authentication aaa_authentication
Switch2(config-line)#authorization exec aaa_author

3. From PC1, you should be able to successfully telnet to Switch1 (10.99.0.2):

C:>telnet 10.99.0.2
Username: cisco
Password: ciscopass
Switch1>exit

4. From PC1, you should be able to successfully telnet to Switch2 (10.99.0.3):

C:>telnet 10.99.0.3
Username: cisco
Password: ciscopass
Switch2>exit



Sample Configuration Script
Router1

Router1#show running-config
Building configuration...
Current configuration : 1395 bytes
!
Version 15.b
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname Router1
aaa new-model
!
aaa authentication login aaa_authentication group tacacs+ local
aaa authorization exec aaa_author group tacacs+ local
!
username admin privilege 15 password boson
!
ip subnet-zero
!
ip cef
no ip domain-lookup
!
interface FastEthernet0/0
description Link to ISP
no ip address
no ip directed-broadcast
!
interface FastEthernet1/0
description Link to Switch1
no ip address
no ip directed-broadcast
!
interface FastEthernet1/0.1
encapsulation dot1q 1
ip address 10.1.0.1 255.255.255.0
!
interface FastEthernet1/0.10
encapsulation dot1q 10
ip address 10.10.0.1 255.255.255.0
!
interface FastEthernet1/0.20
encapsulation dot1q 20
ip address 10.20.0.1 255.255.255.0
!
interface FastEthernet1/0.99
encapsulation dot1q 99
ip address 10.99.0.1 255.255.255.0
!
ip classless
no ip http server
!
snmp-server community boson ro
snmp-server location R1_SNMP
snmp-server contact snmp@boson.com
snmp-server host 10.10.0.1 snmp_logs
!
tacacs-server host 10.1.0.3
tacacs-server key boson
!
line con 0
line aux 0
line vty 0 4
login authentication aaa_authentication
authorization exec aaa_author
!
no scheduler allocate
end
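As an added check that is not part of the lab and not Boson's code, the following Python script parses running-config text of the kind shown above and flags the two management risks the lab's TACACS+ and SNMP steps are meant to avoid: a VTY login list that reaches TACACS+ but has no local fallback (an unreachable TACACSServer would then lock administrators out), and an SNMP community that is not read-only. The embedded config is a constructed excerpt of the Router1 sample; the function names and the assumption that sub-commands follow their `line` section, as IOS prints them, are mine.

```python
import re
# Constructed sample, adapted from the Router1 running-config in this lab and
# trimmed to the management-relevant lines; it is not live device output.
ROUTER1_CONFIG = """\
aaa new-model
!
aaa authentication login aaa_authentication group tacacs+ local
aaa authorization exec aaa_author group tacacs+ local
!
username admin privilege 15 password boson
!
snmp-server community boson ro
!
tacacs-server host 10.1.0.3
line con 0
line vty 0 4
 login authentication aaa_authentication
 authorization exec aaa_author
"""
# Constructed weak variant: VTY login list without local fallback, read-write community.
WEAK_CONFIG = ROUTER1_CONFIG.replace("tacacs+ local", "tacacs+", 1) \
                            .replace("community boson ro", "community boson rw")

def parse_config(text):
    # Collect AAA login lists, local users, SNMP communities and per-line settings.
    cfg = {"login": {}, "users": set(), "snmp": {}, "lines": {}}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            section = None  # '!' separates running-config sections
            continue
        if m := re.match(r"aaa authentication login (\S+) (.+)", line):
            cfg["login"][m[1]] = re.findall(r"group \S+|\S+", m[2])  # ['group tacacs+', 'local']
        elif m := re.match(r"username (\S+) ", line):
            cfg["users"].add(m[1])
        elif m := re.match(r"snmp-server community (\S+)(?: (ro|rw))?", line):
            cfg["snmp"][m[1]] = m[2] or "ro"  # IOS defaults a community to read-only
        elif m := re.match(r"line (\S+ .+)", line):
            section = m[1]; cfg["lines"][section] = {}
        elif section and (m := re.match(r"(login authentication|authorization exec) (\S+)", line)):
            cfg["lines"][section][m[1]] = m[2]
    return cfg

def audit(text):
    # Returns findings; an empty list means the lab's management baseline is met.
    cfg, findings = parse_config(text), []
    for name, sub in cfg["lines"].items():
        if not name.startswith("vty"): continue
        list_name = sub.get("login authentication", "default")
        methods = cfg["login"].get(list_name) or []
        if not methods:
            findings.append(f"line {name}: login list '{list_name}' is not defined")
        elif "group tacacs+" not in methods or methods[-1] != "local":
            findings.append(f"line {name}: '{list_name}' lacks TACACS+ with local fallback")
        if "authorization exec" not in sub:
            findings.append(f"line {name}: no exec authorization list applied")
    if not cfg["users"]:
        findings.append("no local username: the local fallback cannot work")
    for community, mode in cfg["snmp"].items():
        if mode != "ro":
            findings.append(f"snmp community '{community}' is {mode}, expected ro")
    return findings
```

Run `audit()` over the output of `show running-config` captured from each device after Task 5; Router1's sample passes, while the weak variant reports both the missing local fallback and the read-write community.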

Copyright © 1996–2017 Boson Software, LLC. All rights reserved. NetSim software and documentation are protected by copyright law.
