CCNA Network Services and Security • Complete Question Bank
Complete CCNA Network Services and Security question bank — all 0 questions with answers and detailed explanations.
A router interface applies this ACL inbound:
10 deny tcp any any eq 80
20 permit ip any any
A user reports that web browsing to a server by IP address fails, but ping works. Which statement best explains the behavior?
A show ip nat translations command displays this entry:
Inside global: 203.0.113.10:30001
Inside local: 192.168.10.25:51514
Outside local: 198.51.100.20:443
Outside global: 198.51.100.20:443
Which statement is correct?
A switch has DHCP snooping enabled and Dynamic ARP Inspection enabled on VLAN 30. A printer with a static IP on VLAN 30 cannot communicate because its ARP packets are being dropped.
What is the best fix?
A switch port is configured with port security using these commands:
switchport port-security
switchport port-security maximum 1
switchport port-security violation restrict
switchport port-security mac-address sticky
A user unplugs a company laptop and connects a different unauthorized device. The interface stays up/up, but the new device has no connectivity.
Which statement best explains what happened?
A host sends a packet larger than the outgoing interface MTU, and the IPv4 header has the Don't Fragment bit set.
What will a router do with the packet?
A router is configured as follows:
interface g0/1
 ip address 172.16.1.1 255.255.255.0
 ip helper-address 10.20.20.10
Hosts on 172.16.1.0/24 are not receiving addresses from the DHCP server at 10.20.20.10. The server is reachable by ping from the router.
What is the purpose of the ip helper-address command in this scenario?
An engineer wants users to get fast link-up on access ports but also wants the switch to disable a port if another switch is connected and sends BPDUs.
Which combination of features best meets that requirement?
access-list 110 ?
Refer to the exhibit. Users on the inside network can browse the web, but return traffic is failing for some sessions. A partial configuration shows:
interface GigabitEthernet0/0
 ip address 192.168.10.1 255.255.255.0
 ip nat outside
!
interface GigabitEthernet0/1
 ip address 203.0.113.10 255.255.255.0
 ip nat inside
!
ip nat inside source list 1 interface GigabitEthernet0/1 overload
access-list 1 permit 192.168.10.0 0.0.0.255
Based on this configuration, which change is required to make PAT work correctly?
interface GigabitEthernet0/0
 ip address 192.168.10.1 255.255.255.0
 ip nat outside
!
interface GigabitEthernet0/1
 ip address 203.0.113.10 255.255.255.252
 ip nat inside
!
access-list 1 permit 192.168.10.0 0.0.0.255
ip nat inside source list 1 interface GigabitEthernet0/1 overload
Observed symptom:
- Internal users can reach internal routes
- Internet browsing fails
- Private source addresses are still seen on outbound WAN traffic
`ip nat inside source static 192.168.1.50 203.0.113.50`
`ip nat inside source list 1 interface GigabitEthernet0/1 overload`
User test results:
- ping 10.20.30.40 = success
- open http://10.20.30.40 = success
- open http://intranet.corp.local = fail
interface Vlan30
 ip address 10.30.30.1 255.255.255.0
 no shutdown
interface Vlan99
 ip address 10.99.99.1 255.255.255.0
 no shutdown
Remote DHCP server: 10.99.99.20
interface GigabitEthernet0/0
 ip address 192.168.10.1 255.255.255.0
 ip nat outside
!
interface GigabitEthernet0/1
 ip address 203.0.113.10 255.255.255.252
 ip nat inside
!
access-list 1 permit 192.168.10.0 0.0.0.255
ip nat inside source list 1 interface GigabitEthernet0/1 overload
Requirement:
- Block HTTP from 10.10.10.0/24 to 172.16.1.10
- Permit all other traffic
access-list 110 ?
Client tests:
- ping 172.16.20.50 = success
- open http://172.16.20.50 = success
- open http://portal.corp.example = fail
Requirement:
- Block HTTPS from 10.20.20.0/24 to 172.16.5.10
- Allow all other traffic
Configured entry:
deny ip 10.20.20.0 0.0.0.255 host 172.16.5.10
User tests:
- ping 192.168.200.50 = success
- HTTP to 192.168.200.50 = success
- HTTP to app.internal.lab = fail
Requirement:
- Block Telnet from 10.30.30.0/24 to 172.16.9.9
- Allow all other traffic
Configured ACL entry:
deny tcp 10.30.30.0 0.0.0.255 host 172.16.9.9
Requirement:
- Block HTTPS from 10.44.44.0/24 to 172.16.8.20
Configured ACL entry:
deny tcp 10.44.44.0 0.0.0.255 host 172.16.8.20 eq 80
VLAN 70 DHCP scope:
 network 10.70.70.0 255.255.255.0
 default-router 10.70.70.1
Client tests:
- ping 192.0.2.50 = success
- open http://192.0.2.50 = success
- open http://portal.branch.lab = fail
interface Vlan40
 ip address 10.40.40.1 255.255.255.0
 ip helper-address 10.99.99.30
Expected VLAN 40 scope: 10.40.40.0/24
Observed client address range: 10.50.50.0/24
R1 has the following routes installed:
O 10.10.10.0/24 via 192.0.2.2
S 10.10.10.128/25 via 198.51.100.2
S* 0.0.0.0/0 via 203.0.113.1
A packet destined for 10.10.10.200 arrives at R1. Which route is used?
An ACL entry reads:
access-list 25 permit 192.168.8.0 0.0.0.15
Which address range does this statement match?
ip route 172.16.50.0 255.255.255.0 10.1.1.2
ip route 172.16.50.0 255.255.255.0 10.2.2.2 5
ip route 0.0.0.0 0.0.0.0 10.3.3.2
SW2# show spanning-tree vlan 10
Root ID Priority 32778
Address 0011.1111.1111
Cost 4
Port 1 (GigabitEthernet0/1)
Bridge ID Priority 32778
Address 00aa.aaaa.aaaa
R1 Gi0/0:
 ip address 10.10.12.1 255.255.255.252
 ip ospf 10 area 0
 ip mtu 1500
R2 Gi0/0:
 ip address 10.10.12.2 255.255.255.252
 ip ospf 10 area 0
 ip mtu 1400
Both interfaces are up/up. show ip ospf neighbor on both routers:
Neighbor ID Pri State Dead Time Address Interface
2.2.2.2 1 EXSTART 00:00:31 10.10.12.2 Gi0/0
R1 learns three OSPF routes to different destinations:
O 10.10.10.0/24
O IA 10.20.20.0/24
O E2 10.30.30.0/24
Which statement is correct about these route types?
AP-1 channel: 1
AP-2 channel: 3
AP-3 channel: 6
All three APs cover the same conference area on 2.4 GHz. Transmit power is set to high on all APs.
Based on the JSON snippet below, which statement is correct?
{
"device": {
"hostname": "R1",
"interfaces": [
{"name": "Gig0/0", "status": "up"},
{"name": "Gig0/1", "status": "down"}
]
}
}
interface GigabitEthernet0/0
 ip address 192.168.10.1 255.255.255.0
 ip nat outside
interface GigabitEthernet0/1
 ip address 203.0.113.2 255.255.255.252
 ip nat inside
access-list 1 permit 192.168.10.0 0.0.0.255
ip nat inside source list 1 interface GigabitEthernet0/1 overload
An ACL on R1 contains only these entries:
access-list 101 permit tcp 10.10.10.0 0.0.0.255 any eq 443
access-list 101 permit icmp any any
What happens to an HTTP packet sourced from 10.10.10.25 and destined for 198.51.100.10 if ACL 101 is applied in the traffic path?
WLAN: Guest
Mapped VLAN: 300
Switch interface Gi1/0/24 toward AP:
 switchport mode trunk
 switchport trunk allowed vlan 10,20,30
interface Vlan20
 ip address 10.20.20.1 255.255.255.0
 ip helper-address 10.50.0.100
interface Vlan30
 ip address 10.30.30.1 255.255.255.0
 ip helper-address 10.50.0.10
DHCP server address: 10.50.0.10
SW1:
 interface range g1/0/1-2
  channel-group 5 mode active
SW2:
 interface range g1/0/1-2
  channel-group 5 mode on
show ip route 192.0.2.0
Routing entry for 192.0.2.0/24
 Known via "ospf 1", distance 110, metric 20, type intra area
 Last update from 10.1.12.2 on GigabitEthernet0/0
Configured routes:
ip route 192.0.2.0 255.255.255.0 10.1.13.3 130
RIP also advertises 192.0.2.0/24 with distance 120.
show spanning-tree summary
Switch is in pvst mode
Root bridge for: VLAN0001 VLAN0010 VLAN0020
Extended system ID is enabled
Portfast Default is disabled
show spanning-tree vlan 40
Spanning tree enabled protocol ieee
Root ID Priority 327...
show ip route 203.0.113.0
Routing entry for 203.0.113.0/24
 Known via "static", distance 5, metric 0
 * 198.51.100.2
Configured route:
ip route 203.0.113.0 255.255.255.0 192.0.2.2 10 name ISP-A
ip route 203.0.113.0 255.255.255.0 198.51.100.2 5 name ISP-B
AP-1 5 GHz power: 8 dBm
AP-2 5 GHz power: 8 dBm
AP-3 5 GHz power: 23 dBm
AP-4 5 GHz power: 8 dBm
Users report problems mainly near AP-3's area boundary.
ip flow-export destination 10.99.99.50 2055
ip flow-export source Loopback0
interface Loopback0
 ip address 172.16.255.1 255.255.255.255
interface GigabitEthernet0/0
 ip address 10.99.99.2 255.255.255.0
Collector subnet: 10.99.99.0/24
Collector accepts exports only from 10.99.99.2
access-list 1 permit 10.10.20.0 0.0.0.255
ip nat inside source list 1 interface GigabitEthernet0/0 overload
interface GigabitEthernet0/0
 ip address 198.51.100.2 255.255.255.252
 ip nat outside
interface GigabitEthernet0/1
 ip address 10.10.10.1 255.255.255.0
 ip nat inside
Users are in 10.10.10.0/24.
PC1 ipconfig
 IPv4 Address . . . . . . . . . : 10.40.40.25
 Subnet Mask . . . . . . . . . : 255.255.255.0
 Default Gateway . . . . . . . : 10.40.40.1
 DNS Server . . . . . . . . . . : 10.4.4.4
PC1> ping 8.8.8.8
 success
PC1> ping www.example.com
 failed
Correct internal DNS server: 10.40.10.53
SW1:
 interface range g1/0/1-2
  switchport mode trunk
  channel-group 5 mode active
SW2:
 interface range g1/0/1-2
  switchport mode trunk
  channel-group 5 mode desirable
Access-SW uplink:
interface g0/24
 switchport mode trunk
 switchport trunk allowed vlan 10,20
User ports:
interface range g0/1-12
 switchport mode access
 switchport access vlan 30
Distribution switch SVI:
interface vlan 30
 ip address 10.30.30.1 255.255.255.0
Clients: 10.40.40.0/24 in VLAN 40
SVI on distribution switch: 10.40.40.1/24
DHCP server: 172.16.1.10/24, reachable by routing
Clients keep sending DHCPDISCOVER and receive no offer.
ACL 15:
access-list 15 deny 10.10.10.50
access-list 15 permit any
Applied inbound on G0/0, the user LAN interface.
PC output:
C:\> ping 8.8.8.8 -> success
C:\> ping www.example.com -> Ping request could not find host www.example.com
Requirement: Allow 10.1.10.0/24 to reach 198.51.100.20 on TCP ports 80 and 443 only. Block all other traffic from 10.1.10.0/24.
Configured:
interface G0/0
 ip nat inside
interface G0/1
 ip nat outside
No translations appear in 'show ip nat translations'.
interface g0/0
 ip address 192.168.20.1 255.255.255.0
 ip nat outside
!
interface g0/1
 ip address 203.0.113.2 255.255.255.252
 ip nat inside
!
ip nat inside source list 10 interface g0/1 overload
access-list 10 permit 192.168.20.0 0.0.0.255
Client IP address: 192.168.50.23/24
Ping to 192.168.50.1 succeeds
Ping to 8.8.8.8 fails
DHCP pool intended for VLAN 50 users
access-list 101 permit tcp any any eq 80
interface g0/1
 ip access-group 101 in
DMZ web server: 172.16.100.10
Source subnet: 10.20.30.0/24
Requirement: block Telnet, allow HTTP and HTTPS
ip nat inside source list 10 interface g0/1
access-list 10 permit 10.10.10.0 0.0.0.255
G0/0 = inside
G0/1 = outside
VLAN 20 clients: 10.20.20.0/24
DHCP server: 10.99.99.10
Clients and server are in different subnets
show ntp associations
 address ref clock st when poll reach delay offset disp
*~10.10.50.5 .INIT. 16 - 64 0 0.000 0.000 16000
Configured server: 10.10.50.5
Requirement: send warnings, errors, critical, alerts, and emergencies
line vty 0 4
 access-class 12 in
 transport input ssh
access-list 12 permit 10.5.5.0 0.0.0.255
User can ping 8.8.8.8
User cannot resolve www.example.com
show run | section nat
ip nat inside source list 10 interface g0/0 overload
access-list 10 permit 192.168.10.0 0.0.0.255
Targets:
Log collector 10.10.10.50
Time source 10.10.10.60
interface vlan 30
 ip address 10.30.30.1 255.255.255.0
 no shutdown
DHCP server: 10.99.99.20
ip nat inside source static 192.168.20.10 198.51.100.10
interface g0/0
 ip nat outside
 ip access-group OUTSIDE-IN in
Requirement: report top applications and source-destination flows on WAN links
SW1# show port-security interface gi1/0/5
Port Security : Enabled
Port Status : Secure-up
Violation Mode : Restrict
Maximum MAC Addresses : 2
Current MAC Addresses : 2
SW1# show errdisable recovery
ErrDisable Reason Timer Status
bpduguard Enabled
SW1# show interface status err-disabled
Port Name Status Reason
Gi1/0/11 err-disabled bpduguard
ip nat inside source list 10 interface g0/0 overload
access-list 10 permit 192.168.10.0 0.0.0.255
!
interface g0/0
 ip address 203.0.113.2 255.255.255.252
!
interface g0/1
 ip address 192.168.10.1 255.255.255.0
 ip nat inside
access-list 101 deny tcp 192.168.10.0 0.0.0.255 host 10.1.1.10 eq 23
access-list 101 permit ip any any
!
interface g0/1
 ip access-group 101 out
Client output:
IP address: 192.168.50.22/24
Default gateway: 192.168.50.1
DNS server: 0.0.0.0
R1# show ntp associations
 address ref clock st when poll reach delay offset disp
~192.0.2.50 203.0.113.1 3 12 64 377 22.1 0.8 1.2
*198.51.100.20 .GPS. 1 14 64 377 18.3 0.4 0.9
ip access-list standard USERS_ONLY
 permit 192.168.30.0 0.0.0.255
 deny any
interface g0/1
 ip access-group USERS_ONLY out
R1(config)# access-list 1 permit 192.168.10.0 0.0.0.255
R1(config)# ip nat inside source list 1 interface g0/1 overload
R1# show ip nat translations
Pro Inside global Inside local Outside local Outside global
udp 203.0.113.10:1054 192.168.10.25:1054 8.8.8.8:53 8.8.8.8:53
R2# show clock
*00:12:11.123 UTC Mon Mar 1 1993
R3# show logging | include %LINEPROTO
Mar 1 00:12:17.011: %LINEPROTO-5-UPDOWN: Line protocol on Interface G0/0, changed state to up
Router(config)# ip flow-export destination 192.0.2.50 2055
Router(config)# ip flow-export version 9
Relevant config:
interface GigabitEthernet0/1.20
 encapsulation dot1Q 20
 ip address 10.20.20.1 255.255.255.0
!
ip dhcp excluded-address 10.20.20.1 10.20.20.254
ip dhcp pool USERS20
 network 10.20.20.0 255.255.255.0
 default-router 10.20.20.1
Current NAT:
ip nat inside source list 10 interface GigabitEthernet0/0 overload
Example message: %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to down
Interface: GigabitEthernet1/0/1
MAC Address: aaaa.bbbb.cccc
IP Address: Unknown
Status: Authz Success
Domain: DATA
Oper host mode: single-host
Oper control dir: both
Session timeout: N/A
Common Session ID: 0A1B2C3D4E5F6G7H8I9J
Acct Session ID: 0x00000001
Handle: 0x81000001
Current Policy: DEFAULT
Server Policies:
Vlan Group: Vlan: 10
Method status list:
Method State
dot1x Authc Success
Switch# show running-config interface GigabitEthernet1/0/1
Building configuration...
Current configuration : 250 bytes
!
interface GigabitEthernet1/0/1
switchport mode access
switchport access vlan 10
authentication port-control auto
authentication periodic
authentication timer reauthenticate 3600
dot1x pae authenticator
dot1x timeout tx-period 3
spanning-tree portfast
end
Switch# show authentication sessions interface GigabitEthernet1/0/1 details
Interface: GigabitEthernet1/0/1
MAC Address: aaaa.bbbb.cccc
IP Address: 192.168.10.25
User-Name: host/workstation
Status: Authz Success
Domain: DATA
Oper host mode: single-host
Oper control dir: both
Session timeout: 3600s
Common Session ID: 0A1B2C3D4E5F6G7H8I9J0K
Acct Session ID: 0x00000001
Handle: 0x00000001
Runnable methods list:
Method State
dot1x Authz Success
Switch# show dot1x all details
Sysauthcontrol ENABLED
Dot1x Protocol Version 3
Supplicant aaaa.bbbb.cccc, GigabitEthernet1/0/1
PAE = AUTHENTICATOR
quietPeriod = 60
serverTimeout = 30
maxReq = 2
reAuthMax = 2
allowAuthOn = [all]
startPeriod = 30
handshakePeriod = 15
txPeriod = 3
guestVlan = 999
authVlan = 100
criticalVlan = 200
hostMode = SINGLE_HOST
port-control = AUTO
control-direction = BOTH
host-auth = [success]
re-authentication = ENABLED
re-authperiod = 3600
server-timeout = 30
supp-timeout = 30
server-retries = 2
supp-retries = 2
max-reauth-req = 2
lastrx = 0
cap = 0
status = AUTHORIZED
state = HELD
backend-state = HELD
method = dot1x
timeout = 30
SW1#show authentication sessions interface GigabitEthernet0/1 details
Interface: GigabitEthernet0/1
MAC Address: aaaa.bbbb.cccc
IP Address: 192.168.1.100
Status: Authorized
Domain: DATA
Oper host mode: single-host
Oper control dir: both
Session timeout: N/A
Common Session ID: 0A1234567890ABCDEF123456
Acct Session ID: 0x00000001
Handle: 0x00000001
Runnable methods list:
Method State
dot1x Authc Success
SW1#show dot1x interface GigabitEthernet0/1 details
Dot1x Info for GigabitEthernet0/1
-----------------------------
PAE = AUTHENTICATOR
PortControl = AUTO
PortStatus = AUTHORIZED
ReAuthentication = Disabled
QuietPeriod = 60
ServerTimeout = 30
SuppTimeout = 30
ReAuthMax = 2
MaxReq = 2
TxPeriod = 30
RateLimitPeriod = 0
SW1#show running-config interface GigabitEthernet0/1
Building configuration...
Current configuration : 200 bytes
!
interface GigabitEthernet0/1
 switchport mode access
 switchport access vlan 10
 authentication port-control auto
 dot1x pae authenticator
 spanning-tree portfast
end
Router# show running-config | section interface GigabitEthernet0/1
interface GigabitEthernet0/1
 ip address 192.168.10.1 255.255.255.0
 ip access-group OUTBOUND_FILTER out
 duplex auto
 speed auto
!
Router# show running-config | section ip access-list extended OUTBOUND_FILTER
ip access-list extended OUTBOUND_FILTER
 permit tcp 192.168.10.0 0.0.0.255 host 10.10.10.10 established
 permit icmp 192.168.10.0 0.0.0.255 host 10.10.10.10 echo-request
 deny ip any any
R1# show ip nat translations
Pro Inside global Inside local Outside local Outside global
--- 203.0.113.10 192.168.1.10 198.51.100.1 198.51.100.1
--- 203.0.113.11 192.168.1.20 198.51.100.2 198.51.100.2
R1# show ip nat statistics
Total active translations: 2 (0 static, 2 dynamic; 2 extended)
Pool translations: 2
Outside interfaces: GigabitEthernet0/0
Inside interfaces: GigabitEthernet0/1
Hits: 5 Misses: 0
CEF Translated packets: 5, CEF Punted packets: 0
Expired translations: 0
Dynamic mappings:
-- Inside Source
[Id] ip nat pool POOL 203.0.113.10 203.0.113.20 netmask 255.255.255.0
 access-list NAT permit 192.168.1.0 0.0.0.255
 Refcount: 2
R1# show ip nat translations
Pro Inside global Inside local Outside local Outside global
--- 203.0.113.10 192.168.1.10 --- ---
--- 203.0.113.11 192.168.1.11 --- ---
--- 203.0.113.12 192.168.1.12 --- ---
--- 203.0.113.13 192.168.1.13 --- ---
--- 203.0.113.14 192.168.1.14 --- ---
--- 203.0.113.15 192.168.1.15 --- ---
--- 203.0.113.16 192.168.1.16 --- ---
--- 203.0.113.17 192.168.1.17 --- ---
--- 203.0.113.18 192.168.1.18 --- ---
--- 203.0.113.19 192.168.1.19 --- ---
--- 203.0.113.20 192.168.1.20 --- ---
--- 203.0.113.21 192.168.1.21 --- ---
--- 203.0.113.22 192.168.1.22 --- ---
--- 203.0.113.23 192.168.1.23 --- ---
--- 203.0.113.24 192.168.1.24 --- ---
--- 203.0.113.25 192.168.1.25 --- ---
--- 203.0.113.26 192.168.1.26 --- ---
--- 203.0.113.27 192.168.1.27 --- ---
--- 203.0.113.28 192.168.1.28 --- ---
--- 203.0.113.29 192.168.1.29 --- ---
--- 203.0.113.30 192.168.1.30 --- ---
R1# show ip nat translations
Pro Inside global Inside local Outside local Outside global
--- 192.0.2.10 10.0.0.10 --- ---
--- 192.0.2.11 10.0.0.11 --- ---
--- 192.0.2.12 10.0.0.12 --- ---
--- 192.0.2.13 10.0.0.13 --- ---
--- 192.0.2.14 10.0.0.14 --- ---
--- 192.0.2.15 10.0.0.15 --- ---
--- 192.0.2.16 10.0.0.16 --- ---
--- 192.0.2.17 10.0.0.17 --- ---
--- 192.0.2.18 10.0.0.18 --- ---
--- 192.0.2.19 10.0.0.19 --- ---
R1# show running-config | include ip nat
ip nat pool MYPOOL 192.0.2.10 192.0.2.19 netmask 255.255.255.240
ip nat inside source list 1 pool MYPOOL
C:\Users\User1> nslookup intranet.company.local
Server: dc01.company.local
Address: 192.168.10.10
*** dc01.company.local can't find intranet.company.local: Non-existent domain
C:\Users\User1> nslookup mail.company.local
Server: dc01.company.local
Address: 192.168.10.10
Name: mail.company.local
Address: 192.168.10.55
C:\Users\User1> nslookup 192.168.10.50
Server: dc01.company.local
Address: 192.168.10.10
Name: webserver.company.local
Address: 192.168.10.50
A network administrator is troubleshooting an issue where internal hosts can ping the company's web server by IP address (192.0.2.10) but cannot access it using the fully qualified domain name www.example.com. The DNS server (192.0.2.5) is reachable and responds to queries. The administrator runs nslookup www.example.com from a host and receives the following output:
C:\> nslookup www.example.com
Server: UnKnown
Address: 192.0.2.5
Name: www.example.com
Address: 192.0.2.20
Based on the output, what is the most likely cause of the problem?
C:\Users\admin> nslookup www.example.com
Server: dns.example.com
Address: 192.0.2.5
Name: www.example.com
Address: 198.51.100.1
C:\Users\admin> ping 198.51.100.1
Pinging 198.51.100.1 with 32 bytes of data:
Reply from 192.0.2.10: Destination host unreachable.
C:\Users\admin> ping 192.0.2.10
Pinging 192.0.2.10 with 32 bytes of data:
Reply from 192.0.2.10: bytes=32 time<1ms TTL=128
Switch# show ip dhcp pool VLAN10
Pool VLAN10 :
Utilization mark (high/low) : 100 / 0
Subnet size (first/next) : 192.168.1.0 / 24
Total addresses : 254
Leased addresses : 0
Pending event : none
Automatic bindings :
Lease time : 1 day
Next network numbers :
192.168.1.0
Switch# show ip dhcp server statistics
Memory usage : 26740
Address pools : 1
Database agents : 0
Automatic bindings : 0
Manual bindings : 0
Expired bindings : 0
Malformed messages : 0
Message Received:
BOOTREQUEST : 0
DHCPDISCOVER : 0
DHCPREQUEST : 0
DHCPDECLINE : 0
DHCPRELEASE : 0
DHCPINFORM : 0
Switch# show ip dhcp conflict
IP address Detection method Detection time
192.168.1.1 Ping Jan 1 00:00:00.000
192.168.1.254 Ping Jan 1 00:00:00.000
Router# show running-config | section interface GigabitEthernet0/1
interface GigabitEthernet0/1
 description VLAN 200
 ip address 192.168.200.1 255.255.255.0
 ip helper-address 192.168.100.10
 no shutdown
!
Router# show ip dhcp relay information trusted
DHCP relay information trusted: Not configured
Router# show ip dhcp server statistics
Memory usage: 12345
Address pools: 1
Database agents: 0
Automatic bindings: 0
Manual bindings: 0
Expired bindings: 0
Malformed messages: 0
Message received:
BOOTREQUEST: 0
DHCPDISCOVER: 0
DHCPREQUEST: 0
DHCPDECLINE: 0
DHCPRELEASE: 0
DHCPINFORM: 0
Message sent:
BOOTREPLY: 0
DHCPOFFER: 0
DHCPACK: 0
DHCPNAK: 0
R1# show running-config | section aaa
aaa new-model
aaa authentication login default local
aaa authentication dot1x default local
aaa authorization network default local
!
radius server RADIUS
 address ipv4 10.0.0.2 auth-port 1812 acct-port 1813
 key cisco123
!
interface GigabitEthernet0/1
 switchport mode access
 dot1x pae authenticator
 spanning-tree portfast
!
R1# show dot1x interface GigabitEthernet0/1
dot1x status for interface Gi0/1
PAE = AUTHENTICATOR
portControl = AUTO
controlDirection = Both
hostMode = SINGLE_HOST
reAuthentication = Disabled
quietPeriod = 60
serverTimeout = 30
suppTimeout = 30
reAuthPeriod = 3600 (Locally configured)
reAuthMax = 2
maxReq = 2
txPeriod = 30
rateLimitPeriod = 0
Session:
 Authen Method = NONE
 Auth SM State = DISCONNECTED
 Auth BEND SM State = IDLE
 Port Status = UNAUTHORIZED
 Wait Client = TRUE
R1# show running-config | section aaa
aaa new-model
aaa authentication login default group radius local
radius server RADIUS
 address ipv4 192.0.2.10
 key cisco123
!
R1# show aaa servers
RADIUS: id 1, priority 1, host 192.0.2.10, auth-port 1812, acct-port 1813
 State: current UP, duration 120s, previous duration 0s
 Dead: total 0, retransmit 0
SW1# show running-config | section dot1x
dot1x system-auth-control
dot1x port-control auto
interface GigabitEthernet0/1
 switchport mode access
 dot1x pae authenticator
 dot1x timeout reauth-period 3600
!
SW1# show authentication sessions interface GigabitEthernet0/1
Interface: GigabitEthernet0/1
MAC Address: Unknown
IP Address: Unknown
Status: Unauthorized
Domain: DATA
Oper host mode: single-host
Session timeout: N/A
Common Session ID: 0000000000000000000000
Acct Session ID: 0x00000000
Auth Method: dot1x
SW1# show dot1x all summary
Interface PAE Authenticator Supplicant Server
Gi0/1 AUTH UNAUTHORIZED N/A N/A
R1# show running-config | section aaa|radius|interface|line|username
username admin secret 5 $1$abc$defghijklmnopqrstuvwxyz12345
!
aaa new-model
aaa authentication login default group radius local
aaa authentication dot1x default group radius
!
radius server RADIUS
 address ipv4 198.51.100.10 auth-port 1812 acct-port 1813
 key cisco123
!
interface GigabitEthernet0/1
 switchport mode access
 authentication port-control auto
 dot1x pae authenticator
!
line vty 0 4
 login authentication default
 transport input ssh
!
end
R1# show dot1x interface GigabitEthernet0/1 details
Dot1x Info for GigabitEthernet0/1
-----------------------------
PAE = AUTHENTICATOR
PortControl = AUTO
PortStatus = UNAUTHORIZED
ReAuthentication = Disabled
QuietPeriod = 60
ServerTimeout = 30
SuppTimeout = 30
ReAuthMax = 2
MaxReq = 2
TxPeriod = 30
AuthPeriod = 30
R1# show radius server-group all
Server group radius
 Type: Standard
 Member servers: RADIUS
 VRF: default
R1# show radius server RADIUS
Radius server: RADIUS
 Address: 198.51.100.10
 Auth Port: 1812
 Acct Port: 1813
 Timeout: 5 seconds
 Retransmit: 3
 Key: cisco123
 State: current UP
 Dead: 0
 Authentication: 0 requests, 0 timeouts, 0 failures
 Accounting: 0 requests, 0 timeouts, 0 failures
R1# show running-config | section aaa
aaa new-model
!
!
R1# show running-config | include radius
!
R1# show running-config interface GigabitEthernet0/1
interface GigabitEthernet0/1
switchport mode access
authentication port-control auto
dot1x pae authenticator
!
R1# show authentication sessions interface GigabitEthernet0/1 details
Interface: GigabitEthernet0/1
MAC Address: 0050.7966.6800
IP Address: Unknown
User-Name: host-1
Status: Unauthorized
Domain: DATA
Oper host mode: single-host
Oper control dir: both
Session timeout: N/A
Common Session ID: 0A1B2C3D4E5F6G7H8I9J
Acct Session ID: 0x00000001
Handle: 0x81000001
Runnable methods list:
Method list: dot1x
R1# show running-config | section aaa
aaa new-model
aaa authentication login default group radius local
aaa authentication dot1x default group radius
!
radius server RADIUS
 address ipv4 10.0.0.2 auth-port 1812 acct-port 1813
 key cisco123
!
interface GigabitEthernet0/1
 switchport mode access
 authentication port-control auto
 dot1x pae authenticator
!
R1# show aaa servers
RADIUS: id 1, priority 1, host 10.0.0.2, auth-port 1812, acct-port 1813
 State: current UP, duration 120s, previous duration 0s
 Dead: total time 0s, count 0
R1# show dot1x interface GigabitEthernet0/1 details
Dot1x Info for GigabitEthernet0/1
-------------------------------
PAE = AUTHENTICATOR
PortControl = AUTO
PortStatus = UNAUTHORIZED
ReAuthentication = Disabled
QuietPeriod = 60
ServerTimeout = 30
SuppTimeout = 30
ReAuthMax = 2
MaxReq = 2
TxPeriod = 30
RateLimitPeriod = 0
AuthMethod = Open
Critical = no
Critical Recovery = no
Guest VLAN = no
Host Mode = Single
Auth-Fail VLAN = no
Vlan Group = no
Capability = n/a
Client Status = not authenticated
Client Mac = 0000.0000.0000
Client IP = 0.0.0.0
Client Username = unknown
Client Auth Protocol = unknown
Client VLAN = 0
Client Session ID = 0
R1# show running-config | section aaa
no aaa new-model
!
R1# show running-config | section radius
!
R1# show running-config interface GigabitEthernet0/1
interface GigabitEthernet0/1
 description 802.1X port
 switchport mode access
 switchport access vlan 10
 authentication port-control auto
 dot1x pae authenticator
 spanning-tree portfast
!
R1# show authentication sessions interface GigabitEthernet0/1
Interface: GigabitEthernet0/1
MAC Address: aaaa.bbbb.cccc
IP Address: unknown
Status: Unauthorized
Domain: DATA
Oper host mode: single-host
Oper control dir: both
Session timeout: N/A
Common Session ID: 0A0000010000000100000001
Acct Session ID: 0x00000001
Handle: 0x51000001
R1# test aaa group radius legacy aaaa.bbbb.cccc password cisco123
Trying to authenticate with server group radius
User authentication request was rejected by server
R1# show ip interface brief
Interface IP-Address OK? Method Status Protocol
GigabitEthernet0/0 203.0.113.1 YES NVRAM up up
GigabitEthernet0/1 unassigned YES unset up up
Loopback0 10.10.10.1 YES NVRAM up up
R1# show running-config | section aaa|radius|dot1x|interface GigabitEthernet0/1
aaa new-model
aaa authentication login default group radius local
radius server RADIUS_SERVER
 address ipv4 192.0.2.10 auth-port 1812 acct-port 1813
 key Cisco123
!
interface GigabitEthernet0/1
 description 802.1X Port
 switchport mode access
 authentication port-control auto
 dot1x pae authenticator
 spanning-tree portfast
!
R1# show authentication sessions interface GigabitEthernet0/1
Interface: GigabitEthernet0/1
MAC Address: 0050.7966.6800
IP Address: Unknown
Status: Unauthorized
Domain: DATA
Oper host mode: single-host
Oper control dir: both
Session timeout: N/A
Common Session ID: 0A0000010000000B00000001
Acct Session ID: 0x00000001
Handle: 0x81000001
R1# ping 192.0.2.10
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.0.2.10, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5)
R1# show radius server-group
Server group radius: not defined
R1# show running-config | section interface GigabitEthernet0/0
interface GigabitEthernet0/0
 ip address 192.168.1.1 255.255.255.0
 ip access-group BLOCK_SERVER in
 duplex auto
 speed auto
!
R1# show running-config | section ip access-list
ip access-list extended BLOCK_SERVER
 deny tcp any host 203.0.113.5 eq 80
 permit ip any any
!
R1# show running-config | section interface
interface GigabitEthernet0/0
ip address 192.168.1.1 255.255.255.0
no shutdown
!
interface GigabitEthernet0/1
ip address 10.0.0.1 255.255.255.0
no shutdown
!
R1# show ip route
Codes: L - local, C - connected, S - static
10.0.0.0/24 is subnetted, 1 subnets
C 10.0.0.0/24 is directly connected, GigabitEthernet0/1
192.168.1.0/24 is subnetted, 1 subnets
C 192.168.1.0/24 is directly connected, GigabitEthernet0/0
203.0.113.1/32 [1/0] via 192.168.1.2
R1#show running-config | section interface
interface GigabitEthernet0/0
ip address 192.168.1.1 255.255.255.0
ip access-group BLOCK_SSH in
duplex auto
speed auto
!
interface GigabitEthernet0/1
ip address 203.0.113.1 255.255.255.252
duplex auto
speed auto
!
R1#show access-lists
Extended IP access list BLOCK_SSH
10 deny tcp 192.168.1.0 0.0.0.255 host 203.0.113.10 eq 22
20 permit ip any any
R1# show running-config | section interface
interface GigabitEthernet0/0
 ip address 10.0.0.1 255.255.255.252
 duplex auto
 speed auto
!
interface GigabitEthernet0/1
 ip address 10.0.1.1 255.255.255.252
 duplex auto
 speed auto
!
R1# show running-config | section access-list
access-list 10 permit any
!
interface GigabitEthernet0/0
 ip access-group 10 in
!
R1# show running-config | section interface GigabitEthernet0/0
interface GigabitEthernet0/0
 ip address 192.0.2.1 255.255.255.252
 ip access-group BLOCK_HTTP in
 duplex auto
 speed auto
!
R1# show running-config | section access-list
ip access-list extended BLOCK_HTTP
 deny tcp any 203.0.113.100 0.0.0.0 eq 80
 deny tcp any 203.0.113.100 0.0.0.0 eq 443
 permit ip 192.168.10.0 0.0.0.255 203.0.113.100 0.0.0.0
 permit tcp 192.168.20.0 0.0.0.255 203.0.113.100 0.0.0.0 eq 22
 permit tcp 192.168.20.0 0.0.0.255 203.0.113.100 0.0.0.0 eq 23
 permit tcp 192.168.20.0 0.0.0.255 203.0.113.100 0.0.0.0 eq 443
 permit tcp 192.168.20.0 0.0.0.255 203.0.113.100 0.0.0.0 eq 80
!
R1# show running-config | section interface GigabitEthernet0/1
interface GigabitEthernet0/1
ip address 192.168.10.1 255.255.255.0
ip access-group BLOCK_SMTP in
duplex auto
speed auto
!
R1# show access-lists BLOCK_SMTP
Extended IP access list BLOCK_SMTP
10 deny tcp any any eq 25
20 permit ip any any
R1# show running-config | section interface
interface GigabitEthernet0/0
 ip address 192.168.1.1 255.255.255.0
 duplex auto
 speed auto
!
interface GigabitEthernet0/1
 ip address 10.0.0.1 255.255.255.252
 duplex auto
 speed auto
!
R1# show access-lists
(no output: no ACLs configured)
hostname R1
!
interface GigabitEthernet0/0
 ip address 192.168.1.1 255.255.255.0
 no shutdown
!
interface GigabitEthernet0/1
 ip address 203.0.113.1 255.255.255.0
 no shutdown
!
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/1
!
R1# show running-config | section interface
interface GigabitEthernet0/0
 description LAN - 192.168.1.0/24
 ip address 192.168.1.1 255.255.255.0
 no shutdown
!
interface GigabitEthernet0/1
 description LAN - 192.168.2.0/24
 ip address 192.168.2.1 255.255.255.0
 no shutdown
!
interface Serial0/0/0
 description WAN to ISP
 ip address 203.0.113.1 255.255.255.252
 no shutdown
R1# show running-config | section interface GigabitEthernet0/1
interface GigabitEthernet0/1
ip address 192.0.2.1 255.255.255.0
ip access-group BLOCK_IN in
duplex auto
speed auto
R1# show access-lists
Extended IP access list BLOCK_IN
10 deny ip any any
R1# show ip interface GigabitEthernet0/1 | include access
Inbound access list is BLOCK_IN

R1# show running-config | section interface GigabitEthernet0/0
interface GigabitEthernet0/0
ip address 192.168.1.1 255.255.255.0
ip access-group PERMIT_ALL in
!
R1# show running-config | section ip access-list
ip access-list extended PERMIT_ALL
permit ip any any
R1# show running-config | section interface
interface GigabitEthernet0/0
description Link to Internal LAN
ip address 192.168.1.1 255.255.255.0
duplex auto
speed auto
!
interface GigabitEthernet0/1
description Link to ISP
ip address 203.0.113.2 255.255.255.252
duplex auto
speed auto
!
ip access-list extended BRANCH_IN
permit tcp 192.168.1.0 0.0.0.255 host 203.0.113.10 eq 80
permit icmp any any echo-reply
R1# show running-config | section ip nat
ip nat inside source list 10 interface GigabitEthernet0/1 overload
ip nat inside source static tcp 192.168.1.10 80 203.0.113.3 80 extendable
!
access-list 10 permit 10.0.0.0 0.255.255.255
!
interface GigabitEthernet0/0
ip address 192.168.1.1 255.255.255.0
ip nat inside
!
interface GigabitEthernet0/1
ip address 203.0.113.2 255.255.255.248
ip nat outside
!
R1# show running-config | section ip nat
ip nat inside source list 1 interface GigabitEthernet0/1
ip nat inside source static tcp 192.168.1.10 80 198.51.100.10 80 extendable
!
interface GigabitEthernet0/0
ip address 192.168.1.1 255.255.255.0
ip nat inside
!
interface GigabitEthernet0/1
ip address 203.0.113.1 255.255.255.252
ip nat inside
!
access-list 1 permit 192.168.2.0 0.0.0.255
R1# show running-config | section ip nat
ip nat inside source list 100 interface GigabitEthernet0/1
ip nat inside source static 192.168.1.10 203.0.113.5
access-list 100 permit ip 192.168.2.0 0.0.0.255 any
!
interface GigabitEthernet0/0
ip address 192.168.1.1 255.255.255.0
ip nat outside
!
interface GigabitEthernet0/1
ip address 203.0.113.1 255.255.255.0
ip nat inside
!
R1# show running-config | section ip nat
ip nat inside source list 100 interface GigabitEthernet0/1
ip nat inside source static tcp 192.168.1.100 80 interface GigabitEthernet0/1 80
!
interface GigabitEthernet0/0
ip address 192.168.1.1 255.255.255.0
ip nat inside
!
interface GigabitEthernet0/1
ip address 203.0.113.1 255.255.255.248
ip nat inside
!
access-list 100 permit ip 192.168.2.0 0.0.0.255 any
R1# show running-config | section ip nat
ip nat inside source list NAT_POOL interface GigabitEthernet0/1
ip nat inside source static tcp 192.168.1.10 80 203.0.113.3 80 extendable
!
interface GigabitEthernet0/0
ip address 192.168.1.1 255.255.255.0
ip nat outside
!
interface GigabitEthernet0/1
ip address 203.0.113.2 255.255.255.248
ip nat inside
!
access-list 10 permit 10.0.0.0 0.255.255.255
R1# show running-config | section ip nat
ip nat inside source list 100 interface GigabitEthernet0/1
ip nat inside source static 192.168.1.10 203.0.113.10
!
R1# show running-config | section interface
interface GigabitEthernet0/0
ip address 192.168.1.1 255.255.255.0
ip nat inside
!
interface GigabitEthernet0/1
ip address 203.0.113.1 255.255.255.0
ip nat outside
!
R1# show access-lists 100
Standard IP access list 100
10 permit 192.168.2.0 0.0.0.255

R1# show running-config | section ip nat
ip nat inside source list 10 interface GigabitEthernet0/1
ip nat inside source static tcp 10.10.10.100 80 203.0.113.2 80
!
interface GigabitEthernet0/0
ip address 10.10.10.1 255.255.255.0
ip nat outside
!
interface GigabitEthernet0/1
ip address 203.0.113.1 255.255.255.248
ip nat inside
!
access-list 10 permit 192.168.1.0 0.0.0.255
R1# show running-config | section ip nat
ip nat inside source list 1 interface GigabitEthernet0/1
ip nat inside source static 192.168.1.10 203.0.113.10
!
interface GigabitEthernet0/0
ip address 192.168.1.1 255.255.255.0
ip nat inside
!
interface GigabitEthernet0/1
ip address 198.51.100.1 255.255.255.0
ip nat inside
!
access-list 1 permit 10.0.0.0 0.255.255.255
R1# show running-config | section ip nat
ip nat inside source list 10 interface GigabitEthernet0/1 overload
ip nat inside source static 192.168.1.100 203.0.113.5
!
access-list 10 permit 10.0.0.0 0.255.255.255
!
interface GigabitEthernet0/0
ip address 192.168.1.1 255.255.255.0
ip nat inside
!
interface GigabitEthernet0/1
ip address 203.0.113.2 255.255.255.248
ip nat inside
!
interface Serial0/0/0
ip address 10.0.0.1 255.255.255.252
ip nat outside
!
R1# show running-config | section ip nat
ip nat inside source list 100 interface GigabitEthernet0/1
ip nat inside source static 192.168.10.100 203.0.113.10
!
access-list 100 permit ip host 192.168.10.100 any
!
interface GigabitEthernet0/0
ip address 192.168.10.1 255.255.255.0
ip nat inside
!
interface GigabitEthernet0/1
ip address 203.0.113.2 255.255.255.252
ip nat inside
!
interface GigabitEthernet0/2
ip address 10.0.0.1 255.255.255.252
no ip nat
R1# show running-config | section ip nat
ip nat inside source list 100 interface GigabitEthernet0/1
ip nat inside source static tcp 192.168.10.100 80 203.0.113.5 80 extendable
!
access-list 100 permit ip 192.168.20.0 0.0.0.255 any
!
interface GigabitEthernet0/0
ip address 192.168.10.1 255.255.255.0
ip nat inside
!
interface GigabitEthernet0/1
ip address 203.0.113.1 255.255.255.0
ip nat outside
!
R1# show running-config | section ip nat
ip nat inside source list 1 interface GigabitEthernet0/1 overload
ip nat inside source static tcp 192.168.1.10 80 203.0.113.6 80
!
ip nat inside source list 2 interface GigabitEthernet0/0 overload
!
interface GigabitEthernet0/0
ip address 203.0.113.1 255.255.255.248
ip nat inside
!
interface GigabitEthernet0/1
ip address 192.168.1.1 255.255.255.0
ip nat outside
!
access-list 1 permit 192.168.2.0 0.0.0.255
access-list 2 permit 192.168.1.0 0.0.0.255
R1# show running-config | section ip nat
ip nat pool GLOBAL 203.0.113.1 203.0.113.1 netmask 255.255.255.0
ip nat inside source list 1 pool GLOBAL
ip nat inside source static tcp 192.168.1.10 80 203.0.113.10 80
!
interface GigabitEthernet0/0
ip address 192.168.1.1 255.255.255.0
ip nat outside
!
interface GigabitEthernet0/1
ip address 203.0.113.1 255.255.255.0
ip nat inside
!
access-list 1 permit 192.168.2.0 0.0.0.255
R1# show running-config | section ip domain
ip domain lookup
ip name-server 10.0.0.2
ip domain timeout 3
ip domain retry 2
!
R1# ping 203.0.113.10
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 203.0.113.10, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
R1# nslookup www.example.com
Server: 10.0.0.2
Address: 10.0.0.2#53
** server can't find www.example.com: SERVFAIL
R1# dig www.example.com @203.0.113.10
; <<>> DiG 9.11.3 <<>> www.example.com @203.0.113.10
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 12345
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.example.com. IN A
;; Query time: 2 msec
;; SERVER: 203.0.113.10#53(203.0.113.10)
;; WHEN: Mon Jan 01 00:00:00 UTC 2024
;; MSG SIZE rcvd: 45
R1# show ip interface brief
Interface             IP-Address    OK? Method Status  Protocol
GigabitEthernet0/0    10.0.0.1      YES NVRAM  up      up
GigabitEthernet0/1    203.0.113.2   YES NVRAM  up      up
Loopback0             192.0.2.1     YES NVRAM  up      up
R1# show running-config | section ip domain
ip domain lookup
ip domain name courseiva.local
ip name-server 203.0.113.10
!
R1# nslookup fileserver.courseiva.local
Server: 203.0.113.10
Address: 203.0.113.10#53
** server can't find fileserver.courseiva.local: NXDOMAIN
R1# nslookup webserver.courseiva.local
Server: 203.0.113.10
Address: 203.0.113.10#53
Name: webserver.courseiva.local
Address: 192.0.2.5
R1# dig fileserver.courseiva.local
; <<>> DiG 9.11.3 <<>> fileserver.courseiva.local
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 12345
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; QUESTION SECTION:
;fileserver.courseiva.local. IN A
;; AUTHORITY SECTION:
courseiva.local. 86400 IN SOA ns1.courseiva.local. admin.courseiva.local. 2025032101 3600 900 86400 3600
;; Query time: 12 msec
;; SERVER: 203.0.113.10#53(203.0.113.10)
;; WHEN: Fri Mar 21 10:00:00 UTC 2025
;; MSG SIZE rcvd: 98
R1# ping 203.0.113.10
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 203.0.113.10, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
You are connected to R1. The network uses DNS to resolve hostnames for remote device management. Currently, R1 cannot resolve the hostname 'ServerA' via DNS. Using the nslookup and dig commands, you have gathered the following outputs:
nslookup ServerA
Server: 203.0.113.1
Address: 203.0.113.1#53
Name: ServerA.example.com
Address: 203.0.113.10

dig ServerA
...
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: ...
...
The show running-config command shows that 'ip domain-lookup' is enabled, the name-server is 203.0.113.1, and no static host entries are configured. Diagnose and fix the DNS resolution failure. Ensure that R1 can successfully resolve 'ServerA' to its intended IP address 198.51.100.10.
R1# show running-config | section ip domain
ip domain lookup
ip name-server 203.0.113.1
ip domain name example.com
!
R1# show ip dns server
DNS server: 203.0.113.1
Default domain: example.com
R1# nslookup ServerA
Server: 203.0.113.1
Address 1: 203.0.113.1
Name: ServerA.example.com
Address 1: 203.0.113.10
R1# dig ServerA
; <<>> DiG 9.8.3 <<>> ServerA
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 1234
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;ServerA. IN A
;; Query time: 10 msec
;; SERVER: 203.0.113.1#53(203.0.113.1)
;; WHEN: Thu Jan 18 12:00:00 2024
;; MSG SIZE rcvd: 28
R1# ping ServerA
Translating "ServerA"...domain server (203.0.113.1)
% Unrecognized host or address, or protocol not running.
R1# show running-config | section ip domain
ip domain lookup
ip name-server 203.0.113.10
ip domain timeout 1
!
R1# show ip dns
DNS lookup is enabled
DNS server 203.0.113.10
DNS timeout 1 seconds
Default domain name: example.com
!
R1# nslookup server.example.com
Server: 203.0.113.10
Address 1: 203.0.113.10
Name: server.example.com
Address 1: 203.0.113.50
!
R1# dig server.example.com
; <<>> DiG 9.8.3 <<>> server.example.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 12345
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;server.example.com. IN A
;; ANSWER SECTION: (empty)
;; AUTHORITY SECTION: (empty)
;; ADDITIONAL SECTION: (empty)
;; Query time: 1 msec
;; SERVER: 203.0.113.10#53(203.0.113.10)
;; WHEN: Thu Jan 11 12:34:56 2024
;; MSG SIZE rcvd: 34
R1# show running-config | section ip domain
ip domain lookup
ip domain name internal
ip name-server 192.0.2.53
ip name-server 203.0.113.53
!
R1# show ip dns
DNS lookup enabled
Default domain: internal
Name-server list:
192.0.2.53 (unreachable)
203.0.113.53
R1# nslookup webserver.internal
Server: 203.0.113.53
Address: 203.0.113.53#53
** server can't find webserver.internal: NXDOMAIN
R1# nslookup 192.168.10.50
Server: 203.0.113.53
Address: 203.0.113.53#53
50.10.168.192.in-addr.arpa name = mail.internal.
R1# dig @203.0.113.53 example.com
; <<>> DiG 9.11.3 <<>> @203.0.113.53 example.com
;; connection timed out; no servers could be reached
R1# show running-config | section ip domain
ip domain lookup
ip domain name example.com
ip name-server 192.0.2.53
!
R1# show ip dns server
DNS server is enabled
Forwarding: enabled
Forwarder: 192.0.2.53 (unreachable)
R1# nslookup server1.example.com
Server: 192.0.2.53
Address: 192.0.2.53#53
** server can't find server1.example.com: NXDOMAIN
R1# dig -x 192.168.1.10
; <<>> DiG 9.11.4-P1 <<>> -x 192.168.1.10
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 12345
;; QUESTION SECTION:
;10.1.168.192.in-addr.arpa. IN PTR
;; AUTHORITY SECTION:
0.in-addr.arpa. 86400 IN SOA ns.example.com. admin.example.com. 1 3600 900 604800 86400
;; Query time: 1 msec
;; SERVER: 192.0.2.53#53(192.0.2.53)
;; WHEN: Mon Jan 15 10:00:00 UTC 2024
;; MSG SIZE rcvd: 96
R1#show running-config | section ip domain
ip domain lookup
ip domain name courseiva.com
ip name-server 198.51.100.53
!
R1#ping 198.51.100.53
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 198.51.100.53, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5)
R1#nslookup fileserver.courseiva.com
Server: 198.51.100.53
Address: 198.51.100.53#53
** server can't find fileserver.courseiva.com: NXDOMAIN
R1#nslookup 203.0.113.10
Server: 198.51.100.53
Address: 198.51.100.53#53
** server can't find 203.0.113.10.in-addr.arpa: NXDOMAIN
R1#dig fileserver.courseiva.com
; <<>> DiG 9.16.1 <<>> fileserver.courseiva.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 12345
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; AUTHORITY SECTION:
courseiva.com. 3600 SOA ns1.courseiva.com. admin.courseiva.com. 2025030101 3600 900 86400 3600
R1#dig -x 203.0.113.10
; <<>> DiG 9.16.1 <<>> -x 203.0.113.10
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 12346
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; AUTHORITY SECTION:
113.0.203.in-addr.arpa. 3600 SOA ns1.courseiva.com. admin.courseiva.com. 2025030101 3600 900 86400 3600
R1#
R1# show running-config | section ip domain
ip domain lookup
ip name-server 198.51.100.53 203.0.113.53
ip domain list example.com
R1# show ip interface brief
Interface                 IP-Address     OK? Method Status  Protocol
GigabitEthernet0/0/0      10.0.0.1       YES NVRAM  up      up
GigabitEthernet0/0/1.10   192.168.10.1   YES NVRAM  up      up
GigabitEthernet0/0/1.20   192.168.20.1   YES NVRAM  up      up
R1# ping 198.51.100.53
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 198.51.100.53, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5)
R1# nslookup files.example.com
Server: 198.51.100.53
Address: 198.51.100.53#53
** server can't find files.example.com: NXDOMAIN
R1# nslookup files.example.com 203.0.113.53
Server: 203.0.113.53
Address: 203.0.113.53#53
Name: files.example.com
Address: 203.0.113.100
R1# dig @198.51.100.53 files.example.com A
; <<>> DiG 9.16.1 <<>> @198.51.100.53 files.example.com A
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 12345
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;files.example.com. IN A
;; Query time: 100 msec
;; SERVER: 198.51.100.53#53(198.51.100.53)
;; WHEN: Thu Jan 01 00:00:00 UTC 2024
;; MSG SIZE rcvd: 42
R1# dig @203.0.113.53 files.example.com A
; <<>> DiG 9.16.1 <<>> @203.0.113.53 files.example.com A
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 54321
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;files.example.com. IN A
;; ANSWER SECTION:
files.example.com. 3600 IN A 203.0.113.100
;; Query time: 50 msec
;; SERVER: 203.0.113.53#53(203.0.113.53)
;; WHEN: Thu Jan 01 00:00:00 UTC 2024
;; MSG SIZE rcvd: 60
R1# show running-config | section ip domain
ip domain lookup
ip name-server 203.0.113.1
ip domain timeout 3
ip domain retry 2
R1# nslookup fileserver.courseiva.com
Translating "fileserver.courseiva.com"...% Unrecognized host or address, or protocol not running.
R1# nslookup 198.51.100.10
Server: 203.0.113.1
Address: 203.0.113.1#53
** server can't find 10.100.51.198.in-addr.arpa: NXDOMAIN
R1# dig fileserver.courseiva.com
; <<>> DiG 9.8.3-P1 <<>> fileserver.courseiva.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 1234
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;fileserver.courseiva.com. IN A
;; AUTHORITY SECTION:
courseiva.com. 3600 IN SOA ns1.courseiva.com. admin.courseiva.com. 2025032101 3600 900 86400 3600
R1# dig -x 198.51.100.10
; <<>> DiG 9.8.3-P1 <<>> -x 198.51.100.10
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 5678
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;10.100.51.198.in-addr.arpa. IN PTR
;; AUTHORITY SECTION:
100.51.198.in-addr.arpa. 3600 IN SOA ns1.courseiva.com. admin.courseiva.com. 2025032101 3600 900 86400 3600
R1#show running-config | section ip domain
ip domain lookup
ip domain name courseiva.local
ip name-server 192.168.1.100
!
R1#show ip dns
No DNS servers configured
R1#ping 192.168.1.100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.100, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5)
R1#nslookup server01.courseiva.local
Translating "server01.courseiva.local"...domain server (255.255.255.255)
% Unrecognized host or address, or protocol not running.
R1#show running-config | section dhcp
ip dhcp excluded-address 192.168.100.1 192.168.100.10
ip dhcp excluded-address 192.168.100.254
!
ip dhcp pool POOL_100
network 192.168.100.0 255.255.255.0
default-router 192.168.100.254
dns-server 8.8.8.8
!
interface GigabitEthernet0/0
ip address 192.168.100.1 255.255.255.0
no shut
!
interface GigabitEthernet0/1
ip address 10.1.1.1 255.255.255.0
ip helper-address 192.168.100.254
no shut
R1#show running-config | section dhcp
ip dhcp excluded-address 192.168.50.1 192.168.50.200
ip dhcp pool LAN50
network 192.168.50.0 255.255.255.0
default-router 192.168.50.1
dns-server 8.8.8.8
!
interface GigabitEthernet0/0
ip address 192.168.50.1 255.255.255.0
ip helper-address 203.0.113.10
no shutdown
!
interface GigabitEthernet0/1
ip address 10.0.0.1 255.255.255.252
no shutdown
!
SW1#show running-config | section interface vlan 10
interface Vlan10
ip address 192.168.10.254 255.255.255.0
ip helper-address 192.168.20.1
!
SW1#show ip dhcp snooping
Switch DHCP snooping is enabled
DHCP snooping is configured on following VLANs:
10
Insertion of option 82 is disabled
Interface                Trusted  Rate limit (pps)
-----------------------  -------  -----------------
GigabitEthernet0/1       no       unlimited
GigabitEthernet0/2       no       unlimited
R1#show running-config | section dhcp
ip dhcp excluded-address 192.168.10.1 192.168.10.254
!
ip dhcp pool VLAN10
network 192.168.10.0 255.255.255.0
default-router 192.168.10.1
dns-server 203.0.113.10
!
R1#show running-config | section dhcp
ip dhcp excluded-address 192.168.20.0 192.168.20.255
ip dhcp pool VLAN20_POOL
network 192.168.20.0 255.255.255.0
default-router 192.168.20.1
dns-server 203.0.113.10
!
interface GigabitEthernet0/0
ip address 10.0.0.1 255.255.255.252
no shutdown
SW1#show running-config | section interface vlan 20
interface Vlan20
ip address 192.168.20.1 255.255.255.0
ip helper-address 192.0.2.99
SW1#show ip dhcp snooping
Global DHCP Snooping is disabled
DHCP Snooping is configured on following vlans:
No VLANs configured
SW1#show interfaces status | include Fa0/3
Fa0/3     connected    1     auto   auto   10/100BaseTX
R1#show running-config | section dhcp
ip dhcp excluded-address 192.168.10.1 192.168.10.254
ip dhcp pool VLAN10_POOL
network 192.168.10.0 255.255.255.0
default-router 192.168.10.1
dns-server 8.8.8.8
!
interface GigabitEthernet0/0.10
encapsulation dot1Q 10
ip address 192.168.10.1 255.255.255.0
ip helper-address 10.0.0.2
!
SW1#show running-config | section dhcp
ip dhcp snooping
ip dhcp snooping vlan 10
no ip dhcp snooping information option
interface GigabitEthernet0/1
ip dhcp snooping trust
!
interface GigabitEthernet0/2
ip dhcp snooping limit rate 10
!
SW1#show running-config | section interface
interface GigabitEthernet0/0
description to DHCP Server
ip address 10.0.0.1 255.255.255.252
no switchport
!
interface GigabitEthernet0/1
switchport access vlan 20
spanning-tree portfast
!
interface Vlan20
ip address 192.168.20.1 255.255.255.0
ip helper-address 10.0.0.3
!
SW1#show ip dhcp snooping
Switch DHCP snooping is disabled
DHCP snooping is configured on following VLANs:
none
DHCP snooping is operational on following VLANs:
none
DHCP snooping is configured on the following L3 Interfaces:
Insertion of option 82 is enabled
circuit-id default format: vlan-mod-port
remote-id: 00e0.f711.2233 (MAC)
Option 82 on untrusted port is not allowed
Verification of hwaddr field is enabled
Verification of giaddr field is enabled
Check for address on untrusted interfaces is enabled
Custom option 82 strings are disabled
R1# show running-config | section dhcp
ip dhcp excluded-address 192.168.50.1 192.168.50.100
ip dhcp pool VLAN50
network 192.168.50.0 255.255.255.0
default-router 192.168.50.1
dns-server 8.8.8.8
!
interface GigabitEthernet0/0
ip address 10.0.0.1 255.255.255.252
no shutdown
!
SW1# show running-config | section interface
interface GigabitEthernet0/1
description uplink to R1
ip address 10.0.0.2 255.255.255.252
ip helper-address 10.0.0.1
!
interface VLAN50
ip address 192.168.50.1 255.255.255.0
!
interface FastEthernet0/5
description rogue server
switchport mode access
switchport access vlan 50
!
SW1# show ip dhcp snooping
Switch DHCP snooping is disabled
DHCP snooping is configured on the following VLANs:
none
DHCP snooping trust/untrusted ports:
Trusted ports:
Untrusted ports:
MLS1# show running-config | section interface
interface GigabitEthernet0/0
description Link to R1
ip address 10.0.0.2 255.255.255.252
no switchport
!
interface GigabitEthernet0/1
description Access port VLAN 20
switchport mode access
switchport access vlan 20
!
interface Vlan20
ip address 192.168.20.1 255.255.255.0
!
MLS1# show ip dhcp snooping
Switch DHCP snooping is disabled
R1# show running-config | section dhcp
ip dhcp excluded-address 192.168.20.1 192.168.20.254
!
ip dhcp pool VLAN20_POOL
network 192.168.20.0 255.255.255.0
default-router 192.168.10.1
dns-server 4.4.4.4
!
R1# show ip interface brief
Interface             IP-Address    OK? Method Status  Protocol
GigabitEthernet0/0    10.0.0.1      YES manual up      up
R1#show running-config | section access-list|ip nat|interface GigabitEthernet0/1|interface GigabitEthernet0/2|interface GigabitEthernet0/0
access-list 10 permit 192.168.10.0 0.0.0.255
access-list 20 permit 192.168.20.0 0.0.0.0
ip nat pool NAT-POOL 200.1.1.1 200.1.1.2 netmask 255.255.255.252
ip nat inside source list 10 pool NAT-POOL overload
ip nat inside source list 20 pool NAT-POOL overload
interface GigabitEthernet0/0
ip address 200.1.1.1 255.255.255.252
ip nat outside
interface GigabitEthernet0/1
ip address 192.168.10.1 255.255.255.0
ip nat inside
interface GigabitEthernet0/2
ip address 192.168.20.1 255.255.255.0
ip nat inside
R1# show ip dhcp binding
Bindings from all pools not associated with VRF:
IP address Client-ID/ Lease expiration Type
Hardware address
Total number of bindings = 0
Current number of high bindings = 0
Maximum number of high bindings = 256

R1# show ip access-lists
Extended IP access list 110
10 deny ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255 (145 matches)
20 permit ip 192.168.10.0 0.0.0.255 any (95 matches)
Extended IP access list BLOCK_WEB
10 deny tcp any any eq 80
20 deny tcp any any eq 443
30 permit ip any any (5 matches)
Standard IP access list 10
10 permit 192.168.10.0 0.0.0.255 (21 matches)
20 deny any (8 matches)

R1# show ip dhcp pool
Pool LAN-POOL :
Utilization mark (high/low) : 100 / 0
Subnet size (first/next) : 0 / 0
Total addresses : 254
Leased addresses : 253
Excluded addresses : 0
Pending events : 0
Subnet : 192.168.1.0/24
Current bindings : 253
Lease expiration : 7 days 0 hours 0 minutes
Automatic bindings : 253
Manual bindings : 0
Conflict reservations : 0
R1# show logging
Syslog logging: enabled (0 messages dropped, 0 messages rate-limited, 0 flushes, 0 overruns)
Console logging: level debugging, 355 messages logged
Monitor logging: level debugging, 0 messages logged
Buffer logging: level debugging, 355 messages logged
Trap logging: level errors (3), 150 messages logged
Logging to 192.168.100.50
Log Buffer (4096 bytes):
*Feb 28 10:14:55.123: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/0/1, changed state to down
*Feb 28 10:15:22.123: %SYS-6-CLOCKUPDATE: System clock has been updated from 10:15:22 UTC Feb 28 2025 to 10:15:22 UTC Feb 28 2025, configured from console by vty0 (192.168.1.10)
*Feb 28 10:15:24.456: %LINK-3-UPDOWN: Interface GigabitEthernet0/0/1, changed state to down
*Feb 28 10:16:01.789: %SYS-7-DEBUG: Message from debug command interface GigabitEthernet0/0/1 held down
*Feb 28 10:16:10.111: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/0/1, changed state to up
*Feb 28 10:16:15.222: %LINK-3-UPDOWN: Interface GigabitEthernet0/0/1, changed state to up
*Feb 28 10:16:30.333: %SYS-6-LOGGINGHOST_STARTSTOP: Logging to host 192.168.100.50 stopped

R1# show ip interface GigabitEthernet0/0
GigabitEthernet0/0 is up, line protocol is up
Internet address is 192.168.1.1/24
Broadcast address is 255.255.255.255
Address determined by setup command
MTU is 1500 bytes
Helper address is not set
Directed broadcast forwarding is disabled
Multicast reserved groups joined: 224.0.0.251 224.0.0.252
Outgoing access list is not set
Inbound access list is not set
Proxy ARP is enabled
Local Proxy ARP is disabled
R1# show ip nat statistics
Total active translations: 0 (0 static, 0 dynamic; 0 extended)
Peak translations: 0, occurred 00:00:00 ago
Outside interfaces:
GigabitEthernet0/0
Inside interfaces:
GigabitEthernet0/1
Hits: 0  Misses: 15042
CEF Translated packets: 0, CEF Punted packets: 15042
Expired translations: 0
Dynamic mappings:
-- Inside Source
[Id: 1] access-list 1 interface GigabitEthernet0/1 refcount 0
pool: (none) refcount: 0
R1# show ip nat translations
Pro Inside global      Inside local       Outside local      Outside global
--- 209.165.200.225    192.168.1.10       ---                ---
--- 209.165.200.226    192.168.1.11       ---                ---
--- 209.165.200.227    192.168.1.12       ---                ---
--- 209.165.200.228    192.168.1.13       ---                ---
--- 209.165.200.229    192.168.1.14       ---                ---
--- 209.165.200.230    192.168.1.15       ---                ---
--- 209.165.200.231    192.168.1.16       ---                ---
--- 209.165.200.232    192.168.1.17       ---                ---
R1# show ip dhcp conflict
IP address     Detection method   Detection time           VRF
192.168.1.50   Ping               Mar 01 2025 10:23 AM
192.168.1.51   Ping               Mar 01 2025 10:24 AM
192.168.1.52   Ping               Mar 01 2025 10:25 AM
192.168.1.53   Ping               Mar 01 2025 10:26 AM
192.168.1.54   Ping               Mar 01 2025 10:27 AM
192.168.1.55   Ping               Mar 01 2025 10:28 AM
192.168.1.56   Ping               Mar 01 2025 10:29 AM
192.168.1.57   Ping               Mar 01 2025 10:30 AM
192.168.1.58   Ping               Mar 01 2025 10:31 AM
192.168.1.59   Ping               Mar 01 2025 10:32 AM
R1# show access-lists
Standard IP access list 10
10 permit 192.168.1.0 0.0.0.255 (5 matches)
Extended IP access list 100
remark Allow HTTP to DMZ web servers
10 permit tcp any 192.168.1.0 0.0.0.255 eq www (234 matches)
remark Deny all other traffic and log
20 deny ip any any log (1356 matches)

R1# show ntp status
Clock is unsynchronized, stratum 16, no reference clock
nominal freq is 250.0000 Hz, actual freq is 250.0000 Hz, precision is 2**18
ntp uptime is 15000 (4.1 hours)
reference time is 00000000.00000000 (00:00:00.000 UTC Jan 1 1900)
clock offset is 0.0000 msec, root delay is 0.00 msec
root dispersion is 0.00 msec, peer dispersion is 0.00 msec
loopfilter state is 'CTRL' (Normal Controlled Loop), drift is 0.000000000 s/s
system poll interval is 64, last update was 0 sec ago.
R1# show ip nat translations
Pro  Inside global        Inside local         Outside local        Outside global
tcp  203.0.113.10:80      192.168.1.10:80      ---                  ---
tcp  203.0.113.10:443     192.168.1.10:443     ---                  ---
tcp  203.0.113.1:49152    192.168.1.10:49152   198.51.100.5:80      198.51.100.5:80
tcp  203.0.113.1:49153    192.168.1.11:49153   198.51.100.6:443     198.51.100.6:443
udp  203.0.113.1:49154    192.168.1.11:49154   8.8.8.8:53           8.8.8.8:53
icmp 203.0.113.1:3        192.168.1.12:3       8.8.4.4:3            8.8.4.4:3
tcp  203.0.113.1:49155    192.168.1.12:49155   203.0.113.50:22      203.0.113.50:22
Total number of translations: 7
R1# show ip nat translations verbose
Pro Inside global      Inside local        Outside local        Outside global
--- 203.0.113.5        10.1.1.0/24         ---                  ---
udp 203.0.113.5:1024   10.1.1.10:5000      198.51.100.10:53     198.51.100.10:53
    create 00:03:45, use 00:00:10 timeout: 300000, flags: extended dynamic, mapping-id: 2
udp 203.0.113.5:1024   10.1.1.11:5001      198.51.100.10:53     198.51.100.10:53
    create 00:03:45, use 00:00:10 timeout: 300000, flags: extended dynamic, mapping-id: 2
tcp 203.0.113.5:1024   10.1.1.12:34567     203.0.113.100:443    203.0.113.100:443
    create 00:01:22, use 00:00:05 timeout: 86400, flags: extended dynamic, mapping-id: 2
tcp 203.0.113.5:1024   10.1.1.13:45678     203.0.113.200:22     203.0.113.200:22
    create 00:00:55, use 00:00:03 timeout: 86400, flags: extended dynamic, mapping-id: 2