CCNA-LAB-GUIDE-V3_LAST-ADDITION (4).pdf

CCNA Routing & Switching v3 LAB Guide
1
Ashish Halder (CCNA RnS, CCNP RnS, CCNA Sec, CCNP Sec, CCIE Sec-written), All rights are reserved
CCNA RnS, CCNA Sec, CCNP RnS, CCNP Sec, CCIE Sec (written)

2
I have dedicated this book to my sweet angel Arshia
and
to my beloved Eva !
Special thanks to Mony, Opu and Tapos who has given me encourage to write this book.
All rights reserved. No part of this book may be reproduced or transmitted in any form or by
any means, electronic or mechanical, including photocopying, recording, or by any
information storage and retrieval system, without written permission from the publisher,
except for the inclusion of brief quotations in a review.
Published in the Bangladesh
First Edition November 2017
Copyright® 2017 akhtechnologypark ltd.
Published by:
ATech Press
42, Kawran Bazar
Dhaka-1215
Cell:+88-01830618474

3
Contents
1. Cisco CLI mode ----------------------------------------------------------------------------- 5
2. Basic Configuration of Router and Switch ------------------------------------------------------- 7
3. Configuring SSH Access to Cisco Device -------------------------------------------------------- 14
4. Backup and restoring your configuration ------------------------------------------------------- 18
5. VLAN, Access and Trunk Port Configuration ----------------------------------------------------- 20
6. VTP Configuration ------------------------------------------------------------------------------ 27
7. Etherchannel Configuration ------------------------------------------------------------------------ 30
8. VLAN, VTP, Etherchannel and Inter-VLAN Routing configuration----------------------------- 33
9. Inter-Vlan Routing Configuration on L3 Switch (SVI) -------------------------------------------- 42
10. Configure Port Security ----------------------------------------------------------------------------- 45
11. Configure portfast ---------------------------------------------------------------------------------- 51
12. Configure BPDU Guard on Cisco Switch ------------------------------------------------------------ 52
13. Configure Root Guard on Cisco Switch ------------------------------------------------------------- 53
14. Spanning tree behavior - mode , priority value, root bridge ---------------------------------- 56
15. DHCP Configuration on Cisco Router ----------------------------------------------------------------58
16. DHCP Configuration on Cisco Switch --------------------------------------------------------------- 61
17. Static route and Static default route configuration --------------------------------------------- 63
18. Static default route configuration --------------------------------------------- ----------------- - -67
19. RIPv2 Basic configuration -----------------------------------------------------------------------------71
20. RIP Passive Interface ------------------------------------------------------------------------------- 75
21. Configure RIP Authentication -----------------------------------------------------------------------76
22. EIGRP configuration (EIGRP Neighbor Adjacency) -------------------------------------------- --- 84
23. EIGRP Passive Interface ---------------------------------------------------------------------- ---- - 86
24. EIGRP Authentication -------------------------------------------------------------------------- -- - -89
25. EIGRP Hold time and Hello time ----------------------------------------------------------- -- -91
26. EIGRP Summarization ------------------------------------------------------------------------- ----- - 92
27. EIGRP Project LAB --------------------------------------------------------------------------------- - 95
28. OSPF Configuration --------------------------------------------------------------------------------- 107
29. OSPF Virtual LAB ------------------------------------------------------------------------------------- 108
30. OSPF Authentication --------------------------------------------------------------------------------- 110

4
31. OSPF summarization --------------------------------------------------------------------------------- 112
32. PPP and HDLC ---------------------------------------------------------------------------------------- 113
33. BGP Basic Configuration -----------------------------------------------------------------------------117
34. BGP peering with loopback Address ----- ---------------------------------------------------------120
35. BGP Single Homed Design ---------------------------------------------------------------------------123
36. BGP Redundancy with Load Sharing ---------------------------------------------------------------129
37. HSRP Configuration ----------------------------------------------------------------------------------131
38. Standard ACL -----------------------------------------------------------------------------------------137
39. Extended ACL -----------------------------------------------------------------------------------------140
40. Named ACL --------------------------------------------------------------------------------------------144
41. Staci NAT ---------------------------------------------------------------------------------------------146
42. ICMP Configuration -----------------------------------------------------------------------------------150
43. Dynamic NAT -----------------------------------------------------------------------------------------154
44. Static PAT ---------------------------------------------------------------------------------------------155
45. Dynamic PAT -----------------------------------------------------------------------------------------159
46. Configure GRE Tunnel ------------------------------------------------------------------------------160
47. AAA configuration ----------------------------------------------------------------------------- 163
48. Syslog Server ---------------------------------------------------------------------------------------169
49. SNMPv3 Configurtion ---------------------------------------------------------------------------------173
50. Password Recovery ---------------------------------------------------------------------------------- 175
51. Final Project ----------------------------------------------------------------------------------------177
52. Configure IPv6 -------------------------------------------------------------------------------------- 193
53. Configure IPv6 Static Route ----------------------------------------------------------------------- 196
54. Configure RIPNG on Cisco Router ----------------------------------------------------------------- -199
55. Dual-Stack Example ----------------------------------------------------------------------------------201
56. Site-to-Site VPN Configuration ------------------------------------------------------------------- --203
==============================================================================
Appendix
Subnetting----------------------------------------------------------209

5
LAB 1: CISCO CLI MODE
Cisco routers have different configuration modes based on the model. Mainly two modes :
EXEC Mode Prompt Typical Use
User ccna> Check the router status
Privileged ccna # Accessing the router
From privileged Mode we enter into the Global Configuration mode with "config ternminal" command.
To be access either User Exec or Privileged mode a password is needed if we set password. From Global
Configuration Mode (password is not needed here) we can configure interfaces, routing protocols,
access lists and many more.
Some of the specific configuration modes can be entered from Global Configuration Mode and other
from Privileged mode:
User Exec Mode ( ">" prompt) : It is used to get statistics from router, see which version IOS you're
running, check memory resources and a few more things.
Privileged Mode ( "#" prompt): Here you can enable or disable interfaces on the router, get more
detailed information on the router, for example, view the running configuration of the router, copy the

6
configuration, load a new configuration to the router, backup or delete the configuration, backup or
delete the IOS and a lot more.
Global Configuration Mode ("config# " prompt): It is accessible via Privileged Mode. In this mode we
can configure each interface individually, setup banners and passwords, enable secrets (encrypted
passwords), enable and configure routing protocols and a lot more. Every time we want to configure or
change something on the router, we will need to be in this mode.
Examples :
Router>------------------------- User Exec Mode
Router>enable ----------------- Enter Privileged Mode
Router#-------------------------- Privileged Mode
Router#disable ---------------- Enter User Exec Mode
Router>-------------------------- User Exec Mode
Router#conf ig terminal------ Enter Global Configuration Mode
Router(config)#----------------- Global Configuration Mode
Router(config)#interface fastEthernet 0/0---- Enter Interface Configuration Mode

7
Router(config-if)#-------------------------------- Interface Configuration Mode
Router(config)#interface fastEthernet 0/0.10-- Enter Sub-Interface Configuration Mode
Router(config-subif)#------------------------------ Sub-Interface Configuration Mode
Router(config)#line vty 0 4----------------------- Enter Line Mode
Router(config-line)#------------------------------- Line Mode
================================================================================
LAB2. BASIC CONFIGURATION OF ROUTER AND SWITCH
Objective:
2. Configure the Switch (DU)as follows:
 hostname
 login banner
 enable password for accessing privilege mode
 assign console password to prevent console login
 assign IP for vlan 1 (Management VLAN)
 configure virtual terminal for telnet session
 set default gateway for the switch
1. Configure the Router (BUET) as follows:
 hostname

8
 login banner
 enable password for accessing privilege mode
 Assign IP Address on Router Interface
 assign console password to prevent console login
 configure virtual terminal for telnet session

3. Assign IP for the PC
4. Save all configurations
5. Verification
Switch – DU Configuration
1. First check the startup-config and running-config…If there any configuration is exist
When you type a command in the global configuration mode it is stored in the running configuration. A
running configuration resides in a device’s RAM, so if a device loses power, all configured commands
will be lost.
So you need to copy your current configuration into a startup configuration. A startup configuration is
stored in the NVRAM of a device, now all configurations are saved even if the device loses power.
Check the startup-config and running-config
Switch#show startup-config
Startup-config is not present
Switch#show running-config
There are two ways to save your configuration:
Switch#copy running-config startup-config
or
Switch# write memory
2. Enter global configuration mode and configure Hostname as DU
Switch#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Switch (config) #hostname DU
DU(config)#
3. Assign password cisco123
Enable password will restrict one's access to privilege mode which is like a root user's password. We can
set it in two ways: enable password / enable secret command.

9
enable secret password provides encryption automatically using MD5 hash algorithm.
The enable password password does not encrypt the password and can be view in clear text in the
running-config. In order to encrypt the enable password password , use the service password-
encryption command. Actually, the enable secret password command provides stronger encryption
than the service password-encryption command.
DU(config)#enable secret cisco123
4. Configure login banner
A login banner is displayed whenever someone connects to the router by telnet or console connections
DU(config)#banner motd "Unauthorized Users are highly Prohibited to login
here"
DU(config)#
5. Console Password
We can protect console port of Cisco devices using console port password.
DU(config)#line console 0
DU(config-line)#password ashish123
DU(config-line)#login
DU(config-line)#exit
DU(config)#
6. Telnet configuration for remote access
Telnet is a user command and an underlying TCP/IP protocol for accessing remote devices.
The VTY lines are the Virtual Terminal lines of the router. They are Virtual in the sense that they are a
function of software - there is no hardware associated with them. They appear in the configuration as
line vty 0 4.
DU#conf t
DU(config)#line vty 0 4
DU(config-line)#password ashish@123#
7. Configure management vlan for remotely access on the switch
By default, all switch ports are part of VLAN 1. VLAN 1 contains control plane traffic and can contain
user traffic.
By default, VLAN 1 is the management VLAN. Management VLAN is used for purposes such as telnet,
SNMP, and syslog.

10
DU(config)#interface vlan 1
DU(config-if)#ip address 192.168.10.10 255.255.255.0
DU(config-if)#no shutdown
DU(config-if)#exit
DU(config)#
8. Configure default-gateway for the switch
The switch should be configured with a default gateway if the switch will be managed remotely from
networks not directly connected. The default gateway is the first Layer 3 device (such as a router) on
the same management VLAN network to which the switch connects. The switch will forward IP packets
with destination IP addresses outside the local network to the default gateway.
DU(config)#ip default-gateway 192.168.10.1
----------------------------------------------------------------------------------------------------------------------------
Router – BUET Configuration
1. First check the startup-config and running-config
Router#show startup-config
startup-config is not present
Router#show running-config
2. Configure Hostname as BUET
Router #conf t
Router (config)#hostname BUET
BUET(config)#
3. Assign enable secret password cisco123
BUET(config)#enable secret cisco123
BUET(config)#
4. Configure login banner
BUET(config)#banner motd "Do not try to access here"
5. Console password
BUET(config)#line console 0
BUET(config-line)#password ashish123
BUET(config-line)#login
BUET(config-line)#exit
BUET(config)#

11
6. Enter Virtual Terminal lines and give a password ashish@123#, to login remotely
BUET(config)#line vty 0 4
BUET(config-line)#password ashish@123#
BUET(config)#
7. Configure IP Address Router's on Interface
Enter global configuration mode
BUET# config terminal
BUET(config)#
Enter FastEthernet 0/0 interface configuration mode :
BUET(config)#interface fastEthernet 0/0
BUET(config-if)#
Enter IP address and subnet mask:
BUET(config-if)#ip address 192.168.10.1 255.255.255.0
By default, all interfaces on a Cisco router are “Administratively Down”. To bring an interface up, issue
the no shutdown command.
BUET(config-if)#no shutdown
BUET(config-if)#exit
BUET(config)#
8. Save Configuration
BUET#write memory
Building configuration...
[OK]
BUET#
DU#write memory
[OK]
you can also save configuration using
BUET# copy running-config start-up config
But be sure about the command, cannot be reversed as:
copy start-up config running-config

12
Then your entire configuration will be lost or backup from NVRAM.
9. Assign IP to all hosts
11. Now ping to all devices from any PC
C:>ping 192.168.10.2
Pinging 192.168.10.2 with 32 bytes of data:
Reply from 192.168.10.2: bytes=32 time=1ms TTL=128
Reply from 192.168.10.2: bytes=32 time<1ms TTL=128
C:>ping 192.168.10.3

13
C:>ping 192.168.10.1
14. Now logon to the router remotely
C:>telnet 192.168.10.1
Trying 192.168.10.1 ...Open
Do not try to access here
User Access Verification
Password:
Password:
BUET>
16. Now logon to the switch remotely
C:>telnet 192.168.10.10
Trying 192.168.10.10 ...Open
Unauthorized Users are highly prohibited to login here
Password:
DU>
N.B. if the switch is L3 you can assign IP address to its interfaces as follows:
DU(config)#interface fastEthernet 0/2
DU(config-if)# no switchport
DU(config-if)# ip address 192.168.10.10 255.255.255.0
DU(config-if)# no shutdown
For routing capabilities you can also follow the rules
DU(config)# ip routing
LAB 3: CONFIGURING SSH ON CISCO SWITCH AND ROUTER

14
Telnet was designed to work within a private network and not across a public network where
threats can appear. Because of this, all the data is transmitted in plain text, including
passwords. This is a major security issue and the developers of SSH used encryptions to make
it harder for other people to sniff the password and other relevant information.
Secure Shell (SSH) is a protocol which provides a secure remote access connection to network
devices. Communication between the client and server is encrypted in SSH. To do this, it uses
a RSA public/private keypair.
There are two versions: version 1 and 2. Version 2 is more secure and commonly used.
Enable SSH on Cisco Switch
Step 1: Configure Management IP
Switch#conf t
Switch(config)#interface vlan 1
Switch(config-if)#ip address 192.168.10.10 255.255.255.0
Switch(config-if)#no shutdown
Step 2 : Configure default gateway points to the router
Switch(config)#ip default-gateway 192.168.10.1
Step 3: Configure hostname and domain name
The name of the RSA keypair will be the hostname and domain name of the router.

15
Switch(config)#hostname ASHISH-SW
ASHISH-SW(config)#ip domain-name ashish.com
Step 4 :Generate the RSA Keys
ASHISH-SW(config)#crypto key generate rsa
The name for the keys will be: ASHISH-SW.ashish.com
Choose the size of the key modulus in the range of 360 to 2048 for your
General Purpose Keys. Choosing a key modulus greater than 512 may take
a few minutes.
How many bits in the modulus [512]: 2048
% Generating 2048 bit RSA keys, keys will be non-exportable...[OK]
ASHISH-SW(config)#
Key sizes of 1024 or smaller should be avoided. Larger key sizes take longer time to calculate
and enhance more security
Step 5: SSH version 1 is the default version. So change it to version 2
ASHISH-SW(config)#ip ssh version 2
Step 6 : Setup the Line VTY configurations
ASHISH-SW(config)#line vty 0 4
ASHISH-SW(config-line)#transport input ssh
ASHISH-SW(config-line)#login local
Step 7: Create the username password
ASHISH-SW(config)#username ashish privilege 15 password cisco123
Step 8: Create enable password
ASHISH-SW(config)#enable secret cisco123
Step 9: create console password
ASHISH-SW(config)#line console 0
ASHISH-SW(config-line)#logging synchronous
ASHISH-SW(config-line)#login local
Step 10: Verify SSH
C:>ssh -l ashish 192.168.10.10
Password:
ASHISH-SW#conf t

16
ASHISH-SW(config)#
Enable SSH on Router (same as before)
Router>en
Router#conf t
Router(config)#hostname Venus
Venus(config)#interface fastEthernet 0/0
Venus(config-if)#ip address 192.168.10.1 255.255.255.0
Venus(config-if)#no shutdown
Venus(config-if)#exit
Venus(config)#ip domain-name cisco.com
Venus(config)#username ashish privilege 15 password cisco123
Venus(config)#crypto key generate rsa
The name for the keys will be: Venus.cisco.com
Choose the size of the key modulus in the range of 360 to 2048 for your
General Purpose Keys. Choosing a key modulus greater than 512 may take
a few minutes.
How many bits in the modulus [512]: 2048
% Generating 2048 bit RSA keys, keys will be non-exportable...[OK]
Venus(config)#
*Mar 1 0:34:31.790: %SSH-5-ENABLED: SSH 1.99 has been enabled
Venus(config)#ip ssh version 2
Venus(config)#enable secret cisco
Venus(config)#line console 0
Venus(config-line)#logging synchronous
Venus(config-line)#login local
Venus(config-line)#exit
Venus(config)#line vty 0 4
Venus(config-line)#transport input ssh
Venus(config-line)#login local

17
Venus#show ip ssh
SSH Enabled - version 2.0
Authentication timeout: 120 secs; Authentication retries: 3
Venus#
C:>ssh -l ashish 192.168.10.1
Password:
Venus#conf t
Venus(config)#
Key Note:
----------------------------------------------------------------------------
"logging synchronous" prevents every logging output from immediately interrupting your console
session.
Say for example when you tried to telnet your Router or switch you will see lot of log messages before
you logged in with username and password.
---------------------------------------------------------------------------------------------------------------------------------
RSA is algorithm used by modern computers to encrypt and decrypt messages. It is an asymmetric
cryptographic algorithm. Asymmetric means that there are two different keys. This is also called public
key cryptography, because one of them can be given to everyone.
============================================================================
LAB 4: BACKUP AND RESTORING CONFIGURATION

18
Configure tftp server (In your physical Lab you can download tftp server in your PC then
configure it. And rest of the configurations are same)
Verify configuration file is saved in NVRAM
Denver#show startup-config
DU#show startup-config
Now backup configuration file to tftp server (From Switch)
Denver#copy startup-config tftp
Address or name of remote host []? 192.168.10.4 (TFTP Server IP)
Destination filename [Denver-confg]? (Press Enter to save it as default name)
Writing startup-config...!!

19
[OK - 653 bytes]
653 bytes copied in 0.012 secs (54416 bytes/sec)
Denver#
Now backup configuration file to tftp server (From Router)
DU#copy startup-config tftp:
Address or name of remote host []? 192.168.10.4
Destination filename [DU-confg]?
Writing startup-config...!!
[OK - 1178 bytes]
1178 bytes copied in 0.032 secs (36812 bytes/sec)
DU#
Erase startup-configuration file and reboot or reload the router and switch
DU#erase startup-config
Erasing the nvram filesystem will remove all configuration files! Continue?
[confirm]
[OK]
Erase of nvram: complete
%SYS-7-NV_BLOCK_INIT: Initialized the geometry of nvram
DU#
DU#reload
Proceed with reload? [confirm]
Denver#erase startup-config
Erasing the nvram filesystem will remove all configuration files! Continue?
[confirm]
[OK]
Erase of nvram: complete
%SYS-7-NV_BLOCK_INIT: Initialized the geometry of nvram
BUET#
Denver #reload
Proceed with reload? [confirm]
Configure IP address to router and switch
Router#conf t
Router(config)#interface fastEthernet 0/0
Router(config-if)#ip address 192.168.10.1 255.255.255.0
Router(config-if)#no shutdown
Router(config-if)#exit

20
Switch#conf t
Switch(config-if)#exit
Now restore configuration from tftp server to switch and router
Switch#copy tftp running-config
Source filename []? Denver-confg (Backup file name on tftp server)
Destination filename [running-config]? (Press enter)
Denver#write
[OK]
Denver#
Router#copy tftp running-config
Source filename []? DU-confg (Backup file name on tftp server)
Destination filename [running-config]? (Press enter)
Now save the configuration to NVRAM
Switch# write memory
Router# write memory
============================================================================
LAB 5: Configure VLAN, Access and Trunk Port
The design of layer-2 switched network is a flat network. Each and every device on the
Network can see the transmission of every broadcast packet even if it does not need to
receive the data. But we can create multiple/ separate broadcast domain logically in a L2
switch. This is possible with VLAN technology. VLAN means Virtual LAN.

21
The segregation of vlan is only to reduce the broadcast domain. Every vlan means you are
using one subnet for each vlan.
The VLANs makes network management easy with number of ways:
 The VLAN can categorize many broadcast domains into number of logical subnets.
 The network needs to configure a port into the suitable VLAN in order to achieve
change, add or move.
 In the VLAN a group of users with the demand of high security can be included so that
the external users out the VLAN cannot interact with them.
 When it comes to logical classification of users in terms of function, we can consider
VLAN as independent from their geographic or physical locations.
 Even the security of network can be enhanced by VLAN.
 The number of broadcast domains are increased with VLANs while the size decreases.
Trunk Ports: Between switches we are going to create a trunk. A trunk connection is an
interface carries multiple VLANs.
Access Ports : Carries data, generally connected to hosts or Servers
There are two trunking protocols we can use:
1. IEEE 802.1Q: Open standard, support switch of any vendor.
2. Cisco ISL (Inter-Switch Link): Cisco proprietary protocol that is only supported on
some Cisco switches.
On a Cisco switch, VLAN 1 is by default. 802.1Q will not tag the native VLAN while ISL does
tag the native VLAN.
By default all switch ports are on VLAN1.
VLAN information is not saved in the running-config or startup-config but in separate file
vlan.dat on flash memory. To delete the VLAN information , delete the file by delete
flash:vlan.dat command.

22
Objective
1. Basic configuration of switch
2. Create VLANs
3. configuration of trunk ports
4. Configuration of Access ports
5. Assign IP to hosts
6. Verification
Data sheet
VLAN ID VLAN Name Ports Switch Subnet
10 Cisco F0/1 - f0/9 DU 192.168.10.0/24
20 Solaris F 0/10 - F 0/20 BUET 172.16.20.0/24
1. Basic configuration of switch
Switch(config)#hostname DU
DU(config)#enable secret cisco
DU(config-line)#password cisco

23
Switch(config)#hostname BUET
BUET(config)#enable secret cisco
BUET(config-line)#password cisco
2. Create VLANs
DU(config)#vlan 10
DU(config-vlan)#name cisco
DU(config-vlan)#exit
DU(config)#vlan 20
DU(config-vlan)#name solaris
DU(config)#
BUET(config)#vlan 10
BUET(config-vlan)#name cisco
BUET(config-vlan)#exit
BUET(config)#vlan 20
BUET(config-vlan)#name solaris
BUET(config-vlan)#exit
BUET(config)#
3. configuration of trunk ports
DU(config)#interface gigabitEthernet 0/1
DU(config-if)#switchport mode trunk
DU(config-if)#exit
BUET(config)#interface gigabitEthernet 0/1
BUET(config-if)#switchport mode trunk
DU#show interfaces gigabitEthernet 0/1 switchport
Name: Gig0/1
Switchport: Enabled
Administrative Mode: trunk
Operational Mode: trunk

24
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: dot1q
Negotiation of Trunking: On
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)
Voice VLAN: none
Administrative private-vlan host-association: none
Administrative private-vlan mapping: none
Administrative private-vlan trunk native VLAN: none
Administrative private-vlan trunk encapsulation: dot1q
Administrative private-vlan trunk normal VLANs: none
Administrative private-vlan trunk private VLANs: none
Operational private-vlan: none
Trunking VLANs Enabled: ALL
Pruning VLANs Enabled: 2-1001
Capture Mode Disabled
Capture VLANs Allowed: ALL
Protected: false
BUET#conf t
BUET(config)#interface range fastEthernet 0/1 - 9
BUET(config-if-range)#switchport mode access
BUET(config-if-range)#switchport access vlan 10
BUET(config-if-range)#exit
BUET(config)#exit
BUET#
DU#conf t

25
DU(config)#interface range fastEthernet 0/1 - 9
DU(config-if-range)#switchport mode access
DU(config-if-range)#switchport access vlan 10
DU(config-if-range)#exit
DU(config-if-range)#end
DU#
5. Assign IP to hosts

26
Ping to same VLAN..............PC0 to PC2
C:>ping 192.168.10.3
C:>ping 172.16.20.3 (PC1 to PC 3)
Ping to different VLAN......................... (PC1 to PC0)
C:>ping 192.168.10.2
Request timed out.
Request timed out.
Request timed out.
Request timed out.

27
LAB 6: VTP Configuration
VTP (VLAN Trunking Protocol) is a Cisco proprietary protocol used by Cisco switches to
exchange VLAN information. VTP replicates configured VLANs to all participating switches.
Consider a network with 50 switches. Without VTP, if you want to create a VLAN on each
switch, you would have to manually enter commands to create the VLAN on each switch! VTP
enables you to create the VLAN only on one switch. That switch can then propagate
information about that VLAN to each switch on a network and cause other switches to create
that VLAN too. If you want to delete a VLAN, you only need to delete it on one switch, and
the change is automatically propagated to every other switch inside the same VTP domain.
Cisco switches can be configured in one of three VTP modes:
 Server
 Client
 Transparent
Server mode is the default for Cisco switches.
Client mode takes VLAN configuration from the Server. It doesn’t place the VLANs in a
vlan.dat file.
Switches in Transparent mode never updated themselves. If they receive VTP advertisements
they will forward them along. In Transparent mode you can configure VLANs normally as you
would on a Server switch.
Be careful, if a switch is deployed with a higher VTP revision number than the rest of the VTP
switches. Because of that, switches in Client mode will download whatever VLAN
configuration that switch has, remove your current configuration. So before use them in a
production network , configure them as Transparent mode. You can also omit VTP
Configuration to avoid these situation.

28
Objective:
1. Create VTP Server and VTP Client
2. Configure Trunk port
3. Create VLAN on Server
4. Verify
1. Create VTP Server and VTP Client
Switch(config)#hostname SERVER
SERVER(config)#vtp domain cisco.com
SERVER(config)#vtp mode server
SERVER(config)#vtp password cisco
SERVER(config)#vtp version 2
SERVER(config)#
Switch(config)#hostname Client
Client(config)#vtp domain cisco.com
Client(config)#vtp version 2
Client(config)#vtp mode client
Client(config)#vtp password cisco
NOTES
 The VTP domain name must match and it is case sensitive.
 Make sure that If any password is set, the password is the same on both sides.
 Every switch in the VTP domain must use the same VTP version. VTP V1 and VTP V2 are not
compatible on switches in the same VTP domain. But VTP v2 and v3 are compatible.
2. Configure Trunk port
SERVER(config)#interface gigabitEthernet 0/1
SERVER(config-if)#switchport mode trunk
SERVER(config-if)#no shut
Client(config)#interface gigabitEthernet 0/1
Client(config-if)#switchport mode trunk
Client(config-if)# no shut
3. Create VLAN on Server only
SERVER(config)#vlan 100
SERVER(config-vlan)#name cisco
SERVER(config-vlan)#exit
SERVER(config)#vlan 200

29
SERVER(config-vlan)#name solaris
SERVER(config-vlan)#end
4. Verify the VLANs are propagated on Client Switch
Here we can see that we have created VLAN on Server switch and it has been seen on Client
Switch Vlan 100 and Vlan 200.
Other Verification Command of VTP

30
From here we can check the VTP Mode, VTP Domain Name and revision Number. Revision
number must be same. If not same, Updates are not considered propagated successfully.
LAB 7: ETHERCHANNEL Configuration
 EtherChannel is a port link aggregation technology or port-channel architecture which
is a bundle of multiple physical links into a single logical link.
 Etherchannel is great for improving redundancy in your network.
 In this way you can increase the bandwidth of a particular connection.
 With EtherChannel the links that are aggregated are not blocked by STP.
Link aggregation is very common and is usually seen in the following scenarios:
 Switch to switch connectivity in an access block (non-stackable)
 Access switch connectivity to distribution switches.
 Server connectivity to the data center LAN fabric
If you are going to create an etherchannel you need to make sure that all ports have the same
configuration:
 Duplex has to be the same.
 Speed has to be there same.
 Same native AND allowed VLANs.
 Same switchport mode (access or trunk).
There’s a maximum to the number of links you can use: 8 physical interfaces.
If you want to configure an Etherchannel there are two protocols you can choose from:
PAGP – port aggregation protocol
 Developed by Cisco
 The port modes are defined as either auto or desirable
LACP – link aggregation control protocol
 Open standard as defined by IEEE 802.3ad standard

31
 The port modes are either passive or active. Passive is the equivalent of the PAGP auto
and active is the equivalent of PAGP desirable mode.
S1(config)#int range fa0/7-12
S1(config-if-range)##channel-group 1 mode desirable
or
S1(config-if-range)##channel-group 1 mode active
We can use desirable so that the switch will actively negotiate to form a PAgP link(Cisco
Proprietary EtherChannel).
or we can use active so that the switch will actively negotiate to form a LACP link(open
standard EtherChannel).
To verify the configuration, you can use show etherchannel summary.
Objective
1. Create Etherchannel
2. Configure Trunk

32
3. Verification
Create Etherchannel
DU(config)#interface range gigabitEthernet 0/1 - 2
DU(config-if-range)#channel-group 1 mode active
Creating a port-channel interface Port-channel 1
Switch(config)#hostname ASHISH
ASHISH(config)#interface range gigabitEthernet 0/1 - 2
ASHISH(config-if-range)#channel-group 1 mode passive
ASHISH(config-if-range)#
Configure Trunk
DU(config)#interface port-channel 1
DU(config-if)# no shut
ASHISH(config)#interface port-channel 1
ASHISH(config-if)#switchport mode trunk
ASHISH(config-if)# no shutdown
Verification

33
Po1 = Port channel 1 , Channel group must be same for both switch
S = Capital S means L2
U = in Use
LACP = which Etherchannel Protol is used
P = in port Channel
if these appears, be sure your configuration is correct
LAB 8. VLAN, VTP, Etherchannel and Inter-VLAN Routing configuration
Inter-VLAN Routing
In our previous lab, we only can communicate with same VLAN. For example, PCs within VLAN
10 or VLAN 20. In order to communicate with different VLAN we must need routing with
different VLAN as each VLAN is now a separate broadcast domain. So we need a L3 switch or
Router for Routing. Here we will use a Router.
SWITCH VLAN ID VLAN NAME SWITCH PORTS SUBNET
DU 100 CISCO F 0/3 - 15 192.168.100.0/24
200 SOLARIS F 0/16 - 21 172.16.200.0/24
BUET 100 CISCO F 0/ 6 - 10 192.168.100.0/24
200 SOLARIS F 0/14 - 20 172.16.200.0/24

34
OBJECTIVE:
BASIC CONFIGURATION OF SWITCH AND ROUTER
ETHER-CHANNEL & TRUNK PORT CONFIGUARTION
VTP CONFIGURATION
CONFIGURATION OF VLAN
VERIFY VTP, TRUNK PORTS AND ETHERCHANNEL CONFIGURATION
CONFIGURE ACCESS-PORTS
CONFIGURE IP TO HOSTS
VERIFICATION
CONFIGURE INTER-VLAN ROUTING
VERIFY CONFIGURATION
BASIC CONFIGURATION OF SWITCH AND ROUTER
==========================================
Switch>en
Switch#conf t
DU(config)#banner motd "Do not try to login my Switch"
DU(config-line)#password cisco123
========================================
Switch#conf t
Switch(config)#hostname BUET
BUET(config)#hostname BUET
BUET(config)#banner motd "This is the switch of BUET"
BUET(config-line)#password cisco123
BUET(config-line)#end
BUET#
=====================================================
Router>en
Router#conf t

35
Router(config)#hostname DENVER
DENVER(config)#enable secret cisco123
DENVER(config)#banner motd "This Router belongs to VENUS TELECOM LTD"
DENVER(config)#line console 0
DENVER(config-line)#password cisco123
DENVER(config-line)#login
DENVER(config-line)#end
ETHER-CHANNEL & TRUNK PORT CONFIGUARTION
DU(config-if-range)#channel-group 1 mode active
DU(config-if-range)#no shutdown
TRUNK PORT CONFIGUARTION
DU(config)#interface port-channel 1
DU(config-if)#sw
DU(config-if)#switchport mo
====================================================
BUET(config-if-range)#channel-group 1 mode passive
BUET(config-if-range)#no shutdown
TRUNK PORT CONFIGUARTION
BUET(config)#interface port-channel 1
BUET(config-if)#no shutdown '
VTP CONFIGURATION
DU(config)#vtp domain cisco.com
DU(config)#vtp mode server
DU(config)#vtp version 2
DU(config)#vtp password cisco
DU(config)#exit

36
BUET(config)#vtp domain cisco.com
BUET(config)#vtp mode client
BUET(config)#vtp version 2
BUET(config)#vtp password cisco
BUET(config)#
CONFIGURATION OF VLAN
DU(config)#vlan 100
DU(config-vlan)#name CISCO
DU(config-vlan)#EXIT
DU(config)#VLan 200
DU(config-vlan)#NAMe SOLARIS
VERIFY
==========
DU#show etherchannel summary
Group Port-channel Protocol Ports
------+-------------+-----------+------
1 Po1(SU) LACP Fa0/1(P) Fa0/2(P)
DU#
CONFIGURE ACCESS-PORTS
DU#conf t

37
BUET(config-if-range)#end
BUET#
CONFIGURE IP TO HOSTS

38
Verify
ping to same VLAN
C:>ping 192.168.100.3
C:>ping 172.16.200.3
PING to different VLAN
C:>ping 192.168.100.2

39
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Not successful, Right ? So we will now configure Inter-Vlan Routing to get access to different
VLAN.
CONFIGURE INTER-VLAN ROUTING
BUET#conf t
BUET(config)#interface gigabitEthernet 0/1
DENVER#conf t
DENVER(config)#interface fastEthernet 0/0
DENVER(config-if)#no shutdown
DENVER(config-if)#exit
DENVER(config)#interface fastEthernet 0/0.100
DENVER(config-subif)#encapsulation dot1Q 100
DENVER(config-subif)#ip address 192.168.100.1 255.255.255.0
DENVER(config-subif)#no shutdown
DENVER(config-subif)#exit
Here we have created two sub-interface 0/0.100 and 0/0.200 for respective VLANs. For
encapsulation dot1Q is used.
Verify
Now ping to different VLAN
C:>ping 172.16.200.2

40
C:>ping 192.168.100.2
====================================================================
TELNET ACCESS to Switch
======================
VTP SERVER
============
DU#conf t
DU(config)#vlan 99
DU(config-vlan)#name admin
DU(config)#vlan 199
DU(config-vlan)#name admin2
DU(config-if)#switchport mode access
DU(config-if)#switchport access vlan 99
DU(config-if)#exit
DU(config)#interface vlan 99
DU(config-if)#exit
Telnet Configuration
DU(config-line)#password cisco123

41
BUET(config-if)#switchport mode access
BUET(config-if)#switchport access vlan 199
BUET(config)#interface vlan 199
Telnet Configuration
BUET(config-line)#password cisco123
DENVER(config)#line vty 0 4
DENVER(config-line)#password cisco123
DENVER(config-line)#login
DENVER(config-line)#exit
DENVER#ping 192.168.10.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.10.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 0/2/8 ms
DENVER#telnet 192.168.10.1
Trying 192.168.10.1 ...OpenThis Router belongs to VENUS TELECOM LTD
Password:
% Password: timeout expired!
[Connection to 192.168.10.1 closed by foreign host]
==============================================================
DENVER#conf t

42
DENVER(config)#end
=======================================================
DENVER#ping 192.168.20.1
!!!!!
DENVER#telnet 192.168.20.1
Trying 192.168.10.1 ...OpenThis Router belongs to VENUS TELECOM LTD
Password:
LAB 9 : Inter-Vlan Routing Configuration on L3 Switch
SVI - Switched Virtual Interface. There is no physical interface for the VLAN, hence it is
virtual.
Technique is, Assign IP address of each VLAN Interface (suppose Interface vlan 10), then
issue the " ip routing " command on global configuration mode.
Generally, routers do the routing between different broadcast domains that is, Different
VLANs. But SVI provides the routing capabilities of different VLANs.
Example switch models that support layer 3 routing are the 3550, 3750, 3560 etc.

43
Our Tasks (All configuration is only on L3 switch here)
1. Creating vlan 10 and vlan 20
2. Naming these two vlans:
vlan 10 = cisco
vlan 20 = solaris
4. Assigning IP to Hosts
5. Assigning IP to Vlan Interface
6. Verification
CREATE VLAN
Switch#conf t
Switch(config)#vlan 10
Switch(config-vlan)#name cisco
Switch(config-vlan)#exit
Switch(config)#vlan 20
Switch(config-vlan)#name solaris
Switch(config-vlan)#exit
ACCESS-PORT CONFIGURATION
Switch(config)#interface range fastEthernet 0/3 - 9
Switch(config-if-range)#switchport mode access
Switch(config-if-range)#switchport access vlan 10
Switch(config-if-range)#exit
Switch(config)#interface range fastEthernet 0/10 - 15
Switch(config-if-range)#switchport mode access
Switch(config-if-range)#switchport access vlan 20
Switch(config-if-range)#exit
ASSIGN IP TO VLAN INTERFACE

44
ENABLE ROUTING
Switch(config)#ip routing
Switch(config)#exit
ASSIGN IP TO HOSTS

45
VERIFICATION
Ping to different vlan
LAB 10 : Port Security
Port Security
One can access unsecure network resources by plugging his laptop into one of our available
switch ports. He can also change his physical location in LAN network without telling the admin.
But you can secure layer two accesses by using port security.
First in our LAB we will plug one PC, and other PC will remain unplugged as shown in figure:

46
Assign IP to hosts
Switch(config)#interface fastEthernet 0/1
Switch(config-if)#switchport mode access
Switch(config-if)#switchport access vlan 1
Switch(config-if)#switchport port-security
Switch(config-if)#switchport port-security maximum 1
Switch(config-if)#switchport port-security violation shutdown
Switch(config-if)#switchport port-security mac-address sticky
Port security is disabled by default. switchport port-security command enables it.
According to our requirements we can limit hosts that can be associated with an interface.
We can set this limit anywhere from 1 to 132. Maximum number of devices that can be
associated with the interface is 132. By default it is set to 1. switchport port-security
maximum value command will set the maximum number of hosts.
We have two options static and dynamic to associate mac address with interface.
In static method we have to manually define exact host mac address with switchport port-
security mac-address MAC_address command.

47
In dynamic mode we use sticky feature that allows interface to learn mac address
automatically
We need to specify what action; it should take in security violation. Three possible modes are
available:
Protect: - This mode only work with sticky option. In this mode frames from non-allowed
address would be dropped.
Restrict: - In restrict mode frames from non-allowed address would be dropped. But in this
mode, switch will make a log entry and generate a security violation alert.
Shutdown: - In this mode switch will generate the violation alert and disable the port. Only
way to re-enable the port is to manually enter no shutdown command. This is the default
violation mode.
Switchport port security explained
Command Description
Switch>enable Move in privilege exec mode
Switch#configure terminal Move in global configuration mode
Switch(config)#interface fastethernet
0/1
Move in interface mode
Switch(config-if)#switchport mode
access
Assign port as host port
Switch(config-if)#switchport port-
security
Enable port security feature on this port
security maximum 1
Set limit for hosts that can be associated with
interface. Default value is 1. Skip this command to
use default value.
security violation shutdown
Set security violation mode. Default mode is
shutdown. Skip this command to use default mode.
security mac-address sticky
Enable sticky feature.

48
We have secured F0/1 port of switch. We used dynamic address learning feature. Switch will
remember first learned mac address (on interface F0/1) with this port. We can check MAC
Address table for currently associated address.
No mac address is associated with F0/1 port. Switch learns mac address from incoming
frames.
We need to generate frame from PC0 that would be receive on F0/1 port of switch. We can
use ping to generate frames from PC0 to Server.
Switch learns this address dynamically but it is showing as STATIC. Sticky option automatically
converts dynamically learned address in static address.

49
Switchport port security testing
Now we unplugged the Ethernet cable from pc (PC0) and plugged in his pc (PC1).
Now try to ping from PC1 to Server
Why ping is not success ? Because switch detected the mac address change and shutdown the
port.
Verify port security
We have three commands to verify the port security
show port-security
This command displays port security information about all the interfaces on switch.

50
show port-security address
Display statically defined or dynamically learned address with port security.
show port-security interface interface
Display port security information about the specific interface.
Here is a useful command to check your port security configuration. Use show port-security
interface to see the port security details per interface. We can see the violation mode is
shutdown and that the last violation was caused by MAC address 0002.1622.CB46:1 The
aging time is 0 mins which means it will stay in err-disable state forever.
How to reset an interface that is disabled due to violation of port security
Manually restart the interface. Unplugged cable from PC1 and plugged back it to PC0
Run following commands on switch and test connectivity from pc

51
First go to the interface, shutdown and then apply no shutdown.
LAB 11: Configure Portfast
Advantages
 Interfaces which is portfast enabled will go to forwarding mode immediately, the
interface will skip the listening and learning state.
 A switch will never generate a topology change notification.
 The PortFast feature will only have effect when the interface is in a non-trunking mode.
So, enabling the PortFast feature on a trunk port is useless. Only in access mode.
Configure PortFast on Cisco Switch (First unplug the two PCs as shown in figure)
Next, execute the following command on Switch to enable the PortFast feature on the Fa0/1
interface.
Switch(config)#interface fa0/1

52
Switch(config-if)#spanning-tree portfast
%Warning: portfast should only be enabled on ports connected to a single
host. Connecting hubs, concentrators, switches, bridges, etc... to this
interface when portfast is enabled, can cause temporary bridging loops.
Use with CAUTION
%Portfast has been configured on FastEthernet0/1 but will only
have effect when the interface is in a non-trunking mode.
Switch(config-if)#
Now, connect PC0 to the fa0/1 interface and PC1 to the fa0/2 interface, as shown in the
following figure.
We notice that the Fa0/1 interface will be activated within 5 seconds because it will not
participate in the STP convergence process.
LAB 12 : Configure BPDU Guard on Cisco Switch
 The BPDU Guard is used to protect the Spanning Tree domain from external influence.
BPDU Guard is disabled by default. But it is recommended to apply BPDU guard enable
for all ports on which the Port Fast is enabled.
 BPDU guard should be applied toward user-facing ports to prevent rogue switch
network extensions by an attacker.
 BPDU Guard can be configured either in Global mode or Interface mode
 On an interface BPDU guard will put the port into err disable state if a BPDU is
received
In global configuration mode BPDU guard will disable port fast on any interface if a BPDU is
received.
SW2(config)# spanning-tree portfast bpduguard default
SW2(config-if)# spanning-tree bpduguard enable

53
Switch(config)#interface fastEthernet 0/1
Switch(config-if)#switchport mode access
Switch(config-if)#switchport access vlan 1
Switch(config-if)#spanning-tree portfast
Switch(config-if)#spanning-tree bpduguard enable
Switch#show spanning-tree interface fastEthernet 0/1 portfast
VLAN0001 enabled
LAB 13: Configure Root Guard on Cisco Switch
Root-guard will stop a superior bpdu from becoming the root.
Note: Root guard is best deployed towards ports that connect to switches which should
not be the root bridge
For example, a port on the distribution layer switch which is connected to an access layer
switch can be Root Guard enabled, because the access layer switch should never become the
Root Bridge.

54
Switch1(config)#hostname DU
Switch2(config)#hostname ASHISH
Now check which switch is the root bridge
Switch DU becomes the root bridge...right ?
Now we will enable root guard on switch DU on port G 0/1 so that if the Switch ASHISH want
to become root bridge then the port G0/1 of DU switch will shutdown.
DU(config-if)#spanning-tree guard root
Now apply ping to PC1 to PC2 to verify connectivity
C:>ping 192.168.10.2

55
Now we will change the priority value of Switch ASHISH ....to check what happen !!
ASHISH(config)#spanning-tree vlan 1 priority 4096
now ping....
C:>ping 192.168.10.2
Request timed out.
Request timed out.
Request timed out.
The port beomes red colored......that indicates the port is shutdown when switch ASHISH
wants to root bridge
%SPANTREE-2-ROOTGUARDBLOCK: Port 0/1 tried to become non-designated in VLAN 1.
Moved to root-inconsistent state
--------------------------------- And the above message is generated on switch DU-------------------------------
To recover from this ..............
Reset the priority value of switch ASHISH
ASHISH(config)#spanning-tree vlan 1 priority 32768
On DU switch
DU(config-if)#shutdown

56
Now apply ping to PC1 to PC2 to verify connectivity
C:>ping 192.168.10.2
LAB 14 : Spanning tree behavior - mode , priority value, root bridge
Here Switch DU is the root bridge as its all the ports are forwarding mode. (Indicates green
signal)
By default Cisco switches run a separate STP instance for every VLAN configured on the
switch; this mode is called PVST.
We will configure Switch ASHISH as a root switch for the default VLAN (1) using one method
then DU switch in another method :
Method 1 (Switch ASHISH will be the root bridge )
First verify switch ASHISH if it is root or not..................
The switch is not the roor bridge

57
Now we will make it root bridge by using the following command:
spanning-tree vlan [list] root [primary | secondary]
Using this command will automatically lower the priority of the switch to a very significant
value in order to make sure that the switch is elected as a root switch.
ASHISH(config)#spanning-tree vlan 1 root primary
We can see that the switch is now the root bridge.
Method2 (Switch DU will be the root bridge now):
Setting the Bridge priority using the command spanning-tree vlan [list] priority
[value].
DU(config)#spanning-tree vlan 1 priority 4096
DU is now the root switch.

58
LAB 15 : DHCP CONFIGURATION ON CISCO ROUTER
DHCP (Dynamic Host Configuration Protocol) is a part of the Application Layer protocol. DHCP
is used by network devices (For example- PCs, network printers, etc) to automatically obtain
an IP Address, Default Gateway, Domain Name, DNS Servers and more.
DHCP is available on Cisco IOS routers and switches. But DHCP is only available on newer IOS-
based switches such as Catalyst 3550 and 3750.
 The Client sends a DHCP Discover (broadcast message) message to find a DHCP server.
 The DHCP server responds with a DHCP Offer message (Unicast Message)- which includes the
IP address, default gateway and lease time for the IP address offered; also includes DNS
server, TFTP server and many more.
 The client responds with a DHCP Request message (broadcast message) which is a formal
request.
 Then the server responds with a DHCP Ack message (unicast message) confirming that the IP
address has been leased to the client

59
Here the router will act as a DHCP server. An IP Address 192.168.20.20 is already assigned to
the switch. So this IP Address will be excluded from the DHCP pool to avoid IP address
conflict.
Configure an IP address on the router's Interface
Router#conf t
Assign an IP Address and default gateway for the switch
Switch#conf t
DHCP Configuration on the Router
1. Create a DHCP pool that defines the network of IP addresses and will be given out to
the clients
Router(config)#ip dhcp pool ashish-pool
2. Define the network and subnet for the address-pool to be used
Router(dhcp-config)#network 192.168.20.0 255.255.255.0
3. Define the primary and secondary DNS servers.
Router(dhcp-config)# dns-server 192.168.20.1
4. Define the default router (i.e., default gateway)
Router(dhcp-config)#default-router 192.168.20.1
5. Exclude the IP addresses we don't want our DHCP server giving you.
Router(config)#ip dhcp excluded-address 192.168.20.20 192.168.20.30

60
Verification:
On PC0 and PC1 Enable DHCP
Here we see that both PC gets IP Addresses and other parameters Dynamically.
Apply ping from Host to host and Host to Router or Switch

61
LAB 16: DHCP SERVER CONFIGURATION ON CISCO SWITCH
Here the Switch will act as a DHCP server. An IP Address 192.168.20.2 is already assigned to
the Server. So this IP Address will be excluded from the DHCP pool to avoid IP address
conflict.

62
Switch#conf t
Switch(config)#ip dhcp pool ashish-pool
Switch(dhcp-config)#network 192.168.20.0 255.255.255.0
Switch(dhcp-config)#default-router 192.168.20.1
Switch(dhcp-config)#dns-server 192.168.20.1
Switch(dhcp-config)#exit
Switch(config)#ip dhcp excluded-address 192.168.20.10 192.168.20.20
Verification
On PC0 and PC1 Enable DHCP

63
Also ping from PC0 to PC1 and Default Gateway
LAB 17: Static route configuration
Overview of Static Routing
 Routes are configured Manually
 Administrative distance value 0
 Reducing CPU/RAM overhead and saving bandwidth.
 Static routes are not advertised over the network
 Not fault-tolerant

64
 Initial configuration and maintenance is time-consuming.
 Not appropriate for complex topologies
DU Router (Basic Configuration)
Router#configure terminal
Router(config)#hostname DU
DU(config-if)#description conectivity from DU to BUET
DU(config-if)#description connectivity to Local Network
DU(config-if)#exit

65
BUET Router (Basic Configuration)
Router(config)#hostname BUET
BUET(config-if)#description Connectivity from BUET to DU
BUET(config-if)#description connectivity from BUET to it's Local Network
Now Assign IP Address to Hosts

66
Try to Ping from PC0 to PC1
C:>ping 192.168.30.2
Reply from 192.168.10.1: Destination host unreachable.
Thus we need routing either static or dynamic, right ?
Let us start with static routing...............
DU Router
DU(config)#ip route 192.168.30.0 255.255.255.0 192.168.20.2
BUET Router
BUET(config)#ip route 192.168.10.0 255.255.255.0 192.168.20.1
Rules of Static route
Router(config)# ip route [destination_network] [subnet_mask] [next-hop]
On point-to-point links, an exit-interface can be specified instead of a next-hop address.
Router(config)# ip route [destination_network] [subnet_mask] [Exit-Interface ]
So for the previous example instead of IP Address we can write exit-interface as follows but if
the 2 routers are connected point-to-point
DU(config)#ip route 192.168.30.0 255.255.255.0 fastEthernet 0/0
BUET(config)#ip route 192.168.10.0 255.255.255.0 fastEthernet 0/0
Now ping again,

67
C:>ping 192.168.30.2
Telnet to BUET Router..............
C:>telnet 192.168.20.2
Trying 192.168.20.2 ...Open
Password:
Password:
BUET>
Success...right ..
Other verification command
BUET#show ip route
Gateway of last resort is not set
S 192.168.10.0/24 [1/0] via 192.168.20.1
C 192.168.20.0/24 is directly connected, FastEthernet0/0
S ----- represent Static route
C------Directly connected route
LAB 18 : Static Default Routing
It is a special type of static route. Default routing is used in stub networks. The stub network
has only one way for the traffic to go, to reach several different networks.
A DEFAULT ROUTE is sometime called Zero/Zero Route because the network and subnet we
are specifying as the destination for the traffic that it would match are all zeros.
A DEFAULT ROUTE says "for any traffic that DOES NOT match a specific route in the routing
table ,then forward that traffic to this destination (next-hop-router-IP Address)".Other
words default route is a "CATCH ALL"
On default route, both the network and subnet mask will be zero (0.0.0.0 0.0.0.0).
ip route 0.0.0.0 0.0.0.0 next-hop-router-IP address

68
Normally Customer route to ISP is default route and ISP route to Customer is normal static
route as shown below :
Objective:
 Basic Configuration on Router CUSTOMER and ISP
 Static default route to INTERNET on CUSTOMER Router
 Static route to CUSTOMER LAN on ISP Router
 Verification
Configuration
Basic Configuration on Router CUSTOMER and ISP
CUSTOMER Router
Router(config)#hostname CUSTOMER
CUSTOMER(config)#interface fastEthernet 0/1
CUSTOMER(config-if)#description CUSTOMER LAN
CUSTOMER(config-if)#ip address 192.168.10.1 255.255.255.0
CUSTOMER(config-if)#no shutdown
CUSTOMER(config-if)#exit
CUSTOMER(config)#interface fastEthernet 0/0
CUSTOMER(config-if)#description Connectivity to ISP
CUSTOMER(config-if)#ip address 103.13.148.1 255.255.255.248
CUSTOMER(config-if)#no shutdown

69
ISP ROUTER
Router(config)#hostname ISP
ISP(config)#interface fastEthernet 0/0
ISP(config-if)#description Connectivity to CUSTOMER ROUTER
ISP(config-if)#ip address 103.13.148.2 255.255.255.248
ISP(config-if)#no shutdown
ISP(config-if)#exit
ISP(config-if)#description Connectivity to INTERNET
default route to INTERNET on CUSTOMER Router
CUSTOMER(config)#ip route 0.0.0.0 0.0.0.0 103.13.148.2
Static route to CUSTOMER LAN on ISP Router
ISP(config)#ip route 192.168.10.0 255.255.255.0 103.13.148.1
Assign IP Address to hosts.............................

70
Verification
Apply Ping from PC0 to PC1
C:>ping 100.100.100.2
Successfull.....................
Now on Customer Router
S* indicates default route
On ISP Router
..................S indicates Static route

71
LAB 19: RIPv2 Configuration
Dynamic Routing Protocol
 Interior Gateway Protocol - RIP, IGRP, EIGRP, OSPF, IS-IS
 Distance vector - RIP, IGRP
 Link-state - OSPF, IS-IS
 Hybrid - EIGRP
 Exterior Gateway Protocol - BGP
IGPs are used for routing within networks that are under a common network administration,
whereas EGP (exterior gateway protocols) are used to exchange routing information between
networks.
RIP - Distance Vector Routing Protocol
RIP Fundamentals (RIPv2)
 Distance-vector protocol.
 Uses UDP port 520.
 Classless protocol (support for CIDR).
 Supports VLSMs.
 Metric is router hop count.
 Maximum hop count is 15; infinite (unreachable) routes have a metric of 16.
 Periodic route updates sent every 30 seconds to multicast address 224.0.0.9.
 25 routes per RIP message (24 if you use authentication).
 Supports authentication.
 Implements split horizon with poison reverse.
 Implements triggered updates.
 Subnet mask included in route entry.
 Administrative distance for RIPv2 is 120.
 Used in small, flat networks or at the edge of larger networks.
 Prevents routing loops (Split Horizon, Route poisoning, Hold-down Timers and
Maximum hop Count)

72
Hello and Dead Time
RIPv2 EIGRP OSPF
Hello interval = 30 sec
Dead interval = 30*6 = 180
Hold down timers = 180 sec
Flush timers = 240 sec
Hello sends every 5 sec, dead 15
sec (point to point)
In NBMA , hello interval = 60 sec
and dead = 180 sec
ppp hello 10 dead 40
brodcast same
But in point to multipoing hello
is 30 sec, dead 120 sec
RIPV2 CONFIGURATION LAB
Objective:
 Basic Configuration of Router
 Assign IP Address to Hosts
 RIP Configuration
 Configure Passive Interface
 Configure Authentication (MD5)
1. Basic Configuration of Router
DU Router

73
DU(config-if)#description Connected to LAN
DU(config-if)#exit
DU(config-if)#description Connected to BUET router
BUET
BUET(config-if)#description to DU Router
BUET(config-if)#description connected to BUET LAN
2. Assign IP Address to Hosts

74
RIP Configuration
DU(config)#router rip
DU(config-router)#version 2
DU(config-router)#network 192.168.10.0
DU(config-router)#no auto-summary
BUET(config)#router rip
BUET(config-router)#version 2
BUET(config-router)#network 100.100.100.0
BUET(config-router)#no auto-summary
Network command sends RIP updates to the associated Network. we specify only the directly
connected networks of this router.
Auto Summarization is turned on by default for RIPv2 and EIGRP, altough these are Classless
Routing protocols. So you manually have to make them Classless with the "no auto-summary"
command.
Verification
R indicates RIP generated Routes
Apply ping from DU LAN to BUET LAN
C:>ping 100.100.100.100

75
LAB 20 : Configure Passive Interface
RIP updates will be sent to all interfaces when we use network command on that interfaces.
But, we don’t need to send updates everywhere. In our LAB on DU Router does not need to
send RIP updates to a the LAN switch.
We can use use the passive-interface command to prevent RIP updates to send.
DU(config-router)#passive-interface f
DU(config-router)#passive-interface fastEthernet 0/1
Verification
DU#show ip protocols
Routing Protocol is "rip"
Sending updates every 30 seconds, next due in 17 seconds
Invalid after 180 seconds, hold down 180, flushed after 240
Outgoing update filter list for all interfaces is not set
Incoming update filter list for all interfaces is not set
Redistributing: rip
Default version control: send version 2, receive 2
Interface Send Recv Triggered RIP Key-chain
FastEthernet0/0 2 2
Automatic network summarization is not in effect
Maximum path: 4
Routing for Networks:
103.0.0.0
192.168.10.0
Passive Interface(s):
FastEthernet0/1
Routing Information Sources:
Gateway Distance Last Update
103.13.148.2 120 00:00:04
Distance: (default is 120)
DU#

76
RIP send updates only to 224.0.0.9 (multicast address) Via F0/0 (103.13.148.1).....not
192.168.10.0/24
BUET#show ip route rip
103.0.0.0/29 is subnetted, 1 subnets
R 192.168.10.0/24 [120/1] via 103.13.148.1, 00:00:15, FastEthernet0/0
We can see that the network is advertised but not send any RIP updates
towards DU LAN.
LAB 21: Configure RIP Authentication
Plain text authentication mode is the default setting in every RIPv2 packet, when
authentication is enabled. Plain text authentication should not be used when security is an
issue, because the unencrypted authentication password is sent in every RIPv2 packet. Note:
RIP version 1 (RIPv1) does not support authentication.
I have used GNS3 to configure this LAB

77
Objective:
1. Basic configuration of Router R1 and R2
2. Configure RIP
3. Assign IP address to hosts
4. Verify Configuration
5. Configure Authentication
6. Verify
Basic configuration of Router R1
DU(config-if)#exit
DU(config-if)#exit
RIP Configuration
DU(config)#router rip
DU(config-router)#version 2
DU(config-router)#end
Basic configuration of Router R2
BUET#conf t

78
Configure RIP on R2
BUET(config)#router rip
BUET(config-router)#version 2
BUET(config-router)#end
BUET#
Assign IP address to hosts and verify connectivity using ping command
DU#show ip route rip
DU#
R2#show ip route rip
R2#

79
Configure Authentication
MD5 Authentication
The Cisco implementation of RIP v2 supports MD5 authentication. This provides a higher level
of security over clear text. Both router interfaces need to be configured with MD5
authentication. The key number and key string must match on both sides, or authentication
will fail.
DU Router
DU(config)#key chain venus
(Name a key chain)
DU(config-keychain)#key 1
(This is the Identification number of an authentication key on a key chain)
DU(config-keychain-key)#key-string ashish
(The actual password or key-string.It needs to be identical to the key-string
on the remote router)
DU(config-keychain-key)#exit
DU(config-keychain)#exit
BUET Router
BUET(config)#key chain venus
BUET(config-keychain)#key 1
BUET(config-keychain-key)#key-string ashish
BUET(config-keychain-key)#exit
BUET(config-keychain)#exit
BUET(config)#
Apply it to Interface
DU(config-if)#ip rip authentication mode md5
Now check using debug command what is happened if MD5 is enable in DU router and
BUET Router is not..............
BUET#debug ip rip
RIP protocol debugging is on
BUET#

80
*Mar 1 00:09:03.883: RIP: ignored v2 packet from 192.168.10.1 (invalid authentication)
*Mar 1 00:09:03.951: RIP: sending v2 update to 224.0.0.9 via FastEthernet0/0 (192.168.10.2)
*Mar 1 00:09:03.951: RIP: build update entries
*Mar 1 00:09:03.951: 192.168.30.0/24 via 0.0.0.0, metric 1, tag 0
*Mar 1 00:09:09.847: 192.168.20.0/24 via 0.0.0.0, metric 2, tag 0u
BUET#undebug all
BUET ROUTER
BUET(config-if)#ip rip authentication mode md5
BUET(config-if)#end
Now verify
BUET#debug ip rip
BUET#
*Mar 1 00:09:58.267: RIP: sending v2 update to 224.0.0.9 via FastEthernet0/0 (192.168.10.2)
*Mar 1 00:09:59.131: RIP: received packet with MD5 authentication
*Mar 1 00:09:59.131: RIP: received v2 update from 192.168.10.1 on FastEthernet0/0
*Mar 1 00:09:59.135: 192.168.20.0/24 via 0.0.0.0 in 1 hops
BUET #undebug all
All possible debugging has been turned off
Plain text Authentication
DU(config-if)#ip rip authentication key-chain venus
DU(config-if)#end
BUET(config)#int fastEthernet 0/0
BUET(config-if)#ip rip authentication key-chain venus
BUET(config-if)#end

81
Verification
DU#debug ip rip
DU#
*Mar 1 00:07:21.115: RIP: sending v2 update to 224.0.0.9 via FastEthernet0/1
(192.168.20.1)
DU#
*Mar 1 00:07:39.775: RIP: received packet with text authentication ashish
*Mar 1 00:07:39.775: RIP: received v2 update from 192.168.10.2 on FastEthernet0/0
*Mar 1 00:07:39.779: 192.168.30.0/24 via 0.0.0.0 in 1 hops
DU#
(192.168.10.1)
DU#
(192.168.20.1)
DU#undebug all
Introduction to EIGRP
 Distance vector routing protocols.
 EIGRP was created by Cisco which means you can only run it on Cisco hardware.
 Cisco added some of the features from link-state routing protocols to EIGRP which
makes it far more advanced than a true distance vector routing protocol like RIP.
 EIGRP does not use broadcast packets to send information to other neighbors but will
use multicast or unicast.
 IPv4 you can also use EIGRP to route IPv6 or even some older network layer protocols
like IPX or AppleTalk
 EIGRP is 100% loop-free
 EIGRP has its own protocol number which is 88. Other protocol numbers you are
familiar with are TCP (6) and UDP (17).
 EIGRP Table:
1. Neigbor Table
2. Topology Table
3. Routing Table

82
 EIGRP routers will start sending hello packets to other routers just like OSPF does, if
you send hello packets and you receive them you will become neighbors.
 EIGRP uses a rich set of metrics namely bandwidth, delay, load and reliability. The
lower these metrics the better.
 Sophisticated metric that supports load-balancing across unequal-cost paths.
 Support for authentication only MD5 authentication
 Manual summarization at any interface
 Uses multicast 224.0.0.10.
 EIGRP max hop count 255 (all 8 bits 11111111)
 Neighbor discovery and maintenance: Periodic hello messages
 EIGRP neighbor-ship condition:
 Both routers must be in the same primary subnet
 Both routers must be configured to use the same k-values
 Both routers must in the same AS
 Both routers must have the same authentication configuration (within reason)
 The interfaces facing each other must not be passive
EIGRP’s function is controlled by four key technologies:
 Neighbor discovery and maintenance: Periodic hello messages
 The Reliable Transport Protocol (RTP): Controls sending, tracking, and
acknowledging EIGRP messages
 Diffusing Update Algorithm (DUAL): Determines the best loop-free route
 Protocol-independent modules (PDM): Modules are “plug-ins” for IP, IPX, and
AppleTalk versions of EIGRP
EIGRP Neighborship Requirements and Conditions
EIGRP Router doesn’t trust anyone blindly. It checks following configuration values to insure
that requesting router is eligible to become his neighbor or not.
1. Active Hello packets
2. AS Number
3. K-Values

83
 If you lose the successor because of a link failure EIGRP will copy/paste the feasible
successor in the routing table. This is what makes EIGRP a FAST routing protocol…but
only if you have feasible successor in the topology table.
 RIP and OSPF both can do load balancing but the paths have to be equal. EIGRP can do
unequal load balancing
EIGRP Packets and Metrics
EIGRP packets:
Hello
Update
Query
Reply
ACK (Acknowledgement)
Neighbor Discovery and Route Exchange
Step 1. Router A sends out a hello.
Step 2. Router B sends back a hello and an update.The update contains routing information.
Step 3. Router A acknowledges the update.
Step 4. Router A sends its update.
Step 5. Router B acknowledges.
A neighbor is considered lost if no hello is received within three hello periods (called the hold
time). The default hello/hold timers are as follows:
 5 seconds/15 seconds for multipoint circuits with bandwidth greater than T1 and for
point-to-point media
 60 seconds/180 seconds for multipoint circuits with bandwidth less than or equal to T1
EIGRP Summarization
EIGRP has two ways of summarizing networks:
Automatic summarization:
 Subnets are summarized to the classful network.
 This is the default for EIGRP.
And Manual summarization.

84
What if I entered a wrong key-string?
authentication mismatch
What are the k-values that EIGRP uses?
k1 = bandwidth
k2 = load
k3 = delay
k4 = reliability
k5 = MTU
LAB 22: EIGRP Neighbor Adjacency
loopback interface is a virtual interface—an interface not associated with any hardware or
network
Basic Configuration
R1(config)#interface fastEthernet 0/0
R1(config-if)#ip address 192.168.10.1 255.255.255.0
R1(config-if)#no shutdown
R1(config-if)#exit
R1(config)#interface loopback 0
R1(config-if)#exit
R2(config-if)#exit

85
EIGRP Configuration
R1(config)#router eigrp 10
R1(config-router)#network 192.168.10.0
R1(config-router)#network 10.10.10.0 0.0.0.255
R1(config-router)#no auto-summary
R1(config-router)#end
------------------------------------------------
Verification
R1#debug eigrp packets hello
R1#
*Mar 1 00:21:05.583: EIGRP: Received HELLO on FastEthernet0/0 nbr 192.168.10.2
*Mar 1 00:21:05.583: AS 10, Flags 0x0, Seq 0/0 idbQ 0/0 iidbQ un/rely 0/0 peerQ un/rely 0/0
*Mar 1 00:21:06.139: EIGRP: Sending HELLO on Loopback0
*Mar 1 00:21:06.139: AS 10, Flags 0x0, Seq 0/0 idbQ 0/0 iidbQ un/rely 0/0
*Mar 1 00:21:06.139: EIGRP: Received HELLO on Loopback0 nbr 10.10.10.1
*Mar 1 00:21:06.139: AS 10, Flags 0x0, Seq 0/0 idbQ 0/0
R1#undegug all

86
LAB 23 : EIGRP Passive Interface
If we want to advertise a network in EIGRP but we don’t want to send hello packets
everywhere, in this case we can use this features.
Basic Configuration
R1(config-if)#exit
R1(config-if)#exit
R2(config-if)#exit
EIGRP Configuration
------------------------------------------------

87
We can configure passive Interface in two ways. First we apply first method in router R1
and the 2nd method in router R2.
R1#conf t
R1(config-router)#passive-interface default
*Mar 1 00:27:50.875: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 10: Neighbor
192.168.10.2 (FastEthernet0/0) is down: interface passive
R1(config-router)#no passive-interface fastEthernet 0/0
192.168.10.2 (FastEthernet0/0) is up: new adjacency
R1(config-router)#
Passive-interface default command will make all the interface passive and then we will
disable the specific interface with "no passive-interface" command
N.B. Neighborship Interface should be not passive,otherwise no neighborship will be formed
with neighbor routers
Verification
R1#show ip protocols
Routing Protocol is "eigrp 10"
10.10.10.0/24
192.168.10.0
Serial0/0
FastEthernet0/1
Serial0/1
Serial0/2
FastEthernet1/0
Loopback0
VoIP-Null0
Second Method
R2(config-router)#passive-interface loopback 0
R2(config-router)#

88
This is the another way to make the interface passive.
R2#show ip protocols
Routing Protocol is "eigrp 10"
11.11.11.0/24
192.168.10.0
Loopback0
Routing Information Sources:
Gateway Distance Last Update
(this router) 90 00:23:10
192.168.10.1 90 00:05:44
Distance: internal 90 external 170
-------------------------------------------------------------------------------------------------
R2#debug eigrp packets hello
EIGRP Packets debugging is on
(HELLO)
R2#
*Mar 1 00:37:39.787: EIGRP: Sending HELLO on FastEthernet0/0
R2#
R2#
R2#
R2#
R2#undebu
R2#undebug all
All possible debugging has been turned off
R2#
R2#
------------------------------------------------------------------------------------------------------------------------------------------

89
LAB 24: EIGRP Authentication
EIGRP only supports the MD5 authentication method.
EIGRP provides benefits like fast convergence, incremental updates and support for multiple
network layer protocols. EIGRP supports Message Digest 5 (MD5) authentication to prevent
malicious and incorrect routing information from being introduced into the routing table of a
Cisco router.
Basic Configuration
R1(config-if)#exit
R1(config-if)#exit
R2(config-if)#exit
EIGRP Configuration

90
EIGRP Authentication
R1(config)#key chain venus
Specify the keychain name
R1(config-keychain)#key 1
Specify the keychain id
R1(config-keychain-key)#key-string ccnp
Specify the password
R1(config-if)#ip authentication mode eigrp 10 md5
Specify MD5 authentication for the EIGRP packets
R1(config-if)#ip authentication key-chain eigrp 10 venus
Apply key chain on the interface connecting to the other router.
N.B. A shared authentication key which is same on both routes must be configured. The
password is known as the ‘key’.
R2(config)#key chain venus
R2(config-keychain)#key 1
R2(config-keychain-key)#key-string ccnp
R2(config-keychain-key)#exit
R2(config-if)#ip authentication mode eigrp 10 md5
R2(config-if)#ip authentication key-chain eigrp 10 venus
192.168.10.1 (FastEthernet0/0) is up: new adjacency
R2(config-if)#
R1#show ip eigrp interfaces detail
IP-EIGRP interfaces for process 10
Xmit Queue Mean Pacing Time Multicast Pending
Interface Peers Un/Reliable SRTT Un/Reliable Flow Timer Routes
Fa0/0 1 0/0 29 0/2 144 0
Hello interval is 5 sec

91
Next xmit serial <none>
Un/reliable mcasts: 0/5 Un/reliable ucasts: 10/13
Mcast exceptions: 5 CR packets: 4 ACKs suppressed: 0
Retransmissions sent: 3 Out-of-sequence rcvd: 1
Authentication mode is md5, key-chain is "venus"
Use multicast
LAB 25: Configure EIGRP Hold time and Hello time
Basic Configuration
R1(config-if)#exit
EIGRP Configuration

92
EIGRP uses two hello and hold timer :
Hello/Hold timer 5/15 (point to point / Broadcast Network)
Hello/Hold timer 60/180 (NBMA)
But it can be changed as following :
R1(config-if)#ip hello-interval eigrp 10 30
R1(config-if)#ip hold-time eigrp 10 90
R2(config-if)#ip hello-interval eigrp 10 300
R2(config-if)#ip hold-time eigrp 10 3600
N.B. It is possible for two routers to become EIGRP neighbors even though the hello and hold
timers do not match.
LAB 26: EIGRP Summarization
Summarization is used to reduce the size of a routing table thus reducing the load on CPU and
memory.
There are two types of summarization:
 Auto summarization - it will advertise the classful A, B or C network to its neighbors.
By default, the “auto-summary” command is enabled.
 Manual summarization - Here we will describe it........

93
Basic Configuration of R1 and R2
R1(config-if)#exit
R1(config-if)#interface loopback 1
EIGRP Configuration
-------------------------------------------------------------------
Now see the routing table

94
R1#show ip route
172.16.0.0/16 is variably subnetted, 6 subnets, 2 masks
C 172.16.4.0/24 is directly connected, Loopback4
D 172.16.0.0/16 is a summary, 00:00:30, Null0
R2#show ip route
D 172.16.4.0 [90/409600] via 192.168.10.1, 00:00:07, FastEthernet0/0
Router R2 gets a number of EIGRP Route from R1, So we will now reduce the size of routing
table of R2
We will create the summary (Manual Summarization)
R1(config-if)#ip summary-address eigrp 10 172.16.0.0 255.255.248.0
Verification
R2#show ip route
R2#show ip route eigrp
Now we can see that R2 Router has only one summary route......

95
LAB 27 : ADVANCED EIGRP LAB
DU Router
1. Basic Configuration
DU>en
DU#conf t
DU(config)#hostname DU
DU(config)#enable password cisco
2. Line console password
3. Telnet configuration for remote login
4. IP configuration on router Interface

96
DU(config-if)#exit
5. Configure Loopback Interface
DU(config)#interface loopback 1
DU(config-if)#interface loopback 2
BUET Router
1. Basic Configuration
BUET (config)#hostname BUET
2. Line console password
3. Telnet configuration for remote login
4. IP configuration on router Interface
BUET(config)#

97
Main Configuration
EIGRP Configuration and advertise network
DU(config)#router eigrp 10
DU(config-router)#network 172.16.0.0 0.0.0.255
BUET(config)#router eigrp 10
BUET(config-router)#
Configure EIGRP Authentication
==========================
DU(config)#key chain ashishkey
DU(config-keychain)#key 1
DU(config-keychain-key)#key-string ashish
DU(config-keychain-key)#exit
DU(config-keychain)#exit
DU(config)#
DU(config-if)#ip authentication mode eigrp 10 md5
DU(config-if)#ip authentication key-chain eigrp 10 ashishkey
BUET(config)#key chain ashishkey
BUET(config-keychain)#key 1
BUET(config-keychain-key)#key-string ashish
BUET(config-keychain-key)#exit
BUET(config-keychain)#exit
BUET(config-if)#ip authentication mode eigrp 10 md5
BUET(config-if)#ip authentication key-chain eigrp 10 ashishkey

98
Configure EIGRP Summary Address
==========================
DU(config-if)#ip summary-address eigrp 10 172.16.0.0 255.255.252.0
Configure EIGRP Passive Interface
=========================
BUET(config-router)#passive-interface fastEthernet 0/1
Troubleshooting commands
# show ip route
# show ip eigrp neighbors / topology / interfaces
# show ip interface F0/0
# show ip protocols
OSPF Fundamentals
 Open standard Protocol
 It is a Link state Protocol
 It uses the Dijkstra shortest Path algorithm (construct a shortest path tree and then
populate the routing table with best routes)
 No limit on hop count
 Metric is cost ( cost = 10^8 / Bandwidth)
 Administrative distance is 110
 It is a Classless Routing Protocol
 Support VLSM and CIDR
 Supports only IP routing
 Supports only Equal cost load-balancing
 Uses the concept of Areas for easy management, hierarchical design
 Must have one area as Area 0, which is called backbone area
 All other areas must connect to this Area 0
 Scalability is better than of Distance Vector Routing Protocols
 Supports authentication
 Update are sent through multicast address 224.0.0.5 ( all routers) and 224.0.0.6( all
Designated Routers)
 Faster convergence

99
 Sends Hello packets every 10 seconds
 Triggered / Incremental updates : Sends update when change triggers in network and
sends only information about the change not complete routing table, LSAs are sent
when change occurs and only about the change.
 LSAs refresh every 30 minutes
 Forms neighbors with adjacent routers in same area
 LSAs used to advertises directly connected links
Link: That’s the interface of our router.
State: Description of the interface and how it’s connected to neighbor routers.
Link-state routing protocols operate by sending link-state advertisements (LSA) to all
other link-state routers. All the routers need to have these link-state advertisements so they
can build their link state database or LSDB. This LSDB is our full picture of the network, in
network terms we call this the topology.
OSPF maintains three tables :
Neighbor Table: Contains the list of directly connected neighbors (Routers).We can see
the table using the command ‘show ip ospf neighbors’.
Database Table: It is known as the Link state Database (LSDB). All possible routes to any
network in the same area are contained in this table. " show ip ospf database"
Routing Table: The best paths to reach each destination. The routing table can be seen
using the ‘show ip route’ command.
All the routers in OSPF have a common database.
The two level of hierarchy consist of:
 Transit Area ( backbone or Area 0)
 Regular Area ( non-backbone area)
OSPF works with the concepts of areas and by default you will always have a single area,
normally this is area 0 or also called the backbone area.
 Internal Router: The router for which all its interface belong to one area.
 Area Border Router (ABRs): The router that contains interfaces in more than one
area.
 Backbone Router: The router that has all or at least one interface in Area 0.

100
 Autonomous System Boundary Router (ASBR): The routers with connection to a
separate autonomous system.
Advantages of OSPF
 Open Standard this can be used by all vendors
 No limitations for hop count
 Provides a loop free network
 Provides faster convergence
Disadvantages of OSPF
 More CPU intensive, uses more CPU resources
 Design and Implementation is complex
 It only supports Equal cost load-balancing
 Only Supports IP and not others like IPX or Apple Talk
Once you configure OSPF your router will start sending hello packets. If you also receive
hello packets from the other router you will become neighbors.
Parameters to match to become neighbors
For two or more OSPF routers to become neighbors there are some parameters that need to
match / be identical:
- Area ID
- Area Type ( NSSA, Stub)
- Subnet Mask
- Hello Interval
- Dead Interval
- Prefix

101
- Network Type ( broadcast, point-to-point, etc)
- Authentication
OSPF Metric
Cost = Reference Bandwidth / Interface Bandwidth
Cost = 100Mbps / Bandwidth
Some things worth knowing about OSPF load balancing:
 Paths must have an equal cost.
 4 equal cost paths will be placed in routing table.
 Maximum of 16 paths.
 To make paths equal cost, change the “cost” of a link
Each LSA has an aging timer which carries the link-state age field. By default each OSPF LSA
is only valid for 30 minutes.
If the LSA expires then the router that created the LSA will resend the LSA and increase the
sequence number
OSPF has to get through 7 states in order to become neighbors…here they are:
1. Down: no OSPF neighbors detected at this moment.
2. Init: Hello packet received.
3. Two-way: own router ID found in received hello packet.
4. Exstart: master and slave roles determined.
5. Exchange: database description packets (DBD) are sent.
6. Loading: exchange of LSRs (Link state request) and LSUs (Link state update) packets.
7. Full: OSPF routers now have an adjacency.
OSPF Packet Types
1. Hello: to build and maintain neighbor relationship or adjacencies and as keepalives.
2. DBD – Database Descriptor: Used to verify if the LSDB between two routers is same. It
is a summary of the Link State Database (LSDB)
3. Link State Request (LSR): Any request made to other routers for some information is
using this packet.
4. Link State Update (LSU): Contains the information requested in the LSR.
5. Links State Acknowledgement (LSAck): Acknowledgement for all the OSPF packets
except the Hello packet.

102
Hellos are the keepalives for OSPF. If a Hello is not received in 4 Hello periods, then the
neighbor is considered Dead. 4 Hello Periods = Dead Time. The hello and dead timers are as
follows:
 LAN and point-to-point interfaces : Hello 10 seconds , Dead timer 40 seconds
 Non-broadcast Multi-access (NBMA) interfaces: Hello 30 seconds, Dead timer120
seconds
There are total 11 types of LSA but famous types are as follow.
LSA Type-1| Router LSA from one network: Each router generates a Type 1 LSA that lists its
active interfaces, IP addresses, neighbors and the cost to each. Flooded inside the router's
area. Link ID is router's ID.
LSA Type-2| Network LSA from more network (DR Generated): Type 2 LSA is created by the
DR on the network, and represents the subnet and the router interfaces connected to that
network. Link ID interface IP address. Does not cross area.
LSA Type-3| Summary LSA (ABR summary Route): Generated by Area Border Routers (ABRs).
In type 3 LSAs are advertised networks from an area to the rest of the areas in AS. The link-
state id used by this LSA is the network number advertised.
Describe how to reach from one area to another area, does the summary of network. Type 3
is called inter-area link, represented by O IA
LSA Type-4| Summary LSA (just IP address of ASBR): Describe how to reach ASBR. ABR says
other area's router if you want to go ASBR use me. ABR passes the ASBR summary route.
LSA Type-5| External LSA (ASBR summary Route): ASBR creates the route to go to external
routers. And says if you want to go to external routes use me. I know the path. Type 4 tells
other router how to go ASBR. These routes appear as O E1 or O E2
NSSA External LSA (Type 7): Type 7 LSA allow injection of external routes through Not-so-
Stubby-Areas (NSSA). Generally external routes are advertised by type 5 LSA but they are not
allowed inside any stub area. That’s why Type 7 LSA is used, to trick OSPF. Type 7 LSA is
generated by NSSA ASBR and is translated into type 5 LSA as it leaves the area by NSSA ABR,
which is then propagated throughout the network as type 5 LSA.
Stub area prevents external routers to go through it. So NSSA is used that allows type7 LSA
only

103
Area Types
Normal Areas: These areas can either be standard areas or transit (backbone) areas. Standard
areas are defined as areas that can accept intra-area, inter-area and external routes. The
backbone area is the central area to which all other areas in OSPF connect.
Stub Areas: These areas do not accept routes belonging to external autonomous systems (AS);
however, these areas have inter-area and intra-area routes. In order to reach the outside
networks, the routers in the stub area use a default route which is injected into the area by
the Area Border Router (ABR).
Totally Stub Areas: These areas do not accept routes belonging to external autonomous
systems (AS); and even inter-area routes (summary routes) are not propagated inside the
totally stubby areas. The default routes to be propagated within the area. The ABR injects a
default route into the area and all the routers belonging to this area use the default route to
send any traffic outside the area.
NSSA: This type of area allows the flexibility of importing a few external routes into the area
while still trying to retain the stub characteristic.
OSPF can do summarization
OSPF can do summarization but it’s impossible to summarize within an area. This means we
have to configure summarization on an ABR or ASBR. OSPF can only summarize our LSA type 3
and 5.
OSPF does not support auto summarization, only manual. OSPF route summarization can be of
two types:
1. Internal route summarization;
ABR(config-router)#area 15 range 192.168.0.0 255.255.254.0
1. External route summarization.
ASBR(config-router)# summary-address 172.16.32.0 255.255.224.0
OSPF Supports two types of Authentication:
 Plaintext authentication
 MD5 authentication!
OSPF Network types:

104
Point-to-Point
High-Level Data Link Control (HDLC) and Point-to-Point Protocol (PPP), Open Shortest Path
First (OSPF) runs as a point-to-point network type.
Broadcast
An Ethernet segment is an example of such a network. Ethernet networks support broadcasts;
a single packet transmitted by a device can be multiplied by the medium (in this case an
Ethernet switch) so that every other end point receives a copy.
Non-Broadcast
Frame relay and ATM are probably the most common examples of non-broadcast transport,
requiring individual permanent virtual circuits (PVCs) to be configured between end points.
Non-Broadcast Multi-Access (NBMA)
An NBMA segment emulates the function of a broadcast network. Every router on the segment
must be configured with the IP address of each of its neighbors. OSPF hello packets are then
individually transmitted as unicast packets to each adjacent neighbor.
point-to-multipoint
No DR/BDR election since OSPF sees the network as a collection of point-to-point links.
Only a single IP subnet is used in the topology above.
DR/BDR Election Process
 DR/BDR election is per multi-access segment…not per area. Each multi-access segment
(ex: Ethernet Segment), will have a Designated Router (DR) and a Backup Designated
Router (BDR).
 The other Router who will be not the DR or BDR will be the DROTHER. DROTHER router
on the segment forms a Full adjacency with the DR/BDR. DR/BDR is a property of a
router’s interface, not the entire router.
 DR’s reduce network traffic as only they maintain the complete ospf database and
then send updates to the other routers on the shared network segment.
 The router with the highest priority on the data link wins the election, but by default
priorities are 1. In this case the router with the highest Router ID will win.

105
Consider, all OSPF router processes start at the same time, Router0 and Router1 win the
election for DR and BDR respectively because they have the highest Router ID’s on the
segment. Others routers will be the DROTHER.
Here Router2 and Router3 will make it full adjacency with router Router0(DR) or Router1(BDR)
 We can use show ip ospf neighbor command to verify this.
 The default priority is 1 but the priority can be changed by
Router(config-if)# ip ospf priority <priority number>
 If we do not want a router to participate in the DR / BDR election, then its priority
must be set as 0.
 We need to use clear ip ospf process before this change takes effect.
LAB --- OSPF

106
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
1. BASIC CONFIGURATION
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
R1#conf t
R1(config-if)#exit
R1(config-if)#exit
===================================================================
R2#conf t
R2(config-if)#exit
R2(config-if)#exit
R2(config)#
===================================================================
R3#conf t
R3(config-if)#exit
R3(config)#

107
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
LAB 28 : OSPF BASIC CONFIGURATION
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
R1(config)#router ospf 1
R1(config-router)#network 172.16.0.0 0.0.3.255 area 0
R2#conf t
R3#conf t
R3(config-router)#exit
Wild card Mask
Wildcard masks are used to specify a range of network addresses. They are commonly used
with routing protocols (like OSPF) and access lists.
 To indicate the size of a network or subnet for some routing protocols, such as OSPF.
 To indicate what IP addresses should be permitted or denied in access control lists
(ACLs).
Slash Netmask Wildcard Mask
/32 255.255.255.255 0.0.0.0
/31 255.255.255.254 0.0.0.1
/30 255.255.255.252 0.0.0.3
/29 255.255.255.248 0.0.0.7
/28 255.255.255.240 0.0.0.15
/27 255.255.255.224 0.0.0.31
/26 255.255.255.192 0.0.0.63
/25 255.255.255.128 0.0.0.127
/24 255.255.255.0 0.0.0.255
/23 255.255.254.0 0.0.1.255
Rules :
If all bit 1 then all bit zero and vice versa ;

108
255.255.255.255 0.0.0.0
255.255.255.0 0.0.0.255
if other value (not 0 or 255) then find out the block size
255.255.255.248 ...... block size = 256-248 = 8
And wildcard bit will be "blocksize - 1" = 8 - 1 = 7
And thus here 255.255.255.248 0.0.0.7
===========================================================================
Verification
=============
Here we can see that neighbor ship is formed but no route to area 0 and area1
So we have to configure now virtual link on R1 and R2 through area 1.........................
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
LAB 29 : OSPF VIRTUAL-LINK
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
In OSPF all other area must be connected with area 0 (Backbone area) either physically or
virtually. In our figure area 1 is directly connected with area 0 but area 2 is not connected
with area 0. So here area 2 have to be connected with area 0 virtually. In this Lab we will see
it :
First we configure Router ID on R1 and R2 Router

109
R1(config-router)#router-id 1.1.1.1
R1(config-router)#
R2(config-router)#router-id 2.2.2.2
Reload or use "clear ip ospf process" command, for this to take effect
R2#clear ip ospf process
Reset ALL OSPF processes? [no]: yes
We must run this command to take effect on this configuration (also called soft reset)
Now we will configure virtual link through area 1
R1(config-router)#area 1 virtual-link 2.2.2.2
R2(config-router)#area 1 virtual-link 1.1.1.1
===========
Now verify
============
Ping to any loopback IP
R3#ping 172.16.1.1
!!!!!

110
--------------------------------------------------------------------------
R2#show ip ospf virtual-links
Virtual Link OSPF_VL0 to router 1.1.1.1 is up
Run as demand circuit
DoNotAge LSA allowed.
Transit area 1, via interface FastEthernet0/0, Cost of using 10
Transmit Delay is 1 sec, State POINT_TO_POINT,
Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
Hello due in 00:00:07
Adjacency State FULL (Hello suppressed)
Index 1/3, retransmission queue length 0, number of retransmission 1
First 0x0(0)/0x0(0) Next 0x0(0)/0x0(0)
Last retransmission scan length is 1, maximum is 1
Last retransmission scan time is 0 msec, maximum is 0 msec
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
LAB 30: OSPF authentication
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Plaintext authentication on Router R1 and R2---F0/0 interface (Area 1)
R1(config-if)#ip ospf authentication
R1(config-if)#ip ospf authentication-key mypass
---------------------------------------------------------
R2(config-if)#ip ospf authentication
R2(config-if)#ip ospf authentication-key mypass
============
Verification
===========
R1#show ip ospf interface fastEthernet 0/0
FastEthernet0/0 is up, line protocol is up
Internet Address 192.168.12.1/24, Area 1
Process ID 1, Router ID 1.1.1.1, Network Type BROADCAST, Cost: 10
Transmit Delay is 1 sec, State BDR, Priority 1
Designated Router (ID) 2.2.2.2, Interface address 192.168.12.2

111
Backup Designated router (ID) 1.1.1.1, Interface address 192.168.12.1
oob-resync timeout 40
Cisco NSF helper support enabled
Index 1/5, flood queue length 0
Last flood scan length is 3, maximum is 3
Last flood scan time is 0 msec, maximum is 0 msec
Neighbor Count is 1, Adjacent neighbor count is 1
Adjacent with neighbor 2.2.2.2 (Designated Router)
Suppress hello for 0 neighbor(s)
Simple password authentication enabled
R1#
MD5 authentication on Router R2 and R3---F0/0 interface (Area 2)
R2(config-if)#ip ospf message-digest-key 1 md5 mypass1
R2(config-if)#ip ospf authentication message-digest
-------------------------------------------------------
R3(config-if)#ip ospf message-digest-key 1 md5 mypass1
R3(config-if)#ip ospf authentication message-digest
=====================================================================
Verification
===========
R2#show ip ospf interface f0/1
Internet Address 192.168.23.2/24, Area 2
Process ID 1, Router ID 2.2.2.2, Network Type BROADCAST, Cost: 10
Transmit Delay is 1 sec, State BDR, Priority 1
Designated Router (ID) 192.168.23.3, Interface address 192.168.23.3
Backup Designated router (ID) 2.2.2.2, Interface address 192.168.23.2
oob-resync timeout 40
Last flood scan length is 1, maximum is 4
Last flood scan time is 0 msec, maximum is 0 msec
Neighbor Count is 1, Adjacent neighbor count is 1
Adjacent with neighbor 192.168.23.3 (Designated Router)

112
Suppress hello for 0 neighbor(s)
Message digest authentication enabled
Youngest key id is 1
LAB 31: OSPF Summarization
OSPF does not support auto summarization, only manual. OSPF route summarization can be of
two types:
1. Internal route summarization;
2. External route summarization.
I’m going to show you an example of interarea route summarization on Router R1
First we will check the Routing table of R3
R1(config-router)#area 0 range 172.16.0.0 255.255.252.0
-------------------------------------------------

113
LAB 32 : PPP Configuration
Designing a wide area network (WAN) is one of the most challenging issues. We must have to
choose the correct connection type. Most carriers offer three connection types:
1. Circuit-switched connections
2. Packet-switched or cell-switched connections
3. Dedicated connection
Circuit-switched connections:
Asynchronous dial-in (PSTN) and ISDN services, the telephone companies use circuit switching.
Packet-switched or cell-switched connections
Examples of packet-switched and cell-switched networks include Frame Relay (packet-
switched), X.25 (packet-switched), and Asynchronous Transfer Mode or ATM (cell-switched).
Leased Line(Dedicated connection):
A permanent communication path exists between a Customer Premise Equipment (CPE) on
one site and a CPE at the remote site communicating through a Data Communicating
Equipment (DCE) within the providers' site. Synchronous serial lines are used for this
connection and the most frequent protocols observed in these lines are HDLC (High-Level
Data Link Control) and PPP (Point-to-Point Protocol). When cost in not an issue, you should
use this type of connection.

114
HDLC
 HDLC stands for High-Level Data Link Control protocol.
 HDLC is a Layer 2 protocol.
 HDLC would be the protocol with the least amount of configuration required to
connect these two locations. HDLC would be running over the WAN, between the two
locations.
 HDLC performs error correction, just like Ethernet.
 HDLC is actually proprietary because they added a protocol type field.
 HDLC is actually the default protocol on all Cisco serial interfaces.
PPP
PPP or Point-to-Point Protocol is a type of Layer 2 protocol (Data-link layer) used mainly for
WAN. PPP features two methods of authentication:
 PAP (Password Authentication Protocol) and
 CHAP (Challenge Handshake Authentication Protocol)
 PAP sends the password in clear text and CHAP sends the encrypted password
 PPP encapsulation is possible only over a serial link.
 PPP encapsulates Layer 3 data over point-to-point links.
 PPP uses a Network Control Protocol (NCP) component to encapsulate multiple
protocols and uses Link Control Protocol (LCP) to set up and negotiate control options
on the data link.
 PPP supports multivendor devices.

115
Configuration on Ashish Router
Basic Configuration
Router#conf t
Router(config)#interface serial 0/1/0
Router(config)#hostname Ashish
Ashish(config)#interface fastEthernet 0/0
Ashish(config-if)#ip add
Ashish(config-if)#ip address 192.168.10.1 255.255.255.0
Ashish(config-if)#no shut
Ashish(config-if)#no shutdown
PPP Configuration
Ashish(config)#username buet privilege 15 password cisco
Ashish(config)#interface serial 0/1/0
Ashish(config-if)#encapsulation ppp
Ashish(config-if)#ppp authentication chap
Ashish(config-if)#exit
For PPP configuration we must configure hostname and username. In this router username
will be the hostname of peer router , i.e. buet
Configure Static Route
Ashish(config)#ip route 192.168.20.0 255.255.255.0 103.13.148.2
Ashish(config)#
BUET Router
Router#conf t
Router(config)#hostname buet
buet(config)#interface serial 0/1/0
buet(config-if)#ip address 103.13.148.2 255.255.255.248
buet(config-if)#no shutdown
buet(config)#interface fastEthernet 0/0
buet(config-if)#ip address 192.168.20.1 255.255.255.0

116
buet(config-if)#no shutdown
buet(config)#username Ashish privilege 15 password cisco
buet(config)#interface serial 0/1/0
buet(config-if)#encapsulation ppp
buet(config-if)#ppp authentication chap
buet(config-if)#end
buet#
In this router username will be the hostname of peer router , i.e. Ashish
buet(config)#ip route 192.168.10.0 255.255.255.0 103.13.148.1
Verification :
Ashish#show interfaces serial 0/1/0
Serial0/1/0 is up, line protocol is up (connected)
Hardware is HD64570
Internet address is 103.13.148.1/29
MTU 1500 bytes, BW 128 Kbit, DLY 20000 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation PPP, loopback not set, keepalive set (10 sec)
LCP Open
Open: IPCP, CDPCP
Last input never, output never, output hang never
Last clearing of "show interface" counters never
Input queue: 0/75/0 (size/max/drops); Total output drops: 0
Queueing strategy: weighted fair
Output queue: 0/1000/64/0 (size/max total/threshold/drops)
Conversations 0/0/256 (active/max active/max total)
Reserved Conversations 0/0 (allocated/max allocated)
Available Bandwidth 96 kilobits/sec
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
8 packets input, 1024 bytes, 0 no buffer
Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
9 packets output, 1152 bytes, 0 underruns

117
C:>ping 192.168.20.2
The clock rate will set the speed. It doesn’t matter much what clock speed we use. We can
use a command to verify that the DTE router has received the clock rate:
Ashish# show controllers serial 0/1/0
Interface Serial0/1/0
Hardware is PowerQUICC MPC860
DTE V.35 TX and RX clocks detected
idb at 0x81081AC4, driver data structure at 0x81084AC0
In the example above Ashish is the DTE side and it has received a clock rate. Show controllers
is a useful command when you don’t have physical access to your hardware so you don’t know
which side of the cable is DTE or DCE
LAB 33: BGP Basic Configuration
BGP is an external gateway protocol, It is used between different networks. It is the protocol
used between Internet service providers (ISPs) and also can be used between an Enterprise
and an ISP.
BGP was built for reliability, scalability, and control, not speed.
BGP stands for Border Gateway Protocol. Routers running BGP are termed BGP speakers.
 BGP uses the concept of autonomous systems (AS). An autonomous system is a group of
networks under a common administration. The Internet Assigned Numbers Authority
(IANA) assigns AS numbers: 1 to 64511 are public AS numbers and 64512 to 65535 are
private AS numbers.

118
 Autonomous systems run Interior Gateway Protocols (IGP) within the system. They run
an Exterior Gateway Protocol (EGP) between them. BGP version 4 is the only EGP
currently in use.
 Routing between autonomous systems is called interdomain routing.
 The administrative distance for EBGP routes is 20. The administrative distance for
IBGP routes is 200.
 BGP neighbors are called peers and must be statically configured.
 BGP uses TCP port 179. BGP peers exchange incremental, triggered route updates and
periodic keepalives.
 Routers can run only one instance of BGP at a time.
 BGP is a path-vector protocol.
BGP neighbors can be of two types:
 IBGP neighbors – when two neighbors are in the same AS;
 EBGP neighbors – when two neighbors belong to different AS.

119
Basic Configuration
ISP1
Router#conf t
Router(config)#hostname ISP1
ISP1(config)#interface fastEthernet 0/0
ISP1(config-if)#ip address 192.168.10.1 255.255.255.0
ISP1(config-if)#no shutdown
ISP1(config-if)#exit
ISP2
Router(config)#hostname ISP2
BGP Configuration
ISP1(config)#router bgp 100 *100 is the AS Number of ISP1*
ISP1(config-router)#neighbor 192.168.10.2 remote-as 200 * Declare neighbor,
200 is the AS of ISP2, 192.168.10.2 is the IP Address of ISP2's F0/0
Interface*
ISP1(config-router)#network 10.10.10.0 mask 255.255.255.0 * advertise
network*
ISP1(config-router)#exit
ISP2(config)#router bgp 200
ISP2(config-router)#neighbor 192.168.10.1 remote-as 100
ISP2(config-router)#%BGP-5-ADJCHANGE: neighbor 192.168.10.1 Up
ISP2(config-router)#network 11.11.11.0 mask 255.255.255.0
ISP2(config-router)#

120
Verification
Show ip bgp summary command shows if the neighborship is formed
We can see the bgp route with show ip bgp command
LAB 34: BGP PEERING WITH LOOPBACK ADDRESS
To establish eBGP/iBGP connection if loopback is used as the following command is needed
neighbor <peer’s ip address> update-source loopback<id>
By default BGP will use the interface IP as the source address to establish TCP connection. If
update-source is not used then the BGP adjacency will never be formed, and will always stuck
in Active state.
Another is , If we want to establish connections to peers which are not directly connected
use this following command:
neighbor <peer’s ip address> ebgp-multihop <value>
The "value" indicates the number of hops. The range of "value" is 1 to 255.

121
R1: Configure IP Address to All Interface
R1#conf t
R1(config-if)#exit
R1(config-if)#exit
R2: Configure IP Address to All Interface
R2#conf t
R2(config-if)#exit
R2(config-if)#exit
BGP Configuration on R1 and R2
R1(config)#router bgp 100
R1(config-router)#neighbor 11.11.11.11 remote-as 200
R1(config-router)#neighbor 11.11.11.11 update-source loopback 0

122
R1(config-router)#neighbor 11.11.11.11 ebgp-multihop 2
R2(config-router)#neighbor 10.10.10.10 update-source loopback 0
R2(config-router)#neighbor 10.10.10.10 ebgp-multihop 2
Now we will check if BGP neighborship is established or not !
R1#show ip bgp summary
Not established, The BGP Session is still in Active Mode
Let us check with ping command if the loopback IP of R2 Router is reachable
Ping is also not successful. Check the routing table

123
The 11.11.11.11 route is not in the routing table. Let us create static route on both routers.
R1(config)#ip route 11.11.11.11 255.255.255.255 103.13.148.6
R2(config)#ip route 10.10.10.10 255.255.255.255 103.13.148.5
Now check the BGP Status..............Established..Right ??
N.B. ebgp-multihop command is required only for eBGP Router, if both Routers are in iBGP
then the command is not required !
LAB 35: BGP REDUNDANCY WITH LOAD SHARING
BGP load sharing is commonly done using loopback's Peering between two BGP Routers.

124
R1 Router : Configure IP Address to each Interface
Venus(config)#interface loopback 0
R2 Router: Configure IP Address to each Interface
Gvtl(config)#interface fastEthernet 0/1
Gvtl(config-if)#ip address 192.168.10.2 255.255.255.0
Gvtl(config-if)#no shutdown
Gvtl(config-if)#exit
Gvtl(config)#interface loopback 0

125
Configure OSPF as an IGP on both routers for reachability issue
Venus(config)#router ospf 1
Venus(config-router)#network 192.168.10.0 0.0.0.255 area 0
Venus(config-router)#exit
Gvtl(config)#router ospf 1
Gvtl(config-router)#network 192.168.10.0 0.0.0.255 area 0
Gvtl(config-router)#network 6.6.0 0.0.0.255 area 0
Gvtl(config-router)#exit
Gvtl(config)#
OSPF Neighborship Verification
# show ip ospf neighbor
Assign IP to Hosts and apply ping to its default gateway

126
Also ping from PC2 to PC1
BGP Configuration on Venus and Gvtl Router
(BGP Peering with loopback Address)
Venus(config)#router bgp 100
Venus(config-router)#neighbor 6.6.6.6 remote-as 200
Venus(config-router)#neighbor 6.6.6.6 update-source loopback 0
Venus(config-router)#neighbor 6.6.6.6 ebgp-multihop 2
Venus(config-router)#neighbor 6.6.6.6 soft-reconfiguration inbound
Venus(config-router)#maximum-paths 2
Venus(config-router)#no auto-summary
Venus(config-router)#exit
Gvtl(config)#router bgp 200
Gvtl(config-router)#neighbor 5.5.5.5 remote-as 100
Gvtl(config-router)#neighbor 5.5.5.5 ebgp-multihop 2
Gvtl(config-router)#neighbor 5.5.5.5 update-source loopback 0
Gvtl(config-router)#neighbor 5.5.5.5 soft-reconfiguration inbound
Gvtl(config-router)#maximum-paths 2
Gvtl(config-router)#no auto-summary

127
Gvtl(config-router)#exit
Note:
Soft-reconfiguration inbound allows the router to receive and save the updates from a
neighbor it its memory regardless of any policy applied in inbound direction. There is no need
to clear the bgp session if we have soft-reconfiguration enabled, one of its purposes is to
allow us to change the policy without clearing the session off.
BGP Peering with loopback Address added an extra benifit. Loopback is never down. So when
we make neighborship with loopback IP our BGP Session will remain up if one of the physical
link is getting down.
Verification of BGP
Venus#show ip bgp summary
We see that BGP State is UP (shows value means active)
Here we can see that at first 192.168.20.2 route is used and in the second time 192.168.10.2
is used. This proves that load is shared !!!
Now we will verify if one link is down other link is active or not !
Let us shutdown F0/0 Interface of Router Venus and at the same time issue continue ping
from PC1 to PC2
Venus(config-if)#shutdown

128
Some packets will be drop during shifting the link as F0/0 Interface is used as a (IP Address
corresponding to 192.168.20.0/24 Network) primary link. Look the following traceroute
Result..........
But if we shutdown the F0/1 link no packets will be dropped, as it is used here as the
secondary link.

129
LAB 36: BGP Single Homed Design
R1 is in our enterprise core and has OSPF as its IGP.
R1(config-if)#exit
R2 is in our enterprise edge and has OSPF for IGP and BGP for EGP.
R2(config-if)#exit
R2(config-if)#exit
R2(config-router)#default-information originate

130
R2(config-router)#network 1.1.1.0 mask 255.255.255.0
R2(config)#ip route 1.1.1.0 255.255.255.0 null 0
R2 is in the service provider edge. R2 has a couple of static routes to advertise into BGP and is
advertising a default route to R1 which will then propagated throughout the enterprise core.
R3(config-router)#network 2.2.2.0 mask 255.255.255.0
R3(config-router)#neighbor 192.168.20.1 default-originate
Verification
R3#show ip bgp summary
Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd
192.168.20.1 4 100 23 24 3 0 0 00:19:33 1
R2#show ip route
..................<output omitted>...................
S 1.1.1.0 is directly connected, Null0
B 2.2.2.0 [20/0] via 192.168.20.2, 00:17:59 ** BGP learned route **
B* 0.0.0.0/0 [20/0] via 192.168.20.2, 00:20:18 ** default route from BGP
because of the default originate command in R3 **
R2#show ip bgp
-------------------<output omitted>.........................
Network Next Hop Metric LocPrf Weight Path

131
*> 0.0.0.0 192.168.20.2 0 0 200 i
*> 1.1.1.0/24 0.0.0.0 0 32768 i
*> 2.2.2.0/24 192.168.20.2 0 0 200 i
R1#show ip ospf neighbor
Neighbor ID Pri State Dead Time Address Interface
192.168.20.1 1 FULL/BDR 00:00:31 192.168.10.1 FastEthernet0/1
R1#show ip route
------------------<outputs are omitted>--------------
Gateway of last resort is 192.168.10.1 to network 0.0.0.0
O*E2 0.0.0.0/0 [110/1] via 192.168.10.1, 00:06:16, FastEthernet0/1
Here we can see R2 is BGP (Single homed) with R3 advertising a /24 (1.1.1.0/24) and R2 is
advertising a default to the enterprise core (R1).
Explaination
default-information originate, the router is going to Redistribute a default route it got from
another Router (OSPF)
neighbor x.x.x.x default-originate (BGP)
If you want to advertise default route to a specific peer, this is the method for that
requirement.
 Add ‘neighbor x.x.x.x default-originate’ under router bgp <ASN>
 It does not even check for the existence of a default route in the IP routing table
 The ‘default-information originate’ command should not be configured with the
‘neighbor x.x.x.x default-originate’ command on the same router
The Null interface is typically used for preventing routing loops.
Also prevent DoS Aattack. An example of where this traffic to unused IP addresses might come
from could be denial of service attacks, scanning of IP blocks to find vulnerable hosts, etc
LAB 37 : HSRP (Hot Standby Router Protocol) Configuration
HSRP provides layer 3 redundancy in our network through active and standby router
assignment, interface tracking, and load balancing. A group of physical routers, acting as a
single virtual router, advertise a single IP address and MAC address into our network. By
tracking interfaces and managing multiple groups, we can optimize speed as well as add

132
redundancy to our networks. And we can use VRRP or GLBP based on our individual network
needs. The services that HSRP provides are a great addition to any network.
Characteristics
 HSRP is Cisco proprietary
 HSRP has 5 states: Initial, listen, speak, standby and active.
 HSRP allows multiple routers to share a virtual IP and MAC address so that the end-
user hosts do not realize when a failure occurs.
 The active (or Master) router uses the virtual IP and MAC addresses.
 Standby routers listen for Hellos from the Active router. A hello packet is sent every 3
seconds by default. The hold time (dead interval) is 10 seconds.
 Virtual MAC of 0000.0C07.ACxx , where xx is the hexadecimal number of HSRP group.
 The group numbers of HSRP version 1 range from 0 to 255. HSRP does support group
number of 0 (we do check it and in fact, it is the default group number if you don’t
enter group number in the configuration) so HSRP version 1 supports up to 256 group
numbers. HSRP version 2 supports 4096 group numbers.

133
Assign IP Address to Venus
Switch#conf t
Switch(config)#hostname venus
venus(config)#int fastEthernet 0/10
venus(config-if)#no switchport
venus(config-if)#ip address 192.168.1.1 255.255.255.0
venus(config-if)#no shutdown
venus(config-if)#exit
venus(config-if)#no switchport
venus(config-if)#ip address 192.168.30.2 255.255.255.0
venus(config-if)#no shutdown
venus(config-if)#
Assign IP Address to Denver
Switch#conf t
Switch(config)#hostname Denver
Denver(config)#int fastEthernet 0/11
Denver(config-if)#no switchport
Denver(config-if)#ip address 192.168.1.2 255.255.255.0
Denver(config-if)#no shutdown
Denver(config-if)#exit
Denver(config-if)#no switchport
Denver(config-if)#ip address 192.168.40.2 255.255.255.0
Denver(config-if)#no shutdown
Denver(config-if)#end
Assign IP Address to Toronto
=============================
Router>en
Router#conf t
Router(config)#hostname Toronto
Toronto(config)#interface fastEthernet 0/0
Toronto(config-if)#ip address 192.168.30.1 255.255.255.0
Toronto(config-if)#no shutdown
Toronto(config-if)#exit
Toronto(config)#int fastEthernet 0/1

134
Toronto(config-if)#ip add
Toronto(config-if)#no shutdown
Toronto(config)#int loopback 1
Toronto(config)#int loopback 1
Create static route to 1.1.1.0/24 network from Venus and Denver
=====================================================================
venus(config)#ip route 1.1.1.0 255.255.255.0 192.168.30.1
Denver(config)#ip route 1.1.1.0 255.255.255.0 192.168.40.1
Create static route to 192.168.1.0/24 network from Toronto
================================================================
Toronto(config)#ip route 192.168.1.0 255.255.255.0 192.168.30.2
Toronto(config)#ip route 192.168.1.0 255.255.255.0 192.168.40.2
Apply ip routing command on venus and Denver
=================================================
venus(config)#ip routing
Denver(config)#ip routing
Assign IP address to host with default Gateway 192.168.1.1 and
192.168.1.2 and apply ping command to 1.1.1.0 Network
======================================================================
C:>ping 1.1.1.1
Configure HSRP
venus(config-if)#standby 10 ip 192.168.1.3
venus(config-if)#standby 10 priority 110
venus(config-if)#standby 10 preempt
Denver(config-if)#standby 10 ip 192.168.1.3

135
Denver(config-if)#standby 10 priority 100
Denver(config-if)#standby 10 preempt
Denver(config-if)#end
Verify
============
venus#show standby
FastEthernet0/10 - Group 10
State is Active
12 state changes, last state change 01:01:47
Virtual IP address is 192.168.1.3
Active virtual MAC address is 0000.0C07.AC0A
Local virtual MAC address is 0000.0C07.AC0A (v1 default)
Hello time 3 sec, hold time 10 sec
Next hello sent in 1.461 secs
Preemption enabled
Active router is local
Standby router is 192.168.1.2
Priority 110 (configured 110)
Group name is hsrp-Fa0/10-10 (default)
venus#
-------------------------------------------------------------------
Denver#show standby
State is Standby
Preemption enabled
Active router is 192.168.1.1
Standby router is local
Priority 100 (default 100)
Denver#
Now change the default gateway of both PC to 192.168.1.3 and ping to 1.1.1.1

136
======================================================================
Successful...
now shutdown one of the interface F0/10 or F0/11 that has the highest
priority (110)
======================================================================
and verify by standby command...
also see that ping to 1.1.1.1 is even successful
------------------------------------------------------
Denver#show standby
State is Active
Preemption enabled
Active router is local
Standby router is unknown
Priority 100 (default 100)
Denver#
Now the Denver switch is Active
-----------------------------------------------------------------
C:>ping 1.1.1.1
IP Access Control List (ACL)
Access-lists work on the network (layer 3) and the transport (layer 4) layer and can be used
for two different things:
 Filtering traffic
 Identifying traffic

137
Filtering is used to permit or deny traffic.
Identify means - selecting traffic. It can be used when we configure VPN. The traffic is
identified and then it passes through VPN Tunnels.
IP ACLs are the most popular as IP is the most common type of traffic. There are two types of
IP ACLs:
 Standard IP ACLs: 1 to 99 and 1300 to 1999
 Extended IP ACLs: 100 to 199 and 2000 to 2699
Standard IP ACLs can only control traffic based on the SOURCE IP address where Extended IP
ACLs identify traffic based on source IP, source port, destination IP, and destination port.
We can use ACLs to filter traffic according per protocol, per interface, and per direction. We
can only have one ACL per protocol (e.g., IP or IPX), one ACL per interface (e.g.,
FastEthernet0/0), and one ACL per direction (i.e., IN or OUT).
LAB 38 : Standard IP access-lists
Standard IP access-lists are based upon the source host or network IP address, and should be
placed closest to the destination network.

138
Router R1 (IP Address and EIGRP Configuration)
R1#conf t
R1(config-if)#exit
R1(config-if)#exit
Router R2 (IP Address and EIGRP Configuration)
R2#conf t
R2(config-if)#exit
R2(config-if)#exit
R2(config-if)#exit
R2(config)#
OK, Now we will create ACL rules so that.........

139
only PC 1, PC 2, PC3 can ping loopback IP
R1(config)#access-list 50 permit host 192.168.20.2
R1(config)#access-list 50 deny any
Apply it to R2 Router (closest to the destination)
R2(config-if)#ip access-group 50 in
Verification
R2#show ip interface fastEthernet 0/0
Broadcast address is 255.255.255.255
Address determined by setup command
MTU is 1500 bytes
Helper address is not set
Directed broadcast forwarding is disabled
Outgoing access list is not set
Inbound access list is 50
Now ping from PC4
PC4> ping 11.11.11.11
*192.168.20.1 icmp_seq=1 ttl=255 time=15.600 ms (ICMP type:3, code:13,
Communication administratively prohibited)
And from PC1 / PC2 / PC3
PC1> ping 11.11.11.11
84 bytes from 11.11.11.11 icmp_seq=1 ttl=254 time=46.800 ms

140
PC2> ping 12.12.12.12
PC3> ping 12.12.12.12
R2#show access-lists
Standard IP access list 50
10 permit 192.168.10.0, wildcard bits 0.0.0.255 (27 matches)
LAB 39 : EXTENDED IP ACCESS-LIST
Extended IP access-lists block based upon the source IP address, destination IP address, and TCP
or UDP port number. Extended access-lists should be placed closest to the source network.

141
Objective:
We will configure Extended ACL so that
PC0 can only posseses Telnet service
PC2 can only posseses HTTP Service and
PC1 can only posseses Mail service
IP Configuration
Router(config)#hostname LOCAL
LOCAL(config)#interface fastEthernet 0/1
LOCAL(config-if)#ip address 192.168.10.1 255.255.255.0
LOCAL(config-if)#no shutdown
LOCAL(config-if)#exit
LOCAL(config)#interface fastEthernet 0/0
LOCAL(config-if)#ip address 103.13.148.1 255.255.255.240
LOCAL(config-if)#no shutdown
LOCAL(config-if)#exit
Static Default Route
LOCAL(config)#ip route 0.0.0.0 0.0.0.0 103.13.148.2
Telnet Access
LOCAL(config)#line vty 0 5
LOCAL(config-line)#password cisco
LOCAL(config-line)#login
LOCAL(config-line)#exit
LOCAL(config)#enable secret cisco
IP Configuration
ISP(config-if)#exit
ISP(config-if)#exit

142
Static Route
Extended ACL Configuration
ISP(config)#access-list 101 permit tcp host 100.100.100.2 any eq telnet
ISP(config)#access-list 101 permit tcp host 100.100.100.4 any eq www
ISP(config)#access-list 101 permit tcp host 100.100.100.3 any eq smtp
Apply it to its Inside Interface
ISP(config-if)#ip access-group 101 in
ISP#show ip interface fastEthernet 0/1
FastEthernet0/1 is up, line protocol is up (connected)
Address determined by setup command
MTU is 1500 bytes
Helper address is not set
Directed broadcast forwarding is disabled
Outgoing access list is not set
Inbound access list is 101
ISP#show access-lists 101
Extended IP access list 101
permit tcp host 100.100.100.2 any eq telnet (37 match(es))
permit tcp host 100.100.100.4 any eq www (11 match(es))
permit tcp host 100.100.100.3 any eq smtp (2 match(es))
From PC0 login to Router LOCAL using telnet is possible

143
But from others PC it is not possible
From PC2 we can browse ....................
But PC0 or PC1 cannot browse to HTTP Server
From PC1 we can see that SMTP service is open but others PC not...

144
LAB 40: Named IP Access List
This allows standard and extended ACLs to be given names instead of numbers
Objective:
We will configure Named ACL to ensure that only PC0 can be logged in throughTelnet to
router BUET but PC1 can not..........
Basic Configuration of Router and Switch:
Router>en
Router#conf t

145
DU(config-if)#exit
DU(config)#router eigrp 10
DU(config-router)#exit
DU(config-if)#exit
BUET(config-router)#exit
BUET(config)#no ip domain-lookup
BUET(config)#exit
DEFINE NAMED ACL
DU(config)#ip access-list extended venus
DU(config-ext-nacl)#permit tcp host 172.16.10.2 any eq telnet
DU(config-ext-nacl)#deny tcp host 172.16.10.3 any eq telnet
DU(config-ext-nacl)#permit ip any any
DU(config-ext-nacl)#exit
Apply ACL to Router's Interface
DU(config-if)#ip access-group venus out

146
DU(config-if)#end
From PC0
C:>ping 192.168.10.2
C:>telnet 192.168.10.2 (Success)
Trying 192.168.10.2 ...Open
Password:
From PC1
C:>ping 192.168.10.2
C:>telnet 192.168.10.2 (Not Success)
Trying 192.168.10.2 ...
% Connection timed out; remote host not responding
C:>
DU#show ip access-lists
Extended IP access list venus
10 permit tcp host 172.16.10.2 any eq telnet (4 match(es))
20 deny tcp host 172.16.10.3 any eq telnet (12 match(es))
30 permit ip any any (4 match(es))
LAB 41: HOW TO BLOCKED ICMP ECHO AND ECHO-REQUEST
ICMP is a network layer protocol (ICMP has its own protocol number in the header, IP protocol
number 1). It does not rely on TCP or UDP.
Echo is simply call a 'ping'. The Echo Reply is the 'ping reply'. ICMP Echo's are used for
Network troubleshooting.

147
ICMP traffic is critical network traffic, but it can also cause security issues if used against your
network by a malicious attacker.
GW and ISP Router: Interface Configuration
Router#conf t
Router(config)#hostname GW
GW(config)#interface fastEthernet 0/0
GW(config-if)#ip address 103.13.148.1 255.255.255.240
GW(config-if)#no shutdown
GW(config-if)#exit
GW(config-if)#exit
ISP#conf t
ISP(config-if)#exit

148
ISP(config-if)#exit
Configure Static default route to Internet and Static route to Local LAN
GW(config)#ip route 0.0.0.0 0.0.0.0 103.13.148.2
Assign IP to Server PC (LAN Host)
Assign IP to Outside Host PC1
Apply ping from outside to our local LAN Server

149
But we do not want this. So we have to block ICMP Reply from inside LAN for outside hosts
GW(config)#ip access-list extended inside-in
GW(config-ext-nacl)#deny icmp any any echo-reply
GW(config-ext-nacl)#permit ip any any
GW(config-ext-nacl)#exit
Also block ICMP echo request from outside to inside LAN
GW(config)#ip access-list extended outside-in
GW(config-ext-nacl)#deny icmp any any echo
GW(config-ext-nacl)#permit ip any any
GW(config-ext-nacl)#exit
Apply these rules to both Interface
GW(config-if)#ip access-group inside-in in
GW(config-if)#exit
GW(config-if)#ip access-group outside-in in
GW(config-if)#end
Verification
Now Apply ping from outside host to inside Server - 172.16.10.2
But other Service such as WEB Service is permitted as we have not block it, only ICMP echo-
reply is blocked.

150
LAB 42 : STATIC NAT
We use Static NAT for one-to-one mapping between an inside address and an outside address.
Static NAT allows connections from an outside host to an inside host. Generally, static NAT is
used for servers inside our network.
Suppose, we have a web or a mail server with the inside IP address 192.168.10.2 and we want
it to be accessible from Internet i.e. when a remote host makes a request to 103.13.148.10.
In this case we must do a static NAT mapping between Inside (192.168.10.2) and Outside IPs
(103.13.148.10).

151
IP Configuration to router Interface and Hosts
Router>en
Router#conf t
Gateway(config)#hostname Gateway
Gateway(config)#interface fastEthernet 0/0
Gateway(config-if)#ip address 103.13.148.1 255.255.255.0
Gateway(config-if)#no shutdown
Gateway(config-if)#exit
Gateway(config-if)#ip address 192.168.10.1 255.255.255.0
Gateway(config-if)#no shutdown
Router>en
Router#conf t
ISP(config-if)#exit
ISP(config-if)#exit

152
Configure default-route to Internet on Gateway Router
Gateway(config)#ip route 0.0.0.0 0.0.0.0 103.13.148.2
Configure static route to LAN on ISP
Specify default gateway on switch
Static NAT Configuration
Gateway(config)#ip nat inside source static 192.168.10.2 103.13.148.10
Gateway(config-if)#ip nat inside
Gateway(config-if)#ip nat outside
Verification
Gateway# show ip route
ISP# show ip route

153
Ping from PC0 to Server PC
On Server PC ---- Activate the http service ;
From Internet PC (PC0 under ISP Router) browse using 103.13.148.10 IP (through Public
IP that is assigned for static mapping)

154
LAB 43 : Dynamic NAT (Like many to many)
(We will do Dynamic NAT Configuration following Static NAT , So all the configuration of
previous LAB will remain same)
When we have a pool of public IP addresses, Dynamic NAT is used.
Never use dynamic NAT for servers or other devices that need to be accessible from the
Internet.
Suppose our internal network is 192.168.10.0/24. We also have the pool of public IP
addresses from 103.13.148.20-103.13.148.30 and Net Mask is 255.255.255.0. The procedure
will be as follows:
Create an ACL for LAN traffic
-------------------------------------
Gateway(config)#access-list 1 permit 192.168.10.0 0.0.0.255
Create a nat pool which Public IP addresses are used for translations
Gateway(config)#ip nat pool venus 103.13.148.20 103.13.148.30 netmask
255.255.255.0
Apply the NAT with ACL and nat pool
Gateway(config)#ip nat inside source list 1 pool venus
Apply it to interface
Gateway(config-if)#ip nat inside
Gateway(config-if)#ip nat outside
Verification
PING PC0 from PC1 / PC2.................
Gateway#show ip nat translations
Dynamic NAT
icmp 103.13.148.20:3 192.168.10.11:3 10.10.10.2:3 10.10.10.2:3
icmp 103.13.148.20:4 192.168.10.11:4 10.10.10.2:4 10.10.10.2:4
icmp 103.13.148.21:5 192.168.10.10:5 10.10.10.2:5 10.10.10.2:5
icmp 103.13.148.21:6 192.168.10.10:6 10.10.10.2:6 10.10.10.2:6
icmp 103.13.148.21:7 192.168.10.10:7 10.10.10.2:7 10.10.10.2:7

155
Static NAT
--- 103.13.148.10 192.168.10.2 --- ---
tcp 103.13.148.10:80 192.168.10.2:80 10.10.10.2:1025 10.10.10.2:1025
tcp 103.13.148.10:80 192.168.10.2:80 10.10.10.2:1026 10.10.10.2:1026
tcp 103.13.148.10:80 192.168.10.2:80 10.10.10.2:1027 10.10.10.2:1027
tcp 103.13.148.10:80 192.168.10.2:80 10.10.10.2:1028 10.10.10.2:1028
tcp 103.13.148.10:80 192.168.10.2:80 10.10.10.2:1029 10.10.10.2:1029
tcp 103.13.148.10:80 192.168.10.2:80 10.10.10.2:1030 10.10.10.2:1030
An inside host makes a request to an outside host and the router dynamically assigns an
available IP address from the pool for the translation of the private IP address. If there’s no
public IP address available, the router rejects new connections until you clear the NAT
mappings. However, you have as many public IP addresses as hosts in your network, you won’t
be faced this problem.
NAT Overload
NAT Overload, also called PAT, probably the most used type of NAT. We can configure NAT
overload in two ways, depending on how many public IP address we have..
LAB 44 : Static PAT
Suppose, we have only one public IP address allocated by our ISP. Here we have to map all our
inside hosts to the available IP address. The configuration is almost the same as for dynamic
NAT, but in this case we specify the outside interface instead of a NAT pool.

156
Router(config)#hostname GW
GW(config-if)#exit
GW(config-if)#exit
ISP(config-if)#exit
ISP(config-if)#exit
Static default route to Internet on GW Router
GW(config)#ip route 0.0.0.0 0.0.0.0 103.13.148.2
Static route to LAN on ISP Router
Assign IP address to Hosts and verify connectivity

157
C:>ping 192.168.10.10
C:>ping 192.168.10.20
Configure NAT overload
GW(config)#access-list 1 permit 192.168.10.0 0.0.0.255
GW(config)#ip nat inside source list 1 interface fastEthernet 0/0 overload
GW(config-if)#ip nat outside
GW(config-if)#exit

158
GW(config-if)#ip nat inside
GW(config-if)#exit
Verification
Apply ping from PC0 to OUTSIDE SERVER
C:>ping 100.100.100.30
Browse the OUTSIDE SERVER
The router automatically determines what public IP address to use for the mappings by
checking what IP is assigned to the Serial 0/0/0 interface. All the inside addresses are
translated to the only public IP address available on our router. Routers are able to recognize
the traffic flows by using port numbers, specified by the overload keyword.

159
LAB 45 : DYNAMIC PAT
The second way: If ISP gave you more than one public IP addresses, but not enough for a
dynamic or static mapping.
The configuration is same as dynamic NAT, but this time we will add overload for the router
to know to use traffic flow identification using port numbers, instead of mapping a private to
a public IP address dynamically.
Configure NAT overload
GW(config)# ip nat pool venus 103.13.148.5 103.13.148.10 netmask
255.255.255.240
GW(config)#access-list 1 permit 192.168.10.0 0.0.0.255
GW(config)#ip nat inside source list 1 pool venus overload
GW(config-if)#ip nat outside
GW(config-if)#exit
GW(config-if)#ip nat inside
Verification
C:>ping 100.100.100.30

160
Router#show ip nat translations
Pro Inside global Inside local Outside local Outside global
icmp 103.13.148.5:10 192.168.10.20:10 100.100.100.30:10 100.100.100.30:10
icmp 103.13.148.5:11 192.168.10.20:11 100.100.100.30:11 100.100.100.30:11
icmp 103.13.148.5:12 192.168.10.20:12 100.100.100.30:12 100.100.100.30:12
icmp 103.13.148.5:9 192.168.10.20:9 100.100.100.30:9 100.100.100.30:9
tcp 103.13.148.5:1027 192.168.10.10:1027 100.100.100.30:80 100.100.100.30:80
tcp 103.13.148.5:1028 192.168.10.10:1028 100.100.100.30:80 100.100.100.30:80
We can clear the NAT translation table with the following commands:
Router#clear ip nat translation *
Router#show ip nat translations
LAB 46 : Configure GRE Tunnel
Generic Routing Encapsulation (GRE) is developed by Cisco is a simple IP packet
encapsulation protocol. GRE encapsulates the original IP packet with a new IP header also
appending an additional GRE header. A GRE tunnel creates a point-to-point link between two
routers that are otherwise not directly connected to each other.
When packets require to be sent from one network to another over the Internet or an
insecure network, We can use GRE Tunnel. A virtual tunnel is created between the two Cisco
routers and packets are sent through the tunnel.
GRE tunnels allow multicast packets but IPSec VPN does not support multicast packets. In
large networks where routing protocols such as OSPF, EIGRP are necessary, GRE tunnels
are the best to utilize.

161
Configuring GRE Tunnel:
Configuring a GRE tunnel involves creating a tunnel interface, which is a logical interface.
Then you must configure the tunnel endpoints for the tunnel interface.
Configuring Router Interface :
R1(config-if)#exit
R1(config-if)#exit
R1(config)#
R2(config-if)#exit
R2(config-if)#exit

162
Creating a Cisco GRE Tunnel
GRE tunnel uses a tunnel interface – a logical interface configured on the router with an IP
address where packets are encapsulated and de encapsulated as they enter or exit the GRE
tunnel.
First step is to create our tunnel interface on R1:
R1(config)# interface Tunnel0
R1(config-if)# ip address 172.16.10.1 255.255.255.0
R1(config-if)# ip mtu 1400
R1(config-if)# ip tcp adjust-mss 1360
R1(config-if)# tunnel source 192.168.20.1
R1(config-if)# tunnel destination 192.168.20.2
R2(config)# interface Tunnel0
R2(config-if)# ip address 172.16.10.2 255.255.255.0
R2(config-if)# ip mtu 1400
R2(config-if)# ip tcp adjust-mss 1360
R2(config-if)# tunnel source 192.168.20.2
R2(config-if)# tunnel destination 192.168.20.1
All Tunnel interfaces must be configured with an IP address. Each Tunnel interface is
configured with an IP address within the same subnet(172.16.10.0/24).
Since GRE is an encapsulating protocol, we adjust the maximum transfer unit (mtu) to 1400
bytes and maximum segment size (mss) to 1360 bytes. Because most transport MTUs are 1500
bytes and we have an added overhead because of GRE, we must reduce the MTU to account
for the extra overhead. A setting of 1400 is a common practice and will ensure unnecessary
packet fragmentation is kept to a minimum.
Now we will configure static route to make the reachability of two hosts:
Here next hope will be the tunnel Interface IP
R1(config)# ip route 192.168.30.0 255.255.255.0 172.16.10.2
R2(config)# ip route 192.168.10.0 255.255.255.0 172.16.10.1
n.b. We can also write tunnel source as an interface like
# tunnel source fastEthernet 0/0

163
R1#show interfaces tunnel 0
Tunnel0 is up, line protocol is up
Hardware is Tunnel
MTU 1514 bytes, BW 9 Kbit, DLY 500000 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation TUNNEL, loopback not set
Keepalive not set
Tunnel source 192.168.20.1, destination 192.168.20.2
Tunnel protocol/transport GRE/IP
PC1#ping 192.168.30.2
!!!!!
LAB 47: AAA Configuration
AAA(Authentication, Authorization & Accounting ) provides the basic security framework
setting up access control on a network device.
Authentication = who is permitted to access a network
Provides the method of identifying users, including login and password dialog, challenge and
response, messaging support, and, depending on the security protocol you select, encryption.
Authorization = Control what they can do while they are there
Provides the method for remote access control, including one-time authorization or
authorization for each service, per-user account list and profile, user group support, and
support of IP, IPX, ARA, and Telnet.
Accounting =audit what actions they performed while accessing the network
Provides the method for collecting and sending security server information used for billing,
auditing, and reporting, such as user identities, start and stop times, executed commands
(such as PPP), number of packets, and number of bytes.

164
AAA uses two common methods :
1) Local AAA authentication:
This method stores usernames and passwords locally in the Cisco router, and users
authenticate against the local database.
2) Server-based AAA authentication:
A central AAA server contains the usernames and passwords for all users.
AAA can be used with both RADIUS & TACACS+ servers to provide secure services. But there
are some difference between the two protocols.
AAA Lab (Server-based AAA authentication)

165
Objective :
Any one telnet the router must be authenticated through AAA server and in case AAA server
is down , routers will use the local user accounts database.
RADIUS SERVER CONFIGURATION
Configuration:
Router#conf terminal
Router(config)#hostname Radius
Radius(config)#interface fastEthernet 0/0
Radius(config-if)#ip address 192.168.10.1 255.255.255.0
Radius(config-if)#no shutdown
Radius(config-if)#exit
Telnet Access from local database
Radius(config)#enable secret cisco123
Radius(config)#line vty 0 4
Radius(config-line)#login authentication default
Radius(config-line)#login
Radius(config-line)#exit
Radius(config)#username ashish password ashish123
Radius(config)#exit
AAA Server Configuration
To enable AAA, you need to configure the aaa new-model command in global configuration.
Until this command is enabled, all other AAA commands are hidden.
Radius(config)#aaa new-model
Set authentication for login using two methods: the Radius server (the first method). If the
Radius server doesn’t respond, then the router’s local database is used (the second method).
Radius(config)#aaa authentication login default group radius local
Tell the router what is the IP address for Radius server and key (password) to connect to:
Radius(config)#radius-server host 192.168.10.3 auth-port 1645 key cisco

166
Here,
Client name = any
Client IP = Rouer IP
Key = That is defined in previous command line
From the PC
C:>telnet 192.168.10.1
Trying 192.168.10.1 ...Open
Username: admin
Password:
Radius>en
Password:
Radius#
Here username: admin and password: admin123 that was created in Radius Server
Now disconnect the ACS server or just remove the cable and try to Telnet the router using
ashish (local database) and it will work .

167
Be remember, If method 1 fail , you will not go to method 2, but if method 1 is not available
then you can go to method 2 and use it.
C:>telnet 192.168.10.1
Trying 192.168.10.1 ...Open
Username: ashish
Password:
Radius>
Radius#show AAA user all
Unique id 4 is currently in use.
Accounting:
log=0x18001
Events recorded :
CALL START
INTERIM START
INTERIM STOP
update method(s) :
NONE
update interval = 0
Outstanding Stop Records : 0
Radius#show aaa sessions
Total sessions since last reload: 3
Session Id:4
Unique Id:4
User Name:admin
IP Address:0.0.0.0
Idle Time: 0
CT Call Handle: 0
Radius#
OR , TACACS+ Configuration
Router#conf t
Router(config)#hostname Tacacs
Tacacs(config)#interface fastEthernet 0/0
Tacacs(config-if)#ip address 192.168.10.2 255.255.255.0
Tacacs(config-if)#no shutdown
Tacacs(config-if)#exit
Tacacs(config)#aaa new-model

168
Tacacs(config)#aaa authentication login default group tacacs+ local
Tacacs(config)#tacacs-server host 192.168.10.4 key 8888
Tacacs(config)#enable secret cisco123
Tacacs(config)#line vty 0 4
Tacacs(config-line)#login authentication default
Tacacs(config-line)#login
AAA is enabled. Command not supported. Use an aaa authentication methodlist
Tacacs(config-line)#exit
Tacacs(config)#username ashish password ashish123
C:>telnet 192.168.10.2
Trying 192.168.10.2 ...Open
Username: admin
Password:
Tacacs>en
Password:
Tacacs#

169
LAB 48: Syslog Server
Cisco devices use the syslog protocol to manage system logs and alerts. Syslog Server collects
all the logs in a central location and then we can use these logs for the troubleshooting
devices.
There are 8 levels of logs that is generated. these are called severity level. Lower severity
level is more critical.
Message Logging Level Keywords
Level Keyword Level Description Syslog Definition
emergencies 0 System unstable LOG_EMERG
alerts 1 Immediate action needed LOG_ALERT
critical 2 Critical conditions LOG_CRIT
errors 3 Error conditions LOG_ERR
warnings 4 Warning conditions LOG_WARNING
notifications 5 Normal but significant condition LOG_NOTICE
informational 6 Informational messages only LOG_INFO
debugging 7 Debugging messages LOG_DEBUG
The software generates four other categories of messages:

170
 Error messages about software or hardware malfunctions, displayed at levels warnings
through emergencies: these types of messages mean that the functionality of the
access point is affected.
 Output from the debug commands, displayed at the debugging level: debug
commands are typically used only by the Technical Assistance Center (TAC).
 Interface up or down transitions and system restart messages, displayed at the
notifications level: this message is only for information; access point functionality is
not affected.
 Reload requests and low-process stack messages, displayed at the informational level:
this message is only for information; access point functionality is not affected.
Part of syslog messages
 Timestamp
 Log Message Name and Severity Level
 Message Text
LAB :
Router>

171
Router>enable
Router#conf t
Go to the service and be sure syslog service is on
Syslog configuration on DU Router
We will use the logging host <syslog server IP address> command to specify the Syslog
server address on Cisco router.
DU(config)#logging host 192.168.10.2

172
Then apply the logging trap <severity level> command to specify the log types and category
(called severity level). For example, use the debug log (severity level 7). We may use any
other severity level that we wish to test.
DU(config)#logging trap debugging
Then we will use the debug ip <protocol> command to enable debugging for a protocol. In
this case, we will use ICMP protocol.
DU#debug ip icmp
Apply ping 192.168.1.100 command to generate some ICMP packets to test your configuration.
C:>ping 192.168.10.1
C:>
Next, move on to Syslog Server console, and examine the output. In the following figure, you
can see the sample output of the Syslog server.
We can see the logs collected by Syslog Server for Cisco router.

173
LAB 49: SNMPv3
Simple Network Management Protocol (SNMP) is an application-layer protocol.
The Simple Network Management Protocol (SNMP) is used for network monitoring and
management. The network device send some informations to the NMS server to trace
graphics who permit to analysing the CPU, memory, I/O…
It is made up of 3 parts, the SNMP manager, SNMP agent and Management Information Base
(MIB).
 The SNMP manager is the software that is running on a pc or server that will monitor
the network devices
 The SNMP agent runs on the network device.
 The database that I just described is called the MIB (Manament Information Base) and
an object could be the interface status on the router (up or down) or perhaps the CPU
load at a certain moment. An object in the MIB is called an OID (Object Identifier).
Configure SNMP
Enable SNMP on Router
Router#conf t

174
Router(config)#snmp-server community V1 ro
%SNMP-5-WARMSTART: SNMP agent on host Router is undergoing a warm start
Router(config)#snmp-server community V1rw rw
Router(config)#exit
Router#
Here,
Read Community: V1. It has taken from read only (ro) community name.
Write Community: V1rw, it is the name of read and write (rw) community.
Testing SNMP from a PC
Click on PC0 and click Desktop tab, then open MIB Browser
Now go to Advanced tab and enter the following Information:
Address: 192.168.10.1
Read Community: V1
Write Community: V1rw
SNMP Version, select V3 and click OK.

175
Now on the MIB browser page expend MIB tree to system and select each value then hit the
GO button to display the exact information on Router0.
LAB 50: Password Recovery
Method 1
1. Shut the router down.
2. Remove the compact flash from the back of the router.
3. Turn the router back on.
4. When you see the Rommon1> prompt, enter the command of confreg 0x2142
5. Insert the compact flash.
6. Type reset.
7. When prompted to enter the initial configuration, type no and press enter.
8. At the router> prompt, type enable
9. At the Router# prompt, enter the configure memory command, and press Enter in
order to copy the startup configuration to the running configuration.
10. Use the config t command in order to enter global configuration mode.

176
11. Use this command in order to create a new user name and password:
router(config) #username cisco123 privilege 15 password cisco123
12. Use this command in order to change the boot statement:
config-register 0x2102
13. Use this command in order to save the configuration:
write memory
14. Reload the router, and then use your new user name and password to log in to the
router.
Method 2
1. Connect a terminal or PC with terminal emulation to the console port of the router
and ensure you have the correct terminal settings. They include no flow control, 1
stop bit, 8 data bits, no parity and 9600 baud rate.
2. If you are able to access the router, enter in show version at the prompt screen, and
document the configuration register setting.
3. Next, turn off the router and wait about 5 seconds and turn it back on.
4. Press break on the terminal keyboard within 1 minute of power up in order to the
router into ROMmon.
5. Enter in confreg 0x2142 at the rommon 1> prompot in order to boot the from Flash.
6. Type reset at the rommon 2> prompt.
7. Type no after each setup question or press Ctrl+C to bypass all questions.
8. Type enable at the Router> prompt
9. Type configure memory or copy startup-config running-config in order to copy
NVRAM into memory.
10. Type show running-config
11. Type configure terminal
12. Type enable secret <enter in a password that you will remember> in order to change
the enable secret password.
13. Issue the no shutdown command on every single interface that you use.
14. Type config-register . This typically is 0x2102.
15. Press Ctrl-z or end to leave config mode.
16. Type write memory or copy running-config startup-config to commit the
modifications

177
LAB 51 : PROJECT
1. VLAN Information
Switch VLAN ID VLAN Name IP Ports
DENVER 10 Cisco 172.16.10.0/24 F0/1-9
20 Solaris 172.16.20.0/24 F0/10 - 15
99 MGT 10.10.10.10/24 F0/24
TORONTO 30 Admin 172.16.30.0/24 F0/1 - 9
40 Accounts 172.16.40.0/24 F0/10 - 15
88 Management 11.11.11.11/24 F0/24
2. Router Information
Router Name Interface IP Address Description
LAN F0/0 (.1) 192.168.10.0/24 To GWY Router
F0/1.10 (Sub interface) 172.16.10.1/24 To VLAN 10
F0/1.99 (Sub interface) 10.10.10.10/24 To VLAN 99 (MGT)
GWY F0/0 (.2) 192.168.20.0/24 To LAN Router
F0/1.88 (Sub interface) 11.11.11.11/24 To VLAN 88(Management)
F1/0 (.1) 192.168.30.0/24 To ISP Router
ISP F0/0 (.2) 192.168.30.0/24 To GWY Router
F0/1 (.1) 172.16.50.0/24 To LAN Switch

178
2. DENVER
a. hostname, enable password, telnet access & VLAN configuration
b. Management VLAN Configuration
3. Router : LAN
a. Interface, hostname, enable password, telnet access configuration
b. Inter-Vlan Routing Configuration
4. TORONTO
a. Hostname, enable password, telnet access configuration , VLAN & Access Port configuration
b. Management VLAN Configuration
5. Router : GWY
b. Inter-Vlan Routing Configuration
6. EIGRP Configuration on LAN and GWY Router only
7. Router ISP
b. static route to LAN router
8. GWY
Static default route to ISP
9. Redistribute static route into EIGRP
10. ACL Configuration
Condition : for the Internet hosts the following service is disabled to Inside but http service is
enabled
a. Telnet, FTP, SMTP, SSH, ping
11. Static NAT Configuration
condition : only Inside HTTP Server's private IP is translated to public IP : 103.13.148.20
12. Configure Inside Server as a HTTP Server
13. Verification

179
Configuration
DENVER
Hostname, enable password, telnet access configuration , VLAN & Access Port configuration
================================================================================
Switch(config)#hostname DENVER
DENVER(config)#enable secret cisco
DENVER(config)#username admin password admin123
DENVER(config)#line vty 0 4
DENVER(config-line)#login local
DENVER(config-line)#exit
DENVER(config)#
DENVER(config)#vlan 10
DENVER(config-vlan)#name cisco
DENVER(config-vlan)#exit
DENVER(config-vlan)#name solaris
DENVER(config)#interface range fastEthernet 0/1 - 9
DENVER(config-if-range)#switchport mode access
DENVER(config-if-range)#switchport access vlan 10
DENVER(config-if-range)#exit
DENVER(config)#interface range fastEthernet 0/10 - 15
DENVER(config-if-range)#switchport mode access
DENVER(config-if-range)#switchport access vlan 20
DENVER(config-if-range)#exit
Management VLAN Configuration
=============================
DENVER(config-vlan)#name MGT
DENVER(config-if)#switchport access vlan 99
DENVER(config)#interface vlan 99
DENVER(config-if)#ip address 10.10.10.10 255.255.255.0

180
Router : LAN
=============
Interface, hostname, enable password, telnet access configuration
=========================================================
Router(config)#hostname LAN
LAN(config)#interface fastEthernet 0/1
LAN(config-if)#no shutdown
LAN(config-if)#exit
LAN(config)#interface fastEthernet 0/0
LAN(config-if)#ip address 192.168.10.1 255.255.255.0
LAN(config-if)#no shutdown
LAN(config-if)#exit
LAN(config)#enable password cisco
LAN(config)#username admin password admin123
LAN(config)#line vty 0 4
LAN(config-line)#login local
LAN(config-line)#exit
Inter-Vlan Routing Configuration
==========================
LAN(config)#interface fastEthernet 0/1.10
LAN(config-subif)#encapsulation dot1Q 10
LAN(config-subif)#ip address 172.16.10.1 255.255.255.0
LAN(config-subif)#no shutdown
LAN(config-subif)#exit
LAN(config-subif)#exit
LAN(config)#
DENVER
========
DENVER(config-if)#switchport mode trunk

181
IP Assign to Hosts
==============
Verification
==========
Ping : VLAN 10 host to VLAN 20 host
C:>ping 172.16.20.2
LAN>en
Password:
LAN#ping 10.10.10.10
!!!!!

182
LAN#telnet 10.10.10.10
Trying 10.10.10.10 ...Open
Username: admin
Password:
LAN>
TORONTO
Hostname, enable password, telnet access configuration , VLAN & Access Port configuration
================================================================================
Switch#conf t
Switch(config)#hostname TORONTO
TORONTO(config)#enable secret cisco
TORONTO(config)#username admin password admin123
TORONTO(config)#line vty 0 4
TORONTO(config-line)#login local
TORONTO(config-line)#exit
TORONTO(config-vlan)#name admin
TORONTO(config-vlan)#exit
TORONTO(config)#vlan 40
TORONTO(config-vlan)#name Accounts
TORONTO(config)#interface range fastEthernet 0/1 - 9
TORONTO(config-if-range)#switchport mode access
TORONTO(config-if-range)#switchport access vlan 30
TORONTO(config-if-range)#exit
TORONTO(config)#interface range fastEthernet 0/10 - 15
TORONTO(config-if-range)#switchport mode access
TORONTO(config-if-range)#switchport access vlan 40
TORONTO(config-if-range)#exit
TORONTO(config)#
Management VLAN Configuration
=============================
TORONTO(config)#vlan 88
TORONTO(config-vlan)#name Management
TORONTO(config)#interface fastEthernet 0/24
TORONTO(config-if)#switchport access vlan 88
TORONTO(config-if)#exit
TORONTO(config)#interface vlan 88
TORONTO(config-if)#ip address 11.11.11.11 255.255.255.0
TORONTO(config-if)#no shutdown
TORONTO(config-if)#exit

183
TORONTO(config)#
Router : GWY
=============
Interface, hostname, enable password, telnet access configuration
=========================================================
Router(config)#hostname GWY
GWY(config)#interface fastEthernet 0/0
GWY(config-if)#ip address 192.168.10.2 255.255.255.0
GWY(config-if)#no shutdown
GWY(config-if)#exit
GWY(config-if)#ip address 192.168.20.1 255.255.255.0
GWY(config-if)#exit
GWY(config)#enable secret cisco
GWY(config)#username admin password admin123
GWY(config)#line vty 0 4
GWY(config-line)#login local
GWY(config-line)#exit
GWY(config)#
Inter-Vlan Routing Configuration
==========================
GWY(config-if)#exit
GWY(config)#interface fastEthernet 0/1.30
GWY(config-subif)#encapsulation dot1Q 30
GWY(config-subif)#ip address 172.16.30.1 255.255.255.0
GWY(config-subif)#no shutdown
GWY(config-subif)#exit
GWY(config-subif)#exit
TORONTO
===========

184
TORONTO(config)#interface fastEthernet 0/24
TORONTO(config-if)#switchport mode trunk
IP Assign to Hosts
==============
Verification
===========
C:>ping 172.16.40.2
GWY#ping 11.11.11.11
!!!!!
GWY#telnet 11.11.11.11
Trying 11.11.11.11 ...Open
Username: admin

185
Password:
GWY>
EIGRP Configuration on LAN and GWY Router only (except GWY to ISP)
=========================================================
LAN#conf t
LAN(config)#router eigrp 10
LAN(config-router)#network 172.16.10.0
LAN(config-router)#no auto-summary
GWY(config)#router eigrp 10
GWY(config-router)#network 172.16.30.0
GWY(config-router)#
%DUAL-5-NBRCHANGE: IP-EIGRP 10: Neighbor 192.168.10.1 (FastEthernet0/0) is up: new
adjacency
GWY(config-router)#no auto-summary
Verification EIGRP
Ping: Server PC to host on the Toronto
C:>ping 172.16.30.2

186
C:>ping 172.16.40.2
Telnet to DENVER switch from GWY
=============================
GWY#telnet 10.10.10.10
Trying 10.10.10.10 ...Open
Username: admin
Password:
LAN>
7. Router ISP
============================================================
ISP(config-if)#exit
ISP(config)#do ping 192.168.20.1
.!!!!
ISP(config)#enable secret cisco
ISP(config)#username admin password admin123
ISP(config)#line vty 0 4
ISP(config-line)#login local
ISP(config-line)#exit

187
ISP(config-if)#exit
b. static route to LAN router
========================
8. GWY
Static default route to ISP
GWY(config)#ip route 0.0.0.0 0.0.0.0 192.168.20.2
9. Redistribute static route into EIGRP on router GWY
GWY(config-router)#redistribute static
GWY(config-router)#redistribute connected
Verification
ISP#ping 172.16.20.2
!!!!!
ISP#ping 10.10.10.10
!!!!!
ISP#telnet 10.10.10.10
Trying 10.10.10.10 ...Open

188
Username: admin
Password:
LAN>
Assign IP address to outside PC
Verification
C:>ping 192.168.30.1
C:>ping 172.16.10.2

189
10. ACL Configuration
Condition : for the Internet hosts the following service is disabled to Inside but http service is enabled
a. Telnet, FTP, SMTP, SSH, ping
GWY(config)#access-list 101 deny tcp host 192.168.30.2 any eq telnet
GWY(config)#access-list 101 deny tcp host 192.168.30.2 any eq ftp
GWY(config)#access-list 101 deny tcp host 192.168.30.2 any eq smtp
GWY(config)#access-list 101 deny tcp host 192.168.30.2 any eq pop3
GWY(config)#access-list 101 deny tcp host 192.168.30.2 any eq 22
GWY(config)#access-list 101 deny icmp host 192.168.30.2 any echo
GWY(config)#access-list 101 deny icmp any host 192.168.30.2 echo-reply
GWY(config)#access-list 101 permit ip any any
GWY(config-if)#ip access-group 101 in
11. Static NAT Configuration
condition : only Inside HTTP Server's private IP is translated to public IP : 103.13.148.20
GWY(config-if)#ip nat outside
GWY(config-if)#exit
GWY(config-if)#ip nat inside
GWY(config-if)#exit
GWY(config)#ip nat inside source static 172.16.10.2 103.13.148.20
GWY(config)#

190
IPV6 Address
IPv6 uses 128-bit addresses, which means that for each person on the Earth there are
48,000,000,000,000,000,000,000,000,000 addresses !
Advantages:
 Enhanced security
 Header improvements
 No need for NAT
 Stateless address autoconfiguration
IPv6 uses eight groups of four hexadecimal digits separated by colons. For example, this is a
valid IPv6 address:
1234:4523:EDBA:0A01:0056:5054:5ABC:ABBD
IPv6 address shortening
1. a leading zero can be omitted
1240:0023:CCBA:0A01:0065:5054:9ABC:ABB4
will be------------
1240:23:CCBA:A01:65:5054:9ABC:ABB4
2. String of of zero's can be represented as two colons (::)
1240:0000:0000:0000:0456:0000:CCCB:11DC
can be written as

191
1240::456:0000:CCCB:11DC (But this can be for one time)
Here the 0000 can be written as single zero, not double ::
1240::456:0:CCCB:11DC
Three categories of IPv6 addresses exist:
 Unicast
 Anycast
 Multicast
There are three types of IPv6 unicast addresses
global unicast – similar to IPv4 public IP addresses. These addresses are assigned by the IANA
and used on public networks. They have a prefix of 2000::/3, meaning all the addresses that
begin with binary 001.
unique local – similar to IPv4 private addresses. They are used in private networks and aren’t
routable on the Internet. These addresses have a prefix of FD00::/8.
link local – these addresses are used for sending packets over the local subnet. Routers do not
forward packets with this addresses to other subnets. IPv6 requires a link-local address to be
assigned to every network interface on which the IPv6 protocol is enabled. These addresses
have a prefix of FE80::/10.
Loopback Address ::1/128
Unspecified Address ::/0
IPv6 multicast addresses
Multicast addresses in IPv6 are similar to multicast addresses in IPv4. They are used to
communicate with dynamic groupings of hosts, for example all routers on the link (“one-to-
many distribution”).
IPv6 multicast addresses start with FF00::/8
Here is a table of some of the most common link local multicast addresses:

192
Here is a summary of the most common address prefixes in IPv6:
IPv6 transition options
IPv4 and IPv6 networks are not interoperable and the number of devices that use IPv4 number
is still great. Some of these devices do not support IPv6 at all, so the migration process is
necessary since IPv4 and IPv6 will likely coexist for some time.
Many transition mechanisms have been proposes. We will introduce the main ones and
describe them in the next sections:
1. IPv4/IPv6 Dual Stacks
2. NAT64
3. Tunneling
IPv6 supports the following routing protocols:
 RIPng (RIP New Generation)
 OSPFv3
 EIGRP for IPv6
 IS-IS for IPv6
 MP-BGP4 (Multiprotocol BGP-4)
The following table summarizes the major differences between IPv4 and IPv6:

193
LAB 52: Configure IPv6
Cisco Routers do not have IPv6 routing enabled by default. To configure IPv6 on a Cisco DUs
you need to do two things:
1. Apply "ipv6 unicast-routing" in global configuration command.
2. We can assign IP to Interface on different method. We will describe here the following
methods:
 With eui-64 parameter
 Manually Assigned
 Link-local Addressing
eui-64 Parameter
BASIC Configuration
DU#conf t
DU(config)#ipv6 unicast-routing
DU(config-if)#ipv6 address 2001:0BB9:AABB:1234::/64 eui-64
DU(config-if)#end
BUET>en
BUET#conf t
BUET(config)#ipv6 unicast-routing
BUET(config-if)#ipv6 address 2001:0BB9:AABB:1234::/64 eui-64
BUET(config-if)#end
Verification

194
DU#show ipv6 interface fastEthernet 0/0
IPv6 is enabled, link-local address is FE80::2E0:8FFF:FED5:BD01
No Virtual link-local address(es):
Global unicast address(es):
2001:BB9:AABB:1234:2E0:8FFF:FED5:BD01, subnet is 2001:BB9:AABB:1234::/64
[EUI]
Joined group address(es):
DU#show ipv6 route
IPv6 Routing Table - 3 entries
Codes: C - Connected, L - Local, S - Static, R - RIP, B - BGP
U - Per-user Static route, M - MIPv6
I1 - ISIS L1, I2 - ISIS L2, IA - ISIS interarea, IS - ISIS summary
O - OSPF intra, OI - OSPF inter, OE1 - OSPF ext 1, OE2 - OSPF ext 2
ON1 - OSPF NSSA ext 1, ON2 - OSPF NSSA ext 2
D - EIGRP, EX - EIGRP external
C 2001:BB9:AABB:1234::/64 [0/0]
via ::, FastEthernet0/0
L 2001:BB9:AABB:1234:2E0:8FFF:FED5:BD01/128 [0/0]
L FF00::/8 [0/0]
via ::, Null0
DU#
BUET#show ipv6 interface fastEthernet 0/0
IPv6 is enabled, link-local address is FE80::202:4AFF:FEA8:2D01
No Virtual link-local address(es):
Global unicast address(es):
2001:BB9:AABB:1234:202:4AFF:FEA8:2D01, subnet is 2001:BB9:AABB:1234::/64
[EUI]
Joined group address(es):
FF02::1
FF02::2
FF02::1:FFA8:2D01
Ping from BUET to DU

195
BUET#ping ipv6 2001:BB9:AABB:1234:2E0:8FFF:FED5:BD01
Sending 5, 100-byte ICMP Echos to 2001:BB9:AABB:1234:2E0:8FFF:FED5:BD01,
timeout is 2 seconds:
!!!!!
Manually Assigned and Link-local Addressing
Router>en
Router#conf t
Router(config)#hostname APECE
APECE(config)#ipv6 unicast-routing
APECE(config)#interface loopback 1
APECE(config-if)#ipv6 address 2001::2/128
APECE(config-if)#exit
APECE(config)#interface fastEthernet 0/0
APECE(config-if)#ipv6 enable
APECE(config-if)#no shutdown
APECE(config-if)#exit
with "ipv6 enable" command we will get IP address automatically to the router's Interface
Router#conf t
Router(config)#hostname Ashish
Ashish(config)#ipv6 unicast-routing
Ashish(config)#interface loopback 1
Ashish(config-if)#ipv6 address 2001::1/128

196
Ashish(config-if)#exit
Ashish(config)#interface fastEthernet 0/0
Ashish(config-if)#ipv6 enable
Ashish(config-if)#no shutdown
Ashish(config-if)#end
Ashish#show ipv6 interface brief
FastEthernet0/0 [up/up]
FE80::202:17FF:FE09:E901 (IP Address - link local Address, getting by ipv6 enable command)
FastEthernet0/1 [administratively down/down]
Loopback1 [up/up]
FE80::210:11FF:FE65:7A37
2001::1
Vlan1 [administratively down/down]
APECE#ping ipv6 FE80::202:17FF:FE09:E901
Output Interface: fastethernet0/0
Sending 5, 100-byte ICMP Echos to FE80::202:17FF:FE09:E901, timeout is 2
seconds:
!!!!!
LAB 53 : Configure IPv6 Static Route

197
The configuration and syntax are same as IPv4 Static routing, Just we will find some minor
differences than that of IPv4.
DU Router
Router>en
Router#conf t
DU(config-if)#ipv6 address 2001:AD8:23:45::1/64
DU(config-if)#exit
BUET Router
Router>en
Router#conf t
BUET(config-if)#ipv6 address 2001:AD8:23:45::2/64
BUET#conf t
BUET(config-if)#ipv6 address 2001:BD55:1234:DC4::1/64
BUET(config-if)#end
BUET#
Veirfication
BUET#show ipv6 interface brief
FastEthernet0/0 [up/up]
FE80::260:3EFF:FEAE:5901
2001:AD8:23:45::2

198
FastEthernet0/1 [administratively down/down]
Vlan1 [administratively down/down]
BUET#
Verify Connectivity using ping
DU#ping ipv6 2001:AD8:23:45::2
Sending 5, 100-byte ICMP Echos to 2001:AD8:23:45::2, timeout is 2 seconds:
!!!!!
DU#
Assign IPv6 Address to host
Ping to Router BUET from host
C:>ping 2001:BD55:1234:DC4::1
Reply from 2001:BD55:1234:DC4::1: bytes=32 time=1ms TTL=255
Reply from 2001:BD55:1234:DC4::1: bytes=32 time<1ms TTL=255
Now ping to Router DU
C:>ping 2001:AD8:23:45::1
Request timed out.
Request timed out.
Request timed out.
Request timed out.

199
Not success...so we need routing. We will configure static route here......
DU(config)#ipv6 route 2001:BD55:1234:DC4::/64 2001:AD8:23:45::2
Now ping to Host IP
DU#ping ipv6 2001:BD55:1234:DC4::2
Sending 5, 100-byte ICMP Echos to 2001:BD55:1234:DC4::1, timeout is 2
seconds:
!!!!!
DU#
And ping to DU from host
C:>ping 2001:AD8:23:45::1
Pinging 2001:AD8:23:45::1 with 32 bytes of data:
Reply from 2001:AD8:23:45::1: bytes=32 time=2ms TTL=254
Reply from 2001:AD8:23:45::1: bytes=32 time<1ms TTL=254
LAB 54 :Configure RIPNG on Cisco Router
Basic Configuration
DU Router
Router#conf t

200
DU(config-if)#ipv6 address 2001:AD8:23:45::1/64
DU(config-if)#exit
BUET Router
Router>en
Router#conf t
BUET(config-if)#ipv6 address 2001:AD8:23:45::2/64
BUET(config-if)#ipv6 address 2001:BD55:1234:DC4::1/64
BUET(config-if)#end
Configure RIPNGN
DU(config)#ipv6 router rip ashish
DU(config-rtr)#exit
DU(config-if)#ipv6 rip ashish enable
DU(config-if)#exit
BUET(config)#ipv6 router rip ashish
BUET(config-rtr)#exit
BUET(config-if)#ipv6 rip ashish enable
BUET(config-if)#ipv6 rip ashish enable
BUET(config-if)#end
Verification
DU#ping ipv6 2001:BD55:1234:DC4::2

201
Sending 5, 100-byte ICMP Echos to 2001:BD55:1234:DC4::2, timeout is 2
seconds:
!!!!!
DU#show ipv6 route
IPv6 Routing Table - 4 entries
Codes: C - Connected, L - Local, S - Static, R - RIP, B - BGP
U - Per-user Static route, M - MIPv6
I1 - ISIS L1, I2 - ISIS L2, IA - ISIS interarea, IS - ISIS summary
O - OSPF intra, OI - OSPF inter, OE1 - OSPF ext 1, OE2 - OSPF ext 2
ON1 - OSPF NSSA ext 1, ON2 - OSPF NSSA ext 2
D - EIGRP, EX - EIGRP external
C 2001:AD8:23:45::/64 [0/0]
L 2001:AD8:23:45::1/128 [0/0]
R 2001:BD55:1234:DC4::/64 [120/2]
via FE80::260:3EFF:FEAE:5901, FastEthernet0/0
L FF00::/8 [0/0]
via ::, Null0
DU#
*** Don’t forget to enable IPv6 unicast routing otherwise no routing protocol will work for IPv6.
LAB 55 : Dual-Stack Example
Hosts and network devices run both IPv4 and IPv6 at the same time.
Router#conf t
Router(config)#ipv6 unicast-routing

202
Router(config-if)#no shut
Router(config-if)#ipv6 address 2001:12::1/64
DU(config-if)#ipv6 address 2001:12::2/64
DU(config-if)#end
 FastEthernet 0/0 interfaces of two routers are dual stacked.
 It is configured with an IPv4 and an IPv6 address.
 For each protocol, the addresses on two routers are on the same network.
Verification
DU#show ip interface fastEthernet 0/0
FastEthernet0/0 is up, line protocol is up (connected)
Internet address is 192.168.10.2/24 (IPv4 Address)
------------------------------------
DU#show ipv6 interface fastEthernet 0/0
IPv6 is enabled, link-local address is FE80::2D0:97FF:FE08:1301 (IPv6 Address)
----------------------------------------
DU#ping ipv6 2001:12::1
Sending 5, 100-byte ICMP Echos to 2001:12::1, timeout is 2 seconds:
!!!!!

203
LAB 56 : Configuration of IPSEC VPN
A Virtual Private Network (VPN) provides a secure tunnel across a public network such as
Internet. for organizations to connect users and offices together, without the high costs of
dedicated leased lines.
VPNs are used generally for :
 Client VPNs (Remote Access VPN)- To connect Office to home or “roaming” users
 Site-to-Site VPNs - To connect branch offices to a head office.
Types of VPN protocols
1. Internet Protocol Security or IPSec:
2. Layer 2 Tunneling Protocol (L2TP):
3. Point – to – Point Tunneling Protocol (PPTP):
4. Secure Sockets Layer (SSL) and Transport Layer Security (TLS):
5. OpenVPN:
6. Secure Shell (SSH)
Here we describe only IPSec Site-to-Site VPN
IPSec:
IPSEC (Internet Protocol Security), is a suite of protocols, helps us to protect IP traffic on the
network layer.
4 core IPsec services:
 Confidentiality – It means encrypt the data.
 Integrity – It ensures that data has not been tampered or altered using hashing
algorithm.
 Authentication – It confirms the identity of the host sending data, using
 pre-shared keys or CA (Certificate Authority)
 Anti-replay – prevents duplication of encrypted packets

204
Configuration of IPSEC VPN
5 Phases of IPSec VPN:
1. Define interesting traffic.
2. IKE phase 1
Creates the first tunnel, which protects later ISAKMP negotiation message.
3. IKE phase 2
Creates the tunnel that protects data.
4. Transfer data
5. Tear down tunnel.
Basic Configuration
DU ROUTER
R1#conf t
R1(config-if)#exit
R1(config-if)#exit

205
R1(config-if)#exit
R1(config)#ip route 192.168.20.0 255.255.255.0 103.13.148.2
Configuring IKE Phase 1
1. Enable ISAKMP
R1(config)#crypto isakmp enable
2. Create ISAKMP Policy
R1(config)#crypto isakmp policy 1
R1(config-isakmp)#authentication pre-share
R1(config-isakmp)#hash md5
R1(config-isakmp)#encryption 3des
R1(config-isakmp)#group 2
R1(config-isakmp)#lifetime 3600
R1(config-isakmp)#exit
3. Configure pre-shared keys:
R1(config)#crypto isakmp key cisco123 address 103.13.148.2
Configuring IKE Phase 2
1. Create transform sets:
R1(config)#crypto ipsec transform-set ashish esp-3des esp-md5-hmac
2. (optional) Configure IPSec lifetime:
R1(config)#crypto ipsec security-association lifetime seconds 3600
3. Create mirrored ACLs defining traffic to be encrypted and the traffic expected to be
received encrypted
R1(config)#access-list 101 permit ip 192.168.10.0 0.0.0.255 192.168.20.0
0.0.0.255
4. Set up IPSec crypto-map:
R1(config)#crypto map mymap 10 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
and a valid access list have been configured.
R1(config-crypto-map)#match address 101

206
R1(config-crypto-map)#set peer 103.13.148.2
R1(config-crypto-map)#set pfs group2
R1(config-crypto-map)#set transform-set ashish
R1(config-crypto-map)#
Apply Cypto Map to Interface
R1(config-if)#crypto map mymap
The Configuration is same for R2 Router
R2(config)#crypto isakmp enable
R2(config)#crypto isakmp policy 1
R2(config-isakmp)#authentication pre-share
R2(config-isakmp)#encryption 3des
R2(config-isakmp)#hash md5
R2(config-isakmp)#group 2
R2(config-isakmp)#lifetime 3600
R2(config)#crypto isakmp key cisco123 address 103.13.148.1
R2(config)#crypto ipsec transform-set ashish esp-3des esp-md5-hmac
R2(cfg-crypto-trans)#exit
R2(config)#crypto ipsec security-association lifetime seconds 3600
R2(config)#access-list 101 permit ip 192.168.20.0 0.0.0.255 192.168.10.0
0.0.0.255
R2(config)#crypto map mymap 10 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
and a valid access list have been configured.
R2(config-crypto-map)#match address 101
R2(config-crypto-map)#set peer 103.13.148.1
R2(config-crypto-map)#set pfs group2
R2(config-crypto-map)#set transform-set ashish
R2(config-crypto-map)#exit
R2(config-if)#crypto map mymap
R2(config-if)#
*Mar 1 00:34:26.911: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
R2(config-if)#

207
Verification and testing
Apply ping from R1 to PC2
R1#ping 192.168.20.2 source 192.168.10.1
Be sure we apply ping from inside IP address while testing the VPN tunnel from the router. We
can also ping from PC1 to PC2.
Now the ping has setup the VPN because of its “interesting” traffic (the first ping is lost in the
VPN creation). We can verify with “show crypto engine connections active”
Verify the IPSec Phase 1 connection
R1#show crypto isakmp sa
Verify IPSec Phase 2 connection
R1# show crypto ipsec sa

208
We can also view active IPSec sessions using show crypto session command
APPENDIX -------
-----------------------------------------------------------SUBNETTING TECHNIQUE

209
IPv4 Address and Subnetting
IP or IP address or Internet Protocol address, is a number used to indicate the location of a
computer or other device on a network using TCP/IP.
Evolving the Internet technology there has been a high increasing demand for IP addresses.
IPv4 can only provide only 4.3 billion IP Addresses (approx). So there comes IPv6 and can
provide about 3.4*104
IP Addresses.
IP address classes (IPv4)
There are five classes of available IP ranges: Class A, Class B, Class C, Class D and Class E,
while only A, B, and C are commonly used. Each class allows for a range of valid IP addresses,
shown in the following table.
Class Address Range Supports
Class A
1.0.0.1 to
126.255.255.254
Supports 16 million hosts on each of 127 networks.
Class B
128.1.0.1 to
191.255.255.254
Supports 65,000 hosts on each of 16,000 networks.
Class C
192.0.1.1 to
223.255.254.254
Supports 254 hosts on each of 2 million networks.
Class D
224.0.0.0 to
239.255.255.255
Reserved for multicast groups.
Class E
240.0.0.0 to
254.255.255.254
Reserved for future use, or Research and Development
Purposes.
Ranges 127.x.x.x are reserved for the loopback or localhost, for example, 127.0.0.1 is the
loopback address. Range 255.255.255.255 broadcasts to all hosts on the local network.

210
127.0.0.1 is the loopback Internet protocol (IP) address also referred to as the “localhost.”
The address is used to establish an IP connection to the same machine or computer being
used by the end-user.
IPv4 network standards reserve the entire 127.0.0.0/8 address block for loopback purposes.
That means any packet sent to any of those addresses (127.0.0.1 through 127.255.255.255) is
looped back. The address 127.0.0.1 is the standard address normally used for IPv4 loopback
traffic; the rest are rarely used in practice. The IPv6 standard assigns only a single address for
loopback: ::1.
Private IP Addresses
The Internet Assigned Numbers Authority (IANA) reserves the following IP address blocks for
use as private IP addresses:
10.0.0.0 to 10.255.255.255
172.16.0.0 to 172.31.255.255
192.168.0.0 to 192.168.255.255
The first set of IP addresses from above allow for over 16 million addresses, the second for
over 1 million, and over 65,000 for the last range.
Another range of private IP addresses is 169.254.0.0 to 169.254.255.255 but is for Automatic
Private IP Addressing (APIPA) use only.
Reserved IP Addresses
Technically, the entire range from 127.0.0.0 to 127.255.255.255 is reserved for loopback
purposes but you'll almost never see anything but 127.0.0.1 used in the real world.
The range from 0.0.0.0 to 0.255.255.255 are also reserved but don't do anything at all.
If you're even able to assign a device an IP address in this range, it would not function
properly no matter where on the network it was installed.

211
Subnet Mask
The subnet mask is the value assigned during subnetting. If, for example, your Internet
Service Provider has given you an IP address of 192.168.0.1/24, it means that your subnet
mask is 255.255.255.0. The 24 value represents the 24 1's of the binary equivalent of
255.255.255.0
A subnet mask is helpful to identify the network portion and host portion in an IP address.
The host portion further helps in calculating the number of IP addresses.
For e.g. 192.168.99.0 255.255.255.0
Here, in the subnet mask ‘255.255.255.0′, the last octet ‘0’ is the host portion which states
that the network can hold 2^8 = 256 IP addresses out of which the first one is ‘network ID’
and last one is called ‘broadcast ID’. So, the usable IP addresses are (256–2 = 254) IP
addresses.
Benefits of Subnetting
If we have whole room shared by all office staff without partition. And same office room
shared by staff after partitioning. Now they will get separate room.
Same case, when a large Network is divided into some small networks then number of
broadcast domain will be increased and performance will be better.
 Improve network performance and speed
 Reduce network congestion
 Boost network security
 Control network growth
 Ease administration
 Subnetting allows you to make efficient use of your address space.

212
Given Subnet is 192.168.10.0/24
We have to Subnet it so that there can have
1. At least 5 Subnets
2. 25 Hosts per subnet
And also find out the
3. Subnet Mask
4. What are the valid Subnets
5. The Valid Hosts Range for each Subnet
6. The broadcast Address for each Subnet
7. Find the Subnet and broadcast Address for 192.168.10.191 IP Address
192 168 10 0
8 bits 8 bits 8 bits 8 zeros
255 255 255 0 0 0 0 0 0 0 0
We will create New subnet and hosts /subnet using these 8
bits. As our CIDR is 24 so First 24 bits will not be used for
subnetting
Network bits will be taken from left side an Hosts bits will
be taken from Right side
We need at least 5 subnets.
Formula to find out Valid Subnet = 2^n - 2;
where n is the number of bits
If n = 1; Subnet = 2^1 - 2 =0
If n = 2; Subnet = 2^2 -2 = 2
If n = 3; Subnet = 2^3 - 2 = 6 (our desired value)
If n = 4; Subnet = 2^4 - 2 = 14
The Number of valid Subnets = 6
So we will take 3 bits from left side of the octet and make
these value to all three bits are 1
1 1 1 0 0 0 0 0
Here rest of the 5 bits are used for hosts / subnet
So The Number of Hosts / Subnet = 2^5 - 2 = 30

213
1. The Number of valid Subnets = 6
2. The Number of Valid Hosts / Subnet = 30
3. The Subnet Mask = 255.255.255.224
Subnet MASK 255.255.255. 1 1 1 0 0 0 0 0
255.255.255.224
Binary to Decimal 1 1 1 0 0 0 0 0
Have to memorize this 128 64 32 16 8 4 2 1
Consider the values where the value are 1's so here .........128, 64 and 32
Now Adding these values we have = 128 + 64 + 32 = 224 (Mask)
Decimal to Binary 248
128 64 32 16 8 4 2 1
1 1 1 1 1 0 0 0
248 = 128 + 64 + 32 + 16 + 8 (Have to find out which values are needed to form the value 248,
make these values are all ones as described above)
4. To find out the subnets we will first find the GAP between two subnets
This can be by using the following formula
Subnet Gap = 256 - mask value = 256 - 224 = 32
Also called incremental value just like 0---32----64----etc.
But zero subnet is not used normally in Cisco. If we want to use this we have to apply "ip-
subnet zero" command.
in details.....................
Subnet 32 64 96 128 160 196 our next value is 224, as it is mask
bit value we will not use this. ***
First Host 33 65 97 129 161 197
Last Host 62 94 126 158 194 222
Broadcast 63 95 127 159 195 223

214
 Broadcast will be the previous value of next subnet.
 First host = subnet +1, Last host = Broadcast-1
 So when we use subnet 32 i.e. 192.168.10.32 Subnet, then IP Addresses will be
192.168.10.33 through 192.168.10.62 total 30 IP Addresses which can be used in Host.
 Broadcast and Subnet IP would never be used as host IP Address
 Subnet Mask for these Addresses will be 255.255.255.224 and it is for all subnets
 From our formula, to find out the number of subnets we have subtract 2 (0ne is zero
subnet and other is 224 -mask bit value)
 WE also subtract 2 when we find the number of valid hosts , one is subnet value and
other is broadcast
7. We will do a simple calculation to find out ---
191/32 = 5 remainder is 191 - 160 (this value will be the always subnet) = 31 (must
be lower than 32)
i.e. Subnet = 192.168.10.160
Broadcast will be = 196-1 = 195 (Next Subnet = 160+32 =196)

215
ASHISH HALDER
APPLIED PHYSICS, ELECTRONICS AND COMMUNICATION ENGINEERING
UNIVERSITY OF DHAKA
EMAIL -glakh2010@gmail.com
skype: ashish.halder312

CCNA-LAB-GUIDE-V3_LAST-ADDITION (4).pdf

More Related Content

What's hot

Similar to CCNA-LAB-GUIDE-V3_LAST-ADDITION (4).pdf

Recently uploaded

CCNA-LAB-GUIDE-V3_LAST-ADDITION (4).pdf