Lap 5 – Team 8 – IA1906 – NWC204

7.1.6
Part 1: Examine the Header Fields in an Ethernet II Frame
Step 1: Review the Ethernet II header field descriptions and lengths.

Step 2: Examine the network configuration of the PC.

In this example, this PC host IP address is 192.168.1.147 and the default
gateway has an IP address of 192.168.1.1.
C:\> ipconfig /all

Step 3: Examine Ethernet frames in a Wireshark capture.

Step 4: Examine the Ethernet II header contents of an ARP request

What is significant about the contents of the destination address field?

 All hosts on the LAN will receive this broadcast frame. The host with
the IP address of 192.168.1.1 (default gateway) will send a unicast
reply to the source (PC host). This reply contains the MAC address of
the NIC of the default gateway.
Why does the PC send out a broadcast ARP prior to sending the first ping
request?
 The PC cannot send a ping request to a host until it determines the
destination MAC address, so that it can build the frame header for that
ping request. The ARP broadcast is used to request the MAC address of
the host with the IP address contained in the ARP.
What is the MAC address of the source in the first frame?
 It varies; in this case, it is f0:1f:af:50:fd:c8.
What is the Vendor ID (OUI) of the Source NIC in the ARP reply?
 It varies, in this case, it is Netgear.
What portion of the MAC address is the OUI?
  The first 3 octets of the MAC address indicate the OUI.
What is the NIC serial number of the source?
 It may vary, it is 99:c5:72 in this case.

Part 2: Use Wireshark to Capture and Analyze Ethernet Frames

Step 1: Determine the IP address of the default gateway on your PC.

What is the IP address of the PC default gateway?

 192.168.1.1

Step 2: Start capturing traffic on your PC NIC.

a. Open Wireshark to start data capture.
b. Observe the traffic that appears in the packet list window.

Step 3: Filter Wireshark to display only ICMP traffic.

Step 4: From the command prompt window, ping the default gateway of your
PC. Open a Windows command prompt.
From the command window, ping the default gateway using the IP address
that you recorded in Step 1.
Step 5: Stop capturing traffic on the NIC.
Click the Stop Capturing Packets icon to stop capturing traffic.

Step 6: Examine the first Echo (ping) request in Wireshark.

a. In the packet list pane (top section), click the first frame listed. You should
see Echo (ping) request under the Info heading. The line should now be
highlighted.
B. Examine the first line in the packet details pane (middle section). This line
displays the length of the frame

c. The second line in the packet details pane shows that it is an Ethernet II
frame. The source and destination MAC addresses are also displayed.
What is the MAC address of the PC NIC?
 f4:7b:09:4e:dc:fc
What is the default gateway’s MAC address?
 a0:cf:f5:a0:61:a2
You can click the greater than (>) sign at the beginning of the second line to
obtain more information about the Ethernet II frame. What type of frame is
displayed?
 0x0800 or an IPv4 frame type.
e. The last two lines displayed in the middle section provide information
about the data field of the frame.
What is the source IP address?
 192.168.1.3
What is the destination IP address?
 199.232.46.172

f. You can click any line in the middle section to highlight that part of the
frame (hex and ASCII) in the Packet Bytes pane (bottom section
What do the last two highlighted octets spell?
 hi
g. Click the next frame in the top section and examine an Echo reply frame
What device and MAC address is displayed as the destination address?
 (a0:cf:f5:a0:61:a2)
Step 7: Capture packets for a remote host.
a. Click the Start Capture icon to start a new Wireshark capture

b. In a command prompt window, ping www.cisco.com.

c. Stop capturing packets.

d. Examine the new data in the packet list pane of Wireshark.
In the first echo (ping) request frame, what are the source and destination
MAC addresses?
Source: This should be the MAC address of the PC.

Destination: This should be the MAC address of the Default Gateway.

What are the source and destination IP addresses contained in the data field
of the frame?
Source:This is still the IP address of the PC.

Destination:This is the address of the server at www.cisco.com.

Compare these addresses to the addresses you received in Step 6. The only
address that changed is the destination IP address. Why has the destination
IP address changed, while the destination MAC address remained the same?
 Layer 2 frames never leave the LAN. When a ping is issued to a remote
host, the source will use the default gateway MAC address for the
frame destination. The default gateway receives the packet, strips the
Layer 2 frame information from the packet and then creates a new
frame header with the MAC address of the next hop. This process
 continues from router to router until the packet reaches its destination
IP address.

Reflection Question

Wireshark does not display the preamble field of a frame header. What does
the preamble contain?
 The preamble field contains seven octets of alternating 1010
sequences, and one octet that signals the beginning of the frame,
10101011.

7.2.7

Part 1: Configure Devices and Verify Connectivity

Step 1: Cable the network as shown in the topology.
a. Attach the devices shown in the topology and cable as necessary.
b. Power on all the devices in the topology.
Step 2: Configure the IPv4 address for the PC.
a. Configure the IPv4 address, subnet mask for PC-A.

b. From the command prompt on PC-A, ping the switch address.

Were the pings successful? Explain
 No, it was not successful because the switch has not been configured
with an IP address yet.

Step 3: Configure basic settings for the switch.

a. Console into the switch and enter global configuration mode.

b. Assign a hostname to the switch based on the Addressing Table.

c. Disable DNS lookup.
d. Configure and enable the SVI interface for VLAN 1.
Step 4: Verify network connectivity.
Ping the switch from PC-A.

Question: Were the pings successful?

 Yes, the switch was configured with an IP address on VLAN 1 so PC-1
was able to ping.

Part 2: Display, Describe, and Analyze Ethernet MAC Addresses

Step 1: Analyze the MAC address for the PC-A NIC.
a. Using the output from the ipconfig /all command
C:\> ipconfig /all

What is the OUI portion of the MAC address for this device?
 5C-26-0A
What is the serial number portion of the MAC address for this device?
 24-2A-60
Using the example above, find the name of the vendor that
manufactured this NIC.
 Dell Inc.

b. From the command prompt on PC-A, issue the ipconfig /all command
 Identify the OUI portion of the MAC address for the NIC of PC-A.
 00-0A-41
Identify the serial number portion of the MAC address for the NIC of PC-A.
 EE-98-55

Identify the name of the vendor that manufactured the NIC of PC-A.
 Cisco Systems, Inc
Step 2: Analyze the MAC address for the S1 F0/6 interface.
a, Console into S1 and use the show interfaces vlan 1 command to find the
MAC address information. A sample is shown below. Use output generated by
your switch to answer the questions.
 What is the MAC address for VLAN 1 on S1?
 0002.4ac7.a27b
What is the MAC serial number for VLAN 1?
 C7-A2-7B
What is the OUI for VLAN 1?
 00-02-4A
Based on this OUI, what is the name of the vendor?

 Cisco Systems, Inc

What does bia stand for?
 Burned In Address (MAC)
Why does the output show the same MAC address twice?
 One is burned in (bia) and the other is stored in RAM and may be
modified
b, Another way to display the MAC address on the switch is to use the show
arp command.
What Layer 2 addresses are displayed on S1?
 The MAC address of the switch and the address of PC-A
What Layer 3 addresses are displayed on S1?
 The IP address of the switch and the address of PC-A
Step 3: View the MAC addresses on the switch

Did the switch display the MAC address of PC-A? If you answered yes, what
port was it on?
 Fa0/6
Reflection Questions
1. Can you have broadcasts at the Layer 2 level? If so, what would the MAC
address be?
=> FF:FF:FF:FF:FF:FF
2. Why would you need to know the MAC address of a device?
=> MAC addresses are the identifiers of a host within a local network
 7.3.7

Lab - View the Switch MAC Address Table

Part 1: Build and Configure the Network
Step 1: Cable the network according to the topology.

Step 2: Configure PC hosts.

Step 3: Initialize and reload switches as necessary.

Step 4: Configure basic settings for each switch. Open configuration window
a. Configure device name as shown in the topology.
b. Configure IP address as listed in Addressing Table.

c. Assign cisco as the console and vty passwords.

d. Assign class as the privileged EXEC password.
Part 2: Examine the Switch MAC Address Table
Step 1: Record network device MAC addresses.
a, Open a command prompt on PC-A and PC-B and type ipconfig /all.
Question: What are the Ethernet adapter physical addresses?
 PC-A MAC Address: 000C.CF2E.BE8E

 PC-B MAC Address: 0040.0B11.ADEE

c. Console into switch S1 and S2 and type the show interface F0/1
command on each switch.
Questions: On the second line of command output, what is the hardware
addresses (or burned-in address [bia])?
 S1 Fast Ethernet 0/1 MAC Address: 0001.9672.9201
 S2 Fast Ethernet 0/1 MAC Address: 0005.5e56.4501

Step 2: Display the switch MAC address table.

a. Establish a console connection to S2 and enter privileged EXEC mode.
b. In privileged EXEC mode, type the show mac address-table command
and press Enter.
S2# show mac address-table

Are there any MAC addresses recorded in the MAC address table?
 Yes
What MAC addresses are recorded in the table? To which switch ports are
they mapped and to which devices do they belong? Ignore MAC addresses
that are mapped to the CP
 1 0001.9672.9201 DYNAMIC Fa0/1
Step 3: Clear the S2 MAC address table and display the MAC address table
again.
a. In privileged EXEC mode, type the clear mac address-table dynamic
command and press Enter. S2# clear mac address-table dynamic
b. Quickly type the show mac address-table command again.
Questions: Does the MAC address table have any addresses in it for VLAN 1?
Are there other MAC addresses listed?

 No. The student will most likely discover that the MAC address for the
other switch’s F0/1 switch port has been quickly reinserted in the MAC
address table.
Wait 10 seconds, type the show mac address-table command, and press
Enter. Are there new addresses in the MAC address table?
 No
Step 4: From PC-B, ping the devices on the network and observe the switch
MAC address table.
a. From PC-B, open a command prompt and type arp -a.

Question: Not including multicast or broadcast addresses, how many device

IP-to-MAC address pairs have been learned by ARP?
=> The ARP cache may have no entries in it, or it may have the gateway IP
address to MAC address mapping.
b. From the PC-B command prompt, ping PC-A, S1, and S2.
Question: Did all devices have successful replies? If not, check your cabling
and IP configurations.
=> yes
c. From a console connection to S2, enter the show mac address-table
command. Open a configuration window

Question: Has the switch added additional MAC addresses to the MAC
address table? If so, which addresses and devices?
 There may only be one additional MAC address mapping added to the
table, most likely the MAC address of PC-A.
From PC-B, open a command prompt and retype arp -a.

Question: Does the PC-B ARP cache have additional entries for all network
devices that were sent pings?
 yes
Reflection Question
On Ethernet networks, data is delivered to devices by their MAC addresses.
For this to happen, switches and PCs dynamically build ARP caches and MAC
address tables. With only a few computers on the network this process
seems fairly easy. What might be some of the challenges on larger
networks?
 ARP broadcasts could cause broadcast storms. Because ARP and
switch MAC tables do not authenticate or validate the IP addresses to
MAC addresses it would be easy to spoof a device on the network.