LABORATORIOS MODULOS 4-7

Farelo Sanabria, Edgar Enrique

Universidad Nacional de Colombia

Redes de computadores
bog-2025967-2-2024-03
LAB 4.6.6 Lab - Use Wireshark to View

Network Traffic Topology

Lab - Use Wireshark to View Network Traffic

Topology

Objectives
Part 1: Capture and Analyze Local ICMP Data in Wireshark
Part 2: Capture and Analyze Remote ICMP Data in Wireshark

Background / Scenario
Wireshark is a software protocol analyzer, or "packet sniffer" application, used for network
troubleshooting, analysis, software and protocol development, and education. As data
streams travel back and forth over the network, the sniffer "captures" each protocol data
unit (PDU) and can decode and analyze its content according to the appropriate RFC or
other specifications.
 Wireshark is a useful tool for anyone working with networks and can be used with most
labs in the CCNA courses for data analysis and troubleshooting. In this lab, you will use
Wireshark to capture ICMP data packet IP addresses and Ethernet frame MAC addresses.

Required Resources
• 1 PC (Windows with internet access)
• Additional PCs on a local-area network (LAN) will be used to reply to ping requests.
Using a packet sniffer such as Wireshark may be considered a breach of the security
policy of the school. It is recommended that permission be obtained before running
Wireshark for this lab. If using a packet sniffer such as Wireshark is an issue, the instructor
may wish to assign the lab as homework or perform a walk-through demonstration.

Instructions Part 1: Capture and Analyze Local ICMP

Data in Wireshark
In Part 1 of this lab, you will ping another PC on the LAN and capture ICMP requests and
replies in
Wireshark. You will also look inside the frames captured for specific information. This
analysis should help to clarify how packet headers are used to transport data to their
destination.

Step 1: Retrieve your PC interface addresses.

For this lab, you will need to retrieve your PC IP address and its network interface card
(NIC) physical address, also called the MAC address.
Open a Windows command prompt.

a. In a command prompt window, enter ipconfig /all, to the IP address of your PC

interface, its description, and its MAC (physical) address.
C:\Users\Student> ipconfig /all

Windows IP Configuration

Host Name . . . . . . . . . . . . : DESKTOP-

NB48BTC Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No

Ethernet adapter Ethernet:

Connection-specific DNS Suffix . :

Description . . . . . . . . . . . : Intel(R) 82577LM Gigabit Network
Connection
 Physical Address. . . . . . . . . :00-26-B9-DD-00-91
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
Link-local IPv6 Address . . . . . :
fe80::d809:d939:110f:1b7f%20(Preferred)
IPv4 Address. . . . . . . . . . . : 192.168.1.147(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.1.1
<output omitted>

b. Ask a team member or team members for their PC IP address and provide your PC IP
address to them.
Do not provide them with your MAC address at this time.
Close a Windows Command Prompt.

Step 2: Start Wireshark and begin capturing data.

a. Navigate to Wireshark. Double-click the desired interface to start the packet capture.
Make sure the desired interface has traffic.
b. Information will start scrolling down the top section in Wireshark. The data lines will
appear in different colors based on protocol.
This information can scroll by very quickly depending on what communication is
taking place between your PC and the LAN. We can apply a filter to make it easier to
view and work with the data that is being captured by Wireshark.

For this lab, we are only interested in displaying ICMP (ping) PDUs. Type icmp in the
Filter box at the top of Wireshark and press Enter, or click the Apply button (arrow
sign) to view only ICMP (ping) PDUs.
c. This filter causes all data in the top window to disappear, but you are still capturing the
traffic on the interface. Navigate to a command prompt window and ping the IP
address that you received from your team member.
C:\> ping 192.168.1.114

Pinging 192.168.1.114 with 32 bytes of data:

Reply from 192.168.1.114: bytes=32 time<1ms TTL=128
Reply from 192.168.1.114: bytes=32 time<1ms TTL=128
Reply from 192.168.1.114: bytes=32 time<1ms TTL=128
Reply from 192.168.1.114: bytes=32 time<1ms TTL=128

Ping statistics for 192.168.1.114:

Packets: Sent = 4, Received = 4, Lost = 0 (0%
loss), Approximate round trip times in milli-
seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms
Notice that you start seeing data appear in the top window of Wireshark again.
 Note: If the PC of your team member does not reply to your pings, this may be
because the PC firewall of the team member is blocking these requests. Please see
Appendix A: Allowing ICMP Traffic Through a Firewall for information on how to allow
ICMP traffic through the firewall using Windows.

d. Stop capturing data by clicking the Stop Capture icon.

Step 3: Examine the captured data.

In Step 3, examine the data that was generated by the ping requests of your team member
PC. Wireshark data is displayed in three sections: 1) The top section displays the list of
 PDU frames captured with a summary of the IP packet information listed; 2) the middle
section lists PDU information for the frame selected in the top part of the screen and
separates a captured PDU frame by its protocol layers; and 3) the bottom section displays
the raw data of each layer. The raw data is displayed in both hexadecimal and decimal
form. a. Click the first ICMP request PDU frames in the top section of Wireshark. Notice
that the Source column has your PC IP address, and the Destination column contains the
IP address of the teammate PC that you pinged.

b. With this PDU frame still selected in the top section, navigate to the middle section.
Click the plus sign to the left of the Ethernet II row to view the destination and source
MAC addresses.
Questions:

Does the source MAC address match your PC interface?

Si

Type your answers here.

Does the destination MAC address in Wireshark match your team member MAC
address?

Si

Type your answers here.

How is the MAC address of the pinged PC obtained by your PC?

ARP request.

Type your answers here.

Note: In the preceding example of a captured ICMP request, ICMP data is
encapsulated inside an IPv4 packet PDU (IPv4 header) which is then encapsulated in
an Ethernet II frame PDU (Ethernet II header) for transmission on the LAN.

Part 2: Capture and Analyze Remote ICMP Data in

Wireshark
In Part 2, you will ping remote hosts (hosts not on the LAN) and examine the generated
data from those pings. You will then determine what is different about this data from the
data examined in Part 1.

Step 1: Start capturing data on the interface.

a. Start the data capture again.
b. A window prompts you to save the previously captured data before starting another
capture. It is not necessary to save this data. Click Continue without Saving.
c. With the capture active, ping the following three website URLs from a Windows
command prompt:
Open a Windows command prompt
 1) www.yahoo.com
2) www.cisco.com
3) www.google.com
Note: When you ping the URLs listed, notice that the Domain Name Server (DNS)
translates the URL to an IP address. Note the IP address received for each URL.

d. You can stop capturing data by clicking the Stop Capture icon.
Step 2: Examining and analyzing the data from the remote hosts.
Review the captured data in Wireshark and examine the IP and MAC addresses of the
three locations that you pinged. List the destination IP and MAC addresses for all three
locations in the space provided.
Questions:

IP address for www.yahoo.com: 200.152.173.204

Type your answers here.

MAC address for www.yahoo.com: Destination: ASUSTekCOMPU_5f:45:60
(40:b0:76:5f:45:60)

Type your answers here.

IP address for www.cisco.com: 2.19.32.102

Type your answers here.

MAC address for www.cisco.com: Destination: ASUSTekCOMPU_5f:45:60
(40:b0:76:5f:45:60)

Type your answers here.

IP address for www.google.com: 172.217.173.36

Type your answers here.

MAC address for www.google.com: Source: ASUSTekCOMPU_5f:45:60
(40:b0:76:5f:45:60)

Type your answers here.

What is significant about this information?

La MAC es siempre la misma

Type your answers here.

How does this information differ from the local ping information you received in Part
1?
 Un ping a un host local devuelve la dirección MAC de la NIC de la PC. Un ping a un
host remoto devuelve la dirección MAC de la interfaz LAN de la puerta de enlace
predeterminada.

Type your answers here.

Close the Windows command prompt

Reflection Question
Why does Wireshark show the actual MAC address of the local hosts, but not the actual
MAC address for the remote hosts?

Las direcciones MAC de los hosts remotos no se conocen en la red local, por lo que se
utiliza la dirección MAC de la puerta de enlace predeterminada. Una vez que el paquete
llega al enrutador de la puerta de enlace predeterminada, se elimina la información de
capa 2 del paquete y se adjunta un nuevo encabezado de capa 2 con la dirección MAC de
destino del enrutador del siguiente salto.

Type your answers here.

Appendix A: Allowing ICMP Traffic Through a Firewall

If the members of your team are unable to ping your PC, the firewall may be blocking those
requests. This appendix describes how to create a rule in the firewall to allow ping
requests. It also describes how to disable the new ICMP rule after you have completed the
lab.

Part 1: Create a new inbound rule allowing ICMP traffic through the firewall.
a. Navigate to the Control Panel and click the System and Security option in the
Category view.
b. In the System and Security window, click Windows Defender Firewall or Windows
Firewall.
c. In the left pane of the Windows Defender Firewall or Windows Firewall window,
click Advanced settings.
d. On the Advanced Security window, click the Inbound Rules option on the left sidebar
and then click New Rule… on the right sidebar.
e. This launches the New Inbound Rule wizard. On the Rule Type screen, click the
Custom radio button and click Next.
f. In the left pane, click the Protocol and Ports option and using the Protocol Type
drop-down menu, select ICMPv4, and then click Next.
 g. Verify that Any IP address for both the local and remote IP addresses are selected.
Click Next to continue.
h. Select Allow the connection. Click Next to continue.
i. By default, this rule applies to all the profiles. Click Next to continue.
j. Name the rule with Allow ICMP Requests. Click Finish to continue. This new rule
should allow your team members to receive ping replies from your PC.

Part 2: Disabling or deleting the new ICMP rule.

After the lab is complete, you may want to disable or even delete the new rule you created
in Step 1. Using the Disable Rule option allows you to enable the rule again at a later date.
Deleting the rule permanently deletes it from the list of inbound rules.

a. On the Advanced Security window, click Inbound Rules in the left pane and then
locate the rule you created previously.
b. Right-click the ICMP rule and select Disable Rule if so desired. You may also select
Delete if you want to permanently delete it. If you choose this option, you must re-
create the rule again to allow ICMP replies. End of

document
LAB 7.1.6 Lab - Use Wireshark to Examine
Ethernet Frames Topology
Lab - Use Wireshark to Examine Ethernet Frames Topology

Objectives
Part 1: Examine the Header Fields in an Ethernet II Frame
Part 2: Use Wireshark to Capture and Analyze Ethernet Frames

Background / Scenario
When upper layer protocols communicate with each other, data flows down the Open
Systems
Interconnection (OSI) layers and is encapsulated into a Layer 2 frame. The frame
composition is dependent on the media access type. For example, if the upper layer
protocols are TCP and IP and the media access is Ethernet, then the Layer 2 frame
encapsulation will be Ethernet II. This is typical for a LAN environment.

When learning about Layer 2 concepts, it is helpful to analyze frame header information.
In the first part of this lab, you will review the fields contained in an Ethernet II frame. In
Part 2, you will use Wireshark to capture and analyze Ethernet II frame header fields for
local and remote traffic.

Required Resources
• 1 PC (Windows with internet access and with Wireshark installed)

Instructions
Part 1: Examine the Header Fields in an Ethernet II
Frame
In Part 1, you will examine the header fields and content in an Ethernet II frame. A
Wireshark capture will be used to examine the contents in those fields.

Step 1: Review the Ethernet II header field descriptions and lengths.

Destination Source Frame
Preamble Address Address Type Data FCS

8 Bytes 6 Bytes 6 Bytes 2 Bytes 46 – 1500 Bytes 4 Bytes

Step 2: Examine the network configuration of the PC.
In this example, this PC host IP address is 192.168.1.147 and the default gateway has an
IP address of 192.168.1.1.
C:\> ipconfig /all
Ethernet
adapter
Ethernet:
Connection-specific
DNS Suffix . :
Description . . . . . . . . . . . : Intel(R) 82579LM Gigabit Network
Connection
Physical Address. . . . . . . . . : F0-1F-AF-50-FD-C8
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
Link-local IPv6 Address . . . . . :
fe80::58c5:45f2:7e5e:29c2%11(Preferred)
IPv4 Address. . . . . . . . . . . : 192.168.1.147(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Lease Obtained. . . . . . . . . . : Friday, September 6, 2019 11:08:36
AM
Lease Expires . . . . . . . . . . : Saturday, September 7, 2019 11:08:36
AM
Default Gateway . . . . . . . . . : 192.168.1.1
DHCP Server . . . . . . . . . . . : 192.168.1.1
<output omitted>

Step 3: Examine Ethernet frames in a Wireshark capture.

The screenshots of the Wireshark capture below shows the packets generated by a ping
being issued from a PC host to its default gateway. A filter has been applied to Wireshark
to view the ARP and ICMP protocols only. ARP stands for address resolution protocol. ARP
is a communication protocol that is used for determining the MAC address that is
associated with the IP address. The session begins with an ARP query and reply for the
MAC address of the gateway router, followed by four ping requests and replies.
This screenshot highlights the frame details for an ARP request.

This screenshot highlights the frame details for an ARP reply.

Step 4: Examine the Ethernet II header contents of an ARP request.
The following table takes the first frame in the Wireshark capture and displays the data in
the Ethernet II header fields.

Field Value Description

Preamble Not shown in capture This field contains synchronizing bits, processed
by the NIC hardware.
Destination Broadcast Layer 2 addresses for the frame. Each address is 48
Address (ff:ff:ff:ff:ff:ff) bits long, or 6 octets, expressed as 12 hexadecimal
digits, 0-
9,A-F.
A common format is 12:34:56:78:9A:BC.
Source Address Dell_50:fd:c8 The first six hex numbers indicate the
(f0:1f:af:50:fd:c8) manufacturer of the network interface card (NIC),
the last six hex numbers are the serial number of
the NIC.
The destination address may be a broadcast,
which contains all ones, or a unicast. The source
address is always unicast.
Frame Type 0x0806 For Ethernet II frames, this field contains a
hexadecimal value that is used to indicate the
type of upper-layer protocol in the data field.
There are numerous upper-layer protocols
supported by Ethernet II. Two common frame
types are these: Value Description
0x0800 IPv4 Protocol
0x0806 Address Resolution Protocol (ARP)
Data ARP Contains the encapsulated upper-level protocol.
The data field is between 46 – 1,500 bytes.
FCS Not shown in capture Frame Check Sequence, used by the NIC to
identify errors during transmission. The value is
computed by the sending device, encompassing
frame addresses, type, and data field. It is verified
by the receiver.
What is significant about the contents of the destination address field?
 Todos los hosts en la lan recibirán el frame. La puerta de enlace predeterminada
(default Gateway) enviara una respuesta unicast a el destino, con la dirección MAC
del default Gateway.

Type your answers here.

Why does the PC send out a broadcast ARP prior to sending the first ping request?

Los computadores no pueden enviar una solicitud de unión (ping) sin conocer la
dirección MAC de destino. El ARP solicita la MAC.

Type your answers here.

What is the MAC address of the source in the first frame?

F0:1f:af:50:fd:c8

Type your answers here.

What is the Vendor ID (OUI) of the Source NIC in the ARP reply?

Netgear

Type your answers here.

What portion of the MAC address is the OUI?

Los 3 primeros octetos

Type your answers here.

What is the NIC serial number of the source?

99:c5:72

Type your answers here.

Part 2: Use Wireshark to Capture and Analyze Ethernet

Frames
In Part 2, you will use Wireshark to capture local and remote Ethernet frames. You will
then examine the information that is contained in the frame header fields.

Step 1: Determine the IP address of the default gateway on your PC.

Open a Windows command prompt.

Open a command prompt window and issue the ipconfig command.

What is the IP address of the PC default gateway?

192.168.0.1

Type your answers here.

Close a Windows command prompt.

Step 2: Start capturing traffic on your PC NIC.

a. Open Wireshark to start data capture.
b. Observe the traffic that appears in the packet list window.

Step 3: Filter Wireshark to display only ICMP traffic.

You can use the filter in Wireshark to block visibility of unwanted traffic. The filter does not
block the capture of unwanted data; it only filters what you want to display on the screen.
For now, only ICMP traffic is to be displayed.

In the Wireshark Filter box, type icmp. The box should turn green if you typed the filter
correctly. If the box is green, click Apply (the right arrow) to apply the filter.

Step 4: From the command prompt window, ping the default gateway of your PC.
From the command window, ping the default gateway using the IP address
Open a Windows command prompt.

that you recorded in Step 1.

Close Windows command prompt.

Step 5: Stop capturing traffic on the NIC.

Click the Stop Capturing Packets icon to stop capturing traffic.

Step 6: Examine the first Echo (ping) request in Wireshark.

The Wireshark main window is divided into three sections: the packet list pane (top), the
Packet Details pane (middle), and the Packet Bytes pane (bottom). If you selected the
correct interface for packet capturing previously, Wireshark should display the ICMP
information in the packet list pane of Wireshark.

a. In the packet list pane (top section), click the first frame listed. You should see Echo
(ping) request under the Info heading. The line should now be highlighted.
b. Examine the first line in the packet details pane (middle section). This line displays the
length of the frame.
c. The second line in the packet details pane shows that it is an Ethernet II frame. The
source and destination MAC addresses are also displayed.
Questions:

What is the MAC address of the PC NIC?

40:b0:76:5f:45:60

Type your answers here.

 What is the default gateway’s MAC address?

08:40:f3:2c:ab:20

Type your answers here.

d. You can click the greater than (>) sign at the beginning of the second line to obtain
more information about the Ethernet II frame.
Question:

What type of frame is displayed?

Un frame IPv4.

Type your answers here.

e. The last two lines displayed in the middle section provide information about the data
field of the frame.
Notice that the data contains the source and destination IPv4 address information.
Questions:

What is the source IP address?

192.168.0.192

Type your answers here.

What is the destination IP address?

192.168.0.1

Type your answers here.

f. You can click any line in the middle section to highlight that part of the frame (hex and
ASCII) in the Packet Bytes pane (bottom section). Click the Internet Control
Message Protocol line in the middle section and examine what is highlighted in the
Packet Bytes pane.
Question:

What do the last two highlighted octets spell?

..

Type your answers here.

g. Click the next frame in the top section and examine an Echo reply frame. Notice that
the source and destination MAC addresses have reversed, because this frame was
sent from the default gateway router as a reply to the first ping.
Question:

What device and MAC address is displayed as the destination address?

192.168.0.192 la del computador

Type your answers here.

Step 7: Capture packets for a remote host.

 a. Click the Start Capture icon to start a new Wireshark capture. You will receive a
popup window asking if you would like to save the previous captured packets to a file
before starting a new capture. Click Continue without Saving.
Open a Windows command prompt.

b. In a command prompt window, ping www.cisco.com.

Close a Windows command prompt.

c. Stop capturing packets.

d. Examine the new data in the packet list pane of Wireshark.
Questions:

In the first echo (ping) request frame, what are the source and destination MAC
addresses?

Source:
40:b0:76:5f:45:60

Type your answers here.

Destination:
08:40:f3:2c:ab:20

Type your answers here.

What are the source and destination IP addresses contained in the data field of the
frame?

Source:
192.168.0.192
Type your answers here.
Destination:
23.52.188.256

Type your answers here.

Compare these addresses to the addresses you received in Step 6. The only address
that changed is the destination IP address. Why has the destination IP address
changed, while the destination MAC address remained the same?

Porque nuestro pc envia el frame al default Gateway de LAN, este luego reenviara
el ping de conexión a la IP de cisco, y así de router en router hasta llegar al
destino.

Type your answers here.

Reflection Question
Wireshark does not display the preamble field of a frame header. What does the preamble
contain?

Contiene secuencias de bits, que representan el inicio del frame.

Type your answers here.

End of Document
LAB 7.2.7 Lab - View Network Device MAC
Addresses
Lab - View Network Device MAC Addresses

Topology

Addressing Table
Device Interface IP Address Subnet Mask

S1 VLAN 1 192.168.1.2 255.255.255.0

PC-A NIC 192.168.1.3 255.255.255.0

Blank Line, No additional information

Objectives
Part 1: Configure Devices and Verify Connectivity
Part 2: Display, Describe, and Analyze Ethernet MAC Addresses

Background / Scenario
Every device on an Ethernet LAN is identified by a Layer 2 MAC address. This address is
assigned by the manufacturer and stored in the firmware of the NIC. This lab will explore and
analyze the components that make up a MAC address, and how you can find this information
on a switch and a PC.
You will cable the equipment as shown in the topology. You will configure the switch and PC to
match the addressing table. You will verify your configurations by testing for network
connectivity.
After the devices have been configured and network connectivity has been verified, you will use
various commands to retrieve information from the devices to answer questions about your
network equipment.
Note: The switches used are Cisco Catalyst 2960s with Cisco IOS Release 15.2(2) (lanbasek9
image). Other switches and Cisco IOS versions can be used. Depending on the model and
Cisco IOS version, the commands available and the output produced might vary from what is
shown in the labs.
 Note: Make sure that the switches have been erased and have no startup configurations. If you
are unsure, ask your instructor.

Required Resources

1 Switch (Cisco 2960 with Cisco IOS Release 15.2(2) lanbasek9 image or comparable)

1 PC (Windows with a terminal emulation program, such as Tera Term)

Console cable to configure the Cisco switch via the console ports

Ethernet cables as shown in the topology

Instructions
Part 1: Configure Devices and Verify Connectivity
In this part, you will set up the network topology and configure basic settings, such as the
interface IP addresses and device name. For device name and address information, refer to the
Topology and Addressing Table.

Step 1: Cable the network as shown in the topology.

a. Attach the devices shown in the topology and cable as necessary.
b. Power on all the devices in the topology.

Step 2: Configure the IPv4 address for the PC.

a. Configure the IPv4 address, subnet mask for PC-A.
b. From the command prompt on PC-A, ping the switch address.
Open a Windows command prompt
Question:

Were the pings successful? Explain.

RTA:: No, aun no se ha configurado el puerto físico en el Switch.
Type your answers here.
Close a Windows command prompt

Step 3: Configure basic settings for the switch.

In this step, you will configure the device name and the IP address, and disable DNS lookup on
the switch.
a. Console into the switch and enter global configuration mode.
Open a configuration window.

Switch> enable
Switch# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)#
b. Assign a hostname to the switch based on the Addressing Table.
Switch(config)# hostname S1
c. Disable DNS lookup.
S1(config)# no ip domain-lookup
d. Configure and enable the SVI interface for VLAN 1.
S1(config)# interface vlan 1
S1(config-if)# ip address 192.168.1.2 255.255.255.0
S1(config-if)# no shutdown
S1(config-if)# end
*Mar 1 00:07:59.048: %SYS-5-CONFIG_I: Configured from console by console
Close a configuration window

Step 4: Verify network connectivity.

Open a Windows command prompt.

Ping the switch from PC-A.

Question:

Were the pings successful?

RTA:: Si esta vez si fue posible la conexión con 3 paquetes recibidos.
Type your answers here.
Close a Windows command prompt.

Part 2: Display, Describe, and Analyze Ethernet MAC Addresses

Every device on an Ethernet LAN has a MAC address that is assigned by the manufacturer and
stored in the firmware of the NIC. Ethernet MAC addresses are 48-bits long. They are displayed
using six sets of hexadecimal digits that are usually separated by dashes, colons, or periods.
The following example shows the same MAC address using the three different notation
methods:
00-05-9A-3C-78-00 00:05:9A:3C:78:00 0005.9A3C.7800
Note: MAC addresses are also called physical addresses, hardware addresses, or Ethernet
hardware addresses.
 You will issue commands to display the MAC addresses on a PC and a switch, and analyze the
properties of each one.

Step 1: Analyze the MAC address for the PC-A NIC.

Before you analyze the MAC address on PC-A, look at an example from a different PC NIC. You
can issue the ipconfig /all command to view the MAC address of your NIC. An example screen
output is shown below.
When using the ipconfig /all command, notice that MAC addresses are referred to as physical
addresses. Reading the MAC address from left to right, the first six hex digits refer to the vendor
(manufacturer) of this device. These first six hex digits (3 bytes) are also known as the
organizationally unique identifier (OUI). This 3-byte code is assigned to the vendor by the IEEE
organization.
To find the manufacturer, use the keywords IEEE OUI standards to find an OUI lookup tool on
the internet or navigate to http://standards-oui.ieee.org/oui.txt to find the registered OUI vendor
codes. The last six digits are the NIC serial number assigned by the manufacturer.
a. Using the output from the ipconfig /all command, answer the following questions.
C:\> ipconfig /all
<output
omitted>
Ethernet
adapter
Ethernet:
Connection-specific
DNS Suffix . :
Description . . . . . . . . . . . : Intel(R) 82577LM Gigabit Network
Connection
Physical Address. . . . . . . . . : 5C-26-0A-24-2A-60
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
Link-local IPv6 Address . . . . . :
fe80::b875:731b:3c7b:c0b1%10(Preferred)
IPv4 Address. . . . . . . . . . . : 192.168.1.3 (Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
<output omitted>
Questions:

What is the OUI portion of the MAC address for this device?
RTA:: 5C-26-0A
Type your answers here.
What is the serial number portion of the MAC address for this device?
RTA: 2A-2A-60
Type your answers here.
Using the example above, find the name of the vendor that manufactured this NIC.
Type your answers here.
c. From the command prompt on PC-A, issue the ipconfig /all command and identify
the OUI portion of the MAC address for the NIC of PC-A.
 Type your answers here.
Identify the serial number portion of the MAC address for the NIC of PC-A.
RTA: 11-36-C1
our answers here.
Identify the name of the vendor that manufactured the NIC of PC-A.
RTA: 00-01-96

Type your answers here.

Step 2: Analyze the MAC address for the S1 F0/6 interface.

You can use a variety of commands to display MAC addresses on the switch.
a. Console into S1 and use the show interfaces vlan 1 command to find the MAC address
information. A sample is shown below. Use output generated by your switch to answer the
questions.
Open a configuration window

S1# show interfaces vlan 1

Vlan1 is up, line protocol is up
Hardware is EtherSVI, address is 001b.0c6d.8f40 (bia 001b.0c6d.8f40)
Internet address is 192.168.1.2/24
MTU 1500 bytes, BW 1000000 Kbit/sec, DLY
10 usec, reliability 255/255,
txload 1/255, rxload 1/255
Encapsulation ARPA, loopback not set
Keepalive not supported
ARP type: ARPA, ARP Timeout 04:00:00
Last input never, output 00:14:51, output hang never
Last clearing of "show interface" counters never
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: fifo
Output queue: 0/40 (size/max)
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
 0 packets input, 0 bytes, 0 no buffer
Received 0 broadcasts (0 IP multicasts)
0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
34 packets output, 11119 bytes, 0 underruns
0 output errors, 2 interface resets
0 unknown protocol drops
0 output buffer failures, 0 output buffers swapped out

Question:

What is the MAC address for VLAN 1 on S1?

RTA: 0002.166a.96ba

Type your answers here.

What is the MAC serial number for VLAN 1?
RTA: 6A-96-BA
T
What is the OUI for VLAN 1?
RTA: 00-02-16
Type your answers here.
Based on this OUI, what is the name of the vendor?
RTA: CISCO.
Type your answers here.
What does bia stand for?
RTA: es la direccion real y física que se encuentra del dispositivo.
Type your answers here.
 Why does the output show the same MAC address twice?
RTA: Se pueden generar una MAC, diferente a la real y física por medio de
comandos.
Type your answers here.
b. Another way to display the MAC address on the switch is to use the show arp command.
Use the show arp command to display MAC address information. This command maps the
Layer 2 address to its corresponding Layer 3 address. A sample is shown below. Use output
generated by your switch to answer the questions.
S1# show arp
Protocol Address Age (min) Hardware Addr Type Interface
Internet 192.168.1.2 - 001b.0c6d.8f40 ARPA Vlan1
Internet 192.168.1.3 0 5c26.0a24.2a60 ARPA

Vlan1 What

Layer 2 addresses are displayed on S1?

RTA: las MAC´s del pc y del switch.

Type your answers here.
What Layer 3 addresses are displayed on S1?
RTA: las ip del pc y del switch.

Type your answers here.

Step 3: View the MAC addresses on the switch.

Issue the show mac address-table command on S1. A sample is shown below. Use output
generated by your switch to answer the questions.
S1# show mac address-table
Mac Address Table
-------------------------------------------

Vlan Mac Address Type Ports

---- ----------- -------- -----
All 0100.0ccc.cccc STATIC CPU
All 0100.0ccc.cccd STATIC CPU
All 0180.c200.0000 STATIC CPU
All 0180.c200.0001 STATIC CPU
All 0180.c200.0002 STATIC CPU
All 0180.c200.0003 STATIC CPU
All 0180.c200.0004 STATIC CPU
All 0180.c200.0005 STATIC CPU
All 0180.c200.0006 STATIC CPU
All 0180.c200.0007 STATIC CPU
 All 0180.c200.0008 STATIC CPU
All 0180.c200.0009 STATIC CPU
All 0180.c200.000a STATIC CPU
All 0180.c200.000b STATIC CPU
All 0180.c200.000c STATIC CPU
All 0180.c200.000d STATIC CPU
All 0180.c200.000e STATIC CPU
All 0180.c200.000f STATIC CPU
All 0180.c200.0010 STATIC CPU
All ffff.ffff.ffff STATIC CPU
1 5c26.0a24.2a60 DYNAMIC Fa0/6
Total Mac Addresses for this criterion: 21
Question:

Did the switch display the MAC address of PC-A? If you answered yes, what port was
it on?
RTA: Si pertenece al puerto FA0/6.
Type your answers here.

Reflection Questions
1. Can you have broadcasts at the Layer 2 level? If so, what would the MAC address be?
RTA: Si usando una dirección broadcast FF.FF.FF.FF.FF.FF.FF.FF
Type your answers here.
2. Why would you need to know the MAC address of a device?
RTA: Se obtiene mucha información a partir de esta, como el vendedor del
dispositivo, además que la MAC es única del dispositivo, por ende permite localizar
un dispositivo de mejor manera que con la IP.
Type your answers here.
End of Document
LAB 7.3.7 Lab - View the Switch MAC
Address Table Topology
Lab - View the Switch MAC Address Table

Topology

Addressing Table
Device Interface IP Address Subnet Mask

S1 VLAN 1 192.168.1.11 255.255.255.0

S2 VLAN 1 192.168.1.12 255.255.255.0
PC-A NIC 192.168.1.1 255.255.255.0
PC-B NIC 192.168.1.2 255.255.255.0

Objectives
Part 1: Build and Configure the Network
Part 2: Examine the Switch MAC Address Table
Background / Scenario
The purpose of a Layer 2 LAN switch is to deliver Ethernet frames to host devices on the
local network. The switch records host MAC addresses that are visible on the network,
and maps those MAC addresses to its own Ethernet switch ports. This process is called
building the MAC address table. When a switch receives a frame from a PC, it examines
the frame’s source and destination MAC addresses. The source MAC address is recorded
and mapped to the switch port from which it arrived. Then the destination MAC address is
looked up in the MAC address table. If the destination MAC address is a known address,
then the frame is forwarded out of the corresponding switch port associated with that
MAC address. If the MAC address is unknown, then the frame is broadcasted out of all
switch ports, except the one from which it came. It is important to observe and
understand the function of a switch and how it delivers data on the network. The way a
switch operates has implications for network administrators whose job it is to ensure
secure and consistent network communication.

Switches are used to interconnect and deliver information to computers on local area
networks. Switches deliver Ethernet frames to host devices identified by network interface
card MAC addresses.

Cisco and/or its affiliates. All rights reserved. Cisco

In Part 1, you will build a multi-switch topology with a trunk linking the two switches. In
Part 2, you will ping various devices and observe how the two switches build their MAC
address tables.

Note: The switches used are Cisco Catalyst 2960s with Cisco IOS Release 15.2(2)
(lanbasek9 image). Other switches and Cisco IOS versions can be used. Depending on the
model and Cisco IOS version, the commands available and output produced might vary
from what is shown in the labs.

Note: Make sure that the switches have been erased and have no startup configurations. If
you are unsure contact your instructor.

Required Resources
• 2 Switches (Cisco 2960 with Cisco IOS Release 15.2(2) lanbasek9 image or
comparable)
• 2 PCs (Windows with terminal emulation program, such as Tera Term)
• Console cables to configure the Cisco IOS devices via the console ports
• Ethernet cables as shown in the topology
Note: The Fast Ethernet interfaces on Cisco 2960 switches are autosensing and an
Ethernet straight-through cable may be used between switches S1 and S2. If using
another model Cisco switch, it may be necessary to use an Ethernet crossover cable.
Instructions Part 1: Build and Configure the Network
Step 1: Cable the network according to the topology.

Step 2: Configure PC hosts.

Step 3: Initialize and reload switches as necessary.

Step 4: Configure basic settings for each switch.

O
p
e
n
c
o
n
f
i
g
u
r
a
t
i
o
n
w
i
n
d
o
w

a. Configure device name as shown in the topology.

b. Configure IP address as listed in Addressing Table.
c. Assign cisco as the console and vty passwords.
d. Assign class as the privileged EXEC password.

C
l
o
s
e
c
o
n
f
i
g
u
r
a
t
i
o
n
w
i
n
d
o
w
Part 2: Examine the Switch MAC Address Table
A switch learns MAC addresses and builds the MAC address table, as network devices
initiate communication on the network.

Step 1: Record network device MAC addresses.

a. Open a command prompt on PC-A and PC-B and type ipconfig /all.
O
p
e
n
W
i
n
d
o
w
s
c
o
m
m
a
n
d
p
r
o
m
p
t
Question:

What are the Ethernet adapter physical addresses?

PC-A MAC Address: 0090.2B14.E4AE

Type your answers here.

PC-B MAC Address: 0007.ECC5.EBBA
 Type your answers here.
C
l
o
s
e
W
i
n
d
o
w
s
c
o
m
m
a
n
d
p
r
o
m
p
t

b. Console into switch S1 and S2 and type the show interface F0/1 command on each
switch.
O
p
e
n
a
c
o
n
f
i
g
u
r
a
t
i
o
n
w
i
n
d
o
w
Questions:

On the second line of command output, what is the hardware addresses (or burned-in
address [bia])?

S1 Fast Ethernet 0/1 MAC Address: bia 00e0.f98c.2001

Type your answers here.

S2 Fast Ethernet 0/1 MAC Address: bia 00e0.f99d.3301
 Type your answers here.
C
l
o
s
e
a
c
o
n
f
i
g
u
r
a
t
i
o
n
w
i
n
d
o
w

Step 2: Display the switch MAC address table.

 Console into switch S2 and view the MAC address table, both before and after running
network communication tests with ping.

a. Establish a console connection to S2 and enter privileged EXEC mode.

O
p
e
n
a
c
o
n
f
i
g
u
r
a
t
i
o
n
w
i
n
d
o
w

b. In privileged EXEC mode, type the show mac address-table command and press
Enter.

S2# show mac address-table

Even though there has been no network communication initiated across the network
(i.e., no use of ping), it is possible that the switch has learned MAC addresses from its
connection to the PC and the other switch.
Questions:

Are there any MAC addresses recorded in the MAC address table?

Type your answers here.

What MAC addresses are recorded in the table? To which switch ports are they
mapped and to which devices do they belong? Ignore MAC addresses that are
mapped to the CPU.

RTA:: Si solo una, la conexión a el S1.

 Type your answers here.

If you had not previously recorded MAC addresses of network devices in Step 1, how
could you tell which devices the MAC addresses belong to, using only the output from
the show mac address-table command? Does it work in all scenarios?

RTA:: No, o en algunos caso los que son reservados para CPU.

Type your answers here.

Step 3: Clear the S2 MAC address table and display the MAC address table again.
a. In privileged EXEC mode, type the clear mac address-table dynamic command and
press Enter.

S2# clear mac address-table dynamic

b. Quickly type the show mac address-table command again.
Questions:

Does the MAC address table have any addresses in it for VLAN 1? Are there other MAC
addresses listed?

RTA:: Solo muestra la mac del switch 1.

Type your answers here.

Wait 10 seconds, type the show mac address-table command, and press Enter. Are
there new addresses in the MAC address table?
 Type your answers here.
C
l
o
s
e
a
c
o
n
f
i
g
u
r
a
t
i
o
n
w
i
n
d
o
w

Step 4: From PC-B, ping the devices on the network and observe the switch MAC address
table.
a. From PC-B, open a command prompt and type arp -a.
O
p
e
n
a
c
o
m
m
a
n
d
p
r
o
m
p
t
Question:

Not including multicast or broadcast addresses, how many device IP-to-MAC address
pairs have been learned by ARP?
 RTA:: ninguna.

Type your answers here.

b. From the PC-B command prompt, ping PC-A, S1, and S2.
Question:

Did all devices have successful replies? If not, check your cabling and IP
configurations.
 RTA:: Si todos conectaron correctamente.

Type your answers here.

C
l
o
s
e
a
c
o
m
m
a
n
d
p
r
o
m
p
t

c. From a console connection to S2, enter the show mac address-table command.
O
p
e
n
a
c
o
n
f
i
 g
u
r
a
t
i
o
n
w
i
n
d
o
w
Q
u
e
s
t
i
o
n
:

Has the switch added additional MAC addresses to the MAC address table? If so,
which addresses and devices?

RTA:: Si añadió los que se usaron para hacer un ping desde el pc-b.

Type your answers here.

C
l
o
s
e
a
c
o
n
f
i
g
u
r
a
t
i
o
n
w
i
n
d
o
w
O
p
e
n
a
c
o
m
m
a
n
d
p
r
o
m
p
t

From PC-B, open a command prompt and retype arp -a.

Question:

Does the PC-B ARP cache have additional entries for all network devices that were
sent pings?
 RTA:: Si, ahora si están todas las entradas a las que se hizo ping.

Type your answers here.

C
l
o
s
e
a
c
o
m
m
a
n
d
p
r
o
m
p
t

Reflection Question
On Ethernet networks, data is delivered to devices by their MAC addresses. For this to
happen, switches and PCs dynamically build ARP caches and MAC address tables. With
only a few computers on the network this process seems fairly easy. What might be some
of the challenges on larger networks?

RTA:: Es fácil suplantar la identidad de un dispositivo, pues arp no valida las

informaciones de las MAC´s e IP´s recibidas.

Type your answers here.

E
n
d
o
f
D
o
c
u
m
e
n
t