CCIE Pursuit Blog

August 10, 2008

Internetwork Expert Volume II: Lab 5 – Section 10

Section 10 – IP Services – 4 Points

10.1 DNS

Configure your network so that telnet sessions from r6 can reach other routers by their DNS names.  This sounds like a simple matter of just assigning host names to the routers’ loopback addresses. But they also specify a DNS server IP address.  There’s also this:

“This configuration should not affect any other [that vty 0 4] lines on r6”

Configuring DNS

The solution is very simple:

r6(config)#ip name-server

And then it gets weird:

r6(config)#ip domain-lookup
r6(config)#line con 0
r6(config-line)#transport preferred none

I say weird because one of the requirements is “if a user mistypes a command while on the console port it should not try to look it up in DNS.”  Generally, “no ip domain-lookup” takes care of this. It turns out that “transport preferred none” will handle this as well, but at the line level.  So as long as you are connected via the console port you’ll be fine.  Turning on “ip domain-lookup” globally will ensure that all other users (not on the console port) will endure the frustration of DNS lookups for fat-fingered commands. 

10.2 Local Authorization

Configure r6 so that NOC users login (via telnet) at privilege level 2 and can only see the running configuration for hostname, interfaces, interface encapsulations, and any IP access-lists applied to interfaces.

r6(config)#username NOC privilege 2 password CISCO
r6(config-line)#do sh run | sec vty
line vty 0 4
 password cisco
r6(config)#line vty 0 4
r6(config-line)#login local

Now to configure what options privilege level 2 users can see:

privilege interface level 2 ip access-group
privilege interface level 2 ip <- IOS added this
privilege interface level 2 encapsulation
privilege configure level 2 interface
privilege configure level 2 hostname
privilege exec level 2 show running-config
privilege exec level 2 show <- IOS added this

Testing it out: 

Trying … Open

User Access Verification

Username: NOC
r6#sh privi
Current privilege level is 2
r6#sh run
Building configuration…

Current configuration : 204 bytes
hostname r6
interface Loopback0
interface FastEthernet0/0
interface Serial0/0
interface Serial0/0.1 multipoint
interface FastEthernet0/1


That looks right except for the encapsulation.  s0/0 is configured for Frame-Relay and that should show up.  If I changed it to “privilege interface level 2 encapsulation frame-relay” then it would work.

I also don’t understand why IE did not set up a NOC username and login local under the vty line.


  1. To see the encapsulations you would have to do this:

    privilege interface all level 2 encapsulation

    The keyword “all” allows all encapsulations to be displayed (unless it’s HDLC or any defaults). Any time you have a command separated by a space and you want any keywords after that to appear, you need the word “all”.

    hope that helps 🙂

    Comment by DH — August 10, 2008 @ 10:27 pm | Reply

  2. @DH – Thank you. That’s a great piece of information.

    Comment by cciepursuit — August 11, 2008 @ 8:54 am | Reply

RSS feed for comments on this post. TrackBack URI

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

Blog at

%d bloggers like this: