Sunday, March 15, 2009

PT5.1 for CCNA simulation lab

I was preparing CCNA exam, to practice the lab simulation questions, I used Packet Tracer 5.1 to simulate the questions. I integrated the questions, answers, and the explanation into a single pka file. With these pka files, you can practice the lab questions, verify your answers in real time, and check the explanation. I believe you’ll be more confident in your CCNA exam after practicing these labs.

You can download these pka files from:

1. CCNA Access List Sim (Updated from real CCNA exam on 07-March-2009): http://www.valit.ca/lab/ccna/ccna_access_list_sim.zip

2. CCNA Implementation SIM (Updated from real CCNA exam on 19-Feb-2009): http://www.valit.ca/lab/ccna/ccna_implement_sim.zip

3. CCNA Drag and Drop SIM Question (Updated from real CCNA exam on 19-Feb-2009): http://www.valit.ca/lab/ccna/ccna_drag_drop_sim.zip

4. CCNA EIGRP LAB Question (Updated from real CCNA Exam on 19-Feb-2009): http://www.valit.ca/lab/ccna/ccna_EIGRP_sim.zip

5. CCNA VTP SIM Question (Updated from real CCNA exam on 19-Feb-2009): http://www.valit.ca/lab/ccna/ccna_vtp_sim.zip

6. CCNA RIP Configuration SIM Question (Updated from real CCNA exam on 19-Feb-2009): http://www.valit.ca/lab/ccna/ccna_Rip_sim.zip

7. CCNA NAT SIM Question: http://www.valit.ca/lab/ccna/ccna_NAT_sim1.zip

Please use Packet Tracer 5.1. I am not sure if 5.0 can open these files.

Even you are not preparing CCNA, it is still good to practice these labs in order to enhance your network knowledge.

Enjoy! And if you have any questions related to the files, comment or send me an email.

Friday, March 13, 2009

Packet Tracer file for new CCNA Access List Sim


(Updated from real CCNA exam on 07-March-2009)

I copy this sim from http://9tut.com. And I created a Packet Tracer 5.1 pka file to verify the answers, because I was confused with question 3 (I am still confused now). You can download this pka file from here: http://www.valit.ca/lab/ccna_access_list_sim.zip. I hope it can help you to understand this sim. Please use Packet Tracer 5.1, the pka file seems not woking in version 5.0.

Question:


An administrator is trying to ping and telnet from Switch to Router with the results shown below:

Switch>
Switch> ping 10.4.4.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.4.4.3,timeout is 2 seconds:
.U.U.U.
Success rate is 0 percent (0/5)
Switch>
Switch> telnet 10.4.4.3
Trying 10.4.4.3 ...
% Destination unreachable; gateway or host down
Switch>

Click the console connected to Router and issue the appropriate commands to answer the questions.

Answer and Explanation:

For this question we only need to use the show running-config command to answer all the questions below

Router>enable
Router#show running-config

interface Loopback1

 ip address 172.16.4.1 255.255.255.0

 no shutdown

!

interface Loopback2

 ip address 10.145.145.1 255.255.255.0

 ipv6 address 2001:410:2:3::/64 eui-64

 no shutdown

!

interface FastEthernet0/0

 ip address 10.4.4.3 255.255.255.0

 ip access-group 106 in

 duplex auto

 speed auto

 no shutdown

!

interface Serial0/0/0

 bandwidth 64

 no ip address

 ip access-group 102 out

 encapsulation frame-relay

 ip ospf authentication

 ip ospf authentication-key san-fran

 no shutdown

!

interface Serial0/0/0.1 point-to-point

 ip address 10.140.3.2 255.255.255.0

 ip authentication mode eigrp 100 md5

 ip authentication key-chain eigrp 100 icndchain

 frame-relay interface-dlci 120

!

interface Serial0/0/1

 bandwidth 64

 ip address 10.45.45.1 255.255.255.0

 ip access-group 102 in

 ip authentication mode eigrp 100 md5

 ip authentication key-chain eigrp 100 icndchain

 ip ospf authentication

 ip ospf authentication-key san-fran

 ipv6 address 2001:410:2:10::/64 eui-64

 no shutdown

!

router eigrp 100

 network 10.0.0.0

 network 172.16.0.0

 network 192.168.2.0

 no auto-summary

!

router ospf 100

 log-adjacency-changes

 network 10.4.4.3 0.0.0.0 area 0

 network 10.45.45.1 0.0.0.0 area 0

 network 10.140.3.2 0.0.0.0 area 0

 network 192.168.2.62 0.0.0.0 area 0

!

router rip

 version 2

 network 10.0.0.0

 network 172.16.0.0

!

ip default-gateway 10.1.1.2

!

!

ip http server

no ip http secure-server

!

access-list 102 permit tcp any any eq ftp

access-list 102 permit tcp any any eq ftp-data

access-list 102 deny tcp any any eq telnet

access-list 102 deny icmp any any echo-reply

access-list 102 permit ip any any

 

access-list 104 permit tcp any any eq ftp

access-list 104 permit tcp any any eq ftp-data

access-list 104 deny tcp any any eq telnet

access-list 104 permit icmp any any echo

access-list 104 deny icmp any any echo-reply

access-list 104 permit ip any any

 

access-list 106 permit tcp any any eq ftp

access-list 106 permit tcp any any eq ftp-data

access-list 106 deny tcp any any eq telnet

access-list 106 permit icmp any any echo-reply

 

access-list 110 permit udp any any eq domain

access-list 110 permit udp any eq domain any

access-list 110 permit tcp any any eq domain

access-list 110 permit tcp any eq domain any

access-list 110 permit tcp any any

 

access-list 114 permit ip 10.4.4.0 0.0.0.255 any

 

access-list 115 permit ip 0.0.0.0 255.255.255.0 any

 

access-list 122 deny tcp any any

access-list 122 deny icmp any any echo-reply

access-list 122 permit ip any any

!

 

Question 1:

Which will fix the issue and allow ONLY ping to work while keeping telnet disabled?

A - Correctly assign an IP address to interface fa0/1
B - Change the ip access-group command on fa0/0 from "in" to "out"
C - Remove access-group 106 in from interface fa0/0 and add access-group 115 in.
D - Remove access-group 102 out from interface s0/0/0 and add access-group 114 in
E - Remove access-group 106 in from interface fa0/0 and add access-group 104 in

 

Answer: E

 

Explanation:

Let's have a look at the access list 104:

access-list 104 permit tcp any any eq ftp

access-list 104 permit tcp any any eq ftp-data

access-list 104 deny tcp any any eq telnet

access-list 104 permit icmp any any echo

access-list 104 deny icmp any any echo-reply

access-list 104 permit ip any any

 

The question does not ask about ftp traffic so we don't care about the two first lines. The 3rd line denies all telnet traffic and the 4th line allows icmp traffic to be sent (ping). Remember that the access list 104 is applied on the inbound direction so the 5th line "access-list 104 deny icmp any any echo-reply" will not affect our icmp traffic because the "echo-reply" message will be sent over the outbound direction.

Question 2:

What would be the effect of issuing the command ip access-group 114 in to the fa0/0 interface?

A - Attempts to telnet to the router would fail
B - It would allow all traffic from the 10.4.4.0 network
C - IP traffic would be passed through the interface but TCP and UDP traffic would not
D - Routing protocol updates for the 10.4.4.0 network would not be accepted from the fa0/0 interface

 

Answer: B

Explanation:

From the output of access-list 114: access-list 114 permit ip 10.4.4.0 0.0.0.255 any we can easily understand that this access list allows all traffic (ip) from 10.4.4.0/24 network

Question 3:

What would be the effect of issuing the command access-group 115 in on the s0/0/1 interface?

A - No host could connect to Router through s0/0/1
B - Telnet and ping would work but routing updates would fail.
C - FTP, FTP-DATA, echo, and www would work but telnet would fail
D - Only traffic from the 10.4.4.0 network would pass through the interface

 

Answer: A

Explanation:

First let's see what was configured on interface S0/0/1:

interface Serial0/0/1

 bandwidth 64

 ip address 10.45.45.1 255.255.255.0

 ip access-group 102 in

 ip authentication mode eigrp 100 md5

 ip authentication key-chain eigrp 100 icndchain

 ip ospf authentication

 ip ospf authentication-key san-fran

 ipv6 address 2001:410:2:10::/64 eui-64

 

Recall that each interface only accepts one access-list, so when using the command “ip access-group 115 in” on the s0/0/1 interface it will overwrite the initial access-list 102. Therefore any telnet connection will be accepted (so we can eliminate answer C).

B is not correct because if telnet and ping can work then routing updates can, too.

D is not correct because access-list 115 does not mention about 10.4.4.0 network. So the most reasonable answer is A.

 

But here raise a question…

 

The wildcard mask of access-list 115, which is 255.255.255.0, means that only host with ip addresses in the form of x.x.x.0 will be accepted. But we all know that x.x.x.0 is likely to be a network address so the answer A: “no host could connect to Router through s0/0/1” seems right…

 

But what will happen if we don’t use a subnet mask of 255.255.255.0? For example we can use an ip address of 10.45.45.0 255.255.0.0, such a host with that ip address exists and we can connect to the router through that host. Now answer A seems incorrect!

 

Please comment if you have any idea for this sim!

 

I am really confused with this question 3. 9tut is right, we can assign x.x.x.0 to a host, check the figure below:


 

I assigned 10.46.46.0 and 3.3.3.0 to 2 PCs, so “A - No host could connect to Router through s0/0/1” is incorrect; In PC 10.46.46.0 and 3.3.3.0, I can telnet and ping 10.45.45.1, I turn one of the routers off and then turn it on, the EIGRP routing updates seem no problem at all!

 

It seems none of the answers are correct. You can download the pka file and play around, if you find the right answer, please let me know.

Saturday, February 7, 2009

Flood the MAC address table of a Switch

Lab Section: Switch

Lab Title: Flood the MAC address table of a Switch

Objective

In this lab exercise, we will complete the following tasks:

1. Use Ettercap to overflow the MAC address table of a Cisco switch 2950.

2. Use Wireshark to sniff the FTP password.

Background

Switches maintain a table of MAC addresses and associated switch port. When a switch receives a frame, the destination MAC address is checked against the table, and the corresponding port is used to route the frame out of the switch. If a switch does not know which port to route the frame, or the frame is a broadcast, then the frame is routed out all ports except the port where it originated.

Scenario

Your computer is connected to an uncontrolled switch. You want to sniff the traffic of the other computers that are connected with this switch. Because switch has a MAC address table to match the destination, you have to flood this table to force the switch broadcast every frame and work like a Hub.

Topology

This figure illustrates the lab network environment:


Preparation

Tools and Resources

In order to complete the lab, the following is required:

1. Ettercap0.7.3: http://sourceforge.net/projects/ettercap/

2. WireShark 1.05: http://www.wireshark.org/

3. Putty or HyperTerminal


Additional Materials

Visit the following website for more information on the objectives covered in this lab:

1. http://en.wikipedia.org/wiki/ARP_poisoning

2. http://en.wikipedia.org/wiki/Ettercap_(computing)

Procedure

1. Preparation: To start the FTP server and Telnet Server in Windows 2003 server and check the connection between these PCs.

1.1 In Server 192.168.10.9, open a command line window.

1.2 Enter “ipconfig /all” to show the current network setting, make sure the IP address is correct.

1.3 Enter “ping 192.168.10.10”, check the connection of other computer.

1.4 Enter “ping 192.168.10.11”, check the connection of other computer. Make sure they are all connected.

1.5 Open “Control Panel”-> “Administrative tools”-> “Services”, find out the Telnet service and start it.

1.6 Back to the “Administrative Tools”, open “Computer Management”, click “Local Users and Groups”.

1.7 Enter the “User” window, add 2 new users, one is “telnetuser”, another is “ftpuser”, you need to setup password, and uncheck the “user must change password at next logon” option (just for convenience, you’d better not uncheck this option in the reality environment).

1.8 Setup user “telnetuser” as one of the members of “TelnetClients” Group.

1.9 Return to “Administrative Tools” window. Run “Internet Information Services(IIS) Manager” to setup FTP server.

1.10 Right click “Default FTP Site”, choose “Properties”, uncheck “Allow anonymous connections”, apply for the change.

1.11 In Sniffer PC, open a command line window.

1.12 Enter “ipconfig /all” to show the current network setting, make sure the IP address is correct.

1.13 Run Wireshark, click Menu “Capture”-> “Interface”. Click “option” to open the capture options windows.

1.14 Setup the Capture Filter, we use “IP only” here. Click “Start”.

1.15 Wireshark start to capture packets, as you can see. Only the broadcast and the local packets can be received.

1.16 In User PC, open a command line window.

1.17 Enter “ipconfig /all” to show the current network setting, make sure the IP address is correct.

1.18 Ping 192.168.10.10, Wireshark will capture the ICMP traffic because Wireshark is running in 192.168.10.10.

1.19 Telnet 192.168.10.9, Wireshark won’t get any packets because the switch forwarded the packets to 192.168.10.9 directly.

1.20 Connect the switch to the User PC with console cable.

1.21 Run Putty and open the terminal window.

Swithch>Enable

Swithch>Show mac-address-table dynamic

Ok, the test environment is settled.

Click here to watch the video1: Preparation (http://www.valit.ca/lab/lab7/lab7_1.html)

2. Flood MAC-address table.

2.1 In Sniffer PC: let’s use another capture filter in Wireshark, because we only care the traffic of the server

2.2 In Wireshark, click menu “capture”->”Interface”, click “options”, then click “capture filter”, and choose “IP address 192.168.10.9”, you may change the IP address. Click “ok” and “Start”.

2.3 Run ettercap. Click menu “Sniff”-> “Unified sniffing”, select the network interface, click “OK”.

2.4 Click menu “Plugins”-> “Manager the Plugins”, select “rand_flood”. Click menu “Start”-> “Start sniffing”.

2.5 In User PC: Inside the Putty window, enter “Show mac-address-table dynamic”, we’ll be able to see a lot of fate mac address.

2.6 Open a command line window, enter “telnet 192.168.10.9”, enter username and password, connect to the telnet server.

2.7 In Sniffer PC (192.168.10.10): we’ll be able to see the telnet traffic between 192.168.10.9(server) and 192.168.10.11(user), because the mac-address table is full, the switch has to broadcast the packets.

2.8 In User PC: Open IE Browser, enter Ftp://192.168.10.9, enter username and password. Connect to the FTP server.

2.9 In Sniffer PC (192.168.10.10): we’ll be able to see the FTP traffic between 192.168.10.9(server) and 192.168.10.11(user).

2.10 Ettercap also can sniff the telnet and ftp password, but if you want to capture and analyst other traffics, Wireshark is the better choise.

Click here to watch the video2: overflow (http://www.valit.ca/lab/lab7/lab7_2.html)